SlideShare ist ein Scribd-Unternehmen logo

Improving routing security through concerted action

CSUC - Consorci de Serveis Universitaris de Catalunya
CSUC - Consorci de Serveis Universitaris de Catalunya

The document discusses routing security issues on the internet and proposes solutions through the Mutually Agreed Norms for Routing Security (MANRS) initiative. It outlines how routing works and common issues like route hijacking. It then details the MANRS framework, which establishes baseline security recommendations and builds a community to promote adoption. The goals are to reduce routing incidents through concerted action and make routing more resilient without regulation. Metrics and tools are provided to help operators implement recommendations and measure progress over time.

Technologie
1 von 44
Downloaden Sie, um offline zu lesen
Improving routing security through concerted action 1 Andrei Robachevsky robachevsky@isoc.org CATNIX Technical Commission meeting, June 26, 2020
Insecurity by Design 2 When the Internet was developed, they didn’t build in security by design. The objective was resilience, simplicity and ease of deployment That created the Internet as the best effort, interdependent, general purpose network of networks supporting permission-less innovation. While these qualities have made the Internet so successful, they also contribute to many of its security issues.
The Basics: How Routing Works 3 There are ~68,000 networks (Autonomous Systems) across the Internet, each using a unique Autonomous System Number (ASN) to identify itself to other networks. Routers use Border Gateway Protocol (BGP) to exchange “reachability information” - networks they know how to reach. Routers build a “routing table” and pick the best route when sending a packet, typically based on the shortest path. Much of this exchange is based on trust.
Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 4
Route Leak 5 A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: June 2019. Allegheny leaked routes from another provider to Verizon, causing significant outage. https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer- knocked-large-parts-of-the-internet-offline-today/
IP Address Spoofing 6 IP address spoofing is used to hide the true identity of the server or to impersonate another server. This technique can be used to amplify an attack. Example: DNS amplification attack. By sending multiple spoofed requests to different DNS resolvers, an attacker can prompt many responses from the DNS resolver to be sent to a target, while only using one system to attack. Fix: Source address validation: systems for source address validation can help tell if the end users and customer networks have correct source IP addresses (combined with filtering).
Routing Incidents Cause Real World Problems 7 Event Explanation Repercussions Example Prefix/Route Hijacking A network operator or attacker impersonates another network operator, pretending that a server or network is their client. Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception. The 2008 YouTube hijack April 2018 Amazon Route 53 hijack Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. Can be used for a MITM, including traffic inspection, modification and reconnaissance. November 2018. Google faced a major outage in many parts of the world thanks to a BGP leak. This incident that was caused by a Nigerian ISP MainOne. June 2019. Allegheny leaked routes from another provider to Verizon, causing significant outage. IP Address Spoofing Someone creates IP packets with a false source IP address to hide the identity of the sender or to The root cause of reflection DDoS attacks March 1, 2018. Memcached 1.3Tb/s reflection-amplification attack reported by Akamai
There is a problem (2019) 8 • 10,036 total incidents - either outages or attacks, like route leaks and hijacks • 2.5% of all networks were affected by an outage • 3.8% of all networks were affected by a routing incident • 2% of all networks were responsible for 4232 routing incidents Source: https://www.bgpstream.com/ 58% 4232; 42% Incidents in 2019 Outage Routing incident
