Learn how to defend against DNS DDoS attacks using BCP-38 techniques. Configure network filters to protect and ensure responsible ISP behavior.
BCP-38 demo
Alan Barrett
Geert Jan de Groot
& cast of thousands

Agenda
• BCP-38 DNS DDOS demo
• Build spoofed packet traffic generator
  • “be the bad-behaving customer”
• Configure the network to filter
  • “be the responsible ISP”
Basic network
[Diagram: the Client sends a DNS request to the DNS server, which returns a DNS response.]

Network diagram
[Diagram: Rows A to J, each a group of PCs behind its own router (R); the VICTIM DNS server is attached to the same network through a router.]
Step 1: install and run software
• Download packet spoofing software
• Configure
• Run
More details on next pages

1(a): Download packet spoofing software
• cd $HOME
• mkdir spoofing-demo; cd spoofing-demo
• ftp 196.200.222.1
• login as “anonymous”
• cd /pub/e2/bcp38
• binary
• mget * (enter “a” to get all files)

1(b): Configure
• From your PC, ping the IP address of your router:
  ping -c 1 ip.ad.re.ss
• Find out and write down the MAC address of your router:
  arp -an
• Edit spoof_script and change:
  • TABLE_ROW
  • ROUTER_MAC

1(c): Run the spoofer
• chmod 755 spoof_script tcpreplay
• Start the generator (as root):
  ./spoof_script
Step 2: Observe spoofed packets and responses
• Instructors use “tcpdump” to capture traffic on the backbone.
• Observe the spoofed packets, and the responses to them.

Step 3: Enable unicast reverse-path filtering (URPF)
• Login to router
• Configure:
  interface fastEthernet0/0
   ip verify unicast reverse-path
• Incoming traffic is accepted on this interface only when its source address is one that the router would route outwards through this same interface; packets from any other source fail the check and are dropped.

Step 4: See that it worked
• Observe that the tcpdump display stops showing spoofed packets
• show ip interface fastEthernet0/0
• Near the end, see “verification drops”
URPF variant for multi-homed customer
! access-list 42 will permit the routes
! that would otherwise fail the test
! (e.g. downlink through a different ISP)
access-list 42 permit 192.0.2.0 0.0.0.255
interface fastEthernet0/0
 ip verify unicast reverse-path 42

Another variant: Filtering using access-group
! access-list 123 permits all packets
! from the customer
access-list 123 permit ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
interface fastEthernet0/0
 ip access-group 123 in
• This is less efficient and more difficult to configure than URPF