JUNI-RT-000770 - The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks - DoS attacks.

Information

DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.

Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure a forwarding class has been configured for the Scavenger class as shown in the example below.

[edit class-of-service forwarding-classes]
set class CS1 queue-num 7 priority low

The Scavenger class is marked at the access layer with DSCP CS1. Hence, the router must maintain the marking and assign the packet to the configured forwarding class CS1.

PE Router only - Configure a Multifield (MF) classifier to provision for the Scavenger class as shown in the example below.

[edit firewall family inet filter CLASSIFY_TRAFFIC]
set term SCAVENGER from dscp cs1
set term SCAVENGER then forwarding-class CS1 accept
insert term SCAVENGER before term ACCEPT_OTHER

PE and P Router - Configure a Behavior aggregate (BA) classifier to match on the packets marked with DSCP CS1.

[edit class-of-service classifiers]
set dscp CLASSIFIER import default forwarding-class CS1 loss-priority high code-points 001000

P router only - Apply the BA classifier to all interfaces.

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 classifiers dscp CLASSIFIER
set ge-0/1/1 unit 0 classifiers dscp CLASSIFIER

Remaining steps are only applicable to the PE router.

Configure a scheduler for the Scavenger class.

[edit class-of-service schedulers]
set SCAVENGER_SCHED transmit-rate percent 5
set SCAVENGER_SCHED buffer-size percent 5
set SCAVENGER_SCHED priority low
set BEST_EFFORT_SCHED transmit-rate percent 55

Add the Scavenger scheduler to the scheduler map.

[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class CS1 scheduler SCAVENGER_SCHED

Apply the scheduler map to all core-facing interfaces.

[edit class-of-service interfaces]
set ge-2/1/1 scheduler-map QOS_SCHED_MAP
set ge-1/0/1 scheduler-map QOS_SCHED_MAP

Note: The above step should already have been completed.

Configure rewrite rules to ensure egress Scavenger packets will continue to be marked with DSCP CS1.

[edit class-of-service rewrite-rules]
set dscp REWRITE_DSCP import default forwarding-class CS1 loss-priority high code-point 001000

Apply the configured rewrite rules to all core-facing interfaces.

[edit class-of-service interfaces]
set ge-2/1/1 unit 0 rewrite-rules dscp REWRITE_DSCP
set ge-1/0/1 unit 0 rewrite-rules dscp REWRITE_DSCP

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y22M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001095, Rule-ID|SV-217081r604135_rule, STIG-ID|JUNI-RT-000770, STIG-Legacy|SV-101155, STIG-Legacy|V-90945, Vuln-ID|V-217081

Plugin: Juniper

Control ID: 2ed25eb59f099216382e76fb5a24123b51008a9b0df71386afcd59443c6c7ba0