netsec-sig - RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing

  • From: "Spurling, Shannon" <>
  • To: "" <>
  • Subject: RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing
  • Date: Wed, 27 Jul 2016 17:02:19 +0000
  • Accept-language: en-US

Check out OpenBMP. You can also use BGP-LS to get your IGP exported into the server for monitoring.

Sent via the Samsung GALAXY S®4 Active™, an AT&T 4G LTE smartphone

-------- Original message --------
From: Michael Hare
Date:07/27/2016 11:06 AM (GMT-06:00)
To: ,
Cc: ,
Subject: RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing

Nice, thanks for the links.

It looks like the ISIS logs might be non-functional; I think only SALT is currently working.

Modern zebra supports MRTv2 for IPv6, I use it for flow analysis. I'd rather use a real-time RIB feed, but I haven't figured out a good working model to do the latter inside perl [the difference between a programmer [me] and a Programmer (professional)]. exaBGP->JSON is certainly more portable and user friendly, just a tradeoff.

John and I are musing off-list about the idea of using netflow and BGP communities to do event-based blackhole estimation/accounting.

-Michael

From: [mailto:] On Behalf Of Matthew J Zekauskas
Sent: Wednesday, July 27, 2016 9:57 AM
To: ;
Cc: ;
Subject: Re: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing

Interesting thought.  FWIW, the R&E portion of the network has BGP and IGP dumps from most of the routers (not CLEV, not newly merged TR-CPS and R&E routers), using old Zebra code so the whole mechanism should be refreshed (in particular, I don't believe it deals at all with 4 byte ASNs):

<http://ndb7.net.internet2.edu/bgp/>
<http://ndb7.net.internet2.edu/isis/>
a wee bit of description, and pointers to these are on this NOC page (toward the bottom):
<http://noc.net.internet2.edu/i2network/research-and-education-network.html>

--Matt

On 7/27/16 9:53 AM, Michael Hare wrote:

Paul [and others],

When/if accounting announcements becomes a priority, I'd recommend having a look at exaBGP. I'm using it inside AS 3128 [and a small perl script, less than 100 lines] to log all RIB changes to JSON. I currently roll up daily summaries based on this data. Feel free to contact me off-list for any details.

As far as traffic counts being blocked, that's tricky. On the MX line we have an output filter on the dsc0 interface which will give you per-router info [and firewall filter detail level of what is dropped] but this won't give you stats per route/event. I think we could port mirror out a real interface but we haven't wanted to burn port or forwarding capacity to do this.

-Michael

From: [] On Behalf Of Paul Howell
Sent: Wednesday, July 27, 2016 4:15 AM
To: David Farmer ; ; Grover Browning
Cc: ; ;
Subject: Re: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing

Hi,

To answer the question about monitoring current BH announcements, we don't have automated monitoring & reporting in place for this, but I have been routinely checking the BH announcements via the router proxy and have not found a time when there wasn't a /32 and/or /24 being blocked. Spot checking just now, there are about 30 prefixes being blocked, with several that are 8 weeks old and some that are about 4 days old.

I agree that statistics and trends would be good to have on this and it's on the list of items to do, but I can't promise that it'll be completed by Jan 2017.

Regards,

Paul

===
Paul Howell
Chief Cyberinfrastructure Security Officer
Network Services, Internet2
100 Phoenix Drive, STE 111
Ann Arbor, MI 48108
Office: 734-352-4212
Email:

From: David Farmer <>
Date: Tuesday, July 26, 2016 at 3:37 PM
To: "" <>, Grover Browning <>, Paul Howell <>
Cc: "" <>, "" <>, "" <>
Subject: Re: [Security-WG] New Well-Known BGP Community for Blackholing

On Tue, Jul 26, 2016 at 9:46 AM, John Kristoff <> wrote:

On Mon, 25 Jul 2016 23:55:31 +0000
David Farmer <> wrote:

> We (the Internet2 Community) should discuss if the Internet2 Backbone
> should transition to using this Well-Known BGP Community, either
> keeping or eliminating the Internet2 specific Blackhole communities
> below.
>
> Internet2-R&E: 11537:911
> Internet2-TR-CPS: 11164:53666

Is the usage of these being monitored?  Statistics and trends on usage
and possibly a survey who is actually utilizing (announcing to I2) the
current communities would be nice to see.

That's a really good question, Grover, Paul? I was thinking about this last night too. I'd like to know: how many routes/IPs are blackholed, how often, what duration, some idea of the amount of traffic dropped, maybe how much each router is dropping. Just doing some brainstorming, please don't actually take that as a formal request, at least yet.

> Additionally, this new community is defined as a transitive BGP
> community, so we should discuss if we want to propagate routes with
> this community from the Internet2 Backbone to other members of the
> Internet2 community.  This may or may not advantageous and is
> probably not appropriate in all cases, so we should only do this if
> there is a clear consensus for it.

I think this would be fine as long as these routes are originated from
within I2 and the announcements can be verified by connectors or the
backbone folks.  I may be wary of accepting those transitive
communities if they originated from outside of I2.  Perhaps add a tag
that indicates as much.

Like I said I'm skeptical of this really being useful, mostly because I too would only really consider this for routes for this community, and while there is a component of some DOS attacks coming from within this community it is a relatively small part of the overall issue most of the time.

A web-based interface for participants to use for managing black hole
routes would be really nice to have.  These should automatically expire
after some period.

This sounds interesting and maybe a more useful way to think about this; could you flesh this out a bit more?

Thanks

--

===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
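Michael Hare mentions feeding exaBGP RIB changes into JSON and rolling them up into daily summaries, and David Farmer asks how many prefixes get blackholed, how often, and for how long. The script below is an added example of that accounting step, not Michael's perl script or anything from exaBGP itself. It consumes one JSON update message per line, keeps only announcements tagged with a blackhole community (the RFC 7999 well-known BLACKHOLE community 65535:666, which is the community the thread is about, plus the two Internet2-specific communities quoted in David's mail), and pairs each announcement with its later withdrawal to produce durations. The sample messages are constructed for the example and only loosely modelled on exaBGP's JSON encoding of an `update`; the exact field paths (`neighbor.message.update.announce` and friends) are an assumption to be checked against the exaBGP version actually in use.

```python
"""Roll up blackhole-route announcements from an exaBGP-style JSON RIB feed.

Added example for the thread, not the script described in it. Sample
messages are constructed and only loosely modelled on exaBGP's JSON
"update" encoding; verify the field paths against your exaBGP version.
"""
import json

# RFC 7999 well-known BLACKHOLE community plus the two Internet2-specific
# blackhole communities quoted in the thread.
BLACKHOLE_COMMUNITIES = {(65535, 666), (11537, 911), (11164, 53666)}


def _prefixes(section):
    """Yield NLRI strings from an exaBGP-style announce or withdraw section.

    Assumed layout:  announce: {family: {nexthop: [{"nlri": prefix}, ...]}}
                     withdraw: {family: [{"nlri": prefix}, ...]}
    """
    for family in section.values():
        groups = family.values() if isinstance(family, dict) else [family]
        for entries in groups:
            for entry in entries:
                yield entry["nlri"]


class BlackholeTracker:
    """Track when each blackholed prefix was announced and withdrawn."""

    def __init__(self):
        self.active = {}            # prefix -> announce time (epoch seconds)
        self.completed = []         # (prefix, start, end) once withdrawn
        self.ignored_prefixes = 0   # announced prefixes without a blackhole tag

    def process(self, line):
        msg = json.loads(line)
        if msg.get("type") != "update":
            return                  # state/open/keepalive records carry no routes
        update = msg["neighbor"]["message"].get("update")
        if not update:
            return
        when = float(msg["time"])
        communities = {tuple(c) for c in update.get("attribute", {}).get("community", [])}
        is_blackhole = bool(communities & BLACKHOLE_COMMUNITIES)
        for prefix in _prefixes(update.get("announce", {})):
            if is_blackhole:
                # A re-announcement (refresh) keeps the original start time.
                self.active.setdefault(prefix, when)
            elif prefix in self.active:
                # Same prefix re-announced without the tag: the blackhole ended.
                self.completed.append((prefix, self.active.pop(prefix), when))
            else:
                self.ignored_prefixes += 1
        for prefix in _prefixes(update.get("withdraw", {})):
            start = self.active.pop(prefix, None)
            if start is not None:   # withdrawals of untracked prefixes are ignored
                self.completed.append((prefix, start, when))

    def summary(self, now):
        """Counts and durations (seconds); still-active routes run up to `now`."""
        durations = [end - start for _, start, end in self.completed]
        durations += [now - start for start in self.active.values()]
        return {
            "events": len(self.completed) + len(self.active),
            "still_active": sorted(self.active),
            "max_duration_s": max(durations, default=0.0),
            "mean_duration_s": (sum(durations) / len(durations)) if durations else 0.0,
            "ignored_prefixes": self.ignored_prefixes,
        }


def _msg(time, announce=None, withdraw=None, community=None):
    """Build one constructed exaBGP-style update line (sample data only)."""
    update = {"attribute": {"origin": "igp", "as-path": [3128]}}
    if community:
        update["attribute"]["community"] = [list(community)]
    if announce:
        update["announce"] = {"ipv4 unicast": {"192.0.2.1": [{"nlri": p} for p in announce]}}
    if withdraw:
        update["withdraw"] = {"ipv4 unicast": [{"nlri": p} for p in withdraw]}
    return json.dumps({"exabgp": "4.0.1", "time": time, "type": "update",
                       "neighbor": {"address": {"local": "192.0.2.1", "peer": "192.0.2.2"},
                                    "asn": {"local": 65000, "peer": 3128},
                                    "direction": "receive",
                                    "message": {"update": update}}})


# Constructed one-day feed: two blackholes, one refresh, one withdrawal, one plain route.
SAMPLE_FEED = [
    _msg(1469577600.0, announce=["198.51.100.7/32"], community=(65535, 666)),
    _msg(1469581200.0, announce=["203.0.113.0/24"], community=(11537, 911)),
    _msg(1469581200.0, announce=["198.51.100.7/32"], community=(65535, 666)),  # refresh
    _msg(1469584800.0, withdraw=["198.51.100.7/32"]),
    _msg(1469584900.0, announce=["192.0.2.55/32"]),  # ordinary route, not blackholed
]


def daily_rollup(lines, now):
    tracker = BlackholeTracker()
    for line in lines:
        tracker.process(line)
    return tracker.summary(now)


if __name__ == "__main__":
    print(json.dumps(daily_rollup(SAMPLE_FEED, 1469577600.0 + 86400), indent=2))
```

For a live feed, point `daily_rollup` at the JSON lines exaBGP's process API writes (or at the day's log file) and run `summary()` at the day boundary; prefixes still active at that point are reported with their running duration rather than dropped, so long-lived entries like the 8-week-old ones Paul mentions show up in every daily rollup.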