[afnog] BGP issues and strange traffic
Nishal Goburdhan
nishal at controlfreak.co.za
Sun Feb 28 01:35:13 UTC 2016
On 25 Feb 2016, at 12:33, Folarin Oluwafemi wrote:
> I was able to run Unix OPENBGPD platform and Snort IDS to highly suppress
> the attack.
how? why?
(no, really - i’m uncertain why this combination would fix
anything)
> Meanwhile i will take note of the contributions mentioned earlier and
> try it out.
i’d suggest you pause, and think about the problem before attempting
any whack-a-mole suggestion. from the “flow” information that you
posted, it would seem that:
* hosts on the internet are sending what appears to be unsolicited (or
not?) packets to hosts on your network (on port 53).
* this “problem” occurs when you enable bgp
* the ensuing traffic flood to your network, is hurting your network
first, you might already know this, but for those that are reading, and
too shy to ask, bgp is *not* the problem here. it’s doing what it’s
meant to do; you advertise your network prefix to the internet, and, as
a result, the internet sends you packets/data/network traffic for that
network prefix. so, changing your bgp daemon because you have a traffic
flood, is a “whack-a-mole” solution, and, not likely to teach you,
or your team, good troubleshooting techniques.
disabling the network prefix as you attempted, will remove your bgp
announcement and, no traffic will come back to you (as should be
obvious). but doing that, also removes your ISPs ability to assist
you.
then, to all the folks that were suggesting that his router had a DNS
service enabled, why (and how) would you guess that from the OP’s
initial post? (i’m genuinely curious; i have very limited experience
with routerOS). read: where is the netstat -an option showing a
listening port 53?
to the OP, what you do know, is that you were on the receiving end of a
DNS flood. if you did not solicit this (and you have taken reasonable
steps to secure your network) then the only real way you’re going to
be able to solve this, is working with your upstream/transit provider.
no form of IDS/IPS/firewall, is going to help you, since that would
block the traffic *at* your network, after it has crossed your “wan”
links, creating congestion.
* you didn’t mention if there was any host live in the /24 you were
trying to announce; i’m guessing not (else, you would not have been
able to play BGP games), so, did you try to have your upstream route
this into a honeypot environment to see what the nature of the DNS
queries were?
* did you/or your ISP, try working the attack and going upstream to see
if this was indeed spoofed, or a simple brute force flood?
[..insert other ddos mitigation strategies here..]
> Also, my ISP said I should get a perimeter firewall like the Cisco ASA
> 5500 series.
if you are in the business of providing network services to many, then,
this is terrible advice. if you’re an enterprise, and want tight
control of the who/what/where in your network, then this might have some
limited use for you. but a firewall will *not* stop a traffic flood
*to* your network. and stateful firewalls in front of a large service
network, have not been best practice in a long time!
—n.
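As an added illustration of the triage the post recommends (this is not code from the thread or its author): a small script over constructed flow records that isolates inbound port-53 traffic to an assumed victim prefix (198.51.100.0/24, a placeholder) and reports how the packets are spread across sources, which is the shape you would look at before asking the upstream whether the flood was spoofed or brute force.

```python
import ipaddress
from collections import Counter

# Assumed victim prefix; the thread never names the /24, so this is a placeholder.
OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Constructed NetFlow-style records, not the thread's data:
# (src_ip, dst_ip, dst_port, packets)
FLOWS = (
    # ordinary traffic to a web host inside the prefix
    [("203.0.113.5", "198.51.100.80", 443, 40), ("203.0.113.6", "198.51.100.80", 443, 12)]
    # the flood: hundreds of distinct sources, one or two packets each, all to port 53
    + [(f"192.0.2.{i}", "198.51.100.53", 53, 1) for i in range(1, 201)]
    + [(f"100.64.{i}.{j}", "198.51.100.53", 53, 2) for i in range(3) for j in range(50)]
)


def triage_dns_flood(flows, prefix):
    """Summarise inbound port-53 traffic to hosts in `prefix`; None if there is none."""
    port53 = [(s, d, p) for s, d, port, p in flows
              if port == 53 and ipaddress.ip_address(d) in prefix]
    if not port53:
        return None
    by_target, by_source = Counter(), Counter()
    for src, dst, pkts in port53:
        by_target[dst] += pkts
        by_source[src] += pkts
    total = sum(by_target.values())
    unique_sources = len(by_source)
    mean_per_source = total / unique_sources
    # Heuristic only: very many sources sending a packet or two each is the
    # shape a spoofed-source flood tends to have; a handful of sources sending
    # thousands looks like a direct flood from real hosts. Neither is proof,
    # which is why the post says to confirm with the upstream provider.
    if unique_sources >= 100 and mean_per_source < 5:
        pattern = "widely dispersed sources (consistent with spoofing)"
    else:
        pattern = "few heavy sources (consistent with a direct flood)"
    return {
        "total_packets": total,
        "unique_sources": unique_sources,
        "mean_packets_per_source": round(mean_per_source, 2),
        "top_targets": by_target.most_common(3),
        "top_sources": by_source.most_common(3),
        "pattern": pattern,
    }
```

Run against real exporter output, the same summary also tells you which host in the prefix to ask the upstream to sink or divert first.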