Attacks on BGP Routing Ranges

Saku Ytti saku at ytti.fi
Wed Apr 18 14:54:35 UTC 2018


Hey,


On 18 April 2018 at 14:03, Ryan Hamel <Ryan.Hamel at quadranet.com> wrote:

>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp are sent (policed) to infrastructure addresses
>
> While I can implement an edge filter to drop such traffic, it's impacting our clients' traffic as well.

I don't understand why that would be true, your customers shouldn't be
using links for anything useful.
But again, in your case the attack is coming from far-end, so they
need to do this, to benefit you.

>> b) do not advertise link networks in iBGP

> This has never been an issue.

It is now. If the link is far-end assigned, and if the far-end does not
advertise it, then the attack has to come from the same far-end router as
where you're connected, greatly reducing the attack surface.

>> c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
>
> Could you explain how this can resolve my issue? I am not sure how this would work.

If your link isn't protected, then attacking just your BGP session
allows bringing down the BGP with very modest Mbps, like <5Mbps. If
you do GTSM and drop <255 TTL BGP, then typically the attacker can't bring
down the BGP session, or at the very least they need to congest the whole
linerate.

-- 
  ++ytti
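
An added illustration of point (c), not part of the original message and not any vendor's implementation: a small Python model of the GTSM check, dropping BGP (TCP/179) packets that arrive with a TTL below 255. The function names, the 192.0.2.0/31 link addresses and the sample packets are constructed for this example.

```python
import ipaddress
import struct

BGP_PORT = 179
GTSM_MIN_TTL = 255  # a directly connected peer's packet has crossed no router

def build_packet(src, dst, ttl, sport, dport):
    """Constructed sample input: bare IPv4 + TCP SYN headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

def after_hops(packet, routers):
    """Return the packet as it looks after `routers` routers decremented its TTL."""
    ttl = packet[8] - routers
    return None if ttl <= 0 else packet[:8] + bytes([ttl]) + packet[9:]

def gtsm_verdict(packet, local_addr):
    """Classify one raw IPv4 packet: 'accept', 'drop', or 'not-bgp'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-bgp"
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    to_us = packet[16:20] == ipaddress.IPv4Address(local_addr).packed
    if proto != 6 or not to_us or ihl < 20 or len(packet) < ihl + 4:
        return "not-bgp"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return "not-bgp"
    return "accept" if ttl >= GTSM_MIN_TTL else "drop"

LOCAL, PEER = "192.0.2.1", "192.0.2.0"  # constructed /31 link addresses

def demo():
    peer = build_packet(PEER, LOCAL, 255, 40000, BGP_PORT)
    # A sender three routers away using the peer's source address and the
    # highest TTL it can set: the TTL can only go down in transit.
    spoofed = after_hops(build_packet(PEER, LOCAL, 255, 40001, BGP_PORT), 3)
    other = build_packet(PEER, LOCAL, 64, 40002, 443)
    return [gtsm_verdict(p, LOCAL) for p in (peer, spoofed, other)]

if __name__ == "__main__":
    print(demo())
```

The check only pays off when it runs in the forwarding path or an early filter, so that dropped packets never reach the control-plane queue the BGP session depends on.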