Why routing security is so hard? 9 • Each player can contribute to routing security • And be the cause of an incident • Most of them would like to have a more secure routing system • Routing incidents are hard to debug and fix • Most of them have little incentive • One’s network security is in the hands of others We have a typical collective action problem
Can this problem be solved without regulation? 10 Norms may provide a solution in some cases • Need to agree on values. And behaviors that support these values Common Value • Resilient and secure global routing system Behaviors • Do not accept and propagate others mistakes (Validate what you accept from the neighbors) • Protect your neighbors from your own mistakes (avoid policy violations) • Do not hijack • Do not leak • Enable others to validate
From Behaviors to Norms 11 Widely accepted as a good practice Not exactly a least common denominator, but not too high either Visible and Measurable
We Are In This Together 12 Network operators have a collective responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that mitigates incidents from bad actors and accidental misconfigurations that wreak havoc on the Internet. Security of your network depends on measures taken by other operators. The more network operators work together, the fewer incidents there will be, and the less damage they can do.
13 Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to reduce the most common routing threats
14 Mutually Agreed Norms for Routing Security MANRS provides baseline recommendations in the form of Actions • Distilled from common behaviors – BCPs, optimized for low cost and low risk of deployment • With high potential of becoming norms MANRS builds a visible community of security minded operators • Social acceptance and peer pressure
MANRS – increasing adoption 15
Action – who can make an impact? • Enterprise and access networks • Transit providers • IXPs • CDNs and Cloud providers IX Content Cloud Transit Access
Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common databases (RIR whois, IRR, PeeringDB) Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Network operators – MANRS launch, November 2014 Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate 17
MANRS IXP Programme 18 There is synergy between MANRS and IXPs • IXPs form communities with a common operational objective • MANRS is a reference point with a global presence – useful for building a “safe neighborhood” How can IXPs contribute? • Implement a set of Actions that demonstrate the commitment of an IXP and bring significant improvement to the resilience and security of the peering relationships
MANRS IXP Actions Action 1 Prevent propagation of incorrect routing information This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). 19 Action 2 Promote MANRS to the IXP membership IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions. Action 3 Protect the peering platform This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic. Action 4 Facilitate global operational communication and coordination The IXP facilitates communication among members by providing necessary mailing lists and member directories. Action 5 Provide monitoring and debugging tools to the members. The IXP provides a looking glass for its members.
MANRS IXP Program – launched in April 2018 20
The CDN and Cloud programme (launched on March 31) 21 Leverage their peering power, but also bring benefits: • Create a secure network peering environment, preventing potential attacks at their border • Encourage better routing hygiene from your peering partners • Signal organization security-forward posture • Demonstrate responsible behavior • Improve operational efficiency for peering interconnections, minimizing incidents and providing more granular insight for troubleshooting
The Task Force 22 Alejandro Becerra Gonzalez (Telefonica) Andrei Robachevsky (Internet Society, Editor) Arturo Servin (Google) Carlos Asensio (Nexica) Chris Morrow (Google) Christian Kaufmann (Akamai) Daniel Ponticello (Redder) Gary Ratterree (Microsoft) Ibrahim Seremet (Verisign) Jerome Fleury (Cloudflare) JJ Crawford (Facebook) Kay Rechthien (Akamai) Kevin Blumberg (TORIX) Marcus Grando (Azion) Martin J. Levy (Cloudflare) Marty Strong (Facebook) Rob Spiger (Microsoft) Rogério Mariano (Azion) Ronan Mullally (Akamai) Ray Sliteris (Facebook) Steve Peters (Facebook) Tale Lawrence (Oracle) Tony Tauber (Comcast) Yong Kim (Verisign)
