Presentation is loading. Please wait.

Presentation is loading. Please wait.

Confidential | 23-5-2016 | The Naughty port Project Prepared by: Erik Bais May 2016 RIPE72 2016 – Copenhagen, DK.

Published byDiane Hampton Modified over 8 years ago

Similar presentations

Presentation on theme: "Confidential | 23-5-2016 | The Naughty port Project Prepared by: Erik Bais May 2016 RIPE72 2016 – Copenhagen, DK."— Presentation transcript:

1 Confidential | 23-5-2016 | The Naughty port Project Prepared by: Erik Bais ebais@a2b-internet.com May 2016 RIPE72 2016 – Copenhagen, DK

2 | RIPE72 2016 presentation 2016 Page | 2 What is our business ?? o Registration of IP addresses and AS numbers o IP Transit in various Dutch datacenters o Internet (Fiber) Access & Datacenter Network Services o 24 * 7 Monitoring and management of BGP infrastructure. o Specialized consultancy for ISP related topics like vendor selections, network design & implementation. What do we provide ?

3 | RIPE72 2016 presentation 2016 Page | 3 Currently in the following Dutch datacenters Currently 14 POP’s In The Netherlands

4 | RIPE72 2016 presentation 2016 Page | 4 The original question to solve..

5 | RIPE72 2016 presentation 2016 Page | 5 Results during a DDOS... o Customers start calling as their primary traffic link is filled with garbage. o Not every complaining customer can afford or want to pay for DDOS mitigation plans. o Customers will complain if they are seeing packetloss … o Customers will complain quickly if they are offering VoIP or Hosted Desktop or VPN services … ( Oh yes.. And gamers … ) o Customers don’t want to suffer from a DDOS to another customer. o The phone lines to the helpdesk are also red-hot during a DDOS … o Customers make it your problem …

6 | RIPE72 2016 presentation 2016 Page | 6

7 | RIPE72 2016 presentation 2016 Page | 7 Defining questions : o Where is the traffic originating from ( Which ASn.. ) o Is the (original) traffic Spoofed IP traffic ? o Can we filter the non-BCP38 traffic ?  Should we want to filter this ?  Will the used HW actually support such large ACL’s ? ( Nope..) o Why are we noticing those Top Speakers only during a DDOS ? o Will de-peering fix our issue ?

8 | RIPE72 2016 presentation 2016 Page | 8 Regular Internet Exchange setup

9 | RIPE72 2016 presentation 2016 Page | 9 Let’s build a test setup … o How do these DDOS Stresser / booter sites work …

10 | RIPE72 2016 presentation 2016 Page | 10 DDOS Amplification basics 1/2

11 | RIPE72 2016 presentation 2016 Page | 11 DDOS Amplification basics 2/2

12 | RIPE72 2016 presentation 2016 Page | 12 Let’s build a test setup … o How do these DDOS Stresser / booter sites work … o Enough scripts available on GitHub etc for testing …

13 | RIPE72 2016 presentation 2016 Page | 13

14 | RIPE72 2016 presentation 2016 Page | 14 Let’s build a test setup … o How do these DDOS Stresser / booter sites work … o Enough scripts available on GitHub etc for testing … o And no need to scan the complete internet for vulnerable IP’s.. Everything can be parsed from downloads of exports via Shodan.io for example …

15 | RIPE72 2016 presentation 2016 Page | 15

16 | RIPE72 2016 presentation 2016 Page | 16 Let’s build a test setup … o How do these DDOS Stresser / booter sites work … o Enough scripts available on GitHub etc for testing … o And no need to scan the complete internet for vulnerable IP’s.. Everything can be parsed from downloads of exports via Shodan.io for example … o And that insight gives a better view on why we see the following during a DDOS …

