SlideShare a Scribd company logo

BGP Route Leaks at Ripe74

Qrator Labs
Qrator Labs

At the Ripe74 routing working group, Qrator Labs leading engineer Alexander Azimov gave a status update on the BGP route leaks issue. These are the slides to the video: https://youtu.be/4NAlJzVRwM0

Internet
1 of 25
Download to read offline
Route Leaks: Status Update Alexander Azimov, Qrator Labs <aa@qrator.net>
Definition Route Leaks are propagation of BGP prefixes which violate assumptions of BGP topology relationships; e.g. passing a route learned from one peer to another peer or to a transit provider, passing a route learned from one transit provider to another transit provider or to a peer.
Leaked Prefixes If your prefixes are leaked: 1. Increased delays; 2. DoS; 3. MiTM attack.
Leaked Prefixes 0 5000 10000 15000 20000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Prefixes 0 10000 20000 30000 40000 50000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
Accepting Leaked Prefixes If your AS accepts leaked prefixes: 1. Increased delays; 2. DoS; 3. MiTM attack.
Accepting Leaked Prefixes 0,89 0,9 0,91 0,92 0,93 0,94 0,95 0,96 0,97 0,98 0,99 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Leakers If your AS leaks prefixes: 1. DoS attack, was it your goal? 2. MiTM attack, was it your goal? 3. If not, money loss, packet loss, reputation loss.
Leakers 520 540 560 580 600 620 640 660 680 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Leakers 0 200 400 600 800 1000 1200 1400 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
Communities No enforcement of policy existence and its correctness Set communities depending on policy Filter routes depending on set communities
Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET?
Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET? What if leak happens inside AS cone?
Monitoring • BGPStream + Caida AS Relations; • DYN/Renesys; • Radar by Qrator.
Preliminary Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; No opportunity to stop leak propagation in automated way
Peering Relations/Roles Provider: sends their own routes and (possibly) a subset of routes learned from their other customers, peers, and transit providers to their customer. Customer: accepts 'transit routes' from its provider(s) and announces their own routes and the routes they have learned from the transitive closure of their customers to their provider(s). Peer: announces their routes and the routes from their customer cone to other Peers. Internal: announces all routes, accepts all routes.
BGP Roles OPEN with customer role OPEN with peer role NotificationNotification 3 pairs of non-conflict roles: 1. Peer <---> Peer 2. Customer <---> Provider 3. Internal <---> Internal
Considerations • Roles are native; • Roles are not revealing any sensitive data to other parties; • Roles have a number of applications.
Route Leak Prevention: iOTC If route was learned from a provider or peer it should not be announced to another provider or peer Set iOTC if role is customer or peer Internal Session No iOTC change Filter routes if iOTC is set and role is customer or peer
Route Leak Detection: eOTC If role is provider or peer eOTC is set and eOTC!=AS2 AS1 AS3AS2 If route was learned from a customer or peer and eOTC is set and eOTC != neighbor AS then route was leaked If role is provider or peer eOTC=AS1 No Filters
What should we do with Route Leak?
What should we do with Route Leak? • What if there is no alternatives? • What if somebody violated eOTC value? Deprioritization instead of filtering!
Implementation protocol bgp IAMOPERATOR { local as MY_AS; neighbor X.X.X.X as AS_PROVIDER; role customer; } Github: https://github.com/QratorLabs/bird
No Fat Fingers Inside
IETF: Slow Motion March 2016: OTC attribute and roles; October 2016: OTC functionality split between eOTC and iOTC; March 2017: clarification of peering relations, eOTC is moved to a separate draft. Current version: https://www.ietf.org/id/draft-ymbk-idr-bgp-open-policy-03 https://tools.ietf.org/html/draft-ymbk-idr-bgp-eotr-policy-00
IETF: Slow Motion https://tools.ietf.org/html/rfc7908 Problem Definition and Classification https://tools.ietf.org/html/draft-ietf-idr-route-leak- detection-mitigation Alternative to eOTC https://tools.ietf.org/html/draft-ietf-grow-bgp-reject Change of BGP default behaviour
Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; • Roles + iOTC + eOTC can solve the general problem of route leaks that are result of mistake; • Collaborate with IETF!!! • Give us feedback: init.qrator.net/details/route-leak-mitigation

