Hello,
We are receiving TCP attacks that our switch firewall is not capable of blocking. After some research it seems that the best course of action would be to route attack traffic through a DDoS filtration server that would then pass 'clean' traffic back into the switch and have it route this traffic normally once cleaned.
In attempts to do this I've setup 2 iBGP sessions between the filtration server and the switch, one of them has the filtration server advertising the under attack /32 prefix (this sessions goal is to route traffic into the scrubbing box and it does), and the other has the switch advertising the under attack /32 prefix (this sessions goal is to route traffic out from the scrubbing box and it does not).
The main problem seems to be routing traffic seamlessly from an under attack subnet to the scrubber server and back into the switch again. I can accomplish this in half-duplex by establishing a iBGP session and routing a single /32 prefix through it, this will cause traffic from the switch to route into the filtration server, but it does not exit the filtration server, instead it seems to be processing the traffic as if the IP was assigned on the server itself.
I believe this is because the routing is fundamentally flawed, connectivity from the internet reaches this IP from a single homed ISP default route advertising a /24 prefix in BGP, trying to re-advertise an IP within this prefix as a /32 to the filtration server in iBGP will not work because it is being advertised already to our ISP, so either the switch doesn't export the route to the iBGP peer, or the iBGP peer rejects it. There's probably some whole other issue about routing loops in here that I've yet to get to.
So what can I do to either force BGP to route this subnet, or somehow get traffic out of the box and back into my switches regular routing table to be processed normally and sent into the end device assigned with the under attack IP?
No comments:
Post a Comment