This document discusses techniques for mitigating distributed denial of service (DDoS) attacks, including remotely triggered black hole filtering (RTBH) and BGP FlowSpec. It provides an overview of DDoS attack trends, types, and impacts. It also introduces the open-source FastNetMon tool, which detects DDoS attacks from network telemetry (NetFlow/sFlow) and triggers mitigation actions such as flow blocking through integration with tools like ExaBGP.
3. What is a DDoS Attack?
• A distributed attack that makes your online infrastructure totally inaccessible
• Performed by a large number of infected hosts (zombies)
• Complicated to defend
[Diagram: bots and legitimate users reach Your Infrastructure through the Upstream Provider and Your Connection]
4. Attack Types
• Network Layer Attacks: exhausting your uplink
• Application Layer Attacks: overloading your servers
[Diagram: network layer attack saturates Your Connection between the Upstream Provider and Your Infrastructure; application layer attack sends L7 requests through to Your Infrastructure]
5. But I am not affected…
• Attacked more than once: 75%
• Attacked on a weekly basis: 10%
• Attacked in past 12 months: 91%
• Organizations attacked: 45%
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
6. DDoS Attack Trends
• 2014 vs. 2013: number of attacks doubled
• Average DDoS Attack Size in 2014: 15Gbps
• Average Damage of DDoS Attack: $40,000 /hour
• Largest Application Layer Attack: ~180,000 RPS
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
7. Where are we going?
• DDoS attacks may last for days or weeks
• Attacks usually reappear
• Network layer attacks are getting bigger (so your defense should scale proportionally)
• Operators should be equipped with appropriate equipment (and knowledge)
8. How it affects operators
• Your customers cannot defend themselves (once an attack hits a customer's firewall, it's too late)
• An attack on one customer may affect the other customers, or the whole infrastructure
• Loss of revenue
• Loss of reputation
• Legal Issues
• Service Level degradation, missing SLA targets
9. Dealing with DDoS
• Detection
• Tools and Techniques
• Mitigation
• Best Practices
12. RTBH
• Remotely Triggered Blackhole
• D/RTBH: Based on destination address
• S/RTBH: Based on source address
• Widely in use by operators
• Injecting routes to edge routers using iBGP to discard or redirect traffic to a sinkhole/scrubber
• Blackholes all incoming traffic for a given host/network
13. D/RTBH
• Victim's (destination) address will be totally unreachable during the attack
• Makes the victim unreachable to protect the rest of the infrastructure / customers
14. S/RTBH
• Uses uRPF (loose mode) to filter out traffic based on source address
• Victim will still be reachable
• Only effective in case of DoS or DDoS with a limited number of source addresses
17. RTBH
[Diagram: Target in the Customer Network, connected via Upstream A, Upstream B, IXP A and IXP B; the Trigger Router in the NOC advertises blackhole prefixes over iBGP to the edge routers]
18. Where should attack traffic go?
• Discard
  • null0 on edge routers
• Sinkhole
  • For further analysis / forensics
• Scrubber
  • Clean malicious traffic
19. RTBH Problems
• Discarding will keep the target visible for local networks, but it will be unavailable for others
• Isn’t this what attackers wanted?
• Scrubbing as an alternative to black-holing
• It is usually done manually
20. BGP FlowSpec
• Defined in RFC 5575 (IPv4)
• Largely a work in progress - many extensions are proposed as IETF drafts
• IPv6 support is still in draft state [6] (IETF idr WG)
• Fairly new, not widely in use
  • JunOS 7.3
  • IOS 15.5, XE 3.14
• Defines a new BGP NLRI (Network Layer Reachability Information) format
• Granular traffic flow matching based on L3/L4 information
21. FlowSpec use cases
• Traffic Filter List / ACL distribution
• Filtering harmful traffic based on Traffic Flow information
• Replacement for classic S/RTBH and D/RTBH for DDoS mitigation
23. Traffic Filtering Actions
• Defined as extended community attributes:
  • 0x8006 - traffic-rate (Rate Limiting or Discarding)
  • 0x8007 - traffic-action (Sampling)
  • 0x8008 - redirect (Redirecting to a VRF)
  • 0x8009 - traffic-marking (DSCP Tagging)
• Additional actions are proposed [7]:
  • 0x8108 - redirect to IPv4
  • 0x8208 - redirect to AS
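The four RFC 5575 actions listed above are ordinary 8-byte BGP extended communities: a 2-byte type followed by a 6-byte value. The Python block below is an added example, not taken from the slides, that encodes and decodes them so the field layout is visible: traffic-rate carries an informational 2-byte AS and an IEEE-754 float rate in bytes per second (0 means discard); traffic-action carries the terminal (T) and sample (S) bits in the last byte; redirect is shown in the 2-byte-AS route-target form of 0x8008; traffic-marking carries a 6-bit DSCP. The draft 0x8108 and 0x8208 variants are not covered, and the AS and rate values used are constructed sample data.

```python
"""Encode and decode BGP FlowSpec traffic-filtering actions (RFC 5575)
as 8-byte extended communities.  Added example; constructed sample values."""
import struct

TRAFFIC_RATE = 0x8006     # rate-limit, 0 bytes/s = discard
TRAFFIC_ACTION = 0x8007   # terminal / sample flags
REDIRECT = 0x8008         # redirect to VRF, route-target (2-byte AS) form
TRAFFIC_MARKING = 0x8009  # rewrite DSCP


def traffic_rate(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Type, 2-byte AS (informational only), 4-byte IEEE-754 float rate."""
    if rate_bytes_per_sec < 0:
        raise ValueError("rate must be >= 0 (0 discards the flow)")
    return struct.pack("!HHf", TRAFFIC_RATE, asn, rate_bytes_per_sec)


def traffic_action(terminal: bool = False, sample: bool = False) -> bytes:
    """Only the last byte is used: bit 47 = terminal (T), bit 46 = sample (S)."""
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return struct.pack("!H5xB", TRAFFIC_ACTION, flags)


def redirect(asn: int, local_admin: int) -> bytes:
    """Route-target style value: 2-byte AS number + 4-byte assigned number."""
    return struct.pack("!HHI", REDIRECT, asn, local_admin)


def traffic_marking(dscp: int) -> bytes:
    """DSCP is 6 bits; the router rejects or ignores anything larger."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp)


def decode(ec: bytes) -> dict:
    """Turn an 8-byte extended community back into a readable action."""
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    typ = struct.unpack("!H", ec[:2])[0]
    if typ == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ec[2:])
        return {"action": "traffic-rate", "asn": asn,
                "rate_bps": rate * 8, "discard": rate == 0.0}
    if typ == TRAFFIC_ACTION:
        flags = ec[7]
        return {"action": "traffic-action",
                "terminal": bool(flags & 0x01), "sample": bool(flags & 0x02)}
    if typ == REDIRECT:
        asn, local = struct.unpack("!HI", ec[2:])
        return {"action": "redirect", "target": f"{asn}:{local}"}
    if typ == TRAFFIC_MARKING:
        return {"action": "traffic-marking", "dscp": ec[7]}
    raise ValueError(f"unknown FlowSpec action type 0x{typ:04x}")


if __name__ == "__main__":
    # Constructed sample: discard, 10 Mbit/s limit, redirect to VRF 65001:666, DSCP EF
    for ec in (traffic_rate(0), traffic_rate(1_250_000.0, asn=65001),
               redirect(65001, 666), traffic_marking(46)):
        print(ec.hex(), decode(ec))
```

A traffic-rate of 0 is how "discard" travels on the wire, which is why a rate-limit and a blackhole look alike in a packet capture until the float is decoded.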
24. ExaBGP
• Open Source BGP Swiss Army Knife [8]
• Supports many extensions, including IPv6, ASN4, MPLS, BMP and FlowSpec
• Easy to use and extend (show your Python / BASH mastery!)
• Easily integrates with your existing tools/scripts (e.g. FastNetMon) to automate route/policy injection
29.
• Watches hosts for traffic anomalies
  • High bits/second
  • High packets/second
  • High flows/second
• Runs External Trigger (e.g. custom script)
30.
• Integration with ExaBGP (FlowSpec injection)
• Integration with GoBGP (Unicast announces)
• Custom thresholds
• L2TP Decapsulation
• MPLS untagging and VLAN processing
• Supports major network attack types (TCP SYN, UDP, ICMP and IP Fragmentation floods)
• Write your own plugin!
31. Sample Configuration
## action in case of attack
enable_ban = on
ban_time = 3600
## Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
## Limits for DoS/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
32. Sample Configuration
## traffic capture method
mirror = off
mirror_netmap = off
pcap = off
netflow = on
sflow = on
netflow_port = 2055
netflow_host = 0.0.0.0
sflow_port = 6343
sflow_host = 0.0.0.0
33. Sample Configuration
## action !!!
notify_script_path = /usr/local/bin/ban.sh
# ExaBGP could announce blocked IPs with BGP
exabgp = on
exabgp_command_pipe = /var/run/exabgp/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_whole_subnet = no
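With the settings above (next-hop 10.0.3.114, community 65001:666, the ExaBGP command pipe), the script named in notify_script_path is what turns a detection into a route. The Python block below is an added example, not FastNetMon's or ExaBGP's own code: it implements such a script for the D/RTBH case of slides 12 and 13 (announce the victim's /32 with the blackhole community) and for the FlowSpec alternative of slide 21 (a discard rule matching only the victim, on destination for incoming attacks and on source for outgoing ones). It assumes FastNetMon's documented argument order (IP address, direction, pps, action) and ExaBGP's text API verbs `announce route`, `withdraw route`, `announce flow route` and `withdraw flow route`; the /24 and /64 sizes used when announcing a whole subnet, the sample address 192.0.2.10 and the file name ban.py are assumptions. Check both interfaces against the versions you run.

```python
#!/usr/bin/env python3
"""FastNetMon notify script that turns ban/unban events into ExaBGP commands.
Added example, not FastNetMon's or ExaBGP's own code.  Assumes FastNetMon's
argument order (ip, direction, pps, action) and ExaBGP's text API."""
import ipaddress
import sys

# Values taken from the sample configuration on the slides
CONFIG = {
    "command_pipe": "/var/run/exabgp/exabgp.cmd",
    "community": "65001:666",   # blackhole community the edge routers act on
    "next_hop": "10.0.3.114",   # next-hop routed to null0 / sinkhole at the edge
    "announce_whole_subnet": False,
}


def victim_prefix(ip: str, whole_subnet: bool) -> str:
    """Host route for the victim, or its covering subnet when configured.
    Subnet sizes (/24 v4, /64 v6) are an assumption of this example."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    if whole_subnet:
        plen = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return f"{addr}/{addr.max_prefixlen}"


def rtbh_commands(prefix: str, action: str, cfg: dict) -> list:
    """D/RTBH: inject the victim prefix with the blackhole community over iBGP.
    The whole prefix becomes unreachable, which protects everyone else."""
    verb = {"ban": "announce", "unban": "withdraw"}[action]
    return [f"{verb} route {prefix} next-hop {cfg['next_hop']} "
            f"community [{cfg['community']}]"]


def flowspec_commands(prefix: str, direction: str, action: str, cfg: dict) -> list:
    """FlowSpec: discard only flows matching the victim, so it stays reachable
    for traffic that does not match.  Incoming attacks match on destination,
    outgoing ones (a compromised customer host) on source."""
    verb = {"ban": "announce", "unban": "withdraw"}[action]
    field = "destination" if direction == "incoming" else "source"
    return [f"{verb} flow route {{ match {{ {field} {prefix}; }} "
            f"then {{ discard; }} }}"]


def build_commands(ip: str, direction: str, action: str,
                   mode: str = "rtbh", cfg: dict = CONFIG) -> list:
    """Return the ExaBGP API lines for one FastNetMon event; empty for
    informational actions such as attack_details (report arrives on stdin)."""
    if action not in ("ban", "unban"):
        return []
    prefix = victim_prefix(ip, cfg["announce_whole_subnet"])
    if mode == "flowspec":
        return flowspec_commands(prefix, direction, action, cfg)
    return rtbh_commands(prefix, action, cfg)


def main(argv: list) -> None:
    if len(argv) < 5:
        sys.exit("usage: ban.py <ip> <incoming|outgoing> <pps> <ban|unban|attack_details>")
    ip, direction, _pps, action = argv[1:5]
    commands = build_commands(ip, direction, action)
    if not commands:
        return
    # ExaBGP reads one command per line from the named pipe it was started with
    with open(CONFIG["command_pipe"], "w") as pipe:
        for cmd in commands:
            pipe.write(cmd + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

Point notify_script_path at the script and make it executable; with ban_time = 3600 FastNetMon calls it again with the unban action after an hour, which withdraws the route and restores reachability without NOC intervention.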
34. [Diagram: incoming DDoS toward the Target in the Customer Network via Upstream A, Upstream B, IXP A and IXP B; NetFlow/sFlow from the edge routers feeds FastNetMon and ExaBGP in the NOC]
35. [Diagram: FastNetMon triggers ExaBGP in the NOC, which advertises the blackhole prefix over iBGP to the edge routers, and the attack traffic is blocked at the edge]