BCP-38 demo Alan Barrett Geert Jan de Groot & cast of thousands.
Agenda
• BCP-38 DNS DDOS demo
• Build spoofed packet traffic generator
– “be the bad-behaving customer”
• Configure the network to filter
– “be the responsible ISP”
Basic network
(Diagram: a Client sends a DNS request to a DNS server; the DNS server returns a DNS response to the Client.)
Network diagram
(Diagram: rows A, B, C, … J, each with a router (R) and a PC behind it, all connected to a backbone that also carries the DNS VICTIM.)
Step 1: install and run software
• Download packet spoofing software
• Configure
• Run
More details on next pages
1(a): Download packet spoofing software
• cd $HOME
• mkdir spoofing-demo; cd spoofing-demo
• ftp 196.200.222.1
– login as “anonymous”
– cd /pub/e2/bcp38
– binary
– mget * (enter “a” to get all files)
1(b): Configure
• From your PC, ping the IP address of your router:
ping -c 1 ip.ad.re.ss
• Find out and write down the MAC address of your router:
arp -an
• Edit spoof_script and change:
– TABLE_ROW
– ROUTER_MAC
1(c): Run the spoofer
• chmod 755 spoof_script tcpreplay
• Start the generator (as root):
./spoof_script
Step 2: Observe spoofed packets and responses
• Instructors use “tcpdump” to capture traffic on the backbone.
• Observe the spoofed packets, and responses to them.
Step 3: Enable unicast reverse-path filtering (URPF)
• Login to router
• Configure:
interface fastEthernet0/0
 ip verify unicast reverse-path
• For all destinations that are routed outwards through this interface, incoming traffic in the opposite direction is allowed.
Step 4: See that it worked
• Observe that the tcpdump display stops showing spoofed packets
• show ip interface fastEthernet0/0
– Near the end, see “verification drops”
URPF variant for multi-homed customer
! Cisco IOS: access-list 42 permits the source prefixes
! that would otherwise fail the reverse-path test
! (e.g. downlink through a different ISP).
! Numbered ACLs are defined with “access-list”, not “ip access-list”.
access-list 42 permit 192.0.2.0 0.0.0.255
interface fastEthernet0/0
 ip verify unicast reverse-path 42
Another variant: Filtering using access-group
! access-list 123 permits all packets sourced
! from the customer's prefix; everything else is
! dropped by the implicit deny at the end of the list.
! (“any” is the same as the destination 0.0.0.0 255.255.255.255.)
access-list 123 permit ip 192.0.2.0 0.0.0.255 any
interface fastEthernet0/0
 ip access-group 123 in
• This is less efficient and more difficult to configure
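The reverse-path check from Step 3 and the exception list of the multi-homed variant, modelled in plain Python as an added example (not part of the slides, and not router code): a constructed routing table using the RFC 5737 documentation prefixes, a longest-prefix lookup, and a strict-mode uRPF decision with a “verification drops” counter. Interface names, prefixes and the hypothetical exception prefix 203.0.113.0/24 are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed routing table: prefix -> egress interface.
# fa0/0 faces the customer, fa0/1 faces the upstream (default route).
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "fa0/0",     # the customer's own prefix
    ipaddress.ip_network("198.51.100.0/24"): "fa0/1",  # some remote network
    ipaddress.ip_network("0.0.0.0/0"): "fa0/1",        # default route to upstream
}

# Exception list, playing the role of access-list 42 on the slide: a
# multi-homed customer prefix that legitimately arrives here although the
# router would route it out elsewhere (hypothetical value).
URPF_EXCEPTIONS = [ipaddress.ip_network("203.0.113.0/24")]


def lookup_egress(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src, ingress, exceptions=()):
    """Strict uRPF: accept if the reverse path to src leaves via the ingress
    interface, or if the exception list permits the source; otherwise drop."""
    if lookup_egress(src) == ingress:
        return "accept"
    if any(ipaddress.ip_address(src) in net for net in exceptions):
        return "accept"
    return "drop"


def filter_all(packets, exceptions=URPF_EXCEPTIONS):
    """Check every (source, ingress) pair and count drops per interface,
    like the “verification drops” line of “show ip interface”."""
    verdicts = [(src, iface, urpf_strict(src, iface, exceptions)) for src, iface in packets]
    drops = Counter(iface for _, iface, v in verdicts if v == "drop")
    return verdicts, drops


# Constructed sample packets arriving on the customer-facing interface fa0/0.
PACKETS = [
    ("192.0.2.10", "fa0/0"),    # customer's real address: reverse path matches
    ("198.51.100.7", "fa0/0"),  # spoofed: 198.51.100.0/24 is reached via fa0/1
    ("203.0.113.5", "fa0/0"),   # multi-homed customer, saved by the exception list
    ("100.64.1.1", "fa0/0"),    # spoofed: only the default route via fa0/1 matches
]

if __name__ == "__main__":
    results, drop_count = filter_all(PACKETS)
    for src, _, verdict in results:
        print(f"{src:15} {verdict}")
    print("verification drops:", dict(drop_count))
```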