Add all 8 course modules with converted markdown links

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

modules/08-attack-defense.md

@@ -0,0 +1,137 @@
+# Module 8: Attack & Defense Labs
+
+> **Course**: [ISP Backbone Lab Course](../README.md)
+> **Previous**: [Module 7: Traffic Engineering](07-traffic-engineering.md)
+
+---
+
+## Network Diagram
+
+![Attack Surface Map](../diagrams/Module8_AttackDefense.png)
+*Attack surface map — 5 attack vectors from Kali box with corresponding 5-layer defense strategy*
+
+---
+
+## Red Team / Blue Team on Your Own ISP
+
+This is where it gets fun. You built this ISP — now **break it**.
+
+---
+
+## Attack 1: BGP Hijacking
+
+**Scenario:** Kali box (connected to PE-EDGE2's network) sends BGP updates pretending to own Customer A's prefixes.
+
+**The Attack:**
+On Kali, run a BGP speaker (ExaBGP or FRRouting):
+```
+# ExaBGP config — advertise someone else's prefix
+neighbor 10.100.0.1 {
+    router-id 6.6.6.6;
+    local-as 65001;
+    peer-as 65000;
+    static {
+        route 192.168.100.0/24 next-hop 10.100.0.2;
+        route 192.168.100.0/25 next-hop 10.100.0.2;  # More specific = wins!
+    }
+}
+```
+
+**The Defense:**
+```
+! On PE-EDGE2 — filter what CE-CUST1 can advertise
+ip prefix-list CUST-A-ALLOWED seq 10 permit 192.168.100.0/24
+ip prefix-list CUST-A-ALLOWED seq 999 deny 0.0.0.0/0 le 32
+!
+router bgp 65000
+ address-family ipv4 vrf CUST_A
+  neighbor 10.100.0.2 prefix-list CUST-A-ALLOWED in
+  neighbor 10.100.0.2 maximum-prefix 10 80  ! Alert at 80%, tear down at 100%
+```
+
+---
+
+## Attack 2: IS-IS Adjacency Flooding
+
+**Scenario:** Inject a rogue router into the IS-IS domain to poison the SPF tree.
+
+**The Defense:**
+```
+! IS-IS authentication on ALL links
+router isis YOURSP
+ authentication mode md5 level-2
+ authentication key-chain ISIS-AUTH level-2
+!
+key chain ISIS-AUTH
+ key 1
+  key-string S3cur3ISISk3y!
+```
+
+---
+
+## Attack 3: MPLS Label Manipulation
+
+**Scenario:** Craft packets with forged MPLS labels to reach VRFs you shouldn't have access to.
+
+**The Defense:**
+- **CoPP (Control Plane Policing)** — Rate-limit protocol traffic to the CPU
+- **iACL (Infrastructure ACL)** — Only allow known sources to send labeled traffic
+- **TTL propagation disabled** — Hides internal topology from traceroute
+
+```
+no mpls ip propagate-ttl
+!
+ip access-list extended INFRASTRUCTURE-PROTECTION
+ permit tcp 10.0.0.0 0.0.0.255 any eq bgp
+ permit udp 10.0.0.0 0.0.0.255 any eq 646  ! LDP
+ deny ip any any log
+```
+
+---
+
+## Attack 4: OSPF/IS-IS Route Injection
+
+**Scenario:** A compromised CE router attempts to inject routes into the ISP's IGP.
+
+**The Defense:** This is why IS-IS runs on **P and PE routers only**, never on CE links. CE routers speak BGP, which is filtered. The IGP is completely isolated from customer influence. Architecture *is* the defense.
+
+---
+
+## Attack 5: DDoS Against the Control Plane
+
+**Scenario:** Flood a PE router with spoofed packets targeting BGP (TCP 179).
+
+**The Defense:**
+```
+! CoPP — protect the control plane
+ip access-list extended COPP-BGP
+ permit tcp 10.0.0.0 0.0.0.255 any eq bgp
+ permit tcp any any eq bgp established
+ deny tcp any any eq bgp
+!
+class-map COPP-BGP-CLASS
+ match access-group name COPP-BGP
+!
+policy-map COPP-POLICY
+ class COPP-BGP-CLASS
+  police rate 500 pps burst 100 packets
+   conform-action transmit
+   exceed-action drop
+ class class-default
+  police rate 1000 pps
+!
+control-plane
+ service-policy input COPP-POLICY
+```
+
+---
+
+## Key Takeaways
+
+- **Offense informs defense** — You can't protect what you don't understand how to attack
+- **Layered security** — No single defense is enough; combine prefix filtering, authentication, CoPP, and architectural isolation
+- **Architecture IS security** — The IS-IS/BGP separation, MPLS label isolation, and VRF design are all security features by nature
+
+---
+
+> **Back to Course**: [ISP Backbone Lab Course ←](../README.md)