PennREN DDoS Mitigation Service Technical Overview - Zach Bare
PennREN DDoS Mitigation Service Technical Overview
Zach Bare, Network Engineer
5/22/18 2
Agenda
- Why use the DDoS Mitigation Service
- What the service does not do (currently)
- Understanding traffic flow
- PennREN member requirements
- Activating traffic scrubbing
- Deactivating traffic scrubbing
- Cisco CPE Configuration / DEMO
- JUNIPER CPE Configuration / DEMO
- Questions
Why use the DDoS Mitigation Service
- Less disruptive than Remote Triggered Black Hole (RTBH): good traffic is allowed through while malicious traffic is eliminated
- Sites and services continue to operate online with minimal degradation
- Renders the attack unsuccessful
- No usage time allocation
What the service does not do (currently)
- Protect from attacks originating from other PennREN members
- Protect from IPv6 based attacks
- Act as a firewall or IPS; protect from viruses, hackers, phishing
- Auto detect and auto mitigate DDoS attacks
- Protect prefix(es) of members not subscribed to the service
Understanding traffic flow - Normal Operation
Understanding traffic flow - DDoS Attack
Understanding traffic flow - Mitigation Activated
Understanding traffic flow - Telia Carrier
Understanding traffic flow - Telia Carrier
PennREN member requirements
- Caller must be listed as an authorized representative of the member institution within the PennREN NOC Database
- Member institution must be a valid subscriber of the PennREN DDoS Mitigation service
- Member institution must have active PennREN Commodity Internet Service
- Prefix requested for mitigation:
  - Must be IPv4
  - Cannot be longer than /24
  - Must already be filed with and approved by the PennREN NOC
Activating traffic scrubbing
1. Call the PennREN NOC at 833-PENNREN (833-736-6736) and request immediate DDoS scrubbing on the prefix(es). Be prepared to identify your name, the organization you are with, and the specific prefix range(s) you wish to scrub.
2. Stop advertising the affected prefix(es), including more specific prefixes, to other Internet Service Providers and private peers.
3. Advertise the affected prefix(es) to all PennREN Commodity Internet and Internet2 connections with the community string 14877:911.
4. The PennREN NOC will notify you by phone once traffic scrubbing is confirmed active by the service vendor.
Deactivating traffic scrubbing
1. Call the PennREN NOC at 833-PENNREN (833-736-6736) and request that DDoS scrubbing be deactivated. Be prepared to identify yourself and give the PennREN NOC an email address to which scrubbing reports should be forwarded.
2. Stop advertising community string 14877:911 to all PennREN connections.
3. Resume normal advertisements to other Internet Service Providers and private peers.
4. The PennREN NOC will email mitigation reports as they become available from the service vendor.
Cisco CPE Configuration - Route Map

! {ASN} is the member's BGP AS number; w.x.y.z/16 is the prefix to be scrubbed
route-map PREN-DDOS permit 10
 set community 14877:911
!
router bgp {ASN}
 network w.x.y.z/16 route-map PREN-DDOS
CISCO CPE DEMO
JUNIPER CPE Configuration - Static Route

set routing-options static route w.x.y.z/16 discard
set routing-options static route w.x.y.z/16 community 14877:911
JUNIPER CPE Configuration - Export Policy

set policy-options community PREN-DDOS-COMM members 14877:911
set policy-options policy-statement PREN-DDOS term MARK from prefix-list-filter PREN-DDOS-PREFIX orlonger
set policy-options policy-statement PREN-DDOS term MARK then community add PREN-DDOS-COMM
set policy-options policy-statement PREN-DDOS term MARK then next policy
set policy-options prefix-list PREN-DDOS-PREFIX w.x.y.z/16
set protocols bgp group PennREN neighbor a.b.c.d export PREN-DDOS
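As an added example (not from the PennREN deck), a small Python pre-flight check that applies the member requirements above (IPv4, no longer than /24, covered by a prefix already filed with the NOC) before producing the Junos activation or deactivation commands in the layout of the export-policy slide. The filed prefixes and the neighbor address are constructed placeholders.

```python
"""Pre-flight check for a PennREN DDoS scrubbing request and the Junos
commands to turn it on or off. Added example, not from the PennREN deck;
values marked 'constructed' are placeholders."""
import ipaddress

SCRUB_COMMUNITY = "14877:911"  # community string given on the slides
MAX_PREFIX_LEN = 24            # slides: prefix cannot be longer than /24

# Constructed sample: prefixes this hypothetical member has filed with the NOC.
FILED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")]


def check_prefix(prefix_str, filed=FILED_PREFIXES):
    """Return (ok, reason) against the member requirements on the slides."""
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:              # garbage, or host bits set
        return False, f"not a valid prefix: {exc}"
    if net.version != 4:
        return False, "service is IPv4 only"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"/{net.prefixlen} is longer than /{MAX_PREFIX_LEN}"
    if not any(net.subnet_of(f) for f in filed):
        return False, "prefix is not filed with / approved by the PennREN NOC"
    return True, "ok"


def junos_scrub_commands(prefix_str, neighbor, activate=True):
    """Set (activate) or delete (deactivate) commands in the layout of the
    export-policy slide. 'neighbor' is the PennREN peer address (constructed)."""
    ok, reason = check_prefix(prefix_str)
    if not ok:
        raise ValueError(reason)
    verb = "set" if activate else "delete"
    term = "policy-options policy-statement PREN-DDOS term MARK"
    cmds = [
        f"{verb} policy-options community PREN-DDOS-COMM members {SCRUB_COMMUNITY}",
        f"{verb} policy-options prefix-list PREN-DDOS-PREFIX {prefix_str}",
        f"{verb} {term} from prefix-list-filter PREN-DDOS-PREFIX orlonger",
        f"{verb} {term} then community add PREN-DDOS-COMM",
        f"{verb} {term} then next policy",
        f"{verb} protocols bgp group PennREN neighbor {neighbor} export PREN-DDOS",
    ]
    # Deactivation removes the export first so the policy is unreferenced.
    return cmds if activate else list(reversed(cmds))


if __name__ == "__main__":
    print("\n".join(junos_scrub_commands("203.0.113.0/24", "192.0.2.1")))
```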
JUNIPER CPE DEMO