SlideShare ist ein Scribd-Unternehmen logo

Protect your edge BGP security made simple

Pavel Odintsov
Pavel Odintsov

Theo Voss Technical Lead Network SysEleven GmbH

Technologie
1 von 33
Downloaden Sie, um offline zu lesen
Protect your edge BGP security made simple Theo Voss Technical Lead Network
 SysEleven GmbH DENOG8
Who is SysEleven? Managed Hoster & Upstream-Provider
 300+ customers, 10 Points-of-Presence
Current Situation
Current Situation
The majority of ISPs in the world still filter on max-prefix limits at most and hope for the best.
Is filtering not easy enough? HowTo’s or BCPs missing?
Routing Policy We filter.. • Bogon ASNs • Bogon prefixes • IXP networks • Own networks • Prefix length • Invalid prefixes term REJECT-BOGON-ASN from as-path-group BOGON-ASN term REJECT-BOGON-ASN then reject term REJECT-BOGON-PREFIXES from prefix-list-filter BOGON-PREFIXES orlonger term REJECT-BOGON-PREFIXES then reject term REJECT-SYS11-PREFIXES from prefix-list-filter SYSELEVEN-NETWORKS orlonger term REJECT-SYS11-PREFIXES then reject term REJECT-IXP-NETWORKS from prefix-list-filter IXP-NETWORKS orlonger term REJECT-IXP-NETWORKS then reject term FILTER-PREFIX-LENGTH-1 from route-filter 0.0.0.0/0 prefix-length-range /0-/8 term FILTER-PREFIX-LENGTH-1 then reject term FILTER-PREFIX-LENGTH-2 from route-filter 0.0.0.0/0 prefix-length-range /25-/32 term FILTER-PREFIX-LENGTH-2 then reject term RPKI_REJECT_INVALID from community SYS11_ORIGIN_RPKI_INVALID term RPKI_REJECT_INVALID then reject
No Dynamic prefix filter generator
Autogen • Reads AS-SETs from file • Generates XML „prefix-list“ • Applied via NETCONF • Executed every night router;type;lclpref;metric;enabled;import;export;passive;rpki;addr;email;ipv;peer-name;peer-ip;asn;as-set;md5;prefix-limit router ; DECIX ; 110 ; 90 ; Y ; Y ; Y ; Y ; N ;;; 4 ; YAHOO ; 80.81.192.115 ; 10310 ; AS-YAHOO ; term PEERING from prefix-list-filter 4-AS-YAHOO orlonger; then accept
Autogen • Reads AS-SETs from file • Generates XML „prefix-list“ • Applied via NETCONF • Executed every night router;type;lclpref;metric;enabled;import;export;passive;rpki;addr;email;ipv;peer-name;peer-ip;asn;as-set;md5;prefix-limit router ; DECIX ; 110 ; 90 ; Y ; Y ; Y ; Y ; N ;;; 4 ; YAHOO ; 80.81.192.115 ; 10310 ; AS-YAHOO ; term PEERING from prefix-list-filter 4-AS-YAHOO orlonger; then accept
Autogen / bgpq3 • Prefix-filter generator • Extracts prefixes from route-objects • Default IRR: RADB • Supports Cisco & Juniper https://github.com/snar/bgpq3
Autogen / aggregate EVERYBODY LOVES AGGREGATION! # apt-get install aggregate https://github.com/job/aggregate6
Autogen Generates Juniper XML: echo "<configuration ><groups> <name>AUTOGEN-$ip_version</name><apply-flags><omit/></apply-flags> • <policy-options replace="replace">" for a in $objects; do • echo "<prefix-list replace="replace"><name>$ip_version-$a</name>" /usr/bin/bgpq3 -h whois.syseleven.net $a | awk '{print $5}' | aggregate -q while read line; do • echo "<prefix-list-item>$line</prefix-list-item>" • done • echo "</prefix-list>" done echo "</policy-options></groups></configuration>"
Autogen / NETCONF • Juniper NETCONF client • edit_configuration.pl for JunOS 14+ • Reads xml-formatted configuration /usr/bin/perl edit_configuration.pl -l $user -p $pass -m ssh $xmlfile $target:22 https://github.com/juniper/netconf-perl
Autogen / Challenges • RPKI/max-prefix for peers with 10k+ prefixes • Using ASN if no AS-SET exists • Install own mirror instead of using RADB
whois.syseleven.net • Running on IRRd v3.0.8 • RIPE, RADB, BBOI, LEVEL3, NTTCOM, ARIN, ALTDB • Using downsized RIPE database https://github.com/irrdnet/irrd https://launchpad.net/~syseleven-platform/+archive/ubuntu/irrd
RPKI • RIPE validator v2.23 used • Please create ROAs via LIR Portal https://github.com/RIPE-NCC/rpki-validator/
