Implementing BGP Flowspec at IP transit network

Implemen'ngBGP Flowspec atIPtransitnetwork

DmitryOnuchin

root@core# show magic class-map type traffic match-all fs_ex match destination-address ipv4 a.b.c.d/32 match protocol udp match destination-port 137-139 80 8080 end-class-map policy-map type pbr fs_table_ex class type traffic fs_ex police rate 8000 bps class class-default end-policy-map

BGPFlowspec

About:–  RFC5575–  AnnounceFlowSpecifica-onviaBGP–  Itcanberepresentedasdistributedaccess-listontheoperator`snetwork

–  OBenusedtopreventsometypesofDDoSaEacksonthefourthlevelofOSI(Amplifica'on/UDPflood)

FlowSpecifica5onOp'ons(NLRI):1.  Des'na'onprefix2.  Sourceprefix3.  IPprotocol4.  Port5.  Des'na'onport6.  Sourceport7.  ICMPtype8.  ICMPcode9.  TCPflags10.  Packetlength11.  DSCP12.  Fragment

Ac'ons(extended-community):•  Traffic-rate•  Traffic-ac'on•  Redirect•  Traffic-marking

Typicala9ackscenario(beforeddos)

Typicala9ackscenario(ddos)

Typicala9ackscenario(usingflowspec)

Discussedimplementa5onop5ons•  Enableaddress-familyIPv4/IPv6flowspeconPEroutersandcustomer

sessions:–  Rulesvalida'on?(vendor-specific,more-specific,etc)–  Youcan“lose”therouterreceivingthewrongrules–  NeedhardwaresupportforBGPFlowspec

•  WritesoBware(BGPFScontroller):–  Thepossibilityofanytypeofvalida'on–  Separa'onoftheoperator'snetworkfromclientsessionsBGPFS–  Abilitytosetruleswithouthardwaresupportfromtheclient–  Scaling

Flowspecrulevalida5on

•  Musthavedes5na5onprefix•  Des5na5onprefixmustbebestonoperator`snetworkandreceivedfromcustomersession

•  Denyportspecifica'on(dst/src)isnotinprotocolstcp/udp

•  Denytcp-flagisnotinprotocoltcp•  Denyicmp-type/codeisnotinprotocolicmp•  Limita'onswithregardtotheequipmentusedonthenetwork(vendor-specific).

Implemen5ngBGPFlowspec(stage1)

Implemen5ngBGPFlowspec(stage2:+stat/mon)

Implemen5ngBGPFlowspec(stage3:+web)

Sta5s5cs/Monitoring

•  Collectsta's'csfromPErouters•  Sendmetricstoanalyze•  Periodicrevalida'onofrules•  Checkinstalledrulesonrouters

Webcustomerportal•  Sta's'csandcontrolrules•  Checkhistoryonflowspecrules•  Exportcounters(match/drop)injson•  PossibilitytosendFlowspec:–  Forcustomerswithouthardwaresupportbgpflowspec–  Incasesyoudonothaveaccesstotherouter–  Simple/fast/convenient

Installingflowspecviacustomerportal

GraphsexampleForcustomersinCustomerportal

AdminportalJ:

Rate-limit

CiscoASR9Kinstallsflowspecaspolicy-mapinput.

DDoSdetec5on•  AEacksonoverload(UDPFlood/Amplifica'on):

–  BGPFlowspecappliestoalmostallcases–  Detec'onisrela'velyinexpensive(Nellow/Sflow),includingonIPtransitnetwork

•  AEackstothenetworkstack(Syn/Ackflood,conntrack…):

–  BGPFlowspecrarelyused–  Detec'onontransitisnotalwayspossible

•  Applica'on-basedaEacks:–  BGPFlowspecnotapplicable–  Simpledetec'onontransitisimpossible(withoutDPIandanaly'cs)

Top10DDoSa9acksvectors(AKAMAI)BGPFlowspecapplicableinmorethan75%ofcases

Sta5s5cs(Rascomnetwork)Asampleof>5000realrules

Sta5s5cs(Rascomnetwork)

Sta5s5cs(Rascomnetwork)>85%ofthetrafficofddosa9acksdetectedusingBGPFlowspec(clientrules)comefromforeigninterfaces(mostlyTier1operators)

•  Hardwarelimita5on.Itisnotrecommendedtouseflowspecasapermanentaccess-listandalwaysremoveunused

•  Badvalida5on.Donottestthestrengthoftheoperator

(vendor)valida'onrulesandalwaysfollowtheRFC:–  FallCloudflarenetworkcore(matchpacket-length>64K)–  Duringthetests,theJunipervMX(RPDoutage)waslostseveral'mesbyincorrectrules

•  Understanding.Ifyoudonotunderstandbgpflowspecanditsapplica'ons,thendonotusethisservice.

Recommenda5ons

Developmentplans•  Theintroduc'onofthesecondcontrollerbasedonGoBGP

–  Reserva'on–  Insurancefrom"bugs"soBware

•  API–  Seqng/removingrules–  Sta's'cs(raw)–  Informing/removingrulesforwhichthereisnotraffic

•  Integra'onwiththeproductofthedetec'onofaEacksbasedonnellow/sflow

•  Improvementwebcustomerportal

Theend!

Ques'onsandsugges'ons-email:[email protected]

2017 root@core# cat flood > /dev/null