Detecting routing anomalies using RIPE Atlas

Similar documents
Detecting routing anomalies with RIPE Atlas

RIPE NCC Technical Services. Kaveh Ranjbar, Chief Information Officer

RIPE Labs Operator Tools, Ideas, Analysis

Update from the RIPE NCC

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

Introduction to Computer Networks

RIPE Atlas Intro & Use Cases

RIPE Atlas. Philip Smith Network Startup Resource Center (NSRC) PacNOG th July 2014, Port Vila, Vanuatu

RIPE Atlas. Measuring the Internet

Security in inter-domain routing

BGP Origin Validation

RIPE Atlas Update. Robert Kisteleki RIPE NCC

Data and measurement tools from the RIPE NCC. Robert Kisteleki RIPE NCC R&D

RIPE NCC Update. Nathalie Trenaman 19 April 2017 IPv6 Council - Belgium

RIPE NCC Measurements and Tools Training Course

RIPE NCC Measurements And Tools

RIPE NCC Measurements Tools Workshop. Amsterdam September 2014

RIPE Atlas. Global Internet Measurement Network March 2016 MENOG 16, Istanbul

Life After IPv4 Depletion

BGP Support for 4-byte ASN

What s new at the RIPE NCC?

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

RIPE Atlas for Network Operators

RIPE NCC Measurements and Tools Training Course

Introduction to IP Routing. Geoff Huston

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

RIPE NCC Services & Activities

Routing and router security in an operator environment

Routing Security We can do better!

Achieving scale: Large scale active measurements from PlanetLab

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. May 3rd, 2005 RIPE 50, Stockholm, SE

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Locating Prefix Hijackers using LOCK

Platforms for network experimentation

RIPE NCC Technical Services

Introduction to BGP. ISP/IXP Workshops

Internet Numbers Introduction to the RIR System

Region-based BGP Announcement Filtering for Improved BGP Security

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. January 27th, 2004 RIPE 47, Amsterdam

StrobeLight: Lightweight Availability Mapping and Anomaly Detection. James Mickens, John Douceur, Bill Bolosky Brian Noble

Internet Routing Protocols Lecture 03 Inter-domain Routing

3/10/2011. Copyright Link Technologies, Inc.

Real-time Blackhole Analysis with Hubble

Accurate Real-time Identification of IP Hijacking

Analysis of Country-wide Internet Outages Caused by Censorship

Computer Networks ICS 651. IP Routing RIP OSPF BGP MPLS Internet Control Message Protocol IP Path MTU Discovery

A FRAMEWORK FOR DEFENDING AGAINST PREFIX HIJACK ATTACKS. A Thesis KRISHNA CHAITANYA TADI

Multi-Lateral Peering Agreement

COMP/ELEC 429 Introduction to Computer Networks

RIPE Atlas. Viktor Naumov R&D Software Engineer

CS4700/CS5700 Fundamentals of Computer Networks

RIPE Atlas. Christopher Amin 14 November 2017 WTIS-17

Inter-domain Routing(BGP) Security [IP Prefix Hijacking] Akmal Khan

Just give me a button!

Rocky Mountain IPv6 Summit April 9, 2008

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

6.829 BGP Recitation. Rob Beverly September 29, Addressing and Assignment

New Developments in Address Policy and Community Tools


Dynamics of Hot-Potato Routing in IP Networks

BGP and the Internet. Enterprise Multihoming. Enterprise Multihoming. Medium/Large ISP Multihoming. Enterprise Multihoming. Enterprise Multihoming

Important Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP)

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

On the State of the Inter-domain and Intra-domain Routing Security

internet technologies and standards

ICS 451: Today's plan

IPv6 Pollution Traffic Analysis

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing:

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

RIPE NCC Routing Information Service (RIS)

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

IPv4/IPv6 BGP Routing Workshop. Organized by:

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Why dynamic route? (1)

BGP. BGP Overview. BGP Operation. BGP Neighbors

The information in this document is based on Cisco IOS Software Release 15.4 version.

VisTracer: A Visual Analytics Tool to Investigate Routing Anomalies in Traceroutes

Evaluation of BGP Anomaly Detection and Robustness Algorithms

Border Gateway Protocol (an introduction) Karst Koymans. Monday, March 10, 2014

Secure Routing with RPKI. APNIC44 Security Workshop

Routing Protocols of IGP. Koji OKAMURA Kyushu University, Japan

Introduction to exterior routing. Autonomous Systems

Collective responsibility for security and resilience of the global routing system

32-bit ASNs. Greg Hankins Chris Malayter APRICOT 2009 APRICOT /02/25

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Inter-Domain Routing: BGP

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Some Thoughts on Integrity in Routing

News from RIPE and RIPE NCC

IPv4 depletion & IPv6 deployment in the RIPE NCC service region. Kjell Leknes - June 2010

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. September 3, 2003 RIPE 46, Amsterdam

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

The Impact of Router Outages on the AS-Level Internet

BGP Multihoming ISP/IXP Workshops

Routing Basics. SANOG July, 2017 Gurgaon, INDIA

The Internet Ecosystem

RIPE NCC Tools. Christian Teuschel & Mirjam Kühne

Securing BGP Networks using Consistent Check Algorithm

Transcription:

Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics University of Amsterdam Wednesday, February 5, 2014 Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 1 / 17