RPKI Modes configured per peer: • MODERATE Reject invalid announcements • STRICT Accept only valid announcements router;type;localpref;metric;enabled;import;export;passive;rpki;localaddr;email;ip-version;peer-name;peer-ip;asn;as-set;md5 router ; UPSTREAM ; 100 ; 100 ; Y ; Y ; Y ; N ; {M,S} ;;; 4 ; LEVEL3 ; 212.*.*.* ; 3356 ;;
RPKI Configuration on JunOS: tvoss@router> show configuration routing-options validation group RPKI { session 151.252.**.** { refresh-time 300; hold-time 600; port 8282; local-address 37.123.**.**; } session 37.44.**.** { refresh-time 300; hold-time 600; port 8282; local-address 37.123.**.**; } } tvoss@router> show configuration policy-options policy-statement 4-DOWNSTREAM-IN term RPKI-VALIDATION-VALID { from validation-database valid; then { validation-state valid; community add SYS11_ORIGIN_RPKI_VALID; } } term RPKI-VALIDATION-INVALID { from validation-database invalid; then { validation-state invalid; community add SYS11_ORIGIN_RPKI_INVALID; } } tvoss@router> show configuration policy-options policy-statement 4-CUSTOMER-IN term RPKI_REJECT_INVALID { from community SYS11_ORIGIN_RPKI_INVALID; then reject; }
RPKI / Challenges • 10k+ invalid routes rejected • Biggest polluter: a certain Tier1 • Disputable possibility of censorship tvoss@router> show route receive-protocol bgp CERTAIN-TIER1 table inet.0 hidden | count Count: 3765 lines* tvoss@router> show route receive-protocol bgp TELIA-CARRIER table inet.0 hidden | count Count: 0 lines* * 1 line subtracted for header information
RPKI / Challenges • If validator dies, invalid announcements accepted • Setup a second validator tvoss@router> show validation session Session State Flaps Uptime #IPv4/IPv6 records 37.44.**.** Up 0 1w3d 05:47:59 24999/3591 151.252.**.** Up 0 1w3d 06:04:23 24999/3591
It’s not only about filtering
Denial of Service SysEleven’s challenge: • DDoS smaller than 100 Gbps • 99% volumetric attacks • 99% stupid attacks
Denial of Service SysEleven’s approach: • Increased upstream capacity • Moved all ports into LAGs • Installed FastNetMon • Enabled FlowSpec
Denial of Service / FastNetMon • DDoS attack detection • User-defined thresholds • Collects NetFlow, sFlow, IPFIX data • Support for Graphite, InfluxDB, ExaBGP https://github.com/pavel-odintsov/fastnetmon
Detection is good Mitigation is better
Denial of Service / FlowSpec • FlowSpec (RFC5575) enabled • Filters propagated by BGP • Rate-Limit possible • Upstream sessions are FlowSpec enabled • Communities for advertising/exporting
Denial of Service / Attack • Detection and mitigation in less then 2 minutes • Script triggered: /usr/… /notify_about_attack.{sh,py} • SMS via 3rd-party API to NOC engineer on duty
Denial of Service / Attack Information from FNM capture used: tvoss@router# show | compare [edit routing-options flow] + route 109.68.230.206/32 { + match { + destination 109.68.230.206/32; + protocol udp; + port [ 0 4444 ]; + } + then { + community ANNOUNCE_UPSTREAM; + discard; + }
Denial of Service / Attack • FlowRoute propagated internally and upstream • More-specific route announced upstream inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) 109.68.230.206,*,proto=17,port=0,=4444/term:1 (1 entry, 1 announced) *BGP Preference: 170/-101 Next hop type: Fictitious Announcement bits (1): 0-Flow Communities: traffic-rate:0:0 Accepted Validation state: Accept, Originator: 37.44.7.60 Via: 109.68.230.0/24, Active
Denial of Service / FastNetMon • FastNetMon v1.13 can do blackholing • Don’t try to use FlowSpec, wait for v2.0 • GoBGP used for FlowSpec in v2.0 • Ratelimit/discard in case of attack
Summary SELF-MADE-FILTERS + OPEN-SOURCE-TOOLS • Budget friendly • Less incidents • Does the job! :-)
Routing BCP • Everybody invited to submit his routing policies • Volunteers wanted to compile draft BCP https://github.com/denog/routing-bcp

