Security Myth of IPv6 and DNS64
A. S. M. Shamim Reza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd
[~]# whoami
Linux Geek
Open Source Software Enthusiast
EC-Council Certified Security Analyst
ASMShamimReza
ShamimRezaSohag
sohag.shamim@gmail.com
The Journey
Importance of Having IPv6
Challenges
Myths and Reality
Associated IPv6 Protocol Security
Do's and Don'ts
Importance of having IPv6
 Running out of IPv4 addresses
 IPv6 has done the math
Challenges
Things we had to Calculate
 Global Internet is not ready for IPv6 only
 Cisco supports NAT64 on the ASR series and above
 User bandwidth management is way too complex
 464XLAT is not supported by general WiFi routers
 Existing server system support
 Operation & Security Policy
 We have almost 50k active customers and are planning for 500k
 Overhead cost of deployment (NAT64 & DNS64)
Things that we came up with
 Existing Bandwidth Manager & Spam firewall support Dual-Stack
 Linux and Windows based systems support IPv6 by default
 Host based IDS and Firewall support IPv6
 As an ISP we need to go with NAT64 & DNS64
 Dual-Stack for Infrastructure & IPv6 Only for end users
 DNS64 will be managed by BIND on CentOS 6
Difference between IPv4 & IPv6
IPv4                IPv6
Web, DNS, DHCP      Web, DNS64, DHCPv6
TCP, UDP            TCP, UDP
ICMP                ICMPv6
Myths and Reality
What have we been told and What have we found
The Myths
IPv6 is too new to be attacked
My network is IPv4 only
Myth - My network is IPv4 only
Reality – All the OSes have IPv6 activated by default
Myth - IPv6 is too new to be attacked
Reality – Same attacks with different names and tactics.
Attacks                            Tools
Reconnaissance                     alive6, Nmap
Amplification                      smurf6, rsmurf6
DHCPv6 Spoofing                    flood_dhcpc6, fake_dhcps6
DAD Spoofing, Redirect Spoofing    dos-new-ip6, redir6
Outcome of Myths
 IPv6 is not more or less secure than IPv4
 Knowledge of the associated protocols is the best security measure
 A mindset change is required
Associated IPv6 Protocol Security
Protocols to be considered before deployment
ICMPv6, NDP, DNS64, DHCPv6
DNS Server – What we had
Authoritative and Recursive DNS
Software resources: CentOS 5 32 bit
bind-utils-9.3.4-10.P1.el5
ypbind-1.19-11.el5
bind-libs-9.3.4-10.P1.el5
Hardware resources: Core – 2; RAM – 4 GB; HDD – SATA 7.2k RPM
DNS Server - What we have Faced
 OS version was about to become obsolete
 Resource utilization was about to max out
 Log search was not administration friendly
DNS Server - What we have done
 Upgraded the OS to CentOS 6 64 bit
 Divided the Authoritative & Recursive into TWO servers
 Deployed the DNS system with CHROOT
 Calculated the sessions of the Recursive DNS system
 Deployed the Recursive server with IP Anycast
 Configured the Recursive log based on search criteria
DNS Server - What we have done
Software Resources: CentOS 6.9 64 bit
bind-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-libs-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-sdb-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-devel-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-chroot-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-utils-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
rpcbind-0.2.0-13.el6_9.1.x86_64
iptables-1.4.7-16.el6.x86_64
iptables-ipv6-1.4.7-16.el6.x86_64
Hardware Resources: CPU Core – 4 with 2 Sockets; RAM – 8 GB DDR4; HDD – SATA/SAS 15k RPM
How DNS64 Works
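The slide above is a diagram with no extracted text. As an added example (not from the deck), here is the address synthesis a DNS64 resolver performs, written in Python from RFC 6052 and RFC 6147: an AAAA answer is synthesized only when the name has no real AAAA record, the IPv4 address is embedded as the low 32 bits of a /96 NAT64 prefix, and the well-known prefix 64:ff9b::/96 must not carry non-global IPv4 addresses. Function names and the sample addresses are constructed, not from the deck or BIND.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Union

# Well-known NAT64 prefix (RFC 6052 section 2.1); an ISP may run a network-specific /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
Prefix = Union[str, ipaddress.IPv6Network]


def _as_prefix(prefix: Prefix) -> ipaddress.IPv6Network:
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def embeddable(ipv4: str, prefix: Prefix = WELL_KNOWN_PREFIX) -> bool:
    """RFC 6052 section 3.1: the well-known prefix must not carry non-global IPv4
    addresses (RFC 1918, loopback, link-local ...); a network-specific prefix may."""
    return _as_prefix(prefix) != WELL_KNOWN_PREFIX or ipaddress.IPv4Address(ipv4).is_global


def synthesize_aaaa(ipv4: str, prefix: Prefix = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix: the four IPv4 bytes become the
    low 32 bits of the IPv6 address (RFC 6052 section 2.2). Other lengths not handled."""
    net = _as_prefix(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    if not embeddable(ipv4, net):
        raise ValueError(f"{ipv4} must not be embedded in {net}")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(ipv6: str, prefix: Prefix = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping, as the NAT64 gateway does it: recover the embedded IPv4
    address, or None when the destination is native IPv6 (outside the prefix)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in _as_prefix(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(aaaa_records: Sequence[str], a_records: Sequence[str],
                 prefix: Prefix = WELL_KNOWN_PREFIX) -> Dict[str, Union[bool, List[str]]]:
    """What the DNS64 resolver hands back for an AAAA query (RFC 6147 section 5.1):
    real AAAA records pass through untouched; synthesis happens only when there are
    none, and A records that cannot be embedded are left out. Synthesized records
    carry no valid DNSSEC signature, so a validating client must synthesize itself."""
    if aaaa_records:
        return {"synthesized": False, "aaaa": list(aaaa_records)}
    made = [synthesize_aaaa(a, prefix) for a in a_records if embeddable(a, prefix)]
    return {"synthesized": True, "aaaa": made}


if __name__ == "__main__":
    # Constructed sample: a dual-stack name, an IPv4-only name, an RFC 1918 address.
    print(dns64_answer(["2001:db8::1"], ["1.2.3.4"]))
    print(dns64_answer([], ["1.2.3.4", "5.6.7.8"]))
    print(dns64_answer([], ["10.0.0.1"]))
    print(extract_ipv4("64:ff9b::102:304"))
```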
DNS64 Server
With the New System - what we have
 We configured DNS64 on the Recursive system
 Forgot to tune the kernel and iptables
 Forgot to calculate the log volume
DNS64 Server
What we have faced
 Sessions per second were 4k
 Increased to 5k per second
 Query response was slower / some of the users were not getting responses
 Hard disk was about to fill up with the stored logs
 For every query there are 2 separate lines, for IPv4 & IPv6
Log Format of DNS64
DNS64 Server
Action that we have taken
 We were getting almost 4 GB of log files in one hour
 Configured log rotation based on file size
 Then we decided to move all the logs to the central server every hour
DNS64 Server
Performance tuning
Checked the System –
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 262144
Changed it –
# sysctl -w net.netfilter.nf_conntrack_max=524288
DNS64 Server
Security tuning
 Configuration is for the sysctl.conf file
1. To stop IPv6 Router Advertisement processing –
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
2. To stop ICMPv6 redirects –
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
DNS64 server
3. To stop DAD related attacks –
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.enp0s8.accept_dad = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.enp0s8.dad_transmits = 0
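As an added example (not from the deck), a Python audit that covers both the Performance tuning slide and the sysctl hardening above: it parses `sysctl -a`-style output, reports any of the deck's IPv6 knobs that are missing or not 0 (including per-interface keys such as enp0s8), and warns when nf_conntrack_count approaches nf_conntrack_max, the condition behind the slow or missing responses the deck describes. The sample output and the function names are constructed.

```python
import re
from typing import Dict, List

# The IPv6 knobs the deck sets to 0 on the resolver. "all" and "default" must both be
# present; per-interface keys (e.g. net.ipv6.conf.enp0s8.accept_dad) are checked as well.
EXPECTED = {
    "accept_ra": "0",         # ignore Router Advertisements (server is statically addressed)
    "accept_redirects": "0",  # ignore ICMPv6 redirects
    "accept_dad": "0",        # no DAD processing: blocks DAD spoofing, but a genuine
    "dad_transmits": "0",     # duplicate address on the segment also goes undetected
}
KNOB_RE = re.compile(r"^net\.ipv6\.conf\.([^.]+)\.(" + "|".join(EXPECTED) + r")$")
CONNTRACK_WARN = 0.80  # warn at 80 % of nf_conntrack_max; at 100 % new flows are dropped

# Constructed sample in `sysctl -a` format: two knobs left at 1, default.dad_transmits
# missing, and the conntrack table full (the count the deck shows, with the limit
# assumed equal to it; the deck does not show the limit before the change).
SAMPLE = """\
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.enp0s8.dad_transmits = 1
net.netfilter.nf_conntrack_count = 262144
net.netfilter.nf_conntrack_max = 262144
"""


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by `sysctl -a` or written in sysctl.conf."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip()
    return values


def audit(values: Dict[str, str]) -> List[str]:
    """Return one finding per deviation; an empty list means the host matches the deck."""
    findings: List[str] = []
    seen = set()
    for key, val in values.items():
        m = KNOB_RE.match(key)
        if not m:
            continue
        scope, knob = m.groups()
        seen.add((scope, knob))
        if val != EXPECTED[knob]:
            findings.append(f"{key}={val} (expected {EXPECTED[knob]})")
    for scope in ("all", "default"):
        for knob in EXPECTED:
            if (scope, knob) not in seen:
                findings.append(f"net.ipv6.conf.{scope}.{knob} not set")
    try:
        count = int(values["net.netfilter.nf_conntrack_count"])
        limit = int(values["net.netfilter.nf_conntrack_max"])
    except (KeyError, ValueError):
        findings.append("conntrack counters unavailable (nf_conntrack module not loaded?)")
    else:
        if count >= limit * CONNTRACK_WARN:
            findings.append(f"conntrack table {count}/{limit} ({100 * count // limit}% full)")
    return findings


def audit_sample() -> List[str]:
    return audit(parse_sysctl(SAMPLE))
```

On a live host, feed `audit(parse_sysctl(subprocess.check_output(["sysctl", "-a"], text=True)))` instead of the constructed SAMPLE.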
DNS64 server
Security tuning
 Configuration is for ip6tables (the slide shows only the DROP rules; with the INPUT policy at DROP, the ACCEPT rules for the resolver's own DNS traffic and established flows are not part of this excerpt)
#!/bin/bash
# Default policies: nothing reaches or transits the host unless a rule accepts it.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Drop anything sent to the all-nodes multicast group (ff02::1), where rogue
# Router Advertisements and multicast floods arrive (consistent with accept_ra=0 above).
ip6tables -I INPUT 1 -d ff02::1 -j DROP
# Drop packets carrying IPv6 extension headers on eth1. --soft matches when the
# named header is present at all, not only when it is the sole extension header.
# Note: dropping "frag" also discards legitimately fragmented datagrams on eth1.
ip6tables -I INPUT 2 -i eth1 -m ipv6header --header dst --soft -j DROP    # Destination Options
ip6tables -I INPUT 3 -i eth1 -m ipv6header --header hop --soft -j DROP    # Hop-by-Hop Options
ip6tables -I INPUT 4 -i eth1 -m ipv6header --header route --soft -j DROP  # Routing header
ip6tables -I INPUT 5 -i eth1 -m ipv6header --header frag --soft -j DROP   # Fragment header
ip6tables -I INPUT 6 -i eth1 -m ipv6header --header auth --soft -j DROP   # AH
ip6tables -I INPUT 7 -i eth1 -m ipv6header --header esp --soft -j DROP    # ESP
ip6tables -I INPUT 8 -i eth1 -m ipv6header --header none --soft -j DROP   # No Next Header
Do's and Don'ts
 IPv6 is moving fast, you can't walk slow
 Keep your knowledge updated
 NO IPv6-only thoughts for Infrastructure
 Make an inventory of existing systems
 List the necessities that you need, NOT what you want
Top 10 countries for IPv6 support (Feb 2018)
Top 10 countries of IPv6 default for dual-stack users