Cisco Support Community
Community Member

BGP border router

Hi Experts

How can I secure a BGP border router connected to upstream ISPs against DoS and DDoS attacks and the other attacks which exist out there, in order to protect my customers, since our border represents the fit.. We receive just a default route from the ISPs.

Waiting for your kind advice.

thanks

jamil

6 REPLIES
Community Member

BGP border router

jamil, here are some ideas:

! prevent another router from trying
neighbor 1.1.1.1 password 7 XXXXXXXXXXXXX
! specifically says which interface BGP uses
neighbor 1.1.1.1 update-source GigabitEthernet0/1
! ensure newest BGP version
neighbor 1.1.1.1 version 4
! prevent BGP sessions more than 3 hops away
neighbor 1.1.1.1 ttl-security hops 3
! only accept default
neighbor 1.1.1.1 prefix-list PL_DEFAULT_ONLY in
! only advertise your AS out
neighbor 1.1.1.1 prefix-list PL_AS65000_ONLY out
! not really needed in your case of default only
neighbor 1.1.1.1 maximum-prefix 750000 80 restart 30

You can also add an ACL on the outside interface for the BGP protocol. This is pretty easy, but a bit cumbersome to support.

BGP border router

Hi Ibrahim,

You can find below a great link by Cisco, which addresses exactly your question.

It describes all the BGP mechanisms, with configuration samples, used to protect the BGP protocol against common threats such as BGP route manipulation, BGP route hijacking and DoS attacks.

http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html

Hope that helps!

Vasilis

Community Member

BGP border router

Guys

Where is the DoS and DDoS mitigation in your great posts? You know it's a border router; I can't put FW and IPS.

thanks

Jamil

Re: BGP border router

Hi,

Another thing to consider is to filter bogons from your external interface. These are source addresses that should not appear in an IP packet on an interface that faces the public Internet. A good example is the addresses in the RFC 1918 address range. External attackers will try to spoof your internal address space in order to gain access to your network or to launch DDoS attacks.

For more information see:

http://www.team-cymru.org/Services/Bogons/

Apply an inbound ACL on your external interface to filter the subnets that can be found at this web site:

http://www.team-cymru.org/Services/Bogons/bogon-dd.html

The ACL also needs to allow legitimate inbound subnets from your ISP.

See below an example config:

interface GigabitEthernet0/0
 description *** Outside Interface**
 ip address X.X.X.X
 ip access-group PROTECT in
!
ip access-list extended PROTECT
 remark *** Deny Spoofed traffic ***
 ! IOS ACLs take wildcard (inverse) masks, not subnet masks
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.0.0 0.0.0.255 any
 remark ** Permit Legitimate Traffic ***
 permit ip X.X.X.X X.X.X.X
 permit ip X.X.X.X X.X.X.X
 remark *** DENY ALL ELSE AND LOG ***
 deny   ip any any log

They also have a config example for filtering bogons via BGP:

http://www.team-cymru.org/Services/Bogons/bgp-examples.html#cisco-full-v4trans
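Added example, not part of the original post or of Cisco's or Team Cymru's material: IOS extended ACLs match on wildcard (inverse) masks, so an entry written with a subnet mask matches the wrong addresses. The Python below renders source prefixes as `deny ip` entries with the correct wildcard and flags entries that carry a subnet mask instead; the prefix list, the sample ACL lines and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample input: RFC 1918 ranges in CIDR form. In practice, feed in
# the current bogon list for your environment instead.
SAMPLE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed ACL entries for the linter: two use subnet masks by mistake.
SAMPLE_ACL = [
    "deny ip 10.0.0.0 255.0.0.0 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 255.255.0.0 any log",
    "deny ip any any log",
]

def acl_deny_line(prefix, log=True):
    """Render 'deny ip <network> <wildcard> any' for one source prefix."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    line = f"deny ip {net.network_address} {net.hostmask} any"
    return line + " log" if log else line

def build_acl(name, prefixes):
    """Return the lines of a named extended ACL that drops the given sources."""
    header = [f"ip access-list extended {name}"]
    return header + [" " + acl_deny_line(p) for p in prefixes]

def is_subnet_mask(mask):
    """True for a contiguous ones-then-zeros mask such as 255.240.0.0."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    # 0.0.0.0 and 255.255.255.255 are valid wildcards too, so do not flag them.
    return m not in (0, 0xFFFFFFFF) and (inv & (inv + 1)) == 0

def lint_acl(lines):
    """Return (entry, corrected) pairs where the source mask is a subnet mask."""
    findings = []
    for entry in lines:
        tok = entry.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] in ("any", "host"):
            continue
        try:
            if is_subnet_mask(tok[3]):
                net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
                tok[3] = str(net.hostmask)
                findings.append((entry, " ".join(tok)))
        except ValueError:
            continue  # not an address/mask pair; leave it for manual review
    return findings

if __name__ == "__main__":
    print("\n".join(build_acl("PROTECT", SAMPLE_PREFIXES)))
    for bad, fixed in lint_acl(SAMPLE_ACL):
        print(f"subnet mask used as wildcard: {bad!r} -> {fixed!r}")
```

Read as a wildcard, `255.0.0.0` ignores the first octet and pins the last three to zero, which is why the first sample entry would not drop traffic sourced from 10.0.0.0/8.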

BGP border router

Hi Ibrahim,

I thought that you were interested in finding methods to protect only BGP.

It seems that you are looking for techniques to protect your network from DoS and DDoS attacks.

Please read the next doc:

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

It provides configuration techniques (e.g. ip verify unicast reverse-path, ACL, CAR) to eliminate the impact of any DoS attack on your network.

Hope that helps

Vasilis

Community Member

Re: BGP border router

Thanks a lot guys for your great contribution. I am going to use these posts as my reference. Now I can proceed to protect my network and, a bit, my customers; they will be protected since our border is the first line of defense. My customers will use FW and IPS; this stuff is up to them.

I have read that the ASR with IOS XE has built-in security features against DoS and DDoS. Any comments?

CAR at the border might shape legitimate connections, and then we may get performance issues!

Guys, I am wondering: if you receive a default route from the ISPs, do you need the whole filtering?

I do appreciate your answers.

thanks

Ibrahim
