Thursday, December 10, 2020

FRR

FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

This article uses the Docker DDoS testbed to explore FRRouting's BGP Flowspec capability. Follow the steps in the Docker DDoS testbed article, but instead of running ExaBGP, run the following command to start the pre-built sflow/frr image:
docker run --rm -d --privileged --name frr sflow/frr
Run the following command to show the router configuration:
docker exec frr vtysh -c "show running-config"
The results will be displayed:
Building configuration...

Current configuration:
!
frr version 7.5_git
frr defaults traditional
hostname ed9e435c6f3d
no ipv6 forwarding
log stdout
!
router bgp 65000
 bgp router-id 0.0.0.1
 neighbor 192.168.65.2 remote-as 65001
 neighbor 192.168.65.2 port 1179
 neighbor 192.168.65.2 ebgp-multihop 255
 neighbor 192.168.65.2 timers connect 10
 !
 address-family ipv4 unicast
  neighbor 192.168.65.2 route-map ALLOW-ALL in
  neighbor 192.168.65.2 route-map ALLOW-ALL out
 exit-address-family
 !
 address-family ipv4 flowspec
  neighbor 192.168.65.2 activate
  neighbor 192.168.65.2 route-map ALLOW-ALL in
  neighbor 192.168.65.2 route-map ALLOW-ALL out
 exit-address-family
 !
 address-family ipv6 unicast
  neighbor 192.168.65.2 activate
  neighbor 192.168.65.2 route-map ALLOW-ALL in
  neighbor 192.168.65.2 route-map ALLOW-ALL out
 exit-address-family
 !
 address-family ipv6 flowspec
  neighbor 192.168.65.2 activate
  neighbor 192.168.65.2 route-map ALLOW-ALL in
  neighbor 192.168.65.2 route-map ALLOW-ALL out
 exit-address-family
!
route-map ALLOW-ALL permit 100
!
ip nht resolve-via-default
!
line vty
!
end

Simulate a DDoS attack as described in Docker DDoS testbed.

Now run the following command to see the Flowspec rule:

docker exec frr vtysh -c "show bgp ipv4 flowspec detail"

The following rule was sent to the router:

BGP flowspec entry: (flags 0x418)
	Destination Address 172.17.0.1/32
	IP Protocol = 17 
	Source Port = 53 
	FS:rate 0.000000
	received for 00:00:48
	not installed in PBR

Displayed  1 flowspec entries

The rule isn't installed in the policy based routing (PBR) table since the current version of FRRouting doesn't include the necessary Netfilter driver.
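The "not installed in PBR" line is easy to miss when eyeballing vtysh output, so an operator checking that a mitigation is actually enforced should parse it rather than just confirm the rule was received. The following parser is an added example written for this article, not code from FRRouting or the sflow/frr image; it is fed a constructed copy of the listing above and assumes that the positive case prints "installed in PBR" without the leading "not".

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the vtysh "show bgp ipv4 flowspec detail" listing shown above.
SAMPLE = """BGP flowspec entry: (flags 0x418)
\tDestination Address 172.17.0.1/32
\tIP Protocol = 17 
\tSource Port = 53 
\tFS:rate 0.000000
\treceived for 00:00:48
\tnot installed in PBR
Displayed  1 flowspec entries
"""

@dataclass
class FlowspecEntry:
    dst: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    rate: Optional[float] = None  # FS:rate 0 encodes the traffic-rate "discard" action
    installed: bool = False       # True only once FRR has pushed the rule into PBR
# Attribute lines as vtysh prints them in the listing above -> (field, converter).
# Assumes the positive PBR case prints "installed in PBR" without the leading "not".
FIELDS = [
    (re.compile(r"^Destination Address (\S+)"), "dst", str),
    (re.compile(r"^IP Protocol = (\d+)"), "proto", int),
    (re.compile(r"^Source Port = (\d+)"), "src_port", int),
    (re.compile(r"^FS:rate ([\d.]+)"), "rate", float),
    (re.compile(r"^(not )?installed in PBR"), "installed", lambda g: g is None),
]
def parse_flowspec(text: str) -> List[FlowspecEntry]:
    """Parse 'show bgp ipv4 flowspec detail' output into one entry per rule."""
    entries: List[FlowspecEntry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BGP flowspec entry"):
            cur = FlowspecEntry()
            entries.append(cur)
        elif cur is not None:
            for pat, name, conv in FIELDS:
                if m := pat.match(line):
                    setattr(cur, name, conv(m.group(1)))
                    break
    return entries

def is_enforced_discard(e: FlowspecEntry) -> bool:
    """A discard rule only mitigates traffic if FRR also installed it in PBR."""
    return e.rate == 0.0 and e.installed
```

Running the parser on the listing above yields one UDP source-port-53 discard rule for 172.17.0.1/32 that is_enforced_discard reports as not enforced, which is exactly the state the text describes.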

FRRouting software is widely used in open source network operating systems such as SONiC, OpenSwitch, and DENT. Once the Flowspec driver integration is complete, the white box switch hardware supported by these network operating systems will provide a cost-effective method of mitigating DDoS attacks - combining the real-time visibility of sFlow with the real-time control capabilities of Flowspec.