Secured Internet Gateway for ISP with pfsense & FRR

1. Secured Internet Gateway for ISP with
and
Out of the Routing Box
Md. Rezaul Karim , Omnitech Systems Suman Kumar Saha, ADN Telecom
rkarim@omnitechone.com suman@adnsl.net

2. DDoS Attacks Trending Up for Service Providers
● 2021 Q1 Sees 2.9 Million DDoS Attacks Launched
● ATLAS Security Engineering & Response Team
(ASERT) has warned that last year's record-breaking
volume of DDoS attacks could be exceeded in 2021.
● In 2020, more than 10 million DDoS incidents
● Analyzing which industries attackers chose to hit,
researchers observed that healthcare, education and
online services were prime targets.

3. DDoS is New Normal
● Many attacks (42%) lasted between five and ten minutes, while assaults lasting fewer than five minutes dropped from
24% to 19%.
● Global estimates of the total number of DDoS attacks are anticipated to double to 14.5 million by 2022.
● No DDoS mitigation tools is full proof.
● UDP-based DDoS attack vectors fuel attack increases.
Duration of Attack

4. Other Attack Vectors for ISPs
1. Spyware , Malware, Botnet.
2. Spamming.
3. Phishing.
4. Darkweb.
5. Ransomware.
6. Cryptocurrency Mining.

5. Spot on Bangladesh
● Round the year among the network operators DDoS were most shouted incident.
● Though there is no statistics but even some operators experienced few times in a month.
● Mostly volumetric DDoS attack.
● Mostly Mikrotik is used as core router there is only few options to handle the incidents.
● Some operators use BGP community to drop malicious sources.
● A hacker group called ‘Hafnium’ has launched attacks on more than 200 organizations in Bangladesh.
Destination ports Used for Attacks

6. Out of the Router Appliance Box Solution Planning
● We have router box Cisco,Juniper, Mikrotik in current network.
● Now we can use BGP community feed to stop bad actors.
● ISPs fetching frequent outage due to DDoS.
● In most cases operators using Mikrotik Routers.
● We were looking for a open source technology that is easy to implement and cost effective.
● Some ISPs has only few resources to maintain core network ,we tried to find a simple solution.
● We choose FRR for BGP and pfSense to make the router security aware and to maintain cyber
hygiene from core network.

7. pfSense: Firewall with threat intel feeds
● pfSense , A free, open source customized distribution of FreeBSD tailored for using as a smart-firewall and router.
● Netgate is current maintainer of pfSense.
● Firewall.
● Routing.
● Redundancy.
● Traffic shaping.
● Routers not aware of security incidents and threats.
● We are talking in a locality where mostly used Mikrotik in operator’s network.

8. Some Community Threat intel IP & DNS Feed Sources (Blocklist)
● Spamhaus
● CINS Army
● Talosintelligence
● Firehol ( Collection of Cybercrime IP Feeds).
● MaxMind GeoIP Blocklist. (& Top Spammers).
● Juniper Security.
● malwaredomainlist.com
● Adway.
● Easy List (Privacy, Tracker).
● DNSBL SafeSearch by Google, Yandex, DuckDuckGo, Bing and Pixabay.
● … and many more.

9. pfSense : pfblockerNG

10. Threat Intel:Proofpoint ET IQRISK IPv4 Reputation

11. FRR:Roots from Quagga
● FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms with the collaboration of Linux Foundation.
● It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.
● RPKI supported
● SDN can be overlay with FRR
● Support Segment routing
● TNSR has developed carrier grade router using FRR (incl VPP+DPDK)
● Packet forwarding is challenge that can overcome with Vector Packet Processing & DPDK

12. RECOMMENDED SYSTEM REQUIREMENTS
Processor: Intel Xeon D1541/ Intel 2600 Series v3/v4 2.4GHz+, 8-Core/16 Thread
RAM: 16GB | SSD: 128G
NIC: Intel/Mellanox/Chelsio Multique NIC / Smart-NIC
pfSense version 2.4.5-p1 - Most Stable (FreeBSD 11x) - Recommended
pfSense version 2.5.1-p0 - New Stable (FreeBSD 12x) - For Latest Hardware
Tested Throughput :
# IMIX TRAFFIC #
L3 Forwarding: 10Gbps
Firewall: 5Gbps+ (10k ACLs)

13. Case study 1: (Replaced MikroTik)
-> Better User Experience, Less Threat Vector.
-> Very Less Customer complaint
-> Does not require frequent rebooting of core devices.
-> Stable and Better Services than MikroTik.
-> Blocks Most of the Malware, Spyware, Adware, Tracking.
-> Several steps ahead to gain safe internet experience.
-> Support /31 Network Configuration

14. Case study 1 : More Stable Service and Better User Experience, Less Threat Vector.

15. Case Study 1: Filtering based on Attacker Geo location and threat intel
● It can also filter bad actors IP based on
threat intelligence data.
● When pfSense block threat source IPs , that
is huge sanitization for the whole network
from malicious traffic.

16. Case Study 1: Visibility on malicious activity

17. Case study 2:incorporate pfSense in existing MikroTik Based Network
-> Does not need to change existing setup over-night.
-> Gain Better User Experience, Less Threat Vector.
-> Blocks Most of the Malware, Spyware, Adware, Tracking.
-> Several steps ahead to gain safe internet experience.
-> Spammer IPs can be blocked based on threat intel data

18. Case Study 2: pfSense along with Mikrotik
● pfSense placed as core router and firewall
● FRR will be used to peer with Internet only
● Other IX and local peer will be with Mikrotik to maintain local traffic queues as ease as usual.
● pfSense will be a safeguard for internet facing threats

19. Gain Cyber Hygiene from power of open source
● It’s always challenging to maintain good cyber hygiene for customer network
● pfSense firewall is efficient without losing quality of service and easy to implement and easy to
maintain
● Through pfSense network operator can get good number of reputed threat intelligence data
and protection from threat sources based on the theat data.
● Network Operators will get better visibility to his network
● Log server can be integrate easily for compliance

20. Thank you
QA?
Md. Rezaul Karim , Omnitech Systems Suman Kumar Saha, ADN Telecom
rkarim@omnitechone.com suman@adnsl.net