(VRRP:Virtual Router Redundancy Protocol)
虛擬路由器冗餘協議(VRRP)是一種選擇協議,它可以把一個虛擬路由器的責任動態分配到區域網上的 VRRP 路由器中的一台。控制虛擬路由器
IP 地址的 VRRP 路由器稱為主路由器,它負責轉發數據包到這些虛擬 IP
地址。一旦主路由器不可用,這種選擇過程就提供了動態的故障轉移機制,這就允許虛擬路由器的 IP 地址可以作為終端主機的默認第一跳路由器。使用
VRRP 的好處是有更高的默認路徑的可用性而無需在每個終端主機上配置動態路由或路由發現協議。(http://www.twwiki.com/wiki/VRRP)
Juniper
EX-3200 為例
Virtual IP : 192.168.1.10
第一台 IP : 192.168.1.11
第二台 IP : 192.168.1.12
#set vlans VLAN10 vlan-id 10
#set vlans VLAN10 l3-interface vlan.10
第一台
#set interfaces vlan unit 10 family inet address 192.168.1.11/24
#set interfaces vlan unit 10 family inet address 192.168.1.11/24 vrrp-group 0 virtual-address 192.168.1.10
#set interfaces vlan unit 10 family inet address 192.168.1.11/24 vrrp-group 0 priority 200
***priority 高的為 Master***
第二台
#set interfaces vlan unit 10 family inet address 192.168.1.12/24
#set interfaces vlan unit 10 family inet address 192.168.1.12/24 vrrp-group 0 virtual-address 192.168.1.10
#set interfaces vlan unit 10 family inet address 192.168.1.12/24 vrrp-group 0 priority 100
>show vrrp
Cisco
第一台
R1(config)# interface ethernet0/1
R1(config-if)# ip address 192.168.1.11 255.255.255.0
R1(config-if)# vrrp 1 ip 192.168.1.10
R1(config-if)# vrrp 1 priority 200
R1(config-if)# vrrp 1 authentication md5 key-string cisco
R1(config-if)# no shut
第二台
R2(config)# interface ethernet0/1
R2(config-if)# ip address 192.168.1.12 255.255.255.0
R1(config-if)# vrrp 1 ip 192.168.1.10
R1(config-if)# vrrp 1 priority 100
R2(config-if)# vrrp 1 authentication md5 key-string cisco
R2(config-if)# no shut
2014年2月18日 星期二
NTP DDOS 攻擊
2014年2月出現在歐洲的新攻擊方式,基本上跟 DNS DDOS 攻擊很像
http://technews.tw/2014/02/11/united-states-warning-through-scheduled-server-ntp-new-ddos-hack-attack-tactics/
http://ssorc.tw/?p=4236
http://blog.gslin.org/archives/2014/02/13/4254/%E6%9C%80%E8%BF%91%E7%9A%84-ntp-attack-%E7%9A%84%E6%AA%A2%E6%B8%AC/
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
http://www.computerweekly.com/news/2240214216/NTP-based-DDoS-attacks-a-concern-says-Cloudflare
解決辦法
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
Juniper 的設定方法,Firewall Filter (類似 Cisco ACL)
remote-login ( filter name )
allow-ntp、 deny-ntp ( term name )
set firewall family inet filter remote-login term allow-ntp from source-address 59.124.196.84/32 //設定來源IP
set firewall family inet filter remote-login term allow-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term allow-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term allow-ntp then accep //符合條件的話允許通過
下列的 term 不同,因為一個 port 只能套用一條 filter ,因此想要設定多項過濾設定就必須用 term 來做區分。
set firewall family inet filter remote-login term deny-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term deny-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term deny-ntp then discard //符合條件的話就阻擋
set interfaces lo0 unit 1 family inet filter input remote-login //套用在 lookback 1的 port 上
set system ntp server 59.124.196.84 prefer //設定 NTP Server IP ,prefer 為優先使用
set system ntp server 192.168.1.254 //設定 NTP Server IP
set system ntp source-address 192.168.1.1 //限制 NTP 的封包來源
上面是 switch 的設定,下列是 route的設定,只差在開頭不同。
set firewall filter ntp term allow-ntp from source-address 59.124.196.84/32
set firewall filter ntp term allow-ntp from protocol udp
set firewall filter ntp term allow-ntp from destination-port ntp
set firewall filter ntp term allow-ntp then accept
set firewall filter ntp term deny-ntp from protocol udp
set firewall filter ntp term deny-ntp from destination-port ntp
set firewall filter ntp term deny-ntp then discard
set firewall filter ntp term not-ntp then accept
http://technews.tw/2014/02/11/united-states-warning-through-scheduled-server-ntp-new-ddos-hack-attack-tactics/
http://ssorc.tw/?p=4236
http://blog.gslin.org/archives/2014/02/13/4254/%E6%9C%80%E8%BF%91%E7%9A%84-ntp-attack-%E7%9A%84%E6%AA%A2%E6%B8%AC/
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
http://www.computerweekly.com/news/2240214216/NTP-based-DDoS-attacks-a-concern-says-Cloudflare
解決辦法
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
Juniper 的設定方法,Firewall Filter (類似 Cisco ACL)
remote-login ( filter name )
allow-ntp、 deny-ntp ( term name )
set firewall family inet filter remote-login term allow-ntp from source-address 59.124.196.84/32 //設定來源IP
set firewall family inet filter remote-login term allow-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term allow-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term allow-ntp then accep //符合條件的話允許通過
下列的 term 不同,因為一個 port 只能套用一條 filter ,因此想要設定多項過濾設定就必須用 term 來做區分。
set firewall family inet filter remote-login term deny-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term deny-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term deny-ntp then discard //符合條件的話就阻擋
set interfaces lo0 unit 1 family inet filter input remote-login //套用在 lookback 1的 port 上
set system ntp server 59.124.196.84 prefer //設定 NTP Server IP ,prefer 為優先使用
set system ntp server 192.168.1.254 //設定 NTP Server IP
set system ntp source-address 192.168.1.1 //限制 NTP 的封包來源
上面是 switch 的設定,下列是 route的設定,只差在開頭不同。
set firewall filter ntp term allow-ntp from source-address 59.124.196.84/32
set firewall filter ntp term allow-ntp from protocol udp
set firewall filter ntp term allow-ntp from destination-port ntp
set firewall filter ntp term allow-ntp then accept
set firewall filter ntp term deny-ntp from protocol udp
set firewall filter ntp term deny-ntp from destination-port ntp
set firewall filter ntp term deny-ntp then discard
set firewall filter ntp term not-ntp then accept
訂閱:
文章 (Atom)