understanding and mitigating internet routing threats
play

Understanding and Mitigating Internet Routing Threats John Kristoff - PowerPoint PPT Presentation

Nov 15, 2022 •208 likes •495 views

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1 One of two critical systems Routing (BGP) and naming

  1. Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1

  2. One of two critical systems Routing (BGP) and naming (DNS) are by far the two most critical subsystems of the Internet infrastructure. In the case of BGP, participation in and access to the routing system itself is generally, or rather should be, limited to a subset of trustworthy nodes and admins. FIRST 2011 John Kristoff & Danny McPherson 2

  3. Agenda • BGP Refresher • Threats • Mitigation FIRST 2011 John Kristoff & Danny McPherson 3

  4. BGP Refresher • Basic protocol overview • BGP message types • BGP path attributes • Properties that affect BGP route decision process • Jargon FIRST 2011 John Kristoff & Danny McPherson 4

  5. Path Vector Routing FIRST 2011 John Kristoff & Danny McPherson 5

  6. BGP over TCP port 179 • One-to-one peering relationship • Inherit TCP behaviors, advantages and threats FIRST 2011 John Kristoff & Danny McPherson 6

  7. Common BGP Header FIRST 2011 John Kristoff & Danny McPherson 7

  8. BGP message types 1 – OPEN 2 – UPDATE 3 – NOTIFICATION 4 – KEEPALIVE 5 – ROUTE-REFRESH FIRST 2011 John Kristoff & Danny McPherson 8

  9. BGP OPEN FIRST 2011 John Kristoff & Danny McPherson 9

  10. BGP UPDATE FIRST 2011 John Kristoff & Danny McPherson 10

  11. BGP NOTIFICATION FIRST 2011 John Kristoff & Danny McPherson 11

  12. Common BGP Path Attributes Well-known Well-known Optional Optional Attribute mandatory discretionary transitive non-transitive ORIGIN X AS_PATH X NEXT_HOP X MULTI_EXIT_DISC X ATOMIC_AGGREGATE X AGGREGATOR X COMMUNITY X MP_REACH_NLRI X FIRST 2011 John Kristoff & Danny McPherson 12

  13. Affecting BGP Route Decisions • Prefix length • LOCAL_PREF • ORIGIN • AS_PATH length • MULTI_EXIT_DISC • Router import and export policies • … and more ... FIRST 2011 John Kristoff & Danny McPherson 13

  14. BGP Operational Challenges • Each AS operates autonomously • Implicit trust (“routing by rumor”) • Configuration and policy intensive • In-band control traffic FIRST 2011 John Kristoff & Danny McPherson 14

  15. Threats • Availability • Confidentiality • Integrity FIRST 2011 John Kristoff & Danny McPherson 15

  16. Threats to Availability • TCP and lower layer attacks • Packet floods and control path congestion • Route instability and churn • Route flap dampening • Disaggregation and route table exhaustion • Implementation bugs and configuration errors • Route hijacking and black holes • Policy disputes FIRST 2011 John Kristoff & Danny McPherson 16

  17. Threats to Confidentiality • Clear text communications • Routing leaks • Policy configuration leaks • Route hijacking FIRST 2011 John Kristoff & Danny McPherson 17

  18. Threats to Integrity • Implementation bugs • Protocol design weaknesses • Compromised systems • Route hijacking • Path editing • Overt or covert transit theft • Divergence FIRST 2011 John Kristoff & Danny McPherson 18

  19. A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan • “...we have identified over 540,000 publicly accessible embedded devices configured with factory default root passwords.” • “...range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment...” • “Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments.” FIRST 2011 John Kristoff & Danny McPherson 19

  20. Mitigation • Protecting the transport • Router BCPs • Route monitoring • Policies and Defensive filtering • RPKI and BGPSEC FIRST 2011 John Kristoff & Danny McPherson 20

