Black Hole Routers Damir Rajnovic Incident manager, Cisco PSIRT

Similar documents
Sink Holes, Dark IP, and HoneyNets

Phase 4 Traceback the Attack. 2002, Cisco Systems, Inc. All rights reserved.

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Multihoming with BGP and NAT

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

BGP Flowspec Interoperability Interop Tokyo 2015 ShowNet ShowNet NOC Team member Shuichi Ohkubo Presenter :Cisco as ShowNet contributor

BGP Attributes and Path Selection

Introduction to BGP ISP/IXP Workshops

Border Gateway Protocol - BGP

InterAS Option B. Information About InterAS. InterAS and ASBR

Security Issues of BGP in Complex Peering and Transit Networks

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Introduction to BGP. ISP/IXP Workshops

Security in inter-domain routing

Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER

This appendix contains supplementary Border Gateway Protocol (BGP) information and covers the following topics:

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

BGP Security. Kevin s Attic for Security Research

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

GARR customer triggered blackholing

Control Plane Protection

Chapter 10: Denial-of-Services

TELE 301 Network Management

Chapter 4: outline. Network Layer 4-1

DE-CIX Academy: BGP - Multihoming

ACL and ABF Commands

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF

Prevent DoS using IP source address spoofing

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

Chapter 7. Denial of Service Attacks

Robust Firewalls with OpenBSD and PF

Example: Conditionally Generating Static Routes

DDoS Protection in Backbone Networks

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

NetFlow Configuration Guide

The information in this document is based on Cisco IOS Software Release 15.4 version.

Unicast Reverse Path Forwarding Loose Mode

NAT Support for Multiple Pools Using Route Maps

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

Label Distribution Protocol and Basic MPLS Configuration. APNIC Technical Workshop October 23 to 25, Selangor, Malaysia Hosted by:

Firewall Stateful Inspection of ICMP

SP Infrastructure Security Survey & Attack Classification

Introduction to Computer Networks

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

BGP Routing and BGP Policy. BGP Routing. Agenda. BGP Routing Information Base. L47 - BGP Routing. L47 - BGP Routing

Chapter 4: Network Layer

Interdomain routing with BGP4 Part 4/5

Data Plane Protection. The googles they do nothing.

Configuring Advanced BGP

Internet inter-as routing: BGP

Remember Extension Headers?

Configuring Commonly Used IP ACLs

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4

Implementing Cisco IP Routing

Internet Routing : Fundamentals of Computer Networks Bill Nace

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Configuring Unicast Reverse Path Forwarding

Cisco CCIE Security Written.

MPLS VPN C H A P T E R S U P P L E M E N T. BGP Advertising IPv4 Prefixes with a Label

CCIE R&S Techtorial MPLS

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Configuring Unicast Reverse Path Forwarding

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

HP 5920 & 5900 Switch Series

Introduction to IP Routing. Geoff Huston

BGP101. Howard C. Berkowitz. (703)

Inter-AS routing and BGP. Network Layer 4-1

LARGE SCALE IP ROUTING

IPv6 IMPLEMENTATION IN VNPT

Filtering Trends Sorting Through FUD to get Sanity

Monitoring BGP. Configuring the Router

Module 16 An Internet Exchange Point

Routing in the Internet

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

How BGP Routers Use the Multi Exit Discriminator for Best Path Selection

Access Control List Enhancements on the Cisco Series Router

BGP4 workshop scenario

Denial of Service Protection Standardize Defense or Loose the War

Network Policy Enforcement

Dynamics of Hot-Potato Routing in IP Networks

IP Routing Volume Organization

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

ASA Has High CPU Usage Due to a Traffic Loop When VPN Clients Disconnect

Troubleshooting LSP Failure in MPLS VPN

BGP Part-1.

BGP Attributes and Policy Control

Cisco recommends that you have basic knowledge of Performance Routing (PfR).

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

Campus Networking Workshop CIS 399. Core Network Design

EXAM TCP/IP NETWORKING Duration: 3 hours With Solutions

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

BGP in the Internet Best Current Practices

Multihoming Complex Cases & Caveats

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

TDC DoS Protection Service Description and Special Terms

Transcription:

Black Hole Routers Damir Rajnovic Incident manager, Cisco PSIRT <gaus@cisco.com> 2002, Cisco Systems, Inc. All rights reserved. 1

What will be covered Why? What? How? 2002, Cisco Systems, Inc. All rights reserved. 2

BHR the Purpose To capture and characterize packets To assist mitigating DoS attacks 2002, Cisco Systems, Inc. All rights reserved. 3

