Information
If the XNM-SSL service is configured, the Rate Limit should be set.
JUNOScript can be configured to use SSL transport to prevent the exposure of sensitive data and authentication details on the network. If configured the XNM-SSL service will provide services on port TCP/3220.
An attacker may attempt to open a large number of sessions to the XNM-SSL service to exhaust the router's resources, or an authorized user may do so accidentally, which is a real risk given that the service is designed as a scripting interface to JUNOS and is therefore driven by automated clients rather than by interactive users.
To limit the impact of any such incident, the rate at which new connections to the XNM-SSL service are accepted should be explicitly limited. Rate Limits are expressed as a number of connection attempts per minute; already established sessions do not count towards this figure (the separate connection-limit setting governs those). A relatively low value of 60 (the equivalent of one attempt per second, sustained over a minute) is recommended, but may not be appropriate for all environments, so the exact value is left to the administrator's discretion.
If the Rate Limit is exceeded, new connection attempts will be rejected until the new connection rate drops below the configured limit.
Solution
The XNM-SSL Rate Limit can be configured by issuing the following command from the [edit system services xnm-ssl] hierarchy:
[edit system services xnm-ssl]
user@host# set rate-limit <limit>
Where <limit> is the desired Rate Limit measured in Connection Attempts per Minute.
The XNM-SSL Service is disabled by default. When it is first configured, and no rate-limit is set, the default Rate Limit of 150 connection attempts per minute applies, which is higher than the value recommended above.
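The following is an added example, not part of the benchmark text or of any Juniper tooling: a small Python audit that applies the check above to a Junos configuration captured with `show configuration | display set`. It assumes that format, treats an xnm-ssl stanza with no explicit rate-limit as running at the 150 per minute default described above, and uses the recommended ceiling of 60 only as an advisory warning, since the control itself only requires that the limit be set. The configuration fragments and the certificate name `router-cert` are constructed for the example.

```python
"""Audit a Junos 'display set' configuration for the XNM-SSL rate-limit control."""
import re
from dataclasses import dataclass
from typing import Optional

JUNOS_DEFAULT_RATE_LIMIT = 150   # attempts per minute when rate-limit is not set
RECOMMENDED_RATE_LIMIT = 60      # the benchmark's suggested ceiling (advisory)

# Any line under the xnm-ssl stanza means the service is enabled.
XNM_SSL_STANZA = re.compile(r"^set system services xnm-ssl(?:\s|$)")
RATE_LIMIT_LINE = re.compile(r"^set system services xnm-ssl rate-limit (\d+)$")


@dataclass
class XnmSslFinding:
    configured: bool              # is the xnm-ssl service enabled at all?
    rate_limit: Optional[int]     # effective limit (explicit or default); None if disabled
    explicit: bool                # was rate-limit set by the administrator?
    compliant: bool               # control satisfied (service disabled, or limit set)
    above_recommendation: bool    # limit set, but higher than the recommended 60
    remediation: Optional[str]    # Junos command to apply when not compliant


def audit_xnm_ssl_rate_limit(config_set_text: str,
                             ceiling: int = RECOMMENDED_RATE_LIMIT) -> XnmSslFinding:
    configured = False
    explicit_limit: Optional[int] = None
    for raw in config_set_text.splitlines():
        line = raw.strip()
        if not XNM_SSL_STANZA.match(line):
            continue
        configured = True
        m = RATE_LIMIT_LINE.match(line)
        if m:
            explicit_limit = int(m.group(1))

    if not configured:
        # Disabled by default: nothing listening on TCP/3220, control not applicable.
        return XnmSslFinding(False, None, False, True, False, None)

    effective = explicit_limit if explicit_limit is not None else JUNOS_DEFAULT_RATE_LIMIT
    is_set = explicit_limit is not None
    remediation = None if is_set else f"set system services xnm-ssl rate-limit {ceiling}"
    return XnmSslFinding(True, effective, is_set, is_set, is_set and effective > ceiling, remediation)


# Constructed sample configurations (not captured from a real device).
NONCOMPLIANT_CONFIG = """\
set system services ssh rate-limit 60
set system services xnm-ssl local-certificate router-cert
set system services xnm-ssl connection-limit 10
"""

COMPLIANT_CONFIG = NONCOMPLIANT_CONFIG + "set system services xnm-ssl rate-limit 60\n"

HIGH_LIMIT_CONFIG = NONCOMPLIANT_CONFIG + "set system services xnm-ssl rate-limit 200\n"

SERVICE_DISABLED_CONFIG = "set system services ssh rate-limit 60\n"


if __name__ == "__main__":
    for name, cfg in [("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG),
                      ("high-limit", HIGH_LIMIT_CONFIG), ("disabled", SERVICE_DISABLED_CONFIG)]:
        print(name, audit_xnm_ssl_rate_limit(cfg))
```

The audit deliberately separates "limit not set" (a failed control, with the remediation command emitted) from "limit set but above 60" (a warning only), mirroring the text's distinction between the mandatory setting and the discretionary value.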