Recommended

Ch20
Ch20Ch20
Ch20IDRIS USMANI
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
TASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureTASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureCybersecurity Education and Research Centre
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security ThreatsThousandEyes
 
Networking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIINetworking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIIVasanti Dutta
 
Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Paul Yang
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 

Recommended

Ch20
Ch20Ch20
Ch20IDRIS USMANI
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
TASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureTASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureCybersecurity Education and Research Centre
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security ThreatsThousandEyes
 
Networking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIINetworking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIIVasanti Dutta
 
Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Paul Yang
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network OperatorsBangladesh Network Operators Group
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filtersRafael Alcazar
 
evaluation2.pptx
evaluation2.pptxevaluation2.pptx
evaluation2.pptxadnanmunirkhokhar
 
Ospf
OspfOspf
Ospfankit_saluja
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
IP ROUTING
IP ROUTINGIP ROUTING
IP ROUTINGanilinvns
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updatedSagarR24
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part bSagarR24
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTINGanilinvns
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
Networking in college
Networking in collegeNetworking in college
Networking in collegeHarpreet Gaba
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficTal Lavian Ph.D.
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
ENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxManuelRojas960410
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithmsMoctardOLOULADE
 
Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Qrator Labs
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs
 

More Related Content

Similar to BGP Route Leaks at Ripe74

Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filtersRafael Alcazar
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updatedSagarR24
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part bSagarR24
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTINGanilinvns
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
Networking in college
Networking in collegeNetworking in college
Networking in collegeHarpreet Gaba
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficTal Lavian Ph.D.
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 

Similar to BGP Route Leaks at Ripe74 (20)

MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na Internet
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filters
 
evaluation2.pptx
evaluation2.pptxevaluation2.pptx
evaluation2.pptx
 
Ospf
OspfOspf
Ospf
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
IP ROUTING
IP ROUTINGIP ROUTING
IP ROUTING
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updated
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part b
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTING
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
 
Networking in college
Networking in collegeNetworking in college
Networking in college
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport traffic
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
ENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptx
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithms
 

More from Qrator Labs

Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Qrator Labs
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs
 
Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Qrator Labs
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?Qrator Labs
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016Qrator Labs
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Qrator Labs
 
Сколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьСколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьQrator Labs
 
Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Qrator Labs
 
Caution i pv6 is here
Caution i pv6 is hereCaution i pv6 is here
Caution i pv6 is hereQrator Labs
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLSQrator Labs
 
ISP Border Definition
ISP Border DefinitionISP Border Definition
ISP Border DefinitionQrator Labs
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringQrator Labs
 
Internet Roads of Caucasus
Internet Roads of CaucasusInternet Roads of Caucasus
Internet Roads of CaucasusQrator Labs
 
Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Qrator Labs
 
Особенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакОсобенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакQrator Labs
 
Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Qrator Labs
 
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеWhite Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеQrator Labs
 
Тренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреТренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреQrator Labs
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Qrator Labs
 

More from Qrator Labs (20)

Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017
 
Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat.
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году
 
Сколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьСколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делать
 
Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]
 
Caution i pv6 is here
Caution i pv6 is hereCaution i pv6 is here
Caution i pv6 is here
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
 
ISP Border Definition
ISP Border DefinitionISP Border Definition
ISP Border Definition
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
 
Internet Roads of Caucasus
Internet Roads of CaucasusInternet Roads of Caucasus
Internet Roads of Caucasus
 
Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Latency i pv4 vs ipv6
Latency i pv4 vs ipv6
 
Особенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакОсобенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атак
 
Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016
 
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеWhite Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
 
Тренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреТренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в мире
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015
 

