The MAPS SAL Project Or, how to encourage people to type “ no ip directed ”, or to ritually desecrate their Proteons. Avi Freedman, Net Access.


The Problem (1) Tens of thousands of networks and subnets allow directed broadcast. Thus, pinging x.y.z.0 or x.y.z.255 can return a few, or tens or hundreds, of responses. Combined with a forged source address, it’s trivial to attack someone you don’t like. A dialup line can generate tens or hundreds of megs of smurf.

The Problem (2) This has been the case for many years, but it became a big problem once IRC-weenies figured it out. Tracking forged-source is very hard and requires (hi, Sean) intense and quick inter-provider cooperation. ISPs get smurfed for having certain dialup users, and then get smurfed if they kick off those same users.

The Traditional Solution The traditional solution is to use CAR to rate-limit ICMP to given destination(s), on all border interfaces. The slide abbreviates the IOS commands; expanded here, with the rate and burst values (which the slide does not give) and the destination left as placeholders:
  access-list 155 permit icmp any any
  interface f0/0/0
   rate-limit input access-group 155 <bps> <normal-burst> <excess-burst> conform-action transmit exceed-action drop
or, limiting only ICMP toward the destination(s) under attack:
  access-list 155 permit icmp any <destination>
  interface f0/0/0
   rate-limit input access-group 155 <bps> <normal-burst> <excess-burst> conform-action transmit exceed-action drop
"show interfaces rate-limit" shows you the progress...

Traditional Solution, ctd. Once you staunch the flow of crud, typically you can monitor the flow to see what smurf “amplifiers” are being used, and try to contact these amplifiers. Problem - most of the ones out there either have no contact info, or have rejected fixing the problem already. Still, some can be educated.
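The monitoring step above (looking at the flow of echo replies to see which amplifier nets are in use) as an added example; this is not code from the slides or from the SAL project, and the flow records, field names and the three-host threshold are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic): simplified NetFlow-style lines
# for ICMP echo replies (type 0) seen inbound on a border interface during a smurf.
SAMPLE_FLOWS = """\
src=198.51.100.1 dst=192.0.2.10 proto=icmp type=0 pkts=4000
src=198.51.100.2 dst=192.0.2.10 proto=icmp type=0 pkts=3900
src=198.51.100.7 dst=192.0.2.10 proto=icmp type=0 pkts=4100
src=198.51.100.9 dst=192.0.2.10 proto=icmp type=0 pkts=3800
src=203.0.113.5 dst=192.0.2.10 proto=icmp type=0 pkts=4200
src=203.0.113.6 dst=192.0.2.10 proto=icmp type=0 pkts=4050
src=203.0.113.11 dst=192.0.2.10 proto=icmp type=0 pkts=3950
src=10.9.8.7 dst=192.0.2.10 proto=icmp type=0 pkts=2
src=172.16.5.5 dst=192.0.2.77 proto=icmp type=8 pkts=10
"""

def parse_flows(text):
    """Parse key=value flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            fields["type"] = int(fields["type"])
            fields["pkts"] = int(fields["pkts"])
            ipaddress.ip_address(fields["src"])
            ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue
        flows.append(fields)
    return flows

def find_amplifiers(flows, min_hosts=3):
    """Group echo replies by source /24. Many hosts of one /24 all answering the
    same victim at the same time is the signature of a directed-broadcast amplifier."""
    per_net = defaultdict(lambda: {"hosts": set(), "pkts": 0, "victims": set()})
    for f in flows:
        if f["proto"] != "icmp" or f["type"] != 0:
            continue
        net = str(ipaddress.ip_network(f["src"] + "/24", strict=False))
        per_net[net]["hosts"].add(f["src"])
        per_net[net]["pkts"] += f["pkts"]
        per_net[net]["victims"].add(f["dst"])
    return {net: {"hosts": len(e["hosts"]), "pkts": e["pkts"], "victims": sorted(e["victims"])}
            for net, e in per_net.items() if len(e["hosts"]) >= min_hosts}

if __name__ == "__main__":
    for net, info in sorted(find_amplifiers(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{net}: {info['hosts']} replying hosts, {info['pkts']} pkts -> {info['victims']}")
```

The amplifier nets this reports are the ones to contact (or to hand to the SAL remove process); the lone 10.9.8.7 reply stays below the threshold and is not flagged.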

Still, a Problem This helps get useful work done if you have lots of excess capacity to peers and upstreams. Unless you pay on a usage basis. Some upstreams will help, some won’t. Some upstreams can’t feasibly do border-CAR; some just want to charge you.

The Ideal Solution The ideal solution would be {for everyone} to install filters to prevent forged IP source addresses from ever being generated!!!!!!! Big problem - too much load on wimpy VIP2/50s. The SAL project addresses this less directly, both for routers and for hosts.

The Plan (1) SAL is distributing a black-hole feed of smurf amplifier nets via BGP. Nets can be automagically withdrawn by entering their netblock after fixing their smurfiness. People can use it as a BGP RBL, or preferably, to generate host or router filters with code SAL will supply.

The Plan (2) The web sites explaining the system will not be behind the SAL BGP feed, so people inside blocked networks can get information and even submit themselves for removal. For new smurf amplifiers, attempts will be made to communicate with them and with their upstreams first. SAL routes will not be listed publicly.

Our Goal The goal is to eliminate smurf amplifiers as a source of difficulty. Single-source UDP or ICMP slams are much easier to track down… Short-term, we are seeking to get about 10% of the net using SAL; both web hosters and small and regional ISPs.

How it Works We have an online database of smurf amplifiers, with date entered, source, etc… That ties into custom BGP code with some of that data represented in communities. People participate by eBGP multihop peering with AS XXXX and setting next-hop to loopback. Routes have no-export set.

Operations Being run by the fine folks at MAPS. Modest fee to the MAPS folks to participate (note: no one will be turned away for monetary reasons). Info requests to user questions to NOC issues to

Problems with our Proposal Some feel it is too punishing of the smurf amplifiers. Let’s all work towards educating customers, and work with them to fix their configs. Major networks can’t adopt it because they serve too many smurf amplifiers. Anyone with a few thousand routes is probably hosting tens of them. We are addressing this by putting advertising ASs into route communities.
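An added example of the filter-generation idea from "The Plan (1)" together with the advertising-AS communities just described: it turns a feed listing into router filters and lets a participant exempt the amplifiers that sit behind its own AS (so they can be educated instead of filtered). This is not SAL's own code, and the feed text format, the SAL_AS value, the SAL_AS:advertising_AS community layout and ACL number 156 are all assumptions:

```python
import ipaddress

# Placeholder for the real SAL AS ("AS XXXX" in the slides); assumption.
SAL_AS = 65000

# Constructed sample of a feed dumped to text (assumption): one route per line,
# prefix first, then its communities; the advertising AS is carried as SAL_AS:asn.
SAMPLE_FEED = """\
198.51.100.0/24 65000:64501 no-export
203.0.113.0/24 65000:64502 no-export
192.0.2.128/25 65000:64501 no-export
this is not a route
"""

def parse_feed(text):
    """Return (network, communities) pairs; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            net = ipaddress.ip_network(parts[0])
        except ValueError:
            continue
        routes.append((net, set(parts[1:])))
    return routes

def advertising_as(communities):
    """Return the advertising AS encoded in a SAL_AS:asn community, or None."""
    for c in communities:
        head, sep, tail = c.partition(":")
        if sep and head == str(SAL_AS) and tail.isdigit():
            return int(tail)
    return None

def generate_filters(routes, my_as, acl=156):
    """Emit Cisco-style lines: an inbound ICMP deny for each amplifier net (what a
    victim-side border wants) and a Null0 static route (the local equivalent of the
    feed's next-hop-to-loopback). Nets advertised by my_as are skipped and reported."""
    acl_lines, null_routes, own = [], [], []
    for net, comms in routes:
        if advertising_as(comms) == my_as:
            own.append(str(net))
            continue
        acl_lines.append(f"access-list {acl} deny icmp {net.network_address} {net.hostmask} any")
        null_routes.append(f"ip route {net.network_address} {net.netmask} Null0")
    acl_lines.append(f"access-list {acl} permit ip any any")
    return acl_lines, null_routes, own
```

Calling generate_filters(parse_feed(SAMPLE_FEED), 64501) filters only 203.0.113.0/24 and reports the two nets behind AS 64501 as the participant's own customers to fix.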

Current Status An operational site with an operational remove list and an operational feed, but the service is still in alpha, with < 10 sites. Still in beta for participation, and are still working on legal documents. > 4gb/sec of peak traffic using the service. MAPS, with a few individuals as backup, to deal with operational issues.

We’re Looking for... Volunteers to assist with communication with smurf amplifiers before they are placed on the black-hole list. Sites to use the SAL service, both small and large. People to educate their smurf amplifier customers.

We’re Looking for... Feedback about smurf amplifiers being used in active smurf attacks. Technical and policy feedback.

Resources