Protect your edge, BGP security made simple

Theo Voss

Playlists: 'denog8' videos starting here / audio / related events

Pioneers of the internet are putting great effort in protecting their networks by establishing strict filtering, trying to eliminate the last holes in their walls and using third-party DDoS mitigation solutions. However, we have seen avoidable route leaks and a tremendous increase in DDoS attacks in the last years. Unfortunately, the majority of ISPs in the world still filter on max-prefix limits at most and hope for the best. We at SysEleven have combined common filter best-practices with a self-made generator for prefix-filters and RPKI to establish strict filtering at the edge. Additionally, we have integrated a simple open-source tool for detecting and mitigating volumetric DDoS attacks. And by adding FlowSpec, the maximum attack bandwidth is no longer limited to our edge capacity. Altogether, this is a concept that has proven his capability in the past. I believe that every ISP who shares his individual and even non-perfect concept enables others to protect themselves better and finally makes the internet more secure. Therefore, I would like to present our solution as a thought-provoking impulse and give an exclusive insight into our Juniper based network.