let s fix the internet routing security problem
play

Lets Fix the Internet Routing Security Problem 28 April 2020 - PDF document

Oct 01, 2022 •319 likes •708 views

4/29/20 Lets Fix the Internet Routing Security Problem 28 April 2020 (Tuesday) 1400 (UTC+10) Aftab Siddiqui Sr Manager Internet Technology Internet Society 1 1 What are we talking about today? 2 2 1 4/29/20 Understand the

  1. 4/29/20 Let’s Fix the Internet Routing Security Problem 28 April 2020 (Tuesday) – 1400 (UTC+10) Aftab Siddiqui Sr Manager Internet Technology Internet Society 1 1 What are we talking about today? 2 2 1

  2. 4/29/20 • Understand the problem first • BGP Hijacks • BGP Leak • Spoofing • Any Solution/s? • MANRS • Filtering • Anti Spoofing • Coordination • Global Validation (IRR/RPKI) 3 3 The Problem A Routing Security Overview 4 4 2

  3. 4/29/20 Routing Incidents are Increasing In 2019, 1,810 BGP Hijacks were recorded by bgpstream.com These hijacks led to a range of problems including stolen data, lost revenue, reputational damage, and more. Some of these hijacks lasted for many hours Incidents are global in scale, with one operator’s routing problems cascading to impact others. 5 5 Routing Incidents Cause Real World Problems • Unsecure routing is one of the most common problem for malicious threats. • Attacks can take anywhere from hours to months to even being identified. • Inadvertent errors can take entire countries offline, while attackers can steal an individual’s data or hold an organization’s network hostage. 6 6 3

  4. 4/29/20 The Basics: How Routing Works There are ~68,000 networks (Autonomous Systems) across the Internet, each using a unique Autonomous System Number (ASN) to identify itself to other networks. Routers use Border Gateway Protocol (BGP) to exchange “reachability information” - networks they know how to reach. Routers build a “routing table” and pick the best route when sending a packet, typically based on the shortest path. 7 7 Some Definitions Router find path forward packet, forward packet, forward packet, forward packet…. Something wrong… find alternate path forward packet, forward packet, forward packet, forward packet repeat until powered off 8 8 4

  5. 4/29/20 Some Definitions Routing vs Forwarding Routing = building maps and giving directions Forwarding = moving packets between interfaces according to the “directions” 9 9 Internet Routing Table Prefixes [28/04/2020]: 832782 https://www.cidr-report.org 10 10 5

  6. 4/29/20 Unique ASes Number of ASes in routing system: 68110 Number of ASes announcing only one prefix: 24270 https://www.cidr-report.org 11 11 The Honor System: Routing Issues Border Gateway Protocol (BGP) is based entirely on trust between networks • No built-in validation that updates are legitimate • The chain of trust spans continents • Lack of reliable resource data 12 12 6

  7. 4/29/20 Recent Events 13 13 The Threats: What’s Happening? Event Explanation Repercussions Solution Prefix/Route A network operator or attacker Packets are forwarded to the Stronger filtering Hijacking impersonates another network operator, wrong place, and can cause policies pretending that a server or network is Denial of Service (DoS) attacks their client. or traffic interception. Route Leak A network operator with multiple Can be used for traffic Stronger filtering upstream providers (often due to inspection and reconnaissance. policies accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. IP Address Someone creates IP packets with a false The root cause of reflection Source address Spoofing source IP address to hide the identity of DDoS attacks validation the sender or to impersonate another computing system. 14 14 7

  8. 4/29/20 AS Types 15 15 You are getting BGP Transit 16 16 8

  9. 4/29/20 You have BGP speaking Customer 17 17 You are directly Peering (BGP) 18 18 9

  10. 4/29/20 You are Peering with IXP (RS) 19 19 Prefix/Route Hijacking Route hijacking , also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretending that a server or network is their client. This routes traffic to a network operator, when another real route is available. Example: The 2008 YouTube hijack; an attempt to block YouTube through route hijacking led to much of the traffic to YouTube being dropped around the world. 20 20 10

  11. 4/29/20 Prefix/Route Hijacking 21 Source: bgpstream.com 21 Route Leak A route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: 2015, Malaysia Telecom and Level 3, a major backbone provider. Malaysia Telecom told one of Level 3’s networks that it was capable of delivering traffic to anywhere on the Internet. Once Level 3 decided the route through Malaysia Telecom looked like the best option, it diverted a huge amount of traffic to Malaysia Telecom. 22 22 11

