Illegitimate Source IP Addresses At Internet Exchange Points

Similar documents
The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

Software Systems for Surveying Spoofing Susceptibility


Software Systems for Surveying Spoofing Susceptibility

BGP Communities: A measurement study

Network Security. Thierry Sans

Network Policy Enforcement

Collective responsibility for security and resilience of the global routing system

Remember Extension Headers?

A Multi-Perspective Analysis of Carrier-Grade NAT Deployment

Security in inter-domain routing

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

Collective responsibility for security and resilience of the global routing system

Express or Local Lanes: On Assessing QoE over Private vs. Public Peering Links

Understanding the Share of IPv6 Traffic in a Dual-Stack ISP

Internet Noise: a tale of two subnets

Experience with SPM in IPv6

DDoS Defense Mechanisms for IXP Infrastructures

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Amaranth Networks Inc. Category: Best Current Practice May 2000

Using Loops Observed in Traceroute to Infer the Ability to Spoof

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering

Distributed Denial of Service (DDoS)

DDoS Protection in Backbone Networks Deployed at Trenka Informatik AG (

A Sampling of Internetwork Security Issues Involving IPv6

Peering at Peerings: On the Role of IXP Route Servers

Master Course Computer Networks IN2097

Back-Office Web Traffic on the Internet. IMC 2014 Vancouver, BC, CANADA November 5-7, 2014

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

IP Spoofer Project. Observations on four-years of data. Rob Beverly, Arthur Berger, Young Hyun.

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Imma Chargin Mah Lazer

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

Master Course Computer Networks IN2097

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Understanding IPv6 Internet Background Radia6on

Routing Security We can do better!

Mutually Agreed Norms for Routing Security NAME

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Security Issues of BGP in Complex Peering and Transit Networks

MANRS Mutually Agreed Norms for Routing Security

Internet Engineering Task Force (IETF) Request for Comments: 6441 BCP: 171 November 2011 Category: Best Current Practice ISSN:

Initial results from an IPv6 Darknet

Configuring Unicast Reverse Path Forwarding

Insights on IPv6 Security

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Traffic in Network /8. Background. Initial Experience. Geoff Huston George Michaelson APNIC R&D. April 2010

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Post IPv4 completion. Making IPv6 deployable incrementally by making it. Alain Durand

Practical everyday BGP filtering with AS_PATH filters: Peer Locking

Insights on IPv6 Security

DDoS Protection in Backbone Networks

Multihoming Techniques. bdnog8 May 4 8, 2018 Jashore, Bangladesh.

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

Authors: Rupa Krishnan, Harsha V. Madhyastha, Sridhar Srinivasan, Sushant Jain, Arvind Krishnamurthy, Thomas Anderson, Jie Gao

BGP Security. Kevin s Attic for Security Research

Request for Comments: 5569 Category: Informational January 2010 ISSN:

Security by BGP 101 Building distributed, BGP-based security system

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. September 3, 2003 RIPE 46, Amsterdam

BGP Configuration for a Transit ISP

Routing and router security in an operator environment

Check Point DDoS Protector Simple and Easy Mitigation

On the State of the Inter-domain and Intra-domain Routing Security

Simple Multihoming. ISP Workshops. Last updated 9 th December 2015

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Configuring IPv6 First-Hop Security

Network Defense Applications Using Stationary and Event-Driven IP Sinkholes

Advanced BGP using Route Reflectors

Customer IPv6 Delivery

On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Multicast operational concerns

IPv4/IPv6 BGP Routing Workshop. Organized by:

Data Plane Protection. The googles they do nothing.

network security s642 computer security adam everspaugh

BGP Routing Table Report

Advisory Guidelines for 6to4 Deployment

A Measurement Study of BGP Misconfiguration

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

TDC 375 Network Protocols TDC 563 P&T for Data Networks

GARR customer triggered blackholing

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Table of Contents. Cisco How NAT Works

Scaling Internet TV Content Delivery ALEX GUTARIN DIRECTOR OF ENGINEERING, NETFLIX

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Denial of Service Protection Standardize Defense or Loose the War

Control Plane Protection

Understanding the Internet

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Transcription:

Illegitimate Source IP Addresses At Internet Exchange Points @ DENOG8, Darmstadt Franziska Lichtblau, Florian Streibelt, Philipp Richter, Anja Feldmann 23.11.2016 Internet Network Architectures, TU Berlin www.inet.tu-berlin.de

