Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Routing Security in 2017 – We can do better!

926 views

Published on

Presentation by Andrei Robachevsky at APRICOT 2018 on Tuesday, 27 February 2018.

Published in: Internet
  • Be the first to comment

Routing Security in 2017 – We can do better!

  1. 1. Internet Society © 1992–2016 And how MANRS can help Routing Security in 2017 – We can do better! Andrei Robachevsky robachevsky@isoc.org APRICOT 2018 Presentation title – Client name 1
  2. 2. A Routing Security Primer The Problem 2
  3. 3. The Problem Caption 10/12pt Caption body copy 3 Border Gateway Protocol (BGP) is based entirely on trust • No built-in validation of the legitimacy of updates • The chain of trust spans continents • Lack of reliable resource data
  4. 4. https://bgpstream.com/ Which leads to …
  5. 5. No Day Without an Incident 5 0 20 40 60 80 100 120 1/1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17 6 month of suspicious activity Hijack Leak http://bgpstream.com/
  6. 6. What’s Happening? IP prefix hijack • AS announces prefix it doesn’t originate and wins the ‘best route’ selection • AS announces more specific prefix than what may be announced by originating AS • AS announces it can route traffic through shorter route, whether it exists or not • Packets end up being forwarded to wrong part of Internet • Denial-of-Service (DoS), traffic interception, or impersonating network or service Route leaks • Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider) • Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance • Can be equally devastating 6
  7. 7. What is happening? Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 7
  8. 8. What is happening? Route Leak 8 A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: September 2014. VolumeDrive (AS46664) is a Pennsylvania-based hosting company that uses Cogent (AS174) and Atrato (AS5580) for Internet transit. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. (https://dyn.com/blog/why-the-internet-broke-today/)
  9. 9. Statistics of routing incidents generated from BGPStream data Caveats: • Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change • CC attribution is based on geolocation MaxMind's GeoLite City data set 2017 in review: 14000 routing incidents 9
  10. 10. Global stats 10 • 13,935 total incidents (either outages or attacks like route leaks and hijacks) • Over 10% of all Autonomous Systems on the Internet were affected • 3,106 Autonomous Systems were a victim of at least one routing incident • 1,546 networks caused at least one incident 8631, 62% 5304, 38% Twelve months of routing incidents Outage Routing incident Source: https://www.bgpstream.com/
  11. 11. Outages: APAC 11 406 312 111 103 79 72 37 32 27 16 Outages per country IN ID BD CN KR PK TH AU VN SG 5.7 5.6 6.1 8.55.6 1.4 3.7 8.9 2.6 2.0 Percent of AS's in a country having an outage IN ID KR CN BD AU TH PK VN PH Source: https://www.bgpstream.com/
  12. 12. APAC: potential victims 12 Source: https://www.bgpstream.com/ 299 138 99 93 90 85 69 61 53 44 Incidents with a victim in a country, Top 10 IN BD CN ID MM PH TH AU JP SG 15 14 13 12 12 11 11 11 9 9 Top 10 victims of routing incidents AS63852 AS18399 AS4134 AS38456 AS9498 AS54538 AS134736 AS14762 AS4837 AS24319
  13. 13. APAC: potential culprits 13 351 214 121 95 72 69 67 58 42 31 Incidents with a culprit in a country, top 10 CN IN SG BD MM ID JP PH AU MY Source: https://www.bgpstream.com/ 321 81 33 32 29 27 22 20 19 18 Top 10 potential culprits in routing incidents AS4134 AS7473 AS133385 AS132167 AS10026 AS58601 AS17676 AS17494 AS55644 AS10201
  14. 14. Bogons: APAC 14 6 2 8 25 2 22 1 1 10 1 1 1 # bogon prefixes AU BD CN HK ID IN JP PH ID IN KR TH 52 1 3 1 1 2 1 4 # bogon ASNs AU CN HK IN MY PH TH TH Source: https://www.cidr-report.org/as2.0/
  15. 15. Are There Solutions? 15 Tools - Yes! • Prefix and AS-PATH filtering • RPKI validator, IRRToolset, IRRPT, BGPQ3 • BGPSEC is standardised But… • Lack of reliable data • Lack of deployment
  16. 16. A Tragedy of the Commons 16 From a routing perspective, securing your own network does not necessarily make it more secure. Network security is in someone else’s hands. — The more hands – the better the security Is there a clear, visible, and industry- supported line between good and bad? — A cultural norm?
