Jon Lewis's Blog

Thu, 28 Mar 2013

BCP 38 - Or why all edge networks need some form of valid prefix filtering

The Internet has been dealing with amplification attacks dependent on source address spoofing at least as far back as the mid to late 1990s. Smurf attacks were the first such attack to which I had any exposure. In a smurf attack, the attacker would send large numbers of ping packets (icmp echo requests) to the broadcast addresses on a large number of networks with the source IP address spoofed to be their DDoS target's IP. All of the hosts on these networks would receive the broadcast echo requests and many or all would respond en-masse, flooding the spoofed target IP with echo replies. It wasn't hard to fill a T1 with one of these attacks. T1's were pretty common transit pipes for small to mid sized ISPs back in the 90s. Over time, most networks disabled directed broadcast, and Smurf attacks became relatively ineffective and went out of style.

Today, the hip method for DDoSing is the DNS amplification attack. In this attack, the attacker sends queries as fast as they can for some DNS record of large size to a large list of "open recursive DNS servers". These are DNS servers willing to answer recursive queries for anyone on the Internet. It's believed there are currently roughly 27 million such DNS servers. The queries are sent with the source address forged to be the DDoS target's IP. Amplification factors of >70x can be achieved with these attacks due to the difference in size between the DNS query and the response. This means for every 1gb/s of available bandwidth to the attacker, they can generate ~70gb/s of attack traffic. Using this type of attack, someone with comparatively little bandwidth can generate an attack large enough to overwhelm nearly any network.

The common thread here is that both Smurf and DNS amplification attacks wouldn't be possible if the attackers couldn't spoof their target's IP address.

BCP 38 was written thirteen years ago (May, 2000), to encourage network operators to institute source address validity filters in their networks. i.e. if a packet enters your network from a customer, you should drop that packet if its source address is not known to be one of your customer's addresses. Router vendors have implemented such filtering as an automated feature, but not on all platforms. Cisco calls it Unicast Reverse Path Forwarding or uRPF. With uRPF enabled on an interface, traffic entering via that interface is dropped if its source address is not covered by a route pointing to that interface. i.e. suppose you have a customer on an interface such as:

interface FastEthernet1/0
 ip address
 ip verify unicast source reachable-via rx allow-self-ping
ip route

With the above interface and route statement, only traffic received on FastEthernet1/0 with source addresses in or will be forwarded. Traffic arriving via FastEthernet1/0 with any other source address will be dropped.

Unfortunately, not all gear supports this feature. Some gear "supports it", but with such severe limitations as to make it unusuable. This is likely why BCP38 has made so little traction over the years. On gear where uRPF is not supported or not usable, you're left with having to write and maintain an input ACL for every customer interface. On a layer 3 switch with 48 customer ports, that's 48 ACLs, and some multiple of 48 chances to screw up which might cause customer outages, hundreds of additional lines of config, and for no obvious benefit to you or your customers.

For these reasons, many networks have gone without BCP38-style filtering.

This can't be allowed to continue. Attackers have recently demonstrated, using DNS amplification, that attacks in the hundreds of gbit/s are possible. Presumably, they're only limited by the number of either hacked or other high bandwidth hosts they have access to, and their imagination. Spamhaus has been the recent high profile target. Next week, it could be the major stock exchanges or entire countries. It's time for all networks to take responsibility for their traffic and stop spoofed source address packets from making it out to the Internet.

If you haven't implemented BCP38 filtering because your gear doesn't do uRPF and maintaining an ACL for every customer is "too hard", "doesn't scale", or perhaps is more ACL/config than your gear can handle, consider this alternative solution.

On a typical small ISP / service provider / hosting provider network, if you were to ACL every customer, you might need hundreds or even thousands of ACLs. However, if you were to put output filters on your transit connections, allowing traffic sourced from all IP networks "valid" inside your network, you might find that all you need is a single ACL of a handful to several dozen entries. i.e. All your transit output ACL needs to list are all of your IP space, and any IP spaces belonging to your customers who have their own IP space.

Having one ACL to maintain that only needs changing if you get a new IP allocation or add/remove a customer who has their own IPs really isn't all that difficult. As far at the rest of the internet is concerned, this solves the issue of spoofed IP packets leaving your network.

If you want to test your ISP to see if it allows spoofing, the MIT Spoofer Project has binaries for common OS's and source code that can be downloaded and run to test various classes of spoofing from a host.

[/internet/routing] permanent link

Sat, 05 Feb 2011

Black Hole Routing

A number of Tier-1/Tier-2 network service providers support a feature called real time black hole routing triggered via BGP. In simple terms, what this means is that with providers that support this, you can advertise a route to your transit provider(s) that tells them "I'd like you to null route this instead of routing it to me." Why would this be useful? The most likely situation is an IP on your network is being DDoS'd (Distributed Denial of Service attack) hard enough that it's congesting your transit pipe(s) causing increased latency and/or packet loss for all of your internet traffic.

