Scalable DDoS mitigation. Peter Filo Senior Systems Engineer ALEF Distribution SK
2 Agenda
Traditional DDoS Mitigation: Remote Triggered Blackhole Filtering
Scalable DDoS Mitigation: BGP FlowSpec
Cloud DDoS Protection: F5 Silverline
3 DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructure or computer services by sending an overwhelming number of service requests to the server from many sources. Server resources are used up serving the fake requests, so legitimate requests are denied or served with degraded quality.
Addressing DDoS attacks:
Detection: detect the incoming fake requests.
Mitigation:
  Diversion: send the traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets.
  Return: send the clean traffic back to the server.
4 DDoS Detection
NetFlow / IPFIX / sFlow: how many flows/sec can your routers meter, and how fast is your collector/analyzer? What are you going to look at?
SNMP: are you looking at all the right values? Are you polling your devices every second, every minute, every hour?
Syslog: you need to set up proper rules to filter out the events you want to see.
RADIUS/TACACS+ logging: watch those authentication failures and changes to the nodes.
Packet capturing: do you use TAPs/splitters?
5 Goals of DDoS Mitigation
Stop the attack
Drop only the DDoS traffic
Application-aware filtering, redirection, mirroring
Dynamic and adaptive technology
Simple to configure
Easy to disseminate
6 Remote Triggered Black-Hole Filtering (RTBH)
Once the attack has been detected, traffic related to the DDoS should be discarded at the edge of the service provider network.
A BGP router (the trigger) signals over BGP to the edge routers that the traffic causing the DDoS should be discarded (forwarded to the Null interface).
Destination-based RTBH: traffic going to the IP addresses of the customer is discarded at the edge.
Source-based RTBH: traffic coming from the IP addresses of the attacker is discarded at the edge. Uses strict uRPF together with BGP signalling.
7 Destination-based RTBH
Diagram (addresses not preserved in the transcription): SP AS with PE1 (Gi0/0 towards the Customer /24), PE2 and a signalling router; the Attacker /24 sits outside the SP AS.
PE1 router:
ip route Null0
interface Null0
 no ip unreachables
Signalling router:
router bgp
 redistribute static route-map static-to-bgp
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop
 set local-preference 200
 set community no-export
 set origin igp
route-map static-to-bgp permit 20
Signalling router, adding a static route when under attack:
ip route Null0 tag 66
8 Source-based RTBH
Diagram (addresses not preserved in the transcription): SP AS with PE1 (Gi0/0/0 towards the Customer /24), PE2 and a signalling router; the Attacker /24 sits outside the SP AS.
PE1 router:
ip route Null0
interface Null0
 no ip unreachables
interface GigabitEthernet0/0/0
 ip verify unicast source reachable-via rx
Signalling router:
router bgp
 redistribute static route-map static-to-bgp
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop
 set local-preference 200
 set community no-export
 set origin igp
route-map static-to-bgp permit 20
Signalling router, adding a static route when under attack:
ip route Null0 tag 66
9 RTBH as a Service
Ask your uplink providers for a blackhole BGP community.
Provide a blackhole BGP community to your customers.
Diagram (addresses not preserved in the transcription): web server /24 behind the CE router (F0/0); DDoS traffic arrives from the Internet through the SP AS (PE, PE2). The CE advertises BGP: /24 and, when under attack, BGP: /32 with community 65535:666; the PE discards the /32.
CE router:
router bgp
 network mask
 redistribute static route-map static-to-bgp
route-map static-to-bgp permit 5
 match tag 666
 set community 65535:666 additive
ip route FastEthernet0/0 tag 666
PE2 router:
router bgp
 neighbor cust route-map from-customer in
ip community-list standard BH permit 65535:666
route-map from-customer permit 10
 match community BH
 set ip next-hop
 set local-preference 200
 set community no-export
route-map rm-community-in permit 20
10 Remote Triggered Black-Hole Filtering (RTBH)
No more DDoS traffic on my web server... but no more traffic at all on my web server either.
IP-based solution only.
Is this the solution you were looking for?
11 Policy Based Routing?
Identification of DDoS traffic based on conditions expressed in MATCH statements:
Source/destination address, protocol, packet size, port number, etc.
Actions upon DDoS traffic:
Discard, rate limiting, redirection, etc.
No more DDoS traffic on my web server. Doesn't this sound like a great solution?
12 Policy Based Routing?
Good solution for:
Done with hardware acceleration on carrier-grade routers
Can provide very good precision in the match statements and the actions to impose
But...
The customer needs to call its service provider
The service provider has to accept and run this filter on each of its peering routers
The customer needs to call the service provider again to remove the rule afterwards
Not scalable...
13 Solution: BGP FlowSpec
Makes static PBR a dynamic solution
Allows PBR rules to be propagated
The existing control plane communication channel is used
Uses your existing MP-BGP infrastructure
14 RFC5575 Dissemination of Flow Specification Rules
Published in August 2009
New Flow Specification NLRI type encoded using MP_REACH_NLRI/MP_UNREACH_NLRI
Inter-domain support
Point-to-multipoint with route reflectors
Networking engineers and architects understand BGP perfectly
Capability to send via a BGP address family:
  Match criteria (NLRI)
  Action criteria (extended communities)
Three elements: controller, client, route reflector (optional)
15 BGP FlowSpec Components
Controller: injects rules remotely into the clients. Needs to implement at minimum the control path. Examples of BGP FS controllers: router (ASR9K, CRS, NCS6000, XR12000), server (ExaBGP, Arbor PeakFlow SP Collector Platform), virtual router (XRv).
Client: receives rules from the controller(s) and programs the match/action in hardware. Needs to implement both control plane and data plane. Examples of BGP FS clients: router (ASR9K, ASR1K).
Route reflector (optional): receives rules from the controller(s) and distributes them to the clients. Examples of BGP FS route reflectors: ASR9K, CRS, NCS6000 or XRv.
16 RFC5575 Dissemination of Flow Specification Rules
New NLRI defined (AFI=1, SAFI=133) to describe the traffic of interest:
1. Destination IP address (1 component)
2. Source IP address (1 component)
3. IP protocol (+1 component)
4. Port (+1 component)
5. Destination port (+1 component)
6. Source port (+1 component)
7. ICMP type
8. ICMP code
9. TCP flags
10. Packet length
11. DSCP
12. Fragment
The MP_REACH_NLRI (RFC 4760):
Address Family Identifier (2 octets)
Subsequent Address Family Identifier (1 octet)
Length of Next Hop Network Address (1 octet)
Network Address of Next Hop (variable)
Reserved (1 octet)
Network Layer Reachability Information (variable)
Notice from the RFC: flow specification components must follow strict type ordering. A given component type may or may not be present in the specification, but if present, it MUST precede any component of higher numeric type value.
17 RFC5575 Dissemination of Flow Specification Rules
Traffic action is defined in extended communities (RFC4360):
Type (high/low)   Description       Encoding
0x8006            Traffic-rate      2 bytes ASN; 4 bytes as float
0x8007            Traffic-action    Bitmask
0x8008            Redirect          6 bytes RT (Route Target)
0x8009            Traffic-marking   DSCP value
18 Cisco IOS XR Routers BGP FS Implementation
Platform / hardware: control plane support, data plane support (support marks did not survive the transcription; only the release targets remain):
ASR9K Typhoon LC
ASR9K Thor LC
ASR9K Tomahawk: target 5.3.x, target 5.3.x
CRS Taiko LC
CRS Topaz LC: target
XRv: N/A (data plane)
C12K: not planned
NCS6000: target 5.2.3/5.2.4, target 5.2.3/5.2.4
In the Cisco IOS 15.5(S) release, BGP flow specification is supported only on a route reflector. IOS XE software supports the BGP flow specification client function and does not support the BGP flow specification controller function.
Mixing of address family matches and actions is not supported in flow spec rules. For example, IPv4 matches cannot be combined with IPv6 actions and vice versa.
19 Cisco IOS XR Routers BGP FS Implementation (IPv4)
Columns: NLRI type, match field, value input method; support on XR PI, ASR9K, CRS, NCS6000 (support marks did not survive the transcription).
Type 1: IPv4 destination address; prefix length
Type 2: IPv4 source address; prefix length
Type 3: IPv4 protocol; multi-value range
Type 4: IPv4 source or destination port; multi-value range
Type 5: IPv4 destination port; multi-value range
Type 6: IPv4 source port; multi-value range
Type 7: IPv4 ICMP type; multi-value range
Type 8: IPv4 ICMP code; multi-value range
Type 9: IPv4 TCP flags; bit mask (ASR9K, CRS, NCS6000: only the lower byte; reserved and NS bits not supported)
Type 10: IPv4 packet length; multi-value range
Type 11: IPv4 DSCP; multi-value range
Type 12: IPv4 fragmentation bits; bit mask (only indication of fragment)
20 Cisco IOS XR Routers BGP FS Implementation (IPv6)
Columns: NLRI type, match field, value input method; support on XR PI, ASR9K, CRS, NCS6000 (support marks did not survive the transcription).
Type 1: IPv6 destination address; prefix length
Type 2: IPv6 source address; prefix length
Type 3: IPv6 next header; multi-value range
Type 4: IPv6 source or destination port; multi-value range
Type 5: IPv6 destination port; multi-value range
Type 6: IPv6 source port; multi-value range
Type 7: IPv6 ICMP type; multi-value range
Type 8: IPv6 ICMP code; multi-value range
Type 9: IPv6 TCP flags; bit mask (ASR9K, CRS, NCS6000: only the lower byte; reserved and NS bits not supported)
Type 10: IPv6 packet length; multi-value range
Type 11: IPv6 traffic class; multi-value range
Type 12: reserved; N/A on all platforms
Type 13: IPv6 flow label; multi-value range; not supported (x) on XR PI, ASR9K, CRS, NCS6000
21 Configuring BGP FlowSpec on IOS XR Routers
Signalisation: use of a new address family, flowspec.
Controller (advertises policy FS):
router bgp 1
 bgp router-id
 address-family ipv4 flowspec
 neighbor-group ibgp-flowspec
  remote-as 1
  update-source loopback0
  address-family ipv4 flowspec
 neighbor
  use neighbor-group ibgp-flowspec
 neighbor
  use neighbor-group ibgp-flowspec
flowspec
 address-family ipv4
  service-policy type pbr FS
Client (installs all rules on all interfaces):
router bgp 1
 bgp router-id
 address-family ipv4 flowspec
 neighbor-group ibgp-flowspec
  remote-as 1
  update-source loopback0
  address-family ipv4 flowspec
 neighbor
  use neighbor-group ibgp-flowspec
flowspec
 local-install interface-all
22 Configuring BGP FlowSpec on IOS XR Routers
Verifying the session establishment (on the client):
RP/0/RP0/CPU0:Client#sh bgp ipv4 flowspec summary
BGP router identifier , local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 7072
BGP main routing table version 7072
BGP NSR Initial initsyncversion 0 (Reached)
BGP NSR/ISSU Sync-Group versions 7072/0
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.

Process       RcvTblVer   brib/rib   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
                                                               w1d        1001
RP/0/RP0/CPU0:Client#
23 Configuring BGP FlowSpec on IOS XR Routers
Configuring rules on the controller: in many aspects, the rule configuration on the controller is similar to MQC (Modular QoS Configuration). Rules are defined in Cisco Common Classification Policy Language (C3PL) format:
Traffic matching is defined in a class-map.
The action is defined in a policy-map, which refers to the class-map.
This policy-map is advertised by the service-policy type pbr statement.
24 Configuring BGP FlowSpec on IOS XR Routers
Configuring rules on the controller:
class-map type traffic match-all match-udp53
 match destination-port 53
 match protocol udp
end-class-map
class-map type traffic match-all match-src-ipv4-addr
 match destination-address ipv4
end-class-map
policy-map type pbr FS
 class type traffic match-src-ipv4-addr
  police rate bps
 class type traffic match-udp53
  redirect nexthop
 class type traffic class-default
end-policy-map
flowspec
 address-family ipv4
  service-policy type pbr FS
25 Configuring BGP FlowSpec on IOS XR Routers
Configuring rules on the controller, variant 1 (one policy-map per rule, both advertised):
class-map type traffic match-all MATCH-UDP123
 match destination-port 123
 match protocol udp
end-class-map
class-map type traffic match-all MATCH-SRCv4
 match destination-address ipv4 /24
end-class-map
policy-map type pbr FS1
 class type traffic MATCH-SRCv4
  police rate bps
end-policy-map
policy-map type pbr FS2
 class type traffic MATCH-UDP123
  redirect nexthop
end-policy-map
flowspec
 address-family ipv4
  service-policy type pbr FS1
  service-policy type pbr FS2
Variant 2 (one policy-map with both classes):
class-map type traffic match-all MATCH-UDP123
 match destination-port 123
 match protocol udp
end-class-map
class-map type traffic match-all MATCH-SRCv4
 match destination-address ipv4 /24
end-class-map
policy-map type pbr FS
 class type traffic MATCH-SRCv4
  police rate bps
 class type traffic MATCH-UDP123
  redirect nexthop
end-policy-map
flowspec
 address-family ipv4
  service-policy type pbr FS
26 Configuring BGP FlowSpec on IOS XR Routers
Configuring a Type 1 match (destination IP) on the controller:
RP/0/0/CPU0:Ctrl(config)#class-map type traffic match-all MATCHING-RULE
RP/0/0/CPU0:Ctrl(config-cmap)#match destination-address ipv4 /24
RP/0/0/CPU0:Ctrl(config-cmap)#
Verifying on the client:
RP/0/RP0/CPU0:Client#sh flowspec ipv4 detail
AFI: IPv4
  Flow        :Dest: /24
  Actions     :Traffic-rate: bps (bgp.1)
  Statistics  (packets/bytes)
    Matched     : 0/0
    Transmitted : 0/0
    Dropped     : 0/0
RP/0/RP0/CPU0:Client#sh flowspec ipv4 nlri
AFI: IPv4
  NLRI (Hex dump) : 0x011851fdc1
  Actions         :Traffic-rate: bps (bgp.1)
RP/0/RP0/CPU0:Client#
NLRI byte layout of 0x011851fdc1:
Type (1 byte): 0x01 (type 1, destination prefix)
Prefix length (1 byte): 0x18 (/24)
Prefix (variable): 0x51 fd c1
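As an added example (not code from the slides, Cisco or any BGP implementation), the following Python encodes and decodes the IPv4 FlowSpec NLRI component sequence from slide 16 (prefix types 1/2 and the numeric-operator types, enforcing the strict type ordering quoted from the RFC) and the 0x8006 traffic-rate extended community from slide 17; it decodes the 0x011851fdc1 dump shown above. The 203.0.113.0/24 rule in the demo is a constructed sample.

```python
import ipaddress
import struct

# RFC 5575 IPv4 component types, numbered as on slide 16.
DEST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3
PORT, DST_PORT, SRC_PORT, ICMP_TYPE, ICMP_CODE = 4, 5, 6, 7, 8
PACKET_LENGTH, DSCP = 10, 11
NUMERIC_TYPES = {IP_PROTO, PORT, DST_PORT, SRC_PORT, ICMP_TYPE, ICMP_CODE,
                 PACKET_LENGTH, DSCP}
TRAFFIC_RATE = 0x8006  # slide 17: extended community type for traffic-rate

# Numeric operator byte: e(bit7) a(bit6) len(bits5-4) 0 lt(bit2) gt(bit1) eq(bit0)
_OP_BITS = {"=": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6}
_OP_SYMS = {v: k for k, v in _OP_BITS.items()}
_LEN_CODE = {1: 0, 2: 1, 4: 2, 8: 3}


def _encode_prefix(ctype, cidr):
    """Type 1/2 component: type, prefix length, then only the prefix bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _encode_numeric(ctype, alternatives):
    """alternatives: list of OR-ed items, each a list of AND-ed (op, value)
    pairs, e.g. [[("=", 10)], [(">=", 30), ("<=", 40)]] is '=10 >=30&<=40'."""
    flat = [(j > 0, op, val)
            for alt in alternatives for j, (op, val) in enumerate(alt)]
    out = bytearray([ctype])
    for i, (and_bit, op, val) in enumerate(flat):
        size = 1 if val < 0x100 else 2 if val < 0x10000 else 4
        code = (0x80 if i == len(flat) - 1 else 0) | (0x40 if and_bit else 0)
        code |= (_LEN_CODE[size] << 4) | _OP_BITS[op]
        out.append(code)
        out += val.to_bytes(size, "big")
    return bytes(out)


def encode_nlri(components):
    """Build the component sequence of a FlowSpec NLRI from {type: value}.
    Components are emitted in ascending type order, as RFC 5575 mandates.
    On the wire the sequence is preceded by its length (one byte if < 240)."""
    body = b""
    for ctype in sorted(components):
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            body += _encode_prefix(ctype, components[ctype])
        elif ctype in NUMERIC_TYPES:
            body += _encode_numeric(ctype, components[ctype])
        else:
            raise ValueError(f"component type {ctype} is not handled here")
    return body


def decode_nlri(body):
    """Decode a component sequence (the 'NLRI (Hex dump)' shown by IOS XR)
    into {type: text}, rejecting sequences that violate the type ordering."""
    i, last, result = 0, 0, {}
    while i < len(body):
        ctype = body[i]
        i += 1
        if ctype <= last:
            raise ValueError(f"component type {ctype} must precede type {last}")
        last = ctype
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = body[i]
            nbytes = (plen + 7) // 8
            addr = body[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
            i += 1 + nbytes
            result[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        elif ctype in NUMERIC_TYPES:
            parts = []
            while True:
                op = body[i]
                size = 1 << ((op >> 4) & 3)  # value length from the len bits
                val = int.from_bytes(body[i + 1:i + 1 + size], "big")
                i += 1 + size
                sep = "&" if op & 0x40 else " "  # a-bit: AND with previous item
                parts.append(sep + _OP_SYMS.get(op & 7, "?") + str(val))
                if op & 0x80:  # e-bit: end of the operator list
                    break
            result[ctype] = "".join(parts).strip()
        else:
            raise ValueError(f"component type {ctype} is not handled here")
    return result


def encode_traffic_rate(asn, rate):
    """Traffic-rate extended community: 0x8006, 2-byte ASN, 4-byte IEEE float.
    RFC 5575 expresses the rate in bytes per second; 0 discards all matches."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, float(rate))


def decode_traffic_rate(ext):
    etype, asn, rate = struct.unpack("!HHf", ext)
    if etype != TRAFFIC_RATE:
        raise ValueError(f"not a traffic-rate community: {etype:#06x}")
    return asn, rate


if __name__ == "__main__":
    # The NLRI dump from slide 26 decodes to a single type-1 component.
    print(decode_nlri(bytes.fromhex("011851fdc1")))
    # Constructed rule in the style of slide 28: prefix, UDP, dport 80, sports.
    rule = encode_nlri({DEST_PREFIX: "203.0.113.0/24", IP_PROTO: [[("=", 17)]],
                        DST_PORT: [[("=", 80)]],
                        SRC_PORT: [[("=", 10)], [("=", 20)], [(">=", 30), ("<=", 40)]]})
    print(rule.hex(), decode_nlri(rule))
    print(encode_traffic_rate(1, 0).hex())  # rate 0 = drop matching traffic
```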
28 Configuring BGP FlowSpec on IOS XR Routers
Mixing several matching statements:
class-map type traffic match-all MATCHING-RULE1
 match source-port
 match protocol udp
 match dscp ef
 match packet length
 match destination-port 80
 match destination-address ipv4
end-class-map
RP/0/RSP0/CPU0:Client#sh flowspec afi-all detail
AFI: IPv4
  Flow    :Dest: /24,Proto:=17,DPort:=80,SPort:=10 =20 >=30&<=40 >=50&<=52 >=60&<=70,Length:>=10&<=100 >=102&<=200 >=202&<=400 >=402&<=1500,DSCP:=46
  Actions :Traffic-rate: bps (bgp.1)
  Statistics (packets/bytes)
    Matched : 0/0
    Dropped : 0/0
RP/0/RSP0/CPU0:Client#sh flowspec afi-all nlri
AFI: IPv4
  NLRI (Hex dump) : 0x01180bc a e cc5460a030a c803ca d505dc0b812e
  Actions :Traffic-rate: bps (bgp.1)
RP/0/RSP0/CPU0:Client#
29 Configuring BGP FlowSpec on IOS XR Routers
Available actions: rate limit, DSCP marking, redirect.
We can mix several actions:
Rate-limit + Redirect VRF/IP
Rate-limit + DSCP marking
Redirect VRF/IP + DSCP marking
Rate-limit + Redirect VRF/IP + DSCP marking
It is not possible to mix:
Redirect VRF + Redirect NH IP
Redirect NH IP@A + Redirect NH IP@B
RP/0/RP0/CPU0:Client#sh flowspec ipv4 detail
AFI: IPv4
  Flow    :Dest: /32,Proto:=17,Length:>=500&<=1550
  Actions :Traffic-rate: bps DSCP: ef Nexthop: (bgp.1)
  Statistics (packets/bytes)
    Matched : /
    Dropped : /
RP/0/RP0/CPU0:Client#
30 Benefits of DDoS Mitigation with BGP FS
Single point of control to program rules into many clients
Allows a very precise description/matching of the attack traffic
Can be used for both mitigation and diversion of the attack traffic, without impacting the rest of the traffic destined to the victim
Filtering stateless attacks on the edge router permits mitigation of millions of PPS of dirty traffic while freeing precious CPU cycles on the scrubbing device for more advanced mitigation needs
The Cisco ASR9000 supports Arbor Peakflow SP TMS software on the VSM service card
XRv can be used as a controller; free to test with a CCO account
31 DDoS Mitigation on ASR9K Virtualised Service Module
Cisco/Arbor partnership: Peakflow SP TMS embedded on the VSM
Supported with RSP440 onwards (not RSP2)
All 9000 chassis except 9001
Multi-purpose service card: CGN, IPsec, Mobile GW, DPI, ASAv, DDoS mitigation, service chaining
KVM virtualised environment
32 F5 Silverline DDoS Protection - Global Coverage
SOC 24/7 support: the F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes.
Global coverage: fully redundant and globally distributed data centers worldwide in each geographic region: Seattle, WA US; San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG.
Industry-leading bandwidth: scrubbing capacity of over 2.0 Tbps; guaranteed bandwidth with Tier 1 carriers.
33 F5 Silverline DDoS Protection Service Options
Always On: primary protection as the first line of defense. The Always On service stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your website.
Always Available: primary protection available on demand. The Always Available service runs on stand-by and can be initiated when under a DDoS attack. F5 Silverline will begin mitigation as soon as your traffic is sent to us.
34 F5 Silverline DDoS Protection
Two ways to direct traffic to Silverline scrubbing centers:
BGP (Border Gateway Protocol): routed mode
DNS: proxy mode
Multiple ways to return clean traffic:
GRE tunnels
L2VPN / Virtual Ethernet Service
IP reflection
Equinix Cloud Exchange
Proxy
35 Routed Configuration
Diagram (addresses not preserved in the transcription): Internet, ISP router, F5 Silverline DDoS Protection with its F5 routers, GRE tunnel to the customer router, customer data center.
BGP route advertisement: the F5 route for /24 becomes preferred.
TCP connection from the Internet to Silverline: SYN SRC: :27182 DST: :80; SYN-ACK SRC: :80 DST: :27182.
Clean traffic is returned via the GRE tunnel to the customer's data center (TCP connection: SRC: :4243 DST: :80).
BGP configuration change by the customer admin: withdraw the advertisement for /24.
36 Proxy Configuration
Diagram (addresses not preserved in the transcription): public DNS servers, local DNS, the customer's authoritative DNS, ISP router, customer router, data center and the F5 Silverline DDoS Protection proxy.
DNS configuration change by the customer admin.
DNS query from the client to the local DNS, the public DNS servers and the authoritative DNS; the DNS response points at the Silverline proxy.
TCP connections from clients to the proxy: SRC: :27182 DST: :80 and SRC: :4243 DST: :80.
TCP connections from the proxy's NAT pool /24 to the data center: SRC: :31415 DST: :80 and SRC: :4242 DST: :80.
ISP router ACL: permit / /32; deny any /32.
37 DDoS Architecture
Scrubbing center:
Inspection tools provide input on attacks for the Traffic Actioner and the SOC
Traffic Actioner injects blackhole routes and steers traffic
Flow collection aggregates attack data from all sources
Portal provides real-time reporting and configuration
Diagram: scrubbing center inspection plane (cloud inspection toolsets, Traffic Actioner, route management, flow collection, visibility portal, signaling management) fed by copied traffic for inspection, BGP signaling and NetFlow; cloud scrubbing service data plane (switching, routing/ACL, network mitigation, proxy mitigation, routing in the customer VRF, X-Connect to the customer) returning traffic via GRE tunnel, proxy or IP reflection. Covers volumetric attacks and floods, operations center experts, and L3-7 known-signature attacks.
Switching mirrors traffic to the inspection toolsets and the routing layer
Ingress router applies ACLs and blackholes traffic
Network mitigation removes advanced L4 attacks
Proxy mitigation removes L7 application attacks
Egress routing returns good traffic back to the customer
38 Summary
Traditional DDoS Mitigation: Remote Triggered Blackhole Filtering
Scalable DDoS Mitigation: BGP FlowSpec
Cloud DDoS Protection: F5 Silverline
39 Thank you
More informationIntroduction to Netflow
Introduction to Netflow Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationDescription: Objective: Upon completing this course, the learner will be able to meet these overall objectives:
Course: Building Cisco Service Provider Next-Generation Networks, Part 2 Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,750.00 Learning Credits: 38 Description: The Building Cisco Service Provider
More informationPEERING BOF XVII NANOG 42
PEERING BOF XVII NANOG 42 What is this peering BOF thing? Explain what the peering BOF is Text Who attends these things? What should we expect? What do Peering People do anyway? Anonymous Video contribution
More informationConfiguring NetFlow Secure Event Logging (NSEL)
73 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationIntroduction Inter-AS L3VPN
Introduction Inter-AS L3VPN 1 Extending VPN services over Inter-AS networks VPN Sites attached to different MPLS VPN Service Providers How do you distribute and share VPN routes between ASs Back- to- Back
More informationDeploying and Configuring MPLS Virtual Private Networks In IP Tunnel Environments
Deploying and Configuring MPLS Virtual Private Networks In IP Tunnel Environments Russell Kelly rukelly@cisco.com Craig Hill crhill@cisco.com Patrick Naurayan pnauraya@cisco.com 2009 Cisco Systems, Inc.
More informationMPLS VPN Route Target Rewrite
The feature allows the replacement of route targets on incoming and outgoing Border Gateway Protocol (BGP) updates Typically, Autonomous System Border Routers (ASBRs) perform the replacement of route targets
More informationMultiprotocol Label Switching Load Balancing
Multiprotocol Label Switching Load Balancing First Published: July 2013 The Cisco ME 3800 and ME 3600 switches support IPv4 and IPv6 load balancing at the LER and LSR. Effective with Cisco IOS Release
More informationApproach to build MPLS VPN using QoS capabilities
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 7, Issue 8 (June 2013), PP. 26-32 Approach to build MPLS VPN using QoS capabilities
More informationImplementing MPLS VPNs over IP Tunnels
Implementing MPLS VPNs over IP Tunnels The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Netwk (L3VPN) services, over an IP ce netwk, using L2TPv3 multipoint tunneling instead
More informationMPLS. Cisco MPLS. Cisco Router Challenge 227. MPLS Introduction. The most up-to-date version of this test is at: http://networksims.com/i01.
MPLS Cisco MPLS MPLS Introduction The most up-to-date version of this test is at: http://networksims.com/i01.html Cisco Router Challenge 227 Outline This challenge involves basic frame-mode MPLS configuration.
More informationNetwork Management & Monitoring
Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationNetFlow Aggregation. Feature Overview. Aggregation Cache Schemes
NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to
More informationUnicast Reverse Path Forwarding
Unicast Reverse Path Forwarding This feature module describes the Unicast Reverse Path Forwarding (RPF) feature, which helps to mitigate problems caused by malformed or forged IP source addresses passing
More informationBGP Terminology, Concepts, and Operation. Chapter 6 2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
BGP Terminology, Concepts, and Operation 1 IGP versus EGP Interior gateway protocol (IGP) A routing protocol operating within an Autonomous System (AS). RIP, OSPF, and EIGRP are IGPs. Exterior gateway
More informationGuide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP
Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationBGP Link Bandwidth. Finding Feature Information. Prerequisites for BGP Link Bandwidth
The Border Gateway Protocol (BGP) Link Bandwidth feature is used to advertise the bandwidth of an autonomous system exit link as an extended community. This feature is configured for links between directly
More informationIS-IS Extensions for Flow Specification
IS-IS Extensions for Flow Specification draft-you-isis-flowspec-extensions-01 Jianjie You (youjianjie@huawei.com) Qiandeng Liang (liangqiandeng@huawei.com) Keyur Patel (keyupate@cisco.com) Peng Fan (fanpeng@chinamobile.com)
More informationNetwork Monitoring and Management NetFlow Overview
Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationConfiguring Denial of Service Protection
24 CHAPTER This chapter contains information on how to protect your system against Denial of Service (DoS) attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches,
More informationThe benefits of BGP for every service provider
The benefits of BGP for every service provider UKUUG - Spring 2011 24th of March 2011 Thomas Mangin Exa Networks Whatever a speaker is missing in depth he will compensate for in length Montesquieu NO Networking
More informationCourse Contents CCNP (CISco certified network professional)
Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,
More informationNetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6
(Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means
More informationAdvanced BGP Policy. Advanced Topics
Advanced BGP Policy George Wu TCOM690 Advanced Topics Route redundancy Load balancing Routing Symmetry 1 Route Optimization Issues Redundancy provide multiple alternate paths usually multiple connections
More informationAT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0
AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0 Introduction...2 Overview...2 1. Technology Background...2 2. MPLS PNT Offer Models...3
More informationPractical Advice for Small and Medium Environment DDoS Survival
Practical Advice for Small and Medium Environment DDoS Survival Chris "Mac" McEniry Sony Network Entertainment @macmceniry November 8 13, 2015 Washington, D.C. www.usenix.org/lisa15 #lisa15 1 Practical
More informationIn this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing
In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing protection) How the different Inter-AS and Carrier s Carrier
More informationRadware s Attack Mitigation Solution On-line Business Protection
Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationMethods of interconnecting MPLS Networks
Methods of interconnecting MPLS Networks NANOG31, May 2005 San Francisco Cable & Wireless Internet Engineering Udo Steinegger What this talk is about General This presentation covers technologies on how
More informationHow To Mirror On An Ipfix On An Rspan Vlan On A Pc Or Mac Or Ipfix (Networking) On A Network On A Pnet 2.2.2 (Netnet) On An Uniden (Netlan
Content Content CHAPTER 1 MIRROR CONFIGURATION... 1-1 1.1 INTRODUCTION TO MIRROR... 1-1 1.2 MIRROR CONFIGURATION TASK LIST... 1-1 1.3 MIRROR EXAMPLES... 1-2 1.4 DEVICE MIRROR TROUBLESHOOTING... 1-3 CHAPTER
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationCS 457 Lecture 19 Global Internet - BGP. Fall 2011
CS 457 Lecture 19 Global Internet - BGP Fall 2011 Decision Process Calculate degree of preference for each route in Adj-RIB-In as follows (apply following steps until one route is left): select route with
More informationNetFlow-Lite offers network administrators and engineers the following capabilities:
Solution Overview Cisco NetFlow-Lite Introduction As networks become more complex and organizations enable more applications, traffic patterns become more diverse and unpredictable. Organizations require
More informationFlow Monitor for WhatsUp Gold v16.2 User Guide
Flow Monitor for WhatsUp Gold v16.2 User Guide Contents Table of Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 System
More informationFast Re-Route in IP/MPLS networks using Ericsson s IP Operating System
Fast Re-Route in IP/MPLS networks using s IP Operating System Introduction: Today, Internet routers employ several routing protocols to exchange routes. As a router learns its potential routes, it builds
More informationCertes Networks Layer 4 Encryption. Network Services Impact Test Results
Certes Networks Layer 4 Encryption Network Services Impact Test Results Executive Summary One of the largest service providers in the United States tested Certes Networks Layer 4 payload encryption over
More informationIPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič
IPv4/IPv6 Transition Mechanisms Luka Koršič, Matjaž Straus Istenič IPv4/IPv6 Migration Both versions exist today simultaneously Dual-stack IPv4 and IPv6 protocol stack Address translation NAT44, LSN, NAT64
More informationHow To Import Ipv4 From Global To Global On Cisco Vrf.Net (Vf) On A Vf-Net (Virtual Private Network) On Ipv2 (Vfs) On An Ipv3 (Vv
BGP Support for IP Prefix Import from Global Table into a VRF Table The BGP Support for IP Prefix Import from Global Table into a VRF Table feature introduces the capability to import IPv4 unicast prefixes
More informationBGP Link Bandwidth. Finding Feature Information. Contents
The BGP (Border Gateway Protocol) Link Bandwidth feature is used to advertise the bandwidth of an autonomous system exit link as an extended community. This feature is configured for links between directly
More informationHow To Make A Network Secure
1 2 3 4 -Lower yellow line is graduate student enrollment -Red line is undergradate enrollment -Green line is total enrollment -2008 numbers are projected to be near 20,000 (on-campus) not including distance
More informationIPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Contents Introduction xix Chapter 1 Introduction to IPv6 Security 3 Reintroduction
More informationl.cittadini, m.cola, g.di battista
MPLS VPN l.cittadini, m.cola, g.di battista motivations customer s problem a customer (e.g., private company, public administration, etc.) has several geographically distributed sites and would like to
More informationMPLS over IP-Tunnels. Mark Townsley Distinguished Engineer. 21 February 2005
MPLS over IP-Tunnels Mark Townsley Distinguished Engineer 21 February 2005 1 MPLS over IP The Basic Idea MPLS Tunnel Label Exp S TTL MPLS VPN Label Exp S TTL MPLS Payload (L3VPN, PWE3, etc) MPLS Tunnel
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More information