Logging for Incident Response in the
Post-IPv4 World
Carlos Martinez Cagnazzo
LACNIC
carlos @ lacnic.net
@carlosm3011
Agenda

• The Post-IPv4 Internet
– No IPv4, CGNs, some IPv6

• Logging for incident response
• Logging and incident response in the post-IPv4 Internet
The Post-IPv4 Internet

• The Internet is at a crossroads. IPv4 exhaustion means
that there will not be enough IPv4 addresses for
everyone, much less for every device
• To an extent, this is already happening, but from now on it
will be the norm
The Current, Almost End-to-End, Internet

• Once upon a time there was something called the ‘End
to End Principle’
– … describing how packets should travel from origin to
destination untouched by the evil middle boxes

• The current Internet is _almost_, but not quite, end-to-end
– Proxies, home routers, firewalls, traffic shapers, all of them do
something to packets
– But packets travel mostly unharmed
The Current End-to-End Internet

• Well, almost end to end**
D_Addr | O_Addr | Payload

D_Addr | O_Addr | Payload

• Packets remain (mostly) unchanged along their network
path
• A given source IP can be a marker of an individual, a
household or an employee of a certain company
What happens when there is no IPv4 for every device?

• The post-IPv4 Internet:
– Single public IP address
– Web server sees thousands of users coming from the *same* IP
• IPv4 will be provided, in many places, by employing
CGNs, or Carrier-Grade NAT boxes
The CGN-ized Internet

• The CGN Internet hides many users behind a small set of
IP addresses
• Our previous assumptions about what a source IP
address means are no longer valid
– Can represent thousands of users, of different households and
different companies

• Many abuse mitigation measures need to be reexamined
– Be careful about blanket filtering of a single /24; that could now
mean 10.000 users
Current practice for Incident Response

• Think for a minute about your usual IR workflow
– Phishing, Spam, DDoSing, you name it

• When your incident involves network traffic, you try to
find the following information:
– Source IP addresses
– Destination IP addresses and destination ports
– Maybe a packet dump, if available
– All of this decorated with nice timing information, preferably
with a common time zone

• You then look up the sources in WHOIS or in your friendly
CSIRT contact list and send the appropriate notifications
The Post-IPv4 Incident Response Workflow

• Well, source IPv4 address may not be enough of an
identifier anymore
– The source network will not be able to identify the actual
offender(s) just based on the source IPv4 address

• ISPs will need source port data to actually track any
abusers
• Law enforcement also needs to realize what this means
– Judges now need to look at an additional number before jailing
a person
Jeez, what do we do now?

• First of all, accept that your life as an incident
responder or site administrator will now be harder
– Hopefully for a short time, until the world gets its IPv6 act
together

• Additional requirements for post-IPv4 logging
– Logging of source ports
– Using the highest possible timing resolution
– Time sync on distributed logging platforms becomes critical
Example configuration, Source Port Logging in Apache

• [Ref: http://draft.scyphus.co.jp/articles/20110815.html]
– Default logging in Apache only provides basic client data
– Apache uses a printf()-like format for including additional log
fields in custom log files
#
# The following directives define some format nicknames for use
# with a CustomLog directive (see below).
#
LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
Example configuration, Source Port Logging in Apache

<VirtualHost [2001:13c7:7001:4000::10]:80>
ServerAdmin carlos@lacnic.net
DocumentRoot /var/www/html/
ServerName w6.labs.lacnic.net
# Inner double quotes must be backslash-escaped inside the format string
LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# CustomLog takes the log file followed by a format string (or a nickname)
CustomLog logs/w6.labs.lacnic.net-access_log "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
ErrorLog logs/w6.labs.lacnic.net-error_log
</VirtualHost>
Example configuration, Source Port Logging in Apache

• Must enable “mod_log_config” if not already enabled
[2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57366 - [31/Oct/2013:15:01:33 -0200] "GET /site/modules/openid/openid.js?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
[2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57365 - [31/Oct/2013:15:01:33 -0200] "GET /site/themes/newlabs/print.css?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
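
Added example (not part of the original slides): a parser for the "[%h]:%{remote}p ..." access-log format configured above that normalises timestamps to UTC, then matches the resulting (address, port, time) tuple against a CGN port-block mapping log. The mapping record layout, the subscriber names and all sample lines are constructed for illustration (documentation address ranges); real CGN logs differ per vendor. It shows why the source IPv4 address alone is ambiguous and how clock skew widens the candidate set.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Mirrors the page's LogFormat: [%h]:%{remote}p %l %u %t "%r" %>s %b ...
# Assumes HostnameLookups is off, so %h is always an IP literal.
LINE_RE = re.compile(
    r'^\[(?P<addr>[0-9A-Fa-f:.]+)\]:(?P<port>\d{1,5}) '
    r'(?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

class Flow(NamedTuple):
    addr: str            # normalised client address as seen by the server
    port: int            # client source port (%{remote}p)
    when_utc: datetime   # request time converted to UTC
    request: str

class Mapping(NamedTuple):   # hypothetical CGN port-block allocation record
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime          # UTC
    end: datetime            # UTC
    subscriber: str

def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow, or None if the line is not in the source-port format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    port = int(m["port"])
    if not 0 < port <= 65535:
        return None
    try:
        addr = str(ipaddress.ip_address(m["addr"]))
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return Flow(addr, port, when.astimezone(timezone.utc), m["request"])

def candidates(flow: Flow, mappings: List[Mapping], use_port: bool = True,
               skew: timedelta = timedelta(0)) -> List[str]:
    """Subscribers whose mapping could have produced this flow.

    skew is the uncertainty between the web server clock and the CGN clock.
    """
    found = set()
    for m in mappings:
        if m.public_ip != flow.addr:
            continue
        if use_port and not m.port_lo <= flow.port <= m.port_hi:
            continue
        if m.end < flow.when_utc - skew or m.start > flow.when_utc + skew:
            continue
        found.add(m.subscriber)
    return sorted(found)

def _utc(hour: int, minute: int, second: int = 0) -> datetime:
    return datetime(2013, 10, 31, hour, minute, second, tzinfo=timezone.utc)

# --- Constructed sample data ---
SAMPLE_V4 = ('[198.51.100.7]:40321 - - [31/Oct/2013:15:01:33 -0200] '
             '"GET /login HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"')
SAMPLE_V6 = ('[2001:db8::1]:57366 - - [31/Oct/2013:15:01:33 -0200] '
             '"GET / HTTP/1.1" 304 - "-" "ExampleAgent/1.0"')
SAMPLE_DEFAULT = ('198.51.100.7 - - [31/Oct/2013:15:01:33 -0200] '
                  '"GET / HTTP/1.1" 200 1')   # stock format, no source port

MAPPINGS = [
    Mapping("198.51.100.7", 40000, 40999, _utc(16, 30), _utc(17, 0), "sub-A"),
    Mapping("198.51.100.7", 40000, 40999, _utc(17, 0, 5), _utc(17, 30), "sub-B"),
    Mapping("198.51.100.7", 41000, 41999, _utc(16, 45), _utc(17, 45), "sub-C"),
    Mapping("198.51.100.8", 40000, 40999, _utc(16, 0), _utc(18, 0), "sub-D"),
]

if __name__ == "__main__":
    flow = parse_line(SAMPLE_V4)
    print("flow:", flow.addr, flow.port, flow.when_utc.isoformat())
    print("IP + time only :", candidates(flow, MAPPINGS, use_port=False))
    print("IP + port + time:", candidates(flow, MAPPINGS))
    print("with 5 min skew :", candidates(flow, MAPPINGS,
                                          skew=timedelta(minutes=5)))
```

In the constructed data the port block 40000-40999 is reassigned five seconds after the previous subscriber releases it, so a five-minute clock uncertainty is enough to make two subscribers plausible again.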
Example configuration, Exim4 logging

• Sample configuration:
– [ http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html ]
# uncomment this for debugging
# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
.ifdef MAIN_LOG_SELECTOR
log_selector = MAIN_LOG_SELECTOR +incoming_port
.endif
2013-10-28 17:22:17 1VasOD-0005hG-KT <= carlos@lacnic.net H=localhost (coco) [127.0.0.1]:47264 P=esmtp S=474
2013-10-28 17:22:17 1VasOD-0005hG-KT => marcelo <marcelo@localhost> R=local_user T=maildir_home
2013-10-28 17:22:17 1VasOD-0005hG-KT Completed
Distributed logging

• Did I say ‘time sync’ before?
• Use NTP Luke, You Must.
– It was invented for a reason

• Look into fast data stores and mining tools
– Splunk
– ElasticSearch
– NoSQL databases (Redis, MongoDB)
Key Takeaways

• Yes, our sys/netadmin life will be harder, at least until
IPv6 is widely deployed
– Let’s embrace it with a smile

• Do not assume that the source IPv4 address of an attack
uniquely identifies an attacker anymore
– Or a victim, in some cases, like phishing sites

• Start logging source ports now. If you are a CSIRT, do not
forget to reach out to your constituency and let them
know this
• Send source ports when reporting incidents. Ask for
source ports when receiving incident reports
Key Takeaways (ii)

• Log with the highest timing resolution your equipment
allows
• And repeat after me…
– I will time sync my systems
– I will time sync my systems
– I will time sync my systems
Thank you very much! Questions?

@carlosm3011

Monitoring Java Application Security with JDK Tools and JFR Events
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

LACNOG - Logging in the Post-IPv4 World

  • 1. Logging for Incident Response in the Post-IPv4 World Carlos Martinez Cagnazzo LACNIC carlos @ lacnic.net @carlosm3011
  • 2. Agenda • The Post-IPv4 Internet – No IPv4, CGNs, some IPv6 • Logging for incident response • Logging and incident response in the post-IPv4 Internet
  • 3. The Post-IPv4 Internet • The Internet is at a crossroads. IPv4 exhaustion means that there will not be enough IPv4 addresses for everyone, much less for every device • To an extent, this is already happening, but from now on it will be the norm [Figure: chart covering 1999 to 2011]
  • 4. The Current, Almost End-to-End, Internet • Once upon a time there was something called the ‘End to End Principle’ – … describing how packets should travel from origin to destination untouched by the evil middle boxes • The current Internet is _almost_, but not quite, end-to-end – Proxies, home routers, firewalls, traffic shapers, all of them do something to packets – But packets travel mostly unharmed
  • 5. The Current End-to-End Internet • Well, almost end to end** D_Addr | O_Addr | Payload D_Addr | O_Addr | Payload • Packets remain (mostly) unchanged along their network path • A given source IP can be a marker of an individual, a household or an employee of a certain company
  • 6. What happens when there is no IPv4 for every device ? • The post-IPv4 Internet: Single public IP address Web server sees thousands of users coming from the *same* IP • IPv4 will be provided, in many places, by employing CGNs, or Carrier-Grade NAT boxes
  • 7. The CGN-ized Internet • The CGN Internet hides many users behind a small set of IP addresses • Our previous assumptions about what a source IP address means are no longer valid – Can represent thousands of users, of different households and different companies • Many abuse mitigation measures need to be reexamined – Be careful about blanket filtering of a single /24; that could now mean 10.000 users
  • 8. Current practice for Incident Response • Think for a minute about your usual IR workflow – Phishing, Spam, DDoSing, you name it • When your incident involves network traffic, you try to find the following information: – Source IP addresses – Destination IP addresses and destination ports – Maybe a packet dump, if available – All of this decorated with nice timing information, preferably with a common time zone • You then look up the sources in WHOIS or in your friendly CSIRT contact list and send the appropriate notifications
  • 9. The Post-IPv4 Incident Response Workflow • Well, source IPv4 address may not be enough of an identifier anymore – The source network will not be able to identify the actual offender(s) just based on the source IPv4 address • ISPs will need source port data to actually track any abusers • Law enforcement also needs to realize what this means – Judges now need to look at an additional number before jailing a person
  • 10. Jeez, what do we do now? • First of all, accept that now your life as an incident responder or site administrator will be harder – Hopefully for a short time, until the world gets its IPv6 act together • Additional requirements for post-IPv4 logging – Logging of source ports – Using the highest possible timing resolution – Time sync on distributed logging platforms becomes critical
  • 11. Example configuration, Source Port Logging in Apache • [Ref: http://draft.scyphus.co.jp/articles/20110815.html] – Default logging in Apache only provides basic client data – Apache uses a printf()-like format for including additional log fields in custom log files

      #
      # The following directives define some format nicknames for use
      # with a CustomLog directive (see below).
      #
      # %h is the client address and %{remote}p is the client's source port.
      # Quotes inside the format string must be escaped with a backslash.
      LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common

  • 12. Example configuration, Source Port Logging in Apache • [Ref: http://draft.scyphus.co.jp/articles/20110815.html] – Default logging in Apache only provides basic client data – Apache uses a printf()-like format for including additional log fields in custom log files

      <VirtualHost [2001:13c7:7001:4000::10]:80>
          ServerAdmin carlos@lacnic.net
          DocumentRoot /var/www/html/
          ServerName w6.labs.lacnic.net
          # Client address and source port lead every access-log entry.
          LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
          CustomLog logs/w6.labs.lacnic.net-access_log "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
          # LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
          ErrorLog logs/w6.labs.lacnic.net-error_log
      </VirtualHost>

  • 13. Example configuration, Source Port Logging in Apache • Must enable “mod_log_config” if not already enabled

      [2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57366 - [31/Oct/2013:15:01:33 -0200] "GET /site/modules/openid/openid.js?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
      [2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57365 - [31/Oct/2013:15:01:33 -0200] "GET /site/themes/newlabs/print.css?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"

  • 14. Example configuration, Exim4 logging • Sample configuration: – [ http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html ]

      # uncomment this for debugging
      # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all subject -arguments
      .ifdef MAIN_LOG_SELECTOR
      # +incoming_port appends the remote port after the bracketed client address
      log_selector = MAIN_LOG_SELECTOR +incoming_port
      .endif

      2013-10-28 17:22:17 1VasOD-0005hG-KT <= carlos@lacnic.net H=localhost (coco) [127.0.0.1]:47264 P=esmtp S=474
      2013-10-28 17:22:17 1VasOD-0005hG-KT => marcelo <marcelo@localhost> R=local_user T=maildir_home
      2013-10-28 17:22:17 1VasOD-0005hG-KT Completed

  • 15. Distributed logging • Did I say ‘time sync’ before? • Use NTP Luke, You Must. – It was invented for a reason • Look into fast data stores and mining tools – Splunk – ElasticSearch – NoSQL databases (Redis, MongoDB)
  • 16. Key Takeaways • Yes, our sys/netadmin life will be harder, at least until IPv6 is widely deployed – Let’s embrace it with a smile • Do not assume that an attack's source IPv4 address uniquely identifies an attacker anymore – Or a victim, in some cases, like phishing sites • Start logging source ports now. If you are a CSIRT, do not forget to reach out to your constituency and let them know this • Send source ports when reporting incidents. Ask for source ports when receiving incident reports
  • 17. Key Takeaways (ii) • Log with the highest timing resolution your equipment allows • And repeat with me… – I will time sync my systems – I will time sync my systems – I will time sync my systems
  • 18. Thank you very much! Questions? @carlosm3011
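
Added example (not from the original slides): a Python sketch of why the talk asks for source ports, fine timing resolution and synced clocks. It parses an access-log line in the slides' "[%h]:%{remote}p" format into a UTC report tuple and resolves it against a CGN translation log. The CGN log layout, subscriber names and addresses are constructed assumptions, not any vendor's format.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix written by the slides' LogFormat: "[%h]:%{remote}p %l %u %t ..."
APACHE = re.compile(r'^\[(?P<ip>[0-9A-Fa-f:.]+)\]:(?P<port>\d+) .*?\[(?P<ts>[^\]]+)\]')

def parse_apache(line):
    """Return (source IP, source port, timestamp normalised to UTC)."""
    m = APACHE.match(line)
    if m is None:
        raise ValueError("no [address]:port prefix; is source port logging on?")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(m["port"]), ts.astimezone(timezone.utc)

def utc(text):
    """Build a UTC timestamp for the constructed CGN log below."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed CGN translation log (assumed layout, one port block per lease):
# (public IP, first port, last port, subscriber, lease start, lease end)
CGN_LOG = [
    ("198.51.100.7", 1024, 2047, "sub-A", utc("2013-10-31T16:50:00"), utc("2013-10-31T17:10:00")),
    ("198.51.100.7", 2048, 3071, "sub-B", utc("2013-10-31T16:55:00"), utc("2013-10-31T17:01:30")),
    ("198.51.100.7", 2048, 3071, "sub-C", utc("2013-10-31T17:01:35"), utc("2013-10-31T17:30:00")),
]

def candidates(ip, port, ts, skew=timedelta(0)):
    """Subscribers that could have sent the traffic.

    port=None models a report without a source port; skew is the clock
    uncertainty between the reporting host and the CGN.
    """
    return sorted({sub for pub, lo, hi, sub, start, end in CGN_LOG
                   if pub == ip
                   and (port is None or lo <= port <= hi)
                   and start - skew <= ts <= end + skew})

# Constructed access-log line in the slides' format (documentation addresses).
SAMPLE = '[198.51.100.7]:2100 - - [31/Oct/2013:15:01:20 -0200] "GET / HTTP/1.1" 200 512'

if __name__ == "__main__":
    ip, port, ts = parse_apache(SAMPLE)
    print("with port, synced clocks:", candidates(ip, port, ts))
    print("without port:            ", candidates(ip, None, ts))
    print("with port, 30 s skew:    ", candidates(ip, port, ts, timedelta(seconds=30)))
```

With the port and synced clocks the report resolves to one subscriber; dropping the port or allowing 30 seconds of clock skew each leaves two candidates.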

Editor's Notes

  1. First, depletion of the IANA pool. Now, depletion of the RIRs' pools
  2. Collecting this information may involve a back and forth exchange with the victim