Empfohlen

Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMonPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
9534715
95347159534715
9534715Pavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonPavel Odintsov
 

Empfohlen

Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMonPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
9534715
95347159534715
9534715Pavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみたYutaka Ishizaki
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Pavel Odintsov
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationWilson Rogerio Lopes
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
DDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentDDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentPavel Odintsov
 
Google QUIC
Google QUICGoogle QUIC
Google QUICFelipe Rayel
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28Jxck Jxck
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Mum bandwidth management and qos
Mum bandwidth management and qosMum bandwidth management and qos
Mum bandwidth management and qosTeav Sovandara
 
Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyA. S. M. Shamim Reza
 
Best And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM ConnectionsBest And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM ConnectionsLetsConnect
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみたYutaka Ishizaki
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Pavel Odintsov
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationWilson Rogerio Lopes
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
DDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentDDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentPavel Odintsov
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28Jxck Jxck
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Mum bandwidth management and qos
Mum bandwidth management and qosMum bandwidth management and qos
Mum bandwidth management and qosTeav Sovandara
 

Was ist angesagt? (20)

Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
 
Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points Using MikroTik routers for BGP transit and IX points
Using MikroTik routers for BGP transit and IX points
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
DDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentDDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environment
 
Google QUIC
Google QUICGoogle QUIC
Google QUIC
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckh
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Mum bandwidth management and qos
Mum bandwidth management and qosMum bandwidth management and qos
Mum bandwidth management and qos
 

Ähnlich wie Protect your edge BGP security made simple

Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyA. S. M. Shamim Reza
 
Best And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM ConnectionsBest And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM ConnectionsLetsConnect
 
Wireless Developing Wireless Monitoring and Control devices
Wireless Developing Wireless Monitoring and Control devicesWireless Developing Wireless Monitoring and Control devices
Wireless Developing Wireless Monitoring and Control devicesAidan Venn MSc
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 
Performance & Scalability Improvements in Perforce
Performance & Scalability Improvements in PerforcePerformance & Scalability Improvements in Perforce
Performance & Scalability Improvements in PerforcePerforce
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performanceSteven Shim
 
Juniper Network Automation for KrDAG
Juniper Network Automation for KrDAGJuniper Network Automation for KrDAG
Juniper Network Automation for KrDAGKwonSun Bae
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesLogan Best
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDaniel-Constantin Mierla
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
GraphConnect 2014 SF: From Zero to Graph in 120: Scale
GraphConnect 2014 SF: From Zero to Graph in 120: ScaleGraphConnect 2014 SF: From Zero to Graph in 120: Scale
GraphConnect 2014 SF: From Zero to Graph in 120: ScaleNeo4j
 
5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocitysarahnovotny
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Rich Bowen
 
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian RobinsonGraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian RobinsonNeo4j
 
Dave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical ExperienceDave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical ExperienceNagios
 
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
ITB2019 NGINX Overview and Technical Aspects - Kevin JonesITB2019 NGINX Overview and Technical Aspects - Kevin Jones
ITB2019 NGINX Overview and Technical Aspects - Kevin JonesOrtus Solutions, Corp
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 
[Tel aviv merge world tour] Perforce Server Update
[Tel aviv merge world tour] Perforce Server Update[Tel aviv merge world tour] Perforce Server Update
[Tel aviv merge world tour] Perforce Server UpdatePerforce
 

Ähnlich wie Protect your edge BGP security made simple (20)

Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case study
 
Best And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM ConnectionsBest And Worst Practices Deploying IBM Connections
Best And Worst Practices Deploying IBM Connections
 
