Upload File

anti spoofing. reboot. · strict mode provider a provider b customerx rule: incoming interface =...

  • Home
  • Documents
  • Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic
21
Anti Spoofing. Reboot. Alexander Azimov <[email protected]>

Upload: others

Post on 16-Oct-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Anti Spoofing. Reboot.Alexander Azimov <[email protected]>

Page 2: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

IP Spoofing

• Attacks on TCP stack;• TCP floods (SYN, ACK,…);• Reflection Attacks;• Amplification Attacks.

Page 3: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

DDoS Amplifiers

Source: Qrator Labs annual report 2017

https://qrator.net/presentations/QratorAnnualRepEng.pdf
Page 4: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

BCP84: uRPF

https://tools.ietf.org/html/bcp84• Strict mode;• Feasible mode;• Loose mode.

https://tools.ietf.org/html/bcp84
Page 5: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Strict Mode

Provider A Provider B

CustomerX

Rule: incoming interface = interface for the best route for SRC_IP

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 6: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Loose Mode

Rule: there is a route for SRC_IP

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 7: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Feasible Mode

Rule: incoming interface = interface for the best route for SRC_IP

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB XC A X

x.x.x.0/24

Page 8: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Feasible Mode

Rule: incoming interface = interface for the best route for SRC_IP

Provider A Provider B

Provider C

Ingress Traffic

Egress Traffic

Provider AS_PATHA XB C A XC A X

x.x.x.0/24

CustomerX

Page 9: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

BCP84: uRPF

https://tools.ietf.org/html/bcp84• Strict mode – not working;• Loose mode – does nothing.• Feasible mode – not working;

https://tools.ietf.org/html/bcp84
Page 10: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Problem Statement

A distance-vector protocol isn't the best way to propagate availability information.

Page 11: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №1: New SAFI

Page 12: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Hacking

Page 13: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №2: AS-SETs

Rule: Check that SRC_IP belongs to customer’s AS_SET

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B X

C A X

x.x.x.0/24

Page 14: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option №2: AS-SETs

Transformation of ingress filters into ACLs.

Positive:• We do not need to change specification;• We do not need to ship new software;• Can be used by any ISP, isn't it?

Negative:• AS-SETs are outdated, unauthorized;• Scalability problems.

Page 15: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

A new transit well-known community that sets LOCAL_PREF to 0.

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24GRSH

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

Page 16: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

Provider B sees x.x.x.0/24 route, but doesn’t use it.x.x.x.0/24 route marked with GRSH – informational message

Provider A Provider B

CustomerX

Provider C

x.x.x.0/24GRSH

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

Page 17: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

Works only for multihomed ISPs…

But it more then 85% of all ISPs in the world!

Provider A Provider B

Provider C

Ingress Traffic

Egress Traffic

Provider AS_PATH

A X

B C A X

C A X

x.x.x.0/24

CustomerX

x.x.x.0/24

GRSH

Page 18: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 3: GRSH + Feasible Mode

GRACEFUL_SHTUTDOWN community creates informational message for directly connected peers.

Positive:• We do not need to change specification;• We do not need to ship new software;• We solve problem for multihomed of ISPs.

Negative:• A lot of work with customers is required;• Doesn’t work between transit ISPs.

Page 19: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

Option 4: Do Nothing.

But are you prepared?

Page 20: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

http://etc.ch/kfR6/

http://etc.ch/kfR6/
Page 21: Anti Spoofing. Reboot. · Strict Mode Provider A Provider B CustomerX Rule: incoming interface = interface for the best route for SRC_IP Provider C x.x.x.0/24 Ingress Traffic

[MS-OXABREF]: Address Book Name Service Provider Interface ...MS... · Address Book Name Service Provider Interface (NSPI) Referral Protocol Specification ... 1.8 Vendor-Extensible

Service provider Interface Study

Kernel Authentication & Authorization for J2EE (KAAJEE ... · Web viewKERNEL AUTHENTICATION & AUTHORIZATION FOR J2EE (KAAJEE) VERSION 1.1.0 and SECURITY SERVICE PROVIDER INTERFACE

[MS-OXNSPI]: Exchange Server Name Service Provider Interface (NSPI) Protocol · 2016-09-14 · client to use a single remote procedure call (RPC) interface and several interface methods

posted on the City’s RFP web page · SS7, and DNS connectivity, if DNS connectivity applies. INTERFACE WITH PSTN PROVIDER Describe how the proposed system will interface with the

VERSION - az781118.vo.msecnd.net...credential provider (version 10 SP3). Added "nofollow" to links in the web interface and added a "robot.txt" file that indicates that the web interface

DSPD Provider/SC to UPI-IR Training Handout.pdfDSPD Provider/SC USTEPS Provider Interface ... Review the incident report before ... successfully submitted it CANNOT be modified. Don’t

Version 1research.utwente.nl/files/166933985/Blueprint_for_a_TO_MP_API_v1.1.pdfBlueprint for an Application Programming Interface from Transport Operator to MaaS Provider (TO-MP API)

