Attack of DDOS

Sergey Popovich popovich_sergei at mail.ru
Mon May 5 11:21:01 CEST 2014


In a message dated 5 May 2014 00:03:03, user Virgilio Pavel wrote:
> Hi,
> 
> I have a question. How can I do my bird.conf reject a DDOS Attack?
> 
> Can I do this in my bird.conf?
> 
> protocol static {
> (...)
>   route x.w.y.z/32 reject;
> (...)
> }

Yes, you probably may do this by installing a blackhole using the simple
static protocol. Furthermore, use "blackhole", which silently discards,
instead of reject, as "reject" installs an "unreachable" type of route (in
Linux), which sends ICMP Destination Unreachable in reply to each packet
targeted at the blackholed destination (however, the kernel in its default
configuration does ratelimiting of such message types).

There is a similar target "prohibit" which also sends ICMP Admin Prohibited.

If you really need to see ICMP Destination Unreachable on traceroute to the
blackholed target, you may have a look at the Linux dummy interface, which
discards all traffic transmitted to it (and no traffic could be received from
it).

Using such an interface enables the normal routing rules to be performed for
the packet, and the packet is transmitted to the dummy interface, where it is
discarded (you can even see traffic going to the dummy interface with tcpdump,
as with many other interface types, and get statistics from interface counters
or SNMP).

ICMP TTL Exceeded is generated during packet routing as the routing engine
considers dummy a regular network interface, thus making traceroute work
(lower TTLs).

A simple config may look like the following:

# ip link add dev dummy0 type dummy
# ip link set dev dummy0 up type dummy

# ip -4 addr add 192.0.2.1/24 dev dummy0
# ip -6 addr add 100::/64 dev dummy0

protocol static static4 {
	route x.w.y.z/32 via 192.0.2.5;
}

protocol static static6 {
	route ::x:w:y:z/128 via 100::1;
}

Make sure 192.0.2.0/24 and 100::/64 are in the BIRD routing tables (learned
with BIRD's "direct" or "kernel" protocol).

A similar schema may be implemented with a dynamic routing protocol to
implement blackholing to fight DDoS, except that the "gw" attribute should be
used to direct traffic to the dummy interface.

There are a couple of docs on uRPF and SRC/DST blackholing on the web
in the form of standards (RFCs, etc.) and drafts.

> 
> Best regards,
> 
> []'s Virgilio Pavel

-- 
SP5474-RIPE
Sergey Popovich
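The dynamic-protocol variant mentioned above (routes learned over BGP and pointed at the dummy interface via the "gw" attribute), as an added example that is not part of the original message. The AS number 64500, the neighbor addresses and the marker community 65535:666 (the well-known BLACKHOLE community; any community the operator agrees on works the same) are assumptions, and dummy0 is expected to carry 192.0.2.1/24 and 100::/64 as configured above so the next hops resolve.

```bird
# Added example, not from the original message. Assumed values: AS 64500,
# neighbors 192.0.2.100 / 2001:db8::100, community 65535:666 as the
# blackhole marker. dummy0 must already have 192.0.2.1/24 and 100::/64.

filter rtbh_import4 {
  # Accept only host routes that carry the blackhole community.
  if net.len != 32 then reject;
  if (65535,666) ~ bgp_community then {
    # Rewrite the next hop to an address on dummy0: the kernel forwards
    # the packet onto the dummy interface, where it is dropped, instead
    # of answering with ICMP Destination Unreachable.
    gw = 192.0.2.5;
    accept;
  }
  reject;
}

filter rtbh_import6 {
  if net.len != 128 then reject;
  if (65535,666) ~ bgp_community then {
    gw = 100::1;
    accept;
  }
  reject;
}

protocol bgp rtbh4 {
  local as 64500;
  neighbor 192.0.2.100 as 64500;
  import filter rtbh_import4;
  export none;
}

protocol bgp rtbh6 {
  local as 64500;
  neighbor 2001:db8::100 as 64500;
  import filter rtbh_import6;
  export none;
}
```

Once a "kernel" protocol exports them, the accepted routes appear in "ip route" with the dummy0 next hop, and withdrawing the BGP announcement removes the blackhole again.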
