The document discusses using open source tools pfSense and FRR to improve the security and reliability of Internet Service Provider (ISP) networks in Bangladesh. Case studies show how pfSense implemented as a firewall and router can block malware and threats based on intelligence feeds. This provides a better user experience than MikroTik routers by filtering attacks and bad actors at the core network level. The solution is low cost and easy for ISPs to implement and maintain.

1. Secured Internet Gateway for ISP with
and
Out of the Routing Box
Md. Rezaul Karim , Omnitech Systems Suman Kumar Saha, ADN Telecom
rkarim@omnitechone.com suman@adnsl.net

2. DDoS Attacks Trending Up for Service Providers
● 2021 Q1 Sees 2.9 Million DDoS Attacks Launched
● ATLAS Security Engineering & Response Team
(ASERT) has warned that last year's record-breaking
volume of DDoS attacks could be exceeded in 2021.
● In 2020, more than 10 million DDoS incidents
● Analyzing which industries attackers chose to hit,
researchers observed that healthcare, education and
online services were prime targets.

3. DDoS is New Normal
● Many attacks (42%) lasted between five and ten minutes, while assaults lasting fewer than five minutes dropped from
24% to 19%.
● Global estimates of the total number of DDoS attacks are anticipated to double to 14.5 million by 2022.
● No DDoS mitigation tools is full proof.
● UDP-based DDoS attack vectors fuel attack increases.
Duration of Attack

4. Other Attack Vectors for ISPs
1. Spyware , Malware, Botnet.
2. Spamming.
3. Phishing.
4. Darkweb.
5. Ransomware.
6. Cryptocurrency Mining.

5. Spot on Bangladesh
● Round the year among the network operators DDoS were most shouted incident.
● Though there is no statistics but even some operators experienced few times in a month.
● Mostly volumetric DDoS attack.
● Mostly Mikrotik is used as core router there is only few options to handle the incidents.
● Some operators use BGP community to drop malicious sources.
● A hacker group called ‘Hafnium’ has launched attacks on more than 200 organizations in Bangladesh.
Destination ports Used for Attacks

6. Out of the Router Appliance Box Solution Planning
● We have router box Cisco,Juniper, Mikrotik in current network.
● Now we can use BGP community feed to stop bad actors.
● ISPs fetching frequent outage due to DDoS.
● In most cases operators using Mikrotik Routers.
● We were looking for a open source technology that is easy to implement and cost effective.
● Some ISPs has only few resources to maintain core network ,we tried to find a simple solution.
● We choose FRR for BGP and pfSense to make the router security aware and to maintain cyber
hygiene from core network.

7. pfSense: Firewall with threat intel feeds
● pfSense , A free, open source customized distribution of FreeBSD tailored for using as a smart-firewall and router.
● Netgate is current maintainer of pfSense.
● Firewall.
● Routing.
● Redundancy.
● Traffic shaping.
● Routers not aware of security incidents and threats.
● We are talking in a locality where mostly used Mikrotik in operator’s network.

8. Some Community Threat intel IP & DNS Feed Sources (Blocklist)
● Spamhaus
● CINS Army
● Talosintelligence
● Firehol ( Collection of Cybercrime IP Feeds).
● MaxMind GeoIP Blocklist. (& Top Spammers).
● Juniper Security.
● malwaredomainlist.com
● Adway.
● Easy List (Privacy, Tracker).
● DNSBL SafeSearch by Google, Yandex, DuckDuckGo, Bing and Pixabay.
● … and many more.

9. pfSense : pfblockerNG

10. Threat Intel:Proofpoint ET IQRISK IPv4 Reputation

11. FRR:Roots from Quagga
● FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms with the collaboration of Linux Foundation.
● It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.
● RPKI supported
● SDN can be overlay with FRR
● Support Segment routing
● TNSR has developed carrier grade router using FRR (incl VPP+DPDK)
● Packet forwarding is challenge that can overcome with Vector Packet Processing & DPDK

12. RECOMMENDED SYSTEM REQUIREMENTS
Processor: Intel Xeon D1541/ Intel 2600 Series v3/v4 2.4GHz+, 8-Core/16 Thread
RAM: 16GB | SSD: 128G
NIC: Intel/Mellanox/Chelsio Multique NIC / Smart-NIC
pfSense version 2.4.5-p1 - Most Stable (FreeBSD 11x) - Recommended
pfSense version 2.5.1-p0 - New Stable (FreeBSD 12x) - For Latest Hardware
Tested Throughput :
# IMIX TRAFFIC #
L3 Forwarding: 10Gbps
Firewall: 5Gbps+ (10k ACLs)

13. Case study 1: (Replaced MikroTik)
-> Better User Experience, Less Threat Vector.
-> Very Less Customer complaint
-> Does not require frequent rebooting of core devices.
-> Stable and Better Services than MikroTik.
-> Blocks Most of the Malware, Spyware, Adware, Tracking.
-> Several steps ahead to gain safe internet experience.
-> Support /31 Network Configuration

14. Case study 1 : More Stable Service and Better User Experience, Less Threat Vector.

15. Case Study 1: Filtering based on Attacker Geo location and threat intel
● It can also filter bad actors IP based on
threat intelligence data.
● When pfSense block threat source IPs , that
is huge sanitization for the whole network
from malicious traffic.

16. Case Study 1: Visibility on malicious activity

17. Case study 2:incorporate pfSense in existing MikroTik Based Network
-> Does not need to change existing setup over-night.
-> Gain Better User Experience, Less Threat Vector.
-> Blocks Most of the Malware, Spyware, Adware, Tracking.
-> Several steps ahead to gain safe internet experience.
-> Spammer IPs can be blocked based on threat intel data

18. Case Study 2: pfSense along with Mikrotik
● pfSense placed as core router and firewall
● FRR will be used to peer with Internet only
● Other IX and local peer will be with Mikrotik to maintain local traffic queues as ease as usual.
● pfSense will be a safeguard for internet facing threats

19. Gain Cyber Hygiene from power of open source
● It’s always challenging to maintain good cyber hygiene for customer network
● pfSense firewall is efficient without losing quality of service and easy to implement and easy to
maintain
● Through pfSense network operator can get good number of reputed threat intelligence data
and protection from threat sources based on the theat data.
● Network Operators will get better visibility to his network
● Log server can be integrate easily for compliance

20. Thank you
QA?
Md. Rezaul Karim , Omnitech Systems Suman Kumar Saha, ADN Telecom
rkarim@omnitechone.com suman@adnsl.net