(Ours is a fairly large company equivalent to a cloud provider and we see DDOS attacks everyday and quite large as well)
Existing conditions:
-
We have an in house solution that scrubs traffic (using a10 devices) once it has identified it as a DDOS attack.
-
We have edge ACL and bgp filters which block the usual bad actors (rfc 1918 etc)
We still see a lot of spoofed attacks.
My manager and his manager are half convinced that we need to implement uRPF (BCP38) on our edge routers and asked me to design/implement this solution. The goal is that we avoid spoofed attacks instead of trying to mitigate them.
- After an initial analysis, I found that this solution (strict urpf) would prevent spoofed traffic but it would most definitely drop legitimate traffic from customers as well since a lot of our peers, exchanges are sending traffic from prefixes they’ve not announced on that Edge router directly. (They might have announced it in some other region or site to us) Is this normal? In an ideal world this shouldn’t be the case but internet is not ideal.
Loose uRPF wont work because we have almost the entire ipv4 internet prefixes in our rib.
- I mentioned that this solution wouldn’t work to my manager and he says i need to come up with a solution doesn’t matter what tech. So I’m not sure how to proceed at this point
Some other things:
We pretty much have the entire internet (ipv4 prefixes) in our edge routers RIB.
We use juniper ptx.
Im sure I didn’t include all the info you need to give me an input since there is so much info, so please do ask whats needed and I’ll reply in the comments or update the post.
No comments:
Post a Comment