
Network Security with BCP-38: DNS DDoS Protection Guide

Learn how to defend against DNS DDoS attacks using BCP-38 techniques. Configure network filters to protect and ensure responsible ISP behavior.


Presentation Transcript


  1. BCP-38 demo
     Alan Barrett, Geert Jan de Groot & cast of thousands

  2. Agenda
     • BCP-38 DNS DDoS demo
     • Build spoofed packet traffic generator
        • “be the bad-behaving customer”
     • Configure the network to filter
        • “be the responsible ISP”

  3. Basic network (figure): a Client sends a DNS request to the DNS server, which returns a DNS response.

  4. Network diagram (figure): Rows A to J, each with a router (R) and several PCs, connected to a backbone on which the VICTIM and the DNS server sit.

  5. Step 1: install and run software
     • Download packet spoofing software
     • Configure
     • Run
     More details on next pages

  6. 1(a): Download packet spoofing software
     • cd $HOME
     • mkdir spoofing-demo; cd spoofing-demo
     • ftp 196.200.222.1
     • login as “anonymous”
     • cd /pub/e2/bcp38
     • binary
     • mget * (enter “a” to get all files)

  7. 1(b): Configure
     • From your PC, ping the IP address of your router: ping -c 1 ip.ad.re.ss
     • Find out and write down the MAC address of your router: arp -an
     • Edit spoof_script and change:
        • TABLE_ROW
        • ROUTER_MAC

  8. 1(c): Run the spoofer
     • chmod 755 spoof_script tcpreplay
     • Start the generator (as root): ./spoof_script

  9. Step 2: Observe spoofed packets and responses
     • Instructors use “tcpdump” to capture traffic on the backbone.
     • Observe the spoofed packets, and the responses to them.

  10. Step 3: Enable unicast reverse-path filtering (URPF)
     • Login to the router
     • Configure:
        interface fastEthernet0/0
         ip verify unicast reverse-path
     • A packet arriving on this interface is accepted only if its source address is one the router would route back out through this same interface; incoming traffic whose source fails this reverse-path check is dropped.

  11. Step 4: See that it worked
     • Observe that the tcpdump display stops showing spoofed packets
     • show ip interface fastEthernet0/0
     • Near the end of the output, see “verification drops”

  12. URPF variant for multi-homed customer
     ! access-list 42 will permit the routes
     ! that would otherwise fail the test
     ! (e.g. downlink through a different ISP)
     access-list 42 permit 192.0.2.0 0.0.0.255
     interface fastEthernet0/0
      ip verify unicast reverse-path 42

  13. Another variant: Filtering using access-group
     ! access-list 123 permits all packets
     ! from the customer (anything else hits the implicit deny)
     access-list 123 permit ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
     interface fastEthernet0/0
      ip access-group 123 in
     • This is less efficient and more difficult to configure than URPF
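As an added illustration of the filtering decisions on slides 10, 12 and 13 (not part of the original presentation), the following Python models a router's strict uRPF check, the ACL exception for a multi-homed customer, and the plain ingress access-group. The FIB, interface names, prefixes and traffic are constructed for the example and are not the demo network's real values.

```python
import ipaddress

# Constructed FIB for a router like the demo's: destination prefix -> egress
# interface. No default route: IOS ignores it for uRPF without 'allow-default'.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "fastEthernet0/0",     # customer LAN
    ipaddress.ip_network("198.51.100.0/24"): "fastEthernet0/1",  # backbone; victim DNS lives here
    ipaddress.ip_network("203.0.113.0/24"): "fastEthernet0/1",   # customer's prefix via its other ISP
}

def fib_lookup(src):
    """Longest-prefix match on the source address; None if there is no route."""
    a = ipaddress.ip_address(src)
    matches = [(p.prefixlen, i) for p, i in FIB.items() if a in p]
    return max(matches)[1] if matches else None

def urpf_accepts(src, ingress, exception_acl=()):
    """Strict uRPF (slide 10): accept only if the best route back to src leaves
    via the arrival interface. exception_acl models the slide 12 variant
    ('ip verify unicast reverse-path 42'): listed prefixes pass regardless."""
    if fib_lookup(src) == ingress:
        return True
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in exception_acl)

def access_group_accepts(src, permitted):
    """Slide 13 variant: static 'ip access-group 123 in' permitting only the
    customer prefix; everything else hits the implicit deny."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in permitted)

def filter_ingress(packets, ingress, exception_acl=()):
    """Apply strict uRPF to (src, dst) pairs arriving on one interface; return
    (forwarded packets, verification drops), as 'show ip interface' reports."""
    forwarded, drops = [], 0
    for src, dst in packets:
        if urpf_accepts(src, ingress, exception_acl):
            forwarded.append((src, dst))
        else:
            drops += 1
    return forwarded, drops

# Constructed traffic arriving on the customer interface: one real DNS query, two
# spoofed to the victim's address, one from the multi-homed customer's other prefix.
PACKETS = [
    ("192.0.2.10", "198.51.100.53"),
    ("198.51.100.7", "198.51.100.53"),
    ("198.51.100.7", "198.51.100.53"),
    ("203.0.113.9", "198.51.100.53"),
]
```

Calling filter_ingress(PACKETS, "fastEthernet0/0") drops the two spoofed packets and the multi-homed one, while passing ["203.0.113.0/24"] as exception_acl lets the multi-homed customer's traffic through and still counts two verification drops.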