Wireless Developing Wireless Monitoring and Control devices
Wireless Developing Wireless Monitoring and Control devicesWireless Developing Wireless Monitoring and Control devices
Wireless Developing Wireless Monitoring and Control devices
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Performance & Scalability Improvements in Perforce
Performance & Scalability Improvements in PerforcePerformance & Scalability Improvements in Perforce
Performance & Scalability Improvements in Perforce
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performance
 
Juniper Network Automation for KrDAG
Juniper Network Automation for KrDAGJuniper Network Automation for KrDAG
Juniper Network Automation for KrDAG
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
GraphConnect 2014 SF: From Zero to Graph in 120: Scale
GraphConnect 2014 SF: From Zero to Graph in 120: ScaleGraphConnect 2014 SF: From Zero to Graph in 120: Scale
GraphConnect 2014 SF: From Zero to Graph in 120: Scale
 
LACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 WorldLACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 World
 
5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
 
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian RobinsonGraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
 
Dave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical ExperienceDave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical Experience
 
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
ITB2019 NGINX Overview and Technical Aspects - Kevin JonesITB2019 NGINX Overview and Technical Aspects - Kevin Jones
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container Technology
 
[Tel aviv merge world tour] Perforce Server Update
[Tel aviv merge world tour] Perforce Server Update[Tel aviv merge world tour] Perforce Server Update
[Tel aviv merge world tour] Perforce Server Update
 

Mehr von Pavel Odintsov

Network telemetry for DDoS detection presentation
Network telemetry for DDoS detection presentationNetwork telemetry for DDoS detection presentation
Network telemetry for DDoS detection presentationPavel Odintsov
 
VietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedVietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedPavel Odintsov
 
Flowspec contre les attaques DDoS : l'expérience danoise
Flowspec contre les attaques DDoS : l'expérience danoiseFlowspec contre les attaques DDoS : l'expérience danoise
Flowspec contre les attaques DDoS : l'expérience danoisePavel Odintsov
 
Detectando DDoS e intrusiones con RouterOS
Detectando DDoS e intrusiones con RouterOSDetectando DDoS e intrusiones con RouterOS
Detectando DDoS e intrusiones con RouterOSPavel Odintsov
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flPavel Odintsov
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersPavel Odintsov
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiPavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaPavel Odintsov
 
Containers in real world презентация
Containers in real world презентацияContainers in real world презентация
Containers in real world презентацияPavel Odintsov
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 

Mehr von Pavel Odintsov (12)

Network telemetry for DDoS detection presentation
Network telemetry for DDoS detection presentationNetwork telemetry for DDoS detection presentation
Network telemetry for DDoS detection presentation
 
VietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedVietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume Based
 
Flowspec contre les attaques DDoS : l'expérience danoise
Flowspec contre les attaques DDoS : l'expérience danoiseFlowspec contre les attaques DDoS : l'expérience danoise
Flowspec contre les attaques DDoS : l'expérience danoise
 
Detectando DDoS e intrusiones con RouterOS
Detectando DDoS e intrusiones con RouterOSDetectando DDoS e intrusiones con RouterOS
Detectando DDoS e intrusiones con RouterOS
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
 
SIG-NOC Tools Survey
SIG-NOC Tools SurveySIG-NOC Tools Survey
SIG-NOC Tools Survey
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner Maia
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddos
 
Containers in real world презентация
Containers in real world презентацияContainers in real world презентация
Containers in real world презентация
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the Cloud
 

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Protect your edge BGP security made simple

