SlideShare a Scribd company logo

BGP Flowspec (RFC5575) Case study and Discussion

Download as PPTX, PDF
APNIC
APNIC

BGP Flowspec is a technique for distributing flow specification rules via BGP. It allows an ISP to dynamically distribute filtering and redirection rules to mitigate DDoS attacks. The document discusses several real-world use cases where BGP Flowspec was deployed to successfully block large DDoS attacks in a targeted manner without affecting legitimate traffic. However, interoperability between vendors and scalability challenges remain open issues requiring further work and testing.

1 of 28
BGP Flowspec(RFC5575) Case study and Discussion Shishio Tsuchiya shtsuchi@cisco.com
• BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
DDOS Traffic are always changing… http://www.digitalattackmap.com/
Affect of DDOS attack Customer aggregation node/line Bandwidth of Backbone Customer line/node/servic e Target Service 203.0.113.1 The affect would be all of network wide…
RTBH(Remote Triggered Black Hole Filtering) Target Service 203.0.113.1 203.0.113.1 via 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 • RTBH(RFC5635) is well known technic in ISP • static route to null(Black hole) preliminarily • If incidence happen then BGP advertises route • DDOS traffic will be stopped
Netflow+BGP Attribute Why BGP Flow Specification will be needed  Non DDOS user also would be stopped.  It is difficult to discover/ attempt rule against DDOS attack which rapidly change and increasing
BGP Flowspec(RFC5575)+draft-ietf-idr-flow-spec-v6 Dst IP Src IP protocol port Dst port Src Port ICMP Type ICMP Code TCP Flags Packet Length DSCP Fragment traffic-rate traffic-action redirect traffic-marking Flow Type Action Rule +---------------------------------------------------------+ | AFI(2 octets) 1 and 2 | +---------------------------------------------------------+ | SAFI (1 octet) 133 and 134 | +---------------------------------------------------------+ | Length of Next Hop Network Address (1 octet) | +---------------------------------------------------------+ | Network Address of Next Hop (variable) | +---------------------------------------------------------+ | Reserved (1 octet) | +---------------------------------------------------------+ | Network Layer Reachability Information (variable) | +---------------------------------------------------------+ SAFI 133 Dissemination of flow specification rules 134 L3VPN dissemination of flow specification rules BGP Flowspec defined in RFC5575. draft-ietf-idr-flow-spec-v6 for IPv6 BGP Flowspec Flow type to identify traffic , Action Rule to execute policy against the traffic “Flow Type” and “Action Rule” will be advertised by BGP update
BGP Flowspec(RFC5575) Target Service 203.0.113.1 A,B,C to 203.0.113.1 drop D and E to 203.0.113.1 100kbps F markdown to dscp 0 100kbps Netflow collector Flowspec uses netflow to collect traffic information Flow rule and action will be distributed by BGP
• BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
• DDOS Problem • Affect Large/Often to end user • Not only end user but also Infrastructure Risk • OPEX increase • DDoS Analysis • Large DDOS attack by botnet armies/Script Kiddies • TCP Syn Flood greater than 1Mpps • UDP fragment • Most of Attack source APNIC(Chinese) IP source , difficult to track due to national NAT • Deployed Flowspec for Peer & Transit router from RR • Mitigation from egress point to cleaning vrf • What was missing ? • Multi vendor support (deployed Juniper and Arbor) • Inter-Carrier • Matching DSCP Flowspec Use case 1 world wide Time Warner Telecom (TWTC) NANOG38 2006 Deployment Experience With BGP Flow Specification https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
