SlideShare uma empresa Scribd logo

BGP Route Leaks at Ripe74

Qrator Labs
Qrator Labs

At the Ripe74 routing working group, Qrator Labs leading engineer Alexander Azimov gave a status update on the BGP route leaks issue. These are the slides to the video: https://youtu.be/4NAlJzVRwM0

Internet
1 de 25
Baixar para ler offline
Route Leaks: Status Update Alexander Azimov, Qrator Labs <aa@qrator.net>
Definition Route Leaks are propagation of BGP prefixes which violate assumptions of BGP topology relationships; e.g. passing a route learned from one peer to another peer or to a transit provider, passing a route learned from one transit provider to another transit provider or to a peer.
Leaked Prefixes If your prefixes are leaked: 1. Increased delays; 2. DoS; 3. MiTM attack.
Leaked Prefixes 0 5000 10000 15000 20000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Prefixes 0 10000 20000 30000 40000 50000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
Accepting Leaked Prefixes If your AS accepts leaked prefixes: 1. Increased delays; 2. DoS; 3. MiTM attack.
Accepting Leaked Prefixes 0,89 0,9 0,91 0,92 0,93 0,94 0,95 0,96 0,97 0,98 0,99 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Leakers If your AS leaks prefixes: 1. DoS attack, was it your goal? 2. MiTM attack, was it your goal? 3. If not, money loss, packet loss, reputation loss.
Leakers 520 540 560 580 600 620 640 660 680 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Leakers 0 200 400 600 800 1000 1200 1400 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
Communities No enforcement of policy existence and its correctness Set communities depending on policy Filter routes depending on set communities
Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET?
Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET? What if leak happens inside AS cone?
Monitoring • BGPStream + Caida AS Relations; • DYN/Renesys; • Radar by Qrator.
Preliminary Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; No opportunity to stop leak propagation in automated way
Peering Relations/Roles Provider: sends their own routes and (possibly) a subset of routes learned from their other customers, peers, and transit providers to their customer. Customer: accepts 'transit routes' from its provider(s) and announces their own routes and the routes they have learned from the transitive closure of their customers to their provider(s). Peer: announces their routes and the routes from their customer cone to other Peers. Internal: announces all routes, accepts all routes.
BGP Roles OPEN with customer role OPEN with peer role NotificationNotification 3 pairs of non-conflict roles: 1. Peer <---> Peer 2. Customer <---> Provider 3. Internal <---> Internal
Considerations • Roles are native; • Roles are not revealing any sensitive data to other parties; • Roles have a number of applications.
Route Leak Prevention: iOTC If route was learned from a provider or peer it should not be announced to another provider or peer Set iOTC if role is customer or peer Internal Session No iOTC change Filter routes if iOTC is set and role is customer or peer
Route Leak Detection: eOTC If role is provider or peer eOTC is set and eOTC!=AS2 AS1 AS3AS2 If route was learned from a customer or peer and eOTC is set and eOTC != neighbor AS then route was leaked If role is provider or peer eOTC=AS1 No Filters
What should we do with Route Leak?
What should we do with Route Leak? • What if there is no alternatives? • What if somebody violated eOTC value? Deprioritization instead of filtering!
Implementation protocol bgp IAMOPERATOR { local as MY_AS; neighbor X.X.X.X as AS_PROVIDER; role customer; } Github: https://github.com/QratorLabs/bird
No Fat Fingers Inside
IETF: Slow Motion March 2016: OTC attribute and roles; October 2016: OTC functionality split between eOTC and iOTC; March 2017: clarification of peering relations, eOTC is moved to a separate draft. Current version: https://www.ietf.org/id/draft-ymbk-idr-bgp-open-policy-03 https://tools.ietf.org/html/draft-ymbk-idr-bgp-eotr-policy-00
IETF: Slow Motion https://tools.ietf.org/html/rfc7908 Problem Definition and Classification https://tools.ietf.org/html/draft-ietf-idr-route-leak- detection-mitigation Alternative to eOTC https://tools.ietf.org/html/draft-ietf-grow-bgp-reject Change of BGP default behaviour
Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; • Roles + iOTC + eOTC can solve the general problem of route leaks that are result of mistake; • Collaborate with IETF!!! • Give us feedback: init.qrator.net/details/route-leak-mitigation

Recomendados

Ch20
Ch20Ch20
Ch20IDRIS USMANI
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
TASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureTASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureCybersecurity Education and Research Centre
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security ThreatsThousandEyes
 
Networking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIINetworking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIIVasanti Dutta
 
Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Paul Yang
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 

Recomendados

Ch20
Ch20Ch20
Ch20IDRIS USMANI
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
TASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureTASVEER : Tomography of India’s Internet Infrastructure
TASVEER : Tomography of India’s Internet InfrastructureCybersecurity Education and Research Centre
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security ThreatsThousandEyes
 
