BGP/OSPF router security
Alexander V. Chernikov
melifaro at FreeBSD.org
Sun Feb 10 12:15:36 CET 2013
On 10.02.2013 14:57, James Howlett wrote:
>
>
> > Date: Sun, 10 Feb 2013 14:47:30 +0400
> > From: melifaro at FreeBSD.org
> > To: jim.howlett at outlook.com
> > CC: bird-users at trubka.network.cz
> > Subject: Re: BGP/OSPF router security
> >
> > On 10.02.2013 03:37, James Howlett wrote:
> > > Hello all,
> > Hello.
> > >
> > > I have a single FreeBSD/bird router running BGP and OSPF.
> > > I have two full bgp feeds and some IXP sessions.
> > > Some of my users are subject to DDoS attacks which basically kill my
> > > router.
> > > Is there anything I can do to make things better? I was thinking about
> > > adding a second router and having one full bgp feed per router.
> > > I was also thinking about joining BGP Blackholing project. But - the
> > > question remains - what else can I do to survive a ddos, or at least be
> > > able to react when a ddos occurs?
> >
> > It depends on the kind of attacks you're facing.
> > If you're simply getting all your upstream ports fully utilized by the
> > attack, you should ask your upstreams for the DDoS protection they offer
> > (e.g. blackhole communities, or other stuff).
> >
> > If we're talking about an attack (for example, a small-packet flood) that
> > "kills" the router, you probably should take a look at your system to make
> > sure it is tuned well and there are no complex firewall processing rules.
> >
> > There are some guidelines (still WIP) here:
> > https://wiki.freebsd.org/NetworkPerformanceTuning
> >
> > Btw, what amount of traffic (PPS) are we talking about?
> >
>
> 200k pps. The problem was that the router started to drop the OSPF-related
> communication, and all my network went off-line.
Well, this is not very much. A properly tuned server should handle such an
amount without any problems and without significant CPU usage.
(e.g. we're doing complex firewalling for 1-2 MPPS of traffic per
2xE5645 machine, and most of the CPU usage is consumed by ipfw, not routing).
Probably something can be tuned a bit better (like the number of queues,
thread binding, the firewall ruleset, or ...).
You can write me off-list for some additional hints if you have any
questions related to ipfw or network stack tuning.
>
> All best,
> Jim
>
> > >
> > > All best,
> > > Jim
> > >
> >
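As an added illustration that is not part of this thread or of BIRD's own documentation, the following BIRD 1.x-style configuration fragment shows the blackhole-community approach mentioned above: a /32 host route for the host under attack is exported to the upstream tagged with the upstream's blackhole community, so the upstream drops the traffic before it saturates the port. The community (65000, 666), the AS numbers, the neighbor address and the prefix 192.0.2.10/32 are placeholders; the real community value is whatever the upstream publishes.

```bird
# Added example (not from this thread): remote-triggered blackhole (RTBH)
# announced via a BGP community from BIRD 1.x.
# PLACEHOLDERS: (65000, 666) must be replaced by the community your upstream
# documents; AS numbers, the neighbor address and the /32 are constructed values.

define MY_AS = 65000;
define UPSTREAM_AS = 65001;
define UPSTREAM_BLACKHOLE = (65000, 666);  # placeholder: upstream's RTBH community

# Operator-managed list of victim host routes. Adding or removing a /32 here
# and reloading BIRD triggers or withdraws the blackhole. The route is also
# dropped locally, so the router stops forwarding the flood itself.
protocol static blackholes {
    route 192.0.2.10/32 blackhole;  # constructed sample: host currently under attack
}

# Only exact /32 routes from the 'blackholes' protocol are announced, and only
# with the blackhole community attached, so a mistyped /24 cannot take a whole
# subnet offline at the upstream.
filter export_to_upstream {
    if proto = "blackholes" then {
        if net.len != 32 then reject;
        bgp_community.add(UPSTREAM_BLACKHOLE);
        accept;
    }
    # Regular prefix announcements would be handled here; everything else is dropped.
    reject;
}

protocol bgp upstream1 {
    local as MY_AS;
    neighbor 203.0.113.1 as UPSTREAM_AS;  # constructed sample neighbor
    import all;
    export filter export_to_upstream;
}
```

After a reload, `birdc show route export upstream1` lets you confirm that only the intended /32 leaves with the community set before the flood is handed to the upstream.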