Peers Working Together to Battle Attacks to the Internet JANOG17 20 Jan 2006 Matsuzaki Yoshinobu <maz@iij.ad.jp> Tomoya Yoshida <yoshida@ocn.ad.jp> Taka Mizuguchi <taka@ntt.net> NSP-SEC/NSE-SEC-JP
Agenda NSP-SEC-JP Update ISP bogon routes bogon ISP Security survey Source Address Validation ACL, urpf How to use urpf 2
1. NSP-SEC-JP Update 3
1. NSP-SEC-JP Update NSP-SEC-JP NSP-SEC-JP Bogon Route-sever 4
1.1 NSP-SEC-JP NSP-SEC Sub-community NSP-SEC ML ISP/ICP confidential ML 5
1.2 NSP-SEC-JP < > 2006/1/6 ISP 25 Vender 3 Team Cymru 1 SP 6
1.3.1 bogon bogon route-server 5 http://www.cymru.com/bgp/bogon-rs.html.jis bogon BGP bogon 7
1.3.2 ISP Bogon Bogon ISP Private Link Local TestNet Multicast ISP 8
1.3.3 bogon route-server origin AS = 65333 community = 65333:888 bogon urpf loose mode source address bogon drop filtering ( more specific) 9
1.3.4 bogon route-server urpf loose 2 1 10
2. Security Trend 11
2.1 Darknet TCP UDP Warm 12
2.1.1 TCP Port 13
2.1.2 UDP Port 14
2.1.3 Worm W32/Sasser-A Deloder.A SQL Slammer Doomjuice Dabber.A 15
2.1.4 Worm W32/Sasser-A Deloder.A SQL Slammer Doomjuice Dabber.A 16
2.2.1 ISP Security Survey Tier-1/2 ISP / Tier1 Tier2 20 15 44% 10 28% 17
2.2.2 ISP Security Survey DNS Poisoning DDoS 64% 18
2.2.3 ISP Security Survey BGP DNS Poisoning DDoS BGP BGP BGP 19
2.2.4 ISP Security Survey 20
2.2.5 ISP Security Survey 500 500 21
2.2.6 ISP Security Survey 500 500 22
2.2.7 ISP Security Survey 10Gbps 1 10Gbps 500M 1Gbps 100 500Mbps 100M 23
2.2.8 ISP Security Survey 10Gbps 1 10Gbps 500M 1Gbps 100 500Mbps 100M 24
2.2.9 ISP Security Survey Web Web IRC IRC RIAA( RIAA( ) ISP ISP 25
2.2.10 ISP Security Survey 26
2.2.11 ISP Security Survey ACL BGP 27
3 Source Address Validation 28
3.1 Source IP address RFC3704 BCP84 Ingress Filtering for Multi-homed Networks 29
3.2 RT.a srcip: 0.0.0.0 srcip: 10.0.0.1 srcip: 0.0.0.0 RT.b srcip: 10.0.0.1 10.0.0.0/23 10.0.2.0/24 10.0.3.0/24 30
3.3 ACL Interface urpf check Source IP address 31
3.4 urpf check strict mode interface loose mode feasible mode 32
3.5 urpf 10.0.0.0/23 via <if.0> 10.0.2.0/24 via <if.1> 10.0.3.0/24 via <if.2> 10.0.4.0/24 via <if.3> if.3 if.0 if.1 if.2 srcip: 10.0.0.1 dstip: 10.0.4.1 forwarding 1. dst-ip 2. drop 3. urpf check 1. src-ip 2. drop (loose) 3. interface interface drop(strict) 4. urpf check OK! 33
3.6 urpf strict mode network 10.0.0.0/23 via <if.0> 10.0.2.0/24 via <if.1> interface OK srcip: 10.0.0.1 if.0 if.1 NG srcip: 10.0.0.1 interface drop 10.0.0.0/23 10.0.2.0/24 34
3.7 urpf loose mode network 10.0.0.0/23 via <if.0> 10.0.2.0/24 via <if.1> OK srcip: 10.0.2.1 if.0 if.1 NG srcip: 0.0.0.0 drop 10.0.0.0/23 : 10.0.2.0/24 : 35
3.8 urpf Cisco strict/loose mode /Engine urpf MIB drop packet netflow Juniper strict/feasible/loose mode urpf MIB drop cflowd AlaxalA 36
3.9 How to use urpf? Strict Single-homed Static Loose ISP Peer ISP Transit ISP ISP Multi-homed Static BGP Peer ISP 37
3.10 urpf ISP ISP loose strict static single homed static loose loose static static multi homed static loose loose ISP 38
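Added illustration (not from the slides): a small simulation of the strict/loose/feasible uRPF checks of 3.4-3.7, plus the bogon black-holing of 1.3.3 where a loose-mode check drops sources whose route points to Null0. The FIB uses the slide's prefixes; the second path for 10.0.2.0/24 and the 192.0.2.0/24 bogon entry are assumptions added to exercise feasible mode and the null route.

```python
import ipaddress

# Constructed FIB in the shape of slide 3.5: prefix -> candidate next-hop
# interfaces, best path first. The second path for 10.0.2.0/24 (via if.2) is
# an assumption used to show feasible mode; 192.0.2.0/24 stands in for a
# prefix learned from a bogon route-server and installed towards Null0.
FIB = {
    ipaddress.ip_network("10.0.0.0/23"): ["if.0"],
    ipaddress.ip_network("10.0.2.0/24"): ["if.1", "if.2"],
    ipaddress.ip_network("10.0.3.0/24"): ["if.2"],
    ipaddress.ip_network("10.0.4.0/24"): ["if.3"],
    ipaddress.ip_network("192.0.2.0/24"): ["Null0"],
}


def lookup(fib, addr):
    """Longest-prefix match for addr; returns the interface list or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best[1] if best else None


def urpf_check(fib, src, in_if, mode):
    """True if a packet from src arriving on in_if passes uRPF in the given mode."""
    ifaces = lookup(fib, src)
    if ifaces is None or ifaces == ["Null0"]:
        return False  # no route to the source (or black-holed): drop in every mode
    if mode == "loose":
        return True  # loose: any route back to the source is enough
    if mode == "feasible":
        return in_if in ifaces  # feasible: any candidate path, not only the best one
    if mode == "strict":
        return in_if == ifaces[0]  # strict: must arrive on the best path's interface
    raise ValueError(f"unknown uRPF mode: {mode}")


def forward(fib, src, dst, in_if, mode):
    """Walk the steps of slide 3.5: destination lookup, then the source check."""
    out = lookup(fib, dst)
    if out is None:
        return "drop: no route to destination"
    if not urpf_check(fib, src, in_if, mode):
        return f"drop: urpf {mode} check failed"
    return f"forward via {out[0]}"
```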
Let's Join NSP-SEC-JP!! 39
URL: http://puck.nether.net/mailman/listinfo/nsp-security-jp http://puck.nether.net/mailman/listinfo/nsp-security http://www.cymru.com/ http://www.arbor.net/downloads/arbor_worldwide_isp_security_report.pdf 40