  12. 4/29/20 Route Leak 23 Source: bgpstream.com 23 IP Address Spoofing IP address spoofing is used to hide the true identity of the server or to impersonate another server. This technique can be used to amplify an attack. Example: DNS amplification attack. By sending multiple spoofed requests to different DNS resolvers, an attacker can prompt many responses from the DNS resolver to be sent to a target, while only using one system to attack. Fix: Source address validation: systems for source address validation can help tell if the end users and customer networks have correct source IP addresses (combined with filtering). 24 24 12

  13. 4/29/20 . Impersonation sender ip spoofed packet partner src: partner dst: victim Oh, my partner sent me a packet. I’ll process victim this. 25 25 . Reflection ip spoofed packet sender src: victim dst: reflector reflector reply packet r o t c m e l i f t e c r i v : c : r t s s d Oops, a lot of replies without any request… victim 26 26 13

  14. 4/29/20 IP Address Spoofing 27 https://spoofer.caida.org/country_stats.php 27 IP Address Spoofing 28 28 14

  15. 4/29/20 IP Address Spoofing – Australia 29 29 IP Address Spoofing – Australia 30 30 15

  16. 4/29/20 Tools to Help • Prefix and AS-PATH filtering • RPKI, IRR toolset, IRRPT, BGPQ3 • BGPSEC is standardized But… • Not enough deployment • Lack of reliable data We need a standard approach to improving routing security. 31 31 We Are In This Together Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage they can do. 32 32 16

  17. 4/29/20 The Solution: Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to eliminate the most common routing threats 33 33 Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions that network operators must implement to dramatically improve Internet security and reliability. • The first two operational improvements eliminate the root causes of common routing issues and attacks, while the second two procedural steps improve mitigation and decrease the likelihood of future incidents. 34 34 17

  18. 4/29/20 MANRS Actions - Network operators Filtering Anti-spoofing Coordination Global Prevent propagation of Prevent traffic with Facilitate global Validation incorrect routing spoofed source IP operational information addresses communication and Facilitate validation of coordination between routing information on a network operators global scale Ensure the correctness of Enable source address Maintain globally your own announcements validation for at least accessible up-to-date and announcements from single-homed stub Publish your data, so contact information in your customers to adjacent customer networks, their common routing databases networks with prefix and own end-users, and others can validate AS-path granularity infrastructure 35 35 IXPs Action 3 Action 4 Action 2 Action 5 Action 1 Promote Protect the Facilitate global Provide Prevent MANRS to the peering platform operational monitoring and propagation of IXP membership communication debugging tools incorrect routing and coordination to the members. information This mandatory IXPs joining This action action requires MANRS are The IXP facilitates requires that the IXPs to implement expected to communication IXP has a The IXP provides filtering of route provide published policy of among members a looking glass for announcements at encouragement or by providing traffic not allowed its members. the Route Server assistance for their on the peering necessary mailing based on routing members to lists and member fabric and information data implement directories. performs filtering (IRR and/or RPKI). MANRS actions. of such traffic. 36 36 18

  19. 4/29/20 Action 1: Filtering BCP 194 – RFC7454 BGP Operations and Security 37 37 Why Filtering Your first line of defence You control what you are announcing • You have no control over what other networks announce To avoid issues, you have to decide what to accept from other networks 38 38 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Internet routing is based on routing protocols that collect the input data No off-line route

Internet routing is based on routing protocols that collect the input data No off-line route

Introduction to Routing in Internet Internet basics IPv4 and ICMP Internet Addressing ARP - Address Resolution Protocol Routing Information (Distance Vector ) Protocol Principles 3-1 S-38.121 S-02 Rka, NB Internet routing is based on

214 views • 18 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture Addressing, routing principles Protocols: IPv4, ICMP, ARP (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-07 / RKa, NB Ethernet Most

635 views • 26 slides
Mutually Agreed Norms for Routing Security manrs@isoc.org Insecurity by Design When the Internet

Mutually Agreed Norms for Routing Security manrs@isoc.org Insecurity by Design When the Internet

Mutually Agreed Norms for Routing Security manrs@isoc.org Insecurity by Design When the Internet was developed, they didnt build in security by design. The objective was resilience, simplicity and ease of deployment That created the Internet

791 views • 41 slides
CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996 Internet Routing Instability Labovitz, Malan, Jahanian, 1997 Spring 2013 End to End Routing Behavior Objective: Understand the actual behavior of

595 views • 22 slides
Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan Routing Routing Rout ing prot ocol 5 Goal: det ermine good pat h (sequence of rout ers) t hru 3 B C net work f rom source t o dest .

