[j-nsp] DDoS to core interface - mitigation

James Bensley jwbensley at gmail.com
Fri Mar 9 05:52:51 EST 2018


On 8 March 2018 at 20:35, Saku Ytti <saku at ytti.fi> wrote:
> Hey Daniel,
>
> Apologies for not answering your question, but generally this is not a
> problem, because:
>
> a) have an edge ACL which polices ICMP and UDP high ports to your links
> and drops the rest
> b) don't advertise your links in IGP or iBGP
>
>
>
> On 8 March 2018 at 22:17, Dan Římal <dan at danrimal.net> wrote:
>> Hi all,
>>
>> I would like to discuss how you handle a DDoS attack pointed at the IP address of any router core interface, if your UPLINK/ISP supports RTBH and you would like to drop the traffic at the ISP level because of congested links.
>>
>> I have tried to implement "classic" BGP-signalled RTBH, by changing the next-hop to a discard route. It works well for customer IPs, but applied to a core-interface IP address it drops the routing protocols running on these interfaces between routers (because the /32 discard route is more specific than, at least, the /31 p2p). I tried to implement an export filter between RIB and FIB (routing-options forwarding-table export) so as not to install these routes in the FIB. It looks better, it doesn't drop BGP/BFD/... anymore, but it only works by half. Let me try to explain:
>>
>> I have two routers, both have a transit operator (UPLINK-A, UPLINK-B) and they are connected to each other. The router interconnect is, let's say, 192.168.72.248/31 (248 router-A, 249 router-B). I start to propagate via iBGP the discard route 192.168.72.248/32 from the DDoS detection appliance to both routers. Router-B gets the RTBH route as the best, skips installing it in the FIB because of the export filter between RIB and FIB, and starts to propagate the appropriate route with the blackhole community to UPLINK-B. UPLINK-B drops the destination at their edge. Good.
>>
>> But router-A gets the same blackhole route, not as the best, because it has the same route (/32) as a local route with a lower route preference:
>>
>> 192.168.72.248/32  *[Local/0] 34w1d 07:59:10
>>                       Local via ae2.3900
>>                     [BGP/170] 07:43:20, localpref 2000
>>                       AS path: I, validation-state: unverified
>>                     > to 10.110.0.12 via ae1.405
>>
>> So router-A doesn't start propagating the blackhole route to UPLINK-A (because it is not the best, I guess) and the DDoS still comes from UPLINK-A.
>>
>> How can I handle this situation? Maybe set a lower route preference from the detection appliance than the default 170? But "Directly connected network" has preference 0 and I cannot go lower, and I cannot get more specific than the local /32. Or maybe use bgp advertise-inactive toward my UPLINKs? Will this help?
>>
>> Thanks!
>>
>> Daniel

In addition to the above, try to avoid using public IPs on internal
links if you can; they don't need to be reachable from the Internet
and it saves on IPv4 address space :)

Cheers,
James.
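The following Junos configuration fragment is an added example, not something posted in the thread, putting Saku's point (a) and Daniel's RIB-to-FIB filter into one place. Everything named here is an assumption for illustration: xe-0/0/0 is the UPLINK-A interface, 203.0.113.1 in AS 64496 the transit peer, 65535:666 the blackhole community, and 192.168.72.248/31 is the router-A/router-B link from Daniel's post; the policer rates and the traceroute UDP port range are placeholders to tune per network. The advertise-inactive knob Daniel asks about is included with its caveat.

```junos
/* Added example, not from the thread. Names, addresses, ASN and rates
   are hypothetical placeholders. */
policy-options {
    prefix-list INFRA-LINKS {
        192.168.72.248/31;          /* add every internal link prefix here */
    }
    community BLACKHOLE members 65535:666;
    /* Daniel's RIB->FIB filter: the RTBH /32 stays in the RIB, so it is
       still exported with the community, but is never installed in the
       forwarding table, so BGP/BFD on the /31 keep working. */
    policy-statement NO-RTBH-IN-FIB {
        term rtbh {
            from community BLACKHOLE;
            then reject;
        }
    }
}
firewall {
    policer INFRA-LOW-RATE {
        if-exceeding {
            bandwidth-limit 1m;      /* placeholder rate */
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter EDGE-PROTECT-INFRA {
            /* Saku's point (a): police ICMP and UDP high ports (traceroute)
               towards link addresses, drop everything else aimed at them. */
            term icmp-to-infra {
                from {
                    destination-prefix-list { INFRA-LINKS; }
                    protocol icmp;
                }
                then {
                    policer INFRA-LOW-RATE;
                    accept;
                }
            }
            term traceroute-to-infra {
                from {
                    destination-prefix-list { INFRA-LINKS; }
                    protocol udp;
                    destination-port 33434-33534;   /* assumed traceroute range */
                }
                then {
                    policer INFRA-LOW-RATE;
                    accept;
                }
            }
            term drop-rest-to-infra {
                from {
                    destination-prefix-list { INFRA-LINKS; }
                }
                then {
                    count infra-dropped;
                    discard;
                }
            }
            term transit {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        description "UPLINK-A (hypothetical)";
        unit 0 {
            family inet {
                filter {
                    input EDGE-PROTECT-INFRA;
                }
                address 203.0.113.2/30;
            }
        }
    }
}
routing-options {
    forwarding-table {
        export NO-RTBH-IN-FIB;
    }
}
protocols {
    bgp {
        group UPLINK-A {
            type external;
            peer-as 64496;
            neighbor 203.0.113.1;
            /* Lets router-A export its best BGP path for 192.168.72.248/32
               even while Local/0 is the active route. It applies to every
               prefix in the group, so review the group's export policy
               before turning it on. */
            advertise-inactive;
        }
    }
}
```

The filter sits on the uplink interface only; the eBGP session to 203.0.113.1 is addressed on the uplink /30, which is not in INFRA-LINKS, so its packets fall through to the final accept term. After committing, `show firewall filter EDGE-PROTECT-INFRA` shows the infra-dropped counter, and `show route 192.168.72.248/32` on router-A should still list the Local/0 route as active with the BGP/170 path beneath it; the difference advertise-inactive makes is visible in `show route advertising-protocol bgp 203.0.113.1`.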

