The document discusses security issues with the Border Gateway Protocol (BGP) and methods to detect and prevent BGP attacks. It describes common BGP attacks like prefix hijacking and denial of service. It then provides recommendations for secure BGP configurations, including routing filters, prefix limits, and detecting invalid route announcements through services like RPKI. The document uses examples and demos in GNS3 to illustrate BGP security concepts.
How to manage internet clients of an ISP with PPPoE and MikroTik. For
centralized AAA (Authentication, Authorization and Accounting), freeRadius is used.
With the emerging security threat nowadays, we should know how to detect and analyze every possible threat to your network.
Just with simple solution we could make our MikroTik to became a powerful tool to fool the hacker.
MikroTik as Low Interaction HoneyPot.
How to manage internet clients of an ISP with PPPoE and MikroTik. For
centralized AAA (Authentication, Authorization and Accounting), freeRadius is used.
How to manage internet clients of an ISP with PPPoE and MikroTik. For
centralized AAA (Authentication, Authorization and Accounting), freeRadius is used.
With the emerging security threat nowadays, we should know how to detect and analyze every possible threat to your network.
Just with simple solution we could make our MikroTik to became a powerful tool to fool the hacker.
MikroTik as Low Interaction HoneyPot.
How to manage internet clients of an ISP with PPPoE and MikroTik. For
centralized AAA (Authentication, Authorization and Accounting), freeRadius is used.
Multicast routing configuration and lab example in MikroTik
video multicast routing 1 router
https://www.youtube.com/watch?v=nqUlUIB93Mg
video multicast routing 2 router over wireless
https://www.youtube.com/watch?v=eYEocGYsGZ4
Konfig VLC sebagai stream server multicast
https://www.youtube.com/watch?v=Z1lthcBSSrM
Konfig VLC sebagai player
https://www.youtube.com/watch?v=s2uTs8NRQpY
Marek Isalski, Faelix.net Ltd, describes the MikroTik range of routers and their applications, gives a pros and cons summary, and recommendations for budget provider edge deployment.
Webinar topic: Running BGP with Mikrotik
Presenter: Achmad Mardiansyah
In this webinar series, We are discussing Running BGP with Mikrotik
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram
The recording is available on Youtube
https://youtu.be/jqlz7C_Otv8
In this webinar, we are talking about BGP implementation on mikrotik router. the presentation starts with the fundamental of BGP and then discuss about Basic BGP setting on RouterOS
With so many new line of products and features from MikroTik, choosing one might be bit confusing. This topic will cover how to choose the right devices for your network!
Multicast routing configuration and lab example in MikroTik
video multicast routing 1 router
https://www.youtube.com/watch?v=nqUlUIB93Mg
video multicast routing 2 router over wireless
https://www.youtube.com/watch?v=eYEocGYsGZ4
Konfig VLC sebagai stream server multicast
https://www.youtube.com/watch?v=Z1lthcBSSrM
Konfig VLC sebagai player
https://www.youtube.com/watch?v=s2uTs8NRQpY
Marek Isalski, Faelix.net Ltd, describes the MikroTik range of routers and their applications, gives a pros and cons summary, and recommendations for budget provider edge deployment.
Webinar topic: Running BGP with Mikrotik
Presenter: Achmad Mardiansyah
In this webinar series, We are discussing Running BGP with Mikrotik
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram
The recording is available on Youtube
https://youtu.be/jqlz7C_Otv8
In this webinar, we are talking about BGP implementation on mikrotik router. the presentation starts with the fundamental of BGP and then discuss about Basic BGP setting on RouterOS
With so many new line of products and features from MikroTik, choosing one might be bit confusing. This topic will cover how to choose the right devices for your network!
This presentation was presented at MUM Indonesia at Bali in 2008. Discussed about how to put extra layer of security into your MikroTik Router using Port Knocking mechanism.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Ā
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Ā
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Ā
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Ā
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
Ā
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties ā USA
Expansion of bot farms ā how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks ā Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Ā
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Ā
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But thereās more:
In a second workflow supporting the same use case, youāll see:
Your campaign sent to target colleagues for approval
If the āApproveā button is clicked, a Jira/Zendesk ticket is created for the marketing design team
Butāif the āRejectā button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
Ā
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
2. ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
2
About Rofiq Fauzi
CONSULTANT
CERTIFIED TRAINER
h;p://www.mikroAk.com/consultants/asia/indonesia
ā¢āÆUsing MikroTik (v.2.97) since 2005, as Network Engineer at WISP.
ā¢āÆ2007, Network & Wireless Engineer at INDOSAT Central Java Area
ā¢āÆ2008, IT Network & Telco Procurement at INDOSAT HQ
ā¢āÆ2012-Now, MikroTik Consultant & CerAļ¬ed Trainer at ID-Networkers
(PT Integrasi Data Nusantara).
