SlideShare a Scribd company logo

Selective blackholing - how to use & implement

APNIC
APNIC

A presentation given at APRICOT 2015 during the Routing Session.

Internet
1 of 28
Download to read offline
Selec%ve  blackholing   How  to  use  &  implement       Job  Snijders   job@n=.net     APRICOT  2015  
Who  am  I?   Job  Snijders     NTT  Communica%ons     Founder  of  NLNOG  RING     Twi=er:  @JobSnijders   Email:  job@ins%tuut.net     Hobbies:  IP  Rou%ng,  LISP,  MPLS,  IPv6,  RPSL     Shoe  size:  45/EU     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   2  
Agenda   •  What  is  “selec&ve  blackholing”?   •  Defini%on   •  Examples  based  on  RIPE  ATLAS   •  How  to  set  up  selec%ve  blackholing  as  a  carrier   •  Defining  scopes   •  Route-­‐maps   •  Some  python   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   3  
What  is  selec%ve  blackholing?   Selec%ve  blackholing  ~  selec%ve  discarding      1.  Use  BGP  communi%es  to  instruct  your  Service   Provider  to  discard  packets  when  certain  condi0ons   are  met.      2.  A  region  of  space-­‐%me  from  which  gravity   prevents  anything,  including  light,  from  escaping,   except  the  colour  purple.     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   4  
What  does  it  ma=er?!   Content  is  most  oben  the  vic%m  (webshop,   gameserver,  webserver)     Most  prefixes/content  have  a  geographical   significance  which  decreases  as  distance  between  the   sender  and  receiver  increases.      (theorem  stems  from  sFlow  data  gathered  at  global  ISP).   In  other  words:  Chances  are  a  Japanese  web-­‐shop   owner  cares  most  about  Japanese  eyeballs.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   5  
Scope  is  relevant!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   6  
What’s  wrong  with  normal   blackholing?   Classic  blackholing  is  an  all  or  nothing  proposi0on:     you  throw  away  all  revenue  generated  by  the  vic%m   IP  address,  in  order  to  avoid  conges%ng  your   upstream  links.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   7  
Damage  control  is  not  mi%ga%on   Selec%ve  blackholing  should  be  considered  as  yet   another  tool  in  the  toolbox  when  under  duress.     Asser%on  #1:    “it  is  be6er  to  remain  par&ally  reachable  than  not   reachable  at  all  during  a  DDoS  a6ack”     Asser%on  #2:    “I  can  take  a  percentage  of  the  DDoS  traffic,  but   not  all”       APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   8  
Effects:   Discard  outside  1000  KM  radius   Customer  connects  in  Amsterdam,  Netherlands   White  dot  means  traffic  cannot  reach  des%na%on   Colored  dot  implies  reachability   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   9  
Effects:   Discard  outside  ‘this’  country   White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability,  Customer  connected  in  Amsterdam,  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   10  
White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability   ‘discard  outside  NL’  is  perfect   reachability  inside  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   11  
2914:664  -­‐  “only  blackhole  outside  the   country  the  announcement   originated”   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   12  
Part  2:  How  to  set  this  up  as  carrier   Focus  on  four  features:   Scope   End-­‐user  BGP  community   Outside  ‘This’  country   15562:664   Outside  ‘This’  con%nent   15562:660   Outside  1000  KM  radius   15562:663   Outside  2500  KM  radius   15562:662   ‘This’  means  ‘where  the  customer  interconnec%on  is  located’     Distance  is  from  Edge  router  to  Edge  router  in  the  SP’s  network  “as  the   crow  flies”  (not  actual  op%cal  fiber  path  length!).  Can  only  be   guaranteed  for  own  backbone   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   13  
Assign  your  routers  some  integers   name   Con0nent   id   ISO31661   City  ID   La0tude,  Longitude   tky.jp   3   392   46   35.65671,  139.80342   sjo.us   1   840   29   37.44569,-­‐122.16111   dal.us   1   840   33   32.80096,  -­‐96.81962   nyc.us   1   840   26   40.71780,  -­‐74.00885   lon.uk   2   276   23   51.51173,  -­‐0.00197   ams.nl   2   528   20   52.35600,  4.95068   sto.se   2   752   22   59.36264,  17.95560   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   14  
Router  specific  configura%on  –  IOS’ish   nyc.us:   ip community-list THIS:METRO seq 5 permit 65123:10026 ip community-list THIS:COUNTRY seq 5 permit 65123:840 ip community-list THIS:CONTINENT seq 5 permit 65123:1000 lon.uk:   ip community-list THIS:METRO seq 5 permit 65123:20023 ip community-list THIS:COUNTRY seq 5 permit 65123:276 ip community-list THIS:CONTINENT seq 5 permit 65123:2000   ams.nl:   ip community-list THIS:METRO seq 5 permit 65123:20020 ip community-list THIS:COUNTRY seq 5 permit 65123:528 ip community-list THIS:CONTINENT seq 5 permit 65123:2000   ……  etc!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   15  
What  happens  where?   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   16  
