DDoS Mitigation and Reporting portal

The internet infrastructure was built based on mutual trust between service providers to ensure advertised routes are safe, accurate and will not be maliciously altered. Although that model proved sufficient in the earlier days for internet development, it has become increasingly vulnerable to configuration mistakes or abuse and attack by malicious actors looking to redirect routes to achieve criminal goals. This is called BGP hijacking or IP hijacking.

Resource certification enables IP holders to specify which autonomous systems (AS) are authorized to originate their IP prefixes in BGP announcements. IP service providers can validate IP route announcements at peering points to ensure that announcements were originated by the AS authorized to do so and drop routes that come from unauthorized sources.

RPKI enables IP address holders to specify which autonomous systems are authorized to originate their IP address prefixes. RPKI is a standard set of protocols and services defined by The IETF (Internet Engineering Task Force) beginning with RFC 6840, “An Infrastructure to Support Secure Internet Routing,” and a dozen or so supporting RFCs. Using cryptographically verifiable statements, RPKI helps to ensure that internet IP address resource holders are certifiably linked to those resources, and reliable routing origin data is available upon which to base routing decisions.

You create the association between IP addresses and agencies that are permitted to originate BGP announcements for those IP address by filing a route origin authorization (ROA) with and authorized registry.

Lumen supports RPKI and most service providers are transitioning to it as well.

To redirect IP traffic to DDoS scrubbing centers, Lumen makes BGP route announcements for IP addresses that need to be routed to scrubbing centers. If these IP addresses are registered via RPKI and Lumen does not have a route origin authorization (ROA) to originate advertisements for the DDoS protected IP address space using Lumen autonomous systems, then service providers that are enforcing RPKI will drop the route announcement. This means that some or all traffic, depending on which path the traffic takes from the originator to the protected infrastructure, will not redirected to and mitigated by Lumen DDoS Mitigation.

There are several DDoS Mitigation Services that determine when and how the traffic is routed to scrubbing centers:

No, you only need to take action if you are using IP addresses that meet the following criteria:

• You have your own IP addresses and have registered them with RPKI.
  
  
• You are using IP addresses held by another agency who has registered them with RPKI.

Contact your internet numbering registry to file a route-origin authorization (ROA) to designate Lumen as an authorized agency to originate BGP route updates for your IP addresses. Information needed for this ROA includes:

• customer-held public IP addresses
• Lumen ASNs: 3356, 202, and 203
• customer-supplied public key (as all communication will be encrypted)
• the date range that this association should be active
   

Information required may vary, depending on the registry. Contact the same registry that you originally registered your IP Addresses with RPKI. Internet number registries are regional:

• ARIN (North America)
• RIPE (Europe)
• APNIC (Asia Pacific)
• LACNIC (Latin America and Caribbean nations)
• AFRINIC (Africa)

The actual holder of the IP addresses needs to file the ROA. This helps prevent fraudulent filings and helps ensure the fidelity of the registration data.

The following resources provide additional information:

• Internet Engineering Task Force (IETF)
• RFC 6480 from IETF
• The numbering registry agents listed above
• Is BGP Safe Yet
• Lumen Security Operations Center (SOC)