Attacks on BGP Routing Ranges

• Subject: Attacks on BGP Routing Ranges
• From: saku at ytti.fi (Saku Ytti)
• Date: Wed, 18 Apr 2018 17:54:35 +0300
• In-reply-to: <[email protected]>
• References: <[email protected]> <CAAeewD9y+6[email protected]> <[email protected]>

Hey,


On 18 April 2018 at 14:03, Ryan Hamel <Ryan.Hamel at quadranet.com> wrote:

>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp are sent (policed) to infrastructure addresses
>
> While I can implement an edge filter to drop such traffic, it's impacting our clients traffic as well.

I don't understand why that would be true, your customers shouldn't be
using links for anything useful.
But again, in your case the attack is coming from far-end, so they
need to do this, to benefit you.

>> b) do not advertise link networks in iBGP

> This has never been an issue.

If is now. If the links is far-end assigned, and if far-end does not
advertise it, then attack has to come from same far-end router as
where you're connected, greatly reducing attack surface.

>> c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
>
>  Could you explain how this can resolve my issue? I am not sure how this would work.

If your link isn't protected, then attacking just your BGP session
allows to bring down the BGP with very modest Mbps, like <5Mbps. If
you do GTSM and drop <255 TTL BGP, then typically attacker can't bring
down the BGP session, or at very least they need to congest whole
linerate.

-- 
  ++ytti

• References:
  • Attacks on BGP Routing Ranges
    • From: Ryan.Hamel at quadranet.com (Ryan Hamel)
  • Attacks on BGP Routing Ranges
    • From: saku at ytti.fi (Saku Ytti)
  • Attacks on BGP Routing Ranges
    • From: Ryan.Hamel at quadranet.com (Ryan Hamel)

• Prev by Date: ANRW 2018
• Next by Date: Attacks on BGP Routing Ranges
• Previous by thread: Attacks on BGP Routing Ranges
• Next by thread: Attacks on BGP Routing Ranges
• Index(es):
  • Date
  • Thread