iBGP  inbound  route-­‐map   ip route 10.0.0.1 255.255.255.255 null0 route-map INBOUND-IBGP permit 100 match community 15562:666 ! classic blackhole community set ip next-hop 10.0.0.1 ! discard route-map INBOUND-IBGP permit 200 match community 15562:660 15562:662 15562:663 15562:664 continue 1100 ! Jump over regular ‘accept’ @ 1000 ! towards scope checking route-map INBOUND-IBGP permit 1000 ! No match statement == accept anything route-map INBOUND-IBGP permit 1100 match community THIS:METRO THIS:COUNTRY THIS:CONTINENT ! If match is found, accept prefix and stop ! evaluating the route-map route-map INBOUND-IBGP permit 1101 ! Anything that arrives here: discard set ip next-hop 10.0.0.1 APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   17  
Customer  facing  route-­‐map   01. route-map IMPORT:FROM:CUSTOMER-A permit 200 02. match ip address prefix-list CUSTOMER-A-PREFIXES 03. match community 15562:666 04. set community no-export additive 05. set ip next-hop 10.0.0.1 06. route-map IMPORT:FROM:CUSTOMER-A permit 300 07. match ip address prefix-list CUSTOMER-A-PREFIXES 08. match community SCOPED:ACTION 09. continue 600 ! Remember this jump ! 10. route-map IMPORT:FROM:CUSTOMER-A permit 400 11. match ip address prefix-list CUSTOMER-A-PREFIXES 12. set local-preference 650 13. route-map IMPORT:FROM:CUSTOMER-A deny 500 APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   18  
Customer  facing  (cont.)   Add/Rewrite  scoping  informa%on  when  a  ‘scoped  ac%on’  is  used   14. route-map IMPORT:FROM:CUSTOMER-A permit 600 ! Here is 600 again 15. match community OUTSIDE:1000KM:RADIUS:DISCARD ! 15562:663 16. set community 65123:10029 additive 17. route-map IMPORT:FROM:CUSTOMER-A permit 700 18. match community OUTSIDE:2500KM:RADIUS:DISCARD ! 15562:662 19. set community 65123:10033 65123:10029 additive 20. route-map IMPORT:FROM:CUSTOMER-A permit 900 21. match community OUTSIDE:THIS:COUNTRY:DISCARD ! 15562:664 22. set community 65123:840 additive 23. route-map IMPORT:FROM:CUSTOMER-A permit 1100 24. match community OUTSIDE:THIS:CONTINENT:DISCARD ! 15562:660 25. set community 65123:1000 additive APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   19  
What  happens  where?   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   20  
But  wait  a  second…  how  do  you  figure  out  what   needs  to  be  rewri=en  to…  what?     Gratis download! http://instituut.net/~job/example_community_calculator.py   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   21  
Proof:  Sobware  is  cool  –  SDN  finally  arrived!   derp:~ job$ wget -q http://instituut.net/~job/example_community_calculator.py derp:~ job$ python example_community_calculator.py r1.lon.uk - rewrite targets: 1000 km: 65123:20020 65123:276 2500 km: 65123:2000 r1.dal.us - rewrite targets: 1000 km: 65123:10033 2500 km: 65123:840 r1.sjo.us - rewrite targets: 1000 km: 65123:10029 2500 km: 65123:10033 65123:10029 r1.nyc.us - rewrite targets: 1000 km: 65123:10026 2500 km: 65123:10026 65123:10033 <snip> APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   22  
The  integers  in  essence  provide   groupings  of  routers,  which  the   sobware/route-­‐maps  use   COMM /RTR   :276   :2000   :10033   :840   :10029   :10026   :30046   :20022   :20020   ams.nl   X   X   lon.uk   X   X   sto.se   X   X   nyc.us   X   X   dal.us   X   X   sjo.us   X   X   tky.jp   X   (incomplete  table,  but  you  get  the  gist…  )   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   23  
Considera%ons   •  Automate  all  route-­‐map  deployments  (actually,  automate  everything!)   •  Use  or  make  a  CMDB  where  you  store  integers   •  Selec%ve  Blackholing  is  a  pre=y  advanced  feature..    with  very  li=le  router  specific  configura%on  J   •  Can  be  deployed  on  any  vendor.  Crappy  vendors  are    not  an  excuse.  This  requires  no  extra  CAPEX   •  Customers  don’t  ask  for  this    feature  because  they  don’t      know  it  exists  (yet)     •  Saves  both  the  service  provider    and  customer  money:  win/win   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   24  
Selec%ve  blackholing  at  NTT  /  AS2914     available  today!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   25   BGP  Community   Rou0ng  policy   2914:666   Global  discard  /  classic  blackhole   2914:660   Only  blackhole  outside  the  region   2914:664   Only  blackhole  outside  the  country   2914:661   Only  blackhole  inside  the  region   2914:663   Only  blackhole  inside  the  country  
And  you,  as  a  customer?   Announce  the  selec%ve  blackhole  prefix  but   don’t  blackhole  it  yourself!  To  achive  “blackhole   outside  this  region”   This is probably bad:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 discard community 2914:660 Something like this is better:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 no-install community 2914:660 NANOG63  -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   26  
Ques%ons?   Ask  now,  or  email  job@n=.net   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   27  
Resources  &  Credits   Technical  narra%ve  in  text  form:     h=p://mailman.nanog.org/pipermail/nanog/2014-­‐February/064381.html         I  want  to  thank  Saku  Yw,  Torsten  Blum  and  Peter  van  Dijk   for  contribu%ng  to  this  methodology.     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   28  

