Is it possible to block IKE from reaching a Netscreen's control plane?

Question

I have an issue where a Netscreen 25 is being flooded with IKE packets from an unrelated source, which at times is overloading the firewall's processing capacity. I see thousands of log entries indicating that the IKE messages are being rejected:

Rejected an IKE packet on ethernet1 from x.x.x.x:500 to y.y.y.y:500 with cookies c423bfd6ca96608b and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

Is there a way to filter the control plane of the firewall so that these packets are dropped at the interface edge rather than processed and rejected? This would be done with a simple interface ACL on a Cisco router or ASA, but I'm not sure how to go about this on ScreenOS.

Answer 1

You could try terminating the VPN tunnels on the IP address of a loopback interface, and creating a policy rule to specify what sources are (not) allowed to contact this VPN endpoint. If the loopback interface is in the same zone as the interface receiving the traffic, enable "block intra-zone traffic" for this zone and specify a rule to permit your VPNs.

Answer 2

That should be caught by the default dos-protection-group. No? Do you have, perhaps, 'unset ike dos-protection' ?

What does 'show suspicious-control-flow-detection ike' show?

Answer 3

Short answer, no.

Long answer, no and..

Basically the netscreens will listen for any IKE packets coming to the device and attempt to process them. While it's a vector for attacks I haven't seen juniper change this behavior.

Short of filling up your event log it shouldn't do much assuming it's a single source attempting to stand up a VPN tunnel to you. If you think it's impacting your performance you can check 'get cpu perf all detail" and see the task/flow CPU usage.