flowspec @ APF 2013


Transcript

  • 1. Flowspec @ APF. Tom Paseka, courtesy of Terry Rodery, Aug 2013.
  • 2. Background
      • RFC 5575 (2009)
      • Piggybacks on top of existing BGP
      • Supported by Juniper (and Alcatel too, apparently?)
      • Available in JunOS since 7.X
      • ExaBGP support too
  • 3. Operational
      • Configure rules on the route server (config so easy a caveman could do it).
      • Commit config.
      • Rules are pushed via BGP to routers. I typically see the rules appear on my edge routers in a matter of seconds.
      • Flowspec counters are available for viewing from the CLI using "show firewall".
  • 4. Drawbacks
      • Flowspec counters ARE NOT available via SNMP! Surely someone can fix this. You'll need to write the necessary poller, database, graphing, etc. to do this.
      • Not able to use prefix-lists to define source/destination addresses. Must create multiple rules for multiple prefixes.
      • Flowspec is only supported on M, MX and T-Series devices and is not available on EX and SRX.
  • 5. Sample "rule" configs. Discards all traffic to UDP port 80.
        route DISCARD-80-UDP {
            match {
                protocol udp;
                destination-port 80;
            }
            then discard;
        }
  • 6. Sample "rule" configs. Rate-limit TCP SYN to 5Mbps. This will be the easiest rate limiting you've ever done on JunOS. No more manual policer configuration!
        route 108.162.203.11-RL {
            match {
                destination 108.162.203.11/32;
                protocol tcp;
                tcp-flags 2;
            }
            then rate-limit 5m;
        }
  • 7. Sample "rule" configs.
        route 141.101.124.242-DISCARD {
            match destination 141.101.124.242/32;
            then discard;
        }
    We no longer "nullroute" using BGP-triggered blackhole to transit providers, so we don't lose visibility into the attack.
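The poller that slide 4 says you have to write yourself, as an added example that is not part of the deck: it parses the text of `show firewall` into per-rule byte and packet counters and turns two successive polls into bit and packet rates, treating a counter that went backwards (cleared, or a rule re-pushed) as a reset rather than a negative rate. The two sample outputs are constructed, and the filter name `__flowspec_default_inet__` and the "Name / Bytes / Packets" column layout are assumptions about the JunOS output; check the regex against a real router before trusting the graphs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `show firewall` output from a Juniper router with
# flowspec rules installed. The filter name and the column layout are
# assumptions about the CLI output, not copied from the slides.
SAMPLE_POLL_T0 = """\
Filter: __flowspec_default_inet__
Counters:
Name                                             Bytes           Packets
192.0.2.10,*,proto=6,tcp-flag=:2              52428800            819200
*,*,proto=17,dstport=80                          1048576              2048
192.0.2.20,*                                      204800               400
"""

# Same router 60 seconds later (constructed): rule 1 grew by 7.5 MB,
# rule 2 went backwards (counter cleared), rule 3 is unchanged.
SAMPLE_POLL_T1 = """\
Filter: __flowspec_default_inet__
Counters:
Name                                             Bytes           Packets
192.0.2.10,*,proto=6,tcp-flag=:2              59928800            936200
*,*,proto=17,dstport=80                            65536               128
192.0.2.20,*                                      204800               400
"""


@dataclass(frozen=True)
class FlowCounter:
    filter_name: str
    rule: str        # the flowspec match, as JunOS names the counter
    bytes: int
    packets: int


# One counter row: rule name, byte count, packet count, whitespace separated.
# The "Name Bytes Packets" header does not match because its columns are not digits.
_ROW_RE = re.compile(r"^(?P<rule>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)$")


def parse_show_firewall(text: str) -> list[FlowCounter]:
    """Extract per-rule counters from `show firewall` text output."""
    counters: list[FlowCounter] = []
    current_filter: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current_filter = line.split(":", 1)[1].strip()
            continue
        m = _ROW_RE.match(line)
        if m and current_filter is not None:
            counters.append(FlowCounter(current_filter, m["rule"],
                                        int(m["bytes"]), int(m["packets"])))
    return counters


def rates(prev: list[FlowCounter], curr: list[FlowCounter],
          interval_s: float) -> dict[str, tuple[float, float]]:
    """Per-rule (bits/s, packets/s) between two polls.

    A counter that went backwards is treated as a reset: the current value is
    taken as the delta, since traffic before the reset cannot be recovered.
    Rules present in only one of the two polls are skipped.
    """
    before = {c.rule: c for c in prev}
    out: dict[str, tuple[float, float]] = {}
    for c in curr:
        p = before.get(c.rule)
        if p is None:
            continue
        d_bytes = c.bytes - p.bytes if c.bytes >= p.bytes else c.bytes
        d_pkts = c.packets - p.packets if c.packets >= p.packets else c.packets
        out[c.rule] = (d_bytes * 8 / interval_s, d_pkts / interval_s)
    return out


if __name__ == "__main__":
    t0 = parse_show_firewall(SAMPLE_POLL_T0)
    t1 = parse_show_firewall(SAMPLE_POLL_T1)
    for rule, (bps, pps) in rates(t0, t1, 60).items():
        print(f"{rule:40s} {bps / 1e6:8.3f} Mbit/s {pps:10.1f} pps")
```

In a real poller the two strings come from running `show firewall` over SSH or NETCONF on a fixed interval; the rule name is the natural key for the time-series database, and the reset handling matters because clearing counters during an attack is common.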
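Slides 5 to 7 show the rule syntax and slide 4 notes that prefix-lists cannot be used, so one logical rule becomes one route per prefix. The generator below is an added example, not code from the deck or from Juniper: it renders `route` stanzas in the same syntax as the slides and expands a list of destination prefixes into one route each. The prefixes in the usage block are constructed; the rule naming scheme (network address, prefix length, suffix) is an assumption, chosen to mirror the `108.162.203.11-RL` style on slide 6.

```python
from __future__ import annotations

import ipaddress


def flowspec_route(name: str, *, destination: str | None = None,
                   source: str | None = None, protocol: str | None = None,
                   destination_port: int | None = None,
                   tcp_flags: int | None = None, action: str = "discard") -> str:
    """Render one flowspec `route` stanza in the syntax shown on the slides.

    `action` is the text after `then`, e.g. "discard" or "rate-limit 5m".
    """
    match: list[str] = []
    if destination is not None:
        match.append(f"destination {destination};")
    if source is not None:
        match.append(f"source {source};")
    if protocol is not None:
        match.append(f"protocol {protocol};")
    if destination_port is not None:
        match.append(f"destination-port {destination_port};")
    if tcp_flags is not None:
        match.append(f"tcp-flags {tcp_flags};")   # 2 == SYN bit only, as on slide 6
    if not match:
        raise ValueError("a flowspec route needs at least one match term")
    body = "\n".join(f"        {term}" for term in match)
    return f"route {name} {{\n    match {{\n{body}\n    }}\n    then {action};\n}}"


def per_prefix_rules(prefixes, suffix: str, **match_terms) -> list[str]:
    """Expand one logical rule into one flowspec route per destination prefix.

    Flowspec cannot reference a prefix-list (slide 4), so a list of victim
    prefixes becomes a list of routes. ip_network() rejects malformed input
    before it can reach the router config.
    """
    routes: list[str] = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        name = f"{net.network_address}-{net.prefixlen}-{suffix}"   # assumed naming scheme
        routes.append(flowspec_route(name, destination=str(net), **match_terms))
    return routes


if __name__ == "__main__":
    # Slide 5 rule: drop all UDP to port 80.
    print(flowspec_route("DISCARD-80-UDP", protocol="udp", destination_port=80))
    # Slide 6 rule applied to several prefixes at once (constructed addresses).
    for route in per_prefix_rules(["198.51.100.0/24", "203.0.113.7/32"], "RL",
                                  protocol="tcp", tcp_flags=2, action="rate-limit 5m"):
        print(route)
```

The rendered stanzas are pasted into the route server configuration and committed; per slide 3 they then reach the edge routers over BGP within seconds. Generating them from a list also makes the later cleanup easy, since each route name encodes the prefix it covers.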
  • 8. 8 Time for the cool stuff! (Graphs)
  • 9. 9 Short-lived SYN flood
  • 10. 10 Big attack
  • 11. 11 Decaying long lived attack
  • 12. 12 1Gbps attack
  • 13. Questions?
  • 14. Thank You
  • 15. 15 Bad Players
        range 198.32.176.0/24 - PAIX
        198.32.176.0/24 141.101.86.1 100 0 13335 1299 701 i
        198.32.176.0/24 141.101.90.1 100 0 13335 1299 701 i
        .......snip
        range 202.40.160.0/23 - HKIX
        202.40.160.0/23 199.27.132.1 100 0 13335 4436 4134 4809 45474 i
        202.40.160.0/23 108.162.235.1 100 0 13335 4436 4134 4809 45474 i
        .......snip
        range 206.223.123.0/24 - Equinix LA
        206.223.123.0/24 103.22.203.1 100 0 13335 4637 6461 i
        .......snip
        range 218.100.59.0/24 - ACT-IX
        218.100.59.0/24 108.162.247.1 100 0 13335 10026 45482 i
        range 91.212.235.0/24 - Balkan IX
        91.212.235.0/24 141.101.69.1 100 0 13335 12615 47872 49401 49401 i
        range 198.32.177.0/24 - PAIX
        198.32.177.0/24 141.101.67.1 100 0 13335 4436 2914 i
        .......snip
        range 206.223.123.0/24 - Equinix LA
        206.223.123.0/24 103.22.203.1 100 0 13335 4637 6461 i
        206.223.123.0/24 141.101.65.1 100 0 13335 4436 6461 i
        .......snip
        range 218.100.59.0/24 - ACT-IX
        218.100.59.0/24 108.162.247.1 100 0 13335 10026 45482 i
        range 91.212.235.0/24 - Balkan IX
        91.212.235.0/24 141.101.69.1 100 0 13335 12615 49401 49401 49401 i
        range 198.32.177.0/24 - PAIX
        198.32.177.0/24 141.101.67.1 100 0 13335 4436 2914 i
        198.32.177.0/24 141.101.72.1 100 0 13335 4436 2914 i
        .......snip
        range 198.32.132.0/24 - TELX
        198.32.132.0/24 141.101.76.1 100 0 13335 4637 6461 22969 i
        198.32.132.0/24 103.22.203.1 100 0 13335 4637 6461 22969 i
        198.32.132.0/24 141.101.71.1 100 0 13335 1299 6461 22969 i
        198.32.132.0/24 141.101.86.1 100 0 13335 1299 6461 22969 i
        .......snip