ARBOR Solution

The Arbor DDoS Protection Solution addresses the increasing threat of Distributed Denial of Service (DDoS) attacks faced by ISPs, Cloud Providers, and Enterprises. It utilizes the Arbor Threat Mitigation System (TMS) to effectively remove DDoS attack traffic while maintaining service availability, in conjunction with Arbor Sightline for visibility and threat detection. The document outlines the configuration and operational procedures for detecting and mitigating DDoS attacks, including sampling options, firewall filters, and BGP sessions for traffic management.


Arbor DDoS Protection Solution
Prepared By Eslam Elgendy

Internet Service Providers (ISPs), Cloud Providers and Enterprises face a common problem. Distributed Denial of Service (DDoS) attacks are a major risk to service availability. The power, sophistication and frequency of DDoS attacks continue to increase. Data center operators and network providers need a defense that is effective, cost-efficient and easily managed. Arbor Threat Mitigation System (TMS) is the acknowledged leader in DDoS protection. More Service Providers, Cloud Providers and large Enterprises use Arbor TMS as a DDoS mitigator than any other solution. Working in conjunction with our Arbor Sightline solution, which provides visibility and threat detection, Arbor Threat Mitigation System (TMS) surgically removes DDoS attack traffic from your network without disrupting key network services.

We have two ARBOR systems located in two sites (AUTO & RODA):
- Main is connected to RODA-R42J
- Backup is connected to AUTO-R40J

RODA-R42J-C-EG> show interfaces descriptions | match ae10
ae10       up  up  ARBOR_TMS
ae10.100   up  up  L2-TRAFFIC_DC-TO-TMS
ae10.200   up  up  L3-TRAFFIC-TO-TMS
ae10.666   up  up  L3-TRAFFIC-FROM-TMS-TO-CUSTOMER
ae10.888   up  up  L2-TRAFFIC-FROM-TMS-TO-DC

RODA-R42J-C-EG> show interfaces descriptions | match collec
ge-4/0/1   up  up  SP_Collector1_MGM-Arbor_L1
ge-4/0/2   up  up  SP_Collector2_MGM-Arbor_L1
xe-7/0/5   up  up  SP_Collector1-Arbor_L1
xe-14/1/5  up  up  SP_Collector2-Arbor_L1

How it works to detect & mitigate a DDoS attack

1- Create sampling options on all IGWs to take samples from the INT (international) traffic and send them to the SP_Collector server.

RODA-R42J-C-EG> show configuration forwarding-options sampling | display set
set forwarding-options sampling input rate 7000
set forwarding-options sampling input run-length 0
set forwarding-options sampling input max-packets-per-second 65000
set forwarding-options sampling family inet output flow-server 213.158.167.33 port 9996
set forwarding-options sampling family inet output flow-server 213.158.167.33 source-address 10.45.5.136
set forwarding-options sampling family inet output flow-server 213.158.167.33 version 5
set forwarding-options sampling family inet output flow-server 213.158.167.97 port 9996
set forwarding-options sampling family inet output flow-server 213.158.167.97 source-address 10.45.10.111

2- Apply an input firewall filter on all INT links on all IGWs.

RODA-R42J-C-EG> show configuration interfaces et-1/0/3
description INT-IPT-Cogent-RODA-100G-NB-L11--TEN_IPT_100G_0010-TENORTH_CST_WE;
unit 0 {
    family inet {
        filter {
            input INTRNL-TRAFFIC-IN;
            output Traffic-Out;
        }
    }
}

set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK from destination-address 156.200.128.0/17
set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK from destination-address 156.192.0.0/16
set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK from destination-address 154.183.224.0/21
set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK then sample
set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK then forwarding-class Best-Effort
set firewall filter INTRNL-TRAFFIC-IN term ADSL-MARK then accept

3- There is a BGP session between RODA-R42J-C-EG and SP_Collector. We advertise the whole BGP table to it and receive back only the IPs under attack, as /32 routes with next hop the TMS IP (10.60.213.126). A rib group then leaks these routes from the global table to the INTERNET VRF, because all international links sit under the INTERNET VRF.

RODA-R42J-C-EG> show configuration protocols bgp group Arbor_Peering | display set
set protocols bgp group Arbor_Peering type external
set protocols bgp group Arbor_Peering multihop ttl 5
set protocols bgp group Arbor_Peering import Arbor-Import
set protocols bgp group Arbor_Peering family inet unicast rib-group GLOBAL_TO_INTERNET
set protocols bgp group Arbor_Peering family inet flow no-validate Arbor-no-validate
set protocols bgp group Arbor_Peering authentication-key "$9$-jVbY4aUiHm2gTF3nAt8LxNdsoaUDjkgoaG"
set protocols bgp group Arbor_Peering export to_Arbor
set protocols bgp group Arbor_Peering peer-as 65000
set protocols bgp group Arbor_Peering neighbor 213.158.167.97 local-address 10.45.10.111

RODA-R42J-C-EG> show configuration routing-options rib-groups
GLOBAL_TO_INTERNET {
    import-rib [ inet.0 INTERNET.inet.0 ];
    import-policy GLOBAL-TO-INTERNET;
}

RODA-R42J-C-EG> show route receive-protocol bgp 213.158.167.97

inet.0: 44924 destinations, 99658 routes (44922 active, 2 holddown, 5 hidden)
  Prefix                 Nexthop          MED   Lclpref   AS path
* 41.33.207.146/32       10.60.213.126                    65000 ?
* 156.200.2.159/32       10.60.213.126                    65000 ?
* 196.219.3.120/32       10.60.213.126                    65000 ?
* 213.158.164.117/32     10.45.18.113                     65000 ?
* 213.158.164.118/32     10.45.18.113                     65000 ?
* 213.158.188.33/32      10.60.213.126                    65000 ?
* 213.158.188.34/32      10.60.213.126                    65000 ?
* 213.158.188.35/32      10.60.213.126                    65000 ?
* 213.158.188.36/32      10.60.213.126                    65000 ?
* 213.158.188.37/32      10.60.213.126                    65000 ?
* 213.158.188.38/32      10.60.213.126                    65000 ?
* 213.158.188.39/32      10.60.213.126                    65000 ?
* 213.158.188.40/32      10.60.213.126                    65000 ?
* 213.158.188.43/32      10.60.213.126                    65000 ?

4- If the customer subscribes to the mitigation service, TMS cleans the attack traffic and sends the normal customer traffic back to our router (RODA-R42) under VRF "Service_VRF", and from there on to the customer.

RODA-R42J-C-EG> show interfaces descriptions | match ae10
ae10.200   up  up  L3-TRAFFIC-TO-TMS
ae10.666   up  up  L3-TRAFFIC-FROM-TMS-TO-CUSTOMER

5- We then find out which customer the attacked IP belongs to:

RODA-R42J-C-EG> show route table Service_VRF.inet.0 41.33.207.146 detail | match prot
Protocol next hop: 10.45.10.195

TESVDC7-R30J-GZ-EG> show route table Service_VRF.inet.0 41.33.207.146

Service_VRF.inet.0: 2256 destinations, 4470 routes (2256 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

41.33.207.144/28   *[Static/5] 68w2d 03:30:52
                    > to 172.17.172.78 via xe-1/1/1.700
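Added example (not part of the original document): a small Python check that parses the `show route receive-protocol bgp` output from step 3 and, for each route learned from the Arbor peer, confirms it is a /32 host route with the TMS next hop (10.60.213.126) and looks up which mitigation customer subnet it falls in, as done by hand in step 5. The route lines are constructed from the document's own output and the customer name is a placeholder; routes whose next hop is not the TMS are reported for review rather than treated as diversions.

```python
import ipaddress
import re

# Next hop that TMS sets on the diversion routes learned from the Arbor peer.
TMS_NEXT_HOP = "10.60.213.126"

# Constructed sample: route lines in the format Junos prints for
# "show route receive-protocol bgp <peer>", taken from the document's output.
RECEIVED_ROUTES = """\
inet.0: 44924 destinations, 99658 routes (44922 active, 2 holddown, 5 hidden)
  Prefix                Nexthop         MED  Lclpref  AS path
* 41.33.207.146/32      10.60.213.126                 65000 ?
* 156.200.2.159/32      10.60.213.126                 65000 ?
* 213.158.164.117/32    10.45.18.113                  65000 ?
* 213.158.188.33/32     10.60.213.126                 65000 ?
"""

# Subnets of customers subscribed to mitigation (the static routes in
# Service_VRF); the customer name is a constructed placeholder.
MITIGATION_CUSTOMERS = {"41.33.207.144/28": "customer-A"}

ROUTE_RE = re.compile(r"^\*\s+(\S+/\d+)\s+(\S+)\s+.*?(\d+)\s+[?ie]$")

def parse_routes(text):
    """Return (prefix, next_hop, peer_as) for every active route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group(1), m.group(2), int(m.group(3))))
    return routes

def audit_diversions(text, tms_next_hop=TMS_NEXT_HOP, customers=MITIGATION_CUSTOMERS):
    """Classify each route from the Arbor peer: a healthy diversion is a /32
    whose next hop is the TMS; anything else is reported for review."""
    nets = {ipaddress.ip_network(p): name for p, name in customers.items()}
    report = {}
    for prefix, next_hop, _asn in parse_routes(text):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen != 32:
            report[prefix] = "REVIEW: not a /32 host route"
        elif next_hop != tms_next_hop:
            report[prefix] = f"REVIEW: next hop {next_hop} is not TMS"
        else:
            owner = next((n for c, n in nets.items() if net.subnet_of(c)), None)
            report[prefix] = f"diverted to TMS ({owner or 'no mitigation customer found'})"
    return report
```

Running it on the live router output (pasted in place of RECEIVED_ROUTES) gives the NOC a one-line verdict per diverted IP before the routes are leaked into the INTERNET VRF.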

6- We should create leaking for the mitigation customer's subnets under VRF (Service_VRF):

TESVDC7-R30J-GZ-EG> show configuration routing-instances Service_VRF | display set
set routing-instances Service_VRF routing-options static route 41.33.207.144/28 next-hop 172.17.172.78
set routing-instances Service_VRF instance-type vrf
set routing-instances Service_VRF route-distinguisher 8452:2389
set routing-instances Service_VRF vrf-import Service_VRF-import
set routing-instances Service_VRF vrf-export Service_VRF-export
set routing-instances Service_VRF vrf-table-label

TESVDC7-R30J-GZ-EG> show configuration routing-options rib-groups Service_VRF | display set
set routing-options interface-routes rib-group inet Service_VRF
set routing-options rib-groups Service_VRF import-rib inet.0
set routing-options rib-groups Service_VRF import-rib Service_VRF.inet.0

In case we have an attack on our network we should call IT Network Security to detect the attack and identify the targeted IPs, then stop it; or, as a fast workaround, we can deny these IPs on the input firewall filter on the IGWs, as in the example configuration below:



set firewall filter INTRNL-TRAFFIC-IN term E-Finance-Deny from destination-address 196.46.22.159/32
set firewall filter INTRNL-TRAFFIC-IN term E-Finance-Deny then discard
set firewall filter INTRNL-TRAFFIC-IN term E-Finance-Allow from destination-address 196.46.22.0/24
set firewall filter INTRNL-TRAFFIC-IN term E-Finance-Allow then accept
