October 2019
• Rich Compton
• Principal Network Security Engineer with Charter Communications
• M3AAWG DDoS Special Interest Group Chair (along with Darshak Thakore)
• 20+ years experience at ISPs
• All ISPs deal with DDoS attacks
• Most ISPs & large companies don’t monitor outbound traffic
• Goal: Provide ISPs with reliable info on DDoS attack sources on their networks
(trusted 3rd party)
• Open Source - based on CRITS
• Exposes RESTful APIs
• JSON payloads (specified in JSON Schemas)
The Client
• Extremely light-weight Python script
• Pulls data from your DDoS mitigation
Focus – Make it easy
Sheth (Juniper), Robert Raszuk (Cisco), Barry Greene (Juniper), Jared Mauch (NTT America), and Danny McPherson (Arbor)
• IETF RFC 5575, August 2009 (https://tools.ietf.org/html/rfc5575)
• Created to mitigate DDoS attacks but has other uses
JP-AAWG November 14th 2019
and advertised to routers via BGP
• Controller can be another router sending rules via eBGP or iBGP
• Router must enable the IPv4 or IPv6 Flowspec address family
• Numerous routers support IPv6 rules, but it is not yet an RFC (https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-08)
(can define a range of ports and greater than/less than)
• IP Protocol
• ICMP Type/Code
• TCP Flags (defined by a bitmask)
• Packet Length
• DSCP Value
• Fragment Bits
very quickly
• Flowspec rules can be sent out programmatically by a controller to a large number of routers
  • For example, send out rules to block a DDoS attack
  • Most attacks are < 15 mins!
• ACLs can be scripted, but this increases complexity
• If rules will be permanent and filtering needs to be in place at boot, then use ACLs
• If rules need to be applied temporarily, or if filtering rules need to be generated and distributed programmatically, then use Flowspec
router it does a validation on the rule to verify that:
• The controller sending the Flowspec rule is also advertising the best-match unicast route for the destination IP/prefix
• Most routers have the ability to manually disable this validation
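The validation check described above, written out as an added example (not code from the presentation or from any router vendor). It assumes a constructed unicast RIB that records which BGP peer supplied the best path for each prefix, finds the longest-match unicast route covering the rule's destination prefix, and accepts the Flowspec rule only if that route came from the same peer that sent the rule. This is what stops a peer from filtering traffic for address space it does not route; the `validation_enabled` flag models the manual override the slide mentions.

```python
import ipaddress

# Constructed sample unicast RIB: prefix -> BGP peer that supplied the best path.
# Example data only, not taken from any real router.
UNICAST_RIB = {
    "198.51.100.0/24": "controller-A",
    "198.51.100.128/25": "peer-B",      # more specific, learned from a different peer
    "203.0.113.0/24": "peer-C",
}


def best_match_unicast(dest_prefix, rib=UNICAST_RIB):
    """Return (network, originator) of the longest unicast prefix covering dest_prefix,
    or None when no unicast route covers it."""
    target = ipaddress.ip_network(dest_prefix)
    best = None
    for prefix, originator in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.version != target.version or not target.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, originator)
    return best


def flowspec_rule_is_valid(dest_prefix, originator, rib=UNICAST_RIB, validation_enabled=True):
    """Accept a Flowspec rule only if the peer that sent it also supplies the
    best-match unicast route for the rule's destination prefix."""
    if not validation_enabled:
        return True                     # operator disabled the check on the router
    match = best_match_unicast(dest_prefix, rib)
    if match is None:
        return False                    # nothing routes there; nobody may filter it
    return match[1] == originator


if __name__ == "__main__":
    # controller-A owns 198.51.100.0/24 but peer-B has the more specific /25
    print(flowspec_rule_is_valid("198.51.100.0/24", "controller-A"))    # True
    print(flowspec_rule_is_valid("198.51.100.200/32", "controller-A"))  # False
```

The second call is rejected because the best match for 198.51.100.200/32 is the /25 learned from peer-B, not the /24 from controller-A; a rule that narrow would have to come from peer-B.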
Most routers have an option to disable rules on specific interfaces or groups of interfaces
  • Ex: Rules on peering interfaces of a peering router and not on other interfaces
• Rules are immediately removed by a router when:
  • Rule is withdrawn via a BGP update
  • BGP session with controller is terminated
rules to block attack traffic
  • Works well for UDP amplification attacks
• Flowspec rules to divert traffic to an Intelligent DDoS Mitigation System (IDMS) for scrubbing
  • Send to VRF or set next hop
  • Can get more granular about what traffic is diverted than regular set-next-hop injection
• Flowspec rules to block attacking source IPs
  • Can run into the 2000 rule limit very quickly, since the first D in DDoS is distributed
for certain types of bad traffic
• Ex. Rule to block traffic sourced from UDP port 11211 with a packet size of 1424 bytes to stop malicious Memcache attacks
• For long-term blocking use ACLs
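To show what a Flowspec rule actually looks like on the wire, here is an added example encoder (not code from the presentation, from any router vendor, or from a BGP implementation) for the RFC 5575 IPv4 Flowspec NLRI and the traffic-action extended communities. It covers the match components listed earlier (prefixes, IP protocol, ports with ranges and greater-than/less-than, TCP flags as a bitmask, packet length, DSCP, fragment bits), the two actions the use-case slide mentions (discard via traffic-rate 0, and redirect to a VRF via route target), and the Memcache example rule from this slide: UDP, source port 11211, packet length 1424. The victim prefix 198.51.100.0/24 and the route target 65000:100 are constructed sample values.

```python
"""RFC 5575 IPv4 Flowspec NLRI and action encoder. Added example only."""
import ipaddress
import struct

# RFC 5575 section 4 component types; each appears at most once, in ascending order
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator low bits: lt=0b100, gt=0b010, eq=0b001
_NUMERIC_OPS = {"=": 0b001, ">": 0b010, "<": 0b100, ">=": 0b011, "<=": 0b101, "!=": 0b110}


def _len_code(value):
    """Return (len field, byte count) for the smallest 1/2/4/8-byte value encoding."""
    for code, nbytes in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * nbytes):
            return code, nbytes
    raise ValueError("value too large for a Flowspec operand")


def encode_prefix(component_type, prefix):
    """Types 1 and 2: <type><prefix length in bits><minimal prefix bytes>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([component_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(component_type, terms):
    """Types 3-8, 10, 11: terms is a list of (op, value, and_with_previous).
    Terms are OR'ed unless the a (AND) bit is set; the last term carries the e (end) bit."""
    out = bytearray([component_type])
    for i, (op, value, and_prev) in enumerate(terms):
        code, nbytes = _len_code(value)
        op_byte = _NUMERIC_OPS[op] | (code << 4)
        if and_prev:
            op_byte |= 0x40              # a bit: AND with the previous term
        if i == len(terms) - 1:
            op_byte |= 0x80              # e bit: end of operator list
        out.append(op_byte)
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def encode_bitmask(component_type, value, negate=False):
    """Types 9 (TCP flags) and 12 (fragment): one term with the m (match) bit set,
    so every bit in value must be set in the packet; negate sets the not bit."""
    code, nbytes = _len_code(value)
    op_byte = 0x80 | (code << 4) | 0x01 | (0x02 if negate else 0)
    return bytes([component_type, op_byte]) + value.to_bytes(nbytes, "big")


def port_range(low, high):
    """'>= low AND <= high', the range form the slides mention."""
    return [(">=", low, False), ("<=", high, True)]


def encode_nlri(components):
    """Sort components by type, reject duplicates, prepend the RFC 5575 length field."""
    types = [c[0] for c in components]
    if len(types) != len(set(types)):
        raise ValueError("each component type may appear only once")
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # extended length, high nibble 0xF


def action_discard():
    """traffic-rate extended community (type 0x80, subtype 0x06) with rate 0 = drop."""
    return struct.pack("!BBHf", 0x80, 0x06, 0, 0.0)


def action_redirect_vrf(asn, value):
    """redirect extended community (0x80, 0x08) carrying the target VRF's route target."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, value)


def memcached_reflection_rule(victim_prefix):
    """This slide's example: UDP, source port 11211, packet length 1424, to the victim."""
    return encode_nlri([
        encode_prefix(DST_PREFIX, victim_prefix),
        encode_numeric(IP_PROTO, [("=", 17, False)]),
        encode_numeric(SRC_PORT, [("=", 11211, False)]),
        encode_numeric(PKT_LEN, [("=", 1424, False)]),
    ])


if __name__ == "__main__":
    print("NLRI   :", memcached_reflection_rule("198.51.100.0/24").hex())
    print("discard:", action_discard().hex())
    print("to VRF :", action_redirect_vrf(65000, 100).hex())
```

The NLRI is only the match side; the router applies whichever action extended community travels with the route, so the same NLRI can be sent with `action_discard()` for blocking or with `action_redirect_vrf()` to steer the flow into a scrubbing VRF. Because every component type may appear only once per rule, a list of attacking source IPs needs one rule per source, which is why the rule limit is reached so quickly.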