Detecting Hijacks and Leaks
BGP Series Part 3: Detecting Hijacks and Leaks Young Xu, Product Marketing Analyst
BGP Webinar Series
• How BGP Works (May 5th 2016): Intro to Autonomous Systems, the BGP protocol and how routes are advertised and learned
• Monitoring Route Changes (May 24th 2016): Explore data from routing change events and learn how to detect BGP changes with alerts
• Detecting Hijacks & Leaks (June 16th 2016): How to visualize, diagnose and set alerts to detect BGP hijacks and leaks
• Optimizing AS Paths (July 28th 2016): Tips and tricks for using routing data to improve how traffic flows into or out of your network
About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises
• Recognized as an innovative new approach
• 27 Fortune 500 companies; 5 of the top 5 SaaS companies; 4 of the top 6 US banks
BGP: Built on Trust
• BGP wasn’t designed with security built into it
  – Advertisements are generally trusted among ISPs
• The Internet is vulnerable to propagating incorrect routes
  – Route leak: Propagation of illegitimate route advertisements, usually by mistake, leading to incorrect or suboptimal routing
  – Route hijack: Malicious equivalent of a route leak
• A leak is more prone to propagation when the leaked path is preferred over the legitimate one
  – A more specific prefix is advertised
  – The advertised path is shorter than the current path
Route Propagation (diagram)
Diagram labels: AS 16509 Amazon, AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield, AS 65021 Private, Border Router, Traffic Path
• Amazon advertises routes among BGP peers to upstream ISPs
• Amazon advertises prefix 54.239.16.0/20
• Econet receives route advertisements to Amazon via Hurricane Electric
AWS Route Leak, April 2016 (diagram)
Diagram labels: AS 16509 Amazon, AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield, AS 65021 Private, Traffic Path
• Innofield leaks routes for more specific /21 prefixes, directing traffic to private AS 65021
• Hurricane Electric accepts the routes and now directs Amazon-destined traffic to Innofield
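Added example (not code from the webinar or from ThousandEyes) showing why the leak on this slide, and the "more specific prefix" and "shorter AS path" conditions from the BGP: Built on Trust slide, lead to the leaked path being preferred: forwarding uses longest-prefix match before AS-path length is even considered. The routes are constructed from Econet's point of view; AS 64512 and 64513 are private-range placeholders for an additional upstream.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "54.239.16.0/20"
    as_path: tuple    # leftmost = neighbour that sent it, rightmost = origin AS


def best_route_per_prefix(routes):
    """For each prefix keep the route with the shortest AS path. Real BGP has
    more tie-breakers (local pref, MED, ...); path length is enough here."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or len(r.as_path) < len(cur.as_path):
            best[r.prefix] = r
    return best


def lookup(rib, dst_ip):
    """Forwarding lookup: longest-prefix match over the selected routes. Prefix
    length beats AS-path length, so a leaked more-specific captures traffic."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in rib.values() if ip in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def origin_as(route):
    return route.as_path[-1]


# Constructed routes as Econet (AS 30844) might see them during the leak on
# this slide; AS 64512/64513 are private-range placeholders for another upstream.
AMAZON, HE, INNOFIELD, PRIVATE = 16509, 6939, 200759, 65021
ROUTES = [
    Route("54.239.16.0/20", (HE, AMAZON)),              # legitimate, via HE
    Route("54.239.16.0/20", (64512, 64513, AMAZON)),    # legitimate, longer path
    Route("54.239.16.0/21", (HE, INNOFIELD, PRIVATE)),  # leaked more-specific
    Route("54.239.24.0/21", (HE, INNOFIELD, PRIVATE)),  # leaked more-specific
]

if __name__ == "__main__":
    rib = best_route_per_prefix(ROUTES)
    for dst in ("54.239.20.5", "54.239.31.7"):
        r = lookup(rib, dst)
        print(dst, "->", r.prefix, "via", r.as_path,
              "LEAK" if origin_as(r) != AMAZON else "ok")
```

Within the /20 the shorter path via Hurricane Electric wins, but every address inside the two leaked /21s is forwarded toward AS 65021 regardless of the longer path.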
Why Leaks and Hijacks Happen
• Leaks result from human error or misconfigurations
  – Improper route filtering, mismanaged routing policies
    • Misuse of NO-EXPORT community
    • Misconfigured route optimizers
• Route hijacks are intentional and malicious
  – Deny service (e.g. targeted attack, censorship)
  – Inspect traffic (see man-in-the-middle attacks)
    • Traffic interception and impersonation
    • Corporate or state espionage
    • Steal cryptocurrency
  – IP squatting and spamming
Alerting for Leaks and Hijacks

Alert Rule                Parameter
Origin ASN not in         Your own or hosting provider’s ASN
Next Hop ASN not in       Upstream ISPs’ ASNs
Covered Prefix            Exists
Covered Prefix not in     Your expected sub-prefixes
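Added example, not ThousandEyes' alerting code: the four rules in this table evaluated over constructed route observations. The policy values are placeholders (a documentation prefix, ASNs from the documentation and private ranges), and "next hop ASN" is taken as the AS adjacent to the origin in the path, i.e. the upstream that received the announcement.

```python
import ipaddress

# Constructed policy for a hypothetical network, mirroring the table's four
# rules. Not ThousandEyes' configuration format; ASNs are placeholders from
# the documentation/private ranges and the prefix is a documentation prefix.
POLICY = {
    "prefix": "203.0.113.0/24",
    "origin_asns": {64500, 64501},               # your own and hosting provider's ASN
    "upstream_asns": {64510, 64511},             # your upstream ISPs' ASNs
    "expected_subprefixes": {"203.0.113.0/25"},  # sub-prefixes you announce yourself
}


def check_route(policy, route):
    """Return the names of the table's alert rules triggered by one observed
    route. route["as_path"] runs from the monitor's neighbour (left) to the
    origin AS (right); the next-hop ASN is the AS adjacent to the origin."""
    monitored = ipaddress.ip_network(policy["prefix"])
    seen = ipaddress.ip_network(route["prefix"])
    if not seen.subnet_of(monitored):
        return []                      # unrelated prefix, nothing to check
    path = route["as_path"]
    origin = path[-1]
    next_hop = path[-2] if len(path) > 1 else None
    alerts = []
    if origin not in policy["origin_asns"]:
        alerts.append("origin-asn")
    if next_hop is not None and next_hop not in policy["upstream_asns"]:
        alerts.append("next-hop-asn")
    if seen != monitored:              # a covered (more specific) prefix exists
        alerts.append("covered-prefix")           # strict rule: any covered prefix
        if str(seen) not in policy["expected_subprefixes"]:
            alerts.append("unexpected-covered-prefix")
    return alerts


# Constructed route observations (not real routing data).
OBSERVED = [
    {"prefix": "203.0.113.0/24",   "as_path": [64520, 64510, 64500]},  # normal
    {"prefix": "203.0.113.0/25",   "as_path": [64510, 64500]},         # own /25
    {"prefix": "203.0.113.128/25", "as_path": [64520, 64530, 64531]},  # leak
    {"prefix": "203.0.113.0/24",   "as_path": [64520, 64540]},         # hijack
]

if __name__ == "__main__":
    for r in OBSERVED:
        print(r["prefix"], r["as_path"], check_route(POLICY, r) or "no alert")
```

The own /25 trips only the strict "Covered Prefix exists" rule, which is why the table lists the whitelisted "not in your expected sub-prefixes" variant separately.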
Mitigating Route Leaks Affecting Your Prefixes
• Monitor BGP to quickly detect routing events
• Contact upstream ISPs to reject the illegitimate routes
• Announce routes preferable to the leaked route
  – More specific prefix (when the leaked prefix is bigger than /24)
  – Shorter AS path (remove any path prepending)
• Last resort: Change destination prefixes using DNS
  – Feasible if you can shift traffic to other data centers or a CDN
  – Can take time depending on the TTL of DNS records
• RPKI: Publish Route Origin Authorizations (ROAs) with your RIR
Preventing Propagation of Bad Routes
• Route filtering (based on prefix, AS path, community)
  – Bogon filtering
  – Enforce commercial relationships
    • Block advertisements for peer paths from customers
    • “Peerlocking”: Don’t allow intermediate networks between peers
  – BGP Maximum-Prefix: Max number of prefixes accepted from a peer
• Security standards: RPKI, RPSL, BGPSEC
• Prevent hijacks by blocking illegitimate advertisements
  – TCP MD5: Uses a secret key to compute a hash over the TCP header
  – GTSM: Peer sets TTL to the maximum of 255 (an attacker more than 1 hop away can’t impersonate the peer)
Demo
1. Covered Prefix to Spotify Leaked by Enzu
• New, more specific /23 route leaked
• Leaked by Enzu (AS18978); prefix belongs to Spotify (AS43650)
• Propagated at LAIX (AS40633)
• Seen by 4 monitors
• Visible for almost 3 hours
Impacted Traffic on the Network Layer
• Traces terminating at the edge of the Vocus network with LAIX
2. AxcelX Leak: Normal Routes
Screenshot labels: Amazon.com, NTT, Level 3, Hurricane Electric, ReTN.net
Amazon Routes Leaked by AxcelX
• New routes through Hibernia (AS 5580) and AxcelX (AS 33083)
• New Amazon AS
• No longer routed through expected ISPs
Caused Performance Impacts
• 100% loss in AxcelX
• 99% loss in Hibernia
3. Indosat Hijack of Akamai: Normal Routes
Screenshot labels: Akamai prefix, Akamai AS, Comcast upstream
Multiple Origins: Indosat Advertised Routes
Screenshot labels: Akamai prefix, Correct AS, Hijacking AS, Locations with completely hijacked routes
PCCW Had No Routes to PayPal
• Only connected to Indosat
Caused All Traffic to Drop
• Traffic transiting PCCW had no routes
See what you’re missing.
Watch the webinar:
https://www.thousandeyes.com/resources/detecting-hijacks-and-leaks-webinar