Preventing Traffic with Spoofed Source IP Addresses in MikroTik
|
|
- Matthew Melton
- 5 years ago
- Views:
Transcription
1 Preventing Traffic with Spoofed Source IP Addresses in MikroTik Presented by Md. Abdullah Al Naser Sr. Systems Specialist MetroNet Bangladesh Ltd Founder, mn-lab
2 The routing system of the Internet is vulnerable to many security threats such as: Presented by Md. Abdullah Al Naser Page # 2
3 The routing system of the Internet is vulnerable to many security threats such as: Presented by Md. Abdullah Al Naser Page # 3
4 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 4
5 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 5
6 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 6
7 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 7
8 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 8
9 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 9
10 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 10
11 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 11
12 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 12
13 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 13
14 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 14
15 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 15
16 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 16
17 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 17
18 Prefix Hijacks Presented by Md. Abdullah Al Naser Page # 18
19 Prefix Hijacks Solution: Inbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 19
20 Prefix Hijacks Solution: Inbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 20
21 Route Leaks Presented by Md. Abdullah Al Naser Page # 21
22 Route Leaks Presented by Md. Abdullah Al Naser Page # 22
23 Route Leaks Presented by Md. Abdullah Al Naser Page # 23
24 Route Leaks Presented by Md. Abdullah Al Naser Page # 24
25 Route Leaks Presented by Md. Abdullah Al Naser Page # 25
26 Route Leaks Presented by Md. Abdullah Al Naser Page # 26
27 Route Leaks Presented by Md. Abdullah Al Naser Page # 27
28 Route Leaks Presented by Md. Abdullah Al Naser Page # 28
29 Route Leaks Presented by Md. Abdullah Al Naser Page # 29
30 Route Leaks Presented by Md. Abdullah Al Naser Page # 30
31 Route Leaks Presented by Md. Abdullah Al Naser Page # 31
32 Route Leaks Presented by Md. Abdullah Al Naser Page # 32
33 Route Leaks Presented by Md. Abdullah Al Naser Page # 33
34 Route Leaks Solution: Outbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 34
35 Route Leaks Solution: Outbound Prefix Filtering Presented by Md. Abdullah Al Naser Page # 35
36 Control Plane vs Data Plane Security Control Plane Prefix filtering can protect your BGP Table/control plane ROA/RPKI can also be used to protect control plane Data Plane But what about if anyone sends packets with spoofed source IP address? Source address validation should be there to deal with that!! Presented by Md. Abdullah Al Naser Page # 36
37 IP Address Spoofing IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin Put simply, the host pretends to be some other host Normally when your router receives unicast IP packets it only cares about one thing: What is the destination IP address of this IP packet so I can forward it? Presented by Md. Abdullah Al Naser Page # 37
38 IP Address Spoofing Presented by Md. Abdullah Al Naser Page # 38
39 IP Address Spoofing Presented by Md. Abdullah Al Naser Page # 39
40 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 40
41 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 41
42 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 42
43 IP Address Spoofing (Sample Attack) Presented by Md. Abdullah Al Naser Page # 43
44 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 44
45 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 45
46 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 46
47 IP Address Spoofing Implications Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack Presented by Md. Abdullah Al Naser Page # 47
48 IP Address Spoofing Implications DDoS Amplification is achieved by small queries resulting in much larger responses Open DNS resolvers, NTP servers and Memcache are commonly used as reflectors/amplifiers IP Spoofing can be more destructive if a valid TCP session is hijacked Presented by Md. Abdullah Al Naser Page # 48
49 IP Address Spoofing Implications Significant DoS attacks are costing Service Providers These costs hurt the brand, damage customer operations, and have collateral operational/cost impact on other customers Presented by Md. Abdullah Al Naser Page # 49
50 Spoofing Tools Spoofing Tools nping (available in Zenmap and other tools) synner kali linux (popular to pen testers) even IP Spoofing can be done from Windows CMD Presented by Md. Abdullah Al Naser Page # 50
