[afnog] [AfrISPA.Discuss] Securing our network

Mark Tinka mtinka at globaltransit.net
Fri May 2 02:59:32 UTC 2008


On Monday 28 April 2008, Global One Solution wrote:

> I am sure you know well, an ACL alone does not protect you
> from ANYTHING, unless you're willing to block legitimate traffic.
> You are really at the mercy of your ISP. If your ISP is
> not placing the ACL in the edge router, what good will your
> ACL do?  All the hacker needs is a way to flood your
> link, and they can take you out of service. So let's say
> you even place CiscoGuard (which I agree is expensive),
> and I'm not saying this is the solution, but even if you
> place some intelligent device behind your CE router,
> you will not be given the opportunity to study the health
> of the packet, since the hacker's goal is just to take you
> out of service.  I am really advocating a VERY close
> relationship between the *customer* and *ISP*.  RTB
> (Remote Trigger Blackhole) is also another feature that
> kind of helps clients

Protecting against DoS and DDoS is not easy and is as much 
dependent on good networking practices as it is on excellent 
NOC procedures.

The first thing to have is the right tools, tools that will 
help detect anomalies quickly, e.g., NetFlow, cFlowd, MRTG, 
Cacti, Ourmon, Nfsen, commercial products, etc.

Once you have that, having a trained NOC that knows what to 
do, step-for-step, is crucial. If your NOC is slow or does 
not have proper procedures to follow, all your fancy 
equipment is useless.

The next is looking at how best to mitigate the attacks. 
Larger ISPs do this with money, i.e., use hardware-based 
routers (forwarding packets using ASICs and/or network 
processors, rather than software processes) + huge 
bandwidth. Probably not an option for a small ISP, but then 
again, typically, large and small ISPs see different 
attack profiles (although you shouldn't always take this 
for granted).

For customers whose upstreams have fat pipes and big 
hardware-based platforms, you can purchase anti-DoS 
services where the upstreams will have a fairly low 
utilization threshold, e.g., 40% (or more) of all bandwidth 
should remain available at all times. They can then use 
this extra bandwidth to suppress any attacks heading your 
way, thereby freeing up YOUR pipe to them.

Note that destination-based blackholing is faster to 
implement, but, for all intents and purposes, completes the 
DoS attack anyway :-).

Source-based blackholing is possible, but harder as many 
attacks these days are DDoS-based, i.e., the attack 
originates from multiple sources.

Simple things you can do within your network to mitigate the 
spread of such occurrences (in addition to the points in 
the first few paragraphs, above):

1. Deploy BCP-38 on your border, peering and edge routers.

2. Complement this with RFC 1918 blocking.

3. Add RFC 3330 blocking.

4. Use uRPF (loose and/or strict, depending on where you
   place it).

5. Use prefix lists or route filters for BGP sessions with
   your customers (remember the PCCW-PTA incident?).

6. Have a community-based blackhole policy, with a dedicated
   blackhole router, i.e., remote-triggered blackholing, as
   you mention above.

7. Use RPSL to manage external peering filters.

Cheers,

Mark.
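The detection step the message opens with (NetFlow, Nfsen and similar collectors feeding a NOC that knows what to look for), as an added example that is not part of the original post and is not code from any of the tools named: it aggregates constructed NetFlow-style flow records per destination over a one-minute window, flags hosts whose packet rate is well above a per-host baseline, and reports whether the flood comes from a single source or from many, which is exactly the distinction that decides whether source-based blackholing is feasible. All addresses, baselines and thresholds are constructed.

```python
"""Flow-based flood detection over constructed NetFlow-style records.

Added example, not code from this thread or from any of the tools it names.
It mimics the check a NOC would run on a NetFlow/nfsen style collector:
aggregate flows per destination over a short window, compare the packet
rate against a per-host baseline, and report whether the flood comes from
one source (source-based blackholing is an option) or from many (DDoS).
Every address, baseline and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One exported flow record (the fields an exporter would send us)."""
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int


WINDOW_SECONDS = 60              # collection window the sample flows cover
DEFAULT_BASELINE_PPS = 100.0     # used for hosts with no learned baseline
BASELINE_PPS = {                 # constructed per-host normal packet rates
    "203.0.113.10": 200.0,
    "203.0.113.20": 50.0,
}
PPS_MULTIPLIER = 5.0             # alert when rate >= 5x baseline
DDOS_SOURCE_THRESHOLD = 50       # >= this many distinct sources => DDoS


def aggregate(flows):
    """Sum packets/octets per destination and track distinct sources and ports."""
    per_dst = defaultdict(lambda: {"packets": 0, "octets": 0,
                                   "sources": set(), "ports": defaultdict(int)})
    for f in flows:
        d = per_dst[f.dst]
        d["packets"] += f.packets
        d["octets"] += f.octets
        d["sources"].add(f.src)
        d["ports"][(f.proto, f.dport)] += f.packets
    return per_dst


def detect(flows, baseline=BASELINE_PPS, window=WINDOW_SECONDS):
    """Return one alert dict per destination whose packet rate is anomalous."""
    alerts = []
    for dst, d in aggregate(flows).items():
        pps = d["packets"] / window
        base = baseline.get(dst, DEFAULT_BASELINE_PPS)
        if pps < base * PPS_MULTIPLIER:
            continue
        nsrc = len(d["sources"])
        top_port, _ = max(d["ports"].items(), key=lambda kv: kv[1])
        alerts.append({
            "dst": dst,
            "pps": pps,
            "ratio": pps / base,
            "sources": nsrc,
            "kind": "ddos" if nsrc >= DDOS_SOURCE_THRESHOLD else "dos",
            "top_proto_port": top_port,
            # one or a handful of sources can be blackholed by source;
            # a flood from hundreds of hosts cannot, as the message notes
            "source_blackhole_feasible": nsrc < DDOS_SOURCE_THRESHOLD,
        })
    return alerts


def sample_flows():
    """Constructed one-minute window: normal traffic, a DDoS and a single-source DoS."""
    flows = []
    # normal web traffic to 203.0.113.20 from three clients
    for src in ("198.51.100.5", "198.51.100.6", "198.51.100.7"):
        flows.append(Flow(src, "203.0.113.20", 6, 80, 500, 400_000))
    # UDP/53 flood at 203.0.113.10 from 300 distinct hosts, 400 packets each
    attackers = list(ip_network("100.64.0.0/22").hosts())[:300]
    for a in attackers:
        flows.append(Flow(str(a), "203.0.113.10", 17, 53, 400, 30_000))
    # single-source flood at 203.0.113.30 (no learned baseline for this host)
    flows.append(Flow("198.51.100.200", "203.0.113.30", 1, 0, 60_000, 5_000_000))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

Run on the constructed window, the 300-source UDP/53 flood at 203.0.113.10 is reported as a DDoS (2000 pps against a 200 pps baseline) and the single-source flood at 203.0.113.30 as a DoS for which a source-based blackhole is still an option; the ordinary web traffic to 203.0.113.20 raises nothing. The baseline table is the piece a real deployment would learn from history rather than hard-code.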
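Items 1 to 6 of the list above, as an added example that is not part of the original post and is not any vendor's implementation: it models the source-address checks a router applies on ingress. The bogon check covers the RFC 1918 blocks and a subset of the RFC 3330 special-use blocks; strict uRPF (the BCP-38 check on customer ports) requires the source to route back out the interface it arrived on; loose uRPF (for peering and transit ports) only requires some route, and fails for a prefix pointed at a discard route, which is how a source-based remote-triggered blackhole takes effect; the customer BGP prefix-list check from item 5 is included as well. The FIB, interface names and addresses are constructed, and a production bogon list has to be maintained as allocations change.

```python
"""Ingress source-address checks: bogon filtering, strict and loose uRPF,
and a customer BGP prefix-list check.

Added example, not code from this thread or from any router vendor.
The FIB, interface names, prefixes and addresses are all constructed.
"""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subset of the RFC 3330 special-use blocks that are still unroutable; a real
# bogon list must be kept current as IANA allocations change.
RFC3330_SPECIAL = [ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24",
    "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]

DISCARD = "Null0"   # the interface a blackholed (RTBH) prefix points at


class Fib:
    """Minimal forwarding table: longest-prefix match to an outgoing interface."""

    def __init__(self, routes):
        # routes: iterable of (prefix, out_interface); most specific wins
        self.routes = sorted(((ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None


def is_bogon(src):
    """RFC 1918 / RFC 3330 source that should never arrive from outside."""
    a = ip_address(src)
    return any(a in n for n in RFC1918 + RFC3330_SPECIAL)


def urpf_strict(fib, src, in_iface):
    """BCP-38 check: the source must route back out the arrival interface."""
    return fib.lookup(src) == in_iface


def urpf_loose(fib, src):
    """Source must have a route, and not a discard route (RTBH'd sources fail)."""
    iface = fib.lookup(src)
    return iface is not None and iface != DISCARD


def ingress_verdict(fib, src, in_iface, mode):
    """mode is 'strict' for customer/edge ports, 'loose' for peering/transit."""
    if is_bogon(src):
        return "drop:bogon"
    if mode == "strict" and not urpf_strict(fib, src, in_iface):
        return "drop:urpf-strict"
    if mode == "loose" and not urpf_loose(fib, src):
        return "drop:urpf-loose"
    return "accept"


def bgp_accept(customer_prefixes, announced, max_len=24):
    """Prefix-list check for a customer BGP session: the announcement must sit
    inside an assigned prefix and not be more specific than max_len."""
    net = ip_network(announced)
    if net.prefixlen > max_len:
        return False
    return any(net.subnet_of(ip_network(p)) for p in customer_prefixes)


# Constructed FIB: two customer ports, one peer, and one RTBH'd /32 source.
SAMPLE_FIB = Fib([
    ("203.0.113.0/24", "Customer1"),
    ("198.51.100.0/24", "Customer2"),
    ("100.64.0.0/10", "Peer0"),
    ("198.51.100.77/32", DISCARD),
])

if __name__ == "__main__":
    for src, iface, mode in (("10.1.2.3", "Customer1", "strict"),
                             ("203.0.113.5", "Customer1", "strict"),
                             ("198.51.100.9", "Customer1", "strict"),
                             ("198.51.100.77", "Peer0", "loose")):
        print(src, iface, mode, "->", ingress_verdict(SAMPLE_FIB, src, iface, mode))
    print("Customer1 announces 198.51.100.0/24 ->",
          bgp_accept(["203.0.113.0/24"], "198.51.100.0/24"))
```

A packet sourced from 198.51.100.9 arriving on Customer1's port fails strict uRPF (its route points at Customer2), while the same source arriving on the peering port passes loose uRPF; 198.51.100.77 fails loose uRPF everywhere because the RTBH entry routes it to Null0. The prefix-list check rejects a customer announcing space that is not theirs, the failure mode the message's PCCW-PTA reference points at.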