[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Sam Crooks sam.a.crooks at gmail.com
Fri Jun 10 03:39:25 EDT 2005



-----Original Message-----
From: Bill Wichers [mailto:billw at waveform.net] 
Sent: Thursday, June 09, 2005 7:51 PM
To: Sam Crooks
Cc: Bill Wichers; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modern BGP peering border router and DDoS attack
defense recommendations?


>> What are opinions of say, 2xN Mbps rate-limited ethernet connections
>> (1 per border router, 2 routers, through different physical paths),
>> starting out at 10Mbps, burstable up to 100Mbps... in a
>> carrier-neutral building with 42 carriers?

> I have personally seen a 10Mb/s Ethernet link get completely wiped out by
> a DDoS. The link filled up completely, and the BGP session would drop,
> then the traffic would stop, the BGP session would come back, the traffic
> would come back, then the BGP session would drop.... Then I get really
> busy when the network gets damped for that carrier ;-) Not fun. We haven't
> seen this problem on burstable 100Mb/s circuits, but I have heard of DDoS
> attacks of more than 100Mb/s, but they seem to be rare.

>> I'm evaluating http://www.dpte.net, and they offer a bundle of the
>> above connectivity to the 42 carriers (they call it blending?), along
>> with a 10x10 ft cage ... it would seem to make data connections to a
>> standby site (t1-OC-x, whatever I need to scale up to) very easy to
>> get, and get very quickly.

>Never heard of them myself, but there are a lot of tier-2's out there that
>can do a pretty good job at a good price. I would certainly look into
>their offerings, especially if they are friendly and flexible and will
>help you start small and upgrade incrementally. Burstable connections will
>really help you handle attacks without a large cost if you can get large
>maximum capacities and a small monthly revenue commitment.


From my research, dpte.net basically sits near or on the fiber trench from
San Diego to Dallas (geographical constraints being the Grand Canyon and the
Sierra Nevada Mountains in the region) for 22+ national/regional
providers... they have a requirement of min 2 entrance vaults for SPs, up
to 4 entrance vaults... buried power transformers and entrance vaults for
power... from my research, THE colo center in the Phoenix market (5th
largest metro area) for physical infrastructure and carrier connectivity....
the others I've looked at haven't come close, as far as SLA guarantees and
infrastructure to support it... the only higher-value regional target would
be 1 Wilshire in Los Angeles... which is somewhat of a concern for the
company, but regionally, I haven't seen anything better....




>> How does BGP peering work in such an environment, for an end-user AS?

>That's a pretty big question... Basically you take a feed of routes from
>each of your peers, and your router then can make decisions as to the
>optimal path to a given site. The same basically works in reverse too,
>except that you advertise your block to your various peers. If one link
>goes down, everything uses the remaining link(s) and you maintain
>connectivity to the general Internet. There have been several threads
>recently on this list about much more detailed configurations. You'll need
>an AS, and at least a /24 netblock to run BGP, along with a router that
>can handle a full view (ideally) from each peer you plan to link into.


So... given this type of arrangement (Ethernet physical connectivity)...
being an end-user to 2+ SPs, but no peering (ISP business-sense... I have no
customers to provide transit for) with regional or global AS's, I need
either BGP with default route only or partial with default routes?  

Would full routes with default be wasted on me, since I have 2+ exits, and
am peering (BGP sense) for access (transit), not peering to provide transit
for my customers?


Given Ethernet physical connectivity ... would a 3750, 4948, 6500, etc. make
more sense as a "border router" than, say, a 7200, 7600, etc.? DDoS is the
primary concern, followed closely by cost... if a 3750 switch used as the
border router/switch to a BGP peer will fall over under a moderate to
medium DDoS attack vs. a 7200 vs. a 6500/7600 ... better to buy the 7200
router or 7600 router.... The difference in price seems to be at least an
order of magnitude for a 3750 or 4948 or 7200 vs. a 6500/7600, given my
performance needs near the low end of the 6500/7600 (not to mention 12000)
spectrum...



My understanding is:

I colo in a particular facility

As part of the colo bundle, I get 10 Mbps (burstable to 100Mbps) to the
layer 2 LAN where the 42+ carriers peer with customers and each other.

I have to separately arrange paid transit with whatever 2+ carriers are
ultimately decided upon as the SPs

Get an AS (maybe before previous step)

I have to either have my own /24 CIDR block (ARIN assigned, maybe difficult
to get) OR get a /24+ from an SP, and get the other N+ carriers to announce
it for me



....Something similar for a backup colo facility, i.e. connectivity, and a
transit agreement for announcing a small CIDR block of another SP as going
to my AS.

Arrange whatever connectivity (metro Ethernet, DS-x, whatever) from coloA
and coloB to my office for my management/maintenance purposes, as well as
whatever point-to-point connection services between coloA and coloB I need.



Well,

12:30am... time to shelve this issue until tomorrow.

:-)


Thanks for guidance and responses to previous questions thus far... much
appreciated by me.

Regards,


Sam
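A worked configuration for the arrangement Sam is describing (one border router, paid transit from two providers, default route in, a single /24 out), added here as an illustration; it is not from either poster. Cisco IOS syntax, since that is the platform the thread is about. All addresses are RFC 5737 documentation ranges, all AS numbers are documentation ASNs (64496-64511), and the provider names, the MD5 secrets, the choice of AS 64500 as primary and the assumption that both providers will run GTSM (`ttl-security`) are placeholders.

```cisco
! Added example (not from the thread). Border router in AS 64496 with
! paid transit from two providers; only a default route is accepted
! from each and only our own /24 is announced. Addresses are RFC 5737
! documentation ranges, AS numbers are documentation ASNs, and the
! provider names, secrets and primary/backup choice are assumptions.
!
! Our block, held in the table via Null0 so the network statement
! always originates it, even when nothing inside the /24 is up.
ip route 192.0.2.0 255.255.255.0 Null0 250
!
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Our own block, or anything more specific, must never be learned
! from outside (a hijack or a leak would otherwise win over Null0).
ip prefix-list OUR-PREFIX-OR-LONGER seq 5 permit 192.0.2.0/24 le 32
!
! Inbound policy, primary transit: drop our own block, accept the
! default with a higher local-preference so it wins over the backup.
! Everything else hits the route-map's implicit deny. To take a
! partial table (the provider's customer routes) instead, widen the
! permit 20 clause; the deny 10 clause then does real work.
route-map FROM-TRANSIT-A deny 10
 match ip address prefix-list OUR-PREFIX-OR-LONGER
route-map FROM-TRANSIT-A permit 20
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
! Inbound policy, backup transit: same, default local-preference (100).
route-map FROM-TRANSIT-B deny 10
 match ip address prefix-list OUR-PREFIX-OR-LONGER
route-map FROM-TRANSIT-B permit 20
 match ip address prefix-list DEFAULT-ONLY
!
! Outbound is OUR-PREFIX only, so the default learned from one provider
! is never re-announced to the other and we never become transit.
! ttl-security assumes the provider enables GTSM too; drop it otherwise.
router bgp 64496
 no synchronization
 no auto-summary
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 !
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description Transit-A primary (assumed name)
 neighbor 198.51.100.1 password TRANSIT-A-SECRET
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 soft-reconfiguration inbound
 neighbor 198.51.100.1 route-map FROM-TRANSIT-A in
 neighbor 198.51.100.1 prefix-list OUR-PREFIX out
 neighbor 198.51.100.1 maximum-prefix 10
 !
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description Transit-B backup (assumed name)
 neighbor 203.0.113.1 password TRANSIT-B-SECRET
 neighbor 203.0.113.1 ttl-security hops 1
 neighbor 203.0.113.1 soft-reconfiguration inbound
 neighbor 203.0.113.1 route-map FROM-TRANSIT-B in
 neighbor 203.0.113.1 prefix-list OUR-PREFIX out
 neighbor 203.0.113.1 maximum-prefix 10
```

To check it, `show ip bgp summary` should report one prefix (the default) from each neighbor, and `show ip bgp neighbors 198.51.100.1 advertised-routes` should list only 192.0.2.0/24; if the primary default ever disappears, traffic falls back to the backup default on its own. With default-only the router holds no AS-path information, so it cannot choose the shorter exit per destination; that is what a full table buys and what this configuration deliberately gives up. Two caveats on the 10 Mb/s handoff: the policer sits on the carrier's side, so nothing on this router stops inbound keepalives being dropped during a flood, which is the flap Bill describes; and if the /24 is carved out of one provider's aggregate, the other provider has to agree to accept and announce it before the outbound prefix-list here does any good.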

More information about the cisco-nsp mailing list