This document proposes a Recurrence Quantification Analysis (RQA) scheme to detect Border Gateway Protocol (BGP) anomalies in real-time. It models BGP speakers as dynamic systems and uses RQA, a nonlinear analysis technique based on phase plane concepts, to measure characteristics of BGP traffic that can identify anomalies. The scheme is evaluated using a BGP controlled testbed and real-world anomaly events. An open-source real-time BGP anomaly detection tool is also presented.
The document provides an overview of the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents like hijacking and misdirection. It discusses how RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that an Autonomous System is authorized to originate routes for specific IP address blocks. The key components of RPKI include Certificate Authorities, Relying Parties, and routers configured with RPKI support to filter routes based on validation of origin AS authorization. Deployment status at the Regional Internet Registries and an APNIC RPKI service are also covered.
This document provides information about Resource Public Key Infrastructure (RPKI) and IPv4 transfers. It discusses how RPKI helps secure internet routing by preventing route hijacking and minimizing errors. Details are given on how to create and maintain ROA objects. Statistics show uptake of RPKI in various countries and economies in Southeast Asia. The document also covers who can do IPv4 transfers, the transfer process in MyAPNIC, and tips for pre-approval and listing transfers.
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, mn-LAB
info@mn-lab.net
This document contains an agenda and presentation slides for a meeting discussing an Internet Exchange Point (IXP) in Kuala Lumpur, Malaysia. The presentation covers how IXPs work, the benefits they provide, background on MyIX (the local IXP), its peering nodes and membership, traffic growth, and plans for a new office location.
Frank Brockners' presentation from the 2017 Open Networking Summit.
While troubleshooting or planning, did you ever wish to get full insight into which paths *all* your packets take in your network, understand whether your SLA is really in place, or were you ever asked to prove that your traffic really follows the path you specified by service chaining or traffic engineering? We approach this problem by adding meta-data to *all* packets. In-band OAM adds forwarding path information and other information/stats to every data packet - as opposed to relying on probe packets, which is the traditional method that tools like ping or traceroute use. This session will introduce In-band OAM, explain the technology and outline the reference implementation in FD.io/VPP and OpenDaylight using example demos.
BGP Flow Specification allows network operators to define and distribute traffic filtering rules via BGP. This helps operators quickly mitigate DDoS attacks by filtering traffic at an upstream level rather than just blackholing entire prefixes. It separates filtering information from routing data using new BGP address families. Validating flow specifications against the best unicast route helps prevent spoofing. Common filtering actions include traffic policing, sampling, and redirection. While some ISPs have begun implementations, widespread adoption is still needed to realize the benefits of centralized DDoS defense using BGP Flow Specification.
The Next Generation Internet Number Registry Services (MyNOG)
This document provides an overview of registry services, including the Registration Data Access Protocol (RDAP) and the Resource Public Key Infrastructure (RPKI). RDAP is designed to replace the aging WHOIS protocol by providing structured query and response formats to enable automation. RDAP also supports access control, internationalization, redirection and extensibility. RPKI is a PKI framework that adds Internet number resource information to certificates to cryptographically validate resource ownership and authorization of routing announcements. It enables applications like route origin validation to secure the routing system. The document discusses how RDAP and RPKI work and provide benefits like improved security, automation and verification of registry data.
BGP FlowSpec experience and future developments (Pavel Odintsov)
This document discusses BGP FlowSpec, which is a technique for mitigating DDoS attacks. It provides an overview of FlowSpec implementations by various vendors and open source tools. It also discusses operational experience with FlowSpec deployments. While FlowSpec works well against many amplification attacks, the document notes some limitations and areas for improvement. This includes improving router scale, adding flexibility to payload matching, and developing standards for traffic reporting across administrative domains. Overall, FlowSpec is presented as a mature mitigation technique, but one that requires continued development and vendor/operator collaboration to address evolving attacks.
Combating DDoS and why peering is important in Asia (MyNOG)
The document discusses CloudFlare's services for mitigating DDoS attacks and the importance of peering in Asia. CloudFlare works at the network level by routing traffic through its global network of data centers where it performs functions like DNS management, caching, and security. Peering is important because it improves performance, reduces costs, and helps CloudFlare better control routing and isolate attack traffic. The document demonstrates through tests how peering with different Asian providers results in traffic taking more optimal and local paths. Peering is especially important in Asia due to the region's network architecture and ensures CloudFlare can better ingest and mitigate DDoS attacks from multiple ports and locations.
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018 (APNIC)
APNIC Senior R&D Scientist George Michaelson presents on an rDNS outage APNIC experienced in May 2018 at the DNS Day session at Internet Week 2018 in Tokyo, Japan, from 27 to 30 November 2018.
Actual Condition Survey of Malware Download Sites for a Long Period (APNIC)
This document summarizes the results of observing over 60,000 malware download URLs over a period of 1.5 years. It finds that while reports have shown a decrease in the number of websites containing malware, malware download sites tend to be long-lived. Most exist on cloud services or hosting companies, and many reappear multiple times by changing IP addresses or ASes. The document discusses implications for operators, including the need for long-term monitoring and information sharing between network organizations.
RPKI (Resource Public Key Infrastructure), Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
The document discusses challenges and realities of IPv6 deployment based on presentations from a security conference. Key points include:
- IPv6 deployments are growing but not yet widespread, with challenges around remote discovery, dual-stack systems, and outdated tools/firewalls.
- IPv6 support is required by PCI standards; implementation risks are reduced when new, IPv6-prepared infrastructure is used.
- Cloud providers are starting to support IPv6 but full native support will take time and resources to implement across all network devices.
- When assessing IPv6 environments, tools need to discover addresses via various methods and monitor related IPv4 and IPv6 addresses/names.
- Organizations should evaluate their IPv6 capabilities and prepare a security
This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches (APNIC)
APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matzusaki present on the operational trends accompanying worldwide deployment of public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
The document discusses how segment routing can help networks support new services by providing simplified, automated, and scalable IP transport. Segment routing uses source routing techniques and standard routing protocols to enable network slicing, which allows for the efficient sharing of network resources across different services. The key capabilities of segment routing include simplification of network protocols, improved scalability, simplified traffic engineering, and universal forwarding across access and data center networks.
Netflix operates a large content delivery network (CDN) to stream video to over 50 million subscribers globally. To reduce costs and improve performance, Netflix built its own CDN called OpenConnect, using open source software like FreeBSD and Nginx. Netflix has significantly improved the performance of OpenConnect over time by contributions to open source projects, such as reducing locking contention and improving networking, storage, and virtual memory subsystems. Netflix aims to continue optimizing OpenConnect and working with open source communities to achieve its goal of over 80Gbps performance per appliance.
This document provides an overview of network state awareness and troubleshooting techniques. The agenda covers troubleshooting methodology, packet forwarding review, active and passive monitoring, quality of service, control plane, and routing protocol stability. It distinguishes between the control plane, which creates routing information based on aggregated data, and the data plane, which makes forwarding decisions based on packet details. Various troubleshooting tools are discussed like traceroute, interface statistics, NetFlow, and performance monitoring to analyze the network from the data plane perspective.
Global Server Load Balancing with NS1 and NGINX (NGINX, Inc.)
On-Demand Link: https://www.nginx.com/resources/webinars/global-server-load-balancing-ns1-nginx/
About the Webinar
How do you improve performance and high availability across your data centers or points of presence (PoPs)? By entrusting your DNS, DHCP, and IP address management (DDI) to NS1. Built on a modern API-first architecture that acts on real-time data, NS1’s DDI platform is an intelligent, efficient, and automated system.
Deployed behind NS1 or F5, NGINX is an all-in-one software load balancer, content cache, web server, reverse proxy, and API gateway. Attend this webinar to learn about how NGINX integrates with NS1 to improve reliability and resilience.
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet (APNIC)
APNIC Chief Scientist Geoff Huston gave a presentation on the challenges of IPv6 implementation at the Broadband India Forum Session on IPv6, held online on 7 October 2021.
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate (PROIDEA)
Fortinet provides a carrier-grade NAT (CGN) solution using FortiGate firewalls. FortiGate firewalls offer high performance and scalability for CGN deployments through dedicated hardware. They can support millions of concurrent sessions and terabits of throughput. FortiGate firewalls also provide detailed logging, security features like ALGs, and redundancy for carrier networks.
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
This document discusses routing security and the Mutually Agreed Norms for Routing Security (MANRS) initiative. It begins with an overview of routing security issues like route hijacking and leaks that occur due to limitations in the Border Gateway Protocol (BGP). It then describes the four key actions of MANRS - filtering, anti-spoofing, coordination, and global validation - to address these problems. The rest of the document provides examples and explanations of how network operators can implement these MANRS actions to improve routing security.
RPKI is a system that provides validation of IP address and AS number ownership through the use of digital certificates. It aims to reduce routing leaks and hijacking by allowing routers to verify that the origin AS of a route matches what is published in the RPKI database. The key components of RPKI are trust anchors maintained by Regional Internet Registries, Route Origin Authorizations (ROA) that are published by network operators, and validators that check BGP routes against the ROA database.
This document summarizes the results of measuring IPv6 performance by embedding scripts in online ads. IPv6 connections were found to be about as fast as IPv4 connections, with IPv6 being faster around half the time and within 10ms of IPv4 for most connections. However, IPv6 connections were also found to be less reliable, with an average failure rate of 1.5% compared to 0.2% for IPv4. While speeds are generally comparable once established, the higher failure rate of IPv6 connections means IPv4 still has an advantage in reliability of initial connections.
Internet Noise (A Story About Two Little Subnets) - Tom Paseka (MyNOG)
Tom Paseka from Cloudflare presented on internet noise received on the IP blocks 1.1.1.0/24 and 1.0.0.0/24. He discussed that these blocks receive unwanted traffic such as from misconfigurations and misuse. Traffic levels have increased to 8-13Gbps from previous studies. Legitimate traffic makes up an estimated 7-13% and includes DNS queries. Availability testing found issues with over 30 ISPs null routing or using the blocks internally. Documentation recommends blocks like 192.0.2.0/24 for examples but sometimes they are still misused.
Community tools to fight against DDoS, SANOG 27 (APNIC)
Community tools can help fight DDoS attacks in three ways:
1. Bogon filtering blocks traffic from bogon address space not assigned to any network. Networks share bogon lists and filter incoming routes.
2. Flow Sonar provides visual network traffic analysis to detect anomalies indicating attacks. It incorporates DDoS alert feeds to identify compromised sources.
3. UTRS implements remote triggered blackhole filtering to divert suspected attack traffic to a null route. Cooperating networks distribute and apply attack filters to mitigate large infrastructure attacks.
The Border Gateway Protocol (BGP) is the default Internet routing protocol that manages connectivity among Autonomous Systems (ASes). Although BGP disruptions are rare, when they occur the consequences can be very damaging. Consequently there has been considerable effort aimed at understanding what is normal and abnormal BGP traffic and, in so doing, enable potentially disruptive anomalous traffic to be identified quickly. In this paper, we make two contributions. We show that over time BGP messages from BGP speakers have deterministic, recurrence and non-linear properties, then build on this insight to introduce the idea of using Recurrence Quantification Analysis (RQA) to detect BGP instability. RQA can be used to provide rapid identification of traffic anomalies that can lead to BGP instability. Furthermore, RQA is able to detect abnormal behaviours that may pass without observation.
The document discusses BGP (Border Gateway Protocol) and provides an overview of BGP configuration and a lab exercise. It begins with an introduction to BGP and the differences between iBGP and eBGP. Requirements for BGP configuration are outlined along with key commands. Finally, a lab diagram and steps for setting up BGP between two routers are described.
1. The document provides an introduction and tutorial on RPKI (Resource Public Key Infrastructure) and how it can be used to secure Internet routing and validate route origins using digital certificates and public key cryptography.
2. It describes the goals of RPKI to reduce routing leaks and hijacks by allowing ISPs to validate the authenticity of route announcements based on IP and ASN ownership.
3. The presentation demonstrates how to create ROAs (Route Origin Authorizations) and configure routers to validate route origins and make routing decisions based on the RPKI validation results.
The document discusses BGP traffic and its recurrence behavior. It describes how BGP traffic can be analyzed at different levels, from aggregate traffic related to all unstable autonomous systems, to traffic related to individual prefixes within unstable autonomous systems. The document also outlines that BGP traffic occurs in two forms: BGP volume, which is the amount of traffic; and BGP route flapping, which is the instability of routes over time.
This presentation covers routing security at Internet scale in detail, with a focus on IRR. It describes how IRRs work, the challenges in IRR-based filtering and some of the tools that can be used. It also touches on RPKI, as well as developments in IRR-RPKI integration in the next version of the IRR daemon.
Routing Security, Another Elephant in the Room - RIPE NCC
The document discusses routing security issues with the Border Gateway Protocol (BGP) and potential solutions. It notes that BGP was created without security in mind, leaving it vulnerable to hijacking and leaks. Current approaches like RPKI and ROAs provide some protections but have limitations. Future solutions may combine approaches like RPKI, ASPA, and BGPSEC, though ensuring global deployment remains a challenge. The document examines statistics on ROA signing to evaluate progress and outlines educational resources for improving routing security.
This document provides a summary of Bangladesh's network status and security landscape. It finds that many ports are open and vulnerable, including ports 53, 161, 2000, and 80 on Mikrotik devices. IPv6 deployment is growing, led by Cloudflare, Zen-ECN, and telecom companies. RPKI validation of IP addresses is largely invalid. DDoS attacks target both network and application layers. Route leaks and hijacks occur. Shodan data shows many vulnerabilities. Emerging threats include 5G, IoT, supply chain attacks, and more. The document provides references for network and device hardening.
The document discusses BGP anomalies and the need for a BGP testbed to study anomaly detection techniques. It summarizes the types of BGP anomalies, such as direct disruptions from hijacking or misconfigurations. The author proposes building a large-scale BGP testbed using VIRL software to inject anomalies and evaluate detection methods in a repeatable way. The testbed would help address challenges around validating anomaly detection in the complex, global BGP routing system.
Bahaa Al-Musawi presented on BGP anomaly detection. He discussed how BGP works and its vulnerabilities. Four types of BGP anomalies were described: direct intended disruptions, direct unintended disruptions, indirect attacks, and hardware failures. Al-Musawi emphasized the need for a testbed to examine BGP anomalies in order to aid detection. He demonstrated how the VIRL software provides a useful virtual testbed for building and analyzing large scale BGP networks.
The document summarizes information about detecting BGP hijacks in 2014. It provides background on BGP, how prefixes are announced and removed, and examples of prefix hijacks. It describes how a hijacker redirected cryptocurrency miners to earn an estimated $83,000 from February to May 2014. It also outlines active and passive countermeasures networks can take to detect and mitigate against BGP hijacks.
Things I wish I had known about IPv6 before I started - Faelix Ltd
The document discusses things the author wishes they had known about IPv6 before starting to implement it for their small provider network. It covers IPv6 justification in terms of IPv4 address scarcity and rising costs, advice on IPv6 addressing plans and transition technologies, and gotchas like IPv6 neighbor discovery exhaustion issues. The author advocates for embracing IPv6 to avoid expensive IPv4 solutions and make the most of the large IPv6 allocations provided.
- The document provides guidance on configuring BGP and receiving prefixes from different sources such as customers, peers, and upstream providers.
- It emphasizes the importance of proper filtering to only accept prefixes that the source is authorized to announce. This includes checking assignments in regional internet registries.
- Guidelines are given for Cisco IOS configurations to implement the recommended filtering practices for each source type.
The document discusses the 6NET project, which built and operated an IPv6 network across Europe to test IPv6 applications. It provides an overview of the 6NET network topology and details several applications that were tested over the network, including video conferencing using GnomeMeeting and OpenMCU, SIP voice calls using SIP Express Router, and IPv6 streaming demonstrations. The goal of the project was to gain experience with IPv6 and help drive further deployment through testing interoperability and applications.
This document contains information about routing protocols like EIGRP, OSPF, BGP and IPv6 routing. It discusses various topics such as configuring and tuning EIGRP parameters like timers, authentication and metrics. It also covers topics related to OSPF like network types, route filtering, summarization etc. Redistribution between protocols and IPv6 routing concepts are also mentioned. The document contains practical exercises for configuring various routing features on sample networks.
Talk by Paolo Lucente, of NTT Communications, on the BGP Monitoring Protocol (BMP), given before meeting number 44 of the CATNIX Technical Committee on 2 July 2021.
BRT is a tool to replay past BGP updates with their time stamps. Compared with other BGP replay and injection tools, BRT does not require kernel modification of the host OS and supports different BGP attributes. The tool was evaluated using Virtual Internet Routing Lab (VIRL) as a controlled testbed.
Introduction to RPKI by Sheryl (Shane) Hermoso - MyNOG
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
Presentation of ARouteServer, a Python tool to automatically build (and test) feature-rich configurations for BGP route servers.
RIPE NCC::Educa, 10 April 2018
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... - APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... - APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on the APNIC Foundation to the PNG DNS Forum held from 6 to 10 May 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I... - APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41, jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E... - APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presented 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024 - APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presented 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op... - APNIC
Geoff Huston, Chief Scientist at APNIC, delivered a keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119 - APNIC
Paul Wilson, Director General of APNIC, delivered a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119 - APNIC
Tom Harrison, Product and Delivery Manager at APNIC, presented at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
Benefits of doing Internet peering and running an Internet Exchange (IX) pres... - APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC, presented on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024.
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85 - APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19 to 22 February 2024.
Decentralized Justice in Gaming and Esports - Federico Ast
Discover how Kleros is transforming the landscape of dispute resolution in the gaming and eSports industry through the power of decentralized justice.
This presentation, delivered by Federico Ast, CEO of Kleros, explores the innovative application of blockchain technology, crowdsourcing, and incentivized mechanisms to create fair and efficient arbitration processes.
Key Highlights:
- Introduction to Decentralized Justice: Learn about the foundational principles of Kleros and how it combines blockchain with crowdsourcing to develop a novel justice system.
- Challenges in Traditional Arbitration: Understand the limitations of conventional arbitration methods, such as high costs and long resolution times, particularly for small claims in the gaming sector.
- How Kleros Works: A step-by-step guide on the functioning of Kleros, from the initiation of a smart contract to the final decision by a jury of peers.
- Case Studies in eSports: Explore real-world scenarios where Kleros has been applied to resolve disputes in eSports, including issues like cheating, governance, player behavior, and contractual disagreements.
- Practical Implementation: Detailed walkthroughs of how disputes are handled in eSports tournaments, emphasizing speed, cost-efficiency, and fairness.
- Enhanced Transparency: The role of blockchain in providing an immutable and transparent record of proceedings, ensuring trust in the resolution process.
- Future Prospects: The potential expansion of decentralized justice mechanisms across various sectors within the gaming industry.
For more information, visit kleros.io or follow Federico Ast and Kleros on social media:
• Twitter: @federicoast
• Twitter: @kleros_io
How to make a complaint to the police for Social Media Fraud.pdf
Rapid Detection of BGP Anomalies
1. Rapid Detection of BGP Anomalies
Bahaa Al-Musawi, Philip Branch and Grenville Armitage
{balmusawi, pbranch, garmitage}@swin.edu.au
Internet for Things (I4T) Research Group
Swinburne University of Technology
4. http://i4t.swin.edu.au {balmusawi, pbranch, garmitage}@swin.edu.au 12 September 2017 APNIC44
BGP Anomalies
- BGP is the Internet's default inter-domain routing protocol
- It manages network reachability information (NRI) between ASes while guaranteeing loop-free routing
5. BGP Anomalies
- BGP is an incremental protocol
  - Routing Information Base (RIB)
  - Updates
7. BGP Anomalies
- Real-world BGP traffic includes a substantial volume of traffic that does not appear to be related to any event
- It is difficult to define what is meant by an anomaly
- We classify BGP traffic into
  - Unstable BGP traffic
  - Anomalous BGP traffic
[1] B. Al-Musawi, P. Branch, and G. Armitage, "BGP Anomaly Detection Techniques: A Survey," IEEE Communications Surveys & Tutorials, vol. 19, no. 1, pp. 377-396, First quarter 2017
8. BGP Anomalies
- A single BGP update is categorised as anomalous if it
  - Contains an invalid AS number
  - Contains invalid or reserved IP prefixes
  - Announces a prefix from an illegitimate AS
- A set of BGP updates is classified as an anomaly if it
  - Shows a rapid change in the number of BGP updates
  - Contains the longest and shortest paths
  - Shows changes in the behaviour of total BGP traffic over time
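The two-level classification above, as an added Python example (not the authors' RBADT code): classify_update applies the single-update rules and rapid_change_windows the set-level rule on update counts. The bogon ASN list, the authorised-origin table standing in for ROA/IRR data, and the sample updates are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set

# ASN ranges that should never appear in a global AS_PATH (constructed list
# from RFC 7607 for AS 0, RFC 6996 private use, RFC 5398 documentation and
# RFC 7300 last ASNs); refine against an IANA/RIR-sourced bogon feed in practice.
BOGON_ASN_RANGES = [
    (0, 0), (64496, 64511), (64512, 65534), (65535, 65535),
    (65536, 65551), (4200000000, 4294967294), (4294967295, 4294967295),
]


@dataclass
class Update:
    ts: int             # receive time in seconds (constructed sample values)
    prefix: str         # NLRI as text, e.g. "5.6.7.0/24"
    as_path: List[int]  # AS_PATH as received; the origin AS is the last element


def asn_is_bogon(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def prefix_is_reserved(prefix: str) -> bool:
    """Invalid (unparseable, host bits set) or reserved/non-global prefix."""
    try:
        return not ip_network(prefix, strict=True).is_global
    except ValueError:
        return True


def classify_update(u: Update, authorised: Dict[str, Set[int]]) -> List[str]:
    """Single-update check: reasons the update is anomalous (empty if none).
    `authorised` maps a prefix to the origin ASes allowed to announce it, a
    hypothetical stand-in for ROA or IRR data."""
    reasons = []
    if any(asn_is_bogon(a) for a in u.as_path):
        reasons.append("invalid AS number in AS_PATH")
    if prefix_is_reserved(u.prefix):
        reasons.append("invalid or reserved prefix")
    elif u.as_path and u.prefix in authorised and u.as_path[-1] not in authorised[u.prefix]:
        reasons.append("prefix announced by an illegitimate origin AS")
    return reasons


def rapid_change_windows(updates: List[Update], window: int = 10, ratio: float = 5.0) -> List[int]:
    """Set-level check: count updates per `window` seconds and return the start
    time of every window whose count differs from the previous window's by
    more than a factor of `ratio` (a surge or a collapse)."""
    if not updates:
        return []
    counts = Counter(u.ts // window for u in updates)
    flagged, prev = [], counts[min(counts)]
    for bucket in range(min(counts) + 1, max(counts) + 1):
        cur = counts.get(bucket, 0)
        if max(cur, prev) > ratio * max(min(cur, prev), 1):
            flagged.append(bucket * window)
        prev = cur
    return flagged


def constructed_sample() -> List[Update]:
    """30 s of steady updates, a 10 s surge, then near silence (constructed)."""
    ups = []
    for t in range(30):
        ups.append(Update(t, "5.6.7.0/24", [1111, 2222, 3333]))
        ups.append(Update(t, "5.6.8.0/24", [1111, 2222, 4444]))
    for t in range(30, 40):
        ups.extend(Update(t, f"5.{i}.0.0/16", [1111, 2222, 3333]) for i in range(20))
    ups.append(Update(45, "5.6.7.0/24", [1111, 2222, 3333]))
    return ups


AUTHORISED = {"5.6.7.0/24": {3333}, "5.6.8.0/24": {4444}}  # constructed table

if __name__ == "__main__":
    sample = constructed_sample()
    print("surge/collapse windows start at:", rapid_change_windows(sample))
    print(classify_update(Update(50, "10.0.0.0/8", [1111, 0]), AUTHORISED))
```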
10. BGP Anomalies
- BGP traffic has been characterised as
  - Complex
  - Noisy
  - Voluminous: BGP speakers generate up to a GB of BGP traffic per day
Sample of BGP traffic sent by peer AS197264
11. BGP Anomalies
- BGP anomaly detection
  - Can differentiate between unstable and anomalous traffic
  - Can rapidly detect BGP anomalies: 20% of anomalies can affect 90% of the Internet in under 2 minutes [1]
  - Is lightweight and can work in real-time
[1] X. Shi, Y. Xian, Z. Wang, X. Yin, and J. Wu, "Detecting prefix Hijacking in the Internet with Argus," in Proceedings of the 2012 ACM Internet Measurement Conference, IMC'12, 2012
13. Detecting BGP Anomalies using RQA Scheme
- We model BGP speakers as dynamic systems
- Our modelling uses phase plane concepts
Figure source: http://www.acs.psu.edu/drussell/Demos/phase-diagram/phase-diagram.html
14. Detecting BGP Anomalies using RQA Scheme
- We model BGP speakers as dynamic systems
- Our modelling uses phase plane concepts
Figure source: https://en.wikipedia.org
15. Detecting BGP Anomalies using RQA Scheme
- The outcomes of our modelling
  - Deterministic
  - Stable
  - Non-linear
  - Recurrent
16. Detecting BGP Anomalies using RQA Scheme
- Recurrence Quantification Analysis (RQA)
  - An advanced non-linear analysis technique based on phase plane concepts
  - Has multiple measurements
    - RR (recurrence rate): the probability that a system recurs after N time states
    - TT (trapping time): how long a system remains in a specific state
    - T2 (recurrence time of the second type): a measure of the time taken to move from one state to another
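The three measures above, computed in Python on a constructed updates-per-second series; this is an added example, not the authors' implementation, and the embedding dimension, delay, threshold eps and the silent-period anomaly (a speaker that stops sending updates, the kind of hidden behaviour the evaluation slides later show) are assumptions chosen for illustration.

```python
import math
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[int]]


def embed(series: Sequence[float], dim: int, delay: int) -> List[Tuple[float, ...]]:
    """Time-delay embedding: state i = (x[i], x[i+delay], ..., x[i+(dim-1)*delay])."""
    n = len(series) - (dim - 1) * delay
    if n <= 0:
        raise ValueError("series too short for this embedding")
    return [tuple(series[i + k * delay] for k in range(dim)) for i in range(n)]


def recurrence_matrix(states: Sequence[Tuple[float, ...]], eps: float) -> Matrix:
    """R[i][j] = 1 when state i lies within Euclidean distance eps of state j."""
    return [[1 if math.dist(a, b) <= eps else 0 for b in states] for a in states]


def recurrence_rate(R: Matrix) -> float:
    """RR: density of recurrent points, the probability that a state recurs."""
    n = len(R)
    return sum(map(sum, R)) / (n * n)


def vertical_lines(R: Matrix, j: int) -> List[Tuple[int, int]]:
    """(start row, length) of each run of consecutive recurrent points in column j."""
    runs, i, n = [], 0, len(R)
    while i < n:
        if R[i][j]:
            start = i
            while i < n and R[i][j]:
                i += 1
            runs.append((start, i - start))
        else:
            i += 1
    return runs


def trapping_time(R: Matrix, vmin: int = 2) -> float:
    """TT: mean length of vertical lines with at least vmin points, i.e. how long
    the system stays within one neighbourhood of state space (0.0 if none)."""
    lengths = [ln for j in range(len(R)) for _, ln in vertical_lines(R, j) if ln >= vmin]
    return sum(lengths) / len(lengths) if lengths else 0.0


def recurrence_time_t2(R: Matrix) -> float:
    """T2: mean gap between the first points of successive vertical lines in a
    column, the time to leave a neighbourhood and return to it (0.0 if never)."""
    gaps = []
    for j in range(len(R)):
        starts = [s for s, _ in vertical_lines(R, j)]
        gaps.extend(b - a for a, b in zip(starts, starts[1:]))
    return sum(gaps) / len(gaps) if gaps else 0.0


def rqa_measures(series: Sequence[float], dim: int = 2, delay: int = 1,
                 eps: float = 5.0) -> Dict[str, float]:
    """Embedding dimension, delay and threshold are constructed choices here; in
    practice they are tuned per feature (volume, AS-PATH length, ...)."""
    R = recurrence_matrix(embed(series, dim, delay), eps)
    return {"RR": recurrence_rate(R), "TT": trapping_time(R), "T2": recurrence_time_t2(R)}


def constructed_volume(seconds: int = 60, silent: range = range(0)) -> List[int]:
    """Constructed updates-per-second series: a 12 s periodic pattern, forced to
    0 during `silent` to mimic a speaker that quietly stops sending updates."""
    return [0 if t in silent else 20 + round(10 * math.sin(2 * math.pi * t / 12))
            for t in range(seconds)]


def compare() -> Tuple[Dict[str, float], Dict[str, float]]:
    """RQA of the normal series next to one with a 10 s silent period: the
    silent states pile up as long vertical lines, so TT rises."""
    return rqa_measures(constructed_volume()), rqa_measures(constructed_volume(silent=range(30, 40)))


if __name__ == "__main__":
    for label, m in zip(("normal", "silent 30-39 s"), compare()):
        print(label, {k: round(v, 3) for k, v in m.items()})
```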
20. Detecting BGP Anomalies using RQA Scheme
- BGP Controlled Testbed
  - Addresses the lack of time-stamp information for past BGP events
  - Provides ground-truth validation
  - Helps to understand BGP behaviour at the BGP speaker level
  - Also helps to classify BGP updates
21. BGP Controlled Testbed
- Virtual Internet Routing Lab (VIRL)
  - Linux KVM hypervisor
  - OpenStack
  - A set of virtual machines running real Cisco operating systems
- BRT, a tool to replay past BGP updates with time stamps
  - Uses Net::BGP and Multiprotocol Extensions for BGP (RFC 4760)
  - Supports different BGP attributes, IPv6 BGP updates and peering
  - Evaluated using a real Cisco router, VIRL, and Quagga
24. BGP Controlled Testbed
BGP volume and average AS-PATH length features of as20r1
25. BGP Controlled Testbed
T2 measurement for the BGP volume feature
RR measurement for the average AS-PATH length feature
27. RQA Scheme Evaluation
- TP: Number of anomalies classified as anomalies
- TN: Number of normal events classified as normal
- FP: Number of normal events classified as anomalous
- FN: Number of anomalous events classified as normal
28. RQA Scheme Evaluation
Event            Type of anomaly        Date
Nimda            DoS attack             September 2001
TTNet            BGP misconfiguration   December 2004
Moscow blackout  Hardware failure       May 2005
TMnet            BGP misconfiguration   June 2015
29. RQA Scheme Evaluation - TTNet event
BGP traffic sent by the peer AS12793 at rrc05
30. RQA Scheme Evaluation - TTNet event
Hidden anomalous behaviour: BGP updates stop for two minutes
31. RQA Scheme Evaluation - TTNet event
Hidden anomalous period in the underlying system behaviour
32. RQA Scheme Evaluation
- Applying the RQA scheme over 1233794 seconds (14.28 days or 342.72 hours)
- An average of one FP alarm every 42.84 hours
Event            TP   TN        FP   FN
Nimda            7    421405    5    0
TTNet            6    85201     0    0
Moscow blackout  9    597376    3    0
TMnet            8    85205     0    0
Summary          30   1233739   8    0
34. Real-time BGP Anomaly Detection Tool (RBADT)
- BGP collector
  - Net::BGP does not support IPv6 prefixes or connections
  - We developed a patch based on Multiprotocol Extensions for BGP (RFC 4760)
35. Real-time BGP Anomaly Detection Tool (RBADT)
- Emulate the TMnet event by injecting BGP traffic using BRT
- TMnet is an example of BGP misconfiguration
  - AS4788 announced 179,000 prefixes to Level 3
  - Significant packet loss
  - Slow Internet service around the world
37. Real-time BGP Anomaly Detection Tool (RBADT)
- Detecting a high volume of BGP traffic
  - High-volume period starts at 3782 seconds; detection at 3784 seconds
38. BGP Controlled Testbed
- Detecting the hidden anomalous period in the underlying system behaviour
  - Anomalous period 6984-7046 seconds; detection at 7065 seconds
40. Conclusions
- BGP is vulnerable to different types of attacks
- Detecting BGP anomalies is a challenge
- A technique is needed to rapidly differentiate between unstable and anomalous BGP traffic
- BGP speakers are stable, non-linear, and deterministic
- RQA can rapidly detect BGP anomalies
- RQA can detect hidden abnormal behaviours that may otherwise pass without observation
- RQA can detect BGP anomalies with an average of one FP alarm every 42.84 hours
41. Acknowledgements
- BGP Replay Tool (BRT) v0.2 and RBADT v0.1 (under development) were supported in part by the "APNIC Internet Operations Research Grant" under the ISIF Asia 2016 grant scheme
- The VIRL team at Cisco for providing a free license and support
42. Useful links and sources
- Rapid detection of BGP anomalies project: http://caia.swin.edu.au/tools/bgp/brt/
- B. Al-Musawi, P. Branch, and G. Armitage, "Detecting BGP Instability Using Recurrence Quantification Analysis," in 34th International Performance Computing and Communications Conference (IPCCC), 14-16 December 2015
- B. Al-Musawi, P. Branch, and G. Armitage, "BGP Anomaly Detection Techniques: A Survey," IEEE Communications Surveys & Tutorials, vol. 19, no. 1, pp. 377-396, First quarter 2017
- B. Al-Musawi, P. Branch, and G. Armitage, "Recurrence Behaviour of BGP Traffic," in International Telecommunication Networks and Applications Conference (ITNAC) 2017, Melbourne, Australia, 22 November 2017
- B. Al-Musawi, R. Al-Saadi, P. Branch and G. Armitage, "BGP Replay Tool (BRT) v0.2," I4T Research Lab, Swinburne University of Technology, Melbourne, Australia, Tech. Rep. I4TRL-TR-170606A, 06 June 2017. [Online]. Available: http://i4t.swin.edu.au/reports/I4TRL-TR-170606A.pdf