This document discusses the use of BGP communities and route servers at CATNIX to facilitate interconnection and mitigate DDoS attacks. It provides a history of BGP and RFCs related to communities. CATNIX uses well-known and custom communities on its route servers to control route propagation and implement a blackholing service. The blackholing service allows members to redirect traffic for attacked prefixes to a blackhole server where it is dropped, providing DDoS mitigation. An example is given of how a member would configure route announcements to make use of the blackholing service during an attack.
3. History and RFCs (II)
Timeline of the RFCs on the slide (year of publication):
2006: BGPv4 CIDR (RFC 4271)
2006: Extended Communities (RFC 4360)
2007: BGP Support for Four-octet AS Number Space (RFC 4893)
2009: 4-Octet AS Specific BGP Extended Community (RFC 5668)
2014: IANA Registries for Extended Communities (RFC 4360)
2016: Blackhole community (RFC 7999)
2017: BGP large communities (RFC 8092)
2017: Use of BGP large communities (RFC 8195)
2018: Graceful BGP Session Shutdown (RFC 8326)
2021: Extended Optional Parameters for BGP Open Message (RFC 9072)
5. Communities – Well-known and Not-so-well-known
Created to facilitate and simplify the control of routing information.
A community “classifies” routes.
Each AS can define to which communities a network belongs.
A router (BGP speaker) can modify the communities according to its own
policy.
Using them to indicate local-preferences is quite common.
Communities for some companies at https://onestep.net/communities/
6. Communities at CATNIX
ACTION                  | BGP Standard Community (RFC 1997) | BGP Extended Community (RFC 4360) | BGP Large Community (RFC 8092)
No export               | 65535:65281                       | rt:65281:peer_as                  | 65535:65281:peer_as
No advertise            | 65535:65282                       | rt:65282:peer_as                  | 65535:65282:peer_as
No advertise to anybody | 0:60082                           | rt:0:60082                        | 60082:0:0
No advertise to a peer  | 0:peer_as                         | rt:0:peer_as                      | 60082:0:peer_as
Advertise to a peer     | 60082:client_asn                  | rt:60082:client_asn               | 60082:1:client_asn
Prepend to a peer       | 65511:peer_as                     | rt:65511:peer_as                  | 60082:101:peer_as
2 prepends to a peer    | 65512:peer_as                     | rt:65512:peer_as                  | 60082:102:peer_as
3 prepends to a peer    | 65513:peer_as                     | rt:65513:peer_as                  | 60082:103:peer_as
Prepend to all          | 65501:60082                       | rt:65501:60082                    | 60082:101:0
2 prepends to all       | 65502:60082                       | rt:65502:60082                    | 60082:102:0
3 prepends to all       | 65503:60082                       | rt:65503:60082                    | 60082:103:0
Blackhole               | 65535:666                         | rt:65535:666                      | 60082:666:0
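As an added example (my own illustration, not CATNIX's route-server configuration), the following Python evaluates the table above for one route and one candidate export peer. It normalises the three encodings (standard, extended rt:, large) to integer tuples and returns whether the route server should export, how many prepends to add and whether the blackhole tag is present. The textual community forms, the rule that "advertise to a peer" overrides "no advertise to anybody" for that peer, and "largest prepend count wins" are my assumptions, not statements from the deck.

```python
"""Added example (author's illustration, not CATNIX's route-server code):
evaluate the CATNIX action-community table for one route and one peer.

Assumptions not stated in the deck: community strings use the textual
forms from the table ("65535:666", "rt:65535:666", "60082:666:0");
"advertise to a peer" overrides "no advertise to anybody" for that peer;
when several prepend communities apply, the largest count wins.
"""
from __future__ import annotations

from dataclasses import dataclass

RS_ASN = 60082        # CATNIX route-server ASN (from the table)
NO_EXPORT = 65281     # low 16 bits of the RFC 1997 NO_EXPORT value
NO_ADVERTISE = 65282  # low 16 bits of the RFC 1997 NO_ADVERTISE value
BLACKHOLE = 666       # low 16 bits of the RFC 7999 BLACKHOLE value


def parse_community(text: str) -> tuple[int, ...]:
    """Normalise the three encodings to an integer tuple.

    "65535:666"    -> (65535, 666)      standard (RFC 1997)
    "rt:65535:666" -> (65535, 666)      extended route-target (RFC 4360)
    "60082:666:0"  -> (60082, 666, 0)   large (RFC 8092)
    """
    body = text[3:] if text.startswith("rt:") else text
    parts = tuple(int(p) for p in body.split(":"))
    if len(parts) not in (2, 3) or any(p < 0 or p > 0xFFFFFFFF for p in parts):
        raise ValueError(f"unrecognised community: {text!r}")
    return parts


@dataclass
class Decision:
    export: bool             # should the RS announce this route to peer_as?
    prepends: int = 0        # how many times to prepend the origin AS
    blackhole: bool = False  # route carries the blackhole community


def rs_decision(communities: list[str], peer_as: int) -> Decision:
    """Apply the table to `communities` for the export toward `peer_as`."""
    tags = {parse_community(c) for c in communities}

    def has(*forms: tuple[int, ...]) -> bool:
        return any(f in tags for f in forms)

    blackhole = has((65535, BLACKHOLE), (RS_ASN, BLACKHOLE, 0))

    # Rows "No export" / "No advertise": the standard form names no peer,
    # the extended and large forms name the peer they apply to.
    suppressed = (
        has((65535, NO_EXPORT), (NO_EXPORT, peer_as), (65535, NO_EXPORT, peer_as))
        or has((65535, NO_ADVERTISE), (NO_ADVERTISE, peer_as), (65535, NO_ADVERTISE, peer_as))
    )
    # Rows "No advertise to anybody / to a peer" and "Advertise to a peer".
    blocked_all = has((0, RS_ASN), (RS_ASN, 0, 0))
    blocked_peer = has((0, peer_as), (RS_ASN, 0, peer_as))
    allowed_peer = has((RS_ASN, peer_as), (RS_ASN, 1, peer_as))
    if suppressed or blocked_peer or (blocked_all and not allowed_peer):
        return Decision(export=False, blackhole=blackhole)

    # Rows "N prepends to a peer" (6551N:peer_as, 60082:10N:peer_as) and
    # "N prepends to all" (6550N:60082, 60082:10N:0).
    prepends = 0
    for n in (1, 2, 3):
        if has((65510 + n, peer_as), (RS_ASN, 100 + n, peer_as),
               (65500 + n, RS_ASN), (RS_ASN, 100 + n, 0)):
            prepends = max(prepends, n)
    return Decision(export=True, prepends=prepends, blackhole=blackhole)


if __name__ == "__main__":
    # Constructed sample: blackhole tag, export only to AS64497, 2 prepends toward it
    tagged = ["65535:666", "0:60082", "60082:64497", "65512:64497"]
    print(rs_decision(tagged, 64497))   # exported with 2 prepends, blackhole=True
    print(rs_decision(tagged, 64498))   # not exported
```

Run it directly to see both decisions for the constructed sample; the same function can be called per peer in a loop to build the full export view of one announcement.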
7. Route-Servers at CATNIX (I)
They help simplify the interconnection: n(n-1)/2 bilateral peerings without an RS vs
n sessions with an RS.
Route-servers tell the other ASs where your routes are, but your traffic
does not traverse them (they are in the control plane, not the data plane).
[Figure: three route-servers RS1, RS2 and RS3 (all AS60082). AS64496: "I announce 192.0.2.0/24 to the RS". AS64497: "I peer with the RS, I receive that the next-hop for 192.0.2.0/24 is the router in AS64496". BGP sessions go to the route-servers; data flows directly between the members.]
8. Route-Servers at CATNIX (II)
The communities are optional attributes to tag the routes, that you can
include in your announcements to make the route-servers take an action
(add prepends, filter announcements, etc).
All the route-servers apply RPKI filtering (they filter according to the data
in the IRR and the RPKI ROAs).
Our RSs are MANRS-compliant.
9. Route-servers at CATNIX (III)
06-04-2018: First route-server:
• AS60082
• 193.242.98.98/24
• 2001:7f8:2a:0:1:1:6:0082/48
21-06-2019: Second route server at bitNAP:
• AS60082
• 193.242.98.103/24
• 2001:7F8:2A:0:3:2:6:82/48
10-10-2019: blackholing service operational
25-06-2020: Third route-server at Equinix:
• AS60082
• 193.242.98.100/24
• 2001:7f8:2a:0:2:1:6:82/48
All the route servers have the blackholing service activated.
10. Blackholing in CATNIX
CATNIX #39 Nov’18:
To adopt RFC 7999 to implement blackholing with
communities in order to signal and stop possible DDoS
attacks traversing the IX.
BLACKHOLE = 0xFFFF029A
To configure the RFC 7999 recommended communities in
the route-servers.
The low-order two octets in decimal are 666, a value commonly
associated with BGP blackholing among network operators.
CATNIX members can use this well-known community to stop possible
DDoS attacks traversing the IX.
11. Blackholing Service
The blackhole server is at Campus Nord:
• 193.242.98.101/24 in IPv4
• 2001:7F8:002A:0:1:1:6:5666/48 in IPv6
If you need the route servers to send the traffic of one of your prefixes to
blackhole (close to /32 in IPv4 and /128 in IPv6), label it with:
• The community 65535:666 (0xFFFF029A) or
• The extended community rt:65535:666 or
• The large community 60082:666:0
in the announcements to the route-servers.
• Any traffic you send to the blackhole server will be dropped by the switch at the
L2 level.
12. Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to your IP address 192.0.2.1.
How does it work?
[Figure: route-servers RS1, RS2 and RS3 (AS60082), the blackhole server 193.242.98.101, two attackers, and the victim 192.0.2.1 in AS64496.]
13-14. Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to your IP address 192.0.2.1.
How does it work?
[Figure: same diagram. AS64496: "I announce 192.0.2.0/24 to the RS".]
15-17. Let’s imagine you are AS64496, peering at CATNIX, and you receive an
attack to your IP address 192.0.2.1.
Ask the RSs to send the traffic to the blackhole using the 65535:666
community and the switches will filter the traffic with this server as destination.
How does it work?
[Figure: same diagram. AS64496: "I announce 192.0.2.0/24 to the RS and 192.0.2.1/32 with the blackholing community". The attack traffic toward 192.0.2.1 is marked with an x: it is dropped at the blackhole.]
18. Example
Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to your IP address 192.0.2.1. You can ask any of the route-
servers (193.242.98.98, 193.242.98.100, 193.242.98.103) to send the
traffic to the blackhole server and the switches will filter the traffic with
this server as destination.
! Tag the host route of the attacked address with the CATNIX blackhole community
route-map blackhole permit 10
 set community 65535:666
!
router bgp 64496
 ! the /24 you normally announce, plus the /32 under attack (the /32 must
 ! exist in the routing table for the network statement to originate it)
 network 192.0.2.0 mask 255.255.255.0
 network 192.0.2.1 mask 255.255.255.255 route-map blackhole
 ! the peer-group has to be defined before a neighbor can be assigned to it
 neighbor CATNIX-RS-IP4 peer-group
 neighbor 193.242.98.98 remote-as 60082
 neighbor 193.242.98.98 peer-group CATNIX-RS-IP4
 neighbor 193.242.98.98 description EXAMPLE
 address-family ipv4
  neighbor 193.242.98.98 activate
  ! without send-community the 65535:666 tag is not sent to the route-server
  neighbor 193.242.98.98 send-community
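The member side is the config above; what follows is an added example of the route-server side (my own illustration, not CATNIX's policy) for the blackholing service described on slides 11 and 18. It checks a member's announcement before re-exporting it with the blackhole server as next-hop: the route must carry the blackhole community (65535:666, decoded from the RFC 7999 value 0xFFFF029A, or the large form 60082:666:0), be a host route, and fall inside a prefix the RS already accepts from that member. The `accepted_prefixes` input (assumed to come from the RS's IRR/RPKI filtering), the host-route-only rule and the tuple form of the communities are my assumptions.

```python
"""Added example (author's illustration, not CATNIX's route-server policy):
validate a member's blackhole announcement before re-exporting it with
the blackhole server as next-hop.

Assumptions not stated in the deck: `accepted_prefixes` is the list of
prefixes the RS already accepts from this member after IRR/RPKI
filtering; a blackhole announcement must be a host route (/32 or /128)
inside one of those prefixes; communities arrive as integer tuples,
e.g. (65535, 666) for 65535:666 and (60082, 666, 0) for 60082:666:0.
"""
from __future__ import annotations

import ipaddress

# Blackhole server addresses from slide 11, keyed by IP version
BLACKHOLE_NEXT_HOP = {4: "193.242.98.101", 6: "2001:7F8:002A:0:1:1:6:5666"}
RFC7999_BLACKHOLE = 0xFFFF029A   # BLACKHOLE well-known community (slide 10)
RS_ASN = 60082


def decode_standard_community(value: int) -> tuple[int, int]:
    """Split an RFC 1997 32-bit value into (AS, value): 0xFFFF029A -> (65535, 666)."""
    return value >> 16, value & 0xFFFF


def is_blackhole(communities) -> bool:
    """True if the route carries 65535:666 (standard/extended) or 60082:666:0 (large)."""
    wanted = {decode_standard_community(RFC7999_BLACKHOLE), (RS_ASN, 666, 0)}
    return any(tuple(c) in wanted for c in communities)


def check_blackhole(prefix: str, communities, accepted_prefixes) -> tuple[str, dict | None]:
    """Return (verdict, route): the route the RS would re-export, or None."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not is_blackhole(communities):
        return "not a blackhole request", None
    if net.prefixlen != net.max_prefixlen:          # 32 for IPv4, 128 for IPv6
        return "rejected: only host routes (/32, /128) may be blackholed", None
    covered = any(
        net.subnet_of(parent)
        for parent in map(ipaddress.ip_network, accepted_prefixes)
        if parent.version == net.version            # subnet_of needs same version
    )
    if not covered:
        return "rejected: prefix not covered by the member's accepted routes", None
    return "accepted", {
        "prefix": str(net),
        "next_hop": BLACKHOLE_NEXT_HOP[net.version],
        "communities": [decode_standard_community(RFC7999_BLACKHOLE)],
    }


if __name__ == "__main__":
    # Constructed sample: AS64496 announces 192.0.2.0/24 normally and asks to
    # blackhole 192.0.2.1/32, then (wrongly) a /32 outside its own space.
    member_prefixes = ["192.0.2.0/24"]
    print(check_blackhole("192.0.2.1/32", [(65535, 666)], member_prefixes))
    print(check_blackhole("198.51.100.7/32", [(65535, 666)], member_prefixes))
```

The coverage check is what keeps one member from blackholing another member's addresses through the IX, which is why it is tied to the prefixes the RS already validated rather than to the blackhole tag alone.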
19. Other options
You can tell your peers to send the traffic to the attacked IP directly to
the blackholing server 193.242.98.101. The switches will filter the
traffic with this destination (they must accept your small prefixes).
[Figure: RS1, RS2 and RS3 (AS60082), the blackhole server 193.242.98.101 and two attackers. The member: "I announce 192.0.2.0/24 and 192.0.2.1/32 with the blackholing community to my peers". The attack traffic is marked with an x.]
20. Other options
[Figure: same diagram as slide 19. The member: "I announce 192.0.2.0/24 and 192.0.2.1/32 with next-hop 193.242.98.101 to my peers". The attack traffic is marked with an x.]
21. Thank you for your attention!
mariaisabel.gandia@csuc.cat
Editor's Notes
1982: GGP, Gateway-to-Gateway Protocol (developed by BBN and partially defined in RFC 823)
1982: first proposal of EGP, Exterior Gateway Protocol (RFC 827)
1984: "STUB" Exterior Gateway Protocol for core routers (RFC 888)
1984: EGP, Exterior Gateway Protocol, is defined (RFC 904)
1988: RIP (RFC 1058)
1989: BGP (v1) to exchange information between ASs (RFC 1105). The first Internet exchange points are created.
1990: BGPv2 (RFC 1163)
1991: BGPv3 (RFC 1267)
1994: BGPv4 (RFC 1654)
1994: IPv6 BGP (RFC 1883)
1995: Revision of BGPv4 (RFC 1771)
1996: communities are created (RFC 1997)
1998: multiprotocol extensions (e.g. IPv6) for BGP (RFC 2283)
2006: Revision of BGPv4 with CIDR (RFC 4271)
The first 2 are the AS number.
2 more to classify the route.
But 4-byte AS numbers appeared...
...and extended communities didn’t work well (even if they have 8 bytes, there were only 2 for the AS).
Large BGP communities
A single space for 16-bit and 32-bit ASs
No collisions between ASNs
Large communities are encoded in 96 bits (12 bytes):
“AS 32-bit:value 32-bit:value 32-bit”
The canonical representation is $Me:$Action:$You
Informational communities
Informational tags to mark routes with:
Geographic origin code (ISO 3166-1 and UN M.49)
Propagation relationship (internal, customer, peer, transit)
Provides debugging or capacity-planning information.
The Global Administrator field is the ASN that tags the routes.
Action communities
Indicate how a route must be treated:
Propagation characteristics (export, selective export, no export)
Local preference: influences inbound traffic within the AS.
AS Path: influences traffic from outside the AS.
The Global Administrator field is the ASN that has defined the functionality of the community.
Useful for transit providers that must execute actions on behalf of a customer.