Why routers? Capturing packets on a general purpose OS (e.g., Solaris, Linux) becomes questionable above certain speed limit 2002, Cisco Systems, Inc. All rights reserved. 4

Poor man comparison How fast packets are coming. Please note that this is only for the Illustration purposes and do not represent the real performance numbers. pps/ 10000/ 10 5 / 10 6 / 10 7 / BW (256 bytes/packet) 20.5Mbs 200Mbs 2Gbs 20Gbs time between packets 100ms 10ms 1ms 100ns R5000 (200MHz) 20000 2000 200 20 Pentium [1] (1.5GHz) 50000 5000 500 50 [1] An estimate of 3 cycles/instruction 2002, Cisco Systems, Inc. All rights reserved. 5

Why Not Use ACLs? The method is described at http://www.cisco.com/warp/public/707/22.html access-list 169 permit icmp any any echo access-list 169 permit icmp any any echo-reply access-list 169 permit udp any any eq echo access-list 169 permit udp any eq echo any access-list 169 permit tcp any any established access-list 169 permit tcp any any access-list 169 permit ip any any The idea is to install it on the victim s router 2002, Cisco Systems, Inc. All rights reserved. 6

Pitfals of Using ACLs? ACL will degrade a router s performance Degradation severity will depend upon the following: ACL type ACL complexity Router type Network load 2002, Cisco Systems, Inc. All rights reserved. 7

BHR What Is It? It is just another router! Dedicated for this purpose only Placed somewhere in your network No customers attached to it! Physically, it can be a small subnet with multiple router and workstation 2002, Cisco Systems, Inc. All rights reserved. 8

Characteristics of the BHR Router with quick packet dropping capability, e.g. Cisco 7200 with the fastest Network Processing Engine (NPE) ibgp peer in your network 2002, Cisco Systems, Inc. All rights reserved. 9

Example of BHR In a Network IXP-W Peer A Peer B IXP-E Upstream A Black Hole Network Upstream A Upstream B Upstream B 171.68.19.0/24 Target POP NOC 2002, Cisco Systems, Inc. All rights reserved. 10

Preparing to Analyze an Attack Do not do it on the victim s router Pull all the traffic to a BHR BHR should be able to withstand the attack (this is a hope!) Your links towards the BHR must be able to withstand the attack 2002, Cisco Systems, Inc. All rights reserved. 11

Initial Stage of an Attack Black Hole Network * 171.168.19.0/24 target s network Target of Attack 171.168.19.1 is attacked * By NASA Hubble Space Telescope 2002, Cisco Systems, Inc. All rights reserved. 12

Divert the Traffic From the Victim Black Hole Network 171.168.19.0/24 target s network Target of Attack 171.168.19.1 is attacked 2002, Cisco Systems, Inc. All rights reserved. 13

Analyze the Attack The attack is pulled to BHR and from your aggregation router You can now classify the attack using ACL, Flow Analysis, Sniffer, etc. The objective is to minimize the risk to the network while investigating 171.168.19.0/24 target s network 171.168.19.1 is attacked Target of Attack Black Hole Network 2002, Cisco Systems, Inc. All rights reserved. 14

What the Analysis Will Provide You What you will get: A packet type (UDP, TCP, ICMP, SYN, ACK,.) ACL and rate limiting A volume (pps, Mbs) Rate limiting An offending source IP addresses (dubious) ACL and rate limiting What you will not get: Entry point(s) in your network 2002, Cisco Systems, Inc. All rights reserved. 15

Possible Entry Points? IXP-W Peer A Peer B IXP-E Upstream A? Black Hole Network Upstream A? Upstream B? Upstream B 171.68.19.0/24 Target? POP NOC 2002, Cisco Systems, Inc. All rights reserved. 16

Where To Apply Countermeasures By using BHR and Backscatter technique you can learn entry points of the offending traffic. Created by Chris Morrow and Brian Gemberling @ UUNET as a means of finding the entry point of a spoofed DOS/DDOS. http://www.secsup.org/tracking/ 2002, Cisco Systems, Inc. All rights reserved. 17

Backscatter Concepts Drop the offending traffic at any entry router in the network Generate an ICMP destination unreachable for every dropped packet Collect some Unreachables from the spoofed sources at the BHR Read out which routers/interfaces are dropping the traffic 2002, Cisco Systems, Inc. All rights reserved. 18

Backscatter - preparation Pick an unused IP address and route it to nowhere: ip route 172.20.20.1 255.255.255.255 Null0 Repeat this on every edge device 2002, Cisco Systems, Inc. All rights reserved. 19

