Presentation is loading. Please wait.

Presentation is loading. Please wait.

10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest1.

Published byArleen Nichols Modified over 8 years ago

Similar presentations

Presentation on theme: "10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest1."— Presentation transcript:

1

2 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest1

3 Target 11.22.33.44 RTBH Controller Upstream Peer My POI Router My AS Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 Upstream AS @ 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest2

4 Target 11.22.33.44 RTBH Controller Upstream Peer My POI Router My AS Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest3

5 Target 11.22.33.44 RTBH Controller Upstream Peer My POI Router IBGP Update: 11.22.33.44/32 -> null BGP-COMM: MyASN:911 My AS Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest4

6 Target 11.22.33.44 RTBH Controller Upstream Peer My POI Router IBGP Update: 11.22.33.44/32 BGP-COMM: MyASN:911 My AS Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 EBGP Update: 11.22.33.44/32 BGP-COMM: MyASN:911 @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest5

7 Attack Source 66.66.66.66 RTBH Controller Upstream Peer My POI Router My AS uRPF Loose mode Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 @ Upstream AS Target 11.22.33.44 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest6

8 Attack Source 66.66.66.66 RTBH Controller Upstream Peer My POI Router My AS uRPF Loose mode Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 @ Upstream AS Target 11.22.33.44 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest7

9 Attack Source 66.66.66.66 RTBH Controller Upstream Peer My POI Router My AS uRPF Loose mode Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 @ Upstream AS Target 11.22.33.44 IBGP Update: 66.66.66.66/32 BGP-COMM: MyASN:911 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest8

10 Attack Source 66.66.66.66 RTBH Controller Upstream Peer My POI Router IBGP Update: 66.66.66.66/32 BGP-COMM: MyASN:911 My AS uRPF Loose mode Static route 192.0.2.0/24 null IBGP Policy: Match BGP-COMM MyASN:911 Set next-hop 192.0.2.1 EBGP Update: 66.66.66.66/32 BGP-COMM: MyASN:911 @ Upstream AS Target 11.22.33.44 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest9

11 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest10

12 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest11

13 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest12

14 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest13

15 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest14

16 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest15

17 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest16

18 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest17

19 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest18

20 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest19

21 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest20

22 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest21

23 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest22

24 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest23

25 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest24

26 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest25

27 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest26

28 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest27

29 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest28

30 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest29

31 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest30

32 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest31

33 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest32

34 BGP-FS Controller Upstream Peer My POI Router My AS Flowspec enabled on Transit Links @ Upstream AS Target 11.22.33.44, UDP/53 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest33 Attack Sources 66.66.66.66 69.69.69.69 72.72.72.72

35 Attack Sources 66.66.66.66 69.69.69.69 72.72.72.72 BGP-FS Controller Upstream Peer My POI Router My AS Flowspec enabled on Transit Links @ Upstream AS Target 11.22.33.44, UDP/53 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest34

36 Upstream Peer My POI Router IBGP (FS) Update: Match Dst Prefix: 11.22.33.44/32 Protocol: eq 17 (UDP) Port: eq 53 Packet-len: gt 100 Action Rate-Limit: 0 (Drop) My AS Flowspec enabled on Transit Links @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest35 BGP-FS Controller Target 11.22.33.44, UDP/53 Attack Sources 66.66.66.66 69.69.69.69 72.72.72.72

37 Upstream Peer My POI Router My AS Flowspec enabled on Transit Links @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest36 BGP-FS Controller Target 11.22.33.44, UDP/53 Attack Sources 66.66.66.66 69.69.69.69 72.72.72.72 IBGP (FS) Update: Match Dst Prefix: 11.22.33.44/32 Protocol: eq 17 (UDP) Port: eq 53 Packet-len: gt 100 Action Rate-Limit: 0 (Drop) EBGP (FS) Update: Match Dst Prefix: 11.22.33.44/32 Protocol: eq 17 (UDP) Dst Port: eq 53 Packet-len: gt 100 Action Rate-Limit: 0 (Drop)

