PennREN DDoS Mitigation Service Technical Overview
Zach Bare, Network Engineer

Agenda
- Why use the DDoS Mitigation Service
- What the service does not do (currently)
- Understanding traffic flow
- PennREN member requirements
- Activating traffic scrubbing
- Deactivating traffic scrubbing
- Cisco CPE Configuration / DEMO
- JUNIPER CPE Configuration / DEMO
- Questions

5/22/18

Why use the DDoS Mitigation Service
- Less disruptive than Route to Black Hole (RTBH)
- Allow good traffic through, eliminate malicious traffic
- Allow sites and services to continue to operate online with minimal degradation
- Renders the attack unsuccessful
- No usage time allocation

What the service does not do (currently)
- Protect from attacks originating from other PennREN members
- Protect from IPv6 based attacks
- Act as a firewall or IPS; protect from viruses, hackers, phishing
- Auto detect and auto mitigate DDoS attacks
- Protect prefix(es) of members not subscribed to the service

Understanding traffic flow - Normal Operation
Understanding traffic flow - DDoS Attack
Understanding traffic flow - Mitigation Activated
Understanding traffic flow - Telia Carrier

PennREN member requirements
- Caller must be listed as an authorized representative of the member institution within the PennREN NOC Database
- Member institution must be a valid subscriber of the PennREN DDoS Mitigation service
- Member institution must have active PennREN Commodity Internet Service
- Prefix requested for mitigation
    - Must be IPv4
    - Cannot be longer than /24
    - Must already be filed with and approved by the PennREN NOC

Activating traffic scrubbing
1. Call the PennREN NOC at 833-PENNREN (833-736-6736) and request immediate DDoS scrubbing on the prefix(es). Be prepared to identify your name, the organization you are with, and the specific prefix range(s) you wish to scrub.
2. Stop advertising the affected prefix(es), including more specific prefixes, to other Internet Service Providers and private peers.
3. Advertise the affected prefix(es) to all PennREN Commodity Internet and Internet2 connections with the community string 14877:911.
4. PennREN NOC will notify via phone once traffic scrubbing is confirmed active by the service vendor.

Deactivating traffic scrubbing
1. Call the PennREN NOC at 833-PENNREN (833-736-6736) and request DDoS scrubbing be deactivated. Be prepared to identify yourself and notify the PennREN NOC of an email address to have scrubbing reports forwarded to.
2. Stop advertising community string 14877:911 to all PennREN connections.
3. Resume normal advertisements to other Internet Service Providers and private peers.
4. The PennREN NOC will email mitigation reports as they become available from the service vendor.

Cisco CPE Configuration - Route Map

    route-map PREN-DDOS permit 10
     set community 14877:911
    router bgp {ASN}
     network w.x.y.z/16 route-map PREN-DDOS

CISCO CPE DEMO

JUNIPER CPE Configuration - Static Route

    set routing-options static route w.x.y.z/16 discard
    set routing-options static route w.x.y.z/16 community 14877:911

JUNIPER CPE Configuration - Export Policy

    set policy-options community PREN-DDOS-COMM members 14877:911
    set policy-options policy-statement PREN-DDOS term MARK from prefix-list-filter PREN-DDOS-PREFIX orlonger
    set policy-options policy-statement PREN-DDOS term MARK then community add PREN-DDOS-COMM
    set policy-options policy-statement PREN-DDOS term MARK then next policy
    set policy-options prefix-list PREN-DDOS-PREFIX w.x.y.z/16
    set protocols bgp group PennREN neighbor a.b.c.d export PREN-DDOS
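
An added example, not part of the original slides or any PennREN tooling: a Python pre-flight check that applies the prefix requirements listed earlier (IPv4, no longer than /24, already filed with the NOC) before rendering the Juniper export-policy commands shown above. The APPROVED list, the neighbor address, the function names and the rule that a more-specific of a filed prefix counts as filed are assumptions made for illustration.

```python
import ipaddress

SCRUB_COMMUNITY = "14877:911"  # community string from the slides
MAX_PREFIX_LEN = 24            # slides: cannot be longer than /24
# Constructed sample data (documentation ranges), standing in for the prefixes
# a member has filed with the NOC.
APPROVED = ["198.51.100.0/24", "203.0.113.0/24"]

def check_prefix(prefix, approved):
    """Return the reasons a prefix fails the member requirements ([] = OK)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["must be IPv4"]
    problems = []
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"/{net.prefixlen} is longer than /{MAX_PREFIX_LEN}")
    # Assumption: a more-specific of a filed prefix counts as filed.
    filed = [ipaddress.ip_network(a) for a in approved]
    if not any(a.version == 4 and net.subnet_of(a) for a in filed):
        problems.append("not covered by a prefix filed with the NOC")
    return problems

def render_junos(prefixes, neighbor, approved):
    """Render the slide's export policy; refuse if any prefix fails a check."""
    bad = {p: r for p in prefixes if (r := check_prefix(p, approved))}
    if bad:
        raise ValueError(f"refusing to render: {bad}")
    ipaddress.IPv4Address(neighbor)  # raises ValueError unless a literal IPv4
    pol = "set policy-options policy-statement PREN-DDOS term MARK"
    lines = [f"set policy-options community PREN-DDOS-COMM members {SCRUB_COMMUNITY}"]
    lines += [f"set policy-options prefix-list PREN-DDOS-PREFIX {ipaddress.ip_network(p)}"
              for p in prefixes]
    lines += [f"{pol} from prefix-list-filter PREN-DDOS-PREFIX orlonger",
              f"{pol} then community add PREN-DDOS-COMM",
              f"{pol} then next policy",
              f"set protocols bgp group PennREN neighbor {neighbor} export PREN-DDOS"]
    return lines

if __name__ == "__main__":
    for p in ["198.51.100.0/24", "198.51.100.128/25", "2001:db8::/32", "192.0.2.0/24"]:
        print(p, check_prefix(p, APPROVED) or "OK")
    print("\n".join(render_junos(["198.51.100.0/24"], "192.0.2.1", APPROVED)))
```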

JUNIPER CPE DEMO

Q&A - Discussion
NOC.PENNREN.NET > Maps & Documentation > PennREN Member DDoS Mitigation Procedures
ZBare@KINBER.org