Upload File

anti spoofing. reboot. · strict mode provider a provider b customerx rule: incoming interface =...

  • Home
  • Documents
  • Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic
21
Anti Spoofing. Reboot. Alexander Azimov <[email protected]>

Upload: others

Post on 16-Oct-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Anti Spoofing. Reboot.Alexander Azimov <[email protected]>

Page 2: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

IP Spoofing

• Attacks on TCP stack;• TCP floods (SYN, ACK,…);• Reflection Attacks;• Amplification Attacks.

Page 3: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

DDoS Amplifiers

Source: Qrator Labs annual report 2017

https://qrator.net/presentations/QratorAnnualRepEng.pdf
Page 4: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

BCP84: uRPF

https://tools.ietf.org/html/bcp84• Strict mode;• Feasible mode;• Loose mode.

https://tools.ietf.org/html/bcp84
Page 5: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Strict Mode

Provider A Provider B

CustomerX

Rule: incoming interface = interface for the best route for SRC_IP

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 6: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Loose Mode

Rule: there is a route for SRC_IP

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 7: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Feasible Mode

Rule: incoming interface = interface for the best route for SRC_IP

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 8: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Feasible Mode

Rule: incoming interface = interface for the best route for SRC_IP

Provider A Provider B

Provider C

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB C A XC A X

x.x.x.0/24

CustomerX

Page 9: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

BCP84: uRPF

https://tools.ietf.org/html/bcp84• Strict mode – not working;• Loose mode – does nothing.• Feasible mode – not working;

https://tools.ietf.org/html/bcp84
Page 10: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Problem Statement

A distance-vector protocol isn't the best way to propagate availability information.

Page 11: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №1: New SAFI

Page 12: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Hacking

Page 13: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №2: AS-SETs

Rule: Check that SRC_IP belongs to customer’s AS_SET

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B X

C A X

x.x.x.0/24

Page 14: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №2: AS-SETs

Transformation of ingress filters into ACLs.

Positive:• We do not need to change specification;• We do not need to ship new software;• Can be used by any ISP, isn't it?

Negative:• AS-SETs are outdated, unauthorized;• Scalability problems.

Page 15: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

A new transit well-known community that sets LOCAL_PREF to 0.

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24GRSH

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

Page 16: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

Provider B sees x.x.x.0/24 route, but doesn’t use it.x.x.x.0/24 route marked with GRSH – informational message

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24GRSH

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

Page 17: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

Works only for multihomed ISPs…

But it more then 85% of all ISPs in the world!

Provider A Provider B

Provider C

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

CustomerX

x.x.x.0/24

GRSH

Page 18: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

GRACEFUL_SHTUTDOWN community creates informational message for directly connected peers.

Positive:• We do not need to change specification;• We do not need to ship new software;• We solve problem for multihomed of ISPs.

Negative:• A lot of work with customers is required;• Doesn’t work between transit ISPs.

Page 19: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 4: Do Nothing.

But are you prepared?

Page 20: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

http://etc.ch/kfR6/

http://etc.ch/kfR6/
Page 21: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Provider Specific Requirements for the passive NTP in ... · Provider Specific Requirements for the passive Network ... 4 RF INTERFACE CONNECTOR 8 ... DOCSIS 3.0 Security Specification

DSPD Provider/SC to UPI-IR Training Handout.pdfDSPD Provider/SC USTEPS Provider Interface ... Review the incident report before ... successfully submitted it CANNOT be modified. Don’t

Class A Addresses The 1 st bit of a class A address is 0 The 1 st byte has a value from 1-126. (128.x.x.x would not be a class A) 127.x.x.x is reserved

Kernel Authentication & Authorization for J2EE (KAAJEE ... · Web viewKERNEL AUTHENTICATION & AUTHORIZATION FOR J2EE (KAAJEE) VERSION 1.1.0 and SECURITY SERVICE PROVIDER INTERFACE

SAE CORBA Plug-In Service Provider Interface (SPI) · Chapter 1 SAE CORBA Plug-In Service Provider Interface (SPI) 1.1 Introduction The plug-in SPI is defined by CORBA IDL, which

USTEPS Provider Interface - Utah User Manual FY 2014.pdfUPI Page 2 Introduction: The USTEPS Provider Interface (UPI) is an Internet based computer system designed for providers who

Modul 5 Subnetting.ppt...Subnetting 14 • Network klas C terdapat 254 host 1111 1111 1111 1111 1111 1111 1100 0000 = 255.255.255.192 • Subnetting x.x.x.192 = x.x.x.1100 0000 –

Version 1research.utwente.nl/files/166933985/Blueprint_for_a_TO_MP_API_v1.1.pdfBlueprint for an Application Programming Interface from Transport Operator to MaaS Provider (TO-MP API)

