BGP FLOWSPEC OVERVIEW

Added: 2016-09-09

Slide2

BGP FLOWSPEC OVERVIEW

Slide3

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

[Diagram: a Botnet sends attack traffic through the Service Provider Network (Router) into the Enterprise or IDC (Firewall, IPS/IDS) towards the Victim, alongside traffic from Legitimate Users. Callouts:]
- DDoS attacks are launched from compromised systems (bots)
- DDoS attack traffic consumes SP network capacity
- DDoS attack traffic saturates inline security devices
- DDoS attack traffic targets applications & services

Slide4

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

- DDoS attacks against customers are the number 1 operational threat for SPs [1], ahead of outages due to failures or BW saturation.
- Largest attack this year: 400Gbps NTP amplification attack in Feb 2014.
- Frequency of attacks growing alarmingly [1], some SPs with over 100 attacks per month.
- Over one third of Data Centers experienced attacks exceeding the total BW available to the Data Center [1].

Slide5

SERVICE PROVIDER NETWORK SECURITY DESIGN

Service Providers must protect their network infrastructure against DDoS attacks, and can also provide DDoS protection services to their customers.

ISP network security design considerations:
- Typically uses a "Defense in Depth" model: the same security function replicated in different layers of the network.
- DDoS protection functionality can be enabled in multiple network components present in different layers of the network: Routers, DDoS Scrubbers, IDS/IPS appliances, Load Balancers, Firewalls.
- Routers' security features play a key role in helping to secure the Service Provider's network infrastructure and its customers against DDoS attacks:
  - Routers are the first line of defense along the entire perimeter of the network.
  - Routers can mitigate the attack at the network edge, minimizing the impact of the attack traffic.
  - Routers have a better chance to handle high-BW attacks than most other devices.
  - Techniques: D/RTBH, S/RTBH, ACLs, BGP Flowspec.

Slide6

DDoS MITIGATION – D/RTBH FILTERING

[Diagram: same topology as Slide 3; a BGP Announcement from the customer reaches the SP edge routers (marked RTBH). Legend: Good traffic, Attack traffic, BGP Announcement.]

- D/RTBH applied at SP edge: all traffic destined to the prefix announced (victim) is discarded, good and bad alike, so the victim prefix becomes unreachable while the rest of the network and the customer's other prefixes are protected. Traffic could be originated from anywhere.
- Customer BGP peer initiates a BGP update with the prefix to be mitigated pointing to the blackhole route or marked with a Community (the SP could also initiate it).
- Edge routers configured with a blackhole route.
- Sixth most used tool to mitigate DDoS attacks [1].
- RFCs: RFC 3882, RFC 5635 (includes D/RTBH and S/RTBH).

Slide7

DDoS MITIGATION – S/RTBH FILTERING

[Diagram: same topology as Slide 3; a BGP Announcement from the SP reaches the edge routers (marked RTBH). Legend: Good traffic, Attack traffic, BGP Announcement.]

- S/RTBH applied at SP edge: all traffic originated from the prefix announced (attackers) is discarded. Traffic can be destined to anywhere.
- Edge routers configured with a blackhole route and uRPF enabled in loose mode on the external interfaces (if the source IP matches the blackhole route, uRPF treats the packets as having failed the uRPF check and drops them).
- SP BGP peer initiates the BGP update with the prefix to be mitigated.
- Eighth most used tool to mitigate DDoS attacks [1].
- RFCs: RFC 5635 (includes D/RTBH and S/RTBH).

Slide8

DDoS MITIGATION – BGP FLOWSPEC

- BGP Flowspec defines a new BGP Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules.
- Specified in RFC 5575 [2], Dissemination of Flow Specification Rules (extended to IPv6 in draft-ietf-idr-flow-spec-v6 [3]).
  - NLRI (AFI=1, SAFI=133): IPv4 unicast filtering
  - NLRI (AFI=1, SAFI=134): VPNv4 BGP/MPLS filtering
- Main application today is to automate the distribution of traffic filter lists to routers from a single point of control, for the mitigation of DDoS attacks: selectively drop traffic flows based on L3/L4 information.
- An intelligent control platform builds filter rules to filter harmful traffic, encodes them as BGP flowspec routes and advertises them to its BGP peers.
- The traffic filtering rules can drop or redirect packets that are deemed invalid or suspicious.

Slide9

DDoS MITIGATION – BGP FLOWSPEC

The Flow specification can match on the following criteria:
- Source / Destination Prefix
- IP Protocol (UDP, TCP, ICMP, etc.)
- Source and/or Destination Port
- ICMP Type and Code
- TCP Flags
- Packet Length
- DSCP (Diffserv Code Point)
- Fragment (DF, IsF, FF, LF)

Actions are defined using Extended Communities:
- 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
- 0x8007: traffic-action (sample and terminal-action bits)
- 0x8008: redirect to VRF
- 0x8009: traffic-marking (DSCP value)
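As an added worked example (not code from the presentation), the following Python encodes the rule "discard UDP traffic to 192.0.2.0/24, destination port 53" into the RFC 5575 NLRI byte format (a length octet followed by typed components) together with the traffic-rate and redirect-to-VRF extended communities listed above, and decodes the NLRI back. The victim prefix 192.0.2.0/24 and AS 65000 are documentation values assumed for the example; they do not appear in the slides.

```python
"""Encode/decode the BGP Flowspec NLRI of RFC 5575 (AFI=1, SAFI=133) and the
action extended communities for an IPv4 rule such as
"discard UDP traffic to 192.0.2.0/24, destination port 53".

Assumed for the example: 192.0.2.0/24 is the victim prefix and 65000 the
local AS; both are documentation values, not from the presentation."""
import ipaddress
import struct

# Component types, RFC 5575 section 4
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
PREFIX_TYPES = {DST_PREFIX, SRC_PREFIX}
IPPROTO_UDP = 17


def encode_prefix(ctype, prefix):
    """<type><prefix length in bits><minimum number of prefix octets>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype, values):
    """Numeric component: <type> then (operator, value) pairs.
    Operator byte = e<<7 | a<<6 | len<<4 | lt<<2 | gt<<1 | eq, where len
    selects a 1/2/4/8-octet value. Each value here is an '==' match, the
    pairs are ORed (a=0) and the last one carries the end-of-list bit e."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        for code, size in ((0, 1), (1, 2), (2, 4), (3, 8)):
            if v < 1 << (8 * size):
                break
        else:
            raise ValueError("value %d does not fit in 8 octets" % v)
        end = 0x80 if i == len(values) - 1 else 0x00
        out += bytes([end | (code << 4) | 0x01]) + v.to_bytes(size, "big")
    return bytes(out)


def encode_nlri(components):
    """Flowspec NLRI: 1-octet length if < 240, else 2 octets 0xFnnn, then body."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def decode_nlri(data):
    """Inverse of encode_nlri: returns {component type: prefix str or [values]}."""
    if data[0] >= 0xF0:
        length, body = struct.unpack("!H", data[:2])[0] & 0x0FFF, data[2:]
    else:
        length, body = data[0], data[1:]
    body, rules, i = body[:length], {}, 0
    while i < len(body):
        ctype, i = body[i], i + 1
        if ctype in PREFIX_TYPES:
            plen, i = body[i], i + 1
            nbytes = (plen + 7) // 8
            addr = int.from_bytes(body[i:i + nbytes].ljust(4, b"\x00"), "big")
            rules[ctype] = str(ipaddress.IPv4Network((addr, plen), strict=False))
            i += nbytes
        else:
            values = []
            while True:
                op, i = body[i], i + 1
                size = 1 << ((op >> 4) & 0x3)
                values.append(int.from_bytes(body[i:i + size], "big"))
                i += size
                if op & 0x80:            # end-of-list bit
                    break
            rules[ctype] = values
    return rules


def ext_community_traffic_rate(asn, bytes_per_second):
    """0x8006 traffic-rate: 2-octet AS id, then IEEE single-precision rate in
    bytes/s. A rate of 0.0 discards all traffic matching the flow."""
    return struct.pack("!HHf", 0x8006, asn, bytes_per_second)


def ext_community_redirect_vrf(asn, value):
    """0x8008 redirect: route-target style <AS>:<value> naming the target VRF."""
    return struct.pack("!HHI", 0x8008, asn, value)


def build_drop_dns_rule():
    """The rule "discard UDP to 192.0.2.0/24 port 53" as (NLRI, ext community)."""
    nlri = encode_nlri([
        encode_prefix(DST_PREFIX, "192.0.2.0/24"),
        encode_numeric(IP_PROTO, [IPPROTO_UDP]),
        encode_numeric(DST_PORT, [53]),
    ])
    return nlri, ext_community_traffic_rate(65000, 0.0)


if __name__ == "__main__":
    nlri, action = build_drop_dns_rule()
    print("NLRI:", nlri.hex())          # 0b0118c00002038111058135
    print("action:", action.hex())      # 8006fde800000000
    print("decoded:", decode_nlri(nlri))
```

The same encoder produces the redirect action of the later slides by swapping `ext_community_traffic_rate` for `ext_community_redirect_vrf(65000, 100)`, which yields the 0x8008 community naming route target 65000:100. Note that the NLRI carries only the match; the action always travels in the extended community attribute of the same UPDATE.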

Slide10

WHY USE BGP FOR ACLs?

- ACLs are still the most widely used tool to mitigate DDoS attacks [1]. But ACLs are demanding in configuration & maintenance.
- BGP Flowspec leverages the BGP Control Plane to simplify the distribution of ACLs, greatly improving operations:
  - Inject new filter rules to all routers simultaneously without changing configuration.
  - Reuse existing BGP operational knowledge & best practices.
  - Improve response time to mitigate DDoS attacks!

(Source: Arbor Networks WISR 2014)

Slide11

BGP FLOWSPEC MITIGATION

[Diagram: same topology as Slide 3; the SP Portal sends a BGP Announcement to the edge routers (marked FLOW). Legend: Good traffic, Attack traffic, BGP Announcement.]

- Flowspec filter applied on the external interfaces: only traffic matching that flow is discarded.
- SP Portal initiates a BGP update with the ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it).
- Edge routers configured with BGP flowspec sessions, and flowspec filtering enabled on external peering interfaces.
- BGP Flowspec route validation performed for eBGP sessions only.
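The route validation mentioned above is what stops a peer from injecting filters for prefixes it does not route. As an added Python example (not from the presentation), the function below implements the check of RFC 5575 section 6: a flowspec route with destination prefix D received from neighbour N is accepted only if (a) N is the originator of the best-match unicast route for D and (b) no more-specific unicast route than D was learned from a different neighbouring AS. The unicast RIB is constructed for the example and the originator is modelled simply as the neighbour AS a route was learned from, which is the eBGP case the slide describes; the AS numbers are documentation values.

```python
"""Validation of a received BGP Flowspec route (RFC 5575 section 6).

A flow specification with destination prefix D, received from neighbour N,
is accepted only if:
  (a) N is the originator of the best-match unicast route for D, and
  (b) no more-specific unicast route than D was received from a different
      neighbouring AS than that best-match route.
Originators are modelled as the neighbour AS of the best path (eBGP case).
The RIB and AS numbers are constructed for the example."""
import ipaddress

# Constructed unicast RIB: prefix -> neighbour AS the best path was learned from
UNICAST_RIB = {
    "192.0.2.0/24": 64500,
    "192.0.2.128/25": 64501,    # more specific, learned from a different AS
    "198.51.100.0/24": 64500,
}


def best_match(rib, dst_prefix):
    """Longest-prefix match in the unicast RIB covering dst_prefix, or None."""
    net = ipaddress.IPv4Network(dst_prefix)
    covering = [p for p in map(ipaddress.IPv4Network, rib) if net.subnet_of(p)]
    return max(covering, key=lambda p: p.prefixlen) if covering else None


def validate_flowspec(rib, dst_prefix, from_as):
    """Return (accepted, reason) for a flowspec route for dst_prefix from from_as."""
    net = ipaddress.IPv4Network(dst_prefix)
    best = best_match(rib, dst_prefix)
    if best is None:
        return False, "no unicast route covers %s" % dst_prefix
    best_as = rib[str(best)]
    if best_as != from_as:                      # rule (a)
        return False, "best-match %s is from AS%d, flowspec from AS%d" % (
            best, best_as, from_as)
    for p_str, asn in rib.items():              # rule (b)
        p = ipaddress.IPv4Network(p_str)
        if p.prefixlen > net.prefixlen and p.subnet_of(net) and asn != best_as:
            return False, "more specific %s learned from AS%d" % (p, asn)
    return True, "valid"


if __name__ == "__main__":
    for prefix, asn in [("198.51.100.0/24", 64500), ("198.51.100.0/24", 64501),
                        ("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500)]:
        print(prefix, "from AS%d:" % asn, validate_flowspec(UNICAST_RIB, prefix, asn))
```

The third case is the interesting one: AS64500 does originate 192.0.2.0/24, yet its flowspec for the whole /24 is rejected because AS64501 announces the more specific 192.0.2.128/25, so accepting the filter would let AS64500 drop traffic that belongs to another customer. A flowspec for 192.0.2.0/25 from AS64500 passes. Reference [4] revises this procedure for the case where the flowspec is originated by the provider rather than the customer.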

Slide12

BGP FLOWSPEC – VENDORS & USERS

Router vendors supporting BGP Flowspec:
- Alcatel-Lucent 7750 SROS 9.0R1
- Juniper JunOS 7.3

DDoS mitigation vendors:
- Arbor Peakflow SP 3.5

BGP Tools:
- ExaBGP Injector [5]

Users:
- North America: TW Telecom (TWTC) [6], multiple Tier 1, Tier 2
- Europe: multiple Tier 1, Tier 2
- Latin America & Caribbean: RNP (Brazil) [7]

Slide13

TRAFFIC REDIRECTION

- Another application for BGP Flowspec is its use for traffic redirection to a DDoS Scrubbing device.
- DDoS scrubbers are dedicated appliances able to mitigate complex, application-layer DDoS attacks using multiple techniques including DPI inspection, signature matching, behavior analysis, protocol authentication procedures, etc.
- DDoS Scrubbers are shared resources in the SP infrastructure, typically deployed in designated locations called Scrubbing Centers.
- Attack traffic backhauling is required for DDoS mitigation: traffic anomalies entering the network need to be redirected to the Scrubbing Centers and go through the scrubbers before reaching the intended destination (Data Center, Customer Network, etc.):
  - Traffic Diversion or Offramping
  - Traffic Reinjection or Onramping

Slide14

TRAFFIC REDIRECTION

- Diversion or Offramping: rerouting of traffic destined to the victim to the DDoS mitigation appliance for scrubbing.
- Reinjection or Onramping: redirection of scrubbed (clean) traffic back to its intended destination.
- Typically, traffic diversion takes place through more specific BGP prefix announcements (victim addresses), usually in the GRT (called the diversion/offramp route):
  - Easier to control & manipulate routes (NH, Communities)
  - Can be signaled across AS boundaries if required
  - All traffic to the victim is redirected to the scrubber (good & bad)
- Traffic Reinjection usually requires tunneling or an alternate routing domain (VRF) to get clean traffic back to its intended destination without looping.

Slide15

TRAFFIC REDIRECTION

[Figure: Real mitigation of DNS attack]

Slide16

BGP FLOWSPEC TRAFFIC REDIRECTION

[Diagram: Internet -> Router -> Enterprise or IDC (Firewall, IPS/IDS, Victim). A Detection & Control platform sends a BGP Flowspec Diversion to the edge router; matching attack traffic enters a "Dirty" VRF towards the Scrubbing Center (DDoS Scrubber) and clean traffic is reinjected towards the victim, while good traffic follows the normal path. Edge routers marked FLOW.]

- BGP Flowspec filter redirects only the specified traffic that matches the rule.
- Diverted traffic is a subset of all traffic destined to the victim.

Slide17

BGP FLOWSPEC REDIRECTION: Optimized Design & Operation

- No changes to the Global Routing Table (GRT)
  - Diversion performed by Flowspec NLRI
  - Flowspec filter action configured to "Redirect to VRF", Extended Community 0x8008
- Less intrusive to the routing system
  - No need for a tunneling design for reinjection/onramping
  - Clean traffic can simply be sent back to the GRT (the flowspec filter is applied only on the external interfaces, so reinjected traffic is not matched and diverted again)
- More granular control of diverted traffic
  - Allows for the redirection of only a subset of the traffic to the victim: specific protocols, ports, source prefix, destination prefix
  - Less traffic overhead for the DDoS Scrubber to deal with

Slide18

BGP FLOWSPEC REDIRECTION: Enabling New Workflows

Facilitates the implementation of new mitigation workflows for demanding use cases:
- "Always on" mitigations for critical resources: HTTPS traffic only (normal web traffic follows the on-demand mitigation model)
- Victims with very large traffic volume: divert just traffic from a certain block or geographical region (based on IP location)

Slide19

SUMMARY – BGP FLOWSPEC

- Improved workflow for the application of ACLs for the mitigation of DDoS attacks by infrastructure routers
- Improved traffic diversion for the mitigation of complex DDoS attacks by Scrubbing Appliances
  - Allows for a better optimization of the shared mitigation capacity of the scrubbers
  - Simplifies the design of traffic redirection & reinjection in the network

Slide20

References:

[1] Arbor Networks, 2014 Worldwide Infrastructure Security Report, Volume IX
[2] RFC 5575, Dissemination of Flow Specification Rules
[3] draft-ietf-idr-flow-spec-v6-03, Dissemination of Flow Specification Rules for IPv6
[4] draft-ietf-idr-bgp-flowspec-oid-01, Revised Validation Procedure for BGP Flow Specifications
[5] 2010, LINX69, Thomas Mangin (Exa Networks), Andy Davidson (NetSumo), "BGP Route Injection", http://www.andyd.net/media/talks/BGPRouteInjection.pdf
[6] 2006, NANOG 38, D. Gassen, R. Lozano (Time Warner Telecom), D. McPherson, C. Labovitz (Arbor Networks), "BGP Flow Specification Deployment Experience"
[7] 2007, GTER/GTS, Raniery Pontes (RNP), "Flowspec em ação - Experiência de uso no backbone da RNP" (Flowspec in action: experience of use in the RNP backbone)
