[j-nsp] DDoS to core interface - mitigation

Saku Ytti saku at ytti.fi
Thu Mar 8 15:35:31 EST 2018 

Hey Daniel,

Apologies for not answering your question, but generally this is not a
problem, because:

a) have edgeACL which polices ICMP and UDP high ports to your links
and drops rest
b) don't advertise your links in IGP or iBGP



On 8 March 2018 at 22:17, Dan Římal <dan at danrimal.net> wrote:
> Hi all,
>
> I would like to discuss, how do you handle ddos attack pointing to IP address of any router core interface, if your UPLINK/ISP support RTBH and you would like to drop traffic at ISP level because of congested links.
>
> I have tried to implement "classic" BGP signalized RTBH, via changing next-hop to discard route. It works good for customers IPs, but applied to core-interface IP address, it drops routing protocol running on this interfaces between routers (because /32 discard route is more specific than, at least, /31 p2p). I tried to implement export filter between RIB and FIB (routing-options forwarding-table export) to not to install this routes to FIB. It looks better, it doesn't drop BGP/BFD/... anymore, but it works just by half. Try to explain:
>
> I have two routers, both have transit operator (UPLINK-A, UPLINK-B) and they are connected to each other. Routers interconnect is let's say 192.168.72.248/31 (248 router-A, 249 router-B). I will start to propagate via iBGP discard route 192.168.72.248/32 from ddos detection appliance to both routers. Router-B get RTBH route as the best, skip install to FIB because of export filter between RIB and FIB and will start to propagate appropriate route with blackhole community to UPLINK-B. UPLINK-B drops dst at their edge. Good.
>
> But, router A get the same blackhole route, but not as the best, because it has the same route (/32) as a local route with lower route preference:
>
> 192.168.72.248/32  *[Local/0] 34w1d 07:59:10
>                       Local via ae2.3900
>                     [BGP/170] 07:43:20, localpref 2000
>                       AS path: I, validation-state: unverified
>                     > to 10.110.0.12 via ae1.405
>
> So, router-A doesn't start propagate blackhole route to UPLINK-A (because it is not the best, i guess) and DDOS still came from UPLINK-A.
>
> How can i handle this situation? Maybe set lower route preference from detection appliance than default 170? But "Directly connected network" has preference 0 and i cannot go lower and cannot get more specific than local /32. Or maybe use bgp advertise-inactive toward my UPLINKs? Will this help?
>
> Thanks!
>
> Daniel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti

More information about the juniper-nsp mailing list