Preventing Traffic with Spoofed Source IP Addresses in MikroTik
Size: px
Start display at page:

Download "Preventing Traffic with Spoofed Source IP Addresses in MikroTik"

Transcription

1 Preventing Traffic with Spoofed Source IP Addresses in MikroTik Presented by Md. Abdullah Al Naser Sr. Systems Specialist MetroNet Bangladesh Ltd Founder, mn-lab

2 The routing system of the Internet is vulnerable to many security threats such as: Presented by Md. Abdullah Al Naser Page # 2

3 The routing system of the Internet is vulnerable to many security threats such as: Presented by Md. Abdullah Al Naser Page # 3

4 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 4

5 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 5

6 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 6

7 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 7

8 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 8

9 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 9

10 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 10

11 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 11

12 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 12

13 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 13

14 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 14

15 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 15

16 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 16

17 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 17

18 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 18

19 Prefix Hijacks Solution: Inbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 19

20 Prefix Hijacks Solution: Inbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 20

21 Route Leaks Presented by Md. Abdullah Al Naser Page # 21

22 Route Leaks Presented by Md. Abdullah Al Naser Page # 22

23 Route Leaks Presented by Md. Abdullah Al Naser Page # 23

24 Route Leaks Presented by Md. Abdullah Al Naser Page # 24

25 Route Leaks Presented by Md. Abdullah Al Naser Page # 25

26 Route Leaks Presented by Md. Abdullah Al Naser Page # 26

27 Route Leaks Presented by Md. Abdullah Al Naser Page # 27

28 Route Leaks Presented by Md. Abdullah Al Naser Page # 28

29 Route Leaks Presented by Md. Abdullah Al Naser Page # 29

30 Route Leaks Presented by Md. Abdullah Al Naser Page # 30

31 Route Leaks Presented by Md. Abdullah Al Naser Page # 31

32 Route Leaks Presented by Md. Abdullah Al Naser Page # 32

33 Route Leaks Presented by Md. Abdullah Al Naser Page # 33

34 Route Leaks Solution: Outbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 34

35 Route Leaks Solution: Outbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 35

36 Control Plane vs Data Plane Security Control Plane Prefix filtering can protect your BGP Table/control plane ROA/RPKI can also be used to protect control plane Data Plane But what about if anyone sends packets with spoofed source IP address? Source address validation should be there to deal with that!! Presented by Md. Abdullah Al Naser Page # 36

37 IP Address Spoofing IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin Put simply, the host pretends to be some other host Normally when your router receives unicast IP packets it only cares about one thing: What is the destination IP address of this IP packet so I can forward it? Presented by Md. Abdullah Al Naser Page # 37

38 IP Address Spoofing Presented by Md. Abdullah Al Naser Page # 38

39 IP Address Spoofing Presented by Md. Abdullah Al Naser Page # 39

40 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 40

41 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 41

42 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 42

43 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 43

44 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 44

45 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 45

46 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 46

47 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 47

48 IP Address Spoofing Implications DDoS Amplification is achieved by small queries resulting in much larger responses Open DNS resolvers, NTP servers and Memcache are commonly used as reflectors/amplifiers IP Spoofing can be more destructive if a valid TCP session is hijacked Presented by Md. Abdullah Al Naser Page # 48

49 IP Address Spoofing Implications Significant DoS attacks are costing Service Providers These costs hurt the brand, damage customer operations, and have collateral operational/cost impact on other customers Presented by Md. Abdullah Al Naser Page # 49

50 Spoofing Tools Spoofing Tools nping (available in Zenmap and other tools) synner kali linux (popular to pen testers) even IP Spoofing can be done from Windows CMD Presented by Md. Abdullah Al Naser Page # 50

51 Anti-Spoofing Anti-Spoofing DDoS Reflection-Amplification attacks would be impossible without spoofing however, they are preventable Implementing anti-spoofing filtering to prevent packets with incorrect source IP address from entering the network Presented by Md. Abdullah Al Naser Page # 51

52 Anti-Spoofing Anti-Spoofing Techniques Ingress Packet Filtering unicast Reverse Path Forwarding Presented by Md. Abdullah Al Naser Page # 52

