
IP anycasting


Published in: Internet

  1. IP anycasting
     Matsuzaki ‘maz’ Yoshinobu <maz@iij.ad.jp>
     bdNOG7 maz@iij.ad.jp 1
  2. IP anycast
     • A routing practice, mostly used on the server side
     • Actually based on unicast routing
       – the same IP addresses in multiple locations
       – routers just forward packets to the ‘nearest’ node based on their routing information
     • It is difficult for users to detect the other anycast nodes
       – users have little knowledge of the network topology
       – BGP is good at hiding information
  3. Clients and a server
     (diagram: a server at 192.0.2.1 / 2001:db8:2::1 in 192.0.2.0/24 and 2001:db8:2::/64, with clients)
  4. Duplication, and it’s IP anycast
     (diagram: two anycast nodes, each carrying 192.0.2.0/24 and 2001:db8:2::/64 and serving 192.0.2.1 / 2001:db8:2::1)
  5. BGP anycast
     (diagram: two anycast nodes, 192.0.2.1 / 2001:db8:2::1, in different ASes, each sending a BGP announcement for 192.0.2.0/24 and 2001:db8::/32)
  6. IGP anycast
     (diagram: two anycast nodes within a single AS, each carrying 192.0.2.0/24 and 2001:db8:2::/64 and serving 192.0.2.1 / 2001:db8:2::1)
  7. IGP anycast deployment
     • By usual unicast routing
     • Any routing technique can be used for anycast
       – connected
       – static
       – OSPF, IS-IS, BGP
     • At IIJ, we have IGP-anycasted services
       – DNS authoritative servers
       – DNS resolvers
  8. Advantages of IP anycast
     • Geographical distribution
       – lower latency
       – load sharing among anycast nodes
     • Localizing traffic
       – even attacks, failures and congestion
       – routing decides which node should be used for a particular user
  9. 2007/02, DoS against root-dns
  10. IP anycast in the Internet
     • Authoritative DNS
       – root DNS
         • http://www.root-servers.org/
       – and many other TLD nameservers
     • Some CDN operators
       – http and https
       – public DNS resolvers
  11. IP FRAGMENTATION INJECTION
  12. IP fragment injection attack
     • Information injection by a spoofed packet
     (diagram: a packet split into 1st, 2nd and 3rd fragments, with additional injected 2nd fragments)
  13. IP header
     Version | IHL | TOS | Total Length
     Identification (16 bits) | Flags | Fragment Offset (13 bits)
     TTL | Protocol | Header Checksum
     Source IP address
     Destination IP address
     (Options and Padding, if any)
     Data...
  14. DNS
     Identification | Flags
     QDCOUNT | ANCOUNT
     NSCOUNT | ARCOUNT
     Questions
     Answer RRs
     Authoritative RRs
     Additional RRs
     To succeed in the attack, these response fields should be placed in the 2nd or later fragments
  15. ICMP Too Big
     • An error message from an intermediate router indicating that the sender needs to send smaller packets (of size “SIZE”) to reach the destination
     Type 3 (Unreach) | Code 4 (Too Big) | Checksum
     Unused | Next-hop MTU
     Original IP packet
  16. ICMP too big to adjust the offset
     • Then the attacker can overwrite the ‘interesting’ part
     (diagram: an ICMP too big message, followed by the 1st, 2nd and 3rd fragments and the injected 2nd fragments)
  17. It has been proved in lab environments
     • Many researchers claim that they succeeded in the IP fragment injection attack
     (diagram: as on slide 16)
  18. SIDE EFFECT OF IP ANYCAST
     anycast may break path MTU discovery
  19. path MTU discovery
     (diagram)
     1. big packet [DF]
     2. icmp: packet too big
     3. smaller packet [DF]
     A router needs to generate an ICMP error; a host needs to handle the ICMP error
  20. IP anycast may break pMTUd
     • An ICMP error message from an intermediate router might reach another anycast node
     (diagram: 1. big packet [DF] sent by one anycast node; 2. icmp: packet too big delivered to another anycast node)
  21. It might be a protection
     • Attackers are *not* able to send ICMP messages to a particular anycast node
     (diagram: as on slide 16, but with two anycast nodes)
  22. Condition
     • Components of an injection attack
       1. IP source address spoofing
       2. IP-ID (16-bit) match
       3. Appropriate fragment offset
     • BCP38 can eliminate 1)
       – all network admins should deploy BCP38
     • IP anycast can introduce some difficulties for 3)
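As an added example (not part of the slides), a small Python detector for the wire-level symptom of the injection attack described on slides 12 to 22: a fragment that carries the same source, destination, IP-ID and fragment offset as one already seen, but different content. It parses the IPv4 header fields from slide 13; the addresses, IP-ID and payloads are constructed sample values.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fragmentation-relevant IPv4 header fields (see the IP header slide)."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "mf": bool(flags_off & 0x2000),       # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,   # 13-bit offset, in 8-octet units
        "payload": pkt[ihl:total_len],
    }

def find_conflicting_fragments(packets):
    """Group fragments by (src, dst, IP-ID, protocol) and report any offset seen twice
    with different payloads: two '2nd fragments' competing for one reassembly slot."""
    seen = defaultdict(dict)   # (src, dst, id, proto) -> {offset: first payload seen}
    alerts = []
    for raw in packets:
        f = parse_ipv4(raw)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        first = seen[key].get(f["offset"])
        if first is not None and first != f["payload"]:
            alerts.append((key, f["offset"]))
        seen[key].setdefault(f["offset"], f["payload"])
    return alerts

def build_fragment(src, dst, ident, offset, more, payload, proto=17):
    """Constructed sample fragment (UDP; header checksum left zero, it is not parsed)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload

# Constructed sample: a DNS reply from 192.0.2.1 (the slides' server) to a client, split
# into two fragments (payloads shortened), plus a spoofed copy of the 2nd fragment.
SERVER, CLIENT = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
SAMPLE_PACKETS = [
    build_fragment(SERVER, CLIENT, 0x1234, 0, True, b"dns header + question"),
    build_fragment(SERVER, CLIENT, 0x1234, 1480, False, b"genuine answer RRs"),
    build_fragment(SERVER, CLIENT, 0x1234, 1480, False, b"spoofed answer RRs"),
]

if __name__ == "__main__":
    for (src, dst, ident, proto), offset in find_conflicting_fragments(SAMPLE_PACKETS):
        print(f"conflicting fragment: id=0x{ident:04x} offset={offset} "
              f"from {'.'.join(map(str, src))} to {'.'.join(map(str, dst))}")
```

A genuine retransmission carries a fresh IP-ID and a tap seeing the same packet twice yields identical payloads, so neither is flagged; only a differing payload at an already-seen offset is reported.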
  23. Summary
     • IP anycast is widely used
       – mostly to deploy DNS-related services
       – it’s actually a powerful technique
     • It has a side effect
       – IP anycast may break pMTUd, as an ICMP error message from an intermediate router might reach another node
       – it also introduces a benefit that might prevent the IP fragment injection attack
