The document discusses techniques that internet service providers can use to prevent IP reflection attacks, including:
- Implementing BCP38 (validating the source IP address of incoming packets so that customers cannot spoof) and BCP140 (restricting recursive nameservers to authorized clients). BCP38 should be deployed as close to the edge of the network as possible, where the router still knows exactly which prefixes a customer may use.
- Enforcing validation with access control lists (ACLs) that permit only the customer's own source addresses and drop everything else, and with unicast reverse path forwarding (uRPF), which looks up the return path of the source IP address in the routing table. Strict uRPF is recommended on customer-facing interfaces; loose mode only checks that the source is routable and cannot stop reflection attacks.
- Example ACL and uRPF configurations for Cisco and Juniper routers that filter traffic from customer networks connected to the ISP edge router.
Network Security Best Practice (BCP38 & 140) (slides)
3. DNS amplification attack
2014/5/24 maz@iij.ad.jp

[Diagram: a Command&Control host drives a botnet that sends IP-spoofed DNS queries (source address set to the victim) toward open resolvers: stub-resolvers, full-resolvers, ISP cache DNS, CPE/routers. These resolve via the root-servers, tld-servers and example-servers, and the amplified answers land on the victim.]

5. weakness
• Attackers love weakness, as it's useful
  – 'weaker' means 'easier' for them
• Attackers will waste your resources if you don't improve your security
  – international bandwidth
  – cpu power
  – etc.

6. solutions against IP reflection attacks
[Diagram: attacker sends IP spoofed packets to an open amplifier, which replies to the victim. Two countermeasures are marked: preventing IP spoofing (BCP38) at the attacker's side, and client authorization (BCP140) at the amplifier.]

7. Source Address Validation / BCP38
• Validating the source IP address of incoming packets
  – BCP38 / RFC2827
    • "All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses..."
  – BCP84 / RFC3704
    • "It is important for ISPs to implement ingress filtering to prevent spoofed addresses being used, both to curtail DoS attacks and to make them more traceable, and to protect their own infrastructure."
8. BCP38 should be deployed as close to the edge as possible
• It's reasonable to deploy BCP38 at provider edge routers: there, a precise rule can be applied to the packet :)
• Farther from the edge there is not enough information to apply a strict rule; a router there is just able to check if the packet's source IP is routable or not.
9. enforcing the verification by:
• ACL
  – packet filter
  – permit valid-source, then drop any
• uRPF check
  – using the 'routing table'
  – look up the return path for the source IP address
  – use strict mode for your customers
    • you can't stop IP reflection attacks by loose mode
10. cisco ACL example
Topology: customer network 192.168.0.0/24 and 2001:db8:ff::/48, attached to the ISP edge router over the point-to-point link 10.0.0.0/30 and 2001:db8::/64.

    ip access-list extended fromCUSTOMER4
     permit ip 192.168.0.0 0.0.0.255 any
     permit ip 10.0.0.0 0.0.0.3 any
     deny ip any any
    !
    ipv6 access-list fromCUSTOMER6
     permit ipv6 2001:db8::/64 any
     permit ipv6 2001:db8:ff::/48 any
     permit ipv6 fe80::/10 fe80::/10
     permit ipv6 fe80::/10 ff02::/16
     deny ipv6 any any
    !
    interface GigabitEthernet0/0
     ip access-group fromCUSTOMER4 in
     ipv6 traffic-filter fromCUSTOMER6 in

The wildcard mask has to match the customer's assignment exactly: 0.0.0.255 covers the /24 above, whereas 0.0.255.255 would admit any source in 192.168.0.0/16. The two fe80::/10 entries keep Neighbor Discovery (link-local to link-local, and link-local to the ff02::/16 multicast groups) working under the final deny. The list names in the access-list and interface statements must be identical; IOS treats a reference to a non-existent or empty list as permit-all.
11. juniper IPv4 ACL example
Topology: customer network 192.168.0.0/24 and 2001:db8:ff::/48, point-to-point link 10.0.0.0/30 and 2001:db8::/64, ISP edge router.

    firewall {
        family inet {
            filter fromCUSTOMER4 {
                term CUSTOMER4 {
                    from {
                        source-address {
                            192.168.0.0/24;
                            10.0.0.0/30;
                        }
                    }
                    then accept;
                }
                term Default {
                    then discard;
                }
            }
        }
    }
    [edit interfaces ge-0/0/0 unit 0 family inet]
    filter {
        input fromCUSTOMER4;
    }

The permitted prefix is the customer's own /24; a /16 here would admit sources from all of 192.168.0.0/16. The filter name applied on the interface must match the filter definition.
12. juniper IPv6 ACL example
Topology: customer network 192.168.0.0/24 and 2001:db8:ff::/48, point-to-point link 10.0.0.0/30 and 2001:db8::/64, ISP edge router.

    firewall {
        family inet6 {
            filter fromCUSTOMER6 {
                term CUSTOMER6 {
                    from {
                        source-address {
                            2001:db8::/64;
                            2001:db8:ff::/48;
                        }
                    }
                    then accept;
                }
                term LINKLOCAL {
                    from {
                        source-address {
                            fe80::/10;
                        }
                        destination-address {
                            fe80::/10;
                            ff02::/16;
                        }
                    }
                    then accept;
                }
                term Default {
                    then discard;
                }
            }
        }
    }
    [edit interfaces ge-0/0/0 unit 0 family inet6]
    filter {
        input fromCUSTOMER6;
    }
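The slides show the filter written by hand. The Python below is an added example, not part of the original slides or any IIJ tooling: it builds the same Cisco IOS ingress ACL from a prefix list and then evaluates sample packets against it with a minimal first-match model of IOS ACL semantics (`permit|deny ip|ipv6 <src> <dst>` entries only). The ACL names and the topology follow slides 10-12; the interface name default, the sample packet addresses and the deliberately over-wide 0.0.255.255 variant are constructed to show what such a mask would let through.

```python
"""BCP38 ingress ACL for a customer port: generate the IOS text and check
it against sample packets.

Added example; not the slide's own configuration, although the ACL names
(fromCUSTOMER4/6) and the topology (customer 192.168.0.0/24 and
2001:db8:ff::/48, link 10.0.0.0/30 and 2001:db8::/64) follow slide 10.
"""
import ipaddress


def wildcard(net):
    """IOS wildcard mask: 1 bits may vary, so a /24 becomes 0.0.0.255."""
    return str(net.hostmask)


def build_acl(prefixes, iface="GigabitEthernet0/0"):
    """Permit exactly the customer's prefixes (plus the link), deny the rest."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("a default prefix would permit every source")
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    out = ["ip access-list extended fromCUSTOMER4"]
    out += [f" permit ip {n.network_address} {wildcard(n)} any" for n in v4]
    out += [" deny ip any any", "!", "ipv6 access-list fromCUSTOMER6"]
    out += [f" permit ipv6 {n} any" for n in v6]
    # Neighbor Discovery and router solicitation use link-local sources;
    # without these two entries the final deny breaks IPv6 on the link.
    out += [" permit ipv6 fe80::/10 fe80::/10",
            " permit ipv6 fe80::/10 ff02::/16",
            " deny ipv6 any any", "!",
            f"interface {iface}",
            " ip access-group fromCUSTOMER4 in",
            " ipv6 traffic-filter fromCUSTOMER6 in"]
    return "\n".join(out)


def _consume(tokens, addr):
    """Match one address field of an entry; return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if addr.version == 4:
        base = int(ipaddress.IPv4Address(tokens[0]))
        wc = int(ipaddress.IPv4Address(tokens[1]))
        return (int(addr) & ~wc) == (base & ~wc), tokens[2:]
    return addr in ipaddress.ip_network(tokens[0]), tokens[1:]


def evaluate(acl_text, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        if (tok[1] == "ip") != (src.version == 4):
            continue  # entry is for the other address family
        ok_src, rest = _consume(tok[2:], src)
        ok_dst, _ = _consume(rest, dst)
        if ok_src and ok_dst:
            return tok[0]
    return "deny"


ACL = build_acl(["192.168.0.0/24", "10.0.0.0/30",
                 "2001:db8:ff::/48", "2001:db8::/64"])

# Constructed variant with the over-wide wildcard: admits all of 192.168.0.0/16.
SLIDE_MASK_ACL = ACL.replace("192.168.0.0 0.0.0.255", "192.168.0.0 0.0.255.255")

if __name__ == "__main__":
    print(ACL)
    for s, d in [("192.168.0.10", "198.51.100.1"), ("203.0.113.7", "198.51.100.1"),
                 ("192.168.200.1", "198.51.100.1"), ("fe80::1", "ff02::2"),
                 ("2001:db8:dead::1", "2001:db8::1")]:
        print(f"{s:>18} -> {d:<14} {evaluate(ACL, s, d)}")
```

Run it to see that a spoofed 203.0.113.7 from the customer port is dropped, that 192.168.200.1 (outside the customer's /24) is dropped with the correct mask but permitted by the 0.0.255.255 variant, and that Neighbor Discovery traffic survives the trailing deny.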
16. uRPF
• lookup a reverse path by source IP address
• strict mode
  – the incoming interface should match with the routing table
• loose mode
  – there should be a valid routing entry for the source IP address

17. packet forwarding – dst-ip based
• routing_table(dst-ip) => outgoing interface
  – lookup by 10.0.0.1 => if.i
  – then router forwards the packet
[Diagram: IP packet (dst-ip 10.0.0.1, src-ip 192.0.2.1, data) arrives on if.o. Routing table: 192.0.2.0/28 -> if.o, 10.0.0.0/8 -> if.i. The packet leaves via if.i.]

18. uRPF – lookup by the src-ip
• routing_table(src-ip) => interface
  – lookup by 192.0.2.1 => if.o
  – The result MUST match the incoming interface
[Diagram: the same packet and routing table; the reverse-path lookup for 192.0.2.1 returns if.o, which is the interface the packet arrived on, so the strict check passes.]
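The two lookups of slides 17 and 18 as runnable code. This is an added example, not the presentation's: it uses the slides' routing table (192.0.2.0/28 via if.o, 10.0.0.0/8 via if.i) and packet (src 192.0.2.1, dst 10.0.0.1). The additional spoofed packets, the default route and the `allow_default` flag are constructed to show why loose mode cannot stop reflection (slide 9) and why a router far from the edge can only check routability (slide 8).

```python
"""Destination forwarding vs. uRPF strict/loose on the slides' routing table.

Added example; not the presentation's code. Routing table and the legitimate
packet are from slides 17-18; the other packets are constructed.
"""
import ipaddress


class Fib:
    def __init__(self, routes):
        # routes: (prefix, interface through which the prefix is reached)
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr, ignore_default=False):
        """Longest-prefix match; returns the interface or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a.version != net.version or a not in net:
                continue
            if ignore_default and net.prefixlen == 0:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifc)
        return best[1] if best else None


def forward(fib, dst):
    """Slide 17: routing_table(dst-ip) => outgoing interface."""
    return fib.lookup(dst)


def urpf(fib, src, in_if, mode, allow_default=False):
    """Slide 18: routing_table(src-ip) => interface, then compare.

    strict: the reverse path MUST be the interface the packet arrived on.
    loose:  any route for the source suffices. A default route is ignored
            unless allow_default is set, because otherwise loose mode would
            accept every source (this mirrors IOS's allow-default keyword).
    Returns "pass" or "drop".
    """
    rp = fib.lookup(src, ignore_default=not allow_default)
    if rp is None:
        return "drop"
    if mode == "loose":
        return "pass"
    if mode == "strict":
        return "pass" if rp == in_if else "drop"
    raise ValueError(f"unknown uRPF mode {mode!r}")


FIB = Fib([("192.0.2.0/28", "if.o"), ("10.0.0.0/8", "if.i")])

# Constructed packets: (description, src-ip, incoming interface)
PACKETS = [
    ("slide 18, legitimate", "192.0.2.1", "if.o"),
    ("victim's address spoofed from the 10/8 side", "192.0.2.1", "if.i"),
    ("source with no route at all", "198.51.100.9", "if.i"),
]

if __name__ == "__main__":
    print("forward 10.0.0.1 ->", forward(FIB, "10.0.0.1"))
    for desc, src, in_if in PACKETS:
        print(f"{desc:45} strict={urpf(FIB, src, in_if, 'strict')} "
              f"loose={urpf(FIB, src, in_if, 'loose')}")
```

The second packet is the reflection case: the spoofed source is a perfectly routable address, so loose mode passes it and only strict mode, which knows the address does not live behind if.i, drops it. Strict mode assumes symmetric routing; for a multihomed customer whose traffic may arrive on an interface other than the best return path, RFC3704's feasible-path variant (accept any interface with a route for the source, not just the best) avoids false drops while still rejecting addresses the customer does not announce.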
19. attack against a web site
• 110Kpps of TCP SYN flood was observed

20. uRPF loose did reduce the attack
• The attack would have been prevented if the admins at the attack sources had deployed BCP38
• about 30% of the attack packets were dropped by uRPF loose mode
22. BCP38 is useful to protect yourself
• many access controls depend on the validity of the source IP address
  – source IP address based filtering
  – ACL on vty, snmp, etc.
• If your users can spoof the source IP address, is it still reliable?
23. BCP140 (RFC5358)
• Preventing Use of Recursive Nameservers in Reflector Attacks
  – Best Current Practice
  – https://tools.ietf.org/html/bcp140
• Recommendations:
  1. Disabling recursive service where it's not necessary
  2. Implementing client authorization

24. implementing BCP140
• Several ISPs in Japan have operated 'open' recursive nameservers for many years. As these servers tend to be used in DNS amp attacks, the ISPs decided to put ACLs in place to accept queries from their own customers only - BCP140.

25. Client Authorization
• BCP140 describes several ways:
  1. source IP address based
  2. incoming interface based
  3. TSIG/SIG(0) signed queries
  4. using a local caching nameserver
• The 1st one is the option for ISPs
  – no other choice at this moment
• source IP address based authorization
  – in other words, ACL :)

27. There should not be issues
• Usually users automatically get DNS settings
  – PPPoE
  – DHCP
• System integrators who are responsible for enterprise networks keep their settings up-to-date

28. real situations :(
• Some users statically set up DNS settings on their devices, and don't change them forever, even after switching ISPs
• Lazy system integrators use nameservers which they just happen to know, and leave them forever
• Some users change DNS settings based on a rumor like 'you can get more internet speed by changing DNS setting'

29. IIJ case
• public announcement on Sept 2013
  – "for those who used IIJ services before"
  – corporate web site
    • http://www.iij.ad.jp/company/development/tech/activities/open_resolver/
  – technical blog
    • http://techlog.iij.ad.jp/archives/718
  – news site
• about 3 months before implementing
30. 2nd Dec 2013 12:00 JST
• IIJ's cache nameservers started to serve its customers only
• For queries from outside, the nameservers answer a static A record that leads users to a warning web page
  – saying "your dns setting is not valid anymore, so you need to change your setting to access the internet. please contact your ISP or network administrator for further assistance."
31. the warning page
• Simple text only
  – no javascript
  – no image
  – no link
• At first we put the name of IIJ at the bottom; then users somehow searched for IIJ's telephone number and called IIJ
• So IIJ deleted its name, and emphasized "contact your ISP or network administrator"

32. Users
• Some users still could post messages on social media - probably by using their smartphones
• Some of them were suggesting to use other publicly available nameservers
  – google's
  – just usable ones :(

33. collaboration with other ISPs
• Implementing BCP140 might increase the number of customer calls at other ISPs' helpdesks
• ISPs shared their implementation schedules with each other in advance so that ISPs could expect customer calls
• The ISP community could develop a shared warning page that shows the right contact based on the source IP address of the client

34. lessons learned
• effective announcement
  – public, and also targeted based on the query log
• collaborating with other ISPs
  – for better customer support
• phased implementation could be your choice
• start early, before the issue gets bigger
  – more unexpected users will use your nameserver
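Slides 25, 30 and 34 together describe one mechanism: source-IP-based client authorization on the cache nameserver, a static A answer for outsiders that lands them on the warning page, and a query-log pass to find the outside networks worth a targeted announcement. The Python below is an added example, not IIJ's implementation. The customer prefixes, the warning-page address and the BIND-style query-log lines are constructed; answering REFUSED to non-A queries from outsiders is an assumption, since the slides only mention the static A record.

```python
"""BCP140 client authorization by source address, the IIJ-style redirect of
outsiders to a warning page, and a query-log pass for targeted announcements.

Added example, not IIJ's code. Prefixes, warning-page address and log lines
are constructed; non-A outsider queries -> REFUSED is an assumption.
"""
import ipaddress
import re
from collections import Counter

CUSTOMER_NETS = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]
WARNING_PAGE_A = "198.51.100.10"   # constructed: hosts the text-only warning page

# Constructed BIND-style query log: two customers, three outsiders.
QUERY_LOG = """\
02-Dec-2013 11:58:01.101 client 192.0.2.77#40211 (www.example.com): query: www.example.com IN A + (198.51.100.1)
02-Dec-2013 11:58:02.220 client 203.0.113.45#53211 (www.example.com): query: www.example.com IN A + (198.51.100.1)
02-Dec-2013 11:58:02.815 client 203.0.113.46#53212 (mail.example.com): query: mail.example.com IN MX + (198.51.100.1)
02-Dec-2013 11:58:03.009 client 198.18.5.9#1053 (www.example.net): query: www.example.net IN AAAA + (198.51.100.1)
02-Dec-2013 11:58:03.410 client 2001:db8:1::10#5353 (www.example.org): query: www.example.org IN AAAA + (198.51.100.1)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_customer(client):
    """Source-IP-based authorization (slide 25, option 1): an ACL in effect."""
    a = ipaddress.ip_address(client)
    return any(a.version == n.version and a in n for n in CUSTOMER_NETS)


def handle_query(client, qtype):
    """Policy for one query, returned as (action, answer).

    customers -> normal recursion; outsiders asking for an A record get the
    static address of the warning page (slide 30); anything else is refused.
    """
    if is_customer(client):
        return ("RECURSE", None)
    if qtype == "A":
        return ("STATIC", WARNING_PAGE_A)
    return ("REFUSED", None)


def parse_log(text):
    """Yield (client ip, qname, qtype) for every query-log line that parses."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qtype"]


def outside_networks(log_text, v4_len=24, v6_len=48):
    """Slide 34: aggregate non-customer clients per prefix, most active first.

    The result is the list of networks (and thus ISPs) to contact before
    the cut-over, instead of relying on a public announcement alone.
    """
    counts = Counter()
    for ip, _, _ in parse_log(log_text):
        if is_customer(ip):
            continue
        a = ipaddress.ip_address(ip)
        plen = v4_len if a.version == 4 else v6_len
        counts[str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))] += 1
    return counts


if __name__ == "__main__":
    for ip, qname, qtype in parse_log(QUERY_LOG):
        print(f"{ip:>16} {qtype:5} {qname:18} -> {handle_query(ip, qtype)}")
    print(outside_networks(QUERY_LOG).most_common())
```

Source-IP authorization is only as good as the source addresses it sees: an attacker who can spoof a customer address still gets recursion, which is exactly the point of slide 22 and why BCP38 on the ISP's own customer edges is a precondition for BCP140 to hold.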
35. many other 'misusable' services
• ntp
• snmp
• games
• useful talk at RIPE68 last week
  – https://ripe68.ripe.net/presentations/227-RIPE68_2014_CRossow_Amplification_stripped.pdf

36. conclusion
• implement BCP38
  – enforce source IP addresses in your network
• implement access control for your services
  – source IP address based filtering