APNIC, profile picture
Uploaded byAPNIC
2,947 views

DDoS Mitigation using BGP Flowspec

This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.

Embed presentation

Copyright © 2014 Juniper Networks, Inc.1 DDoS Mitigation Using BGP Flowspec Justin Ryburn Consulting Engineer jryburn@juniper.net
Copyright © 2014 Juniper Networks, Inc.2 Background •  Who is this guy? •  http://www.linkedin.com/in/justinryburn •  Why this topic? •  Experience tracking DDoS “back in the day”
Copyright © 2014 Juniper Networks, Inc.3 Agenda •  Problem Statement •  Legacy DDoS Mitigation Methods •  BGP Flowspec Overview •  Use Case Examples •  State of the Union
Copyright © 2014 Juniper Networks, Inc.4 Problem Statement
Copyright © 2014 Juniper Networks, Inc.5 Copyright © 2014 Juniper Networks, Inc.5 Is DDoS Really an Issue? “…taking down a site or preventing transactions is only the tip of the iceberg. A DDoS attack can lead to reputational losses or legal claims over undelivered services.” Kaspersky Lab [1] Verisign [2] “Attacks in the 10 Gbps and above category grew by 38% from Q2 … Q3.” NBC News [3] “…more than 40 percent estimated DDoS losses at more than $1 million per day.” Tech Times [4] “DDoS attack cripples Sony PSN while Microsoft deals with Xbox Live woes”
Copyright © 2014 Juniper Networks, Inc.6 Legacy DDoS Mitigation Methods
Copyright © 2014 Juniper Networks, Inc.7 Blocking DDoS in the “Old” Days Service Provider Internet Enterprise or DC 203.0.113.1   203.0.113.0/24   203.0.113.0/24   “HELP”  I’m  being  a1acked.   NOC  might  connect  to  each   router  and  add  filter   x SP NOC •  Easy to implement and uses well understood constructs •  Requires high degree of co-ordination between customer and provider •  Cumbersome to scale in a large network perimeter •  Mis-configuration possible and expensive 203.0.113.0/24  
Copyright © 2014 Juniper Networks, Inc.8 Destination Remotely Triggered Black Hole (D/RTBH) Service Provider Internet Enterprise or DC 203.0.113.1   203.0.113.1/32   203.0.113.1/32   VicAm  iniAates  RTBH   announcement   BGP  Prefix  with  next-­‐hop   set  to  discard  route.   x •  RFC 3882 circa 2004 •  Requires pre-configuration of discard route on all edge routers •  Victim’s destination address is completely unreachable but attack (and collateral damage) is stopped. 203.0.113.1/32  
Copyright © 2014 Juniper Networks, Inc.9 Source Remotely Triggered Black Hole (S/RTBH) •  RFC 5635 circa 2009 •  Requires pre-configuration of discard route and uRPF on all edge routers •  Victim’s destination address is still useable •  Only works for single (or small number) source. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  S/RTBH  on   route  server   x SP NOC BGP  prefix  with  next-­‐hop   pointed  at  discard  and   uRPF  enabled.  
Copyright © 2014 Juniper Networks, Inc.10 BGP FlowSpec Overview
Copyright © 2014 Juniper Networks, Inc.11 BGP Flow Specification •  Specific information about a flow can now be distributed using a BGP NLRI defined in RFC 5575 [5] circa 2009 •  AFI/SAFI = 1/133: Unicast Traffic Filtering Applications •  AFI/SAFI = 1/134: VPN Traffic Filtering Applications •  Flow routes are automatically validated against unicast routing information or via routing policy framework. •  Must belong to the longest match unicast prefix. •  Once validated, firewall filter is created based on match and action criteria.
Copyright © 2014 Juniper Networks, Inc.12 BGP Flow Specification •  BGP Flowspec can include the following information: •  Type 1 - Destination Prefix •  Type 2 - Source Prefix •  Type 3 - IP Protocol •  Type 4 – Source or Destination Port •  Type 5 – Destination Port •  Type 6 - Source Port •  Type 7 – ICMP Type •  Type 8 – ICMP Code •  Type 9 - TCP flags •  Type 10 - Packet length •  Type 11 – DSCP •  Type 12 - Fragment Encoding
Copyright © 2014 Juniper Networks, Inc.13 BGP Flow Specification •  Actions are defined using BGP Extended Communities: •  0x8006 – traffic-rate (set to 0 to drop all traffic) •  0x8007 – traffic-action (sampling) •  0x8008 – redirect to VRF (route target) •  0x8009 – traffic-marking (DSCP value)
Copyright © 2014 Juniper Networks, Inc.14 Vendor Support •  DDoS Detection Vendors: •  Arbor Peakflow SP 3.5 •  Accumuli DDoS Secure •  Router Vendors: •  Alcatel-Lucent SR OS 9.0R1 •  Juniper JUNOS 7.3 •  Cisco 5.2.0 for ASR and CRS [6] •  OpenSource BGP Software: •  ExaBGP
Copyright © 2014 Juniper Networks, Inc.15 What Makes BGP Flowspec Better? •  Same granularity as ACLs •  Based on n-tuple matching •  Same automation as RTBH •  Much easier to propagate filters to all edge routers in large networks •  Leverages BGP best practices and policy controls •  Same filtering and best practices used for RTBH can be applied to BGP Flowspec