The usual way to do this (or express any other sort of desired upstream routing policy to your transit provider) is via BGP communities. These are set in the output route-map for your eBGP peering with the provider. The following is an example of how you might setup a system to allow for easy creation/removal of real time black hole routes (on cisco gear).


  1. Make sure your provider(s) support this.
  2. Look up what community strings they use for this.
  3. Step three, you'll probably need to contact each provider and make sure they're setup to receive /32 IPv4 routes from you. Assuming they do prefix filtering, they may not automatically be setup to accept such specific routes from you.

Using Level3 as the example, a search for Level3 BGP communities will turn up that 3356:9999 is Level3's customer accepted community for telling Level3 to discard traffic for the tagged route.

Now, you could edit your Level3 output route-map, BGP config (insert a network statement), and then do a static route every time you want to create a real time black hole route, but doing it that way is time consuming and error-prone and you may not want everyone who has enable access mucking around in your eBGP config. Instead, why not set things up so all you have to do is create a special static route anywhere on your network?

This config assumes you have separate routers for transit connections and for internal routing, there are config changes that will need to be done on each.

On the transit router that talks to Level3:

ip community-list standard BLACKHOLE permit <your-ASN>:9999
route-map LEVEL3-OUTPUT permit 5
 match community BLACKHOLE
 set community 3356:9999
This assumes that LEVEL3-OUTPUT is already configured as your output route-map for your Level3 peering session.

On your internal routing router(s):

ip access-list extended match32
 permit ip any host
route-map blackhole permit 10
 match ip address match32
 match tag 9999
 set community <your-ASN>:9999
router bgp 
 redistribute static route-map blackhole
 redistribute ospf 1 route-map blackhole

If you have much experience with BGP, you're hopefully saying to yourself "but redistribution, especially of the IGP, into BGP is really dangerous". Well, the blackhole route-map is limiting the redistribution to only those routes tagged with 9999 and which are /32s. This means if someone gets clumsy and creates a route for a shorter network with the tag 9999, the route-map will not match that route, and it won't be redistributed into BGP. So this setup won't let you accidentally real time blackhole an entire CIDR block. The reason for redistributing both OSPF (or you might use ISIS) and static is, this way the route can be created on this router (as a static route) or on another device participating in your IGP.

Once these config changes have been made, all you need to do to real time black hole route an IP is log into the internal router or any router in your IGP and

ip route <IP to black hole> null0 tag 9999
This will null route the IP in your network and tell your transit providers to stop sending traffic for the IP to you.

A really neat side effect of this setup is, you can real time black hole an IP without null routing it internally.

Suppose the IP you want to real time black hole is part of a customer's /28, and that /28 is configured as the IP on the customer's access port. i.e.

interface FastEthernet0/1
 ip address <customer IP network>

You can log into that device, and

ip route <IP to black hole> FastEthernet0/1 tag 9999

Now, the IP is still routed to the customer, but because it's tagged with 9999, assuming your customer aggregation routers redistribute static into your IGP (which for me is OSPF), the route will be in your IGP with the tag, your internal router will see this and redistribute it into BGP with the internally used real time black hole community, and your transit router(s) will tag the route with the appropriate community to have your transit provider(s) real time black hole route it. The IP is still reachable inside your ASN, but to the rest of the internet, it's dead as your transit providers are null routing it.

[/internet/routing] permanent link

Sat, 09 Feb 2008

One Million Routes

So, you just upgraded your cisco 6500/7600 gear to Sup720-3BXL's because that's the lowest end supervisor module that has the tcam for full internet routes (>244k routes). You may have read in the data sheet that it's capable of "1,000,000 IPv4 routes; 500,000 IPv6 routes." That should be plenty of room for growth, right? Well, maybe not as much as you think.

Somewhere burried in the fine print (ok, I can't actually find it even in fine print or an * or anywhere on the data sheet), is the fact that it's an either or thing. i.e. The 3BXL can do 1,000,000 IPv4 routes (and no IPv6 at all), or it can do 500,000 IPv6 routes (and no IPv4 at all). In a real world installation, neither of those configs are terribly useful. The default settings allow for 524,288 IPv4 routes and 262,144 IPv6 routes...meaning in its default config, with full internet routes a Sup720-3BXL is already at nearly half it's capacity of IPv4 routes. You can examine this (using recent IOS versions), with the command:
show platform hardware capacity

Look for the output section labeled "L3 Forwarding Resources". i.e.
L3 Forwarding Resources
             FIB TCAM usage:                     Total        Used	%Used
                  72 bits (IPv4, MPLS, EoM)     524288      230589	  44%
                 144 bits (IP mcast, IPv6)      262144           5	   1%
This can be tuned with the config command mls cef maximum-routes ip <N> where N is a number in thousands of IPv4 routes you want to be able to handle. i.e. With "mls cef maximum-routes ip 750", the above output changes to:
L3 Forwarding Resources
             FIB TCAM usage:                     Total        Used       %Used
                  72 bits (IPv4, MPLS, EoM)     770048      230459         30%
                 144 bits (IP mcast, IPv6)      139264           5          1%

Such a split may make more sense, as it leaves more room for anticipated IPv4 routing table growth, and in a perfect world, we really shouldn't see much more than a single IPv6 prefix per ASN.

