Routing Security We can do better!

Similar documents
MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Mutually Agreed Norms for Routing Security NAME

MANRS Mutually Agreed Norms for Routing Security

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

MANRS Mutually Agreed Norms for Routing Security

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

MANRS Mutually Agreed Norms for Routing Security

Collective responsibility for security and resilience of the global routing system

Collective responsibility for security and resilience of the global routing system

Working together to improve routing security for all

IXP Partnership: Improving Global Routing Security and Resilience

Working together to improve routing security for all

Security)Track) NANOG)65)

MANRS How to behave on the internet

BGP Route Hijacking - What Can Be Done Today?

Security in inter-domain routing

The Transition to BGP Security Is the Juice Worth the Squeeze?

An introduction to BGP security

On the State of the Inter-domain and Intra-domain Routing Security

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Routing Security. Daniel Karrenberg RIPE NCC.

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Misdirection / Hijacking Incidents

Secure Routing with RPKI. APNIC44 Security Workshop

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

Deploying RPKI An Intro to the RPKI Infrastructure

Securing the Internet at the Exchange Point Fernando M. V. Ramos

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Understanding BGP Miscounfiguration


Link State Routing & Inter-Domain Routing

Just give me a button!

Routing Security Workshop Internet Routing Registries

Intelligent Programmatic Peering Summary Report

BGP Anomaly Detection. Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage.

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Introduc)on to Computer Networks

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Networking Review & Grand Challenges

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

Secure Inter-domain Routing with RPKI

Software Systems for Surveying Spoofing Susceptibility

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CNT Computer and Network Security: BGP Security

MULTINATIONAL BANKING CORPORATION INVESTS IN ROUTE ANALYTICS TO AVOID OUTAGES

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Networking Review & Grand Challenges

Software Systems for Surveying Spoofing Susceptibility

Security by BGP 101 Building distributed, BGP-based security system


the real-time Internet routing observatory

Region-based BGP Announcement Filtering for Improved BGP Security

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

RPKI and Internet Routing Security ~ The regional ISP operator view ~

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

Detecting routing anomalies using RIPE Atlas

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

The Interactive Guide to Protecting Your Election Website

Illegitimate Source IP Addresses At Internet Exchange Points

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

Introducción al RPKI (Resource Public Key Infrastructure)

A Measurement Study of BGP Misconfiguration

Robust Inter-Domain Routing

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

DDoS MITIGATION BEST PRACTICES

BGP Origin Validation

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Verified Secure Routing

Methods for Detection and Mitigation of BGP Route Leaks

BGPMON.IO: THE MANY NEW FACES OF BGPMON

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform

BGP Security. Kevin s Attic for Security Research

Inter-Domain Routing Trends

Reduce Your Network's Attack Surface

PART III. Implementing Inter-Network Relationships with BGP

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

CS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

Securing BGP Networks using Consistent Check Algorithm

Routing Security Roadmap

Internet Exchange Points An Internet Society Public Policy Briefing

Internet Routing with MANRS

Autonomous Security for Autonomous Systems

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Sophos Central Admin. help

SCION: Scalability, Control and Isolation On Next-Generation Networks

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

BGP. Border Gateway Protocol A short introduction. Karst Koymans. Informatics Institute University of Amsterdam. (version 18.3, 2018/12/03 13:53:22)

RPKI. Resource Pubic Key Infrastructure

Transcription:

Routing Security We can do better! And how MANRS can help Andrei Robachevsky robachevsky@isoc.org 1

No Day Without an Incident 120 6 month of suspicious activity 90 60 Hijack Leak 30 0 1/5/17 1/16/17 1/27/17 2/7/17 2/18/17 3/1/17 3/13/17 3/24/17 4/4/17 4/15/17 4/26/17 5/7/17 5/18/17 5/29/17 6/9/17 6/20/17 7/1/17 7/12/17 7/23/17 http://bgpstream.com/!2

Routing Incidents Cause Real World Problems Insecure routing is one of the most common paths for malicious threats. Attacks can take anywhere from hours to months to even recognize. Inadvertent errors can take entire countries offline, while attackers can steal an individual s data or hold an organization s network hostage. 3

The Basics: How Routing Works There are ~60,000 networks (Autonomous Systems) across the Internet, each using a unique Autonomous System Number (ASN) to identify itself to other networks. Routers use Border Gateway Protocol (BGP) to exchange reachability information - networks they know how to reach. Routers build a routing table and pick the best route when sending a packet, typically based on the shortest path. 4

The Honor System: Routing Issues Border Gateway Protocol (BGP) is based entirely on trust between networks No built-in validation that updates are legitimate The chain of trust spans continents Lack of reliable resource data 5

Which Leads To

The Threats: What s Happening? Event Explanation Repercussions Solution Prefix/Route Hijacking A network operator or attacker impersonates another network operator, pretending that a server or network is their client. Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception. Stronger filtering policies Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. Can be used for traffic inspection and reconnaissance. Stronger filtering policies IP Address Spoofing Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system. The root cause of reflection DDoS attacks Source address validation!7

Route Hijacking Route hijacking, also known as BGP hijacking when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https:// www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study) 8