Copyright © 2014 Juniper Networks, Inc.16 Caveats •  Forwarding Plane resources •  Creating dynamic firewall filters that use these resources •  More complex FS routes/filters will use more resources •  Need to test your vendors limits and what happens when it is hit •  Usually ways to limit the number and complexity of filters to avoid issues •  Not a replacement technology •  Should be ADDED to existing mitigation methods and not replace them •  When it goes wrong (bugs) it goes wrong fast •  Cloudflare outage: https://blog.cloudflare.com/todays-outage-post-mortem-82515/
Copyright © 2014 Juniper Networks, Inc.17 Use Case Examples
Copyright © 2014 Juniper Networks, Inc.18 Inter-domain DDoS Mitigation Using Flowspec Service Provider 203.0.113.1/32,*,17,53   Internet Enterprise or DC 203.0.113.1   VicAm  iniAates  Flowspec   announcement  for  53/UDP   only   BGP  Prefix  installed  with   acAon  set  to  rate  0.   x •  Allows ISP customer to initiate the filter. •  Requires sane filtering at customer edge.
Copyright © 2014 Juniper Networks, Inc.19 Intra-domain DDoS Mitigation Using Flowspec •  Could be initiated by phone call, detection in SP network, or a web portal for the customer. •  Requires co-ordination between customer and provider. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  Flowpec   route  on  route  server   x SP NOC BGP  Prefix  installed  with   acAon  set  to  rate  0.  
Copyright © 2014 Juniper Networks, Inc.20 DDoS Mitigation Using Scrubbing Center •  Could be initiated by phone call, detection in SP network, or a web portal for the customer. •  Allows for mitigating application layer attacks without completing the attack. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  Flowpec   route  on  route  server   x SP NOC BGP  Prefix  installed  with   acAon  set  to  redirect.   Scrubbing Center A1ack  traffic  is  scrubbed   by  DPI  appliance.   LegiAmate  traffic  sent  to   customer  via  GRE  or  VRF   tunnel.  
Copyright © 2014 Juniper Networks, Inc.21 Real World Example (TDC) "Where I think FlowSpec excels, is for protection of our mobile platform. 2 /24s are shared among a million mobile devices with NAT in a firewall. The link capacity (and in part the firewall itself) is overloaded by a simple DDoS attack against just one of these adresses. The system detects a DoS attack against an address on the firewall. It will identify total traffic, UDP, fragments, TCP SYN, ICMP, whatever, and depending on what kind of attack it is, a policer is added for the specific protocol/attack on individual peering routers. Protocols are policed with individual policers, so that for instance UDP and TCP SYN can be policed to different throughputs. Basically, an attack against a single IP on UDP will not affect other customers being NAT'ed to the same address, using anything but UDP - and link capacity is protected."
Copyright © 2014 Juniper Networks, Inc.22 Real World Example •  Attack on 1/13/16
Copyright © 2014 Juniper Networks, Inc.23 Where Are We Going? •  IPv6 Support •  http://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-06 •  Relaxing Validation •  http://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-02 •  Redirect to IP Action •  https://tools.ietf.org/html/draft-ietf-idr-flowspec-redirect-ip-02
Copyright © 2014 Juniper Networks, Inc.24 State of the Union
Copyright © 2014 Juniper Networks, Inc.25 Summary of Survey •  Great idea and would love to see it take off but… •  Enterprises and Content Providers are waiting for ISPs to accept their Flowspec routes. •  Some would even be willing to switch to an ISP that did this. •  ISPs are waiting for vendors to support it. •  More vendors supporting it •  Specific features they need for their environment •  Better scale or stability
Copyright © 2014 Juniper Networks, Inc.26 References •  [1] Kaspersky Lab – Every Third Public Facing Company Encounters DDoS Attacks http://tinyurl.com/neu4zzr •  [2] Verisign – 2014 DDoS Attack Trends http://tinyurl.com/oujgx94 •  [3] NBC News – Internet Speeds are Rising Sharply, But So Are Hack Attacks http://tinyurl.com/q4u2b7m •  [4] Tech Times – DDoS Attack Cripples Sony PSN While Microsoft Deals with Xbox Live Woes http://tinyurl.com/kkdczjx •  [5] RFC 5575 - Dissemination of Flow Specification Rules http://www.ietf.org/rfc/rfc5575.txt •  [6] Cisco - Implementing BGP Flowspec http://tinyurl.com/mm5w7mo •  [7] Cisco – Understanding BGP Flowspec http://tinyurl.com/l4kwb3b
Copyright © 2014 Juniper Networks, Inc.27 More Information •  NANOG PDF •  NANOG YouTube Video •  Day One Guide
Thank You!