Networking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIINetworking lectures unit 2, MCA VII
Networking lectures unit 2, MCA VIIVasanti Dutta
 
Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Mitigating routing misbehavior in mobile ad hoc networks
Mitigating routing misbehavior in mobile ad hoc networks Paul Yang
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network OperatorsBangladesh Network Operators Group
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filtersRafael Alcazar
 
evaluation2.pptx
evaluation2.pptxevaluation2.pptx
evaluation2.pptxadnanmunirkhokhar
 
Ospf
OspfOspf
Ospfankit_saluja
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
IP ROUTING
IP ROUTINGIP ROUTING
IP ROUTINGanilinvns
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updatedSagarR24
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part bSagarR24
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTINGanilinvns
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
Networking in college
Networking in collegeNetworking in college
Networking in collegeHarpreet Gaba
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficTal Lavian Ph.D.
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
ENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxManuelRojas960410
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithmsMoctardOLOULADE
 
Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Qrator Labs
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs
 

Mais conteúdo relacionado

Semelhante a BGP Route Leaks at Ripe74

Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filtersRafael Alcazar
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updatedSagarR24
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part bSagarR24
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTINGanilinvns
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
Networking in college
Networking in collegeNetworking in college
Networking in collegeHarpreet Gaba
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficTal Lavian Ph.D.
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 

Semelhante a BGP Route Leaks at Ripe74 (20)

MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na Internet
 
Policy and firewall_filters
Policy and firewall_filtersPolicy and firewall_filters
Policy and firewall_filters
 
evaluation2.pptx
evaluation2.pptxevaluation2.pptx
evaluation2.pptx
 
Ospf
OspfOspf
Ospf
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
IP ROUTING
IP ROUTINGIP ROUTING
IP ROUTING
 
3 ip routing bgp-updated
3 ip routing bgp-updated3 ip routing bgp-updated
3 ip routing bgp-updated
 
3 ip routing part b
3 ip routing part b3 ip routing part b
3 ip routing part b
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTING
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
 
Networking in college
Networking in collegeNetworking in college
Networking in college
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport traffic
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
ENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptxENCOR_Chapter_6.pptx
ENCOR_Chapter_6.pptx
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithms
 

Mais de Qrator Labs

Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Qrator Labs
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs
 
Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Qrator Labs
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?Qrator Labs
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016Qrator Labs
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Qrator Labs
 
Сколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьСколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьQrator Labs
 
Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Qrator Labs
 
Caution i pv6 is here
Caution i pv6 is hereCaution i pv6 is here
Caution i pv6 is hereQrator Labs
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLSQrator Labs
 
ISP Border Definition
ISP Border DefinitionISP Border Definition
ISP Border DefinitionQrator Labs
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringQrator Labs
 
Internet Roads of Caucasus
Internet Roads of CaucasusInternet Roads of Caucasus
Internet Roads of CaucasusQrator Labs
 
Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Qrator Labs
 
Особенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакОсобенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакQrator Labs
 
Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Qrator Labs
 
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеWhite Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеQrator Labs
 
Тренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреТренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреQrator Labs
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Qrator Labs
 

Mais de Qrator Labs (20)

Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017Годовой отчет Qrator Labs об угрозах интернета 2017
Годовой отчет Qrator Labs об угрозах интернета 2017
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017
 
Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat. Memcached amplification DDoS: a 2018 threat.
Memcached amplification DDoS: a 2018 threat.
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?IoT: реальная угроза или маркетинг?
IoT: реальная угроза или маркетинг?
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году
 
Сколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делатьСколько стоит доступ в память, и что с этим делать
Сколько стоит доступ в память, и что с этим делать
 
Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]Анализ количества посетителей на сайте [Считаем уникальные элементы]
Анализ количества посетителей на сайте [Считаем уникальные элементы]
 
Caution i pv6 is here
Caution i pv6 is hereCaution i pv6 is here
Caution i pv6 is here
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
 
ISP Border Definition
ISP Border DefinitionISP Border Definition
ISP Border Definition
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
 
Internet Roads of Caucasus
Internet Roads of CaucasusInternet Roads of Caucasus
Internet Roads of Caucasus
 
Latency i pv4 vs ipv6
Latency i pv4 vs ipv6Latency i pv4 vs ipv6
Latency i pv4 vs ipv6
 
Особенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атакОсобенности использования машинного обучения при защите от DDoS-атак
Особенности использования машинного обучения при защите от DDoS-атак
 
Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016Финансовый сектор. Аспекты информационной безопасности 2016
Финансовый сектор. Аспекты информационной безопасности 2016
 
