Remote Trigger Black Hole 111. Remotely Triggered Black Hole Filtering We use BGP to trigger a network wide response to a range of attack flows. A simple.

Slides:

Advertisements

Similar presentations

An Operational Perspective on BGP Security Geoff Huston February 2005.

Advertisements

ISP Security - Real World Techniques

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1 BGP Diverse Paths draft-ietf-grow-diverse-bgp-paths-dist-02 Keyur Patel.

Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

Dynamic Routing Scalable Infrastructure Workshop, AfNOG2008.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

Best Practices for ISPs

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 7: BGP Route Reflection.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.

CS Summer 2003 Lecture 14. CS Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

1 Controlling High Bandwidth Aggregates in the Network.

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

© 2009 Cisco Systems, Inc. All rights reserved.ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Configuring and Verifying Basic BGP Operations.

MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,

Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.

Firewall on Demand A multidomain approach Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC Firewall on Demand workshop TF-MSP meeting.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

TUNDRA The Ultimate Netflow Data Realtime Analysis Jeffrey Papen Yahoo! Inc.

BGP Flow specification Update

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.

Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai

Control Plane Protection 111. BGP Attack Vectors Understanding BGP Attack Vectors will help you plan and prioritize the techniques deployed to build greater.

BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak.

Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.

RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.

BGP Man in the Middle Attack Jason Froehlich December 10, 2008.

DoS/DoS Detection and Mitigation Mujahid Khan

MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.

ISP Edge NAT 10/8 “Home” Network Upstreams and Peers /32

Distributed Denial of Service Attacks

A Measurement Study on the Impact of Routing Events on End-to-End Internet Path Performance Feng Wang 1, Zhuoqing Morley Mao 2 Jia Wang 3, Lixin Gao 1,

Eliminating Packet Loss Caused by BGP Convergence Nate Kushman Srikanth Kandula, Dina Katabi, and Bruce Maggs.

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

Meet the Falcons Ciprian Marginean Aris Lambrianidis

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 8: BGP Confederations.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Autonomous System Numbers How to describe Routing Policy.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—5-1 Customer-to-Provider Connectivity with BGP Connecting a Multihomed Customer to a Single Service.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—5-1 Customer-to-Provider Connectivity with BGP Understanding Customer-to-Provider Connectivity.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Multihomed BGP Networks.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Module Summary The multihomed customer network must exchange BGP information with both ISP.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Lab 6-2 Debrief.

Dynamic P2P with BGP Route Servers BFD for data-plane verification Magnus Bergroth NORDUnet.

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1 BGP Diagnostic Message draft-raszuk-bgp-diagnostic-message-00 Robert Raszuk,

Internet Traffic Engineering Motivation: –The Fish problem, congested links. –Two properties of IP routing Destination based Local optimization TE: optimizing.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

DDoS Mitigation Using BGP Flowspec

DKNOG6 - DDoS Mitigation Using BGP Flowspec - Mikkel Troest1.

Source/Destination Routing Fred Baker Cisco Systems.

MPLS Virtual Private Networks (VPNs)

Connecting an Enterprise Network to an ISP Network

PCAP BGP Parser RIPE 73, Madrid Christoph Dietzel, Tobias Hannaske

Virtual Aggregation (VA)

Border Gateway Protocol

Defending Against DDoS

BGP Overview BGP concepts and operation.

Cours BGP-MPLS-IPV6-QOS

Connecting an Enterprise Network to an ISP Network

– Chapter 4 – Secure Routing

Session 3 Response Measure

Interconnection services UPDATE

Computer Networks Protocols

FIRST How can MANRS actions prevent incidents .

Presentation transcript:

Remote Trigger Black Hole 111

Remotely Triggered Black Hole Filtering We use BGP to trigger a network wide response to a range of attack flows. A simple static route and BGP will allow an SP to trigger network wide black holes as fast as iBGP can update the network. This provides SPs a tool that can be used to respond to security related events or used for DOS/DDOS Backscatter Tracebacks.

Customer is DOSed – After – Packet Drops Pushed to the Edge NOC A B C D E F G iBGP Advertises List of Black Holed Prefixes Target Peer B Peer A IXP-W IXP- E Upstream A Upstream B POP Upstream A

Inter-Provider Mitigation F Target POP ISP - A ISP - B ISP - C ISP - D ISP - H ISP - G ISP - E ISP - F ISP - I

What can you do to help? Remote Triggered Black Hole Filtering is the most common ISP DOS/DDOS mitigation tool. Prepare your network: –ftp://ftp-eng.cisco.com/cons/isp/essentials/ (has whitepaper)ftp://ftp-eng.cisco.com/cons/isp/essentials/ –ftp://ftp-eng.cisco.com/cons/isp/security/ (has PDF Presentations)ftp://ftp-eng.cisco.com/cons/isp/security/ –NANOG Tutorial: (has public VOD with UUNET) –Turk, D., "Configuring BGP to Block Denial-of- Service Attacks", RFC 3882, September 2004.