SlideShare a Scribd company logo

Fight DDoS Attacks with Community Tools from Team Cymru

Fakrul Alam
Fakrul Alam

Fighting against DDoS specially with volumetric attack is always challenging for an ISP or transit provider. There isn't any single solution which help us to filter out bad traffic; it's require collaboration with upstream and related organization. Beside this fining out the target is also time consuming; where most the the provider struggles. In this presentation I talk about my experience implementing few community based effort which help me to better fight against volumetric DDoS attack.

1 of 28
Download to read offline
Community tools to fight against DDoS Fakrul Alam bdHUB Limited fakrul@bdhub.com
bdNOG3 Conference | 18th May 2015 | Dhaka
DDoS •  Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending overwhelming number of service requests to the server from many sources. •  Server resources are used up in serving the fake requests resulting in denial or degradation of legitimate service requests to be served bdNOG3 Conference | 18th May 2015 | Dhaka
Addressing DDoS attacks •  Detection –  Detect incoming fake requests •  Mitigation –  Diversion : Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets –  Return : Send back the clean traffic to the server bdNOG3 Conference | 18th May 2015 | Dhaka
3 Community tools from Team Cymru •  Bogon Filter –  https://www.team-cymru.org/bogon-reference.html •  Flow Sonar –  https://www.team-cymru.org/Flow-Sonar.html •  UTRS (Unwanted Traffic Removal Service) –  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
1. Bogon Filter
Bogon Filter •  A bogon prefix is a route that should never appear in the Internet routing table –  Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a RIR by the IANA •  These are commonly found as the source addresses of DDoS attacks •  Study shows 60% of the naughty packets were obvious bogons •  Bogon and fullbogon lists are NOT static lists bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Configuration IPv4 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
Bogon Filter : Configuration IPv6 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
Bogon Filter : Output bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Status •  The IPv4 traditional bogons list is currently 13 prefixes. •  fullbogons list is approximately 3,618 prefixes. •  The IPv6 fullbogons list is approximately 58,401 prefixes. –  [date : 18th May 2015] bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Peering •  Contact bogonrs@cymru.com 1.  Which bogon types you wish to receive (traditional IPv4 bogons, IPv4 fullbogons, and/or IPv6 fullbogons) 2.  Your AS number 3.  The IP address(es) you want us to peer with 4.  Does your equipment support MD5 passwords for BGP sessions? 5.  Optional: your GPG/PGP public key •  https://www.team-cymru.org/bogon-reference- bgp.html bdNOG3 Conference | 18th May 2015 | Dhaka
2. Flow Sonar
Flow Sonar •  The Team Cymru Flow Sonar system is a powerful tool for network managers to visually identify and understand what is happening on their network at any given time •  Leveraging the free and open-source framework provided by Peter Haag of SWITCH •  Special plugins "dosrannu" developed by Team Cymru to track malicious activity on your network •  Unique dosrannu feeds alerted to DDoS attacks, compromised machines, and the presence of connections to C&C hosts bdNOG3 Conference | 18th May 2015 | Dhaka
Flow Sonar It’s  nfsens/nfdump!!!   bdNOG3 Conference | 18th May 2015 | Dhaka
Flow Sonar : Get It •  Contact outreach@cymru.com 1.  Team Cymru will send hardware •  1 Server •  1 Router •  https://www.team-cymru.org/Flow-Sonar.html bdNOG3 Conference | 18th May 2015 | Dhaka
3. UTRS (Unwanted Traffic Removal Service)
RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 IP : 1.2.3.4/32 -> discard IP : 1.2.3.4/32 -> discard bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH Upstream •  Check whether your upsteam provider support RTBH •  Configure & Test RTBH before incident •  Only announce IPv4 /32's from address space you originate or your customer bdNOG3 Conference | 18th May 2015 | Dhaka
UTRS •  It’s based on the basic principle of DDoS filtering; Remotely Triggered Black Hole Filtering •  UTRS is a system that helps mitigate large infrastructure attacks by leveraging an existing network of cooperating BGP speakers such as ISPs, hosting providers and educational institutions that automatically distributes verified BGP-based filter rules from victim to cooperating networks bdNOG3 Conference | 18th May 2015 | Dhaka
UTRS : Configuration bdNOG3 Conference | 18th May 2015 | Dhaka Make sure you tag the route properly
UTRS : Apply •  Newly launched service –  Quite picky to choose whom to peer –  Do organization verification •  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
How UTRS varies from RTBH with upstream!
Other Efforts •  NANOG BCOP : DDoS-DoS-attack-BCOP –  http://bcop.nanog.org/index.php/DDoS-DoS-attack-BCOP bdNOG3 Conference | 18th May 2015 | Dhaka
Thank You

