Re: RTBH and Flowspec Measurements - Stop guessing when the attack will over

[Tom Beecher <beecher () beecher cc>]

> Do I read it right that there is no workaround, but the solution is to
> upgrade to an updated version which include the fix?

"Upgrade to fixed code" is the most common solution for every vendor.

To answer 'are they still vulnerable', IF someone is running one of the
listed versions, AND they have flowspec enabled, there is exposure.

On Wed, Feb 3, 2021 at 5:32 AM Jean St-Laurent via NANOG <nanog () nanog org>
wrote:

> Interesting,
>
>
>
> Do I read it right that there is no workaround, but the solution is to
> upgrade to an updated version which include the fix?
>
>
>
> The solution is just above the workaround. From the same page posted.
>
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST
>
>
>
> *Solution:*
>
> The following software releases have been updated to resolve this specific
> issue:
>
> Junos OS: 15.1R7-S8, 15.1X49-D240, 17.3R3-S10, 17.4R2-S12, 17.4R3-S4,
> 18.1R3-S12, 18.2R2-S8, 18.2R3-S6, 18.3R3-S4, 18.4R1-S8, 18.4R2-S6,
> 18.4R3-S6, 19.1R2-S2, 19.1R3-S3, 19.2R3-S1, 19.3R2-S5, 19.3R3-S1,
> 19.4R1-S3, 19.4R2-S3, 19.4R3, 20.1R2, 20.2R1-S3, 20.2R2, 20.3R1-S1, 20.3R2,
> 20.4R1, and all subsequent releases.
>
> Junos OS Evolved: 20.3R1-S1-EVO, 20.3R2-EVO, 20.4R1-EVO, and all
> subsequent releases.
>
>
>
>
>
> It has a cvss score of 10.0 which is the highest.
>
>
>
> Is Juniper still vulnerable or not?
>
>
>
> Thanks
>
>
>
> [image: ddosTest me Security inc]
>
> Jean St-Laurent
>
> CISSP #634103
>
>
>
> ddosTest me security inc
>
> tel:  438 806-9800 <+14388069800>
>
> site:  https://ddostest.me
>
> email:  jean () ddostest me
>
>
>
>
>
>
>
>
>
> *From:* NANOG <nanog-bounces+jean=ddostest.me () nanog org> *On Behalf Of *Hank
> Nussbacher
> *Sent:* February 3, 2021 12:41 AM
> *To:* nanog () nanog org
> *Subject:* Re: RTBH and Flowspec Measurements - Stop guessing when the
> attack will over
>
>
>
> You forgot to mention software bugs:
>
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST
>
>
>
> Note what Juniper states:
>
>
> *Workaround:There are no viable workarounds for this issue*
>
>
>
> -Hank
>
>
>
>
>
> But, this still does not helps to find a solution do an organization A
> that sends some flowspec our RTBH to organization B(presuming organization
> B will accept that),  and organization B do some reports of what is match
> with that flowspec or RTBH.
>
> That, in my opinion, is the only way to stop guessing how long will an
> attack will last, and start to define the end of a flowspec/RTBH action
> based on real information related to that.
> I want to close the feedback loop.
>
>
>
>
>
> Em ter., 2 de fev. de 2021 às 13:07, Tom Beecher <beecher () beecher cc>
> <beecher () beecher cc> escreveu:
>
> Personally, I would absolutely, positively, never ever under any
> circumstances provide access to a 3rd party company to push a FlowSpec rule
> or trigger RTBH on my networks. No way.  You would be handing over a
> nuclear trigger and saying "Please break me at my earliest inconvenience."
>
>
>
> On Tue, Feb 2, 2021 at 5:56 AM Douglas Fischer <fischerdouglas () gmail com>
> wrote:
>
> OK, but do you know any company the sells de Flowspec as a service, in the
> way that the Attack Identifications are not made by their equipment, just
> receiving de BGP-FlowSpec and applying that rules on that equipments... And
> even then give back to the customer some way to access those statistics?
>
> I just know one or two that do that, and(sadly) they do it on fancy web
> reports or PDFs.
> Without any chance of using that as structured data do feedback the
> anomaly detection tools to determine if already it is the time to remove
> that Flowsperc rule.
>
> What I'm looking for is something like:
> A) XML/JSON/CSV files streamed to my equipment from the Flowspec Upstream
> Equipments saying "Heepend that, that, and that." Almost in real time.
> B) NetFlow/IPFIX/SFlow streamed to my equipment from the Upstream
> Equipment, restricted to the DST-Address that matches to the IP blocks that
> were involved to the Flowspec or RTBH that I Annouced to then.
> C) Any other idea that does the job of gives me the visibility of what is
> happening with FlowSpec-rules, or RTBH on theyr network.
>
>
>
>
>
> Em seg., 1 de fev. de 2021 às 22:07, Dobbins, Roland <
> Roland.Dobbins () netscout com> escreveu:
>
>
>
>
>
> On Feb 2, 2021, at 00:34, Douglas Fischer <fischerdouglas () gmail com>
> wrote:
>
>
>
> Or even know if already there is a solution to that and I'm trying to
> invent the wheel.
>
>
>
> Many flow telemetry export implementations on routers/layer3 switches
> report both passed & dropped traffic on a continuous basis for DDoS
> detection/classification/traceback.
>
>
>
> It's also possible to combine the detection/classification/traceback &
> flowspec trigger functions.
>
>
>
> [Full disclosure: I work for a vendor of such systems.]
>
>
>
> --------------------------------------------
>
> Roland Dobbins <roland.dobbins () netscout com>
>
>
>
>
> --
>
> Douglas Fernando Fischer
> Engº de Controle e Automação
>
>
>
>
> --
>
> Douglas Fernando Fischer
> Engº de Controle e Automação