Title: Mitigating NTP amplification attack using Juniper
Date: 2014-04-24 10:20
Category: NTP
Tags: Juniper, junos, NTP
Slug: juniper-ntp-amplification-attack-mitigation
Author: someone
Summary: Mitigating NTP amplification attack using Juniper
Legitimate NTP traffic normally has a UDP packet size of less than 128 bytes, and normally has both source and destination ports set to 123. Attackers trigger NTP amplification attacks whose responses are sent to UDP port 80, so such traffic is obviously an attack; oversized packets are rare and most likely an attack as well.
First, let's create a 1M policer:
```
set firewall policer limitntp-1 if-exceeding bandwidth-limit 1M
set firewall policer limitntp-1 if-exceeding burst-size-limit 10k
set firewall policer limitntp-1 then discard
```
Then, let's classify and police the traffic:
```
set firewall family inet filter ntp-1 interface-specific
# 123 -> 80 - drop
set firewall family inet filter ntp-1 term 1 from protocol udp
set firewall family inet filter ntp-1 term 1 from source-port ntp
set firewall family inet filter ntp-1 term 1 from destination-port http
set firewall family inet filter ntp-1 term 1 then discard
# too small or oversized packets with UDP port 123 - police and count
set firewall family inet filter ntp-1 term 2 from packet-length-except 40-128
set firewall family inet filter ntp-1 term 2 from protocol udp
set firewall family inet filter ntp-1 term 2 from port ntp
set firewall family inet filter ntp-1 term 2 then policer limitntp-1
set firewall family inet filter ntp-1 term 2 then count ntp-count
set firewall family inet filter ntp-1 term 2 then accept
# accept the rest
set firewall family inet filter ntp-1 term 3 then accept
```
Now apply the filter to the interface units:
```
# traffic leaving our network
set interfaces ae0 unit 10 family inet filter output ntp-1
# traffic entering our network
set interfaces ae0 unit 10 family inet filter input ntp-1
```
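As an added example (not from the original post), the following Python mirrors the three terms of filter `ntp-1` so you can check how sample packets would be classified before committing the filter; the packets in `SAMPLE` are constructed, and the `Packet`/`classify` names are this example's own.

```python
"""Evaluate the three-term Junos filter 'ntp-1' against sample UDP packets.
Terms are checked in order and the first match wins, as on the router."""
from dataclasses import dataclass

NTP_PORT = 123
HTTP_PORT = 80
LEGIT_LEN = range(40, 129)  # packet-length-except 40-128: outside this is suspicious


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    length: int  # IP packet length in bytes


def classify(pkt: Packet) -> str:
    """Return the verdict filter ntp-1 gives this packet.

    term 1: udp, source 123 -> destination 80            -> 'discard'
    term 2: udp, port 123 on either side, length not 40-128 -> 'police'
    term 3: everything else                                -> 'accept'
    """
    if pkt.proto == "udp" and pkt.sport == NTP_PORT and pkt.dport == HTTP_PORT:
        return "discard"
    if (pkt.proto == "udp" and NTP_PORT in (pkt.sport, pkt.dport)
            and pkt.length not in LEGIT_LEN):
        return "police"
    return "accept"


def summarize(pkts) -> dict:
    """Count verdicts: 'police' is what the ntp-count counter would see."""
    counts = {"discard": 0, "police": 0, "accept": 0}
    for p in pkts:
        counts[classify(p)] += 1
    return counts


# Constructed sample traffic
SAMPLE = [
    Packet("udp", 123, 123, 76),     # normal NTP exchange, 123 <-> 123
    Packet("udp", 123, 80, 482),     # oversized NTP reply aimed at UDP/80
    Packet("udp", 123, 51234, 468),  # oversized NTP reply to an ephemeral port
    Packet("udp", 40000, 123, 36),   # runt packet toward an NTP server
    Packet("tcp", 123, 80, 1500),    # TCP: the UDP terms do not match
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.proto} {p.sport}->{p.dport} len={p.length}: {classify(p)}")
    print(summarize(SAMPLE))
```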