Using Counters to Determine Whether a Router Is Under Attack
Problem
You want to count traffic on an interface to help determine whether a router is under attack.
Solution
If you suspect that an attack includes TCP packets, add a counter to the firewall term that counts all TCP traffic:
[edit firewall filter protect-RE2]
aviva@RouterF# set term tcp then count tcp-counter
To have the counter take effect, apply the firewall filter to the router's lo0 interface:
[edit interfaces]
aviva@RouterF# set lo0 unit 0 family inet filter input protect-RE2
For more fine-grained counting of the TCP traffic, define additional filter terms:
[edit firewall filter tcp-flooding]
aviva@RouterF# set term syn from protocol tcp
aviva@RouterF# set term syn from tcp-flags syn
aviva@RouterF# set term syn then count packets-syn
aviva@RouterF# set term syn then log
aviva@RouterF# set term syn then accept
aviva@RouterF# set term rst from protocol tcp
aviva@RouterF# set term rst from tcp-flags rst
aviva@RouterF# set term rst then count packets-rst
aviva@RouterF# set term rst then log
aviva@RouterF# set term rst then accept
aviva@RouterF# set term fin from protocol tcp
aviva@RouterF# set term fin from tcp-flags fin
aviva@RouterF# set term fin then count packets-fin
aviva@RouterF# set term fin then log
aviva@RouterF# set term fin then accept
aviva@RouterF# set term tcp then count packets-tcp
aviva@RouterF# set term tcp then accept
Discussion
If the router comes under attack, the best way to spot the attack is by watching network flows and sampling traffic if necessary. Firewall filters also provide some clues about what is happening. If the attack packets match one of the rate-limited terms, the router will start dropping traffic. If they don't match any term, you will see a sudden increase in any counters that reject traffic (in Recipe 9.16, this is the discarded-packets counter). To determine what types of attack packets the router is receiving, add a counter to the appropriate firewall term.
If your traffic sampling indicates that the attack includes TCP packets, start by counting all the TCP packets. The set term tcp then count tcp-counter command in this recipe adds a counter to the tcp term in Recipe 9.16.
If you determine that a TCP flooding attack of some kind might be underway, you can replace the tcp term with a series of terms that count each type of TCP control packet, or you can create a separate filter that does this and apply it to the interface instead; here, that filter is tcp-flooding. The first term, configured with the set term syn commands, matches, counts, logs, and accepts TCP SYN packets. The second and third terms do the same for TCP RST and FIN packets. A final term accepts and counts all the TCP packets.
To help you figure out what's going on with the attack, look at the number of TCP SYN, RST, and FIN packets received as a percentage of all TCP traffic received (counted in the packets-tcp counter). If the router already has a number of established TCP connections and you suddenly see that TCP RST, FIN, or SYN packets start to make up more than 10 percent of the total TCP packets, this is an indication of unusual and unexpected router activity. You should also check the rate at which the counters are changing. If you use a filter like this to monitor your standard day-to-day traffic when you are not under attack, you will have a better handle on what the normal and unusual TCP packet ratios are on the router.
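The ratio and rate checks described above, worked through as an added example (not from the cookbook): it parses two constructed snapshots of show firewall filter tcp-flooding output (the column layout is an approximation of real Junos output, so the regex is an assumption), takes the per-interval deltas, and flags any control-packet type above the 10 percent threshold. Because each term's accept action ends filter evaluation, a packet is counted by exactly one of the four terms, so the denominator here is the sum of all four deltas.

```python
import re

# Constructed sample output: two snapshots taken 60 seconds apart.
SNAPSHOT_T0 = """\
Filter: tcp-flooding
Counters:
Name                                                Bytes              Packets
packets-syn                                         60000                 1000
packets-rst                                         12000                  300
packets-fin                                          8000                  200
packets-tcp                                       9250000                18500
"""
SNAPSHOT_T1 = """\
Filter: tcp-flooding
Counters:
Name                                                Bytes              Packets
packets-syn                                       2460000                41000
packets-rst                                         32000                  800
packets-fin                                         20000                  500
packets-tcp                                      12850000                25700
"""

# Assumed layout: counter name, byte count, packet count on one line.
COUNTER_RE = re.compile(r"^(packets-[a-z]+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


def parse_counters(output):
    """Return {counter_name: packet_count} from show firewall output."""
    return {name: int(pkts) for name, _bytes, pkts in COUNTER_RE.findall(output)}


def tcp_control_ratios(before, after, interval_s, threshold=0.10):
    """Per-type packet deltas, share of all TCP packets, pps, and a flag."""
    # If a counter went down it was cleared (clear firewall); use the new value.
    delta = {k: after[k] - before[k] if after[k] >= before[k] else after[k]
             for k in before}
    total = sum(delta.values())  # each packet is counted by exactly one term
    report = {"total_pps": total / interval_s}
    for flag in ("syn", "rst", "fin"):
        n = delta[f"packets-{flag}"]
        ratio = n / total if total else 0.0
        report[flag] = {"packets": n, "ratio": ratio, "pps": n / interval_s,
                        "suspicious": ratio > threshold}
    return report


if __name__ == "__main__":
    result = tcp_control_ratios(parse_counters(SNAPSHOT_T0),
                                parse_counters(SNAPSHOT_T1), 60)
    for flag in ("syn", "rst", "fin"):
        r = result[flag]
        print(f"{flag}: {r['ratio']:.1%} of TCP, {r['pps']:.0f} pps,"
              f" suspicious={r['suspicious']}")
```

Run it against snapshots of your own filter before any incident to learn the normal ratios, then compare during an incident; adjust the threshold to your baseline.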
See Also
Recipe 9.16