BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.

Slides:

Advertisements

Similar presentations

Denial of Service By: Samarth Shah and Navin Soni.

Advertisements

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

DNS Amplification and DNS Hijack Risk Mitigation

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Computer Security and Penetration Testing

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Kevin Miller Carnegie Mellon University Three Practical Ways to Improve Your Network.

Lecture 15 Denial of Service Attacks

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—3-1 Frame-Mode MPLS Implementation on Cisco IOS Platforms Configuring Frame-Mode MPLS on Cisco.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

– Chapter 4 – Secure Routing

Access Control Key concepts: Controlling the data flow within a network ACL (access control lists)

Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

TCOM 515 Lecture 6.

Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai

Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs.

Operational Security Capabilities for IP Network Infrastructure

Access Control List (ACL)

Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.

RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.

BCP-38 demo Alan Barrett Geert Jan de Groot & cast of thousands.

Working Group #4: Network Security Best Practices March 22, 2012 Presenter: Tony Tauber, Comcast WG #4 Member Via teleconference: Rod Rasmussen, Internet.

BGP Man in the Middle Attack Jason Froehlich December 10, 2008.

DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

© 2004 AARNet Pty Ltd Measurement in aarnet3 4 July 2004.

(we need your advice!) Jon Peterson MIT– December 2010 IETF & Privacy.

Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.

Distributed Denial of Service Attacks

FUTURE INTERNET: PROPOSAL “PROBLEMS IN CURRENT INTERNET” M S Siddiqui [ID ] Networking LAB, KHU

Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91

By Rod Lykins.  Brief DDoS Introduction  Packet Marking Overview  Other DDoS Defense Mechanisms.

ACCESS CONTROL LIST.

1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Outbound Route Filtering.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Forwarding Packets in a Transit AS.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Module Summary The multihomed customer network must exchange BGP information with both ISP.

Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.

IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.

IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006 IPv6 Transition Mechanisms, their Security and Management Georgios Koutepas National Technical.

Denial-of-Service Attacks

Draft-lewis-infrastructure-security-00.txt Infrastructure Protection BCP Darrel Lewis, James Gill, Paul Quinn, Peter Schoenmaker.

Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)

Tokyo Institute of Technology

Filtering Spoofed Packets

Who should be responsible for risks to basic Internet infrastructure?

Alexander Azimov Anti Spoofing. Reboot. Alexander Azimov

DDoS Attack and Its Defense

Outline The spoofing problem Approaches to handle spoofing

Presentation transcript:

BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed

Lots of Advice re Anti-Spoofing BCP38 (RFC2827) was standardized in May 2000 – Network Ingress Filtering: Defeating DoS Attacks Which Employ IP Source Address Spoofing – BCP84 (RFC3704) was standardized in March 2004 – Ingress Filtering for Multihomed networks – Expired draft on deployment experiences – Experiences from Using Unicast RPF – Draft-savola-bcp84-urpf-experiences-03.txt

And there’s more advice…. ICANN Security and Stability Advisory Committee (SSAC) Documents – SAC004 – Securing the Edge (Oct 2002) en.pdf – SAC065 – Advisory on Ddos Attacks Leveraging DDoS Infrastructure (Feb 2014) en.pdf

Deployment Status Hard to definitively measure – – Others? Know this is still problem due to ongoing attacks – DNS, SNMP, NTP, etc – Amplification Hell rossow.de/articles/Amplification_DDoS.php

DNS Amplification Attacks Utilizing Forged (Spoofed) IP Addresses Attacker Victim Open recursive DNS servers send legitimate queries to authoritative servers Authoritative servers send back legitimate replies to recursive DNS servers Open recursive DNS server legitimate responses create massive DDoS attack to victim’s IP address. Authoritative DNS Servers Authoritative DNS Servers Authoritative servers send replies directly to the victim Open Resolvers Use forged IP address of intended victim to send legitimate queries to open recursive DNS servers. BotNet Attacker has control of a BotNet Abusing Open Recursive DNS ServersAbusing Authoritative DNS Servers Attacker BotNet sends queries appearing to come from victim to authoritative servers

What’s Goal In This Work Many documents tell you WHAT to do Few documents tell you HOW to do it – RIPE Anti-Spoofing Task Force How-To (May 2008) – bcp38.info (ongoing) Not much information exists on vendor bugs and workarounds Not much information exists on practical use cases

Where Provide Anti-Spoofing? router bgp neighbor remote-as neighbor prefix-list customer in ip prefix-list customer permit ip prefix-list customer deny Home Customer SMB Customer ISP EGRESS INGRESS Deploy anti-spoofing filters as close to potential source as possible ipv6 access-list extended DSL-ipv6-Inbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Inbound in INGRESS ipv6 access-list extended DSL-ipv6- Outbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Outbound out

Where Input Needed How you implement anti-spoofing mechanisms? – Packet filters vs uRPF vs route filters vs ?? Why are you not implementing anti-spoof mechanisms? What bugs have you run into? IXPs, ISPs Also Enterprises

How to get involved List coming soon Draft ETA End of November.