JUNI-ND-001210 - The Juniper router must be configured to protect against known types of Denial of Service (DoS) attacks by employing organization-defined security safeguards - DoS attacks by employing organization-defined security safeguards

Information

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the router protect against known types of DoS attacks on the route processor. Implementing a CoPP policy as shown in the example below is a best practice method.

Step 1: Configure policers for specific traffic types.

set firewall policer CRITICAL filter-specific
set firewall policer CRITICAL if-exceeding bandwidth-limit 4000000 burst-size-limit 1500
set firewall policer CRITICAL then discard
set firewall policer IMPORTANT filter-specific
set firewall policer IMPORTANT if-exceeding bandwidth-limit 512000 burst-size-limit 16000
set firewall policer IMPORTANT then discard
set firewall policer NORMAL filter-specific
set firewall policer NORMAL if-exceeding bandwidth-limit 64000 burst-size-limit 2000
set firewall policer NORMAL then discard
set firewall policer UNDESIRABLE filter-specific
set firewall policer UNDESIRABLE if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer UNDESIRABLE then discard
set firewall policer ALL-OTHER filter-specific
set firewall policer ALL-OTHER if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer ALL-OTHER then discard

Step 2: Configure the CoPP filter by applying policers to the appropriate traffic types.

set firewall filter CoPP_Policy term CRITICAL from protocol ospf
set firewall filter CoPP_Policy term CRITICAL from protocol pim
set firewall filter CoPP_Policy term CRITICAL from protocol tcp destination-port bgp
set firewall filter CoPP_Policy term CRITICAL from protocol tcp source-port bgp
set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL
set firewall filter CoPP_Policy term IMPORTANT from source-address 10.1.1.0/24
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT then discard
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code ttl-eq-zero-during-transit
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code port-unreachable
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-reply
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-request
set firewall filter CoPP_Policy term NORMAL then policer NORMAL
set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp destination-port 1434
set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE
set firewall filter CoPP_Policy term ALL-OTHER from address 0.0.0.0/0
set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER

Step 3: Apply the CoPP filter to the loopback interface.

set interface lo0 unit 0 family inet filter input CoPP_Policy

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-217342r961620_rule, STIG-ID|JUNI-ND-001210, STIG-Legacy|SV-101273, STIG-Legacy|V-91173, Vuln-ID|V-217342

Plugin: Juniper

Control ID: 6a881196e213ffb16a00bfa88d0f1774ceb57412f702c1755f184a57d4dc17da