10-03-16 DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest

Presentation transcript:

Slide 2 (RTBH diagram labels): Target; RTBH Controller; Upstream Peer; My POI Router; My AS; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; Upstream

Slide 3 (RTBH diagram labels): Target; RTBH Controller; Upstream Peer; My POI Router; My AS; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; Upstream AS

Slide 4 (RTBH diagram labels): Target; RTBH Controller; Upstream Peer; My POI Router; IBGP Update: /32 -> null, BGP-COMM: MyASN:911; My AS; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; Upstream AS

Slide 5 (RTBH diagram labels): Target; RTBH Controller; Upstream Peer; My POI Router; IBGP Update: /32, BGP-COMM: MyASN:911; My AS; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; EBGP Update: /32, BGP-COMM: ; Upstream AS

Slides 6-7 (source-based RTBH diagram labels): Attack Source; RTBH Controller; Upstream Peer; My POI Router; My AS; uRPF Loose mode; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; Upstream AS; Target

Slide 8 (source-based RTBH diagram labels): Attack Source; RTBH Controller; Upstream Peer; My POI Router; My AS; uRPF Loose mode; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; Upstream AS; Target; IBGP Update: /32, BGP-COMM: MyASN:

Slide 9 (source-based RTBH diagram labels): Attack Source; RTBH Controller; Upstream Peer; My POI Router; IBGP Update: /32, BGP-COMM: MyASN:911; My AS; uRPF Loose mode; Static route /24 null; IBGP Policy: Match BGP-COMM MyASN:911, Set next-hop; EBGP Update: /32, BGP-COMM: ; Upstream AS; Target

Slides 33-34 (BGP Flowspec diagram labels): BGP-FS Controller; Upstream Peer; My POI Router; My AS; Flowspec enabled on Transit; Upstream AS; Target , UDP/; Attack Sources

Slide 35 (BGP Flowspec diagram labels): Upstream Peer; My POI Router; My AS; Flowspec enabled on Transit; Upstream AS; BGP-FS Controller; Target , UDP/53; Attack Sources
IBGP (FS) Update:
  Match: Dst Prefix: /32; Protocol: eq 17 (UDP); Port: eq 53; Packet-len: gt 100
  Action: Rate-Limit: 0 (Drop)

Slides 36-37 (BGP Flowspec diagram labels): Upstream Peer; My POI Router; My AS; Flowspec enabled on Transit; Upstream AS; BGP-FS Controller; Target , UDP/53; Attack Sources
IBGP (FS) Update:
  Match: Dst Prefix: /32; Protocol: eq 17 (UDP); Port: eq 53; Packet-len: gt 100
  Action: Rate-Limit: 0 (Drop)
EBGP (FS) Update:
  Match: Dst Prefix: /32; Protocol: eq 17 (UDP); Dst Port: eq 53; Packet-len: gt 100
  Action: Rate-Limit: 0 (Drop)

Slide 49 (architecture diagram labels): Service; Upstream Peer; My POI Router; Upstream; Application Firewall; NetFlow/SPAN/Tap; IDS/Analyser; My AS; BGP RR

Slide 50 (architecture diagram labels): Service; BGP RR; Upstream Peer; My POI Router; Upstream; Application Firewall; NetFlow/SPAN/Tap; IDS/Analyser; My AS; Events/Alarms; Event Aggregator/Controller

Slide 51 (architecture diagram labels): Service; Upstream Peer; My POI Router; Upstream; Application Firewall; NetFlow/SPAN/Tap; IDS/Analyser; My AS; Events/Alarms; BGP; BGP-FS; BGP RR; Event Aggregator/Controller
