Transcript BGP Flowspec (RFC5575)

BGP Flowspec(RFC5575) Case study and Discussion
Shishio Tsuchiya
[email protected]
Agenda
•
BGP Flowspec Overview
•
BGP Flowspec case study
•
JANOG35 Q&A
DDOS Traffic are always changing…
http://www.digitalattackmap.com/
Affect of DDOS attack
Customer
line/node/servic
e
Target
Service
Customer
aggregation
node/line
203.0.113.1
Bandwidth of Backbone
The affect would be all of network wide…
RTBH(Remote Triggered Black Hole Filtering)
203.0.113.1 via
192.0.2.1
Target
Service
203.0.113.1
192.0.2.1 null0
203.113.1 192.0.2.1
192.0.2.1 null0
203.113.1 192.0.2.1
192.0.2.1 null0
203.113.1 192.0.2.1
•
•
•
•
RTBH(RFC5635) is well known technic in ISP
static route to null(Black hole) preliminarily
If incidence happen then BGP advertises route
DDOS traffic will be stopped
Why BGP Flow Specification will be needed

Non DDOS user also would be stopped.

It is difficult to discover/ attempt rule against DDOS
attack which rapidly change and increasing
Netflow+BGP Attribute
BGP Flowspec(RFC5575)+draft-ietf-idr-flow-spec-v6
Flow Type
Dst IP
Src IP
protocol
port
Dst port
Src Port
ICMP Type
ICMP Code
TCP Flags
Packet Length
DSCP
Fragment
Action Rule
traffic-rate
traffic-action
redirect
traffic-marking
+---------------------------------------------------------+
|
AFI(2 octets) 1 and 2
|
+---------------------------------------------------------+
|
SAFI (1 octet) 133 and 134
|
+---------------------------------------------------------+
| Length of Next Hop Network Address (1 octet)
+---------------------------------------------------------+
| Network Address of Next Hop (variable)
|
+---------------------------------------------------------+
| Reserved (1 octet)
|
+---------------------------------------------------------+
| Network Layer Reachability Information (variable)
+---------------------------------------------------------+
|
|
SAFI
133 Dissemination of flow specification rules
134 L3VPN dissemination of flow specification rules
BGP Flowspec defined in RFC5575. draft-ietf-idr-flow-spec-v6 for IPv6 BGP Flowspec
Flow type to identify traffic , Action Rule to execute policy against the traffic
“Flow Type” and “Action Rule” will be advertised by BGP update
BGP Flowspec(RFC5575)
Netflow
collector
Target
Service
203.0.113.1
F markdown to dscp 0
A,B,C to
203.0.113.1 drop
100kbps
D and E to 203.0.113.1 100kbps
Flowspec uses netflow to collect traffic information
Flow rule and action will be distributed by BGP
Agenda
•
BGP Flowspec Overview
•
BGP Flowspec case study
•
JANOG35 Q&A
Flowspec Use case 1 world wide
Time Warner Telecom (TWTC) NANOG38 2006
Deployment Experience With BGP Flow Specification
https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
•
•
DDOS Problem
•
Affect Large/Often to end user
•
Not only end user but also Infrastructure Risk
•
OPEX increase
DDoS Analysis
•
Large DDOS attack by botnet armies/Script Kiddies
•
TCP Syn Flood greater than 1Mpps
•
UDP fragment
•
Most of Attack source APNIC(Chinese) IP source , difficult to track due to national NAT
•
Deployed Flowspec for Peer & Transit router from RR
•
Mitigation from egress point to cleaning vrf
•
What was missing ?
•
Multi vendor support (deployed Juniper and Arbor)
•
Inter-Carrier
•
Matching DSCP
Flowspec Use case 2 world wide
Neo Telecoms FRNOG18 2011
Flowspec
http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
•
Compare RTBH/PBR and Flowspec
•
RTBH(Remote Triggered Black Hole)
Website can protect from DDOS attack, but no more traffic on website
•
PBR(Policy Based Routing)
Can control traffic precisely by hardware
But need contact to service provide operator to run/remove policy when ddos detect
•
Flowspec
Makes static PBR to dyanmic/Propagate PBR rules/do no need additional communication channel
•
Deployed Flowspec on transit router
Would like to use on eBGP as architecture but can not trust customer/don’t like to use flow for ebgp session for
stability reason
•
What’s Next
•
IPv6 and VPNv6 support
•
Traffic Monitoring
•
More vendors(only Juniper and Alcatel support at that time)
Flowspec Use case 3 world wide
GRNET(Greek Research and Technology Network) TNC2012
FireCircle: GRNET’s approach to advanced network security services’
management via bgp flow-spec and NETCONF
https://tnc2012.terena.org/core/presentation/41