53 Anti-Spoofing Anti-Spoofing Techniques Considerations Identify points/devices in the network topology where anti-spoofing measures should be applied Identify adequate techniques to be used (for example, urpf, or filtering) Apply configuration commands Verify that the protection works Presented by Md. Abdullah Al Naser Page # 53

54 Anti-Spoofing Anti-Spoofing Techniques To prevent source IP address spoofing, it's recommended to implement Ingress Filtering methods which include: Ingress Filtering, urpf etc Presented by Md. Abdullah Al Naser Page # 54

55 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering Presented by Md. Abdullah Al Naser Page # 55

56 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering Presented by Md. Abdullah Al Naser Page # 56

57 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering /ip firewall filter add action=drop chain=forward \ comment="spoofed from AS64501 \ in-interface=$interface log-prefix=" \ src-address=! /24 /ipv6 firewall filter add action=drop chain=forward\ comment="spoofed from AS64501 \ in-interface=$interface log-prefix=" \ src-address=!2001:db8:1001::/48 Presented by Md. Abdullah Al Naser Page # 57

58 urpf Anti-Spoofing Techniques - urpf urpf is a security feature that prevents these spoofing attacks. Whenever your router receives an IP packet it will check if it has a matching entry in the routing table for the source IP address. If it doesn t match, the packet will be discarded urpf as defined in RFC 3704 urpf is often implemented on the edges of the networks where customers, servers, and/or clients are connected Presented by Md. Abdullah Al Naser Page # 58

59 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 59

60 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 60

61 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 61

62 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 62

63 urpf There are four modes for urpf: Loose Mode Strict Mode Feasible Mode VRF Mode MikroTik supports Loose Mode and Strict Mode For single-homed stub customers, it's recommended that urpf strict mode is implemented For dual-homed stub customers, it is best to use urpf feasible mode instead Presented by Md. Abdullah Al Naser Page # 63

64 urpf urpf Strict Mode In Strict mode router will perform two checks: 1. Do I have a matching entry for the source in the routing table? 2. Do I use the same interface to reach this source as where I received this packet on? Presented by Md. Abdullah Al Naser Page # 64

65 urpf urpf Strict Mode When the incoming IP packets passes both checks, it will be permitted. Otherwise it will be dropped. This is perfectly fine for IGP routing protocols since they use the shortest path to the source of IP packets. Presented by Md. Abdullah Al Naser Page # 65

66 urpf urpf Strict Mode Presented by Md. Abdullah Al Naser Page # 66

67 urpf urpf Loose Mode In Loose mode router will perform only single check: 1. Do I have a matching entry for the source in the routing table? Presented by Md. Abdullah Al Naser Page # 67

68 urpf urpf Loose Mode When it passed this check, the packet is permitted. It doesn t matter if we use this interface to reach the source or not. Loose mode is useful when you are connected to more than one ISP and you use asymmetric routing. Presented by Md. Abdullah Al Naser Page # 68

69 urpf Anti-Spoofing Techniques urpf /ip settings set rp-filter=strict Or /ip settings set rp-filter=loose Presented by Md. Abdullah Al Naser Page # 69

70 Recap To Keep Internet Routing Secure Presented by Md. Abdullah Al Naser Page # 70

71 Recap Filtering In order to prevent propagation of incorrect routing information, network operators must ensure the correctness of their own announcements, and announcements from their customers to adjacent networks with prefix and AS-path granularity. Presented by Md. Abdullah Al Naser Page # 71

72 Recap Anti-Spoofing In order to prevent traffic with spoofed source IP addresses, network operators must enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure. Presented by Md. Abdullah Al Naser Page # 72

73 Acknowledgement Rene Molenaar MANRS MikroTik Wiki Presented by Md. Abdullah Al Naser Page # 73

74 Keep Internet Secure Thank You

Similar documents

Contents. Configuring urpf 1

Contents. Configuring urpf 1 Contents Configuring urpf 1 Overview 1 urpf check modes 1 Features 1 urpf operation 2 Network application 3 Configuration procedure 4 Displaying and maintaining urpf 4 urpf configuration example 4 Configuring

More information

Data Plane Protection. The googles they do nothing.

