During the previous DDoS we saw inbound traffic from AS0 in Turnilo, which means Pmacct didn't have a matching routing table entry to associate the source IP with.
See for example: https://w.wiki/GaH
This can be either some lag between Pmacct and the routing table (unlikely) or traffic from spoofed source IPs in ranges not present in the DFZ (default-free zone).
There is a tool to drop this kind of traffic at our borders: uRPF (unicast Reverse Path Forwarding) in loose mode.
The concept is simple: on selected (public-facing) interfaces the router checks whether the source IP of each incoming packet is covered by any prefix in its routing table. If it is not, the packet is discarded.
There are a few knobs to tweak to make it less scary:
- loose mode: strict mode (the default) checks that the packet arrived on the interface the router would itself use to reach the source IP, i.e. it assumes symmetric routing, which we don't have at our borders. Loose mode only checks that some route to the source exists in the routing table, whatever interface it points to.
- fail-filter: lets us apply a firewall filter to packets flagged by uRPF instead of silently discarding them; here we would first log (and accept) them to see whether there are any false positives.
- unicast-reverse-path feasible-paths: by default the check only considers active paths, so traffic could be dropped during routing re-convergence; feasible-paths also accepts alternate (non-active) paths to the source.
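To make the strict/loose, feasible-paths and discard-route distinctions concrete, here is a small Python model of the check. This is an added example, not code from the ticket, Wikimedia or Juniper: the routes, interface names and packets are constructed, and the model follows generic uRPF semantics rather than simulating the Junos PFE (the strict-mode handling of a discard route is a modelling choice).

```python
"""Toy model of the uRPF knobs discussed above.

Added example, not code from the ticket, Wikimedia or Juniper. The routes,
interface names and packets below are constructed; the check models generic
uRPF semantics and is not a simulation of the Junos PFE."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    active_iface: Optional[str] = None     # interface of the active path (None for a discard route)
    feasible_ifaces: Tuple[str, ...] = ()  # interfaces of alternate, non-active paths
    discard: bool = False                  # next hop "discard", e.g. a blackholed prefix


class RoutingTable:
    def __init__(self, routes):
        self.routes = [(ip_network(r.prefix), r) for r in routes]

    def lookup(self, src: str) -> Optional[Route]:
        """Longest-prefix match for src; None when no prefix covers it."""
        addr = ip_address(src)
        covering = [(net, r) for net, r in self.routes
                    if net.version == addr.version and addr in net]
        if not covering:
            return None
        return max(covering, key=lambda pair: pair[0].prefixlen)[1]


def rpf_check(table: RoutingTable, src: str, ingress_iface: str,
              mode: str = "loose", feasible_paths: bool = False,
              loose_mode_discard: bool = False) -> bool:
    """True if the packet passes uRPF; False if it would hit the fail-filter."""
    route = table.lookup(src)
    if route is None:
        # No covering prefix at all: the "AS0" traffic seen in Turnilo.
        return False
    if route.discard:
        # A discard route is still "a route", so loose mode passes it unless
        # rpf-loose-mode-discard is set. Strict mode is modelled as failing,
        # since there is no interface to match the packet against.
        return mode == "loose" and not loose_mode_discard
    if mode == "loose":
        return True
    valid = {route.active_iface}
    if feasible_paths:
        valid.update(route.feasible_ifaces)  # unicast-reverse-path feasible-paths
    return ingress_iface in valid


# Constructed routing table: two upstreams, one blackholed prefix, one v6 prefix.
TABLE = RoutingTable([
    Route("198.51.100.0/24", active_iface="xe-0/0/0", feasible_ifaces=("xe-0/0/1",)),
    Route("203.0.113.0/24", active_iface="xe-0/0/1"),
    Route("192.0.2.0/24", discard=True),
    Route("2001:db8::/32", active_iface="xe-0/0/0"),
])

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "xe-0/0/0"),  # symmetric: passes in every mode
    ("198.51.100.7", "xe-0/0/1"),  # asymmetric, alternate path exists
    ("203.0.113.9", "xe-0/0/0"),   # asymmetric, no alternate path
    ("192.0.2.1", "xe-0/0/0"),     # source inside a blackholed prefix
    ("100.64.0.1", "xe-0/0/0"),    # not in the table at all (not in the DFZ)
    ("2001:db8::1", "xe-0/0/1"),   # v6, asymmetric
]

MODES = {
    "strict": dict(mode="strict"),
    "strict+feasible": dict(mode="strict", feasible_paths=True),
    "loose": dict(mode="loose"),
    "loose+discard": dict(mode="loose", loose_mode_discard=True),
}


def flagged_sources(table: RoutingTable, packets, **knobs):
    """Sources that would be flagged (fail the check) under the given knobs."""
    return sorted({src for src, ifc in packets if not rpf_check(table, src, ifc, **knobs)})


if __name__ == "__main__":
    for name, knobs in MODES.items():
        print(f"{name:16} flags {flagged_sources(TABLE, PACKETS, **knobs)}")
```

Running it shows why loose mode is the one we want at the border: strict mode flags every asymmetric source, feasible-paths rescues only those with an alternate path on the ingress interface, while loose mode flags only the unrouted source, plus the blackholed one once rpf-loose-mode-discard is set.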
You can find more details on https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html
There is at least one report of it not working as well as it's supposed to.
If it does work it would be a great tool to reduce the impact of both amplification and flood attacks whose sources are spoofed from unrouted space. Note that a loose check only catches sources with no route at all; spoofed sources inside announced prefixes still pass.
Here is the first step:
```
[edit groups external-links interfaces <*> unit <*> family inet]
+      rpf-check {
+          fail-filter log-only4;
+          mode loose;
+      }
[edit groups external-links interfaces <*> unit <*> family inet6]
+      rpf-check {
+          fail-filter log-only6;
+          mode loose;
+      }
[edit forwarding-options]
+   rpf-loose-mode-discard {
+       family {
+           inet;
+           inet6;
+       }
+   }
[edit routing-options forwarding-table]
+   unicast-reverse-path feasible-paths;
[edit firewall family inet]
     filter vrrp-in4 { ... }
+    filter log-only4 {
+        term default {
+            then {
+                log;
+                accept;
+            }
+        }
+    }
[edit firewall family inet6]
     filter vrrp-in6 { ... }
+    filter log-only6 {
+        term default {
+            then {
+                log;
+                accept;
+            }
+        }
+    }
```
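Review bot: the `log` action in log-only4 and log-only6 only writes packet headers to the local firewall log buffer on the PFE (readable with `show firewall log`); nothing is exported off the router, so a Kibana dashboard built on these filters would have no data to show. If the hits are meant to reach the log pipeline, use `syslog` (or `sample`, as planned for the final step) in the `then` block, and consider adding `count` so the hit rate can be read from `show firewall filter log-only4` without parsing logs at all.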
Then build a Kibana dashboard of the flagged packets to look for false positives.
Then, if nothing legitimate shows up, change the fail-filter action from log/accept to sample and discard.