17 | RIPE72 2016 presentation 2016 Page | 17 AMS-IX Sflow tools

18 | RIPE72 2016 presentation 2016 Page | 18 The “We AMS-IX” page o Their per peer Sflow graphs & monitoring at the customer portal rocks. o The AMS-IX Route-servers support RPSL … (important … )  RIPE DB export-via / import-via support (YEAH!!) o Their NOC engineers were very helpful in assisting to get the solution to work. ( Thnx Aris & Kostas !! ) o The AMS-IX sales team provided us a flexible “Try and Buy” option contract at the Evoswitch Datacenter

19 | RIPE72 2016 presentation 2016 Page | 19 Let’s try something else... o List all AS’s that are only sending traffic DURING a DDOS amplification attack. o Most of these networks don’t send ANY or hardly any traffic during normal operations in our case.. o Can we peer with these parties via the Routeserver on Port X but not via Port Y … Will the Route Server support that.. ?? o Peer with the “Naughty Peers”, on a small (1Gb) IXP port. o Explain the setup to Sales@AMS-IX. Try this out in a setup in production.  A “try and buy agreement” for the second port via the AMS-IX EvoSwitch Datacenter Partner.

20 | RIPE72 2016 presentation 2016 Page | 20 RIPE RPSL & AMS-IX Routeserver integration  A simple include / exclude in RIPE RPLS was all it took …

21 | RIPE72 2016 presentation 2016 Page | 21 Fun fact … o AMS-IX had a 2 vendor approach before we started this project. o But one of the AMS-IX Route Server vendors couldn’t handle the new load on the route-server by the split view with the views via RPSL.

22 | RIPE72 2016 presentation 2016 Page | 22 So one of the Routeserver did …

23 | RIPE72 2016 presentation 2016 Page | 23 Fun fact … o AMS-IX had a 2 vendor approach before we started this project. o One of the AMS-IX Route Server vendors couldn’t handle the route-server split view with the views via RPSL. o Famous last words… “Let’s put this on production in Friday, what could go wrong…”  Resulting in the death of 1 set of route servers over the weekend …

24 | RIPE72 2016 presentation 2016 Page | 24 We asked the NOC …. o Shall we take it off-line ? o Will that help ? It is not in production anyway (for us..) o And they kindly declined in order to be able to troubleshoot  To have a valid reason to kill those RS …

25 | RIPE72 2016 presentation 2016 Page | 25 Kudos

26 | RIPE72 2016 presentation 2016 Page | 26 Naughty Port Setup

27 | RIPE72 2016 presentation 2016 Page | 27 New questions to ponder … o Why are some networks on the Naughty list … o Can we predict who should be on the list … o Do we have Santa Skills ?

28 | RIPE72 2016 presentation 2016 Page | 28 Santa Skillz …

29 | RIPE72 2016 presentation 2016 Page | 29 New questions to ponder … o Why are some networks on the Naughty list … o Can we predict who should be on the list … o Do we have Santa Skills ?  Can we tell who is Naughty and who is nice ?

30 | RIPE72 2016 presentation 2016 Page | 30 New questions to ponder … o Why are some networks on the Naughty list … o Can we predict who should be on the list … o Do we have Santa Skills ?  Can we tell who is Naughty and who is nice ? o What are the benefits of having a Naughty Port …

31 | RIPE72 2016 presentation 2016 Page | 31

32 | RIPE72 2016 presentation 2016 Page | 32 Rating the Naughty Networks …. o We’ve put every AS in a database … o Uploaded the number of Open resolvers, NTP servers, Chargen, SNMP, SSDP IP’s etc per AS in the database. o Pulled the number of announced IP per AS from the RIPE RIS API’s o A high Naughty Rating, doesn´t mean a bad peer …  But is a naughty peer worth the trouble on your premium network link ?  Is a peer selection based on ‘just’ traffic ratio accurate ? o Ratings can be improved by proper Abuse Management …  ( Yes it is that simple... )

33 | RIPE72 2016 presentation 2016 Page | 33 Time for reach-out … o We’ve asked several Dutch ISP’s if we can name them in this presentation and explain them about the project.. o Most of them responded with :  “Yes you may use our name and data…”  And … “How do we improve our rating ?” o And these are their results…

34 | RIPE72 2016 presentation 2016 Page | 34 Naughty Port ratings

35 | RIPE72 2016 presentation 2016 Page | 35 Naughty Rating interface

36 | RIPE72 2016 presentation 2016 Page | 36 How to improve you rating ? o Implement Abuse.IO … (Yes, it is free.. and Open Source !! )  https://abuse.io/ https://abuse.io/  For automagic abuse msg parsing and event handling o Request reports on your network at Shadowserver.org  https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOn YourNetwork#toc3 https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOn YourNetwork#toc3  There is a backlog on network report requests, processing may not be instant.

