Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs.


What Is Internet Infrastructure?
What makes the network of networks eventually the Internet:
–IP (v4/v6): protocol to exchange data between end-points
–DNS: resolving human-readable names to IP addresses
–routing: inter-domain routing between networks, making IP addresses globally reachable
Thus this presentation is not about end-points:
–nothing about trojans, botnets, viruses, etc.
–it is about the network between the end-points

The Nature of Attacks on the Internet Infrastructure
DNS spoofing
–redirect to websites that are “evil twins”
–stealing personal information or money
DDoS amplification/reflection attacks
–knock out a competitor: in business or in gaming
–blackmailing: receive money to stop the DDoS
Route hijacks
–knock out a competitor or inspect traffic
–intention (malicious or mistake) difficult to assess

DNS SPOOFING AND DNSSEC

DNS Spoofing and DNSSEC
DNS spoofing by cache poisoning
–attacker floods a DNS resolver with phony responses carrying bogus DNS results
–by the law of large numbers, these attacks get a match and plant a bogus result into the cache
Man-in-the-middle attacks
–redirect to wrong Internet sites
–to a non-authorized server

What is DNSSEC?
Digital signatures are added to responses by the authoritative servers for a zone
A validating resolver can use the signature to verify that the response has not been tampered with
The trust anchor is the key used to sign the DNS root
Signature validation creates a chain of overlapping signatures from the trust anchor to the signature of the response
(the one-slide version; credits: Geoff Huston)

DNSSEC and Validation (in a single picture)
[diagram: a validating resolver holding a local root key (preloaded) follows the chain of trust: DS record .nl. + signature, DNSKEY record .nl. + signature, DS record .nlnetlabs.nl. + signature, DNSKEY record .nlnetlabs.nl. + signature, and finally the A record .nlnetlabs.nl. + signature]

DNSSEC Deployment
Open source authoritative DNS name servers supporting DNSSEC
–e.g., NSD, BIND 9, and Knot
Open source DNSSEC validating resolvers
–e.g., Unbound, BIND 9
Google Public DNS
–DNSSEC validation
–2001:4860:4860::8888 and 2001:4860:4860::8844

DNSSEC and Community
RIPE
–DNS Working Group at RIPE meetings
–DNS Working Group mailing list
–DNSSEC training course: services/training/courses
IETF
–DNSOP Working Group at IETF meetings
–DNSOP Working Group mailing list
–RFC on operational practices: http://tools.ietf.org/html/rfc6781

Other References to DNSSEC
ISOC Deploy360
–information on basics, deployment, training, etc.
DNSSEC Deployment Initiative
–mailing list: deployment.org
OpenDNSSEC
–open-source turn-key solution for DNSSEC

AMPLIFICATION ATTACKS AND SOURCE ADDRESS FILTERING

Spoofed Source Address Attacks
[diagram: the attacker sends a query to a DNS server (authoritative or resolver) with the victim's address as the source address; the A record response [+ signature] is delivered with the victim as destination address; the response is avg. around 600 bytes]

DNS Amplification Attack

Recent DDoS Attacks with Spoofed Traffic
The new normal: Gbps DDoS attacks
March 2013: 300 Gbps DDoS attack
–victim: Spamhaus
–DNS amplification attack
–[offender arrested by Spanish police and handed over to Dutch police]
February 2014: 400 Gbps DDoS attack
–victim: customers of CloudFlare
–NTP amplification

Mitigation of Amplification Attacks
DNS amplification attacks
–response rate limiting (RRL)
–RRL available in NSD, BIND 9, and Knot
NTP
–secure NTP template from Team Cymru: cymru.org/ReadingRoom/Templates/secure-ntp-template.html
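To make the RRL idea from this slide concrete, here is an added example (not code from the presentation or from NSD/BIND 9/Knot) of a response rate limiter in the spirit of DNS RRL: responses are accounted per destination /24 (or /56) and response type, over-limit responses are dropped, and every second over-limit response "slips" as a truncated reply so a genuine client can retry over TCP while a spoofed victim receives almost nothing. The sample traffic, the limit of 5 responses per second and the slip ratio of 2 are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (time_s, response destination, qname, response type).
# 40 "ANY" responses in two seconds towards one spoofed victim address, plus
# five ordinary A responses towards different hosts in another /24.
SAMPLE_RESPONSES = (
    [(t / 20, "203.0.113.7", "example.org", "ANY") for t in range(40)]
    + [(1.0 + i * 0.3, "198.51.100.%d" % (i + 1), "example.org", "A") for i in range(5)]
)


class ResponseRateLimiter:
    """Token-bucket style limiter in the spirit of DNS RRL (as in NSD/BIND 9/Knot).

    Accounts are kept per (destination /24 or /56, response type). Responses over
    the per-second limit are dropped, except every `slip`-th one, which is sent
    as a small truncated (TC=1) reply: a genuine client retries over TCP, while
    a spoofed victim receives almost no amplified traffic.
    """

    def __init__(self, responses_per_second=5, window=1.0, slip=2):
        self.limit = responses_per_second
        self.window = window
        self.slip = slip
        self.accounts = defaultdict(lambda: {"start": 0.0, "count": 0, "over": 0})

    @staticmethod
    def account_key(dest_ip, rtype):
        host = ipaddress.ip_network(dest_ip)
        prefix = 24 if host.version == 4 else 56
        return (str(host.supernet(new_prefix=prefix)), rtype)

    def decide(self, now, dest_ip, rtype):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        acct = self.accounts[self.account_key(dest_ip, rtype)]
        if now - acct["start"] >= self.window:          # new accounting window
            acct.update(start=now, count=0, over=0)
        acct["count"] += 1
        if acct["count"] <= self.limit:
            return "send"
        acct["over"] += 1
        return "slip" if acct["over"] % self.slip == 0 else "drop"


def run(responses, limiter=None):
    """Feed responses in time order; return how many were sent, slipped, dropped."""
    limiter = limiter or ResponseRateLimiter()
    counts = {"send": 0, "slip": 0, "drop": 0}
    for now, dest, _qname, rtype in sorted(responses):
        counts[limiter.decide(now, dest, rtype)] += 1
    return counts
```

With the constructed sample, the five legitimate A responses are all sent, while of the 40 reflected ANY responses only 10 reach the victim in full.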

… or BCP 38 and Filter Spoofed Traffic
BCP 38 (and related BCP 84)
Filter your customers
–strictly filter traffic from your customers
–strict unicast reverse path forwarding (uRPF)
–don’t be part of the problem
Filter your transit
–difficult to strictly filter your transit
–feasible or loose uRPF
–feasible uRPF not well supported by hardware vendors
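The difference between strict, feasible-path and loose uRPF on this slide, shown as an added example (not code from the presentation or from any router vendor) against a constructed forwarding table. The interface names, prefixes and the multi-homed customer entry are assumptions made for the illustration.

```python
import ipaddress

# Constructed forwarding table of an ISP edge router: (prefix, interface, best).
# Non-best entries are alternative paths BGP has learned (e.g. a multi-homed
# customer prefix also reachable via transit); feasible-path uRPF uses them.
FIB = [
    ("192.0.2.0/24", "cust1", True),         # single-homed customer
    ("198.51.100.0/24", "cust2", True),      # multi-homed customer, best path
    ("198.51.100.0/24", "transit1", False),  # ... alternative path via transit
    ("203.0.113.0/24", "transit1", True),
    ("0.0.0.0/0", "transit1", True),         # default route
]


def _matching_routes(src, fib=FIB, ignore_default=True):
    """Longest-prefix-matching FIB entries for the packet's source address."""
    addr = ipaddress.ip_address(src)
    routes = [(ipaddress.ip_network(p), iface, best) for p, iface, best in fib
              if addr in ipaddress.ip_network(p)]
    if ignore_default:
        routes = [r for r in routes if r[0].prefixlen > 0]
    if not routes:
        return []
    longest = max(r[0].prefixlen for r in routes)
    return [r for r in routes if r[0].prefixlen == longest]


def urpf_accept(src, ingress, mode="strict", fib=FIB, ignore_default=True):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict:   the best route back to the source must point at the ingress
              interface (what BCP 38 asks for on customer links)
    feasible: any known path back to the source via the ingress interface is enough
    loose:    a route to the source must exist somewhere in the FIB
              (the default route is ignored unless ignore_default=False)
    """
    routes = _matching_routes(src, fib, ignore_default)
    if not routes:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return any(best and iface == ingress for _prefix, iface, best in routes)
    if mode == "feasible":
        return any(iface == ingress for _prefix, iface, best in routes)
    raise ValueError("unknown uRPF mode: %s" % mode)
```

Note how a packet from the multi-homed customer's prefix arriving over transit fails strict uRPF but passes feasible-path uRPF, which is exactly why strict mode is reserved for customer links.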

Address Spoofing and Community
RIPE
–RIPE meetings in plenary and working groups
–RIPE documents 431 and 432 (ripe-431, ripe-432)
–RIPE training course: services/training/courses
IETF and others
–BCP 38 and BCP 84
–IETF SAVI WG
–Open Resolver Project: openresolverproject.org
–Open NTP Project: openntpproject.org

ROUTE HIJACKS AND RPKI

Recent News on Internet Routing Security
April 2, 2014: “Indonesia Hijacks the World”
–Indosat leaked over 320,000 routes (out of 500,000) of the global routing table multiple times over a two-hour period
–claimed that it “owned” many of the world’s networks
–a few hundred were widely accepted:
 0.2% low impact (5-25% of routes)
 0.06% medium impact (25-50% of routes)
 0.03% high impact (more than 50% of routes)
–for details see world/

Less Recent News on Internet Routing Security
April 8, 2010: “China Hijacks 15% of the Internet”
–50,000 of 340,000 IP address blocks makes 15%
–for roughly 15 minutes
Hijacking 15% of the routes does not imply 15% of Internet traffic
More realistic guesses
–on the order of 1% to 2% of traffic actually diverted, much less in Europe and the US
–on the order of 0.015% based on 80 ATLAS ISP observations, but still an estimate

Even Less Recent News on Internet Routing Security
February 2008: Pakistan’s attempt to block YouTube access within their country takes down YouTube globally
–mistakenly, the YouTube block was also sent to a network outside of Pakistan, and propagated
August 2008: Kapela & Pilosov showed an effective man-in-the-middle attack
–already known to the community, but never tested in real life

Old News on Internet Routing Security
January 2006: Con-Edison hijacks a chunk of the Internet
December 24, 2004: TTNet in Turkey hijacks the Internet (aka Christmas Turkey hijack)
May 2004: Malaysian ISP blocks Yahoo Santa Clara data center
May 2003: Northrop Grumman hit by spammers
April 1997: the “AS 7007 incident”, maybe the earliest notable example?

Today’s Routing Infrastructure is Insecure
The Border Gateway Protocol (BGP) is the sole inter-domain routing protocol used
BGP is based on informal trust models
–routing by rumor
–business agreements between networks
Routing auditing is a low-value activity
–and not always done with sufficient thoroughness

IP Hijacking Explained
[diagram: networks A, B, C, D and E; a /16 prefix originated by A is also announced by E (the hijack); announcements in circulation: “/16: A”, “/16: E” and “/16: C, A”]

Typical Threats
Diversion of traffic (man-in-the-middle)
–third-party inspection, denial of service, subversion
Dropping traffic
–denial of service, compound attacks
Adding false addresses
–support for compound attacks
Isolating/removing routers from the network

Current Methods to Secure Routing Infrastructure
Filtering, filtering, filtering, …
–IP prefix filtering
–AS path filtering
–max-prefix filtering
Monitoring IP prefix / AS path
–detect changes in route origin announcements
–services provided by e.g. RIPE NCC, open source projects, and commercial partners
However, there is no trusted and authoritative data repository

Secure Inter-Domain Routing
Focus of the IETF Secure Inter-Domain Routing (SIDR) working group
Create a trusted and authoritative resource data infrastructure
–IP addresses and AS networks
Improve on IP prefix filtering and AS path filtering
–who holds the “right-of-usage” of a resource

Resource PKI: First Step to Improve Security
Regional Internet Registries (RIPE, APNIC, etc.) issue resource certificates
–proof of ownership of resources (IP addresses)
–… and recursively repeated by NIR/LIR/…
The owner of IP addresses publishes signed route origin attestations
–a ROA signed with the private key states the right of use of addresses by a network (the route origin)
ISPs can validate BGP routing announcements
–validate ownership of the route origin by checking the signature on the ROA with the public key in the resource certificate
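The validation step an ISP performs with ROAs, as an added example (not code from the presentation or from any RPKI validator): route origin validation in the sense of RFC 6811, which classifies a BGP announcement as Valid, Invalid or NotFound against the ROAs, plus a typical policy mapping. The ROAs use documentation prefixes and private-use ASNs constructed for the example, and the ROA signatures are assumed to have been verified already by the validator cache.

```python
import ipaddress
from collections import namedtuple

# A ROA as published in the RPKI: prefix, maximum length, authorised origin AS.
ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed ROAs (documentation prefixes, private-use ASNs); their signatures
# are assumed to have been verified against the resource certificate chain
# already, which is the job of the RPKI validator cache, not the router.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Route origin validation (RFC 6811): 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"        # no ROA says anything about this address space
    for r in covering:
        if r.asn == origin_as and route.prefixlen <= r.max_length:
            return "Valid"       # right origin and not more specific than allowed
    return "Invalid"             # covered by ROAs, but none matches this origin


def route_policy(prefix, origin_as, roas=ROAS):
    """Typical operator policy: reject Invalid, prefer Valid over NotFound."""
    state = validate_origin(prefix, origin_as, roas)
    if state == "Invalid":
        return (state, "reject")
    if state == "Valid":
        return (state, "accept, local-pref 110")
    return (state, "accept, local-pref 100")
```

An announcement of the /24 by an AS other than 64500 (the hijack case from the diagram) comes out Invalid, as does a more-specific /25 from the legitimate origin because it exceeds the ROA's maximum length.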

Routing with RPKI Explained
[diagram: same topology as before; with RPKI origin validation the announcements with origin A (“/16: A”, “/16: C, A”) are marked ✔ and the announcements with origin E (“/16: E”) are marked ✗]

Routing Security and Community
RIPE
–enable RPKI in the RIPE LIR portal for your resources
–RPKI origin validation in Cisco, Juniper, Alcatel-Lucent, … and open source software Quagga and BIRD
–RIPE meetings in plenary and Routing WG: routing-
IETF and others
–IETF SIDR WG for RPKI and BGPSEC protocol standardization
–IETF GROW WG on operational problems
–ISOC Deploy360 Programme: bgp/tools/

Summary
Internet a dangerous place?
–yes/no, not different from the real world
We have a shared responsibility in securing our infrastructure (the Internet is you!)
–deploy DNSSEC
–BCP 38 and BCP 84
–route filtering and RPKI
Excellent training courses by RIPE NCC
Contact me or the staff of RIPE NCC for questions