BGP Flowspec(RFC5575) Case study and Discussion
Shishio Tsuchiya
shtsuchi@cisco.com
Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
DDoS traffic is always changing…
http://www.digitalattackmap.com/
Effect of a DDoS attack
[Figure: attack path toward the target service 203.0.113.1, with the affected points labelled: customer aggregation node/line, bandwidth of backbone, customer line/node/service.]
The effect would be network-wide…
RTBH (Remote Triggered Black Hole Filtering)
[Figure: target service 203.0.113.1. A BGP route "203.0.113.1 via 192.0.2.1" is advertised; each router holds the static route "192.0.2.1 null0" and resolves 203.0.113.1 via 192.0.2.1.]
• RTBH (RFC5635) is a well-known technique among ISPs
• A static route to null (black hole) is configured beforehand
• If an incident happens, BGP advertises the route
• DDoS traffic will be stopped
Netflow+BGP Attribute
Why BGP Flow Specification is needed
• Non-DDoS users would also be stopped.
• It is difficult to discover and try rules against DDoS attacks, which change rapidly and keep increasing.
BGP Flowspec (RFC5575) + draft-ietf-idr-flow-spec-v6
Flow Type: Dst IP, Src IP, protocol, port, Dst port, Src port, ICMP Type, ICMP Code, TCP Flags, Packet Length, DSCP, Fragment
Action Rule: traffic-rate, traffic-action, redirect, traffic-marking
+---------------------------------------------------------+
| AFI(2 octets) 1 and 2 |
+---------------------------------------------------------+
| SAFI (1 octet) 133 and 134 |
+---------------------------------------------------------+
| Length of Next Hop Network Address (1 octet) |
+---------------------------------------------------------+
| Network Address of Next Hop (variable) |
+---------------------------------------------------------+
| Reserved (1 octet) |
+---------------------------------------------------------+
| Network Layer Reachability Information (variable) |
+---------------------------------------------------------+
SAFI
133 Dissemination of flow specification rules
134 L3VPN dissemination of flow specification rules
BGP Flowspec is defined in RFC5575; draft-ietf-idr-flow-spec-v6 covers IPv6 BGP Flowspec
The Flow Type identifies traffic; the Action Rule executes a policy against that traffic
“Flow Type” and “Action Rule” are advertised in a BGP update
BGP Flowspec (RFC5575)
[Figure: target service 203.0.113.1 and a Netflow collector. Example rules: A, B, C to 203.0.113.1 drop; D and E to 203.0.113.1 100kbps; F markdown to DSCP 0.]
Flowspec uses Netflow to collect traffic information
Flow rules and actions are distributed by BGP
Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
Flowspec Use case 1 world wide
Time Warner Telecom (TWTC) NANOG38 2006
Deployment Experience With BGP Flow Specification
https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
• DDoS Problem
  • Large and frequent effect on end users
  • A risk not only to end users but also to the infrastructure
  • OPEX increase
• DDoS Analysis
  • Large DDoS attacks by botnet armies/script kiddies
  • TCP SYN flood greater than 1Mpps
  • UDP fragment
  • Most attack sources are APNIC (Chinese) IP addresses, difficult to track due to national NAT
• Deployed Flowspec to peer & transit routers from the RR
  • Mitigation from the egress point to a cleaning VRF
• What was missing?
  • Multi-vendor support (deployed Juniper and Arbor)
  • Inter-carrier
  • Matching DSCP
Flowspec Use case 2 world wide
Neo Telecoms FRNOG18 2011
Flowspec
http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
• Compare RTBH/PBR and Flowspec
  • RTBH (Remote Triggered Black Hole)
    The website is protected from the DDoS attack, but no traffic reaches the website any more
  • PBR (Policy Based Routing)
    Can control traffic precisely in hardware
    But the service provider's operator must be contacted to apply/remove the policy when a DDoS is detected
  • Flowspec
    Makes static PBR dynamic, propagates PBR rules, and needs no additional communication channel
• Deployed Flowspec on transit routers
    Would like to use it on eBGP architecturally, but cannot trust customers and does not like to use flow on eBGP sessions for stability reasons
• What’s Next
  • IPv6 and VPNv6 support
  • Traffic monitoring
  • More vendors (only Juniper and Alcatel supported it at that time)
Flowspec Use case 3 world wide
GRNET (Greek Research and Technology Network) TNC2012
FireCircle: GRNET’s approach to advanced network security services’ management via bgp flow-spec and NETCONF
https://tnc2012.terena.org/core/presentation/41
• Background
  • Attackers use zombies; if the army of zombies is numerous, the DDoS traffic will be massive (e.g. DNS amp)
• Need better tools
  - Granularity: per flow
  - Action: drop/rate-limit/redirect
  - Speed / efficiency / automation / manageability
• Deployed FireCircle
  • Wizard-based UI to define policy from the customer
  • Applies XML configuration to the BGP flowspec router via NETCONF
  • eBGP flowspec propagates the policy to the GRNET router
• Expanding the service to the GEANT community
https://fod.grnet.gr/
[Figure labels: NETCONF; FireCircle; GRNET; GEANT; Participant NREN]
Atlas DDoS Trend report
• DDoS volume (average)
  • JAPAN Q2:491.63Mbps Q3:365.8Mbps
  • Asia Q2:530.5Mbps Q3:588.74Mbps
  • World Wide Q2:759.83Mbps Q3:858.98Mbps
• NTP amp trend (average volume)
  • JAPAN Q2:3.22Gbps Q3:281.76Mbps
  • Asia Q2:2.57Gbps Q3:2.70Gbps
• Attack duration
  • 92% of DDoS attacks stop within 1 hour
  • JAPAN: >1hour 92% average 3h21m
  • Asia: >1hour 94.1% average 31m
• Professional DDoS services exist
  e.g. 5 min free, 4$/hour

Services   UDP Source Port   Q3 Maximum DDoS Volume   Q3 Average DDoS Volume
SNMP       161               3.75Gbps                 769.1Mbps
Chargen    19                21.26Gbps                1.12Gbps
DNS        53                43.45Gbps                1.31Gbps
SSDP       1900              51Gbps                   5.11Gbps

• What’s Next
  • NTP amp attacks can create big volume.
  • So attackers are using other protocols.
  • SSDP (1900) is increasing
http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
Flowspec Use case 1
• An ISP that is interested in BGP Flowspec
• Amp attacks are increasing: under 5% -> over 70%
• and variable
• Src 53 Dst 0/Src 123/Src 1900/Dst 80

Protect Method | For | Point | If Flowspec deployed
RTBH | rapid action | protect short duration DDoS | more specific flow; can use policer for DDoS amp
ACL | permanent action | flexible/need time to deploy | to be rapid/manage ACL rule
Mitigation | premier service | expensive | would be effective
Flowspec Use case 2
• An ISP that has already deployed Flowspec on Juniper
• and would like to deploy it more widely on Cisco
• Flowspec is a very useful feature against today’s DDoS, but one point to consider is the scalability spec of the forwarding router
• A rule was too long, so the forwarding router could not apply the filter; as a result not only the DDoS traffic but also normal traffic went down
[Figure: DDoS detected, BGP update sent; the rule was too long for the forwarding router, which could not apply the filter]
Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
Discussion summary
• JANOG held a BGP Flowspec session at JANOG35
Shishio Tsuchiya Cisco Systems G.K.
Shojiro Hirasawa BIGLOBE Inc.
Satoshi Agatsuma TOYO Corporation
http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS
http://www.janog.gr.jp/meeting/janog35/program/bgpfs/
• Sharing the questions/discussion from the JANOG35 meeting
Q1. Is Flowspec really useful?
• Let’s confirm the details in the RFC and the IETF WG drafts.

Type  IPv4 (RFC5575)      IPv6 (flow-spec-v6)
1     Destination Prefix  Destination IPv6 Prefix
2     Source Prefix       Source IPv6 Prefix
3     IP Protocol         Next Header
4     Port                Port
5     Destination port    Destination port
6     Source port         Source port
7     ICMP type           ICMP type
8     ICMP code           ICMP code
9     TCP flags           TCP flags
10    Packet length       Packet length
11    DSCP                DSCP
12    Fragment            Fragment
13    N/A                 Flow Label

The Flow Type has an operator code which can specify lt (less than), gt (greater than), eq (equal).
Q1. Is Flowspec really useful? cont’d
• Most action rules are defined for both IPv4 and IPv6.
• But redirect IP seems confusing; the IDR WG activity should be watched

type | extended community | Actual Action | RFC/draft
0x8006 | traffic-rate | Policing rate (0: drop) | RFC5575
0x8007 | traffic-action | specific action; Terminal bit (0 is terminal); Sample bit (1 is logging/sampling) | RFC5575
0x8008 | redirect AS-2byte | redirect to specific VRF | flowspec-redirect-rt-bis
0x8208 | redirect AS-4byte | redirect to specific VRF | flowspec-redirect-rt-bis
0x800b | redirect IPv6 specific AS | redirect to specific VRF | flow-spec-v6
0x8108 | redirect IPv4 address; redirect IPv6 address | redirect to next hop address | flowspec-redirect-rt-bis; flowspec-redirect-ip
0x8009 | traffic-marking | marking DSCP values | flowspec-redirect-rt-bis; flow-spec-v6
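
The flow types, the lt/gt/eq operator byte and the 0x8006 traffic-rate community from the two tables above, as they are laid out on the wire under RFC 5575. This is an added example, not code from the slides; it handles the prefix and numeric component types only and rejects types 9 and 12. The sample rules, the packet-length range and the "&" prefix used to mark an ANDed term are assumptions of the example.

```python
import ipaddress
import struct

# Operator-byte bits for numeric components (RFC 5575 NLRI encoding).
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01
OPS = {"=": EQ, "<": LT, ">": GT, "<=": LT | EQ, ">=": GT | EQ, "!=": LT | GT}
OP_NAMES = {bits: name for name, bits in OPS.items()}
# Component types from the flow type table (IPv4 column).
DST_PREFIX, SRC_PREFIX, IP_PROTO, SRC_PORT, PKT_LEN = 1, 2, 3, 6, 10
PREFIX_TYPES = {1, 2}
NUMERIC_TYPES = {3, 4, 5, 6, 7, 8, 10, 11}   # types 9 and 12 use bitmask operators

def _encode_terms(terms):
    """[(op, value), ...]; a leading '&' on op ANDs the term with the previous one."""
    out = bytearray()
    for i, (op, value) in enumerate(terms):
        size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        byte = OPS[op.lstrip("&")] | ((size.bit_length() - 1) << 4)
        byte |= AND if op.startswith("&") and i > 0 else 0
        byte |= END if i == len(terms) - 1 else 0
        out += bytes([byte]) + value.to_bytes(size, "big")
    return bytes(out)

def encode_nlri(components):
    """{type: 'a.b.c.d/len' or [(op, value), ...]} -> length-prefixed NLRI bytes."""
    body = bytearray()
    for ctype in sorted(components):          # ascending type order is required
        body.append(ctype)
        if ctype in PREFIX_TYPES:
            net = ipaddress.IPv4Network(components[ctype])
            body.append(net.prefixlen)
            body += net.network_address.packed[: (net.prefixlen + 7) // 8]
        elif ctype in NUMERIC_TYPES:
            body += _encode_terms(components[ctype])
        else:
            raise ValueError(f"component type {ctype} not handled in this example")
    if len(body) > 0x0FFF:
        raise ValueError("NLRI too long")
    if len(body) < 0xF0:                      # short form: one length octet
        return bytes([len(body)]) + bytes(body)
    return struct.pack("!H", 0xF000 | len(body)) + bytes(body)

def _decode_terms(data, pos):
    terms = []
    while True:
        op = data[pos]
        size = 1 << ((op >> 4) & 3)
        raw = data[pos + 1 : pos + 1 + size]
        if len(raw) != size or (op & 7) not in OP_NAMES:
            raise ValueError("bad numeric operator or value")
        name = ("&" if op & AND and terms else "") + OP_NAMES[op & 7]
        terms.append((name, int.from_bytes(raw, "big")))
        pos += 1 + size
        if op & END:
            return terms, pos

def decode_nlri(data):
    """Inverse of encode_nlri; raises ValueError on malformed input."""
    try:
        wide = data[0] >= 0xF0
        length, pos = (struct.unpack("!H", data[:2])[0] & 0x0FFF, 2) if wide else (data[0], 1)
        if len(data) - pos != length:
            raise ValueError("length field does not match NLRI size")
        out, last = {}, 0
        while pos < len(data):
            ctype, pos = data[pos], pos + 1
            if ctype <= last:
                raise ValueError("components not in ascending type order")
            last = ctype
            if ctype in PREFIX_TYPES:
                plen = data[pos]
                nbytes = (plen + 7) // 8
                raw = bytes(data[pos + 1 : pos + 1 + nbytes])
                if plen > 32 or len(raw) != nbytes:
                    raise ValueError("bad prefix")
                out[ctype] = f"{ipaddress.IPv4Address(raw + bytes(4 - nbytes))}/{plen}"
                pos += 1 + nbytes
            elif ctype in NUMERIC_TYPES:
                out[ctype], pos = _decode_terms(data, pos)
            else:
                raise ValueError(f"component type {ctype} not handled in this example")
        return out
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated NLRI") from exc

def traffic_rate(bytes_per_second, asn=0):
    """Extended community 0x8006: 2-octet AS, IEEE float rate in bytes/s (0 = drop)."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_second))

# Constructed sample rules built from values that appear in the slides.
SSDP_DROP = {DST_PREFIX: "203.0.113.1/32", IP_PROTO: [("=", 17)], SRC_PORT: [("=", 1900)]}
BIG_UDP = {DST_PREFIX: "203.0.113.1/32", IP_PROTO: [("=", 17)],
           PKT_LEN: [(">=", 1000), ("&<=", 1500)]}   # packet-length range is made up

if __name__ == "__main__":
    for rule, rate in ((SSDP_DROP, 0), (BIG_UDP, 12500)):   # 12500 B/s = 100 kbps
        nlri = encode_nlri(rule)
        print(nlri.hex(), decode_nlri(nlri), traffic_rate(rate).hex())
```

The decoder enforces the length field and the ascending type order, so a truncated or reordered NLRI is rejected instead of being installed as a partial filter.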
Implementation status
• Cisco
  • IOS-XR: 5.2.0-
  • IOS-XE: 3.14- (RR); forwarding router in 3.15
• Juniper
  • JUNOS 7.3-
• Alcatel-Lucent
  • SR-OS 9.0R1-
• Arbor Networks
  • PeakFlow 6.0-
• Genie Networks
  • 5.5.1-
• ExaBGP
Q2. How about interoperability in a multi-vendor environment?
[Table: interoperability matrix of Cisco IOS, Cisco IOS-XR, JNPR JUNOS, ALU SR-OS, Arbor and Genie against each other]
• There are some interop reports, but more interop testing may be needed before deploying in an ISP network
Q3. Is flow really enough to monitor ISP traffic?
[Figure: DDoS traffic and normal traffic in the inline type model and the offramp model]
Inline type model | Offramp model
needs much equipment to monitor all subscribers | can use a shared resource
has to monitor huge traffic | only suspect traffic transits to mitigation
when mitigation fails, the failed equipment should just pass traffic | when mitigation fails, BGP is advertised to change the rule
The offramp solution would be reasonable
Q4. How is DDoS on mobile networks?
• Most mobile carriers today have deployed CGN as a solution to the IPv4 exhaustion problem.
• Malware/DDoS tools for Android already exist.
• Flow-based filtering will become more important to reduce the side effects of DDoS
[Figure labels: Global Address; Global Address; RFC6598 ISP Shared Address or RFC1918 Private Address]
Q5. Performance issue?
• It depends on the router architecture.
APNIC38 Geoff Huston (APNIC) - What's so special about 512?
APRICOT2012 Greg Hankins, Brocade - Pushing the Limits, A Perspective on Router Architecture Challenges
• Usually QoS/PBR is implemented in TCAM, so the performance impact would be minimal.
https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
Q6. eBGP use case?
• Flowspec should work on eBGP peers, but the eBGP validation rule for received routes should be relaxed.
• On a transit AS or a route server at an IXP it would be a desirable service, because if one AS sends DDoS traffic it affects another AS.
• The validation rule should be relaxed, so maybe we should consider a solution that co-exists with RPKI to make it a more powerful security solution.
• Should check “Revised Validation Procedure for BGP Flow Specifications” draft-ietf-idr-bgp-flowspec-oid
[Figure labels: ROA; Transit AS; Route Server on IXP; co-exist with RPKI]
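
The rule that these bullets want relaxed is the RFC 5575 section 6 validation: a flow specification is feasible only if it comes from the originator of the best-match unicast route for its destination prefix, and no more-specific unicast route was received from a different neighbouring AS. The check below is an added example, not code from the slides; the data model, the RIB entries, the addresses and the AS numbers are constructed for illustration. It shows why a rule announced by a route server or a central controller, which does not originate the unicast route, fails the first condition.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: str
    originator: str      # ORIGINATOR_ID, or the peer's transport address if absent
    neighbor_as: int     # left-most AS in the AS_PATH
    best: bool = True    # selected as the best path for its prefix


def validate_flowspec(dst_prefix, flow_originator, rib):
    """Apply the two RFC 5575 section 6 conditions; return (feasible, reason)."""
    dst = ipaddress.ip_network(dst_prefix)
    covering = [r for r in rib
                if r.best and dst.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return False, "no unicast route covers the flow destination"
    # Best-match unicast route: longest covering prefix among the best paths.
    best = max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    # (a) the flow specification must come from the originator of that route
    if flow_originator != best.originator:
        return False, f"originator {flow_originator} != {best.originator} for {best.prefix}"
    # (b) no more-specific unicast route may come from a different neighbouring AS
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if net != dst and net.subnet_of(dst) and r.neighbor_as != best.neighbor_as:
            return False, f"more specific {r.prefix} received from AS{r.neighbor_as}"
    return True, "feasible"


# Constructed RIB: documentation prefixes and documentation AS numbers.
RIB = [
    UnicastRoute("203.0.113.0/24", originator="192.0.2.10", neighbor_as=64500),
    UnicastRoute("198.51.100.0/24", originator="192.0.2.10", neighbor_as=64500),
    UnicastRoute("198.51.100.128/25", originator="192.0.2.20", neighbor_as=64501),
]

if __name__ == "__main__":
    cases = [
        ("203.0.113.1/32", "192.0.2.10"),   # same originator as the unicast route
        ("203.0.113.1/32", "192.0.2.99"),   # e.g. a route server or controller
        ("198.51.100.0/24", "192.0.2.10"),  # a /25 inside it comes from another AS
    ]
    for dst, originator in cases:
        print(dst, originator, validate_flowspec(dst, originator, RIB))
```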
Q7. How is the OpenFlow DDoS solution?
• There is an OpenFlow DDoS protection solution.
• Hybrid OF also uses TCAM.
• The differences are the network architecture (fully distributed vs controller) and the API (OF vs BGP)
Summary
• Current DDoS attacks are high-volume and short-duration, and amp attacks are variable and increasing
• BGP Flowspec is a useful solution against today’s DDoS attacks
• BGP Flowspec is almost ready to deploy in ISP networks.
• Detailed implementation information from each vendor (scalability/next-hop address/IPv6) and interoperability test results are needed.
• eBGP should work, and customers may desire on-demand firewall/PBR services like FireCircle.
BGP Flowspec (RFC5575) Case study and Discussion

Contenu connexe

Tendances

Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)NetProtocol Xpert
 
Next Generation IP Transport
Next Generation IP TransportNext Generation IP Transport
Next Generation IP TransportMyNOG
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A TutorialAPNIC
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USAJose Liste
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksAPNIC
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data Center
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data CenterPLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data Center
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data CenterPROIDEA
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsCisco Canada
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
Vxlan control plane and routing
Vxlan control plane and routingVxlan control plane and routing
Vxlan control plane and routingWilfredzeng
 
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000Cisco Canada
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN DeploymentAPNIC
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address PlanningAPNIC
 

Tendances (20)

Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
MPLS (Multi-Protocol Label Switching)
MPLS  (Multi-Protocol Label Switching)MPLS  (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
 
Next Generation IP Transport
Next Generation IP TransportNext Generation IP Transport
Next Generation IP Transport
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data Center
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data CenterPLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data Center
PLNOG 13: Emil Gągała: EVPN – rozwiązanie nie tylko dla Data Center
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload Deployments
 
GTP Overview
GTP OverviewGTP Overview
GTP Overview
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming Techniques
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
 
Vxlan control plane and routing
Vxlan control plane and routingVxlan control plane and routing
Vxlan control plane and routing
 
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000
Subscriber Traffic & Policy Management (BNG) on the ASR9000 & ASR1000
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address Planning
 

En vedette

Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flPavel Odintsov
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersPavel Odintsov
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiPavel Odintsov
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WANCisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WANCisco Canada
 

En vedette (9)

Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WANCisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
 

Similaire à BGP Flowspec (RFC5575) Case study and Discussion

Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Bruno Teixeira
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloudinside-BigData.com
 
Инновации Cisco для операторов связи
Инновации Cisco для операторов связиИнновации Cisco для операторов связи
Инновации Cisco для операторов связиCisco Russia
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveMiya Kohno
 
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:Tony Antony
 
Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers  Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers Liubov Belousova
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment RoutingMyNOG
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?GeoffHuston
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?APNIC
 
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)Ontico
 
Eigrp and ospf comparison
Eigrp and ospf comparisonEigrp and ospf comparison
Eigrp and ospf comparisonDeepak Raj
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterShawn Zandi
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingCisco Service Provider
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdfJunZhao68
 
IEEE_ICC'23_SARENA.pdf
IEEE_ICC'23_SARENA.pdfIEEE_ICC'23_SARENA.pdf
IEEE_ICC'23_SARENA.pdfReza Farahani
 

Similaire à BGP Flowspec (RFC5575) Case study and Discussion (20)

Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloud
 
Инновации Cisco для операторов связи
Инновации Cisco для операторов связиИнновации Cisco для операторов связи
Инновации Cisco для операторов связи
 
Building a Router
Building a RouterBuilding a Router
Building a Router
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
 
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:High-performance 32G Fibre Channel Module on MDS 9700 Directors:
High-performance 32G Fibre Channel Module on MDS 9700 Directors:
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 
Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers  Stingray SG- solution for internet service providers
Stingray SG- solution for internet service providers
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
 
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
Dataplane networking acceleration with OpenDataplane / Максим Уваров (Linaro)
 
Eigrp and ospf comparison
Eigrp and ospf comparisonEigrp and ospf comparison
Eigrp and ospf comparison
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment Routing
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdf
 
IEEE_ICC'23_SARENA.pdf
IEEE_ICC'23_SARENA.pdfIEEE_ICC'23_SARENA.pdf
IEEE_ICC'23_SARENA.pdf
 

Plus de APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119

BGP Flowspec (RFC5575) Case study and Discussion

  • 1. BGP Flowspec(RFC5575) Case study and Discussion Shishio Tsuchiya shtsuchi@cisco.com
  • 2. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 3. DDOS traffic is always changing… http://www.digitalattackmap.com/
  • 4. Effect of DDOS attack: Customer aggregation node/line; Bandwidth of Backbone; Customer line/node/service; Target Service 203.0.113.1. The effect would be network wide…
  • 5. RTBH (Remote Triggered Black Hole Filtering) [Figure: Target Service 203.0.113.1; routers hold 192.0.2.1 null0 and 203.0.113.1 via 192.0.2.1] • RTBH (RFC5635) is a well-known technique in ISPs • A static route to null (black hole) is configured in advance • If an incident happens, BGP advertises the route • DDOS traffic will be stopped
  • 6. Why BGP Flow Specification will be needed (Netflow+BGP Attribute) • Non-DDOS users would also be stopped. • It is difficult to discover and apply rules against DDOS attacks, which change rapidly and keep increasing
  • 7. BGP Flowspec(RFC5575)+draft-ietf-idr-flow-spec-v6
    Flow Type: Dst IP, Src IP, protocol, port, Dst port, Src Port, ICMP Type, ICMP Code, TCP Flags, Packet Length, DSCP, Fragment
    Action Rule: traffic-rate, traffic-action, redirect, traffic-marking
    +---------------------------------------------------------+
    | AFI(2 octets) 1 and 2                                   |
    +---------------------------------------------------------+
    | SAFI (1 octet) 133 and 134                              |
    +---------------------------------------------------------+
    | Length of Next Hop Network Address (1 octet)            |
    +---------------------------------------------------------+
    | Network Address of Next Hop (variable)                  |
    +---------------------------------------------------------+
    | Reserved (1 octet)                                      |
    +---------------------------------------------------------+
    | Network Layer Reachability Information (variable)       |
    +---------------------------------------------------------+
    SAFI 133: Dissemination of flow specification rules
    SAFI 134: L3VPN dissemination of flow specification rules
    • BGP Flowspec is defined in RFC5575; draft-ietf-idr-flow-spec-v6 is for IPv6 BGP Flowspec
    • Flow Type identifies traffic; Action Rule executes policy against that traffic
    • "Flow Type" and "Action Rule" are advertised by BGP update
  • 8. BGP Flowspec(RFC5575) [Figure: Target Service 203.0.113.1; A, B, C to 203.0.113.1: drop; D and E to 203.0.113.1: 100kbps; F: markdown to dscp 0 100kbps; Netflow collector] • Flowspec uses netflow to collect traffic information • Flow rule and action will be distributed by BGP
  • 9. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 10. Flowspec Use case 1 world wide: Time Warner Telecom (TWTC), NANOG38 2006, "Deployment Experience With BGP Flow Specification" https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
    • DDOS Problem
      • Large/frequent effect on end users
      • Risk not only to end users but also to infrastructure
      • OPEX increase
    • DDoS Analysis
      • Large DDOS attacks by botnet armies/script kiddies
      • TCP SYN flood greater than 1Mpps
      • UDP fragment
      • Most attack sources are APNIC (Chinese) IP addresses, difficult to track due to national NAT
    • Deployed Flowspec for Peer & Transit routers from RR
    • Mitigation from egress point to cleaning vrf
    • What was missing?
      • Multi vendor support (deployed Juniper and Arbor)
      • Inter-Carrier
      • Matching DSCP
  • 11. Flowspec Use case 2 world wide: Neo Telecoms, FRNOG18 2011, "Flowspec" http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
    • Compare RTBH/PBR and Flowspec
      • RTBH (Remote Triggered Black Hole): protects the website from the DDOS attack, but no more traffic reaches the website
      • PBR (Policy Based Routing): can control traffic precisely in hardware, but needs contact with the service provider operator to run/remove the policy when a DDOS is detected
      • Flowspec: makes static PBR dynamic, propagates PBR rules, does not need an additional communication channel
    • Deployed Flowspec on transit routers: would like to use it on eBGP as the architecture, but cannot trust customers and do not like to use flow on eBGP sessions for stability reasons
    • What's Next
      • IPv6 and VPNv6 support
      • Traffic Monitoring
      • More vendors (only Juniper and Alcatel supported it at that time)
  • 12. Flowspec Use case 3 world wide: GRNET (Greek Research and Technology Network), TNC2012, "FireCircle: GRNET's approach to advanced network security services' management via bgp flow-spec and NETCONF" https://tnc2012.terena.org/core/presentation/41
    • Background
      • Attackers use zombies; if the army of zombies is large, DDOS traffic will be massive (ex. DNS amp)
      • Need better tools - Granularity: per flow - Action: drop/rate-limit/redirect - Speedy/Efficiency/Automation/Manageability
    • Deployed FireCircle
      • Wizard based UI to define policy from customer
      • Apply XML configuration to BGP flowspec router via NETCONF
      • eBGP flowspec propagates policy to GRNET router
      • Expanding the service to GEANT community https://fod.grnet.gr/
    [Figure: NETCONF, FireCircle, GRNET, GEANT, Participant NREN]
  • 13. Atlas DDOS Trend report http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
    • DDOS Volume (average)
      • JAPAN Q2: 491.63Mbps Q3: 365.8Mbps
      • Asia Q2: 530.5Mbps Q3: 588.74Mbps
      • World Wide Q2: 759.83Mbps Q3: 858.98Mbps
    • NTP Amp trend (average volume)
      • JAPAN Q2: 3.22Gbps Q3: 281.76Mbps
      • Asia Q2: 2.57Gbps Q3: 2.70Gbps
    • Attack Duration
      • 92% DDOS stops within 1hour
      • JAPAN: >1hour 92% average 3h21m
      • Asia: >1hour 94.1% average 31m
      • Professional DDOS services exist, ex) 5min free, 4$/hour
    Services | UDP Source Port | Q3 Maximum DDOS Volume | Q3 Average DDOS Volume
    SNMP     | 161             | 3.75Gbps               | 769.1Mbps
    Chargen  | 19              | 21.26Gbps              | 1.12Gbps
    DNS      | 53              | 43.45Gbps              | 1.31Gbps
    SSDP     | 1900            | 51Gbps                 | 5.11Gbps
    • What's Next
      • NTP Amp attack can create big volume.
      • So attackers are using other protocols.
      • SSDP (1900) is increasing
  • 14. Flowspec Use case 1
    • ISP who is interested in BGP Flowspec
    • Amp attacks are increasing (under 5% -> over 70%) and variable
    • Src 53 Dst 0/Src 123/Src 1900/Dst 80
    Protect Method | For              | Point                        | If Flowspec deployed
    RTBH           | rapid action     | protect short duration DDOS  | more specific flow can use policer for DDOS amp
    ACL            | permanent action | flexible/need time to deploy | to be rapidly/manage acl rule
    Mitigation     | premier service  | expensive                    | would be effective
  • 15. Flowspec Use case 2 • ISP who has already deployed with Juniper and would like to deploy more widely with Cisco • Flowspec is a very useful feature against today's DDOS, but one point to consider is the scalability spec of the forwarding router • The rule was too long, so the forwarding router could not apply the filter; as a result not only DDOS but also normal traffic went down [Figure: DDOS detected/BGP update sent; rule was too long for forwarding router, could not apply filter]
  • 16. • BGP Flowspec Overview • BGP Flowspec case study • JANOG35 Q&A Agenda
  • 17. Discussion summary • JANOG had a session on BGP Flowspec at JANOG35: Shishio Tsuchiya (Cisco Systems G.K.), Shojiro Hirasawa (BIGLOBE Inc.), Satoshi Agatsuma (TOYO Corporation) http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS http://www.janog.gr.jp/meeting/janog35/program/bgpfs/ • Share questions/discussion from the JANOG35 meeting
  • 18. Q1. Is Flowspec really useful? • Let's confirm in detail against the RFC and IETF WG draft.
    Type | IPv4 (RFC5575)     | IPv6 (flow-spec-v6)
    1    | Destination Prefix | Destination IPv6 Prefix
    2    | Source Prefix      | Source IPv6 Prefix
    3    | IP Protocol        | Next Header
    4    | Port               | Port
    5    | Destination port   | Destination port
    6    | Source port        | Source Port
    7    | ICMP type          | ICMP type
    8    | ICMP code          | ICMP type
    9    | TCP flags          | TCP flags
    10   | Packet length      | Packet length
    11   | DSCP               | DSCP
    12   | Fragment           | Fragment
    13   | N/A                | Flow Label
    Flow Type has an operator code which can specify lt (less than), gt (greater than), eq (equal).
  • 19. Q1. Is Flowspec really useful? cont'd • Most action rules are defined for both IPv4 and IPv6. • But redirect IP seems confusing; should watch idr wg activity
    type | extended community | Actual Action | RFC/draft
    0x8006 | traffic-rate | Policing rate, 0: drop | RFC5575
    0x8007 | traffic-action | specific action; Terminal bit: (0 is terminal); Sample bit: (1 is logging/sampling) | RFC5575
    0x8008, 0x8208, 0x800b | redirect AS-2byte, redirect AS-4byte, redirect IPv6 specific AS | redirect to specific vrf | flowspec-redirect-rt-bis, flowspec-redirect-rt-bis, flow-spec-v6
    0x8108 | redirect IPv4 address, redirect IPv6 address | redirect to next hop address, redirect to next hop address | flowspec-redirect-rt-bis, flowspec-redirect-ip, flowspec-redirect-ip
    0x8009 | traffic-marking | marking DSCP values | flowspec-redirect-rt-bis, flow-spec-v6
  • 20. Implementation status • Cisco IOS-XR: 5.2.0-, IOS-XE 3.14- (RR), forwarding router in 3.15 • Juniper JUNOS 7.3- • Alcatel-Lucent SR-OS 9.0R1- • Arbor Networks PeakFlow 6.0- • Genie Networks 5.5.1- • ExaBGP
  • 21. Q2. How about interoperability in multi vendor? [Matrix of Cisco IOS, Cisco IOS-XR, JNPR JUNOS, ALU SR-OS, Arbor and Genie against each other] • There are some interop reports, but more interop tests may be needed to deploy in ISP networks
  • 22. Q3. Is flow really enough to monitor ISP traffic? [Figure legend: DDOS Traffic, Normal Traffic]
    Inline type model | offramp model
    need much equipment to monitor all subscribers | can use shared resource
    have to monitor huge traffic | only suspect traffic will transit to mitigation
    when mitigation fails, the failed equipment should just transit traffic | when mitigation fails, advertise BGP to change rule
    • offramp solution would be reasonable
  • 23. Q4. How is DDOS on mobile network? • Today most mobile carriers have deployed CGN as a solution to the IPv4 exhaustion problem. • Malware/DDOS tools for Android already exist. • Flow based filtering will be more important to reduce the side effects of DDOS [Figure: Global Address; Global Address; RFC6598 ISP Shared Address or RFC1918 Private Address]
  • 24. Q5. Performance issue? • It depends on router architecture. APNIC38 Geoff Huston (APNIC) - What's so special about 512? APRICOT2012 Greg Hankins, Brocade - Pushing the Limits, A Perspective on Router Architecture Challenges • Usually QoS/PBR is implemented in TCAM, so the performance impact would be minimal. https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
  • 25. Q6. eBGP Use case? • Flowspec should work on eBGP peers, but the eBGP validation rule for received routes should be relaxed. • On a transit AS/route server on an IXP, it would be a desirable service, because if one AS sends DDOS it affects another AS. • The validation rule should be relaxed, so maybe we should consider a solution that co-exists with RPKI to be a more powerful security solution. • Should check "Revised Validation Procedure for BGP Flow Specifications" draft-ietf-idr-bgp-flowspec-oid [Figure: ROA; Transit AS; Route Server on IXP; co-exist with RPKI]
  • 26. Q7. How is OpenFlow DDOS solution? • There are OpenFlow DDOS protection solutions. • Hybrid OF also uses TCAM. • The differences are network architecture (fully distributed vs controller) and API (OF vs BGP)
  • 27. Summary • Current DDOS attacks are high volume/short duration; amp attacks are variable and increasing • BGP Flowspec is a useful solution against today's DDOS attacks • BGP Flowspec is almost ready to deploy in ISP networks. • Need detailed implementation information from each vendor (scalability/nexthop address/IPv6) and interoperability test results. • eBGP should work, and customers may desire on-demand Firewall/PBR services like FireCircle.
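
The flow types and operator codes on slide 18 and the traffic-rate community on slide 19, worked through as an added Python example (not taken from the slides or from any vendor implementation): it encodes an IPv4 Flowspec NLRI in the RFC 5575 layout, decodes it strictly the way a receiver should before installing a filter, and builds the 0x8006 traffic-rate community. The sample rule (UDP source port 123 towards 203.0.113.1), the function names and AS 64512 are constructed for illustration; the TCP flags and fragment components, which use a bitmask operator, are left out.

```python
import ipaddress
import struct

# Component types from the slide 18 table (IPv4 column, RFC 5575).
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, PKT_LEN, DSCP = 7, 8, 10, 11
PREFIX_TYPES = {DST_PREFIX, SRC_PREFIX}
NUMERIC_TYPES = {IP_PROTO, PORT, DST_PORT, SRC_PORT, ICMP_TYPE, ICMP_CODE, PKT_LEN, DSCP}
# Numeric operator octet: end-of-list, AND, 2-bit length code, then lt/gt/eq bits.
EOL, AND = 0x80, 0x40
OPS = {"false": 0, "=": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6, "true": 7}
OP_NAMES = {bits: name for name, bits in OPS.items()}

def encode_component(ctype, spec):
    """Prefix types take a CIDR string; numeric types take [(op, value[, "and"]), ...]."""
    if ctype in PREFIX_TYPES:
        net = ipaddress.IPv4Network(spec)
        nbytes = (net.prefixlen + 7) // 8  # only the significant octets are sent
        return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]
    if ctype not in NUMERIC_TYPES:
        raise ValueError(f"component type {ctype} is not handled in this example")
    out = bytearray([ctype])
    for i, (op, value, *join) in enumerate(spec):
        size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        octet = OPS[op] | ((size.bit_length() - 1) << 4) | (AND if join == ["and"] else 0)
        if i == len(spec) - 1:
            octet |= EOL  # last operator of this component
        out.append(octet)
        out += value.to_bytes(size, "big")
    return bytes(out)

def build_nlri(rule):
    """rule maps component type -> spec; components go out in ascending type order."""
    body = b"".join(encode_component(t, rule[t]) for t in sorted(rule))
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) > 0x0FFF:
        raise ValueError("flow specification exceeds the 4095-octet NLRI limit")
    return struct.pack("!H", 0xF000 | len(body)) + body

def decode_nlri(data):
    """Strict decoder: rejects truncation, bad ordering and unhandled component types."""
    if len(data) >= 2 and data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = (data[0] if data else 0), 1
    if pos + length != len(data):
        raise ValueError("NLRI length field does not match the data")
    rule, last_type = {}, 0
    while pos < len(data):
        ctype, pos = data[pos], pos + 1
        if ctype <= last_type or ctype not in PREFIX_TYPES | NUMERIC_TYPES:
            raise ValueError("out-of-order or unhandled component type")
        last_type = ctype
        if ctype in PREFIX_TYPES:
            plen = data[pos] if pos < len(data) else 33
            raw = data[pos + 1:pos + 1 + (plen + 7) // 8]
            if plen > 32 or len(raw) != (plen + 7) // 8:
                raise ValueError("bad or truncated prefix component")
            rule[ctype] = str(ipaddress.IPv4Network((raw.ljust(4, b"\0"), plen)))
            pos += 1 + len(raw)
        else:
            rule[ctype], done = [], False
            while not done:
                if pos >= len(data):
                    raise ValueError("operator list has no end-of-list bit")
                octet = data[pos]
                size = 1 << ((octet >> 4) & 3)
                raw = data[pos + 1:pos + 1 + size]
                if len(raw) != size:
                    raise ValueError("truncated operator value")
                term = (OP_NAMES[octet & 7], int.from_bytes(raw, "big"))
                rule[ctype].append(term + ("and",) if octet & AND else term)
                pos, done = pos + 1 + size, bool(octet & EOL)
    return rule

def traffic_rate(bytes_per_second, asn=0):
    """Extended community 0x8006: 2-octet AS, then an IEEE float rate; 0 means drop."""
    return struct.pack("!HHf", 0x8006, asn, bytes_per_second)

def parse_traffic_rate(community):
    kind, asn, rate = struct.unpack("!HHf", community)
    if kind != 0x8006:
        raise ValueError("not a traffic-rate extended community")
    return asn, rate

# Constructed sample: NTP amplification replies (UDP, source port 123) to the target.
NTP_RULE = {DST_PREFIX: "203.0.113.1/32", IP_PROTO: [("=", 17)], SRC_PORT: [("=", 123)]}
```

The traffic-rate value is in bytes per second, so the 100kbps policer shown on slide 8 corresponds to `traffic_rate(12500.0)`.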