•
Background
•
•
•
-
Granularity : per flow
-
Action : drop/rate-limit/redirect,
-
Speedy/ Efficiency / Automation / Manageability
Deployed FireCircle
•
•
•
•
Attacker use zombies, if number of army of zombies then DDOS traffic will be
massive (ex. DNS amp)
Need Better tools
Wizard based UI to define policy from customer
Apply XML configuration to BGP flowspec router via NETCONF
eBGP flowspec propagate policy to GRNET router
Expanding the service to GEANT community
https://fod.grnet.gr/
Participant
NREN
FireCircle
GEANT
NETCONF
GRNET
Atlas DDOS Trend report
•
DDOS Volume(average)
•
What’s Next
•
JAPAN Q2:491.63Mbps Q3:365.8Mbps
• NTP Amp attack can create big volume.
• Asia Q2:530.5Mbps Q3:588.74Mbps
• So Attacker using other protocol.
• World Wide Q2:759.83Mbps Q3:858.98Mbps • SSDP(1900) is increasing
•
NTP Amp trend(average volume)
•
JAPAN Q2:3.22Gbps Q3:281.76Mbps
• Asia Q2:2.57Gbps Q3:2.70Gbps
•
Attack Duration
•
Services
UDP
Source Port
Q3
Maximum
DDOS Volume
Q3
Average
DDOS Volume
SNMP
161
3.75Gbps
769.1Mbps
Chargen
19
21.26Gbps
1.12Gbps
92% DDOS stops within 1hour
DNS
53
43.45Gbps
1.31Gbps
• JAPAN: >1hour 92% average 3h21m
SSDP
1900
51Gbps
5.11Gbps
• Asia: >1hour 94.1% average 31m
• Professional DDOS service is exist http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
ex)5min free 4$/hour
Flowspec Use case 1
•
ISP who is interesting in BGP Flowspec
•
Amp attack are increasing under 5%-> over 70%
•
and valuable
•
Src 53 Dst 0/Src 123/Src 1900/Dst 80
Protect Method
For
Point
If Flowspec deployed
RTBH
rapid action
protect short duration DDOS
more specific flow
can use policer for DDOS amp
ACL
permanent action
flexible/need time to deploy
to be rapidly/manage acl rule
Mitigation
premier service
expensive
would be effective
Flowspec Use case2
•
ISP who already deployed by Juniper
•
and would like to deploy to be more wide by Cisco
•
Flowspec is very useful feature against today’s DDOS, but one consideration
point is scalability spec of forwarding router
•
Rule was too long, so forwarding router could not apply filter as the result not
only DDOS but also normal traffic down
DDOS detect/BGP update send
Rule was too long for forwarding router, cold not apply filter
Agenda
•
BGP Flowspec Overview
•
BGP Flowspec case study
•
JANOG35 Q&A
Discussion summary
•
JANOG had a session of BGP Flowspec in JANOG35
Shishio Tsuchiya
Shojiro Hirasawa
Satoshi Agatsuma
Cisco Systems G.K.
BIGLOBE Inc.
TOYO Corporation
http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS
http://www.janog.gr.jp/meeting/janog35/program/bgpfs/
•
Share question/discussion on JANOG35 meeting
Q1. Does Flowspec really useful?
• Let’s confirm in detail for RFC and IETF WG draft.
Typ
e
IPv4
(RFC5575)
IPv6
(flow-spec-v6)
1
Destination Prefix
Destination IPv6 Prefix
2
Source Prefix
Source IPv6 Prefix
3
IP Protocol
Next Header
4
Port
Port
5
Destination port
Destination port
6
Source port
Source Port
7
ICMP type
ICMP type
8
ICMP code
ICMP type
9
TCP flags
TCP flags
10
Packet length
Packet length
11
DSCP
DSCP
12
Fragment
Fragment
13
N/A
Flow Label
Flow Type has operator code which can
specify lt(less than) gt(grater than)
eq(equal) .
Q1. Does Flowspec really useful? cont’d
type
extended community
Actual Action
RFC/draft
0x8006
traffic-rate
Policing rate
0：drop
RFC5575
0x8007
traffic-action
specific acction
Terminal bit:(0 is terminal)
Sample bit:(1 is logging/sampling)
RFC5575
0x8008
0x8208
0x800b
redirect AS-2byte
redirect AS-4byte
redirect IPv6 specific AS
redirect to specific vrf
flowspec-redirect-rt-bis
flowspec-redirect-rt-bis
flow-spec-v6
0x8108
redirect IPv4 address
redirect to next hop address
redirect IPv6 address
redirect to next hop address
flowspec-redirect-rt-bis
flowspec-redirect-ip
flowspec-redirect-ip
traffic-marking
marking DSCP values
0x8009
flowspec-redirect-rt-bis
flow-spec-v6
•
Most of action rule is defined both IPv4 and IPv6.
•
But redirect IP seems confusing , should watch idr wg activity
Implementation status
•
Cisco
IOS-XR:5.2.0IOS-XE3.14 –(RR)
Forwarding router in
3.15
•
Juniper
JUNOS 7.3-
•
Alcatel-Lucent
SR-OS 9.0R1-
•
Arbor Networks
PeakFlow 6.0-
•
Genie Networks
5.5.1-
•
ExaBGP
Q2. How about interoperability in multi vendor?
•
Cisco IOS
Cisco IOS-XR
JNPR
JUNO
S
ALU
SR-OS
Arbor
Genie
Cisco
IOS






