bgp security techniques
play

BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, - PowerPoint PPT Presentation

Sep 14, 2023 •159 likes •450 views

BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, Japan APRICOT 2005 1 Agenda Overview & Discussion Context BGP Blackhole Routing BGP Diversion BGP Route Tagging BGP Flow Specification Analyzing

  1. BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, Japan APRICOT 2005 1

  2. Agenda • Overview & Discussion Context • BGP Blackhole Routing • BGP Diversion • BGP Route Tagging • BGP Flow Specification • Analyzing “Dark IP” Data Kyoto, Japan APRICOT 2005 2

  3. Overview • The purpose of this discussion is to both discuss BGP security techniques employed by network operators today, as well as to introduce some new mechanisms and techniques currently under development and request feedback from the community Kyoto, Japan APRICOT 2005 3

  4. About this talk…. • What this talk is about: – Using BGP as a security response tool – Benefits of employing unutilized/unallocated address space • What this talk is NOT about: – Securing the BGP protocol (e.g., MD5 or IPSEC for Transport connection) – Securing information carried by BGP (e.g., prefix filters, soBGP & SBGP, RIRs & IRRs, etc..) – Configuration syntax - however, appropriate references provided Kyoto, Japan APRICOT 2005 4

  5. Interesting Notes… • Have seen DoS attacks greater than 10Gbps aggregate capacity! • Of 1127 DoS attacks seen on a very large network since JAN 03, only 4 employed address spoofing - "spoofing is out of vogue”? • 140415 node botnet largest "seen" in the wild - larger botnets probable. • Miscreants are avoiding RFC1918 and other bogon address space and explicitly targeting "easy pickens” prefixes such as 24/8. • Miscreants often patch exploitable code once they compromise a system in order to "keep it” -- they probably install more patches than users! • DOS attack vectors are changing (e.g., UDP brute force as opposed to TCP-based, arbitrary DDOS toolkit) Kyoto, Japan APRICOT 2005 5

  6. The Problem… • The magnitude of DDOS attacks result in network instability and often times collateral damage to the network infrastructure • Mitigation policies need to be deployed at the network ingress and propagated to upstream networks in near real-time • ACL management, deployment and implementation/ performance implications inhibit their use considerably - consider deployment of attack mitigation policies to 2000 interfaces on 400 routers, augmenting existing policies and removing said policies once attack has ceased Kyoto, Japan APRICOT 2005 6

  7. BGP Blackhole Routing • Commonly referred to as BGP Real-Time Blackhole Routing (RTBH), or Blackhole Filtering ; results in packets being forwarded to a routers bit bucket, also known as: – Null Interface – Discard Interface • Several Techniques: – Destination-based BGP Blackhole Routing – Source-based BGP Blackhole Routing (coupling uRPF) – Customer-triggered • Exploits router’s forwarding logic - typically results in desired packets being dropped with minimal or no performance impact • Enables BGP Backscatter Traceback Technique Kyoto, Japan APRICOT 2005 7

  8. Exploits Forwarding Logic Packets FIB Egress Ingress Packet --------------------- Filter Arrive Interface --------------------- --------------------- --------------------- --------------------- --------------------- --------------------- --------------------- --------------------- --------------------- --------------------- Null0/Discard --------------------- • Forward packet to the Bit Bucket • Saves on CPU and ACL processing Kyoto, Japan APRICOT 2005 8

  9. Customer is DOSed – Before – Collateral Damage Peer A IXP-W A Peer B IXP- E Upstream D A Upstream B A C Upstream Upstream B B E Target Customers NOC G Attack causes POP F Collateral Damage Kyoto, Japan APRICOT 2005 9

  10. Customer is DOSed – After – Packet Drops Pushed to Network Ingress Peer A IXP-W A Peer B IXP-E Upstream A D Upstream B A C Upstream Upstream B B E BGP Target Advertises Black Holed Prefixes NOC G POP F Kyoto, Japan APRICOT 2005 10

