When using an SRX (we have a 1400) to protect a server we can create an application-ddos rule for DNS, but what if we want to protect it against SQL exploit attempts like "SaAdmin" login attempts?
In the JUNOS guide, it states,
"Note: Application-level denial-of-service (application-level DDoS) detection will not work if two rules with different application-level DDoS applications process traffic going to a single destination application server."
It's almost as if you can protect a server from only one protocol's exploits at a time. If that's not the case, how is it done? I haven't seen a single configuration for SRX IDP that shows a specific destination protected for more than a single application/protocol. What happens if you want to protect your webserver from HTTP and FTP exploits?
Best Answer
I would recommend not using AppDDoS moving forward. Juniper announced its deprecation some time ago, and this is probably the reason you can't find many solid examples of its use: http://kb.juniper.net/InfoCenter/index?page=content&id=KB28592&actp=search&viewlocale=en_US&searchid=1374905420170
Ironically, that KB recommends using the DDoS Secure product, which has also been canned.
To somewhat reproduce AppDDoS behaviour, you can do the following:
Create a custom-attack referencing the protocol you are specifically hunting (e.g.: SQL), and just pick a context to match a normal operation (e.g.: mssql-login). You can then apply
time-binding count 100
to it, which basically means - if you see 100 of these within a minute, this is an attack. The scope variable determines: from a single source to multiple destinations (DoS), from multiple sources to a single destination (DDoS), or just a single peer to a single destination. The whole thing looks like:
Reference your attack(s) in an IPS policy, and make the
then
term something like: This will put in an ip-block action against any source addresses that trigger this attack for 1 minute, and if any further attacks from the same source are detected (e.g.: it's a dumb bot), keep restarting the 60-second timer every time you see one.