  21. Protecting the transport • TCP MD5 signature option and TCP-AO http://tools.ietf.org/html/rfc2385 http://tools.ietf.org/html/rfc5925 • IPSec http://tools.ietf.org/html/rfc4301 • RFC 5082 Generalized TTL Security Mechanism http://tools.ietf.org/html/rfc5082 FIRST 2011 John Kristoff & Danny McPherson 21

  22. Router BCPs • Configuration templates http://www.team-cymru.org/ReadingRoom/Templates/ http://www.nsa.gov/ia/guidance/security_configuration_guides/ • Control plane protection • Limited and protected remote access • Current software • Configuration management FIRST 2011 John Kristoff & Danny McPherson 22

  23. Route monitoring • http://bgpmon.net • http://bgplay.routeviews.org/bgplay/ • http://puck.nether.net/bgp/leakinfo.cgi • http://www.ripe.net/data-tools/stats/ris/ • http://www.team-cymru.org/Monitoring/BGP/ • http://bgp.he.net FIRST 2011 John Kristoff & Danny McPherson 23

  24. Policies and Defensive Filtering • Document policy with peers • Internet Routing Registries (IRRs) • Max prefix and path length limits • Limiting disaggregation • Remote triggered black hole filtering (RTBH) http://tools.ietf.org/search/rfc5635 • Dissemination of Flow Specification Rules http://tools.ietf.org/search/rfc5575 http://www.cymru.com/jtk/misc/community-fs.html FIRST 2011 John Kristoff & Danny McPherson 24

  25. RPKI and BGPSEC • Observation: There is no official, and consequently, no strong association between address assignment and routing announcements • Problem: How do you guard against routing threats, such as hijacks, without a means to verify the routing announcements? FIRST 2011 John Kristoff & Danny McPherson 25

  26. Resource Public Key Infrastructure (RPKI) • RIRs maintain RPKI infrastructure • Prefixes linked to authorized AS • In-band via soBGP or S-BGP • Out-of-band for near-time validation and monitoring • IETF SIDR WG spearheading RPKI work • Only for origin validation • BGPSEC working on path validation • Similar in scope to DNSSEC architectural changes FIRST 2011 John Kristoff & Danny McPherson 26

  27. A Future of IRR with RPKI FIRST 2011 John Kristoff & Danny McPherson 27

  28. In Closing • RFC 4271 A Border Gateway Protocol 4 (BGP-4) • RFC 4593 Generic Threats to Routing Protocols • IETF Secure Inter-Domain Routing (sidr) WG • Academic papers: • Securing BGP – A Literature Survey • A Survey of BGP Security Issues and Solutions • Securing BGP with BGPsec • Feedback or questions to: • dmcpherson@verisign.com and jtk@cymru.com FIRST 2011 John Kristoff & Danny McPherson 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Internet routing is based on routing protocols that collect the input data No off-line route

Internet routing is based on routing protocols that collect the input data No off-line route

Introduction to Routing in Internet Internet basics IPv4 and ICMP Internet Addressing ARP - Address Resolution Protocol Routing Information (Distance Vector ) Protocol Principles 3-1 S-38.121 S-02 Rka, NB Internet routing is based on

214 views • 18 slides
Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture Addressing, routing principles Protocols: IPv4, ICMP, ARP (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-07 / RKa, NB Ethernet Most

635 views • 26 slides
CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996 Internet Routing Instability Labovitz, Malan, Jahanian, 1997 Spring 2013 End to End Routing Behavior Objective: Understand the actual behavior of

595 views • 22 slides
Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan Routing Routing Rout ing prot ocol 5 Goal: det ermine good pat h (sequence of rout ers) t hru 3 B C net work f rom source t o dest .

