Internet Society © 1992–2016 Two years of good MANRS - Improving Global Routing Security and Resilience MANRS Aftab Siddiqui [email protected] September 2017

AusNOG - Two Years of Good MANRS

Jan 29, 2018

Transcript
Page 1: AusNOG - Two Years of Good MANRS

Internet Society © 1992–2016

Two years of good MANRS - Improving Global Routing Security and Resilience

MANRS

[email protected]

September 2017

Page 2: AusNOG - Two Years of Good MANRS

Internet Routing – what is the problem?

• Internet routing infrastructure is vulnerable
  • Traffic can be hijacked, blackholed or detoured
  • Traffic can be spoofed
  • Fat-fingers and malicious attacks

• BGP is based on trust
  • No built-in validation of the legitimacy of updates

Page 3: AusNOG - Two Years of Good MANRS

https://bgpstream.com/

Page 4: AusNOG - Two Years of Good MANRS

Not a day without an incident
Data source: http://bgpstream.com/

[Chart: 6 months of suspicious activity, 1/1/17 to 8/1/17; series: Hijack, Leak]

Page 5: AusNOG - Two Years of Good MANRS

What’s behind these incidents?

• IP prefix hijack
  • AS announces prefix it doesn’t originate
  • AS announces more specific prefix than what may be announced by originating AS
  • Packets end up being forwarded to a wrong part of Internet
  • Denial-of-Service, traffic interception, or impersonating network or service

• Route leaks
  • Similar to prefix hijacking
  • Usually not malicious and due to misconfigurations
  • But may also aid traffic inspection and reconnaissance

• IP address spoofing
  • Creation of IP packets with false source address
  • The root cause of reflection DDoS attacks

Page 6: AusNOG - Two Years of Good MANRS

Are there solutions?

• Yes!
  • Prefix and AS-PATH filtering, RPKI…
  • BGPSEC under development at the IETF
  • Whois, Routing Registries and Peering databases

• But…
  • Lack of deployment
  • Lack of reliable data

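The two prefix-hijack cases from the previous slide, checked with route origin validation in the style of RFC 6811, which is what RPKI-based filtering applies. This is an added example, not part of the original slides; the ROA records and announcements are constructed from documentation prefixes and ASNs.

```python
import ipaddress

# Constructed ROA-style records: (prefix, max length, authorised origin AS).
# Documentation prefixes and ASNs only; not real registry data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Return (state, reason) for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "not-found", "no ROA covers this prefix"
    if any(asn == origin_as and route.prefixlen <= ml for ml, asn in covering):
        return "valid", "origin AS and prefix length match a ROA"
    if any(asn == origin_as for _, asn in covering):
        return "invalid", "more specific than the ROA allows"
    return "invalid", "origin AS is not authorised for this prefix"


# Constructed announcements covering the cases on the slide.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin
    ("192.0.2.0/24", 64511),     # AS announces a prefix it does not originate
    ("192.0.2.128/25", 64511),   # more-specific hijack by another AS
    ("192.0.2.128/25", 64500),   # right AS, but longer than max length
    ("2001:db8:1::/48", 64500),  # more specific, within max length
    ("198.51.100.0/24", 64500),  # no ROA published: cannot be validated
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state, reason = validate_origin(prefix, asn)
        print(f"{prefix:<18} AS{asn:<6} {state:<10} {reason}")
```

The last announcement comes back "not-found" rather than "invalid": without published data for a prefix, a filter has nothing to validate against, which is the "lack of reliable data" problem named on this slide.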

Page 7: AusNOG - Two Years of Good MANRS

Mutually Agreed Norms for Routing Security (MANRS)

MANRS defines four concrete actions that network operators should implement

• Technology-neutral baseline for global adoption

MANRS builds a visible community of security-minded operators

• Promotes culture of collaborative responsibility

Page 8: AusNOG - Two Years of Good MANRS

Good MANRS

• Filtering – Prevent propagation of incorrect routing information
  • Own announcements and the customer cone

• Anti-spoofing – Prevent traffic with spoofed source IP addresses
  • Single-homed stub customers and own infra

• Coordination – Facilitate global operational communication and coordination between network operators
  • Up-to-date and responsive public contacts

• Global Validation – Facilitate validation of routing information on a global scale
  • Publish your data, so others can validate

Page 9: AusNOG - Two Years of Good MANRS

Two years of MANRS

[Chart: MANRS members by # of AS; x-axis: 2014, 2015, 2016, 2017 (so far); y-axis: # of AS, 0 to 180]

Page 10: AusNOG - Two Years of Good MANRS

Increasing gravity by making MANRS a platform for related activities

• Developing better guidance
  • MANRS Best Current Operational Practices (BCOP) document: http://www.routingmanifesto.org/bcop/

• Training/certification programme
  • Based on BCOP document and an online module

• Bringing new types of members on board
  • IXPs

Page 11: AusNOG - Two Years of Good MANRS

Leveraging market forces and peer pressure

• Developing a better “business case” for MANRS
  • MANRS value proposition for your customers and your own network

• Creating a trusted community
  • A group with a similar attitude towards security

Page 12: AusNOG - Two Years of Good MANRS

Is there a business case for MANRS?

Page 13: AusNOG - Two Years of Good MANRS

Study Methodology

• Examining perceptions and expectations
  • Questionnaire-based study

• Assessment against existing 451 Research data
  • Common perception elements

• Service providers
  • Initial targeting interviews

• Global demographic
  • 25 telephone interviews

• Enterprise Internet teams
  • 250 web questionnaires
  • 1,000 employee minimum
  • Primarily North America

[Pie chart: Enterprise Demographics. Legend: Manufacturing, Professional Services, Retail, Telecommunications, Health, Financial, Insurance, Construction, Other. Values shown: 14%, 14%, 11%, 10%, 10%, 8%, 8%, 6%, 19%]

Page 14: AusNOG - Two Years of Good MANRS

Demographics

[Pie chart: Service Provider Size. Legend: 100-499, 500-999, 1000-2499, 2500-4999, 5000-9999, 10000+. Values shown: 12%, 8%, 24%, 8%, 20%, 28%]

[Pie chart: Enterprise Size. Legend: 1000-2499, 2500-4999, 5000-9999, 10000+. Values shown: 46%, 24%, 15%, 15%]

Page 15: AusNOG - Two Years of Good MANRS

A business case for an enterprise

Page 16: AusNOG - Two Years of Good MANRS

Enterprises Are Concerned About Security

• A core value for a majority

[Chart: y-axis 0% to 50%; x-axis: 1000-2499, 2500-4999, 5000-9999, 10,000+; series: Primary Core Value, Part of Our Values, Not Distinguishing]

Page 17: AusNOG - Two Years of Good MANRS

Enterprise Concerns Around Security

• Widely varying concerns across a range of issues

• And confidence that MANRS can help

[Chart: Internet Security Concerns. Categories: DDoS, Traffic hijacking, Address spoofing, Availability, Blacklisting. Values shown: 57%, 74%, 57%, 46%, 28%]

Page 18: AusNOG - Two Years of Good MANRS

And Enterprises are Willing to Pay for MANRS

• Significant value on security posture

• Median premium of 15%
  • 13% would only choose MANRS compliant providers

Q: Would you pay a premium for MANRS compliant services?

[Chart: y-axis 0 to 70; answers: no, 5% more, 10%, 15%, 20%, 25%, I would only choose a MANRS Compliant services]

Page 19: AusNOG - Two Years of Good MANRS

Enterprise Conclusions

• Great opportunity for service providers
  • While not well known by enterprises (yet), MANRS attributes are highly valued
  • Enterprises care about security and believe MANRS can help
  • Enterprises are willing to put MANRS compliance into RFPs and require it of their service providers

Page 20: AusNOG - Two Years of Good MANRS

A business case for an ISP

Page 21: AusNOG - Two Years of Good MANRS

Service Provider Awareness

[Chart: Awareness; axis 0 to 10; categories: Aware of what MANRS is, Familiar with some details of MANRS, Heard of MANRS, Never heard of MANRS]

Page 22: AusNOG - Two Years of Good MANRS

MANRS Effectiveness

Q: How effective do you think MANRS is/could be in improving Internet security?

[Chart: axis 0 to 18; groups: Today, Future; series: Not at All, Some, Very]

Page 23: AusNOG - Two Years of Good MANRS

MANRS Security Improvements

Q: Do you see MANRS as having a significant effect on improving Internet security/your organization’s security?

[Charts: two panels, Internet and Organization; categories in each: Large improvement, Some improvement, No improvement]

Page 24: AusNOG - Two Years of Good MANRS

Service Provider Motivations

Q: Which aspect of MANRS would provide the greatest reason for implementing for your organization?

[Chart: Reasons for Implementation. Categories: Being a good internet citizen, Being more secure, Increasing operating efficiency, Regulatory compliance. Values shown: 16%, 36%, 12%, 36%]

Page 25: AusNOG - Two Years of Good MANRS

Service Provider Conclusions

• Cautious enthusiasm, but market misperceptions
  • Much support for the actions and high expectations for the change MANRS could make on individual organizations and the Internet as a whole, if implemented widely

• Challenges in decision process
  • Technical teams drive for 64%
  • Technical teams have authority in 4%

• Limited expectations of enterprise value
  • Implementing MANRS and marketing an increased security posture to enterprises can serve as a business differentiator and translate into increased revenue

• Possibility for add-on security services to customers based on implementing MANRS actions

Page 26: AusNOG - Two Years of Good MANRS

Resource Statistics

Page 27: AusNOG - Two Years of Good MANRS


No. of ASNs: 2183

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

Page 28: AusNOG - Two Years of Good MANRS


No. of IPv6 Prefixes: 1126

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

Page 29: AusNOG - Two Years of Good MANRS


No. of IPv4 Prefixes: 7462

Data Source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

Page 30: AusNOG - Two Years of Good MANRS


No. of Prefixes Announced: 16794

Page 31: AusNOG - Two Years of Good MANRS

Top 3
• AS38719 – Dream Scape Networks
• AS9512 – Net Logistics Pty Ltd
• AS35803 – Digital Pacific

Top 3
• AS55795 – Verb Data Centre
• AS58979 – Cloud Registry
• AS10145 – Secure IP

Page 32: AusNOG - Two Years of Good MANRS

Bogus Prefixes/ASNs from Australia

Page 33: AusNOG - Two Years of Good MANRS

Possible Bogus Prefixes

| Prefix | Origin AS | AS Description | Peer AS | Peer AS Desc. |
|---|---|---|---|---|
| 45.124.164.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.164.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.165.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.166.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 45.124.167.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.20.219.0/24 | AS55795 | VERBDC1-AS-AP Verb Data Centre Pty Ltd, AU | AS17819 | Equinix |
| 103.58.216.0/22 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.216.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.217.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.218.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 103.58.219.0/24 | AS38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia, AU | AS4826 | Vocus |
| 119.160.232.0/21 | AS132070 | INTERVOLVE-BRISBANE-AS-AP Interhost Pacific Pty Ltd t/a Intervolve., AU | - | - |
| 203.89.101.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 203.89.103.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 203.89.107.0/24 | AS9499 | SUPERLOOP-AS-AP SUPERLOOP (AUSTRALIA) PTY LTD, AU | AS24093 | BigAir |
| 220.152.112.0/21 | AS23871 | AINS-AS-AP Australia Internet Solutions, AU | AS7474 | Optus |

http://www.cidr-report.org/as2.0/

Page 34: AusNOG - Two Years of Good MANRS

Possible Bogus ASNs

AS55481 Announced by AS1221 ASN-TELSTRA Telstra Pty Ltd, AU
AS64521 Announced by AS9822 AMNET-AU-AP Amnet IT Services Pty Ltd, AU
AS64627 Announced by AS23871 AINS-AS-AP Australia Internet Solutions, AU
AS65315 Announced by AS134188 NTTDATAVTS-AS-AP NTT DATA Victorian Ticketing System Pty Ltd, AU
AS65535 Announced by AS133178 ACABPS-AS-AP Australian Customs and Border Protection Service, AU
AS4294836336 Announced by AS2764 AAPT AAPT Limited, AU
AS4294836363 Announced by AS2764 AAPT AAPT Limited, AU
AS4294836392 Announced by AS2764 AAPT AAPT Limited, AU
AS4294836409 Announced by AS2764 AAPT AAPT Limited, AU
AS4294836414 Announced by AS2764 AAPT AAPT Limited, AU
AS4294836444 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901860 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901861 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901863 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901864 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901865 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901866 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901867 Announced by AS2764 AAPT AAPT Limited, AU

http://www.cidr-report.org/as2.0/

Page 35: AusNOG - Two Years of Good MANRS

Possible Bogus ASNs

AS4294901868 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901869 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901870 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901874 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901875 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901876 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901878 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901879 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901880 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901881 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901882 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901884 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901886 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901888 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901889 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901890 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901891 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901892 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901893 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901894 Announced by AS2764 AAPT AAPT Limited, AU

http://www.cidr-report.org/as2.0/

Page 36: AusNOG - Two Years of Good MANRS

Possible Bogus ASNs

AS4294901895 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901896 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901897 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901898 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901900 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901901 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901902 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901903 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901904 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901906 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901908 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901909 Announced by AS2764 AAPT AAPT Limited, AU
AS4294901910 Announced by AS2764 AAPT AAPT Limited, AU

http://www.cidr-report.org/as2.0/
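
All but one of the ASNs on the "Possible Bogus ASNs" slides fall in special-purpose ranges, so an AS-path filter can reject them without any registry lookup. The check below is an added example, not part of the original slides; the range table follows the IANA AS number registries, and the sample path in the usage is constructed.

```python
# Special-purpose and reserved AS number ranges (inclusive) from the IANA
# registries that are commonly filtered as bogon ASNs in received AS paths.
BOGON_ASN_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]


def classify_asn(asn):
    """Return the bogon label for an ASN, or None if it is in no such range."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit AS number: {asn}")
    for low, high, label in BOGON_ASN_RANGES:
        if low <= asn <= high:
            return label
    return None


def asdot(asn):
    """Render an ASN in asdot notation (high.low for 32-bit values)."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def bogon_asns_in_path(as_path):
    """Return [(asn, label)] for every bogon ASN found in an AS path."""
    return [(a, classify_asn(a)) for a in as_path if classify_asn(a)]


# A sample of the ASNs listed on the slides.
SLIDE_ASNS = [55481, 64521, 65535, 4294836336, 4294901860]

if __name__ == "__main__":
    for asn in SLIDE_ASNS:
        label = classify_asn(asn) or "no bogon range; check delegation data"
        print(f"AS{asn} (asdot {asdot(asn)}): {label}")
    # Constructed AS path ending in one of the slide's private-use ASNs.
    print(bogon_asns_in_path([4826, 2764, 4294901860]))
```

AS55481 matches no range here, so flagging it needs registry delegation data such as the APNIC file cited on the resource statistics slides.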

Page 37: AusNOG - Two Years of Good MANRS

Spoofer Results

| Session | Timestamp | Client Prefix | ASN | NAT | Spoof Private | Spoof Routable | Adjacency Spoofing |
|---|---|---|---|---|---|---|---|
| 228714 | 2017-05-23 12:47:28 | 180.214.94.x/24 | 9268 (OVERTHEWIRE-AS-AP) | no | received | received | /8 |
| 160215 | 2017-03-07 05:01:32 | 125.63.49.x/24 | 45570 (NETPRES-AS-AP) | no | received | received | /8 |
| 138763 | 2017-02-02 05:34:04 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 134201 | 2017-01-26 04:18:36 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 132112 | 2017-01-19 03:03:17 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 127707 | 2017-01-12 01:47:47 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |
| 123342 | 2017-01-05 00:32:31 | 117.120.47.x/24 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | blocked | blocked | /21 |
| | | 2402:e400:10xx::/40 | 4851 (HOSTNETWORKS-AS-AU-AP) | no | received | received | none |

https://spoofer.caida.org/recent_tests.php?as_include=&country_include=aus&no_block=1

Page 38: AusNOG - Two Years of Good MANRS

Conclusion

Page 39: AusNOG - Two Years of Good MANRS

MANRS Adds Value

• Strong motivations for service providers
  • Significant differentiation for enterprise buyers

• Identifiable value in a vague market
  • Education is required for enterprise

• Enterprises want to know more
  • Security information has value
  • Questions on regulatory involvement…

• Additional revenue opportunities for providers
  • Operational information
  • Information security information feeds
  • Sticky services

Page 40: AusNOG - Two Years of Good MANRS

Please join us to make routing more secure

• Go to https://www.manrs.org/signup/

• Provide requested information

• Please provide as much detail on how Actions are implemented as possible

• We may ask questions and ask you to run a few tests
  • Routing “background check”

• Spoofer https://www.caida.org/projects/spoofer/

• Your answer to “Why did you decide to join?” may be displayed in the testimonials

• Download the logo and use it

• Become an active MANRS participant

Page 41: AusNOG - Two Years of Good MANRS

Questions?

• Feel free to contact us if you are interested and want to learn more
  • http://www.routingmanifesto.org/contact/

• Mail: [email protected]

• Looking forward to your sign-ups:
  • http://www.routingmanifesto.org/signup/