Route Leak A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: September 2014. VolumeDrive (AS46664) is a Pennsylvania-based hosting company that uses Cogent (AS174) and Atrato (AS5580) for Internet transit. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. (https://dyn.com/blog/ why-the-internet-broke-today/) 9

IP Address Spoofing IP address spoofing is used to hide the true identity of the server or to impersonate another server. This technique can be used to amplify an attack. Example: DNS amplification attack. By sending multiple spoofed requests to different DNS resolvers, an attacker can prompt many responses from the DNS resolver to be sent to a target, while only using one system to attack. Fix: Source address validation: systems for source address validation can help tell if the end users and customer networks have correct source IP addresses (combined with filtering).!10

2017 in review: 14000 routing incidents Statistics of routing incidents generated from BGPStream data Caveats: Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change CC attribution is based on geolocation MaxMind's GeoLite City data set!11

Global stats Twelve months of routing incidents 13,935 total incidents (either outages or attacks like route leaks and hijacks) Over 10% of all Autonomous Systems on the Internet were affected 3,106 Autonomous Systems were a victim of at least one routing incident 1,546 networks caused at least one incident 38% 62% Outage Routing incident Source: https://www.bgpstream.com/ 12

Outages Outages per country Percent of AS'es in a country with an outage 300 303 312 406 651 273 111 164 2853 BR US IR IN ID RU UA AR NG BD 1,2519 0,4194 0,2317 0,5764 0,0535 1,4762 BR US IR IN ID RU UA AR NG BD 890 Source: https://www.bgpstream.com/ 0,1661 0,327 0,2845 0,0602 13

Potential victims Incidents with a victim in a country, Top 10 Top 10 victims of routing incidents 125 132 138 233 242 118 106 1193 US BR IN RU KN BD IR GB DE HK 16 16 18 18 19 16 15 14 233 AS13489 (CO) AS27066 (US) AS7018 (US) AS1541 (US) AS21928 (US) AS35994 (US) AS20940 (US/EU) AS174 (US) AS63852 (MM) AS35091 (GH) 22 299 450 Source: https://www.bgpstream.com/ 14

Potential culprits Incidents with a culprit in a country, top 10 Percent of AS's in a country responsible for a routing incident (a route leak or hijack) 118 121 131 214 351 102 95 1170 US BR RU CN IN HK SG RO UNAL BD 8 4 4 7 1 2 3 4 BR US RU GB IN HK DE ID IR NL 413 2 765 9 Source: https://www.bgpstream.com/ 15

Tools to Help Prefix and AS-PATH filtering RPKI validator, IRR toolset, IRRPT, BGPQ3 BGPSEC is standardized But Not enough deployment Lack of reliable data We need a systemic approach to improving routing security!16

We Are In This Together Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage they can do.!17

Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to eliminate the most common routing threats 18

MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. MANRS sets a new norm in routing hygiene 19

Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions that network operators must implement to improve Internet security and reliability. The first two operational improvements eliminate the root causes of common routing issues and attacks, while the second two procedural steps improve mitigation and decrease the likelihood of future incidents.!20

MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and ASpath granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least singlehomed stub customer networks, their own endusers, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate!21

Implementing MANRS Actions: Signals an organization s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. Heads off routing incidents, helping networks readily identify and address problems with customers or peers. Improves a network s operational efficiency by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. Implementing best practices alleviates many routing concerns of security-focused enterprises and other customers.!22

Everyone Benefits Joining MANRS means joining a community of security-minded network operators committed to making the global routing infrastructure more robust and secure. Consistent MANRS adoption yields steady improvement, but we need more networks to implement the actions and more customers to demand routing security best practices. The more network operators apply MANRS actions, the fewer incidents there will be, and the less damage they can do.!23

MANRS is an Important Step Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum an operator should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all of the Internet s routing woes, but it is an important step toward a globally robust and secure routing infrastructure.!24

Why join MANRS? Improve your security posture and reduce the number and impact of routing incidents Join a community of security-minded operators working together to make the Internet better Use MANRS as a competitive differentiator 25

Join Us Visit https://www.manrs.org Fill out the sign up form with as much detail as possible. We may ask questions and run tests Get Involved in the Community Members support the initiative and implement the actions in their own networks Members maintain and improve the document and promote MANRS objectives!26

MANRS Implementation Guide If you re not ready to join yet, implementation guidance is available to help you. Based on Best Current Operational Practices deployed by network operators around the world https://www.manrs.org/bcop/!27

MANRS Training Modules 6 training modules based on information in the Implementation Guide. Walks through the tutorial with a test at the end of each module. Working with and looking for partners that are interested in integrating it in their curricula. https://www.manrs.org/tutorials!28

What s Next: MANRS IXP Partnership Programme There is synergy between MANRS and IXPs IXPs form a community with a common operational objective MANRS is a reference point with a global presence useful for building a safe neighborhood How can IXPs contribute? Technical measures: Route Server with validation, alerting on unwanted traffic, providing debugging and monitoring tools Social measures: MANRS ambassadors, local audit as part of the on-boarding process A development team is working on a set of useful actions!29

LEARN MORE: https://www.manrs.org 30

Thank you. Andrei Robachevsky robachevsky@isoc.org manrs.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback