Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alexander Azimov <aa@qrator.net> Anti Spoofing. Reboot. Alexander Azimov <aa@qrator.net>

Published byAmie Miller Modified over 6 years ago

Similar presentations

Presentation on theme: "Alexander Azimov <aa@qrator.net> Anti Spoofing. Reboot. Alexander Azimov <aa@qrator.net>"— Presentation transcript:

1 Alexander Azimov <aa@qrator.net>
Anti Spoofing. Reboot. Alexander Azimov

2 IP Spoofing Attacks on TCP stack; TCP floods (SYN, ACK,…);
Reflection Attacks; Amplification Attacks.

3 DDoS Amplifiers Source: Qrator Labs annual report 2017

4 BCP84: uRPF https://tools.ietf.org/html/bcp84 Strict mode;
Feasible mode; Loose mode.

5 Rule: incoming interface = interface for the best route for SRC_IP
Strict Mode Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X x.x.x.0/24 x.x.x.0/24 CustomerX Rule: incoming interface = interface for the best route for SRC_IP

6 Rule: there is a route for SRC_IP
Loose Mode Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X x.x.x.0/24 x.x.x.0/24 CustomerX Rule: there is a route for SRC_IP

7 Rule: incoming interface = interface for the best route for SRC_IP
Feasible Mode Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X x.x.x.0/24 x.x.x.0/24 CustomerX Rule: incoming interface = interface for the best route for SRC_IP

8 Rule: incoming interface = interface for the best route for SRC_IP
Feasible Mode Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X C A X x.x.x.0/24 CustomerX Rule: incoming interface = interface for the best route for SRC_IP

9 BCP84: uRPF https://tools.ietf.org/html/bcp84
Strict mode – not working; Loose mode – does nothing. Feasible mode – not working;

10 Problem Statement A distance-vector protocol isn't the best way to propagate availability information.

11 Option №1: New SAFI

12 Hacking

13 Rule: Check that SRC_IP belongs to customer’s AS_SET
Option №2: AS-SETs Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X x.x.x.0/24 x.x.x.0/24 CustomerX Rule: Check that SRC_IP belongs to customer’s AS_SET

14 Option №2: AS-SETs Transformation of ingress filters into ACLs.
Positive: We do not need to change specification; We do not need to ship new software; Can be used by any ISP, isn't it? Negative: AS-SETs are outdated, unauthorized; Scalability problems.

15 Option 3: GRSH + Feasible Mode
Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X C A X x.x.x.0/24 x.x.x.0/24 GRSH CustomerX A new transit well-known community that sets LOCAL_PREF to 0.

16 Option 3: GRSH + Feasible Mode
Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X C A X x.x.x.0/24 x.x.x.0/24 GRSH CustomerX Provider B sees x.x.x.0/24 route, but doesn’t use it. x.x.x.0/24 route marked with GRSH – informational message

17 Option 3: GRSH + Feasible Mode
Provider C Ingress Traffic Egress Traffic Provider A Provider B Provider AS_PATH A X B C A X C A X x.x.x.0/24 x.x.x.0/24 GRSH CustomerX Works only for multihomed ISPs… But it more then 85% of all ISPs in the world!

18 Option 3: GRSH + Feasible Mode
GRACEFUL_SHTUTDOWN community creates informational message for directly connected peers. Positive: We do not need to change specification; We do not need to ship new software; We solve problem for multihomed of ISPs. Negative: A lot of work with customers is required; Doesn’t work between transit ISPs.

19 Option 4: Do Nothing. But are you prepared?

20

21

Download ppt "Alexander Azimov <aa@qrator.net> Anti Spoofing. Reboot. Alexander Azimov <aa@qrator.net>"

Similar presentations

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.

Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
MPLS H/W update Brief description of the lab What it is? Why do we need it? Mechanisms and Protocols.

MPLS H/W update Brief description of the lab What it is? Why do we need it? Mechanisms and Protocols.
Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.

Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.
CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim 02.18.2009.

CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim
Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter 2007-2008.

Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.

Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
1 Autonomous Systems An autonomous system is a region of the Internet that is administered by a single entity. Examples of autonomous regions are: UVA’s.

1 Autonomous Systems An autonomous system is a region of the Internet that is administered by a single entity. Examples of autonomous regions are: UVA’s.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
– Chapter 4 – Secure Routing

– Chapter 4 – Secure Routing
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
TCOM 515 Lecture 6.

TCOM 515 Lecture 6.
23 rd Annual Computer Security Application Conference Miami, Florida 12/13/2007 Dongqing Yuan Department of Information Technology Management University.

23 rd Annual Computer Security Application Conference Miami, Florida 12/13/2007 Dongqing Yuan Department of Information Technology Management University.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.

BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
Raw Sockets - 101 Vivek Ramachandran. A day in the life of Network Packet.

Raw Sockets Vivek Ramachandran. A day in the life of Network Packet.

Similar presentations

Ads by Google