• Compare RTBH/PBR and Flowspec • RTBH(Remote Triggered Black Hole) Website can protect from DDOS attack, but no more traffic on website • PBR(Policy Based Routing) Can control traffic precisely by hardware But need contact to service provide operator to run/remove policy when ddos detect • Flowspec Makes static PBR to dyanmic/Propagate PBR rules/do no need additional communication channel • Deployed Flowspec on transit router Would like to use on eBGP as architecture but can not trust customer/don’t like to use flow for ebgp session for stability reason • What’s Next • IPv6 and VPNv6 support • Traffic Monitoring • More vendors(only Juniper and Alcatel support at that time) Flowspec Use case 2 world wide Neo Telecoms FRNOG18 2011 Flowspec http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
• Background • Attacker use zombies, if number of army of zombies then DDOS traffic will be massive (ex. DNS amp) • Need Better tools - Granularity : per flow - Action : drop/rate-limit/redirect, - Speedy/ Efficiency / Automation / Manageability • Deployed FireCircle • Wizard based UI to define policy from customer • Apply XML configuration to BGP flowspec router via NETCONF • eBGP flowspec propagate policy to GRNET router • Expanding the service to GEANT community https://fod.grnet.gr/ Flowspec Use case 3 world wide GRNET(Greek Research and Technology Network) TNC2012 FireCircle: GRNET’s approach to advanced network security services’ management via bgp flow-spec and NETCONF https://tnc2012.terena.org/core/presentation/41 NETCONF FireCircle GRNET GEANT Participant NREN
• DDOS Volume(average) • JAPAN Q2:491.63Mbps Q3:365.8Mbps • Asia Q2:530.5Mbps Q3:588.74Mbps • World Wide Q2:759.83Mbps Q3:858.98Mbps • NTP Amp trend(average volume) • JAPAN Q2:3.22Gbps Q3:281.76Mbps • Asia Q2:2.57Gbps Q3:2.70Gbps • Attack Duration • 92% DDOS stops within 1hour • JAPAN: >1hour 92% average 3h21m • Asia: >1hour 94.1% average 31m • Professional DDOS service is exist ex)5min free 4$/hour Atlas DDOS Trend report Services UDP Source Port Q3 Maximum DDOS Volume Q3 Average DDOS Volume SNMP 161 3.75Gbps 769.1Mbps Chargen 19 21.26Gbps 1.12Gbps DNS 53 43.45Gbps 1.31Gbps SSDP 1900 51Gbps 5.11Gbps • What’s Next • NTP Amp attack can create big volume. • So Attacker using other protocol. • SSDP(1900) is increasing http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
• ISP who is interesting in BGP Flowspec • Amp attack are increasing under 5%-> over 70% • and valuable • Src 53 Dst 0/Src 123/Src 1900/Dst 80 Flowspec Use case 1 Protect Method For Point If Flowspec deployed RTBH rapid action protect short duration DDOS more specific flow can use policer for DDOS amp ACL permanent action flexible/need time to deploy to be rapidly/manage acl rule Mitigation premier service expensive would be effective
• ISP who already deployed by Juniper • and would like to deploy to be more wide by Cisco • Flowspec is very useful feature against today’s DDOS, but one consideration point is scalability spec of forwarding router • Rule was too long, so forwarding router could not apply filter as the result not only DDOS but also normal traffic down Flowspec Use case2 DDOS detect/BGP update send Rule was too long for forwarding router, cold not apply filter
• BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
• JANOG had a session of BGP Flowspec in JANOG35 Shishio Tsuchiya Cisco Systems G.K. Shojiro Hirasawa BIGLOBE Inc. Satoshi Agatsuma TOYO Corporation http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS http://www.janog.gr.jp/meeting/janog35/program/bgpfs/ • Share question/discussion on JANOG35 meeting Discussion summary
• Let’s confirm in detail for RFC and IETF WG draft. Q1. Does Flowspec really useful? Typ e IPv4 (RFC5575) IPv6 (flow-spec-v6) 1 Destination Prefix Destination IPv6 Prefix 2 Source Prefix Source IPv6 Prefix 3 IP Protocol Next Header 4 Port Port 5 Destination port Destination port 6 Source port Source Port 7 ICMP type ICMP type 8 ICMP code ICMP type 9 TCP flags TCP flags 10 Packet length Packet length 11 DSCP DSCP 12 Fragment Fragment 13 N/A Flow Label Flow Type has operator code which can specify lt(less than) gt(grater than) eq(equal) .