Quality Center Synchronizer Adapter Service Provider ... · Adapter Service Provider Interface (SPI) Developer Guide 1 Introduction The HP ALM Synchronizer synchronizes records between

Data Bus Subsystem Provider Template Interface Control ...sunguidesoftware.com/sunguidesoftware/documentlibrary/ICD/6_2/Sun... · Data Bus Subsystem Provider Template Interface Control

Oracle® Data Provider for · 2013. 8. 1. · August 2013 Oracle Data Provider for .NET (ODP.NET) is an implementation of the Microsoft ADO.NET interface. ODP.NET support for Oracle

IPND Data Provider & User Access to Internet Interface

Department of Social Services - Addendum to Service Provider … · 2015-05-27 · Department of Social Services Addendum to Service Provider Interface Technical Specifications Version

[MS-OXABREF]: Address Book Name Service Provider …...3 of 14 [MS-OXABREF] - v1.0 Address Book Name Service Provider Interface (NSPI) Referral Protocol Specification Copyright ©

SAE CORBA Plug-In Service Provider Interface (SPI) · Chapter 1 SAE CORBA Plug-In Service Provider Interface (SPI) 1.1 Introduction The plug-in SPI is defined by CORBA IDL, which

E-COMMERCE M ODULE · 3. Connect to your Magento 2.x provider interface using the SSH connection (for further details, contact your service provider) or use software such as P utty

X.X.X. - All Department in UTCCdepartment.utcc.ac.th/library/onlinethesis/259371.pdf · 1.5 นิยามค าศัพท์เฉพาะ ..... 5 1.6 ประโยชน์ที่คาดว่าจะ

Kerberizing Applications Using Security Support Provider ...ptgmedia.pearsoncmg.com/images/0201657783/sample... · Using Security Support Provider Interface ... interfaces to provide

RIDE SOAP Interface Service Provider User guide1.6 Document Conventions This document uses several conventions to facilitate recognition of instructions. See RIDE Web Interface Service

IP :XX .X X.X.X Use r:y yPas wo rd:z z SID: . . . . Wi-F ... X. User name: y Pa sword : z z IP :XX .X X.X.X Use r:y y Pas wo rd:z z. Created Date: 5/31/2017 5:15:07 PM

GST Suvidha Provider - Instavatinsta.instavat.in/PDF/Eco-SystemforGSTandGSTSuvidhaProviders.pdf · GST Suvidha Provider 7 Taxpayers will interface with GST System via GST system portal

Class A Addresses The 1 st bit of a class A address is 0 The 1 st byte has a value from 1-126. (128.x.x.x would not be a class A) 127.x.x.x is reserved

INTERFACE ™ WT Documentation System. interface.group GmbH Interface.group is a solution provider located in Bremerhaven, Germany, currently active in

SAE CORBA Plug-In Service Provider Interface (SPI ... · SAE CORBA Plug-In Service Provider Interface (SPI) Reference Manual 7.6 ... 1.1 Introduction ... SAE CORBA Plug-In Service

Getting Started with Managing Websites in Plesk...Getting Started with Plesk 5 Service Provider view.Choose this interface if you are a shared hosting provider and plan to sell hosting

WMI Provider Programming - ITwelzel.bizgwise.itwelzel.biz/Microsoft/Windows 2000 Server... · Web viewWMI facilitates these communications by providing a common programming interface

Manuel d’utilisation IDEM v2017.1.x.x - atih.sante.fr · Manuel d’utilisation IDEM v2017.1.x.x.x Interchamps Mars 2018 Service Architecture et production informatiques ... Téléphone

Automatic Fire Alarm Service Provider Computer Interface ...December 2013 February 2019 Version 1.7 Automatic Fire Alarm Service Provider Computer Interface Specification For Fire

CRICOS Provider No 00025B Re-visioning mathematics education at the secondary-tertiary interface: Towards creative boundary practices Merrilyn Goos The

Upgrading PowerConnect Switches From Version 2.x.x.x or 3.x.x.x or 4.x.x.x to 5.0.1.3 Firmware

Cetis Announces Broadsoft BroadWorks SIP Interface … Announces Broadsoft BroadWorks SIP Interface Interop Certification. ... BroadSoft is the leading provider of cloud software and

interoperability.blob.core.windows.netMS-OXNSPI]-18121…  · Web view[MS-OXNSPI]: Exchange Server Name Service Provider Interface (NSPI) Protocol. Intellectual Property Rights Notice

Provider Specific Requirements for the passive NTP in ... · Provider Specific Requirements for the passive Network ... 4 RF INTERFACE CONNECTOR 8 ... DOCSIS 3.0 Security Specification

Interface Board HW User Guide - Telit: IoT Solutions Provider · 2017. 9. 29. · Interface Board HW User Guide 1VV0301285 Rev.0.3 – 2017-01-12 ... (SW) products described in this

Oracle® Data Provider for · Oracle Data Provider for .NET (ODP.NET) is an implementation of the Microsoft ADO.NET interface. ODP.NET support for Oracle TimesTen In-Memory Database