flowspec @ APF 2013

Posted on 25-May-2015

Transcript of flowspec @ APF 2013

Tom Paseka, Courtesy of Terry Rodery

Aug 2013

Flowspec @ APF

Background

• RFC 5575 (2009).

• Piggybacks on top of existing BGP: the rules are carried as NLRI in a separate address family, so no new protocol or management channel is needed.

• Supported by Juniper (and apparently Alcatel too).

• Available in JunOS since 7.X.

• ExaBGP can originate flowspec routes too.

Operational

• Configure rules on the route server (config so easy a caveman could do it).

• Commit config.

• Rules are pushed via BGP to routers. I typically see the rules appear on my edge routers in a matter of seconds.

• Caveat: RFC 5575 (section 6) has the receiving router validate each flow route by checking that it came from the same neighbor that originated the best-match unicast route for the destination prefix. A route server that does not also originate those unicast routes will see its flow routes silently fail validation unless the check is relaxed on the receivers (on JunOS, the no-validate option under family inet flow).

• Flowspec counters are available for viewing from the CLI using “show firewall”.

Drawbacks

• Flowspec counters ARE NOT available via SNMP! Surely someone can fix this. Until then you’ll need to write the necessary poller, database, graphing, etc. yourself.

• Not able to use prefix-lists to define source/destination addresses. Must create multiple rules for multiple prefixes.

• Flowspec is only supported on M, MX and T-Series devices and is not available on EX and SRX.
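Since the counters are CLI-only (first drawback above), the poller has to scrape “show firewall” itself. The following is an added example in Python, not code from the talk: it parses the counter table of the flowspec filter (JunOS names it __flowspec_default_inet__) and turns two polls into bit and packet rates, which is what the graphs later in the deck need. The sample output is constructed; the term names mimic the JunOS format (destination,source with * for wildcard, then the extra match conditions), so check the regex against a real device before relying on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample of "show firewall filter __flowspec_default_inet__" output at
# two polls 10 seconds apart. Term names imitate the JunOS flowspec convention;
# the byte and packet values are made up for the example.
SAMPLE_T0 = """\
Filter: __flowspec_default_inet__
Counters:
Name                                                Bytes              Packets
141.101.124.242,*                                 104857600               102400
108.162.203.11,*,proto=6,tcp-flag=0x2                 64000                 1000
*,*,proto=17,dstport=80                               12800                  100
"""

SAMPLE_T1 = """\
Filter: __flowspec_default_inet__
Counters:
Name                                                Bytes              Packets
141.101.124.242,*                                 167772160               163840
108.162.203.11,*,proto=6,tcp-flag=0x2                  1280                   20
*,*,proto=17,dstport=80                               25600                  200
"""

# term name, bytes, packets; flowspec term names never contain whitespace
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map flowspec term name -> (bytes, packets) from 'show firewall' output."""
    counters: Dict[str, Tuple[int, int]] = {}
    in_counters = False
    for line in text.splitlines():
        if line.startswith("Counters:"):
            in_counters = True
            continue
        if not in_counters or line.startswith("Name"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


@dataclass
class Rate:
    bps: float   # bits per second
    pps: float   # packets per second


def rates(prev: Dict[str, Tuple[int, int]],
          cur: Dict[str, Tuple[int, int]],
          interval_s: float) -> Dict[str, Rate]:
    """Per-term rate between two polls.

    A counter that went backwards means the rule was withdrawn and re-installed
    (the fresh term counts from zero), so the delta is taken from zero instead
    of producing a huge negative rate. A term absent from the newer poll was
    withdrawn and is simply not reported.
    """
    out: Dict[str, Rate] = {}
    for name, (b1, p1) in cur.items():
        b0, p0 = prev.get(name, (0, 0))
        db = b1 - b0 if b1 >= b0 else b1
        dp = p1 - p0 if p1 >= p0 else p1
        out[name] = Rate(bps=db * 8 / interval_s, pps=dp / interval_s)
    return out


if __name__ == "__main__":
    for term, r in rates(parse_counters(SAMPLE_T0),
                         parse_counters(SAMPLE_T1), 10).items():
        print(f"{term:45s} {r.bps / 1e6:8.3f} Mbit/s {r.pps:10.1f} pps")
```

Feed the two dictionaries into whatever time-series store you graph from; the rate function is where the “rule got re-installed” edge case lives, which a naive subtraction gets wrong.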

Sample “rule” configs

Discards all traffic to UDP port 80. These stanzas live under [edit routing-options flow]:

route DISCARD-80-UDP {
    match {
        protocol udp;
        destination-port 80;
    }
    then {
        discard;
    }
}

Sample “rule” configs

Rate-limit TCP SYN to 5Mbps. This will be the easiest rate limiting you’ve ever done on JunOS. No more manual policer configuration! tcp-flags 2 matches packets with the SYN bit (0x02) set. rate-limit is given in bits per second here, while the RFC 5575 traffic-rate community on the wire is in bytes per second, so check the unit when generating the same rule from another tool.

route 108.162.203.11-RL {
    match {
        destination 108.162.203.11/32;
        protocol tcp;
        tcp-flags 2;
    }
    then {
        rate-limit 5m;
    }
}

Sample “rule” configs

route 141.101.124.242-DISCARD {
    match {
        destination 141.101.124.242/32;
    }
    then {
        discard;
    }
}

We no longer “null-route” by sending BGP-triggered blackhole announcements to transit providers, so we don’t lose visibility into the attack: the discard happens on our own edge, where the flowspec counters still show what is being dropped.
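The three rules above are hand-written one-offs. Because a flow route takes a single destination rather than a prefix-list (second drawback), the practical approach is to generate one route per prefix. This is an added example in Python, not code from the talk or from Juniper: the victim prefixes are hypothetical, and the /24 threshold is a guard I chose, since a fat-fingered broad prefix with “then discard” is a self-inflicted outage.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

# Refuse prefixes broader than this unless the caller explicitly allows it:
# a /8 with "then discard" is an outage you pushed yourself.
MIN_PREFIXLEN = 24


def _checked(prefix: str, allow_broad: bool) -> ipaddress.IPv4Network:
    # strict=True rejects host bits set in the network part (e.g. 10.1.2.3/24).
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError(f"{prefix}: only inet (IPv4) flow routes are generated here")
    if net.prefixlen < MIN_PREFIXLEN and not allow_broad:
        raise ValueError(f"{prefix}: broader than /{MIN_PREFIXLEN}; pass allow_broad=True if intended")
    return net


def flow_route(name: str, net: ipaddress.IPv4Network,
               match: Dict[str, Union[str, int]], action: str) -> str:
    """One 'route' stanza for [edit routing-options flow], braces style as on the slides."""
    lines = [f"route {name} {{", "    match {", f"        destination {net};"]
    for key, val in match.items():       # e.g. protocol tcp; tcp-flags 2;
        lines.append(f"        {key} {val};")
    lines += ["    }", "    then {", f"        {action};", "    }", "}"]
    return "\n".join(lines)


def generate(prefixes: Iterable[str], match: Dict[str, Union[str, int]],
             action: str, suffix: str, allow_broad: bool = False) -> List[str]:
    """One flow route per prefix, named like the slides (141.101.124.242-DISCARD).
    '/' is avoided in the route name, so non-/32 prefixes get a '_len' suffix."""
    stanzas = []
    for p in prefixes:
        net = _checked(p, allow_broad)
        base = str(net.network_address)
        if net.prefixlen != 32:
            base += f"_{net.prefixlen}"
        stanzas.append(flow_route(f"{base}-{suffix}", net, match, action))
    return stanzas


if __name__ == "__main__":
    # Hypothetical victim list standing in for the prefix-list the router cannot take.
    victims = ["141.101.124.242/32", "108.162.203.0/28"]
    print("\n".join(generate(victims, {}, "discard", "DISCARD")))
    print("\n".join(generate(victims, {"protocol": "tcp", "tcp-flags": 2},
                             "rate-limit 5m", "RL")))
```

Paste the output under routing-options flow on the route server and commit; the generator only produces text, so a failed validation (bad prefix, too broad) happens before anything reaches BGP.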

Time for the cool stuff! (Graphs)

Short Lived SYN Flood (graph)

Big attack (graph)

Decaying long lived attack (graph)

1Gbps attack (graph)

Questions?

Thank You

Bad Players

IX peering-LAN prefixes that should stay local to the exchange but are visible in the global table via transit ASes. Columns: prefix, next hop, local preference, MED, AS path as seen from AS 13335, origin.

range 198.32.176.0/24 - PAIX
198.32.176.0/24    141.101.86.1    100  0  13335 1299 701 i
198.32.176.0/24    141.101.90.1    100  0  13335 1299 701 i
.......snip

range 202.40.160.0/23 - HKIX
202.40.160.0/23    199.27.132.1    100  0  13335 4436 4134 4809 45474 i
202.40.160.0/23    108.162.235.1   100  0  13335 4436 4134 4809 45474 i
.......snip

range 206.223.123.0/24 - Equinix LA
206.223.123.0/24   103.22.203.1    100  0  13335 4637 6461 i
206.223.123.0/24   141.101.65.1    100  0  13335 4436 6461 i
.......snip

range 218.100.59.0/24 - ACT-IX
218.100.59.0/24    108.162.247.1   100  0  13335 10026 45482 i

range 91.212.235.0/24 - Balkan IX
91.212.235.0/24    141.101.69.1    100  0  13335 12615 47872 49401 49401 i
91.212.235.0/24    141.101.69.1    100  0  13335 12615 49401 49401 49401 i

range 198.32.177.0/24 - PAIX
198.32.177.0/24    141.101.67.1    100  0  13335 4436 2914 i
198.32.177.0/24    141.101.72.1    100  0  13335 4436 2914 i
.......snip

range 198.32.132.0/24 - TELX
198.32.132.0/24    141.101.76.1    100  0  13335 4637 6461 22969 i
198.32.132.0/24    103.22.203.1    100  0  13335 4637 6461 22969 i
198.32.132.0/24    141.101.71.1    100  0  13335 1299 6461 22969 i
198.32.132.0/24    141.101.86.1    100  0  13335 1299 6461 22969 i
.......snip
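The table above is a hand-picked slice of a routing table. As an added example (not part of the talk), the following Python parses lines in that layout and reports, for each IX LAN prefix present, which neighbour AS the leak arrived through (the hop right after the local AS) and which AS originates it (the last hop). The sample rows are constructed from the slide’s values, with one ordinary locally originated prefix added to show that it is ignored; the IX list is the one on the slide.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

LOCAL_AS = 13335   # the AS whose table is shown; every path on the slide starts with it

# IX peering-LAN prefixes from the slide and the exchange each belongs to.
IX_LANS = {
    "198.32.176.0/24": "PAIX",
    "198.32.177.0/24": "PAIX",
    "202.40.160.0/23": "HKIX",
    "206.223.123.0/24": "Equinix LA",
    "218.100.59.0/24": "ACT-IX",
    "91.212.235.0/24": "Balkan IX",
    "198.32.132.0/24": "TELX",
}

# Constructed sample in the slide's column order: prefix, next hop, local
# preference, MED, AS path, origin. The last row is an ordinary prefix we
# originate ourselves (documentation addresses), included to show it is ignored.
SAMPLE = """\
198.32.176.0/24 141.101.86.1 100 0 13335 1299 701 i
202.40.160.0/23 199.27.132.1 100 0 13335 4436 4134 4809 45474 i
198.32.132.0/24 141.101.76.1 100 0 13335 4637 6461 22969 i
198.32.132.0/24 141.101.71.1 100 0 13335 1299 6461 22969 i
192.0.2.0/24 203.0.113.1 100 0 13335 i
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+((?:\d+\s+)*)([ie?])$")


def parse_routes(text: str) -> List[dict]:
    """Rows of the table; 'range ...' headers and 'snip' lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "prefix": m.group(1),
            "nexthop": m.group(2),
            "localpref": int(m.group(3)),
            "med": int(m.group(4)),
            "as_path": [int(a) for a in m.group(5).split()],
            "origin": m.group(6),
        })
    return rows


def leaked_ix_lans(rows: List[dict]) -> Dict[str, Dict[str, Set[int]]]:
    """For each IX LAN present in the table: the neighbour ASNs it arrived
    through (hop after LOCAL_AS) and the ASN(s) originating it (last hop)."""
    found: Dict[str, Dict[str, Set[int]]] = defaultdict(
        lambda: {"via": set(), "origin_as": set()})
    for r in rows:
        if r["prefix"] not in IX_LANS:
            continue
        path = r["as_path"]
        if path and path[0] == LOCAL_AS:
            path = path[1:]
        if not path:
            continue                      # originated by us, not a third-party leak
        found[r["prefix"]]["via"].add(path[0])
        found[r["prefix"]]["origin_as"].add(path[-1])
    return dict(found)


if __name__ == "__main__":
    for prefix, info in leaked_ix_lans(parse_routes(SAMPLE)).items():
        print(f"{IX_LANS[prefix]:12s} {prefix:18s} "
              f"via {sorted(info['via'])} origin {sorted(info['origin_as'])}")
```

Run it against a full “show route” dump of your own table with the IX LANs you peer on, and the “via” set tells you which of your transits is carrying the leak and the “origin_as” set who to contact.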