• Most of action rule is defined both IPv4 and IPv6. • But redirect IP seems confusing , should watch idr wg activity Q1. Does Flowspec really useful? cont’d type extended community Actual Action RFC/draft 0x8006 traffic-rate Policing rate 0:drop RFC5575 0x8007 traffic-action specific acction Terminal bit:(0 is terminal) Sample bit:(1 is logging/sampling) RFC5575 0x8008 0x8208 0x800b redirect AS-2byte redirect AS-4byte redirect IPv6 specific AS redirect to specific vrf flowspec-redirect-rt-bis flowspec-redirect-rt-bis flow-spec-v6 0x8108 redirect IPv4 address redirect IPv6 address redirect to next hop address redirect to next hop address flowspec-redirect-rt-bis flowspec-redirect-ip flowspec-redirect-ip 0x8009 traffic-marking marking DSCP values flowspec-redirect-rt-bis flow-spec-v6
• Cisco IOS-XR:5.2.0- IOS-XE3.14 –(RR) Forwarding router in 3.15 • Juniper JUNOS 7.3- • Alcatel-Lucent SR-OS 9.0R1- Implementation status • Arbor Networks PeakFlow 6.0- • Genie Networks 5.5.1- • ExaBGP
Q2. How about interoperability in multi vendor? Cisco IOS Cisco IOS-XR JNPR JUNO S ALU SR-OS Arbor Genie Cisco IOS       Cisco IOS- XR       JNPR JUNOS       ALU SR-OS       Arbor       Genie       • There is some intorop report but may need more interop test to deploy ISP network
Q3.Flow is really enough to monitor ISP traffic? DDOS Traffic Normal Traffic Inline type model offramp model need many equipment to monitor all of subscribers can use shared resource have to monitor huge traffic only suspect traffic will transit to mitigation when mitigation fail, the failed equipment should just transit traffic when mitigation fail, then advertise BGP to change rule offramp solution would be reasonable
• Today’s most of mobile carrier deployed CGN as solution of IPv4 exhaustion problem. • Malware/DDOS tool of android already exist. • Flow based filtering will be more importance to reduce side affect of DDOS Q4.How is DDOS on mobile network? Global Address Global Address RFC6598 ISP Shared Address or RFC1918 Private Address
• It’s depends on router architecture. APNIC38 Geoff Huston (APNIC) - What's so special about 512? APRICOT2012 Greg Hankins, Brocade Pushing the Limits, A Perspective on Router Architecture Challenges • Usually QoS/PBR is used on TCAM, so performance impact would be minimize . Q5.Performance issue? https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
• Flowspec should work in eBGP peer. But eBGP validation rule for received route should be relaxed. • On transit AS/Router server on IXP, it would be desirable service. Because if one AS sends DDOS then affects to another AS. • Validation rule should be relax so maybe we should consider co-exist solution with RPKI to be more powerful security solution. • Should check “Revised Validation Procedure for BGP Flow Specifications” draft-ietf-idr-bgp-flowspec-oid Q6.eBGP Use case? ROA Transit AS Route Server on IXP co-Exist with RPKI
• There is Openflow DDOS protection solution. • Hybrid OF use TCAM also. • Difference point are network architecture(full distributed vs controller) and API(OF vs BGP) Q7.How is OpenFlow DDOS solution?
• Current DDOS are high volume/short duration/amp attack variable and increasing • BGP Flowspec is useful solution against today’s DDOS attack • BGP Flowspec is almost ready to deploy in ISP network. • Need detail implementation information of each of vendors(scalability/nexthop address/IPv6) and interoperability test result. • eBGP should work and customer may desire on-demand Firewall/PBR services like a FireCircle. Summary
BGP Flowspec (RFC5575) Case study and Discussion