51 Anti-Spoofing Anti-Spoofing DDoS Reflection-Amplification attacks would be impossible without spoofing however, they are preventable Implementing anti-spoofing filtering to prevent packets with incorrect source IP address from entering the network Presented by Md. Abdullah Al Naser Page # 51
52 Anti-Spoofing Anti-Spoofing Techniques Ingress Packet Filtering unicast Reverse Path Forwarding Presented by Md. Abdullah Al Naser Page # 52
53 Anti-Spoofing Anti-Spoofing Techniques Considerations Identify points/devices in the network topology where anti-spoofing measures should be applied Identify adequate techniques to be used (for example, urpf, or filtering) Apply configuration commands Verify that the protection works Presented by Md. Abdullah Al Naser Page # 53
54 Anti-Spoofing Anti-Spoofing Techniques To prevent source IP address spoofing, it's recommended to implement Ingress Filtering methods which include: Ingress Filtering, urpf etc Presented by Md. Abdullah Al Naser Page # 54
55 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering Presented by Md. Abdullah Al Naser Page # 55
56 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering Presented by Md. Abdullah Al Naser Page # 56
57 Anti-Spoofing Anti-Spoofing Techniques - Ingress Packet Filtering /ip firewall filter add action=drop chain=forward \ comment="spoofed from AS64501 \ in-interface=$interface log-prefix=" \ src-address=! /24 /ipv6 firewall filter add action=drop chain=forward\ comment="spoofed from AS64501 \ in-interface=$interface log-prefix=" \ src-address=!2001:db8:1001::/48 Presented by Md. Abdullah Al Naser Page # 57
58 urpf Anti-Spoofing Techniques - urpf urpf is a security feature that prevents these spoofing attacks. Whenever your router receives an IP packet it will check if it has a matching entry in the routing table for the source IP address. If it doesn t match, the packet will be discarded urpf as defined in RFC 3704 urpf is often implemented on the edges of the networks where customers, servers, and/or clients are connected Presented by Md. Abdullah Al Naser Page # 58
59 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 59
60 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 60
61 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 61
62 urpf Anti-Spoofing Techniques - urpf Presented by Md. Abdullah Al Naser Page # 62
63 urpf There are four modes for urpf: Loose Mode Strict Mode Feasible Mode VRF Mode MikroTik supports Loose Mode and Strict Mode For single-homed stub customers, it's recommended that urpf strict mode is implemented For dual-homed stub customers, it is best to use urpf feasible mode instead Presented by Md. Abdullah Al Naser Page # 63
64 urpf urpf Strict Mode In Strict mode router will perform two checks: 1. Do I have a matching entry for the source in the routing table? 2. Do I use the same interface to reach this source as where I received this packet on? Presented by Md. Abdullah Al Naser Page # 64
65 urpf urpf Strict Mode When the incoming IP packets passes both checks, it will be permitted. Otherwise it will be dropped. This is perfectly fine for IGP routing protocols since they use the shortest path to the source of IP packets. Presented by Md. Abdullah Al Naser Page # 65
66 urpf urpf Strict Mode Presented by Md. Abdullah Al Naser Page # 66
67 urpf urpf Loose Mode In Loose mode router will perform only single check: 1. Do I have a matching entry for the source in the routing table? Presented by Md. Abdullah Al Naser Page # 67
68 urpf urpf Loose Mode When it passed this check, the packet is permitted. It doesn t matter if we use this interface to reach the source or not. Loose mode is useful when you are connected to more than one ISP and you use asymmetric routing. Presented by Md. Abdullah Al Naser Page # 68
69 urpf Anti-Spoofing Techniques urpf /ip settings set rp-filter=strict Or /ip settings set rp-filter=loose Presented by Md. Abdullah Al Naser Page # 69
70 Recap To Keep Internet Routing Secure Presented by Md. Abdullah Al Naser Page # 70
71 Recap Filtering In order to prevent propagation of incorrect routing information, network operators must ensure the correctness of their own announcements, and announcements from their customers to adjacent networks with prefix and AS-path granularity. Presented by Md. Abdullah Al Naser Page # 71
72 Recap Anti-Spoofing In order to prevent traffic with spoofed source IP addresses, network operators must enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure. Presented by Md. Abdullah Al Naser Page # 72
73 Acknowledgement Rene Molenaar MANRS MikroTik Wiki Presented by Md. Abdullah Al Naser Page # 73
74 Keep Internet Secure Thank You
Contents. Configuring urpf 1
Contents Configuring urpf 1 Overview 1 urpf check modes 1 Features 1 urpf operation 2 Network application 3 Configuration procedure 4 Displaying and maintaining urpf 4 urpf configuration example 4 Configuring
More informationData Plane Protection. The googles they do nothing.
Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.
