DDoS Mitigation
Scalable DDoS mitigation using BGP Flowspec
Wei Yin TAY
Consulting Systems Engineer
Cisco Systems
© 2010 Cisco and/or its affiliates. All rights reserved.
• Goals of DDoS Mitigation
• Problem description
• Traditional DDoS Mitigation
• Scalable DDoS Mitigation
Cisco Confidential
• Stop the attack
• Drop only the DDoS traffic
• Application-aware filtering/redirect/mirroring
• Dynamic and adaptive technology
• Simple to configure
• Easy to disseminate
DDoS Scenario
[Diagram: a website with IP 1.2.3.4 in the customer data center sits behind a CE router; the provider PE announces BGP 1.2.3.0/24 towards the Internet through Transit1 and Transit2]
[Diagram, animated over several slides: DDoS traffic enters from the Internet through Transit1 and Transit2, crosses the provider infrastructure (PE) and the CE, and reaches the website at 1.2.3.4]
DDoS Mitigation Solutions
• Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
• Server resources are used up serving the fake requests, resulting in legitimate service requests being denied or degraded.
• Addressing DDoS attacks
Detection – detect the incoming fake requests
Mitigation
Diversion – send the traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
Return – send the clean traffic back to the server
It is time to use the blackhole community given by the provider (e.g. 64500:666)
[Diagram, animated over several slides: the CE announces the host route 1.2.3.4/32 to the PE with community 64500:666; the provider propagates 1.2.3.4/32 to Transit1 and Transit2, where it is installed as a discard route, so the DDoS traffic is dropped at the provider edge and no longer reaches the data center]
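What the provider must check before honouring that community, as an added example (Python, written for this page; it models the PE's decision, it is not Cisco IOS configuration and not part of the deck). The discard next hop 192.0.2.1 routed to Null0, the /24 limit on ordinary customer routes, the no-export marking and the host-route-only rule are assumptions that reflect common practice, not something the slides state; the community 64500:666 and the prefixes are the slides' own.

```python
"""Provider-side ingress policy for a customer-triggered blackhole (added example; models the
PE decision described on the slides, not Cisco IOS configuration)."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE_COMMUNITY = "64500:666"   # the community the provider hands to the customer (from the slides)
DISCARD_NEXT_HOP = "192.0.2.1"      # assumption: provider-wide next hop every router statically routes to Null0
MAX_UNICAST_PREFIXLEN = 24          # assumption: longest ordinary customer prefix the provider accepts
NO_EXPORT = "no-export"             # keep the discard route inside the provider's own AS


@dataclass
class Update:
    """One prefix from a customer's BGP UPDATE, reduced to what the policy looks at."""
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = ""


def customer_ingress_policy(update, customer_prefixes):
    """Return (verdict, rewritten update or None, reason).

    A blackhole request is honoured only for a host route inside the customer's own registered
    space: the community lets the customer discard traffic to its own addresses, never anyone else's.
    """
    net = ipaddress.ip_network(update.prefix)
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in customer_prefixes):
        return "reject", None, f"{net} is outside the customer's registered prefixes"
    if BLACKHOLE_COMMUNITY in update.communities:
        if net.prefixlen != net.max_prefixlen:
            return "reject", None, f"blackhole requested for {net}; only host routes are accepted"
        rewritten = Update(update.prefix, update.communities | {NO_EXPORT}, DISCARD_NEXT_HOP)
        return "blackhole", rewritten, f"next hop rewritten to {DISCARD_NEXT_HOP}, which is routed to Null0"
    if net.prefixlen > MAX_UNICAST_PREFIXLEN:
        return "reject", None, f"/{net.prefixlen} is more specific than the /{MAX_UNICAST_PREFIXLEN} limit"
    return "accept", update, "ordinary customer route"


if __name__ == "__main__":
    # Constructed announcements from the customer that owns 1.2.3.0/24 (the slides' website prefix).
    owned = ["1.2.3.0/24"]
    for u in (Update("1.2.3.0/24"),
              Update("1.2.3.4/32", {BLACKHOLE_COMMUNITY}),        # the slides' blackhole for the website
              Update("203.0.113.9/32", {BLACKHOLE_COMMUNITY}),    # someone else's address: must be refused
              Update("1.2.3.0/24", {BLACKHOLE_COMMUNITY})):       # whole /24 with the community: refused
        print(u.prefix, customer_ingress_policy(u, owned)[::2])
```

The prefix-ownership check is the one that matters: without it, any customer holding the community could discard traffic to addresses it does not own. Real deployments also need `send-community` enabled on the session and the discard next hop present on every router that will see the route.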
• Great, I have my website back online!
No more DDoS traffic on my network
But no more traffic at all to my website either…
• Well, maybe it was not the solution I was looking for…
• Identification of DDoS traffic: based on conditions expressed as MATCH statements
Source/destination address
Protocol
Packet size
Etc.
• Actions upon DDoS traffic
Discard
Logging
Rate-limiting
Redirection
Etc.
• Doesn't this sound like a great solution?
• Good solution for
Done with hardware acceleration on carrier-grade routers
Can provide surgical precision in the match statements and the actions to impose
• But…
The customer needs to call the provider
The customer needs the provider to accept and run this filter on each of its backbone/edge routers
The customer needs to call the provider again to remove the rule afterwards!
• Reality: it won't happen…
Scalable DDoS Mitigation
• Comparison with the other solutions
Makes static PBR a dynamic solution!
Allows PBR rules to be propagated
The existing control-plane communication channel is used
• How?
By using your existing MP-BGP infrastructure
• Why use BGP?
Simple to extend by adding a new NLRI carried in MP_REACH_NLRI and MP_UNREACH_NLRI
A network-wide loop-free point-to-multipoint path is already set up
Already used for every other kind of technology (IPv4, IPv6, VPN, Multicast, Labels, etc.)
Inter-domain support
Network engineers and architects understand BGP perfectly
• Capability to send, via a BGP address family
Match criteria
Action criteria
New NLRI defined (AFI=1, SAFI=133)
1. Destination IP Address (1 component)
2. Source IP Address (1 component)
3. IP Protocol (+1 component)
4. Port (+1 component)
5. Destination port (+1 component)
6. Source port (+1 component)
7. ICMP Type
8. ICMP Code
9. TCP Flags
10. Packet length
11. DSCP
12. Fragment
Carried in the MP_REACH_NLRI attribute – RFC 4760
Notice from RFC 5575: "Flow specification components must follow strict type ordering. A given component type may or may not be present in the specification, but if present, it MUST precede any component of higher numeric type value."
• Flowspec traffic actions
Extended Community – RFC 4360
• RFC 5575 Flowspec available actions
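How a rule of this kind is carried on the wire, covering both the NLRI slide and the actions slide above, as an added example (Python, written for this page; not Cisco code and not part of the deck). It encodes the destination-prefix, IP-protocol and packet-length components in the strict ascending type order RFC 5575 requires, decodes them back while rejecting mis-ordered input, and builds the traffic-rate (0x8006), redirect (0x8008) and traffic-marking (0x8009) extended communities. The 2-octet AS field placed in the extended communities, the route-target value used for the redirect, and the reading of "10M" on the later slides as 10 Mbit/s are assumptions.

```python
"""RFC 5575 Flowspec NLRI and action encoding (added example; not Cisco code).

Encodes the rule used later in the deck (dst 1.2.3.4/32, proto 17, packet length <= 28,
rate-limit 10M) into the format carried in MP_REACH_NLRI (AFI=1, SAFI=133), enforcing the
strict ascending type ordering, and decodes it back.
"""
import ipaddress
import struct

# Component types, RFC 5575 section 4 (the numbering on the slide).
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
NUMERIC_TYPES = {IP_PROTO, PORT, DST_PORT, SRC_PORT, ICMP_TYPE, ICMP_CODE, PKT_LEN, DSCP}
# Low three bits of a numeric operator byte: lt / gt / eq.
OPS = {"==": 0b001, ">": 0b010, ">=": 0b011, "<": 0b100, "<=": 0b101, "!=": 0b110}
OPS_REV = {v: k for k, v in OPS.items()}


def _prefix_component(ctype, prefix):
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8            # only the significant octets are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, terms):
    """terms: [(op, value), ...]; every term after the first is ANDed with the previous one."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        ln, fmt = (0, ">B") if value < 0x100 else (1, ">H") if value < 0x10000 else (2, ">I")
        end_bit = 0x80 if i == len(terms) - 1 else 0    # e: last operator of this component
        and_bit = 0x40 if i > 0 else 0                   # a: AND with the previous term
        out.append(end_bit | and_bit | (ln << 4) | OPS[op])
        out += struct.pack(fmt, value)
    return bytes(out)


def _component(ctype, spec):
    if ctype in (DST_PREFIX, SRC_PREFIX):
        return _prefix_component(ctype, spec)
    if ctype in NUMERIC_TYPES:
        return _numeric_component(ctype, spec)
    raise ValueError(f"component type {ctype} not handled in this example")


def encode_nlri(components):
    """components: {type: spec}. Emitted in ascending type order, as RFC 5575 requires."""
    body = b"".join(_component(t, components[t]) for t in sorted(components))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body   # two-octet length form


def decode_nlri(data):
    """Parse one Flowspec NLRI back to {type: spec}; raises ValueError if types are out of order."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, result, last = pos + length, {}, 0
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype <= last:
            raise ValueError(f"component type {ctype} after {last}: strict type ordering violated")
        last = ctype
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, nbytes = data[pos], (data[pos] + 7) // 8
            addr = bytes(data[pos + 1:pos + 1 + nbytes]).ljust(4, b"\0")
            result[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
        elif ctype in NUMERIC_TYPES:
            terms = []
            while True:
                op = data[pos]
                size = 1 << ((op >> 4) & 0x3)
                value = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                terms.append((OPS_REV[op & 0x7], value))
                pos += 1 + size
                if op & 0x80:
                    break
            result[ctype] = terms
        else:
            raise ValueError(f"component type {ctype} not handled in this example")
    return result


# Actions are extended communities (RFC 4360 format, RFC 5575 type values).
def traffic_rate(bytes_per_second, asn=0):
    """0x8006 traffic-rate: IEEE float rate in bytes per second; a rate of 0 discards the flow."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def redirect_vrf(asn, assigned_number):
    """0x8008 redirect: value formatted like a 2-octet-AS route target naming the VRF to steer into."""
    return struct.pack(">BBHI", 0x80, 0x08, asn, assigned_number)


def traffic_marking(dscp):
    """0x8009 traffic-marking: rewrite the DSCP (6 bits, in the last octet)."""
    return struct.pack(">BBxxxxxB", 0x80, 0x09, dscp & 0x3F)


def slide_rule():
    """The rule from the later slides; '10M' taken as 10 Mbit/s, i.e. 1 250 000 bytes/s (assumption)."""
    nlri = encode_nlri({DST_PREFIX: "1.2.3.4/32", IP_PROTO: [("==", 17)], PKT_LEN: [("<=", 28)]})
    return nlri, traffic_rate(10_000_000 // 8)


if __name__ == "__main__":
    nlri, action = slide_rule()
    print(nlri.hex(), action.hex(), decode_nlri(nlri))
```

Note that the dictionary is sorted before encoding, so a caller can list the match terms in any order and still produce a conformant NLRI; the decoder, by contrast, refuses an NLRI whose types go backwards, which is what a receiving router would do with a malformed update.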
[Diagram, animated over several slides: UDP DDoS traffic arrives through Transit1 and Transit2 towards the website at 1.2.3.4. Instead of a blackhole route, the CE announces a Flowspec rule to the PE:]
IP Destination: 1.2.3.4/32
IP Protocol 17 (UDP)
PacketSize <= 28
Rate-limit 10M
[The PE propagates the rule to Transit1 and Transit2, which rate-limit the matching UDP flood while legitimate TCP traffic still reaches the website]
• In reality this architecture is not deployed
Service providers DO NOT trust the customer
It requires a new BGP AFI/SAFI combination to be deployed between the customer and the service provider
Both of these result in Flowspec not being deployed between customer and service provider
• What is done instead?
The SP uses one or more central Flowspec speakers
They are BGP-meshed with the service provider's routers
Only the central Flowspec speaker is allowed to distribute Flowspec rules
The central Flowspec speaker is considered "trusted" by the network
The central Flowspec speaker is managed by the service provider
[Diagram, animated over two slides: a central Flowspec speaker inside the provider infrastructure, BGP-peered with the PE and with Transit1/Transit2, distributes the rule; the UDP DDoS traffic is rate-limited at the provider edge while legitimate TCP traffic still reaches the website at 1.2.3.4]
Rules inserted by:
CLI
Customer Portal
Workflow
etc.
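The trust problem behind the central-speaker design is what the validation rule in RFC 5575 section 6 addresses: a Flowspec route is feasible only if its sender also originated the best-matching unicast route for the destination prefix, and no more-specific unicast route for that space came from a different neighbour. The following is an added example (Python, written for this page, not from the deck or from Cisco) that applies that rule to a handful of constructed routes. The RIB contents, the AS names, and the trusted-speaker bypass (vendors let the operator skip validation for a designated internal speaker, which is how the "trusted" central speaker is modelled here) are assumptions.

```python
"""Feasibility check for a received Flowspec route, after RFC 5575 section 6 (added example).

A flow rule is accepted only if whoever sent it also sent the best-matching unicast route for
its destination prefix, and no more-specific unicast route for that space came from anyone
else. A trusted central speaker (the provider's own) may bypass this, as vendors allow.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRoute:
    dest: Optional[str]   # destination-prefix component (type 1); None if the rule has none
    originator: str       # neighbouring AS for eBGP, or peer address for an iBGP speaker


def best_match(unicast_rib, prefix):
    """Longest-prefix match in a RIB modelled as {prefix: originator}; returns (network, originator)."""
    target = ipaddress.ip_network(prefix)
    best = None
    for p, originator in unicast_rib.items():
        net = ipaddress.ip_network(p)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, originator)
    return best


def validate_flowspec(route, unicast_rib, trusted_speakers=frozenset()):
    """Return (feasible, reason) for one Flowspec route."""
    if route.originator in trusted_speakers:          # assumption: operator-configured bypass
        return True, "received from the trusted central speaker; validation bypassed by policy"
    if route.dest is None:
        return False, "no destination prefix component, so ownership cannot be checked"
    match = best_match(unicast_rib, route.dest)
    if match is None:
        return False, "no unicast route covers the destination prefix"
    owner_net, owner = match
    if owner != route.originator:                     # rule (a): same originator as best match
        return False, f"{route.originator} did not originate best match {owner_net} ({owner} did)"
    dest = ipaddress.ip_network(route.dest)
    for p, originator in unicast_rib.items():         # rule (b): more specifics from someone else
        net = ipaddress.ip_network(p)
        if net.subnet_of(dest) and net.prefixlen > dest.prefixlen and originator != owner:
            return False, f"more specific {net} was originated by {originator}, not {owner}"
    return True, f"{route.originator} originated best match {owner_net}"


if __name__ == "__main__":
    # Constructed RIB: customer AS64501 owns 1.2.3.0/24 inside an aggregate from AS64503.
    rib = {"1.2.0.0/16": "AS64503", "1.2.3.0/24": "AS64501", "198.51.100.0/24": "AS64502"}
    for r in (FlowRoute("1.2.3.4/32", "AS64501"), FlowRoute("198.51.100.7/32", "AS64501"),
              FlowRoute("1.2.0.0/16", "AS64503"), FlowRoute(None, "10.0.0.5")):
        print(r, validate_flowspec(r, rib, trusted_speakers={"10.0.0.5"}))
```

Rule (b) is the subtle one: the holder of the aggregate 1.2.0.0/16 is refused a rule covering the whole /16 because a customer's more-specific /24 lives inside it, so an upstream cannot rate-limit or discard its customer's traffic by targeting the covering aggregate. Rules without a destination prefix cannot be validated at all, which is one more reason providers only accept them from their own speaker.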
• Traffic-rate and traffic-marking are useful for simple attacks, but…
• Traffic-redirect
Lets you redirect traffic into a VRF (by specifying the VPN RT value)
Allows the path of a flow to be changed dynamically without injecting additional BGP routes
• Great too for cleaning DDoS traffic with a DPI probe
Thank you.