More Related Content

PPTX
BGP Flowspec (RFC5575) Case study and Discussion
byAPNIC
 
PDF
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
byCisco Russia
 
PPTX
Cisco Live Milan 2015 - BGP advance
byBertrand Duvivier
 
PDF
GoBGP : yet another OSS BGPd
byPavel Odintsov
 
PDF
MPLS L3 VPN Deployment
byAPNIC
 
PPT
Mpls
byFasih Rehman
 
PPTX
Ethernet VPN (EVPN) EVerything Provider Needs
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Tutorial: Using GoBGP as an IXP connecting router
byShu Sugimoto
 
BGP Flowspec (RFC5575) Case study and Discussion
byAPNIC
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
byCisco Russia
 
Cisco Live Milan 2015 - BGP advance
byBertrand Duvivier
 
GoBGP : yet another OSS BGPd
byPavel Odintsov
 
MPLS L3 VPN Deployment
byAPNIC
 
Mpls
byFasih Rehman
 
Ethernet VPN (EVPN) EVerything Provider Needs
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Tutorial: Using GoBGP as an IXP connecting router
byShu Sugimoto
 

What's hot

PPTX
BGP FlowSpec experience and future developments
byPavel Odintsov
 
PDF
An Introduction to BGP Flow Spec
byShortestPathFirst
 
PPTX
FastNetMon Advanced DDoS detection tool
byPavel Odintsov
 
PDF
Multi Chassis LAG for Cloud builders
byJuniper Networks (日本)
 
PDF
ISE-CiscoLive.pdf
byssuserf4db0a
 
PDF
Demystifying EVPN in the data center: Part 1 in 2 episode series
byCumulus Networks
 
PPTX
Vxlan control plane and routing
byWilfredzeng
 
PDF
Mobile Transport Evolution with Unified MPLS
byCisco Canada
 
PDF
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
byBruno Teixeira
 
PPT
Deploying Carrier Ethernet features on ASR 9000
byVinod Kumar Balasubramanyam
 
PDF
EVPN Introduction
byBangladesh Network Operators Group
 
PPTX
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
byAPNIC
 
PPTX
Ccna ppt1
byAIRTEL
 
PDF
VXLAN BGP EVPN: Technology Building Blocks
byAPNIC
 
PPTX
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
PDF
How BGP Works
byThousandEyes
 
