IP Backbone Security > Nicolas FISCHBACH > Sébastien LACOSTE-SERIS
Transcription
IP Backbone Security > Nicolas FISCHBACH > Sébastien LACOSTE-SERIS
IP Backbone Security > Nicolas FISCHBACH IP Engineering Manager - COLT Telecom nico@securite.org - http://www.securite.org/nico/ > Sébastien LACOSTE-SERIS IP R&D Manager, Security Officer - COLT Telecom kaneda@securite.org - http://www.securite.org/kaneda/ version 1.0 Agenda » Introduction » External Gateway Protocol : BGP » Internal Gateway Protocols : OSPF and ISIS » Netflow based DDoS detection » MPLS and IPv6 » Conclusion © 2002 Sécurité.Org 2 What « runs » the Internet ? » Key protocols > BGPv4 (Border Gateway Protocol) > DNS (Domain Name System) > A mix of BGP and DNS in all new/recent technologies - DNS to store the information in new/extended type of records - BGP to distribute the information across the network » A few large vendors » > Limited range of ASIC powered devices > Some well known software release versions/trains (ie S-train) Non-technical stuff : people in the NOCs & coffee :-) © 2002 Sécurité.Org 3 What are the risks, if any ? (1) » The Internet is considered a critical infrastructure > But the trust model hasn’t really changed since the 70s > Can it survive a “chapter 11” from a really large provider ? > “Slashdot effect” (major links and websites -- even those with distributed content). Could larger deployment of multicast help ? > Best Current Practices make the network more resistant, but are not followed or deployed > Recent publications > IETF/IRTF Working Groups © 2002 Sécurité.Org 4 What are the risks, if any ? (2) » Current, new and future type of attacks > Misconfiguration is the most common “attack” > (D)DoS with spoofed source addresses - Kill your network / (IRC) servers - Use of routers as reflectors/amplifiers - No reliable traceback > Short-lived announcements used as source of SPAM/attacks > Advanced routing protocols attacks - Make your (internal/external) routing protocol unstable - Inject new routes/prefixes : MiTM/traffic rerouting attacks > Rootkits and Loadable Kernel Modules - Take control of a device capable of generation thousands of PPS (packets per second) - Control all the routing protocol traffic © 2002 Sécurité.Org 5 BGP : Protocol description » BGP (Border Gateway Protocol) > Current version : 4 > Listens on port 179/tcp > Optional authentication : - MD5 : adds an option to TCP (digest based on pseudoheader+header+data+shared password) > Point-to-point over directly connected interfaces or multihop between (TTL > 1) non adjacent routers > Routing information is exchanged in BGP Update message : © 2002 Sécurité.Org 6 BGP : Protocol description » BGP (Border Gateway Protocol) iBGP sessions Route reflectors AS X Core/Access Routers eBGP sessions {in,e}gress filtering AS Z © 2002 Sécurité.Org AS Y 7 BGP : Risks » Where are the risks ? > Internet Exchanges (“peering points”) - All providers are usually connected to the same shared infrastructure (a switch for example) - The filtering policy is usually more “relax” for peerings - Some major ones, no real (geo)diversity anymore » > Your direct {up,down}stream(s) > Route reflectors > Multi-hop configurations (Man-in-the-middle attack) > Less likely : some backbone router “out there” in the Internet or some hops away What is never “verified” > Origin-AS/prefix relation, “true” AS_path, source authenticity, etc © 2002 Sécurité.Org 8 BGP : Attacks (1) » Information gathering > Find the eBGP peers : - “Forward” and “reverse” traceroute / ICMP Record Route Public route-servers and looking glasses Directly adjacent IPs IPs often used for loopback interfaces (.1+, .254-) SNMP > Session parameters may be required : - Source/destination ports (ie. which router initiated the connection) - Right TTL © 2002 Sécurité.Org 9 BGP : Attacks (2) » Attacks against