Community Tools to Fight Against DDoS

Community tools to fight against DDoS
Fakrul Alam
bdHUB Limited
fakrul@bdhub.com
bdNOG3 Conference | 18th May 2015 | Dhaka
DDoS
•  Distributed denial-of-service (DDoS) attacks target
network infrastructures or computer services by
sending overwhelming number of service requests to
the server from many sources.
•  Server resources are used up in serving the fake
requests resulting in denial or degradation of
legitimate service requests to be served
bdNOG3 Conference | 18th May 2015 | Dhaka
Addressing DDoS attacks
•  Detection
–  Detect incoming fake requests
•  Mitigation
–  Diversion : Send traffic to a specialized device that
removes the fake packets from the traffic stream while
retaining the legitimate packets
–  Return : Send back the clean traffic to the server
bdNOG3 Conference | 18th May 2015 | Dhaka
3 Community tools from Team Cymru
•  Bogon Filter
–  https://www.team-cymru.org/bogon-reference.html
•  Flow Sonar
–  https://www.team-cymru.org/Flow-Sonar.html
•  UTRS (Unwanted Traffic Removal Service)
–  https://www.team-cymru.org/UTRS/index.html
bdNOG3 Conference | 18th May 2015 | Dhaka
1. Bogon Filter
Bogon Filter
•  A bogon prefix is a route that should never appear in
the Internet routing table
–  Bogons are defined as Martians (private and reserved
addresses defined by RFC 1918, RFC 5735, and RFC 6598)
and netblocks that have not been allocated to a RIR by the
IANA
•  These are commonly found as the source addresses of
DDoS attacks
•  Study shows 60% of the naughty packets were obvious
bogons
•  Bogon and fullbogon lists are NOT static lists
bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Configuration IPv4
bdNOG3 Conference | 18th May 2015 | Dhaka
/ you can forward these traffic and analyze /
Bogon Filter : Configuration IPv6
bdNOG3 Conference | 18th May 2015 | Dhaka
/ you can forward these traffic and analyze /
Bogon Filter : Output
bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Status
•  The IPv4 traditional bogons list is currently 13
prefixes.
•  fullbogons list is approximately 3,618 prefixes.
•  The IPv6 fullbogons list is approximately 58,401
prefixes.
–  [date : 18th May 2015]
bdNOG3 Conference | 18th May 2015 | Dhaka
Bogon Filter : Peering
•  Contact bogonrs@cymru.com
1.  Which bogon types you wish to receive (traditional IPv4
bogons, IPv4 fullbogons, and/or IPv6 fullbogons)
2.  Your AS number
3.  The IP address(es) you want us to peer with
4.  Does your equipment support MD5 passwords for BGP
sessions?
5.  Optional: your GPG/PGP public key
•  https://www.team-cymru.org/bogon-reference-
bgp.html
bdNOG3 Conference | 18th May 2015 | Dhaka
2. Flow Sonar
Flow Sonar
•  The Team Cymru Flow Sonar system is a powerful tool
for network managers to visually identify and understand
what is happening on their network at any given time
•  Leveraging the free and open-source framework provided
by Peter Haag of SWITCH
•  Special plugins "dosrannu" developed by Team Cymru to
track malicious activity on your network
•  Unique dosrannu feeds alerted to DDoS attacks,
compromised machines, and the presence of
connections to C&C hosts
bdNOG3 Conference | 18th May 2015 | Dhaka
Flow Sonar
It’s	
  nfsens/nfdump!!!	
  