636 views • 40 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M

Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M

This Space Intentionally Left Blank to Hold Space Just in Case Routing Security Appears Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M Bellovin <smb@cs.columbia.edu> Randy Bush

478 views • 14 slides
Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map The Internet From CAIDA IP Address Allocation Originally (classful addrs), 4 address classes A: 0 | 7 bit network | 24 bit

573 views • 21 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
BGP Review Ming Liu Background The internet is organized as autonomous systems (AS) A

BGP Review Ming Liu Background The internet is organized as autonomous systems (AS) A

BGP Review Ming Liu Background The internet is organized as autonomous systems (AS) A corporations internal network Hierarchically aggregate routing information in a large internet The interdomain routing problem Each AS

245 views • 10 slides
10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II Tunneling and MPLS Wireless routing Wireless handoffs Tom Anderson Ratul Mahajan TA: Colin Dixon 2 Internet today Key goals for Internet routing

488 views • 11 slides
CSE 461 Section 7 5/18/2017 JOHN ABERCROMBIE The interdomain routing problem Each AS determines

CSE 461 Section 7 5/18/2017 JOHN ABERCROMBIE The interdomain routing problem Each AS determines

CSE 461 Section 7 5/18/2017 JOHN ABERCROMBIE The interdomain routing problem Each AS determines its own routing policies One AS only wants to send and receive packets from the internet One AS can carry transit traffic for others if you

416 views • 15 slides
End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet Objective Understand the large-scale behavior of routing in the

533 views • 25 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

906 views • 44 slides
IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early

IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early

IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early address management Evolution of address management Address management today Address policy development IP allocation Pre 1992 RFC 1261

547 views • 23 slides
Prospering in the API Economy Peter Hunt FLA digital conference 24 th October 2017

Prospering in the API Economy Peter Hunt FLA digital conference 24 th October 2017

Prospering in the API Economy Peter Hunt FLA digital conference 24 th October 2017 www.growcap.co.uk What is The API economy? API = Application Programmer Interfaces = transfer of data and commands APIs arent new payment

668 views • 15 slides
Problem solved: API Management 2 API Management Web-based APIs are making it easier Build a

Problem solved: API Management 2 API Management Web-based APIs are making it easier Build a

Problem solved: API Management 2 API Management Web-based APIs are making it easier Build a more than ever to link services together but connected being able to do this securely, scalably and reliably requires an end-to-end digital

1.29k views • 10 slides
Demonstrating the CDR: Open Banking APIs 2 What is the Consumer Data Right? Product Information

Demonstrating the CDR: Open Banking APIs 2 What is the Consumer Data Right? Product Information

1 Demonstrating the CDR: Open Banking APIs 2 What is the Consumer Data Right? Product Information Data Holders and Consent to share Australian Consumers Open Banking, Energy, Telecommunications Consent based, time and scope limited

344 views • 15 slides
2016 APNIC Survey Results Asia Pacific Network Information Centre Conducted and prepared by

2016 APNIC Survey Results Asia Pacific Network Information Centre Conducted and prepared by

2016 APNIC Survey Results Asia Pacific Network Information Centre Conducted and prepared by Survey Matters. Agenda Slid Slide Survey Process and Methodology 3 Participation and Service Satisfaction 6 Respondents Challenges 11 IPv6

602 views • 32 slides
Working with the law enforcement community towards a more stable and secure Internet Craig Ng

Working with the law enforcement community towards a more stable and secure Internet Craig Ng

Working with the law enforcement community towards a more stable and secure Internet Craig Ng General Counsel APNIC George Kuo Member Services Manager APNIC Agenda Introducing APNIC About APNIC APNICs role and services

304 views • 17 slides
ITU-APNIC collaboration on the transition from IPv4 to IPv6 ITU Regional Development Forum

ITU-APNIC collaboration on the transition from IPv4 to IPv6 ITU Regional Development Forum

ITU-APNIC collaboration on the transition from IPv4 to IPv6 ITU Regional Development Forum "ICTs for Smart Sustainable Asia-Pacific" Manila, Philippines 6-7 June 2016 <duncan@apnic.net> Agenda Introduction ICT

437 views • 22 slides
& Industry Development Che-Hoo Cheng APNIC @TWNIC IP OPM 32 2019-06-20 Security matters as

& Industry Development Che-Hoo Cheng APNIC @TWNIC IP OPM 32 2019-06-20 Security matters as

ROA+ROV Deployment & Industry Development Che-Hoo Cheng APNIC @TWNIC IP OPM 32 2019-06-20 Security matters as your network is connecting to Internet You do NOT want your own routes to be hijacked by anyone, maliciously or

842 views • 37 slides

More recommend