How to black hole (stop) an attacker inside your network
Remote Triggered Black Hole (RTBH) filtering drops traffic for a prefix at every router in the network on the strength of a single BGP update. It is a cheap way to protect router resources and links against spoofed-source DDoS traffic and to keep the attacker from damaging the rest of your network.
A common DoS attack directed against a customer of a service provider involves generating a greater volume of attack traffic destined for the target than will fit down the links from the service provider(s) to the victim (customer). This traffic "starves out" legitimate traffic and often results in collateral damage or negative effects to other customers or the network infrastructure as well. Rather than having all destinations on their network be affected by the attack, the customer may ask their service provider to filter traffic destined to the target destination IP address(es), or the service provider may determine that this is necessary themselves, in order to preserve network availability.
However, with destination-based RTBH filtering, the impact of the attack on the target is complete. That is, destination-based RTBH filtering injects a discard route into the forwarding table for the target prefix. All packets towards that destination, attack traffic AND legitimate traffic, are then dropped by the participating routers, thereby taking the target completely offline. The benefit is that collateral damage to other systems or network availability at the customer location or in the ISP network is limited, but the negative impact to the target itself is arguably increased.
In this small scenario I will use an eBGP-speaking router that advertises the "spoofed DDoS subnet" 99.99.99.0/24. All of the iBGP routers inside AS100 will have this prefix installed in their BGP tables.
The iBGP router CX2 is used as the trigger device. It has one simple task: advertise the DDoS prefix inside AS100 with a next hop that sends the packets into the black hole. Here is the configuration of the trigger router.
CX2
interface Loopback1
ip address 192.0.2.1 255.255.255.255
!
route-map BLACK-HOLE permit 10
match tag 999
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1
!
route-map BLACK-HOLE deny 20
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 5.5.5.5 mask 255.255.255.255
redistribute static route-map BLACK-HOLE
neighbor 16.2.1.1 remote-as 100
neighbor 18.1.1.2 remote-as 100
no auto-summary
We have created a simple route-map that matches the static route tagged 999 for our given prefix and sets its BGP next hop to 192.0.2.1.
This address comes from 192.0.2.0/24 (TEST-NET-1), a range that is never routed on the Internet and is therefore commonly used as the RTBH discard space. Every other iBGP router must have a
static route for 192.0.2.1 that points to the Null0 interface, so that any BGP route carrying that next hop resolves to a drop.
CX1(config)#ip route 192.0.2.1 255.255.255.255 Null0
Customer(config)#ip route 192.0.2.1 255.255.255.255 Null0
Now let us take a look at the BGP table of the CX1 router. The 99.99.99.0/24 prefix is present in the table (learned over iBGP, AS path 200 65535)
and we have connectivity to the "spoofed" address.
CX1#sh ip bgp 99.99.99.0
BGP routing table entry for 99.99.99.0/24, version 18
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
200 65535
16.1.1.2 from 16.1.1.2 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best
We can test the route by pinging the spoofed address.
CX1#ping 99.99.99.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.99.99.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/96 ms
To drop this traffic throughout AS100 we now create, on the trigger router, a static route for 99.99.99.0/24 that carries the tag the BLACK-HOLE route-map matches;
the route-map redistributes it into BGP and it is propagated inside AS100. I leave a long ping running from CX1 to
demonstrate that the traffic stops inside AS100 as soon as the static route for 99.99.99.0/24 is entered.
As soon as I typed in the static route the ping stopped. If we look at the routing table of
the CX1 router now, we can see that the route is learned from the trigger router (16.2.1.2)
and its next hop is 192.0.2.1, the discard address, which resolves to Null0.
CX1#sh ip route 99.99.99.0
Routing entry for 99.99.99.0/24
  Known via "bgp 100", distance 200, metric 0, type internal
  Last update from 192.0.2.1 00:02:23 ago
  Routing Descriptor Blocks:
  * 192.0.2.1, from 16.2.1.2, 00:02:23 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
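The post shows the trigger's route-map and BGP stanza but not the static route that actually fires it, nor the matching pieces on the other routers. The following configuration fragment is added here as an example; it is not the original post's configuration and not taken from any vendor document. It assumes the same names and addresses as above (CX2 is the trigger, 192.0.2.1 is the discard next hop, tag 999 is what route-map BLACK-HOLE matches). The interface name GigabitEthernet0/0 in the optional source-based part is an assumption.

```cisco
! --- CX2 (trigger): pull the trigger -------------------------------------
! The static route must carry tag 999, otherwise route-map BLACK-HOLE
! (match tag 999) never matches and nothing is redistributed into BGP.
ip route 99.99.99.0 255.255.255.0 Null0 tag 999
!
! The route-map sets community no-export; iBGP peers only receive
! communities if the trigger is configured to send them.
router bgp 100
 neighbor 16.2.1.1 send-community
 neighbor 18.1.1.2 send-community
!
! --- every other router in AS100 (CX1, Customer, ...) ---------------------
! Resolve the discard next hop to Null0 so the BGP route is valid and
! forwarding drops the packets.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Null0 would otherwise generate ICMP unreachables for dropped packets
! (rate-limited, but still CPU work during a flood); switch that off.
interface Null0
 no ip unreachables
!
! --- optional: source-based variant (RFC 5635) ----------------------------
! The configuration above only drops packets sent TO 99.99.99.0/24. To drop
! packets coming FROM that prefix, enable loose-mode uRPF on the edge
! interfaces: a source whose best route points to Null0 fails the check.
! Interface name is assumed.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
!
! --- CX2: release the black hole once the attack subsides -----------------
no ip route 99.99.99.0 255.255.255.0 Null0 tag 999
```

Removing the tagged static route on the trigger withdraws the prefix from BGP, and the original route from AS 200 becomes best again on every router within one update cycle.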
This very simple mechanism can be used in more complex scenarios, for example with redundant route reflectors inside a large BGP domain.
An attack can be stopped within seconds of entering one static route on the trigger, and removing that route restores service.
Keep in mind that what is shown here is destination-based RTBH: it drops packets sent to 99.99.99.0/24 and so completes the denial of service on that prefix, as described above, and it does not by itself drop packets coming from an attacking source prefix; that variant needs loose-mode uRPF on the edge routers. RFC 5635 describes both.
Feel free to comment.