A popular solution for the ISP is to null-route the victim host on all the edge routers. Done
by hand, this requires the ISP to touch every edge router to configure the null route, and
later to touch every router again to remove the null routes and restore service to the victim
host. If a router is missed in either step, connectivity problems result: attack traffic still
enters through a router that was missed during installation, and the victim host stays
unreachable through a router that was missed during removal.
This case study explains a dynamic method for null-routing DDoS traffic on all the edge
routers, with minimal configuration required during the actual attack. This DDoS
mitigation design also provides the ability to redirect the DDoS traffic to a sink router,
where it can be analyzed if needed.
The key to quickly mitigating the impact of a DDoS is to have the infrastructure and process
in place before the attack happens. Unfortunately, with volume-based denial of service
attacks, it is currently not possible to discard only the attack traffic and leave valid
traffic intact for the victim host: null-routing the victim discards its legitimate traffic
as well, so the mitigation sacrifices the victim host to protect the rest of the network.
Dynamic Black Hole Routing
The proposed solution to combating DDoS attacks is a dynamic black hole routing system.
This system must be put in place before the actual DDoS attack. This system has two major
design goals:
Quickly initiate network-wide null routing for a prefix or network with minimal
configuration
Quickly initiate network-wide redirection of traffic for a prefix or network to a sink
router with minimal configuration
The dynamic black hole system is based on advertising a BGP prefix whose next-hop attribute
is set to an address that is covered by a null route, that is, a static route pointing toward
Null0. The address should be one that is never used anywhere else in the network, and the
null route for it is configured on every router ahead of time. When an attack starts, the
victim's prefix or address is advertised into BGP with the next hop set to that address. iBGP
carries the route to all the edge routers; on each of them the BGP next hop resolves through
the static null route, so the route is installed into the CEF table with a next hop of Null0,
and packets for the victim are discarded at the network edge before they cross the core.
You can extend this system to support a sink router by setting the prefix's next hop to an
address of the sink router instead of the address covered by the Null0 route; the same
mechanism then draws the victim's traffic to the sink router instead of discarding it at the
edge. The victim address or network should be injected on a special sinkhole (trigger)
router. If the route is injected on an edge router instead, the next hop is rewritten because
of the next-hop-self setting on the BGP sessions to the aggregation routers, so the other
edge routers see the injecting router as the next hop and all the attack traffic is drawn to
that edge router. It is inadvisable to make unnecessary configuration changes on core or
aggregation routers or to inject routing information on these routers, so the trigger
function belongs on a dedicated router.
Example 9-13 shows the configuration for the static redistribution.
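The configuration below is an added illustration written for this edit; it is neither the book's Example 9-13 nor taken from the case study network. It assumes a private AS number 65000, a dedicated trigger/sinkhole router with loopback address 10.255.255.1 peering with a route reflector at 10.255.255.11, the never-routed address 192.0.2.1 as the black hole next hop, route tags 66 and 67 as the triggers, and 203.0.113.66 as the victim host. All of these values are constructed for the example.

```cisco
! ===== Part 1: on EVERY router (edge, aggregation, core, trigger), in advance =====
! Discard route for the black hole next hop. 192.0.2.1 is an assumed address
! that is never assigned or routed anywhere else in the network.
ip route 192.0.2.1 255.255.255.255 Null0

! ===== Part 2: on the dedicated trigger/sinkhole router only, in advance =====
! Assumed: loopback 10.255.255.1, route reflector at 10.255.255.11, AS 65000.
! Do NOT configure next-hop-self on this router's iBGP sessions, or the
! next hop chosen by the route map is overwritten and the scheme breaks.
router bgp 65000
 neighbor 10.255.255.11 remote-as 65000
 neighbor 10.255.255.11 update-source Loopback0
 ! Only static routes carrying a trigger tag are redistributed; the
 ! route map's implicit deny keeps every other static route out of BGP.
 redistribute static route-map RTBH-TRIGGER
!
! Tag 66: discard at every edge (the next hop resolves to Null0 everywhere).
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
! Tag 67: draw the traffic to this router's loopback instead, so it can be
! analyzed here (for example with ingress NetFlow) before being dropped.
route-map RTBH-TRIGGER permit 20
 match tag 67
 set ip next-hop 10.255.255.1
 set local-preference 200
 set origin igp
 set community no-export

! ===== Part 3: during the attack, the only change made, on the trigger router =====
! Victim host 203.0.113.66 (assumed). The static itself points to Null0 so the
! trigger router never forwards the victim's traffic; BGP carries the next hop
! selected by the tag.
ip route 203.0.113.66 255.255.255.255 Null0 tag 66
! To redirect to the sink router instead, use tag 67 (one or the other, not both):
!   ip route 203.0.113.66 255.255.255.255 Null0 tag 67

! ===== Part 4: after the attack, on the trigger router only =====
! Withdrawing the static withdraws the BGP route from every edge router.
!   no ip route 203.0.113.66 255.255.255.255 Null0 tag 66
```

To check that the trigger took effect, run `show ip bgp 203.0.113.66` on an edge router: the entry should list next hop 192.0.2.1 (or 10.255.255.1 for the sink variant), local preference 200, and the no-export community, which keeps the host route from leaking to external peers. `show ip cef 203.0.113.66` on the same router should show the prefix resolved through Null0 for the black hole case. Local preference 200 makes the trigger route win when the black-holed prefix is the same length as an existing BGP route; for a host route that is more specific than the victim's normal prefix, longest-match selection already prefers it.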