Juniper – How to Get Around ‘Configure One Application-DDOS Definition for Each Protected Server’ in Juniper SRX IDP

juniperjuniper-junossrx

When using an SRX (we have a 1400) to protect a server we can create an application-ddos rule for DNS, but what if we want to protect it against SQL exploit attempts like "SaAdmin" login attempts?

In the JUNOS guide, it states,

"Note: Application-level denial-of-service (application-level DDoS)
detection will not work if two rules with different application-level
DDoS applications process traffic going to a single destination
application server."

It's almost as if you can protect a server from only one protocol's exploits at a time. If that's not the case, how is it done? I haven't seen a single configuration for SRX IDP that shows a specific destination protected for more than a single application/protocol. What happens if you want to protect your webserver from HTTP and FTP exploits?

Best Answer

I would recommend not using AppDDoS moving forward. Juniper announced its deprecation some time ago, and this is probably the reason you can't find many solid examples of its use: http://kb.juniper.net/InfoCenter/index?page=content&id=KB28592&actp=search&viewlocale=en_US&searchid=1374905420170

Ironically, that KB recommends using the DDos Secure Product which has also been canned.

To somewhat reproduce AppDDoS behaviour, you can do the following:

Create a custom-attack referencing the protocol you are specifically hunting (e.g.: SQL), and just pick a context to match a normal operation (e.g.: mssql-login). You can then apply time-binding count 100 to it, which basically means - if you see 100 of these within a minute, this is an attack. The scope variable determines: from a single source to multiple destinations (DoS), from multiple sources to a single destination (DDoS), or just a single a single peer to a single destination.

The whole thing looks like:

custom-attack SQL-DDOS {
    recommended-action drop;
    severity major;
    time-binding {
        count 100;
        scope destination;
    }
    attack-type {
        signature {
            context mssql-login;
            direction client-to-server;
            protocol {
                tcp {
                    destination-port {
                        match equal;
                        value 1433;
                    }
                }
            }
        }
    }
}

Reference your attack(s) in an IPS policy, and make the then term something like:

idp-policy FRONTEND-SERVICS {
   rulebase-ips {
        rule SQL-SERVER {
            match {
                application junos-ms-sql;
                attacks {
                    custom-attacks SQL-DDOS;
                }
            }
            then {
                action {
                    drop-connection;
                }
                ip-action {
                    ip-block;
                    target source-address;
                    log;
                    timeout 60;
                    refresh-timeout;
                }
            }
        }
    }
}

This will put in an ip-block action against any source addresses that trigger this attack for 1 minute, and if any further attacks from the same source are detected (e.g.: it's a dumb bot), keep restarting the 60-second timer every time you see one.

Related Solutions

Juniper Switch – How to Configure 2 LAN as Input and One Output Ports

The basic process is as follows:

Configure your VLANs

set vlans v100-INTERNAL1 vlan-id 100
set vlans v101-INTERNAL2 vlan-id 101
set vlans v102-EXTERNAL vlan-id 102

Attach VLANs to switch ports

set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan-members v100-INTERNAL1
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan-members v101-INTERNAL2
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan-members v102-EXTERNAL

Configure IP Interfaces

set interfaces vlan unit 100 family inet address 192.168.100.1/24
set interfaces vlan unit 101 family inet address 192.168.101.1/24
set interfaces vlan unit 102 family inet address 192.168.102.1/24

Attach IP interfaces to VLANs

set vlans v100-INTERNAL1 l3-interface vlan.100
set vlans v101-INTERNAL2 l3-interface vlan.101
set vlans v102-EXTERNAL l3-interface vlan.102

Configure a default route

set routing-options static route 0.0.0.0/0 next-hop 192.168.102.254

Create Security Zones

set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone EXTERNAL host-inbound-traffic ping

Attach IP Interfaces to Security Zones

set security zones security-zone EXTERNAL interfaces vlan.102
set security zones security-zone INTERNAL interfaces vlan.100
set security zones security-zone INTERNAL interfaces vlan.101

Create security policies

set security policies from-zone INTERNAL to-zone EXTERNAL policy PERMIT-OUTBOUND match source-address any destination-address any application any
set security policies from-zone INTERNAL to-zone EXTERNAL policy PERMIT-OUTBOUND then permit
set security policies from-zone INTERNAL to-zone INTERNAL policy PERMIT-INTERNAL match source-address any destination-address any application any
set security policies from-zone INTERNAL to-zone INTERNAL policy PERMIT-INTERNAL then permit

Hopefully the topology is fairly self-explanatory - just substitute the IP Addresses you wish to use.

If you are connecting to the Internet on the EXTERNAL network, I would recommend tightening up the security policies to only allow specific subnets out, and specific applications

How to Configure Juniper EX Switch for Anti-Bruteforcing

Ideally you want to use SSH Key-based authentication and move away from user-based as much as possible, but in areas where I need to use username and password logging, I tend to standardise on the following:

set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 10
set system login retry-options tries-before-disconnect 3
set system ssh root-login deny
set system ssh protocol-version v2
set system ssh max-sessions-per-connection 1
set system ssh client-alive-interval 30

This gives you three guesses at the password, but after the 2nd wrong attempt, it will make you wait 10 seconds before having a third go.

This also stops the root account from being able to log in remotely (instead you can escalate to root via su in the shell later)

Be very careful with set system login retry-options lockout-period - it does not work per IP as fail2ban does, but instead works by username (which is pretty disappointing for a security feature).

This means if someone bruteforces your legitimate username, they will lock your account out continuously and you will be unable to log into your own device.

This raises a final point which is to make your network infrastructure username unique eg: not your email address prefix, and not generic accounts such as admin.

Best Answer

Related Solutions

Juniper Switch – How to Configure 2 LAN as Input and One Output Ports

How to Configure Juniper EX Switch for Anti-Bruteforcing

Related Topic