MANRS Actions for CDN&Cloud Action 1 Prevent propagation of incorrect routing information Egress filtering Ingress filtering – non-transit peers, explicit whitelists 23 Action 2 Prevent traffic with illegitimate source IP addresses Anti-spoofing controls to prevent packets with illegitimate source IP address Action 3 Facilitate global operational communication and coordination Contact information in PeeringDB and relevant RIR databases Action 4 Facilitate validation of routing information on a global scale Publicly document ASNs and prefixes that are intended to be advertised to external parties. Action 5 Encourage MANRS adoption Actively encourage MANRS adoption among the peers Action 6 Provide monitoring and debugging tools to peering partners Provide monitoring tools to indicate incorrect announcements from peers that were filtered by the CDN&Cloud operator.
24
2014-11-06 2015-05-06 2015-11-06 2016-05-06 2016-11-06 2017-05-06 2017-11-06 2018-05-06 2018-11-06 2019-05-06 2019-11-06 2020-05-06 GROWTH OF THE MANRS MEMBERSHIP (NETWORK OPERATORS) 200 100 50 25 375 ISPs 55 IXPs 10 CDN&Clouds 300
Demography of participants 26 BR US IT DE UK JP NL CA RU BD CH ES SE BR US IT DE UK JP NL CA RU BD CH ES SE
27
MANRS – capacity building 28
MANRS Implementation Guide 29 A resource to help Operators implement MANRS Actions. • Based on Best Current Operational Practices deployed by network operators around the world • https://www.manrs.org/bcop/ • Has received recognition from the RIPE community by being published as RIPE-706
MANRS Training Tutorials 30 6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial. https://www.manrs.org/tutorials
MANRS Hands-on Lab 31 The prototype lab is ready, finalizing the production version. • Cisco • Juniper • Mikrotik Can be used as a standalone lab or as an end-exam
Measuring MANRS Readiness 32
Motivation Inform MANRS members about their degree of commitment • Improve reputation and transparency of the effort • Facilitate continuous improvement and correction Provide a factual state of routing security as it relates to MANRS • Support the problem statement with data • Demonstrate the impact and progress • Network, country, region, over time Improve robustness of the evaluation process • Make it more comprehensive and consistent • Reduce the load • Allow preparation (self-assessment)
Measurement framework • Passive • Based on third party open data sources 34
Data sources and caveats 35 Action Measurement Data source Caveats Filtering M1, M1C, M2, M2C Route hijacks and leaks BGPStream.com False positives, obscure algorithms, vantage points Filtering M3, M3C, M4, M4C “Bogon” announcements CIDR report Limited vantage points Anti-spoofing M5 Negative tests CAIDA Spoofer Sparse, active Coordination M8 Registered contacts RIRs Whois DBs Stale/non-responsive contacts not detected Global validation M7IRR, M7RPKI, M7RPKIN Coverage of routing announcements IRRs, RPKI
MANRS Observatory Public view – granularity: region, economy, pre-defined groups (e.g. MANRS) Private view – granularity: region, economy, ASN 36
MANRS Observatory 37 Provides a factual state of routing security as it relates to MANRS
MANRS Observatory 38 Provides a factual state of routing security as it relates to MANRS
Informs MANRS members about their degree of commitment MANRS Observatory 39
MANRS is an Important Step 40 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum an operator should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all of the Internet’s routing problems, but it is an important step toward a globally robust and secure routing infrastructure.
Why join MANRS? • Improve your security posture and reduce the number and impact of routing incidents • Demonstrate that these practices are reality • Meet the expectations of the operators community • Join a community of security-minded operators working together to make the Internet better • Use MANRS as a competitive differentiator 41
Join Us 42 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives
manrs.org #ProtectTheCore MANRS Observatory: https://observatory.manrs.org 43
Questions? 44 https://www.manrs.org Feedback: manrs@isoc.org