More informationCollective responsibility for security and resilience of the global routing system
Collective responsibility for security and resilience of the global routing system Phil Roberts roberts@isoc.org Andrei Robachevsky www.internetsociety.org Let us look at the problem
More informationCollective responsibility for security and resilience of the global routing system
Collective responsibility for security and resilience of the global routing system Andrei Robachevsky www.internetsociety.org Let us look at the problem first BGP is based on trust
More informationPrevent DoS using IP source address spoofing
Prevent DoS using IP source address spoofing MATSUZAKI maz Yoshinobu 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 1 ip spoofing creation of IP packets with source addresses
More informationR&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell
R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview
More informationDDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,
DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG, München DECIX/ECO security event, 04.12.14, Frankfurt Agenda what are IP reflection attacks? why are they so effective
More informationEnhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01
Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01 K. Sriram and D. Montgomery OPSEC Working Group Meeting, IETF-99 July 2017 Acknowledgements: The authors are
More informationUnicast Reverse Path Forwarding Loose Mode
The feature creates a new option for Unicast Reverse Path Forwarding (Unicast RPF), providing a scalable anti-spoofing mechanism suitable for use in multihome network scenarios. This mechanism is especially
More informationRouting Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security
Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and
More informationSpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt
SpaceNet AG Internet Business Produkte für den Mittelstand Produkt- und Firmenpräsentation DENOG6, 20.11.14, Darmstadt DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG,
More informationNetwork Infrastructure Filtering at the border. stole slides from Fakrul Alam
Network Infrastructure Filtering at the border maz@iij.ad.jp stole slides from Fakrul Alam fakrul@bdhbu.com Acknowledgement Original slides prepared by Merike Kaeo What we have in network? Router Switch
More informationRemember Extension Headers?
IPv6 Security 1 Remember Extension Headers? IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header Allows adding new features to IPv6 protocol without major re-engineering
More informationRouting and router security in an operator environment
DD2495 p4 2011 Routing and router security in an operator environment Olof Hagsand KTH CSC 1 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationNetwork Policy Enforcement
CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous
More informationRouting Is At Risk. Let's Secure It Together. Andrei Robachevsky 1
Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17
More informationMutually Agreed Norms for Routing Security NAME
Mutually Agreed Norms for Routing Security NAME EMAIL The Problem A Routing Security Overview 2 Routing Incidents are Increasing In 2017 alone, 14,000 routing outages or attacks such as hijacking, leaks,
More informationMANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui
MANRS Mutually Agreed Norms for Routing Security Aftab Siddiqui siddiqui@isoc.org The Problem A Routing Security Overview 2 Routing Incidents are Increasing In 2017 alone, 14,000 routing outages or attacks
More informationRouting Security We can do better!
Routing Security We can do better! And how MANRS can help Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 90 60 Hijack Leak 30 0 1/5/17 1/16/17 1/27/17
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationDistributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationMANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!
15 October 2018 Internet2 Technology Exchange MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together! Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org
More informationSecurity Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)
Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest 16.5.1 (Cisco ASR 920) First Published: 2017-05-06 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San
More informationRouting Is At Risk. Let's Secure It Together. Andrei Robachevsky 1
Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17
More informationMANRS. Mutually Agreed Norms for Routing Security. Jan Žorž
MANRS Mutually Agreed Norms for Routing Security Jan Žorž The Problem A Routing Security Overview 2 No Day Without an Incident http://bgpstream.com/ 3 Routing Incidents Cause Real World
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationSecurity Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)
Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series) First Published: 2017-12-24 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San
More informationW is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation
W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationBGP101. Howard C. Berkowitz. (703)
BGP101 Howard C. Berkowitz hcb@clark.net (703)998-5819 What is the Problem to be Solved? Just configuring the protocol? Participating in the Internet and/or running Virtual Private Networks A Life Cycle
More informationSecuring Networks with MikroTik Router OS
Securing Networks with MikroTik Router OS Zagreb,Croatia, March 14 th 2013 Presenter Tom Smyth CTO Wireless Connect Ltd. http://wirelessconnect.eu/ Copyright 2007-2013 1 Wireless Connect Ltd. Irish Company
More informationThe Spoofer Project Inferring the Extent of Source Address Filtering on the Internet
The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu The Spoofer Project Goal: Quantify the extent and nature of source
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationDenial of Service Protection Standardize Defense or Loose the War