37 | RIPE72 2016 presentation 2016 Page | 37 Would you want your own Naughty Port ? o We can explain how it works … and how we did it.. o We can share the data … provide access to the portal. o All you need is an extra AMS-IX port and an extra AS number. o And you can decide for yourself who you want on your list.

38 | RIPE72 2016 presentation 2016 Page | 38 Triple-IT already proofed it can be fixed …

39 | RIPE72 2016 presentation 2016 Page | 39 Next steps : o Publish the Naughty Rating Search interface on a website.  We want the data to be open for all peering managers. o Check/discus what needs to be added.. ? TFTP ? Others ? o Checks per AS-SET’s as well as AS number.

40 | RIPE72 2016 presentation 2016 Page | 40 Who has a question ? Who has the first question ? Email to: ebais@a2b-internet.comebais@a2b-internet.com Or call : +31 – 85 – 90 20 410

Download ppt "Confidential | 23-5-2016 | The Naughty port Project Prepared by: Erik Bais May 2016 RIPE72 2016 – Copenhagen, DK."

Similar presentations

3.02H Publishing a Website 3.02 Develop webpages..

3.02H Publishing a Website 3.02 Develop webpages..
Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.

Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.
Request Tracking (RT) The new ticketing system Tomasz Wlodek.

Request Tracking (RT) The new ticketing system Tomasz Wlodek.
MyGateway. Top Tabs MyGateway Home Students Library

MyGateway. Top Tabs MyGateway Home Students Library
M2 – Explain the tools and techniques used in the creation of an interactive website. By Arturas Vitkovskij.

M2 – Explain the tools and techniques used in the creation of an interactive website. By Arturas Vitkovskij.
Rob Smets A user centred approach IPv6 deployment monitoring.

Rob Smets A user centred approach IPv6 deployment monitoring.
EFormula Evolution Advanced Webinar #1 The Internal Promotion Engine (the system and the tools)

EFormula Evolution Advanced Webinar #1 The Internal Promotion Engine (the system and the tools)
Customer e-Newsletter Exclusively for Usborne Books & More Consultants

Customer e-Newsletter Exclusively for Usborne Books & More Consultants
© 2014 VMware Inc. All rights reserved. BlazeMeter Load Testing Solution with vCloud Air High-level Overview Jan 2015.

© 2014 VMware Inc. All rights reserved. BlazeMeter Load Testing Solution with vCloud Air High-level Overview Jan 2015.
Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.

Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.
10/10/14 INASP: Effective Network Management Workshops Unit 6: Solving Network Problems.

10/10/14 INASP: Effective Network Management Workshops Unit 6: Solving Network Problems.
Chapter 14: Troubleshooting and Problem Resolution.

Chapter 14: Troubleshooting and Problem Resolution.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
S ELECTION OF WEB HOST AND WEB PAGE SYSTEM. W EB HOST stores all the pages of your website and makes them available to computers connected to the Internet.

S ELECTION OF WEB HOST AND WEB PAGE SYSTEM. W EB HOST stores all the pages of your website and makes them available to computers connected to the Internet.
“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.

“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
CONNECTION SETTINGS FOR USE WITH THE MOTION COMPUTING MODEL-F5 TABLET COMPUTER AKA: SIMON October 8, 2011 (And other useful information.)

CONNECTION SETTINGS FOR USE WITH THE MOTION COMPUTING MODEL-F5 TABLET COMPUTER AKA: SIMON October 8, 2011 (And other useful information.)

Similar presentations

Ads by Google