Data Plane Protection. The googles they do nothing. Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.

More information

Collective responsibility for security and resilience of the global routing system

Collective responsibility for security and resilience of the global routing system Collective responsibility for security and resilience of the global routing system Phil Roberts roberts@isoc.org Andrei Robachevsky www.internetsociety.org Let us look at the problem

More information

Collective responsibility for security and resilience of the global routing system

Collective responsibility for security and resilience of the global routing system Collective responsibility for security and resilience of the global routing system Andrei Robachevsky www.internetsociety.org Let us look at the problem first BGP is based on trust

More information

Prevent DoS using IP source address spoofing

Prevent DoS using IP source address spoofing Prevent DoS using IP source address spoofing MATSUZAKI maz Yoshinobu 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 1 ip spoofing creation of IP packets with source addresses

More information

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview

More information

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event, DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG, München DECIX/ECO security event, 04.12.14, Frankfurt Agenda what are IP reflection attacks? why are they so effective

More information

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01 Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01 K. Sriram and D. Montgomery OPSEC Working Group Meeting, IETF-99 July 2017 Acknowledgements: The authors are

More information

Unicast Reverse Path Forwarding Loose Mode

Unicast Reverse Path Forwarding Loose Mode The feature creates a new option for Unicast Reverse Path Forwarding (Unicast RPF), providing a scalable anti-spoofing mechanism suitable for use in multihome network scenarios. This mechanism is especially

More information

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and

More information

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt SpaceNet AG Internet Business Produkte für den Mittelstand Produkt- und Firmenpräsentation DENOG6, 20.11.14, Darmstadt DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG,

More information

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam Network Infrastructure Filtering at the border maz@iij.ad.jp stole slides from Fakrul Alam fakrul@bdhbu.com Acknowledgement Original slides prepared by Merike Kaeo What we have in network? Router Switch

More information

Remember Extension Headers?

Remember Extension Headers? IPv6 Security 1 Remember Extension Headers? IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header Allows adding new features to IPv6 protocol without major re-engineering

More information

Routing and router security in an operator environment

Routing and router security in an operator environment DD2495 p4 2011 Routing and router security in an operator environment Olof Hagsand KTH CSC 1 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

Security in inter-domain routing

Security in inter-domain routing DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks

More information

Network Policy Enforcement

Network Policy Enforcement CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous

More information

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1 Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17

More information

Mutually Agreed Norms for Routing Security NAME

Mutually Agreed Norms for Routing Security NAME Mutually Agreed Norms for Routing Security NAME EMAIL The Problem A Routing Security Overview 2 Routing Incidents are Increasing In 2017 alone, 14,000 routing outages or attacks such as hijacking, leaks,

More information

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui MANRS Mutually Agreed Norms for Routing Security Aftab Siddiqui siddiqui@isoc.org The Problem A Routing Security Overview 2 Routing Incidents are Increasing In 2017 alone, 14,000 routing outages or attacks

More information

Routing Security We can do better!

Routing Security We can do better! Routing Security We can do better! And how MANRS can help Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 90 60 Hijack Leak 30 0 1/5/17 1/16/17 1/27/17

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together! 15 October 2018 Internet2 Technology Exchange MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together! Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org

More information

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920) Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest 16.5.1 (Cisco ASR 920) First Published: 2017-05-06 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1 Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17

More information

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž MANRS Mutually Agreed Norms for Routing Security Jan Žorž The Problem A Routing Security Overview 2 No Day Without an Incident http://bgpstream.com/ 3 Routing Incidents Cause Real World

More information

BGP Origin Validation

BGP Origin Validation BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated

More information

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series) Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series) First Published: 2017-12-24 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

BGP101. Howard C. Berkowitz. (703)

BGP101. Howard C. Berkowitz. (703) BGP101 Howard C. Berkowitz hcb@clark.net (703)998-5819 What is the Problem to be Solved? Just configuring the protocol? Participating in the Internet and/or running Virtual Private Networks A Life Cycle