bdNOG3 Conference | 18th May 2015 | Dhaka
Flow Sonar : Get It
•  Contact outreach@cymru.com
1.  Team Cymru will send hardware
•  1 Server
•  1 Router
•  https://www.team-cymru.org/Flow-Sonar.html
bdNOG3 Conference | 18th May 2015 | Dhaka
3. UTRS (Unwanted Traffic Removal
Service)
RTBH 101
CE
IP : 1.2.3.4
BGP : 1.2.3.0/24
PE
Transit I
Transit II
Provider InfraCustomer Infra
Website
Internet
bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101
CE
IP : 1.2.3.4
BGP : 1.2.3.0/24
PE
Transit I
Transit II
Provider InfraCustomer Infra
Website
Internet
DDoS Traffic
DDoS Traffic DDoS Traffic
bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101
CE
IP : 1.2.3.4
BGP : 1.2.3.0/24
PE
Transit I
Transit II
Provider InfraCustomer Infra
Website
Internet
DDoS Traffic
DDoS Traffic DDoS Traffic
BGP : 1.2.3.4/32
COM : 65420:666
bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH 101
CE
IP : 1.2.3.4
BGP : 1.2.3.0/24
PE
Transit I
Transit II
Provider InfraCustomer Infra
Website
Internet
DDoS Traffic
BGP : 1.2.3.4/32
COM : 65420:666
IP : 1.2.3.4/32 -> discard
IP : 1.2.3.4/32 -> discard
bdNOG3 Conference | 18th May 2015 | Dhaka
RTBH Upstream
•  Check whether your upsteam provider support RTBH
•  Configure & Test RTBH before incident
•  Only announce IPv4 /32's from address space you
originate or your customer
bdNOG3 Conference | 18th May 2015 | Dhaka
UTRS
•  It’s based on the basic principle of DDoS filtering;
Remotely Triggered Black Hole Filtering
•  UTRS is a system that helps mitigate large
infrastructure attacks by leveraging an existing
network of cooperating BGP speakers such as ISPs,
hosting providers and educational institutions that
automatically distributes verified BGP-based filter
rules from victim to cooperating networks
bdNOG3 Conference | 18th May 2015 | Dhaka
UTRS : Configuration
bdNOG3 Conference | 18th May 2015 | Dhaka
Make sure you tag the route properly
UTRS : Apply
•  Newly launched service
–  Quite picky to choose whom to peer
–  Do organization verification
•  https://www.team-cymru.org/UTRS/index.html
bdNOG3 Conference | 18th May 2015 | Dhaka
How UTRS varies from RTBH with
upstream!
Other Efforts
•  NANOG BCOP : DDoS-DoS-attack-BCOP
–  http://bcop.nanog.org/index.php/DDoS-DoS-attack-BCOP
bdNOG3 Conference | 18th May 2015 | Dhaka
Thank You
1 of 28

Recommended

Community tools to fight against DDoS, SANOG 27 by
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
1.4K views29 slides
Secure BGP and Operational Report of Bangladesh by
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshBangladesh Network Operators Group
569 views16 slides
Application of local Internet content by
Application of local Internet content Application of local Internet content
Application of local Internet content Bangladesh Network Operators Group
868 views43 slides
BKNIX Peering Forum 2017: Community tools to fight DDoS by
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
618 views30 slides
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi by
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiMyNOG
2K views12 slides

More Related Content

What's hot

31, Get more from your IPv4 resources by
31, Get more from your IPv4 resources31, Get more from your IPv4 resources
31, Get more from your IPv4 resourcesBangladesh Network Operators Group
3.3K views32 slides
Traffic Insight Using Netflow and Deepfield Systems by
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsMyNOG
958 views13 slides
The Next Generation Internet Number Registry Services by
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesMyNOG
314 views44 slides
Routing Security - its importance and status in South Asia by
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
256 views25 slides
Network State Awareness & Troubleshooting by
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & TroubleshootingAPNIC
988 views46 slides
MANRS for Network Operators - bdNOG12 by
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
281 views114 slides

What's hot(20)

Traffic Insight Using Netflow and Deepfield Systems by MyNOG
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield Systems
MyNOG958 views
The Next Generation Internet Number Registry Services by MyNOG
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG314 views
Network State Awareness & Troubleshooting by APNIC
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC988 views
BSides: BGP Hijacking and Secure Internet Routing by APNIC
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC575 views
How to Configure NetFlow v5 & v9 on Cisco Routers by SolarWinds
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco Routers
SolarWinds19.5K views
More specific announcments in BGP by APNIC
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
APNIC486 views
NZNOG 2020: APNIC update by APNIC
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC update
APNIC189 views
PhNOG 2020: ROA and RPKI in the Philippines by APNIC
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
APNIC663 views
PhNOG 2020: Securing your resources with RPKI and IRT by APNIC
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
APNIC1.7K views
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma by MyNOG
Cloud Traffic Engineer – Google Espresso Project  by Shaowen MaCloud Traffic Engineer – Google Espresso Project  by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
MyNOG870 views
IPv6 at FPT Telecom by APNIC
IPv6 at FPT TelecomIPv6 at FPT Telecom
IPv6 at FPT Telecom
APNIC1.5K views
Applying IPv6 to LTE Networks by APNIC
Applying IPv6 to LTE NetworksApplying IPv6 to LTE Networks
Applying IPv6 to LTE Networks
APNIC1.9K views
DPI BOX: deep packet inspection for ISP traffic management by Ilya Mikov
DPI BOX: deep packet inspection for ISP traffic managementDPI BOX: deep packet inspection for ISP traffic management
DPI BOX: deep packet inspection for ISP traffic management
Ilya Mikov4.6K views

