Krebs on Security booted off Akamai network after DDoS attack proves pricey

Stephen Satchell list at
Sun Sep 25 22:59:15 UTC 2016

On 09/25/2016 07:32 AM, Jay R. Ashworth wrote:
>> From: "Jay Farrell via NANOG" <nanog at>
>> > And of course Brian Krebs has a thing or two to say, not the least is which
>> > to push for BCP38 (good luck with that, right?).
>> >
>> >
> Well, given how few contributions we've gotten at in the last,
> what, 4 years, yeah, I guess so...

Yeah, right.  I looked at, and there is very little concrete 
information.  I've been slogging through the two RFCs, 2827 and 3794, 
and find it tough sledding to extract the nuggets to put into my 
firewall and routing table.  One of the more interesting new additions 
to my systems is this, to the routing tables:

ip route add blackhole	# broadcast (deprecated)
ip route add blackhole 	# “this”
ip route add blackhole 	# private network
ip route add blackhole 	# carrier-grade NAT
ip route add blackhole 	# loopback
ip route add blackhole 	# link-local
ip route add blackhole 	# private network
ip route add blackhole	# IANA special purpose registry
ip route add blackhole	# TEST-NET
ip route add blackhole	# 6to4 anycast relay (optional)
ip route add blackhole	# private network
ip route add blackhole	# inter-network testing
ip route add blackhole	# TEST-NET-2
ip route add blackhole	# TEST-NET-3
ip route add blackhole	# Multicast
(all the implied routes from interface definitions that are inserted 
automatically into the routing table by the operating system)
ip route add <downstream-subnet> via <gateway> dev <interface>
ip route add <downstream-subnet> via <gateway> dev <interface>

(Has this been published anywhere before?  I haven't found any yet.)

Notice I've omitted, because I have quite a bit of 
software that uses this broadcast address, and it needs to get onto my 
intranets; I just have to be sure that the edge link doesn't let it out 
to the world.  One such program that uses broadcast is Dropbox.

This routing table addition forms the nucleus from which I can derive 
most of the source-address input packet filtering (adding, as well as destination-address output filtering with 
code, instead of having to compile the rules by hand.

Then there are other packet filters:
* TCP “Lamp test/XMAS” et. al.  (mask, set)
     --tcp-flags FIN,SYN,RST,PSH,ACK,URG   NONE
     --tcp-flags FIN,SYN,RST,ACK,URG       FIN,SYN,RST,ACK,URG
     --tcp-flags FIN,SYN,RST,PSH,ACK,URG   FIN,PSH,URG
     --tcp-flags FIN,ACK  FIN
     --tcp-flags PSH,ACK  PSH
     --tcp-flags URG,ACK  URG
     --tcp-flags SYN,FIN  SYN,FIN
     --tcp-flags SYN,RST  SYN,RST
     --tcp-flags FIN,RST  FIN,RST
* DNS flood
* DNS amplification
* NTP flood
* NTP amplification
* ICMP flood
* IGRP flood
* protocol/port “small services” connections

And I'm just getting started.  It helps that I have a few books talking 
about the design of firewalls that discuss some of these filters.

For DNS amplification, I'm using these IPTABLES rules:

> # Limit UDP DNS "root NS" queries (must come before generic stream ACCEPT)
> #                                                                  012000010000000000010000020001
> -A INPUT -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|012000010000000000010000020001|" --algo bm --from 20 --to 1550 -m recent --set --name dnsrootquery --rsource
> -A INPUT -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|012000010000000000010000020001|" --algo bm --from 20 --to 1550 -m recent --rcheck --seconds 20 --hitcount 3 --name dnsrootquery --rsource -m comment --comment "UDP DNS ROOT flood" -j DROP

(Another possibility would be to read the DNS hints file for all the 
root servers, and impose rate-limiting to those IP addresses...but I 
didn't think of that before and so it's not part of the current DNS 
server firewall.  But the filters above seem to work quite well -- it's 
been a long time since my ISP upstream's uplink has been nailed up solid.)

In short, I have yet to see a "cookbook" for BGP38 filtering, for ANY 
filtering system -- BSD, Linux, Cisco.

More information about the NANOG mailing list