Wednesday, September 4, 2013

DDOS attack mitigation via remote black hole

How to black hole (stop) an attacker inside your network

Remote Triggered Black Hole (RTBH) filtering of spoofed or DDoS-active subnets is a great way to save router resources and keep the attacker from damaging your network.
A common DoS attack directed against a customer of a service provider involves generating a greater volume of attack traffic destined for the target than will fit down the links from the service provider(s) to the victim (customer). This traffic "starves out" legitimate traffic and often results in collateral damage or negative effects to other customers or the network infrastructure as well. Rather than having all destinations on their network be affected by the attack, the customer may ask their service provider to filter traffic destined to the target destination IP address(es), or the service provider may determine that this is necessary themselves, in order to preserve network availability.
However, with destination-based RTBH filtering, the impact of the attack on the target is complete: destination-based RTBH filtering injects a discard route into the forwarding table for the target prefix. All packets towards that destination, attack traffic AND legitimate traffic, are then dropped by the participating routers, thereby taking the target completely offline. The benefit is that collateral damage to other systems or network availability at the customer location or in the ISP network is limited, but the negative impact to the target itself is arguably increased.
In this small scenario I will use an eBGP-speaking router that advertises the "spoofed DDoS subnet" 99.99.99.0/24. All of the iBGP routers inside the AS 100 domain will have this prefix installed in their BGP tables.

The iBGP router CX2 is used as the trigger device. It has a simple task: advertise the DDoS prefix inside AS 100 and send those packets into the black hole. Let us look at the configuration of the trigger router.
CX2
interface Loopback1
 ip address 192.0.2.1 255.255.255.255
!
route-map BLACK-HOLE permit 10
 match tag 999
 set local-preference 200
 set origin igp
 set community no-export
 set ip next-hop 192.0.2.1
!
route-map BLACK-HOLE deny 20
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 redistribute static route-map BLACK-HOLE
 neighbor 16.2.1.1 remote-as 100
 neighbor 18.1.1.2 remote-as 100
 no auto-summary
We have created a simple route map that matches the tagged static route for our given prefix and sets the next hop to 192.0.2.1. This address belongs to the discard address space (192.0.2.0/24 is a reserved documentation block, and is the conventional choice for the discard next hop). The local-preference of 200 makes the trigger's path win over the normal path, and the no-export community keeps the discard route from leaking to eBGP peers, so the black hole stays inside AS 100. Every other iBGP router must have a static route for the 192.0.2.1 address that points those packets to the Null0 interface.
CX1#ip route 192.0.2.1 255.255.255.255 Null0
Customer#ip route 192.0.2.1 255.255.255.255 Null0
Now let us take a look at the BGP table of the CX1 router. We can see that the 99.99.99.0/24 prefix is in the table and that we have connectivity to the spoofed address.
CX1#sh ip bgp 99.99.99.0
BGP routing table entry for 99.99.99.0/24, version 18
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  200 65535
    16.1.1.2 from 16.1.1.2 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
We can test the route by pinging the spoofed address.
CX1#ping 99.99.99.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.99.99.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/96 ms
Now, to deny this traffic through AS 100, we must create a static route for the subnet on the trigger router and redistribute it so that it is distributed inside AS 100. I will start a long-running ping from the CX1 router to demonstrate how the traffic stops inside AS 100 as soon as I create the static route for the 99.99.99.0/24 subnet.
As soon as I typed in the static route, the ping stopped. And if we look at the route for 99.99.99.0/24 on the CX1 router now, we can see that it is being advertised by the trigger router, with the next hop set to 192.0.2.1, the discard IP address.

CX1#sh ip route 99.99.99.0
Routing entry for 99.99.99.0/24
  Known via "bgp 100", distance 200, metric 0, type internal
  Last update from 192.0.2.1 00:02:23 ago
  Routing Descriptor Blocks:
  * 192.0.2.1, from 16.2.1.2, 00:02:23 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0

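To make the trigger step concrete, here is the static route that the text refers to but never prints, together with the discard route for the other routers and the withdrawal once the attack is over. This is an added example, not configuration from the original post: the prefix, the tag 999 and the 192.0.2.1 next hop come from the route map above, while the verification commands listed in the comments and the comments themselves are my additions.

```text
! Trigger router CX2, configuration mode (added example, not the post's own config).
! The tag must equal the "match tag 999" clause of route-map BLACK-HOLE; without it
! the deny 20 clause stops redistribution and nothing is black-holed.
ip route 99.99.99.0 255.255.255.0 Null0 tag 999
!
! Every participating iBGP router (CX1, Customer, ...) needs the discard route,
! otherwise the next hop 192.0.2.1 does not resolve and the path is not installed.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Verification from exec mode on CX2 and on a remote router such as CX1:
!   show ip bgp 99.99.99.0    -> next hop 192.0.2.1, localpref 200, community no-export
!   show ip route 99.99.99.0  -> 192.0.2.1 as the next hop, known via "bgp 100"
!   show ip cef 99.99.99.1    -> resolves to Null0 on every router with the discard route
!
! When the attack is over, withdraw the black hole: removing the static route
! withdraws the BGP advertisement from all iBGP peers.
no ip route 99.99.99.0 255.255.255.0 Null0 tag 999
```

The check worth running before injecting the route is that every router that forwards toward the customer has the discard route for 192.0.2.1 installed; a router that lacks it keeps the original path, and the attack traffic continues to flow through it.
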
This very simple DDoS mitigation mechanism can be used in more complex scenarios, with redundant route reflectors inside a large BGP domain. One can stop an attacker in a very short time. RFC 5635 gives a fuller treatment.

Feel free to comment.
