Module 8: Attack & Defense Labs
Course: ISP Backbone Lab Course Previous: Module 7: Traffic Engineering
Network diagram: attack surface map showing the 5 attack vectors from the Kali box and the corresponding 5-layer defense strategy.
Red Team / Blue Team on Your Own ISP
This is where it gets fun. You built this ISP — now break it.
Attack 1: BGP Hijacking
Scenario: Kali box (connected to PE-EDGE2's network) sends BGP updates pretending to own Customer A's prefixes.
The Attack: On Kali, run a BGP speaker (ExaBGP or FRRouting):
# ExaBGP config — advertise someone else's prefix
neighbor 10.100.0.1 {
    router-id 6.6.6.6;
    local-address 10.100.0.2;   # ExaBGP requires this: the address the Kali box peers from
    local-as 65001;
    peer-as 65000;
    static {
        route 192.168.100.0/24 next-hop 10.100.0.2;
        route 192.168.100.0/25 next-hop 10.100.0.2;   # More specific = wins!
    }
}
The Defense: an inbound prefix-list that accepts only Customer A's exact /24 (seq 10 matches that mask length only, so the more-specific /25 falls through to the deny), plus a cap on the number of prefixes the neighbor may send:
! On PE-EDGE2 — filter what CE-CUST1 can advertise
ip prefix-list CUST-A-ALLOWED seq 10 permit 192.168.100.0/24
ip prefix-list CUST-A-ALLOWED seq 999 deny 0.0.0.0/0 le 32
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.0.2 prefix-list CUST-A-ALLOWED in
  ! Alert at 80%, tear down at 100%
  neighbor 10.100.0.2 maximum-prefix 10 80
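An added example, not part of the course material, that models the inbound prefix-list and the maximum-prefix check in Python and runs them against the two routes the Kali config announces. The prefix-list entries and the update contents come from the text; the matching rules follow IOS prefix-list semantics (an entry without ge/le matches that exact mask length only, the lowest matching sequence wins, and no match is an implicit deny). The `max_prefix_state` function is a simplified model of `maximum-prefix 10 80` and its thresholds are an assumption.

```python
import ipaddress

# Constructed from the CUST-A-ALLOWED prefix-list in the text.
# Entry layout: (seq, action, prefix, ge, le). ge/le of None means
# "exact length" unless the other bound is set.
CUST_A_ALLOWED = [
    (10, "permit", "192.168.100.0/24", None, None),
    (999, "deny", "0.0.0.0/0", None, 32),
]


def entry_matches(entry_prefix, ge, le, candidate):
    """IOS prefix-list semantics: the candidate must lie inside entry_prefix and
    its mask length must fall in the window given by ge/le (default: exact length)."""
    net = ipaddress.ip_network(entry_prefix)
    cand = ipaddress.ip_network(candidate)
    if not cand.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(prefix_list, candidate):
    """Lowest sequence number that matches wins; no match is an implicit deny."""
    for seq, action, pfx, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(pfx, ge, le, candidate):
            return action, seq
    return "deny", None


def rejected_routes(prefix_list, advertised):
    """Routes in an UPDATE that the inbound filter would refuse."""
    return [p for p in advertised if evaluate(prefix_list, p)[0] == "deny"]


def max_prefix_state(accepted_count, limit=10, warn_pct=80):
    """Simplified model (assumption) of `maximum-prefix 10 80`:
    log a warning at 80% of the limit, tear the session down once it is exceeded."""
    if accepted_count > limit:
        return "teardown"
    if accepted_count * 100 >= limit * warn_pct:
        return "warning"
    return "ok"


# Constructed: the two routes the Kali ExaBGP config in the text announces
HIJACK_UPDATE = ["192.168.100.0/24", "192.168.100.0/25"]

if __name__ == "__main__":
    for route in HIJACK_UPDATE:
        print(route, "->", evaluate(CUST_A_ALLOWED, route))
    print("rejected:", rejected_routes(CUST_A_ALLOWED, HIJACK_UPDATE))
```

The /24 is accepted by seq 10 and the more-specific /25 is refused by seq 999, so the hijack never enters the VRF; the prefix counter gives a second, independent tripwire if the attacker floods many small routes instead.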
Attack 2: IS-IS Adjacency Flooding
Scenario: Inject a rogue router into the IS-IS domain to poison the SPF tree.
The Defense:
! IS-IS authentication on ALL links
router isis YOURSP
 authentication mode md5 level-2
 authentication key-chain ISIS-AUTH level-2
!
key chain ISIS-AUTH
 key 1
  key-string S3cur3ISISk3y!
!
! The router-level commands authenticate LSPs and SNPs. Hellos, i.e. the
! adjacency itself, are authenticated per interface: repeat the same two
! commands on every core link as "isis authentication mode md5 level-2" and
! "isis authentication key-chain ISIS-AUTH level-2".
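An added example, not from the course, giving a simplified model of RFC 5304 HMAC-MD5 authentication for IS-IS PDUs with a key chain: it shows why a rogue router that does not hold the key cannot get its LSPs accepted, and why a key chain lets you roll keys without a flag day. The PDU bytes are constructed and are not a real IS-IS encoding, the authentication value is modelled as the trailing 16 bytes of the PDU, and the key chain name and key string are the ones from the config above.

```python
import hashlib
import hmac

# Constructed key chain matching the names in the config above. A real key
# chain also carries accept/send lifetimes per key; they are omitted here.
KEY_CHAIN = {"ISIS-AUTH": {1: b"S3cur3ISISk3y!"}}

AUTH_LEN = 16  # HMAC-MD5 digest length


def isis_hmac_md5(pdu: bytes, key: bytes) -> bytes:
    """RFC 5304: HMAC-MD5 over the whole PDU with the authentication value zeroed.
    Simplified model: the authentication value is the final 16 bytes of the PDU."""
    return hmac.new(key, pdu + b"\x00" * AUTH_LEN, hashlib.md5).digest()


def sign_pdu(pdu: bytes, key: bytes) -> bytes:
    """What a legitimate IS-IS speaker does before flooding a PDU."""
    return pdu + isis_hmac_md5(pdu, key)


def verify_pdu(signed: bytes, chain: dict):
    """Return the id of the key that authenticates the PDU, or None to discard it.
    Every key in the chain is tried on receive (modelled here without lifetimes),
    which is what lets a new key be rolled in one router at a time."""
    if len(signed) <= AUTH_LEN:
        return None
    body, received = signed[:-AUTH_LEN], signed[-AUTH_LEN:]
    for key_id, key in chain.items():
        if hmac.compare_digest(isis_hmac_md5(body, key), received):
            return key_id
    return None


# Constructed sample PDU bodies (labels only, not real IS-IS TLVs)
LEGIT_LSP = b"LSP-ID=P1.00-00 seq=0x1a reach=10.0.0.0/24"
ROGUE_LSP = b"LSP-ID=P1.00-00 seq=0xff reach=10.0.0.0/24 via=rogue"

if __name__ == "__main__":
    chain = KEY_CHAIN["ISIS-AUTH"]
    print("legit  ->", verify_pdu(sign_pdu(LEGIT_LSP, chain[1]), chain))
    print("rogue  ->", verify_pdu(sign_pdu(ROGUE_LSP, b"guess"), chain))
    print("no tlv ->", verify_pdu(ROGUE_LSP, chain))
```

The rogue router's PDU is discarded before it ever reaches the link-state database, so SPF never sees it; that is the whole point of authenticating the flooding, not just the adjacency.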
Attack 3: MPLS Label Manipulation
Scenario: Craft packets with forged MPLS labels to reach VRFs you shouldn't have access to.
The Defense:
- CoPP (Control Plane Policing) — Rate-limit protocol traffic to the CPU
- iACL (Infrastructure ACL) — Only allow known sources to send labeled traffic
- TTL propagation disabled — Hides internal topology from traceroute
no mpls ip propagate-ttl
!
ip access-list extended INFRASTRUCTURE-PROTECTION
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 ! LDP: UDP 646 for hello discovery, TCP 646 for the session itself
 permit udp 10.0.0.0 0.0.0.255 any eq 646
 permit tcp 10.0.0.0 0.0.0.255 any eq 646
 deny ip any any log
Attack 4: OSPF/IS-IS Route Injection
Scenario: A compromised CE router attempts to inject routes into the ISP's IGP.
The Defense: This is why IS-IS runs on P and PE routers only, never on CE links. CE routers speak BGP, which is filtered. The IGP is completely isolated from customer influence. Architecture is the defense.
Attack 5: DDoS Against the Control Plane
Scenario: Flood a PE router with spoofed packets targeting BGP (TCP 179).
The Defense:
! CoPP — protect the control plane
! Trusted BGP traffic: infrastructure sources, or packets of an established session
ip access-list extended COPP-BGP-TRUSTED
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 permit tcp any any eq bgp established
 permit tcp any eq bgp any established
!
! Anything else aimed at TCP 179 is untrusted. A "deny" ACE inside a class
! ACL would only exclude the packet from that class (it would then fall into
! class-default and be transmitted), so untrusted traffic gets its own class
! with an explicit drop.
ip access-list extended COPP-BGP-UNTRUSTED
 permit tcp any any eq bgp
!
class-map match-all COPP-BGP-CLASS
 match access-group name COPP-BGP-TRUSTED
class-map match-all COPP-BGP-UNTRUSTED-CLASS
 match access-group name COPP-BGP-UNTRUSTED
!
! Class order matters: the trusted class must be evaluated first
policy-map COPP-POLICY
 class COPP-BGP-CLASS
  police rate 500 pps burst 100 packets
   conform-action transmit
   exceed-action drop
 class COPP-BGP-UNTRUSTED-CLASS
  drop
 class class-default
  police rate 1000 pps
   conform-action transmit
   exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
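An added example, not from the course, that simulates COPP-POLICY in Python. Packets are classified the way the BGP CoPP ACLs intend (trusted infrastructure sources or established sessions go to the policed BGP class, any other packet aimed at TCP 179 is dropped, the rest is class-default), and each policed class runs through a single-rate token-bucket policer in packets per second with the rates from the text. The traffic sample is constructed; the `established` flag stands in for the TCP ACK/RST check, and the class-default burst is an assumption because the text gives no burst for it.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Values from COPP-POLICY in the text
BGP_RATE_PPS, BGP_BURST = 500, 100        # police rate 500 pps burst 100 packets
DEFAULT_RATE_PPS = 1000                   # police rate 1000 pps
DEFAULT_BURST = 200                       # assumption: no burst given for class-default
INFRA = ipaddress.ip_network("10.0.0.0/24")   # 10.0.0.0 0.0.0.255 in the ACL


@dataclass(frozen=True)
class Packet:
    t: float            # arrival time in seconds
    src: str            # source address
    dport: int          # destination port
    established: bool   # stands in for the TCP "established" (ACK/RST) check


def classify(pkt):
    """Mirror of the BGP CoPP classification: trusted/established BGP is policed,
    other BGP-destined traffic is dropped, everything else is class-default."""
    if pkt.dport != 179:
        return "default"
    if ipaddress.ip_address(pkt.src) in INFRA or pkt.established:
        return "bgp"
    return "untrusted-bgp"


def police(packets, rate_pps, burst):
    """Single-rate policer: a bucket of `burst` tokens refilled at rate_pps
    tokens per second; conform-action transmit, exceed-action drop.
    Returns (conform, exceed) counts. Packets must be sorted by time."""
    tokens = float(burst)
    last_t = None
    conform = exceed = 0
    for pkt in packets:
        if last_t is not None:
            tokens = min(float(burst), tokens + (pkt.t - last_t) * rate_pps)
        last_t = pkt.t
        if tokens >= 1.0:
            tokens -= 1.0
            conform += 1
        else:
            exceed += 1
    return conform, exceed


def run_copp(packets):
    """Apply the policy to a capture and report what reached the route processor."""
    by_class = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.t):
        by_class[classify(pkt)].append(pkt)
    return {
        "bgp": police(by_class["bgp"], BGP_RATE_PPS, BGP_BURST),
        "untrusted-bgp": len(by_class["untrusted-bgp"]),  # dropped unconditionally
        "default": police(by_class["default"], DEFAULT_RATE_PPS, DEFAULT_BURST),
    }


def build_sample_traffic():
    """Constructed capture: a burst from a real peer, a spoofed flood at TCP 179,
    and a little unrelated traffic, all arriving in the same instant."""
    trusted = [Packet(0.0, "10.0.0.5", 179, True) for _ in range(150)]
    spoofed = [Packet(0.0, f"203.0.113.{i % 256}", 179, False) for i in range(2000)]
    other = [Packet(0.0, "198.51.100.7", 22, False) for _ in range(10)]
    return trusted + spoofed + other


if __name__ == "__main__":
    print(run_copp(build_sample_traffic()))
```

The spoofed flood never competes with the real peer for the BGP class's 500 pps budget, which is what keeps the session up during the attack; the 150-packet burst from the trusted peer shows the burst parameter doing its job (100 conform, 50 exceed when they all land at once).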
Key Takeaways
- Offense informs defense — You can't protect what you don't understand how to attack
- Layered security — No single defense is enough; combine prefix filtering, authentication, CoPP, and architectural isolation
- Architecture IS security — The IS-IS/BGP separation, MPLS label isolation, and VRF design are all security features by nature