Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, mn-LAB
info@mn-lab.net
BGP Techniques for Network Operators, by Philip Smith.
A presentation given at APRICOT 2016’s BGP Techniques for Network Operators (Part 1 and 2) sessions on 23 February 2016.
This document provides an overview and student guide for the "Implementing Cisco MPLS (MPLS) Version 2.2" course. It introduces basic MPLS concepts including the MPLS architecture, labels, label stacks, and applications such as MPLS VPNs and traffic engineering. It also covers frame-mode MPLS implementation on Cisco IOS platforms, including configuration, monitoring, and troubleshooting tasks. Finally, it discusses MPLS VPN technology in depth, including the MPLS VPN architecture, routing model, and packet forwarding mechanisms.
The Palo Alto NGFW uses single-pass software and single-pass parallel processing (SP3) to efficiently classify and inspect network traffic. SP3 separates the control plane, used for management, from the data plane which includes signature matching, security, and network processors to identify threats, enforce policies, and forward traffic with features like decryption and routing in a single pass.
This document provides an overview of a 150-video, 25-hour Palo Alto Networks NGFW advanced training course covering PAN-OS versions 8.0 and 8.1. The course contains 20 modules that cover topics such as networking, security policies, objects, User-ID, authentication, URL filtering, application control, certificates, threat prevention, WildFire, high availability, advanced networking, and VPN. It is designed to prepare students for the PCNSA and PCNSE certification exams but does not cover Panorama, cloud platforms, IPv6, or dynamic routing protocols.
- Clustering allows up to 16 firewall devices to operate as a single logical device for high availability and scalability. One unit is elected as the master to handle management and centralized functions while other units act as slaves.
- Packets are distributed across units with one unit assigned as the flow owner to ensure symmetric inspection. A flow director uses a hash to determine which unit owns a new connection. Flow forwarders help redirect packets to the owner.
This document discusses different types of firewalls:
- Traditional firewalls filter packets based on source/destination IP/port and protocol but cannot classify applications or inspect encrypted traffic.
- Unified threat management (UTM) firewalls can classify traffic by application rather than just port, and provide intrusion detection/prevention, web filtering, and malware protection.
- Next generation firewalls (NGFW) build on UTM with additional capabilities like inspecting encrypted traffic and advanced threat protection.
This document provides instructor materials on static routing concepts and configuration for the CCNA Routing and Switching course. It covers static routing advantages and types of static routes such as standard, default, summary, and floating static routes. The document also details how to configure IPv4 and IPv6 static and default routes using the ip route and ipv6 route commands. Additionally, it discusses troubleshooting static route configurations and how routers process packets when static routes are used.
The document discusses virtual private networks (VPNs) and virtual private routed networks (VPRNs). It defines VPNs as private networks constructed within a public network infrastructure like the internet. VPRNs are IP-based layer 3 VPNs that emulate multi-site wide area routed networks over IP facilities. The document outlines requirements for VPNs and VPRNs like opaque transport, data security, QoS guarantees, and tunneling mechanisms. It also discusses different VPN categories and implementation issues for building VPRNs.
Open Shortest Path First (OSPF) is an interior gateway protocol that uses link state routing and the Dijkstra algorithm to calculate the shortest path to destinations within an autonomous system. It elects a Designated Router to generate network link advertisements and assist in database synchronization between routers. Routers run the Shortest Path First algorithm on their link state databases to determine the best routes and populate their routing tables.
This presentation was given at MUM Indonesia in Bali in 2008. It discusses how to add an extra layer of security to a MikroTik router using a port knocking mechanism.
A PROJECT REPORT on CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
The document provides information about the Cisco Nexus 7009 switch, including:
- It is a modular network switch with up to 9 slots that can support 336 10GbE or 1GbE ports.
- It uses up to 5 Crossbar Fabric Modules and 2 power supplies.
- The Nexus 7009 specifications section provides additional details about its hardware capabilities and supported interface speeds.
The document provides information about MikroTik RouterOS training for an advanced class on routing, covering topics such as simple routing, ECMP, OSPF, policy routing, and labs on implementing various routing configurations and concepts between networked devices. Details are given on static routes, multi-path routing, OSPF areas and settings, route redistribution, and using different area types. Instructions are provided for hands-on exercises to configure routing behaviors like redundancy and traffic load balancing.
This chapter discusses path control implementation using Cisco technologies. It covers Cisco Express Forwarding (CEF) switching and how it improves performance over process and fast switching. It also discusses using policy-based routing (PBR) and Cisco IOS IP SLAs to implement path control and dynamically change paths based on network conditions. The chapter provides configuration examples for PBR and IP SLAs to control traffic flow.
This document discusses MPLS VPN and its three main types: point-to-point VPNs using pseudowires to encapsulate traffic between two sites; layer 2 VPNs called VPLS that provide switched VLAN services across sites; and layer 3 VPNs known as VPRN that utilize VRF tables to segment routing for each customer using BGP. It describes how MPLS VPN works using CE, PE, and P routers to forward labeled packets through the provider network and pop the label at the destination PE to deliver the packet. Finally, it provides additional resources for learning more about MPLS VPN technologies.
NAT (network address translation) & PAT (port address translation), by Netwax Lab
NAT (Network Address Translation) allows private IP networks to connect to the Internet by translating private IP addresses to public IP addresses. It operates on a router, connecting internal and external networks. NAT provides security by hiding internal network addresses and conserving IP addresses. There are various NAT types, including static NAT for one-to-one address mapping, dynamic NAT for mapping private addresses to public addresses from a pool, and NAT overload/PAT for mapping multiple private addresses to a single public address using ports.
Segment routing is a technology that is gaining popularity as a way to simplify MPLS networks. It interfaces well with software-defined networks and allows source-based routing. It does this without keeping state in the core of the network and without needing LDP or RSVP-TE.
EVPN is a network virtualization technology that allows Ethernet services to be delivered across MPLS or IP networks. It uses BGP for the control plane to distribute MAC and IP addresses and can support both single-active and all-active multi-homing topologies. EVPN provides flexibility in service delivery and has been widely adopted by major service providers and cloud providers for a variety of use cases including data center interconnect and virtual machine mobility. Automation of EVPN configuration can simplify provisioning and management through the use of tools like NetBox, Python scripts, Ansible, and workflow managers.
This document provides instructor materials for teaching a chapter on access control lists (ACLs), including:
- An overview of the chapter content and associated activities.
- Details on the planning guide, classroom presentation, and assessment.
- Best practices for teaching the key topics in a hands-on way through examples and Packet Tracer exercises.
- Objectives for each section, including explaining ACL operations, configuring standard IPv4 ACLs, and troubleshooting ACLs.
This document contains configuration details for setting up an ACI Multi-Pod topology including IPN switches, APIC clusters, POD fabrics, access policies, and BGP route reflectors. It provides instructions on configuring the network topology with leaf-spine switches connected across multiple PODs, configuring the APICs with fabric profiles and settings, and setting policies for switch, interface, and fabric configurations.
The document provides an overview of the CCNA 7.0 curriculum from Cisco. Some key points:
- CCNA 7.0 has been enhanced with a modular course design to improve learning effectiveness and skills progression.
- The curriculum is delivered over three courses (Introduction to Networks, Switching/Routing Essentials, and Enterprise Networking) to provide hands-on experience and career skills for associate-level networking roles.
- CCNA 7.0 helps prepare students for the new consolidated CCNA certification exam by building skills in networking, security, automation, and other foundational areas.
PLNOG 13: Emil Gągała: EVPN, a solution not only for the Data Center, by PROIDEA
Ethernet VPN (EVPN) is a new standards-based protocol that interconnects Layer 2 domains over a shared IP/MPLS network. It improves on previous protocols like VPLS by supporting features like all-active multi-homing and control plane learning of MAC addresses. EVPN is ideally suited for datacenter interconnectivity but can also be used in other cases beyond just data centers. Major networking vendors support EVPN as shown by their participation in the relevant IETF working group.
The document discusses OSPF link-state routing protocol. It describes OSPF's use of link-state databases containing topology information and Dijkstra's algorithm to calculate the shortest path to all destinations. It also explains OSPF's hierarchical area-based network structure and use of link-state advertisements to exchange routing information between neighbors.
The presentation introduces the group's network and firewall architecture, including a public DMZ, private DMZ, and internal network. It discusses packet filtering and configuring iptables rules to allow certain traffic to the public DMZ servers while blocking other traffic. It also covers tweaks to prevent common attacks like IP spoofing, IP smurfing, SYN flooding and ping flooding through techniques like disabling IP spoofing and source routing, enabling SYN cookies, and rate limiting ICMP echo requests.
A firewall is hardware or software that protects private networks and computers from unauthorized access. There are different types of firewalls including packet filtering, application-level gateways, and circuit-level gateways. Firewalls work by inspecting packets and determining whether to allow or block them based on rules. They can protect networks and devices from hackers, enforce security policies, and log internet activity while limiting exposure to threats. However, firewalls cannot protect against insider threats, new types of threats, or viruses. Firewall configurations should be tested to ensure they are properly blocking unauthorized traffic as intended.
Henrik Strøm - IPv6 from the attacker's perspective, by IKT-Norge
Henrik Strøm discusses IPv6 security from an attacker's perspective. He outlines 6 points on how attackers can exploit IPv6 vulnerabilities, including using IPv6 to bypass IPv4 access controls when on a local network, spoofing router advertisements to hijack traffic, using tunneling to enable inbound and outbound connectivity, and launching denial of service attacks. He recommends network administrators decide how to implement IPv6 security, monitor for IPv6 traffic, harden clients and servers, and filter all types of IPv6 tunneling. Further reading suggests there is still significant work needed on IPv6 firewalling and many IPv4 issues have been transferred to IPv6.
This document provides an overview of MANRS (Mutually Agreed Norms for Routing Security) for network operators in Bangladesh. It discusses key routing security issues like prefix hijacking and route leaks. It describes the four MANRS actions for network operators: filtering, anti-spoofing, coordination, and global validation. Filtering involves setting policies to accept only valid routing announcements. Anti-spoofing uses techniques like uRPF to prevent spoofed source IP addresses. Coordination means maintaining up-to-date contact details in databases. Global validation facilitates routing validation through tools like the IRR and RPKI. The document explains how these actions improve routing security and reliability. It also outlines MANRS' goals and
This document discusses services running on Cisco IOS routers that could create vulnerabilities if not secured properly. It lists services that are enabled by default like BOOTP server, CDP, and HTTP that should be disabled if not in use. It also discusses best practices like disabling unused interfaces and configuring connection timeouts. The document provides commands to disable vulnerable services and secure the router configuration.
PLNOG16: Security in the operator's network, Sebastian Pasternacki, by PROIDEA
The document discusses network security training that includes an exercise on responding to threats and mitigating distributed denial-of-service (DDoS) attacks, as well as configuring security tools like Control Plane Policing (CoPP) and remote triggered black hole (RTBH) routing.
The document discusses using open source tools pfSense and FRR to improve the security and reliability of Internet Service Provider (ISP) networks in Bangladesh. Case studies show how pfSense implemented as a firewall and router can block malware and threats based on intelligence feeds. This provides a better user experience than MikroTik routers by filtering attacks and bad actors at the core network level. The solution is low cost and easy for ISPs to implement and maintain.
This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.
The document discusses router and routing protocol attacks. It provides an overview of common routing protocols like RIP, OSPF, BGP and discusses their vulnerabilities. Specific attacks against these protocols are described like route injection attacks, spoofing, denial of service attacks. The document emphasizes the need for routing protocol security best practices like authentication, access control and monitoring to prevent such attacks.
This document discusses strengthening Sri Lanka's internet infrastructure by adopting best practices for network operations. It recommends that Sri Lanka develop a healthy ecosystem of interconnected networks including more service providers and consumer/corporate networks. It also provides guidance on implementing best practices for number registry, internet routing, and network security such as securing BGP configurations, implementing traffic filtering, and deploying DNSSEC. Adopting these practices would help develop a more robust internet infrastructure for Sri Lanka that is on par with other economies in the region.
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka, by APNIC
APNIC Deputy Director General Sanjaya gives a keynote address on strengthening the Sri Lankan Internet infrastructure at LkNOG 3 in Colombo, Sri Lanka from 2 to 4 October 2019.
This document provides recommendations for securing Cisco routers by tightening access controls and permissions. It recommends:
1. Creating a written router security policy that defines who can access and configure the router.
2. Commenting and organizing offline copies of router configurations and keeping them in sync with the live configurations.
3. Implementing access lists that only allow necessary protocols, ports, and IP addresses and deny all others.
4. Running the latest available IOS version and regularly testing router security.
PLNOG 9: Piotr Wojciechowski - Multicast Security, by PROIDEA
The document discusses several approaches for securing multicast networks and traffic. It begins by outlining main security issues like unauthorized access, modification of traffic, and denial of service attacks. It then describes techniques for securing the edge of the multicast network, including filtering PIM messages, preventing RP mapping, using multicast boundaries, and passive interfaces. Additional methods covered include filtering multicast groups, using access control lists (ACLs) on trusted senders and receivers, and securing the rendezvous point (RP).
TakeDownCon Rocket City: Bending and Twisting Networks, by Paul Coggin (EC-Council)
This document provides technical summaries of various network attacks and exploitation techniques. It begins with an overview of the author's background and experience in network security. It then summarizes several methods, including exploiting SNMP configurations, manipulating routing tables through policy routing, using GRE and ERSPAN tunnels to enable remote packet capture, exploiting DLSw to tunnel traffic covertly, and exploiting lawful intercept functions to duplicate traffic. The goal is to educate about various risks while maintaining an instructional tone.
This presentation discusses firewalls and how they work. It begins by defining a firewall as hardware, software, or a combination of both that prevents unauthorized access to private networks and computers from the internet. It then explains the differences between hardware and software firewalls and how software firewalls inspect packets of data. The presentation covers firewall rules, types of firewalls including packet filtering and application level gateways, and architectures like single-box and screened host. It concludes with testing a firewall configuration using examples of manual tests of traffic allowed or denied based on source and destination.
A firewall is a choke point that controls and monitors network traffic between networks of differing trust levels. It imposes restrictions on network services by only allowing authorized traffic and auditing access. Firewalls can be characterized by the protocol level they control, including packet filtering, circuit gateways, and application gateways. A dynamic packet filter combines these approaches and captures the semantics of network connections.
The document discusses different types of firewalls. It describes packet filtering firewalls as the simplest type that examines transport layer information like IP addresses and port numbers to filter traffic. Stateful packet filters improve on this by tracking client-server sessions to better detect unauthorized packets. Application gateways provide the most security by running proxy programs for each protocol to filter traffic at the application layer according to security policies.
Similar to Preventing Traffic with Spoofed Source IP address (20)
This document discusses accelerating hyper-converged enterprise virtualization using Proxmox and Ceph. It defines hyper-converged infrastructure and describes the key features of Proxmox VE and Ceph storage. Proxmox VE is an open-source virtualization platform that can integrate computing, storage and networking. Ceph provides scalable and fault-tolerant open source storage. The document also provides steps to install Proxmox and configure Ceph storage, and summarizes a case study of deploying this solution at the University of Dhaka.
- The document discusses recent changes to the Internet Routing Registry (IRR) and Route Origin Authorization (ROA). It outlines a "Safe Transition Plan" for migrating from non-hierarchical to hierarchical AS sets in the IRR to resolve name collisions.
- The Regional Internet Registry (RIR) APNIC IRR now only permits hierarchical AS sets and reached consensus to restrict non-hierarchical AS sets.
- The RADB IRR will reject route/prefix registrations that are invalid according to RPKI ROA, to protect networks and ensure consistency between ROA and registered routes. Maintaining minimal ROAs is recommended.
This document provides a summary of Bangladesh's network status and security landscape. It finds that many ports are open and vulnerable, including ports 53, 161, 2000, and 80 on Mikrotik devices. IPv6 deployment is growing, led by Cloudflare, Zen-ECN, and telecom companies. RPKI validation of IP addresses is largely invalid. DDoS attacks target both network and application layers. Route leaks and hijacks occur. Shodan data shows many vulnerabilities. Emerging threats include 5G, IoT, supply chain attacks, and more. The document provides references for network and device hardening.
This document summarizes Janata Wi-Fi's work providing free Wi-Fi access in Bangladesh through partnerships with ISPs, merchant networks, and an advertisement-based business model. It discusses operational challenges like unreliable power and expensive access points. It then describes Janata's efforts to develop an AI-driven customer service system called CXM Network Co-Pilot to automate issue detection, data collection, root cause analysis, and solution deployment to improve support efficiency and reduce resolution times. Janata is working to expand data collection capabilities and fully automate the issue resolution process using machine learning.
This document discusses IPv6 security. It begins with an overview of IPv6 address types and headers. It then notes that some initial assumptions about IPv6 security being more robust have been disproven in reality. Specifically, IPv6 is now the target of around 20% of malicious attacks. The document outlines several IPv6 security threats such as address spoofing, extension header attacks, neighbor discovery spoofing, and rogue router advertisements. It recommends approaches like ingress filtering, RA guard, and SEND to help detect and mitigate these threats. Tools like NDPMon can monitor for anomalies in neighbor discovery behavior. Overall, network operators must apply similar security practices to IPv6 as with IPv4, including access controls, host hardening, and
1) The document discusses e-waste (electronic waste) management in Bangladesh. It defines e-waste and explains why it is an environmental and health concern due to toxic materials.
2) It states that most e-waste in Bangladesh is informally recycled, with less than 20% going through formal collection systems. The informal recycling can release toxic fumes and contaminants.
3) The document discusses the potential benefits of formal e-waste recycling for the circular economy and sustainable development goals around health, sanitation, responsible consumption and urban sustainability. It calls on citizens and organizations to participate in e-waste collection and recycling efforts.
The document discusses deploying the Wazuh SIEM solution. It describes Wazuh's architecture with agents on endpoints sending security data to a central server. It provides a step-by-step process for installing Wazuh including setting up the server, installing and configuring agents, and integrating network devices via syslog. It also discusses customizing Wazuh through additional decoders and rules to monitor any log data and enhance detection capabilities.
IPv6 adoption is growing steadily worldwide and in South Asia since 2017 according to statistics from APNIC and Google. In South Asia, India has the highest IPv6 preference rate at 78.32% while Bangladesh has a low rate of 1.91%. APNIC provides various supports for IPv6 deployment including technical training, technical assistance, IPv6 address allocation, and potential financial grants. Networks are encouraged to deploy IPv6 to avoid future issues as IPv4 addresses run out and networks increase in complexity.
This document provides an overview of software defined networking (SDN), including its evolution from traditional router architectures, the seminal Clean Slate project and OpenFlow protocol, and the current SDN architecture. It discusses key SDN concepts like the separation of the control and data planes, standardization bodies, example applications like VOLTHA and ONOS, and related technologies like NFV and P4.
The document summarizes RPKI (Resource Public Key Infrastructure) deployment status in Bangladesh. It finds that while some large internet providers have deployed RPKI, adoption remains inconsistent overall and several major operators are not performing route origin validation. Specifically, it notes 15% of IPv4 prefixes and 99% of IPv6 prefixes in Bangladesh are invalid due to maximum length issues, and examples are provided of valid and invalid route objects.
The document discusses open UDP services that can enable amplification attacks and the risks they pose. It provides statistics on open services in Bangladesh, such as its ranking of 25th in the world for open recursive DNS. The document recommends approaches for ISPs like adhering to ingress filtering and traffic shaping. The goal is to reduce the number of open UDP services in Bangladesh to lessen its vulnerabilities to cyber attacks.
This document discusses the author's 12 years of experience defending DNS infrastructure and observing various cyber attacks. It describes how the author migrated to more secure DNS configurations, deployed logging and analytics to gain insights into attacks, and incorporated additional defenses like NIDS and RPZ. It also discusses using NetFlow and Zeek to analyze network traffic patterns and investigate DNS queries in more depth. The overall experience highlighted the value of a multi-layered approach to DNS security through continuous monitoring, analytics, and active defenses.
This document discusses various initiatives for content localization to improve user experience on the internet. It describes how users connect to the internet and how content is delivered. Content localization involves optimizing how data is accessed and delivered from the closest servers to end users. This improves speed and performance. The document recommends implementing caching servers on premises and using a content delivery network to localize content closer to users. It provides guidelines on caching best practices and considerations for choosing a CDN. The overall goal is to focus on content localization as soon as possible to optimize performance for users.
This document discusses federated identity services and their applications. It provides an overview of identity federation and how it allows for single sign-on access to multiple services. It describes how federation works through the use of metadata exchanges between identity providers and service providers. Specific federated identity applications discussed include eduGAIN, eduroam, and OpenRoaming. The security of eduroam wireless access is explained through the use of 802.1x authentication, TLS tunnels, and X.509 certificates. Challenges and potential solutions for commercial ISPs to participate in eduroam are also outlined.
This document discusses route leaks between autonomous systems and proposes a solution using BGP communities. It defines different types of route leaks based on RFC 7908 and provides a real-world example. Analyzing the problem, it finds challenges with using AS path filters alone. The proposed solution tags routes received from different peers with BGP communities and filters based on the tags to prevent unintended route advertisements. This is demonstrated in a lab topology where route leaks are shown before and after applying the BGP community configurations.
The document discusses the deployment of an internet exchange point (IXP) in Bangladesh called NIX. It describes the key components of NIX including route servers, RPKI validation, SIPIX for interconnection between IP telephony service providers, root server instances, looking glass, NTP servers, and an IXP manager. It outlines the challenges faced in deployment and initiatives taken to address issues related to traffic filtering, security, call quality, and availability. The future plans include completing root server mapping, establishing multiple points of presence, and adding content caching and domain hosting services.
The document discusses using Grafana to integrate and correlate latency and usage data from multiple monitoring tools for capacity planning and performance analytics. It describes setting up Grafana data sources from tools like Cacti, Smokeping, Zabbix, and configuring Grafana to create dashboards that combine graphs from different data sources into a single view. This allows cross-platform data correlation and analysis to help with challenges like capacity planning, outage reporting and integration of existing monitoring systems.
This document discusses validating RPKI (Resource Public Key Infrastructure) data for countries. The author built tools to map ASNs (Autonomous System Numbers) to IP prefixes by country and check them against a RPKI validator. This allows tracking RPKI validation status over time for entire countries. The tools were used to analyze RPKI validation status in Asia, showing growth in valid prefixes for countries like Bangladesh. Results are stored in a database and visualized using Grafana for others to view. Feedback on the tools and approach is welcomed.
Blockchain philosophy centers around distributed trust and shared truth through transparency. It moves the custody of information from centralized control by one entity to decentralized consensus among many participants. By ensuring everyone has access to the same verified information through an immutable record, blockchain creates certainty in a digital world that has long struggled with issues of identity, data security and authenticity. It extrapolates the idea of a close-knit village community where common knowledge and synchronous truth are the basis for transactions and asset ownership.
This document discusses measuring internet traffic and value. It begins by outlining tactical and strategic reasons for measuring, such as understanding value creation, optimizing networks, and justifying investments. It then explains the network effect and how value increases exponentially with more users and connections. The rest of the document details how internet traffic can be measured at different layers and points, including at internet exchange points, within transit networks, and between peers. It emphasizes the importance of comprehensive measurement to understand profitability, trade flows, and emerging technologies.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
1. Preventing Traffic with Spoofed Source IP Addresses
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, mn-LAB
info@mn-lab.net
Network Operational Tutorial
2. Internet Routing Security
The routing system of the Internet is vulnerable to many security threats such as:
Presented by – Md. Abdullah Al Naser Page # 2
9. Internet Routing Security
Control Plane vs Data Plane Security
Control Plane
● Prefix filtering can protect your BGP table / control plane
● ROA/RPKI can also be used to protect the control plane
Data Plane
● But what if someone sends packets with a spoofed source IP address?
● Source address validation should be there to deal with that!!
10. Internet Routing Security
IP Address Spoofing
● IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin
● Put simply, the host pretends to be some other host
● Normally, when your router receives unicast IP packets it only cares about one thing: what is the destination IP address of this IP packet, so I can forward it?
13. Internet Routing Security
IP Address Spoofing Implications
Spoofing can be exploited in various ways, most notably to execute a DDoS Reflection-Amplification attack
14. Internet Routing Security
IP Address Spoofing Implications
● DDoS amplification is achieved by small queries resulting in much larger responses
● Open DNS resolvers and NTP servers are commonly used as reflectors/amplifiers
● IP spoofing can be more destructive if a valid TCP session is hijacked
15. Internet Routing Security
IP Address Spoofing Implications
● Significant DoS attacks are costing Service Providers
● These costs hurt the brand, damage customer operations, and have collateral operational/cost impact on other customers
16. Spoofing Tools
Spoofing Tools
● nping (available in Zenmap and other tools)
● synner
● Kali Linux (popular with pen testers)
● IP spoofing can even be done from the Windows CMD
17. Anti-Spoofing
Anti-Spoofing
● Implementing anti-spoofing filtering prevents packets with an incorrect source IP address from entering the network
● DDoS Reflection-Amplification attacks would be impossible without spoofing – however, they are preventable
19. Anti-Spoofing
Anti-Spoofing Considerations
● Identify points/devices in the network topology where anti-spoofing measures should be applied
● Identify adequate techniques to be used (for example, uRPF or ACL filtering)
● Apply configuration commands
● Verify that the protection works, is permanent and is kept up-to-date
20. Anti-Spoofing
Anti-Spoofing Techniques
To prevent source IP address spoofing, it is recommended to implement ingress filtering methods, which include ACLs, uRPF, etc.
21. Anti-Spoofing
Anti-Spoofing Techniques - ACL
● ACLs are used to filter traffic at the router's interfaces
● ACLs are configured to allow specific address ranges and deny all others
● ACLs are commonly deployed on the Provider Edge / Customer Edge (PE / CE) boundary
● ACLs should be deployed on the downstream interfaces of the ISP in order to verify the source addresses used by its customers
23. Anti-Spoofing
Anti-Spoofing Techniques - ACL (Cisco IOS)
ip access-list extended customer1-in-ipv4
 permit ip 192.0.2.0 0.0.0.255 any
!
ipv6 access-list customer1-in-ipv6
 permit ipv6 2001:db8:1001::/48 any
!
interface gi0/0
 ip access-group customer1-in-ipv4 in
 ipv6 traffic-filter customer1-in-ipv6 in
24. Anti-Spoofing
Anti-Spoofing Techniques - ACL (Junos)
firewall {
    family inet {
        filter customer1-in-ipv4 {
            term allowed-sources {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
        }
    }
}
25. Anti-Spoofing
Anti-Spoofing Techniques - ACL (MikroTik RouterOS)
/ip firewall filter add action=drop chain=forward comment="spoofed from AS64501" in-interface=$interface log-prefix="" src-address=!192.0.2.0/24
/ipv6 firewall filter add action=drop chain=forward comment="spoofed from AS64501" in-interface=$interface log-prefix="" src-address=!2001:db8:1001::/48
26. uRPF
Anti-Spoofing Techniques - uRPF
● uRPF is a security feature that prevents these spoofing attacks. Whenever your router receives an IP packet it checks whether it has a matching entry in the routing table for the source IP address. If there is no match, the packet is discarded
● uRPF is defined in RFC 3704
● uRPF is often implemented on the edges of networks where customers, servers, and/or clients are connected
30. uRPF
There are four modes for uRPF:
● Loose Mode
● Strict Mode
● Feasible Mode
● VRF Mode
● For single-homed stub customers, it is recommended that uRPF strict mode is implemented
● For dual-homed stub customers, it is best to use uRPF feasible mode instead
31. uRPF
uRPF Strict Mode
In Strict mode the router performs two checks:
1. Do I have a matching entry for the source in the routing table?
2. Do I use the same interface to reach this source as the one I received this packet on?
32. uRPF
uRPF Strict Mode
When the incoming IP packet passes both checks, it is permitted. Otherwise it is dropped. This is perfectly fine for IGP routing protocols since they use the shortest path to the source of IP packets.
34. uRPF
uRPF Loose Mode
In Loose mode the router performs only a single check:
1. Do I have a matching entry for the source in the routing table?
35. uRPF
uRPF Loose Mode
When it passes this check, the packet is permitted. It does not matter whether this interface is used to reach the source or not. Loose mode is useful when you are connected to more than one ISP and use asymmetric routing.
36. uRPF
Additional Features
● Logging and Exemptions: uRPF allows the use of an access-list so you can decide which sources it should check and, if required, log the packets that are dropped using access-list logging
● Self-pinging: Allow the router to ping itself using uRPF strict mode on the interface
37. uRPF
Additional Features
● Default route: You can configure uRPF to check source IP addresses against a default route. You can use this when you want to accept all packets from your internet connection while protecting yourself against spoofed packets with a source IP address from your internal network
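The strict, loose and feasible checks from slides 31 to 37, including the allow-default behaviour just described, as an added Python simulation that is not part of the original slides. The routing table, the interface names (Gi0/0 to Gi0/3), the dual-homed customer on 198.51.100.0/24 and the sample sources are constructed for the example; the pass/drop rules follow RFC 3704.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    """A routing-table entry: prefix, interface of the best path, and the
    interfaces of any other feasible (alternate) paths the RIB knows about."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    best_iface: str
    feasible_ifaces: set[str] = field(default_factory=set)


class RoutingTable:
    def __init__(self, routes: list[Route]):
        self.routes = routes

    def lookup(self, src: str) -> Route | None:
        """Longest-prefix match on the *source* address: the RPF lookup."""
        addr = ipaddress.ip_address(src)
        matches = [r for r in self.routes if addr in r.prefix]  # v4/v6 mismatch is False
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(table: RoutingTable, src: str, in_iface: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """True if the packet passes the uRPF check, False if it would be dropped.
    strict   - source must be routable AND the best path to it must leave via
               the interface the packet arrived on (RFC 3704 strict RPF)
    feasible - as strict, but any feasible path to the source counts, so an
               asymmetric return path from a dual-homed customer still passes
    loose    - any route to the source is enough (RFC 3704 loose RPF)
    A default route only satisfies the check when allow_default is set (the
    allow-default behaviour of slide 37)."""
    route = table.lookup(src)
    if route is None:
        return False                         # unrouted/bogon source
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                         # only the default route matched
    if mode == "loose":
        return True
    if mode == "strict":
        return route.best_iface == in_iface
    if mode == "feasible":
        return in_iface == route.best_iface or in_iface in route.feasible_ifaces
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed table for a small ISP edge router (interface names are assumed).
TABLE = RoutingTable([
    Route(ipaddress.ip_network("192.0.2.0/24"), "Gi0/0"),         # single-homed customer 1
    Route(ipaddress.ip_network("2001:db8:1001::/48"), "Gi0/0"),  # customer 1, IPv6
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/1",      # dual-homed customer 2:
          feasible_ifaces={"Gi0/1", "Gi0/2"}),                   # best via Gi0/1, alternate Gi0/2
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/3"),           # default route towards upstream
])

if __name__ == "__main__":
    # (source, ingress interface, mode, allow_default, expected verdict)
    cases = [
        ("192.0.2.10", "Gi0/0", "strict", False, "permit"),     # customer 1 uses its own prefix
        ("192.0.2.10", "Gi0/1", "strict", False, "drop"),       # customer 2 spoofing customer 1
        ("198.51.100.5", "Gi0/2", "strict", False, "drop"),     # asymmetric return path breaks strict
        ("198.51.100.5", "Gi0/2", "feasible", False, "permit"), # feasible mode accepts it
        ("192.0.2.10", "Gi0/3", "strict", True, "drop"),        # upstream packet claiming an internal source
        ("203.0.113.7", "Gi0/3", "strict", True, "permit"),     # ordinary Internet source via default
        ("10.9.8.7", "Gi0/3", "loose", False, "drop"),          # only the default matches, allow-default off
    ]
    for src, iface, mode, allow_def, expected in cases:
        verdict = "permit" if urpf_check(TABLE, src, iface, mode, allow_def) else "drop"
        assert verdict == expected
        print(f"{mode:8} {src:>16} in {iface:5} allow-default={allow_def!s:5} -> {verdict}")
```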
38. uRPF
Anti-Spoofing Techniques – uRPF (Cisco IOS, strict mode)
interface gi0/0
 ip verify unicast source reachable-via rx
 ipv6 verify unicast source reachable-via rx
39. uRPF
Anti-Spoofing Techniques – uRPF (Junos)
family inet {
    rpf-check;
}
family inet6 {
    rpf-check;
}
41. MANRS
Mutually Agreed Norms for Routing Security
● The MANRS community is made up of security-minded network operators
● MANRS members care about routing security
● MANRS members are prepared to spend resources on routing security
● MANRS members are prepared to be held accountable by the community
www.manrs.org
43. MANRS
Global Validation
In order to facilitate validation of routing information on a global scale, network operators must publish their routing information so that other parties can validate it.
44. MANRS
Filtering
In order to prevent propagation of incorrect routing information, network operators must ensure the correctness of their own announcements, and announcements from their customers to adjacent networks, with prefix and AS-path granularity.
45. MANRS
Anti-Spoofing
In order to prevent traffic with spoofed source IP addresses, network operators must enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure.
46. MANRS
Coordination
In order to facilitate global operational communication and coordination between network operators, they must maintain globally accessible and up-to-date contact information.