PDF
MPLS Traffic Engineering
byAPNIC
 
PDF
Cisco ospf
bysarasanandam
 
PPT
BGP Communities: A Guide for Service Provider Networks
byRichard Steenbergen
 
PPT
Juniper mpls best practice part 1
byFebrian ‎
 
BGP FlowSpec experience and future developments
byPavel Odintsov
 
An Introduction to BGP Flow Spec
byShortestPathFirst
 
FastNetMon Advanced DDoS detection tool
byPavel Odintsov
 
Multi Chassis LAG for Cloud builders
byJuniper Networks (日本)
 
ISE-CiscoLive.pdf
byssuserf4db0a
 
Demystifying EVPN in the data center: Part 1 in 2 episode series
byCumulus Networks
 
Vxlan control plane and routing
byWilfredzeng
 
Mobile Transport Evolution with Unified MPLS
byCisco Canada
 
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
byBruno Teixeira
 
Deploying Carrier Ethernet features on ASR 9000
byVinod Kumar Balasubramanyam
 
EVPN Introduction
byBangladesh Network Operators Group
 
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
byAPNIC
 
Ccna ppt1
byAIRTEL
 
VXLAN BGP EVPN: Technology Building Blocks
byAPNIC
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
byAruba, a Hewlett Packard Enterprise company
 
How BGP Works
byThousandEyes
 
MPLS Traffic Engineering
byAPNIC
 
Cisco ospf
bysarasanandam
 
BGP Communities: A Guide for Service Provider Networks
byRichard Steenbergen
 
Juniper mpls best practice part 1
byFebrian ‎
 

Viewers also liked

PDF
Segment Routing: A Tutorial
byAPNIC
 
PPTX
BGP Monitoring Protocol
byBertrand Duvivier
 
PPTX
LISP and NSH in Open vSwitch
bymestery
 
PPTX
Ddos and mitigation methods.pptx (1)
bybtpsec
 
PPTX
2015-ShowNet -DDoS/IX/BGPFlowspec/External
byInterop Tokyo ShowNet NOC Team
 
PPTX
Radware Cloud Security Services
byRadware
 
PDF
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
byMyNOG
 
PDF
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
byShuichi Ohkubo
 
PDF
Btpsec Sample Penetration Test Report
bybtpsec
 
PPTX
Bgpcep odl summit 2015
byGiles Heron
 
PDF
Deep Learning Based Real-Time DNS DDoS Detection System
bySeungjoo Kim
 
PDF
Misused top ASNs
byAPNIC
 
PPTX
BGP persistence
byBertrand Duvivier
 
PDF
Keeping your rack cool
byPavel Odintsov
 
PDF
Protect your edge BGP security made simple
byPavel Odintsov
 
Segment Routing: A Tutorial
byAPNIC
 
BGP Monitoring Protocol
byBertrand Duvivier
 
LISP and NSH in Open vSwitch
bymestery
 
Ddos and mitigation methods.pptx (1)
bybtpsec
 
2015-ShowNet -DDoS/IX/BGPFlowspec/External
byInterop Tokyo ShowNet NOC Team
 
Radware Cloud Security Services
byRadware
 
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
byMyNOG
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
byShuichi Ohkubo
 
Btpsec Sample Penetration Test Report
bybtpsec
 
Bgpcep odl summit 2015
byGiles Heron
 
Deep Learning Based Real-Time DNS DDoS Detection System
bySeungjoo Kim
 
Misused top ASNs
byAPNIC
 
BGP persistence
byBertrand Duvivier
 
Keeping your rack cool
byPavel Odintsov
 
Protect your edge BGP security made simple
byPavel Odintsov
 

Similar to DDoS Mitigation using BGP Flowspec

PDF
DDoS Mitigation Tools and Techniques
byBabak Farrokhi
 
PPT
9534715
byPavel Odintsov
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
PDF
KHNOG 3: DDoS Attack Prevention
byAPNIC
 
PDF
BGP evolution -from SDN perspective
byMiya Kohno
 
PDF
DDos, Peering, Automation and more
byInternet Society
 
PPTX
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
PDF
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
byPROIDEA
 
PDF
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
byAPNIC
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
DDoS Protection System DPS
byAlexander Velikiy
 
