In my living room, I have a butt kicking, heart stopping, head pounding Klipsch Reference Series setup with a 1200-watt [peak] powered sub. I don’t need that much in my office though. My new setup had to be Klipsch, but I don’t care for their PC speakers. I wanted to get some book shelf speakers, but wasn’t sure how to hook them up without buying a huge fracking receiver.

After a bit of googling, I stumbled upon some class T amplifiers. After reading every review I could find (there aren’t that many reviews out there), I decided to spring for the Topping T-Amp TP-21 from P-Mac Audio. I also ordered a set of RB-51s from Klipsch.

I was a little worried that the T-Amp wouldn’t be able to drive the RB-51s even though a couple people said they sound great together. I was also worried about the sound quality. The amp is only $139 though. Not like I’m spending $1000 on a mid-line receiver.

Well, today they arrived!

I plugged them in to the amp and connected the amp to my sound card and fired up iTunes. I used some John Coltrain and Diana Krall to see how they sounded and was disappointed. Out of the box, the sound is very flat. After futzing around with the iTunes mixer, I got the sound just the way I like it. I probably should buy a dedicated pre-amp.

Then, I switched over to some progressive metal. Dream Theater’s Images and Words rocked. I’m a picky listener, definitely not an “audiophile”, but I think this combo rivals my home theater setup – excluding the volume and lack of a sub, of course.

Even though the amp is only 25-watts per channel, since the Klipsch are so sensitive, the can get quite loud. I turned the volume all the way up and there was only a little clipping. Could be the cheapy sound card in my pc though since I also had the PC volume way up.

[ Power switch is on the back rear ]

What I like about the amp and speakers is that they both can use banana plugs. That makes setup or tear down a breeze. Corrosion is also less of a worry since I bought some pre-soldered cables with bananas.

I like the magnetic clips. My old floor standing speakers have plastic inserts and I’m always worried about them getting broken since my defective, clumsy cat likes to jump up on them from across the room. Sometimes she makes it, sometimes not quite..

All in all, I’m very happy with the setup. Now to get back to lab practice.

The above image is a GNS3 diagram of what I imported from my manually created dynagen network file. The has a mix of CE, PE, and P routers, as well as external AS routers. All routers are 7206s, excluding the CEs, which are 1721s.

As shown in the visio image above, we have a core OSPF area. The edges are separate areas. We also use MPLS explicit nulls in the LA and CR routers. Essentially, this is a redacted (IPs, auth keys, etc) configuration in use in a production service provider network.

You can download the visio here: Production Visio (VSD)

Configurations can be found here: Configurations (ZIP)

GNS/Dynagen configuration file: Confguration (TXT)

To telnet from router to router, use the following:

Password: cisco
Enable: enable

The following ranges are what I use in this testbed.

- 172.16.0.0/24 – Range for Loopback IPs. This is what we use to source everything from in the P/PE routers (router-ids, bgp neighbors, etc)
- 10.0.0.0/24 – Range for WAN /31s

The routers are all configured with pretty thorough base config. It includes OSPF, BGP, MPLS, QoS, as well as basic Multicast (mvpn) and L3VPN configurations.

EASTCA1#sh ip bgp ipv4 mdt all sum
BGP router identifier 172.16.0.101, local AS number 65500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.0.30     4 65500      72      59        1    0    0 00:47:35        0
172.16.0.31     4 65500      71      58        1    0    0 00:47:35        0

I’ll be using this base configuration as I blog about technologies in future posts. Some of the topics I’ll be covering are (in no particular order):

• MPLS Traffic Engineering
• BGP Multihoming
• BGP Route Aggregation
• BGP Route Leaking
• MVPN Troubleshooting
• QoS Configuration and Troubleshooting
• IS-IS deployment
• IS-IS tuning
• IPv6
• OSPFv3

Stay tuned!

I have two servers that I use. One at home, and one in our lab at work.

My home server is not nearly as powerful as my work computer, but it still does the job just fine. I got a great deal from Dell on a SC1430 server with dual quad Xeons just before they retired the model. When I bought it, it came with only 1GB of RAM and Dell is about as insane as Cisco is for branded memory. So, I opted to buy from my favorite place – newegg. If I remember right, I paid just under $800 total for the server and memory. Not friggin’ bad.

My OS of choice is Fedora. I’ve used Redhat since moving away from Slackware way back in the day. Man, that makes me feel old. Any OS should be fine. Windows (runs fewer routers), MacOS, or any flavor of Linux. Use what you feel comfortable with.

Our monster at work is a Sun X4150. This bad boy also has dual quad Xeons and 16GB of ram, plus around 420GB of SAS storage. The storage array might be a bit overkill, but we also use it as a test platform for our custom Netflow collection software. It also runs Fedora 12.