Empfohlen

Common Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesCommon Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesMazeBolt Technologies
 
IRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET Journal
 
Final report
Final reportFinal report
Final reportRaja Farhat
 
Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
 
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...MazeBolt Technologies
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014Raleigh ISSA
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 Networks
 
Ix3615551559
Ix3615551559Ix3615551559
Ix3615551559IJERA Editor
 

Empfohlen

Common Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesCommon Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesMazeBolt Technologies
 
IRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET Journal
 
Final report
Final reportFinal report
Final reportRaja Farhat
 
Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
 
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...MazeBolt Technologies
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014Raleigh ISSA
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 Networks
 
Ix3615551559
Ix3615551559Ix3615551559
Ix3615551559IJERA Editor
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack Ahmed Salama
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta swet4
 
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
 
Impact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsImpact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
 
A041201010
A041201010A041201010
A041201010ijceronline
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationR. Blake Martin
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...IJECEIAES
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
 
The apt identification and blocking through ids in manet
The apt identification and blocking through ids in manetThe apt identification and blocking through ids in manet
The apt identification and blocking through ids in manetijctet
 
DDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseDDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseNETSCOUT
 
Study of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbedStudy of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
 
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSLATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSIJCNCJournal
 
9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time 9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time Haltdos
 
IRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET Journal
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyEliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyMazeBolt Technologies
 
Study of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc NetworksStudy of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc NetworksIRJET Journal
 
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsA Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsIJMER
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityObika Gellineau
 
Routing is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it togetherRouting is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it togetherAPNIC
 

Weitere ähnliche Inhalte

Was ist angesagt?

Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta swet4
 
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
 
Impact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsImpact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationR. Blake Martin
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...IJECEIAES
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
 
The apt identification and blocking through ids in manet
The apt identification and blocking through ids in manetThe apt identification and blocking through ids in manet
The apt identification and blocking through ids in manetijctet
 
DDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseDDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseNETSCOUT
 
Study of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbedStudy of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
 
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSLATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSIJCNCJournal
 
9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time 9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time Haltdos
 
IRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET Journal
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyEliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyMazeBolt Technologies
 
Study of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc NetworksStudy of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc NetworksIRJET Journal
 
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsA Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsIJMER
 

Was ist angesagt? (18)

DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta
 
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
 
Impact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsImpact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail Applications
 
A041201010
A041201010A041201010
A041201010
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
 
The apt identification and blocking through ids in manet
The apt identification and blocking through ids in manetThe apt identification and blocking through ids in manet
The apt identification and blocking through ids in manet
 
DDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseDDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in Defense
 
Study of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbedStudy of flooding based d do s attacks and their effect using deter testbed
Study of flooding based d do s attacks and their effect using deter testbed
 
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSLATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
 
9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time 9 Steps For Fighting Against a DDos Attack in real-time
9 Steps For Fighting Against a DDos Attack in real-time
 
IRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network Attacks
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyEliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
 
Study of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc NetworksStudy of Layering-Based Attacks in a Mobile Ad Hoc Networks
Study of Layering-Based Attacks in a Mobile Ad Hoc Networks
 
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsA Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
 

Ähnlich wie Improving routing security through concerted action

PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityObika Gellineau
 
Routing is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it togetherRouting is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it togetherAPNIC
 
ION Cape Town - Collective Responsibility for Routing Security and MANRS
ION Cape Town - Collective Responsibility for Routing Security and MANRSION Cape Town - Collective Responsibility for Routing Security and MANRS
ION Cape Town - Collective Responsibility for Routing Security and MANRSDeploy360 Programme (Internet Society)
 
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Internet Society
 
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET Journal
 
Ijarcet vol-2-issue-3-875-880
Ijarcet vol-2-issue-3-875-880Ijarcet vol-2-issue-3-875-880
Ijarcet vol-2-issue-3-875-880Editor IJARCET
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.RAVI RAJ
 
IRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET Journal
 
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITYA NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITYIJCI JOURNAL
 
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGYHOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGYcscpconf
 
How to detect middleboxes guidelines on a methodology
How to detect middleboxes guidelines on a methodologyHow to detect middleboxes guidelines on a methodology
How to detect middleboxes guidelines on a methodologycsandit
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityIAEME Publication
 
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNS
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSDESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNS
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSIJNSA Journal
 

Ähnlich wie Improving routing security through concerted action (20)

PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing Security
 
Routing is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it togetherRouting is at Risk - Let’s secure it together
Routing is at Risk - Let’s secure it together
 
ION Cape Town - Collective Responsibility for Routing Security and MANRS
ION Cape Town - Collective Responsibility for Routing Security and MANRSION Cape Town - Collective Responsibility for Routing Security and MANRS
ION Cape Town - Collective Responsibility for Routing Security and MANRS
 
