Christoph Dietzel
DE-CIX
Secure Interconnection as
a Fundament of a Digital ECO System
"Security exists to facilitate trust. Trust is the goal, and security is how we enable it."
Bruce Schneier
Abuse Management
Blackholing Dashboard
New Looking Glass
IXPs are a Perfect Place for Hijackers
BGP sessions at IXPs are often not well filtered
(bilateral sessions as well as route server sessions)
This makes nasty BGP tricks easy:
• IP hijacks (e.g. announcing IP space that its holder does not announce)
• Combined ASN + IP hijacks (e.g. originating from an ASN that nobody operates)
• Hiding hijacked resources behind an upstream network, pretending that the spammer is just a clueless or bad customer of a customer
[Figure: IXP route server receiving the announcements "1.2.3.4/16" and "8.8.8.0/24"; AS15159]
Hijacker’s Activities Are Hard to Detect
[Figure: the same announcements ("1.2.3.4/16", "8.8.8.0/24", AS15159) at the IXP route server, now with the upstream and the global routing table]
Routes learned over peering are not propagated to upstream providers.
The hijacker's announcements therefore never show up in the global routing table.
Detection tools (e.g. RIPE RIS, BGPmon and Qrator) consequently find it hard, if not impossible, to detect such ASN + IP hijacks.
DE-CIX cares about Data Quality at its IXPs
• We are an IXP operator with clear rules in our contracts:
• Layer 2
• Layer 3 (mainly BGP)
• Violations of these rules might lead to prosecution; we care about (BGP) data quality
• We want to make sure IXPs are a stable and reliable place for exchanging traffic
Abuse management at DE-CIX
• Defined contact person and guaranteed discretion → solicit feedback from customers
• Redefine the abuse process
• Blacklist of expelled networks (applied during the sales process)
ASN / IP hijacks
Faster innovation? Market? → Beta
DE-CIX Beta Services
Disclaimer
• No 24/7 support
• SLAs do not apply
• Decommissioning possible at any time
• Beta services: all strings attached
Benefits
• Better feedback loop
• Free of charge
• Platform for smaller features/services
• Custom adaptations possible
New Looking Glass Service (Beta)
• Shows filtered routes
• Shows the reasons for filtering
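The tricks listed under "IXPs are a Perfect Place for Hijackers" are exactly what a route server's import filter has to catch, and the looking glass above exists to show which routes that filter dropped and why. The following is an added example written for this page, not DE-CIX route-server code and not from the slides: a small Python import filter that returns, per route, the list of reasons it was rejected, which is the data such a looking glass would display. The peers, routes, bogon list and the ROA-like authorisation table are constructed, and the policy of rejecting a prefix that no ROA/route object covers (the "not announced IP space" case) is an assumption of the example, not a statement about DE-CIX policy.

```python
"""Route-server style import filter that records why each route is rejected,
the information a looking glass that 'shows filtered routes and the reasons'
would expose. Added illustration, not DE-CIX route-server code: the peers,
routes and the ROA-like authorisation table below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # left-most AS is the peer that sent the route, right-most the origin
    next_hop: str


@dataclass(frozen=True)
class Peer:
    asn: int
    ixp_ips: frozenset  # the peer's IPv4/IPv6 addresses on the peering LAN
    cone: frozenset     # origin ASes the peer has declared (expansion of its AS-SET)


# Constructed stand-in for RPKI ROAs / IRR route objects: (prefix, max length, origin AS).
# Policy assumed in this example: a prefix covered by no entry is unauthorised space.
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/22", 24, 64501)]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "fc00::/7", "fe80::/10")]


def origin_state(prefix, origin):
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if roa_as == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "notfound"


def filter_route(route, peer):
    """Return the reasons the route is filtered; an empty list means it is accepted."""
    reasons = []
    net = ipaddress.ip_network(route.prefix)
    if net.prefixlen > (24 if net.version == 4 else 48):
        reasons.append("prefix more specific than /24 (IPv4) or /48 (IPv6)")
    if any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
        reasons.append("bogon prefix")
    if not route.as_path or route.as_path[0] != peer.asn:
        reasons.append(f"AS path does not start with peer AS{peer.asn}")
    if route.next_hop not in peer.ixp_ips:
        reasons.append("next hop is not the peer's address on the peering LAN")
    origin = route.as_path[-1] if route.as_path else None
    if origin is not None and origin not in peer.cone:
        reasons.append(f"origin AS{origin} not in peer's declared customer cone")
    state = origin_state(route.prefix, origin)
    if state == "invalid":
        reasons.append(f"origin AS{origin} not authorised for {route.prefix} (RPKI invalid)")
    elif state == "notfound":
        reasons.append(f"no ROA/route object covers {route.prefix}")
    return reasons


# Constructed sample: a well-behaved peer and one trying the tricks from the slide.
PEER_A = Peer(64500, frozenset({"203.0.113.10", "2001:db8:ffff::10"}), frozenset({64500}))
PEER_B = Peer(64502, frozenset({"203.0.113.20", "2001:db8:ffff::20"}), frozenset({64502, 64599}))
R_OK = Route("192.0.2.0/24", (64500,), "203.0.113.10")
# ASN + IP hijack hidden behind an upstream: AS64599 is listed in B's cone as a
# "customer of a customer", but the prefix is authorised for AS64501 only.
R_ASN_IP_HIJACK = Route("198.51.100.0/24", (64502, 64599), "203.0.113.20")
# IP hijack of space that nobody has registered or announced.
R_UNANNOUNCED = Route("2001:db8:1::/48", (64502,), "2001:db8:ffff::20")
# B sends a path that pretends the route came straight from AS64500.
R_PATH_SPOOF = Route("192.0.2.0/24", (64500,), "203.0.113.20")

if __name__ == "__main__":
    for name, route, peer in [("ok", R_OK, PEER_A), ("asn+ip hijack", R_ASN_IP_HIJACK, PEER_B),
                              ("unannounced", R_UNANNOUNCED, PEER_B), ("path spoof", R_PATH_SPOOF, PEER_B)]:
        print(name, route.prefix, f"via AS{peer.asn}:", filter_route(route, peer) or "accepted")
```

The cone check alone does not stop the "customer of a customer" trick, since the hijacker's upstream simply adds the bogus ASN to its AS-SET; only the comparison against an independent authorisation source (ROA or route object) catches the ASN + IP hijack, which is why the filter records every failed check rather than stopping at the first one.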
Blackholing
• Filtering based on destination IP prefix
• Limited visibility – all traffic to the prefix is dropped
• Simple but very effective
Blackholing Insights
• Statistics of your blackholed data
• Custom visualisations
• Identify the end of an attack
• Notifications and alerts
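What "statistics of your blackholed data" and "identify the end of an attack" amount to in code is shown by the following added example (not DE-CIX code, and not taken from the slides): flow records are matched against the currently blackholed prefixes, aggregated per prefix and time bin, and the attack is declared over once the absorbed volume stays below a floor for several consecutive bins. The flow records, the blackholed prefixes and the thresholds are constructed; a real dashboard would read the flows from its IPFIX/sFlow feed and make the thresholds configurable.

```python
"""Blackholing insights from flow data: how much traffic each blackhole route is
absorbing per time bin, when the attack started, how hard it peaked and when it
ended. Added illustration, not DE-CIX code; the flows below are constructed and
the thresholds are assumptions a real dashboard would make configurable."""
import ipaddress
from collections import defaultdict

BIN_SECONDS = 60         # aggregation interval
FLOOR_BYTES = 1_000_000  # per-bin volume below which the prefix counts as quiet
QUIET_BINS = 3           # consecutive quiet bins before the attack is declared over


def blackholed_bytes(flows, blackholes, bin_seconds=BIN_SECONDS):
    """Map each blackholed prefix to {bin start: bytes} for flows destined to it.

    flows: iterable of (unix timestamp, destination IP, bytes) taken from flow export.
    blackholes: prefixes currently announced for blackholing (usually /32 or /128).
    """
    nets = sorted((ipaddress.ip_network(p) for p in blackholes), key=lambda n: -n.prefixlen)
    series = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in flows:
        addr = ipaddress.ip_address(dst)
        for net in nets:                      # most specific blackhole wins
            if addr.version == net.version and addr in net:
                series[str(net)][ts - ts % bin_seconds] += nbytes
                break
    return {p: dict(bins) for p, bins in series.items()}


def attack_ended(bins, now, bin_seconds=BIN_SECONDS, floor=FLOOR_BYTES, quiet_bins=QUIET_BINS):
    """Return the start of the first run of quiet_bins bins below floor (bins with
    no flows count as quiet), or None if the attack is still ongoing at `now`."""
    if not bins:
        return None
    quiet = 0
    for ts in range(min(bins), now - now % bin_seconds + bin_seconds, bin_seconds):
        if bins.get(ts, 0) < floor:
            quiet += 1
            if quiet == quiet_bins:
                return ts - (quiet_bins - 1) * bin_seconds
        else:
            quiet = 0
    return None


def summarise(bins, now, bin_seconds=BIN_SECONDS, floor=FLOOR_BYTES):
    """Figures a dashboard would show for one blackholed prefix, plus an alert text."""
    start = min((ts for ts, b in bins.items() if b >= floor), default=None)
    peak_bps = max(bins.values(), default=0) * 8 / bin_seconds
    end = attack_ended(bins, now, bin_seconds, floor)
    alert = ("attack over, blackhole can be withdrawn" if end is not None
             else "attack ongoing" if start is not None else "no attack traffic seen")
    return {"start": start, "end": end, "peak_bps": peak_bps,
            "total_bytes": sum(bins.values()), "alert": alert}


# Constructed sample: five minutes of ~1.3 Gbit/s towards 192.0.2.7 (two flows per
# minute), then a trickle for two minutes, then silence; one flow is not blackholed.
BLACKHOLES = ["192.0.2.7/32", "2001:db8::1/128"]
SAMPLE_FLOWS = (
    [(m * 60 + 5, "192.0.2.7", 5_000_000_000) for m in range(5)]
    + [(m * 60 + 35, "192.0.2.7", 5_000_000_000) for m in range(5)]
    + [(310, "192.0.2.7", 10_000), (370, "192.0.2.7", 10_000)]
    + [(100, "198.51.100.9", 5_000_000)]      # not blackholed, must be ignored
)

if __name__ == "__main__":
    for prefix, bins in blackholed_bytes(SAMPLE_FLOWS, BLACKHOLES).items():
        print(prefix, summarise(bins, now=600))
```

Empty bins are deliberately counted as quiet: once the attack stops, no flow records arrive for the prefix at all, so a detector that only looks at bins that have data would never fire.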
Flow Demultiplexer
[Figure: flow demultiplexer diagram; label "Upstream"]
More insight into the traffic exchanged
• Demultiplexer for the IPFIX stream, based on the open source tool Vermont [1]
• Patch for L2 MAC address filtering
• Config generator and automation tools
• One IPFIX stream for each "Access"
[1] https://www.net.in.tum.de/research/software/#vermont
DE-CIX Beta: Flow data for Customers
How would you "collect" the IPFIX stream?
- Server behind your router
- System provided by the equipment vendor
- …
Thank You for Your attention!
DE-CIX Management GmbH | Lindleystr. 12 | 60314 Frankfurt | Germany
Phone + 49 69 1730 902 0 | [email protected] | www.de-cix.net