Note: The numbers above from a set of Sup720-3BXL's in a lab environment have slightly filtered BGP feeds. "Full routes" would be closer to 240,000 routes.

[/internet/routing] permanent link

Sat, 19 Jan 2008

RIR Minimums BGP prefix-list

I originally posted this BGP filter to a couple of mailing lists, most notably the NANOG list, back in September 2007.

The reason I put this filter together is lots of big cisco routers, in particular the 6500/7600 series with anything less than the Sup720-3bxl, were on the verge of running out of space (TCAM in the 6500/7600 case) to hold routes due to continued growth of the global BGP routing table. A large part of this global routing table "growth" is actually gratuitous deaggregation by networks that either don't care or don't even realize what they're doing. Most networks can live without these "garbage routes", and since I maintain a couple of 6500/Sup2 routers, I started working on contingency plans in case we were unable to upgrade to Sup720-3bxls before the global routing table + our internal routes hit the magic number of routes (244k) at which point the Sup2 starts doing "bad things".

It should be noted that because some of the really clue deficient networks announce only the deaggregates of their CIDRs, using this filter may cause you to entirely lose routing information to such networks. Therefore, unless you're able to get away with that level of BOFHness ("fix your BGP if you want to talk to us"), I strongly suggest you add (if you don't already have) one or more default routes to your various transit providers.

This BGP route filter is based largely on Barry Greene's work available from

While working on my version of ISP-Ingress-In-Strict, I noticed a bunch of inconsistencies in the expected RIR minimum allocations in Barry's ISP-Ingress-In-Strict and in the data actually published by the various RIRs.

I've adjusted the appropriate entries, flipped things around so that for each of the known RIR /8 or shorter prefixes, prefixes longer than RIR specified minimums (or /24 in cases where the RIR specifies longer than /24!) are denied.

At the end of the prefix-list, any prefix /24 or shorter is allowed. The advantage to this setup is known ranges are filtered on known RIR minimums. Anything omitted ends up being permitted as long as it's /24 or shorter.

If you currently use a distribute-list to filter incoming routes, you'll have to rewrite those rules in prefix-list format and merge them into the beginning of this prefix-list, as IOS (at least the versions I'm using) doesn't allow both an input prefix-list and input distribute-list on the same BGP peer.

What follows is the latest version of what I originally posted to the NANOG list in September 2007.

-- jlewis 20080118

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! APNIC !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! ip prefix-list ISP-Ingress-In-Strict SEQ 4000 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 4001 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4002 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4004 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 4008 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 4011 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4013 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4014 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 4016 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4018 permit ge 17 le 24 ip prefix-list ISP-Ingress-In-Strict SEQ 4019 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 4021 deny ge 21 ip prefix-list ISP-Ingress-In-Strict seq 4023 deny ge 21 ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! ip prefix-list ISP-Ingress-In-Strict SEQ 5000 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5001 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5002 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5010 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5014 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5015 deny ge 21 ! these ge 25's are redundant, but left in for accounting purposes ip prefix-list ISP-Ingress-In-Strict SEQ 5020 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 5022 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 5023 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 5032 deny ge 23 ip prefix-list ISP-Ingress-In-Strict SEQ 5033 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 5034 deny ge 21 ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! RIPE NCC !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! ip prefix-list ISP-Ingress-In-Strict SEQ 6000 deny ge 20 ip prefix-list ISP-Ingress-In-Strict SEQ 6001 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6002 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6004 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 6006 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 6007 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6008 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6012 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6014 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6015 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 6016 deny ge 22 ip prefix-list ISP-Ingress-In-Strict SEQ 6020 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 6021 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 6023 deny ge 20 ip prefix-list ISP-Ingress-In-Strict SEQ 6025 deny ge 21 ! ! ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! LANIC - !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! ip prefix-list ISP-Ingress-In-Strict SEQ 7000 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 7001 deny ge 21 ip prefix-list ISP-Ingress-In-Strict SEQ 7002 deny ge 25 ip prefix-list ISP-Ingress-In-Strict SEQ 7003 deny ge 21 ! ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! AFRINIC !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! ip prefix-list ISP-Ingress-In-Strict SEQ 8000 deny ge 23 ip prefix-list ISP-Ingress-In-Strict SEQ 8001 deny ge 23 ! ! Final "permit any any" statement. ! This is allowing all the orginal pre-RIR/RFC2050 allocations through. ! Addtional filtering can be added if so desired. ! !ip prefix-list ISP-Ingress-In-Strict seq 10100 deny le 7 ip prefix-list ISP-Ingress-In-Strict seq 10200 permit le 24

[/internet/routing] permanent link