Routing


DDoS POC Auto-Rerouting Inquiry

  • 1.  DDoS POC Auto-Rerouting Inquiry

    Posted 07-21-2020 05:30

    Hi,

    We're doing a POC with a partner wherein we are testing an auto-rerouting for a DDoS attack.

    Attached is the diagram (POC Diagram.jpg).

    Test IP: x.x.88.0/24
    Corp Network ASN: 123456
    Scrubbing Center ASN: 134190
    DDoS Trigger Server (or INI): 45352
    Community tag for auto-rerouting is: 123456:911

    Target end-state:
    1. Once a DDoS attack going to x.x.88.x has entered the Corporate network, the INI will advertise the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1.
    2. Once BorderRouter1 receives the prefix from the INI, it should not export it to its other iBGP neighbors (CoreRouter(s)).
    3. It should prefer the route from the INI but should not prefer the INI as the next-hop for x.x.88.0/24; instead it will rely on the next-hop set by the INI on the test prefix, which is Core Router (x.x.x.246).
    4. Once BorderRouter1 receives the prefix from the INI with the community tag, it will automatically advertise the prefix to the Scrubbing Center.
    5. Then BorderRouter1 will deny the x.x.88.0/24 prefix advertisement with the community tag to its other ISP (other peerings).

    Current state (manually triggering the INI, prior to live attack):
    1. Once the INI advertises the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1, BorderRouter1's preferred next-hop to the x.x.88.0/24 prefix is the p2p peering with the INI instead of Core Router.
    2. Because of this, points 2-5 of the target end-state are not accomplished.

    *** Even though the INI advertises the x.x.88.0/24 prefix, it should not be the path going to x.x.88.0/24.

    During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.

    We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

    Thus, points 2-5 of the target end-state are not accomplished.

    Hoping somebody can help.

    If you have questions, feel free to ask.

    Thanks in advance.

    Attachment(s): config for POC.txt (txt, 1K)


  • 2.  RE: DDoS POC Auto-Rerouting Inquiry
    Best Answer

    Posted 07-21-2020 06:47

    Hello,

    @Saul17 wrote:

        I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.


    Please add the following knob to your INI peer group:

        set protocols bgp group INI-BLAH neighbor X.Y.X.Y accept-remote-nexthop

    HTH

    Thx

    Alex
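
    A Junos configuration sketch that combines the accept-remote-nexthop knob from this answer with import/export policies for points 2-5 of the target end-state in the original post. This is an added example, not the poster's attached config and not a Juniper-supplied one; the group names (INI, IBGP-CORE, SCRUB, OTHER-ISP), the policy names, the neighbor address 192.0.2.1 and the local-preference value 300 are assumptions, while the community 123456:911 is the one from the post.

```junos
# Assumed neighbor address and group names; only the community value comes from the post.
# Point 3: use the next hop the INI sets (x.x.x.246) rather than the INI tunnel peer address
set protocols bgp group INI neighbor 192.0.2.1 accept-remote-nexthop
set protocols bgp group INI import FROM-INI

# Community carried by the reroute announcement
set policy-options community DDOS-REROUTE members 123456:911

# Point 3: prefer the INI-originated route over the normal path; accept nothing else from the INI
set policy-options policy-statement FROM-INI term reroute from community DDOS-REROUTE
set policy-options policy-statement FROM-INI term reroute then local-preference 300
set policy-options policy-statement FROM-INI term reroute then accept
set policy-options policy-statement FROM-INI term other then reject

# Point 2: do not pass the tagged prefix on to iBGP neighbors (core routers)
set policy-options policy-statement TO-IBGP term no-reroute from community DDOS-REROUTE
set policy-options policy-statement TO-IBGP term no-reroute then reject
set protocols bgp group IBGP-CORE export TO-IBGP

# Point 4: advertise the tagged prefix to the scrubbing center (ASN 134190)
set policy-options policy-statement TO-SCRUB term reroute from community DDOS-REROUTE
set policy-options policy-statement TO-SCRUB term reroute then accept
set protocols bgp group SCRUB export TO-SCRUB

# Point 5: never leak the tagged prefix to the other ISP peerings
set policy-options policy-statement TO-ISP term no-reroute from community DDOS-REROUTE
set policy-options policy-statement TO-ISP term no-reroute then reject
set protocols bgp group OTHER-ISP export TO-ISP
```

    The new export terms are meant to sit in front of whatever export policies those groups already have. After committing, `show route x.x.88.0/24 detail` should show the route active with protocol next hop x.x.x.246 and no longer hidden, and `show route advertising-protocol bgp <peer>` against the scrubbing-center and ISP peers confirms points 4 and 5.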

  • 3.  RE: DDoS POC Auto-Rerouting Inquiry

    Posted 07-21-2020 06:57

    Hi

    Thank you for the input. I'll try it out tomorrow.



  • 4.  RE: DDoS POC Auto-Rerouting Inquiry

    Posted 07-21-2020 23:49

    Hi