38 Upstream Peer My POI Router My AS Flowspec enabled on Transit Links @ Upstream AS 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest37 BGP-FS Controller Target 11.22.33.44, UDP/53 Attack Sources 66.66.66.66 69.69.69.69 72.72.72.72 IBGP (FS) Update: Match Dst Prefix: 11.22.33.44/32 Protocol: eq 17 (UDP) Port: eq 53 Packet-len: gt 100 Action Rate-Limit: 0 (Drop) EBGP (FS) Update: Match Dst Prefix: 11.22.33.44/32 Protocol: eq 17 (UDP) Dst Port: eq 53 Packet-len: gt 100 Action Rate-Limit: 0 (Drop)

39 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest38

40 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest39

41 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest40

42 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest41

43 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest42

44 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest43

45 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest44

46 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest45

47 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest46

48 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest47

49 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest48

50 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest49 Service Upstream Peer My POI Router Upstream AS @ Application Firewall NetFlow/SPAN/Tap IDS/ Analyser My AS BGP RR

51 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest50 Service BGP RR Upstream Peer My POI Router Upstream AS @ Application Firewall NetFlow/SPAN/Tap IDS/ Analyser My AS Events/Alarms Event Aggregator/Controller

52 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest51 Service Upstream Peer My POI Router Upstream AS @ Application Firewall NetFlow/SPAN/Tap IDS/ Analyser My AS Events/Alarms BGP BGP-FS BGP RR Event Aggregator/Controller

53 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest52

54 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest53

55 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest54

56 10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest55

Download ppt "10-03-16DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest1."

Similar presentations

An Operational Perspective on BGP Security Geoff Huston February 2005.

An Operational Perspective on BGP Security Geoff Huston February 2005.
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
CS 672 1 Summer 2003 CS672: MPLS Architecture, Applications and Fault-Tolerance.

CS Summer 2003 CS672: MPLS Architecture, Applications and Fault-Tolerance.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Monitoring and Troubleshooting IBGP in a Transit AS.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Monitoring and Troubleshooting IBGP in a Transit AS.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY.

COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY.
Best Practices for ISPs

Best Practices for ISPs
Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 7: BGP Route Reflection.

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 7: BGP Route Reflection.
1 © 2003, Cisco Systems, Inc. All rights reserved. Computer Networks 6 Layer 3 troubleshooting Halmstad University Olga Torstensson 035-167575

1 © 2003, Cisco Systems, Inc. All rights reserved. Computer Networks 6 Layer 3 troubleshooting Halmstad University Olga Torstensson
1 ELEN 602 Lecture 20 More on Routing RIP, OSPF, BGP.

1 ELEN 602 Lecture 20 More on Routing RIP, OSPF, BGP.
A View of the AS Hierarchy Provider - customer. A View of the AS Hierarchy No transitivity No SP concatenation Provider - customerData path.

A View of the AS Hierarchy Provider - customer. A View of the AS Hierarchy No transitivity No SP concatenation Provider - customerData path.
CS 672 1 Summer 2003 Lecture 4. CS 672 2 Summer 2003 Route Aggregation The process of representing a group of prefixes with a single prefix is known as.

CS Summer 2003 Lecture 4. CS Summer 2003 Route Aggregation The process of representing a group of prefixes with a single prefix is known as.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter 2007-2008.

Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter
© 2009 Cisco Systems, Inc. All rights reserved.ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Configuring and Verifying Basic BGP Operations.

© 2009 Cisco Systems, Inc. All rights reserved.ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Configuring and Verifying Basic BGP Operations.
Firewall on Demand A multidomain approach Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC Firewall on Demand workshop TF-MSP meeting.

Firewall on Demand A multidomain approach Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC Firewall on Demand workshop TF-MSP meeting.
R OUTING IN THE INTERNET. A UTONOMOUS SYSTEM ( AS ) Collections of routers that has the same protocol, administative and technical control Intra-AS routing.

R OUTING IN THE INTERNET. A UTONOMOUS SYSTEM ( AS ) Collections of routers that has the same protocol, administative and technical control Intra-AS routing.

Similar presentations

Ads by Google