ā¢āÆ2013-Now, Network Manager at WISP Indomedianet, Indonesia
ā¢āÆ2013-Now, Network ConsulAng Engineer at Connexin Limited, Hull, UK
h;p://www.mikroAk.com/training/partners/asia/indonesia
3. ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
3
About ID-Networkers
In the Most PresAgious Networking CerAļ¬caAon
EXPERT LEVEL TRAINERS & CONSULTANS
OVERVIEW
We are young entrepreneurs, we are only
one training partner & consultant who has
expert level trainers in the most presAgious
networking cerAļ¬caAon, CCIE Guru , JNCIE
Guru and MTCINE guru, which very limited
number in Indonesia even Asia. Proven that
hundred of our students pass the
cerAļ¬caAon exam every year. We are the
biggest cerAļ¬caAon factory in Indonesia.
WEBSITE
www.idn.id | www.trainingmikroAk.com
4. OUR PROJECT IN MALAYSIA
Project Langkawi
Project Wi-Fi 1Malaysia in all
tourism park in Langkawi
Island ; Cenang Beach, Pulau
Tuba, Pulau Dayang BunAng,
Cable Car, etc.
Integrated Wi-Fi network
with centralize hotspot user
in KL area, including
apartment, university,
public area, etc.
WiFi in KL
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
4
Project in Melaka
Wi-Fi project at Sekolah ALAM,
Jabatan Laut, some University
and Honda Melaka, etc.
5. About BGP
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
5
ā¢āÆ Designed as Exterior Gateway Protocol
ā¢āÆ Internet formed by BGP rouAng
ā¢āÆ BGP also has capability to carrying informaAon about
diverse routed protocols (ipv4, ipv6, l2vpn, vpnv4)
7. Interior and Exterior Gateway Protocol
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
7
ā¢āÆ Interior Gateway Protocol (IGP)
Handle rouAng within an Autonomous System (one rouAng
domain). Can be said that the IGP is a rouAng that works on
our proprietary network, or all routers are belong to us.
ā¢āÆ Exterior Gateway Protocol (EGP)
Handles the rouAng between Autonomous Systems (inter-
domain rouAng). Can be said that the EGP is working or
rouAng between our networks with not our networks.
8. AS1 AS2
Interior and Exterior Gateway Protocol
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
8
Interior Gateway Protocol: OSPF, IS-IS, IGRP, EIGRP, RIP
Exterior Gateway
Protocol: BGP
9. Autonomous Systems (AS)
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
9
ā¢āÆ AS is a combinaAon of networks and routers are usually in one
ownership or control that has a similar rouAng protocol.
ā¢āÆ AS 16 bit, or use decimal (0 - 65535)
ā¢āÆ Range 1 - 64511 used for Internet
ā¢āÆ Range 64512 - 65535 used for private
ā¢āÆ With 16-bit AS Numbers, only around 65,000 unique numbers are
possible.
ā¢āÆ The introducAon of 32-bit ASNs increases the supply of AS Numbers
to four billion.
ā¢āÆ AS Number allocaAon is managed by IANA
10. BGP between AS in the Internet
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
10
h;ps://www.pasternack.com/t-calculator-fspl.aspx
11. BGP between AS in the Internet
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
11
h;p://bgp.he.net/
12. ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
12
Full trust between peers is one of the
weaknesses of the protocol
13. IN BGP WE TRUST
AS100 give wrong informaAon
to AS200
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
13
AS 200 give the right informaAon
but coming from wrong source
Wrong informaAon will spread to network
LEAK X X
14. The Internetās Vulnerable Backbone
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
14
15. Types of BGP Attacks [workshop]
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
15
ā¢āÆ Preļ¬x Hijack
ā¢āÆ Denial of service
ā¢āÆ CreaAon of route instabiliAes (ļ¬apping)
16. Prefix Hijack
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
16
ā¢āÆ Preļ¬x hijacking, a misbehavior in which a misconļ¬gured or
malicious BGP router originates a route to an IP preļ¬x it
does not own,
ā¢āÆ Its is becoming an increasingly serious security problem in
the Internet
17. How Attackers Can Hijack BGP
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
17
18. How Attackers Can Hijack BGP
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
18
19. Demo in GNS3
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
19
Topology
20. Demo
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
20
ā¢āÆ Install GNS3, if you didnāt know how to install mikroAk on GNS3, follow our previous
MUM presentaAon slide at: www.mikro@k.com/presentaAons/ID13/roļ¬q.pdf
ā¢āÆ Create topology (slide 15)
ā¢āÆ Conļ¬gure BGP peering between all AS, donāt forget for AS 234 its using iBGP peer
(mesh peering or router refelctor)
ā¢āÆ Create loopback interface (bridge interface) in Router1 and Router6, and put ip
1.1.1.1/32 on the both bridge interfaces.
ā¢āÆ On Router6, in rouAng BGP network, adverAse network 1.1.1.1/32
ā¢āÆ Check in Router1, we can see in IP route, preļ¬x 1.1.1.1 with as path 234,600 thatās
mean preļ¬x 1.1.1.1/32 originated from 600
ā¢āÆ On Router1, in rouAng BGP network adverAse network 1.1.1.1/32 too
ā¢āÆ Check in Router1, we can see in IP route, preļ¬x 1.1.1.1 will change as path to 234,100
21. DOS Attack
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
21
Ref: h;p://www.133tsec.com/2012/04/30/0day-ddos-mikroAk-server-side-ddos-a;ack/
ā¢āÆ One of the denial of service (DDOS), happens on mikroAk routerās winbox
service when the a;acker is requesAng conAnuously a part of a .dll/plugin ļ¬le
ā¢āÆ It raises routerās CPU 100% and other acAons. The āother acAonsā depends on
the routeros version and the hardware.