Viewers also liked

RPKI Deployment Status in Bangladesh by
RPKI Deployment Status in Bangladesh RPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh Bangladesh Network Operators Group
845 views35 slides
Onboard Automation with EEM by
Onboard Automation with EEM Onboard Automation with EEM
Onboard Automation with EEM Bangladesh Network Operators Group
3.5K views27 slides
Securing Asterisk: A practical approach by
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approachBangladesh Network Operators Group
1.6K views29 slides
bdNOG Conference Report by
bdNOG Conference Report bdNOG Conference Report
bdNOG Conference Report Bangladesh Network Operators Group
662 views17 slides
OpenStack Cloud Administration Through Live Demonstration by
OpenStack Cloud Administration Through Live DemonstrationOpenStack Cloud Administration Through Live Demonstration
OpenStack Cloud Administration Through Live DemonstrationBangladesh Network Operators Group
819 views45 slides
Prefix Filtering BCP by
Prefix Filtering BCP Prefix Filtering BCP
Prefix Filtering BCP Bangladesh Network Operators Group
812 views32 slides

Viewers also liked(20)

Similar to Community Tools to Fight Against DDoS

MANRS for Network Operators by
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network OperatorsBangladesh Network Operators Group
45 views56 slides
Introduction to RPKI by
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
1.4K views27 slides
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka by
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
426 views32 slides
LKNOG3-Keynote by
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
81 views32 slides
Manrs 7_sept__indonesia by
Manrs  7_sept__indonesiaManrs  7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
102 views88 slides
BGP by
BGPBGP
BGPKHNOG
337 views18 slides

Similar to Community Tools to Fight Against DDoS (20)

Introduction to RPKI by APNIC
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC1.4K views
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka by APNIC
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
APNIC426 views
LKNOG3-Keynote by LKNOG
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
LKNOG81 views
BGP by KHNOG
BGPBGP
BGP
KHNOG337 views
presentation_6352_1548734037.pdf by DaudSulaeman2
presentation_6352_1548734037.pdfpresentation_6352_1548734037.pdf
presentation_6352_1548734037.pdf
DaudSulaeman25 views
Routing Security, Another Elephant in the Room by RIPE NCC
Routing Security, Another Elephant in the RoomRouting Security, Another Elephant in the Room
Routing Security, Another Elephant in the Room
RIPE NCC9 views
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference by APNIC
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
APNIC2.4K views
DDoS Mitigation using BGP Flowspec by APNIC
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC2.8K views
MikroTik BGP Security - MUM 2014 (rofiq fauzi) by Rofiq Fauzi
MikroTik BGP Security - MUM 2014 (rofiq fauzi)MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
Rofiq Fauzi3.7K views
Myanmar Member Gathering by APNIC
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member Gathering
APNIC1.4K views
RIPE NCC RIS (Routing Information Service) by RIPE NCC
RIPE NCC RIS (Routing Information Service)RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)
RIPE NCC103 views
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec by PROIDEA
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA605 views
Hyperledger & blockchain meetup - Milano 23.10.2019 by Carlo Ferrarini
Hyperledger & blockchain meetup - Milano 23.10.2019Hyperledger & blockchain meetup - Milano 23.10.2019
Hyperledger & blockchain meetup - Milano 23.10.2019
Carlo Ferrarini166 views
RPKI Overview, Case Studies, Deployment and Operations by APNIC
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC183 views

More from Bangladesh Network Operators Group

IPv6 Deployment in South Asia 2022 by
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022Bangladesh Network Operators Group
43 views20 slides
Introduction to Software Defined Networking (SDN) by
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Bangladesh Network Operators Group
143 views27 slides
RPKI Deployment Status in Bangladesh by
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
45 views21 slides
An Overview about open UDP Services by
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP ServicesBangladesh Network Operators Group
217 views15 slides
12 Years in DNS Security As a Defender by
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a DefenderBangladesh Network Operators Group
111 views21 slides
Contents Localization Initiatives to get better User Experience by
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
74 views31 slides

More from Bangladesh Network Operators Group(20)

Recently uploaded

Marketing and Community Building in Web3 by
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
14 views64 slides
Affiliate Marketing by
Affiliate MarketingAffiliate Marketing
Affiliate MarketingNavin Dhanuka
17 views30 slides
The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
14 views24 slides
ATPMOUSE_융합2조.pptx by
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptxkts120898
35 views70 slides
IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
414 views22 slides
Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
110 views18 slides

Recently uploaded(9)

Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast14 views
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh14 views
ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC414 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat110 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views