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
 
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
 
G0421040042
G0421040042G0421040042
G0421040042
 
Ijarcet vol-2-issue-3-875-880
Ijarcet vol-2-issue-3-875-880Ijarcet vol-2-issue-3-875-880
Ijarcet vol-2-issue-3-875-880
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
IRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack Detection
 
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITYA NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
 
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
 
CY.pptx
CY.pptxCY.pptx
CY.pptx
 
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGYHOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY
 
How to detect middleboxes guidelines on a methodology
How to detect middleboxes guidelines on a methodologyHow to detect middleboxes guidelines on a methodology
How to detect middleboxes guidelines on a methodology
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRS
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNS
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSDESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNS
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNS
 

Mehr von CSUC - Consorci de Serveis Universitaris de Catalunya

Mehr von CSUC - Consorci de Serveis Universitaris de Catalunya (20)

Tendencias en herramientas de monitorización de redes y modelo de madurez en ...
Tendencias en herramientas de monitorización de redes y modelo de madurez en ...Tendencias en herramientas de monitorización de redes y modelo de madurez en ...
Tendencias en herramientas de monitorización de redes y modelo de madurez en ...
 
Quantum Computing Master Class 2024 (Quantum Day)
Quantum Computing Master Class 2024 (Quantum Day)Quantum Computing Master Class 2024 (Quantum Day)
Quantum Computing Master Class 2024 (Quantum Day)
 
Publicar dades de recerca amb el Repositori de Dades de Recerca
Publicar dades de recerca amb el Repositori de Dades de RecercaPublicar dades de recerca amb el Repositori de Dades de Recerca
Publicar dades de recerca amb el Repositori de Dades de Recerca
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Formació RDM: com fer un pla de gestió de dades amb l’eiNa DMP?
Formació RDM: com fer un pla de gestió de dades amb l’eiNa DMP?Formació RDM: com fer un pla de gestió de dades amb l’eiNa DMP?
Formació RDM: com fer un pla de gestió de dades amb l’eiNa DMP?
 
Com pot ajudar la gestió de les dades de recerca a posar en pràctica la ciènc...
Com pot ajudar la gestió de les dades de recerca a posar en pràctica la ciènc...Com pot ajudar la gestió de les dades de recerca a posar en pràctica la ciènc...
Com pot ajudar la gestió de les dades de recerca a posar en pràctica la ciènc...
 
Security Human Factor Sustainable Outputs: The Network eAcademy
Security Human Factor Sustainable Outputs: The Network eAcademySecurity Human Factor Sustainable Outputs: The Network eAcademy
Security Human Factor Sustainable Outputs: The Network eAcademy
 
The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)
 
Facilitar la gestión, visibilidad y reutilización de los datos de investigaci...
Facilitar la gestión, visibilidad y reutilización de los datos de investigaci...Facilitar la gestión, visibilidad y reutilización de los datos de investigaci...
Facilitar la gestión, visibilidad y reutilización de los datos de investigaci...
 
La gestión de datos de investigación en las bibliotecas universitarias españolas
La gestión de datos de investigación en las bibliotecas universitarias españolasLa gestión de datos de investigación en las bibliotecas universitarias españolas
La gestión de datos de investigación en las bibliotecas universitarias españolas
 
Disposes de recursos il·limitats? Prioritza estratègicament els teus projecte...
Disposes de recursos il·limitats? Prioritza estratègicament els teus projecte...Disposes de recursos il·limitats? Prioritza estratègicament els teus projecte...
Disposes de recursos il·limitats? Prioritza estratègicament els teus projecte...
 
Les persones i les seves capacitats en el nucli de la transformació digital. ...
Les persones i les seves capacitats en el nucli de la transformació digital. ...Les persones i les seves capacitats en el nucli de la transformació digital. ...
Les persones i les seves capacitats en el nucli de la transformació digital. ...
 