ā¢āÆ For example on MikroAk Router v3.30 there was a LAN corrupAon, BGP fail,
whole router failure
ā¢āÆ MikroAk Router v2.9.6 there was a BGP failure
ā¢āÆ MikroAk Router v4.13 unstable wiļ¬ links
ā¢āÆ MikroAk Router v5.14/5.15 rarely stacking
ā¢āÆ Behaviour may vary most Ames, but ALL will have CPU Usage 100% . Most
routers loose BGP aper long Ame a;ack
22. Demo DOS Attack
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
22
ā¢āÆ Download tesAng script from
h;p://www.133tsec.com/wp-content/uploads/2012/04/mkDl.zip
ā¢āÆ Extract it in your C folder
ā¢āÆ Run in your windows command prompt
C:> mkDl.py <RouterIPAddress> DoS
[Winbox plugin downloader]
[+] Hmmm we gonna attack it..
[+] Index received!
[+] Requesting file roteros.dll till death :)
Sending evil packet.. press CTRL-C to stop ā
-āÆ Watch your router CPU usage
Warning! This content and tool are for educaAon proposed only, I am not responsible for anything that might
happen to you or your routers if you use it to DDOS your router, and or causing any damage or error.
23. Defend BGP Attacks
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
23
ā¢āÆ Always Update your RouterOS
ā¢āÆ Good BGP Router Conļ¬guraAon
ā¢āÆ Detect False Route Announcements
ā¢āÆ RPKI
24. Good Router Configuration
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
24
Use rouAng ļ¬lter to control preļ¬x exchange between BGP peering
In Filters
ā¢āÆ Donāt accept your own preļ¬xes
ā¢āÆ Donāt accept RFC 1918 (private IP address) and other reserved ones (RFC 5735)
ā¢āÆ Donāt accept default route (unless you need it)
ā¢āÆ Donāt accept preļ¬xes longer than /24
ā¢āÆ Donāt accept BOGONS preļ¬xes
ā¢āÆ Limit your Max Preļ¬x
ā¢āÆ Limit AS_ Path
Out Filters
ā¢āÆ Announce only owned preļ¬xes (in case you do not provide transit to other ASās)
Credit to Wardner Maia, ref: h;p://mdbrasil.com.br/en/downloads/1_Maia.pdf
25. Detect False Route Announcements
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
25
h;ps://stat.ripe.net/widget/bgplay
26. BGP Routing Table Size
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
26
CounAng
Source = h;p://www.cidr-report.org/
27. Detect Route Flapping
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
27
Detect RouAng table size:
/system scheduler
add interval=5m name=schedule1 on-event=detect-route start-
time=startup
/system script
add name =detect-route
source=ā:local routeSize [/ip route print count-only];
:if ($routeSize > 5400000) do={/log error " Your routing table
is $routeSize , Routing table abnormal"} else={/log warning "
Your routing table size is $routeSize , normal!"}ā
29. Limit Prefix Number
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
29
If our in ļ¬lter receive all internet preļ¬x from our peering, we should
limit the number of preļ¬x by following command:
[admin@BGP-ROUTER] > routing bgp peer set number=0 max-prefix-limit=600000
30. MikroTik Routing Filter
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
30
ā¢āÆh;p://wiki.mikroAk.com/wiki/Manual:RouAng/RouAng_ļ¬lters
ā¢āÆEasy way to manage and ļ¬lter receiving and
propagaAng preļ¬x in MikroTik RouterOS.
ā¢āÆEasy way to set any rouAng parameters
ā¢āÆUsing ip ļ¬rewall ļ¬lter algorithm (if-then condiAon)
ā¢āÆCan be assign in BGP instance (out-ļ¬lter only) and BGP
peering (in and out ļ¬lter)
32. Invalid BGP Route
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
32
From the 636871 preļ¬xes that are currently in the rouAng table, 40445 match at least one ROA. From
these matched preļ¬xes 3678 are invalid while 36767 are valid. The line chart below shows the valid
and invalid routes over the course of Ame.
h;p://rpki.surfnet.nl/trends.html
33. RPKI (Resource Public Key Infrastructure)
ID Networkers | www.trainingmikrotik.com
Expert Trainer and Consultant
33
ā¢āÆ h;p://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
ā¢āÆ RPKI is a ļ¬rst step to secure BGP
ā¢āÆ It allows to cerAfy (and verify) that a preļ¬x is
adverAsed by original AS (in other words that an IP
points to its legiAmate owner)
ā¢āÆ Not yet support by MikroTik RouterOS 6
ā¢āÆ Will be included in RouterOS V7 ???