Anti DDoS Bot with gobgpd + flowspec

You can use gobgpd + BGP flowspec to mitigate DDoS with ChatOps.
I published gobgp-node, a gobgp client library for NodeJS that allows Hubot to control gobgpd, and gave a lightning talk at JANOG37 about the motivation and design of the library.

Shintaro Kojima

January 30, 2016

Transcript

  1. Anti DDoS Bot

    ChatOps initiates flowspec route origination to mitigate DDoS at the AS border (flowspec origination is done at a non-production router for operational reasons)
  2. Anti DDoS Bot

    ChatOps initiates flowspec route origination to mitigate DDoS at the AS border (flowspec origination is done at a non-production router for operational reasons). gobgpd looks good to place here
  3. gRPC

    • Google's RPC Framework
    • HTTP2 Transport
    • Serializer: Protocol Buffer
    • Provides RPC Modeling Layer like NETCONF
  4. gRPC / NETCONF

    gRPC: protobuf / http2, auto-generated serializer, auto-generated de-serializer
    NETCONF: XML (YANG) / SSH, TLS, vendor's serializer, 3rd-party de-serializer
  5. Comparable programmability

    gRPC:

        var grpc = require('grpc');
        var api = grpc.load('node_modules/gobgp/deps/gobgp/gobgp.proto').gobgpapi;
        var stub = new api.GobgpApi('localhost:50051', grpc.Credentials.createInsecure());

        var call = stub.getNeighbors({});
        call.on('data', function(neighbor) {
          console.log(JSON.stringify(neighbor));
        });

    NETCONF:

        var netconf = require('netconf');
        var router = new netconf.Client({
          host: 'localhost',
          port: 830,
          username: 'codeout',
          password: 'password'
        });

        router.open(function afterOpen(err) {
          if (!err) {
            router.rpc('get-bgp-neighbor-information', function (err, reply) {
              router.close();
              if (err) {
                throw (err);
              }
              console.log(JSON.stringify(reply));
            });
          } else {
            throw (err);
          }
        });
  6. Why gRPC is better

    • Auto-generated client
    • No additional code for basic client features
      eg) Error handling without sending requests to server
    • Speed!
  7. What people expected

        var Gobgp = require('gobgp');
        var gobgp = new Gobgp('localhost:50051');

        gobgp.modPath('ipv4-flowspec',
                      'match source 10.0.0.0/24 then rate-limit 10000');
  8. What gobgp API requires

        var Gobgp = require('gobgp');
        var gobgp = new Gobgp('localhost:50051');

        gobgp.modPath({path: { nlri: <Buffer >,
          pattrs:
           [ <Buffer 80 0e 0b 00 01 85 00 00 05 02 18 0a 00 00>,
             <Buffer 40 01 01 02>,
             <Buffer c0 10 08 80 06 00 00 46 1c 40 00> ] }});
  9. [Diagram: V8 C++ addon, NodeJS, gRPC JS, gobgp (C)]

    Plan A: NodeJS Serializer (serialize by NodeJS)
    Plan B: C Serializer (serialize by C-Shared Library built from gobgp)
  10. [Diagram: V8 C++ addon, NodeJS, gRPC JS, gobgp (C)]

    Build gobgp C-Shared Library only for Serializer
    Serialize in C and everything else in NodeJS
  11. codeout/gobgp-node

    https://github.com/codeout/gobgp-node
    • gobgp client library for NodeJS
    • RIB manipulation features
    • Hubot script: https://gist.github.com/codeout/20bc799560b6efe7b2be
  12. Features

    Originate, Delete, Show Routes
    Besides,
    • Unicast routes lookup
    • Host address to prefix conversion for flowspec routes origination
  13. Tips

    • Flowspec route validation behavior depends on the implementation of each router vendor
    • draft-ietf-idr-bgp-flowspec-oid-02
    • Another implementation of Anti-DDoS Bot (ACL auto-generator) can be done
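
The gap between slides 7 and 8, as an added example that is not from the original deck or from gobgp-node: a small NodeJS decoder that turns the three path-attribute buffers on slide 8 back into the readable rule on slide 7, a useful check on what a bot is about to originate. Function names are hypothetical, and it handles only prefix match components and the traffic-rate action.

```javascript
// Added example; bytes are copied from slide 8, helper names are hypothetical.
const SLIDE8_PATTRS = [
  '800e0b00018500000502180a0000', // MP_REACH_NLRI (type 14)
  '40010102',                     // ORIGIN (type 1)
  'c0100880060000461c4000',       // EXTENDED_COMMUNITIES (type 16)
];

function decodeAttr(buf) {           // one path attribute -> { type, value }
  const ext = (buf[0] & 0x10) !== 0; // extended-length flag
  const len = ext ? buf.readUInt16BE(2) : buf[2];
  const value = buf.subarray(ext ? 4 : 3);
  if (value.length !== len) throw new Error('attribute length mismatch');
  return { type: buf[1], value };
}

function decodeFlowspecNlri(v) {     // MP_REACH_NLRI value, AFI 1 / SAFI 133
  if (v.readUInt16BE(0) !== 1 || v[2] !== 133) throw new Error('not ipv4-flowspec');
  let off = 4 + v[3] + 1;            // skip next hop and the reserved byte
  const nlriLen = v[off++], end = off + nlriLen, match = [];
  if (nlriLen >= 0xf0 || end > v.length) throw new Error('unsupported NLRI length');
  while (off < end) {
    const comp = v[off++], bits = v[off++]; // 1 = destination, 2 = source prefix
    if ((comp !== 1 && comp !== 2) || bits > 32) throw new Error('unsupported component');
    const octets = [0, 0, 0, 0];
    for (let i = 0; i < Math.ceil(bits / 8); i++) octets[i] = v[off++];
    match.push(`${comp === 1 ? 'destination' : 'source'} ${octets.join('.')}/${bits}`);
  }
  return match;
}

function decodeActions(v) {          // extended communities, 8 bytes each
  const actions = [];
  for (let off = 0; off + 8 <= v.length; off += 8) {
    if (v[off] !== 0x80 || v[off + 1] !== 0x06) throw new Error('unsupported action');
    actions.push('rate-limit ' + v.readFloatBE(off + 4)); // 0x8006 = traffic-rate
  }
  return actions;
}

function decodeRule(hexAttrs) {
  const out = { origin: null, match: [], actions: [] };
  for (const hex of hexAttrs) {
    const { type, value } = decodeAttr(Buffer.from(hex, 'hex'));
    if (type === 1) out.origin = ['igp', 'egp', 'incomplete'][value[0]];
    if (type === 14) out.match = decodeFlowspecNlri(value);
    if (type === 16) out.actions = decodeActions(value);
  }
  return { origin: out.origin, rule: `match ${out.match.join(' ')} then ${out.actions.join(' ')}` };
}
```

Calling `decodeRule(SLIDE8_PATTRS)` recovers the rule string from slide 7, with the rate carried as a 4-byte IEEE float in the last four bytes of the extended community.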