Community Tools to Fight Against DDoS

  • 1. Community tools to fight against DDoS Fakrul Alam bdHUB Limited fakrul@bdhub.com
  • 2. bdNOG3 Conference | 18th May 2015 | Dhaka
  • 3. DDoS •  Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending overwhelming number of service requests to the server from many sources. •  Server resources are used up in serving the fake requests resulting in denial or degradation of legitimate service requests to be served bdNOG3 Conference | 18th May 2015 | Dhaka
  • 4. Addressing DDoS attacks •  Detection –  Detect incoming fake requests •  Mitigation –  Diversion : Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets –  Return : Send back the clean traffic to the server bdNOG3 Conference | 18th May 2015 | Dhaka
  • 5. 3 Community tools from Team Cymru •  Bogon Filter –  https://www.team-cymru.org/bogon-reference.html •  Flow Sonar –  https://www.team-cymru.org/Flow-Sonar.html •  UTRS (Unwanted Traffic Removal Service) –  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 7. Bogon Filter •  A bogon prefix is a route that should never appear in the Internet routing table –  Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a RIR by the IANA •  These are commonly found as the source addresses of DDoS attacks •  Study shows 60% of the naughty packets were obvious bogons •  Bogon and fullbogon lists are NOT static lists bdNOG3 Conference | 18th May 2015 | Dhaka
  • 8. Bogon Filter : Configuration IPv4 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
  • 9. Bogon Filter : Configuration IPv6 bdNOG3 Conference | 18th May 2015 | Dhaka / you can forward these traffic and analyze /
  • 10. Bogon Filter : Output bdNOG3 Conference | 18th May 2015 | Dhaka
  • 11. Bogon Filter : Status •  The IPv4 traditional bogons list is currently 13 prefixes. •  fullbogons list is approximately 3,618 prefixes. •  The IPv6 fullbogons list is approximately 58,401 prefixes. –  [date : 18th May 2015] bdNOG3 Conference | 18th May 2015 | Dhaka
  • 12. Bogon Filter : Peering •  Contact bogonrs@cymru.com 1.  Which bogon types you wish to receive (traditional IPv4 bogons, IPv4 fullbogons, and/or IPv6 fullbogons) 2.  Your AS number 3.  The IP address(es) you want us to peer with 4.  Does your equipment support MD5 passwords for BGP sessions? 5.  Optional: your GPG/PGP public key •  https://www.team-cymru.org/bogon-reference- bgp.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 14. Flow Sonar •  The Team Cymru Flow Sonar system is a powerful tool for network managers to visually identify and understand what is happening on their network at any given time •  Leveraging the free and open-source framework provided by Peter Haag of SWITCH •  Special plugins "dosrannu" developed by Team Cymru to track malicious activity on your network •  Unique dosrannu feeds alerted to DDoS attacks, compromised machines, and the presence of connections to C&C hosts bdNOG3 Conference | 18th May 2015 | Dhaka
  • 15. Flow Sonar It’s  nfsens/nfdump!!!   bdNOG3 Conference | 18th May 2015 | Dhaka
  • 16. Flow Sonar : Get It •  Contact outreach@cymru.com 1.  Team Cymru will send hardware •  1 Server •  1 Router •  https://www.team-cymru.org/Flow-Sonar.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 17. 3. UTRS (Unwanted Traffic Removal Service)
  • 18. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet bdNOG3 Conference | 18th May 2015 | Dhaka
  • 19. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic bdNOG3 Conference | 18th May 2015 | Dhaka
  • 20. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic DDoS Traffic DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 bdNOG3 Conference | 18th May 2015 | Dhaka
  • 21. RTBH 101 CE IP : 1.2.3.4 BGP : 1.2.3.0/24 PE Transit I Transit II Provider InfraCustomer Infra Website Internet DDoS Traffic BGP : 1.2.3.4/32 COM : 65420:666 IP : 1.2.3.4/32 -> discard IP : 1.2.3.4/32 -> discard bdNOG3 Conference | 18th May 2015 | Dhaka
  • 22. RTBH Upstream •  Check whether your upsteam provider support RTBH •  Configure & Test RTBH before incident •  Only announce IPv4 /32's from address space you originate or your customer bdNOG3 Conference | 18th May 2015 | Dhaka
  • 23. UTRS •  It’s based on the basic principle of DDoS filtering; Remotely Triggered Black Hole Filtering •  UTRS is a system that helps mitigate large infrastructure attacks by leveraging an existing network of cooperating BGP speakers such as ISPs, hosting providers and educational institutions that automatically distributes verified BGP-based filter rules from victim to cooperating networks bdNOG3 Conference | 18th May 2015 | Dhaka
  • 24. UTRS : Configuration bdNOG3 Conference | 18th May 2015 | Dhaka Make sure you tag the route properly
  • 25. UTRS : Apply •  Newly launched service –  Quite picky to choose whom to peer –  Do organization verification •  https://www.team-cymru.org/UTRS/index.html bdNOG3 Conference | 18th May 2015 | Dhaka
  • 26. How UTRS varies from RTBH with upstream!
  • 27. Other Efforts •  NANOG BCOP : DDoS-DoS-attack-BCOP –  http://bcop.nanog.org/index.php/DDoS-DoS-attack-BCOP bdNOG3 Conference | 18th May 2015 | Dhaka