Introduction

What are illegitimate source IP addresses? Packets with source addresses that are not valid within the scope of the public Internet. 1

What are illegitimate source IP addresses? Intentionally spoofed traffic Internal traffic leaked by mistake General misconfiguration, unknown Packets with source addresses that are not valid within the scope of the public Internet. 1

Why looking at illegitimate source IPs? Includes attack traffic (DoS, DDoS, ) Studying unwanted traffic can give insights to come up with mitigation strategies Potentially exposes information about internal infrastructure Utilizes (expensive) bandwidth 2

Illegitimate Traffic: Our Categories Bogon: RFC1918, IANA reserved, Multicast, Future Use, etc Unrouted: Source IP address is not announced in the global routing table Invalid: Traffic sent by a network that is not responsible for the corresponding prefix 3

What is BCP38? IETF - Best Current Practice document 38, RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Idea: Only allow traffic leaving your network with source adresses from legitimately advertised prefixes. 4

BCP38 In other words, if an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements. (RFC2827/BCP38) 5

What we do Previous studies like the Spoofer Project send probes to check for BCP38 compliance Our work is a passive approach to check for BCP38 deployment Provides insights about specific traffic volume and characteristics 6

Identifying Traffic

Identifying Bogon and Unrouted Bogon RFC1918, Multicast, Future Use, IANA reserved Unrouted Routing information: IXP Route Server, RIPE/RIS, RouteViews Compile a list of observed prefixes at all routing sources Ignored: Announcements larger than /8 and smaller than /24 Traffic with a source address which is covered by this list is of class Bogon Traffic with a source address which is not covered by this list is of class Unrouted 7

Routing Information We utilize as many data sources as possible to minimize false positives RIPE/RIS (14 collectors) RouteViews (16 collectors) Bogon/Martian prefix list as provided by Team Cymru 8

Bogon And Unrouted Overview Bogon Prefixes As defined in RFC1918 and RFC5737 2.3M /24 14% of the IPv4 address space Unrouted Prefixes 11.3M validly announce /24 (78% of the IPv4 address space) 3.16M unrouted /24 (excluding Bogon) Routed Unrouted Bogon 0.0 0.2 0.4 0.6 0.8 1.0 Fraction of total IPv4 space 9

AS specific: Identifying Invalid other ASes AS C AS A Public Internet AS B AS D 10

AS specific: Identifying Invalid traffic with SRC IP announced by AS A other ASes AS C AS A Public Internet AS B AS D Assumption: An AS announcing a prefix is also a legitimate source for traffic originating from this prefix. 11

AS specific: Identifying Invalid traffic with SRC IP announced by AS A other ASes AS C AS A Public Internet AS B AS A announcing prefixes p1, p2, p3 to the other ASes AS D 12

AS specific: Identifying Invalid traffic with SRC IP announced by AS A other ASes AS C AS A Public Internet AS D AS B AS A announcing prefixes p1, p2, p3 to the other ASes p1 p2 p3... List of valid prefixes for AS A Construct list of valid prefixes for each AS 13

AS specific: Identifying Invalid other ASes AS C AS A Public Internet traffic with SRC IP announced by downsteam of AS A AS B AS D 14

AS specific: Identifying Invalid other ASes announces p3 AS C AS A Public Internet traffic with SRC IP announced by downsteam of AS A AS B AS D announces p4, p5, p6 15

AS specific: Identifying Invalid other ASes announces p3 AS C AS A Public Internet traffic with SRC IP announced by downsteam of AS A AS D AS B p1 p2 p3 p4 p5 p6... extend prefix list of AS A by prefixes of downstream ASes announces p4, p5, p6 Prefix lists are also created for AS B, AS C and AS D (derived from public routing data) and added to the list of AS A 16

AS specific: Identifying Invalid AS C traffic from AS A with SRC IP not announced by AS A or its downstream AS AS A p666 p667 Public Internet other ASes AS D AS B p1 p2 p3 p4 p5 p6... p666 and p677 not included in list for AS A Invalid: Traffic with a SRC IP from a Prefix NOT covered by the prefix list of AS A 17

Identifying Invalid: Limitations False positives No full picture of the complete BGP state Can not capture direct private interconnects False negatives AS must just be somewhere on the AS Path to be valid source Lots of number crunching involved The process works completely offline, using a lot of computation time and memory. 18

