BGP/OSPF router security

Alexander V. Chernikov melifaro at FreeBSD.org
Sun Feb 10 11:47:30 CET 2013


On 10.02.2013 03:37, James Howlett wrote:
> Hello all,
Hello.
>
> I have a single FreeBSD/bird router running BGP and OSPF.
> I have two full bgp feeds and some IXP sessions.
> Some of my users are subject to DDoS attacks which basically kill my router.
> Is there anything I can do to make things better? I was thinking about
> adding a second router and having one full bgp feed per router.
> I was also thinking about joining BGP Blackholing project. But - the
> question remains - what else can I do to survive a ddos, or at least be
> able to react when a ddos occurs?

It depends on the kind of attacks you're facing.
If all your upstream ports are simply getting fully utilized by the
attack, you should ask your upstreams for the DDoS protection they offer
(e.g. blackhole communities, or other stuff).

If we're talking about an attack (for example, a small-packet flood) that
"kills" the router, you should probably take a look at your system to make
sure it is tuned well and there are no complex firewall processing rules.

There are some guidelines (still WIP) here: 
https://wiki.freebsd.org/NetworkPerformanceTuning

Btw, what amount of traffic (PPS) are we talking about?

>
> All best,
> Jim
>