Recently uploaded

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 

BGP Route Leaks at Ripe74

  • 1. Route Leaks: Status Update Alexander Azimov, Qrator Labs <aa@qrator.net>
  • 2. Definition Route Leaks are propagation of BGP prefixes which violate assumptions of BGP topology relationships; e.g. passing a route learned from one peer to another peer or to a transit provider, passing a route learned from one transit provider to another transit provider or to a peer.
  • 3. Leaked Prefixes If your prefixes are leaked: 1. Increased delays; 2. DoS; 3. MiTM attack.
  • 4. Leaked Prefixes 0 5000 10000 15000 20000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Prefixes 0 10000 20000 30000 40000 50000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
  • 5. Accepting Leaked Prefixes If your AS accepts leaked prefixes: 1. Increased delays; 2. DoS; 3. MiTM attack.
  • 6. Accepting Leaked Prefixes 0,89 0,9 0,91 0,92 0,93 0,94 0,95 0,96 0,97 0,98 0,99 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
  • 7. Leakers If your AS leaks prefixes: 1. DoS attack, was it your goal? 2. MiTM attack, was it your goal? 3. If not, money loss, packet loss, reputation loss.
  • 8. Leakers 520 540 560 580 600 620 640 660 680 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Leakers 0 200 400 600 800 1000 1200 1400 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
  • 9. Communities No enforcement of policy existence and its correctness Set communities depending on policy Filter routes depending on set communities
  • 10. Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET?
  • 11. Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET? What if leak happens inside AS cone?
  • 12. Monitoring • BGPStream + Caida AS Relations; • DYN/Renesys; • Radar by Qrator.
  • 13. Preliminary Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; No opportunity to stop leak propagation in automated way
  • 14. Peering Relations/Roles Provider: sends their own routes and (possibly) a subset of routes learned from their other customers, peers, and transit providers to their customer. Customer: accepts 'transit routes' from its provider(s) and announces their own routes and the routes they have learned from the transitive closure of their customers to their provider(s). Peer: announces their routes and the routes from their customer cone to other Peers. Internal: announces all routes, accepts all routes.
  • 15. BGP Roles OPEN with customer role OPEN with peer role NotificationNotification 3 pairs of non-conflict roles: 1. Peer <---> Peer 2. Customer <---> Provider 3. Internal <---> Internal
  • 16. Considerations • Roles are native; • Roles are not revealing any sensitive data to other parties; • Roles have a number of applications.
  • 17. Route Leak Prevention: iOTC If route was learned from a provider or peer it should not be announced to another provider or peer Set iOTC if role is customer or peer Internal Session No iOTC change Filter routes if iOTC is set and role is customer or peer
  • 18. Route Leak Detection: eOTC If role is provider or peer eOTC is set and eOTC!=AS2 AS1 AS3AS2 If route was learned from a customer or peer and eOTC is set and eOTC != neighbor AS then route was leaked If role is provider or peer eOTC=AS1 No Filters
  • 19. What should we do with Route Leak?
  • 20. What should we do with Route Leak? • What if there is no alternatives? • What if somebody violated eOTC value? Deprioritization instead of filtering!
  • 21. Implementation protocol bgp IAMOPERATOR { local as MY_AS; neighbor X.X.X.X as AS_PROVIDER; role customer; } Github: https://github.com/QratorLabs/bird
  • 22. No Fat Fingers Inside
  • 23. IETF: Slow Motion March 2016: OTC attribute and roles; October 2016: OTC functionality split between eOTC and iOTC; March 2017: clarification of peering relations, eOTC is moved to a separate draft. Current version: https://www.ietf.org/id/draft-ymbk-idr-bgp-open-policy-03 https://tools.ietf.org/html/draft-ymbk-idr-bgp-eotr-policy-00
  • 24. IETF: Slow Motion https://tools.ietf.org/html/rfc7908 Problem Definition and Classification https://tools.ietf.org/html/draft-ietf-idr-route-leak- detection-mitigation Alternative to eOTC https://tools.ietf.org/html/draft-ietf-grow-bgp-reject Change of BGP default behaviour
  • 25. Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; • Roles + iOTC + eOTC can solve the general problem of route leaks that are result of mistake; • Collaborate with IETF!!! • Give us feedback: init.qrator.net/details/route-leak-mitigation