Routing and router security in an operator environment

Transcription

1 DD2495 p Routing and router security in an operator environment Olof Hagsand KTH CSC 1

2 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from attacks. Most attacks are originated in end-hosts. Most notably windows PCs. The attacks are usually against single hosts or servers. These attacks often use bandwidth and are normally not a problem for the operators themselves, since most operators have wire-speed routers. It is difficult to generate that large amount of bandwidth. But an operator may want to protect its customers Attacks can also be set against the infra-structure itself. Such as towards the control-plane of the router. Effects of such attacks may be disastrous Operators also do not want to originate attacks Attacks may be based in its own customers 2

3 Attack traffic Arbor Networks, (2009) 3

4 Routing failures by mistake AS7007 incident (1997) One router in AS7007 defragmented all Internet routes into /24 and announced all routes with itself as origin AS9121 incident (2004) > /24 routes announced upstreams Youtube incident (2008) Instead of blocking, announce all youtube prefixes to the Internet (next slide) 4

5 5

6 TCP attacks Since BGP uses TCP for peering, BGP is sensitive to TCP attacks. RST injection causes peering to terminate SYN floods may cause denial-of service due to overload TCP sequence prediction attack Guessing next sequence can be used to inject false data Protect peering physically, TTLs, Authentication: MD5, IPSEC. 6

7 Indirect attacks Since the BGP peering runs on the same link as the data, an overloaded link may bring the BGP pering down. Examples where this has happened: SQL Slammer Nimda Large-scale DOS attacks One can also send large number of packets to the control-plane (see next slide) Packets directed at the route processor eg terminating traffic (destined to router) Packets of novel functionality handled by RP only (eg IPv6) You need to filter traffic to the RP rate-limit and identify which traffic the router requires e.g.: ssh/bgp/is-is Set firewall-filters for terminating traffic In juniper this is done by filtering to interface 'lo' 7

8 Fast path, slow path Control Processor CPU Memory Routing Table Slow path Line Card Line Card Fast path Line Card Line Card Fast path If line cards can determine outgoing port Slow path Control processor must determine outgoing port 8

9 Route filtering Route filtering: examine all imported/exported routes and place policies on which routes are imported and announced. Typically at the edges of a network: towards customers or peers. Never run your internal routing protocol on interfaces where there may be external nodes So that the IGP may not be compromised by false routes Egress filtering dont give transit by mistake Ingress filtering Check validity of received routes Check with registries (eg RIPE) (But these are not always updated) Combine with traffic/packet filters (ACLs) Only accept packets with source addresses matching the announced prefixes 9

10 Securing routing information within BGP But suppose a BGP router has been taken over by an attacker How do you protect against falsified BGP information? BGP relies on mutual and 'transitive' trust Attack forms: Blackholing (malicious) Announce prefix to attack traffic and then drop it Redirection Traffic to a destination is redirected to another (incorrect) destination Subversion Force the traffic to pass through a specifc link to eavesdrop or modify data, but reaches the original destination Instability Successive adverisement, withdrawals => trigger route flap damping Practical BGP: pages Beware of BGP attacks 10

11 Attack method: prefix hijacking Announce false updates Claim reachability of a prefix it does not have Claim it owns (originates) a prefix it does not own Multiple Origin AS (MOAS) Prefix hijacking is limited by the connectivity and locality of the compromised router 11

12 Example: prefix hijacking A claims reachability to AS6 and ownership of prefixes of AS6, but cannot affect routers in AS4 and AS6 (and AS5 and AS3 to a certain degree) AS1 AS2 A AS3 AS4 AS5 AS6 12

13 AS graph and peering relations Tier 1: Full Internet connectivity AS1 AS2 Transit NSPs ISPs AS3 Peer AS4 AS5 Customer Stubs/ Customers AS6 AS7 AS8 AS9 13

