BGP/OSPF router security
Hello all, I have a single FreeBSD/bird router running BGP and OSPF. I have two full bgp feeds and some IXP sessions. Some of my users are subject to DDoS attacks which basically kill my router. Is there anything I can do to make things better? I was thinking about adding a second router and having one full bgp feed per router. I was also thinking about joining BGP Blackholing project. But - the question remains - what else can I do to survive a ddos, or at least be able to react when a ddos occurs? All best, Jim
On 10.02.2013 03:37, James Howlett wrote:
Hello all, Hello.
I have a single FreeBSD/bird router running BGP and OSPF. I have two full bgp feeds and some IXP sessions. Some of my users are subject to DDoS attacks which basically kill my router. Is there anything I can do to make things better? I was thinking about adding a second router and having one full bgp feed per router. I was also thinking about joining BGP Blackholing project. But - the question remains - what else can I do to survive a ddos, or at least be able to react when a ddos occurs?
It depends on the kind of attacks you're facing. If you're simply getting all your upstream ports fully utilized by the attack - you should ask your upstreams for the DDoS protection they offer (e.g. blackhole communities, or other stuff).
If we're talking about (for example, a small packets flood) attack that "kills" the router, you probably should take a look at your system to make sure it is tuned well and there are no complex firewall processing rules.
There are some guidelines (still WIP) here: https://wiki.freebsd.org/NetworkPerformanceTuning
Btw, what amount of traffic (PPS) are we talking about?
Date: Sun, 10 Feb 2013 14:47:30 +0400
From: melifaro@FreeBSD.org
To: jim.howlett@outlook.com
CC: bird-users@trubka.network.cz
Subject: Re: BGP/OSPF router security
Btw, what amount of traffic (PPS) are we talking about?
200k pps. The problem was that the router started to drop the OSPF related communication, and all my network went off-line. All best, Jim
On 10.02.2013 14:57, James Howlett wrote:
200k pps. The problem was that the router started to drop the OSPF related communication, and all my network went off-line.
Well, this is not very much. A properly tuned server should handle such an amount without any problems and without significant CPU usage. (e.g. we're doing complex firewalling for 1-2MPPS amounts of traffic per 2xE5645 machine, and most of the cpu usage is consumed by ipfw, not routing). Probably something can be tuned a bit better (like number of queues, or thread binding, or firewall ruleset, or ..). You can write me off-list for some additional hints if you have any questions related to ipfw or network stack tuning.
On Sun, 10 Feb 2013, James Howlett wrote:
Btw, what amount of traffic (PPS) are we talking about?
200k pps. The problem was that the router started to drop the OSPF related communication, and all my network went off-line.
1. I suggest you read http://tools.ietf.org/html/rfc6192 for some ideas.
2. To fix the issue, you must implement QoS site-wide: you must prioritize the control-plane traffic (i.e. OSPF, BGP, etc) from known-good sources, and deprioritize (maybe even drop) control-plane traffic from any unknown sources on all border routers (including access routers), as well as any traffic that should not be in the control-plane traffic class. Use the highest priority class for control-plane traffic.
-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
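The "accept control-plane traffic only from known-good sources, drop it from anyone else" half of the advice above, expressed as an ipfw ruleset for a FreeBSD/bird router. This is an added example, not code from the thread or from the BIRD or FreeBSD projects: the neighbour and peer addresses are constructed placeholders from the RFC 5737 documentation ranges, the interface names are assumed, and the rule syntax is ipfw's as described in ipfw(8); check it against your own ipfw version before loading it. The priority queuing Henrique asks for (dummynet queues or ALTQ) and the upstream blackhole communities Alexander mentions are the next layers and are not shown here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the BIRD project.
# Generates an ipfw ruleset that admits OSPF and BGP only from configured
# neighbours and drops control-plane traffic from everyone else, so a flood
# aimed at the routing daemons is discarded before it reaches bird.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).

# Constructed sample data: OSPF neighbours as "address interface", one per line.
OSPF_NEIGHBOURS="192.0.2.2 em0
192.0.2.6 em1"

# Constructed sample data: BGP peers (upstreams and IXP sessions), one per line.
BGP_PEERS="198.51.100.1
203.0.113.1
203.0.113.2"

# gen_cp_rules: print the ipfw commands to stdout without applying them.
# Rule numbers: 1000+ OSPF accepts, 2000+ BGP accepts, 3000+ catch-all denies.
gen_cp_rules() {
    # OSPF (IP protocol 89): accept only from a known neighbour arriving on the
    # interface that neighbour is attached to, so a spoofed hello coming in on
    # another port is rejected even if its source address looks right.
    n=1000
    echo "$OSPF_NEIGHBOURS" | while read -r addr iface; do
        [ -n "$addr" ] || continue
        echo "ipfw add $n allow ospf from $addr to any in recv $iface"
        n=$((n + 10))
    done

    # BGP (TCP/179): accept sessions the peer opens towards us and the replies
    # to sessions we opened towards the peer; nothing else may talk to port 179.
    n=2000
    echo "$BGP_PEERS" | while read -r peer; do
        [ -n "$peer" ] || continue
        echo "ipfw add $n allow tcp from $peer to me 179 in"
        echo "ipfw add $((n + 1)) allow tcp from $peer 179 to me in"
        n=$((n + 10))
    done

    # Everything else aimed at the routing daemons is dropped here, before it
    # can consume CPU in the socket path or in bird itself.
    echo "ipfw add 3000 deny ospf from any to any in"
    echo "ipfw add 3010 deny tcp from any to me 179 in"
    echo "ipfw add 3020 deny tcp from any 179 to me in"
}

# count_rules: number of rules the generator emits (sanity check before loading).
count_rules() {
    gen_cp_rules | grep -c '^ipfw add'
}

# apply_cp_rules: load the ruleset on a FreeBSD host; refuses elsewhere.
apply_cp_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        gen_cp_rules | sh
    else
        echo "ipfw not available on this host; rules not applied" >&2
        return 1
    fi
}

# Stand-alone use: "sh cp_rules.sh --print" shows the ruleset for review.
if [ "${1:-}" = "--print" ]; then
    gen_cp_rules
fi
```

The generator-then-apply split is deliberate: the ruleset can be reviewed and diffed against the neighbour list before it touches a production router, and the same list can be fed to both border and access routers so the filter is applied site-wide as the post above recommends.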
On Sun, Feb 10, 2013 at 10:34:43AM -0200, Henrique de Moraes Holschuh wrote:
2. To fix the issue, you must implement QoS site-wide: you must prioritize the control-plane traffic (i.e. OSPF, BGP, etc) from known-good sources, and deprioritize (maybe even drop) control-plane traffic from any unknown sources on all border routers (including access routers), as well as any traffic that should not be in the control-plane traffic class.
Hello
Note that this is just the first half of the problem, the second half is that you must have enough CPU power to process control plane traffic. On Linux, packet forwarding of regular traffic could eat all of your CPU (because it is not handled by the CPU/process scheduler) so control plane processing (BIRD) does not get enough time slices (even if scheduled with maximum priority). I witnessed this issue on some older (2.4.x) Linux version on some embedded MIPS machines, I am not sure how this is handled in recent versions on more common hardware.
-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
participants (4)
- Alexander V. Chernikov
- Henrique de Moraes Holschuh
- James Howlett
- Ondrej Zajicek