
1 http://www.nlnetlabs.nl/ Infrastructure Attack Vectors and Mitigation, Benno Overeinder, NLnet Labs

2 What Is Internet Infrastructure?
What makes the network of networks eventually the Internet:
– IP (v4/v6): protocol to exchange data between end-points
– DNS: resolving human-readable names to IP addresses
– routing: inter-domain routing between networks, making IP addresses globally reachable
Thus this presentation is not about end-points:
– nothing about trojans, botnets, viruses, etc.
– it is about the network between the end-points

3 The Nature of Attacks on the Internet Infrastructure
DNS spoofing
– redirect to websites that are “evil twins”
– stealing personal information or money
DDoS amplification/reflection attacks
– knock out a competitor: business or in gaming
– blackmailing: receive money to stop the DDoS
Route hijacks
– knock out a competitor or inspect traffic
– intention (malicious or mistake) difficult to assess

4 DNS SPOOFING AND DNSSEC

5 DNS Spoofing and DNSSEC
DNS spoofing by cache poisoning
– the attacker floods a DNS resolver with phony information: bogus DNS results
– by the law of large numbers, these attacks eventually get a match and plant a bogus result into the cache
Man-in-the-middle attacks
– redirect to wrong Internet sites
– email to a non-authorized email server

6 What is DNSSEC?
Digital signatures are added to responses by the authoritative servers for a zone
A validating resolver can use the signature to verify that the response has not been tampered with
The trust anchor is the key used to sign the DNS root
Signature validation creates a chain of overlapping signatures from the trust anchor to the signature of the response
(the one-slide version; credits: Geoff Huston)

7 DNSSEC and Validation (in a single picture)
Diagram: a validating resolver, holding a local root key (preloaded), walks the chain in five steps through these records:
– A record www.nlnetlabs.nl. + signature
– DNSKEY record nlnetlabs.nl. + signature
– DS record nlnetlabs.nl. + signature (published in the nl. zone)
– DNSKEY record nl. + signature
– DS record nl. + signature (published in the root zone)
– local root key (preloaded)
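The chain in the picture, as an added example in Go that is not part of the presentation: the real DNSSEC algorithms, wire formats and RRSIG fields are stood in for by Ed25519 signatures, SHA-256 digests and a simple string serialisation, the keys are generated on the fly, and 192.0.2.10 is a made-up address. The point it demonstrates is that a break anywhere in the chain (a key that does not hash to its DS, or a signature that does not match the data) makes the final answer bogus.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// Zone holds a zone's DNSKEY and the DS record (hash of that key) its parent signs.
type Zone struct {
	Name  string
	Key   ed25519.PublicKey
	priv  ed25519.PrivateKey
	DS    []byte // SHA-256 of Key, published in the parent zone
	DSSig []byte // parent's signature over the DS record
}
func newZone(name string, parent *Zone) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, Key: pub, priv: priv}
	if parent != nil {
		sum := sha256.Sum256(pub)
		z.DS = sum[:]
		z.DSSig = ed25519.Sign(parent.priv, append([]byte(name+"/DS:"), z.DS...))
	}
	return z
}
// Validate walks from the preloaded root key down: each DS must verify under the parent
// key, each child key must hash to its DS, and the A record signature under the leaf key.
func Validate(anchor ed25519.PublicKey, chain []*Zone, name, rdata string, sig []byte) bool {
	key := anchor
	for _, z := range chain {
		sum := sha256.Sum256(z.Key)
		if !ed25519.Verify(key, append([]byte(z.Name+"/DS:"), z.DS...), z.DSSig) ||
			string(sum[:]) != string(z.DS) {
			return false // broken link in the chain: the answer is bogus
		}
		key = z.Key
	}
	return ed25519.Verify(key, []byte(name+"/A:"+rdata), sig)
}

// Demo builds root -> nl. -> nlnetlabs.nl. with constructed keys, then validates a
// genuine signed A record and a spoofed answer that reuses the same signature.
func Demo() (bool, bool) {
	root := newZone(".", nil)
	nl := newZone("nl.", root)
	labs := newZone("nlnetlabs.nl.", nl)
	chain := []*Zone{nl, labs}
	sig := ed25519.Sign(labs.priv, []byte("www.nlnetlabs.nl./A:192.0.2.10"))
	return Validate(root.Key, chain, "www.nlnetlabs.nl.", "192.0.2.10", sig),
		Validate(root.Key, chain, "www.nlnetlabs.nl.", "198.51.100.66", sig)
}
```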

8 DNSSEC Deployment
Open source authoritative DNS name servers supporting DNSSEC
– e.g., NSD, BIND 9, and Knot
Open source DNSSEC validating resolvers
– e.g., Unbound, BIND 9
Google Public DNS performs DNSSEC validation
– 8.8.8.8 and 8.8.4.4
– 2001:4860:4860::8888 and 2001:4860:4860::8844

9 DNSSEC and Community
RIPE
– DNS Working Group at RIPE meetings
– DNS Working Group mailing list: dns-wg@ripe.net
– DNSSEC training course: http://www.ripe.net/lir-services/training/courses
IETF
– DNSOP Working Group at IETF meetings
– DNSOP Working Group mailing list: dnsop@ietf.org
– RFC on operational practices: http://tools.ietf.org/html/rfc6781

10 Other References to DNSSEC
ISOC Deploy360
– http://www.internetsociety.org/deploy360/dnssec/
– information on basics, deployment, training, etc.
DNSSEC Deployment Initiative
– https://www.dnssec-deployment.org
– mailing list: dnssec-deployment@dnssec-deployment.org
OpenDNSSEC
– open-source turn-key solution for DNSSEC
– www.opendnssec.org

11 AMPLIFICATION ATTACKS AND SOURCE ADDRESS FILTERING

12 Spoofed Source Address Attacks
Diagram: attacker (1.2.3.4), DNS server (authoritative or resolver), victim (9.8.7.6)
– the attacker sends a query for www.example.com with the spoofed source address 9.8.7.6 (20-50 bytes)
– the DNS server sends the A record [+ signature] to destination address 9.8.7.6 (avg. around 600 bytes)

13 DNS Amplification Attack

14 Recent DDoS Attacks with Spoofed Traffic
The new normal: 200-400 Gbps DDoS attacks
March 2013: 300 Gbps DDoS attack
– victim: Spamhaus
– DNS amplification attack
– [offender arrested by Spanish police and handed over to Dutch police]
February 2014: 400 Gbps DDoS attack
– victim: customers of CloudFlare
– NTP amplification

15 Mitigation to Amplification Attacks
DNS amplification attacks
– response rate limiting (RRL)
– RRL available in NSD, BIND 9, and Knot
NTP
– secure NTP template from Team Cymru: http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
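An added illustration in Go of the RRL idea (constructed for this page; it is not the NSD, BIND 9 or Knot implementation): the limiter keys on the client netblock plus the answer rather than on the exact source address, because a spoofing attacker varies the low address bits freely, and a "slip" of truncated replies keeps a legitimate client behind the spoofed address able to retry over TCP. The rate, slip and the flood of spoofed queries from the slide's victim address 9.8.7.6 are constructed values.

```go
package main

import "net"

// RRL is a simplified limiter modelled on the idea behind NSD/BIND 9 RRL (constructed,
// not their code): identical answers to one client /24 (IPv6: /56) share a token bucket
// refilled each second; past it, every Slip-th reply is truncated (TC=1), the rest dropped.
type RRL struct {
	RatePerSec, Slip int
	buckets          map[string]*bucket
}
type bucket struct {
	tokens  int // goes negative while limited; -tokens counts the limited replies
	lastSec int64
}
// bucketKey masks the client to its netblock, since a spoofer varies the low bits freely.
func bucketKey(client net.IP, qname string) string {
	bits := 56
	if v4 := client.To4(); v4 != nil {
		client, bits = v4, 24
	}
	return client.Mask(net.CIDRMask(bits, len(client)*8)).String() + "|" + qname
}
func (r *RRL) Decide(client net.IP, qname string, nowSec int64) string {
	if r.buckets == nil {
		r.buckets = map[string]*bucket{}
	}
	k := bucketKey(client, qname)
	b, ok := r.buckets[k]
	if !ok || nowSec > b.lastSec { // first sighting, or a new second: refill
		b = &bucket{tokens: r.RatePerSec, lastSec: nowSec}
		r.buckets[k] = b
	}
	if b.tokens--; b.tokens >= 0 {
		return "respond"
	}
	if r.Slip > 0 && -b.tokens%r.Slip == 0 {
		return "truncate" // small TC=1 reply: no amplification, real clients retry over TCP
	}
	return "drop"
}

// Flood counts outcomes for n identical queries in one second, all carrying the
// victim's spoofed source address (9.8.7.6 on the slide; a constructed scenario).
func Flood(r *RRL, victim string, n int) map[string]int {
	counts := map[string]int{}
	for i := 0; i < n; i++ {
		counts[r.Decide(net.ParseIP(victim), "www.example.com.", 1)]++
	}
	return counts
}
```

With a rate of 5 per second and a slip of 2, a 100-query flood yields 5 full answers, 47 truncated replies and 48 drops, so the reflected volume towards the victim stays close to what the attacker sent in.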

16 … or BCP 38 and Filter Spoofed Traffic
BCP 38 (and related BCP 84)
Filter your customers
– strictly filter traffic from your customers
– strict unicast reverse path forwarding (uRPF)
– don’t be part of the problem
Filter your transit
– difficult to strictly filter your transit
– feasible or loose uRPF
– feasible uRPF not well supported by hardware vendors
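Added example, not from the slides: the strict and loose uRPF decisions in Go over a constructed three-entry FIB (the interface names cust1 and transit and the customer prefix 203.0.113.0/24 are assumptions). It shows why strict mode is the right choice on customer ports, and why loose mode on transit only catches sources from unrouted space, so a spoofed but globally routed address still passes there.

```go
package main

import "net"

// Route is one FIB entry: a prefix and the interface the router uses to reach it.
type Route struct {
	Prefix *net.IPNet
	Iface  string
}

type FIB []Route

// Lookup returns the longest-prefix match for ip, or nil if nothing covers it.
func (f FIB) Lookup(ip net.IP) (best *Route) {
	bestLen := -1
	for i := range f {
		if n, _ := f[i].Prefix.Mask.Size(); f[i].Prefix.Contains(ip) && n > bestLen {
			best, bestLen = &f[i], n
		}
	}
	return best
}

// Permit applies uRPF to a packet's source address. Strict mode (customer ports) accepts
// only if the best route back to src leaves through the ingress interface; loose mode
// (transit, where paths are asymmetric) accepts if any real route exists, so it only
// catches sources from unrouted space. A default route never vouches for a source.
func (f FIB) Permit(strict bool, ingress string, src net.IP) bool {
	r := f.Lookup(src)
	if r == nil {
		return false
	}
	if ones, _ := r.Prefix.Mask.Size(); ones == 0 {
		return false
	}
	return !strict || r.Iface == ingress
}

func cidr(s string) *net.IPNet { // literals below are constants, so the error is ignored
	_, n, _ := net.ParseCIDR(s)
	return n
}

// DemoFIB is a constructed router with one customer port and one transit port.
func DemoFIB() FIB {
	return FIB{
		{cidr("203.0.113.0/24"), "cust1"}, // the customer's own prefix
		{cidr("9.8.7.0/24"), "transit"},   // the slide's victim, reached via transit
		{cidr("0.0.0.0/0"), "transit"},    // default route
	}
}
```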

17 Address Spoofing and Community
RIPE
– RIPE meetings in plenary and working groups
– RIPE documents 431 and 432
  – http://www.ripe.net/ripe/docs/ripe-431
  – http://www.ripe.net/ripe/docs/ripe-432
– RIPE training course: http://www.ripe.net/lir-services/training/courses
IETF and others
– BCP 38 and BCP 84
– IETF SAVI WG
– Open Resolver Project: openresolverproject.org
– Open NTP Project: openntpproject.org

18 ROUTE HIJACKS AND RPKI

19 Recent News on Internet Routing Security
April 2, 2014: “Indonesia Hijacks the World”
– Indosat leaked over 320,000 routes (out of 500,000) of the global routing table multiple times over a two-hour period
– claimed that it “owned” many of the world’s networks
– a few hundred were widely accepted:
  – 0.2% low impact (5-25% of routes)
  – 0.06% medium impact (25-50% of routes)
  – 0.03% high impact (more than 50% of routes)
– for details see http://www.renesys.com/2014/04/indonesia-hijacks-world/

20 Less Recent News on Internet Routing Security
April 8, 2010: “China Hijacks 15% of the Internet”
– 50,000 of 340,000 IP address blocks makes 15%
– for roughly 15 minutes
Hijacking 15% of the routes does not imply 15% of Internet traffic
More realistic guesses
– on the order of 1% to 2% of traffic actually diverted, much less in Europe and the US
– on the order of 0.015% based on 80 ATLAS ISP observations, but still an estimate

21 Even Less Recent News on Internet Routing Security
February 2008: Pakistan’s attempt to block YouTube access within their country takes down YouTube globally
– mistakenly, the YouTube block was also sent to a network outside of Pakistan, and propagated
August 2008: Kapela & Pilosov showed an effective man-in-the-middle attack
– already known to the community, but never tested for real

22 Old News on Internet Routing Security
January 2006: Con-Edison hijacks a chunk of the Internet
December 24, 2004: TTNet in Turkey hijacks the Internet (aka the Christmas Turkey hijack)
May 2004: Malaysian ISP blocks Yahoo Santa Clara data center
May 2003: Northrop Grumman hit by spammers
April 1997: the "AS 7007 incident", maybe the earliest notable example?

23 Today’s Routing Infrastructure is Insecure
The Border Gateway Protocol (BGP) is the sole inter-domain routing protocol in use
BGP is based on informal trust models
– routing by rumor
– business agreements between networks
Route auditing is a low-value activity
– and not always done with sufficient thoroughness

24 IP Hijacking Explained
Diagram: networks A, B, C, D and E. A originates 213.154/16 (announcement “213.154/16: A”), which C passes on as “213.154/16: C, A”; E also originates the same prefix (“213.154/16: E”). Across the topology the prefix is therefore seen with the paths “A”, “C, A” and “E”, and nothing in BGP itself tells a receiver which origin is the legitimate one.

25 Typical Threats
Diversion of traffic (man-in-the-middle)
– third-party inspection, denial of service, subversion
Dropping traffic
– denial of service, compound attacks
Adding false addresses
– support for compound attacks
Isolating/removing routers from the network

26 Current Methods to Secure Routing Infrastructure
Filtering, filtering, filtering, …
– IP prefix filtering
– AS path filtering
– max-prefix filtering
Monitoring IP prefix / AS path
– detect changes in route origin announcements
– services provided by e.g. RIPE NCC, open source projects, and commercial partners
However, there is no trusted and authoritative data repository

27 Secure Inter-Domain Routing
Focus of the IETF Secure Inter-Domain Routing (SIDR) working group
Create a trusted and authoritative resource data infrastructure
– IP addresses and AS networks
Improve on IP prefix filtering and AS path filtering
– who holds the “right-of-usage” of a resource

28 Resource PKI: First Step to Improve Security
Regional Internet Registries (RIPE, APNIC, etc.) issue resource certificates
– proof of ownership of resources (IP addresses)
– … and recursively repeated by NIR/LIR/…
The owner of IP addresses publishes signed route origin attestations
– a ROA signed with the private key states the right of use of the addresses by a network (the route origin)
ISPs can validate BGP routing announcements
– validate ownership of the route origin by checking the signature in the ROA with the public key in the resource certificate

29 Routing with RPKI Explained
Diagram: the same topology as slide 24, now with origin validation. The four announcements that carry A as origin (“213.154/16: A” and “213.154/16: C, A”, twice each) are marked ✔; the two announcements “213.154/16: E” are marked ✗, because no ROA authorizes E to originate 213.154/16.
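Added example, not from the presentation: RFC 6811 route origin validation in Go for the slide's 213.154/16, with the constructed private-use AS numbers 64500 standing in for A and 64505 for E. Beyond what the picture draws, it also handles the more-specific announcement (a /17 of A's space) that falls outside the ROA's maxLength and is therefore invalid even when A itself originates it. Origin validation judges the path “C, A” by its origin A alone; checking the path itself is the job of BGPSEC (slide 30), not of RPKI origin validation.

```go
package main

import "net"

// ROA is a Route Origin Authorization: the holder of Prefix allows OriginAS to
// announce it, and any more-specific prefix down to MaxLength.
type ROA struct {
	Prefix    *net.IPNet
	MaxLength int
	OriginAS  uint32
}

type Validity string

const (
	Valid    Validity = "valid"
	Invalid  Validity = "invalid"   // a covering ROA exists, but none matches origin and length
	NotFound Validity = "not-found" // no ROA covers the prefix: unsigned space, not a hijack
)

// Validate gives the RFC 6811 origin-validation state of one BGP announcement
// (prefix plus origin AS) against a set of ROAs.
func Validate(roas []ROA, prefix *net.IPNet, originAS uint32) Validity {
	plen, _ := prefix.Mask.Size()
	state := NotFound
	for _, r := range roas {
		// a ROA covers the announcement if its prefix contains it and is no more specific
		if rlen, _ := r.Prefix.Mask.Size(); !r.Prefix.Contains(prefix.IP) || rlen > plen {
			continue
		}
		state = Invalid
		if r.OriginAS == originAS && plen <= r.MaxLength {
			return Valid
		}
	}
	return state
}

func cidr(s string) *net.IPNet { // literal below is a constant, so the error is ignored
	_, n, _ := net.ParseCIDR(s)
	return n
}

// DemoROAs holds the slide's 213.154/16, registered by network A; AS 64500 stands in
// for A and AS 64505 for E (constructed numbers from the private-use range).
func DemoROAs() []ROA {
	return []ROA{{Prefix: cidr("213.154.0.0/16"), MaxLength: 16, OriginAS: 64500}}
}
```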

30 Routing Security and Community
RIPE
– enable RPKI in the RIPE LIR portal for your resources
– RPKI origin validation in Cisco, Juniper, Alcatel-Lucent, … and the open source software Quagga and BIRD
– RIPE meetings in plenary and the Routing WG: routing-wg@ripe.net
IETF and others
– IETF SIDR WG for RPKI and BGPSEC protocol standardization
– IETF GROW WG on operational problems
– ISOC Deploy360 Programme: http://www.internetsociety.org/deploy360/securing-bgp/tools/

31 Summary
Is the Internet a dangerous place?
– yes/no, not different from the real world
We have a shared responsibility in securing our infrastructure (the Internet is you!)
– deploy DNSSEC
– BCP 38 and BCP 84
– route filtering and RPKI
Excellent training courses by RIPE NCC
Contact me or staff of RIPE NCC for questions