Recommended

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...apidays
 
bdNOG Report
bdNOG ReportbdNOG Report
bdNOG ReportBangladesh Network Operators Group
 
Apnic update
Apnic updateApnic update
Apnic updateBangladesh Network Operators Group
 
Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment Bangladesh Network Operators Group
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...Worteks
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 

Recommended

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...apidays
 
bdNOG Report
bdNOG ReportbdNOG Report
bdNOG ReportBangladesh Network Operators Group
 
Apnic update
Apnic updateApnic update
Apnic updateBangladesh Network Operators Group
 
Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment Bangladesh Network Operators Group
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...Worteks
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Large BGP Communities
Large BGP CommunitiesLarge BGP Communities
Large BGP CommunitiesAPNIC
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainSanjeev Mishra
 
Fortinet FortiGate 100D
Fortinet FortiGate 100DFortinet FortiGate 100D
Fortinet FortiGate 100DHoai Duyen
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC UpdatesMyNOG
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
MobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNsMobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNsUS-Ignite
 
MongoDB 2.8 bug hunt
MongoDB 2.8 bug huntMongoDB 2.8 bug hunt
MongoDB 2.8 bug huntQuentin Conner
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Bangladesh Network Operators Group
 
Routing security - Budapest 2011
Routing security - Budapest 2011Routing security - Budapest 2011
Routing security - Budapest 2011Wardner Maia
 
What is a blockchain
What is a blockchainWhat is a blockchain
What is a blockchainLen Bass
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC UpdateAPNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusFakrul Alam
 
Bangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT UpdateBangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT UpdateFakrul Alam
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
DNSSec
DNSSecDNSSec
DNSSecJulien Pivotto
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Fakrul Alam
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNSMen and Mice
 
Linux14 Dynamic DNS
Linux14 Dynamic DNSLinux14 Dynamic DNS
Linux14 Dynamic DNSJainul Musani
 

More Related Content

What's hot

Large BGP Communities
Large BGP CommunitiesLarge BGP Communities
Large BGP CommunitiesAPNIC
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainSanjeev Mishra
 
Fortinet FortiGate 100D
Fortinet FortiGate 100DFortinet FortiGate 100D
Fortinet FortiGate 100DHoai Duyen
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC UpdatesMyNOG
 
MobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNsMobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNsUS-Ignite
 
Routing security - Budapest 2011
Routing security - Budapest 2011Routing security - Budapest 2011
Routing security - Budapest 2011Wardner Maia
 
What is a blockchain
What is a blockchainWhat is a blockchain
What is a blockchainLen Bass
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC UpdateAPNIC
 

What's hot (13)

Large BGP Communities
Large BGP CommunitiesLarge BGP Communities
Large BGP Communities
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to Blockchain
 
Fortinet FortiGate 100D
Fortinet FortiGate 100DFortinet FortiGate 100D
Fortinet FortiGate 100D
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust Anchor
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
MobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNsMobilityFirst FIA in OpenFlow SDNs
MobilityFirst FIA in OpenFlow SDNs
 
MongoDB 2.8 bug hunt
MongoDB 2.8 bug huntMongoDB 2.8 bug hunt
MongoDB 2.8 bug hunt
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Routing security - Budapest 2011
Routing security - Budapest 2011Routing security - Budapest 2011
Routing security - Budapest 2011
 
What is a blockchain
What is a blockchainWhat is a blockchain
What is a blockchain
 
Securing BGP
Securing BGPSecuring BGP
Securing BGP
 
LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC Update
 

Viewers also liked

A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusFakrul Alam
 
Bangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT UpdateBangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT UpdateFakrul Alam
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Fakrul Alam
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNSMen and Mice
 
Linux15 dynamic dns-2
Linux15 dynamic dns-2Linux15 dynamic dns-2
Linux15 dynamic dns-2Jainul Musani
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collectionFakrul Alam
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationFakrul Alam
 

Viewers also liked (15)

A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI status
 
Bangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT UpdateBangladesh Cyber Incident Trends 2013 & bdCERT Update
Bangladesh Cyber Incident Trends 2013 & bdCERT Update
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
DNSSec
DNSSecDNSSec
DNSSec
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
Linux14 Dynamic DNS
Linux14 Dynamic DNSLinux14 Dynamic DNS
Linux14 Dynamic DNS
 
Linux15 dynamic dns-2
Linux15 dynamic dns-2Linux15 dynamic dns-2
Linux15 dynamic dns-2
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collection
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection Mitigation
 

