Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

Free

Company Name : NIST

This publication provides technical guidance and recommendations for technologies that facilitate resilient interdomain traffic exchange (RITE).

Description

This guide provides technical guidelines and recommendations for deploying protocols and technologies that improve the security of interdomain traffic exchange. These recommendations reduce the risk of accidental attacks (caused by misconfiguration) and malicious attacks in the routing control plane, and they help detect and prevent IP address spoofing and resulting DoS/DDoS attacks. These recommendations primarily cover protocols and techniques to be used in BGP routers. However, they also extend, in part, to other systems that support reachability on the internet (e.g., RPKI repositories, DNS, and other open internet services).

Technologies recommended in this document for securing interdomain routing control traffic include RPKI, BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks include prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies (including some application plane methods) such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.

This document addresses many of the same concerns as highlighted in [CSRIC6-WG3] regarding BGP vulnerabilities and DoS/DDoS attacks but goes into greater technical depth in describing standards-based security mechanisms and providing specific security recommendations.