Denial of Service Protection Standardize Defense or Loose the War ETSI : the threats, risk and opportunities 16th and 17th - Sophia-Antipolis, France By: Emir@cw.net Arslanagic Head of Security Engineering
More informationShim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI
Shim6: Network Operator Concerns Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI Not Currently Supporting IPv6? Many parties are going forward with IPv6 Japan
More informationConnecting to a Service Provider Using External BGP
Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting
More informationMANRS Mutually Agreed Norms for Routing Security
27 March 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell meynell@isoc.org Presentation title Client name Internet Society 1992 2016 1 The Problem A Routing Security Overview 2 The Basics:
More informationTDC 375 Network Protocols TDC 563 P&T for Data Networks
TDC 375 Network Protocols TDC 563 P&T for Data Networks Routing Threats TDC 375/563 Spring 2013/14 John Kristoff DePaul University 1 One of two critical systems Routing (BGP) and naming (DNS) are by far
More informationInterdomain routing CSCI 466: Networks Keith Vertanen Fall 2011
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing
More informationInternet Routing Basics
Internet Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port
More informationGlobal Information Assurance Certification Paper
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without
More informationSecurity in an IPv6 World Myth & Reality
Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann MYTH: IPv6 Has Security Designed In MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4
More informationThe routing challenges in IPv6 DoS mitigation. David Freedman Claranet IPv6 Security Workshop July 2017
The routing challenges in IPv6 DoS mitigation David Freedman Claranet IPv6 Security Workshop July 2017 This talk is about Using routing to steer or block traffic. This talk is not about What you do with
More informationService Provider Multihoming
BGP Traffic Engineering Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic? Transit ISPs strive to balance traffic flows in both directions
More informationIPv6 Commands: ipv6 su to m
ipv6 summary-address eigrp, on page 3 ipv6 tacacs source-interface, on page 4 ipv6 traffic interface-statistics, on page 5 ipv6 traffic-filter, on page 6 ipv6 unicast-routing, on page 8 ipv6 unnumbered,
More informationMobile IP. Mobile IP 1
Mobile IP Mobile IP 1 Motivation for Mobile IP Routing based on IP destination address, network prefix (e.g. 129.13.42) determines physical subnet change of physical subnet implies change of IP address
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationUDP-based Amplification Attacks and its Mitigations
UDP-based Amplification Attacks and its Mitigations Yoshiaki Kasahara kasahara@nc.kyushu-u.ac.jp 1/21/2014 APAN 37th in Bandung, Indonesia 1 Summary If you have servers with global IP addresses 1. Make
More informationInternet Routing with MANRS
Internet Routing with MANRS Executive Summary By Fred Baker The Internet as we know it is approximately 35 years old. The Border Gateway Protocol (BGP), the primary backbone routing protocol, was designed
More informationSecuring network infrastructure
Securing network infrastructure Matsuzaki maz Yoshinobu maz@iij.ad.jp 1 Our Goals Ensuring Network Availability Controlling Routing Policy Protecting Information Preventing Misuse Mitigating
More informationConfiguring IP Version 6
CHAPTER 24 Configuring IP Version 6 Internet Protocol version 6 (IPv6), formerly called IPng (next generation), is the latest version of IP. IPv6 offers many advantages over the previous version of IP,
More informationRouting Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols
Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0
More informationWorking together to improve routing security for all
Working together to improve routing security for all The MANRS IXP Programme Andrei Robachevsky manrs@isoc.org 1 Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter
More informationBGP Security. Kevin s Attic for Security Research
Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks
More informationRouting Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing
Routing Concepts IPv4 Routing Routing Basics ISP/IXP Workshops Forwarding Some definitions Policy options Routing Protocols 1 2 IPv4 IPv4 address format Internet uses IPv4 addresses are 32 bits long range
More informationChapter 7 LAN Configuration
Chapter 7 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless ADSL Modem VPN Firewall Router. These features can be found by selecting Network Configuration
More informationService Provider Multihoming
Service Provider Multihoming BGP Traffic Engineering 1 Service Provider Multihoming Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic?
More informationImproving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center
Improving DNS Security and Resiliency Carlos Vicente Network Startup Resource Center Threats to DNS Server crashes Server compromise Denial of service attacks Amplification attacks Cache poisoning Targeted
More informationSoftware Systems for Surveying Spoofing Susceptibility
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ NANOG68, October 18th 2016 www.caida.o
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationWhy Firewalls? Firewall Characteristics
Why Firewalls? Firewalls are effective to: Protect local systems. Protect network-based security threats. Provide secured and controlled access to Internet. Provide restricted and controlled access from
More informationMemcached amplification: lessons learned. Artyom Gavrichenkov
Memcached amplification: lessons learned Artyom Gavrichenkov 1.7 Typical amplification attack Most servers on the Internet send more data to a client than they receive UDP-based servers
More informationIntroduction. Keith Barker, CCIE #6783. YouTube - Keith6783.
Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -
More informationSECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann
SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper
More informationConfiguring Unicast Reverse Path Forwarding
Configuring Unicast Reverse Path Forwarding This chapter describes the Unicast Reverse Path Forwarding (Unicast RPF) feature. The Unicast RPF feature helps to mitigate problems that are caused by malformed
More informationIntranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security
IP numbers and Hosts Intranets CSC362, Information Security i. IP numbers denote interfaces rather than entities ii. a single router can connect several different networks iii. a single interface can be
More informationSoftware Defined Networking
Software Defined Networking Daniel Zappala CS 460 Computer Networking Brigham Young University Proliferation of Middleboxes 2/16 a router that manipulatees traffic rather than just forwarding it NAT rewrite
More informationUsing MSDP to Interconnect Multiple PIM-SM Domains
Using MSDP to Interconnect Multiple PIM-SM Domains This module describes the tasks associated with using Multicast Source Discovery Protocol (MSDP) to interconnect multiple Protocol Independent Multicast
More informationConfigure SR-TE Policies
This module provides information about segment routing for traffic engineering (SR-TE) policies, how to configure SR-TE policies, and how to steer traffic into an SR-TE policy. About SR-TE Policies, page
More informationEIGRP Support for Route Map Filtering
The feature enables Enhanced Interior Gateway Routing Protocol (EIGRP) to interoperate with other protocols to leverage additional routing functionality by filtering inbound and outbound traffic based
More informationImplementing Cisco IP Routing E-Learning
Implementing Cisco IP Routing E-Learning Duration: 1 Day Course Code: E-ROUTE Overview: In this course, administrators of medium-to-large network sites will learn to use advanced routing to provide scalability
More informationNetwork Security: Network Flooding. Seungwon Shin GSIS, KAIST
Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way
More informationMultihoming with BGP and NAT
Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2
More informationSJTU 2018 Fall Computer Networking. Wireless Communication
SJTU 2018 Fall Computer Networking 1 Wireless Communication Internet Protocol Stack 2 Application: supporting network applications - FTP, SMTP, HTTP Transport: data transfer between processes - TCP, UDP
More informationMigrating from OSPF to IS-IS
Migrating from OSPF to IS-IS ISP Workshops Last updated 25 th August 2015 1 Introduction p With the advent of IPv6 and dual stack networks, more ISPs expressing interest to migrate to IS-IS n Migration
More informationnetwork security cs642 computer security adam everspaugh
network security cs642 computer security adam everspaugh ace@cs.wisc.edu today Reminder: HW3 due in one week: April 18, 2016 CIDR addressing Border Gateway Protocol Network reconnaissance via nmap Idle
More informationInterdomain Routing Design for MobilityFirst
Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network
More informationLecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015
Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST IT Certification Guaranteed, The Easy Way \ http://www.pass4test.com We offer free update service for one year Exam : 642-691 Title : CCIP BGP + MPLS Exam (BGP + MPLS) Vendors : Cisco Version
More informationBGP Named Community Lists
The feature allows the network operator to assign meaningful names to community lists and increases the number of community lists that can be configured. Finding Feature Information, page 1 Information
More informationConfiguring Advanced Firewall Settings
Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule
More informationChapter 10: Denial-of-Services
Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different
More informationThreat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:
Threat Pragmatics 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: Issue Date: Revision: 1 Target Many sorts of targets: Network infrastructure Network services Application services User
More informationUnit 4: Firewalls (I)
Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is
More informationFlashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities
Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience
More informationMulticast operational concerns
Multicast operational concerns John Kristoff jtk@northwestern.edu http://aharp.ittns.northwestern.edu +1 847 467 5878 Northwestern University Evanston, IL 60208 DPU CTI Seminar John Kristoff Northwestern
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What
More informationIPv6 Bootcamp Course (5 Days)
IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain
More informationChapter 3 LAN Configuration
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections
More informationInternet Protocols Fall Lectures Inter-domain routing, mobility support, multicast routing Andreas Terzis
Internet Protocols Fall 2006 Lectures 11-12 Inter-domain routing, mobility support, multicast routing Andreas Terzis Outline Inter-domain Internet Routing BGP Routing for mobile nodes Multicast routing
More informationMANRS Mutually Agreed Norms for Routing Security
6 July 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org Presentation title Client name Internet Society 1992 2018 1 The Problem
More informationC. The ESP that is installed in the Cisco ASR 1006 Router does not support SSO.
Volume: 197 Questions Question No : 1 SSO was configured on a Cisco ASR 1006 Router by using two RPs. When the main RP failed, a service disruption occurred. What are two reasons that the SSO did not work?
More informationSecurity)Track) NANOG)65)
Security)Track) NANOG)65) BGPStream) Nanog65) Andree)Toonk) andree@bgpmon.net) ) BGPStream) ) ) Ques%ons(we d(like(to(answer( Someone&hijacked&my&Prefix!& ) & &Now&what?&Was&it&targeted?&Were&others&affected&as&
More informationCustomer IPv6 Delivery
Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations
More informationBack to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)
Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port numbers
More information