BGP FLOWSPEC OVERVIEW
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
DDoS attacks are launched from
compromised systems (bots)
DDoS attack traffic consumes
SP network capacity
DDoS attack traffic saturates
inline security devices
Victim
Router
IPS/IDS
Firewall
Botnet
Legitimate Users
Service Provider Network
Enterprise or IDC
DDoS attack traffic targets
applications & services
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
• DDoS attacks against customers is the number
1 operational threat for SP [1], ahead of
outages due to failures or BW saturation.
• Largest attack this year: 400Gbps NTP
amplification attack in Feb 2014.
• Frequency of attacks growing alarmingly [1],
some SP with over 100 attacks per month.
• Over one third of Data Centers experienced
attacks exceeding the total BW available to
the Data Center [1].
4
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
SERVICE PROVIDER NETWORK SECURITY DESIGN
• Service Providers must protect their network infrastructure against DDoS attacks,
and can also provide DDoS protection services to their customers.
• ISP network security design considerations:
- Typically uses a “Defense in Depth” model:
- Same security function replicated in different layers of the network
- DDoS protection functionality can be enabled in multiple network components present in different
layers of the network:
- Routers, DDoS Scrubbers, IDS/IPS appliances, Load Balancers, Firewalls.
• Router’s security features play a key role in helping to secure Service Provider’s
network infrastructure and its customers against DDoS attacks.
-
Routers are the first line of defense along the entire perimeter of the network
Routers can mitigate the attack at the network edge, minimizing the impact of the attack traffic
Routers have a better chance to handle high BW attacks than most other devices
Techniques: D/RTBH, S/RTBH, ACLs, BGP Flowspec
5
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
DDoS MITIGATION – D/RTBH FILTERING
Good traffic
Attack traffic
D/RTBH applied at SP edge: all traffic
destined to the prefix announced
(victim) is discarded. Traffic could be
originated from anywhere.
Edge routers configured
with blackhole route
BGP Announcement
Customer BGP peer initiates BGP update
with prefix to be mitigated pointing to
the blackhole route or marked with
Community (SP could also initiate it).
Victim
Router
RTBH
RTBH
Router
IPS/IDS
Firewall
Botnet
Legitimate Users
Service Provider Network
• Sixth most used tool to mitigate DDoS attacks [1]
• RFCs: RFC 3882, RFC 5635 (includes D/RTBH and S/RTBH)
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
Enterprise or IDC
DDoS MITIGATION – S/RTBH FILTERING
Good traffic
Attack traffic
Edge routers configured with blackhole
route and uRPF enabled in loose mode
on the external interfaces (if source IP
matches the blackhole, uRPF treats
packets as having failed uRPF check).
S/RTBH applied at SP edge: all traffic
originated from the prefix
announced (attackers) is discarded.
Traffic can be destined to anywhere.
BGP Announcement
SP BGP peer initiates BGP update
with prefix to be mitigated.
Victim
RTBH
RTBH
Router
IPS/IDS
Firewall
Botnet
Legitimate Users
Service Provider Network
• Eigth most used tool to mitigate DDoS attacks [1]
• RFCs: RFC 5635 (includes D/RTBH and S/RTBH)
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
Enterprise or IDC
DDoS MITIGATION – BGP FLOWSPEC
• BGP Flowspec defines a new BGP Network Layer Reachability Information (NLRI)
format used to distribute traffic flow specification rules.
• Specified in RFC 5575 [2]- Dissemination of Flow Specification Rules (extended to
IPv6 in draft-ietf-idr-flow-spec-v6-02) [3]
- NLRI (AFI=1, SAFI=133): IPv4 unicast filtering
- NLRI (AFI=1, SAFI=134): VPNv4 BGP/MPLS filtering
• Main application today is to automate the distribution of traffic filter lists to routers
from a single point of control, for the mitigation of DDoS attacks.
- Selectively drop traffic flows based on L3/L4 information.
- Intelligent control platform builds filter rules to filter harmful traffic, encodes them as BGP flowspec
routes and advertises them to BGP peers.
- The traffic filtering rules can drop or redirect packets that are deemed invalid or suspicious
8
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
DDoS MITIGATION – BGP FLOWSPEC
• The Flow specification can match on the following criteria:
-
Source / Destination Prefix
IP Protocol (UDP, TCP, ICMP, etc.)
Source and/or Destination Port
ICMP Type and Code
TCP Flags
Packet Length
DSCP (Diffserv Code Point)
Fragment (DF, IsF, FF, LF)
• Actions are defined using Extended Communities:
-
0x8006:
0x8007:
0x8008:
0x8009:
traffic-rate (rate 0 discards all traffic for the flow)
traffic-action (sample)
redirect to VRF
traffic-marking (DSCP value )
9
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
WHY USE BGP FOR ACLs?
• ACLs are still the most widely used tool to mitigate DDoS attacks [1]
- But…ACLs are demanding in configuration & maintenance.
• BGP Flowspec leverages the BGP Control Plane to simplify the distribution of
ACLs, greatly improving operations:
- Inject new filter rules to all routers
simultaneously without changing configuration.
- Reuse existing BGP operational knowledge &
best practices.
• Improve response time to mitigate
DDoS attacks!
and
mitigate
Arbor Networks WISR 2014
10
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
BGP FLOWSPEC MITIGATION
Good traffic
Attack traffic
BGP Announcement
Flowspec filter applied on the
external interfaces, only traffic
matching that flow is discarded.