Recommended

An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
ShortestPathFirst
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
Pavel Odintsov
 
9534715
95347159534715
9534715
Pavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
Pavel Odintsov
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
Pavel Odintsov
 

Recommended

An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
ShortestPathFirst
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
Pavel Odintsov
 
9534715
95347159534715
9534715
Pavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
Pavel Odintsov
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
Pavel Odintsov
 
Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)Vamsidhar Naidu
 
OSPF
OSPF OSPF
OSPF
NetProtocol Xpert
 
Next Generation IP Transport
Next Generation IP TransportNext Generation IP Transport
Next Generation IP Transport
MyNOG
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
APNIC
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
Pavel Odintsov
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLS
Cisco Canada
 
Tutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting routerTutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting router
Shu Sugimoto
 
IS-IS vs OSPF
IS-IS vs OSPFIS-IS vs OSPF
IS-IS vs OSPF
NetProtocol Xpert
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing Daemon
APNIC
 
Bgp
BgpBgp
Bgp
Febrian ‎
 
Is is
Is isIs is
Is isIrham Nurhalim
 
Ospf area types
Ospf area typesOspf area types
Ospf area types
Roger Perkin
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
KwonSun Bae
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
Febrian ‎
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06Licenciatura en Redes y Sistemas Operativos
 
Cisco MPLS
Cisco MPLSCisco MPLS
Cisco MPLSwebhostingguy
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
KHNOG
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 

More Related Content

What's hot

Next Generation IP Transport
Next Generation IP TransportNext Generation IP Transport
Next Generation IP Transport
MyNOG
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
APNIC
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
Pavel Odintsov
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLS
Cisco Canada
 
Tutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting routerTutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting router
Shu Sugimoto
 
IS-IS vs OSPF
IS-IS vs OSPFIS-IS vs OSPF
IS-IS vs OSPF
NetProtocol Xpert
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing Daemon
APNIC
 
Bgp
BgpBgp
Bgp
Febrian ‎
 
Ospf area types
Ospf area typesOspf area types
Ospf area types
Roger Perkin
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
KwonSun Bae
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
Febrian ‎
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
KHNOG
 

What's hot (20)

Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)
 
OSPF
OSPF OSPF
OSPF
 
Next Generation IP Transport
Next Generation IP TransportNext Generation IP Transport
Next Generation IP Transport
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLS
 
Tutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting routerTutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting router
 
IS-IS vs OSPF
IS-IS vs OSPFIS-IS vs OSPF
IS-IS vs OSPF
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing Daemon
 
Bgp
BgpBgp
Bgp
 
Is is
Is isIs is
Is is
 
Ospf area types
Ospf area typesOspf area types
Ospf area types
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
 
Cisco MPLS
Cisco MPLSCisco MPLS
Cisco MPLS
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
 

Viewers also liked

Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
Pavel Odintsov
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Pavel Odintsov
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Pavel Odintsov
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
Redge Technologies
 
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WANCisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Canada
 

Viewers also liked (9)

Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WANCisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
 

Similar to BGP Flowspec (RFC5575) Case study and Discussion

Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Bruno Teixeira
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Cisco Russia
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloud
inside-BigData.com
 
Инновации Cisco для операторов связи
Инновации Cisco для операторов связиИнновации Cisco для операторов связи
Инновации Cisco для операторов связи
Cisco Russia
 
Building a Router
Building a RouterBuilding a Router
Building a Router
Hannes Gredler
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
Miya Kohno
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Jose Liste
 
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
Tony Antony
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
Bertrand Duvivier
 
Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers
Liubov Belousova
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
MyNOG
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
GeoffHuston
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
APNIC
 
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Ontico
 
Eigrp and ospf comparison
Eigrp and ospf comparisonEigrp and ospf comparison
Eigrp and ospf comparison
Deepak Raj
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
Shawn Zandi
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment Routing
Cisco Service Provider
 

Similar to BGP Flowspec (RFC5575) Case study and Discussion (20)

Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloud
 
Инновации Cisco для операторов связи
Инновации Cisco для операторов связиИнновации Cisco для операторов связи
Инновации Cisco для операторов связи
 
