How to Limit Traffic on Junos Router Interfaces
In order to thwart one type of denial of service (DoS) attack on your Junos router, you can use Junos policers to tell the router what to do to limit the impact of such an attack.
Some DoS attacks on routers work by inundating the router with traffic, sending so much traffic to router interfaces so quickly that the interfaces are overwhelmed and can’t handle the regular traffic that should be passing through the interface.
One method to combat this attack is to use Junos policers, which you can specify when you define the action a firewall filter should take. Policers allow you to place limits on the amount of traffic (or even just a type of traffic) that an interface can receive, which can limit the impact of DoS attacks.
Policers control the maximum allowed bandwidth (the average number of bits per second) and the maximum allowed size of a single burst of traffic when the bandwidth limit is exceeded. Any traffic received beyond the set limits is dropped.
Policers are used in the action (then) portion of a firewall filter. To use them in a firewall filter, you first define the policer. The following example creates a policer called police-ssh-telnet that sets a maximum traffic rate (bandwidth) of 1 Mbps and the maximum size of a traffic burst exceeding this limit (burst size) of 25K. Traffic exceeding these limits is discarded.
[edit firewall]
fred@router# set policer police-ssh-telnet if-exceeding bandwidth-limit 1m
[edit firewall]
fred@router# set policer police-ssh-telnet if-exceeding burst-size-limit 25k
[edit firewall]
fred@router# set policer police-ssh-telnet then discard
Then include the policer in a firewall filter action. For example, you can add it to an SSH/Telnet firewall filter that already exists on the router’s loopback interface:
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term then policer police-ssh-telnet
[edit firewall]
fred@router# set filter limit-ssh-telnet term access-term then accept
Traffic that conforms to the limits in the policer will take the action you specify in the firewall term — in this case, it is accepted — whereas traffic that exceeds the limits in the policer will take the action specified there — in this case, it is discarded.
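To make the interaction between bandwidth-limit and burst-size-limit concrete, the following is an added simulation written for this page; it is not Juniper's code and models the policer as a simplified single-rate token bucket rather than reproducing the platform's exact implementation. It uses the same values as the policer above (1 Mbps, 25k bytes of burst), and the packet sizes and arrival times are constructed for the demonstration.

```python
# Added example: simplified token-bucket model of a Junos policer (not Juniper code).
# Tokens are bytes. The bucket refills at bandwidth_bps / 8 bytes per second and
# never holds more than burst_bytes, which is what burst-size-limit bounds.
from dataclasses import dataclass, field


@dataclass
class Policer:
    bandwidth_bps: int          # Junos bandwidth-limit, bits per second (1m = 1_000_000)
    burst_bytes: int            # Junos burst-size-limit, bytes (25k = 25_000)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A fresh policer starts with a full bucket, so a burst up to
        # burst_bytes is accepted even before any refill has happened.
        self.tokens = float(self.burst_bytes)

    def police(self, t: float, length: int) -> str:
        """Return 'accept' if the packet conforms, else 'discard' (the policer's then action)."""
        elapsed = max(0.0, t - self.last_time)
        refill = elapsed * self.bandwidth_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_time = t
        if length <= self.tokens:
            self.tokens -= length
            return "accept"
        return "discard"


def police_stream(policer: Policer, packets: list[tuple[float, int]]) -> tuple[int, int]:
    """Run (arrival_time_seconds, length_bytes) packets through the policer.
    Returns (accepted, discarded) counts."""
    accepted = discarded = 0
    for t, length in packets:
        if policer.police(t, length) == "accept":
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


def flood_demo() -> tuple[int, int]:
    """Constructed flood: 40 x 1000-byte packets at t=0, then 20 more at t=0.1s.
    The first 25 fit in the 25k burst; 100 ms of refill at 1 Mbps is 12,500 bytes,
    which admits 12 more. Expected result: (37, 23)."""
    policer = Policer(bandwidth_bps=1_000_000, burst_bytes=25_000)
    packets = [(0.0, 1000)] * 40 + [(0.1, 1000)] * 20
    return police_stream(policer, packets)


def conforming_demo() -> tuple[int, int]:
    """Constructed conforming flow: 1000-byte packets every 10 ms (800 kbps),
    which stays under the 1 Mbps limit, so nothing is discarded. Expected: (100, 0)."""
    policer = Policer(bandwidth_bps=1_000_000, burst_bytes=25_000)
    packets = [(i / 100, 1000) for i in range(100)]
    return police_stream(policer, packets)


if __name__ == "__main__":
    print("flood:", flood_demo())
    print("conforming:", conforming_demo())
```

Two things the numbers show: the burst size decides how much of a sudden spike reaches the Routing Engine before the policer starts discarding, and the bandwidth limit decides how quickly the policer recovers room for legitimate management traffic once the spike subsides. When you tune burst-size-limit on a real filter, watch the discard counter for the policer (for example with the policer counters the router exposes) so that you can tell whether normal SSH/Telnet sessions are being caught by a limit set too low.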
Rate-limiting traffic flow to the Routing Engine by defining policers is a good security practice to prevent the Routing Engine from being overwhelmed by unwanted traffic or by possible attacks on the router. All the routing protocol processes run on the Routing Engine, which is critical to the core operation of the router itself. When these processes can’t run normally, the result can be a destabilization of the network.