Installation

We need to download the packages. If you run Windows, you can download the all-in-one package from http://www.gns3.net/download. This contains everything needed to run virtual routers.

On Linux, I download the packages individually from the following locations:

• GNS3 v0.7RC1
• Dynamips 0.2.8-RC2 binary for Linux x86_64 (same link as above)
• The latest dynagen from SVN (http://sourceforge.net/projects/dyna-gen/develop)

Once I have those, I create a directory in /opt/dynamips, which is where I put dynagen and dynamips binaries.

pts/4 jrowley@enlil:/home/jrowley $> cd dyna-gen/code/trunk/
pts/4 jrowley@enlil:/home/jrowley/dyna-gen/code/trunk $> cp -R * /opt/dynamips/

Now, let’s download the dynamips binary, make it executable, and rename it.

pts/4 jrowley@enlil:/opt/dynamips $> wget http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC2/dynamips-0.2.8-RC2-amd64.bin?use_mirror=voxel
--2010-01-02 19:59:54--  http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC2/dynamips-0.2.8-RC2-amd64.bin?use_mirror=voxel
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://voxel.dl.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC2/dynamips-0.2.8-RC2-amd64.bin [following]
--2010-01-02 19:59:54--  http://voxel.dl.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC2/dynamips-0.2.8-RC2-amd64.bin
Resolving voxel.dl.sourceforge.net... 74.63.52.169, 69.9.191.19, 74.63.52.167, ...
Connecting to voxel.dl.sourceforge.net|74.63.52.169|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1017080 (993K) [application/octet-stream]
Saving to: dynamips-0.2.8-RC2-amd64.bin

100%[=================================================================================================================>] 1,017,080   1.06M/s   in 0.9s

2010-01-02 19:59:56 (1.06 MB/s) - dynamips-0.2.8-RC2-amd64.bin saved [1017080/1017080]

pts/4 jrowley@enlil:/opt/dynamips $> chmod +x dynamips-0.2.8-RC2-amd64.bin
pts/4 jrowley@enlil:/opt/dynamips $> mv dynamips-0.2.8-RC2-amd64.bin dynamips
pts/4 jrowley@enlil:/opt/dynamips $>

Finally, we download and extract GNS3. I just extract it to my desktop, though you could put it anywhere.

tar fxz GNS3-0.7RC1-src.tar.gz

Provided you have all the required dependencies*, you should be able to double click the GNS3 file.

IOS

Note: Please don’t ask me for any copies of IOS. You will be ignored.

Now, let’s prepare an IOS image for our router. This step is optional, but it speeds router start up since the images don’t need to be uncompressed. I also keep the uncompressed copies in my dynamips directory.

pts/4 jrowley@enlil:/home/jrowley/ios $> unzip c7200-advipservicesk9-mz.122-33.SRD3.bin
Archive:  c7200-advipservicesk9-mz.122-33.SRD3.bin
warning [c7200-advipservicesk9-mz.122-33.SRD3.bin]:  39000 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: C7200-AD.BIN
pts/4 jrowley@enlil:/home/jrowley/ios $> mv C7200-AD.BIN c7200-advipservicesk9-mz.122-33.SRD3.bin
pts/4 jrowley@enlil:/home/jrowley/ios $> mkdir /opt/dynamips/ios
pts/4 jrowley@enlil:/home/jrowley/ios $> mv c7200-advipservicesk9-mz.122-33.SRD3.bin /opt/dynamips/ios
pts/4 jrowley@enlil:/home/jrowley/ios $>

Don’t worry about the message about the extra bytes.

GNS3 Configuration

If GNS3 is running, we can move on to configuring it. If you get errors about missing libraries, see the section at the end of this post.

The first thing we need to do is tell GNS3 where to find our IOS. Click Edit -> IOS images and hypervisors.

Next, we just choose the IOS we put in our /opt/dynamips/ios directory previously. Don’t worry about the idle-pc settings yet.

Close the window and now click Edit -> Preferences to give the locations of dynamips. Click Dynamips on the left to set this.

If you have the path and working directory right, click the test button.

We also need to go to General and change the terminal. Most likely, you’ll just need to change the %h to 127.0.0.1, but I also had to change xterm to gnome-terminal

gnome-terminal -e "telnet 127.0.0.1 %p" -t %d

Hit Ok to close and now, we’re ready to add some routers. To do this, select the router type you want to create and drag it to the center panel. In our case, we only have a 7200 image, so let’s use that.

Now, right click the router to configure it

The next window lets us add port adapters. I typically leave the rest defaults.

Do this for as many routers as you wish.

Now, it’s time to connect the routers. To do this, click the connector button in the toolbar.

Connecting routers is as easy as clicking two routers.

Now, we can click the play button to start the routers. You can start them individually by right clicking on each router, or start them all with the toolbar above.

After the routers are running for a bit, we’ll want to configure idle-pc values, otherwise at least one of our cores will be at 100% all the time. Right click a router and select “Idle PC”.

You’ll get a splash screen while GNS calculates the values. Select any value that as an asterisk next to it. If there are none, rerun idle pc.

Note: you should do this for each router even though GNS3 tells you there is already a value for all of them after the first is configured. If you don’t do all routers, you don’t get much benefit.

Here, we can see where the CPU usage dropped after both routers were configured.

To access the routers, simply right click them and select Console. You should get a terminal window (or telnet window on Windows platforms)

Voila! We now have two routers we can configure.

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int gi1/0
R1(config-if)#no shut
R1(config-if)#ip add 19
*Jan  2 20:44:20.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
*Jan  2 20:44:21.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up2.168.0.1 255.255.255.252
R1(config-if)#end
R1#
*Jan  2 20:44:31.103: %SYS-5-CONFIG_I: Configured from console by console
telnet> quit
Connection closed.
pts/4 jrowley@enlil:/home/jrowley/Desktop $> telnet 0 2001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connected to Dynamips VM "R2" (ID 1, type c7200) - Console port

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int gi1/0
R2(config-if)#ip add 192.168.0.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#end
R2#
*Jan  2 20:45:04.395: %SYS-5-CONFIG_I: Configured from console by console
*Jan  2 20:45:04.875: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
*Jan  2 20:45:05.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
R2#
R2#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
R2#

From here, you can continue adding routers or just play around with the two we created.

Requirements

GNS3 depends on the following packages:

- Qt 4.3 (or higher)
- Python 2.4 (or higher)
- Sip 4.5 (or higher)
- PyQt 4.1 (or higher)

If you use yum, installing them is as easy as:

yum install qt-devel sip-devel PyQt4-devel python-devel

Windows users shouldn’t need these, as they’re included in the all-in-one package.

Other thoughts

GNS3 also allows you to create Olives (JunOS virtual routers) if you ever need to test a multi-vendor configuration. Very useful for learning your way around the CLI of my favorite router vendor.

Have fun!

What is an DoS/DDoS attack?

Essentially, a DoS attack is when someone sends bogus traffic towards an IP (or group of IPs) with the goal of overwhelming the destination circuit. In a DoS situation, an attacker usually initiates this traffic from a compromised PC or server. A DDoS (Distributed 11Denial of Service) is when a group of PCs or servers initiate the traffic.

Types of RTBH filtering

There are two types of RTBH mitigation. Source based and destination based.

Source based RTBH is the preferred method of mitigating attacks. In this instance, the source address(es) of an attack are null routed in the network. Combined with uRPF, routers will drop this traffic as it enters the network.

Destination based RTBH should only be used as a last resort, since you are essentially completing the DoS by null routing your customer. The only time this should be done is when other customers are affected and there are too many source addresses to null route (a spoofed DDoS). Additionally, you want to contact your customer as soon as possible so that you can assist them in getting back online.

Unicast Reverse Path Filtering (uRPF)

There are two types of uRPF – strict and loose mode. In strict mode, a ingress packet must be received on an interface that the router would use to forward return packets. If that fails, the packet is dropped. Loose mode is less strict in that the source address must exist in the routing table. Additionally, any source address that is attached to the Null0 interface is dropped.

In our RTBH examples, we’ll use loose mode uRPF on our peering/transit interfaces.

Deploying RTBH

There are a few steps to fully deploying RTBH in your network.

1) Null route

First, we want to add a null route that we can use as a next-hop for traffic we wish to drop. This could be one of your own IPs, RFC1918 space, or from the RFC3330 TEST-NET blocks.

westcr1(config)#ip route 192.0.2.1 255.255.255.255 null0

Note: This should never be leaked. In my deployment, we use outbound route-maps to match on, as well as a prefix-list to sanity check longest prefixes. You could also use a tag to specifically exclude this from announcements.

westcr1(config)#ip route 192.0.2.1 255.255.255.255 null0 tag 666

This should be added to any router where you wish to drop traffic. In our network, all routers contain this static route – edge, aggregation, and core.

2) uRPF

Next, we want to enable loose-mode uRPF on our transit/peering interfaces. By doing this, mitigated traffic is dropped as soon as it enters our network. We use loose mode because traffic can be asymmetrical. That is, it could enter via one peer and return traffic could exit via another peer on a different router.

