understanding and mitigating internet routing threats
play

Understanding and Mitigating Internet Routing Threats John Kristoff - PowerPoint PPT Presentation

Nov 15, 2022 •208 likes •495 views

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1 One of two critical systems Routing (BGP) and naming

  1. Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1

  2. One of two critical systems Routing (BGP) and naming (DNS) are by far the two most critical subsystems of the Internet infrastructure. In the case of BGP, participation in and access to the routing system itself is generally, or rather should be, limited to a subset of trustworthy nodes and admins. FIRST 2011 John Kristoff & Danny McPherson 2

  3. Agenda • BGP Refresher • Threats • Mitigation FIRST 2011 John Kristoff & Danny McPherson 3

  4. BGP Refresher • Basic protocol overview • BGP message types • BGP path attributes • Properties that affect BGP route decision process • Jargon FIRST 2011 John Kristoff & Danny McPherson 4

  5. Path Vector Routing FIRST 2011 John Kristoff & Danny McPherson 5

  6. BGP over TCP port 179 • One-to-one peering relationship • Inherit TCP behaviors, advantages and threats FIRST 2011 John Kristoff & Danny McPherson 6

  7. Common BGP Header FIRST 2011 John Kristoff & Danny McPherson 7

  8. BGP message types 1 – OPEN 2 – UPDATE 3 – NOTIFICATION 4 – KEEPALIVE 5 – ROUTE-REFRESH FIRST 2011 John Kristoff & Danny McPherson 8

  9. BGP OPEN FIRST 2011 John Kristoff & Danny McPherson 9

  10. BGP UPDATE FIRST 2011 John Kristoff & Danny McPherson 10

  11. BGP NOTIFICATION FIRST 2011 John Kristoff & Danny McPherson 11

  12. Common BGP Path Attributes Well-known Well-known Optional Optional Attribute mandatory discretionary transitive non-transitive ORIGIN X AS_PATH X NEXT_HOP X MULTI_EXIT_DISC X ATOMIC_AGGREGATE X AGGREGATOR X COMMUNITY X MP_REACH_NLRI X FIRST 2011 John Kristoff & Danny McPherson 12

  13. Affecting BGP Route Decisions • Prefix length • LOCAL_PREF • ORIGIN • AS_PATH length • MULTI_EXIT_DISC • Router import and export policies • … and more ... FIRST 2011 John Kristoff & Danny McPherson 13

  14. BGP Operational Challenges • Each AS operates autonomously • Implicit trust (“routing by rumor”) • Configuration and policy intensive • In-band control traffic FIRST 2011 John Kristoff & Danny McPherson 14

  15. Threats • Availability • Confidentiality • Integrity FIRST 2011 John Kristoff & Danny McPherson 15

  16. Threats to Availability • TCP and lower layer attacks • Packet floods and control path congestion • Route instability and churn • Route flap dampening • Disaggregation and route table exhaustion • Implementation bugs and configuration errors • Route hijacking and black holes • Policy disputes FIRST 2011 John Kristoff & Danny McPherson 16

  17. Threats to Confidentiality • Clear text communications • Routing leaks • Policy configuration leaks • Route hijacking FIRST 2011 John Kristoff & Danny McPherson 17

  18. Threats to Integrity • Implementation bugs • Protocol design weaknesses • Compromised systems • Route hijacking • Path editing • Overt or covert transit theft • Divergence FIRST 2011 John Kristoff & Danny McPherson 18

  19. A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan • “...we have identified over 540,000 publicly accessible embedded devices configured with factory default root passwords.” • “...range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment...” • “Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments.” FIRST 2011 John Kristoff & Danny McPherson 19

  20. Mitigation • Protecting the transport • Router BCPs • Route monitoring • Policies and Defensive filtering • RPKI and BGPSEC FIRST 2011 John Kristoff & Danny McPherson 20

  21. Protecting the transport • TCP MD5 signature option and TCP-AO http://tools.ietf.org/html/rfc2385 http://tools.ietf.org/html/rfc5925 • IPSec http://tools.ietf.org/html/rfc4301 • RFC 5082 Generalized TTL Security Mechanism http://tools.ietf.org/html/rfc5082 FIRST 2011 John Kristoff & Danny McPherson 21

  22. Router BCPs • Configuration templates http://www.team-cymru.org/ReadingRoom/Templates/ http://www.nsa.gov/ia/guidance/security_configuration_guides/ • Control plane protection • Limited and protected remote access • Current software • Configuration management FIRST 2011 John Kristoff & Danny McPherson 22

  23. Route monitoring • http://bgpmon.net • http://bgplay.routeviews.org/bgplay/ • http://puck.nether.net/bgp/leakinfo.cgi • http://www.ripe.net/data-tools/stats/ris/ • http://www.team-cymru.org/Monitoring/BGP/ • http://bgp.he.net FIRST 2011 John Kristoff & Danny McPherson 23

  24. Policies and Defensive Filtering • Document policy with peers • Internet Routing Registries (IRRs) • Max prefix and path length limits • Limiting disaggregation • Remote triggered black hole filtering (RTBH) http://tools.ietf.org/search/rfc5635 • Dissemination of Flow Specification Rules http://tools.ietf.org/search/rfc5575 http://www.cymru.com/jtk/misc/community-fs.html FIRST 2011 John Kristoff & Danny McPherson 24

