Use a black hole router to protect your WISP from DoS service interruptions
By Jeremy Davis, WISP Engineer and Consultant at Visp.net
Sporadic degradation of your network? Customers calling with no obvious problems? Core or edge routers suddenly overloaded? These are symptoms that indicate you may be under a denial-of-service (DoS) attack. Rest assured, this article examines the number one way of mitigating DoS attacks.
How did I acquire this knowledge? I’ve worked for more than 17 years in the WISP industry. One of my critical responsibilities is to secure networks, which include extinguishing DoS attacks. Now, as an engineer at Visp.net, I have a responsibility to support our clients’ success, which is why I’m sharing this effective technique. But, before we explore the solution, let’s review the basics…
What are DoS attacks?
DoS attacks have plagued wide area networks since the dawn of the internet. Bots, botnets, zombies or other mechanisms described as compromised devices are used in coordination to attack a single location. They overwhelm the network and the intended target.
Once an attack starts, they are tough to stop unless you know the steps to mitigate the threat.
In most cases, firewalling does not help; it only adds to the problem because processing millions of small packets does not make the CPU of your border/core routers happy. Even when your router can drop all of the bad traffic, your incoming connection can be filled to the max allowing very little bandwidth for the good traffic. In many cases, you may be at the mercy of your upstream as you file a ticket to block the attack before it hits your network.
DoS attacks are increasing in frequency and duration. The proof is in the stats [1, according to Neustar, a global IT company:
- 168% increase in attacks from Q4 2018 to Q4 2019
- 180% increase in attacks from 2018 to 2019
- 31% increase in the largest measured attack from 2018 to 2019
The problem has increased over the past few years because we have more devices designed to connect to the internet , which offers a larger potential pool of devices to compromise.
Gaming DoS strike
While working at a WISP, we experienced an attack related to gaming. A customer got into a fight with someone during an online gaming session, incurring the wrath of the party on the other end of the game. During the attack, approximately 5-million packets from thousands of sources overwhelmed our customer’s connection and our core infrastructure.
This specific attack was interesting — the DoS attack only lasted 10 to15 seconds, took a break, then reared its ugly head again. It was just enough to cause problems for the ISP customer and intermittent issues for everyone on that segment of the network, but not enough for anyone to call in. It was pretty much a worst-case scenario for the network administrator and the ISP.
Mitigate DoS attacks
We were able to mitigate the DoS attack by using a BGP blackhole. RFC799 specifies a transitive BGP community of “BLACKHOLE” which routed the attacked address via a null route. The overhead of routing is significantly less than inspecting a packet with a firewall.
In our case, we used a separate router to inject the BGP Blackhole addresses into our edge router. The size of the device is not of any consequence. We currently use a Mikrotik RB750GL as it will not be receiving a feed, just pushing the attacked addresses to our Edge routing running the complete BGP feed.
Using a separate router is essential when the edge router is unable to be logged into from degradation of performance due to the attack. We set up route filters to make sure we do not pass any IPs we do not own.
In an imaginable worst-case scenario, an ISP once added YouTube to their blackhole and, without proper filtering, effectively removed half of the world’s access to this popular video service.
Here is an example configuration for a Mikrotik where 77777 is your ASN, 192.168.88.5 is a valid IP on the black hole, 10.0.0.0/20 is a subnet range of your network address, and 10.0.0.5/32 is the address you are trying to block.
#Sets up the BGP communication between the blackhole router and the main BGP router
/routing BGP instances name=”default” as=77777 router-id=192.168.88.5 redistribute-connected=no
redistribute-static=yes redistribute-rip=no redistribute-ospf=no
redistribute-other-bgp=no out-filter=”” client-to-client-reflection=yes
# Route filters lessen the chance of us blocking addresses we do not own
/routing filter chain=blackhole_out prefix=10.0.0.0/20 prefix-length=32 distance=66
invert-match=no action=accept set-bgp-prepend-path=””
/routing bgp network add network 10.0.0.5//32
Like most things in life, preparation is the key to success. Your BGP blackhole router will be sitting there doing nothing on most days. However, when you need it, there is no better way to defend against and mitigate a DoS attack. It’s a resource that you can rely on to preserve the quality and integrity of the services you offer your customers.
There are many resources that you can rely on. Just like the BGP blackhole router, you may not know how important a resource is until a challenge comes up that you’ve never faced before. Visp.net’s Success Team is available to answer questions in real-time from a dedicated and secure channel. Their job is to ensure Visp’s billing and automation system is working as it should, but they also lend a hand with solutions and resources to help you maintain long-term success. How important is your success?
Author’s Note, June 13, 2020: While this technique can work as-is via IBGP, establishing a relationship with your upstream bandwidth provider to support this technique via eBGP will increase the effectiveness and stop all DDoS traffic before it hits your edge router.
- Cisco Magazine – DDoS attacks rose 180% from 2019 compared to 2018:
2. Weagle, S.; DDoS Attacks Rise in Size, Sophistication, and Frequency; Corero Blog online: https://www.corero.com/blog/ddos-attacks-rise-in-size-sophistication-and-frequency/