Ah yes, the posting of 22May which I didn't really understand and which
I printed out and have sitting on my desk here so I could ask about it
when I got time.
I haven't used transparent proxy. What does it do?
you use a filter rule with "-j REDIRECT" and all the tagged packets
are accepted locally.
Do you think the routing table setup is more efficient than the
transparent proxy? I wonder which one is easier on the CPU.
Essentially it is the same thing that I'm doing because you could build
iptables that redirect just the IP:PORT that you want and ignore the
rest so they are routed.
blackhole box is just a linux box with default route to loopback
running SNORT.
The job of the blackhole box is to listen to packets sent via table 999?
The blackhole box is designed to just eat packets and burp up stats.
It will also be running BGP/OSPF with my route servers
announcing 0/0
I'm out of my depth here.
What does "route servers announcing 0/0" mean?
Why is your blackhole box running BGP/OSPF?
so it will eat any reply packets from bogus netblocks
(spammers, worms, etc.).
If the previous two questions don't make this obvious, please
explain this.
My border routers do not have a default
route. If it isn't in the BGP table it gets sent to SNORT for
logging/analysis.
OK, all routes are explicit. Anything not explicitly handled
gets sent to snort.
I have 2 border routers with 3 upstream providers. I pull full routes
without default from all providers. I do not have a default setting on
my border routers.
Spammers like to hijack IP space by announcing the netblocks over BGP,
blasting the spam and then dropping the announcement. They typically
use bogus netblocks (ones that have not been assigned by ARIN, APNIC,
RIPE ...). My routers peer with a bogus route server
(http://www.cymru.com/BGP/bogon-rs.html) and currently route that
traffic to Null0.
Virus/worm writers like to forge packets using the bogus netblocks.
With no default on my border routers the routers don't know where to
send the packet and drop it.
I need to set up a black hole box and give it an IP on my core network.
I need to modify my BGP route-map filters to aim the bogus route
announcements to the blackhole IP.
I need to have the black hole machine announce 0/0 (aka default route)
over BGP to my border routers.
The blackhole machine will log/drop all bogus packets.
SPAM/worm/virus packets forged from hijacked or bogus IP space will
still hit my router, LVS, mail server but the reply packet will not
make it back to the sender. It is a lot easier for Cisco routers to
forward the packets to my blackhole box than it is drop the packets on
the floor. Forwarding is done with Distributed Cisco Express
Forwarding (dCEF) on the line cards and dropping a packet is done by
the central Route Switch Processor (RSP). I think that is how it works.
I'll put the blackhole box into a monitor port on my switch so it sees
all traffic. If Snort detects an ongoing attack it can update the BGP
table to take over the route so my router re-aims the traffic to the
blackhole instead of my upstream. Essentially this cuts the attack in
half: packets get in but they don't get out. I'll be SYN flooding
myself but I have protection in place for that.
All this work when the *correct* solution is for every ISP to put
filters on their edge to block forged packets. It is so easy but so
many ISPs don't do it.
Check here for more info http://www.nanog.org/mtg-0306/sink.html
-Matt
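As an added illustration of the forwarding policy Matt describes above (this is not code from the original post or from any of the tools named in it), the following Python script models a border router's longest-prefix-match lookup under the three conditions in the thread: full routes with no default, bogon prefixes re-aimed at the blackhole next-hop by the route-map, and the 0/0 the blackhole box announces over BGP. It then shows the Snort-driven step where a more-specific route for an attacking prefix is injected via the blackhole. All prefixes, next-hop names and the function names are constructed for the example; the bogon list is a handful of reserved ranges, not the Team Cymru feed.

```python
"""Toy model of the border-router forwarding policy from the thread.

Added example, not code from the original post. It simulates a
longest-prefix-match route lookup with (a) full routes and no default,
(b) bogon prefixes aimed at a blackhole next-hop, and (c) a 0/0 learned
from the blackhole box. All prefixes and next-hop names are constructed;
the bogon list is a few reserved ranges, not the Team Cymru feed.
"""
import ipaddress

BLACKHOLE = "blackhole-box"   # constructed name for the blackhole next-hop
NO_ROUTE = "no-route"         # no matching entry: the router drops the packet


class RoutingTable:
    """Minimal longest-prefix-match table: a list of (network, next_hop)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def withdraw(self, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        self.routes = [(n, nh) for n, nh in self.routes if n != net]

    def lookup(self, addr):
        """Return the next hop for addr, choosing the most specific prefix."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else NO_ROUTE


def build_border_table():
    """Border router with full routes and no default (constructed prefixes;
    RFC 5737 documentation ranges stand in for real customer space)."""
    table = RoutingTable()
    table.add("198.51.100.0/24", "upstream-A")
    table.add("203.0.113.0/24", "upstream-B")
    # Route-map result: bogon announcements point at the blackhole box
    # instead of Null0. Constructed subset of reserved address space.
    for bogon in ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        table.add(bogon, BLACKHOLE)
    return table


def fate_of_reply(table, spoofed_src):
    """Where does the reply to a packet forged from spoofed_src go?"""
    return table.lookup(spoofed_src)


def quarantine_attacker(table, attacker_prefix):
    """Snort-driven step from the thread: inject a more-specific route for the
    attacking prefix via the blackhole so it wins the longest-prefix match
    over the upstream route."""
    table.add(attacker_prefix, BLACKHOLE)


if __name__ == "__main__":
    t = build_border_table()
    # Forged from RFC 1918 space: the bogon route sends the reply to the blackhole.
    print("10.1.2.3 ->", fate_of_reply(t, "10.1.2.3"))        # blackhole-box
    # Not in the BGP table and no default: dropped on the router itself.
    print("192.0.2.9 ->", fate_of_reply(t, "192.0.2.9"))      # no-route
    # Blackhole box announces 0/0: the router now forwards instead of dropping.
    t.add("0.0.0.0/0", BLACKHOLE)
    print("192.0.2.9 ->", fate_of_reply(t, "192.0.2.9"))      # blackhole-box
    # A routable source still goes to its upstream...
    print("203.0.113.5 ->", fate_of_reply(t, "203.0.113.5"))  # upstream-B
    # ...until Snort flags it and a /32 via the blackhole takes over the route.
    quarantine_attacker(t, "203.0.113.5/32")
    print("203.0.113.5 ->", fate_of_reply(t, "203.0.113.5"))  # blackhole-box
```

The point the model makes visible is the one Matt relies on: with no default route, unknown destinations are dropped by the router, whereas once the blackhole box announces 0/0 they are forwarded in the fast path to a host that logs them; and because a /32 is more specific than the upstream /24, a Snort-triggered announcement re-aims only the attacker's replies without touching the rest of that prefix.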