Transcript BCP-38 demo
BCP-38 demo
Alan Barrett
Geert Jan de Groot
& cast of thousands
Agenda
• BCP-38 DNS DDOS demo
• Build spoofed packet traffic generator
– “be the bad-behaving customer”
• Configure the network to filter
– “be the responsible ISP”
Basic network
DNS request
Client
DNS
DNS response
Network diagram
VICTIM
DNS
R
R
R
PC
PC
PC
Row A
Row B
Row C
R
….
PC
Row J
Step 1: install and run
software
• Download packet spoofing software
• Configure
• Run
More details on next pages
1(a): Download packet
spoofing software
• cd $HOME
• mkdir spoofing-demo; cd spoofing-demo
• ftp 196.200.222.1
– login as “anonymous”
– cd /pub/e2/bcp38
– binary
– mget * (enter “a” to get all files)
1(b): Configure
• From your PC, ping the IP address of
your router:
ping -c 1 ip.ad.re.ss
• Find out and write down the MAC
address of your router:
arp -an
• Edit spoof_script and change:
– TABLE_ROW
– ROUTER_MAC
1(c): Run the spoofer
• chmod 755 spoof_script tcpreplay
• Start the generator (as root):
./spoof_script
Step 2: Observe spoofed
packets and responses
• Instructors use “tcpdump” to capture
traffic on backbone.
• Observe the spoofed packets, and
responses to them.
Step 3: Enable unicast
reverse-path filtering (URPF)
• Login to router
• Configure
interface fastEthernet0/0
ip verify unicast reverse-path
• For all destinations that are routed
outwards through this interface,
incoming traffic in the opposite direction
is allowed.
Step 4: See that it worked
• Observe that the tcpdump display stops
showing spoofed packets
• show ip interface fastEthernet0/0
– Near the end, see “verification drops”
URPF variant for multi-homed
customer
! access-list 42 will permit the routes
! that would otherwise fail the test
! (e.g. downlink through a different ISP)
ip access-list 42 permit 192.0.2.0 0.0.0.255
interface fastEthernet0/0
ip verify unicast reverse-path 42
Another variant: Filtering using
access-group
! access-list 123 permits all packets
! from the customer
ip access-list 123 permit ip 192.0.2.0
0.0.0.255 0.0.0.0 255.255.255.255
interface fastEthernet0/0
ip access-group 123 in
• This is less efficient and more difficult to
configure