routers and BGP sessions > SYNflood 179/tcp > Drop the BGP session by RSTing the TCP connection or injecting bogus OPEN/KEEPALIVE/etc messages - Spoofed packet parameters (IPs, ports, SeqNum, TTL) may have to fit > BGP route injection tool : (what is the) challenge ? - Inject the UPDATE . MiTM (or ARP spoofing on IX switches) . Synchronize with/hijack the TCP session (MiTM or spoofed from remote) . Have a previous knowledge of the current configurations of the peers (a MiTM type of attack is more likely to happen) - BGP route injection tools exist (in private circles) > Security bug in the BGP implementation / modified BGPd © 2002 Sécurité.Org 10 BGP : Attacks (3) » Attacks against the network > Attacks playing with BGP parameters (local-pref, MEDs, communities) ? > Make your BGP sessions flap : make you or other destinations unreachable > Announce “more specific routes” of large blocks to increase the number of prefixes in the global routing table and eat up memory on all routers > Announce or “remove” some routes/prefixes or change their attributes > Direct all the traffic to a blackhole, direct it to a specific network (DDoS), create loops, etc. © 2002 Sécurité.Org 11 BGP : Sequence number prediction » ISN problems on Cisco routers Vulnerable IOS “Less” vulnerable IOS > “Fixed” as of 12.0(15) and 12.1(7) > ISNs are (still) time dependant Source : http://razor.bindview.com/publish/papers/tcpseq.html © 2002 Sécurité.Org 12 BGP : Monitoring & protection » What to monitor ? » > AS_path and prefixes you receive from upstreams > AS_path and prefixes that other ISPs are getting that contains your ASN/prefixes (route servers/looking glasses) > Are the paths changing (especially the best path) ? > Are some prefixes announced (temporary) in another AS ? > ARP changes (IX public switches) > Your logs for BGP related messages What is currently missing ? > Origin-AS/prefix mapping : automatically generated filters out of RIRs (Regional Internet Registries) like RIPE NCC’s DB (RPSL) are part of the solution but don’t cover everything : route object that lists the AS in which the network prefix is routed © 2002 Sécurité.Org 13 BGP : Filtering policy » Filtering recommendations > Don’t accept to have only /24 > Never accept, announce or redistribute prefixes that are longer than /24 or de-aggregated blocks > Use maximum-prefix (ie “full routing table” is currently ~110K-114K routes) > Only accept the customer’s allocated prefixes > Don’t filter on AS_path only, but also prefixes (customer may announce a more specific route): this the same as in/egress filtering of IP addresses ! > Filter bogon and non-allocated networks > Should you really accept/announce a default route in BGP ? > Have ingress and egress filters to limit the prefixes you receive/send © 2002 Sécurité.Org 14 BGP : Ingress/egress filtering (1) » What you should never route/see/allow through » > RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) > 0.0.0.0/x, 127.0.0.0/8 > 169.254.0.0/16 (auto-configuration when no DHCP) > 192.0.2.0/24 (Netname: TEST-NET, like example.com) > 192.88.99.0/24 (RFC 3048, used by 6to4 routers) > Multicast blocks (D Class) and Martian networks (E+) > “Hijacked” space by some vendors (192.0.0.192 for printers) > (ARIN) Reserved blocks (bogon networks) > Packets to broadcast addresses or where source == destination What you should route/let through > Your network prefixes (anti-spoofing) © 2002 Sécurité.Org 15 BGP : Ingress/egress filtering (2) » Example with ACLs > Filter on network border : CPE/IX/uplinks interface xy access-group in 100 access-group out 100 access-list 100 deny ip host 0.0.0.0 any access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255 access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 192.88.99.