Anti-DDoS Bot with gobgpd + flowspec https://www.flickr.com/photos/iloveui/7090895435/ +"/0( 4IJOUBSP,PKJNB!DPEFPVU

4IJOUBSP,PKJNB DPEFBODF codeout http://about.me/codeout

%%P4NJUJHBUJPOJT UPPDPNQMJDBUFEʜ

5IJTJTOPUTPHPPE %FUFDUJPOTZTUFNEFUFDUT%%P4 $MJDL.JHJHBUFCVUUPOPO EBTICPBSE 5IFO%%P4NBHJDBMMZHPFT BXBZ

5IJTJTOPUTPHPPE %FUFDUJPOTZTUFNEFUFDUT%%P4 $MJDL.JHJHBUFCVUUPOPO EBTICPBSE 5IFO%%P4NBHJDBMMZHPFT BXBZ False positives maybe? DDoS is not volumetric No idea what happens inside Need more speed!

"OUJ%%P4#PU ChatOps initiates flowspec route origination to migigate DDoS at AS border (flowspec
 origination is done at a non-production router for operational reason)

"OUJ%%P4#PU ChatOps initiates flowspec routes origination to migigate DDoS at AS border (flowspec
 origination is done at a non-production router for operational reason) gobgpd looks good to place here

PTSHHPCHQ https://github.com/osrg/gobgp • bgpd implemented in Go • gRPC between bgpd and CLI client • Committer is here in JANOG !

(SFBU4VQQPSU⚡

H31$ • Google's RPC Framework • HTTP2 Transport • Serializer: Protocol Buffer • Provides RPC Modeling Layer like NETCONF

H31$ PS /&5$0/'

H31$ /&5$0/' protobuf / http2 Auto- generated Serializer Auto-generated De-serializer XML (YANG) / SSH, TLS Vendor's Serializer 3rd Party De-serializer

$PNQBSBCMF QSPHSBNNBCJMJUZ 1 var grpc = require('grpc'); 2 var api = grpc.load('node_modules/gobgp/deps/gobgp/gobgp.proto').gobgpapi; 3 var stub = new api.GobgpApi('localhost:50051', grpc.Credentials.createInsecure()); 4 5 var call = stub.getNeighbors({}); 6 call.on('data', function(neighbor) { 7 console.log(JSON.stringify(neighbor)); 8 }); H31$ 1 var netconf = require('netconf'); 2 var router = new netconf.Client({ 3 host: 'localhost', 4 port: 830, 5 username: 'codeout', 6 password: 'password' 7 }); 8 9 router.open(function afterOpen(err) { 10 if (!err) { 11 router.rpc('get-bgp-neighbor-information', function (err, reply) { 12 router.close(); 13 if (err) { 14 throw (err); 15 } 16 console.log(JSON.stringify(reply)); 17 }); 18 } else { 19 throw (err); 20 } 21 }); /&5$0/'

4QFFEʂ x10

8IZH31$JTCFUUFS •Auto-generated client •No additional code for basic client features
 eg) Error handling without sending requests to server •Speed ！

-FUT XSJUFBDPEF

8IBUQFPQMFFYQFDUFE 1 var Gobgp = require('gobgp'); 2 var gobgp = new Gobgp('localhost:50051'); 3 4 gobgp.modPath('ipv4-flowspec', 5 'match source 10.0.0.0/24 then rate-limit 10000');

8IBUHPCHQ"1* SFRVJSFT 1 var Gobgp = require('gobgp'); 2 var gobgp = new Gobgp('localhost:50051'); 3 4 gobgp.modPath({path: { nlri: , 5 pattrs: 6 [ , 7 , 8 ] }});

8IZ#JOBSZ1"5) "UUSJCVUF

0, #VU EPOUXBOUUPTQPJM QSPHSBNNBCJMJUZ

7 $ BEEPO $ 7 $ /PEF+4 H31$ +4 1MBO" /PEF+44FSJBMJ[FS Serialize by NodeJS /PEF+4 H31$ $ HPCHQ $ Serialize by C-Shared Library built from gobgp 1MBO# $4FSJBMJ[FS

7 $ BEEPO $ /PEF+4 H31$ +4 Build gobgp C- Shared Library only for Serializer HPCHQ $ 4FSJBMJ[FJO$BOE FWFSZUIJOHFMTFJO/PEF+4

DPEFPVUHPCHQOPEF https://github.com/codeout/gobgp-node • gobgp client library for NodeJS • RIB manipulation features • Hubot script:
 https://gist.github.com/codeout/20bc799560b6efe7b2be

'FBUVSFT 0SJHJOBUF %FMFUF 4IPX3PVUFT Besides, • Unicast routes lookup • Host address to prefix conversion for flowspec routes origination

/FYU4UFQ %FUFDUJPOTZTUFNEFUFDUT%%P4 5BMLUPIVCPUXJUI
 %%P4UJDLFU*% IVCPUHFUT%%P4USBGpDJOGPSNBUJPO CZUIF*%BOEPSJHJOBUFqPXTQFD SPVUFBDDPSEJOHMZ 
 5IFO%%P4HPFTBXBZ

/FYU4UFQ %FUFDUJPOTZTUFNEFUFDUT%%P4 5BMLUPIVCPUXJUI
 %%P4UJDLFU*% IVCPUHFUT%%P4USBGpDJOGPSNBUJPO CZUIF*%BOEPSJHJOBUFqPXTQFD SPVUFBDDPSEJOHMZ 
 5IFO%%P4HPFTBXBZ *USFRVJSFT"1*PG %%P4%FUFDUJPO 4ZTUFNUPEPUIJT

$PODMVTJPO •gobgpd + flowspec can mitigation DDoS •By ChatOps !

5JQT • Flowspec route validation behavior depends on the implementation of each router vendor • draft-ietf-idr-bgp-flowspec-oid-02 • Another implementation of Anti-DDoS Bot (ACL auto-generator) can be done