Building a Router
Building a RouterBuilding a Router
Building a Router
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 
Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
 
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
 
Eigrp and ospf comparison
Eigrp and ospf comparisonEigrp and ospf comparison
Eigrp and ospf comparison
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment Routing
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 

Recently uploaded (20)

急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 

BGP Flowspec (RFC5575) Case study and Discussion

  • 1. BGP Flowspec(RFC5575) Case study and Discussion Shishio Tsuchiya shtsuchi@cisco.com
  • 2. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 3. DDOS Traffic are always changing… http://www.digitalattackmap.com/
  • 4. Affect of DDOS attack Customer aggregation node/line Bandwidth of Backbone Customer line/node/servic e Target Service 203.0.113.1 The affect would be all of network wide…
  • 5. RTBH(Remote Triggered Black Hole Filtering) Target Service 203.0.113.1 203.0.113.1 via 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 192.0.2.1 null0 203.113.1 192.0.2.1 • RTBH(RFC5635) is well known technic in ISP • static route to null(Black hole) preliminarily • If incidence happen then BGP advertises route • DDOS traffic will be stopped
  • 6. Netflow+BGP Attribute Why BGP Flow Specification will be needed  Non DDOS user also would be stopped.  It is difficult to discover/ attempt rule against DDOS attack which rapidly change and increasing
  • 7. BGP Flowspec(RFC5575)+draft-ietf-idr-flow-spec-v6 Dst IP Src IP protocol port Dst port Src Port ICMP Type ICMP Code TCP Flags Packet Length DSCP Fragment traffic-rate traffic-action redirect traffic-marking Flow Type Action Rule +---------------------------------------------------------+ | AFI(2 octets) 1 and 2 | +---------------------------------------------------------+ | SAFI (1 octet) 133 and 134 | +---------------------------------------------------------+ | Length of Next Hop Network Address (1 octet) | +---------------------------------------------------------+ | Network Address of Next Hop (variable) | +---------------------------------------------------------+ | Reserved (1 octet) | +---------------------------------------------------------+ | Network Layer Reachability Information (variable) | +---------------------------------------------------------+ SAFI 133 Dissemination of flow specification rules 134 L3VPN dissemination of flow specification rules BGP Flowspec defined in RFC5575. draft-ietf-idr-flow-spec-v6 for IPv6 BGP Flowspec Flow type to identify traffic , Action Rule to execute policy against the traffic “Flow Type” and “Action Rule” will be advertised by BGP update
  • 8. BGP Flowspec(RFC5575) Target Service 203.0.113.1 A,B,C to 203.0.113.1 drop D and E to 203.0.113.1 100kbps F markdown to dscp 0 100kbps Netflow collector Flowspec uses netflow to collect traffic information Flow rule and action will be distributed by BGP
  • 9. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 10. • DDOS Problem • Affect Large/Often to end user • Not only end user but also Infrastructure Risk • OPEX increase • DDoS Analysis • Large DDOS attack by botnet armies/Script Kiddies • TCP Syn Flood greater than 1Mpps • UDP fragment • Most of Attack source APNIC(Chinese) IP source , difficult to track due to national NAT • Deployed Flowspec for Peer & Transit router from RR • Mitigation from egress point to cleaning vrf • What was missing ? • Multi vendor support (deployed Juniper and Arbor) • Inter-Carrier • Matching DSCP Flowspec Use case 1 world wide Time Warner Telecom (TWTC) NANOG38 2006 Deployment Experience With BGP Flow Specification https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