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 240.0.0.0 15.255.255.255 any access-list 100 permit ip any any ! Or permit ip <your network prefixes only> » Example with route to Null0 (“discard” on Juniper) ip route 10.0.0.0 255.0.0.0 null0 ip route 172.16.0.0 255.240.0.0 null0 ip route 192.168.0.0 255.255.0.0 null0 © 2002 Sécurité.Org 16 BGP : Security recommendations (1) » Security measures > Log changes (and think about using IPsec -- CPU and $) > Use MD5, but not the same password with all the peers > Filter and limit the number of prefixes, filter the AS_path > Use a “secondary” or “loopback” IP address for the eBGP session to hide parf of the eBGP session details > Protect routes towards Root Servers (<x>.{root, gtld}servers.net) : exclude them from the route dampening > Filtering and routing policies are important, but don’t forget: - to harden your router configuration - to use secure in and out-of-band management and monitoring tools/protocols - that physical access to the router gives “full rights” (peering points/data centers) © 2002 Sécurité.Org 17 BGP : Security recommendations (2) » Security measures router bgp 65000 no bgp dampening bgp dampening route-map dampening-list bgp log-neighbor-changes network x.x.x.x neighbor y.y.y.y remote-as 65001 neighbor y.y.y.y password <MD5password> neighbor y.y.y.y version 4 neighbor y.y.y.y prefix-list theirnetworks in neighbor y.y.y.y prefix-list ournetworks out neighbor y.y.y.y maximum-prefix 120000 neighbor y.y.y.y route-map ourASpath out ip ip ip ip ip ip prefix-list ournetworks seq 5 permit x.x.x.x/y prefix-list ournetworks seq 10 deny 0.0.0.0/0 le 32 prefix-list theirnetworks seq 5 permit x.x.x.x/y prefix-list protected-prefixes permit x.x.x.x/y prefix-list <other prefix-list> permit x.x.x.x/y as-path access-list 99 permit ^<AS>( <AS>)*$ route-map ourASpath permit 10 match as-path 99 route-map dampening-list deny 10 match ip address prefix-list protected-prefixes route-map dampening-list permit 20 match ip address prefix-list <other prefix-list> set dampening <your dampening parameters> © 2002 Sécurité.Org 18 BGP : Future (1) » S-BGP > Covers part of the integrity/AA(A) issues and is based on : - a PKI . to verify ownership (IPs/AS) and Origin-AS/prefix relation . to validate signed UPDATE (with Route Attestations) messages, their content and BGP speakers . to manage certificates and CRLs (Certificate Revocation List), etc - IPsec for the router-to-router session > Implementation and deployment imply that : - RIRs act as a CA (Certificate Authority) and tree root - Servers storing certificates, CRLs, and other information have to be distributed and “protected” from DoS (non-routed ?) - S-BGP supported on large routers with enough memory (volatile and non-volatile) and CPU - ISPs are willing/forced to do correct “paperwork” © 2002 Sécurité.Org 19 BGP : Future (2) » Working Groups > IETF - rpsec (Routing Protocol Security Requirements) - ptomaine (Prefix Taxonomy Ongoing Measurement & Inter Network Experiment) - msec (Multicast Security) > RIPE : Routing Working Group > IRTF : Group Security (GSEC, formerly Secure Multicast Group) » Don’t forger router “host” security ! » Forensics (who used to announce which prefix) > Route information stored inside DBs at large peering points or by large providers © 2002 Sécurité.Org 20 OSPF : Protocol description » OSPF (Open Shortest Path First) > Protocol type 89 > Multicast traffic : “easy” to inject LSAs (Link State Advertisement) > Active adjacencies between all the routers and the (B)DRs (DR/BDR status is based on Router ID and priority) > SPF (Shortest Path First) recalculation takes time and CPU Backup Designated Router (BDR) Designated Router (DR) Area 2 Backbone area (Area 0) Autonomous System Border Router (ASBR) Area Border Router (ABR) Network running another IGP © 2002 Sécurité.Org Area 1 21 OSPF : Attacks » Attacks against OSPF > Since the (B)DRs don’t