jramos/isp-backbone-course
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
isp-backbone-course/modules/08-attack-defense.md

138 lines
3.6 KiB
Markdown
Raw Permalink Normal View History

Add all 8 course modules with converted markdown links Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 10:28:45 -07:00
# Module 8: Attack & Defense Labs
> **Course**: [ISP Backbone Lab Course](../README.md)
> **Previous**: [Module 7: Traffic Engineering](07-traffic-engineering.md)
---
## Network Diagram
![Attack Surface Map](../diagrams/Module8_AttackDefense.png)
*Attack surface map — 5 attack vectors from Kali box with corresponding 5-layer defense strategy*
---
## Red Team / Blue Team on Your Own ISP
This is where it gets fun. You built this ISP — now **break it**.
---
## Attack 1: BGP Hijacking
**Scenario:** Kali box (connected to PE-EDGE2's network) sends BGP updates pretending to own Customer A's prefixes.
**The Attack:**
On Kali, run a BGP speaker (ExaBGP or FRRouting):
```
# ExaBGP config — advertise someone else's prefix
neighbor 10.100.0.1 {
router-id 6.6.6.6;
local-as 65001;
peer-as 65000;
static {
route 192.168.100.0/24 next-hop 10.100.0.2;
route 192.168.100.0/25 next-hop 10.100.0.2; # More specific = wins!
}
}
```
**The Defense:**
```
! On PE-EDGE2 — filter what CE-CUST1 can advertise
ip prefix-list CUST-A-ALLOWED seq 10 permit 192.168.100.0/24
ip prefix-list CUST-A-ALLOWED seq 999 deny 0.0.0.0/0 le 32
!
router bgp 65000
address-family ipv4 vrf CUST_A
neighbor 10.100.0.2 prefix-list CUST-A-ALLOWED in
neighbor 10.100.0.2 maximum-prefix 10 80 ! Alert at 80%, tear down at 100%
```
---
## Attack 2: IS-IS Adjacency Flooding
**Scenario:** Inject a rogue router into the IS-IS domain to poison the SPF tree.
**The Defense:**
```
! IS-IS authentication on ALL links
router isis YOURSP
authentication mode md5 level-2
authentication key-chain ISIS-AUTH level-2
!
key chain ISIS-AUTH
key 1
key-string S3cur3ISISk3y!
```
---
## Attack 3: MPLS Label Manipulation
**Scenario:** Craft packets with forged MPLS labels to reach VRFs you shouldn't have access to.
**The Defense:**
- **CoPP (Control Plane Policing)** — Rate-limit protocol traffic to the CPU
- **iACL (Infrastructure ACL)** — Only allow known sources to send labeled traffic
- **TTL propagation disabled** — Hides internal topology from traceroute
```
no mpls ip propagate-ttl
!
ip access-list extended INFRASTRUCTURE-PROTECTION
permit tcp 10.0.0.0 0.0.0.255 any eq bgp
permit udp 10.0.0.0 0.0.0.255 any eq 646 ! LDP
deny ip any any log
```
---
## Attack 4: OSPF/IS-IS Route Injection
**Scenario:** A compromised CE router attempts to inject routes into the ISP's IGP.
**The Defense:** This is why IS-IS runs on **P and PE routers only**, never on CE links. CE routers speak BGP, which is filtered. The IGP is completely isolated from customer influence. Architecture *is* the defense.
---
## Attack 5: DDoS Against the Control Plane
**Scenario:** Flood a PE router with spoofed packets targeting BGP (TCP 179).
**The Defense:**
```
! CoPP — protect the control plane
ip access-list extended COPP-BGP
permit tcp 10.0.0.0 0.0.0.255 any eq bgp
permit tcp any any eq bgp established
deny tcp any any eq bgp
!
class-map COPP-BGP-CLASS
match access-group name COPP-BGP
!
policy-map COPP-POLICY
class COPP-BGP-CLASS
police rate 500 pps burst 100 packets
conform-action transmit
exceed-action drop
class class-default
police rate 1000 pps
!
control-plane
service-policy input COPP-POLICY
```
---
## Key Takeaways
- **Offense informs defense** — You can't protect what you don't understand how to attack
- **Layered security** — No single defense is enough; combine prefix filtering, authentication, CoPP, and architectural isolation
- **Architecture IS security** — The IS-IS/BGP separation, MPLS label isolation, and VRF design are all security features by nature
---
> **Back to Course**: [ISP Backbone Lab Course ←](../README.md)
Reference in New Issue Copy Permalink