  • 1. Protect your edge BGP security made simple Theo Voss Technical Lead Network
 SysEleven GmbH DENOG8
  • 2. Who is SysEleven? Managed Hoster & Upstream-Provider
 300+ customers, 10 Points-of-Presence
  • 5. The majority of ISPs in the world still filter on max-prefix limits at most and hope for the best.
  • 6. Is filtering not easy enough? HowTo’s or BCPs missing?
  • 7. Routing Policy We filter.. • Bogon ASNs • Bogon prefixes • IXP networks • Own networks • Prefix length • Invalid prefixes term REJECT-BOGON-ASN from as-path-group BOGON-ASN term REJECT-BOGON-ASN then reject term REJECT-BOGON-PREFIXES from prefix-list-filter BOGON-PREFIXES orlonger term REJECT-BOGON-PREFIXES then reject term REJECT-SYS11-PREFIXES from prefix-list-filter SYSELEVEN-NETWORKS orlonger term REJECT-SYS11-PREFIXES then reject term REJECT-IXP-NETWORKS from prefix-list-filter IXP-NETWORKS orlonger term REJECT-IXP-NETWORKS then reject term FILTER-PREFIX-LENGTH-1 from route-filter 0.0.0.0/0 prefix-length-range /0-/8 term FILTER-PREFIX-LENGTH-1 then reject term FILTER-PREFIX-LENGTH-2 from route-filter 0.0.0.0/0 prefix-length-range /25-/32 term FILTER-PREFIX-LENGTH-2 then reject term RPKI_REJECT_INVALID from community SYS11_ORIGIN_RPKI_INVALID term RPKI_REJECT_INVALID then reject
  • 8. No Dynamic prefix filter generator
  • 9. Autogen • Reads AS-SETs from file • Generates XML „prefix-list“ • Applied via NETCONF • Executed every night router;type;lclpref;metric;enabled;import;export;passive;rpki;addr;email;ipv;peer-name;peer-ip;asn;as-set;md5;prefix-limit router ; DECIX ; 110 ; 90 ; Y ; Y ; Y ; Y ; N ;;; 4 ; YAHOO ; 80.81.192.115 ; 10310 ; AS-YAHOO ; term PEERING from prefix-list-filter 4-AS-YAHOO orlonger; then accept
  • 10. Autogen • Reads AS-SETs from file • Generates XML „prefix-list“ • Applied via NETCONF • Executed every night router;type;lclpref;metric;enabled;import;export;passive;rpki;addr;email;ipv;peer-name;peer-ip;asn;as-set;md5;prefix-limit router ; DECIX ; 110 ; 90 ; Y ; Y ; Y ; Y ; N ;;; 4 ; YAHOO ; 80.81.192.115 ; 10310 ; AS-YAHOO ; term PEERING from prefix-list-filter 4-AS-YAHOO orlonger; then accept
  • 11. Autogen / bgpq3 • Prefix-filter generator • Extracts prefixes from route-objects • Default IRR: RADB • Supports Cisco & Juniper https://github.com/snar/bgpq3
  • 12. Autogen / aggregate EVERYBODY LOVES AGGREGATION! # apt-get install aggregate https://github.com/job/aggregate6
  • 13. Autogen Generates Juniper XML: echo "<configuration ><groups> <name>AUTOGEN-$ip_version</name><apply-flags><omit/></apply-flags> • <policy-options replace="replace">" for a in $objects; do • echo "<prefix-list replace="replace"><name>$ip_version-$a</name>" /usr/bin/bgpq3 -h whois.syseleven.net $a | awk '{print $5}' | aggregate -q while read line; do • echo "<prefix-list-item>$line</prefix-list-item>" • done • echo "</prefix-list>" done echo "</policy-options></groups></configuration>"
  • 14. Autogen / NETCONF • Juniper NETCONF client • edit_configuration.pl for JunOS 14+ • Reads xml-formatted configuration /usr/bin/perl edit_configuration.pl -l $user -p $pass -m ssh $xmlfile $target:22 https://github.com/juniper/netconf-perl
  • 15. Autogen / Challenges • RPKI/max-prefix for peers with 10k+ prefixes • Using ASN if no AS-SET exists • Install own mirror instead of using RADB
  • 16. whois.syseleven.net • Running on IRRd v3.0.8 • RIPE, RADB, BBOI, LEVEL3, NTTCOM, ARIN, ALTDB • Using downsized RIPE database https://github.com/irrdnet/irrd https://launchpad.net/~syseleven-platform/+archive/ubuntu/irrd
  • 17. RPKI • RIPE validator v2.23 used • Please create ROAs via LIR Portal https://github.com/RIPE-NCC/rpki-validator/