preempt, it’s needed to “kill” the legitimate ones to take the functionality over > A “local” area LSA may be exported to another area (over an ABR) or even to another AS (over an ASBR) - ABRs and ASBRs are key routers together with (B)DRs > OSPF LSAs (even “MD5ed”) can be replayed (sequence number) - inject/withdraw routes - break adjacencies (higher sequence number/hello message) - MAXAGE LSAs can be send to purge the related OSPF DB > More or less impossible to protect the network from an internal attack/threat : routers can “lie” (about their role or modify the information they announce) © 2002 Sécurité.Org 22 OSPF : Security (1) » Security measures > Authenticate OSPF exchanges (per interface) with MD5 (not Null nor cleartext). MAC is (OSPF payload+secret) interface xy !ip ospf authentication-key <key> ip ospf message-digest-key 1 md5 <key> router ospf 1 area 0 authentication [message-digest] > Turn your network into a NBMA (Non Broadcast Multiple Access - “point-to-point links only”) network interface xy ip ospf network non-broadcast router ospf 1 neighbor x.x.x.x > (Positive) side effect of link-state protocols : routers may counter the faked LSAs © 2002 Sécurité.Org 23 OSPF : Security (2) » Security measures > Don’t put the interfaces that shouldn’t send or receive OSPF LSAs in your network statement or then exclude them with a passive-interface statement router ospf 1 > Log changes log-adjacency-changes network x.x.x.x passive-interface default no passive-interface xy > You can’t filter what is injected into the local area (the network statement meaning is misleading) only to other Ases - the route information is in the OSPF Database but is not pushed into the RIB (Routing Information Base) router ospf 1 distribute-list <ACL> in distribute-list <ACL> out © 2002 Sécurité.Org 24 ISIS : Protocol description (1) » IS-IS (Intermediate System to Intermediate System) > Comes from the OSI world (routed OSI procotols) > Doesn’t run on top of IP but directly over the data link > Encodes the packets in TLV (Type-Length-Value) format > Uses hierarchy levels/addressing (L1/L2) and flooding - L1 routing means routing in the same area - L2 routing means between areas L1/L2 Router L1 Router Area 1 L1/L2 Router L2 Router L1 Router Area 2 L2 Router Area 3 © 2002 Sécurité.Org 25 ISIS : Protocol description (2) » IS-IS (Intermediate System to Intermediate System) > Floods LSPs (Link State PDUs) - Nothing do to with MPLS’ LSP (Label Switch Path) > Contrary to OSPF DR/BDRs a new IS-IS DIS (Designated IS) with higher priority will take precedence (preempt) and all the routers maintain adjacencies with all the routers in the area (separate L1 and L2 adjacencies on same LAN) > A lot of Service Providers are moving from OSPF to ISIS (usually in relation with MPLS/Traffic Engineering deployment) © 2002 Sécurité.Org 26 ISIS : Attacks and security » Attacks > Similar to OSPF attacks but more complex to inject data because of non-IP protocol > Possible to use the “Overload Bit” to have transit traffic not sent over a “overloaded” router and thus try to redirect it » Security measures > Log changes > Use authentication at - the interface level - the area level - the domain level interface xy isis password <password> level-<z> router isis log-adjacency-changes domain-password <password> area-password <password> > HMAC-MD5 support (TLV 54) © 2002 Sécurité.Org 27 DDoS detection (1) » Netflow > Accounting data (AS, IP flows, protocols, etc) > Send in clear text over the network (UDP) to a gatherer > Only counts outgoing traffic on the interface > Needs CEF (Cisco Express Forwarding) or dCEF - Requires IOS 12.x and uses ~30MB of memory - With CEF activated Netflow will only do accounting - Without CEF the router will do netflow switching > How to export the data ip flow-export version 5 origin-as ip flow-export