PDF
PLNOG 13: Julian Lucek: Centralized Traffic Enginnering
byPROIDEA
 
PPTX
DeiC DDoS Prevention System - DDPS
byPavel Odintsov
 
PDF
BGP Flow Spec HKNOG 13
byPavel Odintsov
 
PDF
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
byPROIDEA
 
PPTX
PLNOG 17 - Artur Kane - DDoS? You shall not pass!
byPROIDEA
 
PDF
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
byPROIDEA
 
PDF
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
byAPNIC
 
PPT
Configuraciones con BGP Juniper 4.bgp-1232073634451868-3.ppt
bycourseh813
 
PPT
flowspec @ APF 2013
byTom Paseka
 
DDoS Mitigation Tools and Techniques
byBabak Farrokhi
 
9534715
byPavel Odintsov
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
KHNOG 3: DDoS Attack Prevention
byAPNIC
 
BGP evolution -from SDN perspective
byMiya Kohno
 
DDos, Peering, Automation and more
byInternet Society
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
byPROIDEA
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
byAPNIC
 
Make DDoS expensive for the threat actors
byAPNIC
 
DDoS Protection System DPS
byAlexander Velikiy
 
PLNOG 13: Julian Lucek: Centralized Traffic Enginnering
byPROIDEA
 
DeiC DDoS Prevention System - DDPS
byPavel Odintsov
 
BGP Flow Spec HKNOG 13
byPavel Odintsov
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
byPROIDEA
 
PLNOG 17 - Artur Kane - DDoS? You shall not pass!
byPROIDEA
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
byPROIDEA
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
byAPNIC
 
Configuraciones con BGP Juniper 4.bgp-1232073634451868-3.ppt
bycourseh813
 
flowspec @ APF 2013
byTom Paseka
 

More from APNIC

PDF
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
PDF
Prop-154: Resizing of IPv4 assignments for IXPs
byAPNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
Prop-154: Resizing of IPv4 assignments for IXPs
byAPNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 

Recently uploaded

PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
A complete presentation on green computing
byreetapandey0007
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
A complete presentation on green computing
byreetapandey0007
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 