Automatic Fire Alarm Service Provider Computer Interface ... · PDF fileDecember 2013 July 2017 Version 1.6 Automatic Fire Alarm Service Provider Computer Interface Specification for

interoperability.blob.core.windows.netMS-OXNSPI]-18121…  · Web view[MS-OXNSPI]: Exchange Server Name Service Provider Interface (NSPI) Protocol. Intellectual Property Rights Notice

[MS-OXNSPI]: Exchange Server Name Service Provider Interface (NSPI) Protocol · 2016-09-14 · client to use a single remote procedure call (RPC) interface and several interface methods

Upgrading PowerConnect Switches From Version 2.x.x.x or 3.x.x.x or 4.x.x.x to 5.0.1.3 Firmware

INTERFACE ™ WT Documentation System. interface.group GmbH Interface.group is a solution provider located in Bremerhaven, Germany, currently active in

RIDE SOAP Interface Service Provider User guide1.6 Document Conventions This document uses several conventions to facilitate recognition of instructions. See RIDE Web Interface Service

Service provider Interface Study

SCIELO AS AN OPEN ARCHIVE: the development of SciELO / OpenArchives data provider interface

User Guide Android 3.x.x.x

SAE CORBA Plug-In Service Provider Interface (SPI ... · SAE CORBA Plug-In Service Provider Interface (SPI) Reference Manual 7.6 ... 1.1 Introduction ... SAE CORBA Plug-In Service

[MS-OXABREF]: Address Book Name Service Provider Interface ...MS... · Address Book Name Service Provider Interface (NSPI) Referral Protocol Specification ... 1.8 Vendor-Extensible

Interface Board HW User Guide - Telit: IoT Solutions Provider · 2017. 9. 29. · Interface Board HW User Guide 1VV0301285 Rev.0.3 – 2017-01-12 ... (SW) products described in this

[MS-OXABREF]: Address Book Name Service Provider …...3 of 14 [MS-OXABREF] - v1.0 Address Book Name Service Provider Interface (NSPI) Referral Protocol Specification Copyright ©

posted on the City’s RFP web page · SS7, and DNS connectivity, if DNS connectivity applies. INTERFACE WITH PSTN PROVIDER Describe how the proposed system will interface with the

SHARE Anaheim August 8, 2012€¦ · Advanced Crypto Service Provider (ACSP) Exposing The API Services The ACSP Client exposes the standard IBM CCA interface, a PKCS#11 interface

Manuel d’utilisation IDEM v2017.1.x.x - atih.sante.fr · Manuel d’utilisation IDEM v2017.1.x.x.x Interchamps Mars 2018 Service Architecture et production informatiques ... Téléphone

Baseband IP Voice handover interface specification - … IP voice... · Baseband IP Voice handover interface specification ... service provider soft-switch and do not rely on the

Automatic Fire Alarm Service Provider Computer Interface ...December 2013 February 2019 Version 1.7 Automatic Fire Alarm Service Provider Computer Interface Specification For Fire

Oracle® Data Provider for · Oracle Data Provider for .NET (ODP.NET) is an implementation of the Microsoft ADO.NET interface. ODP.NET support for Oracle TimesTen In-Memory Database

Aracati · 2019. 6. 10. · SEALTICA .x.x.x .x.X.x ,x.x.x DE PROJtT0, ORÇAMENTO ðBÅÅ PAVIMENTAÇÃO DO PROGRAMA DA COMUNIDADE OE SANTA *PUANOžÞETRABALHOfl00642893.x, x. X. X

Getting Started with Managing Websites in Plesk...Getting Started with Plesk 5 Service Provider view.Choose this interface if you are a shared hosting provider and plan to sell hosting

VMware Fusion for Mac OS X · Mac OS X version 10.5.8 Leopard or later, ... version filename is VMware-Fusion-x.x.x-xxxxxx-light.dmg. 3Double-click VMware-Fusion-x.x.x-xxxxxx.dmg

IPND Data Provider & User Access to Internet Interface

WMI Provider Programming - ITwelzel.bizgwise.itwelzel.biz/Microsoft/Windows 2000 Server... · Web viewWMI facilitates these communications by providing a common programming interface

E-COMMERCE M ODULE · 3. Connect to your Magento 2.x provider interface using the SSH connection (for further details, contact your service provider) or use software such as P utty

Oracle® Data Provider for · 2013. 8. 1. · August 2013 Oracle Data Provider for .NET (ODP.NET) is an implementation of the Microsoft ADO.NET interface. ODP.NET support for Oracle

Service Provider IPv6 Deployment€¦ · mpls ldp router-id Loopback0! interface Loopback0 ip address 192.168.3.1 255.255.255.255! interface Ethernet0/0 description to PE1 ip address