BSides: BGP Hijacking and Secure Internet RoutingAPNIC
APNIC Senior Network Analyst/Technical Trainer Warren Finch and APNIC Training Delivery Manager Tashi Phuntsho present on current tool and techniques, how Resource Public Key Infrastructure (RPKI) is just a piece in the puzzle, and what we should all do to secure Internet routing at BSides in Brisbane, Australia on 12 December 2020.
PacNOG 29: Routing security is more than RPKIAPNIC
APNIC Chief Scientist presented on how much more there is to routing security than just RPKI at PacNOG 29, held online from 29 November to 9 December 2021.
APNIC Senior Network Analyst Tashi Phuntsho presents on the importance of routing security at SANOG 34 in Kolkata, India from 31 July to 7 August 2019.
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
APNIC Senior Network Analyst/Technical Trainer Warren Finch and APNIC Training Delivery Manager Tashi Phuntsho present on current tool and techniques, how Resource Public Key Infrastructure (RPKI) is just a piece in the puzzle, and what we should all do to secure Internet routing at BSides in Brisbane, Australia on 12 December 2020.
PacNOG 29: Routing security is more than RPKIAPNIC
APNIC Chief Scientist presented on how much more there is to routing security than just RPKI at PacNOG 29, held online from 29 November to 9 December 2021.
APNIC Senior Network Analyst Tashi Phuntsho presents on the importance of routing security at SANOG 34 in Kolkata, India from 31 July to 7 August 2019.
APNIC Training Manager Tashi Phuntsho explains why securing Internet routing is so important at the first Mongolian Network Operators Group meeting in Ulaanbaatar, Mongolia from 16 to 20 September 2019.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
IPv6 Deployment Case on a Korean Governmental Website, by Jean Ryu.
A presentation given at APNIC 42's Network Operations session on Tuesday, 4 October 2016.
RPKI is one of the newest technology securing inter-domain routing. This presentation explore how ISP's in Bangladesh is adopting this solution and what is the status of RPKI deployment.
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
Traffic engineering, policy routing, or service function chaining are used in many networks today. Unfortunately there is still one hard question left that management or security departments tend to ask: "Can you please prove to me that all traffic that was meant to traverse a specific service chain really followed that path?" Proof-of-transit is here to help: By adding some meta-data to our traffic, we can now provide a packet by packet proof of the actual path followed. This presentation outlines the technology (based on Shamir's Secret Sharing Scheme) as well as the implementation on IOS and FD.io/VPP.
Fighting against DDoS specially with volumetric attack is always challenging for an ISP or transit provider. There isn't any single solution which help us to filter out bad traffic; it's require collaboration with upstream and related organization. Beside this fining out the target is also time consuming; where most the the provider struggles. In this presentation I talk about my experience implementing few community based effort which help me to better fight against volumetric DDoS attack.
RPKI (Resource Public Key Infrastructure)Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
Part 10 : Routing in IP networks and interdomain routing with BGPOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
APNIC Training Manager Tashi Phuntsho explains why securing Internet routing is so important at the first Mongolian Network Operators Group meeting in Ulaanbaatar, Mongolia from 16 to 20 September 2019.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
IPv6 Deployment Case on a Korean Governmental Website, by Jean Ryu.
A presentation given at APNIC 42's Network Operations session on Tuesday, 4 October 2016.
RPKI is one of the newest technology securing inter-domain routing. This presentation explore how ISP's in Bangladesh is adopting this solution and what is the status of RPKI deployment.
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
Traffic engineering, policy routing, or service function chaining are used in many networks today. Unfortunately there is still one hard question left that management or security departments tend to ask: "Can you please prove to me that all traffic that was meant to traverse a specific service chain really followed that path?" Proof-of-transit is here to help: By adding some meta-data to our traffic, we can now provide a packet by packet proof of the actual path followed. This presentation outlines the technology (based on Shamir's Secret Sharing Scheme) as well as the implementation on IOS and FD.io/VPP.
