What are the threats at IXPs and how to protect your Internet architecture?



slide-1
SLIDE 1

What are the threats at IXPs and how to protect your Internet architecture?

Raphael Maunier raphael@acorus.net @rmaunier

slide-2
SLIDE 2

Why is using IXPs to protect your Internet architecture against events or threats a good idea?


slide-3
SLIDE 3

Unexpected event: IXP instability

This will happen again, don't worry! IXPs may have software issues; this can result in BGP instability and affect your traffic!

slide-4
SLIDE 4

Route leak !

Typo : We’ve all been there

slide-5
SLIDE 5
How to minimise the impact?

  • BGP timers / filtering / max prefix: adapt your router configuration:

cartman@core99.th2.par# show routing-instances nainternet protocols bgp group ipv4-public-peering-as51706-franceix
type external;
description "Group ipv4 Public Peering FranceIX AS51706";
hold-time 15;
/* Accept prefixes with route tagged for this IXP AS51706 */
import ipv4-public-peering-as51706-in;
family inet {
    unicast {
        prefix-limit {
            maximum 50;
            teardown 90 idle-timeout 300;
        }
    }
}

  • Ask all members to change their BGP config in order to reduce the default value of the timer (RFC suggested value is 90 sec). We now have faster, better, stronger equipment, we can definitely change this!
  • https://tools.ietf.org/html/bcp214

slide-6
SLIDE 6

Traffic Flows

slide-7
SLIDE 7

DDOS Attack

https://techcrunch.com/2018/03/02/the-worlds-largest-ddos-attack-took-github-offline-for-less-than-tens-minutes/

slide-8
SLIDE 8

How to address DDoS ?

slide-9
SLIDE 9

IXPs will have a solution for you! Upgrade or buy more ports

https://www.franceix.net/en/solutions/pricing/

Non Full 10G/100G ports are a good alternative and provide more flexibility!

slide-10
SLIDE 10

Blackholing

https://www.franceix.net/en/technical/blackholing/

slide-11
SLIDE 11

Buy a DDoS Mitigation service :)

slide-12
SLIDE 12

Another Threat : BGP Hijacking

slide-13
SLIDE 13

https://dyn.com/blog/bgp-hijack-of-amazon-dns-to-steal-crypto-currency/

slide-14
SLIDE 14

The role of an IXP

slide-15
SLIDE 15

Route Servers

slide-16
SLIDE 16

Route servers

http://peering.exposed/

"A route server is considered Secure if it performs IRR and/or RPKI based filtering on all participants, and BY DEFAULT does not propagate unfiltered routing information to anyone. [RFC 7948 section 4.3 / RFC 7454 section 6]"

slide-17
SLIDE 17
slide-18
SLIDE 18

Extract from Job Snijders’s presentation during EPF2018 (@jobsnijders)

  • IXPs – start doing RPKI Origin Validation on your route servers now
  • ISPs / CDNs
      • If you are pointing default somewhere, do it now
      • If your market is mostly West-Europe, do it now
      • If you are transit-free, wait a bit
slide-19
SLIDE 19
  • It’s possible to fight against threats on an IXP, and it’s easy!
  • IXPs have to be restrictive and have to implement more and more security by default; if not, don’t go there
  • All ASNs should monitor their space (with Bgpmon for example)
  • As an industry, we have to/MUST start to secure our routing! There is no room anymore for approximation: we have to start to deploy RPKI
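
As an added example (not part of the presentation), here is the RPKI origin validation decision that a route server makes per announcement, following RFC 6811. The ROAs and announcements are constructed from documentation prefixes and ASNs, the function names are hypothetical, and the policy of rejecting invalid routes while accepting not-found ones is an assumption.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorised origin ASN).
# Documentation prefixes and ASNs only, not real routing data.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
]

# Constructed announcements as a route server might receive them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # matches the ROA
    ("192.0.2.0/24", 64511),       # covered, wrong origin AS
    ("192.0.2.0/25", 64496),       # right origin, longer than maxLength
    ("2001:db8:1::/48", 64497),    # more specific, within maxLength
    ("2001:db8:1:1::/64", 64497),  # more specific, beyond maxLength
    ("203.0.113.0/24", 64500),     # no covering ROA
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if route.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def route_server_filter(announcements, roas=ROAS):
    """Assumed policy: reject invalid, accept valid and not-found."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate(prefix, origin, roas)
        bucket = rejected if state == "invalid" else accepted
        bucket.append((prefix, origin, state))
    return accepted, rejected

if __name__ == "__main__":
    accepted, rejected = route_server_filter(ANNOUNCEMENTS)
    for prefix, origin, state in accepted + rejected:
        print(f"{prefix:20} AS{origin:<6} {state}")
```

The two rejected IPv4 cases show why the maxLength field matters: a more-specific announcement is invalid even with the correct origin AS.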

slide-20
SLIDE 20

Useful links

  • https://en.wikipedia.org/wiki/BGP_hijacking
  • https://blog.cloudflare.com/rpki-details/
  • http://instituut.net/~job/routing_security_roadmap_EPF_2018_Snijders.pdf
  • Tools:
      • https://bgpmon.net/
      • https://github.com/snar/bgpq3
slide-21
SLIDE 21

T.HANKS T.Hanks a lot !