FIRST How can MANRS actions prevent incidents .

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
AFRINIC Update Anne-Rachel Inné COO, AFRINIC ARIN 32, Phoenix October 2013.
Building a More Trusted and Secure Internet RIPE 70, May
Information-Centric Networks04b-1 Week 4 / Paper 2 Understanding BGP Misconfiguration –Rahil Mahajan, David Wetherall, Tom Anderson –ACM SIGCOMM 2002 Main.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
Chapter 6: Securing the Local Area Network
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
How can we work together to improve security and resilience of the global routing system? Andrei Robachevsky.
Information-Centric Networks Section # 4.2: Routing Issues Instructor: George Xylomenos Department: Informatics.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
Meet the Falcons Ciprian Marginean Aris Lambrianidis
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
A BCOP document: Implementing MANRS Job Snijders (NTT) Andrei Robachevsky (ISOC)
Benefits and Value of an IXP The IXP Value Proposition.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
1 Internet Society Collaborative Security & MANRS ENOG 10 – 14 October 2015, Odessa Maarit Palovirta
BGP security some slides borrowed from Jen Rexford (Princeton U)
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.
Instructor Materials Chapter 5: Network Security and Monitoring
Securing BGP Bruce Maggs.
Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)
Defending Against DDoS
Internet Routing Health Measurement Bar BoF
Beyond Technical Solutions
Stateless Source Address Mapping for ICMPv6 Packets
Legacy Resources in the Research & Education Community
Firewalls.
We Care About Data Quality at IXPs
Chapter 5: Network Security and Monitoring
How do we decide where to deploy to next?
Defending Against DDoS
COS 561: Advanced Computer Networks
AKAMAI INTELLIGENT PLATFORM™
Introduction to ARIN and the Internet Registry System
Some Thoughts on Integrity in Routing
Jessica Yu ANS Communication Inc. Feb. 9th, 1998
Working together to improve routing security for all
Unit 1.6 Systems security Lesson 2
MANRS IXP Partnership Programme
Measuring routing (in)security
Propuestas Concepción 2018
MANRS for IXPs Why we did it? What did we do?
The real-time Internet routing observatory
COS 561: Advanced Computer Networks
Implement Inter-VLAN Routing
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
DDoS Attack and Its Defense
AFRINIC's services to Universities/RENs in AFRICA
Securing BGP Bruce Maggs.
Improving global routing security and resilience
Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny
MANRS Implementation Guides
By Keessun Fokeerah Member Services(MS) Team
Amreesh Phokeer Research Manager AfPIF-10, Mauritius
Validating MANRS of a network
Presentation transcript:

FIRST How can MANRS actions prevent incidents 

Why MANRS How routing works PACKETS DESTINATIONS / ANNOUNCEMENTS REACHABILITY FORWARDING

What problems are we trying to mitigate: Routing incidents Event Explanation Repercussions Example Prefix/Route Hijacking A network operator or attacker impersonates another network operator, pretending that a server or network is their client. Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception. The 2008 YouTube hijack Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. Can be used for traffic inspection and reconnaissance. September 2014. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. IP Address Spoofing Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system. The root cause of reflection DDoS attacks March 1, 2018. Memcached 1.3Tb/s reflection-amplificationattack reported by Akamai

How users are affected

How can MANRS actions prevent incidents: MANRS defines four simple but concrete actions that network operators must implement to improve Internet security and reliability. The first two operational improvements eliminate the root causes of common routing issues and attacks, while the second two procedural steps improve mitigation and decrease the likelihood of future incidents. MANRS builds a visible community of security minded network operators and IXPs

How can MANRS actions prevent incidents: MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS- path granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single- homed stub customer networks, their own end- users, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate

WWW.MANRS.ORG

Where are those actions configured and how users are protected? Actions 1 BGP configuration core network team network planning & engineering Prevents route leaks & Hijacking Action 2 RPF & packet filtering user port configuration service delivery team, process and BCOP implementation DDoS impact Action 3 (core team socialization) Action 4 core team IRR LACNIC on RPKI

How to use MANRS information in a CSIRT Where is the information available ? BGP Stream https://bgpstream.com Caida Report http://www.caida.org/data/overview/ RIPE Stat CAIDA Spoofer Project https://www.caida.org/projects/spoofer/ Peeringdb https://peeringdb.com Whois.[RIR].net lacnic rpki, IRRs Radb, RIPE, Level3, etc. https://rpki.lacnic.net MANRS observatory https://observatory.manrs.org/

MANRS observatory

MANRS Observatory

How to contribute to MANRS from your CSIRT Identify networks not following BCOPS Usually involved in security incidents Reported in CAIDA spoofer or rpki violations Networks not present in peering db, whois or IRR Help them Promote NOGs, IXPs, NRENS, operational communities Refer them to MANRS.org Engage them in LACNOG  Generating awareness regarding routing incidents ( reports, presentations, surveys, etc) There are tools available

MANRS Training Modules Module 1: Introduction to MANRS What is MANRS, and why should you join? MANRS is a global initiative to implement crucial fixes needed to eliminate the most common routing threats. In this module you will learn about vulnerabilities of the Internet routing system and how four simple steps, called MANRS Actions, can help dramatically improve Internet security and reliability. Module 2: IRRs, RPKI, and PeeringDB This module helps you understand the databases and repositories MANRS participants should use to document routing policy and maintain contact information. You’ll learn what database objects to use to document routing information related to your network and how to register information in the RPKI system. Finally, you will learn how to use the Peering DB and other databases to publish your contact information. Module 3: Global Validation: Facilitating validation of routing information on a global scale In this module, you will learn how to prevent incorrect routing announcements from your customers and your own network. The module explains how filters can be built, including the tools used to build them. It also shows how to signal to other networks which announcements from the network are correct. Module 4: Filtering: Preventing propagation of incorrect routing information This module will help you apply anti-spoofing measures within your network. After this module you will be able to identify points/devices in the network topology where anti-spoofing measures should be applied, identify adequate techniques to be used (for example, uRPF, or ACL filtering), configure your devices to prevent IP spoofing, and verify that the protection works. Module 5: Anti-Spoofing: Preventing traffic with spoofed source IP addresses This module is to understand how to create and maintain contact information in publicly accessible places. It explains why it is important to publish and maintain contact information, how to publish contact information to Regional Internet Registries (RIRs), Internet Routing Registries (IRRs), and PeeringDB, and what contact information you should publish to a company website. Module 6: Coordination: Global communication between network operators This module helps you understand how to enable others to validate route announcements originating from your network by documenting a Network Routing Policy. You’ll learn what a Network Routing Policy is, how to document your organization’s Network Routing Policy and make it publicly available in order to signal to other networks which announcements from your network are correct.

MANRS IXPP MANRS IXP Partnership Programme Action 1 – Filtering BGP, RPKI, etc Action 2. Promotion Events, membership, fees, etc Action 3 - Protect Peering Fabric L2 BCOP Action 4 – Coordination Updated and shared contact information Action 5. Operation support tools Looking Glass, etc

MANRS is a community effort CSIRTs can contribute significantly Message to Network Operators: ”Your security is in someone else’s hands. The actions of others directly impact you and your network security (and vice versa)” QUESTIONS? lucimara@cert.br oflaherty@isoc.org

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.