Internet Society © 1992–2016
Two years of good MANRS - Improving Global Routing Security and Resilience
MANRS
September 2017
Internet Routing – what is the problem?
• Internet routing infrastructure is vulnerable
  • Traffic can be hijacked, blackholed or detoured
  • Traffic can be spoofed
  • Fat-fingers and malicious attacks
• BGP is based on trust
  • No built-in validation of the legitimacy of updates
Not a day without an incident
Data source: http://bgpstream.com/
[Chart: 6 months of suspicious activity, 1/1/17 to 8/1/17; series: Hijack, Leak]
What’s behind these incidents?
• IP prefix hijack
  • AS announces prefix it doesn’t originate
  • AS announces more specific prefix than what may be announced by originating AS
  • Packets end up being forwarded to a wrong part of Internet
  • Denial-of-Service, traffic interception, or impersonating network or service
• Route leaks
  • Similar to prefix hijacking
  • Usually not malicious and due to misconfigurations
  • But may also aid traffic inspection and reconnaissance
• IP address spoofing
  • Creation of IP packets with false source address
  • The root cause of reflection DDoS attacks
Are there solutions?
• Yes!
  • Prefix and AS-PATH filtering, RPKI…
  • BGPSEC under development at the IETF
  • Whois, Routing Registries and Peering databases
• But…
  • Lack of deployment
  • Lack of reliable data
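The two hijack cases listed earlier (an AS announcing a prefix it does not originate, and a more specific announcement) checked with the RPKI-style validation named under the solutions, as an added example that is not from the original slides. It follows the RFC 6811 valid / invalid / not-found outcomes over a constructed authorization table; the prefixes and AS numbers are documentation values, and `ROAS`, `validate_origin`, `ANNOUNCEMENTS` and `classify` are names chosen for this example.

```python
import ipaddress

# Constructed authorization table in the shape of RPKI ROA payloads:
# (prefix, maxLength, authorized origin AS). Documentation values only.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 32, 64497),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Return (state, reason) for one announcement, RFC 6811 style."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A record covers the route when the route is equal to or inside it.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return ("not-found", "no covering authorization")
    if any(asn == origin_as and net.prefixlen <= ml for ml, asn in covering):
        return ("valid", "origin and length authorized")
    if any(asn == origin_as for _, asn in covering):
        return ("invalid", "more specific than maxLength")
    return ("invalid", "origin AS not authorized")

# Constructed announcements covering the cases on the slide.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # AS announces a prefix it does not originate
    ("192.0.2.128/25", 64511),    # more specific announced by another AS
    ("2001:db8:1::/48", 64497),   # right origin, longer than maxLength
    ("198.51.100.0/24", 64496),   # no authorization data published
]

def classify(announcements=ANNOUNCEMENTS):
    """Validate every announcement and return (prefix, asn, state, reason) rows."""
    return [(p, asn) + validate_origin(p, asn) for p, asn in announcements]

if __name__ == "__main__":
    for row in classify():
        print(*row, sep="  ")
```

The last announcement shows the effect of missing data: with no published authorization the route can only be marked not-found, so it cannot be rejected on origin grounds.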
Mutually Agreed Norms for Routing Security (MANRS)
MANRS defines four concrete actions that network operators should implement
• Technology-neutral baseline for global adoption
MANRS builds a visible community of security-minded operators
• Promotes culture of collaborative responsibility
Good MANRS
• Filtering – Prevent propagation of incorrect routing information
  • Own announcements and the customer cone
• Anti-spoofing – Prevent traffic with spoofed source IP addresses
  • Single-homed stub customers and own infra
• Coordination – Facilitate global operational communication and coordination between network operators
  • Up-to-date and responsive public contacts
• Global Validation – Facilitate validation of routing information on a global scale
  • Publish your data, so others can validate
Two years of MANRS
[Chart: MANRS members by # of AS, 2014 to 2017 (so far)]
Increasing gravity by making MANRS a platform for related activities
• Developing better guidance
  • MANRS Best Current Operational Practices (BCOP) document: http://www.routingmanifesto.org/bcop/
• Training/certification programme
  • Based on BCOP document and an online module
• Bringing new types of members on board
  • IXPs
Leveraging market forces and peer pressure
• Developing a better “business case” for MANRS
  • MANRS value proposition for your customers and your own network
• Creating a trusted community
  • A group with a similar attitude towards security
Study Methodology
• Examining perceptions and expectations
  • Questionnaire-based study
• Assessment against existing 451 Research data
  • Common perception elements
• Service providers
  • Initial targeting interviews
• Global demographic
  • 25 telephone interviews
• Enterprise Internet teams
  • 250 web questionnaires
  • 1,000 employee minimum
  • Primarily North America
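Enterprise Demographics
[Pie chart: Enterprise Demographics; categories: Manufacturing, Professional Services, Retail, Telecommunications, Health, Financial, Insurance, Construction, Other; data labels in extraction order: 14%, 14%, 11%, 10%, 10%, 8%, 8%, 6%, 19%]
Demographics
[Pie chart: Service Provider Size; categories: 100-499, 500-999, 1000-2499, 2500-4999, 5000-9999, 10000+; data labels in extraction order: 12%, 8%, 24%, 8%, 20%, 28%]
[Pie chart: Enterprise Size; categories: 1000-2499, 2500-4999, 5000-9999, 10000+; data labels in extraction order: 46%, 24%, 15%, 15%]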
Enterprises Are Concerned About Security
• A core value for a majority
[Chart by enterprise size (1000-2499, 2500-4999, 5000-9999, 10,000+); series: Primary Core Value, Part of Our Values, Not Distinguishing]
Enterprise Concerns Around Security
• Widely varying concerns across a range of issues
• And confidence that MANRS can help
[Chart: Internet Security Concerns; categories: DDoS, Traffic hijacking, Address spoofing, Availability, Blacklisting; data labels in extraction order: 57%, 74%, 57%, 46%, 28%]
And Enterprises are Willing to Pay for MANRS
• Significant value on security posture
  • Median premium of 15%
  • 13% would only choose MANRS compliant providers
[Chart; categories: no, 5% more, 10%, 15%, 20%, 25%, I would only choose a MANRS Compliant services]
Q: Would you pay a premium for MANRS compliant services?
Enterprise Conclusions
• Great opportunity for service providers
  • While not well known by enterprises (yet), MANRS attributes are highly valued
  • Enterprises care about security and believe MANRS can help
  • Enterprises are willing to put MANRS compliance into RFPs and require it of their service providers
Service Provider Awareness
[Chart: Awareness; categories: Aware of what MANRS is, Familiar with some details of MANRS, Heard of MANRS, Never heard of MANRS]
MANRS Effectiveness
[Chart: Today vs. Future; series: Not at All, Some, Very]
Q: How effective do you think MANRS is/could be in improving Internet security?
MANRS Security Improvements
[Charts: Internet and Organization; categories in each: Large improvement, Some improvement, No improvement]
Q: Do you see MANRS as having a significant effect on improving Internet security/your organization’s security?
Service Provider Motivations
[Chart: Reasons for Implementation; categories: Being a good internet citizen, Being more secure, Increasing operating efficiency, Regulatory compliance; data labels in extraction order: 16%, 36%, 12%, 36%]
Q: Which aspect of MANRS would provide the greatest reason for implementing for your organization?
Service Provider Conclusions
• Cautious enthusiasm, but market misperceptions
  • Much support for the actions and high expectations for the change MANRS could make on individual organizations and the Internet as a whole, if implemented widely
• Challenges in decision process
  • Technical teams drive for 64%
  • Technical teams have authority in 4%
• Limited expectations of enterprise value
  • Implementing MANRS and marketing an increased security posture to enterprises can serve as a business differentiator and translate into increased revenue
  • Possibility for add-on security services to customers based on implementing MANRS actions
No. of IPv6 Prefixes: 1126
Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest
No. of IPv4 Prefixes: 7462
Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest
Top 3
AS38719 – Dream Scape Networks
AS9512 – Net Logistics Pty Ltd
AS35803 – Digital Pacific
Top 3
AS55795 – Verb Data Centre
AS58979 – Cloud Registry
AS10145 – Secure IP
Possible Bogus Prefixes
Prefix | Origin AS | AS Description | Peer AS | Peer AS Desc.
45.124.164.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
45.124.164.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
45.124.165.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
45.124.166.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
45.124.167.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
103.20.219.0/24 | AS55795 | VERBDC1-AS-AP Verb Data Centre Pty Ltd, AU | AS17819 | Equinix
103.58.216.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
103.58.216.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
103.58.217.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
103.58.218.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
103.58.219.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus
119.160.232.0/21 | AS132070 | INTERVOLVE-BRISBANE-AS-AP Interhost Pacific Pty Ltd t/a Intervolve., AU | - | -
203.89.101.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir
203.89.103.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir
203.89.107.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir
220.152.112.0/21 | AS23871 | AINS-AS-AP Australia Internet Solutions, AU | AS7474 | Optus
http://www.cidr-report.org/as2.0/
Possible Bogus ASNs
http://www.cidr-report.org/as2.0/
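One class of bogus AS number can be caught with a static filter: private-use and reserved ASNs that appear in a received AS_PATH. The check below is an added example, not part of the original slides; the ranges are the IANA special-purpose AS number assignments, while the sample paths and the names `parse_asn`, `special_purpose` and `bogon_asns_in_path` are constructed for illustration.

```python
import re

# Special-purpose AS number ranges (IANA registry), inclusive bounds.
SPECIAL_ASN_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

def parse_asn(token):
    """Parse asplain ('4294901860') or asdot ('65535.100'), optional 'AS' prefix."""
    text = token.strip().upper()
    if text.startswith("AS"):
        text = text[2:]
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad asdot value: {token}")
        value = high * 65536 + low
    else:
        value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"AS number outside 32-bit range: {token}")
    return value

def special_purpose(asn):
    """Return the registry label for a special-purpose ASN, else None."""
    for low, high, label in SPECIAL_ASN_RANGES:
        if low <= asn <= high:
            return label
    return None

def bogon_asns_in_path(as_path):
    """List (asn, label) for each special-purpose ASN, AS_SET members included."""
    hits = []
    for token in re.findall(r"[0-9A-Za-z.]+", as_path):
        asn = parse_asn(token)
        label = special_purpose(asn)
        if label and (asn, label) not in hits:
            hits.append((asn, label))
    return hits

# Constructed AS paths (origin rightmost), not taken from live routing data.
SAMPLE_PATHS = ["7474 23871", "2764 4294836336", "9822 {64521,65535}"]
```

AS numbers that are simply unallocated fall outside these fixed ranges; finding them requires registry delegation data such as the delegated-apnic-latest file cited earlier on the page.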
Spoofer Results
Session | Timestamp | Client Prefix | ASN | NAT | Spoof Private | Spoof Routable | Adjacency Spoofing
228714 | 2017-05-23 12:47:28 | 180.214.94.x/24 | 9268 (OVERTHEWIRE-AS-AP) | no | received | received | /8
160215 | 2017-03-07 05:01:32 | 125.63.49.x/24 | 45570 (NETPRES-AS-AP) | no | received | received | /8
138763 | 2017-02-02 05:34:04 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21
 | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none
134201 | 2017-01-26 04:18:36 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21
 | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none
132112 | 2017-01-19 03:03:17 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21
 | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none
127707 | 2017-01-12 01:47:47 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21
 | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none
123342 | 2017-01-05 00:32:31 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21
 | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none
https://spoofer.caida.org/recent_tests.php?as_include=&country_include=aus&no_block=1
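Several rows above show spoofed IPv4 packets blocked while spoofed IPv6 packets from the same session were received. The model below is an added example, not part of the original slides: it applies source address validation on a customer-facing interface and reports what a remote receiver would see when the filter covers one address family or both. The customer table, probe addresses and the names `classify_source` and `probe` are constructed, and the IPv4-only filter is an assumption chosen to reproduce that pattern, not a statement about any listed network.

```python
import ipaddress

# RFC 1918 and IPv6 unique-local space: the "private" spoof category.
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed table: customer-facing interface -> prefixes assigned to that
# single-homed stub customer (documentation address space as a stand-in).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
}

def classify_source(iface, src, assigned=ASSIGNED):
    """Label a source address seen on a customer interface."""
    addr = ipaddress.ip_address(src)
    allowed = [ipaddress.ip_network(p) for p in assigned.get(iface, [])]
    if any(addr in net for net in allowed):
        return "legitimate"
    if any(addr in net for net in PRIVATE):
        return "spoof-private"
    return "spoof-routable"

def probe(iface, sources, acl_families=(4, 6)):
    """Return {source: 'received' | 'blocked'} as a remote receiver sees it.

    acl_families lists the IP versions the ingress filter is applied to;
    a family without a filter forwards every packet, spoofed or not.
    """
    result = {}
    for src in sources:
        version = ipaddress.ip_address(src).version
        spoofed = classify_source(iface, src) != "legitimate"
        filtered = version in acl_families
        result[src] = "blocked" if (spoofed and filtered) else "received"
    return result

# Constructed probe set: one legitimate and two spoofed sources per family.
PROBES = ["192.0.2.10", "10.1.2.3", "198.51.100.7",
          "2001:db8:a::1", "fd00::1", "2001:db8:ffff::1"]

if __name__ == "__main__":
    for families in ((4,), (4, 6)):
        print(families, probe("cust-a", PROBES, acl_families=families))
```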
MANRS Adds Value
• Strong motivations for service providers
• Significant differentiation for enterprise buyers
  • Identifiable value in a vague market
• Education is required for enterprise
  • Enterprises want to know more
  • Security information has value
  • Questions on regulatory involvement…
• Additional revenue opportunities for providers
  • Operational information
  • Information security information feeds
  • Sticky services
Please join us to make routing more secure
• Go to https://www.manrs.org/signup/
• Provide requested information
• Please provide as much detail on how Actions are implemented as possible
• We may ask questions and ask you to run a few tests
  • Routing “background check”
  • Spoofer https://www.caida.org/projects/spoofer/
• Your answer to “Why did you decide to join?” may be displayed in the testimonials
• Download the logo and use it
• Become an active MANRS participant
Questions?
• Feel free to contact us if you are interested and want to learn more
  • http://www.routingmanifesto.org/contact/
  • Mail: [email protected]
• Looking forward to your sign-ups:
  • http://www.routingmanifesto.org/signup/