  17. 17. A vital part of the security solution Mutually Agreed Norms for Routing Security 17
  18. 18. MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. 18
  19. 19. Building a culture of routing hygiene 19 MANRS defines four concrete actions that network operators should implement — Technology-neutral baseline for global adoption — 4 Actions: a minimum set of requirements MANRS builds a visible community of security- minded operators — Promotes culture of collaborative responsibility
  20. 20. MANRS Actions Filtering – Prevent propagation of incorrect routing information • Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing – Prevent traffic with spoofed source IP addresses • Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination – Facilitate global operational communication and coordination between network operators • Maintain globally accessible up-to-date contact information Global Validation – Facilitate validation of routing information on a global scale • Publish your data, so others can validate 20
  21. 21. Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 21 Use an IRR (e.g. APINIC IRR) • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR • AS64500 will need to register its own route object, define its customer-cone using an as-set object, and publish its routing policy with an aut-num object. • AS64500 will use IRRToolset, BGPQ3, IRRPT to generate filters
  22. 22. Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 22 Use RPKI • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements • AS64500 will do the same • AS64500 can use RPKI validator to directly tag the announcements, e.g. route-map rpki permit 10 match rpki valid set local-preference 999 …
  23. 23. Anti-spoofing: Prevent traffic with spoofed source IP addresses 23 Use ingress ACLs ip access-list extended customer1-in-ipv4 permit ip 192.0.2.0 0.0.0.255 any ! ipv6 access-list customer1-in-ipv6 permit ipv6 2001:db8:1001::/48 any ! interface x ip access-group customer1-in-ipv4 in ipv6 traffic-filter customer1-in-ipv6 in Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
  24. 24. Anti-spoofing: Prevent traffic with spoofed source IP addresses 24 Use uRPF ip verify unicast reachable-via rx ipv6 verify unicast reachable-via rx Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
  25. 25. mntner role Inetnum Inet6num . 25 Coordination: Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information aut-num as-set route-set MyAPNIC Portal Abuse Policy Technical NOC Public Relations Sales Network Operations Center Support Team Abuse Team Security Team
  26. 26. ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 Global Validation: Facilitate validation of routing information on a global scale 26 Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties aut-num: AS64500 mp-import: from AS64501 accept AS64501 mp-export: to AS64501 announce ANY ... mp-import: from AS64511 accept AS64511:AS- ALL mp-export: to AS64511 announce 64500:AS-ALL ... source: APNIC route: 192.0.2.0/24 origin: AS64501 source: APNIC route6: 2001:db8:1001::/48 origin: AS64501 source: APNIC route: 198.51.100.0/24 origin: AS64502 source: APNIC route6: 2001:db8:2002::/48 origin: AS64502 source: APNIC route: 203.0.113.0/24 origin: AS64500 source: APNIC route6: 2001:db8:1000::/3 6 origin: AS64500 source: APNIC as-set: AS64500:AS-ALL members: AS64500 members: AS64501, AS64502 source: APNIC ROA: 2001:db8:2002::/4 8 origin: AS64502
  27. 27. More detailed guidance • MANRS Implementation guide • Based on Best Current Operational Practices deployed by network operators around the world • http://www.manrs.org/bcop/ 27 • MANRS online modules • https://www.internetsociety.org/tutorials/manrs/ • Can be delivered in a form of moderated classes
  28. 28. Why to join MANRS? 28 • Improve your security posture and reduce number and impact of routing incidents • Join the community of security minded operators • Use MANRS as a competitive differentiator
  29. 29. Join Us 29 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives
  30. 30. 30 LEARN MORE: https://www.manrs.org manrs@isoc.org
  31. 31. Routing security & MANRS: a poll Vote link: http://etc.ch/3uEg 31
  32. 32. Let us look at the results 32 • https://directpoll.com/r?XDbzPBd3ixYqg82ZSamae3gr Z6zRHWuZzYEepTwV3
  33. 33. Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. Andrei Robachevsky robachevsky@isoc.org 33

×