destination x.x.x.x interface xy ip route-cache flow > How to view the data : sh ip cache flow © 2002 Sécurité.Org 28 DDoS detection (2) » (Un)usual traffic distribution per protocol > TCP > UDP > ICMP > IGMP : : : : ~90 % (HTTP, FTP, SMTP and P2P tools) ~10 % (DNS, SNMP, streaming) <1 % <1 % > Mostly <x> bytes packets > RRDtool and Netflow can be used to graph trends, detect changes and anomalies Source : Flowscan from UW-Madison (http://wwwstats.net.wisc.edu/) © 2002 Sécurité.Org 29 DDoS detection (3) » Netflow data on Multi-Layer Switches > Netflow-based MLS flow-mode is “destination-only” no source address is cached) > Enable “full-flow” mode (performance impact on SE1) ! MLS in hybrid mode set mls flow full ! MLS in native mode mls flow ip full > Display the entries ! MLS in hybrid mode show mls entry ! MLS in native mode show mls ip > Poor man’s netflow : ntop ? © 2002 Sécurité.Org 30 DDoS prevention (1) » Unicast RPF (Reverse-Path Forwarding) > Mode - Strict : IP packets are checked to ensure that the route back to the source uses the same interface - Loose check: allowed if the prefix exists in the FIB > Only the best path (if no multi-path or equal cost paths) is in the FIB > Asymmetric routes are supported (really :-) > Check the BGP weight if you use strict mode in a multi-homed configuration © 2002 Sécurité.Org 31 DDoS prevention (2) » Unicast RPF (Reverse-Path Forwarding) > Strict (you can use an ACL for exceptions or for logs) ip cef [distributed] interface xy ip verify unicast reverse-path [allow-self-ping] [acl] > “Loose check” ip verify unicast source reachable-via any © 2002 Sécurité.Org 32 DDoS prevention (3) » ICMP, UDP, TCP SYN rate-limiting interface xy rate-limit input access-group 100 8000 8000 8000 \ conform-action transmit exceed-action drop rate-limit output access-group 100 8000 8000 8000 \ conform-action transmit exceed-action drop <…> access-list 100 deny tcp any host x.x.x.x established access-list 100 permit tcp any host x.x.x.x access-list 101 permit icmp any any echo access-list 101 permit icmp any any echo-reply > UDP rate-limiting can be a problem if your customer is a streaming company © 2002 Sécurité.Org 33 DDoS prevention (4) » TCP Intercept > Can do as much good as bad > If enabled : process switching and not “full” CEF anymore > The “destination” host must send a RST (no silent drops) or you’ll DoS yourself > Same is true if you use “blackholed” routes (route to Null0) ip ip ip ip ip tcp tcp tcp tcp tcp intercept intercept intercept intercept intercept list 100 connection-timeout 60 watch-timeout 10 one-minute low 1500 one-minute high 6000 access-list 100 permit tcp any x.x.x.0 0.0.0.255 © 2002 Sécurité.Org 34 DDoS prevention (5) » Advanced ICMP filtering > Only let the “mission critical” ICMP messages in and out interface xy ip access-group 100 in access-list 100 deny icmp any any fragments access-list 100 permit icmp any any echo access-list 100 permit icmp any any echo-reply access-list 100 permit icmp any any packet-too-big access-list 100 permit icmp any any source-quench access-list 100 permit icmp any any time-exceeded access-list 100 deny icmp any any access-list 100 permit ip any any > ICMP filtering is a source of dispute (unreachables, parameter-problem, etc) > ICMP is not just “ping”, you can break a lot of things (Path MTU Discovery for example) > YMMV. © 2002 Sécurité.Org 35 DDoS prevention (6) » Advanced technique 1 (1/2) : BGP/Null0 > Pick an IP address from TEST-NET and add a static route to Null0 for it (on all your routers) > Have a “master” BGP router set the next-hop for the source network you want to “drop” to the selected IP > Have BGP redistribute it to the routers in your AS only and uRPF will drop it (at the LC level, not on the RP) router bgp <AS> network <sourceOfDDOS> mask <netmask> route-map ddos-nh route-map ddos-nh