Wednesday, March 8, 2017

Default route sink-hole

"DIY" - how-to mitigate DDoS with default route

Many providers today offer DDoS protection for a small (or not so small) fortune, so I recently experimented with a cheap "DIY" alternative. It is available to you when your site is multihomed or when you are using cloud resources.

At least two IP addresses are needed, ideally from completely different subnets. Keep one of them hidden from the public: do not publish it in DNS, do not use it for load balancing, and do not use it for anything else that would expose it.

When the publicly known IP comes under attack, you can point a default route at the interface that holds it and then shut that interface down: the attack traffic is discarded there, while you keep reaching the box through the hidden address.

The easier variant for getting rid of an attacker is a null route, also known as a black-hole route. The malicious packets still arrive on your interface, but no reply can be routed back to their owner ;)
Keep in mind that with this approach you do not want to alert the malicious user that you are blocking their traffic, so the router must not answer the dropped packets with ICMP unreachables.

Cisco CLI:

To drop everything that would be routed to an address, point it at the Null0 interface. The mask below covers a whole /24; use 255.255.255.255 when you only want to drop a single host:

Router(config)# ip route x.x.x.x 255.255.255.0 null0

IOS sends ICMP unreachables for packets discarded this way, which tells the sender it is being filtered. Switch them off on the Null0 interface:

Router(config)# int null0
Router(config-if)# no ip unreachables

For the default-route variant, point the default route at the interface that holds the attacked address (eth0 is a placeholder here; on IOS the name will be something like GigabitEthernet0/0). Shutting that interface down later is what discards the attack traffic:

Router(config)# ip route 0.0.0.0 0.0.0.0 eth0

Linux commands:
In our example we are receiving unwanted SSH login attempts from 189.75.74.192. netstat shows the listener on port 22 and one established session from that address:

 root@server:~# netstat -na | grep :22
 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
 tcp 0 0 192.168.0.197:22 189.75.74.192:57776 ESTABLISHED

To add the null route we use the ip command (a host route, so only this one source is affected):
 root@server:~# ip route add blackhole 189.75.74.192/32

To verify that the route is in place we use ip route show:
 root@server:~# ip route show
 default via 192.168.0.1 dev eth0 metric 100
 blackhole 189.75.74.192

After a little while the established SSH session times out, and every later connection attempt from the blocked address hangs until the attacker's client gives up, because the server's SYN-ACKs have nowhere to go. Note that the attacker is not told why; it is only on the server itself that sending to the blackholed address fails immediately (Linux returns "Invalid argument" for a blackhole route; "No route to host" is what an unreachable route gives).
 baduser@attacker:~$ ssh 192.168.0.197
 ssh: connect to host 192.168.0.197 port 22: Connection timed out

Removing a null route

After the attack has subsided, or if you added the wrong IP, you will want to remove the blackhole route. To do so we use the ip command again (ip route del blackhole 189.75.74.192/32 is the explicit form of the same command):
 root@server:~# ip route del 189.75.74.192
 root@server:~# ip route show
 default via 192.168.0.1 dev eth0 metric 100

In the default-route variant, once you shut the interface down or disconnect it, the DDoS traffic goes down that road to nowhere, and nobody is polite enough to tell the attackers.

With IPv6 addressing and cloud VPS resources this is even easier, and scripts can automate the blackholing based on traffic volume.
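The Linux procedure above, plus the automation the last sentence hints at, as an added example that is not code from the original post: the script counts connections per peer in `ss -tan` output (used here instead of the post's netstat), blackholes every peer over a threshold with the same `ip route add blackhole` host route, and can remove it again. The sample socket table, the threshold value, the function names and the IP_CMD override (set it to echo to dry-run without touching the routing table) are all assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: find the noisiest peers in
# `ss -tan` output, blackhole the ones over a threshold, and undo it later.
# The sample data, threshold and names below are assumptions for this demo.
set -eu

IP_CMD="${IP_CMD:-ip}"          # set IP_CMD=echo to dry-run without touching the routing table
THRESHOLD="${THRESHOLD:-20}"    # sockets from one peer before it gets blackholed (assumed value)

# Constructed sample of `ss -tan` output (not a real capture); 189.75.74.192 is
# the address from the post, here with three sockets against our sshd.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      192.168.0.197:22    189.75.74.192:57776
ESTAB     0      0      192.168.0.197:22    189.75.74.192:57777
SYN-RECV  0      0      192.168.0.197:22    189.75.74.192:57778
ESTAB     0      0      192.168.0.197:22    192.168.0.50:40112'

# count_peers: ss output on stdin -> "count address" lines, busiest first.
# Strips the trailing :port and any IPv6 brackets so v4 and v6 peers both work.
count_peers() {
    awk 'NR > 1 { p = $5; sub(/:[0-9]+$/, "", p); gsub(/[][]/, "", p); print p }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: peers with at least THRESHOLD sockets, one address per line.
offenders() {
    count_peers | awk -v t="$1" '$1 >= t { print $2 }'
}

# blackhole_add ADDR: drop everything we would send to ADDR, replies included.
# `replace` makes it idempotent, so re-running a sweep does not error out.
blackhole_add() {
    case "$1" in
        *:*) "$IP_CMD" -6 route replace blackhole "$1/128" ;;
        *)   "$IP_CMD" -4 route replace blackhole "$1/32" ;;
    esac
}

# blackhole_del ADDR: remove the host blackhole once the attack has subsided.
blackhole_del() {
    case "$1" in
        *:*) "$IP_CMD" -6 route del blackhole "$1/128" ;;
        *)   "$IP_CMD" -4 route del blackhole "$1/32" ;;
    esac
}

# sweep THRESHOLD: blackhole every offender found in the ss output on stdin.
sweep() {
    offenders "$1" | while read -r addr; do
        blackhole_add "$addr"
    done
}

case "${1:-}" in
    --demo)  (IP_CMD=echo; printf '%s\n' "$SAMPLE_SS" | sweep 3) ;;   # dry run on the sample
    --sweep) ss -tan | sweep "$THRESHOLD" ;;                          # live run, needs root
    --del)   blackhole_del "${2:?address required}" ;;
esac
```

Run `./blackhole.sh --demo` to see which ip command a sweep would issue, and `THRESHOLD=50 ./blackhole.sh --sweep` from cron or a watchdog for the real thing. Before automating this, whitelist your own gateway, resolvers and monitoring hosts: a flood with spoofed sources can otherwise trick the script into blackholing addresses you depend on, and with reverse-path filtering enabled a blackholed source is dropped on ingress as well, so the damage is immediate.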


Regards,

Networ King