  • 11. • Compare RTBH/PBR and Flowspec • RTBH(Remote Triggered Black Hole) Website can protect from DDOS attack, but no more traffic on website • PBR(Policy Based Routing) Can control traffic precisely by hardware But need contact to service provide operator to run/remove policy when ddos detect • Flowspec Makes static PBR to dyanmic/Propagate PBR rules/do no need additional communication channel • Deployed Flowspec on transit router Would like to use on eBGP as architecture but can not trust customer/don’t like to use flow for ebgp session for stability reason • What’s Next • IPv6 and VPNv6 support • Traffic Monitoring • More vendors(only Juniper and Alcatel support at that time) Flowspec Use case 2 world wide Neo Telecoms FRNOG18 2011 Flowspec http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
  • 12. • Background • Attacker use zombies, if number of army of zombies then DDOS traffic will be massive (ex. DNS amp) • Need Better tools - Granularity : per flow - Action : drop/rate-limit/redirect, - Speedy/ Efficiency / Automation / Manageability • Deployed FireCircle • Wizard based UI to define policy from customer • Apply XML configuration to BGP flowspec router via NETCONF • eBGP flowspec propagate policy to GRNET router • Expanding the service to GEANT community https://fod.grnet.gr/ Flowspec Use case 3 world wide GRNET(Greek Research and Technology Network) TNC2012 FireCircle: GRNET’s approach to advanced network security services’ management via bgp flow-spec and NETCONF https://tnc2012.terena.org/core/presentation/41 NETCONF FireCircle GRNET GEANT Participant NREN
  • 13. • DDOS Volume(average) • JAPAN Q2:491.63Mbps Q3:365.8Mbps • Asia Q2:530.5Mbps Q3:588.74Mbps • World Wide Q2:759.83Mbps Q3:858.98Mbps • NTP Amp trend(average volume) • JAPAN Q2:3.22Gbps Q3:281.76Mbps • Asia Q2:2.57Gbps Q3:2.70Gbps • Attack Duration • 92% DDOS stops within 1hour • JAPAN: >1hour 92% average 3h21m • Asia: >1hour 94.1% average 31m • Professional DDOS service is exist ex)5min free 4$/hour Atlas DDOS Trend report Services UDP Source Port Q3 Maximum DDOS Volume Q3 Average DDOS Volume SNMP 161 3.75Gbps 769.1Mbps Chargen 19 21.26Gbps 1.12Gbps DNS 53 43.45Gbps 1.31Gbps SSDP 1900 51Gbps 5.11Gbps • What’s Next • NTP Amp attack can create big volume. • So Attacker using other protocol. • SSDP(1900) is increasing http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
  • 14. • ISP who is interesting in BGP Flowspec • Amp attack are increasing under 5%-> over 70% • and valuable • Src 53 Dst 0/Src 123/Src 1900/Dst 80 Flowspec Use case 1 Protect Method For Point If Flowspec deployed RTBH rapid action protect short duration DDOS more specific flow can use policer for DDOS amp ACL permanent action flexible/need time to deploy to be rapidly/manage acl rule Mitigation premier service expensive would be effective
  • 15. • ISP who already deployed by Juniper • and would like to deploy to be more wide by Cisco • Flowspec is very useful feature against today’s DDOS, but one consideration point is scalability spec of forwarding router • Rule was too long, so forwarding router could not apply filter as the result not only DDOS but also normal traffic down Flowspec Use case2 DDOS detect/BGP update send Rule was too long for forwarding router, cold not apply filter
  • 16. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 17. • JANOG had a session of BGP Flowspec in JANOG35 Shishio Tsuchiya Cisco Systems G.K. Shojiro Hirasawa BIGLOBE Inc. Satoshi Agatsuma TOYO Corporation http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS http://www.janog.gr.jp/meeting/janog35/program/bgpfs/ • Share question/discussion on JANOG35 meeting Discussion summary
  • 18. • Let’s confirm in detail for RFC and IETF WG draft. Q1. Does Flowspec really useful? Typ e IPv4 (RFC5575) IPv6 (flow-spec-v6) 1 Destination Prefix Destination IPv6 Prefix 2 Source Prefix Source IPv6 Prefix 3 IP Protocol Next Header 4 Port Port 5 Destination port Destination port 6 Source port Source Port 7 ICMP type ICMP type 8 ICMP code ICMP type 9 TCP flags TCP flags 10 Packet length Packet length 11 DSCP DSCP 12 Fragment Fragment 13 N/A Flow Label Flow Type has operator code which can specify lt(less than) gt(grater than) eq(equal) .