Recommended

14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG
14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG
14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOGIndonesia Network Operators Group
 
The $1000 Internet Exchange
The $1000 Internet ExchangeThe $1000 Internet Exchange
The $1000 Internet ExchangeAPNIC
 
IPv6 at FPT Telecom
IPv6 at FPT TelecomIPv6 at FPT Telecom
IPv6 at FPT TelecomAPNIC
 
Latency Maps for Asia's mobile networks
Latency Maps for Asia's mobile networksLatency Maps for Asia's mobile networks
Latency Maps for Asia's mobile networksSiddharth Mathur
 
Presentation olps vf
Presentation olps vfPresentation olps vf
Presentation olps vfabdellah93
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Pavel Odintsov
 

Recommended

14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG
14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOG
14 - IDNOG03 - George Michaelson (APNIC) - IPV6-in-2016-IDNOGIndonesia Network Operators Group
 
The $1000 Internet Exchange
The $1000 Internet ExchangeThe $1000 Internet Exchange
The $1000 Internet ExchangeAPNIC
 
IPv6 at FPT Telecom
IPv6 at FPT TelecomIPv6 at FPT Telecom
IPv6 at FPT TelecomAPNIC
 
Latency Maps for Asia's mobile networks
Latency Maps for Asia's mobile networksLatency Maps for Asia's mobile networks
Latency Maps for Asia's mobile networksSiddharth Mathur
 
Presentation olps vf
Presentation olps vfPresentation olps vf
Presentation olps vfabdellah93
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Pavel Odintsov
 
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays
 
CCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVCCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVShapeBlue
 
An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 UpdateAPNIC
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceAPNIC
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Hello Cloud
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021Tatsuo Kudo
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats NewSolarWinds
 
Automating Networks by using API
Automating Networks by using APIAutomating Networks by using API
Automating Networks by using API一清 井上
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationWilson Rogerio Lopes
 
Automating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAutomating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAPNIC
 
CloudStack and NFV
CloudStack and NFVCloudStack and NFV
CloudStack and NFVShapeBlue
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsCisco Canada
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]APNIC
 