Where are edge routers? IXP-W Peer A Peer B IXP-E Upstream A Black Hole Network Upstream A Upstream B Upstream B 171.68.19.0/24 Target POP NOC 2002, Cisco Systems, Inc. All rights reserved. 20

Configuration of the BHR BHR advertising a large block of un-allocated address space with the BGP no-export community and BGP Egress route filters to keep the block inside. 96.0.0.0/3 is an example. Check with IANA for unallocated blocks: www.iana.org/assignments/ipv4-address-space BGP Egress filter should keep this advertisement inside your network. Use BGP no-export community to insure it stays inside your network. 2002, Cisco Systems, Inc. All rights reserved. 21

BHR - preparation IXP-W Peer A Peer B BHR advertise 96.0.0.0/3 IXP-E Upstream A Black Hole Network Upstream A Upstream B Upstream B 171.68.19.0/24 Target POP NOC 2002, Cisco Systems, Inc. All rights reserved. 22

BHR configuration router bgp 31337! redistribute static route-map static-to-bgp!! add a stanza to the route-map to set our special nexthop! route-map static-to-bgp permit 5 match tag 666 set ip next-hop 172.20.20.1 set local-preference 50 set origin igp 2002, Cisco Systems, Inc. All rights reserved. 23

Backscatter Activation Only during attacks You must do the analysis first since the advertised block may need to be changed However, in most cases 96.0.0.0/3 should be fine since attackers are spoofing the whole IP range blindly The magic line is: ip route victimip 255.255.255.255 Null0 tag 666 2002, Cisco Systems, Inc. All rights reserved. 24

Backscatter Packet Exchange Remote router Edge router BHR Type = TCP SYN Src IP = valid_ip Dst IP = victim_ip victim_ip routed to Null0 generate ICMP Unreachable Type = ICMP Unreachable Src IP = edge_router_ip Dst IP = valid_ip 2002, Cisco Systems, Inc. All rights reserved. 25

Backscatter Packet Exchange (Cont.) Remote router Edge router BHR Type = TCP SYN Src IP = 96.0.1.2 Dst IP = victim_ip victim_ip routed to Null0 generate ICMP Unreachable Type = ICMP Unreachable Src IP = edge_router_ip Dst IP = 96.0.1.2 2002, Cisco Systems, Inc. All rights reserved. 26

How To Display ICMPs The result is that you will start receiving ICMPs at the BHR Configure BHR with this ACL access-list 150 permit icmp any any unreachables log access-list 150 permit ip any any And you will start seeing this. 2002, Cisco Systems, Inc. All rights reserved. 27

Backscatter the result SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.47.251.104 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.70.92.28 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.222.127.7 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.96.223.54 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.14.21.8 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.105.33.126 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.77.198.85 (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 171.68.66.18 -> 96.50.106.45 (3/1), 1 packet 2002, Cisco Systems, Inc. All rights reserved. 28

Combating DoS When you managed to determine the entry point(s), you can apply ACL and/or rate limiting to them. Do not forget to withdraw the victim_ip route from the Null0! 2002, Cisco Systems, Inc. All rights reserved. 29

Backscatter Considerations You must have ICMP Unreachables enabled on your edge routers. If ICMP Unreachables threaten to overload your edge device then rate limit them to some acceptable value (use ip icmp rate-limit unreachable command). 2002, Cisco Systems, Inc. All rights reserved. 30

BHR configuration Juniper example #Setup the bgp protocol to export our special policy, like # redistributing, NOTE: "XXX" is the IBGP bgp group... we don't # want to send this to customers. set protocols bgp group XXX export BlackHoleRoutes # # Set static route with right tag, set local-pref low, internal, no-export # and set the nexthop to the magical next-hop. # set policy-statement BlackHoleRoutes term match-tag666 from protocol static tag 666 set policy-statement BlackHoleRoutes term match-tag666 then local-preference 50 set policy-statement BlackHoleRoutes term match-tag666 then origin igp set policy-statement BlackHoleRoutes term match-tag666 then community add no-export set policy-statement BlackHoleRoutes term match-tag666 then nexthop 172.20.20.1 set policy-statement BlackHoleRoutes term match-tag666 then accept 2002, Cisco Systems, Inc. All rights reserved. 31

PSIRT contact details <psirt@cisco.com> for non-emergency <security-alert@cisco.com> for emergencies +1 877 228 7302 (toll-free in North America) +1 408 525 6532 (elsewhere in the world) Contact TAC and ask for PSIRT http://www.cisco.com/go/psirt 2002, Cisco Systems, Inc. All rights reserved. 32

TF-CSIRT, 24-Jan-2002 2002, Cisco Systems, Inc. All rights reserved. 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback