# Module 8: Attack & Defense Labs

> **Course**: [ISP Backbone Lab Course](../README.md)
> **Previous**: [Module 7: Traffic Engineering](07-traffic-engineering.md)

---

## Network Diagram

![Attack Surface Map](../diagrams/Module8_AttackDefense.png)

*Attack surface map — 5 attack vectors from the Kali box with the corresponding 5-layer defense strategy*

---

## Red Team / Blue Team on Your Own ISP

This is where it gets fun. You built this ISP — now **break it**.

---

## Attack 1: BGP Hijacking

**Scenario:** The Kali box (connected to PE-EDGE2's network) sends BGP updates pretending to own Customer A's prefixes.

**The Attack:**

On Kali, run a BGP speaker (ExaBGP or FRRouting):

```
# ExaBGP config — advertise someone else's prefix
neighbor 10.100.0.1 {
    router-id 6.6.6.6;
    local-as 65001;
    peer-as 65000;
    static {
        route 192.168.100.0/24 next-hop 10.100.0.2;
        route 192.168.100.0/25 next-hop 10.100.0.2;   # More specific = wins!
    }
}
```

**The Defense:**

```
! On PE-EDGE2 — filter what CE-CUST1 can advertise
ip prefix-list CUST-A-ALLOWED seq 10 permit 192.168.100.0/24
ip prefix-list CUST-A-ALLOWED seq 999 deny 0.0.0.0/0 le 32
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.0.2 prefix-list CUST-A-ALLOWED in
  neighbor 10.100.0.2 maximum-prefix 10 80   ! Alert at 80%, tear down at 100%
```

Because the `permit` entry carries no `le`/`ge`, it matches only the exact /24. The more-specific /25 from the attack matches nothing but the `deny 0.0.0.0/0 le 32` entry and is dropped, and `maximum-prefix` caps how many prefixes the session will accept even if the filter is later misconfigured.

---

## Attack 2: IS-IS Adjacency Flooding

**Scenario:** Inject a rogue router into the IS-IS domain to poison the SPF tree.

**The Defense:**

```
! IS-IS authentication on ALL links
router isis YOURSP
 authentication mode md5 level-2
 authentication key-chain ISIS-AUTH level-2
!
key chain ISIS-AUTH
 key 1
  key-string S3cur3ISISk3y!
```

The router-level commands authenticate LSPs and SNPs. To authenticate hellos as well, so that a rogue router cannot even form an adjacency, also apply `isis authentication mode md5` and `isis authentication key-chain ISIS-AUTH` on every core interface.

---

## Attack 3: MPLS Label Manipulation

**Scenario:** Craft packets with forged MPLS labels to reach VRFs you shouldn't have access to.

**The Defense:**

- **CoPP (Control Plane Policing)** — Rate-limit protocol traffic to the CPU
- **iACL (Infrastructure ACL)** — Only allow known sources to send labeled traffic
- **TTL propagation disabled** — Hides internal topology from traceroute

```
no mpls ip propagate-ttl
!
ip access-list extended INFRASTRUCTURE-PROTECTION
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 permit udp 10.0.0.0 0.0.0.255 any eq 646   ! LDP
 deny ip any any log
```

---

## Attack 4: OSPF/IS-IS Route Injection

**Scenario:** A compromised CE router attempts to inject routes into the ISP's IGP.

**The Defense:**

This is why IS-IS runs on **P and PE routers only**, never on CE links. CE routers speak BGP, which is filtered. The IGP is completely isolated from customer influence. Architecture *is* the defense.

---

## Attack 5: DDoS Against the Control Plane

**Scenario:** Flood a PE router with spoofed packets targeting BGP (TCP 179).

**The Defense:**

```
! CoPP — protect the control plane
ip access-list extended COPP-BGP
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 permit tcp any any eq bgp established
 deny tcp any any eq bgp
!
class-map COPP-BGP-CLASS
 match access-group name COPP-BGP
!
policy-map COPP-POLICY
 class COPP-BGP-CLASS
  police rate 500 pps burst 100 packets conform-action transmit exceed-action drop
 class class-default
  police rate 1000 pps
!
control-plane
 service-policy input COPP-POLICY
```

---

## Key Takeaways

- **Offense informs defense** — You can't protect what you don't understand how to attack
- **Layered security** — No single defense is enough; combine prefix filtering, authentication, CoPP, and architectural isolation
- **Architecture IS security** — The IS-IS/BGP separation, MPLS label isolation, and VRF design are all security features by nature

---

> **Back to Course**: [ISP Backbone Lab Course ←](../README.md)
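Added example for Attack 1 (not part of the original module or of any vendor software): a small Python model of the PE-EDGE2 inbound policy. It parses the page's own `ip prefix-list CUST-A-ALLOWED` lines with IOS matching semantics (an entry without `ge`/`le` matches only the exact prefix length; `le 32` widens it to every length up to 32; first match wins; no match is an implicit deny) and applies the `maximum-prefix 10 80` thresholds. The announced prefixes are constructed to include the legitimate /24 and the more-specific /25 from the attack; the function names are this example's own.

```python
"""Added example: IOS-style prefix-list and maximum-prefix evaluation for the
CE-CUST1 session on PE-EDGE2. Announcements below are constructed, not lab output."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None          # ge/le widen the match to a length range
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        plen = route.prefixlen
        # ... and, with no ge/le, have exactly the entry's prefix length.
        if self.ge is None and self.le is None:
            return plen == self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= plen <= hi


def parse_prefix_list(config: str) -> List[PrefixListEntry]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue
        entry = PrefixListEntry(seq=int(tok[4]), action=tok[5],
                                prefix=ipaddress.IPv4Network(tok[6]))
        for key, val in zip(tok[7::2], tok[8::2]):
            if key in ("ge", "le"):
                setattr(entry, key, int(val))
        entries.append(entry)
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry],
             route: ipaddress.IPv4Network) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match is the implicit deny at the end of the list."""
    for entry in entries:
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None


def filter_updates(config: str, announced: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Return {prefix: (action, matching seq)} for every announced prefix."""
    entries = parse_prefix_list(config)
    return {p: evaluate(entries, ipaddress.IPv4Network(p, strict=False)) for p in announced}


def maximum_prefix_state(accepted: int, maximum: int, warn_pct: int) -> str:
    """'maximum-prefix 10 80': warn once the threshold percentage is reached,
    tear the session down once the count exceeds the maximum."""
    if accepted > maximum:
        return "teardown"
    if accepted * 100 >= maximum * warn_pct:
        return "warning"
    return "ok"


# The prefix list exactly as configured on PE-EDGE2 in this module.
CUST_A_ALLOWED = """
ip prefix-list CUST-A-ALLOWED seq 10 permit 192.168.100.0/24
ip prefix-list CUST-A-ALLOWED seq 999 deny 0.0.0.0/0 le 32
"""

# Constructed announcements: the legitimate /24, both halves of the
# more-specific hijack attempt, and an unrelated prefix.
ANNOUNCED = ["192.168.100.0/24", "192.168.100.0/25", "192.168.100.128/25", "10.0.0.0/8"]

if __name__ == "__main__":
    verdicts = filter_updates(CUST_A_ALLOWED, ANNOUNCED)
    for prefix, (action, seq) in verdicts.items():
        print(f"{prefix:22} {action:6} (seq {seq})")
    accepted = sum(1 for action, _ in verdicts.values() if action == "permit")
    print("maximum-prefix state:", maximum_prefix_state(accepted, 10, 80))
```

Run it and only `192.168.100.0/24` is permitted (seq 10); the /25s and the /8 hit seq 999. The same `parse_prefix_list` can be pointed at any prefix-list pulled from a lab router to check, before the session comes up, which announcements it would let through.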
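Added example for Attack 5 (not part of the original module; the traffic is constructed, not captured from the lab): a packet-level simulation of the CoPP policy. Classification walks the `COPP-BGP` ACL first-match, so BGP from the infrastructure range or on an established session lands in `COPP-BGP-CLASS`, while a spoofed SYN flood to port 179 hits the `deny` and falls to `class-default`. Each class gets its own token bucket modelled on `police rate R pps burst B packets`. The page gives no burst for `class-default`, so 100 packets is an assumption, as are the function names.

```python
"""Added example: simulate the COPP-POLICY from Attack 5 against a spoofed
TCP/179 flood plus legitimate BGP from a P router. Constructed traffic only."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

INFRA = ipaddress.IPv4Network("10.0.0.0/24")   # the "10.0.0.0 0.0.0.255" source range in the ACL
BGP_PORT = 179


@dataclass
class Packet:
    t: float            # arrival time in seconds
    src: str
    dport: int
    established: bool   # ACK/RST set, i.e. part of an existing TCP session


def in_copp_bgp_class(pkt: Packet) -> bool:
    """First-match walk of ACL COPP-BGP; a deny or no match means class-default."""
    if pkt.dport != BGP_PORT:
        return False                                   # no entry matches
    if ipaddress.ip_address(pkt.src) in INFRA:
        return True                                    # permit tcp 10.0.0.0 0.0.0.255 any eq bgp
    if pkt.established:
        return True                                    # permit tcp any any eq bgp established
    return False                                       # deny tcp any any eq bgp


class TokenBucket:
    """'police rate R pps burst B packets': B tokens to start, refilled at R per second."""

    def __init__(self, rate_pps: int, burst_packets: int):
        self.rate, self.capacity = rate_pps, burst_packets
        self.tokens, self.last = float(burst_packets), 0.0

    def admit(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True                                # conform-action transmit
        return False                                   # exceed-action drop


def police(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Apply COPP-POLICY to a packet list; returns per-class transmit/drop counts."""
    buckets = {
        "COPP-BGP-CLASS": TokenBucket(rate_pps=500, burst_packets=100),
        "class-default": TokenBucket(rate_pps=1000, burst_packets=100),  # burst assumed
    }
    counts = {name: {"transmit": 0, "drop": 0} for name in buckets}
    for pkt in sorted(packets, key=lambda p: p.t):     # policers see packets in arrival order
        cls = "COPP-BGP-CLASS" if in_copp_bgp_class(pkt) else "class-default"
        counts[cls]["transmit" if buckets[cls].admit(pkt.t) else "drop"] += 1
    return counts


def build_traffic() -> List[Packet]:
    """Constructed: 20 BGP keepalives from a P router spread over one second,
    interleaved with 5000 spoofed SYNs to port 179 in that same second."""
    legit = [Packet(t=k * 0.05, src="10.0.0.5", dport=BGP_PORT, established=True)
             for k in range(20)]
    flood = [Packet(t=i / 5000, src=f"203.0.113.{i % 254 + 1}", dport=BGP_PORT, established=False)
             for i in range(5000)]
    return legit + flood


def simulate_flood() -> Dict[str, Dict[str, int]]:
    return police(build_traffic())


if __name__ == "__main__":
    for cls, c in simulate_flood().items():
        print(f"{cls:16} transmit={c['transmit']:5d} drop={c['drop']:5d}")
```

The flood never touches the BGP bucket: every legitimate keepalive is transmitted, while `class-default` passes roughly its 100-packet burst plus 1000 pps and drops the rest. Remove the `deny` and the `10.0.0.0/24` permit from the ACL (so the flood classifies as BGP) and the same simulation shows the keepalives starting to drop, which is the failure mode CoPP classification exists to prevent.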