DDoS Mitigation using BGP Flowspec

  • 1.
    Copyright © 2014Juniper Networks, Inc.1 DDoS Mitigation Using BGP Flowspec Justin Ryburn Consulting Engineer [email protected]
  • 2.
    Copyright © 2014Juniper Networks, Inc.2 Background •  Who is this guy? •  http://www.linkedin.com/in/justinryburn •  Why this topic? •  Experience tracking DDoS “back in the day”
  • 3.
    Copyright © 2014Juniper Networks, Inc.3 Agenda •  Problem Statement •  Legacy DDoS Mitigation Methods •  BGP Flowspec Overview •  Use Case Examples •  State of the Union
  • 4.
    Copyright © 2014Juniper Networks, Inc.4 Problem Statement
  • 5.
    Copyright © 2014Juniper Networks, Inc.5 Copyright © 2014 Juniper Networks, Inc.5 Is DDoS Really an Issue? “…taking down a site or preventing transactions is only the tip of the iceberg. A DDoS attack can lead to reputational losses or legal claims over undelivered services.” Kaspersky Lab [1] Verisign [2] “Attacks in the 10 Gbps and above category grew by 38% from Q2 … Q3.” NBC News [3] “…more than 40 percent estimated DDoS losses at more than $1 million per day.” Tech Times [4] “DDoS attack cripples Sony PSN while Microsoft deals with Xbox Live woes”
  • 6.
    Copyright © 2014Juniper Networks, Inc.6 Legacy DDoS Mitigation Methods
  • 7.
    Copyright © 2014Juniper Networks, Inc.7 Blocking DDoS in the “Old” Days Service Provider Internet Enterprise or DC 203.0.113.1   203.0.113.0/24   203.0.113.0/24   “HELP”  I’m  being  a1acked.   NOC  might  connect  to  each   router  and  add  filter   x SP NOC •  Easy to implement and uses well understood constructs •  Requires high degree of co-ordination between customer and provider •  Cumbersome to scale in a large network perimeter •  Mis-configuration possible and expensive 203.0.113.0/24  
  • 8.
    Copyright © 2014Juniper Networks, Inc.8 Destination Remotely Triggered Black Hole (D/RTBH) Service Provider Internet Enterprise or DC 203.0.113.1   203.0.113.1/32   203.0.113.1/32   VicAm  iniAates  RTBH   announcement   BGP  Prefix  with  next-­‐hop   set  to  discard  route.   x •  RFC 3882 circa 2004 •  Requires pre-configuration of discard route on all edge routers •  Victim’s destination address is completely unreachable but attack (and collateral damage) is stopped. 203.0.113.1/32  
  • 9.
    Copyright © 2014Juniper Networks, Inc.9 Source Remotely Triggered Black Hole (S/RTBH) •  RFC 5635 circa 2009 •  Requires pre-configuration of discard route and uRPF on all edge routers •  Victim’s destination address is still useable •  Only works for single (or small number) source. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  S/RTBH  on   route  server   x SP NOC BGP  prefix  with  next-­‐hop   pointed  at  discard  and   uRPF  enabled.  
  • 10.
    Copyright © 2014Juniper Networks, Inc.10 BGP FlowSpec Overview
  • 11.
    Copyright © 2014Juniper Networks, Inc.11 BGP Flow Specification •  Specific information about a flow can now be distributed using a BGP NLRI defined in RFC 5575 [5] circa 2009 •  AFI/SAFI = 1/133: Unicast Traffic Filtering Applications •  AFI/SAFI = 1/134: VPN Traffic Filtering Applications •  Flow routes are automatically validated against unicast routing information or via routing policy framework. •  Must belong to the longest match unicast prefix. •  Once validated, firewall filter is created based on match and action criteria.
  • 12.
    Copyright © 2014Juniper Networks, Inc.12 BGP Flow Specification •  BGP Flowspec can include the following information: •  Type 1 - Destination Prefix •  Type 2 - Source Prefix •  Type 3 - IP Protocol •  Type 4 – Source or Destination Port •  Type 5 – Destination Port •  Type 6 - Source Port •  Type 7 – ICMP Type •  Type 8 – ICMP Code •  Type 9 - TCP flags •  Type 10 - Packet length •  Type 11 – DSCP •  Type 12 - Fragment Encoding
  • 13.
    Copyright © 2014Juniper Networks, Inc.13 BGP Flow Specification •  Actions are defined using BGP Extended Communities: •  0x8006 – traffic-rate (set to 0 to drop all traffic) •  0x8007 – traffic-action (sampling) •  0x8008 – redirect to VRF (route target) •  0x8009 – traffic-marking (DSCP value)
  • 14.
    Copyright © 2014Juniper Networks, Inc.14 Vendor Support •  DDoS Detection Vendors: •  Arbor Peakflow SP 3.5 •  Accumuli DDoS Secure •  Router Vendors: •  Alcatel-Lucent SR OS 9.0R1 •  Juniper JUNOS 7.3 •  Cisco 5.2.0 for ASR and CRS [6] •  OpenSource BGP Software: •  ExaBGP
  • 15.
    Copyright © 2014Juniper Networks, Inc.15 What Makes BGP Flowspec Better? •  Same granularity as ACLs •  Based on n-tuple matching •  Same automation as RTBH •  Much easier to propagate filters to all edge routers in large networks •  Leverages BGP best practices and policy controls •  Same filtering and best practices used for RTBH can be applied to BGP Flowspec
