11:37 BGP blackhole: an effective tool against DDoS
Sooner or later every administrator of a public resource runs into a phenomenon as unpleasant as a DDoS attack. There is little point in describing what DDoS is; by now everyone knows. Unfortunately there is no protection against DDoS that suits every situation. The most effective and most widely used measure, however, is null routing: dropping all traffic to the attacked IP. Once the host is filtered you can (relatively) calmly move the resource to another IP address (and possibly change its DNS name), or simply accept that one resource is temporarily unavailable while the remaining capacity keeps serving.

But even simple filtering is not that simple. Dropping the traffic on your own border router is quite expensive. First, a router of the Cisco 3745 class with goodies like ACLs and QoS enabled starts showing signs of death under a SYN flood at a laughable 2-3 Mbit/s. Second, a saturated physical link gets in the way of your legitimate customers. Third, unless you are on an unmetered plan, the ISP will bill you for every gigabyte of garbage you were flooded with. The only way out is to filter the traffic as close to the source as possible, that is, at the uplink.

There is the good old way: pick up the phone, explain the situation to the provider's technical support and ask them to filter the traffic on their side. This has a serious drawback: the explanations and negotiations take an unacceptably long time, and with several providers in the chain that time grows proportionally.

A method called BGP blackhole (RFC 3882) lets you prepare for a DDoS in advance. Its essence is simple: a "black hole" for traffic on the ISP's side, controlled remotely by the client. Technically it is a BGP announcement of a /32 prefix marked with a special community. As the name implies, the method requires BGP peering with your ISP, and naturally it needs a little extra configuration on both sides.
Let's see how it works using Cisco routers as an example.

ISP side:

! pick an unused IP address and route it to Null0.
! It will be the next hop for the blackholed traffic.
ip route <BLACKHOLE IP> 255.255.255.255 Null0
!
! the community the customer uses to request a blackhole. 0:666 is an example
! value; each provider publishes its own (RFC 7999 later standardised 65535:666).
! IOS matches communities through a community-list, not a literal value.
ip community-list standard BLACKHOLE permit 0:666
!
router bgp XXX
 ! attach the route-map to the customer session
 neighbor <CUSTOMER> route-map CUSTOMER-IN in
 ! allow the customer to announce /32s from its own block and nothing else;
 ! without this restriction a customer could blackhole addresses that are not its own
 neighbor <CUSTOMER> prefix-list <ACL> in
 ! Even if the customer is not connected via eBGP multihop, this line is needed
 ! because of an IOS peculiarity: IOS uses the same setting when deciding
 ! whether the rewritten next hop is reachable.
 neighbor <CUSTOMER> ebgp-multihop 2
!
! here is all the magic
route-map CUSTOMER-IN permit 10
 match community BLACKHOLE
 set ip next-hop <BLACKHOLE IP>
 set community no-export additive
! a route-map ends in an implicit deny, so a second sequence is needed
! to keep accepting the customer's ordinary prefixes
route-map CUSTOMER-IN permit 20

Client side, where everything is a bit simpler:

! filter for redistribution: static routes carrying tag 666 get community 0:666;
! everything else falls through to the implicit deny and is not announced
route-map BGP-BLACKHOLE permit 5
 match tag 666
 set community 0:666 additive
!
router bgp YYY
 ! redistribute static routes through our filter
 redistribute static route-map BGP-BLACKHOLE
 ! allow our community to be sent to the uplink
 neighbor <UPLINK> send-community

So when it is time to fight a DDoS, the client simply adds a route to Null0 for the attacked host and hangs tag 666 on it:

ip route 192.168.66.6 255.255.255.255 Null0 tag 666

The route is announced to the ISP with community 0:666, and the ISP in turn sends the traffic into Null0. If the ISP has also prepared in advance and configured BGP blackhole with its own uplink, the chain continues and the "black hole" widens, sparing the providers' links from the unwanted traffic. Note that no-export keeps the /32 inside the ISP's AS, so to extend the chain the ISP re-announces it to its uplink with whatever community that uplink expects.

Unfortunately this "service" is still rare among Russian providers. Things are moving, though, and many providers are willing to meet their clients halfway and implement the mechanism. I hope the information above will be useful. If this article motivates at least one more provider to introduce this service, my goal will have been achieved.
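To make the interplay of the two configurations concrete, here is an added example that models the exchange offline. It is not the article's code or a Cisco tool: it re-implements the policy logic of the two IOS snippets in Python (the client's tagged-static redistribution, the ISP's prefix-list, the CUSTOMER-IN route-map with next-hop rewrite and no-export, the static discard route, and what the ISP passes on to its own uplink). BLACKHOLE_IP, CUSTOMER_PEER, CUSTOMER_BLOCK, UPSTREAM_COMMUNITY and the sample routes are assumed values standing in for the article's placeholders; 0:666 is the article's example community.

```python
# Added example (not the article's code): a Python model of the policy logic in
# the two IOS snippets above, so the RTBH behaviour can be checked without routers.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional

BLACKHOLE_COMMUNITY = "0:666"     # the article's example value; real providers publish their own
NO_EXPORT = "no-export"           # well-known community: the route must not leave the ISP's AS
UPSTREAM_COMMUNITY = "65535:666"  # assumed: what the ISP's own uplink expects (RFC 7999 value)
BLACKHOLE_IP = "192.0.2.1"        # assumed: ISP address statically routed to Null0
CUSTOMER_PEER = "10.0.0.2"        # assumed: customer's eBGP peer address, the normal next hop
CUSTOMER_BLOCK = IPv4Network("192.168.66.0/24")  # assumed customer allocation
NULL0 = "Null0"


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str                     # IPv4 address as text, or NULL0
    communities: frozenset = frozenset()
    tag: Optional[int] = None


def customer_export(static_routes):
    """Client side, 'redistribute static route-map BGP-BLACKHOLE': seq 5 permits
    only statics tagged 666 and adds 0:666; untagged statics hit the implicit deny."""
    return [Route(r.prefix, CUSTOMER_PEER, r.communities | {BLACKHOLE_COMMUNITY}, r.tag)
            for r in static_routes if r.tag == 666]


def isp_import(announced, customer_block=CUSTOMER_BLOCK):
    """ISP side: inbound prefix-list (only the customer's own block, up to /32),
    then CUSTOMER-IN seq 10 (0:666 -> next hop BLACKHOLE_IP plus no-export)
    and seq 20 (everything else unchanged)."""
    accepted = []
    for r in announced:
        if not r.prefix.subnet_of(customer_block):
            continue                                  # prefix-list deny
        if BLACKHOLE_COMMUNITY in r.communities:      # seq 10
            accepted.append(Route(r.prefix, BLACKHOLE_IP, r.communities | {NO_EXPORT}, r.tag))
        else:                                         # seq 20
            accepted.append(r)
    return accepted


def lookup(dst, rib):
    """Longest-prefix match; None when nothing covers dst."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(dst, rib):
    """Forwarding decision with recursive next-hop resolution: a route whose next
    hop is Null0, or whose next hop itself resolves to Null0, discards the packet."""
    route = lookup(dst, rib)
    if route is None:
        return "no route"
    via = route if route.next_hop == NULL0 else lookup(route.next_hop, rib)
    if via is not None and via.next_hop == NULL0:
        return "discard"
    return f"forward via {route.next_hop}"


def isp_export_to_upstream(accepted, relay_blackhole=False):
    """no-export keeps the /32 inside the ISP's AS. If the ISP has its own blackhole
    agreement, it re-announces the /32 with the uplink's community instead,
    pushing the drop one hop closer to the source."""
    out = []
    for r in accepted:
        if NO_EXPORT not in r.communities:
            out.append(r)
        elif relay_blackhole:
            out.append(Route(r.prefix, BLACKHOLE_IP, frozenset({UPSTREAM_COMMUNITY})))
    return out


def demo():
    """Constructed scenario: the attacked host tagged 666, an untagged static,
    a normal /24 announcement, and a /32 outside the customer's block."""
    statics = [
        Route(IPv4Network("192.168.66.6/32"), NULL0, tag=666),   # ip route ... Null0 tag 666
        Route(IPv4Network("192.168.66.0/24"), "10.0.0.1"),       # ordinary static, not tagged
    ]
    announced = customer_export(statics) + [
        Route(IPv4Network("192.168.66.0/24"), CUSTOMER_PEER),
        Route(IPv4Network("203.0.113.9/32"), CUSTOMER_PEER, frozenset({BLACKHOLE_COMMUNITY})),
    ]
    accepted = isp_import(announced)
    rib = [Route(IPv4Network(BLACKHOLE_IP + "/32"), NULL0)] + accepted  # static discard route
    return {
        "attacked": forward("192.168.66.6", rib),     # discard
        "neighbour": forward("192.168.66.7", rib),    # forward via 10.0.0.2
        "foreign": forward("203.0.113.9", rib),       # no route: rejected by the prefix-list
        "upstream_default": [str(r.prefix) for r in isp_export_to_upstream(accepted)],
        "upstream_relay": [str(r.prefix) for r in isp_export_to_upstream(accepted, True)],
    }
```

Running demo() shows the three properties that matter: the tagged /32 is discarded at the ISP while its /24 neighbours still forward normally, a /32 from address space the customer does not own is dropped by the prefix-list before the route-map ever sees it (so a customer cannot blackhole someone else's host), and the no-export community stops the /32 at the ISP's border unless the ISP deliberately relays it to its own uplink.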