  • 18. RPKI Modes configured per peer: • MODERATE Reject invalid announcements • STRICT Accept only valid announcements router;type;localpref;metric;enabled;import;export;passive;rpki;localaddr;email;ip-version;peer-name;peer-ip;asn;as-set;md5 router ; UPSTREAM ; 100 ; 100 ; Y ; Y ; Y ; N ; {M,S} ;;; 4 ; LEVEL3 ; 212.*.*.* ; 3356 ;;
  • 19. RPKI Configuration on JunOS: tvoss@router> show configuration routing-options validation group RPKI { session 151.252.**.** { refresh-time 300; hold-time 600; port 8282; local-address 37.123.**.**; } session 37.44.**.** { refresh-time 300; hold-time 600; port 8282; local-address 37.123.**.**; } } tvoss@router> show configuration policy-options policy-statement 4-DOWNSTREAM-IN term RPKI-VALIDATION-VALID { from validation-database valid; then { validation-state valid; community add SYS11_ORIGIN_RPKI_VALID; } } term RPKI-VALIDATION-INVALID { from validation-database invalid; then { validation-state invalid; community add SYS11_ORIGIN_RPKI_INVALID; } } tvoss@router> show configuration policy-options policy-statement 4-CUSTOMER-IN term RPKI_REJECT_INVALID { from community SYS11_ORIGIN_RPKI_INVALID; then reject; }
  • 20. RPKI / Challenges • 10k+ invalid routes rejected • Biggest polluter: a certain Tier1 • Disputable possibility of censorship tvoss@router> show route receive-protocol bgp CERTAIN-TIER1 table inet.0 hidden | count Count: 3765 lines* tvoss@router> show route receive-protocol bgp TELIA-CARRIER table inet.0 hidden | count Count: 0 lines* * 1 line subtracted for header information
  • 21. RPKI / Challenges • If validator dies, invalid announcements accepted • Setup a second validator tvoss@router> show validation session Session State Flaps Uptime #IPv4/IPv6 records 37.44.**.** Up 0 1w3d 05:47:59 24999/3591 151.252.**.** Up 0 1w3d 06:04:23 24999/3591
  • 22. It’s not only about filtering
  • 23. Denial of Service SysEleven’s challenge: • DDoS smaller than 100 Gbps • 99% volumetric attacks • 99% stupid attacks
  • 24. Denial of Service SysEleven’s approach: • Increased upstream capacity • Moved all ports into LAGs • Installed FastNetMon • Enabled FlowSpec
  • 25. Denial of Service / FastNetMon • DDoS attack detection • User-defined thresholds • Collects NetFlow, sFlow, IPFIX data • Support for Graphite, InfluxDB, ExaBGP https://github.com/pavel-odintsov/fastnetmon
  • 27. Denial of Service / FlowSpec • FlowSpec (RFC5575) enabled • Filters propagated by BGP • Rate-Limit possible • Upstream sessions are FlowSpec enabled • Communities for advertising/exporting
  • 28. Denial of Service / Attack • Detection and mitigation in less then 2 minutes • Script triggered: /usr/… /notify_about_attack.{sh,py} • SMS via 3rd-party API to NOC engineer on duty
  • 29. Denial of Service / Attack Information from FNM capture used: tvoss@router# show | compare [edit routing-options flow] + route 109.68.230.206/32 { + match { + destination 109.68.230.206/32; + protocol udp; + port [ 0 4444 ]; + } + then { + community ANNOUNCE_UPSTREAM; + discard; + }
  • 30. Denial of Service / Attack • FlowRoute propagated internally and upstream • More-specific route announced upstream inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) 109.68.230.206,*,proto=17,port=0,=4444/term:1 (1 entry, 1 announced) *BGP Preference: 170/-101 Next hop type: Fictitious Announcement bits (1): 0-Flow Communities: traffic-rate:0:0 Accepted Validation state: Accept, Originator: 37.44.7.60 Via: 109.68.230.0/24, Active
  • 31. Denial of Service / FastNetMon • FastNetMon v1.13 can do blackholing • Don’t try to use FlowSpec, wait for v2.0 • GoBGP used for FlowSpec in v2.0 • Ratelimit/discard in case of attack
  • 32. Summary SELF-MADE-FILTERS + OPEN-SOURCE-TOOLS • Budget friendly • Less incidents • Does the job! :-)
  • 33. Routing BCP • Everybody invited to submit his routing policies • Volunteers wanted to compile draft BCP https://github.com/denog/routing-bcp