Attacks on BGP Routing Ranges

Saku Ytti saku at ytti.fi
Wed Apr 18 10:48:01 UTC 2018


Hey Ryan,


I'm assuming edge link in your network facing another administrative domain.

You'll have two scenarios

1) attack coming from your side
2) attack coming from far side

You can easily stop 1, obviously.
But for 2, you really need to have far-side who is cooperative and
understanding of best practices and there isn't any magic you alone
can do with entirely uncooperative far-end.

Things to consider at both ends:

a) edge filter, on all edge interfaces ensure that only udp
traceroute, icmp are sent (policed) to infrastructure addresses
b) do not advertise link networks in iBGP
c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255




On 18 April 2018 at 13:37, Ryan Hamel <Ryan.Hamel at quadranet.com> wrote:
> Hello,
>
> I wanted to poll everyones thoughts on how to deal with attacks directly on BGP peering ranges (/30's, /127's).
>
> I know that sending an RTBH for our side of the upstream routing range does not resolve the issue, and it would actually make things worse by blackholing all inbound traffic on the carrier I send the null to. What are my options for carriers that are not willing to help investigate the situation or write up a firewall rule to mitigate it on the circuit? I am not a fan of naming and shaming because it has unintended consequences.
>
> Thanks in advance for everyone's suggestions.
>
> Ryan Hamel



-- 
  ++ytti


More information about the NANOG mailing list