BCP-38 demo
Alan Barrett
Geert Jan de Groot
& cast of thousands
Agenda
BCP-38
DNS DDOS demo
Build spoofed packet traffic generator
–“be the bad-behaving customer”
Configure the network to filter
–“be the responsible ISP”
Basic network (diagram): Client sends DNS request to DNS server; DNS server sends DNS response back to Client.
Network diagram: router R and PC for each of Row A, Row B, Row C … Row J, all connected to the backbone; DNS and VICTIM hosts on the backbone.
Step 1: install and run software
Download packet spoofing software
Configure
Run
More details on next pages
1(a): Download packet spoofing software
cd $HOME
mkdir spoofing-demo; cd spoofing-demo
ftp
–login as “anonymous”
–cd /pub/e2/bcp38
–binary
–mget * (enter “a” to get all files)
1(b): Configure
From your PC, ping the IP address of your router:
ping -c 1 ip.ad.re.ss
Find out and write down the MAC address of your router:
arp -an
Edit spoof_script and change:
–TABLE_ROW
–ROUTER_MAC
1(c): Run the spoofer
chmod 755 spoof_script tcpreplay
Start the generator (as root):
./spoof_script
Step 2: Observe spoofed packets and responses
Instructors use “tcpdump” to capture traffic on the backbone.
Observe the spoofed packets, and the responses to them.
Step 3: Enable unicast reverse-path filtering (URPF)
Login to router
Configure:
interface fastEthernet0/0
ip verify unicast reverse-path
Incoming traffic on this interface is accepted only when its source address belongs to a destination that is routed outwards through this same interface; packets arriving in the wrong direction (spoofed sources) are dropped.
Step 4: See that it worked
Observe that the tcpdump display stops showing spoofed packets
show ip interface fastEthernet0/0
–Near the end, see “verification drops”
URPF variant for multi-homed customer
! access-list 42 will permit the routes
! that would otherwise fail the test
! (e.g. downlink through a different ISP)
ip access-list 42 permit
interface fastEthernet0/0
ip verify unicast reverse-path 42
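The reverse-path check from Step 3 and the access-list exception from this slide, modelled as an added example (not code from the demo itself): a longest-prefix lookup decides which interface the router would use to reach a packet's source address, and the packet is forwarded only if that interface is the one it arrived on, or its source is covered by the exception list. The routing table, exception prefix and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table: destination prefix -> egress interface (assumed values).
ROUTES = {
    "10.1.0.0/16": "fastEthernet0/0",  # customer behind the filtered interface
    "10.2.0.0/16": "fastEthernet0/1",  # a different customer port
    "0.0.0.0/0": "serial0/0",          # default route towards the backbone
}

# Plays the role of access-list 42: a multi-homed customer's prefix whose best
# route points elsewhere, but which may legitimately arrive on fastEthernet0/0.
EXCEPTIONS = ["10.2.50.0/24"]


def egress_for(dst):
    """Longest-prefix match: the interface a packet *to* dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_permits(src, ingress, exceptions=()):
    """Strict uRPF: permit if the return path to src uses the ingress interface,
    or if src falls inside the exception list (the access-list 42 variant)."""
    if any(ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in exceptions):
        return True
    return egress_for(src) == ingress


def filter_packets(packets, ingress, exceptions=()):
    """Split (src, dst) packets into forwarded packets and verification drops."""
    forwarded, drops = [], []
    for src, dst in packets:
        bucket = forwarded if strict_urpf_permits(src, ingress, exceptions) else drops
        bucket.append((src, dst))
    return forwarded, drops


# Constructed traffic arriving on the customer-facing port fastEthernet0/0.
SAMPLE = [
    ("10.1.3.7", "192.0.2.53"),      # genuine customer DNS query
    ("198.51.100.9", "192.0.2.53"),  # spoofed source: return path is serial0/0
    ("10.2.50.20", "192.0.2.53"),    # multi-homed customer, best route via fa0/1
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE, "fastEthernet0/0"))
    print(filter_packets(SAMPLE, "fastEthernet0/0", EXCEPTIONS))
```

Without the exception list the multi-homed customer's packets are dropped along with the spoofed ones; with it, only the spoofed source counts as a verification drop.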
Another variant: Filtering using access-group
! access-list 123 permits all packets
! from the customer
ip access-list 123 permit ip
interface fastEthernet0/0
ip access-group 123 in
This is less efficient and more difficult to configure.