Routing and router security in an operator environment


Page 1

Routing and router security in an operator environment

Olof Hagsand KTH CSC

DD2495 p4 2011

Page 2

Router lab objectives

• A network operator (e.g. an ISP) needs to secure itself, its customers and its neighbours from attacks.
• Most attacks originate in end-hosts, most notably Windows PCs.
• The attacks are usually against single hosts or servers.
• These attacks often use bandwidth and are normally not a problem for the operators themselves, since most operators have wire-speed routers; it is difficult to generate that large an amount of bandwidth.
• But an operator may want to protect its customers.
• Attacks can also be directed against the infrastructure itself, such as the control plane of the router.
  – The effects of such attacks may be disastrous.
• Operators also do not want to originate attacks.
  – Attacks may be based in their own customers.

Page 3

Attack traffic

Arbor Networks, 2011

Page 4

Attack traffic

Arbor Networks, 2011

Page 5

Routing failures by mistake

• AS7007 incident (1997): one router in AS7007 split all Internet routes into /24s and announced all of them with itself as origin.
• AS9121 incident (2004): more than 100000 /24 routes announced upstream.
• YouTube incident (2008): instead of blocking YouTube, all YouTube prefixes were announced to the Internet (next slide).

Page 6

Page 7

TCP attacks

• Since BGP uses TCP for peering, BGP is sensitive to TCP attacks.
• RST injection causes the peering to terminate.
• SYN floods may cause denial of service due to overload.
• TCP sequence prediction attack
  – Guessing the next sequence number can be used to inject false data.
• Protect the peering physically, with TTL checks, and with authentication: TCP MD5, IPsec.

Page 8

Indirect attacks

• Since the BGP peering runs on the same link as the data, an overloaded link may bring the BGP peering down.
• Examples where this has happened:
  – SQL Slammer
  – Nimda
  – Large-scale DoS attacks
• One can also send a large number of packets to the control plane (see next slide)
  – Packets directed at the route processor
    • e.g. terminating traffic (destined to the router)
    • Packets of novel functionality handled by the RP only (e.g. IPv6)
• You need to filter traffic to the RP
  – Rate-limit and identify which traffic the router "requires"
  – e.g.: ssh/bgp/is-is
  – Set firewall filters for terminating traffic
  – On Juniper routers this is done by filtering on the loopback interface 'lo' (lo0)

Page 9

Fast path, slow path

(Figure: a Control Processor, holding the CPU, routing table and memory, is attached to four line cards; the fast path runs between the line cards, the slow path goes via the control processor.)

• Fast path
  – If line cards can determine the outgoing port
• Slow path
  – The control processor must determine the outgoing port

Page 10

Route filtering

• Route filtering: examine all imported/exported routes and place policies on which routes are imported and announced.
• Typically at the edges of a network: towards customers or peers.
• Never run your internal routing protocol on interfaces where there may be external nodes
  – so that the IGP cannot be compromised by false routes.
• Egress filtering
  – Don't give transit by mistake.
• Ingress filtering
  – Check the validity of received routes.
  – Check with registries (e.g. RIPE).
  – (But these are not always updated.)
• Combine with traffic/packet filters (ACLs)
  – Only accept packets with source addresses matching the announced prefixes.
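A worked route-filtering configuration in Junos syntax, added here as an example (it is not from the slides or the course lab). It assumes X=1, so our own AS is AS65011 with core 192.168.1.0/24 and customer space 10.1.0.0/16, that the neighbouring AS65021 is expected to originate 10.2.0.0/16, and an assumed peering address 192.0.2.1; it also applies the TCP MD5 authentication mentioned on the TCP attacks slide.

```junos
policy-options {
    /* Ingress: accept from AS65021 only the prefixes it is expected to originate,
       and nothing more specific than a /24 (cf. the AS7007 and AS9121 incidents) */
    policy-statement import-from-as65021 {
        term expected-prefixes {
            from {
                protocol bgp;
                route-filter 10.2.0.0/16 upto /24;
            }
            then accept;
        }
        term reject-everything-else {
            then reject;
        }
    }
    /* Egress: announce only our own address space and our customers' prefixes.
       Routes learned from other peers or from transit are never re-announced,
       so we cannot give transit by mistake */
    policy-statement export-to-as65021 {
        term own-and-customer-prefixes {
            from {
                route-filter 192.168.1.0/24 exact;
                route-filter 10.1.0.0/16 orlonger;
            }
            then accept;
        }
        term no-transit {
            then reject;
        }
    }
}
protocols {
    bgp {
        group as65021 {
            type external;
            peer-as 65021;
            import import-from-as65021;
            export export-to-as65021;
            /* TCP MD5 authentication of the peering session (assumed shared secret) */
            authentication-key "assumed-shared-secret";
            /* assumed peering address of the AS65021 router */
            neighbor 192.0.2.1;
        }
    }
}
```

The registry check from the slide (e.g. RIPE) decides which prefixes belong in the import term; the filter itself cannot tell a legitimate announcement from a hijack.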

Page 11

Securing routing information within BGP

• But suppose a BGP router has been taken over by an attacker.
• How do you protect against falsified BGP information?
• BGP relies on mutual and 'transitive' trust.
• Attack forms:
  – Blackholing (malicious): announce a prefix to attract traffic and then drop it.
  – Redirection: traffic to a destination is redirected to another (incorrect) destination.
  – Subversion: force the traffic to pass through a specific link to eavesdrop on or modify data, while it still reaches the original destination.
  – Instability: successive advertisements and withdrawals trigger route flap damping.

Practical BGP: pages 343-370

Beware of BGP attacks

Page 12

Attack method: prefix hijacking

• Announce false updates
• Claim reachability of a prefix it does not have
• Claim it owns (originates) a prefix it does not own
  – Multiple Origin AS (MOAS)
• Prefix hijacking is limited by the connectivity and locality of the compromised router

Page 13

Example: prefix hijacking

(Figure: an AS topology with AS1 to AS6 and the attacker A.)

• A claims reachability to AS6 and ownership of prefixes of AS6, but cannot affect routers in AS4 and AS6 (and AS5 and AS3 to a certain degree).

Page 14

AS graph and peering relations

(Figure: AS1 to AS9 with links labelled Transit, Peer and Customer; tiers from top to bottom: Tier 1 (full Internet connectivity), NSPs/ISPs, Stubs/Customers.)

Page 15

Network Infrastructure protection

Arbor Networks, 2011

Page 16

Netsec lab topology

(Figure: the lab topology; the labels recovered from the diagram are listed below.)

• Tiers: Tier 1 (full Internet connectivity), NSPs/ISPs, Customers
• Routers: RTX1, RTX2, RTX3, RTX4
• Tier 1 transit: AS65000, reached over 192.71.24.32/27 (addresses .1 and .2)
• Own AS: AS650X1; neighbouring ASes: AS650(X+1)1 and AS650(X-1)1
• Interfaces shown: 2/0/0, 0/0/1, 1/0/1 and 1/0/0
• Core: 192.168.X.0/24; Customers: 10.X.0.0/16

Page 17

Juniper routers: J4300

Page 18

The CLI

• See the intro material in the IP routing course
  – http://www.csc.kth.se/utbildning/kth/kurser/DD2490/ipro1-11/labs.php
  – The first lab (static) contains a CLI tutorial
  – The reference manual contains common commands
• Two major modes:
  – Operational mode: monitor and troubleshoot network connectivity and hardware
  – Configure mode: configuration of interfaces, routing protocols, authentication, logging, etc.
• Completion and query
  – As you would expect, <TAB> and <?>
• Line editing
  – Emacs operations: <ctrl-b>, <ctrl-f>, <ctrl-a>, <ctrl-e>, <ctrl-p>, <ctrl-n>, ...
• On-line help:
  – help reference
  – help topic

Page 19

Firewall configuration

• Applies to interfaces: in and out
• Identifies packets, instead of routes
• Filters on lo are for local traffic

All filters have an implicit deny rule!

(Figure: the RE with interfaces eth-1/0/0, eth-1/0/1 and lo.)

Example:

interfaces {
    eth-1/0/0 {
        unit 0 {
            family inet {
                filter {
                    input rule1;
                    output rule2;
                }
            }
        }
    }
}
firewall {
    /* rule2, applied as the output filter above, is not shown on this slide */
    filter rule1 {
        term allow {
            from {
                source-address {
                    192.168.0.0/16;
                    10.0.0.0/8;
                }
            }
            then accept;
        }
        term reject {
            then {
                log;
                discard;
            }
        }
    }
}

Page 20

Firewall conditions and actions

Match conditions:
● destination-address
● source-address
● address
● destination-port
● source-port
● protocol
● dscp
● icmp-code
● packet-length
● interface-group
● fragmentation-offset
● fragment-flags
● first-fragment
● is-fragment
● ip-options
● tcp-flags
● tcp-established
● tcp-initial

Actions:
● accept: accept the packet and send it to its destination
● discard: silent discard
● reject: drop and send an ICMP error message to the source
● alert: log an alert for the packet
● count: count the packets
● sample: sample traffic
● log/syslog: the packet header is logged
● output-queue: assign the packet to an output queue
● loss-priority: set the packet loss priority (PLP)
● policer: apply a policer (next slide)

Page 21

Policers

• If a policer is associated with an interface, it rate-limits the traffic to adhere to a token bucket specifying average bandwidth and maximum burst size. When the threshold is exceeded, the traffic is either discarded, its loss priority is set, or it is placed in a specific output queue.
• Typical use: apply to lo0 to protect the RE
• Example:

firewall {
    policer p500k {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 50k;
        }
        then {
            discard;
        }
    }
}

Actions: discard, forwarding-class, loss-priority

Page 22

Support ticket 1

One of your customers, Media Solutions LDT, is using your network for a local office. Their access router is RTX3. They have recently been experiencing network slowdowns and problems connecting over SSH. From time to time their downlink has been full. They suspect they might be under a DDoS attack and ask you to try to mitigate the attack.

Page 23

DDoS mitigation

Arbor Networks, 2011

Page 24

SP1: Comments

• A customer is overwhelmed with traffic.
• You need to filter traffic using firewall rules.
• Which traffic do you drop?
  – You have to observe the traffic and create drop filters from the trace.
  – Assistants can provide dumps for you.
  – Where does the attack traffic come from?
  – Hint: identify illegal traffic.
• Where do you apply the filters?
  – Think about what parts of the network you want to protect.

Page 25

Support ticket 2

You have recently been contacted by the transit provider you are connected to (e.g. the operator that provides the link to RTX1). There have been complaints about a large amount of packets with invalid source addresses originating in your network. You are asked to solve this problem.

Page 26

SP2: Comments

• The transit provider receives traffic with illegal source addresses.
• Extend (or add new) firewall rules.
• For traffic transmitted from your network, which source addresses are legal / illegal?
• Where do illegal source addresses come from?
• Where do you apply filters?
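Source-address filtering for support ticket 2 (and for the last bullet of the route-filtering slide, "only accept packets with source addresses matching the announced prefixes"), added here as an example in Junos syntax; it is not the course's reference solution. It assumes X=1 (customer space 10.1.0.0/16, core 192.168.1.0/24, uplink 192.71.24.32/27), that eth-0/0/1 is the customer-facing interface of RTX3, and that eth-2/0/0 is the uplink on RTX1.

```junos
firewall {
    /* RTX3, input filter on the customer-facing interface (assumed eth-0/0/1):
       packets from the customer must carry a source inside its own allocation
       10.1.0.0/16 (assumed X=1); anything else is counted, logged and dropped.
       Illegal sources cannot leave the customer's access router this way. */
    filter customer-source-check {
        term legal-sources {
            from {
                source-address { 10.1.0.0/16; }
            }
            then accept;
        }
        term spoofed {
            then { count spoofed-from-customer; log; discard; }
        }
    }
    /* RTX1, output filter on the uplink to AS65000 (assumed eth-2/0/0):
       a second line of defence at the network edge, so only address space
       belonging to this network may leave it towards the transit provider. */
    filter egress-source-check {
        term own-address-space {
            from {
                source-address {
                    10.1.0.0/16;
                    192.168.1.0/24;
                    192.71.24.32/27;
                }
            }
            then accept;
        }
        term leaked {
            then { count spoofed-egress; discard; }
        }
    }
}
interfaces {
    /* on RTX3; on RTX1 the counterpart is eth-2/0/0 with output egress-source-check */
    eth-0/0/1 {
        unit 0 {
            family inet {
                filter { input customer-source-check; }
            }
        }
    }
}
```

The counters answer the ticket's "where do illegal source addresses come from?" question, since a non-zero spoofed-from-customer count identifies the offending access interface. For a single-homed customer, the same input check can also be done by Junos unicast RPF (rpf-check under family inet).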

Page 27

Support ticket 3

There have recently been several attacks on our routers. These have been both in the form of distributed DoS attacks and targeted attacks on various protocols on the routers, such as TCP reset attacks. To prevent new attacks we need to protect the routers. You have been given the task of designing and implementing a filter for the Routing Engines (located on the loopback interface of a Juniper router).

Page 28

SP3: Comments

• Routers are under attack.
• To protect the router engine (main CPU):
  – Add input firewall filters on loopback.
• Identify which traffic (e.g. protocols) you know the routers need: routing, ssh, ...
• Identify which sub-networks you want to access the routers from for control and management.
• Create firewall rules on lo that drop everything else.
• Also: rate-limit access traffic (but not routing).
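A loopback filter along these lines for support ticket 3, which also applies the policer mechanism from the Policers slide to the RP-protection point of the Indirect attacks slide; it is added here as an example and is not the course's reference solution. It assumes X=1, so the core and management subnet is 192.168.1.0/24, and that the Tier 1 neighbour's address on the 192.71.24.32/27 link is 192.71.24.1.

```junos
firewall {
    /* Policer for management traffic to the RE; routing traffic (BGP) is not policed */
    policer mgmt-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    filter protect-re {
        /* BGP only from the configured peers: the uplink neighbour (assumed 192.71.24.1)
           and the core routers (assumed 192.168.1.0/24). IS-IS runs over CLNS, not IP,
           so a family inet filter on lo0 does not affect it. */
        term bgp-from-peers {
            from {
                source-address { 192.71.24.1/32; 192.168.1.0/24; }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        /* SSH only from the management subnet (assumed 192.168.1.0/24), rate-limited */
        term ssh-from-management {
            from {
                source-address { 192.168.1.0/24; }
                protocol tcp;
                destination-port ssh;
            }
            then { policer mgmt-policer; accept; }
        }
        /* ICMP (ping, traceroute) rate-limited so it cannot overload the RE */
        term icmp {
            from { protocol icmp; }
            then { policer mgmt-policer; accept; }
        }
        /* Everything else, including unsolicited segments towards port 179: log and drop */
        term deny-rest {
            then { log; discard; }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
            }
        }
    }
}
```

Segments spoofed with a peer's source address still pass this filter; that is what the TTL check and TCP MD5 authentication from the TCP attacks slide add on top of it.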