Slide 1

Slide 1 text

Anti-DDoS Bot with gobgpd + flowspec
JANOG
Shintaro Kojima @codeout
https://www.flickr.com/photos/iloveui/7090895435/

Slide 2

Slide 2 text

Shintaro Kojima
codeance
codeout
http://about.me/codeout

Slide 3

Slide 3 text

DDoS mitigation is too complicated…

Slide 4

Slide 4 text

This is not so good
• Detection system detects DDoS
• Click Mitigate button on dashboard
• Then DDoS magically goes away

Slide 5

Slide 5 text

This is not so good
• Detection system detects DDoS
• Click Mitigate button on dashboard
• Then DDoS magically goes away

• False positives maybe?
• DDoS is not volumetric
• No idea what happens inside
• Need more speed!

Slide 6

Slide 6 text

Anti-DDoS Bot
ChatOps initiates flowspec route origination to mitigate DDoS at AS border (flowspec origination is done at a non-production router for operational reasons)

Slide 7

Slide 7 text

Anti-DDoS Bot
ChatOps initiates flowspec route origination to mitigate DDoS at AS border (flowspec origination is done at a non-production router for operational reasons)
gobgpd looks good to place here

Slide 8

Slide 8 text

osrg/gobgp
https://github.com/osrg/gobgp
• bgpd implemented in Go
• gRPC between bgpd and CLI client
• Committer is here in JANOG!

Slide 9

Slide 9 text

Great Support ⚡

Slide 10

Slide 10 text

gRPC
• Google's RPC Framework
• HTTP2 Transport
• Serializer: Protocol Buffer
• Provides RPC Modeling Layer like NETCONF

Slide 11

Slide 11 text

gRPC or NETCONF

Slide 12

Slide 12 text

gRPC: protobuf / http2; Auto-generated Serializer; Auto-generated De-serializer
NETCONF: XML (YANG) / SSH, TLS; Vendor's Serializer; 3rd Party De-serializer

Slide 13

Slide 13 text

Comparable programmability

gRPC:

    var grpc = require('grpc');
    // Load the gobgp service definition shipped with the gobgp package
    var api = grpc.load('node_modules/gobgp/deps/gobgp/gobgp.proto').gobgpapi;
    // Plaintext (no TLS) channel to gobgpd's gRPC port on localhost
    var stub = new api.GobgpApi('localhost:50051', grpc.Credentials.createInsecure());

    // Server-streaming call: one 'data' event per BGP neighbor
    var call = stub.getNeighbors({});
    call.on('data', function(neighbor) {
      console.log(JSON.stringify(neighbor));
    });

NETCONF:

    var netconf = require('netconf');
    // NETCONF over SSH on port 830 with sample credentials
    var router = new netconf.Client({
      host: 'localhost',
      port: 830,
      username: 'codeout',
      password: 'password'
    });

    router.open(function afterOpen(err) {
      if (!err) {
        // Vendor-specific RPC; the reply is parsed from XML
        router.rpc('get-bgp-neighbor-information', function (err, reply) {
          router.close();
          if (err) {
            throw (err);
          }
          console.log(JSON.stringify(reply));
        });
      } else {
        throw (err);
      }
    });

Slide 14

Slide 14 text

Speed! x10

Slide 15

Slide 15 text

Why gRPC is better
• Auto-generated client
• No additional code for basic client features, e.g. error handling without sending requests to server
• Speed!

Slide 16

Slide 16 text

Let's write some code

Slide 17

Slide 17 text

What people expected

    var Gobgp = require('gobgp');
    var gobgp = new Gobgp('localhost:50051');

    gobgp.modPath('ipv4-flowspec',
                  'match source 10.0.0.0/24 then rate-limit 10000');

Slide 18

Slide 18 text

What gobgp API requires

    var Gobgp = require('gobgp');
    var gobgp = new Gobgp('localhost:50051');

    gobgp.modPath({path: { nlri: ,
                           pattrs:
                             [ ,
                               ,
                             ] }});

Slide 19

Slide 19 text

Why Binary PATH Attribute

Slide 20

Slide 20 text

OK, but don't want to spoil programmability

Slide 21

Slide 21 text

[Diagram: NodeJS, gRPC (JS), addon and gobgp components for each plan]
Plan A, NodeJS Serializer: Serialize by NodeJS
Plan B, C Serializer: Serialize by C-Shared Library built from gobgp

Slide 22

Slide 22 text

[Diagram: NodeJS, gRPC (JS), addon and gobgp (C) components]
Build gobgp C-Shared Library only for Serializer
Serialize in C and everything else in NodeJS

Slide 23

Slide 23 text

codeout/gobgp-node
https://github.com/codeout/gobgp-node
• gobgp client library for NodeJS
• RIB manipulation features
• Hubot script: https://gist.github.com/codeout/20bc799560b6efe7b2be

Slide 24

Slide 24 text

Features
• Originate
• Delete
• Show Routes
Besides,
• Unicast routes lookup
• Host address to prefix conversion for flowspec route origination
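Slide 24 lists host-address-to-prefix conversion as a bot feature, and slide 17 shows the rule string people expect to pass. The block below is an added example, not code from gobgp-node or the Hubot script: it does that conversion and validates the chat argument before building the rule string; the function names and the MIN_PREFIX_LEN and MAX_RATE limits are assumptions.

```javascript
// Added example: turn a chat argument into the rule text shown on slide 17.
const MIN_PREFIX_LEN = 24; // assumed policy: the bot refuses anything broader than /24
const MAX_RATE = 1e9;      // assumed policy: upper bound accepted for rate-limit

// Strict dotted-quad parser: four decimal octets, no leading zeros, each <= 255.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

function formatIPv4(value) {
  return [24, 16, 8, 0].map(s => Math.floor(value / 2 ** s) % 256).join('.');
}

// "10.0.0.5" -> "10.0.0.5/32"; "10.0.0.77/24" -> "10.0.0.0/24" (host bits cleared).
// Anything that is not exactly address[/length] is rejected, so free-form chat
// text can never leak into the rule string.
function toPrefix(arg) {
  const [addr, lenText = '32', extra] = arg.trim().split('/');
  const ip = parseIPv4(addr);
  if (ip === null || extra !== undefined || !/^\d{1,2}$/.test(lenText)) {
    throw new Error('not an IPv4 address or prefix: ' + arg);
  }
  const len = Number(lenText);
  if (len > 32) throw new Error('bad prefix length: ' + arg);
  if (len < MIN_PREFIX_LEN) throw new Error('prefix too broad for the bot: ' + arg);
  const size = 2 ** (32 - len);
  return formatIPv4(ip - (ip % size)) + '/' + len;
}

function buildFlowspecRule(sourceArg, rate) {
  if (!Number.isInteger(rate) || rate < 0 || rate > MAX_RATE) {
    throw new Error('bad rate-limit: ' + rate);
  }
  return 'match source ' + toPrefix(sourceArg) + ' then rate-limit ' + rate;
}
```

Rejecting broad prefixes and malformed arguments in the bot keeps a typo in chat from becoming a rate-limit on a whole address block at the AS border.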

Slide 25

Slide 25 text

Next Step
• Detection system detects DDoS
• Talk to hubot with DDoS ticket ID
• hubot gets DDoS traffic information by the ID and originates flowspec route accordingly
• Then DDoS goes away

Slide 26

Slide 26 text

Next Step
• Detection system detects DDoS
• Talk to hubot with DDoS ticket ID
• hubot gets DDoS traffic information by the ID and originates flowspec route accordingly
• Then DDoS goes away

It requires API of DDoS Detection System to do this

Slide 27

Slide 27 text

Conclusion
• gobgpd + flowspec can mitigate DDoS
• By ChatOps!

Slide 28

Slide 28 text

Tips
• Flowspec route validation behavior depends on the implementation of each router vendor
• draft-ietf-idr-bgp-flowspec-oid-02
• Another implementation of Anti-DDoS Bot (ACL auto-generator) can be done