Page 1
Implementing BGP Flowspec at IP transit network
Dmitry Onuchin

root@core# show magic
class-map type traffic match-all fs_ex
 match destination-address ipv4 a.b.c.d/32
 match protocol udp
 match destination-port 137-139 80 8080
 end-class-map
policy-map type pbr fs_table_ex
 class type traffic fs_ex
  police rate 8000 bps
 class class-default
 end-policy-map
Page 2
BGP Flowspec
About:
– RFC 5575
– Announce Flow Specification via BGP
– It can be represented as a distributed access-list on the operator's network
– Often used to prevent some types of DDoS attacks on the fourth level of OSI (Amplification/UDP flood)
Page 3
Flow Specification Options (NLRI):
1. Destination prefix
2. Source prefix
3. IP protocol
4. Port
5. Destination port
6. Source port
7. ICMP type
8. ICMP code
9. TCP flags
10. Packet length
11. DSCP
12. Fragment
Actions (extended-community):
• Traffic-rate
• Traffic-action
• Redirect
• Traffic-marking
Page 4
Typical attack scenario (before ddos)
Page 5
Typical attack scenario (ddos)
Page 6
Typical attack scenario (using flowspec)
Page 7
Discussed implementation options
• Enable address-family IPv4/IPv6 flowspec on PE routers and customer sessions:
– Rules validation? (vendor-specific, more-specific, etc)
– You can "lose" the router receiving the wrong rules
– Need hardware support for BGP Flowspec
• Write software (BGP FS controller):
– The possibility of any type of validation
– Separation of the operator's network from client BGP FS sessions
– Ability to set rules without hardware support on the client side
– Scaling
Page 8
Flowspec rule validation
• Must have destination prefix
• Destination prefix must be best on operator's network and received from the customer session
• Deny port specification (dst/src) when protocol is not tcp/udp
• Deny tcp-flags when protocol is not tcp
• Deny icmp-type/code when protocol is not icmp
• Limitations with regard to the equipment used on the network (vendor-specific).
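The validation list above, written out as a controller-side check (an added example, not the presenter's controller code): each rule is rejected with a reason unless it carries a destination prefix covered by this customer's session, uses ports only with tcp/udp, tcp-flags only with tcp, icmp-type/code only with icmp, and keeps packet-length inside 16 bits. The FlowRule shape, the protocol-number constants and the sample prefixes are assumptions; the "best path on the operator's network" lookup is assumed to have produced the session_prefixes list.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17  # IANA IP protocol numbers


@dataclass
class FlowRule:
    """Subset of RFC 5575 NLRI components a customer may submit (hypothetical shape)."""
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    protocols: FrozenSet[int] = frozenset()          # IP protocol component
    dst_ports: Tuple[Tuple[int, int], ...] = ()      # (low, high) ranges
    src_ports: Tuple[Tuple[int, int], ...] = ()
    tcp_flags: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    packet_length: Tuple[Tuple[int, int], ...] = ()


def validate_rule(rule: FlowRule, session_prefixes) -> list:
    """Return the reasons a rule is rejected; an empty list means accept.

    session_prefixes: prefixes that are best path on the operator's network AND
    were received from this customer's BGP session (assumed looked up elsewhere).
    """
    errors = []
    if rule.dst_prefix is None:
        errors.append("destination prefix is required")
    else:
        dst = ipaddress.ip_network(rule.dst_prefix, strict=False)
        nets = (ipaddress.ip_network(p, strict=False) for p in session_prefixes)
        if not any(n.version == dst.version and dst.subnet_of(n) for n in nets):
            errors.append("destination prefix not received from this customer session")
    if (rule.dst_ports or rule.src_ports) and not (rule.protocols and rule.protocols <= {TCP, UDP}):
        errors.append("port match allowed only with protocol tcp/udp")
    if rule.tcp_flags is not None and rule.protocols != {TCP}:
        errors.append("tcp-flags match allowed only with protocol tcp")
    if (rule.icmp_type is not None or rule.icmp_code is not None) and rule.protocols != {ICMP}:
        errors.append("icmp-type/code match allowed only with protocol icmp")
    for low, high in rule.packet_length:  # the >64K case is what took down Cloudflare's core
        if not 0 <= low <= high <= 0xFFFF:
            errors.append("packet-length must be a 16-bit range (vendor limitation)")
    return errors


if __name__ == "__main__":
    # Constructed sample mirroring the slide's policy: UDP 137-139, 80, 8080 to one host.
    rule = FlowRule(dst_prefix="203.0.113.10/32", protocols=frozenset({UDP}),
                    dst_ports=((137, 139), (80, 80), (8080, 8080)))
    print(validate_rule(rule, ["203.0.113.0/24"]))  # [] -> accepted
```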
Page 9
Implementing BGP Flowspec (stage 1)
Page 10
Implementing BGP Flowspec (stage 2: +stat/mon)
Page 11
Implementing BGP Flowspec (stage 3: +web)
Page 12
Statistics/Monitoring
• Collect statistics from PE routers
• Send metrics for analysis
• Periodic revalidation of rules
• Check installed rules on routers
Page 13
Web customer portal
• Statistics and control of rules
• Check history of flowspec rules
• Export counters (match/drop) in json
• Possibility to send Flowspec:
– For customers without hardware support for bgp flowspec
– In cases where you do not have access to the router
– Simple/fast/convenient
Page 14
Installing flowspec via customer portal
Page 15
Graphs example for customers in Customer portal
Admin portal :)
Page 16
Rate-limit
Cisco ASR9K installs flowspec as a policy-map input.
Page 17
DDoS detection
• Attacks on overload (UDP Flood/Amplification):
– BGP Flowspec applies to almost all cases
– Detection is relatively inexpensive (Netflow/Sflow), including on IP transit network
• Attacks on the network stack (Syn/Ack flood, conntrack…):
– BGP Flowspec rarely used
– Detection on transit is not always possible
• Application-based attacks:
– BGP Flowspec not applicable
– Simple detection on transit is impossible (without DPI and analytics)
Page 18
Top 10 DDoS attack vectors (AKAMAI)
BGP Flowspec applicable in more than 75% of cases
Page 19
Statistics (Rascom network)
A sample of >5000 real rules
Page 20
Statistics (Rascom network)
Page 21
Statistics (Rascom network)
>85% of the traffic of ddos attacks detected using BGP Flowspec (client rules) comes from foreign interfaces (mostly Tier 1 operators)
Page 22
Recommendations
• Hardware limitation. It is not recommended to use flowspec as a permanent access-list; always remove unused rules
• Bad validation. Do not test the strength of the operator (vendor) validation rules and always follow the RFC:
– Fall of the Cloudflare network core (match packet-length > 64K)
– During the tests, the Juniper vMX was lost several times (RPD outage) because of incorrect rules
• Understanding. If you do not understand bgp flowspec and its applications, then do not use this service.
Page 23
Development plans
• The introduction of a second controller based on GoBGP
– Redundancy
– Insurance against software "bugs"
• API
– Setting/removing rules
– Statistics (raw)
– Informing about/removing rules for which there is no traffic
• Integration with the attack detection product based on netflow/sflow
• Improvement of the web customer portal
Page 24
The end!
Questions and suggestions - email: [email protected]
2017
root@core# cat flood > /dev/null