BCP-38 demo Alan Barrett Geert Jan de Groot & cast of thousands

Page 1

BCP-38 demo

Alan Barrett

Geert Jan de Groot

& cast of thousands

Page 2

Agenda

• BCP-38 DNS DDOS demo

• Build spoofed packet traffic generator
  – “be the bad-behaving customer”

• Configure the network to filter
  – “be the responsible ISP”

Page 3

Basic network

[Diagram: the Client sends a DNS request to the DNS server, which returns a DNS response.]

Page 4

Network diagram

[Diagram: Rows A, B, C, …, J, each with a router (R) and a PC; plus the DNS server and the VICTIM.]

Page 5

Step 1: install and run software

• Download packet spoofing software

• Configure

• Run

More details on next pages

Page 6

1(a): Download packet spoofing software

• cd $HOME

• mkdir spoofing-demo; cd spoofing-demo

• ftp 196.200.222.1
  – login as “anonymous”
  – cd /pub/e2/bcp38
  – binary
  – mget * (enter “a” to get all files)

Page 7

1(b): Configure

• From your PC, ping the IP address of your router:
  ping -c 1 ip.ad.re.ss

• Find out and write down the MAC address of your router:
  arp -an

• Edit spoof_script and change:
  – TABLE_ROW
  – ROUTER_MAC

Page 8

1(c): Run the spoofer

• chmod 755 spoof_script tcpreplay

• Start the generator (as root):
  ./spoof_script

Page 9

Step 2: Observe spoofed packets and responses

• Instructors use “tcpdump” to capture traffic on the backbone.

• Observe the spoofed packets, and responses to them.

Page 10

Step 3: Enable unicast reverse-path filtering (URPF)

• Login to router

• Configure:
  interface fastEthernet0/0
   ip verify unicast reverse-path

• A packet arriving on this interface is accepted only if the router would route its source address back out through that same interface. In other words, for all destinations that are routed outwards through this interface, incoming traffic in the opposite direction is allowed; packets with any other source address are dropped.

Page 11

Step 4: See that it worked

• Observe that the tcpdump display stops showing spoofed packets

• show ip interface fastEthernet0/0
  – Near the end, see “verification drops”

Page 12

URPF variant for multi-homed customer

! access-list 42 will permit the routes
! that would otherwise fail the test
! (e.g. downlink through a different ISP)
! (numbered standard ACL: no leading "ip" keyword)
access-list 42 permit 192.0.2.0 0.0.0.255
interface fastEthernet0/0
 ip verify unicast reverse-path 42

Page 13

Another variant: Filtering using access-group

! access-list 123 permits all packets
! from the customer; everything else is
! dropped by the implicit deny
! (numbered extended ACL: no leading "ip" keyword)
access-list 123 permit ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
interface fastEthernet0/0
 ip access-group 123 in

• This is less efficient and more difficult to configure.
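As an added illustration that is not part of the slides or the demo software, the Python below models the three filtering decisions from Step 3 and the two variant pages: strict URPF against a routing table, the ACL-exempted URPF of the multi-homed variant, and the static access-group filter. The routing table, the second interface name and the extra prefixes are constructed for the example; only fastEthernet0/0 and 192.0.2.0/24 come from the slides.

```python
import ipaddress

# Constructed routing table (destination prefix -> egress interface).
# fastEthernet0/0 and 192.0.2.0/24 come from the slides; the rest is made up.
FIB = {
    "0.0.0.0/0": "fastEthernet1/0",       # default route towards the backbone
    "192.0.2.0/24": "fastEthernet0/0",     # the customer's own prefix
    "198.51.100.0/24": "fastEthernet1/0",  # a network reached via the backbone
}


def lookup_egress(src_ip):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def matches_acl(src_ip, prefixes):
    """True if src_ip falls inside any prefix of a (constructed) permit-only ACL."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def strict_urpf_accept(src_ip, in_iface, exempt_acl=()):
    """'ip verify unicast reverse-path [acl]': accept only if the reverse path to
    src_ip leaves via the arrival interface. exempt_acl plays the role of
    access-list 42 in the multi-homed variant: sources it permits pass anyway."""
    if lookup_egress(src_ip) == in_iface:
        return True
    return matches_acl(src_ip, exempt_acl)


def access_group_accept(src_ip, permitted):
    """'ip access-group 123 in': static source filter, implicit deny for the rest."""
    return matches_acl(src_ip, permitted)


def verification_drops(src_ips, in_iface, exempt_acl=()):
    """Count packets strict URPF would drop, like the 'verification drops' counter."""
    return sum(1 for s in src_ips if not strict_urpf_accept(s, in_iface, exempt_acl))


if __name__ == "__main__":
    # Constructed traffic on the customer port: one genuine source, two spoofed.
    sample = ["192.0.2.10", "198.51.100.5", "203.0.113.7"]
    print("drops:", verification_drops(sample, "fastEthernet0/0"))  # 2
```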