DDoS Mitigation Using BGP FlowSpec
BGP FlowSpec
My dear Iranian colleagues, as you may know we were facing enormous DDoS attacks on our infrastructure which nearly brought us to our knees! This post helps you protect your network from #DDoS attacks with #BGP #Flowspec!
Nowadays we use RTBH or the Iran Access Community to protect our infrastructure from DDoS attacks, but RTBH has a big disadvantage: with RTBH you remove the victim's routes from all BGP tables, and as a result your #Service #Provider won't route any traffic toward you. The result is that neither the attacker nor anyone else can reach you now!
The benefit of BGP FlowSpec is that you can match on the types of traffic that you don't want routed toward you, and you do all of this dynamically via BGP. This BGP AFI works on Layers 3 and 4, and you can match traffic on source and destination address, source and destination ports, protocol, and more.
BGP FlowSpec has 2 Important Elements:
1) Controller: The controller is responsible for injecting your DDoS mitigation policies into your routers. A controller's data plane is optional, but its control plane and a BGP neighborship with all client routers are mandatory.
Controllers with data plane: all IOS XR capable routers (ASR9K, CRS, NCS5500, NCS 6000, XR 12000, ...)
Controllers without data plane: IOS XRv, ExaBGP, YABGP, OpenDaylight, BIRD 2.0, Arbor SP, Radware, ...
2) Clients: The client is basically your router that supports the BGP IPv4 FlowSpec AFI. All policies from the controller are deployed on the clients, so the client's data plane is mandatory.
Clients: most IOS XE routers, all IOS XR capable routers, CSR1000v, ...
BGP FlowSpec can #mitigate some of the DDoS attacks that happen at Layers 3 and 4.
Here is a list of some well-known L3/L4 DDoS attacks that you can mitigate using BGP FlowSpec:
1) #Amplification Attacks:
For example, DNS amplification happens when the attacker sends requests to DNS resolvers with the victim's IP address as the source. In order to create a large amount of traffic, the attacker structures the request so that the resolvers generate as large a response as possible. So you will face HUGE #DNS #Response packets.
NTP, DNS, SNMP, CharGen, Memcached and others can be the protocol used in this type of attack.
2) #TCP #Fragmentation Attacks (also known as #TearDrop Attacks):
The fragmentation bit is set when a packet is larger than the link can carry (its MTU), so the router fragments the packet and then sends the fragments on the link.
This attack targets #TCP/IP reassembly mechanisms. In such a case, fragmented packets are prevented from being reassembled. The result is that data packets overlap and the targeted server becomes completely overwhelmed and ultimately fails.
This attack is so #dangerous because it forces the destination to spend resources attempting to reassemble the packets, which often results in network devices and servers crashing. Lastly, as the non-initial fragments do not contain any information about which service they belong to, it is difficult to decide which packets are safe to drop and which are not.
3) #ICMP #storms (also known as #Ping #Flood):
By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.
Other types of ICMP request attacks may involve custom tools or code, such as #hping and #scapy. Attack traffic that emanates from multiple devices is considered a #Distributed #Denial of #Service (#DDoS) attack. In this type of DDoS attack, both the incoming and outgoing channels of the network are overwhelmed, consuming significant bandwidth and resulting in a denial of service.
You can also dynamically redirect the #impure traffic to a device that does stateful inspection, like #Arbor #TMS (#Threat #Mitigation #System). Arbor can communicate with your edge router and dynamically assign the proper policies and dynamic ACLs on it. In this way you can protect your network from L3 to L7 #Stateful DDoS attacks.
I used this lab for mastering BGP FlowSpec.
The XRv 9K in AS6500 is the controller of the PE router (CSR).
First of all you must have a BGP IPv4 Unicast neighborship between your controller and client. Then you must activate the BGP IPv4 FlowSpec AFI on both the controller and the client.
IOS XRv (Controller) Commands:
router bgp 6500
 address-family ipv4 flowspec
 !
 neighbor 172.17.1.2
  address-family ipv4 flowspec
IOS XE (Client) Commands:
router bgp 6500
 address-family ipv4 flowspec
  neighbor 172.17.1.4 activate
  neighbor 172.17.1.4 send-community both
After these commands your BGP session will flap, because the advertised BGP capabilities of the neighbor have changed.
In the next step you must configure the interfaces that participate in BGP FlowSpec policies. I have configured BGP FlowSpec on all interfaces:
IOS XRv (if your XRv is the Client):
flowspec
 local-install interface-all
 address-family ipv4
  local-install interface-all
IOS XE (Client):
flowspec
 local-install interface-all
 address-family ipv4
  local-install interface-all
In the last step you must configure the policy that you want pushed into the clients' data plane. You configure it on the controller (IOS XR). This step is exactly like creating a policy-map for QoS: first you create a class-map so you can match your desired traffic.
class-map type traffic match-all Flowspec
match destination-address ipv4 192.168.10.0 255.255.255.0
match source-address ipv4 172.17.10.0 255.255.255.0
match protocol icmp
end-class-map
Then you must create a policy-map of type pbr, bind your traffic class to it, and choose the action you want: you can drop, police (rate limit), redirect, set QoS flags, set the destination address, and so on. I personally dropped all ICMP packets from the 192.168.10.0/24 network toward 172.17.10.0/24. Note that the class referenced in the policy-map must be the class-map defined above (the original post referenced a class named FS while the class-map was named Flowspec), and the policy-map must be attached under the flowspec address family so it is advertised to the clients:
policy-map type pbr FS
 class type traffic Flowspec
  drop
 !
 end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr FS
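The class-map and drop action above are what the controller turns into a BGP FlowSpec NLRI plus a traffic-rate extended community and advertises over the ipv4 flowspec address family. The following is an added example in Python, not code from the original post or from any Cisco product: it encodes and decodes that NLRI per RFC 8955 (which obsoletes RFC 5575) so you can see the exact bytes the client receives, and it goes a little beyond the post by also handling port components, which is what an amplification rule (for example UDP with source port 53) needs. Assumptions: only exact-match (eq) numeric components are encoded, components are kept in ascending type order as the RFC requires, and the 2-byte AS field of the traffic-rate community is left at 0. The addresses are the ones from the class-map above.

```python
"""Added example: encode/decode BGP FlowSpec NLRI (RFC 8955) and the
traffic-rate extended community that carries the drop / rate-limit action.
Not the original post's code; constructed for illustration."""
import ipaddress
import struct

# Component types, RFC 8955 section 4.2 (IPv4 flowspec).
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
_NUMERIC_NAMES = {IP_PROTO: "proto", PORT: "port", DST_PORT: "dst_port", SRC_PORT: "src_port"}


def _prefix_component(ctype, cidr):
    """Type 1/2: <type><prefix-len><only the significant prefix bytes>."""
    net = ipaddress.ip_network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Type 3-6: <type> followed by (operator, value) pairs OR'd together.
    Operator byte layout: e(7) a(6) len(5-4) 0(3) lt(2) gt(1) eq(0)."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        two_bytes = v > 0xFF
        op = ((0b01 if two_bytes else 0b00) << 4) | 0b001      # eq
        if i == len(values) - 1:
            op |= 0x80                                          # end-of-list
        # a-bit stays 0: this term is OR'd with the previous one.
        out += bytes([op]) + (struct.pack("!H", v) if two_bytes else bytes([v]))
    return out


def encode_nlri(dst=None, src=None, proto=None, dst_port=None, src_port=None):
    """Build one FlowSpec NLRI: <length><components in ascending type order>."""
    body = b""
    if dst:
        body += _prefix_component(DST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto:
        body += _numeric_component(IP_PROTO, list(proto))
    if dst_port:
        body += _numeric_component(DST_PORT, list(dst_port))
    if src_port:
        body += _numeric_component(SRC_PORT, list(src_port))
    if len(body) < 240:                       # 1-byte length form
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # 2-byte form


def traffic_rate(rate_bytes_per_sec, asn=0):
    """Extended community type 0x80 sub-type 0x06: 2-byte AS + IEEE float rate.
    A rate of 0 is the 'drop' action the policy-map above expresses."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def decode_nlri(data):
    """Parse one NLRI back into a dict (prefix and eq-only numeric components)."""
    length, pos = data[0], 1
    if length >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    end, rule = pos + length, {}
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            pos += 1
            nbytes = (plen + 7) // 8
            addr = data[pos:pos + nbytes] + bytes(4 - nbytes)   # zero-pad to 4
            pos += nbytes
            rule["dst" if ctype == DST_PREFIX else "src"] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        else:
            values = []
            while True:
                op = data[pos]
                pos += 1
                vlen = 1 << ((op >> 4) & 0x3)                    # 1, 2, 4 or 8 bytes
                values.append(int.from_bytes(data[pos:pos + vlen], "big"))
                pos += vlen
                if op & 0x80:                                    # end-of-list
                    break
            rule[_NUMERIC_NAMES[ctype]] = values
    return rule


if __name__ == "__main__":
    # The post's rule: dst 192.168.10.0/24, src 172.17.10.0/24, protocol icmp (1), drop.
    nlri = encode_nlri(dst="192.168.10.0/24", src="172.17.10.0/24", proto=[1])
    print("NLRI  :", nlri.hex())
    print("action:", traffic_rate(0).hex(), "(rate 0 = drop)")
    print("decoded:", decode_nlri(nlri))
```

The decoder is deliberately the same component grammar as the encoder, so a rule fetched from a controller can be checked against what `show bgp ipv4 flowspec` prints on the client; a rate-limit action instead of a drop is just `traffic_rate()` with a non-zero bytes-per-second value.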
After all the steps above you should see an NLRI in the BGP FlowSpec AFI, and you can verify it with this command:
show bgp ipv4 flowspec
You can also verify your policies with this command:
show flowspec ipv4 detail
You can check the number of matched and dropped packets on your client with this command:
show flowspec ipv4 detail
As you can see, 5 packets matched my policy and I dropped them all.
If you want to deep dive into this advanced BGP security feature, you can go to these links:
Cisco Live : BRKSPG-3012
https://www.ciscolive.com/on-demand/on-demand-library.html?search=BRKSPG-3012#/session/16360598272350017z81
https://community.cisco.com/t5/service-providers-documents/asr9000-xr-understanding-bgp-flowspec-bgp-fs/ta-p/3139916
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-5/routing/configuration/guide/b-routing-cg-asr9000-65x/b-routing-cg-asr9000-65x_chapter_011.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16-10/irg-xe-16-10-book/C3PL-BGP-Flowspec-Client.html
Feel free to reach me on LinkedIn / WhatsApp / email.
Comments:
IP/MPLS engineer at NAK | World-class telecom managed services company
1 yr: This is great
Sr. Cloud Engineer | Openstack | Network | Data Center | Kubernetes | HPC | Ceph | Virtualization
1 yr: This is great!! Do you have the full configuration of your LAB for the flowspec section?
Results-Driven IT & ICT Manager | Driving Innovation, Efficiency, and Digital Transformation
2 yr: Very useful, thanks a lot
Senior IP Engineer
2 yr: Great Mahdi jan