More information

Securing Networks with MikroTik Router OS

Securing Networks with MikroTik Router OS Securing Networks with MikroTik Router OS Zagreb,Croatia, March 14 th 2013 Presenter Tom Smyth CTO Wireless Connect Ltd. http://wirelessconnect.eu/ Copyright 2007-2013 1 Wireless Connect Ltd. Irish Company

More information

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu The Spoofer Project Goal: Quantify the extent and nature of source

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Denial of Service Protection Standardize Defense or Loose the War

Denial of Service Protection Standardize Defense or Loose the War Denial of Service Protection Standardize Defense or Loose the War ETSI : the threats, risk and opportunities 16th and 17th - Sophia-Antipolis, France By: Emir@cw.net Arslanagic Head of Security Engineering

More information

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI Shim6: Network Operator Concerns Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI Not Currently Supporting IPv6? Many parties are going forward with IPv6 Japan

More information

Connecting to a Service Provider Using External BGP

Connecting to a Service Provider Using External BGP Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting

More information

MANRS Mutually Agreed Norms for Routing Security

MANRS Mutually Agreed Norms for Routing Security 27 March 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell meynell@isoc.org Presentation title Client name Internet Society 1992 2016 1 The Problem A Routing Security Overview 2 The Basics:

More information

TDC 375 Network Protocols TDC 563 P&T for Data Networks

TDC 375 Network Protocols TDC 563 P&T for Data Networks TDC 375 Network Protocols TDC 563 P&T for Data Networks Routing Threats TDC 375/563 Spring 2013/14 John Kristoff DePaul University 1 One of two critical systems Routing (BGP) and naming (DNS) are by far

More information

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing

More information

Internet Routing Basics

Internet Routing Basics Internet Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port

More information

Global Information Assurance Certification Paper

Global Information Assurance Certification Paper Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information

Security in an IPv6 World Myth & Reality

Security in an IPv6 World Myth & Reality Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann MYTH: IPv6 Has Security Designed In MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4

More information

The routing challenges in IPv6 DoS mitigation. David Freedman Claranet IPv6 Security Workshop July 2017

The routing challenges in IPv6 DoS mitigation. David Freedman Claranet IPv6 Security Workshop July 2017 The routing challenges in IPv6 DoS mitigation David Freedman Claranet IPv6 Security Workshop July 2017 This talk is about Using routing to steer or block traffic. This talk is not about What you do with

More information

Service Provider Multihoming

Service Provider Multihoming BGP Traffic Engineering Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic? Transit ISPs strive to balance traffic flows in both directions

More information

IPv6 Commands: ipv6 su to m

IPv6 Commands: ipv6 su to m ipv6 summary-address eigrp, on page 3 ipv6 tacacs source-interface, on page 4 ipv6 traffic interface-statistics, on page 5 ipv6 traffic-filter, on page 6 ipv6 unicast-routing, on page 8 ipv6 unnumbered,

More information

Mobile IP. Mobile IP 1

Mobile IP. Mobile IP 1 Mobile IP Mobile IP 1 Motivation for Mobile IP Routing based on IP destination address, network prefix (e.g. 129.13.42) determines physical subnet change of physical subnet implies change of IP address

More information

Routing Basics ISP/IXP Workshops

Routing Basics ISP/IXP Workshops Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to

More information

An Operational Perspective on BGP Security. Geoff Huston February 2005

An Operational Perspective on BGP Security. Geoff Huston February 2005 An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended

More information

UDP-based Amplification Attacks and its Mitigations

UDP-based Amplification Attacks and its Mitigations UDP-based Amplification Attacks and its Mitigations Yoshiaki Kasahara kasahara@nc.kyushu-u.ac.jp 1/21/2014 APAN 37th in Bandung, Indonesia 1 Summary If you have servers with global IP addresses 1. Make

More information

Internet Routing with MANRS

Internet Routing with MANRS Internet Routing with MANRS Executive Summary By Fred Baker The Internet as we know it is approximately 35 years old. The Border Gateway Protocol (BGP), the primary backbone routing protocol, was designed