On a 7600, the command is:

ip verify unicast source reachable-via any

An actual (redacted) interface:

interface GigabitEthernet1/4
 description [transit]_A.B.C.D_TWTC_ID:##/KFFN/######/TWCS
 ip address A.B.C.D 255.255.255.252
 ip verify unicast source reachable-via any
 ip route-cache flow
 load-interval 30
 speed nonegotiate
 wrr-queue cos-map 1 1 4
 wrr-queue cos-map 1 8 0
 wrr-queue cos-map 2 6 1
 wrr-queue cos-map 2 8 2
 wrr-queue cos-map 3 6 3
 wrr-queue cos-map 3 8 6 7
 service-policy input MARK-IPP-0

3) BGP Policy

Now, we need to configure the BGP policy. But, before we do this, we want to identify a single router that is used to inject these null routes. This can be a router or a Unix based server running Quagga. We use a dedicated Cisco 7206 for this purpose.

Injection router configuration

First, we have a prefix-list of “Golden” networks that we never want to accidentally null route due to spoofing. Before adding a route, we always check the owner of the netblock an attack originates from. If it’s obviously critical infrastructure, we’re dealing with a spoofing attack. We don’t want to null route a root server or anything like that.

ip prefix-list GOLDEN:NETWORKS seq 5 permit 198.41.0.0/24 le 32
ip prefix-list GOLDEN:NETWORKS seq 10 permit 192.228.79.0/24 le 32
[...]

Next, we want to make sure we don’t null route a default route.

ip prefix-list NO-DEFAULT seq 5 permit 0.0.0.0/0

Now, it’s time for the route-map.

route-map BLACKHOLE deny 5
 match ip address prefix-list GOLDEN:NETWORKS
!
route-map BLACKHOLE deny 10
 match ip address prefix-list NO-DEFAULT
!
route-map BLACKHOLE permit 20
 match tag 187
 set ip next-hop 192.0.2.1
 set local-preference 1000
 set origin igp
 set community 65500:666 no-export
!
route-map BLACKHOLE permit 30
 set ip next-hop 192.0.2.1
 set local-preference 1000
 set origin igp
 set community 65500:666 no-export

Here, we deny anything listed in the first two prefix-lists. The 3rd stanza is used to match on known netblocks assigned to organizations such as RBN and others.

The fourth matches any other routes.

4) Static route redistribution

Now, in order to announce these prefixes, we apply the route-map to static route redistribution in our BGP config.

router bgp 65500
 address-family ipv4
  redistribute static route-map BLACKHOLE

Note: I’m assuming your router already has bgp sessions to other devices to propagate the routes.

5) Adding routes

Now, when you experience a DoS, you can find the source (we use Netflow) and add a static route such as:

nullrouter(config)#ip route 192.168.202.12 255.255.255.255 Null0 tag 80

The tag doesn’t need to be included, but we use it to identify what type of attack. In this case, it was a DoS targeting port 80. If this was an address of a known c&c server, we’d use tag 187 to identify it as such.

Now, if we login to a router that receives these routes, we should see 192.0.2.1 set as the next-hop.

atlngaxxla1#sh ip bgp 192.168.202.12
BGP routing table entry for 192.168.202.12/32, version 41279494
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2          3          4          5          8
  Local, (Received from a RR-client), (received & used)
    192.0.2.1 from A.B.C.253 (A.B.C.253)
      Origin IGP, metric 0, localpref 1000, valid, internal, best
      Community: 65500:666 no-export

This causes uRPF to fail on your transit/peering interfaces because the route is destined to the Null0 interface, dropping traffic immediately on entering your network.

This also causes traffic initiated inside the network to be dropped.

pts/1 jrowley@SIFT01:/home/jrowley $> traceroute 192.168.202.12
traceroute to 192.168.202.12 (192.168.202.12), 30 hops max, 40 byte packets
 1  vlan18.host.domain.net (A.B.C.126)  1.791 ms  1.844 ms  1.895 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * ^C

Considerations

It is imperative that you use this sparingly. RTBH can be like shooting yourself in the foot with a bazooka if done wrong.

Always use no-export on null routes. Even though they are typically /32s, you still want to take care that they are not leaked to your peers.

Additionally, never accept RTBH announcements from your peers (customers are ok only if your inbound policies are tight enough to only permit /32s from their own address space).

Never null route your customers unless absolutely necessary.

Don’t leave null routes in place permanently. We typically remove them after one week, except for known bad nets.

The plugin was originally written by a previous employee, but I have recently rewritten it from scratch after deploying dedicated inline nprobe servers to generate netflow data, adding a few features such as auto expiration. Stay tuned.