  25. RPKI and BGPSEC • Observation: There is no official, and consequently, no strong association between address assignment and routing announcements • Problem: How do you guard against routing threats, such as hijacks, without a means to verify the routing announcements? FIRST 2011 John Kristoff & Danny McPherson 25

  26. Resource Public Key Infrastructure (RPKI) • RIRs maintain RPKI infrastructure • Prefixes linked to authorized AS • In-band via soBGP or S-BGP • Out-of-band for near-time validation and monitoring • IETF SIDR WG spearheading RPKI work • Only for origin validation • BGPSEC working on path validation • Similar in scope to DNSSEC architectural changes FIRST 2011 John Kristoff & Danny McPherson 26

  27. A Future of IRR with RPKI FIRST 2011 John Kristoff & Danny McPherson 27

  28. In Closing • RFC 4271 A Border Gateway Protocol 4 (BGP-4) • RFC 4593 Generic Threats to Routing Protocols • IETF Secure Inter-Domain Routing (sidr) WG • Academic papers: • Securing BGP – A Literature Survey • A Survey of BGP Security Issues and Solutions • Securing BGP with BGPsec • Feedback or questions to: • dmcpherson@verisign.com and jtk@cymru.com FIRST 2011 John Kristoff & Danny McPherson 28

Recommend

Internet routing is based on routing protocols that collect the input data No off-line route

Internet routing is based on routing protocols that collect the input data No off-line route

Introduction to Routing in Internet Internet basics IPv4 and ICMP Internet Addressing ARP - Address Resolution Protocol Routing Information (Distance Vector ) Protocol Principles 3-1 S-38.121 S-02 Rka, NB Internet routing is based on

214 views • 18 slides
Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture Addressing, routing principles Protocols: IPv4, ICMP, ARP (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-07 / RKa, NB Ethernet Most

635 views • 26 slides
CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996 Internet Routing Instability Labovitz, Malan, Jahanian, 1997 Spring 2013 End to End Routing Behavior Objective: Understand the actual behavior of

595 views • 22 slides
Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan Routing Routing Rout ing prot ocol 5 Goal: det ermine good pat h (sequence of rout ers) t hru 3 B C net work f rom source t o dest .

636 views • 40 slides
Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based ac6on to pro-ac6ve measures Primary Goal : To iden6fy and take ac6on against domains

195 views • 5 slides
Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map

Routing Jeff Chase Duke University IP Routing From Click IP Routing From Click Internet Map The Internet From CAIDA IP Address Allocation Originally (classful addrs), 4 address classes A: 0 | 7 bit network | 24 bit

573 views • 21 slides
SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering

SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering

SmartEntry: Mitigating Routing Update Overhead with Reinforcement Learning for Traffic Engineering Junjie Zhang, Zehua Guo, Minghao Ye , H. Jonathan Chao Background Traffic Engineering (TE): Configure routing to improve network performance

691 views • 15 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org Internet

1.25k views • 70 slides
10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II

10/20/08 Today P561: Network Systems Internet routing (BGP) Week 4: Internetworking II Tunneling and MPLS Wireless routing Wireless handoffs Tom Anderson Ratul Mahajan TA: Colin Dixon 2 Internet today Key goals for Internet routing

488 views • 11 slides
End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet

End-to-End Routing Behavior in the Internet in the Internet Objective Understand the large-scale behavior of routing in the

533 views • 25 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
Danish Internet Day Security of the Internet of Things Mitigating infections spread through

Danish Internet Day Security of the Internet of Things Mitigating infections spread through

Danish Internet Day Security of the Internet of Things Mitigating infections spread through immunisation techniques Farell FOLLY, Ph.D Researcher folly.farell@unibw.de Copenhague, October 1st. 1 Agenda 1. Introduction to the IoT 2.

447 views • 27 slides
Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016

Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016

Global Partnership Program: Title Goes Here Mitigating Biological Threats 5 September 2016 UNCLASSIFIED GPP is Canadas contribution to the Global Partnership Against the Spread of Weapons and Materials of Mass Destruction; More than

521 views • 14 slides
BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. RIPE 66 BIRD overview BIRD Internet Routing Daemon Routing protocols BGP, OSPF and RIP IPv4 and IPv6 support Linux and BSD kernel support Free and open

241 views • 13 slides
Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing Intra-AS: RIP and OSPF (quick recap) Inter-AS: BGP and Policy Routing Internet Control Message Protocol: ICMP network management

888 views • 61 slides
Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet

Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet

Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet Routing May 8, 2012 1 / 71 Introduction Networks may be interconnected using Repeaters Work at the Physical layer Bridges Work at the Data-Link

997 views • 84 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane Foams Clare Perry Environmental Investigation Agency (EIA) International Symposium On The Unexpected Increase in Emissions of Ozone-Depleting

348 views • 18 slides
CS 525M Mobile and Ubiquitous Computing Seminar Ted Goodwin Mitigating Routing Misbehavior

CS 525M Mobile and Ubiquitous Computing Seminar Ted Goodwin Mitigating Routing Misbehavior

CS 525M Mobile and Ubiquitous Computing Seminar Ted Goodwin Mitigating Routing Misbehavior in Mobile Ad Hoc Networks Sergio Marti, T.J. Giuli, Kevin Lai, and Mary Baker Department of Computer Science Stanford University Stanford, CA

454 views • 34 slides
BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada BIRD overview BIRD Internet Routing Daemon Routing protocols BGP, OSPF, RIP and BFD

630 views • 27 slides
Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides

More recommend