Upload File

anti-spoofing and your network: bcp38, savi, and what to ... · ietf “savi” effort search for...

  • Home
  • Documents
  • Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)
13
IX Leeds 3 Open Meeting - June 2013 Anti-Spoofing and your network: BCP38, SAVI, and what to look for Mike Hughes, Ethernorth Consultancy

Upload: others

Post on 15-Oct-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

IX Leeds 3 Open Meeting - June 2013

Anti-Spoofing and your network:BCP38, SAVI, and what to look forMike Hughes, Ethernorth Consultancy

Page 2: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

March 2013: Spamhaus attacked

✤ Dubbed by some as “biggest attack seen so far” - but debatable

✤ Basically a huge “backscatter” attack - reported >300Gb/sec

Page 3: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Anatomy of a Backscatter Attack

ZombieArmy Open Resolvers Victim

.

.

.

.

.

.

.

.

Spoofed source - Victim address

Responses “amplified”toward victim

Page 4: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Anatomy of a Backscatter Attack

ZombieArmy Open Resolvers Victim

.

.

.

.

.

.

.

.

Spoofed source - Victim address

Responses “amplified”toward victim

Page 5: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Spoofed Source AddressEasy as writing it on the back of an envelope if you know how (or with the right malware)...

http://www.flickr.com/photos/frijole/4057271368/

http://www.flickr.com/photos/frijole/4057271368/
http://www.flickr.com/photos/frijole/4057271368/
Page 6: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Anti-Spoofing Measures: BCP38

✤ Search “IETF BCP38” for the document

✤ Describes current “best practice”

✤ Even if seems that it’s not widely followed?

http://www.flickr.com/photos/8212496@N06/2380082505

http://www.flickr.com/photos/8212496@N06/2380082505
http://www.flickr.com/photos/8212496@N06/2380082505
Page 7: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Does anybody care?

✤ Industry tries on occasion to raise awareness

✤ RIPE Task-Force started in 2006 to raise awareness

✤ Disbanded late 2007

✤ 5 years on, still banging on about this... really?

Page 8: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Why should you care?

✤ What’s it got to do with me?

✤ Running a clean network

✤ Doing the “right thing”

✤ You pay for your bandwidth, right?

✤ Costs of response and cleanup

http://www.flickr.com/photos/auntiep/3083645776/

http://www.flickr.com/photos/auntiep/3083645776/
http://www.flickr.com/photos/auntiep/3083645776/
Page 9: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Applying Anti-Spoofing

✤ Easier toward the edge

✤ More complex toward the core

✤ Common approaches are...

✤ Access list based filtering

✤ uRPF - Unicast Reverse Path Forwarding

Page 10: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

Why isn’t it deployed?

✤ Management of config

✤ Cost & time considerations?

✤ Because “no-one is demanding it”

✤ Perception that it’s “difficult”

Page 11: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

IETF “SAVI” effort

✤ Search for “IETF SAVI” for more info & working group

✤ Currently an informational RFC (6959) as a “problem statement”

✤ To make anti-spoofing and source address validation more applicable

✤ Thought is that you sanity check at the “downstream” edges

✤ Tie anti-spoofing to what is already known about topology

Page 12: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

What should you do?

✤ BCP38 filter own single-homed downstream customers, hosting networks, etc.

✤ Filter your own estate

✤ Ask your suppliers to use anti-spoofing measures if they don’t already

http://www.flickr.com/photos/thinkofacolour/5248664776/

http://www.flickr.com/photos/thinkofacolour/5248664776/
http://www.flickr.com/photos/thinkofacolour/5248664776/
Page 13: Anti-Spoofing and your network: BCP38, SAVI, and what to ... · IETF “SAVI” effort Search for “IETF SAVI” for more info & working group Currently an informational RFC (6959)

[email protected]

Ta-Dah!Questions? Comments? Brickbats?


IETF Report€¦ · About This Presentation This presentation is an official IETF report – This report covers TWO IETFs, IETF 100 and IETF 101 – This is not an in-depth IETF report

Network Security Best Practice (BCP38 & 140)

Zagreb na Savi

Savi chapter9

Ptk pend savi

Savi sizmari

Savi General Catalogue

Savi chapter6

A SAVI Solution for DHCP Draf-ietf-savi-dhcp-06 J. Bi, J. Wu, G. Yao, F. Baker IETF79, Beijing Nov. 9, 2010

draft-ietf-isms-dtls-tm Wes Hardaker ietf@hardakers

IETF Status at IETF 76

IETF Hackathon IETF 92, March 21-22,Dallas, TX IETF 92IETF Hackathon1

Savi chapter8

IETF 112 - IETF LLC Briefing

IP Spoofing & BCP38 · 2018-11-20 · MikroTik User Meeting IP Spoofing & BCP38 Ing. Mario Clep MKE Solutions 15 y 16 de Noviembre de 2018 Buenos Aires

Savi Systems

1ITU Telecom 99 Internet Standardization and the IETF Fred Baker IETF Chair Fred Baker IETF Chair

1 IETF Status at IETF 83 Russ Housley IETF Chair

1 IETF Status at IETF 85 Russ Housley IETF Chair

Savi chapter1

Savi Corporate Overview.PDF

Savic real estate@savi @savi-flyer-f

Savi chapter7

SAVI Advanced and SAVI Indices New SAVI tools published this year Jay Colbert Indianapolis

Savi Network

¿Cómo funciona el IETF? - ESNOG€¦ · ¿Cómo funciona el IETF? 2 Agenda Presentación Panorámica e historia del IETF Estructura del IETF Documentos en el IETF, proceso de estandarización

IETF における標準化・ ディプロイメント状況...Source Address Validation WG SAVI for Stateless Address Autoconfiguration SAVI for DHCP SAVI f S NDSAVI for Secure ND

Savi chapter12

Kupittaan Savi

1 IETF Status at IETF 78 Russ Housley, IETF Chair

Savi chapter4

SAV Interface Developer Toolkit user manual · 2018-08-31 · 2 About SAVI This section introduces SAVI and describes the SAVI programming paradigm SAVI programming methods how to

Lidia Model Savi

1 IETF Status at IETF 79 Russ Housley IETF Chair

Contents · 6 Plantronics Headset Parts and Accessories Guide 6.12 Savi® Office Savi Office, Convertible, WO100/101 Savi Office, Over-the-head Monaural, WO300 Savi Office, Over-the-ear,