14 Netsec lab topology Tier1 Core: X.0/24 Customers: 10.X.0.0/16 Tier 1: Full Internet connectivity AS /0/ /27 RTX1.2 1/0/0 1/0/1 NSPs ISPs 1/0/1 1/0/0 RTX2 RTX4 2/0/0 2/0/0 1/0/0 1/0/1 RTX3 1/0/1 1/0/0 AS650(X-1)1 AS650X1 AS650(X+1)1 Customers X3 14

15 Juniper routers : J

16 The CLI See intro material in the IP routing course The first lab (static) contains a CLI tutorial The reference manual contains common commands Two major modes: Operational mode: Monitor and troubleshoot, network connectivity, hardware Configure mode: Configuration of interfaces, routing protocols, authentication, logging, etc. Completion and query As you would expect, <TAB> and <?> Line editing Emacs operations: <ctrl-b>, <ctrl-f>, <ctrl-a>, <ctrl-e>, <ctrl-p>, <ctrl-n>,... On-line help: help reference help topic 16

17 Firewall configuration Applies to interfaces: in and out Identifies packets, instead of routes Filters on lo are for local traffic eth- 1/0/0 All filters have an implicit deny rule! RE lo eth- 1/0/1 Example: interfaces eth 1/0/0 { unit 0 { family inet { filter { input rule1; output rule2; firewall { filter rule1 { term allow { from { source address { /16; /8; then accept; term reject{ then { log; discard; 17

18 Firewall conditions and actions destination-address source-address address destination-port source-port protocol dscp icmp-code packet-length interface-group fragmentation-offset fragment-flags first-fragment is-fragment ip-options accept: Accept the packet and send it to its destination discard: Silent discard reject: Drop and send an ICMP error message to the source. alert: Log an alert for the packet. count: Count the packets sample: Sample traffic log/syslog: packet header is logged. output-queue: Assign the packet to an output-queue loss-priority: Set packet loss priority (PLP) policer: apply a policer (next slide) tcp-flags tcp-established tcp-initial 18

19 Policers If a policer is associated to an interface, it rate-limits the traffic to adhere to a token bucket specifying average bandwidth and maximum burst size. When the threshold is exceeded, the traffic is either discarded, its loss-priority is set, or it is placed in a specific output queue. Typic use: Apply to lo0 to protect RE Example: firewall { policer p500k { if-exceeding{ bandwidth-limit 500k; burst-size-limit 50k; then{ discard; Actions: discard, forwarding-class loss-priority 19

20 Support ticket 1 One of your customers, Media Solutions LDT, is using your network for a local office. Their access router is RTX3. They have recently been experiencing network slowdowns and problems connecting over SSH. From time to time their downlink has been full. They suspect they might be under a DDoS attack and asks you to try to mitigate the attack. 20

21 SP1: Comments A customer is overwhelmed with traffic. You need to filter traffic using firewall rules Which traffic do you drop? You have to observe traffic and from trace create drop filters. Assistants can provide dumps for you Where does attack traffic come from? Hint: identify illegal traffic Where do you apply the filters? Think about what parts of the network you want to protect 21

22 Support ticket 2 You have recently been contacted by the transit provider you are connected to (e.g the operator that provides the link to RTX1). There have been complaints about a large amount of packets with invalid source addresses originating in your network. You are asked to solve this problem. 22

23 SP2: Comments The Transit provider receives traffic with illegal source addresses Extend (or add new) firewall rules For traffic transmitted from your network, which source addresses are legal / illegal? Where do illegal source addresses come from? Where do you apply filters? 23

24 Support ticket 3 There have recently been several attacks on our routers. These have been both in the form of distributed DoS attacks and aimed attacks at various protocols on the routers, such as TCP reset attacks. To prevent new attacks we need to protect the routers. You have been given the task of designing and implementing a filter for the router engines (located on the loopback interface of a Juniper Router). 24

25 SP3: Comments Routers are under attack To protect the router engine (main CPU) Add input firewall filters on loopback Identify which traffic (eg protocols) you know the routers need: routing, ssh,... Identify which sub-networks you want to access the routers from for control and management Create firewall rules on lo that drops everything else. Also: rate-limit access traffic (but not routing) 25