Presentation is loading. Please wait.

Presentation is loading. Please wait.

BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.

Published byIrene Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed."— Presentation transcript:

1 BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed

2 Lots of Advice re Anti-Spoofing BCP38 (RFC2827) was standardized in May 2000 – Network Ingress Filtering: Defeating DoS Attacks Which Employ IP Source Address Spoofing – http://tools.ietf.org/html/bcp38 BCP84 (RFC3704) was standardized in March 2004 – Ingress Filtering for Multihomed networks – http://tools.ietf.org/html/bcp84 Expired draft on deployment experiences – Experiences from Using Unicast RPF – Draft-savola-bcp84-urpf-experiences-03.txt

3 And there’s more advice…. ICANN Security and Stability Advisory Committee (SSAC) Documents – SAC004 – Securing the Edge (Oct 2002) https://www.icann.org/en/system/files/files/sac-004- en.pdf – SAC065 – Advisory on Ddos Attacks Leveraging DDoS Infrastructure (Feb 2014) https://www.icann.org/en/system/files/files/sac-065- en.pdf

4 Deployment Status Hard to definitively measure – http://spoofer.cmand.org – Others? Know this is still problem due to ongoing attacks – DNS, SNMP, NTP, etc – Amplification Hell http://www.christian- rossow.de/articles/Amplification_DDoS.php

5 DNS Amplification Attacks Utilizing Forged (Spoofed) IP Addresses Attacker Victim Open recursive DNS servers send legitimate queries to authoritative servers Authoritative servers send back legitimate replies to recursive DNS servers Open recursive DNS server legitimate responses create massive DDoS attack to victim’s IP address. Authoritative DNS Servers Authoritative DNS Servers Authoritative servers send replies directly to the victim Open Resolvers Use forged IP address of intended victim to send legitimate queries to open recursive DNS servers. BotNet Attacker has control of a BotNet 1 1 1 2 1 3 1 4 Abusing Open Recursive DNS ServersAbusing Authoritative DNS Servers Attacker 1 1 1 2 1 3 BotNet sends queries appearing to come from victim to authoritative servers

6 What’s Goal In This Work Many documents tell you WHAT to do Few documents tell you HOW to do it – RIPE Anti-Spoofing Task Force How-To (May 2008) http://www.ripe.net/ripe/docs/ripe-431 – bcp38.info (ongoing) Not much information exists on vendor bugs and workarounds Not much information exists on practical use cases

7 Where Provide Anti-Spoofing? router bgp neighbor remote-as neighbor prefix-list customer in ip prefix-list customer permit ip prefix-list customer deny Home Customer SMB Customer ISP EGRESS INGRESS Deploy anti-spoofing filters as close to potential source as possible ipv6 access-list extended DSL-ipv6-Inbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Inbound in INGRESS ipv6 access-list extended DSL-ipv6- Outbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Outbound out

8 Where Input Needed How you implement anti-spoofing mechanisms? – Packet filters vs uRPF vs route filters vs ?? Why are you not implementing anti-spoof mechanisms? What bugs have you run into? IXPs, ISPs Also Enterprises

9 How to get involved Merike+bcop@doubleshotsecurity.com List coming soon Draft ETA End of November.

Download ppt "BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed."

Similar presentations

Denial of Service By: Samarth Shah and Navin Soni.

Denial of Service By: Samarth Shah and Navin Soni.
Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
DNS Amplification and DNS Hijack Risk Mitigation

DNS Amplification and DNS Hijack Risk Mitigation
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Kevin Miller Carnegie Mellon University Three Practical Ways to Improve Your Network.

Kevin Miller Carnegie Mellon University Three Practical Ways to Improve Your Network.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—3-1 Frame-Mode MPLS Implementation on Cisco IOS Platforms Configuring Frame-Mode MPLS on Cisco.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—3-1 Frame-Mode MPLS Implementation on Cisco IOS Platforms Configuring Frame-Mode MPLS on Cisco.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.

#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

Similar presentations

Ads by Google