Applying our methodology at a Large European IXP

Flow Data Measurements taken at a Large European IXP (LIXP) More than 700 members and peak traffic up to 5 Tb/s 5 weeks of uninterrupted IPFIX from 2016-01-18 to 2016-02-21 Sampling rate 1/32K We only considered IPv4 (until now no need to queue for this question ;) ) 19

Fractions of Bogon, Unrouted, Invalid in terms of total traffic Absolute traffic Bytes Packets Bogon 28.11 TB 0.004% 0.029% Unrouted 72.56 TB 0.010% 0.053% Invalid 509.68 TB 0.076% 0.087% 20

Fractions of Bogon, Unrouted, Invalid in terms of total traffic Absolute traffic Bytes Packets Bogon 28.11 TB 0.004% 0.029% Unrouted 72.56 TB 0.010% 0.053% Invalid 509.68 TB 0.076% 0.087% Relative amount is small, but absolutely we have 610TB of traffic for all 3 classes within one week. 20

Overview: Traffic Classes Over One Week All Traffic BOGON\1918 RFC1918 INVALID UNROUTED Packets per hour (Sampled) 1e+04 1e+06 Packets per hour (Sampled) day 0 day 1 day 2 day 3 day 4 day 5 day 6 day 7 day 0 day 1 day 2 day 3 day 4 day 5 day 6 1e+04 1e+06 day 7 Hours since 2016 01 18 : TCP Hours since 2016 01 18 : UDP Figure 1: LIXP: TCP Time series week 2016-01-18 Figure 2: LIXP: UDP Time series week 2016-01-18 21

Top 20 UDP Destination Ports Regular UDP traffic mix 22

Top 20 UDP Destination Ports Regular UDP traffic mix "Invalid" UDP traffic mix 23

Top 20 UDP Destination Ports Regular UDP traffic mix "Invalid" UDP traffic mix 24

Contribution to invalid by IXP member 1 2 3 4 5 6 0.0 0.2 0.4 0.6 0.8 1.0 Contribution to class INVALID per member (Packets) 80% of the invalid traffic can be attributed to 3 IXP members 25

Member Categorization (Bogon) unwanted > 10 % > 1 % Content NSP Hosting ISP Non Profit other > 0,1 % > 0,01 % > 0,001 % > 0 % 0 % Per Member Traffic Volume: TCP SRC PKTS (SAMPLED) Figure 3: LIXP Bogon 26

Member Categorization (Bogon) unwanted > 10 % Content NSP Hosting ISP Non Profit other > 1 % > 0,1 % > 0,01 % > 0,001 % > 0 % 0 % Per Member Traffic Volume: TCP SRC PKTS (SAMPLED) Majority does not leak anything TCP SYNs leaked: Probably misconfigured NAT Mostly low traffic ISPs and small hosters Figure 3: LIXP Bogon 26

Member Categorization (Unrouted and Invalid) unwanted > 10 % > 1 % Content NSP Hosting ISP Non Profit other > 0,1 % > 0,01 % > 0,001 % > 0 % 0 % Per Member Traffic Volume: TCP SRC PKTS (SAMPLED) Figure 4: LIXP: Unrouted and Invalid 27

Member Categorization (Unrouted and Invalid) unwanted > 10 % > 1 % > 0,1 % > 0,01 % > 0,001 % > 0 % 0 % Content NSP Hosting ISP Non Profit other Per Member Traffic Volume: TCP SRC PKTS (SAMPLED) Figure 4: LIXP: Unrouted and Invalid More members involved than in Bogon Still lots of members with 0% High traffic members have low unwanted level Lots of low traffic ISPs and hosters 27

Conclusion

What we found Network ingress filtering is not deployed everywhere, but some do it right 28

What we found Network ingress filtering is not deployed everywhere, but some do it right Large networks tend to deploy their filtering correctly (Yes, it can be done!) Many small networks lack proper filtering Only a small amount of members contribute most of the unwanted traffic 28

What we found Network ingress filtering is not deployed everywhere, but some do it right Large networks tend to deploy their filtering correctly (Yes, it can be done!) Many small networks lack proper filtering Only a small amount of members contribute most of the unwanted traffic Continue the ongoing efforts by the community to educate people and get rid of excuses! 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback