automatic rtbh trigger using flow data

Michel Py michel.py at tsisemi.com
Thu Aug 30 20:59:18 UTC 2018


> Aaron Gould wrote :
> Thanks, but what if the attacker is many... like thousands ?  ...isn't that typically what we see, is tons and tons of sources (hence distributed....dos) ?

At this very moment I blacklist ~ 56,000 individual /32s and historically it has been up to 135,000 at times. It's not a problem for most routers, unless you're on one of these old clunkers with un-upgradable TCAM and a full feed (if you are, you don't have much time left anyway).

> Ryan Hamel wrote :
> Exactly Aaron. No provider will allow a customer to null route a source IP address.

Yes, unless you have your own router on their side of the link and pay for it, or have your own VRF on their router which is not going to be cheap either.

> I could only assume that a null route on Michel's network is tanking the packets at their edge to 192.0.2.1 (discard/null0).

Correct, and I clearly understand its limitations, paragraph below taken from https://arneill-py.sacramento.ca.us/cbbc/
There indeed is a value in blacklisting the IP address of the host being attacked and feed that with the appropriate community to the upstream that will accept it as it is part of your own space. You sacrifice one host to save the bandwidth to the rest.
That being said, if the DDOS targets your entire IP range, none of these will help.

I have to withstand DDOS attacks all the time, can the CBBC feed help ?
It depends on the type of attack; the CBBC feed is not designed as DDOS mitigation tool. There is no such thing as a free lunch : your ISP will not take the full CBBC feed for free when they can make you pay big bucks for their own one. The CBBC does not prevent the DDOS attack to get to you, it may help with attacks that are based on PPS, not raw bandwidth. What the CBBC does is to block the offending traffic at the router level, so it is blocked before it even reaches your server / firewall. However, the CBBC does not prevent the DDOS traffic from coming to you, so if you have a slow connection to the Internet and the DDOS sends more bandwidth than you have, you still are down. However, if the DDOS is based not on bandwidth but on a higher-level protocol such as DNS or HTTPS, it helps by taking the load off the server.

Michel.

-Aaron

-----Original Message-----
From: Michel Py [mailto:michel.py at tsisemi.com] 
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog at nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to
inject the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to
write your own scripts it does the job.

Michel.

TSI Disclaimer:  This message and any files or text attached to it are
intended only for the recipients named above and contain information that
may be confidential or privileged. If you are not the intended recipient,
you must not forward, copy, use or otherwise disclose this communication or
the information contained herein. In the event you have received this
message in error, please notify the sender immediately by replying to this
message, and then delete all copies of it from your system. Thank you!...



More information about the NANOG mailing list