1 / 19

BGP Security, Just Add Peers!

BGP Security, Just Add Peers!. or, No one likes to say “ouch” at 3 AM! Rob Thomas robt@cymru.com 08 May 2002 http://www.cymru.com/~robt. Thrill as Rob Babbles About…. The security problem. The template approach. Resources.

yardan
Download Presentation

BGP Security, Just Add Peers!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. BGP Security, Just Add Peers! or, No one likes to say “ouch” at 3 AM! Rob Thomas robt@cymru.com 08 May 2002 http://www.cymru.com/~robt

  2. Thrill as Rob Babbles About… • The security problem. • The template approach. • Resources. Rob Thomas robt@cymru.com

  3. The Security Problem“I try to say ‘Internet Security’ with a straight face!” • Internet Security is all about the other guy. • 1.2Gbps from 1.3.3.7 • “heh ill trade 4 ccs for 1 cisco” • 17683 and 31920 • “Oh, please, they’re not smart enough to do that.” Rob Thomas robt@cymru.com

  4. The Security Problem“i dont have to pax0r u” (After “discovering” route-views.oregon-ix.net) <A> heh if I take out ur route <A> i dont have to pax0r u lol <B> LOL! Think they didn’t visit www.cisco.com after this “discovery?” Rob Thomas robt@cymru.com

  5. The Security ProblemBGP as collateral damage • bang.c and friends. • Attacks from TCP 179 • 346719 • Attacks on routers. • <A> wat did u hit • <B> his router • <B> if u hit his router and not him • <B> he stays down longer Rob Thomas robt@cymru.com

  6. The Security ProblemAnd in the ether bind them… • Three things run the Internet: • BGP • DNS • Caffeine Protect them all! Rob Thomas robt@cymru.com

  7. The Template ApproachOne size never fits all! • First, know your topology and business requirements. • Second, know how to validate that your topology exists and is meeting your business requirements. • Modify to suit. • Wash, rinse, repeat. Rob Thomas robt@cymru.com

  8. The Template ApproachGlobal configuration. • no bgp fast-external-fallover • Tolerance is a virtue. • bgp log-neighbor-changes • Because it’s always the other guy’s fault! ;) • bgp dampening … • Does your upstream do this already? • See the RIPE recommendations. Rob Thomas robt@cymru.com

  9. The Template ApproachNeighbor configuration, part one. • neighbor 1.1.1.1 soft-reconfiguration inbound • Do you have memory to burn? • neighbor 1.1.1.1 description … • NOC numbers. • Circuit IDs or interface labels. • Documentation hurts, but in a good way. • neighbor 1.1.1.1 password … • The simple things work, folks. Rob Thomas robt@cymru.com

  10. The Template ApproachNeighbor configuration, part two. • neighbor 1.1.1.1 prefix-list bogons in • Don’t accept garbage. • Don’t accept unauthorized prefixes (edge). • neighbor 1.1.1.1 prefix-list announce out • Announce only what has been allocated to you. • “Wow, both pipes are full!” Rob Thomas robt@cymru.com

  11. The Template ApproachNeighbor configuration, part three. • neighbor 1.1.1.1 maximum-prefix … • Currently running at about 111K prefixes based on my five peers. • Can run this in advisory mode: • neighbor 1.1.1.1 maximum-prefix 200000 warning-only Rob Thomas robt@cymru.com

  12. The Template ApproachIt looks like this: neighbor 1.1.1.1 remote-as 222 neighbor 1.1.1.1 description eBGP with ISP222 neighbor 1.1.1.1 soft-reconfiguration inbound neighbor 1.1.1.1 password bgpwith222 neighbor 1.1.1.1 version 4 neighbor 1.1.1.1 prefix-list bogons in neighbor 1.1.1.1 prefix-list announce out neighbor 1.1.1.1 maximum-prefix 175000 Rob Thomas robt@cymru.com

  13. The Template ApproachFiltering with prefix-lists. • At a minimum, inbound filtering should be configured to block all of the obvious bogons, e.g. RFC1918 netblocks. • I filter all unallocated and bogon netblocks. Change log: • June 2001, October 2001, December 2001. • If you are at the edge, announce only what you have been allocated! Be wary of providers that accept anything. Rob Thomas robt@cymru.com

  14. The Template ApproachFiltering BGP. • Only your peers should be able to reach TCP 179. Remember bang.c! • “I had to set them straight, ayup.” access-list 185 permit tcp host 1.1.1.1 host 1.1.1.2 eq bgp access-list 185 permit tcp host 1.1.1.1 eq bgp host 1.1.1.2 access-list 185 deny tcp any any eq bgp log-input Rob Thomas robt@cymru.com

  15. Resources • “Trends in Denial of Service Attack Technology,” with the CERT/CC, http://www.cert.org/archive/pdf/DoS_trends.pdf • “Managing the Threat of Denial-of-Service Attacks,” with the CERT/CC, http://www.cert.org/archive/pdf/Managing_DoS.pdf • Dave Dittrich’s DDoS page, http://staff.washington.edu/dittrich/misc/ddos/ Rob Thomas robt@cymru.com

  16. Resources • “Cisco ISP Essentials,” Cisco Systems, http://www.cisco.com/public/cons/isp/essentials/ • NANOG, http://www.nanog.org • RIR mailing lists for ARIN, APNIC, RIPE • http://www.arin.net • http://www.apnic.net • http://www.ripe.net • Philip Smith’s Routing Table Report • bgp-stats-request@lists.apnic.net Rob Thomas robt@cymru.com

  17. Resources(and shamless self promotion) • http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html • http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html • http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html IOS and BGP templates have been ported to Juniper by Steve Gill. Rob Thomas robt@cymru.com

  18. Resources • You and the persons next to you! • I’m always questing for ideas and feedback. Be the first in your ASN to join my Credits section.  Rob Thomas robt@cymru.com

  19. Thank you for your time! Rob Thomas robt@cymru.com

More Related