Christoph Dietzel DE-CIX · 2018-06-07 · Hijacker’s Activities Are Hard to Detect IXP Route...
Page 1
Christoph Dietzel, DE-CIX
Secure Interconnection as a Fundament of a Digital ECO System
Page 2
"Security exists to facilitate trust. Trust is the goal, and security is how we enable it." – Bruce Schneier
• Abuse Management
• Blackholing Dashboard
• New Looking Glass
Page 3
IXPs are a Perfect Place for Hijackers
Often not well filtered BGP sessions (bilateral + route server)
It is easy to do nasty BGP tricks
• IP hijacks (e.g. not announced IP space)
• Combined ASN + IP hijacks (e.g. not operated ASNs)
• Hide hijacked resources behind upstream network – pretend that the spammer is just a clueless / bad customer of a customer
(Diagram: AS15159 announces 1.2.3.4/16 and 8.8.8.0/24 to the IXP route server)
Page 4
Hijacker’s Activities Are Hard to Detect
(Diagram: AS15159 announces 1.2.3.4/16 and 8.8.8.0/24 to the IXP route server; the upstream and the Global Routing Table do not see them)
Peering means learned routes are not propagated to upstream providers.
Hijacker announcements do not show up in the Global Routing Table.
For detection tools (e.g. RIPE RIS, BGPmon and Qrator) it is hard (to impossible) to detect ASN + IP hijacks.
Page 5
DE-CIX cares about Data Quality at its IXPs
• We are an IXP operator with clear rules in our contracts:
  • Layer 2
  • Layer 3 (mainly BGP)
• Violations of these rules might lead to prosecution – we care about (BGP) data quality
• We want to make sure IXPs are a stable and reliable place for exchanging traffic
Page 6
Abuse management at DE-CIX
• Defined contact person and guarantee discretion → solicit feedback from customers
• Redefine Abuse process
• Blacklist for expelled networks (during sales process)
(Diagram: ASN / IP hijacks)
Page 7
Page 8
Faster Innovation?
Market?
Page 9
Beta
Page 10
DE-CIX Beta Services
Disclaimer
• No 24/7 support
• SLAs do not apply
• Decommissioning possible anytime
• Beta services – all strings attached
Benefits
• Better feedback loop
• Free of charge
• Platform for smaller features/services
• Custom adoptions possible
Page 11
New Looking Glass Service
Page 12
Shows Filtered Routes
Page 13
Shows Reasons for Filtering
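The two slides above (hijacks hidden behind peering, and a looking glass that shows filtered routes with the reason) both come down to the same thing: the route server applying per-route checks and recording why a route was rejected. The following is an added example, not DE-CIX code and not the DE-CIX route-server policy; it applies a handful of common route-server checks (well-formed prefix, non-bogon, not too specific, peer AS first in the path, RPKI-style origin validation against a ROA table) and returns a list of human-readable filter reasons per announcement. The ROA table, the peer ASNs and the announcements are constructed sample data; AS15159 and the two prefixes are the ones from the slide diagram.

```python
"""Route-server style BGP announcement checks with per-route filter reasons.

Added example (not DE-CIX code). ROAS, the announcements in main() and all
ASNs apart from those on the slides are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str     # authorised prefix
    max_len: int    # longest prefix length the holder allows
    origin_as: int  # AS authorised to originate it


@dataclass(frozen=True)
class Announcement:
    peer_as: int              # AS of the route-server peer that sent the route
    prefix: str               # NLRI as received
    as_path: Tuple[int, ...]  # AS_PATH, peer first, origin last


# Constructed ROA table: AS15169 may originate 8.8.8.0/24, AS64496 may originate 1.2.0.0/16
ROAS = [ROA("8.8.8.0/24", 24, 15169), ROA("1.2.0.0/16", 16, 64496)]


def roa_state(net, origin_as: int, roas: List[ROA]) -> str:
    """RPKI-style origin validation: 'valid', 'invalid' or 'not_found'."""
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "not_found"  # no ROA covers the prefix: nothing to validate against
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_len:
            return "valid"
    return "invalid"  # covered by a ROA, but origin or length does not match


def filter_reasons(ann: Announcement, roas: List[ROA], max_prefix_len: int = 24) -> List[str]:
    """Return the reasons a route server would reject this announcement ([] = accepted)."""
    reasons: List[str] = []
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)  # rejects host bits set, e.g. 1.2.3.4/16
    except ValueError:
        return [f"malformed prefix: {ann.prefix}"]
    if not net.is_global:
        reasons.append(f"bogon or non-global prefix: {net}")
    if net.prefixlen > max_prefix_len:
        reasons.append(f"prefix longer than /{max_prefix_len}: {net}")
    if not ann.as_path:
        reasons.append("empty AS_PATH")
        return reasons
    if ann.as_path[0] != ann.peer_as:
        reasons.append(f"first AS in path is AS{ann.as_path[0]}, expected peer AS{ann.peer_as}")
    origin = ann.as_path[-1]
    if roa_state(net, origin, roas) == "invalid":
        reasons.append(f"RPKI invalid: AS{origin} is not authorised to originate {net}")
    return reasons


def main() -> None:
    # Constructed announcements: the two from the slide diagram plus a legitimate one
    # and one where the hijacked prefix is hidden behind an upstream peer.
    sample = [
        Announcement(15159, "1.2.3.4/16", (15159,)),
        Announcement(15159, "8.8.8.0/24", (15159,)),
        Announcement(64496, "1.2.0.0/16", (64496,)),
        Announcement(64496, "8.8.8.0/24", (64496, 15159)),
    ]
    for ann in sample:
        verdict = filter_reasons(ann, ROAS) or ["accepted"]
        print(f"AS{ann.peer_as} {ann.prefix} path={ann.as_path}: {'; '.join(verdict)}")


if __name__ == "__main__":
    main()
```

A prefix with no covering ROA is reported as "not_found" and not rejected, which mirrors how origin validation is usually deployed; it is exactly the gap the slides describe for unannounced IP space, which is why the MAC/ASN contract rules and abuse process on the later slides matter alongside the technical filter.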
Page 14
Page 15
Blackholing
• Filtering based on destination IP prefix
• Limited visibility – all traffic is dropped
• Simple but very effective
Blackholing Insights
• Statistics of your blackholed data
• Custom visualisations
• Identify the end of an attack
• Notifications and alerts
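The "Blackholing Insights" bullets describe statistics over the traffic a customer has blackholed and, in particular, using them to identify the end of an attack. As an added example (not the DE-CIX dashboard and not its data), the block below takes flow records for traffic that matched a blackholed prefix, aggregates them into fixed time buckets per prefix, and declares the attack over once the rate has stayed under a threshold for a number of consecutive buckets. The blackholed prefix, the flow records, the 60 s bucket and the 1 Mbit/s threshold are all constructed sample values.

```python
"""Blackholed-traffic statistics and attack-end detection.

Added example, not DE-CIX code. BLACKHOLED and FLOWS are constructed sample data;
the thresholds are arbitrary values chosen for the demonstration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: one /32 the customer has blackholed (203.0.113.0/24 is a documentation range)
BLACKHOLED: List[str] = ["203.0.113.10/32"]

# Constructed flow records: (unix timestamp, destination IP, bytes)
FLOWS: List[Tuple[int, str, int]] = [
    (5, "203.0.113.10", 25_000_000), (30, "203.0.113.10", 25_000_000),
    (70, "203.0.113.10", 60_000_000),
    (130, "203.0.113.10", 55_000_000),
    (190, "203.0.113.10", 2_000_000),
    (250, "203.0.113.10", 1_000_000),
    (370, "203.0.113.10", 1_000_000),
    (80, "203.0.113.99", 500_000),  # not blackholed: must be ignored
]


def bucketize(flows: Iterable[Tuple[int, str, int]], blackholed: List[str],
              bucket_s: int = 60) -> Dict[str, Dict[int, int]]:
    """Sum bytes per blackholed prefix per time bucket (bucket keyed by its start time)."""
    nets = [ipaddress.ip_network(p) for p in blackholed]
    series: Dict[str, Dict[int, int]] = {str(n): defaultdict(int) for n in nets}
    for ts, dst, nbytes in flows:
        addr = ipaddress.ip_address(dst)
        for n in nets:
            if addr.version == n.version and addr in n:
                series[str(n)][ts - ts % bucket_s] += nbytes
                break  # a flow is counted once even if prefixes overlap
    return {k: dict(v) for k, v in series.items()}


def peak_bps(series: Dict[int, int], bucket_s: int) -> float:
    """Peak bit rate over the series (0 for an empty series)."""
    return max((b * 8 / bucket_s for b in series.values()), default=0.0)


def attack_end(series: Dict[int, int], bucket_s: int, threshold_bps: float,
               quiet_buckets: int = 3) -> Optional[int]:
    """Start time of the first bucket from which the rate stayed below threshold_bps
    for quiet_buckets consecutive buckets after an above-threshold period; None if
    the attack never started or has not ended yet. Empty buckets count as zero."""
    if not series:
        return None
    quiet = 0
    above_seen = False
    for b in range(min(series), max(series) + bucket_s, bucket_s):
        bps = series.get(b, 0) * 8 / bucket_s
        if bps >= threshold_bps:
            above_seen = True
            quiet = 0
        elif above_seen:
            quiet += 1
            if quiet == quiet_buckets:
                return b - (quiet_buckets - 1) * bucket_s
    return None


def main() -> None:
    bucket_s = 60
    for prefix, series in bucketize(FLOWS, BLACKHOLED, bucket_s).items():
        print(f"{prefix}: {sum(series.values())} bytes, peak {peak_bps(series, bucket_s) / 1e6:.1f} Mbit/s")
        end = attack_end(series, bucket_s, threshold_bps=1_000_000)
        print("attack end:", "not yet" if end is None else f"bucket starting at t={end}s")


if __name__ == "__main__":
    main()
```

The "quiet for N buckets" rule is what turns the statistics into a notification: a single empty bucket is not enough to withdraw a blackhole, because attack traffic is often bursty, but several consecutive quiet buckets are a reasonable trigger for an alert that the customer can act on.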
Page 16
Page 17
Flow Demultiplexer
More insight for traffic exchanged
• Demultiplexer for IPFIX stream, based on the open source tool Vermont [1]
• Patch for L2 MAC address filtering
• Config generator and automation tools
• IPFIX stream for each "Access"
[1] https://www.net.in.tum.de/research/software/#vermont
DE-CIX Beta: Flow-data for Customers
How would you "collect" the IPFIX stream?
- Server behind your router
- System provided by equipment vendor
- …
Page 18
Thank You for Your attention!
DE-CIX Management GmbH | Lindleystr. 12 | 60314 Frankfurt | Germany
Phone + 49 69 1730 902 0 | [email protected] | www.de-cix.net