  • 16.
    Copyright © 2014Juniper Networks, Inc.16 Caveats •  Forwarding Plane resources •  Creating dynamic firewall filters that use these resources •  More complex FS routes/filters will use more resources •  Need to test your vendors limits and what happens when it is hit •  Usually ways to limit the number and complexity of filters to avoid issues •  Not a replacement technology •  Should be ADDED to existing mitigation methods and not replace them •  When it goes wrong (bugs) it goes wrong fast •  Cloudflare outage: https://blog.cloudflare.com/todays-outage-post-mortem-82515/
  • 17.
    Copyright © 2014Juniper Networks, Inc.17 Use Case Examples
  • 18.
    Copyright © 2014Juniper Networks, Inc.18 Inter-domain DDoS Mitigation Using Flowspec Service Provider 203.0.113.1/32,*,17,53   Internet Enterprise or DC 203.0.113.1   VicAm  iniAates  Flowspec   announcement  for  53/UDP   only   BGP  Prefix  installed  with   acAon  set  to  rate  0.   x •  Allows ISP customer to initiate the filter. •  Requires sane filtering at customer edge.
  • 19.
    Copyright © 2014Juniper Networks, Inc.19 Intra-domain DDoS Mitigation Using Flowspec •  Could be initiated by phone call, detection in SP network, or a web portal for the customer. •  Requires co-ordination between customer and provider. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  Flowpec   route  on  route  server   x SP NOC BGP  Prefix  installed  with   acAon  set  to  rate  0.  
  • 20.
    Copyright © 2014Juniper Networks, Inc.20 DDoS Mitigation Using Scrubbing Center •  Could be initiated by phone call, detection in SP network, or a web portal for the customer. •  Allows for mitigating application layer attacks without completing the attack. Service Provider Internet Enterprise or DC 203.0.113.1   “HELP”  I’m  being  a1acked.   NOC  configures  Flowpec   route  on  route  server   x SP NOC BGP  Prefix  installed  with   acAon  set  to  redirect.   Scrubbing Center A1ack  traffic  is  scrubbed   by  DPI  appliance.   LegiAmate  traffic  sent  to   customer  via  GRE  or  VRF   tunnel.  
  • 21.
    Copyright © 2014Juniper Networks, Inc.21 Real World Example (TDC) "Where I think FlowSpec excels, is for protection of our mobile platform. 2 /24s are shared among a million mobile devices with NAT in a firewall. The link capacity (and in part the firewall itself) is overloaded by a simple DDoS attack against just one of these adresses. The system detects a DoS attack against an address on the firewall. It will identify total traffic, UDP, fragments, TCP SYN, ICMP, whatever, and depending on what kind of attack it is, a policer is added for the specific protocol/attack on individual peering routers. Protocols are policed with individual policers, so that for instance UDP and TCP SYN can be policed to different throughputs. Basically, an attack against a single IP on UDP will not affect other customers being NAT'ed to the same address, using anything but UDP - and link capacity is protected."
  • 22.
    Copyright © 2014Juniper Networks, Inc.22 Real World Example •  Attack on 1/13/16
  • 23.
    Copyright © 2014Juniper Networks, Inc.23 Where Are We Going? •  IPv6 Support •  http://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-06 •  Relaxing Validation •  http://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-02 •  Redirect to IP Action •  https://tools.ietf.org/html/draft-ietf-idr-flowspec-redirect-ip-02
  • 24.
    Copyright © 2014Juniper Networks, Inc.24 State of the Union
  • 25.
    Copyright © 2014Juniper Networks, Inc.25 Summary of Survey •  Great idea and would love to see it take off but… •  Enterprises and Content Providers are waiting for ISPs to accept their Flowspec routes. •  Some would even be willing to switch to an ISP that did this. •  ISPs are waiting for vendors to support it. •  More vendors supporting it •  Specific features they need for their environment •  Better scale or stability
  • 26.
    Copyright © 2014Juniper Networks, Inc.26 References •  [1] Kaspersky Lab – Every Third Public Facing Company Encounters DDoS Attacks http://tinyurl.com/neu4zzr •  [2] Verisign – 2014 DDoS Attack Trends http://tinyurl.com/oujgx94 •  [3] NBC News – Internet Speeds are Rising Sharply, But So Are Hack Attacks http://tinyurl.com/q4u2b7m •  [4] Tech Times – DDoS Attack Cripples Sony PSN While Microsoft Deals with Xbox Live Woes http://tinyurl.com/kkdczjx •  [5] RFC 5575 - Dissemination of Flow Specification Rules http://www.ietf.org/rfc/rfc5575.txt •  [6] Cisco - Implementing BGP Flowspec http://tinyurl.com/mm5w7mo •  [7] Cisco – Understanding BGP Flowspec http://tinyurl.com/l4kwb3b
  • 27.
    Copyright © 2014Juniper Networks, Inc.27 More Information •  NANOG PDF •  NANOG YouTube Video •  Day One Guide
  • 28.