cybersecurity opportunities challenges apnic

Cyber Security Opportunities and Challenges
Adli Wahid, Security Specialist, APNIC
5th APT Cyber Security Forum, 27-29 May 2014
Issue Date: 27 May 2014
Revision: 2

Upload: apnic

Post on 08-May-2015


DESCRIPTION

Discussion of cybersecurity opportunities and challenges and how APNIC can assist with RPKI, DNSSEC, and BCP 38 implementation to help secure the Internet's infrastructure.

TRANSCRIPT

Page 1: Cybersecurity Opportunities Challenges APNIC

Cyber Security Opportunities and Challenges
Adli Wahid, Security Specialist, APNIC

5th APT Cyber Security Forum, 27-29 May 2014

Issue Date: 27 May 2014
Revision: 2

Page 2: Cybersecurity Opportunities Challenges APNIC

Agenda

•  Overview of APNIC
•  Opportunities and challenges
   –  Source address validation (Best Current Practice (BCP) 38)
   –  Securing the Internet with Resource Certification
   –  Effective incident response and handling (APNIC Whois Database)
   –  Awareness and education
•  The way forward

Page 3: Cybersecurity Opportunities Challenges APNIC

Overview


APNIC’s Vision: “A global, open, stable, and secure Internet that serves the entire Asia Pacific community”

Serving APNIC Members

Supporting Internet development in the Asia Pacific region

Collaborating with the Internet community

Page 4: Cybersecurity Opportunities Challenges APNIC


Page 5: Cybersecurity Opportunities Challenges APNIC

APNIC’s Mission

•  Function as the RIR for the Asia Pacific, in the service of the community of Members and others

•  Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy

•  Provide information, training, and supporting services to assist the community in building and managing the Internet

•  Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment

•  Provide leadership and advocacy in support of its vision and the community

•  Facilitate regional Internet development as needed throughout the APNIC community


Page 6: Cybersecurity Opportunities Challenges APNIC

Strategic Engagement

Technical community
•  NOGs, NIR OPMs, I*, CERTs, ISOC Chapters, PACINET, PICISOC, PTC

Governmental
•  APEC-TEL 47 and 48, ITU WTPF, APT, WSIS+10, ITU Connect Asia Pacific Summit, ITU Telecom World 2013, APEC TEL 49, NETmundial

IGF
•  National IGFs (Nethui, auIGF), APrIGF
•  Bali IGF - significant support given for fundraising and logistics

Page 7: Cybersecurity Opportunities Challenges APNIC

Opportunities and Challenges


Page 8: Cybersecurity Opportunities Challenges APNIC

Opportunities and Challenges

•  Government institutions, CERTs, Law Enforcement Agencies (LEAs) and stakeholders have been collaborating all along

•  What else needs to be done?

•  What are the opportunities and challenges?

Page 9: Cybersecurity Opportunities Challenges APNIC

BEST CURRENT PRACTICES

Internet Resources Management

Page 10: Cybersecurity Opportunities Challenges APNIC

Source Address Validation (BCP 38)

•  Problem
   –  Network providers allow traffic from IP addresses that they do not hold
   –  As a result it is trivial to spoof IP addresses
   –  This enables attacks such as the DDoS Reflection/Amplification
•  Recipe for Amplification attacks
   –  Network that allows source IP spoofing
   –  Network services that respond to non-customer requests
•  This is not new
   –  BCP 38 has been around since 2000 (RFC 2827)
   –  Also known as Network Ingress Filtering
•  Is your provider allowing source address spoofing?
   –  Source Address Validation Everywhere! (SAVE)

Page 11: Cybersecurity Opportunities Challenges APNIC

BCP 38 Ingress Packet Filtering

[Figure: Internet, ISP, and customer networks 96.0.20.0/24, 96.0.21.0/24 and 96.0.22.0/24, with the label "BCP 38 Applied Here".]

ISP’s Customer Allocation Block: 96.0.0.0/19
BCP 38 Filter = Allow only source addresses from the customer’s 96.0.X.X/24

Credit: http://confluence.senki.org/pages/viewpage.action?pageId=1474569
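The filter rule on this slide, applied to a few flow records, as an added example that is not part of the original slides. The interface names, the mapping of each /24 to an interface, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# ISP allocation block from the slide.
ISP_BLOCK = ipaddress.ip_network("96.0.0.0/19")

# Customer-facing interface -> prefixes delegated to that customer.
# The prefixes are the slide's; the interface names are hypothetical.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("96.0.20.0/24")],
    "cust-b": [ipaddress.ip_network("96.0.21.0/24")],
    "cust-c": [ipaddress.ip_network("96.0.22.0/24")],
}

def ingress_permits(interface, src):
    """BCP 38 rule: accept a packet only if its source address belongs to
    a prefix delegated to the customer behind this interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))

def audit(flows):
    """Return the flows a BCP 38 filter would drop, with the reason."""
    findings = []
    for interface, src, _dst in flows:
        if ingress_permits(interface, src):
            continue
        if ipaddress.ip_address(src) in ISP_BLOCK:
            # Inside 96.0.0.0/19, so a filter keyed on the whole ISP block
            # would miss it; the per-customer /24 filter does not.
            reason = "other-prefix-in-isp-block"
        else:
            reason = "outside-isp-block"
        findings.append((interface, src, reason))
    return findings

# Constructed flow records: (ingress interface, source, destination).
SAMPLE_FLOWS = [
    ("cust-a", "96.0.20.17", "203.0.113.53"),    # legitimate
    ("cust-a", "198.51.100.9", "203.0.113.53"),  # source not held by the ISP
    ("cust-b", "96.0.20.17", "203.0.113.53"),    # cust-a's address seen on cust-b
    ("cust-c", "96.0.22.200", "192.0.2.10"),     # legitimate
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The third flow shows why the filter is written per customer /24 rather than per ISP block: the source sits inside 96.0.0.0/19 but not in the prefix delegated to that interface.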

Page 12: Cybersecurity Opportunities Challenges APNIC

Resource Certification with RPKI

•  Resource Public Key Infrastructure
   –  Security framework to verify the association between specific IP address blocks or Autonomous System (AS) numbers and the holders of the resources
   –  Uses digital certificates and Public Key cryptography
•  Essential because:
   –  Improves security of inter-domain routing. Currently, it’s based on mutual trust
   –  Can prove authoritatively who uses an IP address block and what AS has announced it
•  Prevents mis-origination or “Route Hijacking”
   –  When an entity participating in Internet routing announces a prefix without authorization (either mistake or malicious intention)

Page 13: Cybersecurity Opportunities Challenges APNIC

[Figure: ISP A, ISP B and ISP E. The labels "My AS number is 1001" and "My prefix is 198.58.1.0/24" each appear twice in the diagram.]
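How a router that consumes RPKI data can classify announcements of the prefix on this slide, as an added example that is not part of the original slides. It implements route origin validation as specified in RFC 6811; the validated payload entry (maxLength 24), AS 64500 and the extra announcements are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, longest permitted length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(route_prefix, origin_asn, vrps):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue                      # this VRP does not cover the route
        covered = True
        # AS 0 in a VRP never matches: it marks a prefix that must not be routed
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed VRP set: the slide's prefix and AS number, maxLength assumed to be 24.
VRPS = [VRP("198.58.1.0/24", 24, 1001)]

def classify_samples():
    # AS 64500 is a documentation AS number standing in for an unauthorized origin.
    announcements = [
        ("198.58.1.0/24", 1001),     # the holder's own announcement
        ("198.58.1.0/24", 64500),    # same prefix, different origin AS
        ("198.58.1.128/25", 1001),   # more specific than maxLength allows
        ("203.0.113.0/24", 64500),   # no VRP covers this prefix
    ]
    return [(p, a, validate_origin(p, a, VRPS)) for p, a in announcements]

if __name__ == "__main__":
    for prefix, asn, state in classify_samples():
        print(f"{prefix:18} AS{asn:<6} {state}")
```

Origin validation checks only the prefix and the origin AS; it does not validate the rest of the AS path.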

Page 14: Cybersecurity Opportunities Challenges APNIC

Resource Certification Benefits

•  Routing information corresponds to properly delegated address resources

•  Resource certification gives resource holders proof that they hold certain resources

•  Resource holders can attest to those resources when distributing them

•  Resource certification is a highly robust means of preventing the injection of false information into the Internet’s routing system


Page 15: Cybersecurity Opportunities Challenges APNIC

Resource Certification with RPKI

•  Role of APNIC
   –  Acts as Certificate Authority, attests that the certificate belongs to the identified party
   –  Issues RPKI certificates to APNIC Members

Page 16: Cybersecurity Opportunities Challenges APNIC

Whois Database – Improving Incident Response and Handling

•  Security incidents happen and timely response is critical
•  The Incident Response Team (IRT) object requires resource holders to provide contact information
•  There are opportunities to:
   –  Enhance incident response and handling capabilities
   –  Provide additional information for escalation (i.e. National CSIRT/CERT or relevant agency)
   –  Report invalid contact information

Page 17: Cybersecurity Opportunities Challenges APNIC

inetnum:        202.55.176.0 - 202.55.191.255
netname:        SKYCC
descr:          SKYCC, VoIP and ISP, Ulaanbaatar, Mongolia
country:        MN
admin-c:        SD635-AP
tech-c:         TB231-AP
status:         ALLOCATED PORTABLE
remarks:        *************************************************************
remarks:        This object can only modify by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to [email protected] with your organisation
remarks:        account in the subject line.
remarks:        *************************************************************
changed:        [email protected] 20030708
mnt-by:         APNIC-HM
mnt-lower:      MAINT-MN-SKYCC
mnt-routes:     MAINT-MN-SKYCC
mnt-irt:        IRT-SKYCC-MN
changed:        [email protected] 20081114
changed:        [email protected] 20130611
source:         APNIC

irt:            IRT-SKYCC-MN
address:        Sukhbaatar District-1,
address:        Chinggis Khan Avenue-9,
address:        Skytel Plaza building,
address:        Ulaanbaatar-13,
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        SD635-AP
tech-c:         TB231-AP
auth:           # Filtered
mnt-by:         MAINT-MN-SKYCC
changed:        [email protected] 20101210
source:         APNIC

IRT contact
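How an incident handler can follow the mnt-irt reference from an address range to its IRT object and pull out the abuse contact, as an added example that is not part of the original slides. The sample response is constructed: it reuses the range and IRT name shown above, the mailbox values are placeholders because the page redacts them, and the second range with a dangling IRT reference is hypothetical.

```python
def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):              # server comment line
            continue
        if not line.strip():                  # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:   # continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {line[1:].strip()}")
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def abuse_contacts(text):
    """Map each inetnum range to the mailboxes of the IRT object named by mnt-irt,
    preferring abuse-mailbox and falling back to the IRT's e-mail attribute."""
    objects = parse_objects(text)
    irts = {obj[0][1]: obj for obj in objects if obj[0][0] == "irt"}
    result = {}
    for obj in objects:
        if obj[0][0] != "inetnum":
            continue
        mailboxes = []
        for attr, name in obj:
            if attr == "mnt-irt" and name in irts:
                abuse = [v for a, v in irts[name] if a == "abuse-mailbox"]
                mailboxes += abuse or [v for a, v in irts[name] if a == "e-mail"]
        result[obj[0][1]] = mailboxes         # empty list: no usable IRT contact
    return result

# Constructed sample response; mailbox values are placeholders.
SAMPLE = """\
% constructed whois response
inetnum:        202.55.176.0 - 202.55.191.255
mnt-irt:        IRT-SKYCC-MN

irt:            IRT-SKYCC-MN
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net

inetnum:        192.0.2.0 - 192.0.2.255
mnt-irt:        IRT-EXAMPLE-ZZ
"""
```

A range that maps to an empty list is a candidate for the "report invalid contact information" step listed on the previous slide.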

Page 18: Cybersecurity Opportunities Challenges APNIC

Awareness and Education

•  Reaching out to operators (resource holders) and relevant stakeholders is important to create awareness and ability to apply best current practices
•  Challenges:
   –  Cost and availability of subject matter experts
•  APNIC provides training at events across the region as well as online
   –  training.apnic.net
•  Topics include
   –  BGP, IPv6, DNSSEC, Network Security and much more

Page 19: Cybersecurity Opportunities Challenges APNIC

Recent and Upcoming Events

•  Bangladesh Network Operators Group 1 Workshop and Conference
   –  19 – 24 May 2014 in Dhaka, Bangladesh
   –  3-day Workshops, 1-day tutorial and 2-day conference
   –  90 participants for 3 workshops
      •  Network Security
      •  Routing/BGP
      •  Virtualization
•  Internet Investigation Training Day
   –  9 July 2014, New Zealand
   –  1-day tutorial on how the Internet works
   –  Focused on LEA engagement
   –  Collaboration with ICANN, APTLD, .nz DNC, New Zealand police

Page 20: Cybersecurity Opportunities Challenges APNIC

The Way Forward

•  Infrastructure security issues are part of the bigger picture and must be addressed

•  The full impact of security controls may only be realized if everyone implements them
   –  Relevant stakeholders and operators must make things happen

•  Awareness and education activities are at the core of all of the above

•  Let’s work together!

Page 21: Cybersecurity Opportunities Challenges APNIC

You’re Invited!

•  APNIC 38: Brisbane, Australia, 9-19 Sep 2014

•  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015

Page 22: Cybersecurity Opportunities Challenges APNIC

THANK YOU

www.facebook.com/APNIC

www.twitter.com/apnic

www.youtube.com/apnicmultimedia

www.flickr.com/apnic

www.weibo.com/APNICrir