Mitigating Source Specific DoS Attack Using Remotely Triggered BlackHole

January 28, 2011

The Remotely Triggered Black Hole (RTBH) method is usually used to deal with a DDoS attack that targets a specific destination. When we combine it with the Unicast Reverse Path Forwarding (uRPF) feature, we can also drop DoS traffic based on its source IP.

Here is the lab scenario used to simulate that method (we are using Cisco routers):

To simulate the attacker, we use a loopback interface on router INET. INET has two connections to AS 65000 (the Service Provider). In this scenario, we prefer GW1 as the primary path for outgoing traffic to the Service Provider network. Here is the relevant configuration from INET:

hostname INET
!
interface Loopback0
ip address 100.100.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback1
ip address 200.200.1.1 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet1/0
ip address 172.16.0.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
interface FastEthernet1/1
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
network 100.100.1.0 mask 255.255.255.0
network 200.200.1.0
neighbor 172.16.0.2 remote-as 65000
neighbor 172.16.0.2 weight 65535
neighbor 172.16.1.2 remote-as 65000
neighbor 172.16.1.2 weight 32768
no auto-summary

For the Service Provider network, we use four routers: GW1, GW2, RR and PE-1. RR acts as Route Reflector for the other routers and also as the trigger router. They use OSPF as the IGP and BGP AS 65000. We also use BGP to trigger routers GW1 and GW2 to blackhole the attacker's traffic.

Here is the relevant configuration for all of the Service Provider routers:

hostname GW1
!
ip cef
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.0.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.2 255.255.255.0
ip ospf priority 0
!
router ospf 1
router-id 1.1.1.2
log-adjacency-changes
network 1.1.1.2 0.0.0.0 area 0
network 10.1.1.2 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
redistribute connected route-map TO-INET
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.0.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.0.0
!
route-map TO-INET permit 10
match ip address 1

hostname GW2
ip cef
interface Loopback0
ip address 1.1.1.3 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.3 255.255.255.0
ip ospf priority 50
!
router ospf 1
router-id 1.1.1.3
log-adjacency-changes
network 1.1.1.3 0.0.0.0 area 0
network 10.1.1.3 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
redistribute connected route-map INET-EDGE
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.1.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.1.0
!
route-map INET-EDGE permit 10
match ip address 1

hostname PE-1
!
interface Loopback0
ip address 1.1.1.4 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.4 255.255.255.0
ip ospf priority 0
!
interface FastEthernet1/1
ip address 192.168.0.2 255.255.255.0
!
router ospf 1
router-id 1.1.1.4
log-adjacency-changes
network 1.1.1.4 0.0.0.0 area 0
network 10.1.1.4 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.4
bgp log-neighbor-changes
redistribute connected route-map TO-CE1
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 192.168.0.1 remote-as 65001
neighbor 192.168.0.1 default-originate
no auto-summary
!
access-list 1 permit 192.168.0.0
route-map TO-CE1 permit 10
match ip address 1

hostname RR
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip ospf priority 100
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 65000
neighbor 1.1.1.2 update-source Loopback0
neighbor 1.1.1.2 route-reflector-client
neighbor 1.1.1.2 send-community both
neighbor 1.1.1.3 remote-as 65000
neighbor 1.1.1.3 update-source Loopback0
neighbor 1.1.1.3 route-reflector-client
neighbor 1.1.1.3 send-community both
neighbor 1.1.1.4 remote-as 65000
neighbor 1.1.1.4 update-source Loopback0
neighbor 1.1.1.4 route-reflector-client
neighbor 1.1.1.4 send-community both
no auto-summary

And to simulate the victim network, we use loopback interfaces on CE-1. Here is its relevant configuration:

hostname CE-1
!
interface Loopback0
ip address 9.9.9.9 255.255.255.0
!
interface Loopback1
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 8.8.8.0 mask 255.255.255.0
network 9.9.9.0 mask 255.255.255.0
neighbor 192.168.0.2 remote-as 65000
no auto-summary

In our scenario, host 100.100.1.1/32 is the DoS source.

After all BGP speakers in the Service Provider network have formed adjacencies, on GW1 and GW2 we create the IP next-hop that every DoS source will be pointed to, so we can manipulate the route and forward the traffic to be dropped at the Null0 interface. Usually we use a non-allocated IP address for this, for example from 192.0.2.0/24 (TEST-NET).

GW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW1(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW1(config)#route-map TEST-NET permit 10
GW1(config-route-map)#match tag 101
GW1(config-route-map)#set community no-export
GW1(config-route-map)#router bgp 65000
GW1(config-router)#redistribute static route-map TEST-NET
GW1(config-router)#^Z

GW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW2(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW2(config)#route-map TEST-NET permit 10
GW2(config-route-map)#match tag 101
GW2(config-route-map)#set community no-export
GW2(config-route-map)#router bgp 65000
GW2(config-router)#redistribute static route-map TEST-NET
GW2(config-router)#^Z


RR#sh ip bgp 192.0.2.1
BGP routing table entry for 192.0.2.1/32, version 37
Paths: (2 available, best #1, not advertised to EBGP peer)
Flag: 0x880
Advertised to update-groups:
1
Local, (Received from a RR-client)
1.1.1.2 (metric 2) from 1.1.1.2 (1.1.1.2)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
Local, (Received from a RR-client)
1.1.1.3 (metric 2) from 1.1.1.3 (1.1.1.3)
Origin incomplete, metric 0, localpref 100, valid, internal
Community: no-export

Note that we attach the community no-export to the 192.0.2.1/32 route, in order to prevent the Service Provider routers from advertising it to neighboring ASes.

After that, still on GW1 and GW2, we enable the Unicast RPF feature on the edge interfaces. In this scenario we use the "ip verify unicast source reachable-via any" command, so that incoming traffic is checked based on its source address only, because we have two gateway routers (so incoming and outgoing traffic can be asymmetric and need not use the same edge interface).

GW1(config)#int f1/0
GW1(config-if)#ip verify unicast source reachable-via any
GW1(config-if)#^Z

GW2(config)#int f1/0
GW2(config-if)#ip verify unicast source reachable-via any
GW2(config-if)#^Z

Now we prepare the blackhole trigger configuration on RR. We must also add the community no-export to the manipulated route.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#route-map TRIGGER permit 10
RR(config-route-map)#match tag 99
RR(config-route-map)#set community no-export
RR(config-route-map)#set ip next-hop 192.0.2.1
RR(config-route-map)#router bgp 65000
RR(config-router)#redistribute static route-map TRIGGER
RR(config-router)#^Z

Note that we use 192.0.2.1/32 as the IP next-hop for the DoS source.

Now, let us try to send packets to host 9.9.9.9 from host 100.100.1.1.

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

GW1#sh ip bgp
BGP table version is 27, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i8.8.8.0/24 192.168.0.1 0 100 0 65001 i
*>i9.9.9.0/24 192.168.0.1 0 100 0 65001 i
*> 100.100.1.0/24 172.16.0.1 0 0 65002 i
*> 172.16.0.0/24 0.0.0.0 0 32768 ?
*>i172.16.1.0/24 1.1.1.3 0 100 0 ?
*> 192.0.2.1/32 0.0.0.0 0 32768 ?
*>i192.168.0.0 1.1.1.4 0 100 0 ?
*> 200.200.1.0 172.16.0.1 0 0 65002 i

GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.0/24, version 17
Paths: (1 available, best #1)
Advertised to update-groups:
2
65002
172.16.0.1 from 172.16.0.1 (200.200.1.1)
Origin IGP, metric 0, localpref 100, valid, external, best
GW1#
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.0/24
Known via "bgp 65000", distance 20, metric 0
Tag 65002, type external
Last update from 172.16.0.1 04:16:53 ago
Routing Descriptor Blocks:
* 172.16.0.1, from 172.16.0.1, 04:16:53 ago
Route metric is 0, traffic share count is 1
AS Hops 1, BGP network version 0
Route tag 65002
GW1#debug ip packet 123
IP packet debugging is on for access list 123
01:13:34: IP: tableid=0, s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), routed via FIB
01:13:34: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), g=10.1.1.4, len 100, forward

Now, let us assume that host 100.100.1.1 has sent a DoS attack to some host in the AS 65000 customer network. So, we want to drop all traffic coming from host 100.100.1.1.

On RR (which acts as the Black Hole trigger router), we add a static IP route for 100.100.1.1/32 with tag 99. RR then advertises the route via BGP with IP next-hop 192.0.2.1/32, which is the Null0 route that resides on routers GW1 and GW2.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#ip route 100.100.1.1 255.255.255.255 null0 tag 99
RR(config)#^Z
RR#

GW1#sh ip bgp
BGP table version is 26, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*>i8.8.8.0/24 192.168.0.1 0 100 0 65001 i
*>i9.9.9.0/24 192.168.0.1 0 100 0 65001 i
*> 100.100.1.0/24 172.16.0.1 0 0 65002 i
*>i100.100.1.1/32 192.0.2.1 0 100 0 ?
*> 172.16.0.0/24 0.0.0.0 0 32768 ?
*>i172.16.1.0/24 1.1.1.3 0 100 0 ?
*> 192.0.2.1/32 0.0.0.0 0 32768 ?
*>i192.168.0.0 1.1.1.4 0 100 0 ?
*> 200.200.1.0 172.16.0.1 0 0 65002 i
GW1#
GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.1/32, version 33
Paths: (1 available, best #1, not advertised to EBGP peer)
Not advertised to any peer
Local
192.0.2.1 from 1.1.1.1 (1.1.1.1)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.1/32
Known via "bgp 65000", distance 200, metric 0, type internal
Last update from 192.0.2.1 03:09:15 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 1.1.1.1, 03:09:15 ago
Route metric is 0, traffic share count is 1
AS Hops 0, BGP network version 0

GW1#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Tag 101
Redistributing via bgp 65000
Advertised by bgp 65000 route-map TEST-NET
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 101

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
..........

GW1#debug ip packet 123
IP packet debugging is on for access list 123
GW1#
01:09:09: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed
01:09:11: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed

On the gateway router (in this case GW1, because INET prefers it), the source IP of each incoming packet is checked by the Unicast RPF feature. It looks up the reverse path, the route back to the source IP (in this case 100.100.1.1/32), in the routing table. Because the routing table's next-hop for 100.100.1.1/32 resolves to the Null0 interface, the packet is dropped.
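To make that recursive lookup concrete, here is an added Python model of GW1's forwarding decision (example code written for this page, not from the lab or from Cisco IOS). The routing table is constructed from the addresses above, and "reachable-via any" is modelled as a loose check that only asks whether the source's route resolves to a real interface rather than Null0.

```python
import ipaddress

# Constructed model of GW1's routing table before the trigger (sample data,
# not captured from a router). prefix -> (recursive next-hop, egress interface)
FIB_BEFORE = {
    "172.16.0.0/24":  (None, "FastEthernet1/0"),   # link to INET
    "10.1.1.0/24":    (None, "FastEthernet1/1"),   # core segment
    "1.1.1.4/32":     ("10.1.1.4", None),          # OSPF route to PE-1 loopback
    "100.100.1.0/24": ("172.16.0.1", None),        # eBGP from INET (attacker's /24)
    "200.200.1.0/24": ("172.16.0.1", None),
    "192.168.0.0/24": ("1.1.1.4", None),           # iBGP via RR, next-hop PE-1
    "9.9.9.0/24":     ("192.168.0.1", None),       # victim, next-hop CE-1
    "192.0.2.1/32":   (None, "Null0"),             # static blackhole, tag 101
}
# After RR injects the tag-99 static, GW1 learns the /32 via iBGP, next-hop 192.0.2.1.
FIB_AFTER = {**FIB_BEFORE, "100.100.1.1/32": ("192.0.2.1", None)}

def lookup(fib, dst):
    """Longest-prefix match; returns (next_hop, egress) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def resolve_egress(fib, dst, max_depth=8):
    """Recurse through next-hops until a route carries an egress interface."""
    for _ in range(max_depth):
        entry = lookup(fib, dst)
        if entry is None:
            return None
        next_hop, egress = entry
        if egress is not None:
            return egress
        dst = next_hop
    return None

def urpf_loose_ok(fib, src):
    """Loose-mode check ("reachable-via any"): the source must resolve to a
    real interface; a Null0 egress fails the check regardless of ingress port."""
    egress = resolve_egress(fib, src)
    return egress is not None and egress != "Null0"

def forward(fib, src, dst):
    """Verdict GW1 would reach for one packet arriving from INET."""
    if not urpf_loose_ok(fib, src):
        return "unicast rpf failed"
    egress = resolve_egress(fib, dst)
    return f"forward via {egress}" if egress else "unroutable"
```

The /32 wins over the attacker's /24 only for 100.100.1.1 itself, so other hosts in 100.100.1.0/24 still pass the check and are forwarded.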

So, after the blackhole route is triggered, the DoS traffic is dropped at the gateway router before it reaches the customer. This is more effective than the access-list method, which is more CPU intensive.