636 views • 40 slides
Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based ac6on to pro-ac6ve measures Primary Goal : To iden6fy and take ac6on against domains

195 views • 5 slides
Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map The Internet From CAIDA IP Address Allocation Originally (classful addrs), 4 address classes A: 0 | 7 bit network | 24 bit

573 views • 21 slides
SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering

SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering

SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering Junjie Zhang, Zehua Guo, Minghao Ye , H. Jonathan Chao Background Traffic Engineering (TE): Configure routing to improve network performance

691 views • 15 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org Internet

1.25k views • 70 slides
10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II Tunneling and MPLS Wireless routing Wireless handoffs Tom Anderson Ratul Mahajan TA: Colin Dixon 2 Internet today Key goals for Internet routing

488 views • 11 slides
End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet Objective Understand the large-scale behavior of routing in the

533 views • 25 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
Danish Internet Day Security of the Internet of Things Mitigating infections spread through

Danish Internet Day Security of the Internet of Things Mitigating infections spread through

Danish Internet Day Security of the Internet of Things Mitigating infections spread through immunisation techniques Farell FOLLY, Ph.D Researcher folly.farell@unibw.de Copenhague, October 1st. 1 Agenda 1. Introduction to the IoT 2.

447 views • 27 slides
Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016

Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016

Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016 UNCLASSIFIED GPP is Canadas contribution to the Global Partnership Against the Spread of Weapons and Materials of Mass Destruction; More than

521 views • 14 slides
BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview BIRD Internet Routing Daemon Routing protocols BGP, OSPF and RIP IPv4 and IPv6 support Linux and BSD kernel support Free and open

241 views • 13 slides
15-441/641: Computer Networks BGP Inter-domain Routing 15-441 Spring 2019 Profs Peter

15-441/641: Computer Networks BGP Inter-domain Routing 15-441 Spring 2019 Profs Peter

15-441/641: Computer Networks BGP Inter-domain Routing 15-441 Spring 2019 Profs Peter Steenkiste & Justine Sherry Fall 2019 https://www.myheartisinthenetwork.com Ive missed you! What have you learned while Ive been away? Chat

1.48k views • 106 slides
CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching hardware [PD] chapter 4.1.2 Xiaowei Yang xwy@cs.duke.edu Today Border Gateway Protocol (BGP) Lab 2 The Internet The Internet: Zooming In 2x

932 views • 50 slides
Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing History 1989 AIDS TROJAN DISK distributed/infected via floppy disk developer was caught and put into jail 2005 first internet attack

748 views • 54 slides
AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS

AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS

AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS NO HAT 2019 (Bergamo / IT ITALY) by y Alexandre Bor Borges 1 NO HAT 2019 (BERGAMO / ITALY) Agenda: In Intr troductio ion Anti

1.45k views • 105 slides
Overview q Review of theoretical routing algorithms v Link state & Dijkstras algorithm v

Overview q Review of theoretical routing algorithms v Link state & Dijkstras algorithm v

Smith College, CSC 249 March 8, 2017 1 Overview q Review of theoretical routing algorithms v Link state & Dijkstras algorithm v Distance vector & Bellman-Ford equation q Routing in the Internet v Implementation of Link-state and

739 views • 14 slides
Convergence Xiaoqiang Wang 1 , Olivier Bonaventure 2 , Peidong Zhu 1 1 National University of

Convergence Xiaoqiang Wang 1 , Olivier Bonaventure 2 , Peidong Zhu 1 1 National University of

Stabilizing BGP Routing without Harming Convergence Xiaoqiang Wang 1 , Olivier Bonaventure 2 , Peidong Zhu 1 1 National University of Defense Technology, China 2 University Catholique de Louvain, Belgium Outline Background Motivation

811 views • 26 slides
Implementation of BGP in a Network Simulator Ljiljana Trajkovi Tony Dongliang Feng Rob

Implementation of BGP in a Network Simulator Ljiljana Trajkovi Tony Dongliang Feng Rob

Implementation of BGP in a Network Simulator Ljiljana Trajkovi Tony Dongliang Feng Rob Ballantyne Communication Networks Laboratory http://www.ensc.sfu.ca/cnl Simon Fraser University Road map Introduction Background Design and

630 views • 49 slides
Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

253 views • 10 slides

More recommend