Successfully Interconnecting Data Centers
Successfully Interconnecting Data CentersSuccessfully Interconnecting Data Centers
Successfully Interconnecting Data CentersCisco Canada
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...gogo6
 
CoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenariosCoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenarioscarlosralli
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 

More Related Content

Similar to Selective blackholing - how to use & implement

apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays
 
CCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVCCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVShapeBlue
 
An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 UpdateAPNIC
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceAPNIC
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Hello Cloud
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021Tatsuo Kudo
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats NewSolarWinds
 
Automating Networks by using API
Automating Networks by using APIAutomating Networks by using API
Automating Networks by using API一清 井上
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationWilson Rogerio Lopes
 
Automating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAutomating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAPNIC
 
CloudStack and NFV
CloudStack and NFVCloudStack and NFV
CloudStack and NFVShapeBlue
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsCisco Canada
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]APNIC
 
Successfully Interconnecting Data Centers
Successfully Interconnecting Data CentersSuccessfully Interconnecting Data Centers
Successfully Interconnecting Data CentersCisco Canada
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...gogo6
 
CoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenariosCoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenarioscarlosralli
 

Similar to Selective blackholing - how to use & implement (20)

apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
 
CCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVCCNA17 CloudStack and NFV
CCNA17 CloudStack and NFV
 
An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 Update
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats New
 
Automating Networks by using API
Automating Networks by using APIAutomating Networks by using API
Automating Networks by using API
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Automating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAutomating Networks by Converting into API/Webs
Automating Networks by Converting into API/Webs
 
CloudStack and NFV
CloudStack and NFVCloudStack and NFV
CloudStack and NFV
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload Deployments
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
 
Successfully Interconnecting Data Centers
Successfully Interconnecting Data CentersSuccessfully Interconnecting Data Centers
Successfully Interconnecting Data Centers
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
CoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenariosCoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenarios
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 

Recently uploaded (20)

Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 

Selective blackholing - how to use & implement

  • 1. Selec%ve  blackholing   How  to  use  &  implement       Job  Snijders   job@n=.net     APRICOT  2015  
  • 2. Who  am  I?   Job  Snijders     NTT  Communica%ons     Founder  of  NLNOG  RING     Twi=er:  @JobSnijders   Email:  job@ins%tuut.net     Hobbies:  IP  Rou%ng,  LISP,  MPLS,  IPv6,  RPSL     Shoe  size:  45/EU     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   2  
  • 3. Agenda   •  What  is  “selec&ve  blackholing”?   •  Defini%on   •  Examples  based  on  RIPE  ATLAS   •  How  to  set  up  selec%ve  blackholing  as  a  carrier   •  Defining  scopes   •  Route-­‐maps   •  Some  python   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   3  
  • 4. What  is  selec%ve  blackholing?   Selec%ve  blackholing  ~  selec%ve  discarding      1.  Use  BGP  communi%es  to  instruct  your  Service   Provider  to  discard  packets  when  certain  condi0ons   are  met.      2.  A  region  of  space-­‐%me  from  which  gravity   prevents  anything,  including  light,  from  escaping,   except  the  colour  purple.     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   4  
  • 5. What  does  it  ma=er?!   Content  is  most  oben  the  vic%m  (webshop,   gameserver,  webserver)     Most  prefixes/content  have  a  geographical   significance  which  decreases  as  distance  between  the   sender  and  receiver  increases.      (theorem  stems  from  sFlow  data  gathered  at  global  ISP).   In  other  words:  Chances  are  a  Japanese  web-­‐shop   owner  cares  most  about  Japanese  eyeballs.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   5  
  • 6. Scope  is  relevant!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   6  
  • 7. What’s  wrong  with  normal   blackholing?   Classic  blackholing  is  an  all  or  nothing  proposi0on:     you  throw  away  all  revenue  generated  by  the  vic%m   IP  address,  in  order  to  avoid  conges%ng  your   upstream  links.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   7  
  • 8. Damage  control  is  not  mi%ga%on   Selec%ve  blackholing  should  be  considered  as  yet   another  tool  in  the  toolbox  when  under  duress.     Asser%on  #1:    “it  is  be6er  to  remain  par&ally  reachable  than  not   reachable  at  all  during  a  DDoS  a6ack”     Asser%on  #2:    “I  can  take  a  percentage  of  the  DDoS  traffic,  but   not  all”       APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   8  
  • 9. Effects:   Discard  outside  1000  KM  radius   Customer  connects  in  Amsterdam,  Netherlands   White  dot  means  traffic  cannot  reach  des%na%on   Colored  dot  implies  reachability   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   9  
  • 10. Effects:   Discard  outside  ‘this’  country   White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability,  Customer  connected  in  Amsterdam,  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   10  
  • 11. White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability   ‘discard  outside  NL’  is  perfect   reachability  inside  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   11  
  • 12. 2914:664  -­‐  “only  blackhole  outside  the   country  the  announcement   originated”   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   12  
  • 13. Part  2:  How  to  set  this  up  as  carrier   Focus  on  four  features:   Scope   End-­‐user  BGP  community   Outside  ‘This’  country   15562:664   Outside  ‘This’  con%nent   15562:660   Outside  1000  KM  radius   15562:663   Outside  2500  KM  radius   15562:662   ‘This’  means  ‘where  the  customer  interconnec%on  is  located’     Distance  is  from  Edge  router  to  Edge  router  in  the  SP’s  network  “as  the   crow  flies”  (not  actual  op%cal  fiber  path  length!).  Can  only  be   guaranteed  for  own  backbone   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   13  
  • 14. Assign  your  routers  some  integers   name   Con0nent   id   ISO31661   City  ID   La0tude,  Longitude   tky.jp   3   392   46   35.65671,  139.80342   sjo.us   1   840   29   37.44569,-­‐122.16111   dal.us   1   840   33   32.80096,  -­‐96.81962   nyc.us   1   840   26   40.71780,  -­‐74.00885   lon.uk   2   276   23   51.51173,  -­‐0.00197   ams.nl   2   528   20   52.35600,  4.95068   sto.se   2   752   22   59.36264,  17.95560   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   14  
  • 15. Router  specific  configura%on  –  IOS’ish   nyc.us:   ip community-list THIS:METRO seq 5 permit 65123:10026 ip community-list THIS:COUNTRY seq 5 permit 65123:840 ip community-list THIS:CONTINENT seq 5 permit 65123:1000 lon.uk:   ip community-list THIS:METRO seq 5 permit 65123:20023 ip community-list THIS:COUNTRY seq 5 permit 65123:276 ip community-list THIS:CONTINENT seq 5 permit 65123:2000   ams.nl:   ip community-list THIS:METRO seq 5 permit 65123:20020 ip community-list THIS:COUNTRY seq 5 permit 65123:528 ip community-list THIS:CONTINENT seq 5 permit 65123:2000   ……  etc!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   15  
  • 16. What  happens  where?   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   16  
