Scalable DDoS mitigation using BGP Flowspec


Wei Yin TAY, Consulting Systems Engineer, Cisco Systems. 2010 Cisco and/or its affiliates. All rights reserved.

Agenda
- Goals of DDoS mitigation
- Problem description
- Traditional DDoS mitigation
- Scalable DDoS mitigation
(Cisco Confidential)

Goals of DDoS mitigation
- Stop the attack
- Drop only the DDoS traffic
- Application-aware filtering, redirection or mirroring
- Dynamic and adaptive technology
- Simple to configure
- Easy to disseminate

DDoS scenario

[Diagram: a data center hosts a website at IP 1.2.3.4 behind a CE router, which announces 1.2.3.0/24 via BGP to the provider's PE. The provider infrastructure reaches the Internet through two upstreams, Transit1 and Transit2. DDoS traffic towards 1.2.3.4 arrives through both transits, crosses the provider infrastructure and the PE-CE link, and reaches the data center.]

DDoS mitigation solutions

Distributed denial-of-service (DDoS) attacks target network infrastructure or computer services by sending an overwhelming number of service requests to the server from many sources. Server resources are used up serving the fake requests, so legitimate requests are denied or degraded.

Addressing DDoS attacks:
- Detection: detect the incoming fake requests.
- Mitigation:
  - Diversion: send the traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets.
  - Return: send the clean traffic back to the server.

Blackholing with a BGP community: it is time to use the blackhole community given by the provider (e.g. 64500:666).

[Diagram: the CE announces 1.2.3.4/32 via BGP to the PE with community 64500:666, in addition to 1.2.3.0/24. The provider installs a discard route for 1.2.3.4/32 on its edge routers facing Transit1 and Transit2, so the DDoS traffic is dropped at the provider's edge and no longer reaches the data center.]

Great, I have my website back online! No more DDoS traffic on my network. But no more traffic at all to my website either: the discard route drops the legitimate traffic along with the attack. Well, maybe that was not the solution I was looking for.

Static filtering (ACL / PBR)
Identification of DDoS traffic is based on conditions expressed as match statements:
- Source / destination address
- Protocol
- Packet size
- etc.
Actions upon the DDoS traffic:
- Discard
- Logging
- Rate-limiting
- Redirection
- etc.
Doesn't this sound like a great solution?

A good solution in principle:
- Done in hardware on carrier-grade routers
- Match statements and actions can be applied with surgical precision
But:
- The customer needs to call the provider
- The customer needs the provider to accept the filter and apply it on each of its backbone/edge routers
- The customer needs to call the provider again to remove the rule afterwards!
Reality: it won't happen.

Scalable DDoS mitigation

Comparison with the other solutions: BGP Flowspec makes static PBR a dynamic solution! It allows PBR-style rules to be propagated, and the existing control-plane communication channel is used. How? By using your existing MP-BGP infrastructure.

Why use BGP?
- Simple to extend: a new NLRI is added and carried in MP_REACH_NLRI / MP_UNREACH_NLRI
- A network-wide, loop-free point-to-multipoint distribution path is already set up
- Already used for every other kind of technology (IPv4, IPv6, VPN, multicast, labels, etc.)
- Inter-domain support
- Network engineers and architects understand BGP thoroughly
- A BGP address family can carry both the match criteria and the action criteria

New NLRI (AFI=1, SAFI=133), carried in MP_REACH_NLRI / MP_UNREACH_NLRI (RFC 4760). Each flow specification is a list of components:
1. Destination IP prefix
2. Source IP prefix
3. IP protocol
4. Port
5. Destination port
6. Source port
7. ICMP type
8. ICMP code
9. TCP flags
10. Packet length
11. DSCP
12. Fragment
Types 1 and 2 carry a prefix; types 3 to 8, 10 and 11 carry one or more (numeric operator, value) pairs; types 9 and 12 use a bitmask operator. Note from RFC 5575: "Flow specification components must follow strict type ordering. A given component type may or may not be present in the specification, but if present, it MUST precede any component of higher numeric type value."

Flowspec traffic actions are carried as BGP extended communities (RFC 4360 format). RFC 5575 defines the available actions:
- traffic-rate (0x8006): rate-limit in bytes per second; a rate of 0 discards the traffic
- traffic-action (0x8007): terminal-action and sample/log flags
- redirect (0x8008): redirect into the VRF identified by a route target
- traffic-marking (0x8009): set the DSCP value
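As an added example (not part of the original slides), the Python below encodes and decodes the Flowspec NLRI described above and builds the traffic-rate and redirect extended communities; it also encodes the rule used in the Flowspec example later in the deck (destination 1.2.3.4/32, UDP, packets of 28 bytes or less, rate-limited to 10M). Component types, the operator bit layout and the extended-community type codes follow RFC 5575; the function names, the rule dictionary format and the reading of "10M" as 10 Mbit/s are this example's own assumptions.

```python
"""BGP Flowspec (RFC 5575) IPv4 NLRI encoder/decoder, plus the extended communities
that carry the action.  Added example, not from the original slides: component types,
operator bit layout and extended-community type codes are from RFC 5575; function
names, the rule dictionary format and the sample rule are this example's own."""
import ipaddress
import struct

# RFC 5575 section 4 component types (bitmask types 9 TCP flags and 12 fragment omitted).
TYPES = {"dst": 1, "src": 2, "proto": 3, "port": 4, "dport": 5, "sport": 6,
         "icmp_type": 7, "icmp_code": 8, "pkt_len": 10, "dscp": 11}
NAMES = {t: n for n, t in TYPES.items()}
PREFIX_TYPES = {1, 2}
# Numeric operator octet: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01).
OP_BITS = {"==": 0x01, ">": 0x02, ">=": 0x03, "<": 0x04, "<=": 0x05, "!=": 0x06}
OP_SYMS = {v: k for k, v in OP_BITS.items()}
END, AND = 0x80, 0x40
LEN_CODE = {1: 0, 2: 1, 4: 2, 8: 3}

def encode_numeric(ops):
    """ops: [(op, value[, "and"]), ...] -> operator/value octets; END set on the last."""
    out = bytearray()
    for i, op in enumerate(ops):
        sym, val = op[0], op[1]
        n = next(k for k in (1, 2, 4, 8) if val < 1 << (8 * k))
        b = OP_BITS[sym] | LEN_CODE[n] << 4
        if len(op) > 2 and op[2] == "and":
            b |= AND          # AND with the previous pair; the default is OR
        if i == len(ops) - 1:
            b |= END
        out.append(b)
        out += val.to_bytes(n, "big")
    return bytes(out)

def encode_nlri(rule):
    """rule: {"dst": "1.2.3.4/32", "proto": [("==", 17)], ...} -> Flowspec NLRI.
    Components are emitted in ascending type order, as RFC 5575 requires."""
    body = bytearray()
    for t in sorted(TYPES[name] for name in rule):
        body.append(t)
        if t in PREFIX_TYPES:
            net = ipaddress.IPv4Network(rule[NAMES[t]])
            body.append(net.prefixlen)   # prefix length, then only the octets needed
            body += net.network_address.packed[:(net.prefixlen + 7) // 8]
        else:
            body += encode_numeric(rule[NAMES[t]])
    if len(body) < 0xF0:                 # one-octet length below 240, else 0xFnnn
        return bytes([len(body)]) + bytes(body)
    return struct.pack("!H", 0xF000 | len(body)) + bytes(body)

def decode_nlri(data):
    """Inverse of encode_nlri -> (rule, remaining bytes).  Rejects an NLRI whose
    component types are not strictly ascending, which RFC 5575 forbids."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, rule, last = pos + length, {}, 0
    while pos < end:
        t, pos = data[pos], pos + 1
        if t <= last or t not in NAMES:
            raise ValueError("bad or out-of-order component type %d" % t)
        last = t
        if t in PREFIX_TYPES:
            plen, pos = data[pos], pos + 1
            n = (plen + 7) // 8
            addr = bytes(data[pos:pos + n]) + bytes(4 - n)
            rule[NAMES[t]] = str(ipaddress.IPv4Network((addr, plen)))
            pos += n
        else:
            ops = []
            while True:
                b, pos = data[pos], pos + 1
                n = 1 << ((b >> 4) & 0x3)
                val = int.from_bytes(data[pos:pos + n], "big")
                pos += n
                ops.append((OP_SYMS[b & 0x07], val) + (("and",) if b & AND else ()))
                if b & END:
                    break
            rule[NAMES[t]] = ops
    return rule, bytes(data[end:])

# Actions travel as extended communities (RFC 4360 format, RFC 5575 type codes).
def traffic_rate(bytes_per_second, asn=0):
    """traffic-rate (0x8006): 2-octet AS, then the rate as an IEEE float in BYTES/s; 0 = drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_second))

def redirect_vrf(asn, value):
    """redirect (0x8008): route target AS:value of the VRF to redirect into."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, value)

def slide_rule():
    """The rule from the deck: dst 1.2.3.4/32, UDP, packets <= 28 bytes, rate-limit 10M.
    '10M' is read as 10 Mbit/s = 1 250 000 bytes/s (this example's assumption)."""
    rule = {"dst": "1.2.3.4/32", "proto": [("==", 17)], "pkt_len": [("<=", 28)]}
    return encode_nlri(rule), traffic_rate(10_000_000 // 8)
```

The decoder enforces the strict type ordering quoted above and refuses an NLRI that violates it; a receiver that silently accepts out-of-order components lets a peer install rules whose meaning depends on the parser. Note also that the traffic-rate value is bytes per second in the RFC, not bits: a "10M" typed on a router CLI may be converted for you, a value you put on the wire yourself is not.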

Flowspec example

[Diagram: UDP DDoS traffic towards 1.2.3.4 arrives through Transit1 and Transit2. The customer's CE signals a Flowspec rule over its existing BGP session to the PE, and the provider propagates it to its routers:

  IP destination: 1.2.3.4/32
  IP protocol: 17 (UDP)
  Packet size: <= 28
  Action: rate-limit 10M

The small UDP packets are rate-limited at the provider's edge, while the legitimate TCP traffic to the website passes untouched.]

In reality this architecture (the customer signalling Flowspec rules to the provider) is not deployed:
- Service providers DO NOT trust the customer
- It requires a new BGP AFI/SAFI combination to be deployed between the customer and the service provider
Both result in Flowspec not being deployed between the customer and the service provider. (RFC 5575 section 6 does define a validation rule: a Flowspec route is accepted only if its originator also originated the best-matching unicast route for the embedded destination prefix. That limits a customer to filtering traffic towards its own prefixes, but it says nothing about which match criteria or actions the provider is willing to program into its edge.)

What is done instead?
- The SP uses one or more central Flowspec speakers
- They are BGP-meshed with the service provider's routers
- Only the central Flowspec speaker is allowed to distribute Flowspec rules
- The central Flowspec speaker is considered trusted by the network
- The central Flowspec speaker is managed by the service provider
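The portal or workflow front-end of such a central speaker is where the provider decides which customer requests it is willing to turn into Flowspec routes. As an added example (not from the slides), the Python below implements one such admission policy: a destination prefix is mandatory and must lie inside a prefix the customer announces, customers may only request discard or rate-limit (redirect stays provider-only), rules are capped per customer, and every rule carries an expiry so it is withdrawn without anyone having to call the provider. The policy, the customer record and the sample rules are this example's own constructed data.

```python
"""Admission control for customer-requested Flowspec rules at a provider's central
Flowspec speaker.  Added example, not from the original slides: the policy, the
customer record and the rule formats below are this example's own constructed data."""
import ipaddress

MAX_TTL = 24 * 3600                            # rules expire instead of being "called in"
CUSTOMER_ACTIONS = {"discard", "rate-limit"}   # redirect into a VRF stays provider-only

# Constructed customer record: the data-center customer from the slides.
CUSTOMER = {"name": "datacenter", "prefixes": ["1.2.3.0/24"], "max_rules": 50}


def authorize(customer, rule, action, ttl):
    """Return (True, "ok") or (False, reason).  `rule` uses the match fields from the
    slides (dst/src/proto/pkt_len); `action` is {"type": ..., "rate_bps": ...}."""
    dst = rule.get("dst")
    if dst is None:
        return False, "destination prefix required: without one the rule matches the whole backbone"
    net = ipaddress.IPv4Network(dst)
    if not any(net.subnet_of(ipaddress.IPv4Network(p)) for p in customer["prefixes"]):
        return False, f"{dst} is not inside a prefix this customer announces"
    if action["type"] not in CUSTOMER_ACTIONS:
        return False, f"action {action['type']} is reserved for the provider"
    if action["type"] == "rate-limit" and action.get("rate_bps", 0) <= 0:
        return False, "rate-limit needs a positive rate (a rate of 0 is a discard)"
    if not 0 < ttl <= MAX_TTL:
        return False, f"ttl must be between 1 and {MAX_TTL} seconds"
    return True, "ok"


class RuleStore:
    """Rules the central speaker currently advertises, each with its expiry time."""

    def __init__(self):
        self.rules = []    # dicts: customer, rule, action, expires

    def install(self, customer, rule, action, ttl, now):
        """Admit a customer request; returns (ok, reason)."""
        ok, why = authorize(customer, rule, action, ttl)
        active = [r for r in self.rules if r["customer"] == customer["name"]]
        if ok and len(active) >= customer["max_rules"]:
            ok, why = False, "per-customer rule limit reached"
        if ok:
            self.rules.append({"customer": customer["name"], "rule": rule,
                               "action": action, "expires": now + ttl})
        return ok, why

    def purge_expired(self, now):
        """Withdraw rules whose expiry has passed; returns how many were withdrawn."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r["expires"] > now]
        return before - len(self.rules)
```

Whatever passes this check is what the central speaker turns into Flowspec routes for the provider's routers; the routers themselves only ever peer with the trusted speaker, so a customer can never push an NLRI at them directly.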

[Diagram: a central Flowspec speaker sits inside the provider infrastructure, BGP-peered with the provider's routers. Rules are inserted into it by CLI, a customer portal, a workflow system, etc. The UDP DDoS traffic towards 1.2.3.4 is handled at the provider's edge; legitimate TCP traffic reaches the website.]

Traffic-rate and traffic-marking are useful for simple attacks, but... traffic-redirect:
- Lets you redirect traffic into a VRF (by specifying the VPN route target value)
- Allows the path of a flow to be changed dynamically without injecting additional BGP routes
- Also great for cleaning DDoS traffic with a DPI probe

Thank you.