What are routing anomalies? Introduction What are routing anomalies? Incapability of packet delivery to legitimate destinations Delivery of packets to a wrong destination Why do they occur? Out of innocent mis-configurations or bugs Government spying or Internet censorship Malicious attackers seeking blackholing, impersonation, interception Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 2 / 17

What is used to detect such anomalies? Introduction Interior gateway protocol (IGP) environments: All data is under the same administrative control Core tools: ping, traceroute, dig Other tools: Icinga, Nagios Exterior Gateway protocol (EGP) environments: Datasets part of different administrative domains Regional Internet Registries (RIR) Remote Route Collectors(RRC), formerly RouteViews RIR Internet numbering assignments datasets Internet Routing Registry (IRR) - RIPE NCC, NTT, Level3, Merit network Tools: Cyclops, PHAS, ARGUS Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 3 / 17

Research questions Introduction Main Is it possible to detect filtering, MitM(Man-in-the-Middle) routing attacks, eavesdropping or simply routing policy changes by using RIPE Atlas s historical archives or by using newly-defined active measurements? What other datasets are needed to complement data obtained from RIPE Atlas in the process of accurately detecting the aforementioned Internet routing anomalies? Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 4 / 17

RIPE Atlas system specification The largest Internet measurement network Public access, everyone can use every probe More than 4800 probes Latest probes are TP-LINK TL-MR3020 1901 IPv4 ASNs covered (4.125%) 139 countries covered (68.137%) Centralized reservation, scheduling and storage of measurements IPv4/6 Measurement tools ping traceroute dig openssl curl(upcoming) Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 5 / 17

RIPE Atlas system specification GUI for easy usage REST API for robust probe selection and measurement specification Automatic alerts for ongoing measurement (upcoming) Usage limitations - measurements cost credits (hosting probes generate) No more than 175K credits per day Max. 500 probes per measurement No more than 10 ongoing UDMs towards the same target Delay in reserving probes and starting measurements Slight offset in a measurements interval Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 6 / 17

Experiment 1 partial results Internet censorship DNS blocking Traffic blackholing Experiment specification Determine blocking of torrent and news websites - ThePiratebay, TorrentFreak, LiveJournal Approximately 1800 EU probes from unique prefixes used No results with local resolvers considered Traceroute(ICMP echo) to URL Experiment detection mechanisms DNS IN A record does not match ip/prefix of website Probe IP, DNS server IP and last-hop IP are from the same ASN Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 7 / 17

Experiment 1 ThePirateBay.org filtering Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 8 / 17

Experiment 2: De-bogonising address space ranges De-bogonised IP ranges - previously reserved IPv4 ranges get released and distributed by IANA to RIRs for further assignment RIRs first launch debogon projects Control-plane implication analysis: BGP beacons Data-plane implication analysis: background radiation monitoring Latest(and last) distributed /8 IPv4 ranges in 2011: APNIC - [36, 39, 42, 49, 101, 103, 106]/8 RIPE NCC - 185/8 Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 9 / 17

Experiment 2: De-bogonising address space ranges Experiment setup Approximately 3100 world-wide probes used from unique prefixes Ping as measurement Each probes pings both the de-bogonised prefix and another prefix from the same ASN and geo location 12 hours scanning of single, currently announced subprefix Subprefixes still advertised by RIRs ASNs with provided pingable targets Pings 20 minute apart from each probe to target prefix Pings 60 minute apart from each probe to reference point Successful reachability test: At least one ping reply from host in de-bogonised range At lest one ping reply from reference host Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 10 / 17

Experiment 2a partial results Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 11 / 17

Prefix hijacking detection Discarded measurements Each test had 28-115 probes incapable of reaching either host Type 3 replies filtered (if in one set, removed from both) Type 0, 11 considered Results - probes incapable of reaching de-bogonised prefix 103.1.0.0/22: Probe 12007 (AS45050 HI-MEDIA France) 128.0.0.0/16: None! 185.1.0.1/24: Probe 12007 185.2.136.0/22: Probes 156 (AS51127 LNET-AS GER), 12007 185.24.0.1/24: Probes 156, 3892 (AS50473 ECO-AS RU), 4532 (ASN2818 BBC UK), 12007 Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 12 / 17

Prefix hijacking Falsifying BGP advertisements with the purpose of establishing blackholing, imposture or interception for a given prefix. BGP MOAS or submoas conflicts for AS PATH advertisements with invalid origin No MOAS or submoas as invalid transit Keeping a valid route to original prefix destination forms a MitM attack! Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 13 / 17

Prefix hijacking Data-plane detection Monitoring network location Measuring path disagreement with traceroute to target prefix and a reference point Best detection systems use a hybrid approach by correlating control- and data-plane monitoring With data-usage limitations, one really needs to know what to look for Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 14 / 17

Experimet 3: Prefix hijacking Experiment setup Monitored prefix: OS3 Traceroute measurement Approximately 1200 world-wide probes from unique ASNs used Unique ASNs ASNn not part of SURFnet s immediate peers Reference point OS3 BSR SURFnet uplink neighbor Hijack simulation: own home probe with more-specific static routes Experiment results: data sufficient to detect both network location change and path disagreement Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 15 / 17

Conclusion RIPE Atlas is a robust tool for measuring network anomalies Combined with other RIPEStat data, sophisticated vantage point selection is possible Large-scale measurement ease of use Large-scale measurement scheduling does not suffer too big offsets/delays The credit limitations of the system simply makes impossible certain tasks Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 16 / 17

Questions Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 17 / 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback