A2-2_BGP Flowspec Best Practices and the DDoS Info Sharing Project

JPAAWG

November 14, 2019
Transcript

  1. BGP Flowspec Best Practices and the DDoS Info Sharing Project
     Rich Compton – Charter Communications
     JP-AAWG November 14th 2019

  2. Who am I?
     M3AAWG 47th General Meeting | Montreal, Canada | October 2019
     • Rich Compton
     • Principal Network Security Engineer with Charter Communications
     • M3AAWG DDoS Special Interest Group Chair (along with Darshak Thakore)
     • 20+ years experience at ISPs

  3. Who is this presentation for?
     • Engineers at NSPs (Network Service Providers), Hosting Companies, or Enterprises
     • Assuming some basic knowledge of BGP (Border Gateway Protocol)

  4. DDoS Info Sharing (DIS) Project
     • All ISPs deal with DDoS attacks
     • Most ISPs & large companies don’t monitor outbound traffic
     • Goal: Provide ISPs with reliable info on DDoS attack sources on their networks

  5. DDoS Info Sharing Components
     The Server (trusted 3rd party)
     • Open Source – based on CRITS
     • Exposes RESTful APIs
     • JSON payloads (specified in JSON Schemas)
     The Client
     • Extremely light-weight Python script
     • Pulls data from your DDoS mitigation
     Focus – Make it easy

  6. Input (Ingest) Data Format
     • ISP sends data in JSON format
     • Includes source of ISP
     • Attack source info
       – IP address
       – Start & stop timestamps
       – Type of attacks
       – Attack volume

  7. Output (Distribution) Data Format
     • Receive data in JSON format
     • Indicates source of requesting ISP
     • Statistics on IPs
       – Number of times reported
       – Reporters
       – Attack details

  8. What is Flowspec?
     • Network Layer Reachability Information (NLRI) type for BGP
     • Used to apply specific actions to traffic flowing through routers, where the traffic is selected by specific filters

  9. Who Created Flowspec and Why?
     • Pedro Marques (Cisco), Nischal Sheth (Juniper), Robert Raszuk (Cisco), Barry Greene (Juniper), Jared Mauch (NTT America), and Danny McPherson (Arbor)
     • IETF RFC 5575, August 2009 (https://tools.ietf.org/html/rfc5575)
     • Created to mitigate DDoS attacks but has other uses

  10. Flowspec Protocol Details
     • Rules usually generated by a controller and advertised to routers via BGP
     • Controller can be another router sending rules via eBGP or iBGP
     • Router must enable IPv4 or IPv6 Flowspec address family
     • Numerous routers support IPv6 rules but it is not yet an RFC (https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-08)

  11. Flowspec Rule Match
     • Src/Dst IP Address/Subnet
     • Src/Dst Port (can define range of ports and greater than/less than)
     • IP Protocol
     • ICMP Type/Code
     • TCP Flags (defined by a bitmask)
     • Packet Length
     • DSCP Value
     • Fragment Bits

  12. Flowspec Actions
     • Drop
     • Rate Limit
     • Send to a VRF
     • Set DSCP value in the packet header
     • Traffic sampling (very limited support)

  13. Flowspec Actions cont.
     • Set next hop (two competing drafts)
       – Simpson Draft (https://tools.ietf.org/html/draft-simpson-idr-flowspec-redirect-02)
       – IETF Draft (https://tools.ietf.org/html/draft-ietf-idr-flowspec-redirect-ip-02)

  14. ACLs vs Flowspec
     • Flowspec rules are sent/withdrawn via BGP very quickly
     • Flowspec rules can be sent out programmatically by a controller to a large number of routers
       – For example, send out rules to block a DDoS attack
       – Most attacks are < 15 mins!
     • ACLs can be scripted but this increases complexity

  15. When to Use ACLs vs. Flowspec
     • General rule:
       – If rules will be permanent and filtering needs to be in place at boot, then use ACLs
       – If rules need to be applied temporarily, or if filtering rules need to be generated and distributed programmatically, then use Flowspec

  16. Flowspec Details
     • Usually, when a Flowspec rule is received by a router, the router validates the rule to verify that:
       – The controller sending the Flowspec rule is also advertising the best-match unicast route for the destination IP/prefix
     • Most routers have the ability to manually disable this validation

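The validation check on this slide, modelled as an added example (not code from the deck or from any router vendor): a tiny longest-prefix-match over a constructed unicast RIB decides whether the peer that sent a Flowspec rule is also the one that sent the best-match unicast route for the rule's destination. The RIB contents, peer names and prefixes are constructed; only condition (a) of RFC 5575 section 6 is modelled.

```python
import ipaddress

def best_match_originator(unicast_rib, dst_prefix):
    """Longest-prefix match of dst_prefix against unicast_rib ({prefix: originating peer}).
    Returns the peer that advertised the best-match unicast route, or None if nothing covers it."""
    dst = ipaddress.ip_network(dst_prefix, strict=False)
    best_net, best_peer = None, None
    for prefix, peer in unicast_rib.items():
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed address families, so compare versions first
        if dst.version == net.version and dst.subnet_of(net):
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_peer = net, peer
    return best_peer

def flowspec_rule_is_valid(unicast_rib, rule_peer, dst_prefix):
    """Slide-16 check (RFC 5575 section 6, condition a): accept a Flowspec rule only if the
    peer that sent it also sent the best-match unicast route for the rule's destination prefix.
    Condition (b), no more-specific routes from a different neighbouring AS, is not modelled;
    the RIB is a plain dict constructed for this example."""
    return best_match_originator(unicast_rib, dst_prefix) == rule_peer

# Constructed sample RIB: the Flowspec controller originates the customer prefix it protects,
# everything else is reached through a default route learned from a transit peer.
SAMPLE_RIB = {
    "0.0.0.0/0": "transit-peer",
    "203.0.113.0/24": "flowspec-controller",
}

if __name__ == "__main__":
    # Accepted: the controller originates the covering /24 for this /26 target.
    print(flowspec_rule_is_valid(SAMPLE_RIB, "flowspec-controller", "203.0.113.64/26"))
    # Rejected: the best match is the default route from the transit peer, so the router
    # silently ignores the rule unless the operator disables validation (as the slide notes).
    print(flowspec_rule_is_valid(SAMPLE_RIB, "flowspec-controller", "198.51.100.0/24"))
```

The second case is the usual deployment surprise: a controller that only speaks Flowspec, without also advertising the unicast routes it protects, gets its rules dropped until validation is disabled or the controller is given the routes.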
  17. Flowspec Details
     • Normally, rules are installed on all interfaces
     • Most routers have an option to disable rules on specific interfaces or groups of interfaces
       – Ex: Rules on the peering interfaces of a peering router and not on other interfaces
     • Rules are immediately removed by a router when:
       – The rule is withdrawn via a BGP update
       – The BGP session with the controller is terminated

  18. Flowspec Details
     • Routers should be configured as route reflectors to advertise Flowspec rules
     • Some vendors (e.g. IOS-XR) will not redistribute Flowspec rules unless:
       – eBGP session
       – iBGP route-reflector session

  19. Flowspec Filtering Routers
     • Cisco Routers running IOS-XR
     • Juniper Networks Routers
     • Nokia Networks Routers
     • Huawei Routers

  20. Flowspec Controllers
     • ExaBGP (https://github.com/Exa-Networks/exabgp)
     • BIRD (http://bird.network.cz/)
     • GoBGP (https://github.com/osrg/gobgp)
     • YABGP (https://github.com/smartbgp/yabgp)
     • Open Daylight (https://www.opendaylight.org/)
     • FastNetMon (https://fastnetmon.com/)
     • Arbor SP (https://www.arbornetworks.com/)

  21. Flowspec Controllers cont.
     • Deepfield Defender (https://networks.nokia.com/solutions/deepfield-ip-network-analytics-DDoS-protection)
     • Radware DefenseFlow (https://www.radware.com/products/defenseflow/)
     • Auto-Flowspec Docker Container (https://github.com/racompton/docker-auto-flowspec)
     • BgpFlowspectool (https://github.com/Pragma-Innovation/bgpflowspectool)
     • Flowspy (https://github.com/grnet/flowspy)
     • Fortinet FortiDDoS (https://www.fortinet.com/products/ddos/fortiddos.html)

  22. Use Cases
     • Most common is DDoS mitigation
     • Flowspec rules to block attack traffic
       – Works well for UDP amplification attacks
     • Flowspec rules to divert traffic to an Intelligent DDoS Mitigation System (IDMS) for scrubbing
       – Send to VRF or set next hop
       – Can be more granular about what traffic is diverted than regular set-next-hop route injection
     • Flowspec rules to block attacking source IPs
       – Can run into the 2000-rule limit very quickly, since the first D in DDoS is Distributed

  23. Use Cases
     • Flowspec rules to quickly deploy a block for certain types of bad traffic
       – Ex. Rule to block traffic sourced from UDP port 11211 with a packet size of 1424 bytes to stop malicious Memcache attacks
     • For long term blocking use ACLs

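As an added example (not code from the deck, and not any controller's own implementation), the slide-23 Memcache rule encoded on the wire as the RFC 5575 Flowspec NLRI, using the component types behind the slide-11 match fields and the traffic-rate extended community that carries the slide-12 drop action. Operator-bit layout and type numbers are as in RFC 5575; the AS number 65000 is a constructed placeholder. The encoder handles any set of single-value equality matches, not only this rule.

```python
import struct

# RFC 5575 component types for the slide-11 match fields (encoded in ascending type order)
IP_PROTOCOL, DST_PORT, SRC_PORT, PACKET_LENGTH = 3, 5, 6, 10

def numeric_op(value, end_of_list):
    """Numeric operator byte plus value for an '== value' match.
    Operator bits, MSB first: e a len len 0 lt gt eq; len 00 = 1-byte value, 01 = 2-byte value."""
    if value < 0x100:
        op, fmt = 0b00000001, ">B"     # eq, 1-byte value
    elif value < 0x10000:
        op, fmt = 0b00010001, ">H"     # eq, 2-byte value
    else:
        raise ValueError("values wider than 16 bits are not needed for this example")
    if end_of_list:
        op |= 0b10000000              # e bit: last operator of this component
    return bytes([op]) + struct.pack(fmt, value)

def encode_flowspec_nlri(components):
    """components: {component_type: value} of equality matches.
    Returns the NLRI: 1-byte length (valid below 240) followed by the components."""
    body = b""
    for ctype in sorted(components):  # RFC 5575 requires ascending component type order
        body += bytes([ctype]) + numeric_op(components[ctype], end_of_list=True)
    if len(body) >= 240:
        raise ValueError("NLRI of 240+ bytes needs the 2-byte length encoding")
    return bytes([len(body)]) + body

def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community type 0x8006 (traffic-rate): 2-byte AS, 4-byte IEEE float rate.
    A rate of 0.0 is the Flowspec 'drop' action from slide 12."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

def memcached_drop_rule(asn=65000):
    """Slide-23 rule: IP protocol 17 (UDP), source port 11211, packet length 1424, action drop."""
    nlri = encode_flowspec_nlri({IP_PROTOCOL: 17, SRC_PORT: 11211, PACKET_LENGTH: 1424})
    return nlri, traffic_rate_community(asn, 0.0)

if __name__ == "__main__":
    nlri, action = memcached_drop_rule()
    print("NLRI:", nlri.hex())                         # 0b03811106912bcb0a910590
    print("traffic-rate ext-community:", action.hex())  # 8006fde800000000
```

Decoding the printed NLRI by hand is a useful sanity check when a router rejects a rule: 0b is the length, then 03 81 11 (protocol == 17), 06 91 2bcb (source port == 11211) and 0a 91 0590 (packet length == 1424).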
  24. Conclusion
     • Flowspec is similar to ACLs, uses BGP
     • Primarily used for DDoS mitigation
     • DO LAB TESTING before rolling out into production