[j-nsp] DDoS to core interface - mitigation
Daniel Suchy
danny at danysek.cz
Fri Mar 9 03:02:15 EST 2018
Hi,
yes - there's "advertise-inactive" option in BGP, which might help in
such case (in combination with FIB filters): "The advertise-inactive
statement causes Junos OS to advertise the best BGP route that is
inactive because of IGP preference."
You cannot modify preference of directly-connected network - it's always
set to zero...
With regards,
Daniel
On 03/08/2018 09:17 PM, Dan Římal wrote:
> Hi all,
>
> I would like to discuss, how do you handle ddos attack pointing to IP address of any router core interface, if your UPLINK/ISP support RTBH and you would like to drop traffic at ISP level because of congested links.
>
> I have tried to implement "classic" BGP signalized RTBH, via changing next-hop to discard route. It works good for customers IPs, but applied to core-interface IP address, it drops routing protocol running on this interfaces between routers (because /32 discard route is more specific than, at least, /31 p2p). I tried to implement export filter between RIB and FIB (routing-options forwarding-table export) to not to install this routes to FIB. It looks better, it doesn't drop BGP/BFD/... anymore, but it works just by half. Try to explain:
>
> I have two routers, both have transit operator (UPLINK-A, UPLINK-B) and they are connected to each other. Routers interconnect is let's say 192.168.72.248/31 (248 router-A, 249 router-B). I will start to propagate via iBGP discard route 192.168.72.248/32 from ddos detection appliance to both routers. Router-B get RTBH route as the best, skip install to FIB because of export filter between RIB and FIB and will start to propagate appropriate route with blackhole community to UPLINK-B. UPLINK-B drops dst at their edge. Good.
>
> But, router A get the same blackhole route, but not as the best, because it has the same route (/32) as a local route with lower route preference:
>
> 192.168.72.248/32 *[Local/0] 34w1d 07:59:10
> Local via ae2.3900
> [BGP/170] 07:43:20, localpref 2000
> AS path: I, validation-state: unverified
> > to 10.110.0.12 via ae1.405
>
> So, router-A doesn't start propagate blackhole route to UPLINK-A (because it is not the best, i guess) and DDOS still came from UPLINK-A.
>
> How can i handle this situation? Maybe set lower route preference from detection appliance than default 170? But "Directly connected network" has preference 0 and i cannot go lower and cannot get more specific than local /32. Or maybe use bgp advertise-inactive toward my UPLINKs? Will this help?
>
> Thanks!
>
> Daniel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list