  11. Monitoring Backscatter • Inferring Internet Denial-of-Service Activity – http://www.caida.org/outreach/papers/2001/BackScatter/ • Backscatter Traceback (NANOG 23) Kyoto, Japan APRICOT 2005 11

  12. Beyond Destination-based RTBH • Employing uRPF in conjunction with RTBH can provide source-based solution v. destination-based • Why not allow customer triggered blackholing for more-specifics of their prefixes? Kyoto, Japan APRICOT 2005 12

  13. BGP Diversion Techniques • Rather than employing BGP to simply discard traffic (and often effectively complete a Denial of Service attack), use BGP to divert traffic to data analysis or packet “scrubbing” centers, often referred to as Sinkholes • Divert via resetting BGP next hop to IP address of analysis system(s) or matching community tags that result in different BGP next hops being assigned for a given prefix (or PBR, or static, or…) Kyoto, Japan APRICOT 2005 13

  14. Typical Aggregate Sources AS 100 AS 65530 G C D 10.1.32/19 10.1/16 A F AS 65531 E B H 10.1.0/19 10.1.64/19 • 10.1/16 allocated to AS 100 • 10.1.0/19 used for infrastructure • 10.1.32/19 AS 65530 • 10.1.64/19 AS 65531 • 10.1/16 (10.1.96-10.1.255.255) implicitly nailed to null interface on core routers (C,B,D&E) Kyoto, Japan APRICOT 2005 14

  15. Routers Collect Garbage Data Scans, Backscatter, Other Garbage AS 100 AS 65530 G C D 10.1.32/19 10.1/16 A F AS 65531 E B H 10.1.0/19 10.1.64/19 • Routers collect all the garbage (backscatter, scans, etc..) destined for 10.1/19, 10.1.96/19 & 10.1.128/17 addresses • Routers are required to process data, send ICMP unreachables, etc.. Kyoto, Japan APRICOT 2005 15

  16. Why not Divert to Sinkhole? Scans, Backscatter, Worms, Other Garbage AS 100 10.1.0/19 AS 65530 G C D 10.1.32/19 10.1.0/19 & 10.1/16 A 10.128/17 F AS 65531 H E B 10.1.64/19  Why not divert garbage to sinkhole, if not for further analysis, at least to off-load data processing from routers  Traffic forwarded to sinkhole for analysis, removes processing overhead from routers  Provide collection point for further analysis Kyoto, Japan APRICOT 2005 16

  17. Sinkholes – Advertising Dark IP Advertise CIDR Target router To ISP Backbone blocks with receives the Static Lock-ups garbage pointing to the Target Router target router To ISP Backbone Sinkhole Gateway Sniffers and Analyzers To ISP Backbone • Move the CIDR Block Advertisements (or at least more-specifics of those advertisements) to Sinkholes • Does not impact BGP routing – route origination can happen anywhere in the iBGP mesh (careful about MEDs and aggregates) • Control where you drop the packet • Turns networks inherent behaviors into a security tool! Kyoto, Japan APRICOT 2005 17

  18. BGP Route Tagging • Employ same technique as previously discussed mechanisms to tag routes (usually via BGP Communities) in order to apply some firewall, packet filter, rate limit, quality of service or similar policy to packets matching the prefix (or attributes identified by the policy) • E.g., Cisco’s BGP Policy Propagation (BPP) Kyoto, Japan APRICOT 2005 18

  19. BGP Flow Specification • Defined in: – http://www.ietf.org/internet-drafts/draft-marques-idr-flow-spec-02.txt • Specifies procedures for the distribution of flow specification rules via BGP • Defines AN application for the purpose of packet filtering in order to mitigate (distributed) denial of service attacks • Defines procedure to encode flow specification rules as BGP NLRI which can be used in any way the implementer desires Kyoto, Japan APRICOT 2005 19

