SlideShare ist ein Scribd-Unternehmen logo

Routing Security in 2017 – We can do better!

APNIC
APNIC

Presentation by Andrei Robachevsky at APRICOT 2018 on Tuesday, 27 February 2018.

Internet
1 von 33
Internet Society © 1992–2016 And how MANRS can help Routing Security in 2017 – We can do better! Andrei Robachevsky robachevsky@isoc.org APRICOT 2018 Presentation title – Client name 1
A Routing Security Primer The Problem 2
The Problem Caption 10/12pt Caption body copy 3 Border Gateway Protocol (BGP) is based entirely on trust • No built-in validation of the legitimacy of updates • The chain of trust spans continents • Lack of reliable resource data
https://bgpstream.com/ Which leads to …
No Day Without an Incident 5 0 20 40 60 80 100 120 1/1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17 6 month of suspicious activity Hijack Leak http://bgpstream.com/
What’s Happening? IP prefix hijack • AS announces prefix it doesn’t originate and wins the ‘best route’ selection • AS announces more specific prefix than what may be announced by originating AS • AS announces it can route traffic through shorter route, whether it exists or not • Packets end up being forwarded to wrong part of Internet • Denial-of-Service (DoS), traffic interception, or impersonating network or service Route leaks • Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider) • Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance • Can be equally devastating 6
What is happening? Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 7
What is happening? Route Leak 8 A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: September 2014. VolumeDrive (AS46664) is a Pennsylvania-based hosting company that uses Cogent (AS174) and Atrato (AS5580) for Internet transit. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. (https://dyn.com/blog/why-the-internet-broke-today/)
Statistics of routing incidents generated from BGPStream data Caveats: • Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change • CC attribution is based on geolocation MaxMind's GeoLite City data set 2017 in review: 14000 routing incidents 9
Global stats 10 • 13,935 total incidents (either outages or attacks like route leaks and hijacks) • Over 10% of all Autonomous Systems on the Internet were affected • 3,106 Autonomous Systems were a victim of at least one routing incident • 1,546 networks caused at least one incident 8631, 62% 5304, 38% Twelve months of routing incidents Outage Routing incident Source: https://www.bgpstream.com/
Outages: APAC 11 406 312 111 103 79 72 37 32 27 16 Outages per country IN ID BD CN KR PK TH AU VN SG 5.7 5.6 6.1 8.55.6 1.4 3.7 8.9 2.6 2.0 Percent of AS's in a country having an outage IN ID KR CN BD AU TH PK VN PH Source: https://www.bgpstream.com/
APAC: potential victims 12 Source: https://www.bgpstream.com/ 299 138 99 93 90 85 69 61 53 44 Incidents with a victim in a country, Top 10 IN BD CN ID MM PH TH AU JP SG 15 14 13 12 12 11 11 11 9 9 Top 10 victims of routing incidents AS63852 AS18399 AS4134 AS38456 AS9498 AS54538 AS134736 AS14762 AS4837 AS24319
APAC: potential culprits 13 351 214 121 95 72 69 67 58 42 31 Incidents with a culprit in a country, top 10 CN IN SG BD MM ID JP PH AU MY Source: https://www.bgpstream.com/ 321 81 33 32 29 27 22 20 19 18 Top 10 potential culprits in routing incidents AS4134 AS7473 AS133385 AS132167 AS10026 AS58601 AS17676 AS17494 AS55644 AS10201
Bogons: APAC 14 6 2 8 25 2 22 1 1 10 1 1 1 # bogon prefixes AU BD CN HK ID IN JP PH ID IN KR TH 52 1 3 1 1 2 1 4 # bogon ASNs AU CN HK IN MY PH TH TH Source: https://www.cidr-report.org/as2.0/
Are There Solutions? 15 Tools - Yes! • Prefix and AS-PATH filtering • RPKI validator, IRRToolset, IRRPT, BGPQ3 • BGPSEC is standardised But… • Lack of reliable data • Lack of deployment
A Tragedy of the Commons 16 From a routing perspective, securing your own network does not necessarily make it more secure. Network security is in someone else’s hands. — The more hands – the better the security Is there a clear, visible, and industry- supported line between good and bad? — A cultural norm?
A vital part of the security solution Mutually Agreed Norms for Routing Security 17
MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. 18
Building a culture of routing hygiene 19 MANRS defines four concrete actions that network operators should implement — Technology-neutral baseline for global adoption — 4 Actions: a minimum set of requirements MANRS builds a visible community of security- minded operators — Promotes culture of collaborative responsibility
MANRS Actions Filtering – Prevent propagation of incorrect routing information • Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing – Prevent traffic with spoofed source IP addresses • Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination – Facilitate global operational communication and coordination between network operators • Maintain globally accessible up-to-date contact information Global Validation – Facilitate validation of routing information on a global scale • Publish your data, so others can validate 20
Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 21 Use an IRR (e.g. APINIC IRR) • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR • AS64500 will need to register its own route object, define its customer-cone using an as-set object, and publish its routing policy with an aut-num object. • AS64500 will use IRRToolset, BGPQ3, IRRPT to generate filters
Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 22 Use RPKI • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements • AS64500 will do the same • AS64500 can use RPKI validator to directly tag the announcements, e.g. route-map rpki permit 10 match rpki valid set local-preference 999 …
Anti-spoofing: Prevent traffic with spoofed source IP addresses 23 Use ingress ACLs ip access-list extended customer1-in-ipv4 permit ip 192.0.2.0 0.0.0.255 any ! ipv6 access-list customer1-in-ipv6 permit ipv6 2001:db8:1001::/48 any ! interface x ip access-group customer1-in-ipv4 in ipv6 traffic-filter customer1-in-ipv6 in Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
Anti-spoofing: Prevent traffic with spoofed source IP addresses 24 Use uRPF ip verify unicast reachable-via rx ipv6 verify unicast reachable-via rx Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
mntner role Inetnum Inet6num . 25 Coordination: Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information aut-num as-set route-set MyAPNIC Portal Abuse Policy Technical NOC Public Relations Sales Network Operations Center Support Team Abuse Team Security Team
ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 Global Validation: Facilitate validation of routing information on a global scale 26 Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties aut-num: AS64500 mp-import: from AS64501 accept AS64501 mp-export: to AS64501 announce ANY ... mp-import: from AS64511 accept AS64511:AS- ALL mp-export: to AS64511 announce 64500:AS-ALL ... source: APNIC route: 192.0.2.0/24 origin: AS64501 source: APNIC route6: 2001:db8:1001::/48 origin: AS64501 source: APNIC route: 198.51.100.0/24 origin: AS64502 source: APNIC route6: 2001:db8:2002::/48 origin: AS64502 source: APNIC route: 203.0.113.0/24 origin: AS64500 source: APNIC route6: 2001:db8:1000::/3 6 origin: AS64500 source: APNIC as-set: AS64500:AS-ALL members: AS64500 members: AS64501, AS64502 source: APNIC ROA: 2001:db8:2002::/4 8 origin: AS64502
More detailed guidance • MANRS Implementation guide • Based on Best Current Operational Practices deployed by network operators around the world • http://www.manrs.org/bcop/ 27 • MANRS online modules • https://www.internetsociety.org/tutorials/manrs/ • Can be delivered in a form of moderated classes
Why to join MANRS? 28 • Improve your security posture and reduce number and impact of routing incidents • Join the community of security minded operators • Use MANRS as a competitive differentiator
Join Us 29 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives
30 LEARN MORE: https://www.manrs.org manrs@isoc.org
Routing security & MANRS: a poll Vote link: http://etc.ch/3uEg 31
Let us look at the results 32 • https://directpoll.com/r?XDbzPBd3ixYqg82ZSamae3gr Z6zRHWuZzYEepTwV3
Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. Andrei Robachevsky robachevsky@isoc.org 33

