October 1, 2019
In this video, Solutions Architect, Syed Danial Zaidi, looks at what remotely triggered DDoS blackhole routing is, how it works and how it can be used to mitigate a DDoS attack.
Hello, everyone. This is Danial, I’m the TPS Solutions Architect at A10, and in this session we’re going to talk about remote triggered black hole routing, also known as RTBH.
RTBH is a very common technique used by many service providers and large enterprises to protect against DDoS attacks.
The idea is to block the traffic at the edge before it actually enters the protected networks. In today’s world, DDoS attacks themselves come in many different shapes and forms. It could be an application level attack.
It could be a protocol level attack, or it could be volumetric in nature.
The whole intent of the attacker is to make the service unavailable by consuming all the network and application level resources.
So, when it comes to network layer protection, this is where RTBH plays its role. And if I go by the definition, RTBH means that all traffic to a certain destination is routed to a black hole, which is equivalent to dropping the traffic.
Now, with that being said, let’s take a look into it.
I will start off by drawing an ISP core, and let’s say I have a few edge devices providing internet connectivity.
And then I have a provider edge device providing service to one of my customers.
And let’s say this customer is hosting a web server and let’s give it an IP address, right? For the sake of simplicity, we’ll just say using an IP address of X.
Now, when the attack happens, let’s say that the attack starts and the attack is coming from random spoofed sources.
Then it’s going to try to take down this web server.
Well, another side effect of that is that it’s not just an attempt to take down the server, but it’s also going to impact the ISP core network, and perhaps it could cause a degradation for another customer’s service as well. So we need to block the traffic at the edge of the network.
So how RTBH works is there are three important things. First, we need to have a discard route.
Let’s say “A” via Null0, a discard route pre-configured on all of these edge devices.
The second thing we need to have is a BGP Policy and that’s where it gets interesting.
So we need to have a BGP policy that says: if I receive a routing update with a certain community, and it’s a match, I’m simply going to go ahead and, for that specific prefix, change the next hop IP address to the IP address that we have actually configured in the discard route.
So this is how it’s going to look.
We’re going to match on a community. For example, let’s say this community is “Y”, and we are just asking it to change the next hop to the IP address that we have used in the discard route.
Now, we have this thing pre-configured. What’s going to happen now is whenever an update is received with a community of “Y”, the match is going to happen, and we’re going to change the next hop pointing towards the null route.
Now the question is, who’s going to trigger that update? Well, for that, we need another device in the network, and we’re going to call this device
our trigger device or trigger router. So this trigger device needs to have iBGP peerings with all your edge devices,
right? And this trigger device needs to be configured with another BGP policy. And this policy is going to actually redistribute the static route with the community that this guy is actually looking for, which is going to be “Y”.
So now, when the DDoS attack happens and you need to block the traffic at the edge, somebody, being a network admin or a system operator, needs to log in to the trigger device and simply add a static route with a certain tag in it.
And this static route will be redistributed using this BGP policy and will be advertised toward the edge devices. The match is going to happen, and eventually the traffic will get blocked on your edge devices.
One thing I would like to highlight is that in A10’s DDoS protection solution, this whole process is actually completely automated.
You actually don’t need a trigger device. That’s what I’m trying to say.
If someone is using A10’s TPS device for providing DDoS mitigation service or maybe infrastructure protection, all they need to have is iBGP peerings with the edge devices, and whenever an entity is under attack, and if the action is to black hole the traffic, we can simply, in an autonomous fashion, advertise a BGP update with the certain community that the device is actually looking for. And that’s how the traffic will get blocked.
Thank you for watching this video and hopefully, we’ll see you in the next session.
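The three pieces the session walks through (a discard route on every edge device, a BGP policy that matches a community and rewrites the next hop to the discard address, and a trigger router that redistributes a tagged static route into BGP with that community) are shown below as an added example in Cisco IOS-style syntax. This is editor-supplied illustration, not A10’s configuration and not anything shown in the video. The victim address X is stood in for by 203.0.113.10/32, the community Y by 65000:666, the discard next hop by 192.0.2.1, and the AS number 65000 and the peer addresses 10.0.0.1 / 10.0.0.100 are constructed placeholders.

```text
! ---------------------------------------------------------------
! Edge device (repeat on every edge router)
! ---------------------------------------------------------------
! 1. Discard route: anything whose next hop resolves to 192.0.2.1
!    is dropped ("A via Null0" in the session).
ip route 192.0.2.1 255.255.255.255 Null0
!
! 2. BGP policy: if an iBGP update from the trigger router carries
!    community Y (65000:666), rewrite its next hop to the discard
!    address. Sequence 20 lets every other update through unchanged.
ip community-list standard RTBH permit 65000:666
!
route-map RTBH-IN permit 10
 match community RTBH
 set ip next-hop 192.0.2.1
route-map RTBH-IN permit 20
!
router bgp 65000
 neighbor 10.0.0.100 remote-as 65000
 neighbor 10.0.0.100 description trigger-router
 neighbor 10.0.0.100 route-map RTBH-IN in

! ---------------------------------------------------------------
! Trigger router
! ---------------------------------------------------------------
! 3. Policy that turns a tagged static route into a BGP update
!    carrying community Y. Only tag 666 matches; other statics are
!    not redistributed. no-export keeps the community inside the AS.
route-map RTBH-REDIST permit 10
 match tag 666
 set community 65000:666 no-export
 set origin igp
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description edge-1
 neighbor 10.0.0.1 send-community
 redistribute static route-map RTBH-REDIST
!
! During the attack the operator adds the tagged static route for
! the victim (X = 203.0.113.10). Removing it withdraws the black hole.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
```

On the edge device, `show ip route 203.0.113.10` should resolve the /32 to next hop 192.0.2.1, which in turn resolves to Null0, so the drop happens before the traffic crosses the core. Two points worth keeping in mind with this destination-based form: every packet to X is discarded, so the victim host is offline for the duration (the core and other customers are what is being shielded), and `send-community` must be enabled on the trigger-facing peers or the community never arrives and the match in `RTBH-IN` never fires.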