Fighting against DDoS specially with volumetric attack is always challenging for an ISP or transit provider. There isn't any single solution which help us to filter out bad traffic; it's require collaboration with upstream and related organization. Beside this fining out the target is also time consuming; where most the the provider struggles. In this presentation I talk about my experience implementing few community based effort which help me to better fight against volumetric DDoS attack.
RPKI (Resource Public Key Infrastructure)Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
Part 10 : Routing in IP networks and interdomain routing with BGPOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
(This was a Live Webinar on July 21, 2016 at 10:00 am Pacific Time / 1:00 pm Eastern Time)
Watch the Replay at: bit.ly/29Mw58Q
Catch the original TV episode or any other topics at www.techwisetv.com
Description:
Networks are moving toward simplification, increased operational efficiency, and programmability using technologies such as software-defined networking. Cisco continues to demonstrate innovation by introducing the concept of segment routing in the data center, making the network more intelligent and adaptive to the applications running on top of it. Segment routing delivers application-optimized network transport. Encoding the path information directly at the source (that is, either at the virtual switch or at the top of rack) and using per-app policies, segment routing puts control in the hands of the network operators by empowering them to create secure, adaptive, and optimal paths based on the requirements of the application itself.
Please join us in the session to learn how Cisco is helping organizations increase network efficiency by allocating resources on demand and optimizing the network to better support business-critical applications, all while preserving security.
Agenda
Topics to discuss include:
- Introducing segment routing
- Why the need for application-optimized transport
- Features and benefits of segment routing
- Differences between segment routing and MPLS transport
- Relevance of segment routing in the data center
- Use cases and applicability of segment routing
- Summary and conclusion
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
APNIC Deputy Director General Sanjaya gives a keynote address on strengthening the Sri Lankan Internet infrastructure at LkNOG 3 in Colombo, Sri Lanka from 2 to 4 October 2019.
APAN 50: RPKI industry trends and initiatives APNIC
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of the RPKI, why it is important, and how to create ROAs and ROVs to secure routing announcements.
BGP Multihoming Techniques, by Philip Smith.
A presentation given at APRICOT 2016’s BGP Multihoming Techniques (Part 1 and 2) sessions on 24 February 2016.
The bond between automation and network engineeringJimmy Lim
The slides are presented in IDNOG5. It discusses the evolving role of network engineering. Automation is an integral part of network engineering. It provides real examples on how automation is the master of network engineering in Cloudflare.
Unknown Unicast Storm Control in Internet ExchangeJimmy Lim
This presentation is the continuation of the presentation that I shared in March 2013 about Broadcast and Multicast Storm control in IX.
Hopefully this presentation finalises the BUM storm control in Internet Exchange.
Feel free to discuss and share!!
Thanks,
Jimmy
Sharing my experience on working with BIRD and OpenBGPd routing daemon...their key features, advantage, disadvantage, the general setup, comparison, etc...
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
3. Protect and accelerate any website online
● Direct visitors to nearest entry point
○ Fast
■ Lesser hops
■ Reduced latency
● Save bandwidth
○ Lesser requests to origin
○ Mitigate DDoS
● Resiliency
○ 150+ locations
6. Different type of inbound filtering
● No filtering?
○ No inbound policy filtering
○ Not acceptable
● AS path filtering
○ Filtering based on AS path - a series of autonomous system (AS) numbers
with originator’s AS number at the end of the path
○ Using regular expression
● Prefix filtering
○ Filtering based on the matching prefixes defined in the prefix list or route
filter
7. Many local IXPs are still doing AS path filtering
● Allow all prefixes that are originated by the ASN
○ No proper validation
● Prone to accidental/wrong announcement
● High risk of prefix hijacking and blackholing
8. Sample of bad thing about AS Path filtering
ISP/IXP
AS65501
Originate 10.0.0.0/24
AS_PATH _65501$
Send packet to 10.0.0.1
Hijacking routerLegitimate router
AS65001
Originate 10.0.0.0/23
9. Sample of bad thing about AS Path
● What is so bad about the previous example?
