Attacks on BGP Routing Ranges
saku at ytti.fi
Wed Apr 18 14:54:35 UTC 2018
On 18 April 2018 at 14:03, Ryan Hamel <Ryan.Hamel at quadranet.com> wrote:
>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp are sent (policed) to infrastructure addresses
> While I can implement an edge filter to drop such traffic, it's impacting our clients traffic as well.
I don't understand why that would be true, your customers shouldn't be
using links for anything useful.
But again, in your case the attack is coming from far-end, so they
need to do this, to benefit you.
>> b) do not advertise link networks in iBGP
> This has never been an issue.
It is now. If the link is far-end assigned, and if far-end does not
advertise it, then attack has to come from same far-end router as
where you're connected, greatly reducing attack surface.
>> c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
> Could you explain how this can resolve my issue? I am not sure how this would work.
If your link isn't protected, then attacking just your BGP session
allows to bring down the BGP with very modest Mbps, like <5Mbps. If
you do GTSM and drop <255 TTL BGP, then typically attacker can't bring
down the BGP session, or at very least they need to congest whole
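The TTL check from point (c), modelled as an added example that is not part of the original message: it shows why a sender several hops away cannot pass a GTSM (RFC 5082) filter even when it spoofs the neighbor's address. The addresses, packet fields and function names are constructed for illustration.

```python
# Added example: GTSM (RFC 5082) TTL check for BGP, run over constructed packets.
from dataclasses import dataclass

BGP_PORT = 179
GTSM_MIN_TTL = 255  # single-hop eBGP: only an on-link sender can arrive with 255


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    sport: int
    dport: int
    sent_ttl: int  # TTL the sender put in the IP header (8-bit field, max 255)
    hops: int      # routers that forwarded the packet; each one decrements TTL


def arrival_ttl(pkt: Packet) -> int:
    """TTL seen by the receiver after every forwarding router decremented it."""
    return max(pkt.sent_ttl - pkt.hops, 0)


def gtsm_verdict(pkt: Packet, neighbors: set) -> str:
    """Classify a packet the way a filter in front of a GTSM BGP session would."""
    if pkt.proto != "tcp" or BGP_PORT not in (pkt.sport, pkt.dport):
        return "not-bgp"
    if pkt.src not in neighbors:
        return "drop-unknown-peer"
    if arrival_ttl(pkt) < GTSM_MIN_TTL:
        return "drop-ttl"  # forwarded at least once, or sender is not using GTSM
    return "accept"


# Constructed sample data (RFC 5737 documentation addresses), not from the thread.
NEIGHBORS = {"192.0.2.1"}
SAMPLES = {
    "on-link neighbor, GTSM on": Packet("192.0.2.1", "tcp", 179, 40000, 255, 0),
    "on-link neighbor, GTSM off (TTL 1)": Packet("192.0.2.1", "tcp", 179, 40000, 1, 0),
    "remote, spoofing neighbor": Packet("192.0.2.1", "tcp", 40001, 179, 255, 3),
    "remote, own address": Packet("198.51.100.7", "tcp", 40002, 179, 255, 3),
    "traceroute probe": Packet("198.51.100.7", "udp", 40003, 33434, 4, 3),
}


def run_samples() -> dict:
    return {label: gtsm_verdict(pkt, NEIGHBORS) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:18} {label}")
```

The second sample shows that both ends have to enable GTSM: a neighbor still sending TTL 1 is dropped by the same rule.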