[j-nsp] DDoS to core interface - mitigation

Daniel Suchy danny at danysek.cz
Fri Mar 9 03:02:15 EST 2018


Hi,
Yes, there's an "advertise-inactive" option in BGP, which might help in
such a case (in combination with FIB filters): "The advertise-inactive
statement causes Junos OS to advertise the best BGP route that is
inactive because of IGP preference."

You cannot modify the preference of a directly connected network; it's always
set to zero...

With regards,
Daniel


On 03/08/2018 09:17 PM, Dan Římal wrote:
> Hi all,
> 
> I would like to discuss how you handle a DDoS attack pointed at the IP address of a router core interface, if your UPLINK/ISP supports RTBH and you would like to drop the traffic at the ISP level because of congested links.
> 
> I have tried to implement "classic" BGP-signalled RTBH, by changing the next-hop to a discard route. It works well for customer IPs, but applied to a core-interface IP address it drops the routing protocols running on these interfaces between routers (because the /32 discard route is more specific than, at least, the /31 p2p). I tried to implement an export filter between RIB and FIB (routing-options forwarding-table export) so as not to install these routes into the FIB. It looks better, it doesn't drop BGP/BFD/... anymore, but it only works by half. Let me try to explain:
> 
> I have two routers, both have a transit operator (UPLINK-A, UPLINK-B) and they are connected to each other. The router interconnect is, let's say, 192.168.72.248/31 (248 router-A, 249 router-B). I start to propagate the discard route 192.168.72.248/32 via iBGP from the DDoS detection appliance to both routers. Router-B gets the RTBH route as the best, skips installation into the FIB because of the export filter between RIB and FIB, and starts to propagate the appropriate route with the blackhole community to UPLINK-B. UPLINK-B drops the dst at their edge. Good.
> 
> But router-A gets the same blackhole route, not as the best, because it has the same route (/32) as a local route with a lower route preference:
> 
> 192.168.72.248/32  *[Local/0] 34w1d 07:59:10
>                       Local via ae2.3900
>                     [BGP/170] 07:43:20, localpref 2000
>                       AS path: I, validation-state: unverified
>                     > to 10.110.0.12 via ae1.405
> 
> So router-A doesn't start propagating the blackhole route to UPLINK-A (because it is not the best, I guess) and the DDoS still comes in from UPLINK-A.
> 
> How can I handle this situation? Maybe set a lower route preference from the detection appliance than the default 170? But "Directly connected network" has preference 0 and I cannot go lower, and cannot get more specific than the local /32. Or maybe use bgp advertise-inactive toward my UPLINKs? Will this help?
> 
> Thanks!
> 
> Daniel
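As an added configuration sketch (not from either mail and not Juniper's own example), here is how the two pieces Daniel names, a forwarding-table export filter and advertise-inactive, fit together on router-A in Dan's topology. The address 192.168.72.248/31 comes from the thread; the policy names, the internal signalling community 65000:666, the upstream blackhole community 64496:666 and the peer address are assumptions.

```junos
/* Added example, not from the thread. Assumed names and community values. */
policy-options {
    /* The point-to-point interconnect whose /32s must never be discarded locally */
    prefix-list CORE-P2P-LINKS {
        192.168.72.248/31;
    }
    /* Assumed: community set by the DDoS detection appliance on its iBGP discard routes */
    community RTBH-INTERNAL members 65000:666;
    /* Assumed: blackhole community documented by UPLINK-A */
    community RTBH-UPLINK-A members 64496:666;

    /* RIB -> FIB filter: keep appliance-originated /32s that cover our own
       core interface addresses out of the forwarding table, so BGP/BFD on the
       link keep working. Customer /32s do not match and are still discarded. */
    policy-statement NO-FIB-FOR-CORE-RTBH {
        term core-addr-blackhole {
            from {
                protocol bgp;
                community RTBH-INTERNAL;
                prefix-list-filter CORE-P2P-LINKS longer;
            }
            then reject;
        }
        term everything-else {
            then accept;
        }
    }

    /* Export toward UPLINK-A: only appliance-tagged /32s, rewritten with the
       upstream's blackhole community. With advertise-inactive on the group the
       route is evaluated here even though Local/0 keeps it inactive in inet.0. */
    policy-statement EXPORT-UPLINK-A {
        term rtbh {
            from {
                protocol bgp;
                community RTBH-INTERNAL;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                community delete RTBH-INTERNAL;
                community add RTBH-UPLINK-A;
                accept;
            }
        }
        term deny-rest {
            then reject;
        }
    }
}

routing-options {
    forwarding-table {
        export NO-FIB-FOR-CORE-RTBH;
    }
}

protocols {
    bgp {
        group UPLINK-A {
            type external;
            advertise-inactive;   /* advertise the best BGP route even when a
                                     better-preference non-BGP route hides it */
            export EXPORT-UPLINK-A;
            neighbor 192.0.2.1 { /* assumed upstream peer address */
                peer-as 64496;
            }
        }
    }
}
```

Two things worth checking after commit: `show route 192.168.72.248/32 extensive` should still show the Local/0 entry active with the BGP/170 entry inactive, and `show route advertising-protocol bgp 192.0.2.1` should now list the /32 despite that, which is the effect advertise-inactive is meant to give. Keeping the FIB reject term scoped to the prefix-list plus the signalling community matters: a broader match would silently stop the router from discarding customer-facing RTBH routes locally.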

