Protection against DDoS attacks using BGP

Servers hosted in a network run by an autonomous system (AS) are regularly hit by DDoS attacks of various kinds. The target may be an individual resource on a server, the server itself, or the whole site. Every month the number, complexity and volume of attacks grow: attacks of 300-400 Mb/s have given way to attacks of 70-80 Gb/s. Not every attack can be absorbed by tuning the server, and a large one can disrupt the operation of the entire site. Fighting such attacks takes the whole hosting team, and network administrators need their own tools to counter them at the network level. Those tools are the subject of this article.

The article covers the main method of protection against DDoS attacks by means of dynamic routing: the blackhole method ("black hole").
This method completely stops the flow of traffic to the attacked server and takes the load off the channels of the AS and of its provider. For a high-availability virtual hosting service it is an extreme measure, since the blackholed address becomes unreachable for everyone, not only for the attackers, but it remains an effective way to withstand large DDoS attacks that cannot be handled by other means.

A few terms used in the article:
BGP (Border Gateway Protocol) is the main dynamic routing protocol of the global Internet. It lets routers exchange routing information and provides flexible means of traffic management.
BGP community is an attribute of BGP that attaches labels to the routes being transmitted. The values are defined by the operator (only their format, two 16-bit numbers written as ASN:value, is standardized), and router filters can be configured flexibly based on them.
Peering is an established BGP session for exchanging routes.
Network announcement, in the terminology of dynamic routing protocols, is sending routes from the local routing table to a neighbouring router.
AS (Autonomous System) is a set of IP networks managed by one operator under the rules established for the global Internet.
eBGP (External BGP) is the exchange of BGP routes between routers of different ASs.
iBGP (Internal BGP) is the exchange of BGP routes between routers within one AS.
policy-statement, in Juniper router configuration, is a set of rules defining the filtering conditions for routes received or sent via dynamic routing protocols.
DDoS (Distributed Denial of Service) is a distributed denial-of-service attack: an attack that uses a network of malware-infected computers around the world (a botnet) to generate traffic or attacks against the victim.
UDP amplification is a type of DDoS attack carried out through third-party servers with open UDP services such as SNMP, NTP and DNS: the attacker sends small requests with the victim's address spoofed as the source, and the servers send much larger replies to the victim. As a rule this type of attack targets the bandwidth of the victim's channel.
ISP (Internet Service Provider) is an organization that provides Internet access; simply, a provider.

BGP blackhole


Blackhole lets traffic be managed at the provider level, before it reaches our AS. It is effective against large attacks on bandwidth (most often DNS amplification). In the classical scheme the attacked AS announces a route whose next-hop is an address from a non-routable range (RFC 3882 uses 192.0.2.1 from the documentation range; private RFC 1918 addresses are also used). Since backbone providers normally point routes to such ranges to Null0 (Cisco terminology; discard in Juniper), packets destined for the announced route are resolved through that next-hop and dropped automatically, falling into the "black hole" while still in the provider's network. Unfortunately, in real backbone networks routes to private ranges do not always point to Null0, because the providers themselves use these addresses for routing or simply do not follow the RFC recommendations. For this reason the blackhole is most often installed with the help of the more advanced BGP control mechanism, the BGP community. A dedicated community is created for routes whose traffic must be sent to the "black hole". During an attack the administrator of the attacked AS announces a long-mask /32 route tagged with this community, thereby telling the ISP routers that packets to this IP address must be dropped. (Besides provider-specific values, RFC 7999 defines the well-known BLACKHOLE community 65535:666, which many operators honour as well.) Packet filtering on the ISP side can be done either with an ACL or with a Null interface, but the most correct approach is a recursive blackhole, in which the ISP passes the route on to its own providers. The scheme of the recursive blackhole method is shown below:

Attackers in AS3 and AS4 attack a web server with IP address 1.1.1.1 located in AS2. The AS2 network administrator puts the server's address into the blackhole by announcing a /32 route for it tagged with the provider's blackhole community (1:666). The AS1 router, on receiving the /32 with the blackhole community, starts dropping all packets addressed to 1.1.1.1. Moreover, to relieve its own channels, the ISP (AS1) passes this route on to its providers, tagging it with the blackhole communities they provide (3:666 and 4:666 in the diagram). This is far more efficient than simple packet filtering on the AS2 router: it removes the load from the channels between AS1 and AS2 and from the eBGP links of AS1 to its providers, and packets to 1.1.1.1 are dropped on the routers of the providers to which the attackers are directly connected. If an attacker is connected to yet another AS (not one of those providers), each of AS3 and AS4 can in turn announce the route with the blackhole community to their own providers, and so on. In this way all the backbone networks along the path are unloaded from the DDoS traffic.

BGP blackhole practice


The article would not be complete without an example of a practical implementation. It is shown on Juniper routers, but can be implemented on equipment of any vendor.

Provider side setup

First, create a dedicated community to mark prefixes placed in the blackhole:
set policy-options community TEST_blackhole members 1:666 

where 1 is the provider's AS number (it keeps the community unique even when the route is passed on through other ISPs' networks), and 666 is the community value (it can be anything, but 666 is the customary choice; RFC 7999 reserves 65535:666 as the well-known BLACKHOLE community). Next, create a policy for prefixes imported from our peer, select those carrying the blackhole community and send them to Null (discard in Juniper):
    [edit policy-options policy-statement Blackhole-import]
    term to-blackhole {
        from community TEST_blackhole;
        then {
            community add ISP-community;   /* blackhole community issued by our own upstream ISP */
            next-hop discard;
            accept;
        }
    }

Assign this policy-statement as the import policy of the eBGP session with the client. Note that, as shown, the term accepts any prefix carrying the community; in production it should additionally be limited to /32 routes from a prefix list of that customer's own networks, otherwise a customer could blackhole addresses that do not belong to it. The ISP-community referenced in the term is the blackhole community of our own upstream, defined in the same way as TEST_blackhole but with the upstream's AS number.

Client side setup

Similarly, first create the community that marks prefixes placed in the blackhole:
  set policy-options community TEST_blackhole members 1:666 

The values are the same as on the provider side, with the only difference that the AS number must be that of the provider, since it is the provider who issues the community and defines its meaning. Next, create a policy-statement that adds the community to the prefixes that must be sent to the ISP router:
    policy-statement Blackhole-export {
        term blackhole {
            from {
                protocol static;
                tag 666;
            }
            then {
                community set TEST_blackhole;
                accept;
            }
        }
        then reject;
    }

The prefixes are selected from static routes. Since the router normally knows only its aggregate networks, not /32 host routes, the specific prefix has to be created separately. As the rule shows, this policy-statement selects all static routes with tag 666 (the tag value can be anything) and rejects everything else. Assign this policy-statement as an export policy on the eBGP session to our provider; because of the closing `then reject`, chain it after the policy that exports your regular prefixes (or drop the final reject) rather than replacing that policy, or the session will stop announcing your normal networks. Now, when a server address needs to be put into the blackhole, create a static /32 route on our router.
For example, to put the address from the diagram into the blackhole, execute:
 set routing-options static route 1.1.1.1/32 discard tag 666 

where 1.1.1.1 is the IP address being blackholed. Removing the static route withdraws the /32 announcement and restores normal traffic to the server.
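To make the whole exchange concrete, here is an added Python model (written for this edit, not code from the article or from Juniper) of the recursive blackhole from the diagram and of the two policy-statements above. client_export() mirrors Blackhole-export, provider_import() mirrors the to-blackhole term of Blackhole-import, recursive_blackhole() walks AS2 -> AS1 -> AS3/AS4, and junos_blackhole_commands() produces the client-side set command. The AS numbers, the customer allocation 1.1.1.0/24, and the /32 and prefix-ownership checks inside provider_import() are assumptions of the example; the page's own import policy has no such checks.

```python
"""Added example: a model of the recursive BGP blackhole from the diagram (AS2 -> AS1 -> AS3/AS4).

Not code from the article or from Juniper. The two policy functions mirror the Junos
policy-statements shown on the page; the /32 and prefix-ownership checks in provider_import()
are assumptions of this example that the page's Blackhole-import policy does not have.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BLACKHOLE_TAG = 666  # route tag from the article's "set routing-options static route ... tag 666"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    communities: Set[str] = field(default_factory=set)  # BGP communities as "asn:value"
    discard: bool = False                               # True once next-hop is discard / Null0
    tag: Optional[int] = None                           # Junos route tag (static routes only)


def blackhole_community(asn: int) -> str:
    """The blackhole community an ISP hands to its customers, in the article's <ISP ASN>:666 form."""
    return f"{asn}:666"


def client_export(static_routes: List[Route], provider_asn: int) -> List[Route]:
    """Client side (AS2): mirrors policy-statement Blackhole-export.

    Static routes tagged 666 are announced with the provider's blackhole community;
    the closing 'then reject' of the policy drops everything else."""
    return [Route(r.prefix, {blackhole_community(provider_asn)})
            for r in static_routes if r.tag == BLACKHOLE_TAG]


def provider_import(route: Route, own_asn: int, customer_prefixes: List[str],
                    upstreams: List[int]) -> Optional[Route]:
    """Provider side: mirrors term to-blackhole of policy-statement Blackhole-import.

    Returns the discard route installed locally (already tagged with the upstreams'
    blackhole communities for re-announcement), or None if the announcement is ignored.
    The /32 and ownership checks are assumptions of this example: without them a customer
    could null-route addresses that are not its own."""
    if blackhole_community(own_asn) not in route.communities:   # from community TEST_blackhole
        return None
    if route.prefix.prefixlen != 32:
        return None
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    if not any(route.prefix.subnet_of(p) for p in allowed):
        return None
    installed = Route(route.prefix, set(route.communities), discard=True)  # next-hop discard; accept
    for up_asn in upstreams:
        installed.communities.add(blackhole_community(up_asn))           # community add ISP-community
    return installed


def recursive_blackhole(victim: str, customer_prefixes: List[str]) -> Dict[int, Route]:
    """Walk the diagram: AS2 announces the /32, AS1 drops it and passes it on, AS3 and AS4 drop it too.

    Returns {asn: installed discard route} for every AS that ends up dropping the traffic."""
    static = [Route(ipaddress.ip_network(f"{victim}/32"), tag=BLACKHOLE_TAG)]
    dropped: Dict[int, Route] = {}
    for announced in client_export(static, provider_asn=1):
        as1_route = provider_import(announced, own_asn=1,
                                    customer_prefixes=customer_prefixes, upstreams=[3, 4])
        if as1_route is None:
            continue
        dropped[1] = as1_route
        # AS1 re-announces to its own providers (3:666 and 4:666 in the diagram); for them
        # the allowed prefixes are AS1's customer cone, which here contains only AS2's block.
        for up_asn in (3, 4):
            up_route = provider_import(as1_route, own_asn=up_asn,
                                       customer_prefixes=customer_prefixes, upstreams=[])
            if up_route is not None:
                dropped[up_asn] = up_route
    return dropped


def junos_blackhole_commands(victim: str, own_prefixes: List[str]) -> List[str]:
    """Client-side 'set' command from the article, emitted only if the address really is ours."""
    ip = ipaddress.ip_address(victim)
    if not any(ip in ipaddress.ip_network(p) for p in own_prefixes):
        raise ValueError(f"{victim} is outside our own prefixes; refusing to blackhole it")
    return [f"set routing-options static route {ip}/32 discard tag {BLACKHOLE_TAG}"]


if __name__ == "__main__":
    AS2_PREFIXES = ["1.1.1.0/24"]   # constructed: AS2's allocation, holding the 1.1.1.1 server
    for asn, r in sorted(recursive_blackhole("1.1.1.1", AS2_PREFIXES).items()):
        print(f"AS{asn}: {r.prefix} -> discard, communities {sorted(r.communities)}")
    print("\n".join(junos_blackhole_commands("1.1.1.1", AS2_PREFIXES)))
```

Running it shows the /32 installed as a discard route in AS1, AS3 and AS4 with the communities accumulated at each hop, which is exactly why the attack traffic never reaches the AS1-AS2 link; an address outside the customer's allocation (or a longer-than-/32 mistake such as a /24) is silently ignored by every provider in the chain.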

Conclusion


The described method makes it possible to fight attacks that disrupt the operation of an entire site. Such attacks can reach hundreds of gigabits per second, and even a backbone provider cannot always cope with them. The BGP community attribute is widely used by backbone providers for traffic classification and operational control. Many ISPs provide a whole set of communities that allow not only placing certain addresses in a blackhole, but also controlling how traffic enters their AS, that is, managing traffic on the provider's own channels. Studying the provider's community set lets a network administrator design a scheme for countering DDoS attacks and sometimes automate their mitigation.

Source: https://habr.com/ru/post/211176/