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозеWhite Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
White Paper. Эволюция DDoS-атак и средств противодействия данной угрозе
 
Тренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в миреТренды 2015 года в области интернет-безопасности в россии и в мире
Тренды 2015 года в области интернет-безопасности в россии и в мире
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015
 

Último

原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 

Último (20)

原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 

BGP Route Leaks at Ripe74

  • 1. Route Leaks: Status Update Alexander Azimov, Qrator Labs <aa@qrator.net>
  • 2. Definition Route Leaks are propagation of BGP prefixes which violate assumptions of BGP topology relationships; e.g. passing a route learned from one peer to another peer or to a transit provider, passing a route learned from one transit provider to another transit provider or to a peer.
  • 3. Leaked Prefixes If your prefixes are leaked: 1. Increased delays; 2. DoS; 3. MiTM attack.
  • 4. Leaked Prefixes 0 5000 10000 15000 20000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Prefixes 0 10000 20000 30000 40000 50000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
  • 5. Accepting Leaked Prefixes If your AS accepts leaked prefixes: 1. Increased delays; 2. DoS; 3. MiTM attack.
  • 6. Accepting Leaked Prefixes 0,89 0,9 0,91 0,92 0,93 0,94 0,95 0,96 0,97 0,98 0,99 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
  • 7. Leakers If your AS leaks prefixes: 1. DoS attack, was it your goal? 2. MiTM attack, was it your goal? 3. If not, money loss, packet loss, reputation loss.
  • 8. Leakers 520 540 560 580 600 620 640 660 680 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Unique Leakers 0 200 400 600 800 1000 1200 1400 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Cumulative Sum
  • 9. Communities No enforcement of policy existence and its correctness Set communities depending on policy Filter routes depending on set communities
  • 10. Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET?
  • 11. Proactive Approach AS Build filters using AS cone. Can we fully rely on AS-SET? What if leak happens inside AS cone?
  • 12. Monitoring • BGPStream + Caida AS Relations; • DYN/Renesys; • Radar by Qrator.
  • 13. Preliminary Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; No opportunity to stop leak propagation in automated way
  • 14. Peering Relations/Roles Provider: sends their own routes and (possibly) a subset of routes learned from their other customers, peers, and transit providers to their customer. Customer: accepts 'transit routes' from its provider(s) and announces their own routes and the routes they have learned from the transitive closure of their customers to their provider(s). Peer: announces their routes and the routes from their customer cone to other Peers. Internal: announces all routes, accepts all routes.
  • 15. BGP Roles OPEN with customer role OPEN with peer role NotificationNotification 3 pairs of non-conflict roles: 1. Peer <---> Peer 2. Customer <---> Provider 3. Internal <---> Internal
  • 16. Considerations • Roles are native; • Roles are not revealing any sensitive data to other parties; • Roles have a number of applications.
  • 17. Route Leak Prevention: iOTC If route was learned from a provider or peer it should not be announced to another provider or peer Set iOTC if role is customer or peer Internal Session No iOTC change Filter routes if iOTC is set and role is customer or peer
  • 18. Route Leak Detection: eOTC If role is provider or peer eOTC is set and eOTC!=AS2 AS1 AS3AS2 If route was learned from a customer or peer and eOTC is set and eOTC != neighbor AS then route was leaked If role is provider or peer eOTC=AS1 No Filters
  • 19. What should we do with Route Leak?
  • 20. What should we do with Route Leak? • What if there is no alternatives? • What if somebody violated eOTC value? Deprioritization instead of filtering!
  • 21. Implementation protocol bgp IAMOPERATOR { local as MY_AS; neighbor X.X.X.X as AS_PROVIDER; role customer; } Github: https://github.com/QratorLabs/bird
  • 22. No Fat Fingers Inside
  • 23. IETF: Slow Motion March 2016: OTC attribute and roles; October 2016: OTC functionality split between eOTC and iOTC; March 2017: clarification of peering relations, eOTC is moved to a separate draft. Current version: https://www.ietf.org/id/draft-ymbk-idr-bgp-open-policy-03 https://tools.ietf.org/html/draft-ymbk-idr-bgp-eotr-policy-00
  • 24. IETF: Slow Motion https://tools.ietf.org/html/rfc7908 Problem Definition and Classification https://tools.ietf.org/html/draft-ietf-idr-route-leak- detection-mitigation Alternative to eOTC https://tools.ietf.org/html/draft-ietf-grow-bgp-reject Change of BGP default behaviour
  • 25. Results • Well managed communities will prevent you from leaking; • Well defined policy can filter some leaks; • Monitoring can assist you in tracking route leaks; • Roles + iOTC + eOTC can solve the general problem of route leaks that are result of mistake; • Collaborate with IETF!!! • Give us feedback: init.qrator.net/details/route-leak-mitigation