BGP/OSPF router security

James Howlett jim.howlett at outlook.com
Sun Feb 10 11:57:45 CET 2013



> Date: Sun, 10 Feb 2013 14:47:30 +0400
> From: melifaro at FreeBSD.org
> To: jim.howlett at outlook.com
> CC: bird-users at trubka.network.cz
> Subject: Re: BGP/OSPF router security
> 
> On 10.02.2013 03:37, James Howlett wrote:
> > Hello all,
> Hello.
> >
> > I have a single FreeBSD/bird router running BGP and OSPF.
> > I have two full bgp feeds and some IXP sessions.
> > Some of my users are subject to DDoS attacks which basicly kill my router.
> > Is there anything I can do to make things better? I was thinking about
> > adding a second router and having one full bgp feed per router.
> > I was also thinking about joining BGP Blackholing project. But - the
> > question remains - what else can I do to survive a ddos, or at least be
> > able to react when a ddos occures?
> 
> It depends on kind of attacks you're facing with.
> If you're simply getting all your upstream ports getting fully utilized 
> by attack - you should ask your upstreams for DDoS protection they offer 
> (e.g. blackhole communities, or other stuff).
> 
> If we're talking about (for example, small packets flood) attack that 
> "kills" router you probably should take a look on your system to make 
> sure it is tuned well and there are no complex firewall processing rules.
> 
> There are some guidelines (still WIP) here: 
> https://wiki.freebsd.org/NetworkPerformanceTuning
> 
> Btw, what amount of traffic (PPS) we are talking about?
> 

200k pps . The problem was, that the router started to drop the OSFP related comunication, and all my network went off-line.

All best,
Jim

> >
> > All best,
> > Jim
> >
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20130210/2ceb2995/attachment-0001.html>


More information about the Bird-users mailing list