BGP Security, Just Add Peers!
or, No one likes to say “ouch” at 3 AM!
Rob Thomas robt@cymru.com
08 May 2002
http://www.cymru.com/~robt

Thrill as Rob Babbles About…
• The security problem.
• The template approach.
• Resources.

The Security Problem
“I try to say ‘Internet Security’ with a straight face!”
• Internet Security is all about the other guy.
• 1.2Gbps from 1.3.3.7
• “heh ill trade 4 ccs for 1 cisco”
• 17683 and 31920
• “Oh, please, they’re not smart enough to do that.”

The Security Problem
“i dont have to pax0r u”
(After “discovering” route-views.oregon-ix.net)
    <A> heh if I take out ur route
    <A> i dont have to pax0r u lol
    <B> LOL!
Think they didn’t visit www.cisco.com after this “discovery?”

The Security Problem
BGP as collateral damage
• bang.c and friends.
• Attacks from TCP 179
  • 346719
• Attacks on routers.
    <A> wat did u hit
    <B> his router
    <B> if u hit his router and not him
    <B> he stays down longer

The Security Problem
And in the ether bind them…
• Three things run the Internet:
  • BGP
  • DNS
  • Caffeine
Protect them all!

The Template Approach
One size never fits all!
• First, know your topology and business requirements.
• Second, know how to validate that your topology exists and is meeting your business requirements.
• Modify to suit.
• Wash, rinse, repeat.

The Template Approach
Global configuration.
• no bgp fast-external-fallover
  • Tolerance is a virtue.
• bgp log-neighbor-changes
  • Because it’s always the other guy’s fault! ;)
• bgp dampening …
  • Does your upstream do this already?
  • See the RIPE recommendations.

The Template Approach
Neighbor configuration, part one.
• neighbor 1.1.1.1 soft-reconfiguration inbound
  • Do you have memory to burn?
• neighbor 1.1.1.1 description …
  • NOC numbers.
  • Circuit IDs or interface labels.
  • Documentation hurts, but in a good way.
• neighbor 1.1.1.1 password …
  • The simple things work, folks.

The Template Approach
Neighbor configuration, part two.
• neighbor 1.1.1.1 prefix-list bogons in
  • Don’t accept garbage.
  • Don’t accept unauthorized prefixes (edge).
• neighbor 1.1.1.1 prefix-list announce out
  • Announce only what has been allocated to you.
  • “Wow, both pipes are full!”

The Template Approach
Neighbor configuration, part three.
• neighbor 1.1.1.1 maximum-prefix …
  • Currently running at about 111K prefixes based on my five peers.
  • Can run this in advisory mode:
    neighbor 1.1.1.1 maximum-prefix 200000 warning-only

The Template Approach
It looks like this:

    neighbor 1.1.1.1 remote-as 222
    neighbor 1.1.1.1 description eBGP with ISP222
    neighbor 1.1.1.1 soft-reconfiguration inbound
    neighbor 1.1.1.1 password bgpwith222
    neighbor 1.1.1.1 version 4
    neighbor 1.1.1.1 prefix-list bogons in
    neighbor 1.1.1.1 prefix-list announce out
    neighbor 1.1.1.1 maximum-prefix 175000

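One way to validate that every configured neighbor actually carries the template's statements, as an added example that is not part of the original slides. The second neighbor (2.2.2.2, AS 333) and the choice of which statements count as required are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Per-neighbor statements from the template slide that this check requires.
REQUIRED = {
    "description": r"description\s+\S",
    "password": r"password\s+\S",
    "prefix-list in": r"prefix-list\s+\S+\s+in\b",
    "prefix-list out": r"prefix-list\s+\S+\s+out\b",
    "maximum-prefix": r"maximum-prefix\s+\d+",
}
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(.*)$")

def audit(config_text):
    """Return {neighbor: [findings]} for every neighbor in config_text."""
    statements = defaultdict(list)
    for line in config_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            statements[m.group(1)].append(m.group(2).strip())
    report = {}
    for peer, stmts in statements.items():
        findings = [f"missing {name}" for name, rx in REQUIRED.items()
                    if not any(re.match(rx, s) for s in stmts)]
        # warning-only is the advisory mode from the slides: it warns, nothing more
        if any(re.match(r"maximum-prefix\s+\d+.*\bwarning-only\b", s) for s in stmts):
            findings.append("maximum-prefix is warning-only (advisory)")
        report[peer] = findings
    return report

# The slide's neighbor plus a constructed, under-configured second neighbor.
SAMPLE = """\
neighbor 1.1.1.1 remote-as 222
neighbor 1.1.1.1 description eBGP with ISP222
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 1.1.1.1 password bgpwith222
neighbor 1.1.1.1 version 4
neighbor 1.1.1.1 prefix-list bogons in
neighbor 1.1.1.1 prefix-list announce out
neighbor 1.1.1.1 maximum-prefix 175000
neighbor 2.2.2.2 remote-as 333
neighbor 2.2.2.2 prefix-list bogons in
neighbor 2.2.2.2 maximum-prefix 200000 warning-only
"""

if __name__ == "__main__":
    for peer, findings in audit(SAMPLE).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```
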
The Template Approach
Filtering with prefix-lists.
• At a minimum, inbound filtering should be configured to block all of the obvious bogons, e.g. RFC1918 netblocks.
• I filter all unallocated and bogon netblocks. Change log:
  • June 2001, October 2001, December 2001.
• If you are at the edge, announce only what you have been allocated! Be wary of providers that accept anything.

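A small model of the two prefix-lists the template names (bogons inbound, announce outbound), as an added example that is not from the original slides. It assumes each list entry matches a block and anything more specific, uses only the RFC1918 netblocks as the bogon set, and uses constructed documentation ranges in place of real allocations.

```python
import ipaddress

# RFC1918 netblocks: the minimum inbound bogon set named on the slide.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def within(prefix, blocks):
    """True if prefix equals or is more specific than one of blocks
    (assumed entry form: a block matched down to /32)."""
    net = ipaddress.ip_network(prefix)  # raises ValueError on malformed input
    return any(net.subnet_of(ipaddress.ip_network(b)) for b in blocks)

def inbound(prefix, bogons=RFC1918):
    """Model 'prefix-list bogons in': deny anything inside a bogon block."""
    return "deny" if within(prefix, bogons) else "permit"

def outbound(prefix, allocated):
    """Model 'prefix-list announce out': permit only space allocated to us."""
    return "permit" if within(prefix, allocated) else "deny"

def evaluate(received, announced, allocated):
    """Return (inbound verdicts, outbound verdicts) as two dicts."""
    return ({p: inbound(p) for p in received},
            {p: outbound(p, allocated) for p in announced})

# Constructed sample data; documentation ranges stand in for real allocations.
ALLOCATED = ("198.51.100.0/24",)
RECEIVED = ("10.1.2.0/24", "172.20.0.0/16", "172.32.0.0/16",
            "192.168.0.0/16", "203.0.113.0/24")
ANNOUNCED = ("198.51.100.0/24", "198.51.100.128/25",
             "192.0.2.0/24", "10.0.0.0/8")

if __name__ == "__main__":
    rx, tx = evaluate(RECEIVED, ANNOUNCED, ALLOCATED)
    for prefix, verdict in rx.items():
        print("in ", prefix, verdict)
    for prefix, verdict in tx.items():
        print("out", prefix, verdict)
```
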
The Template Approach
Filtering BGP.
• Only your peers should be able to reach TCP 179. Remember bang.c!
• “I had to set them straight, ayup.”

    access-list 185 permit tcp host 1.1.1.1 host 1.1.1.2 eq bgp
    access-list 185 permit tcp host 1.1.1.1 eq bgp host 1.1.1.2
    access-list 185 deny tcp any any eq bgp log-input

Resources
• “Trends in Denial of Service Attack Technology,” with the CERT/CC, http://www.cert.org/archive/pdf/DoS_trends.pdf
• “Managing the Threat of Denial-of-Service Attacks,” with the CERT/CC, http://www.cert.org/archive/pdf/Managing_DoS.pdf
• Dave Dittrich’s DDoS page, http://staff.washington.edu/dittrich/misc/ddos/

Resources
• “Cisco ISP Essentials,” Cisco Systems, http://www.cisco.com/public/cons/isp/essentials/
• NANOG, http://www.nanog.org
• RIR mailing lists for ARIN, APNIC, RIPE
  • http://www.arin.net
  • http://www.apnic.net
  • http://www.ripe.net
• Philip Smith’s Routing Table Report
  • bgp-stats-request@lists.apnic.net

Resources
(and shameless self promotion)
• http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
• http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html
• http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
IOS and BGP templates have been ported to Juniper by Steve Gill.

Resources
• You and the persons next to you!
• I’m always questing for ideas and feedback. Be the first in your ASN to join my Credits section.

Thank you for your time!