[afnog] BGP issues and strange traffic

Nishal Goburdhan nishal at controlfreak.co.za
Sun Feb 28 01:35:13 UTC 2016


On 25 Feb 2016, at 12:33, Folarin Oluwafemi wrote:

> I was able to run Unix OPENBGPD platform and Snort IDS to highly
> suppress the attack.

how?  why?
(no, really - i’m uncertain why this combination would fix 
anything)

> Meanwhile i will take note of the contributions mentioned earlier and
> try it out.

i’d suggest you pause, and think about the problem before attempting 
any whack-a-mole suggestion.  from the “flow” information that you 
posted, it would seem that:
* hosts on the internet are sending what appears to be unsolicited (or 
not?) packets to hosts on your network (on port 53).
* this “problem” occurs when you enable bgp
* the ensuing traffic flood to your network is hurting your network

first, you might already know this, but for those that are reading, and 
too shy to ask, bgp is *not* the problem here.  it’s doing what it’s 
meant to do;  you advertise your network prefix to the internet, and, as 
a result, the internet sends you packets/data/network traffic for that 
network prefix.  so, changing your bgp daemon because you have a traffic 
flood, is a “whack-a-mole” solution, and, not likely to teach you, 
or your team, good troubleshooting techniques.
disabling the network prefix as you attempted, will remove your bgp 
announcement and, no traffic will come back to you (as should be 
obvious).   but doing that, also removes your ISPs ability to assist 
you.

then, to all the folks that were suggesting that his router had a DNS 
service enabled, why (and how) would you guess that from the OP’s 
initial post?  (i’m genuinely curious;  i have very limited experience 
with routerOS).  read:  where is the netstat -an option showing a 
listening port 53?

to the OP, what you do know, is that you were on the receiving end of a 
DNS flood.  if you did not solicit this (and you have taken reasonable 
steps to secure your network) then the only real way you’re going to 
be able to solve this, is working with your upstream/transit provider.  
no form of IDS/IPS/firewall, is going to help you, since that would 
block the traffic *at* your network, after it has crossed your “wan” 
links, creating congestion.

* you didn’t mention if there was any host live in the /24 you were 
trying to announce;  i’m guessing not (else, you would not have been 
able to play BGP games), so, did you try to have your upstream route 
this into a honeypot environment to see what the nature of the DNS 
queries were?
* did you/or your ISP, try working the attack and going upstream to see 
if this was indeed spoofed, or a simple brute force flood?

[..insert other ddos mitigation strategies here..]


> Also, my ISP said I should get a perimeter firewall like the Cisco ASA 
> 5500
> series.

if you are in the business of providing network services to many, then, 
this is terrible advice.  if you’re an enterprise, and want tight 
control of the who/what/where in your network, then this might have some 
limited use for you.  but a firewall will *not* stop a traffic flood 
*to* your network.  and stateful firewalls in front of a large service 
network have not been best practice in a long time!

—n.
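The questions above (how concentrated is the flood, are the sources spoofed, which of your hosts is it hitting) are the ones an upstream will ask before it filters anything. As an added example, not part of Nishal's mail or of anything the OP posted, the script below triages a port-53 inbound flood from exported flow records. The record layout (src dst dport packets bytes, whitespace separated) and all sample flows are constructed for this example; adapt the parser to whatever your collector actually emits.

```python
"""Triage an inbound port-53 flood from flow records (added example).

Assumed record format, one flow per line:  <src> <dst> <dport> <packets> <bytes>
The sample below is constructed; the TEST-NET ranges (192.0.2/24, 198.51.100/24,
203.0.113/24) stand in for public addresses and are deliberately NOT treated
as bogons here, even though they would be in production.
"""
import ipaddress
from collections import Counter

# Constructed sample: six heavy hitters on dport 53, half of them from
# address space that cannot legitimately source Internet traffic, plus one
# normal-looking resolver and one unrelated HTTPS flow.
SAMPLE_FLOWS = """\
198.51.100.7    203.0.113.10 53  48000 3072000
198.51.100.8    203.0.113.10 53  47500 3040000
192.0.2.33      203.0.113.11 53  46900 3001600
10.44.1.9       203.0.113.10 53  45000 2880000
0.12.9.1        203.0.113.12 53  44000 2816000
240.1.2.3       203.0.113.10 53  43500 2784000
198.51.100.200  203.0.113.10 443   120   96000
192.0.2.77      203.0.113.10 53     30    1920
"""

# Source ranges that should never arrive from the Internet.  Flood traffic
# from these is spoofed by definition, which tells you the fix is ingress
# filtering (BCP 38) at the upstream, not anything on your own edge.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_flows(text):
    """Parse the assumed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, dport, pkts, nbytes = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "packets": int(pkts),
            "bytes": int(nbytes),
        })
    return flows


def is_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def triage_dns_flood(flows, top_n=5, min_packets=1000):
    """Summarise flows to dport 53: who is sending, how much, to which targets."""
    dns = [f for f in flows if f["dport"] == 53]
    pkts_by_src = Counter()
    pkts_by_dst = Counter()
    for f in dns:
        pkts_by_src[f["src"]] += f["packets"]
        pkts_by_dst[f["dst"]] += f["packets"]
    total = sum(pkts_by_src.values())
    top = pkts_by_src.most_common(top_n)
    bogon_pkts = sum(p for s, p in pkts_by_src.items() if is_bogon(s))
    return {
        "dns_packets": total,
        "unique_sources": len(pkts_by_src),
        # sources above the noise floor; a real resolver sends a few queries
        "heavy_sources": sum(1 for p in pkts_by_src.values() if p >= min_packets),
        "top_sources": [(str(s), p) for s, p in top],
        # share of the flood carried by the top_n sources
        "top_share": round(sum(p for _, p in top) / total, 3) if total else 0.0,
        # share of the flood whose source cannot be genuine
        "bogon_share": round(bogon_pkts / total, 3) if total else 0.0,
        "targets": {str(d): p for d, p in pkts_by_dst.most_common()},
    }


def assess(summary):
    """Turn the numbers into the two facts the upstream needs to hear."""
    notes = []
    if summary["bogon_share"] > 0.05:
        notes.append("spoofed")          # ask upstream for source-address filtering
    if summary["heavy_sources"] <= 20 and summary["top_share"] >= 0.8:
        notes.append("concentrated")     # a short source ACL upstream will do
    else:
        notes.append("distributed")      # needs scrubbing / blackhole of the target
    return notes


if __name__ == "__main__":
    summary = triage_dns_flood(parse_flows(SAMPLE_FLOWS))
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("assessment:", assess(summary))
```

Run it against a real export and the interesting cases are the opposite of the sample: thousands of low-volume sources with no bogons looks like a reflection or spoofed flood that only the upstream can absorb, while a handful of heavy, non-bogon sources is something they can ACL within minutes if you hand them the list. Either way, the numbers replace "we are being attacked" with something a NOC can act on.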


