conference logo

Playlist "DENOG8"

Protect your edge, BGP security made simple

Theo Voss

Pioneers of the internet are putting great effort in protecting their networks by establishing strict filtering, trying to eliminate the last holes in their walls and using third-party DDoS mitigation solutions. However, we have seen avoidable route leaks and a tremendous increase in DDoS attacks in the last years. Unfortunately, the majority of ISPs in the world still filter on max-prefix limits at most and hope for the best. We at SysEleven have combined common filter best-practices with a self-made generator for prefix-filters and RPKI to establish strict filtering at the edge. Additionally, we have integrated a simple open-source tool for detecting and mitigating volumetric DDoS attacks. And by adding FlowSpec, the maximum attack bandwidth is no longer limited to our edge capacity. Altogether, this is a concept that has proven his capability in the past. I believe that every ISP who shares his individual and even non-perfect concept enables others to protect themselves better and finally makes the internet more secure. Therefore, I would like to present our solution as a thought-provoking impulse and give an exclusive insight into our Juniper based network.