  • 17. iBGP  inbound  route-­‐map   ip route 10.0.0.1 255.255.255.255 null0 route-map INBOUND-IBGP permit 100 match community 15562:666 ! classic blackhole community set ip next-hop 10.0.0.1 ! discard route-map INBOUND-IBGP permit 200 match community 15562:660 15562:662 15562:663 15562:664 continue 1100 ! Jump over regular ‘accept’ @ 1000 ! towards scope checking route-map INBOUND-IBGP permit 1000 ! No match statement == accept anything route-map INBOUND-IBGP permit 1100 match community THIS:METRO THIS:COUNTRY THIS:CONTINENT ! If match is found, accept prefix and stop ! evaluating the route-map route-map INBOUND-IBGP permit 1101 ! Anything that arrives here: discard set ip next-hop 10.0.0.1 APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   17  
  • 18. Customer  facing  route-­‐map   01. route-map IMPORT:FROM:CUSTOMER-A permit 200 02. match ip address prefix-list CUSTOMER-A-PREFIXES 03. match community 15562:666 04. set community no-export additive 05. set ip next-hop 10.0.0.1 06. route-map IMPORT:FROM:CUSTOMER-A permit 300 07. match ip address prefix-list CUSTOMER-A-PREFIXES 08. match community SCOPED:ACTION 09. continue 600 ! Remember this jump ! 10. route-map IMPORT:FROM:CUSTOMER-A permit 400 11. match ip address prefix-list CUSTOMER-A-PREFIXES 12. set local-preference 650 13. route-map IMPORT:FROM:CUSTOMER-A deny 500 APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   18  
  • 19. Customer  facing  (cont.)   Add/Rewrite  scoping  informa%on  when  a  ‘scoped  ac%on’  is  used   14. route-map IMPORT:FROM:CUSTOMER-A permit 600 ! Here is 600 again 15. match community OUTSIDE:1000KM:RADIUS:DISCARD ! 15562:663 16. set community 65123:10029 additive 17. route-map IMPORT:FROM:CUSTOMER-A permit 700 18. match community OUTSIDE:2500KM:RADIUS:DISCARD ! 15562:662 19. set community 65123:10033 65123:10029 additive 20. route-map IMPORT:FROM:CUSTOMER-A permit 900 21. match community OUTSIDE:THIS:COUNTRY:DISCARD ! 15562:664 22. set community 65123:840 additive 23. route-map IMPORT:FROM:CUSTOMER-A permit 1100 24. match community OUTSIDE:THIS:CONTINENT:DISCARD ! 15562:660 25. set community 65123:1000 additive APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   19  
  • 20. What  happens  where?   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   20  
  • 21. But  wait  a  second…  how  do  you  figure  out  what   needs  to  be  rewri=en  to…  what?     Gratis download! http://instituut.net/~job/example_community_calculator.py   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   21  
  • 22. Proof:  Sobware  is  cool  –  SDN  finally  arrived!   derp:~ job$ wget -q http://instituut.net/~job/example_community_calculator.py derp:~ job$ python example_community_calculator.py r1.lon.uk - rewrite targets: 1000 km: 65123:20020 65123:276 2500 km: 65123:2000 r1.dal.us - rewrite targets: 1000 km: 65123:10033 2500 km: 65123:840 r1.sjo.us - rewrite targets: 1000 km: 65123:10029 2500 km: 65123:10033 65123:10029 r1.nyc.us - rewrite targets: 1000 km: 65123:10026 2500 km: 65123:10026 65123:10033 <snip> APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   22  
  • 23. The  integers  in  essence  provide   groupings  of  routers,  which  the   sobware/route-­‐maps  use   COMM /RTR   :276   :2000   :10033   :840   :10029   :10026   :30046   :20022   :20020   ams.nl   X   X   lon.uk   X   X   sto.se   X   X   nyc.us   X   X   dal.us   X   X   sjo.us   X   X   tky.jp   X   (incomplete  table,  but  you  get  the  gist…  )   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   23  
  • 24. Considera%ons   •  Automate  all  route-­‐map  deployments  (actually,  automate  everything!)   •  Use  or  make  a  CMDB  where  you  store  integers   •  Selec%ve  Blackholing  is  a  pre=y  advanced  feature..    with  very  li=le  router  specific  configura%on  J   •  Can  be  deployed  on  any  vendor.  Crappy  vendors  are    not  an  excuse.  This  requires  no  extra  CAPEX   •  Customers  don’t  ask  for  this    feature  because  they  don’t      know  it  exists  (yet)     •  Saves  both  the  service  provider    and  customer  money:  win/win   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   24  
  • 25. Selec%ve  blackholing  at  NTT  /  AS2914     available  today!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   25   BGP  Community   Rou0ng  policy   2914:666   Global  discard  /  classic  blackhole   2914:660   Only  blackhole  outside  the  region   2914:664   Only  blackhole  outside  the  country   2914:661   Only  blackhole  inside  the  region   2914:663   Only  blackhole  inside  the  country  
  • 26. And  you,  as  a  customer?   Announce  the  selec%ve  blackhole  prefix  but   don’t  blackhole  it  yourself!  To  achive  “blackhole   outside  this  region”   This is probably bad:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 discard community 2914:660 Something like this is better:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 no-install community 2914:660 NANOG63  -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   26  
  • 27. Ques%ons?   Ask  now,  or  email  job@n=.net   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   27  
  • 28. Resources  &  Credits   Technical  narra%ve  in  text  form:     h=p://mailman.nanog.org/pipermail/nanog/2014-­‐February/064381.html         I  want  to  thank  Saku  Yw,  Torsten  Blum  and  Peter  van  Dijk   for  contribu%ng  to  this  methodology.     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   28