Comments on sFlow: BGP FlowSpec on white box switch

Thomas Mangin, 2017-07-06 05:48 -07:00:
Thank you - a slightly improved version of this code is now in the ExaBGP repository:
https://github.com/Exa-Networks/exabgp/blob/master/lib/exabgp/application/flow.py

Peter, 2017-07-06 07:18 -07:00:
Thanks! I have updated the article with a link.

Anonymous, 2017-11-04 00:48 -07:00:
Should this switch be connected directly to the router?
Should this switch be in the middle of Router <-> Server?

Peter, 2017-11-04 08:17 -07:00:
The best placement for the switch depends on your network topology. If you are a service provider and want to offer protection to your downstream customers, then the switches would be at the edge of the network connecting to the customer WAN links.

If you are trying to protect a data center or campus, then you want to have the switch as close to the upstream link as possible, since this is the traffic you want to filter.

For most setups you are probably better off using <a href="http://blog.sflow.com/2014/12/rest-api-for-cumulus-linux-acls.html" rel="nofollow">REST API for Cumulus Linux ACLs</a>. The FlowSpec implementation shown in this article is useful for experimenting with FlowSpec, or to integrate with existing FlowSpec controllers.

Anonymous, 2017-11-04 08:33 -07:00:
Hello Peter,

Actually our router doesn't support BGP FlowSpec, but we want to set up DDoS scrubbing in our whole network. Just wondering how to do the setup.

Can you guide us in the setup?

We are using Brocade MLXe as core router, Brocade VDX as edge router and Brocade ICX as rack switch. The MLXe has uplinks from upstreams, and we have 2x VDX in redundant mode, both VDX getting uplinks from the MLXe and then forwarding traffic to the rack switches.

We filter most attacks using ACLs but need a SYN flood filtering system which can filter all the traffic before it reaches the servers inside our network.

Peter, 2017-11-04 12:23 -07:00:
SYN floods typically don't generate the amount of traffic associated with UDP attacks. Layer 4+ attacks are better mitigated at the load balancer or on the servers. Have you tried using <a href="https://access.redhat.com/solutions/30453" rel="nofollow">SYN cookies</a>?

Anonymous, 2017-11-04 12:44 -07:00:
Hello Peter,

Yes, we do use SYNPROXY in CentOS 7, but it's not supported in CentOS 6, and using SYN cookies is not much of an improvement; only SYNPROXY works in a much better way. Though we already filter spoofed IPs, so not much traffic passes our security ACLs, we still need a DDoS filtering system.

Hammy, 2018-11-07 08:48 -08:00:
So now which switches or which chipsets support a large amount of ACL entries? Ideally, hundreds of thousands.

Peter, 2018-11-07 09:31 -08:00:
The Cumulus Linux <a href="https://docs.cumulusnetworks.com/display/DOCS/Netfilter+-+ACLs" rel="nofollow">Netfilter - ACLs</a> documentation lists the number of ACLs supported for the supported merchant silicon platforms. The maximum is in the thousands, not hundreds of thousands.

<a href="https://blog.sflow.com/2016/02/cloudflare-ddos-mitigation-pipeline.html" rel="nofollow">CloudFlare DDoS Mitigation Pipeline</a> describes using BPF filters on hosts to implement large numbers of complex filters. You could use sFlow analytics to construct a hybrid approach, pushing filters for high volume attacks to hardware switches and implementing low volume filtering in software. sFlow-RT's BGP support could be used to steer attack traffic through the scrubbing switches and/or servers by modifying the <a href="https://blog.sflow.com/2017/06/remotely-triggered-black-hole-rtbh.html" rel="nofollow">Remotely Triggered Black Hole (RTBH) Routing</a> application to steer attack traffic rather than drop it.

Mumu, 2018-11-24 18:26 -08:00:
Hi Peter,
I have a question about how to send a message after running ExaBGP. I saved the FlowSpec message file you attached at the end of the article to msg.json. And I opened another terminal running "cat msg.json > exabgp-4.0.10/run/exabgp.in", but I received the error:

21:09:02 | 32509 | api | command from process not understood : {
21:09:02 | 32509 | api | command from process not understood : "exabgp": "4.0.10" ,
.....

Could you help with how to send a BGP FlowSpec message after running ExaBGP? Thanks

Mumu, 2018-11-24 18:42 -08:00:
Hi Peter,

Could you explain how to send a BGP FlowSpec message? I run ExaBGP in one terminal and saved the JSON file you attached at the end to one file msg.json and ran the command "cat msg.json > exabgp-4.0.10/run/exabgp.in" in the other terminal. But I received an error:

20:52:35 | 31542 | api | command from process not understood : {
20:52:35 | 31542 | api | command from process not understood : "exabgp": "4.0.0" ,
20:52:35 | 31542 | api | command from process not understood : "time": 1498868955.31 ,
20:52:35 | 31542 | api | command from process not understood : "host": "tor-router" ,

Could you explain more on how to send a BGP FlowSpec message to ExaBGP? Thanks

Peter, 2018-11-25 08:28 -08:00:
The JSON message shown in the article was a log of an internal message received by the acl.py script embedded in ExaBGP. In this case the BGP FlowSpec message was sent by sFlow-RT, see <a href="https://blog.sflow.com/2017/07/real-time-ddos-mitigation-using-sflow.html" rel="nofollow">Real-time DDoS mitigation using sFlow and BGP FlowSpec</a>.

You should consult the ExaBGP documentation for configuration examples for sending FlowSpec messages.