Blackholing from a Provider's perspective (Theo Voss)
TRANSCRIPT
![Page 1: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/1.jpg)
Blackholing from a Provider’s perspective
Theo Voss / Network Engineer, SysEleven GmbH (AS25291)
DE-CIX Technical Meeting, Frankfurt, 29.06.2016
![Page 2: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/2.jpg)
Who is SysEleven?
Managed hoster and upstream provider, founded in 2007.
300+ customers, PoPs in Berlin, Frankfurt, Amsterdam.
![Page 3: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/3.jpg)
DDoS attacks
![Page 4: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/4.jpg)
Source: https://www.reddit.com/r/pics/comments/2a22zd/server_blessing_in_poland/
![Page 5: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/5.jpg)
Provider's perspective: Upstreams
![Page 6: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/6.jpg)
Blackholing at upstreams
We’ve turned it on, but…
![Page 7: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/7.jpg)
Blackholing at upstreams
Generally works, but:
• not enabled by default
• no common community: draft-ymbk-grow-blackholing-01 (https://tools.ietf.org/id/draft-ymbk-grow-blackholing-01.txt) proposes 65535:666 as a well-known BLACKHOLE community (since published as RFC 7999), but each upstream still uses its own
![Page 8: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/8.jpg)
Provider's perspective: Internet Exchange Points
![Page 9: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/9.jpg)
Blackholing at IXPs
![Page 10: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/10.jpg)
Blackholing at IXPs
But peers still do NOT accept:
• more-specifics of /24 (IPv4) and /48 (IPv6), i.e. the /32 and /128 host routes that blackholing needs
• a rewritten next-hop (the IXP's blackhole next-hop)
![Page 11: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/11.jpg)
Blackholing at IXPs
DE-CIX supports it, let’s make it more successful. Modify your policy, accept blackhole announcements!

```
term IMPORT-DECIX-BLACKHOLE {
    from {
        next-hop 80.81.193.66;                          /* DE-CIX blackhole next-hop */
        prefix-list-filter $PEER orlonger;              /* $PEER: the peer's (IRR-derived) prefix list */
        route-filter 0.0.0.0/0 prefix-length-range /32-/32;
    }
    then {
        community add no-export;
        accept;
    }
}
```

The intent is that all three conditions must hold: blackhole next-hop, a /32, and a prefix the peer is actually allowed to originate. The last one is what keeps a peer from blackholing somebody else's address through you. Before deploying, verify with `test policy IMPORT-DECIX-BLACKHOLE <prefix>` that a /32 outside the peer's prefix list is really rejected: in Junos, route-filter and prefix-list-filter statements in one from clause are evaluated together as a single longest-match set rather than as independent AND conditions.
![Page 12: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/12.jpg)
Unwanted Traffic Removal Service
https://www.cymru.com/jtk/misc/utrs.html
Source: https://www.team-cymru.org/UTRS
![Page 13: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/13.jpg)
UTRS
Route-server based blackhole relay: a participant announces a /32 with no-export and community 64496:0, and every other participant receives that /32 with next-hop 192.0.2.1.
![Page 14: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/14.jpg)
UTRS
• RIPEstat API for route validation
• 142 networks connected
• 9500 announcements yearly

As seen at SysEleven:
```
inet.0: 594972 destinations, 4408624 routes (591272 active, 0 holddown, 7418 hidden)
Prefix              Nexthop        MED   Lclpref   AS path
* 37.44.0.1/32      192.0.2.1                      64496 25291 I
```

As seen at a UTRS participant:
```
37.44.0.1/32    *[BGP/170] 02:23:40, localpref 200, from 154.35.**.**
                  AS path: 64496 25291 I, validation-state: unverified
                  Discard
```
![Page 15: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/15.jpg)
UTRS
Implementation is easy.

```
policy-statement 4-CYMRU-UTRS-OUT {
    term BLACKHOLE {
        from {
            community SYS11_BLACKHOLE;
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then {
            community add CYMRU-UTRS_BLACKHOLE;
            community add no-export;
            next-hop 192.0.2.1;
            accept;
        }
    }
}

policy-statement 4-CYMRU-UTRS-IN {
    term BLACKHOLE {
        from {
            community CYMRU-UTRS_BLACKHOLE;
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then {
            community add SYS11_BLACKHOLE;
            community add no-export;
            next-hop discard;
            accept;
        }
    }
}
```
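The three policies above (the DE-CIX blackhole import from slide 11 and the UTRS out/in pair from slide 15) share one shape: only exact host routes, only with the right next-hop or community, and for the IXP case only inside what the peer may originate. The following Python model is an added example, not code from the slides or from SysEleven; it makes the intended AND semantics explicit and can be run against constructed routes. Community values are assumptions: the slides name SYS11_BLACKHOLE and CYMRU-UTRS_BLACKHOLE without values, so 25291:666 (slide 23) and 64496:0 (slide 13) are used for them here. The IPv6 /128 handling goes beyond the IPv4-only slides.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Values taken from the slides.
DECIX_BLACKHOLE_NEXTHOP = "80.81.193.66"  # DE-CIX blackhole next-hop (slide 11)
UTRS_NEXTHOP = "192.0.2.1"                # next-hop UTRS sets on relayed /32s (slide 13)
NO_EXPORT = "no-export"
# Assumed mapping of the named communities in the slide 15 policies to values:
# SYS11_BLACKHOLE -> 25291:666 (slide 23), CYMRU-UTRS_BLACKHOLE -> 64496:0 (slide 13).
SYS11_BLACKHOLE = "25291:666"
UTRS_BLACKHOLE = "64496:0"


@dataclass
class Route:
    prefix: str
    next_hop: str                     # an IP, or "discard" for a Junos discard next-hop
    communities: Set[str] = field(default_factory=set)


@dataclass
class Result:
    accepted: bool
    reason: str
    route: Optional[Route] = None     # the rewritten route when accepted


def _is_host_route(net) -> bool:
    """Blackhole routes must be exact host routes: /32 for IPv4, /128 for IPv6.
    The slides only show IPv4; /128 is the IPv6 counterpart of the same rule."""
    return net.prefixlen == net.max_prefixlen


def import_decix_blackhole(route: Route, peer_prefixes: List[str]) -> Result:
    """Slide 11 (IMPORT-DECIX-BLACKHOLE): accept a blackhole route from a DE-CIX peer
    only if all three hold:
      1. the next-hop is the DE-CIX blackhole next-hop,
      2. it is a host route,
      3. it lies inside a prefix the peer may originate (prefix-list "orlonger").
    Condition 3 is the security-relevant one: without it any peer could blackhole
    any single address at your edge."""
    net = ipaddress.ip_network(route.prefix, strict=True)
    if route.next_hop != DECIX_BLACKHOLE_NEXTHOP:
        return Result(False, "next-hop is not the DE-CIX blackhole next-hop")
    if not _is_host_route(net):
        return Result(False, f"not a host route (/{net.prefixlen})")
    allowed = [ipaddress.ip_network(p) for p in peer_prefixes]
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return Result(False, "prefix not covered by the peer's prefix list")
    out = Route(route.prefix, route.next_hop, route.communities | {NO_EXPORT})
    return Result(True, "accepted as blackhole", out)


def export_to_utrs(route: Route) -> Result:
    """Slide 15 (4-CYMRU-UTRS-OUT): relay our own host-route blackholes to UTRS with
    the UTRS community, no-export and the UTRS next-hop."""
    net = ipaddress.ip_network(route.prefix, strict=True)
    if SYS11_BLACKHOLE not in route.communities or not _is_host_route(net):
        return Result(False, "not a SysEleven host-route blackhole")
    out = Route(route.prefix, UTRS_NEXTHOP,
                route.communities | {UTRS_BLACKHOLE, NO_EXPORT})
    return Result(True, "exported to UTRS", out)


def import_from_utrs(route: Route) -> Result:
    """Slide 15 (4-CYMRU-UTRS-IN): install other participants' host routes as discard
    routes, tagged with our own blackhole community and no-export so they never leak."""
    net = ipaddress.ip_network(route.prefix, strict=True)
    if UTRS_BLACKHOLE not in route.communities or not _is_host_route(net):
        return Result(False, "not a UTRS host-route blackhole")
    out = Route(route.prefix, "discard",
                route.communities | {SYS11_BLACKHOLE, NO_EXPORT})
    return Result(True, "installed as discard", out)


if __name__ == "__main__":
    # Constructed sample: a peer whose IRR prefix list only covers 37.44.0.0/22.
    peer = ["37.44.0.0/22"]
    for r in (Route("37.44.0.1/32", DECIX_BLACKHOLE_NEXTHOP),    # legitimate
              Route("192.0.2.7/32", DECIX_BLACKHOLE_NEXTHOP),    # not the peer's space
              Route("37.44.0.0/24", DECIX_BLACKHOLE_NEXTHOP),    # not a host route
              Route("37.44.0.1/32", "80.81.192.1")):             # ordinary next-hop
        print(r.prefix, r.next_hop, "->", import_decix_blackhole(r, peer).reason)
```

Feeding the four constructed routes through `import_decix_blackhole` shows which single condition rejects each one; only the first route is accepted, and it comes out tagged no-export so the blackhole never propagates beyond your own AS.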
![Page 16: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/16.jpg)
Provider's perspective: DDoS attack detection
![Page 17: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/17.jpg)
FastNetMon
• Open-source DDoS attack detection
• Based on user-defined thresholds
• Uses NetFlow, sFlow, IPFIX & more
• Support for Graphite, ExaBGP & more
https://github.com/pavel-odintsov/fastnetmon
![Page 18: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/18.jpg)
![Page 19: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/19.jpg)
FastNetMon
In case of an attack, a script is triggered:
/usr/local/bin/notify_about_attack.sh
![Page 20: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/20.jpg)
Provider's perspective: Blackholing in case of attack
![Page 21: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/21.jpg)
Blackholing in case of attack
If there’s a DDoS detected (here a UDP flood against a single host), a FlowSpec rule is installed first:

```
tvoss@router1# show | compare
[edit routing-options flow]
+   route 109.68.230.206/32 {
+       match {
+           destination 109.68.230.206/32;
+           protocol udp;
+           port [ 0 4444 ];
+       }
+       then {
+           discard;
+       }
+   }
```
![Page 22: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/22.jpg)
Blackholing in case of attack
If there’s a DDoS detected, the FlowSpec rule is distributed by BGP to the other routers:

```
tvoss@router2> show route table inetflow.0

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
109.68.230.206,*,proto=17,port=0,=4444/term:1 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious
                Announcement bits (1): 0-Flow
                Communities: traffic-rate:0:0
                Accepted
                Validation state: Accept, Originator: 37.44.7.60
                Via: 109.68.230.0/24, Active
```

`traffic-rate:0:0` is the extended community for discard. The validation line shows the RFC 5575 check that the FlowSpec originator (37.44.7.60) also originates the best unicast route covering the destination (109.68.230.0/24); a rule for a prefix you do not route would be rejected here.
![Page 23: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/23.jpg)
Blackholing in case of attack
If we can’t handle the attack bandwidth:

1. Announce the /24 to upstreams & DE-CIX
```
route 37.44.0.0/24 { next-hop $nexthop; community 25291:555; }
```
2. Start /32 blackholing towards upstreams, DE-CIX & UTRS
```
route 37.44.0.1/32 { discard; community 25291:666; }
```
3. Stop announcing the /24 at DE-CIX
```
route 37.44.0.0/24 { next-hop $nexthop; community 25291:444; }
```
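Slide 19 says the FastNetMon notify script is the hook, and the three steps above are what it has to drive. The following Python is an added example, not SysEleven's script and not part of the slides: a notify script that turns a FastNetMon ban/unban into the escalation steps and renders them as Junos static-route commands. FastNetMon's documented calling convention (`<ip> <direction> <pps> <action>`, action being ban, unban or attack_details) is used as is; the own-prefix list 37.44.0.0/22, the pps threshold that stands in for "can't handle the attack bandwidth", and the `$nexthop` placeholder carried over from the slide are assumptions.

```python
import ipaddress
import sys
from typing import List, NamedTuple

# Values taken from slide 23.
NEXTHOP = "$nexthop"             # the slide leaves the real next-hop as a variable
COMM_ANNOUNCE = "25291:555"      # announce the /24 to upstreams & DE-CIX
COMM_BLACKHOLE = "25291:666"     # /32 blackhole towards upstreams, DE-CIX & UTRS
COMM_NO_DECIX = "25291:444"      # stop announcing the /24 at DE-CIX

# Assumptions, not on the slides.
OWN_PREFIXES = ["37.44.0.0/22"]  # aggregate containing the slide's 37.44.0.0/24
ESCALATE_ABOVE_PPS = 2_000_000   # above this we assume the attack exceeds our capacity


class Step(NamedTuple):
    op: str                      # "set" or "delete"
    prefix: str
    next_hop: str                # "$nexthop", "discard" or "" for delete
    communities: List[str]


def own_address(ip: str) -> ipaddress.IPv4Address:
    """Refuse addresses outside our own space: a bug or a spoofed detection must
    never make us blackhole, or announce a /24 for, somebody else's network."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(p) for p in OWN_PREFIXES):
        raise ValueError(f"{ip} is not inside our prefixes, refusing")
    return addr


def covering_24(addr: ipaddress.IPv4Address) -> str:
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def escalation_plan(victim: str, over_capacity: bool) -> List[Step]:
    """The /32 blackhole alone suffices while our links can carry the attack.
    When they cannot (slide 23): announce the covering /24 to upstreams and DE-CIX
    so the more-specific pulls the traffic onto the big upstream links, start the
    /32 blackhole everywhere, then stop the /24 at DE-CIX so IX peers also route
    via the upstreams, where the /32 is already being discarded."""
    addr = own_address(victim)
    blackhole = Step("set", f"{addr}/32", "discard", [COMM_BLACKHOLE])
    if not over_capacity:
        return [blackhole]
    net24 = covering_24(addr)
    return [
        Step("set", net24, NEXTHOP, [COMM_ANNOUNCE]),
        blackhole,
        Step("set", net24, NEXTHOP, [COMM_NO_DECIX]),   # replaces the 25291:555 tag
    ]


def withdrawal_plan(victim: str) -> List[Step]:
    """On unban undo the escalation in reverse: lift the /32 discard, then drop
    the /24 more-specific so routing returns to the aggregate."""
    addr = own_address(victim)
    return [Step("delete", f"{addr}/32", "", []),
            Step("delete", covering_24(addr), "", [])]


def render_junos(step: Step) -> List[str]:
    """Render a step as Junos set/delete commands under [edit routing-options static].
    The community is deleted before being set so that step 3 really replaces
    25291:555 with 25291:444 instead of adding to it (a missing statement only warns)."""
    base = f"routing-options static route {step.prefix}"
    if step.op == "delete":
        return [f"delete {base}"]
    nh = "discard" if step.next_hop == "discard" else f"next-hop {step.next_hop}"
    return [f"delete {base} community", f"set {base} {nh}",
            *(f"set {base} community {c}" for c in step.communities)]


def handle_notification(argv: List[str]) -> List[str]:
    """FastNetMon calls the notify script as: <ip> <direction> <pps> <action>,
    with action ban, unban or attack_details (details arrive on stdin)."""
    ip, direction, pps, action = argv[:4]
    if action == "attack_details" or direction != "incoming":
        return []                                  # nothing to announce
    if action == "ban":
        steps = escalation_plan(ip, int(pps) > ESCALATE_ABOVE_PPS)
    elif action == "unban":
        steps = withdrawal_plan(ip)
    else:
        raise ValueError(f"unknown action {action!r}")
    return [line for step in steps for line in render_junos(step)]


if __name__ == "__main__":
    print("\n".join(handle_notification(sys.argv[1:])))
```

Installed as /usr/local/bin/notify_about_attack.sh (with a Python shebang), the script prints the commands; wiring its output into a commit is deliberately left out, since pushing routes that blackhole or re-route a /24 should sit behind a review step or at least a dry-run path. The own-prefix check is the part worth keeping whatever else changes: the same validation UTRS performs via RIPEstat on the receiving side should already fail closed on the sending side.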
![Page 24: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/24.jpg)
Blackholing in case of attack
(Diagram: the /24 announced to the upstreams attracts the attack traffic there as the more-specific; the /32 is discarded at the upstreams; UTRS participants discard the /32 already in the source networks.)
![Page 25: Blackholing from a_providers_perspektive_theo_voss](https://reader031.vdocuments.mx/reader031/viewer/2022022203/586f90f91a28ab54768b7a9b/html5/thumbnails/25.jpg)
Thanks!