  20. What’s a Flow Specification? • A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP packet data • May or May not include reachability information (e.g., NEXT_HOP) • Well-known or AS-specific COMMUNITIES can be used to encode/trigger a pre-defined set of actions (e.g., blackhole, PBR, rate-limit, divert, etc..) • Application is identified by a specific (AFI, SAFI) pair and corresponds to a distinct set of RIBs • BGP itself treats the NLRI as an opaque key to an entry in its database Kyoto, Japan APRICOT 2005 20

  21. What’s it for? • Primarily/Initially: DDOS/Worm Mitigation • Continue evolution from: – Destination-based blackhole routing – uRPF/source-based BGP blackhole routing • To: – Much more precise/granular mechanism that contains all the benefits of it’s predecessors • At least one implementation complete, another (more?) on the way Kyoto, Japan APRICOT 2005 21

  22. We Need Operator Feedback! • Is this useful? • What’s missing (e.g., more flexible specification language) • Does this belong in BGP? • What are our alternatives? • Comments to authors are welcome! – flow-spec@tcb.net Kyoto, Japan APRICOT 2005 22

  23. About Dark IP… • Various IP address classifications – RFC 1918 (e.g., 10/8, 172.16/12 & 192.168/16) – Bogon addresses are address blocks that have not yet been allocated by IANA or a RIR (e.g., APNIC or ARIN) – Dark IP addresses have been allocated to a network operator and are currently being advertised, but have not yet been allocated to end-users/customers; typically subsets of allocated blocks – Active address space has been allocated to end- users/customers and end systems Kyoto, Japan APRICOT 2005 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Introduction Out Outline e Imagine an Ad-hoc network Introduction Security techniques

Introduction Out Outline e Imagine an Ad-hoc network Introduction Security techniques

Wireless Ad Hoc and Sensor Networks Outline Out e - Trust and Soft Security Introduction Security techniques Trust and reputation systems Generic Trust and Reputation Model Scheme Proposed models for ad hoc and sensor

161 views • 12 slides
Classical Encryption Techniques Substitution Transposition Steganography CSS441: Security and

Classical Encryption Techniques Substitution Transposition Steganography CSS441: Security and

CSS441 Classical Techniques Encrypt for Confidentiality Classical Encryption Techniques Substitution Transposition Steganography CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University

726 views • 39 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Verifying email security techniques for Dutch organizations Student: Vincent van Dongen

Verifying email security techniques for Dutch organizations Student: Vincent van Dongen

Verifying email security techniques for Dutch organizations Student: Vincent van Dongen Supervised by: Ralph Dolmans, George Thessalonikefs (NLnet Labs) Security and Network Engineering (UvA) Master Thesis, 3 July 2018 Vincent van Dongen (UvA)

187 views • 17 slides
Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security

Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security

Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security Consultant Agenda Social Engineering Methodology Attacks & Techniques Demos Tools of the trade Prevention Methods and Advice

502 views • 27 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 Signaling System #7, a set of telephony protocols

937 views • 60 slides
Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining

Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining

Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining intraday signals with longer time frame support or resistance. 141 Daily chart for support (slide 1 of 2) June 14 We see a solid band of support

979 views • 20 slides
Application of ecological sanitation and permaculture techniques: food and water security for

Application of ecological sanitation and permaculture techniques: food and water security for

Federal University of Mato Grosso do Sul Campo Grande, MS, Brazil Application of ecological sanitation and permaculture techniques: food and water security for indigenous tribes and rural areas in Brazil Adriana F. Galbiati, Gustavo C. da Silva,

260 views • 21 slides
Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques (NIT-K) S. K. Pal Defence Research & Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use and apply them to professional security software. The Team Eric - Code Mike Code AJ - Code - CONFIDENTIAL - Professor Shue Professor

344 views • 18 slides
Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# !

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# !

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# ! Involved#from#sample#prepara>on#to#report#wri>ng# ! Op>cal#systems#setup## ! Sample#prepara>on# ! Delayering# ! Imagery# ! SoCware#developments #

1.11k views • 72 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 Understanding the Security Properties of Ballot-Based Verification 1 WARNING This talk contains no research content.

