COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY.

Presentation transcript:

BGP FLOWSPEC OVERVIEW

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

[Figure labels: Botnet, Legitimate Users, Service Provider Network, Router, Enterprise or IDC, Firewall, IPS/IDS, Victim]

- DDoS attacks are launched from compromised systems (bots)
- DDoS attack traffic consumes SP network capacity
- DDoS attack traffic saturates inline security devices
- DDoS attack traffic targets applications & services

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

- DDoS attacks against customers are the number 1 operational threat for SPs [1], ahead of outages due to failures or bandwidth saturation.
- Largest attack this year: 400 Gbps NTP amplification attack in February.
- The frequency of attacks is growing alarmingly [1]; some SPs see over 100 attacks per month.
- Over one third of data centers experienced attacks exceeding the total bandwidth available to the data center [1].

SERVICE PROVIDER NETWORK SECURITY DESIGN

Service Providers must protect their network infrastructure against DDoS attacks, and can also provide DDoS protection services to their customers.

ISP network security design considerations:
- Typically uses a "Defense in Depth" model: the same security function is replicated in different layers of the network.
- DDoS protection functionality can be enabled in multiple network components present in different layers of the network: routers, DDoS scrubbers, IDS/IPS appliances, load balancers, firewalls.

Router security features play a key role in helping to secure the Service Provider's network infrastructure and its customers against DDoS attacks:
- Routers are the first line of defense along the entire perimeter of the network.
- Routers can mitigate the attack at the network edge, minimizing the impact of the attack traffic.
- Routers have a better chance of handling high-bandwidth attacks than most other devices.
- Techniques: D/RTBH, S/RTBH, ACLs, BGP Flowspec.

DDoS MITIGATION – D/RTBH FILTERING

[Figure labels: Botnet, Legitimate Users, Service Provider Network, Router, Enterprise or IDC, Firewall, IPS/IDS, Victim; Good traffic, Attack traffic, BGP Announcement]

- D/RTBH applied at the SP edge: all traffic destined to the announced prefix (the victim) is discarded. The traffic can originate from anywhere.
- The customer BGP peer initiates a BGP update with the prefix to be mitigated, pointing to the blackhole route or marked with a community (the SP could also initiate it).
- Edge routers are configured with a blackhole route.
- RTBH is the sixth most used tool to mitigate DDoS attacks [1].
- RFCs: RFC 3882, RFC 5635 (includes D/RTBH and S/RTBH).

DDoS MITIGATION – S/RTBH FILTERING

[Figure labels: Botnet, Legitimate Users, Service Provider Network, Router, Enterprise or IDC, Firewall, IPS/IDS, Victim; Good traffic, Attack traffic, BGP Announcement]

- S/RTBH applied at the SP edge: all traffic originating from the announced prefix (the attackers) is discarded. The traffic can be destined to anywhere.
- Edge routers are configured with a blackhole route and uRPF enabled in loose mode on the external interfaces (if the source IP matches the blackhole route, uRPF treats the packets as having failed the uRPF check).
- The SP BGP peer initiates a BGP update with the prefix to be mitigated.
- RTBH is the eighth most used tool to mitigate DDoS attacks [1].
- RFCs: RFC 5635 (includes D/RTBH and S/RTBH).

DDoS MITIGATION – BGP FLOWSPEC

BGP Flowspec defines a new BGP Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules.
- Specified in RFC 5575 [2], Dissemination of Flow Specification Rules (extended to IPv6 in draft-ietf-idr-flow-spec-v6-02 [3]).
- NLRI (AFI=1, SAFI=133): IPv4 unicast filtering
- NLRI (AFI=1, SAFI=134): VPNv4 BGP/MPLS filtering

The main application today is to automate the distribution of traffic filter lists to routers from a single point of control, for the mitigation of DDoS attacks:
- Selectively drop traffic flows based on L3/L4 information.
- An intelligent control platform builds filter rules to filter harmful traffic, encodes them as BGP Flowspec routes and advertises them to its BGP peers.
- The traffic filtering rules can drop or redirect packets that are deemed invalid or suspicious.

DDoS MITIGATION – BGP FLOWSPEC

The flow specification can match on the following criteria:
- Source / Destination Prefix
- IP Protocol (UDP, TCP, ICMP, etc.)
- Source and/or Destination Port
- ICMP Type and Code
- TCP Flags
- Packet Length
- DSCP (Diffserv Code Point)
- Fragment (DF, IsF, FF, LF)

Actions are defined using Extended Communities:
- 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
- 0x8007: traffic-action (sample)
- 0x8008: redirect to VRF
- 0x8009: traffic-marking (DSCP value)
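As an added example (not code from the slides or from Alcatel-Lucent), the following Python encodes the on-the-wire form of a Flowspec NLRI (destination prefix, IP protocol and port components) and the 0x8006 traffic-rate and 0x8008 redirect-to-VRF action communities described above, following the component and numeric-operator layout of RFC 5575. The victim address and AS numbers are constructed documentation values; only the components used here are implemented.

```python
"""Encoder for a subset of the RFC 5575 Flowspec NLRI (IPv4, SAFI 133) and
its action Extended Communities. Example code, not the slides' or any vendor's."""
import ipaddress
import struct

# Component types from RFC 5575 section 4 (only the ones implemented here)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6

def _prefix_component(ctype, prefix):
    """<type><prefix length in bits><only the prefix bytes needed>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def _numeric_component(ctype, values):
    """Numeric operator list; each operator byte is e|a|len|0|lt|gt|eq.
    Several values mean 'equal to any of these' (a-bit clear = OR); the last
    operator carries the end-of-list bit. Ranges (lt/gt) are not implemented."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            size, fmt = 0, ">B"          # len=00 -> 1-byte value
        elif v < 0x10000:
            size, fmt = 1, ">H"          # len=01 -> 2-byte value
        else:
            size, fmt = 2, ">I"          # len=10 -> 4-byte value
        op = (size << 4) | 0x01          # len bits + eq
        if i == len(values) - 1:
            op |= 0x80                   # end-of-list
        out += bytes([op]) + struct.pack(fmt, v)
    return bytes(out)

def flowspec_nlri(dst_prefix=None, src_prefix=None, proto=None, dst_ports=None, src_ports=None):
    """NLRI = length (1 byte if < 240, else 2 bytes with high nibble 0xF)
    followed by the components in ascending type order."""
    body = b""
    if dst_prefix:
        body += _prefix_component(DEST_PREFIX, dst_prefix)
    if src_prefix:
        body += _prefix_component(SRC_PREFIX, src_prefix)
    if proto is not None:
        body += _numeric_component(IP_PROTO, [proto])
    if dst_ports:
        body += _numeric_component(DEST_PORT, dst_ports)
    if src_ports:
        body += _numeric_component(SRC_PORT, src_ports)
    length = len(body)
    hdr = bytes([length]) if length < 0xF0 else struct.pack(">H", 0xF000 | length)
    return hdr + body

def traffic_rate(rate_bps, asn=0):
    """0x8006: 2-byte AS + 4-byte IEEE float rate in bytes/s; rate 0 discards the flow."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bps)

def redirect_vrf(asn, assigned):
    """0x8008: redirect to the VRF that imports route target asn:assigned."""
    return struct.pack(">BBHI", 0x80, 0x08, asn, assigned)

if __name__ == "__main__":
    # Constructed case: discard UDP/53 toward one victim address (documentation range)
    nlri = flowspec_nlri(dst_prefix="192.0.2.1/32", proto=17, dst_ports=[53])
    print(nlri.hex(), traffic_rate(0).hex(), redirect_vrf(64496, 100).hex())
```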

WHY USE BGP FOR ACLs?

ACLs are still the most widely used tool to mitigate DDoS attacks [1]
- But... ACLs are demanding in configuration & maintenance.

BGP Flowspec leverages the BGP control plane to simplify the distribution of ACLs, greatly improving operations:
- Inject new filter rules into all routers simultaneously without changing configuration.
- Reuse existing BGP operational knowledge & best practices.
- Improve response time to mitigate DDoS attacks!

Source: Arbor Networks WISR 2014

BGP FLOWSPEC MITIGATION

[Figure labels: Botnet, Legitimate Users, Service Provider Network, Router, Enterprise or IDC, Firewall, IPS/IDS, Victim; Good traffic, Attack traffic, BGP Announcement, FLOW]

- Flowspec filter applied on the external interfaces: only traffic matching that flow is discarded.
- The SP portal initiates a BGP update with the ACL filter to be applied at the edge router's external interfaces (in theory the customer could also initiate it).
- Edge routers are configured with BGP Flowspec sessions, and Flowspec filtering is enabled on the external peering interfaces.
- BGP Flowspec route validation is performed for eBGP sessions only.
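The eBGP route validation mentioned above is what stops a peer from injecting filters for address space it does not route. As an added example (not the slides' or any vendor's code), this Python applies the RFC 5575 section 6 check: a flow route is accepted only if its originator is also the originator of the best-match unicast route for the flow's destination prefix, and no more-specific unicast route for that destination came from a different neighbor AS. The unicast RIB and AS numbers are constructed, and "originator" is simplified to the neighbor AS.

```python
"""RFC 5575 section 6 validation of an eBGP-learned Flowspec route against a
(constructed) unicast RIB. Example code, not from the slides or any vendor."""
import ipaddress

# Constructed unicast RIB: prefix -> neighbor AS from which the best path was learned
UNICAST_RIB = {
    "192.0.2.0/24": 64496,
    "192.0.2.128/25": 64497,   # more-specific route from a different neighbor
    "198.51.100.0/24": 64496,
}

def _nets(rib):
    return [(ipaddress.IPv4Network(p), asn) for p, asn in rib.items()]

def best_match(rib, dst_prefix):
    """(network, neighbor AS) of the longest unicast prefix covering dst_prefix, or None."""
    target = ipaddress.IPv4Network(dst_prefix)
    covering = [(n, asn) for n, asn in _nets(rib) if target.subnet_of(n)]
    if not covering:
        return None
    return max(covering, key=lambda item: item[0].prefixlen)

def validate_flow_route(rib, dst_prefix, from_asn):
    """True when a flow route for dst_prefix received from neighbor from_asn
    passes both RFC 5575 validation conditions. A flow route without a
    destination prefix is rejected here (assumption: nothing to validate)."""
    if dst_prefix is None:
        return False
    best = best_match(rib, dst_prefix)
    if best is None or best[1] != from_asn:
        return False                      # condition (a): originator mismatch
    target = ipaddress.IPv4Network(dst_prefix)
    for net, asn in _nets(rib):
        # condition (b): every more-specific route must come from the same neighbor
        if net.prefixlen > target.prefixlen and net.subnet_of(target) and asn != from_asn:
            return False
    return True

if __name__ == "__main__":
    # AS 64496 may filter 198.51.100.0/24 but not 192.0.2.0/24, whose /25 belongs to AS 64497
    print(validate_flow_route(UNICAST_RIB, "198.51.100.0/24", 64496))   # True
    print(validate_flow_route(UNICAST_RIB, "192.0.2.0/24", 64496))      # False
```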

BGP FLOWSPEC – VENDORS & USERS

Router vendors supporting BGP Flowspec:
- Alcatel-Lucent 7750 SROS 9.0R1
- Juniper JunOS 7.3

DDoS mitigation vendors:
- Arbor Peakflow SP 3.5

BGP tools:
- ExaBGP Injector [5]

Users:
- North America: TW Telecom (TWTC) [6], multiple Tier 1, Tier 2
- Europe: multiple Tier 1, Tier 2
- Latin America & Caribbean: RNP (Brasil) [7]

TRAFFIC REDIRECTION

Another application for BGP Flowspec is traffic redirection to a DDoS scrubbing device.
- DDoS scrubbers are dedicated appliances able to mitigate complex, application-layer DDoS attacks using multiple techniques, including DPI inspection, signature matching, behavior analysis, protocol authentication procedures, etc.

DDoS scrubbers are shared resources in the SP infrastructure, typically deployed in designated locations called Scrubbing Centers.
- Attack traffic backhauling is required for DDoS mitigation.

Traffic anomalies entering the network need to be redirected to the Scrubbing Centers and go through the scrubbers before reaching the intended destination (Data Center, Customer Network, etc.):
- Traffic Diversion or Offramping
- Traffic Reinjection or Onramping

TRAFFIC REDIRECTION

Diversion or Offramping: rerouting of traffic destined to the victim to the DDoS mitigation appliance for scrubbing.
Reinjection or Onramping: redirection of scrubbed (clean) traffic back to its intended destination.

Typically, traffic diversion takes place through more specific BGP prefix announcements (victim addresses), usually in the GRT (called the diversion/offramp route):
- Easier to control & manipulate routes (next hop, communities)
- Can be signaled across AS boundaries if required
- All traffic to the victim is redirected to the scrubber (good & bad)

Traffic reinjection usually requires tunneling or an alternate routing domain (VRF) to get clean traffic back to its intended destination without looping.

TRAFFIC REDIRECTION

[Figure: Real mitigation of DNS attack]

BGP FLOWSPEC TRAFFIC REDIRECTION

[Figure labels: Internet, Detection & Control, DDoS Scrubber, Scrubbing Center, "Dirty" VRF, Router, Enterprise or IDC, Firewall, IPS/IDS, Victim; Good traffic, Attack traffic, BGP Flowspec Diversion, Traffic Reinjection, FLOW]

- BGP Flowspec filter redirects only the specified traffic that matches the rule.
- Diverted traffic is a subset of all traffic destined to the victim.

BGP FLOWSPEC REDIRECTION – Optimized Design & Operation

No changes to the Global Routing Table (GRT):
- Diversion performed by Flowspec NLRI
- Flowspec filter action configured to "Redirect to VRF" (Extended Community 0x8008)
- Less intrusive to the routing system

No need for a tunneling design for reinjection/onramping:
- Clean traffic can simply be sent back to the GRT

More granular control of diverted traffic:
- Allows for the redirection of only a subset of the traffic to the victim: specific protocols, ports, source prefix, destination prefix
- Less traffic overhead for the DDoS scrubber to deal with

BGP FLOWSPEC REDIRECTION – Enabling New Workflows

Facilitates the implementation of new mitigation workflows for demanding use cases:
- "Always on" mitigations for critical resources:
  - HTTPS traffic only (normal web traffic follows the on-demand mitigation model)
- Victims with very large traffic volume
- Divert just traffic from a certain block, or geographical region (based on IP location)

SUMMARY – BGP FLOWSPEC

- Improved workflow for the application of ACLs for the mitigation of DDoS attacks by infrastructure routers
- Improved traffic diversion for the mitigation of complex DDoS attacks by scrubbing appliances
- Allows for a better optimization of the shared mitigation capacity of the scrubbers
- Simplifies the design of traffic redirection & reinjection in the network

References:
[1] Arbor Networks – 2014 Worldwide Infrastructure Security Report, Volume IX
[2] RFC 5575, Dissemination of Flow Specification Rules
[3] draft-ietf-idr-flow-spec-v6-03 – Dissemination of Flow Specification Rules for IPv6
[4] draft-ietf-idr-bgp-flowspec-oid-01 – Revised Validation Procedure for BGP Flow Specifications
[5] LINX69, Thomas Mangin (Exa Networks), Andy Davidson (NetSumo), "BGP Route Injection"
[6] NANOG 38, D. Gassen, R. Lozano (Time Warner Telecom), D. McPherson, C. Labovitz (Arbor Networks), "BGP Flow Specification Deployment Experience"
[8] GTER/GTS 2007, Raniery Pontes (RNP), "Flowspec em ação - Experiência de uso no backbone da RNP" (Flowspec in action: usage experience in the RNP backbone)