Anti DDoS Bot with gobgpd + flowspec

Transcript

1. Anti-DDoS Bot with gobgpd + flowspec https://www.flickr.com/photos/iloveui/7090895435/ +"/0(
   4IJOUBSP
   ,PKJNB
   
   !DPEFPVU

2. 4IJOUBSP
   ,PKJNB
   DPEFBODF
   codeout http://about.me/codeout

3. %%P4
   NJUJHBUJPO
   JT
   UPP
   DPNQMJDBUFE
   ʜ

4. 5IJT
   JT
   OPU
   TP
   HPPE %FUFDUJPO
   TZTUFN
   EFUFDUT
   %%P4
   $MJDL
   .JHJHBUF
   CVUUPO
   PO
   EBTICPBSE
   5IFO
   %%P4
   NBHJDBMMZ
   HPFT
   BXBZ

5. 5IJT
   JT
   OPU
   TP
   HPPE %FUFDUJPO
   TZTUFN
   EFUFDUT
   %%P4
   $MJDL
   .JHJHBUF
   CVUUPO
   PO
   EBTICPBSE
   5IFO
   %%P4
   NBHJDBMMZ
   HPFT
   BXBZ False positives maybe? DDoS

   is not volumetric No idea what happens inside Need more speed!

6. "OUJ%%P4
   #PU ChatOps initiates flowspec route origination to migigate DDoS at

   AS border (flowspec
 origination is done at a non-production router for operational reason)

7. "OUJ%%P4
   #PU ChatOps initiates flowspec routes origination to migigate DDoS at

   AS border (flowspec
 origination is done at a non-production router for operational reason) gobgpd looks good to place here

8. PTSHHPCHQ https://github.com/osrg/gobgp • bgpd implemented in Go • gRPC between

   bgpd and CLI client • Committer is here in JANOG !

9. (SFBU
   4VQQPSU
   ⚡

10. H31$ • Google's RPC Framework • HTTP2 Transport • Serializer:

    Protocol Buffer • Provides RPC Modeling Layer like NETCONF

11. H31$
    PS
    /&5$0/'

12. H31$ /&5$0/' protobuf / http2 Auto- generated Serializer Auto-generated De-serializer

    XML (YANG) / SSH, TLS Vendor's Serializer 3rd Party De-serializer

13. $PNQBSBCMF
    QSPHSBNNBCJMJUZ 1 var grpc = require('grpc'); 2 var api

    = grpc.load('node_modules/gobgp/deps/gobgp/gobgp.proto').gobgpapi; 3 var stub = new api.GobgpApi('localhost:50051', grpc.Credentials.createInsecure()); 4 5 var call = stub.getNeighbors({}); 6 call.on('data', function(neighbor) { 7 console.log(JSON.stringify(neighbor)); 8 }); H31$ 1 var netconf = require('netconf'); 2 var router = new netconf.Client({ 3 host: 'localhost', 4 port: 830, 5 username: 'codeout', 6 password: 'password' 7 }); 8 9 router.open(function afterOpen(err) { 10 if (!err) { 11 router.rpc('get-bgp-neighbor-information', function (err, reply) { 12 router.close(); 13 if (err) { 14 throw (err); 15 } 16 console.log(JSON.stringify(reply)); 17 }); 18 } else { 19 throw (err); 20 } 21 }); /&5$0/'

14. 4QFFE
    ʂ x10

15. 8IZ
    H31$
    JT
    CFUUFS •Auto-generated client •No additional code for basic client features


    eg) Error handling without sending requests to server •Speed ！

16. -FUT
    XSJUF
    B
    DPEF

17. 8IBU
    QFPQMF
    FYQFDUFE 1 var Gobgp = require('gobgp'); 2 var gobgp =

    new Gobgp('localhost:50051'); 3 4 gobgp.modPath('ipv4-flowspec', 5 'match source 10.0.0.0/24 then rate-limit 10000');

18. 8IBU
    HPCHQ
    "1*
    SFRVJSFT
    1 var Gobgp = require('gobgp'); 2 var gobgp

    = new Gobgp('localhost:50051'); 3 4 gobgp.modPath({path: { nlri: <Buffer >, 5 pattrs: 6 [ <Buffer 80 0e 0b 00 01 85 00 00 05 02 18 0a 00 00>, 7 <Buffer 40 01 01 02>, 8 <Buffer c0 10 08 80 06 00 00 46 1c 40 00> ] }});

19. 8IZ
    #JOBSZ
    1"5)
    "UUSJCVUF

20. 0,
    #VU
    EPOU
    XBOU
    UP
    TQPJM
    QSPHSBNNBCJMJUZ

21. 7
    $ BEEPO
    $ 7
    $ /PEF+4 H31$
    +4 1MBO
    "
    

    /PEF+4
    4FSJBMJ[FS Serialize by NodeJS /PEF+4 H31$
    $ HPCHQ
    $ Serialize by C-Shared Library built from gobgp 1MBO
    #
    $
    4FSJBMJ[FS

22. 7
    $ BEEPO
    $ /PEF+4 H31$
    +4 Build gobgp C-

    Shared Library only for Serializer HPCHQ
    $ 4FSJBMJ[F
    JO
    $
    BOE
    FWFSZUIJOH
    FMTF
    JO
    /PEF+4

23. DPEFPVUHPCHQOPEF https://github.com/codeout/gobgp-node • gobgp client library for NodeJS • RIB

    manipulation features • Hubot script:
 https://gist.github.com/codeout/20bc799560b6efe7b2be

24. 'FBUVSFT
    0SJHJOBUF
    %FMFUF
    4IPX
    3PVUFT Besides, • Unicast routes lookup •

    Host address to prefix conversion for flowspec routes origination

25. /FYU
    4UFQ %FUFDUJPO
    TZTUFN
    EFUFDUT
    %%P4
    5BML
    UP
    IVCPU
    XJUI
 %%P4
    UJDLFU
    *%
    IVCPU
    HFUT
    %%P4
    USBGpD
    JOGPSNBUJPO
    CZ
    UIF
    *%
    BOE
    PSJHJOBUF
    qPXTQFD
    SPVUF
    BDDPSEJOHMZ 
 5IFO
    %%P4
    HPFT
    BXBZ

26. /FYU
    4UFQ %FUFDUJPO
    TZTUFN
    EFUFDUT
    %%P4
    5BML
    UP
    IVCPU
    XJUI
 %%P4
    UJDLFU
    *%
    IVCPU
    HFUT
    %%P4
    USBGpD
    JOGPSNBUJPO
    CZ
    UIF
    *%
    BOE
    PSJHJOBUF
    qPXTQFD
    SPVUF
    BDDPSEJOHMZ 
 5IFO
    %%P4
    HPFT
    BXBZ *U
    SFRVJSFT
    "1*
    PG
    

    %%P4
    %FUFDUJPO
    4ZTUFN
    UP
    EP
    UIJT

27. $PODMVTJPO •gobgpd + flowspec can mitigation DDoS •By ChatOps !

28. 5JQT • Flowspec route validation behavior depends on the implementation

    of each router vendor • draft-ietf-idr-bgp-flowspec-oid-02 • Another implementation of Anti-DDoS Bot (ACL auto-generator) can be done