Tuesday, July 21, 2020

DDoS POC Auto-Rerouting Inquiry

Hi,

We're doing a POC with a partner wherein we are testing an auto-rerouting for a DDoS attack.

Attached is the diagram (POC Diagram.jpg).

Test IP: x.x.88.0/24
Corp Network ASN: 123456
Scrubbing Center ASN: 134190
DDoS Trigger Server (or INI): 45352
Community tag for auto-rerouting is: 123456:911

Target end-state:
1. Once a DDoS attack going to x.x.88.x has entered the Corporate network, the INI will advertise the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1.
2. Once BorderRouter1 receives the prefix from the INI, it should not export it to its other iBGP neighbors (CoreRouter(s)).
3. It should prefer the route from the INI, but should not prefer the INI as the next-hop for x.x.88.0/24; instead it will rely on the next-hop set by the INI on the test prefix, which is Core Router (x.x.x.246).
4. Once BorderRouter1 receives the prefix from the INI with community tag, it will automatically advertise the prefix to the Scrubbing Center.
5. Then BorderRouter1 will deny the x.x.88.0/24 prefix advertisement with community tag to its other ISPs (other peerings).

Current state (manually triggering the INI, prior to live attack):
1. Once the INI advertises the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1, BorderRouter1's preferred next-hop to the x.x.88.0/24 prefix is the p2p peering with the INI instead of Core Router.
2. Because of this, points 2-5 of the target end-state are not accomplished.

***Even though the INI advertises the x.x.88.0/24 prefix, it should not be the path going to x.x.88.0/24.

During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.

We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

Thus, points 2-5 of the target end-state are not accomplished.

Hoping somebody can help.

If you have questions, feel free to ask.

Thanks in advance.
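The following is an added illustration, not configuration from the post or its author: a Junos configuration sketch of the policy chain that the target end-state above describes for BorderRouter1 (the gr-4/0/0 interface name and the hidden-route reason in the post are Junos-style, so Junos syntax is used). Everything here is an assumption unless it appears in the post: the group and policy names (INI, CORE, SCRUBBING, OTHER-ISP, FROM-INI, TO-CORE, TO-SCRUBBING, TO-OTHER-ISP), the local-preference value, the peer address placeholder, and the use of `accept-remote-nexthop`, which is included on the assumption that the INI session is single-hop EBGP (peer AS 45352 differs from the corporate AS 123456) and therefore must be explicitly allowed to carry a next-hop (x.x.x.246) that is not on the tunnel subnet. The prefix x.x.88.0/24 is kept as the post's own placeholder and is not valid Junos syntax as written.

```junos
## Added example (not from the original post). Assumed names and values are marked below.
policy-options {
    community DDOS-REROUTE members 123456:911;          /* community tag from the post */
    prefix-list DDOS-TEST-PREFIX { x.x.88.0/24; }       /* post's placeholder prefix */

    /* Import from the INI: accept only the test prefix carrying the trigger community.
       The INI-set next-hop (x.x.x.246) is left untouched; it must resolve via the IGP. */
    policy-statement FROM-INI {
        term trigger {
            from {
                prefix-list DDOS-TEST-PREFIX;
                community DDOS-REROUTE;
            }
            then {
                local-preference 500;       /* assumed value: win over the internal route */
                accept;
            }
        }
        term deny-rest { then reject; }
    }

    /* Export towards the core routers (iBGP): never re-export the trigger route. */
    policy-statement TO-CORE {
        term no-trigger {
            from community DDOS-REROUTE;
            then reject;
        }
    }

    /* Export towards the scrubbing centre: announce the trigger route only. */
    policy-statement TO-SCRUBBING {
        term trigger {
            from community DDOS-REROUTE;
            then accept;
        }
        term deny-rest { then reject; }
    }

    /* Export towards other ISPs: suppress the prefix while it carries the trigger tag. */
    policy-statement TO-OTHER-ISP {
        term no-trigger {
            from community DDOS-REROUTE;
            then reject;
        }
        /* existing export terms for normal announcements follow here */
    }
}
protocols {
    bgp {
        group INI {                                     /* assumed group name */
            type external;
            peer-as 45352;                              /* INI ASN from the post */
            neighbor <ini-tunnel-peer-ip> {             /* placeholder: INI end of gr-4/0/0 */
                import FROM-INI;
                /* Assumed to be required: allow this single-hop EBGP peer to announce
                   a next-hop that is not on the directly connected tunnel subnet. */
                accept-remote-nexthop;
            }
        }
        group CORE {                                    /* assumed group name */
            type internal;
            export TO-CORE;
        }
        group SCRUBBING {                               /* assumed group name */
            type external;
            peer-as 134190;                             /* scrubbing centre ASN from the post */
            export TO-SCRUBBING;
        }
        group OTHER-ISP {                               /* assumed group name */
            type external;
            export TO-OTHER-ISP;
        }
    }
}
```

Design note: the import policy keys everything on the single community 123456:911, so the same tag drives all four behaviours (prefer, don't leak to core, send to scrubbing, hide from other ISPs); if the route is still hidden after applying such a policy, checking whether x.x.x.246 is reachable in the routing table used for BGP next-hop resolution is the natural next verification step.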