set ip next-hop <TEST-NETIPaddr> ip route <TEST-NET> 255.255.255.0 Null0 > Do not redistribute it to your peers : use a private AS or a “no-export” community © 2002 Sécurité.Org 36 DDoS prevention (7) » Advanced technique 1 (2/2) : BGP/Null0 NOC iBGP sessions Master BGP router (set the next-hop for the DDoS sources to 192..0.2.10) Route reflectors Propagate the new next-hop Core/Access Routers (route 192.0.2.10 to Null0) Internet or Customers © 2002 Sécurité.Org 37 DDoS prevention (8) » Advanced technique 2 (1/2) : BGP/CAR/FIB > Set a special community for the network you want to ratelimit on your “master” BGP router and send this community to your iBGP peers router bgp <AS> network <destOfDDOS> mask <netmask> neighbor x.x.x.x route-map ddos-rl out neighbor x.x.x.x send community access-list 10 permit <destOfDDOS> route-map ddos-rl match ip address 10 set community <AS>:66 no-export ip route <destOfDDOS> 255.255.255.0 Null0 © 2002 Sécurité.Org 38 DDoS prevention (9) » Advanced technique 2 (2/2) : BGP/CAR/FIB > On the routers change the QoSID entry in the FIB based on this special community > Use the QoSID entry of the FIB to rate-limit router bgp <AS> table-map ddos-rl ip community list 1 permit <AS>:66 route-map ddos-rl match community 1 set ip qos-group 66 interface xy bgp-policy source ip-qos-map rate-limit input qos-group 66 ... © 2002 Sécurité.Org 39 Worm detection and protection (1) » How to detect a new worm > New/unusual number of HTTP/SMTP flows and server logs » How to protect with NBAR (Network-Based Application Recognition) > Needs CEF > Available as of 12.1(5)T > Like TCP Intercept - do we need it ? > Side-effect : the TCP handshake is already done but the server never receives the HTTP GET request > Performance impact : ~20% CPU © 2002 Sécurité.Org 40 Worm detection and protection (2) » NBAR Restrictions and limitations > Supports up to 24 concurrent URLs, hosts or MIME types matches > Can’t match beyond the first 400 bytes in a URL > Can’t deal with fragmented packets > HTTPS traffic (that’s normal ;-) > Packets originating from/sent to the router (you can’t protect the local HTTP server) > Doesn’t support Unicode (UTF-8/%u) » Tune the scheduler and the timeout ip nbar resources 600 1000 50 scheduler allocate 30000 2000 © 2002 Sécurité.Org 41 DDoS/worm research/future (1) » ICMP Traceback (itrace) » » > Each router sends, with a low probability, a message to the destination of a packet it forwarded with information about the previous and next hop and part of the payload > Only “works” for larger (D)DoS attacks IP Traceback > Traceback information is stored in the ip.id field by the “IPT” routers on the packet’s path > Probability to catch smaller attacks is better than with itrace MULTOPS (Multi-Level Tree for Online Packet Statistics) > A local data structure on each router stores data about current flows and is analyzed to detect/respond to attacks © 2002 Sécurité.Org 42 DDoS/worm research/future (2) » SPIE (Source Path Isolation Engine) » » » > The router stores temporary a hash about each packet it forwards and authorized routers can query this information Pushback > Router send rate-limit requests for certain networks if they detect attacks (based on traffic characteristics) IDIP (Intruder Detection and Isolation Protocol) > Protocols and framework used to correlate information, detect and respond to intrusions HIP (Host Identity Payload/Protocol) > New name space (next to IP/DNS) with IKE like functionalities and public key based authentication for hosts © 2002 Sécurité.Org 43 DDoS/worm research/future (3) » CenterTrack > Secondary network used to carry “interesting” packets detected by routers for analysis » Limitations > CPU and memory needs on routers > Fundamental changes (infrastructure, deployment, operations, etc) > IP address spoofing and traceback are the key