  • 19. • Most of action rule is defined both IPv4 and IPv6. • But redirect IP seems confusing , should watch idr wg activity Q1. Does Flowspec really useful? cont’d type extended community Actual Action RFC/draft 0x8006 traffic-rate Policing rate 0:drop RFC5575 0x8007 traffic-action specific acction Terminal bit:(0 is terminal) Sample bit:(1 is logging/sampling) RFC5575 0x8008 0x8208 0x800b redirect AS-2byte redirect AS-4byte redirect IPv6 specific AS redirect to specific vrf flowspec-redirect-rt-bis flowspec-redirect-rt-bis flow-spec-v6 0x8108 redirect IPv4 address redirect IPv6 address redirect to next hop address redirect to next hop address flowspec-redirect-rt-bis flowspec-redirect-ip flowspec-redirect-ip 0x8009 traffic-marking marking DSCP values flowspec-redirect-rt-bis flow-spec-v6
  • 20. • Cisco IOS-XR:5.2.0- IOS-XE3.14 –(RR) Forwarding router in 3.15 • Juniper JUNOS 7.3- • Alcatel-Lucent SR-OS 9.0R1- Implementation status • Arbor Networks PeakFlow 6.0- • Genie Networks 5.5.1- • ExaBGP
  • 21. Q2. How about interoperability in multi vendor? Cisco IOS Cisco IOS-XR JNPR JUNO S ALU SR-OS Arbor Genie Cisco IOS       Cisco IOS- XR       JNPR JUNOS       ALU SR-OS       Arbor       Genie       • There is some intorop report but may need more interop test to deploy ISP network
  • 22. Q3.Flow is really enough to monitor ISP traffic? DDOS Traffic Normal Traffic Inline type model offramp model need many equipment to monitor all of subscribers can use shared resource have to monitor huge traffic only suspect traffic will transit to mitigation when mitigation fail, the failed equipment should just transit traffic when mitigation fail, then advertise BGP to change rule offramp solution would be reasonable
  • 23. • Today’s most of mobile carrier deployed CGN as solution of IPv4 exhaustion problem. • Malware/DDOS tool of android already exist. • Flow based filtering will be more importance to reduce side affect of DDOS Q4.How is DDOS on mobile network? Global Address Global Address RFC6598 ISP Shared Address or RFC1918 Private Address
  • 24. • It’s depends on router architecture. APNIC38 Geoff Huston (APNIC) - What's so special about 512? APRICOT2012 Greg Hankins, Brocade Pushing the Limits, A Perspective on Router Architecture Challenges • Usually QoS/PBR is used on TCAM, so performance impact would be minimize . Q5.Performance issue? https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
  • 25. • Flowspec should work in eBGP peer. But eBGP validation rule for received route should be relaxed. • On transit AS/Router server on IXP, it would be desirable service. Because if one AS sends DDOS then affects to another AS. • Validation rule should be relax so maybe we should consider co-exist solution with RPKI to be more powerful security solution. • Should check “Revised Validation Procedure for BGP Flow Specifications” draft-ietf-idr-bgp-flowspec-oid Q6.eBGP Use case? ROA Transit AS Route Server on IXP co-Exist with RPKI
  • 26. • There is Openflow DDOS protection solution. • Hybrid OF use TCAM also. • Difference point are network architecture(full distributed vs controller) and API(OF vs BGP) Q7.How is OpenFlow DDOS solution?
  • 27. • Current DDOS are high volume/short duration/amp attack variable and increasing • BGP Flowspec is useful solution against today’s DDOS attack • BGP Flowspec is almost ready to deploy in ISP network. • Need detail implementation information of each of vendors(scalability/nexthop address/IPv6) and interoperability test result. • eBGP should work and customer may desire on-demand Firewall/PBR services like a FireCircle. Summary