Similar to Fight DDoS Attacks with Community Tools from Team Cymru

LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
Detecting BGP Instability Using RQA
Detecting BGP Instability Using RQADetecting BGP Instability Using RQA
Detecting BGP Instability Using RQAUniversity of Kufa
 
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyConnecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyKittinan Sriprasert
 
presentation_6352_1548734037.pdf
presentation_6352_1548734037.pdfpresentation_6352_1548734037.pdf
presentation_6352_1548734037.pdfDaudSulaeman2
 
Routing Security, Another Elephant in the Room
Routing Security, Another Elephant in the RoomRouting Security, Another Elephant in the Room
Routing Security, Another Elephant in the RoomRIPE NCC
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceAPNIC
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)Rofiq Fauzi
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
 
Myanmar Member Gathering
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member GatheringAPNIC
 
RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC
 

Similar to Fight DDoS Attacks with Community Tools from Team Cymru (20)

MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
BGP
BGPBGP
BGP
 
Detecting BGP Instability Using RQA
Detecting BGP Instability Using RQADetecting BGP Instability Using RQA
Detecting BGP Instability Using RQA
 
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyConnecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of BangladeshION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
 
Secure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of Bangladesh
 
presentation_6352_1548734037.pdf
presentation_6352_1548734037.pdfpresentation_6352_1548734037.pdf
presentation_6352_1548734037.pdf
 
Routing Security, Another Elephant in the Room
Routing Security, Another Elephant in the RoomRouting Security, Another Elephant in the Room
Routing Security, Another Elephant in the Room
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
 
CATNIX: Desafíos y experiencia
CATNIX: Desafíos y experienciaCATNIX: Desafíos y experiencia
CATNIX: Desafíos y experiencia
 
Kinber ipv6-education-healthcare
Kinber ipv6-education-healthcareKinber ipv6-education-healthcare
Kinber ipv6-education-healthcare
 
Myanmar Member Gathering
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member Gathering
 
RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)
 

More from Fakrul Alam

bdNOG Update in APRICOT 2015
bdNOG Update in APRICOT 2015bdNOG Update in APRICOT 2015
bdNOG Update in APRICOT 2015Fakrul Alam
 
Bangladesh Cyber Security Status in Global Perspective
Bangladesh Cyber Security Status in Global PerspectiveBangladesh Cyber Security Status in Global Perspective
Bangladesh Cyber Security Status in Global PerspectiveFakrul Alam
 
Bangladesh Cyber Incident Trends 2012 & bdCERT Update
Bangladesh Cyber Incident Trends 2012 & bdCERT UpdateBangladesh Cyber Incident Trends 2012 & bdCERT Update
Bangladesh Cyber Incident Trends 2012 & bdCERT UpdateFakrul Alam
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
bdNOG Update (APRICOT 2014)
bdNOG Update (APRICOT 2014)bdNOG Update (APRICOT 2014)
bdNOG Update (APRICOT 2014)Fakrul Alam
 
IPv6 deployment status in Bangladesh
IPv6 deployment status in BangladeshIPv6 deployment status in Bangladesh
IPv6 deployment status in BangladeshFakrul Alam
 

More from Fakrul Alam (6)

bdNOG Update in APRICOT 2015
bdNOG Update in APRICOT 2015bdNOG Update in APRICOT 2015
bdNOG Update in APRICOT 2015
 
Bangladesh Cyber Security Status in Global Perspective
Bangladesh Cyber Security Status in Global PerspectiveBangladesh Cyber Security Status in Global Perspective
Bangladesh Cyber Security Status in Global Perspective
 
Bangladesh Cyber Incident Trends 2012 & bdCERT Update
Bangladesh Cyber Incident Trends 2012 & bdCERT UpdateBangladesh Cyber Incident Trends 2012 & bdCERT Update
Bangladesh Cyber Incident Trends 2012 & bdCERT Update
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
bdNOG Update (APRICOT 2014)
bdNOG Update (APRICOT 2014)bdNOG Update (APRICOT 2014)
bdNOG Update (APRICOT 2014)
 
IPv6 deployment status in Bangladesh
IPv6 deployment status in BangladeshIPv6 deployment status in Bangladesh
IPv6 deployment status in Bangladesh
 