Empfohlen

PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 

Empfohlen

PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017APNIC
 
Peering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas WilsonPeering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas WilsonMyNOG
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaMyNOG
 
IPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanIPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanAPNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
The curse of the open recursor
The curse of the open recursorThe curse of the open recursor
The curse of the open recursorTom Paseka
 
mnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in MongoliamnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in MongoliaAPNIC
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRBangladesh Network Operators Group
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network OperatorsBangladesh Network Operators Group
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017APNIC
 
Peering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas WilsonPeering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas WilsonMyNOG
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaMyNOG
 
IPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanIPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanAPNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
The curse of the open recursor
The curse of the open recursorThe curse of the open recursor
The curse of the open recursorTom Paseka
 
mnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in MongoliamnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in MongoliaAPNIC
 

Was ist angesagt? (20)

Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKI
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017
 
Peering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas WilsonPeering Talk 101 by Douglas Wilson
Peering Talk 101 by Douglas Wilson
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
 
IPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanIPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in Japan
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
The curse of the open recursor
The curse of the open recursorThe curse of the open recursor
The curse of the open recursor
 
mnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in MongoliamnNOG 3: IP technology adoption in Mongolia
mnNOG 3: IP technology adoption in Mongolia
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 

Ähnlich wie Routing Security in 2017 – We can do better!

LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityObika Gellineau
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 

Ähnlich wie Routing Security in 2017 – We can do better! (20)

MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing Security
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
BGP
BGPBGP
BGP
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na Internet
 

Mehr von APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

Mehr von APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Kürzlich hochgeladen

Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 

Kürzlich hochgeladen (20)

Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 

Routing Security in 2017 – We can do better!

  • 1. Internet Society © 1992–2016 And how MANRS can help Routing Security in 2017 – We can do better! Andrei Robachevsky robachevsky@isoc.org APRICOT 2018 Presentation title – Client name 1
  • 2. A Routing Security Primer The Problem 2
  • 3. The Problem Caption 10/12pt Caption body copy 3 Border Gateway Protocol (BGP) is based entirely on trust • No built-in validation of the legitimacy of updates • The chain of trust spans continents • Lack of reliable resource data
  • 5. No Day Without an Incident 5 0 20 40 60 80 100 120 1/1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17 6 month of suspicious activity Hijack Leak http://bgpstream.com/
  • 6. What’s Happening? IP prefix hijack • AS announces prefix it doesn’t originate and wins the ‘best route’ selection • AS announces more specific prefix than what may be announced by originating AS • AS announces it can route traffic through shorter route, whether it exists or not • Packets end up being forwarded to wrong part of Internet • Denial-of-Service (DoS), traffic interception, or impersonating network or service Route leaks • Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider) • Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance • Can be equally devastating 6
  • 7. What is happening? Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 7
  • 8. What is happening? Route Leak 8 A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: September 2014. VolumeDrive (AS46664) is a Pennsylvania-based hosting company that uses Cogent (AS174) and Atrato (AS5580) for Internet transit. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. (https://dyn.com/blog/why-the-internet-broke-today/)
  • 9. Statistics of routing incidents generated from BGPStream data Caveats: • Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change • CC attribution is based on geolocation MaxMind's GeoLite City data set 2017 in review: 14000 routing incidents 9
  • 10. Global stats 10 • 13,935 total incidents (either outages or attacks like route leaks and hijacks) • Over 10% of all Autonomous Systems on the Internet were affected • 3,106 Autonomous Systems were a victim of at least one routing incident • 1,546 networks caused at least one incident 8631, 62% 5304, 38% Twelve months of routing incidents Outage Routing incident Source: https://www.bgpstream.com/
  • 11. Outages: APAC 11 406 312 111 103 79 72 37 32 27 16 Outages per country IN ID BD CN KR PK TH AU VN SG 5.7 5.6 6.1 8.55.6 1.4 3.7 8.9 2.6 2.0 Percent of AS's in a country having an outage IN ID KR CN BD AU TH PK VN PH Source: https://www.bgpstream.com/
  • 12. APAC: potential victims 12 Source: https://www.bgpstream.com/ 299 138 99 93 90 85 69 61 53 44 Incidents with a victim in a country, Top 10 IN BD CN ID MM PH TH AU JP SG 15 14 13 12 12 11 11 11 9 9 Top 10 victims of routing incidents AS63852 AS18399 AS4134 AS38456 AS9498 AS54538 AS134736 AS14762 AS4837 AS24319
  • 13. APAC: potential culprits 13 351 214 121 95 72 69 67 58 42 31 Incidents with a culprit in a country, top 10 CN IN SG BD MM ID JP PH AU MY Source: https://www.bgpstream.com/ 321 81 33 32 29 27 22 20 19 18 Top 10 potential culprits in routing incidents AS4134 AS7473 AS133385 AS132167 AS10026 AS58601 AS17676 AS17494 AS55644 AS10201
  • 14. Bogons: APAC 14 6 2 8 25 2 22 1 1 10 1 1 1 # bogon prefixes AU BD CN HK ID IN JP PH ID IN KR TH 52 1 3 1 1 2 1 4 # bogon ASNs AU CN HK IN MY PH TH TH Source: https://www.cidr-report.org/as2.0/
  • 15. Are There Solutions? 15 Tools - Yes! • Prefix and AS-PATH filtering • RPKI validator, IRRToolset, IRRPT, BGPQ3 • BGPSEC is standardised But… • Lack of reliable data • Lack of deployment
  • 16. A Tragedy of the Commons 16 From a routing perspective, securing your own network does not necessarily make it more secure. Network security is in someone else’s hands. — The more hands – the better the security Is there a clear, visible, and industry- supported line between good and bad? — A cultural norm?