issues © 2002 Sécurité.Org 44 DDoS/worm research/future (4) » Worse to come > A lot of research has been done but nothing has been published/disclosed : “risks are too high” > Most of the worms we’ve seen were quite gentle > Will the next worm affect IIS/Outlook users again ? > What are the effects on the Internet stability ? » What are the trends ? > Routers are used as source > Attacks are more complex and agents are becoming more intelligent > Temporary “use” of non allocated blocks © 2002 Sécurité.Org 45 MPLS (1) » MultiProtocol Label Switching > MPLS label added to the IP packet to identify the VPN > Each router (LSR) on the path (LSP) has a local table (LIB) > The label only has a “local” meaning and is/may be changed on each hop Backup LSP Primary LSP (Label Switch Path) Router Customer Edge Router Provider Edge MPLS Core Label Switch Routers © 2002 Sécurité.Org 46 MPLS (2) » MultiProtocol Label Switching > Virtual Circuits, not encrypted/authenticated VPNs > “Equivalent” to a layer 2 VPN (ATM/FR) - the security is often provided by hiding the MPLS core structure/cloud from customers by using filtering or nonrouted address space (think security by obscurity) - as a customer you have to trust the MPLS core > IPsec can be used to secure the traffic > VPN partitioning done at routing layer > “One routing table per VPN” on each PE router - separate Virtual Routing and Forwarding instance (VRF) - or extended Route Distinguisher (RD) > Current trend in SP networks : deploy MPLS+ISIS w/ Wide Metrics+TE for subsecond convergence and traffic rerouting © 2002 Sécurité.Org 47 MPLS (3) » Attacks > Labeled packets injection : - locked by default on all interfaces (Customer Edge Router) - easy if access to the MPLS routers > Inject data in the signaling protocols ((MP-)BGP and IGPs) to modify the VPN topology : IPv4-RRs and VPNv4-RRs (Route Reflectors) > Even a higher risk when the same router is shared for Internet access and a MPLS L2VPN © 2002 Sécurité.Org 48 MPLS (4) » Attacks > Use new functionality like FRR (MPLS Fast ReRoute) - RSVP (No Route) Path Error message : allows sniffing by redirecting traffic over a router that is under control and part of the MPLS core . a new LSP is signaled . the adjacency table is updated for the tunnel interface . a LSR receiving a marked packet with label x will accept it on any interface and switch it out fake/spoofed IGP LSP/LSA or RSVP Path Error message Label In Label Out Interface Out old Path 3 17 POS7/0 new Path 3 8 POS7/1 © 2002 Sécurité.Org MPLS Core 49 MPLS (5) » Security measures > Good configuration of all routers (CE, PE, P, MPLS Core) - ACLs Static and dynamic routing VRFs etc. > The “MPLS network” should start on the PE router, not the CE > Difficult to gather MPLS information from the routers > Use IPsec (without anonymous key exchanges ;-) © 2002 Sécurité.Org 50 IPv6 » IPv6 > Basically no new risks/big changes > “Native” IPsec support > Higher risks during the transition phase from IPv4 to IPv6 ? > Protocols used to interconnect IPv4 to IPv4 islands over IPv6 (and vice versa) - GRE - MPLS > MAC address can be part of the IP address © 2002 Sécurité.Org 51 Publications » Publications > Inferring Internet DoS Activity (Caida) > A Snapshot of Global Worm Activity (Arbor) > Shining Light on Dark Internet Address Space (Arbor) > How to 0wn the Internet in Your Spare Time (Staniford/Paxson) > Global Routing Instabilities during Code Red II and Nimda Worm Propagation (Renesys) > Trends in Denial of Service Attack Technology (CERT) > ... © 2002 Sécurité.Org 52 That’s all folks :-) » Latest version of this document & presentation including tips/commands to secure routers (IOS) and switches (Cat(I)OS) < http://www.securite.org/presentations/secip/ > » Questions ? Image: http://www.inforamp.net/~dredge/funkycomputercrowd.html © 2002 Sécurité.Org 53