Embed Size (px)
Citation preview
Routing Is At Risk. Let's Secure It Together
1
Andrei Robachevsky
SOC-SE/SNUS höstkonferens
No Day Without an Incident
2
0
20
40
60
80
100
120
1/1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17
6monthofsuspicious activity
Hijack
Leak
http://bgpstream.com/
Statistics of routing incidents generated from BGPStream data
Caveats:
• Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change
• CC attribution is based on geolocation MaxMind's GeoLite City data set
3
A year in review: 14000 incidents
The routing system is constantly under attack (2017)
4
• 13,935 total incidents (either outages or attacks, like route leaks and hijacks)
• Over 10% of all Autonomous Systems on the Internet were affected
• 3,106 Autonomous Systems were a victim of at least one routing incident
• 1,546 networks were responsible for 5304 routing incidents
8631, 62%
5304, 38%
Twelve months of routing incidents
Outage Routing incident Source: https://www.bgpstream.com/
The routing system is constantly under attack (2017 → 2018)
5
• 13,935 total incidents (either outages or attacks like route leaks and hijacks)
• Over 10% of all Autonomous Systems on the Internet were affected
• 3,106 Autonomous Systems were a victim of at least one routing incident
• 1,546 networks were responsible for 5304 routing incidents
• 547 networks were responsible for 1576 routing incidents
Source: https://www.bgpstream.com/
3668, 70%
1576, 30%
Five months of routing incidents (2018)
Outage Routing incident
Potential victims
6
Source: https://www.bgpstream.com/
1193
450 299
242
233
138
132
125 118 106
Incidents with a victim in a country, Top 10, 2017
US BR IN RU KN BD IR GB DE HK
0
5
10
15
20
25
US BR IN RU BD IR GB DE HK CN
Changes in % of victimized network in country
2017 2018
Potential culprits 2017
7
Source: https://www.bgpstream.com/
324
197
105
55
50
44
41 39
35 32
Number of AS's in a country responsible for a routing incident (a route leak or hijack)
BR US RU GB IN HK DE ID IR NL
6,55
1,18
2,10
3,02
3,50
9,40
2,33
4,27
7,73
3,76
Percent of AS's in a country responsible for a routing incident (a route leak or hijack)
BR US RU GB IN HK DE ID IR NL
Positive dynamics
8
0
1
2
3
4
5
6
7
8
9
10
US BR RU IN BD ID DE IR GB HK
% of AS's in a country responsible for a routing incident
2017 2018
Routing Incidents Cause Real World Problems
9
Event Explanation Repercussions Example
Prefix/Route Hijacking
A network operator or attacker impersonates another network operator, pretending that a server or network is their client.
Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception.
The 2008 YouTube hijack April 2018 Amazon Route 53 hijack
Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider.
Can be used for a MITM, including traffic inspection, modification and reconnaissance.
November 2018. Google faced a major outage in many parts of the world thanks to a BGP leak. This incident that was caused by a Nigerian ISP MainOne due to a configuration mistake.
IP Address Spoofing
Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system.
The root cause of reflection DDoS attacks
March 1, 2018. Memcached 1.3Tb/s reflection-amplification attack reported by Akamai
Tools to Help
10
• Prefix and AS-PATH filtering • RPKI validator, IRR toolset, IRRPT,
BGPQ3 • BGPSEC is standardized
But… • Not enough deployment • Lack of reliable data
We need a systemic approach to improving routing security
We Are In This Together
11
Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet.
The more network operators work together, the fewer incidents there will be, and the less damage they can do.
12
Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to reduce the most common routing threats
13
Mutually Agreed Norms for Routing Security
MANRS defines four simple but concrete actions that network operators must implement to improve Internet security and reliability. • The first two operational improvements eliminate the root causes of common routing issues
and attacks, while the second two procedural steps improve mitigation and decrease the likelihood of future incidents.
MANRS builds a visible community of security minded network operators and IXPs
Coordination Facilitate global
operational communication and
coordination between network operators
Maintain globally accessible up-to-date contact information in
common routing databases
Anti-spoofing Prevent traffic with spoofed source IP
addresses
Enable source address validation for at least single-homed stub
customer networks, their own end-users, and
infrastructure
MANRS Actions
Filtering Prevent propagation of
incorrect routing information
Ensure the correctness of your own announcements and announcements from
your customers to adjacent networks with prefix and
AS-path granularity
Global Validation
Facilitate validation of routing information on a
global scale
Publish your data, so others can validate
14
MANRS is an Important Step
15
Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet.
MANRS is the minimum an operator should consider, with low risk and cost-effective actions.
MANRS is not a one-stop solution to all of the Internet’s routing woes, but it is an important step toward a globally robust and secure routing infrastructure.
Implementing MANRS Actions:
16
Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. Heads off routing incidents, helping networks readily identify and address problems with customers or peers. Improves a network’s operational efficiency by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. Addresses many concerns of security-focused enterprises and other customers.
MANRS – increasing adoption
17
18
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 Growth of the membership (networks)
MANRS in Europe
19
MANRS IXP Programme
20
There is synergy between MANRS and IXPs • IXPs form a community with a common operational objective • MANRS is a reference point with a global presence – useful for building a “safe
neighborhood”
How can IXPs contribute? • Implement a set of Actions that demonstrate the IXP commitment and also bring significant
improvement to the resilience and security of the routing system
MANRS IXP Program – launched on April 23!
21
MANRS IXP Actions
Action 1 Prevent
propagation of incorrect routing
information
This mandatory action requires
IXPs to implement filtering of route
announcements at the Route Server based on routing information data
(IRR and/or RPKI).
22
Action 2 Promote
MANRS to the IXP membership
IXPs joining MANRS are expected to
provide encouragement or assistance for their
members to implement
MANRS actions.
Action 3 Protect the
peering platform
This action requires that the
IXP has a published policy of traffic not allowed
on the peering fabric and
performs filtering of such traffic.
Action 4 Facilitate global
operational communication
and coordination
The IXP facilitates
communication among members
by providing necessary mailing lists and member
directories.
Action 5 Provide
monitoring and debugging tools to the members.
The IXP provides a looking glass for
its members.
MANRS Implementation Guide
23
A resource to help Operators implement MANRS Actions. • Based on Best Current Operational Practices
deployed by network operators around the world • https://www.manrs.org/bcop/ • Has received recognition from the RIPE
community by being published as RIPE-706
MANRS Training Tutorials
24
6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial. https://www.manrs.org/tutorials
About to begin training moderators for online classes (43 applications received!)
MANRS Hands-on Lab
25
The prototype lab is ready, finalizing the production version.
• Cisco
• Juniper
• Mikrotik
Can be used as a
standalone lab or as
an end-exam
MANRS Member Report and MANRS Observatory
26
Why join MANRS? • Improve your security posture and reduce the
number and impact of routing incidents
• Demonstrate that these practices are reality
• Join a community of security-minded operators working together to make the Internet better
• Use MANRS as a competitive differentiator 27
only together manrs.org
#ProtectTheCore
MANRS Video: https://www.youtube.com/embed/nJINk5p-HEE
28