  • 17. A vital part of the security solution Mutually Agreed Norms for Routing Security 17
  • 18. MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. 18
  • 19. Building a culture of routing hygiene 19 MANRS defines four concrete actions that network operators should implement — Technology-neutral baseline for global adoption — 4 Actions: a minimum set of requirements MANRS builds a visible community of security- minded operators — Promotes culture of collaborative responsibility
  • 20. MANRS Actions Filtering – Prevent propagation of incorrect routing information • Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing – Prevent traffic with spoofed source IP addresses • Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination – Facilitate global operational communication and coordination between network operators • Maintain globally accessible up-to-date contact information Global Validation – Facilitate validation of routing information on a global scale • Publish your data, so others can validate 20
  • 21. Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 21 Use an IRR (e.g. APINIC IRR) • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR • AS64500 will need to register its own route object, define its customer-cone using an as-set object, and publish its routing policy with an aut-num object. • AS64500 will use IRRToolset, BGPQ3, IRRPT to generate filters
  • 22. Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks 22 Use RPKI • In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements • AS64500 will do the same • AS64500 can use RPKI validator to directly tag the announcements, e.g. route-map rpki permit 10 match rpki valid set local-preference 999 …
  • 23. Anti-spoofing: Prevent traffic with spoofed source IP addresses 23 Use ingress ACLs ip access-list extended customer1-in-ipv4 permit ip 192.0.2.0 0.0.0.255 any ! ipv6 access-list customer1-in-ipv6 permit ipv6 2001:db8:1001::/48 any ! interface x ip access-group customer1-in-ipv4 in ipv6 traffic-filter customer1-in-ipv6 in Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
  • 24. Anti-spoofing: Prevent traffic with spoofed source IP addresses 24 Use uRPF ip verify unicast reachable-via rx ipv6 verify unicast reachable-via rx Convince the customer to egress-filter Interface y ip access-group egress-provider out Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
  • 25. mntner role Inetnum Inet6num . 25 Coordination: Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information aut-num as-set route-set MyAPNIC Portal Abuse Policy Technical NOC Public Relations Sales Network Operations Center Support Team Abuse Team Security Team
  • 26. ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 ROA: 2001:db8:2002::/4 8 origin: AS64502 Global Validation: Facilitate validation of routing information on a global scale 26 Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties aut-num: AS64500 mp-import: from AS64501 accept AS64501 mp-export: to AS64501 announce ANY ... mp-import: from AS64511 accept AS64511:AS- ALL mp-export: to AS64511 announce 64500:AS-ALL ... source: APNIC route: 192.0.2.0/24 origin: AS64501 source: APNIC route6: 2001:db8:1001::/48 origin: AS64501 source: APNIC route: 198.51.100.0/24 origin: AS64502 source: APNIC route6: 2001:db8:2002::/48 origin: AS64502 source: APNIC route: 203.0.113.0/24 origin: AS64500 source: APNIC route6: 2001:db8:1000::/3 6 origin: AS64500 source: APNIC as-set: AS64500:AS-ALL members: AS64500 members: AS64501, AS64502 source: APNIC ROA: 2001:db8:2002::/4 8 origin: AS64502
  • 27. More detailed guidance • MANRS Implementation guide • Based on Best Current Operational Practices deployed by network operators around the world • http://www.manrs.org/bcop/ 27 • MANRS online modules • https://www.internetsociety.org/tutorials/manrs/ • Can be delivered in a form of moderated classes
  • 28. Why to join MANRS? 28 • Improve your security posture and reduce number and impact of routing incidents • Join the community of security minded operators • Use MANRS as a competitive differentiator
  • 29. Join Us 29 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives
  • 31. Routing security & MANRS: a poll Vote link: http://etc.ch/3uEg 31
  • 32. Let us look at the results 32 • https://directpoll.com/r?XDbzPBd3ixYqg82ZSamae3gr Z6zRHWuZzYEepTwV3
  • 33. Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. Andrei Robachevsky robachevsky@isoc.org 33