More information

Securing network infrastructure

Securing network infrastructure Securing network infrastructure Matsuzaki maz Yoshinobu maz@iij.ad.jp 1 Our Goals Ensuring Network Availability Controlling Routing Policy Protecting Information Preventing Misuse Mitigating

More information

Configuring IP Version 6

Configuring IP Version 6 CHAPTER 24 Configuring IP Version 6 Internet Protocol version 6 (IPv6), formerly called IPng (next generation), is the latest version of IP. IPv6 offers many advantages over the previous version of IP,

More information

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0

More information

Working together to improve routing security for all

Working together to improve routing security for all Working together to improve routing security for all The MANRS IXP Programme Andrei Robachevsky manrs@isoc.org 1 Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

BGP Security. Kevin s Attic for Security Research

BGP Security. Kevin s Attic for Security Research Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks

More information

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing Routing Concepts IPv4 Routing Routing Basics ISP/IXP Workshops Forwarding Some definitions Policy options Routing Protocols 1 2 IPv4 IPv4 address format Internet uses IPv4 addresses are 32 bits long range

More information

Chapter 7 LAN Configuration

Chapter 7 LAN Configuration Chapter 7 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless ADSL Modem VPN Firewall Router. These features can be found by selecting Network Configuration

More information

Service Provider Multihoming

Service Provider Multihoming Service Provider Multihoming BGP Traffic Engineering 1 Service Provider Multihoming Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic?

More information

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center Improving DNS Security and Resiliency Carlos Vicente Network Startup Resource Center Threats to DNS Server crashes Server compromise Denial of service attacks Amplification attacks Cache poisoning Targeted

More information

Software Systems for Surveying Spoofing Susceptibility

Software Systems for Surveying Spoofing Susceptibility Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ NANOG68, October 18th 2016 www.caida.o

More information

Securing BGP. Geoff Huston November 2007

Securing BGP. Geoff Huston November 2007 Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture

More information

Why Firewalls? Firewall Characteristics

Why Firewalls? Firewall Characteristics Why Firewalls? Firewalls are effective to: Protect local systems. Protect network-based security threats. Provide secured and controlled access to Internet. Provide restricted and controlled access from

More information

Memcached amplification: lessons learned. Artyom Gavrichenkov

Memcached amplification: lessons learned. Artyom Gavrichenkov Memcached amplification: lessons learned Artyom Gavrichenkov 1.7 Typical amplification attack Most servers on the Internet send more data to a client than they receive UDP-based servers

More information

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783. Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -

More information

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper

More information

Configuring Unicast Reverse Path Forwarding

Configuring Unicast Reverse Path Forwarding Configuring Unicast Reverse Path Forwarding This chapter describes the Unicast Reverse Path Forwarding (Unicast RPF) feature. The Unicast RPF feature helps to mitigate problems that are caused by malformed

More information

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security IP numbers and Hosts Intranets CSC362, Information Security i. IP numbers denote interfaces rather than entities ii. a single router can connect several different networks iii. a single interface can be

More information

Software Defined Networking

Software Defined Networking Software Defined Networking Daniel Zappala CS 460 Computer Networking Brigham Young University Proliferation of Middleboxes 2/16 a router that manipulatees traffic rather than just forwarding it NAT rewrite

More information

Using MSDP to Interconnect Multiple PIM-SM Domains

Using MSDP to Interconnect Multiple PIM-SM Domains Using MSDP to Interconnect Multiple PIM-SM Domains This module describes the tasks associated with using Multicast Source Discovery Protocol (MSDP) to interconnect multiple Protocol Independent Multicast

More information

Configure SR-TE Policies

Configure SR-TE Policies This module provides information about segment routing for traffic engineering (SR-TE) policies, how to configure SR-TE policies, and how to steer traffic into an SR-TE policy. About SR-TE Policies, page

More information

EIGRP Support for Route Map Filtering

EIGRP Support for Route Map Filtering The feature enables Enhanced Interior Gateway Routing Protocol (EIGRP) to interoperate with other protocols to leverage additional routing functionality by filtering inbound and outbound traffic based

