Protecting Against BGP Hijacks: AS-SET Misuse and Prevention


Learn about the risks of AS-SET misuse in BGP hijacks and how to prevent fraudulent AS-SETs. Explore solutions like ASPA and monitoring IRRs to safeguard your network from malicious routing incidents. Stay informed and secure your BGP infrastructure effectively.

  • BGP Hijack Prevention
  • AS-SET Misuse
  • ASPA
  • IRR Monitoring
  • Network Security




Presentation Transcript


  1. Prelude to a BGP hijack? Improper uses of AS-sets?
     Lasse Jarlskov, Lasse.jarlskov@teliacompany.com

  2. What happened?
     Our upstream IP-transit provider alerted us: an AS-SET in the RIPE DB suddenly showed up referencing our AS number.

  3. Who dis?
     Clearly presenting the AS-set to their upstream: Russia or Tehran, IR?

  4. What is an AS-SET anyway?
     Just a list of ASes. It can be used for anything: ASes present at my IXP; ASes I have a BGP session with somewhere; ASes whose sales people bought me a beer at the latest conference.
     Most common recommended usage: IP-transit providers filtering BGP announcements from their customers. Example from MANRS: [figure not reproduced in the transcript]

  5. IP transit filtering
     ROA (Route Origin Authorisation): only validates the originating ASN, so it is easily spoofed.
     RPSL-based filtering: based on AS-SET, route(6) and aut-num objects; best practice (MANRS).
     [Diagram: an attacker AS sends a spoofed BGP announcement with the origin spoofed as Telia SE AS3301, so the route is ROA VALID and has the same AS-path length as the legitimate route; it reaches a Tier 1 upstream provider and another Tier 1, where RPSL-based filtering applies.]

  6. What can we do about fraudulent AS-sets?
     ASPA (Autonomous System Provider Authorization): currently going through the IETF; not ready yet.
     Monitoring IRRs: IRRexplorer, BGP.tools, etc.

  7. What to do? ASPA
     ASPA was designed specifically against this (equal AS-path length). Autonomous System Provider Authorization (ASPA), in short: who are my allowed upstreams?
     https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/
     https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/
     Still being worked on in the IETF. Real Soon Now[tm].
     While waiting: monitor who is referencing you in IRR DBs.
     [Diagram: the same spoofed BGP announcement from the attacker AS (origin spoofed as Telia SE AS3301) is still ROA VALID but ASPA INVALID at the Tier 1 upstream provider and the other Tier 1 running RPSL-based filtering.]

  8. What to do right now? Monitoring IRRs
     Search for your ASN / AS-SET, e.g. on bgp.tools (Whois tab) or irrexplorer.nlnog.net. Follow the chain of references. Some automated monitoring tools can provide automated alerts for long reference chains.

  9. Recursive monitoring
     Many, many, many AS-sets with questionable semantic meaning. E.g. Telia does not peer at DE-CIX Düsseldorf.
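The recursive reference check from slides 8 and 9, as an added Python example (not code from the presentation or from Telia): a small RPSL as-set parser plus a walker that finds every chain of AS-SETs leading back to your ASN, cuts cycles between sets, and flags referrers you did not expect as well as chains longer than a threshold. The IRR objects, set names and ASNs below are constructed placeholders, not real IRR data.

```python
import re
# Constructed RPSL as-set objects (placeholder set names, private-use ASNs); the
# IXP -> TRANSIT -> PEERS -> IXP loop is the kind of cycle real IRR data contains.
IRR_DUMP = """\
as-set:   AS-EXAMPLE-TRANSIT
members:  AS64500, AS-EXAMPLE-PEERS
as-set:   AS-EXAMPLE-PEERS
members:  AS64501, AS64502, AS-EXAMPLE-IXP
as-set:   AS-EXAMPLE-IXP
members:  AS64503, AS-EXAMPLE-TRANSIT
as-set:   AS-SUSPICIOUS
members:  AS64502
"""

def parse_as_sets(text):
    """Map each as-set name to its member tokens (ASNs or other as-set names)."""
    sets = {}
    for obj in re.split(r"(?m)^(?=as-set:)", text):
        name, members = None, set()
        for key, value in re.findall(r"(?m)^([\w-]+):\s*(.*)$", obj):
            if key == "as-set":
                name = value.strip().upper()
            elif key == "members":        # RPSL allows several members: lines per object
                members.update(m.strip().upper() for m in value.split(",") if m.strip())
        if name:
            sets[name] = members
    return sets

def reference_chains(sets, target_asn):
    """Chains of as-sets ending in target_asn, outermost first; cycles are not re-entered."""
    reverse = {}                                  # member -> as-sets listing it directly
    for name, members in sets.items():
        for m in members:
            reverse.setdefault(m, set()).add(name)
    chains = []
    def walk(node, chain):
        fresh = [p for p in sorted(reverse.get(node, ())) if p not in chain]
        if not fresh and len(chain) > 1:          # top of the tree, or only cyclic parents
            chains.append(list(reversed(chain)))
        for p in fresh:
            walk(p, chain + [p])
    walk(target_asn.upper(), [target_asn.upper()])
    return chains

def alerts(sets, target_asn, known_good, max_hops=2):
    """Unexpected referrers at any depth, plus reference chains longer than max_hops as-sets."""
    chains = reference_chains(sets, target_asn)
    unexpected = sorted({s for c in chains for s in c[:-1]} - set(known_good))
    return unexpected, [c for c in chains if len(c) - 1 > max_hops]
```

Feed `parse_as_sets` the whois output for the as-set objects you care about and run `alerts` on a schedule; a new name in the unexpected list is the "suddenly showed up referencing our AS number" case from slide 2.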

  10. What can we do about fraudulent AS-sets?
      ASPA (Autonomous System Provider Authorization): currently going through the IETF; not ready yet.
      Monitoring IRRs: why would you need a peering AS-set? Are you sure your peering AS-set actually only contains your peers?

  11. What are the ASPA components?
      draft-ietf-sidrops-aspa-profile (how to encode ASPA objects in DER)
      draft-ietf-sidrops-aspa-verification (how to apply ASPA to BGP)
      draft-ietf-sidrops-aspa-slurm (defining local overrides)
      draft-ietf-sidrops-8210bis (RPKI-to-Router specification)

  12. Soon: IETF SIDROPS WGLC
      WGLC = Working Group Last Call ("speak now or stay silent forever").
      Operators must be able to test the system end-to-end:
      a. Publish an ASPA in the test environment of an RIR
      b. Run a validator to fetch it
      c. Feed it via RTR to a router
      d. See on the router which routes are rejected/accepted
      e. Use SLURM to locally override the above results
      The ASPA drafts are interconnected; they form a cluster.

  13. Already today lots of software!
      OpenBGPD, BIRD, rpki-client, Routinator, RTRlib, StayRTR.
      Next year: Cisco? Juniper? Huawei? ASK YOUR VENDOR!