Fight DDoS Attacks with Community Tools from Team Cymru

  • 1. Community tools to fight against DDoS Fakrul Alam bdHUB Limited fakrul@bdhub.com
  • 2. bdNOG3 Conference | 18th May 2015 | Dhaka
  • 3. DDoS •  Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending overwhelming number of service requests to the server from many sources. •  Server resources are used up in serving the fake requests resulting in denial or degradation of legitimate service requests to be served bdNOG3 Conference | 18th May 2015 | Dhaka
  • 4. Addressing DDoS attacks •  Detection –  Detect incoming fake requests •  Mitigation –  Diversion : Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets –  Return : Send back the clean traffic to the server bdNOG3 Conference | 18th May 2015 | Dhaka
  • 5. 3 Community tools from Team Cymru •  Bogon Filter –  https://www.team-cymru.org/bogon-reference.html •  Flow Sonar –  https://www.team-cymru.org/Flow-Sonar.html •  UTRS (Unwanted Traffic Removal Service) –  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 7. Bogon Filter •  A bogon prefix is a route that should never appear in the Internet routing table –  Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a RIR by the IANA •  These are commonly found as the source addresses of DDoS attacks •  Study shows 60% of the naughty packets were obvious bogons •  Bogon and fullbogon lists are NOT static lists bdNOG3 Conference | 18th May 2015 | Dhaka
  • 8. Bogon Filter : Configuration IPv4 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
  • 9. Bogon Filter : Configuration IPv6 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
  • 10. Bogon Filter : Output bdNOG3 Conference | 18th May 2015 | Dhaka
  • 11. Bogon Filter : Status •  The IPv4 traditional bogons list is currently 13 prefixes. •  fullbogons list is approximately 3,618 prefixes. •  The IPv6 fullbogons list is approximately 58,401 prefixes. –  [date : 18th May 2015] bdNOG3 Conference | 18th May 2015 | Dhaka
  • 12. Bogon Filter : Peering •  Contact bogonrs@cymru.com 1.  Which bogon types you wish to receive (traditional IPv4 bogons, IPv4 fullbogons, and/or IPv6 fullbogons) 2.  Your AS number 3.  The IP address(es) you want us to peer with 4.  Does your equipment support MD5 passwords for BGP sessions? 5.  Optional: your GPG/PGP public key •  https://www.team-cymru.org/bogon-reference- bgp.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 14. Flow Sonar •  The Team Cymru Flow Sonar system is a powerful tool for network managers to visually identify and understand what is happening on their network at any given time •  Leveraging the free and open-source framework provided by Peter Haag of SWITCH •  Special plugins "dosrannu" developed by Team Cymru to track malicious activity on your network •  Unique dosrannu feeds alerted to DDoS attacks, compromised machines, and the presence of connections to C&C hosts bdNOG3 Conference | 18th May 2015 | Dhaka
  • 15. Flow Sonar It’s  nfsens/nfdump!!!   bdNOG3 Conference | 18th May 2015 | Dhaka
  • 16. Flow Sonar : Get It •  Contact outreach@cymru.com 1.  Team Cymru will send hardware •  1 Server •  1 Router •  https://www.team-cymru.org/Flow-Sonar.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 17. 3. UTRS (Unwanted Traffic Removal Service)
  • 18. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet bdNOG3 Conference | 18th May 2015 | Dhaka
  • 19. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic bdNOG3 Conference | 18th May 2015 | Dhaka
  • 20. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 bdNOG3 Conference | 18th May 2015 | Dhaka
  • 21. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 IP : 1.2.3.4/32 -> discard IP : 1.2.3.4/32 -> discard bdNOG3 Conference | 18th May 2015 | Dhaka
  • 22. RTBH Upstream •  Check whether your upsteam provider support RTBH •  Configure & Test RTBH before incident •  Only announce IPv4 /32's from address space you originate or your customer bdNOG3 Conference | 18th May 2015 | Dhaka
  • 23. UTRS •  It’s based on the basic principle of DDoS filtering; Remotely Triggered Black Hole Filtering •  UTRS is a system that helps mitigate large infrastructure attacks by leveraging an existing network of cooperating BGP speakers such as ISPs, hosting providers and educational institutions that automatically distributes verified BGP-based filter rules from victim to cooperating networks bdNOG3 Conference | 18th May 2015 | Dhaka
  • 24. UTRS : Configuration bdNOG3 Conference | 18th May 2015 | Dhaka Make sure you tag the route properly
  • 25. UTRS : Apply •  Newly launched service –  Quite picky to choose whom to peer –  Do organization verification •  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 26. How UTRS varies from RTBH with upstream!
  • 27. Other Efforts •  NANOG BCOP : DDoS-DoS-attack-BCOP –  http://bcop.nanog.org/index.php/DDoS-DoS-attack-BCOP bdNOG3 Conference | 18th May 2015 | Dhaka