04-06-2012 11:54 AM - edited 03-04-2019 03:56 PM
Hi Experts,
How do I secure a BGP border router connected to upstream ISPs against DoS and DDoS attacks, and the other attacks that exist out there, in order to protect my customers, since our border represents the fit? We receive just a default route from the ISPs.
Waiting for your kind advice.
Thanks,
Jamil
04-06-2012 02:00 PM
Jamil, here are some ideas:
neighbor 1.1.1.1 password 7 XXXXXXXXXXXXX ! TCP MD5 authentication; prevents another router from trying to peer (type 7 only obfuscates the stored string)
neighbor 1.1.1.1 update-source GigabitEthernet0/1 ! specifically says which interface BGP uses
neighbor 1.1.1.1 version 4 ! ensure newest BGP version
neighbor 1.1.1.1 ttl-security hops 3 ! GTSM: reject BGP packets from more than 3 hops away (must be configured on both peers)
neighbor 1.1.1.1 prefix-list PL_DEFAULT_ONLY in ! only accept the default route
neighbor 1.1.1.1 prefix-list PL_AS65000_ONLY out ! only advertise your own AS's prefixes out
neighbor 1.1.1.1 maximum-prefix 750000 80 restart 30 ! not really needed in your case of default only
You can also add an ACL on the outside interface for the BGP protocol. This is pretty easy, but a bit cumbersome to support.
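As an added example (not part of the post above), here is how the two prefix lists referenced by the neighbor statements can be defined, plus the interface ACL for the BGP protocol that the last sentence mentions but does not show. Assumptions: the upstream peer is 1.1.1.1 as in the post, the local peering address is 1.1.1.2 and sits on GigabitEthernet0/1, and 203.0.113.0/24 (a documentation prefix) stands in for the real AS65000 address block.

```cisco
! Prefix list for the inbound filter: accept only 0.0.0.0/0.
! Everything else hits the implicit deny at the end of the list.
ip prefix-list PL_DEFAULT_ONLY seq 5 permit 0.0.0.0/0
!
! Prefix list for the outbound filter: only prefixes you own leave the AS.
! Anything learnt from another upstream (accidental transit) is dropped.
! 203.0.113.0/24 is an assumed placeholder for your real block.
ip prefix-list PL_AS65000_ONLY seq 5 permit 203.0.113.0/24
!
! Interface ACL that limits the BGP protocol itself to the known peer.
! TCP/179 is the SOURCE port when the peer accepted our connection and the
! DESTINATION port when the peer opened the session, so both are matched.
ip access-list extended BGP_FROM_PEER_ONLY
 remark *** BGP allowed only from the upstream peer, either handshake direction ***
 permit tcp host 1.1.1.1 eq bgp host 1.1.1.2
 permit tcp host 1.1.1.1 host 1.1.1.2 eq bgp
 remark *** any other BGP attempt toward us: log and drop ***
 deny   tcp any any eq bgp log
 deny   tcp any eq bgp any log
 remark *** non-BGP traffic falls through; put anti-spoof entries above this ***
 permit ip any any
!
interface GigabitEthernet0/1
 description *** upstream ISP (assumed addressing) ***
 ip address 1.1.1.2 255.255.255.252
 ip access-group BGP_FROM_PEER_ONLY in
```

The `log` keyword on the two deny lines punts matching packets to the CPU; on a busy border it is worth tuning with `ip access-list logging interval` or removing once the session has been verified with `show ip bgp neighbors 1.1.1.1`.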
04-06-2012 02:13 PM
Hi Ibrahim,
Below is a great link from Cisco which addresses exactly your question.
It describes all the BGP mechanisms, with configuration samples, for protecting the BGP protocol against common threats such as BGP route manipulation, BGP route hijacking and DoS attacks.
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Hope that helps!
Vasilis
04-06-2012 11:48 PM
Guys
Where is the DoS and DDoS mitigation in your great posts? You know it's a border router; I can't put a FW and IPS on it.
thanks
Jamil
04-07-2012 01:52 AM
Hi,
Another thing to consider is to filter bogons on your external interface. These are source addresses that should not appear in an IP packet on an interface that faces the public Internet. A good example is the RFC 1918 address range. External attackers will try to spoof your internal address space in order to gain access to your network or to launch DDoS attacks.
For more information see:
http://www.team-cymru.org/Services/Bogons/
Apply an inbound ACL on your external interface to filter the subnets that can be found at this web site:
http://www.team-cymru.org/Services/Bogons/bogon-dd.html. The ACL also needs to allow legitimate inbound subnets from your ISP.
See below for an example config:
interface GigabitEthernet0/0
 description *** Outside Interface ***
 ip address X.X.X.X
 ip access-group PROTECT in
!
ip access-list extended PROTECT
 remark *** Deny Spoofed traffic (RFC 1918 and 192.0.0.0/24) ***
 remark *** IOS ACLs take wildcard masks (inverse of the subnet mask), not subnet masks ***
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.0.0 0.0.0.255 any log
 remark *** Permit Legitimate Traffic ***
 permit ip X.X.X.X X.X.X.X any
 permit ip X.X.X.X X.X.X.X any
 remark *** DENY ALL ELSE AND LOG ***
 deny ip any any log
They also have a config example for filtering bogons via BGP:
http://www.team-cymru.org/Services/Bogons/bgp-examples.html#cisco-full-v4trans
04-07-2012 06:21 AM
Hi Ibrahim,
I thought that you were interested in finding methods to protect only BGP.
It seems that you are looking for techniques to protect your network from DoS and DDoS attacks.
Please read the next doc:
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
It provides configuration techniques (e.g. ip verify unicast reverse-path, ACL, CAR) to eliminate the impact of any DoS attack on your network.
Hope that helps
Vasilis
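Added example, not taken from the post above or from the linked Cisco document: what the uRPF and rate-limiting advice looks like on a border router that holds only a default route. One caveat matters here: loose-mode uRPF (`reachable-via any`) ignores the default route unless `allow-default` is given, so on an interface whose only route is 0.0.0.0/0 it would drop nearly everything; with `allow-default` it passes every source except those whose route points to Null0, which is what makes the static bogon routes below do the work. Assumed values: peer 1.1.1.1, local 1.1.1.2 on GigabitEthernet0/1, customers behind GigabitEthernet0/0, and `ip cef` already enabled (uRPF requires it). The policing rates are placeholders to be sized to your link and platform.

```cisco
! 1) Bogon prefixes routed to Null0. A packet whose SOURCE lies in one of
!    these fails the loose-mode RPF check on the outside interface and is
!    dropped in the forwarding path, with no long ACL to maintain.
!    If any RFC 1918 range is used behind this router, leave it out of this
!    list (it would black-hole traffic to it) and deny it as a source in an
!    interface ACL instead.
ip route 10.0.0.0     255.0.0.0     Null0
ip route 100.64.0.0   255.192.0.0   Null0
ip route 127.0.0.0    255.0.0.0     Null0
ip route 169.254.0.0  255.255.0.0   Null0
ip route 172.16.0.0   255.240.0.0   Null0
ip route 192.0.0.0    255.255.255.0 Null0
ip route 192.0.2.0    255.255.255.0 Null0
ip route 192.168.0.0  255.255.0.0   Null0
ip route 198.18.0.0   255.254.0.0   Null0
ip route 198.51.100.0 255.255.255.0 Null0
!
interface GigabitEthernet0/1
 description *** upstream ISP (assumed addressing) ***
 ip address 1.1.1.2 255.255.255.252
 ! loose mode + allow-default: with only a default route, only sources
 ! whose route is Null0 fail the check
 ip verify unicast source reachable-via any allow-default
!
interface GigabitEthernet0/0
 description *** customer side ***
 ! strict mode toward customers (BCP 38): a customer may only source
 ! packets from prefixes routed back out this interface
 ip verify unicast source reachable-via rx
!
! 2) Control-plane policing: keeps the router's own CPU alive during a flood,
!    which is the part of "protect the border router" that data-plane
!    filtering does not cover.
ip access-list extended COPP_BGP
 permit tcp host 1.1.1.1 eq bgp host 1.1.1.2
 permit tcp host 1.1.1.1 host 1.1.1.2 eq bgp
ip access-list extended COPP_ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
class-map match-all COPP_BGP_CLASS
 match access-group name COPP_BGP
class-map match-all COPP_ICMP_CLASS
 match access-group name COPP_ICMP
!
policy-map COPP
 ! the peer is never dropped; this class exists to keep it out of
 ! class-default and to give a counter to watch
 class COPP_BGP_CLASS
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP_ICMP_CLASS
  police 64000 8000 conform-action transmit exceed-action drop
 ! everything else punted to the CPU shares one small bucket
 class class-default
  police 256000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Two things to check after applying it: `show ip interface GigabitEthernet0/1 | include verif` confirms uRPF is active and counts drops, and `show policy-map control-plane` shows per-class conform/exceed counters. Strict mode on the customer side drops legitimate traffic if a customer is multihomed and routes asymmetrically; use loose mode there in that case. Before relying on class-default, add explicit classes for your management traffic (SSH, SNMP, NTP from trusted hosts) so a flood of unclassified packets cannot crowd it out.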
04-07-2012 07:22 AM
Thanks a lot guys for your great contribution. I'm going to use these posts as my reference; now I can proceed to protect my network and, a bit, my customers. They will be protected since our border is the first line of defense; my customers will use a FW and IPS, that stuff is up to them.
I have read that the ASR with IOS XE has built-in security features against DoS and DDoS? Any comments?
CAR at the border might shape legitimate connections, and then we may get performance issues!!!!!
Guys, I'm wondering: if you receive a default route from the ISPs, do you need the whole filtering?
I do appreciate your answers.
Thanks,
Ibrahim