Secured Internet Gateway for ISP with pfsense & FRR

  1. Secured Internet Gateway for ISP with pfSense & FRR, and Out of the Routing Box. Md. Rezaul Karim, Omnitech Systems; Suman Kumar Saha, ADN Telecom
  2. DDoS Attacks Trending Up for Service Providers ● 2021 Q1 sees 2.9 million DDoS attacks launched. ● The ATLAS Security Engineering & Response Team (ASERT) has warned that last year's record-breaking volume of DDoS attacks could be exceeded in 2021. ● In 2020, more than 10 million DDoS incidents were recorded. ● Analyzing which industries attackers chose to hit, researchers observed that healthcare, education and online services were prime targets.
  3. DDoS is the New Normal ● Many attacks (42%) lasted between five and ten minutes, while assaults lasting fewer than five minutes dropped from 24% to 19%. ● Global estimates of the total number of DDoS attacks are anticipated to double to 14.5 million by 2022. ● No DDoS mitigation tool is foolproof. ● UDP-based DDoS attack vectors fuel the increase in attacks. [Chart: Duration of Attack]
  4. Other Attack Vectors for ISPs 1. Spyware, malware, botnets. 2. Spamming. 3. Phishing. 4. Dark web. 5. Ransomware. 6. Cryptocurrency mining.
  5. Spot on Bangladesh ● Throughout the year, DDoS was the most talked-about incident among network operators. ● Although there are no statistics, some operators experience it several times a month. ● Mostly volumetric DDoS attacks. ● MikroTik is mostly used as the core router, and it offers only a few options for handling such incidents. ● Some operators use BGP communities to drop malicious sources. ● A hacker group called ‘Hafnium’ has launched attacks on more than 200 organizations in Bangladesh. [Chart: Destination ports used for attacks]
  6. Out of the Router Appliance Box: Solution Planning ● We have router boxes from Cisco, Juniper and MikroTik in the current network. ● BGP community feeds can now be used to stop bad actors. ● ISPs suffer frequent outages due to DDoS. ● In most cases operators use MikroTik routers. ● We were looking for an open source technology that is easy to implement and cost effective. ● Some ISPs have only a few people to maintain the core network, so we tried to find a simple solution. ● We chose FRR for BGP and pfSense to make the router security-aware and to maintain cyber hygiene from the core network.
  7. pfSense: Firewall with threat intel feeds ● pfSense: a free, open source customized distribution of FreeBSD tailored for use as a smart firewall and router. ● Netgate is the current maintainer of pfSense. ● Firewall. ● Routing. ● Redundancy. ● Traffic shaping. ● Routers are not aware of security incidents and threats. ● We are talking about a locality where MikroTik is mostly used in operators’ networks.
  8. Some Community Threat Intel IP & DNS Feed Sources (Blocklists) ● Spamhaus ● CINS Army ● Talos Intelligence ● Firehol (collection of cybercrime IP feeds). ● MaxMind GeoIP blocklist (and top spammers). ● Juniper Security. ● AdAway. ● EasyList (privacy, trackers). ● DNSBL SafeSearch for Google, Yandex, DuckDuckGo, Bing and Pixabay. ● … and many more.
  9. pfSense: pfBlockerNG
  10. Threat Intel: Proofpoint ET IQRISK IPv4 Reputation
  11. FRR: Roots in Quagga ● FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms, developed in collaboration with the Linux Foundation. ● It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP. ● RPKI supported. ● SDN can be overlaid on FRR. ● Supports segment routing. ● TNSR has developed a carrier-grade router using FRR (incl. VPP+DPDK). ● Packet forwarding is a challenge that can be overcome with Vector Packet Processing (VPP) and DPDK.
  12. RECOMMENDED SYSTEM REQUIREMENTS ● Processor: Intel Xeon D1541 / Intel 2600 Series v3/v4 2.4GHz+, 8-core/16-thread ● RAM: 16GB | SSD: 128GB ● NIC: Intel/Mellanox/Chelsio multiqueue NIC / SmartNIC ● pfSense version 2.4.5-p1 - most stable (FreeBSD 11.x) - recommended ● pfSense version 2.5.1-p0 - new stable (FreeBSD 12.x) - for latest hardware ● Tested throughput (IMIX traffic): L3 forwarding: 10Gbps; Firewall: 5Gbps+ (10k ACLs)
  13. Case study 1: (Replaced MikroTik) -> Better user experience, fewer threat vectors. -> Far fewer customer complaints. -> Does not require frequent rebooting of core devices. -> More stable and better services than MikroTik. -> Blocks most malware, spyware, adware and tracking. -> Several steps ahead toward a safe internet experience. -> Supports /31 network configuration.
  14. Case study 1: More stable service and better user experience, fewer threat vectors.
  15. Case Study 1: Filtering based on attacker geolocation and threat intel ● It can also filter bad-actor IPs based on threat intelligence data. ● When pfSense blocks threat-source IPs, that is a huge sanitization of the whole network against malicious traffic.
  16. Case Study 1: Visibility on malicious activity
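The threat-intel filtering and visibility described in the two case-study slides above, as an added example that is not from the presentation, pfSense or pfBlockerNG: it parses a constructed netset-style feed (one IP or CIDR per line, '#' comments, as Firehol- and CINS-style lists are published), carves an allowlist out of it so a feed entry can never block the operator's own or upstream address space, collapses the result into the minimal set of table entries, and then counts, per feed prefix, which log sources would have been blocked. Every address, feed line and log line below is constructed, and the log format is a simplified one, not pfSense's filterlog format.

```python
import ipaddress
from collections import Counter
# Constructed demo feed in the one-entry-per-line "netset" style of Firehol/CINS
# lists ('#' starts a comment), plus a constructed allowlist and log lines.
SAMPLE_FEED = """\
# demo feed (constructed)
198.51.100.0/24
203.0.113.7        # bare host, no mask
203.0.113.64/26
"""
ALLOWLIST = ["203.0.113.64/27"]   # own/upstream space a feed must never block
SAMPLE_LOG = [                     # "<time> <action> <src> -> <dst>:<port>"
    "2021-06-01T10:00:01 pass 198.51.100.23 -> 192.0.2.10:443",
    "2021-06-01T10:00:02 pass 203.0.113.7 -> 192.0.2.10:53",
    "2021-06-01T10:00:03 pass 203.0.113.70 -> 192.0.2.11:25",
    "2021-06-01T10:00:04 pass 203.0.113.100 -> 192.0.2.11:25",
    "2021-06-01T10:00:05 pass 192.0.2.55 -> 192.0.2.12:80",
]
def parse_feed(text):
    """Parse netset text into IPv4 networks, skipping comments and blanks."""
    entries = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [ipaddress.IPv4Network(e, strict=False) for e in entries if e]

def subtract(net, allow_nets):
    """Return the parts of net not covered by any allowlisted prefix."""
    parts = [net]
    for allow in allow_nets:
        kept = []
        for p in parts:
            if p.subnet_of(allow):
                continue                                # fully allowlisted: drop
            elif allow.subnet_of(p):
                kept.extend(p.address_exclude(allow))   # carve the hole out
            else:
                kept.append(p)
        parts = kept
    return parts

def build_blocklist(feed_text, allowlist):
    """Feed minus allowlist, collapsed so overlapping entries load as one entry."""
    allow_nets = [ipaddress.IPv4Network(a) for a in allowlist]
    blocked = [p for n in parse_feed(feed_text) for p in subtract(n, allow_nets)]
    return list(ipaddress.collapse_addresses(blocked))

def match(src, blocked):   # blocklist prefix (as text) covering src, or None
    ip = ipaddress.IPv4Address(src)
    return next((str(n) for n in blocked if ip in n), None)
def scan_log(lines, blocked):   # hits per feed prefix: the "visibility" view
    return Counter(p for p in (match(l.split()[2], blocked) for l in lines) if p)
```

Note that the /26 feed entry is not dropped wholesale when it overlaps the allowlist; only the allowlisted /27 is removed, so the rest of the listed range still gets blocked.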
  17. Case study 2: Incorporate pfSense in an existing MikroTik-based network -> Does not require changing the existing setup overnight. -> Gain better user experience, fewer threat vectors. -> Blocks most malware, spyware, adware and tracking. -> Several steps ahead toward a safe internet experience. -> Spammer IPs can be blocked based on threat intel data.
  18. Case Study 2: pfSense along with MikroTik ● pfSense placed as core router and firewall. ● FRR will be used to peer with the Internet only. ● Other IX and local peers will stay on MikroTik so local traffic queues remain as easy to manage as usual. ● pfSense will be a safeguard against Internet-facing threats.
  19. Gain Cyber Hygiene from the Power of Open Source ● It is always challenging to maintain good cyber hygiene for a customer network. ● The pfSense firewall is efficient without losing quality of service, and it is easy to implement and easy to maintain. ● Through pfSense a network operator can obtain a good number of reputable threat intelligence feeds and protection from threat sources based on that threat data. ● Network operators get better visibility into their networks. ● A log server can be integrated easily for compliance.
  Thank you