Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1511
Views
17
Helpful
6
Replies

BGP border router

Ibrahim Jamil
Level 6
Level 6

‎04-06-2012 11:54 AM - edited ‎03-04-2019 03:56 PM

Hi Experts

How to secure a BGP border router connected to upstream ISPs against DoS and DDoS attack and other attacks which exist out there in order to protect my customers since our border represents the fit..we receive just a default route from ISPs

waiting for ur kind advise

thanks

jamil

Labels:
0 Helpful
6 Replies 6

will
Level 3
Level 3

‎04-06-2012 02:00 PM

jamil, here are some ideas:

neighbor 1.1.1.1 password 7 XXXXXXXXXXXXX  ! prevent another router from trying

neighbor 1.1.1.1 update-source GigabitEthernet0/1 ! specifically says which interface BGP uses

neighbor 1.1.1.1 version 4  ! ensure newest BGP version

neighbor 1.1.1.1 ttl-security 3 ! prevent BGP sessions more than 3 hops away

neighbor 1.1.1.1 prefix-list PL_DEFAULT_ONLY in ! only accept default

neighbor 1.1.1.1 prefix-list PL_AS65000_ONLY out ! only advertise your AS out

neighbor 1.1.1.1 maximum-prefix 750000 80 restart 30  ! not really need in your case of default only.

you can also add an ACL on the outside interface for bgp protocol. this is pretty easy, but a bit cumbersome to support.

Vasileios Bouloukos MSc, ITIL, CCIE
Level 3
Level 3
In response to will

‎04-06-2012 02:13 PM

Hi Ibrahim,

You can find to below a great link by Cisco, which address exactly your question.

It describes all the BGP mechanisms with Configuration sample in order to protect the BGP protocol against to common threats such as BGP Route Manipulation, BGP Route Hijacking and  DoS attack.

http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html

Hope that helps!

Vasilis

Ibrahim Jamil
Level 6
Level 6
In response to Vasileios Bouloukos MSc, ITIL, CCIE

‎04-06-2012 11:48 PM

Guys

where the DoS and DDoS mitigation in ur great posts?u know its a border router i can't put FW and IPS

thanks

Jamil

0 Helpful

sean_evershed
Level 7
Level 7
In response to Ibrahim Jamil

‎04-07-2012 01:52 AM

Hi,

Another thing to consider is to filter Bogons from your external interface. These are source address that should not appear in an IP packet on an interface that faces the public Internet. A good example are address in the RFC 1918 address range. External attackers will try to spoof your internal addres space in order to gain acces to your network or to launch DDoS attacks.

For more information see:

http://www.team-cymru.org/Services/Bogons/

Apply an in bound ACL on your external interface to filter the subnets that can be found at this web site:

http://www.team-cymru.org/Services/Bogons/bogon-dd.html. The ACL also needs to allow legitimate inbound subnets from your ISP.

See below an example config

interface GigabitEthernet0/0

description *** Outside Interface**

ip address X.X.X.X

ip access-group PROTECT in

ip access-list extended PROTECT

remark *** Deny Spoofed traffic ***
deny ip 10.0.0.0 255.0.0.0 any log
deny ip 172.16.0.0 255.240.0.0 any log

deny ip 192.0.0.0 255.255.255.0

remark ** Permit Legitimate Traffic ***

permit ip X.X.X.X X.X.X.X

permit ip X.X.X.X X.X.X.X

remark *** DENY ALL ELSE AND LOG ***

deny   ip any any log

They also have a config example for filtering Bogons via BGP

http://www.team-cymru.org/Services/Bogons/bgp-examples.html#cisco-full-v4trans

Vasileios Bouloukos MSc, ITIL, CCIE
Level 3
Level 3

‎04-07-2012 06:21 AM

Hi Ibrahim,

I thought that you are interested in finding methods to protect only BGP.

It seems that you are looking for techniques to protect your network for DoS and DDoS attacks.

Please read the next doc

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

It provides configuration techniques (e,g ip verify unicast reverse-path, AL, CAR) to eliminate the impact of any DoS attack to your network.

Hope that helps

Vasilis

Ibrahim Jamil
Level 6
Level 6
In response to Vasileios Bouloukos MSc, ITIL, CCIE

‎04-07-2012 07:22 AM

Thanks a lot guys for ur great contribution,i gonna use thes posts as my reference now i can proceed to protect my network and a bit my customer they will be protected since our border is the first line of defense my customer will use FW and IPS this stuff up to them

i have read that asr with ios XE has a built in security features against DoS and DDoS?any comments?

CAR at the border it might shape legitimate connection , then we my get performance issue!!!!!

guys,i wondering , if u receive default route from the ISPs do y need the whole filtering

I Do appreciate ur answers

thanks

Ibrahim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card