permit _65501$
● That implies accept any prefixes that are originated by AS65501
○ High chance to create accidental hijacking
○ High risk to hijack or blackhole maliciously
10. Another sample of bad thing about AS Path
filtering
● RTBH feature by ISP/IXPs
○ Allow customers or participants to
remotely trigger blackhole to prefixes
under their own ASN
■ eBGP multihop blackhole peering with ISPs
■ Direct transit BGP session
■ Using ISP/IXPs blackhole BGP community
○ Accept up to /32
Internet ISPCustomer router
ISPCustomer router
eBGP multihop
IXP
Participants
11. Why AS Path filtering still exist?
● Difficult to maintain prefix filter
○ Troublesome to validate
● No expertise to configure, too complex?
● IXPs reluctant to do strict filtering
○ Not able to attract all traffic
■ Participants do not update filter regularly/properly
12. Prefix list filtering
● Prefix based filtering
○ More validation is done
● Allow up to /24 for IPv4 prefix
● Allow up to /48 for IPv6 prefix
● Automatic update via IRR database
14. Internet Routing Registry
● Globally distributed routing information database
○ Ensure stability and consistency of Internet-wide routing
○ Sharing information between network operators
● Why use IRR?
○ Route filtering
○ Network troubleshooting
○ Router configuration
○ Global view of Internet routing
● List of IRRs
○ http://www.irr.net/docs/list.html
16. Route object information in IRR
route: 1.1.1.0/24
descr: Cloudflare, Inc.
origin: AS13335
mnt-by: MNT-CLOUD14
notify: rir@cloudflare.com
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: https://www.cloudflare.com/abuse
remarks: ---------------
source: ARIN
18. IRRs have a very loose security model
● Some database maintainers do not check the authenticity of
the entry
○ Records exist within IRRs can be wrong and/or missing
● There are lots of IRRs
○ Mirrors are not always up to date
● No cryptographic signing of records
● Let’s talk about RPKI
19. Resource Public Key Infrastructure
● Cryptographic method of signing records
● Regional Internet Registry (RIR) has a root certificate
○ Generate a signed certificate for Local Internet Registry (network operator)
■ All resources they are assigned with (IPs and ASNs)
● LIR then signs the prefix containing origin AS that they intend to
use
○ ROA (Route Object Authorization) is created
22. Signing prefixes
● Each LIRs own and manage Internet resources has access to
RIR portal
○ Signing their prefixes through the portal or API of their RIR is the easisest
way to start with RPKI
● Cloudflare has resources in each of the 5 RIR regions
○ About 800 pefixes announcement over different ASNs
○ We need to ensure the first step is done
24. Enforcing validated prefixes
● Signing the prefixes is one thing
● Ensuring the prefixes we receive match their certificates is
another
● Validation is done by synchronizing the RIR databases of ROAs
○ Check the signature of every ROA against the RIR’s certification public key
○ Once valid records are known, it is sent to the routers
● Major vendors support a protocol called RPKI to Router
Protocol (RTR)
○ A simple protocol for passing a list of valid prefixes with their origin ASN and
expected mask length
25. RPKI to Router Protocol is insecure
● Vendors implement
the insecure
transport methods
● Routes sent in clear
text over TCP can be
tampered with
26. Introducing GoRTR
● A lightweight local RTR
server
● Distribute it via our own
Content Delivery Network
● Fetch the cache file over
HTTPS and pass the routes
over RTR
30. Wrapping up
● No filtering and AS Path filtering is not acceptable
● Prefix filtering via IRR automation is required
○ Challenge to have this applied in all IXPs
● RPKI is not a replacement yet for IRR
○ Not many has signed their prefixes
○ Not many has enforced validating the prefixes
● Implementing RPKI is achivable
○ Plenty of efforts are needed
○ It is not a bullet proof solution on securing the routing in Internet, but the
impact of BGP attacks will be greatly reduced