Edge routers configured with
BGP flowspec sessions, and
flowspec filtering enabled on
external peering interfaces.
SP Portal initiates BGP update with
ACL filter to be applied at the edge
router external interfaces (in theory
the customer could also initiate it).
Victim
Router
FLOW
FLOW
Router
IPS/IDS
Firewall
Botnet
Legitimate Users
Service Provider Network
Enterprise or IDC
• BGP Flowspec route validation performed for eBGP sessions only.
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
BGP FLOWSPEC – VENDORS & USERS
• Router vendors supporting BGP Flowspec:
- Alcatel-Lucent 7750 SROS 9.0R1
- Juniper JunOS 7.3
• DDoS mitigation vendors:
- Arbor Peakflow SP 3.5
• BGP Tools:
- ExaBGP Injector [5]
• Users:
- North America: TW Telecom (TWTC) [6], multiple Tier 1, Tier 2
- Europe: multiple Tier 1, Tier 2
- Latin America & Caribbean: RNP (Brasil) [7]
TRAFFIC REDIRECTION
• Another application for BGP Flowspec is its use for traffic redirection to a
DDoS Scrubbing device.
- DDoS scrubbers are dedicated appliances able to mitigate complex, applicationlayer DDoS attacks using multiple techniques including: DPI inspection, signature
matching, behavior analysis, protocol authentication procedures, etc.
• DDoS Scrubbers are shared resources in the SP infrastructure, typically
deployed in designated locations called Scrubbing Centers.
- Attack traffic backhauling is required for DDoS mitigation
• Traffic anomalies entering the network need to be redirected to the
Scrubbing Centers and go through the scrubbers before reaching the intended
destination (Data Center, Customer Network, etc.):
- Traffic Diversion or Offramping
- Traffic Reinjection or Onramping
13
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
TRAFFIC REDIRECTION
• Diversion or Offramping: rerouting of traffic destined to the victim to the
DDoS mitigation appliance for scrubbing.
• Reinjection or Onramping: redirection of scrubbed (clean) traffic back to
its intended destination.
• Typically, traffic diversion takes place through more specific BGP prefix
announcements (victim addresses), usually in the GRT (called
diversion/offramp route):
- Easier to control & manipulate routes (NH, Communities)
- Can be signaled across AS boundaries if required
- All traffic to victim is redirected to scrubber (good & bad)
• Traffic Reinjection usually requires tunneling or an alternate routing
domain (VRF) to get clean traffic back to its intended destination without
looping.
TRAFFIC REDIRECTION
• Real mitigation of DNS attack
BGP FLOWSPEC TRAFFIC REDIRECTION
Diverted traffic is a
subset of all traffic
destined to victim
Scrubbing Center
Traffic Reinjection
DDoS
Scrubber
Internet
Victim
Router
FLOW
Router
BGP Flowspec filter to
redirect only specified
traffic that matches rule
Detection&
Control
IPS/IDS
Enterprise or
IDC
Enterprise
or
IDC
“Dirty” VRF
Good traffic
Attack traffic
BGP Flowspec
Diversion
Firewall
Internet
16
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
BGP FLOWSPEC REDIRECTION
Optimized Design & Operation
• No changes to the Global Routing Table (GRT)
- Diversion performed by Flowspec NLRI
- Flowspec filter Action configured to “Redirect to VRF”
- Extended Community 0x8008.
- Less intrusive to the routing system
• No need for a tunneling design for reinjection/onramping
- Clean traffic can simply be sent back to the GRT
• More granular control of diverted traffic
- Allows for the redirection of only a subset of the traffic to the victim: specific protocols,
ports, source prefix, destination prefix
• Less traffic overhead for DDoS Scrubber to deal with
BGP FLOWSPEC REDIRECTION
Enabling New Workflows
• Facilitates the implementation of new mitigation workflows for
demanding use cases:
- “Always on” Mitigations for critical resources:
- HTTPS traffic only (normal web traffic follows on-demand mitigation model)
- Victims with very large traffic volume
- Divert just traffic from a certain block, or geographical region (based on IP Location)
SUMMARY – BGP FLOWSPEC
- Improved workflow for the application ACLs for the mitigation of DDoS
attacks by infrastructure routers
- Improved traffic diversion for the mitigation of complex DDoS attacks by
Scrubbing Appliances
- Allows for a better optimization of the shared mitigation capacity of the
scrubbers.
- Simplifies the design of traffic redirection & reinjection in the network
References:
[1] Arbor Networks – 2014 Worldwide Infrastructure Security Report, Volume IX
[2] RFC 5575, Dissemination of Flow Specification Rules
[3] draft-ietf-idr-flow-spec-v6-03 – Dissemination of Flow Specification Rules for IPv6
[4] draft-ietf-idr-bgp-flowspec-oid-01 – Revised Validation Procedure for BGP Flow
Specifications
• [5] 2010 - LINX69, Thomas Mangin (Exa Networks), Andy Davidson (NetSumo), "BGP Route
Injection” http://www.andyd.net/media/talks/BGPRouteInjection.pdf
• [6] 2006 - NANOG 38, D. Gassen, R. Lozano (Time Warner Telecom), D. McPherson, C.
Labovitz (Arbor Networks), "BGP Flow Specification Deployment Experience“
• [8] GTER/GTS 2007, Raniery Pontes (RNP), “Flowspec em ação - Experiência de uso no
backbone da RNP”
•
•
•
•