Routing and router security in an operator environment

DD2495 p4 2011
Routing and router security in an operator environment
Olof Hagsand, KTH CSC

Router lab objectives
- A network operator (e.g. an ISP) needs to secure itself, its customers and its neighbors from attacks.
- Most attacks originate in end-hosts, most notably Windows PCs.
- The attacks are usually against single hosts or servers. These attacks often consume bandwidth and are normally not a problem for the operators themselves, since most operators have wire-speed routers and it is difficult to generate that much bandwidth. But an operator may want to protect its customers.
- Attacks can also be directed against the infrastructure itself, such as the control plane of the router. The effects of such attacks may be disastrous.
- Operators also do not want to originate attacks; attacks may be based in their own customers.

Attack traffic (figure from Arbor Networks, www.arbornetworks.com, 2009; not reproduced in the transcription)

Routing failures by mistake
- AS7007 incident (1997): one router in AS7007 deaggregated all Internet routes into /24s and announced all of them with itself as origin.
- AS9121 incident (2004): more than 100000 /24 routes announced to the upstreams.
- YouTube incident (2008): instead of blocking YouTube, all YouTube prefixes were announced to the Internet (next slide).

TCP attacks
- Since BGP uses TCP for peering, BGP is sensitive to TCP attacks.
- RST injection causes the peering session to terminate.
- SYN floods may cause denial of service due to overload.
- TCP sequence prediction attack: guessing the next sequence number can be used to inject false data.
- Protection: protect the peering physically, TTL checks, authentication with MD5 or IPsec.

Indirect attacks
- Since the BGP peering runs on the same link as the data traffic, an overloaded link may bring the BGP peering down. Examples where this has happened: SQL Slammer, Nimda, large-scale DoS attacks.
- One can also send a large number of packets to the control plane (see next slide):
  - packets directed at the route processor, e.g. terminating traffic (destined to the router)
  - packets with novel functionality that is handled by the RP only (e.g. IPv6)
- You need to filter traffic to the RP: rate-limit it, and identify which traffic the router actually requires, e.g. ssh/bgp/is-is.
- Set firewall filters for terminating traffic. In Juniper this is done by filtering on the loopback interface (lo0).

Fast path, slow path (figure)
- Control processor: CPU, memory, routing table (slow path)
- Line cards: fast path, when the line cards can determine the outgoing port themselves
- Slow path: the control processor must determine the outgoing port

Route filtering
- Route filtering: examine all imported/exported routes and apply policies on which routes are imported and announced. Typically done at the edges of a network: towards customers or peers.
- Never run your internal routing protocol on interfaces where there may be external nodes, so that the IGP cannot be compromised by false routes.
- Egress filtering: don't give transit by mistake.
- Ingress filtering: check the validity of received routes, e.g. against registries such as RIPE (but these are not always up to date).
- Combine with traffic/packet filters (ACLs): only accept packets with source addresses matching the announced prefixes.
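An added Junos example (not from the slides or the lab handout) showing the ingress and egress route filters this slide describes, for lab group X=1: it assumes the customer is AS65011 with registered block 10.1.0.0/16 and neighbor address 10.1.255.2, that the operator's own block is 192.168.1.0/24, and that the transit provider is AS65000 at 192.71.24.33; all of these are constructed values.

```junos
policy-options {
    /* Constructed for X=1: routes this operator may announce upstream,
       i.e. its own block and the customer's registered block */
    prefix-list own-and-customer-routes { 192.168.1.0/24; 10.1.0.0/16; }
    policy-statement import-from-as65011 {
        /* Accept the registered block and sub-prefixes up to /24; a flood of
           more-specifics (cf. AS7007) or anybody else's space is rejected */
        term registered {
            from { route-filter 10.1.0.0/16 upto /24; }
            then accept;
        }
        term deny-rest { then reject; }
    }
    policy-statement export-to-transit {
        /* Egress filter: never give transit by mistake. Routes learnt from
           peers or the transit provider never match and are not re-announced */
        term own-routes {
            from { prefix-list-filter own-and-customer-routes orlonger; }
            then accept;
        }
        term deny-rest { then reject; }
    }
}
protocols {
    bgp {
        group customers {
            type external;
            neighbor 10.1.255.2 {
                peer-as 65011;
                import import-from-as65011;
                /* Hard cap: even if the import policy is edited wrongly, a
                   session sending far more routes than agreed is torn down */
                family inet {
                    unicast { prefix-limit { maximum 50; teardown 80 idle-timeout 30; } }
                }
            }
        }
        group transit {
            type external;
            neighbor 192.71.24.33 {
                peer-as 65000;
                export export-to-transit;
            }
        }
    }
}
```

Without an explicit export policy, Junos re-advertises every active BGP route to the transit peer, which is exactly how transit is given by mistake; the prefix-limit is the backstop against an AS7007/AS9121 style flood that the import policy alone would let through if it were misconfigured.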

Securing routing information within BGP
- But suppose a BGP router has been taken over by an attacker. How do you protect against falsified BGP information? BGP relies on mutual and 'transitive' trust.
- Attack forms:
  - Blackholing (malicious): announce a prefix to attract traffic and then drop it
  - Redirection: traffic to a destination is redirected to another (incorrect) destination
  - Subversion: force the traffic to pass through a specific link to eavesdrop on or modify the data, while it still reaches the original destination
  - Instability: successive advertisements and withdrawals trigger route flap damping
- Practical BGP, pages 343-370: "Beware of BGP attacks"

Attack method: prefix hijacking
- Announce false updates:
  - claim reachability of a prefix it does not have
  - claim it owns (originates) a prefix it does not own: Multiple Origin AS (MOAS)
- Prefix hijacking is limited by the connectivity and locality of the compromised router.

Example: prefix hijacking (figure with AS1, AS2, AS3, AS4, AS5, AS6 and the attacker A)
- A claims reachability to AS6 and ownership of the prefixes of AS6, but cannot affect routers in AS4 and AS6 (and AS5 and AS3 only to a certain degree).

AS graph and peering relations (figure)
- Tier 1 (full Internet connectivity): AS1, AS2
- Transit NSPs/ISPs: AS3, AS4, AS5, with peer relations among them
- Stubs/customers: AS6, AS7, AS8, AS9

Netsec lab topology (figure)
- Tier 1 core: 192.168.X.0/24; customers: 10.X.0.0/16
- Tier 1 (full Internet connectivity): AS65000.1, connected to RTX1 interface 0/0/1 on 192.71.24.32/27
- NSPs/ISPs: RTX1, RTX2, RTX3 and RTX4, interconnected via interfaces 1/0/0, 1/0/1 and 2/0/0 (see figure)
- Customers: AS650(X-1)1, AS650X1, AS650(X+1)1; customer X3

Juniper routers: J4300

The CLI
- See the intro material in the IP routing course: http://www.csc.kth.se/utbildning/kth/kurser/dd2490/ipro1-11/labs.php
  - The first lab (static) contains a CLI tutorial
  - The reference manual contains common commands
- Two major modes:
  - Operational mode: monitor and troubleshoot network connectivity, hardware
  - Configure mode: configuration of interfaces, routing protocols, authentication, logging, etc.
- Completion and query: as you would expect, <TAB> and <?>
- Line editing: Emacs operations: <ctrl-b>, <ctrl-f>, <ctrl-a>, <ctrl-e>, <ctrl-p>, <ctrl-n>, ...
- On-line help: help reference, help topic

Firewall configuration
- Applies to interfaces: in and out
- Identifies packets, instead of routes
- Filters on lo0 are for local traffic (traffic to the RE)
- All filters have an implicit deny rule!
- Example (figure: a router with its RE, lo0 and the interfaces eth-1/0/0 and eth-1/0/1; rule2 is not shown on the slide):

  interfaces {
      eth-1/0/0 {
          unit 0 {
              family inet {
                  filter {
                      input rule1;
                      output rule2;
                  }
              }
          }
      }
  }
  firewall {
      filter rule1 {
          term allow {
              from {
                  source-address {
                      192.168.0.0/16;
                      10.0.0.0/8;
                  }
              }
              then accept;
          }
          term reject {
              then {
                  log;
                  discard;
              }
          }
      }
  }

Firewall conditions and actions
Match conditions:
- destination-address, source-address, address
- destination-port, source-port, protocol, dscp, icmp-code, packet-length
- interface-group
- fragmentation-offset, fragment-flags, first-fragment, is-fragment, ip-options
- tcp-flags, tcp-established, tcp-initial
Actions:
- accept: accept the packet and send it to its destination
- discard: silent discard
- reject: drop and send an ICMP error message to the source
- alert: log an alert for the packet
- count: count the packets
- sample: sample traffic
- log/syslog: the packet header is logged
- output-queue: assign the packet to an output queue
- loss-priority: set the packet loss priority (PLP)
- policer: apply a policer (next slide)

Policers
- If a policer is associated with an interface, it rate-limits the traffic to adhere to a token bucket specifying an average bandwidth and a maximum burst size.
- When the threshold is exceeded, the traffic is either discarded, its loss priority is set, or it is placed in a specific output queue.
- Typical use: apply to lo0 to protect the RE
- Example:

  firewall {
      policer p500k {
          if-exceeding {
              bandwidth-limit 500k;
              burst-size-limit 50k;
          }
          then {
              discard;
          }
      }
  }

- Actions: discard, forwarding-class, loss-priority

Support ticket 1
One of your customers, Media Solutions LDT, is using your network for a local office. Their access router is RTX3. They have recently been experiencing network slowdowns and problems connecting over SSH. From time to time their downlink has been full. They suspect they might be under a DDoS attack and ask you to try to mitigate the attack.

SP1: Comments
- A customer is overwhelmed with traffic. You need to filter the traffic using firewall rules.
- Which traffic do you drop? You have to observe the traffic and create drop filters from the trace. Assistants can provide dumps for you.
- Where does the attack traffic come from? Hint: identify illegal traffic.
- Where do you apply the filters? Think about which parts of the network you want to protect.

Support ticket 2
You have recently been contacted by the transit provider you are connected to (i.e. the operator that provides the link to RTX1). There have been complaints about a large number of packets with invalid source addresses originating in your network. You are asked to solve this problem.

SP2: Comments
- The transit provider receives traffic with illegal source addresses.
- Extend (or add new) firewall rules.
- For traffic transmitted from your network, which source addresses are legal / illegal?
- Where do illegal source addresses come from?
- Where do you apply the filters?
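An added Junos example (not from the slides or the lab handout) of the source-address filter support ticket 2 asks for, for lab group X=1: it assumes the operator's own space is 192.168.1.0/24, its customer block is 10.1.0.0/16, the customer port on RTX3 is eth-1/0/1 and the transit port on RTX1 is eth-0/0/1; all of these are constructed values.

```junos
policy-options {
    /* Constructed for X=1: sources that may legitimately leave this network.
       The transit link prefix is included because the router's own BGP
       packets to the upstream would otherwise be discarded on output */
    prefix-list legal-sources {
        192.168.1.0/24;
        10.1.0.0/16;
        192.71.24.32/27;
    }
}
firewall {
    family inet {
        filter no-spoofed-sources {
            term legal {
                from { source-prefix-list { legal-sources; } }
                then accept;
            }
            /* Count and syslog what is dropped: the counter on each port
               tells you which customer the spoofed packets arrive from */
            term spoofed {
                then { count spoofed-sources; syslog; discard; }
            }
        }
    }
}
interfaces {
    /* Customer-facing port on RTX3 (interface name assumed): filter on
       input, as close to the source as possible */
    eth-1/0/1 {
        unit 0 {
            family inet { filter { input no-spoofed-sources; } }
        }
    }
    /* Defence in depth: the same filter on output towards the transit
       provider on RTX1 catches anything that slipped past a customer port */
    eth-0/0/1 {
        unit 0 {
            family inet { filter { output no-spoofed-sources; } }
        }
    }
}
```

On the customer port the same effect can be had with unicast RPF (`family inet { rpf-check; }`), which derives the legal sources from the routing table, but an explicit prefix list makes the rule visible and countable when you troubleshoot the ticket.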

Support ticket 3
There have recently been several attacks on our routers, both distributed DoS attacks and targeted attacks on various protocols on the routers, such as TCP reset attacks. To prevent new attacks we need to protect the routers. You have been given the task of designing and implementing a filter for the routing engines (reached through the loopback interface of a Juniper router).

SP3: Comments
- Routers are under attack.
- To protect the routing engine (main CPU): add input firewall filters on the loopback interface.
- Identify which traffic (e.g. protocols) you know the routers need: routing, ssh, ...
- Identify which sub-networks you want to access the routers from for control and management.
- Create firewall rules on lo0 that drop everything else.
- Also: rate-limit access traffic (but not routing).
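An added Junos example (not from the slides or the lab handout) of the loopback filter support ticket 3 asks for, which also shows the policer from the policer slide in use: it assumes BGP is the only routing protocol carried in IP (IS-IS runs directly over layer 2 and is not matched by a family inet filter), that the BGP neighbours are in 192.168.1.0/24, on the transit link 192.71.24.32/27 and at 10.1.255.2, and that management access comes from 192.168.1.0/24; all of these are constructed values.

```junos
policy-options {
    /* Constructed: the BGP neighbours of this router and the management
       subnet operators may ssh from */
    prefix-list bgp-peers { 192.168.1.0/24; 192.71.24.32/27; 10.1.255.2/32; }
    prefix-list management { 192.168.1.0/24; }
}
firewall {
    /* Token bucket as on the policer slide: 500 kbit/s average, 50 kbyte
       burst, excess discarded. Used for ssh and icmp, never for BGP */
    policer p500k {
        if-exceeding { bandwidth-limit 500k; burst-size-limit 50k; }
        then { discard; }
    }
    family inet {
        filter protect-re {
            /* BGP only from configured peers ('port' matches src or dst 179) */
            term bgp {
                from { source-prefix-list { bgp-peers; } protocol tcp; port bgp; }
                then accept;
            }
            /* ssh only from the management subnet, rate-limited so a SYN
               flood from there cannot saturate the RE either */
            term ssh {
                from { source-prefix-list { management; } protocol tcp; destination-port ssh; }
                then { policer p500k; accept; }
            }
            /* ping/traceroute stay useful but cannot flood the RE */
            term icmp {
                from { protocol icmp; }
                then { policer p500k; accept; }
            }
            /* The implicit deny made explicit, with a counter and log so that
               an attack (or a forgotten protocol) shows up in the statistics */
            term deny-rest {
                then { count re-dropped; log; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
}
```

Limiting BGP to the peer list drops RSTs spoofed from elsewhere but not ones forged with a peer's address, so the MD5 authentication or TTL checks from the TCP attacks slide are still needed. Any other service the router itself uses (NTP, DNS, an IGP carried in IP such as OSPF) needs its own term, or its packets fall into deny-rest.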