Enginyeria Informàtica: una cursa de fons
Enginyeria Informàtica: una cursa de fonsEnginyeria Informàtica: una cursa de fons
Enginyeria Informàtica: una cursa de fons
 
Transformació de rols i habilitats en un món ple d'IA
Transformació de rols i habilitats en un món ple d'IATransformació de rols i habilitats en un món ple d'IA
Transformació de rols i habilitats en un món ple d'IA
 
Difusió del coneixement a l'Il·lustre Col·legi de l'Advocacia de Barcelona
Difusió del coneixement a l'Il·lustre Col·legi de l'Advocacia de BarcelonaDifusió del coneixement a l'Il·lustre Col·legi de l'Advocacia de Barcelona
Difusió del coneixement a l'Il·lustre Col·legi de l'Advocacia de Barcelona
 
Fons de discos perforats de cartró
Fons de discos perforats de cartróFons de discos perforats de cartró
Fons de discos perforats de cartró
 
Biblioteca Digital Gencat
Biblioteca Digital GencatBiblioteca Digital Gencat
Biblioteca Digital Gencat
 
El fons Enrique Tierno Galván: recepció, tractament i difusió
El fons Enrique Tierno Galván: recepció, tractament i difusióEl fons Enrique Tierno Galván: recepció, tractament i difusió
El fons Enrique Tierno Galván: recepció, tractament i difusió
 
El CIDMA: més enllà dels espais físics
El CIDMA: més enllà dels espais físicsEl CIDMA: més enllà dels espais físics
El CIDMA: més enllà dels espais físics
 
Els serveis del CSUC per a la comunitat CCUC
Els serveis del CSUC per a la comunitat CCUCEls serveis del CSUC per a la comunitat CCUC
Els serveis del CSUC per a la comunitat CCUC
 

Kürzlich hochgeladen

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Kürzlich hochgeladen (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Improving routing security through concerted action

  • 1. Improving routing security through concerted action 1 Andrei Robachevsky robachevsky@isoc.org CATNIX Technical Commission meeting, June 26, 2020
  • 2. Insecurity by Design 2 When the Internet was developed, they didn’t build in security by design. The objective was resilience, simplicity and ease of deployment That created the Internet as the best effort, interdependent, general purpose network of networks supporting permission-less innovation. While these qualities have made the Internet so successful, they also contribute to many of its security issues.
  • 3. The Basics: How Routing Works 3 There are ~68,000 networks (Autonomous Systems) across the Internet, each using a unique Autonomous System Number (ASN) to identify itself to other networks. Routers use Border Gateway Protocol (BGP) to exchange “reachability information” - networks they know how to reach. Routers build a “routing table” and pick the best route when sending a packet, typically based on the shortest path. Much of this exchange is based on trust.
  • 4. Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 4
  • 5. Route Leak 5 A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: June 2019. Allegheny leaked routes from another provider to Verizon, causing significant outage. https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer- knocked-large-parts-of-the-internet-offline-today/
  • 6. IP Address Spoofing 6 IP address spoofing is used to hide the true identity of the server or to impersonate another server. This technique can be used to amplify an attack. Example: DNS amplification attack. By sending multiple spoofed requests to different DNS resolvers, an attacker can prompt many responses from the DNS resolver to be sent to a target, while only using one system to attack. Fix: Source address validation: systems for source address validation can help tell if the end users and customer networks have correct source IP addresses (combined with filtering).
  • 7. Routing Incidents Cause Real World Problems 7 Event Explanation Repercussions Example Prefix/Route Hijacking A network operator or attacker impersonates another network operator, pretending that a server or network is their client. Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception. The 2008 YouTube hijack April 2018 Amazon Route 53 hijack Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. Can be used for a MITM, including traffic inspection, modification and reconnaissance. November 2018. Google faced a major outage in many parts of the world thanks to a BGP leak. This incident that was caused by a Nigerian ISP MainOne. June 2019. Allegheny leaked routes from another provider to Verizon, causing significant outage. IP Address Spoofing Someone creates IP packets with a false source IP address to hide the identity of the sender or to The root cause of reflection DDoS attacks March 1, 2018. Memcached 1.3Tb/s reflection-amplification attack reported by Akamai
  • 8. There is a problem (2019) 8 • 10,036 total incidents - either outages or attacks, like route leaks and hijacks • 2.5% of all networks were affected by an outage • 3.8% of all networks were affected by a routing incident • 2% of all networks were responsible for 4232 routing incidents Source: https://www.bgpstream.com/ 58% 4232; 42% Incidents in 2019 Outage Routing incident
  • 9. Why routing security is so hard? 9 • Each player can contribute to routing security • And be the cause of an incident • Most of them would like to have a more secure routing system • Routing incidents are hard to debug and fix • Most of them have little incentive • One’s network security is in the hands of others We have a typical collective action problem
  • 10. Can this problem be solved without regulation? 10 Norms may provide a solution in some cases • Need to agree on values. And behaviors that support these values Common Value • Resilient and secure global routing system Behaviors • Do not accept and propagate others mistakes (Validate what you accept from the neighbors) • Protect your neighbors from your own mistakes (avoid policy violations) • Do not hijack • Do not leak • Enable others to validate
  • 11. From Behaviors to Norms 11 Widely accepted as a good practice Not exactly a least common denominator, but not too high either Visible and Measurable
  • 12. We Are In This Together 12 Network operators have a collective responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that mitigates incidents from bad actors and accidental misconfigurations that wreak havoc on the Internet. Security of your network depends on measures taken by other operators. The more network operators work together, the fewer incidents there will be, and the less damage they can do.
  • 13. 13 Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to reduce the most common routing threats
  • 14. 14 Mutually Agreed Norms for Routing Security MANRS provides baseline recommendations in the form of Actions • Distilled from common behaviors – BCPs, optimized for low cost and low risk of deployment • With high potential of becoming norms MANRS builds a visible community of security minded operators • Social acceptance and peer pressure
  • 15. MANRS – increasing adoption 15
  • 16. Action – who can make an impact? • Enterprise and access networks • Transit providers • IXPs • CDNs and Cloud providers IX Content Cloud Transit Access
  • 17. Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common databases (RIR whois, IRR, PeeringDB) Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Network operators – MANRS launch, November 2014 Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate 17
