DDoS Mitigation

Published on June 2016 | Categories: Types, Presentations | Downloads: 22 | Comments: 0 | Views: 229

apricot-2014-wei-yin


Scalable DDoS mitigation using BGP Flowspec

Wei Yin TAY
Consulting Systems Engineer
Cisco Systems

© 2010 Cisco and/or its affiliates. All rights reserved.

•  Goals of DDoS Mitigation
•  Problem description
•  Traditional DDoS Mitigation
•  Scalable DDoS Mitigation

Cisco Confidential


•  Stop the attack
•  Drop only the DDoS traffic
•  Application aware filtering/redirect/mirroring
•  Dynamic and adaptive technology
•  Simple to configure
•  Easy to disseminate

DDoS Scenario


[Figure: DDoS scenario topology, repeated over several slides. A Website with IP=1.2.3.4 sits in the Data Center behind a CE router; the CE peers with the provider's PE and announces BGP : 1.2.3.0/24 into the Provider Infra, which connects to the Internet through Transit1 and Transit2. Over the following slides DDoS Traffic enters through both transits, crosses the provider infrastructure and reaches the website.]

DDoS Mitigation Solutions


•  Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
•  Server resources are used up in serving the fake requests, resulting in denial or degradation of service for legitimate requests.
•  Addressing DDoS attacks
   - Detection – Detect incoming fake requests
   - Mitigation
     - Diversion – Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
     - Return – Send back the clean traffic to the server


It is time to use the blackhole community given by the provider (i.e. 64500:666)

[Figure: blackhole sequence over four slides on the same topology. The CE announces BGP : 1.2.3.4/32 with Com. : 64500:666 to the PE alongside its BGP : 1.2.3.0/24. The provider propagates 1.2.3.4/32 to its Transit1 and Transit2 edges, where it is installed as Discard, so the DDoS Traffic is dropped at the provider edge and no longer reaches the Data Center.]

•  Great, I have my website back online!
   - No more DDoS traffic on my network
   - But no more traffic at all on my website….
•  Well, maybe it was not the solution I was looking for….


•  Identification of DDoS traffic: based around conditions expressed as MATCH statements
   - Source/Destination address
   - Protocol
   - Packet size
   - Etc…
•  Actions upon DDoS traffic
   - Discard
   - Logging
   - Rate-Limiting
   - Redirection
   - Etc…
•  Doesn't this sound like a great solution?

•  Good solution for
   - Done with hardware acceleration on carrier grade routers
   - Can provide surgical precision in the match statements and the actions to impose
•  But…
   - The customer needs to call their provider
   - The customer needs the provider to accept and run this filter on each of their backbone/edge routers
   - The customer needs to call the provider again to remove the rule afterwards!
•  Reality: It won't happen…


Scalable DDoS Mitigation


•  Comparison with the other solutions
   - Makes static PBR a dynamic solution!
   - Allows PBR rules to be propagated
   - The existing control plane communication channel is used
•  How?
   - By using your existing MP-BGP infrastructure


•  Why use BGP?
   - Simple to extend by adding a new NLRI with MP_REACH_NLRI and MP_UNREACH_NLRI
   - A network-wide loop-free point-to-multipoint path is already set up
   - Already used for every other kind of technology (IPv4, IPv6, VPN, Multicast, Labels, etc…)
   - Inter-domain support
   - Networking engineers and architects understand BGP perfectly
•  Capability to send via a BGP Address Family
   - Match criteria
   - Action criteria


New NLRI defined (AFI=1, SAFI=133)

1.  Destination IP Address (1 component)
2.  Source IP Address (1 component)
3.  IP Protocol (+1 component)
4.  Port (+1 component)
5.  Destination port (+1 component)
6.  Source Port (+1 component)
7.  ICMP Type
8.  ICMP Code
9.  TCP Flags
10.  Packet length
11.  DSCP
12.  Fragment

The MP_REACH_NLRI – RFC 4760

Notice from the RFC: “Flow specification components must follow strict type ordering. A given component type may or may not be present in the specification, but if present, it MUST precede any component of higher numeric type value.”


•  Flowspec Traffic Actions
   - Extended Community – RFC 4360
•  RFC5575 Flowspec available actions


[Figure: Flowspec scenario over four slides on the same topology. UDP DDoS Traffic enters through Transit1 and Transit2 toward the Website at IP=1.2.3.4. A Flowspec rule is applied in the Provider Infra:

IP Destination: 1.2.3.4/32
IP Protocol 17 (UDP)
PacketSize <=28
Rate-limit 10M

The UDP flood is rate-limited at the provider edge while Legitimate TCP Traffic continues to reach the website.]
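The difference between the blackhole slides (everything to 1.2.3.4 is gone, including the website's own traffic) and the Flowspec rule above (only small UDP packets to 1.2.3.4 are touched) can be shown on a packet sample. The Python below is an added example, not code from the presentation; the packet list is constructed to resemble the deck's scenario, and the two policies are modelled as plain functions rather than router configuration.

```python
"""Blackhole versus Flowspec on a constructed packet mix.

Added example, not code from the presentation. The packet list is constructed
to mimic the deck's scenario: a small-packet UDP flood plus legitimate TCP
traffic to the website at 1.2.3.4. Both policies are modelled as plain Python
functions, not as router configuration.
"""
import ipaddress
from collections import Counter

# Constructed sample traffic: (destination, ip_protocol, length_in_bytes).
UDP, TCP = 17, 6
SAMPLE_PACKETS = (
    [("1.2.3.4", UDP, 28)] * 6      # flood packets: 20-byte IP + 8-byte UDP header, no payload
    + [("1.2.3.4", TCP, 1400)] * 3  # legitimate HTTP data to the website
    + [("1.2.3.4", UDP, 512)]       # a legitimate, larger UDP packet (e.g. a DNS reply)
    + [("1.2.3.9", TCP, 60)] * 2    # traffic to another host in 1.2.3.0/24
)


def rtbh_policy(packet, blackholed=("1.2.3.4/32",)):
    """Remotely triggered blackhole (the 64500:666 community on the slides):
    every packet to the blackholed prefix is discarded, whatever its protocol
    or size. Returns 'discard' or 'forward'."""
    dst = ipaddress.ip_address(packet[0])
    if any(dst in ipaddress.ip_network(net) for net in blackholed):
        return "discard"
    return "forward"


# The rule from the slides: dst 1.2.3.4/32, protocol 17 (UDP), packet size <= 28.
SLIDE_RULE = {"dst": "1.2.3.4/32", "proto": UDP, "max_len": 28}


def flowspec_policy(packet, rule=SLIDE_RULE):
    """A Flowspec match is a logical AND of all its components; only packets
    that satisfy every one of them get the action ('rate-limit' here).
    Everything else, including TCP to the same /32, is forwarded untouched."""
    dst, proto, length = packet
    if (ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and proto == rule["proto"]
            and length <= rule["max_len"]):
        return "rate-limit"
    return "forward"


def apply_policy(policy, packets=SAMPLE_PACKETS):
    """Count actions per (protocol, action) so collateral damage is visible."""
    counts = Counter((pkt[1], policy(pkt)) for pkt in packets)
    return dict(counts)


def legitimate_tcp_delivered(policy, packets=SAMPLE_PACKETS):
    """How many of the website's TCP packets still get through under a policy."""
    return sum(1 for pkt in packets
               if pkt[0] == "1.2.3.4" and pkt[1] == TCP and policy(pkt) == "forward")


if __name__ == "__main__":
    for name, policy in (("RTBH", rtbh_policy), ("Flowspec", flowspec_policy)):
        print(name, apply_policy(policy), "TCP delivered:", legitimate_tcp_delivered(policy))
```

Under the blackhole, zero of the website's three TCP packets survive (the "no more traffic at all on my website" slide); under the Flowspec rule all three are forwarded, the six 28-byte UDP packets are rate-limited, and the larger legitimate UDP packet passes because it fails the packet-length component.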

•  In reality this architecture is not deployed
   - Service Providers DO NOT trust the Customer
   - It requires a new BGP AFI/SAFI combination to be deployed between Customer and Service Provider
   - Both of these result in Flowspec not being deployed between Customer and Service Provider
•  What is done instead?
   - The SP utilizes a central Flowspec speaker (or speakers)
   - It is BGP-meshed with the Service Provider routers
   - Only the central Flowspec speaker is allowed to distribute Flowspec rules
   - The central Flowspec speaker is considered “trusted” by the network
   - The central Flowspec speaker is managed by the service provider
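The trust decision above can be expressed as an admission check on received Flowspec routes. The Python below is an added example, not code from the presentation: rules from the operator's central speaker are accepted outright (the deployment model described on this slide), while a rule from any other source is subjected to the validation procedure of RFC 5575 section 6, which accepts it only if its source originated the best-match unicast route for the rule's destination prefix and no more-specific unicast route comes from a different neighbouring AS. The RIB entries, peer names and AS numbers are constructed for the example.

```python
"""Admission check for received Flowspec rules.

Added example, not code from the presentation. Rules from the operator's
central speaker are trusted as on the slide; anything else must pass the
RFC 5575 section 6 validation against the unicast RIB. The RIB below, the
peer names and the AS numbers are constructed.
"""
import ipaddress

# Constructed unicast RIB: prefix -> (originating peer, neighbouring AS).
UNICAST_RIB = {
    "1.2.3.0/24": ("ce-customer-a", 65001),
    "1.2.3.128/25": ("ce-customer-b", 65002),  # more-specific from another AS
    "5.6.7.0/24": ("transit1", 65100),
}

# The provider-managed central Flowspec speaker from the slide.
TRUSTED_SPEAKERS = {"flowspec-controller"}


def best_match(dst_prefix, rib=UNICAST_RIB):
    """Longest-prefix unicast route that covers the rule's destination prefix."""
    target = ipaddress.ip_network(dst_prefix)
    best = None
    for prefix, info in rib.items():
        net = ipaddress.ip_network(prefix)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best


def validate_rule(dst_prefix, from_peer, rib=UNICAST_RIB, trusted=TRUSTED_SPEAKERS):
    """Return (accepted, reason) for a Flowspec rule received from from_peer.

    1. Rules from the central speaker are accepted as-is (the deck's model).
    2. Any other source must satisfy RFC 5575 section 6: it must be the
       originator of the best-match unicast route for dst_prefix, and no
       more-specific unicast route may come from a different neighbouring AS.
    """
    if from_peer in trusted:
        return True, "trusted central speaker"
    match = best_match(dst_prefix, rib)
    if match is None:
        return False, "no unicast route covers the destination"
    _, (origin_peer, origin_as) = match
    if origin_peer != from_peer:
        return False, f"rule source {from_peer} is not originator {origin_peer}"
    target = ipaddress.ip_network(dst_prefix)
    for prefix, (_, nbr_as) in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > target.prefixlen and net.subnet_of(target) and nbr_as != origin_as:
            return False, f"more-specific {prefix} from different AS {nbr_as}"
    return True, "originator matches best-match unicast route"


if __name__ == "__main__":
    for dst, peer in [("1.2.3.4/32", "flowspec-controller"), ("1.2.3.4/32", "ce-customer-a"),
                      ("1.2.3.4/32", "ce-customer-b"), ("1.2.3.0/24", "ce-customer-a"),
                      ("9.9.9.0/24", "ce-customer-a")]:
        print(dst, peer, validate_rule(dst, peer))
```

The second and fourth cases show why the RFC check alone is not enough for the provider's comfort: customer A may filter its own /32, but a rule for its whole /24 is refused because customer B holds a more-specific route inside it, and customer B cannot filter A's address at all. Routing every rule through a single provider-managed speaker, as the slide describes, makes the first branch the only one that ever fires on the provider's routers.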
 


[Figure: deployment with a central Flowspec speaker in the Provider Infra, BGP-meshed with the PE and the transit routers. Rules are inserted into the speaker by: CLI, Customer Portal, Workflow, etc. The UDP DDoS Traffic arriving via Transit1 and Transit2 toward the Website (IP=1.2.3.4, announced as BGP : 1.2.3.0/24 by the CE) is filtered at the provider edge, while Legitimate TCP Traffic continues to reach the website.]

•  Traffic-rate and traffic-marking are useful for simple attacks, but….
•  Traffic-redirect
   - Lets you redirect traffic into a VRF (by specifying the VPN RT value)
   - Allows the path of a flow to be changed dynamically without injecting additional BGP routes
•  Great too to clean DDoS traffic with a DPI probe
 


Thank you.