284 views • 15 slides
Board Meeting The Falmouth Historical Society June 2, 2020 Agenda Local History

Board Meeting The Falmouth Historical Society June 2, 2020 Agenda Local History

Board Meeting The Falmouth Historical Society June 2, 2020 Agenda Local History Secretarys Report Communications Treasurers Report Merchandise Committee Reports Programs Museum Buildings & Grounds Museum

445 views • 23 slides
RPSL in the Wild Presentation to Apricot 2000, Seoul, Korea Mark Prior Agenda Overview of

RPSL in the Wild Presentation to Apricot 2000, Seoul, Korea Mark Prior Agenda Overview of

RPSL in the Wild Presentation to Apricot 2000, Seoul, Korea Mark Prior Agenda Overview of environment in Australia Summary of Connects routing policy Why use RPSL? Examples Problems Background Four major IAPs in

353 views • 16 slides
ANSIBLE BEST PRACTICES: THE ESSENTIALS Ansible Automates: DC Jamie Duncan @jamieeduncan

ANSIBLE BEST PRACTICES: THE ESSENTIALS Ansible Automates: DC Jamie Duncan @jamieeduncan

ANSIBLE BEST PRACTICES: THE ESSENTIALS Ansible Automates: DC Jamie Duncan @jamieeduncan cloudguy@redhat.com about jduncan 6+ years with Red Hat Coming Soon #shamelessPlug My daughter Elizabeth #cutestThingEver 2 THIS SESSION IS ABOUT

656 views • 37 slides
Logarithmic Time Prediction John Langford Microsoft Research DIMACS Workshop on Big Data through

Logarithmic Time Prediction John Langford Microsoft Research DIMACS Workshop on Big Data through

Logarithmic Time Prediction John Langford Microsoft Research DIMACS Workshop on Big Data through the Lens of Sublinear Algorithms The Multiclass Prediction Problem Repeatedly 1 See x 2 Predict y { 1 , ..., K } 3 See y The Multiclass

608 views • 56 slides
Logos Class Book of Joel Online class for August 2, 2020 8/1/20 1 Agenda for todays class

Logos Class Book of Joel Online class for August 2, 2020 8/1/20 1 Agenda for todays class

Logos Class Book of Joel Online class for August 2, 2020 8/1/20 1 Agenda for todays class Open chat room from 8:50am to 9:05am 9:05-9:15 Prayer time and updates Welcome our guests today This week book of Joel Intro

255 views • 14 slides
Team Build War Stories Beth Marcus, Ph.D. March 3, 2009 Who am I? Ph.D. in Biomechanics

Team Build War Stories Beth Marcus, Ph.D. March 3, 2009 Who am I? Ph.D. in Biomechanics

Team Build War Stories Beth Marcus, Ph.D. March 3, 2009 Who am I? Ph.D. in Biomechanics Specialist in new product development Serial Entrepreneur Started EXOS in late 1988 Medical business grew to 25 people & $1.5MM and

363 views • 21 slides
Principles of agent-based modeling Prof. Lars-Erik Cederman ETH - Center for Comparative and

Principles of agent-based modeling Prof. Lars-Erik Cederman ETH - Center for Comparative and

Introduction to Computational Modeling of Social Systems Principles of agent-based modeling Prof. Lars-Erik Cederman ETH - Center for Comparative and International Studies (CIS) Seilergraben 49, Room G.2, lcederman@ethz.ch Nils Weidmann, CIS

462 views • 24 slides
SIR ISAAC NEWTON (1642-1727) Born in the small village of Woolsthorpe, Newton quickly made an

SIR ISAAC NEWTON (1642-1727) Born in the small village of Woolsthorpe, Newton quickly made an

PCES 2.39 SIR ISAAC NEWTON (1642-1727) Born in the small village of Woolsthorpe, Newton quickly made an impression as a student at Cambridge- he was appointed full Prof. there The young Newton in 1669, at the age of 27! He remained there

106 views • 6 slides

More recommend