Cisco
IOSXR






JNPR
JUNOS






ALU
SR-OS






Arbor






Genie






There is some intorop report but may need more interop test to deploy ISP network
Q3.Flow is really enough to monitor ISP traffic?
DDOS Traffic
Normal Traffic
offramp solution
would be reasonable
Inline type model
offramp model
need many equipment to monitor all
of subscribers
can use shared resource
have to monitor huge traffic
only suspect traffic will transit to
mitigation
when mitigation fail, the failed
equipment should just transit traffic
when mitigation fail, then advertise
BGP to change rule
Q4.How is DDOS on mobile network?
Global Address
RFC6598 ISP Shared Address
or
RFC1918 Private Address
Global
Address
•
Today’s most of mobile carrier deployed CGN as solution of IPv4 exhaustion problem.
•
Malware/DDOS tool of android already exist.
•
Flow based filtering will be more importance to reduce side affect of DDOS
Q5.Performance issue?
https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
•
It’s depends on router architecture.
APNIC38 Geoff Huston (APNIC) - What's so special about 512?
APRICOT2012 Greg Hankins, Brocade Pushing the Limits, A Perspective on Router Architecture Challenges
•
Usually QoS/PBR is used on TCAM, so performance impact would
be minimize .
Q6.eBGP Use case?
Transit AS
Route Server on IXP
co-Exist with RPKI
ROA
•
Flowspec should work in eBGP peer. But eBGP validation rule for received route should be relaxed.
•
On transit AS/Router server on IXP, it would be desirable service. Because if one AS sends DDOS then
affects to another AS.
•
Validation rule should be relax so maybe we should consider co-exist solution with RPKI to be more
powerful security solution.
•
Should check “Revised Validation Procedure for BGP Flow Specifications” draft-ietf-idr-bgp-flowspec-oid
Q7.How is OpenFlow DDOS solution?
•
There is Openflow DDOS protection solution.
•
Hybrid OF use TCAM also.
•
Difference point are network architecture(full distributed vs controller)
and API(OF vs BGP)
Summary
•
Current DDOS are high volume/short duration/amp attack variable
and increasing
•
BGP Flowspec is useful solution against today’s DDOS attack
•
BGP Flowspec is almost ready to deploy in ISP network.
•
Need detail implementation information of each of
vendors(scalability/nexthop address/IPv6) and interoperability test
result.
•
eBGP should work and customer may desire on-demand
Firewall/PBR services like a FireCircle.