More information

Implementing Cisco IP Routing E-Learning

Implementing Cisco IP Routing E-Learning Implementing Cisco IP Routing E-Learning Duration: 1 Day Course Code: E-ROUTE Overview: In this course, administrators of medium-to-large network sites will learn to use advanced routing to provide scalability

More information

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way

More information

Multihoming with BGP and NAT

Multihoming with BGP and NAT Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2

More information

SJTU 2018 Fall Computer Networking. Wireless Communication

SJTU 2018 Fall Computer Networking. Wireless Communication SJTU 2018 Fall Computer Networking 1 Wireless Communication Internet Protocol Stack 2 Application: supporting network applications - FTP, SMTP, HTTP Transport: data transfer between processes - TCP, UDP

More information

Migrating from OSPF to IS-IS

Migrating from OSPF to IS-IS Migrating from OSPF to IS-IS ISP Workshops Last updated 25 th August 2015 1 Introduction p With the advent of IPv6 and dual stack networks, more ISPs expressing interest to migrate to IS-IS n Migration

More information

network security cs642 computer security adam everspaugh

network security cs642 computer security adam everspaugh network security cs642 computer security adam everspaugh ace@cs.wisc.edu today Reminder: HW3 due in one week: April 18, 2016 CIDR addressing Border Gateway Protocol Network reconnaissance via nmap Idle

More information

Interdomain Routing Design for MobilityFirst

Interdomain Routing Design for MobilityFirst Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network

More information

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015 Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way \ http://www.pass4test.com We offer free update service for one year Exam : 642-691 Title : CCIP BGP + MPLS Exam (BGP + MPLS) Vendors : Cisco Version

More information

BGP Named Community Lists

BGP Named Community Lists The feature allows the network operator to assign meaningful names to community lists and increases the number of community lists that can be configured. Finding Feature Information, page 1 Information

More information

Configuring Advanced Firewall Settings

Configuring Advanced Firewall Settings Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule

More information

Chapter 10: Denial-of-Services

Chapter 10: Denial-of-Services Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different

More information

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: Threat Pragmatics 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: Issue Date: Revision: 1 Target Many sorts of targets: Network infrastructure Network services Application services User

More information

Unit 4: Firewalls (I)

Unit 4: Firewalls (I) Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is

More information

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience

More information

Multicast operational concerns

Multicast operational concerns Multicast operational concerns John Kristoff jtk@northwestern.edu http://aharp.ittns.northwestern.edu +1 847 467 5878 Northwestern University Evanston, IL 60208 DPU CTI Seminar John Kristoff Northwestern

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What

More information

IPv6 Bootcamp Course (5 Days)

IPv6 Bootcamp Course (5 Days) IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

Internet Protocols Fall Lectures Inter-domain routing, mobility support, multicast routing Andreas Terzis

Internet Protocols Fall Lectures Inter-domain routing, mobility support, multicast routing Andreas Terzis Internet Protocols Fall 2006 Lectures 11-12 Inter-domain routing, mobility support, multicast routing Andreas Terzis Outline Inter-domain Internet Routing BGP Routing for mobile nodes Multicast routing

More information

MANRS Mutually Agreed Norms for Routing Security

MANRS Mutually Agreed Norms for Routing Security 6 July 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org Presentation title Client name Internet Society 1992 2018 1 The Problem

More information

C. The ESP that is installed in the Cisco ASR 1006 Router does not support SSO.

C. The ESP that is installed in the Cisco ASR 1006 Router does not support SSO. Volume: 197 Questions Question No : 1 SSO was configured on a Cisco ASR 1006 Router by using two RPs. When the main RP failed, a service disruption occurred. What are two reasons that the SSO did not work?

More information

Security)Track) NANOG)65)

Security)Track) NANOG)65) Security)Track) NANOG)65) BGPStream) Nanog65) Andree)Toonk) andree@bgpmon.net) ) BGPStream) ) ) Ques%ons(we d(like(to(answer( Someone&hijacked&my&Prefix!& ) & &Now&what?&Was&it&targeted?&Were&others&affected&as&

More information

Customer IPv6 Delivery

Customer IPv6 Delivery Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations

More information

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6) Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port numbers

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback