BGP FLOWSPEC OVERVIEW

COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

• DDoS attacks are launched from compromised systems (bots).
• DDoS attack traffic consumes SP network capacity.
• DDoS attack traffic saturates inline security devices.
• DDoS attack traffic targets applications & services.

[Diagram: Botnet and Legitimate Users → Service Provider Network → Enterprise or IDC (Router, IPS/IDS, Firewall, Victim)]

COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

• DDoS attacks against customers are the number 1 operational threat for SPs [1], ahead of outages due to failures or BW saturation.
• Largest attack this year: 400Gbps NTP amplification attack in Feb 2014.
• Frequency of attacks growing alarmingly [1], some SPs with over 100 attacks per month.
• Over one third of Data Centers experienced attacks exceeding the total BW available to the Data Center [1].

SERVICE PROVIDER NETWORK SECURITY DESIGN

• Service Providers must protect their network infrastructure against DDoS attacks, and can also provide DDoS protection services to their customers.
• ISP network security design considerations:
  - Typically uses a “Defense in Depth” model: the same security function is replicated in different layers of the network.
  - DDoS protection functionality can be enabled in multiple network components present in different layers of the network: routers, DDoS scrubbers, IDS/IPS appliances, load balancers, firewalls.
• Routers’ security features play a key role in helping to secure the Service Provider’s network infrastructure and its customers against DDoS attacks.
  - Routers are the first line of defense along the entire perimeter of the network.
  - Routers can mitigate the attack at the network edge, minimizing the impact of the attack traffic.
  - Routers have a better chance to handle high-BW attacks than most other devices.
  - Techniques: D/RTBH, S/RTBH, ACLs, BGP Flowspec.

DDoS MITIGATION – D/RTBH FILTERING

• D/RTBH applied at SP edge: all traffic destined to the prefix announced (victim) is discarded. Traffic could be originated from anywhere.
• Edge routers configured with a blackhole route.
• BGP Announcement: Customer BGP peer initiates BGP update with the prefix to be mitigated pointing to the blackhole route or marked with a Community (the SP could also initiate it).
• Sixth most used tool to mitigate DDoS attacks [1]
• RFCs: RFC 3882, RFC 5635 (includes D/RTBH and S/RTBH)

[Diagram: Good traffic / Attack traffic – Botnet and Legitimate Users → Service Provider Network (RTBH Routers) → Enterprise or IDC (Router, IPS/IDS, Firewall, Victim)]

DDoS MITIGATION – S/RTBH FILTERING

• Edge routers configured with a blackhole route and uRPF enabled in loose mode on the external interfaces (if the source IP matches the blackhole, uRPF treats packets as having failed the uRPF check).
• S/RTBH applied at SP edge: all traffic originated from the prefix announced (attackers) is discarded. Traffic can be destined to anywhere.
• BGP Announcement: SP BGP peer initiates BGP update with the prefix to be mitigated.
• Eighth most used tool to mitigate DDoS attacks [1]
• RFCs: RFC 5635 (includes D/RTBH and S/RTBH)

[Diagram: Good traffic / Attack traffic – Botnet and Legitimate Users → Service Provider Network (RTBH Routers) → Enterprise or IDC (Router, IPS/IDS, Firewall, Victim)]
DDoS MITIGATION – BGP FLOWSPEC

• BGP Flowspec defines a new BGP Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules.
• Specified in RFC 5575 [2] – Dissemination of Flow Specification Rules (extended to IPv6 in draft-ietf-idr-flow-spec-v6-02) [3]
  - NLRI (AFI=1, SAFI=133): IPv4 unicast filtering
  - NLRI (AFI=1, SAFI=134): VPNv4 BGP/MPLS filtering
• Main application today is to automate the distribution of traffic filter lists to routers from a single point of control, for the mitigation of DDoS attacks.
  - Selectively drop traffic flows based on L3/L4 information.
  - An intelligent control platform builds filter rules to filter harmful traffic, encodes them as BGP Flowspec routes and advertises them to BGP peers.
  - The traffic filtering rules can drop or redirect packets that are deemed invalid or suspicious.

DDoS MITIGATION – BGP FLOWSPEC

• The flow specification can match on the following criteria:
  - Source / Destination Prefix
  - IP Protocol (UDP, TCP, ICMP, etc.)
  - Source and/or Destination Port
  - ICMP Type and Code
  - TCP Flags
  - Packet Length
  - DSCP (Diffserv Code Point)
  - Fragment (DF, IsF, FF, LF)
• Actions are defined using Extended Communities:
  - 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
  - 0x8007: traffic-action (sample)
  - 0x8008: redirect to VRF
  - 0x8009: traffic-marking (DSCP value)

WHY USE BGP FOR ACLs?

• ACLs are still the most widely used tool to mitigate DDoS attacks [1]
  - But… ACLs are demanding in configuration & maintenance.
• BGP Flowspec leverages the BGP control plane to simplify the distribution of ACLs, greatly improving operations:
  - Inject new filter rules to all routers simultaneously without changing configuration.
  - Reuse existing BGP operational knowledge & best practices.
• Improve response time to mitigate DDoS attacks!

[Chart: Arbor Networks WISR 2014]

BGP FLOWSPEC MITIGATION

• Edge routers configured with BGP Flowspec sessions, and Flowspec filtering enabled on external peering interfaces.
• BGP Announcement: SP Portal initiates BGP update with the ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it).
• Flowspec filter applied on the external interfaces; only traffic matching that flow is discarded.
• BGP Flowspec route validation performed for eBGP sessions only.

[Diagram: Good traffic / Attack traffic – Botnet and Legitimate Users → Service Provider Network (FLOW Routers) → Enterprise or IDC (Router, IPS/IDS, Firewall, Victim)]

BGP FLOWSPEC – VENDORS & USERS

• Router vendors supporting BGP Flowspec:
  - Alcatel-Lucent 7750 SROS 9.0R1
  - Juniper JunOS 7.3
• DDoS mitigation vendors:
  - Arbor Peakflow SP 3.5
• BGP tools:
  - ExaBGP Injector [5]
• Users:
  - North America: TW Telecom (TWTC) [6], multiple Tier 1, Tier 2
  - Europe: multiple Tier 1, Tier 2
  - Latin America & Caribbean: RNP (Brasil) [7]

TRAFFIC REDIRECTION

• Another application for BGP Flowspec is its use for traffic redirection to a DDoS scrubbing device.
  - DDoS scrubbers are dedicated appliances able to mitigate complex, application-layer DDoS attacks using multiple techniques including DPI inspection, signature matching, behavior analysis, protocol authentication procedures, etc.
• DDoS scrubbers are shared resources in the SP infrastructure, typically deployed in designated locations called Scrubbing Centers.
  - Attack traffic backhauling is required for DDoS mitigation.
• Traffic anomalies entering the network need to be redirected to the Scrubbing Centers and go through the scrubbers before reaching the intended destination (Data Center, Customer Network, etc.):
  - Traffic Diversion or Offramping
  - Traffic Reinjection or Onramping

TRAFFIC REDIRECTION

• Diversion or Offramping: rerouting of traffic destined to the victim to the DDoS mitigation appliance for scrubbing.
• Reinjection or Onramping: redirection of scrubbed (clean) traffic back to its intended destination.
• Typically, traffic diversion takes place through more specific BGP prefix announcements (victim addresses), usually in the GRT (called the diversion/offramp route):
  - Easier to control & manipulate routes (NH, Communities)
  - Can be signaled across AS boundaries if required
  - All traffic to the victim is redirected to the scrubber (good & bad)
• Traffic reinjection usually requires tunneling or an alternate routing domain (VRF) to get clean traffic back to its intended destination without looping.

TRAFFIC REDIRECTION

• Real mitigation of a DNS attack

[Chart: real mitigation of a DNS attack]

BGP FLOWSPEC TRAFFIC REDIRECTION

• BGP Flowspec filter redirects only the specified traffic that matches the rule.
• Diverted traffic is a subset of all traffic destined to the victim.

[Diagram: Internet → FLOW Router → “Dirty” VRF → Scrubbing Center (DDoS Scrubber, Detection & Control) → Traffic Reinjection → Enterprise or IDC (Router, IPS/IDS, Firewall, Victim); Good traffic / Attack traffic; BGP Flowspec Diversion]
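The two BGP Flowspec slides above describe the NLRI (match components) and the action extended communities only in outline. The following Python module is an added example, not code from the Alcatel-Lucent deck or from any vendor; it encodes and decodes the RFC 5575 wire format for the IPv4 components listed on the slide and builds the 0x8006 traffic-rate and 0x8008 redirect extended communities. The victim prefix, the NTP rule and the AS numbers are constructed, documentation-range values chosen for illustration.

```python
"""RFC 5575 BGP Flowspec NLRI and action encoding (added example; not from the slides)."""
import ipaddress
import struct

# Component types (RFC 5575 section 4), in the order they must appear in the NLRI
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
PREFIX_TYPES = {DST_PREFIX, SRC_PREFIX}
BITMASK_TYPES = {TCP_FLAGS, FRAGMENT}

# Operator byte layout: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01)
# for numeric components; bitmask components use not(0x02) m(0x01) instead.
OP_END, OP_AND = 0x80, 0x40
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}
OP_NAMES = {0: "false", OP_EQ: "==", OP_LT: "<", OP_GT: ">", OP_LT | OP_EQ: "<=",
            OP_GT | OP_EQ: ">=", OP_LT | OP_GT: "!=", 7: "true"}


def prefix_component(ctype, cidr):
    """Type 1/2: <prefix-length in bits><only the octets the prefix needs>."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return ctype, bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, values, op=OP_EQ):
    """Numeric types: a list of {operator, value}; terms are ORed unless the
    AND bit is set, and the last term carries the end-of-list bit."""
    body = b""
    for i, value in enumerate(values):
        width = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        opbyte = op | LEN_CODE[width] | (OP_END if i == len(values) - 1 else 0)
        body += bytes([opbyte]) + value.to_bytes(width, "big")
    return ctype, body


def encode_nlri(components):
    """NLRI = length (1 octet if < 240, else 2 octets with high nibble 0xF)
    followed by the components in ascending type order."""
    payload = b"".join(bytes([t]) + body for t, body in sorted(components))
    if len(payload) < 240:
        return bytes([len(payload)]) + payload
    return struct.pack("!H", 0xF000 | len(payload)) + payload


def decode_nlri(data):
    """Parse one NLRI into {type: value}: prefixes as CIDR strings, numeric
    and bitmask components as a list of (operator, value) terms."""
    if data[0] < 0xF0:
        length, pos = data[0], 1
    else:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    end, rules = pos + length, {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            rules[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
            continue
        terms = []
        while True:
            opbyte = data[pos]
            width = 1 << ((opbyte & 0x30) >> 4)
            value = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
            pos += 1 + width
            if ctype in BITMASK_TYPES:   # m=1: exact match, m=0: any bit set
                name = ("not " if opbyte & 0x02 else "") + ("exact" if opbyte & 0x01 else "any")
            else:
                name = OP_NAMES[opbyte & 0x07]
            terms.append(("and " + name if opbyte & OP_AND else name, value))
            if opbyte & OP_END:
                break
        rules[ctype] = terms
    return rules


def traffic_rate(asn, rate):
    """0x8006 traffic-rate: 2-byte AS + IEEE-754 float (bytes/s); rate 0 discards."""
    return struct.pack("!HHf", 0x8006, asn, float(rate))


def redirect_vrf(asn, assigned_number):
    """0x8008 redirect: the value is a route target (AS:number) naming the VRF."""
    return struct.pack("!HHI", 0x8008, asn, assigned_number)


# Constructed rule: drop reflected NTP (UDP, source port 123) headed for a victim
# prefix inside TEST-NET-1. Prefix, ports and AS numbers are illustrative only.
NTP_RULE = encode_nlri([
    prefix_component(DST_PREFIX, "192.0.2.0/24"),
    numeric_component(IP_PROTO, [17]),
    numeric_component(SRC_PORT, [123]),
])

if __name__ == "__main__":
    print("NLRI   :", NTP_RULE.hex())
    print("decoded:", decode_nlri(NTP_RULE))
    print("discard:", traffic_rate(0, 0).hex(), " redirect:", redirect_vrf(65000, 100).hex())
```

Running the module shows the 12-byte NLRI for the NTP rule and the 8-byte communities that would accompany it in the BGP UPDATE. Note that the prefix component carries only as many octets as the prefix length needs, that a single numeric component can hold several ORed values of different widths (80 and 443 in one destination-port component, for instance), and that an NLRI longer than 239 octets switches to the two-octet length form; the decoder handles all three cases.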
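The BGP FLOWSPEC MITIGATION slide states that Flowspec route validation is performed for eBGP sessions only, but does not spell out the check. The following Python is an added example, not code from the deck; it implements the two feasibility conditions of RFC 5575 section 6 against a small unicast RIB: the Flowspec originator must match the originator of the best-match unicast route for the embedded destination prefix, and no more-specific unicast route may exist from a different neighbor AS. The RIB entries, peer addresses and AS numbers are constructed, documentation-range values; treating a rule with no destination prefix as not feasible is this example's own assumption.

```python
"""RFC 5575 section 6 Flowspec route validation (added example; not from the slides)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    """A unicast route as it would sit in the router's RIB."""
    prefix: ipaddress.IPv4Network
    originator: str      # BGP speaker the route was learned from (peer address)
    neighbor_as: int     # left-most AS in the AS_PATH


def best_match(rib, dest):
    """Longest-prefix-match unicast route covering the Flowspec destination prefix."""
    covering = [r for r in rib if dest.subnet_of(r.prefix)]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def validate_flowspec(dest_prefix, flow_originator, rib, ebgp=True):
    """Return (feasible, reason) for a received Flowspec route.
    (a) the Flowspec originator matches the originator of the best-match unicast
        route for the embedded destination prefix, and
    (b) no more-specific unicast route exists from a different neighbor AS.
    Following the slide, the check is applied on eBGP sessions only."""
    if not ebgp:
        return True, "iBGP session: validation not applied"
    if dest_prefix is None:
        # Assumption of this example: nothing to compare against, so reject.
        return False, "no destination prefix component: cannot validate"
    dest = ipaddress.IPv4Network(dest_prefix)
    best = best_match(rib, dest)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    if best.originator != flow_originator:
        return False, f"originator {flow_originator} != unicast originator {best.originator}"
    for route in rib:
        if (route.prefix.prefixlen > dest.prefixlen
                and route.prefix.subnet_of(dest)
                and route.neighbor_as != best.neighbor_as):
            return False, f"more specific {route.prefix} learned from AS{route.neighbor_as}"
    return True, "feasible"


# Constructed RIB (documentation prefixes only): one aggregate from AS64496 and the
# upper half of it learned as a more specific route from a different AS64497.
RIB = [
    UnicastRoute(ipaddress.IPv4Network("198.51.100.0/24"), "203.0.113.1", 64496),
    UnicastRoute(ipaddress.IPv4Network("198.51.100.128/25"), "203.0.113.9", 64497),
]

if __name__ == "__main__":
    cases = [("198.51.100.10/32", "203.0.113.1"),   # feasible
             ("198.51.100.10/32", "203.0.113.9"),   # (a) fails: wrong originator
             ("198.51.100.0/24", "203.0.113.1"),    # (b) fails: /25 from AS64497
             ("192.0.2.0/24", "203.0.113.1")]       # no covering unicast route
    for dest, peer in cases:
        print(dest, peer, validate_flowspec(dest, peer, RIB))
```

The point of condition (b) is that a peer may only install filters for address space it is the sole unicast source for: in the constructed RIB, AS64496 cannot filter the whole /24 because part of it is routed via AS64497, while a /32 in the lower half validates. Peers that legitimately need to filter traffic they do not originate, such as the SP portal in the mitigation slide, are the reason iBGP sessions skip the check and the reason reference [4] revises the procedure.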
BGP FLOWSPEC REDIRECTION – Optimized Design & Operation

• No changes to the Global Routing Table (GRT)
  - Diversion performed by Flowspec NLRI
  - Flowspec filter action configured to “Redirect to VRF” – Extended Community 0x8008
  - Less intrusive to the routing system
• No need for a tunneling design for reinjection/onramping
  - Clean traffic can simply be sent back to the GRT
• More granular control of diverted traffic
  - Allows for the redirection of only a subset of the traffic to the victim: specific protocols, ports, source prefix, destination prefix
• Less traffic overhead for the DDoS scrubber to deal with

BGP FLOWSPEC REDIRECTION – Enabling New Workflows

• Facilitates the implementation of new mitigation workflows for demanding use cases:
  - “Always on” mitigations for critical resources:
    - HTTPS traffic only (normal web traffic follows the on-demand mitigation model)
    - Victims with very large traffic volume
  - Divert just traffic from a certain block, or geographical region (based on IP location)

SUMMARY – BGP FLOWSPEC

- Improved workflow for the application of ACLs for the mitigation of DDoS attacks by infrastructure routers
- Improved traffic diversion for the mitigation of complex DDoS attacks by scrubbing appliances
- Allows for a better optimization of the shared mitigation capacity of the scrubbers.
- Simplifies the design of traffic redirection & reinjection in the network

References:
[1] Arbor Networks – 2014 Worldwide Infrastructure Security Report, Volume IX
[2] RFC 5575, Dissemination of Flow Specification Rules
[3] draft-ietf-idr-flow-spec-v6-03 – Dissemination of Flow Specification Rules for IPv6
[4] draft-ietf-idr-bgp-flowspec-oid-01 – Revised Validation Procedure for BGP Flow Specifications
[5] 2010 – LINX69, Thomas Mangin (Exa Networks), Andy Davidson (NetSumo), “BGP Route Injection”, http://www.andyd.net/media/talks/BGPRouteInjection.pdf
[6] 2006 – NANOG 38, D. Gassen, R. Lozano (Time Warner Telecom), D. McPherson, C. Labovitz (Arbor Networks), “BGP Flow Specification Deployment Experience”
[8] GTER/GTS 2007, Raniery Pontes (RNP), “Flowspec em ação - Experiência de uso no backbone da RNP” (Flowspec in action – usage experience on the RNP backbone)