  • 18. MANRS IXP Programme 18 There is synergy between MANRS and IXPs • IXPs form communities with a common operational objective • MANRS is a reference point with a global presence – useful for building a “safe neighborhood” How can IXPs contribute? • Implement a set of Actions that demonstrate the commitment of an IXP and bring significant improvement to the resilience and security of the peering relationships
  • 19. MANRS IXP Actions Action 1 Prevent propagation of incorrect routing information This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). 19 Action 2 Promote MANRS to the IXP membership IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions. Action 3 Protect the peering platform This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic. Action 4 Facilitate global operational communication and coordination The IXP facilitates communication among members by providing necessary mailing lists and member directories. Action 5 Provide monitoring and debugging tools to the members. The IXP provides a looking glass for its members.
  • 20. MANRS IXP Program – launched in April 2018 20
  • 21. The CDN and Cloud programme (launched on March 31) 21 Leverage their peering power, but also bring benefits: • Create a secure network peering environment, preventing potential attacks at their border • Encourage better routing hygiene from your peering partners • Signal organization security-forward posture • Demonstrate responsible behavior • Improve operational efficiency for peering interconnections, minimizing incidents and providing more granular insight for troubleshooting
  • 22. The Task Force 22 Alejandro Becerra Gonzalez (Telefonica) Andrei Robachevsky (Internet Society, Editor) Arturo Servin (Google) Carlos Asensio (Nexica) Chris Morrow (Google) Christian Kaufmann (Akamai) Daniel Ponticello (Redder) Gary Ratterree (Microsoft) Ibrahim Seremet (Verisign) Jerome Fleury (Cloudflare) JJ Crawford (Facebook) Kay Rechthien (Akamai) Kevin Blumberg (TORIX) Marcus Grando (Azion) Martin J. Levy (Cloudflare) Marty Strong (Facebook) Rob Spiger (Microsoft) Rogério Mariano (Azion) Ronan Mullally (Akamai) Ray Sliteris (Facebook) Steve Peters (Facebook) Tale Lawrence (Oracle) Tony Tauber (Comcast) Yong Kim (Verisign)
  • 23. MANRS Actions for CDN&Cloud Action 1 Prevent propagation of incorrect routing information Egress filtering Ingress filtering – non-transit peers, explicit whitelists 23 Action 2 Prevent traffic with illegitimate source IP addresses Anti-spoofing controls to prevent packets with illegitimate source IP address Action 3 Facilitate global operational communication and coordination Contact information in PeeringDB and relevant RIR databases Action 4 Facilitate validation of routing information on a global scale Publicly document ASNs and prefixes that are intended to be advertised to external parties. Action 5 Encourage MANRS adoption Actively encourage MANRS adoption among the peers Action 6 Provide monitoring and debugging tools to peering partners Provide monitoring tools to indicate incorrect announcements from peers that were filtered by the CDN&Cloud operator.
  • 24. 24
  • 27. 27
  • 28. MANRS – capacity building 28
  • 29. MANRS Implementation Guide 29 A resource to help Operators implement MANRS Actions. • Based on Best Current Operational Practices deployed by network operators around the world • https://www.manrs.org/bcop/ • Has received recognition from the RIPE community by being published as RIPE-706
  • 30. MANRS Training Tutorials 30 6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial. https://www.manrs.org/tutorials
  • 31. MANRS Hands-on Lab 31 The prototype lab is ready, finalizing the production version. • Cisco • Juniper • Mikrotik Can be used as a standalone lab or as an end-exam
  • 33. Motivation Inform MANRS members about their degree of commitment • Improve reputation and transparency of the effort • Facilitate continuous improvement and correction Provide a factual state of routing security as it relates to MANRS • Support the problem statement with data • Demonstrate the impact and progress • Network, country, region, over time Improve robustness of the evaluation process • Make it more comprehensive and consistent • Reduce the load • Allow preparation (self-assessment)
  • 34. Measurement framework • Passive • Based on third party open data sources 34
  • 35. Data sources and caveats 35 Action Measurement Data source Caveats Filtering M1, M1C, M2, M2C Route hijacks and leaks BGPStream.com False positives, obscure algorithms, vantage points Filtering M3, M3C, M4, M4C “Bogon” announcements CIDR report Limited vantage points Anti-spoofing M5 Negative tests CAIDA Spoofer Sparse, active Coordination M8 Registered contacts RIRs Whois DBs Stale/non-responsive contacts not detected Global validation M7IRR, M7RPKI, M7RPKIN Coverage of routing announcements IRRs, RPKI
  • 36. MANRS Observatory Public view – granularity: region, economy, pre-defined groups (e.g. MANRS) Private view – granularity: region, economy, ASN 36
  • 37. MANRS Observatory 37 Provides a factual state of routing security as it relates to MANRS
  • 38. MANRS Observatory 38 Provides a factual state of routing security as it relates to MANRS
  • 39. Informs MANRS members about their degree of commitment MANRS Observatory 39
  • 40. MANRS is an Important Step 40 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum an operator should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all of the Internet’s routing problems, but it is an important step toward a globally robust and secure routing infrastructure.
  • 41. Why join MANRS? • Improve your security posture and reduce the number and impact of routing incidents • Demonstrate that these practices are reality • Meet the expectations of the operators community • Join a community of security-minded operators working together to make the Internet better • Use MANRS as a competitive differentiator 41
  • 42. Join Us 42 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives