ISOC Rural SIG Cybersecurity Webinar

4:49PM Aug 2, 2020

Speakers:

Keywords: internet, bgp, routing, prefix, security, encryption, resource, important, network, invalid, leaks, dns, validation, secure, routers, implementations, origin, people, enterprise, isp

Hello, my name is Robert advantis, I am 18 years old and I live in Mexico. Today I want to share with you a breakdown I've been working on that's called future, he's done the loan. Open Source privacy respecting search engine that is self hosted here at my house and is powered by deep learning algorithms that were also developed and trained here, my house by me below I will leave a link to the GitHub repository and also to the, to the web page.

Tea and we would like to remind you that at 1500 EDT today, that is, immediately after the keynote address from Cindy Cohn, HOPE attendees are invited to take the stage for lightning talks we'll have up to five minutes and up to five slides to share knowledge and interest to other HOPE attendees.

Go to the help announcements channel on matrix just before the start of the session to get the meeting link and give your talk, no pre registration is necessary.

Now, due to an unforeseen scheduled change inside the fight for the right to repair, how tractor hacking was legalized will not be seen at this time.

Instead, we present a cybersecurity webinar from our friends at the Internet Society.

Let me talk a little bit about the Internet Society. Our goal is to have an open globally connected secure and trustworthy internet for everyone. And all these words matter. All these words, inform our daily job at the Internet Society. We want an open Internet, an internet to which you can connect to which you, which you can extend, which you can communicate on in an in an open fashion. We want to have a globally connected so that everybody can speak to everybody else who actually wants to talk to you. We want to have it secure, and we want to have a trustworthy and trustworthy it's not that it instills trust but it's actually worthy of instant trust, so it's technically solid. And we want an internet for everyone. Secure and trustworthy are the words that are relevant to the cyber security SIG special integral interest group, and an internet for everyone is, I would think, more of interest for the rural security interest group.

Sorry, special interest group, or security is on my mind a lot of sleep.

Oh, when I was thinking about these two topics. Then, the first thing that came up with cyber security is always, what does this mean. And for me, cyber security is broadly divisible in two parts. This is my own sort of way of thinking about it. To me cyber is the combination of two things, the ability to digitize our physical world around us, and perform computation on the digital information that started way back when, when IBM started to digitize business information lectures of all sorts and started to compute financial and bookkeeping type of things and automated that that went to office automation text sharing and all those type of things. And now we digitize videos we digitized, all sorts of information to, to create to compute on it, and computation could be just algorithms, it can be. Artificial Intelligence type of of algorithms. It can be anything. That's one part of cyber.

The other part of cyber to me is the internet, the network of networks that allow you to share the digitized information across the world. So, you create a video you shoot a video somewhere where you capture analog signal. You digitize that and you share it across the world, you can store it you can process it anywhere else on the world. And that is what, what the internet, allows you to do for me. The internet is that that form of connectivity that provides you the ability to do computation to do build services to do all these type of things in the in the cyber world.

So when I talk about cyber security. There are two aspects. This is the cybersecurity of those digital transformations and calculations. And there's the cyber security of the internet and, and, as I work from the Internet Society, I will be mostly focusing on that second part.

How I was thinking about the rural special interest groups so places, non-urbanized places where internet is brought. I was really thinking about what, what are the differences between cybersecurity elsewhere and cybersecurity in the, in the rural place. What, what, what, what are the differences. And frankly, I found it very hard to come up with with with differences with differences in cybersecurity approaches in rural areas, and cybersecurity elsewhere. I think there is a little bit of a difference. I will get back to the, the last my last slide, more as a thought as a theory than then as a bold statement. By the way, I don't think there are 10 differences in these two pictures so stop counting,

um, when we talk about cyber security in the, in the Internet Society mostly we approached that by a framework which we call collaborative security and collaborative security is the idea that security is most normal states but the process, it is a frame of mind, whereby it is important, and this is specifically important for the internet that you're in multione actor. You're not only protecting your assets you are protecting an asset that is globally shared and in which many parties have a responsibility and their own responsibility in managing the pieces that they are responsible for. Remember that the internet itself, the network of networks itself is a network of 60,000 and all those networks. Connect homes. Connect villages, connect enterprises connect things, and all those type of things need to be secured as well. This is where you you sort of hope along between securing the internet itself but also everything that connects to the internet. And there are a few principles that we keep in mind when we talk about global Internet Security about collaborative security.

First is the principle that you need to foster confidence and protect all the opportunities that the internet brings the internet brings a lot of opportunities we know there are problems with the internet problems that are often in the news breaches of trust breaches of of expectations and, and we absolutely need to fix the problems that we see. But by doing so we have to make sure that we don't break the fabric of the internet itself and the things that make the internet possible. The open nature of the internet, the, the, the, the ability to innovate, the ability to globally connect all those things are bringing opportunities that you want to protect, and that protection is actually a collective responsibility. Everybody has to play its part. And when you do that, you have to take into account fundamental properties and values, values of of a universal nature like the universal treatment of human rights, but also fundamental values and properties of the internet itself. Patience innovation, openness, those type of things.

When you create solutions. Then create them by evolution and consensus.

Right revolution and implosion imposing solutions is sort of the other extreme, and is not guaranteed to lead to success. It's better to do tests and reject what doesn't work, and have a form of consensus about what you deploy in the internet. And then, finally, and this is an important one think globally but act locally. Everybody can play their part in securing the internet. And you do that locally, but you have to take into account the global nature of the internet when you do so, that is both when you protect your own assets. There's a world of, of, of, ill-intended people out there that are coming to get you so to speak. But also, there might be somebody in your network or in your environment or you might have coincidently downloaded a virus or something, or a piece of malware that this exploit exploiting something somebody else on the internet.

So, think globally but act locally. Take your responsibility. So that's the framework.

The way that is implemented is this just a graphic that I hope illustrates that

people often ask us what are what what are people actually doing to implement all these type of things. And if you look at look at look at all the, all the organizations that that take their responsibility, and how consensus and coordination is established, then there are a lot of these, these groups. There are those CSIRTs, the, the, the security incident response teams in nations in corporations, which collaborate and so on and so forth. There are, law enforcement, there are ISP groups there's, there's a lot of different groups that all collaborate together to take their piece in the goal picture of cybersecurity. And I'm not going to explain this picture because that would take me more than 15 minutes, and I only have 15 minutes left. What I wanted to do now is a little bit of an overview of the cyber security related activities in our programs in, in, in the activity program for 2020 and likely also for the pro two programs for 2021, we're likely to continue these.

And those are routing security, encryption, time security and policies to favor a secure and trustworthy internet. Now I'm not going to talk about these policies that favor a secure and trustworthy internet because they are probably a presentation by themselves. What I do want to talk about or touch upon a little bit, are time, encryption and routing security. And here I'm trying to think a little bit also on the rural perspectives on these type of things. Is there a rural component that makes these projects, special, and frankly I think the answer, and I'm going to spoil it a little bit is going to be no. Let me start with time security time security is one of the projects. It's one of our smaller projects at the Internet Society, where we are interested in making sure that the Network Time Protocol, the protocol that distributes time on the internet becomes secure, and that security is also deployed. Why is this important?

I won't spend much time on this but it's important, because every security transaction, on the internet relies on time every single one of them. If your clock is off, you cannot validate signatures. If your clock is off, you might be heading to the wrong website has an expired certificate. If your clock is off DNSSEC won't work if your clock is off, and I can continue and I can continue. Now, clocks are somewhat of an attack vector and making sure you have the correct time is therefore very important. There are two aspects to that, maintaining a well run clock is very important, but also making sure that the distribution mechanism of time itself Network Time Protocol, cannot be spoofed attacked or whatever. And that's currently frankly that's currently possible. So our work in this area is in the very early stages around standardization and making sure that our are bringing together people who work on on early implementations and seeing to it, that there is progress made hopefully towards more professional. And over the over the over the counter type of products that will support. Time security. This is obviously important for everybody on the internet, except that the people who are involved with this now are specialists are people that are interested in time distribution and this is not safe for your regular consumer so I'm going to continue to the next part.

That's the routing security. Routing security is already a little bit more important. Routing security is important because whenever you you have traffic that transfers the internet. It's being routed from a spoke a to b. Here is a picture of the internet. A very sketchy picture of the internet, where every little cloud here represents a independently owned and operated network and there on the current internet there are about 60,000. So, whenever these networks, say, you can reach my customers here. They will say that to their neighbors, and their neighbors will say that to their neighbors, and those will say that to their neighbors. So, internet routing is actually a whispering game. And the security of a whispering game is abysmal. Um. One of the ways that people try to secure this is by having the best practices that that we know how to operate this, making sure that those are at least operate implemented by all these participants. That's why we have the Mutually Agreed Norms for Routing Security program. Now I won't talk a lot about routing security because that will be the next speaker. But remember, routing is a whispering game, and whispering games are inherently insecure. Now, what does this mean for the rural, the rural rural people, so to speak, people who are not, you know, decentral the internet, so to speak.

I think there are no special considerations. If I look at the Rural Internet it's most likely that you are connected to an edge network, and that edge network has their own responsibilities for routing, but you as a clinic D, do not have specific responsibilities there it is your internet service provider that has

Third part, encryption.

Encryption I think is important for everybody because encryption is a little bit more about the interaction between the digitized world and and the internet itself, it is about getting information from A to B, and making sure that it is done in a secure way that the data is protected from change, but also that the data that is transferred is not readable by others. This is important in many, many, many daily interactions.

This is important when you do your banking business. This is important when your kids are sharing location data because they want to walk home safely. This is important. When your medical records are being stored. This is important when you vote. This encryption is important in all aspects of daily life. And again, I don't see many differences, specifically with the importance of encryption between rural and urban communities. So this is also important for for everybody else. The Internet Society we care a great deal about encryption because it's under under, under attack, so to speak. There are agencies law enforcement agencies that would want to disable encryption or make it much weaker. We don't agree with that. The Internet Society believes that encryption should be the norm for internet traffic and data storage, because that will make the internet, more secure place. It will make it more private for the individuals that do their business and do their daily lives. And it will allow us to communicate trustworthy encryption is a technology that is inherently trustworthy and can rely on the functionality of that have that technology. Strong encryption assures that law enforcement communication civil authorities ability to communicate with each other and banking transactions are all protected. Legal and technical attempts to limit the use of encryption, even well intentioned will negatively impact the security of law abiding citizens and the internet at large, this is the Internet Society society's position on on on on on on encryption. And this, I believe, again, is a topic as I just said that is relevant to all users of the internet. Which brings me to a question for the last three minutes of the presentation. I think thinking a lot, what is the difference if it comes to security between rural and urban areas, what is the difference in cybersecurity.

I see it a lot, but I've been thinking, thinking a little bit about that. I shouldn't saturating that.

I think that that that for rural communities the issues are really with capacity. It's not only the ability to connect people, which we know in rural areas is sometimes, much harder than in urban areas and urbanized places. Obviously, the Internet Society is interested in making sure that people get connected. We have large programs around that like building community networks and enabling the, the possibility to build these. But, but this is more capacity on the human front. Where do you find the specialists that can help you with protecting your internet. The internet in your school or the internet for your business. If you're a small business, small farming business for instance, and you want to make sure that the, the price of crops, get to you, and you can communicate in the same way. What, what, what, what your business secrets are, what your, what your youth, for instance, to make sure that your business runs well. And those specialized functions are often easier to get in, in urban areas, that's where the people who do cybersecurity have their offices, probably not that easy in the rural areas.

That's a thesis, I do not know if that is true. I would like to. I'd like to test that with, with the group.

It's clear that access is critical, rural economy. That's at least clear to me. Anywhere where the internet comes, you have more information about prices you have more information about the rest of the economy. And, and ICT can play a role in that. And having global connectivity can help in that aspect as well. So, my question would be, what can, what can the internet how this connectivity helps you to get to the ICT capacities that are needed to to secure your networks and help secure your environment.

I think that is a slightly different set of considerations than for non rural environments. But again, that's a thought, and I would like to hear your, your thoughts on that. And with that, I think I'm done. If you have any questions you can reach me at the email address on this slide. And I also have a Twitter account called mom. That might also be a way to reach.

Thank you very much.

Thank you. Good morning, good afternoon, good evening to everyone, depending on where you are. So I'm going to talk about more details, Olaf already gave a nice brief introduction to routing and some key routing security issues. I'm going to delve deeper into that. Again, this, the routing security as already mentioned, is something that, that will be taken care of by the edge networks, the transit providers of the edge networks and then up the edge of the hierarchy. So let me share my screen, a moment.

Can you see my slides?

Yes, we are able to see our slides. Wait, no

practical solutions for internet routing security and DDoS mitigation. The focus of the talk, will be Border Gateway Protocol or BGP routers, fix the vulnerabilities there include prefix hijacks routing route leaks. We'll also briefly talk about distributed denial of service, which is done by flooding servers with IP packets and these IP packets, often have spoofed IP addresses, and also in that process, internet, open, open Internet servers, such as the DNS are used, they are exploited to amplify the DDoS attacks. We look at some standards based security solutions. So there has been a lot of good effort that has been devoted towards BGP security and best common practice guidance. I mentioned here in this document, and also the MANRS, Mutually Agreed Norms for Routing Security, that Olaf has already mentioned briefly. In, of course, I did not show an IETF here, and several other organizations. Many organizations around the world. The public sector in the private sector, really actively working on routing security.

And we ourselves. Several of us at NIST myself my colleagues, been very actively participating in the IETF, and the, the NIST Special Publication 800-189 document that I'm showing on the left side. It covers the topic of BGP security and DDoS mitigation. It provides security technologies, before these two areas. There's a nice overview of those description overview of those technology technologies, and also provide security recommendations and the MANRS effort, very complementary to the NIST guidance. MANRS includes several implementation guidance documents. They have those are highly complementary to the, to the SP 800-189 document. The 800-189 document contains two main topics as I said, control plane or BGP security. And also, it, it covers DDoS DDoS mitigation reflection amplification of vulnerabilities and solutions, and recommendations for those. And as you can see we cover a variety of topics, and subtopics under each of these, starting from registration of Route objects in the internet routing registries, a certification of resources in the, in the RPKI, or Resource Public Key Infrastructure, BGP origin validation, and so on. There is also route leaks which I will talk about briefly later. And on the right hand side for DDoS, source address validation is key. And there were some constraints, some limitations of BCP 38, BCP 84, because of which source address validation did not get adopted widely people, many networks do it by tagging, we would like to see much broader adoption of those in order to mitigate mitigate DDoS attacks. So we also provide solutions that are available in standards, including some new style standards which I'll talk about later. That mitigate DDoS attacks with source address validation. We also provide information about in the document we also discuss going traffic routing at open Internet servers. At the DCP you're having monitoring of TCP UDP ports, and we'll talk about BGP Flowspec as well as RTBH, remotely triggered black hole filtering.

So, jump into jumping quickly about the vulnerabilities associated with inter domain routing. So if you look at this picture on the left hand side, there is a legitimate announcement. 192.0.2.0/24, and the same prefix is hijacked and announced on the right hand side, from AS 64510, and that that is a hijack, and what happens is that, in the absence of routing security in the absence of BGP security. This attack. The BGP attack update will propagate across half of the globe half of the internet and users will be misdirected to the attacker. So the result of these attacks is denial of service misrouting of traffic and resulting stability of eavesdropping on the information and unauthorized routing. There have been many threats that that have made headlines in the newspapers and trade magazines are these threats, or what are the motivations behind those attacks, could be financial or they could be for example, there could be other motivations and in the case of Iran route leaks or BGP attack the motivation was censorship in the country. I want to show this slide. An example of a real attack that happened in 2018, and it illustrates to you, the vulnerability in, in some more depth and, and then you will be able to appreciate why the security solutions are so important.

So, on the on the on the left side we have the Amazon authoritative DNS, and on the upper right hand side and imposter Amazon DS DNS is operating at these entities using a compromised router in the Columbus Columbus, Ohio location. And in this attack the attackers made a use of BGP hijacking, as well as, as well as in like an imposter DNS DNS hijacking. So, the imposter, what happens is that the imposter Amazon DNS is essentially operable because the hijack propagated across the internet and hijack is the most specific prefix it propagates everywhere in the internet, unless there is routing security, the users are reaching the imposter DNS as a result, and then the DNS that DNS misdirects the users to to imposter MyEtherWallet.com server in Russia and the, the unsuspecting users will put in their, their credentials, their imposter are the attacker is then able to go to MyEtherWallet.com on the upper left side, and be able to accomplish that, the stealing of the cryptocurrency. So you can see the vulnerability of BGP is enormous, and there are global implications of it.

So there is work in the IETF that that has happened over the last 10 years or so. That covers BGP origin validation. It covers BGP path validation or BGPsec, it covers BGP route leaks, amongst other topics, and today we are going to look at more detail, more in a more detailed way about BGP origin validation. And also we also will look at route leaks, briefly, But there is the whole RPKI infrastructure. It This shows the hierarchy of the internet resource allocations. It starts off at the top with IANA, and it and and the five different areas in yellow. And these RIRs allocate resources to ISPs and to enterprises, the dotted line is simply IANA allocation, but the solid arrows correspond to the, the resource certification hierarchy.
So, in RIPE, are the five, those are the main five trust anchors, and they allocate resources to ISP enterprises, and ISP and in turn can allocate resources to their subordinate ISP, as well as customers. So these are resource certificates are the idea, or this is a hierarchy of the resource certification in the next slide. So once the customer for example or an enterprise has a has a certificate for their resources, the prefix the AS number, they are able to then create route origin authorization. And with their with a proof resource certificate corresponding to their prefix, they can they can sign the ROA. The ROA contains multiple prefixes potentially that the customer wishes to originate, and they can specify the AS number from which they originate. They also specify max length, meaning that the BGP announcement. The prefix should not exceed the maximum. So that ROA essentially is something that the routers in the internet the Border Gateway Protocol routers, would make use of the ROAs to implement routing security. This is again about how this whole infrastructure works that I will respect briefly in the next few slides. We have this RIR-hosted RPKI infrastructure on the left and the user or enterprise. On the right, a point of contact for the enterprise. They have resources prefixes, AS numbers, and they connect to the RIR to a hosted service portal them, and they are able to authenticate themselves, then they get their allocated resource certificates, private key public key which which are hosted within the RIR. And the user is then able to use the resource certificate, the private key to sign their ROA, and put it in the repository.

Now, the on the next slide. The. Once again, the hosted RPKI infrastructure here. Once the user's ROAs, and then the resource certificates are adding are created. They are stored in the RPKI publication point there. The, the, relying party of RPKI will download the RPKI information, such as the resource certificates, which include the public key is needed, as well as the ROAs. And once this information is is saved in RPKI caches. From there, it can be utilized within the autonomous system of the enterprise, or the ISP to make their BGP routers, secure. So from the, from the repositories PRP is downloaded into RPKI caches. And from the RPKI caches that was a proper process and the X.509 authentication is is performed validation is performed. Then, what is called a VRP, validated ROA payload. Those are created and validated ROA payload is then fed into the routers, either through the RPKI-to-router protocol or a network management system. Now the routers are ready with a whitelist of what prefix origins are expect valued and what would be invalid. And based on that they can perform their routing security or origin validation. And this is an additional detail which talks about delegated RPKI, I will skip over that in the interest of time, um, the resource certification status is that all five RIRs have production RPKI services and BGP routing BGP origin validation details.

So once you have the enterprise AS or the ISP autonomous system, you have the Border Gateway. There's the BGP routers, doing performing origin validation on the left and the right in the figure, the validation is performed on internal BGP announcements in iBGP as well as external BGP announcements that come in over eBGP. And these announcements. The prefix origin pair from these announcements, is compared against the VRP. The VRP of results gives you three different outcomes, not found valid or invalid. Not Found means that the resource owner the prefix owner has not registered a ROA. Therefore we cannot tell whether this is actually valid or not valid. The resource owner has registered a ROA, then the prefix origin in the update or the VRP is, is, and the end of the RP are compared. And if there is a VRP that matches the route prefix, it would be valid. And if, at least one VRP covers the route prefix, but no VRP matches the announcement or the route prefix, then it is declared invalid. So there are three states, then based on that you can have local policy decisions whether to drop the invalid updates, or prefer depress the invalid updates, etc. but one has to be careful about choosing which policy, because not not ever, not all of them provide effective solution that is tailored to your need. You may just choose to monitor or you may choose to drop the invalid. One has to carefully, think about that and factor it into their policies. Then there are this this slide covers the BGP operational status. It gives you a number of references SR look up regarding the core specifications in the IETF kommst commercial implementations of products, services, production services like and operational deployments IP applique then on the right hand side, there is additional information about workshops documentations that are quite relevant.

We now delve into measurements related to the origin validation. Here we talk about source certification measurement resource certification measurement. In other words like you have the RPKI infrastructure, the internet service providers. The Enterprise's have created their ROAs, what we are doing. We have a monitor at NIST, and what we do every day is look at the download the data from the RIR resource registries, and, and, and so on. And we take the RPKI data from there the ROAs, and looking at those ROAs, we, we also look at the BGP announcements from RouteViews and RIPE RIS, and we match the two against each other. So we will determine what announcements that our views seen in the route views or IPS would be valid invalid or not found, and we report on the statistics. On the left you see that 20% of the prefixes in the internet globally today would be valid. And that number should should should grow substantially over the next few years because of the substantial efforts that are taking place across the networking community. On the right hand side, the focus is on RIPE only. This year we are not looking at the prefixes but instead the address space in /24 units. He had received that the that the valid is a nice 47% figure. And this is not as good for other RIRs. RIPE is ahead of the other RIRs.

The next slide, it shows you who are the early adopters. So we look at autonomous systems, the prefixes from them, whether they are valid or invalid. And, and this reports, a ranking of the ASes in terms of the, the validation, the maximum number of maximum amount of address space, that would be valid for any given AS, and this is the rank of the ranking of 25, as you do a pretty detailed analysis, or delving into the current invalid routes, first we identify what is the cause of the invalid is the AS number is incorrect or if the maximum is exceeded. And we delve even deeper. We asked the question, if I have an invalid route, and if I drop it. Where will this traffic go instead of the invalid route the traffic would go to another valid route, potentially, or maybe another not found route. And those routes may be the same prefix or they may be specific. In either case, the, the traffic is going to a legitimate prefix appointment potentially a legitimate prefix. Then we delve even deeper and we look, we asked, Is it going to the same origin AS, or a different origin. Is it does it have the same AS path to the, to the originating AS, or a different one. So those questions are also answered. We have a monitor, that is currently existing, and then we have a new monitor which we call Monitor 2.0. That is not online yet, but that provides these kinds of additional detailed information. And also it provides detailed information about day to day changes in the archives in the ROAs, etc.

So there are efforts that monitors the adoption of RPKI and this provides this website at peak API dotnet I showed you, which ASes are currently doing doing validation. So there are about 117 ASes that I looked up a couple of days back and of those most of us. Most are using ROV at the Amsterdam, internet exchange route server. And there are BGP implementations. In the interest of time, I'll just point you to the references here. Both RPKI infrastructure related implementations. On the left, and the router implementations on the right.

Just follow the links and you can get a number of details. Again, on this slide, in the interest of time, I'll be quick. There are innovative tools and techniques that are being made available by Amsterdam Internet Exchange, once again, their implementations. Cloudflare is also very actively involved in promoting and increasing the adoption of RPKI in multiple ways. There are a number of efforts in the IETF; I will not go into the details that are listed on the right-hand side. Let me talk for the next few minutes about route leaks and DDoS mitigation, and then we'll conclude.

So, route leaks. This is also a very significant issue in the internet with BGP. Thousands and thousands of route leaks happen every day. Some of them make it to the newspapers, but many of them don't, because undoubtedly it is still getting the traffic to the appropriate or legitimate destination. Then people don't notice them. But many route leaks happen that people do notice, and they cause major disruptions. What is a route leak? If you look at the last one on the left, it is an internet service provider, transit provider, it is slow, it is sending a prefix to the customer. The customer should send it only downward to their customer, but not up towards another transit provider. So that would be... So internet routes are supposed to be valley-free. In this case you see that it is not valley-free: the customer is propagating it back up to another transit provider, and that transit provider ISP does not detect it, and they propagate it further, which makes things really bad. So these things happen every so often and cause major disruption. So in principle, when a BGP router in your network, as an enterprise or ISP, receives a prefix, receives the update from the provider or a peer, it should propagate that update to customers only, but not to another peer or transit provider, and that basic principle is violated in route leaks.

There are several efforts in the IETF which are listed here; I'm involved in those. So, there is an RFC on definition, and there are also topics that cover route leak solutions. So, without going into too much detail, let me just briefly describe what the solution looks like in this slide. Essentially, DO means the down-only indication; it could be an attribute, or it could be a community in the BGP update. The customer sends their prefix upward from AS15 to AS5. AS5 is sending it to a lateral peer. It says down only, and it says AS number five put in down only: from this point onwards, it should go only down, down the stream. If AS6 leaks it to AS2 with the down-only indicator, attribute or community, in the BGP update, AS2 is able to detect that it's a route leak, and then they can stop it. Quickly, next, one minute, one or two minutes, and then I will talk about DDoS, IP spoofing and reply reflection amplification.

That will be the last topic for today for my talk. The DDoS attack happens when many botnets, laptops, desktops, tablets, are compromised, on the lower left, and they become botnet sources. And they can be used to generate DDoS traffic towards a victim on the upper right-hand side. But along the path, these messages could be directed with a spoofed IP address; they can be directed to open reflectors such as DNS, and then the responses from the DNS, or the open internet software, would be directed to the victim, and the victim will get an amplified, huge volume of attack traffic. This attack can also be performed from the cloud, upper right, upper left-hand side.

So the solution is source address validation and unicast reverse path filtering, which have been around for a long time, but the adoption is not great. And that is because of some practical limitations. Without going into details here of the practical limitations, basically what you are doing is this: if you have a peer, a BGP peer, and you get BGP updates from them, then when you get a data packet, you look at the source address and you ask: did I get a prefix update, a BGP update, from this peer, this neighbor, which contains the source address? If not, you drop the packet. So that is strict uRPF. And there is loose uRPF, where you say, okay, not just this neighbor, but do I have a route in my routing database which covers the source address in this data packet? If there is such a prefix which covers the source address, that would be loose uRPF. Feasible path cares about... So strict cares about directionality a lot. Loose does not care about directionality, but feasible path is the middle ground. And what we have done is we have advanced the feasible path uRPF, and we have something called enhanced feasible path uRPF. It's an RFC, 8704, where it is described.

So just in one last slide, I would like to share with you what the enhanced feasible path algorithm does for you, what uRPF does for you. Let me go to the picture. So essentially, as AS4, you are doing source address validation, and you want to minimize the false alarms, the false dropping of legitimate data packets. That has been the main concern with uRPF and source address validation. And this enhanced feasible path improves uRPF a great deal in terms of minimizing the false alarms, and at the same time being able to drop invalid data packets that have spoofed IP addresses. The key principle here is that in AS4, the border routers in AS4 look at: what are the updates I'm getting which have AS1 in common, for example? And it is getting three prefixes, P1, P2, P3, from three different directions, from customers, from peers. And it says, okay, I have P1, P2, P3, which all originate from the same AS1. So I'm happy to give the benefit of doubt: these data packets can now come with an address in any of these prefixes from any of those three interfaces. So that way it adds flexibility. It compromises directionality a little bit, but it gets pretty much more accurate in terms of reducing the false alarms. So that's the key concept. With that, let me point you to a nice project, a website, and now I'm open to... thank you very much.

I hope, having great time

for hours production time to make a 52nd

video.

Okay.

That's why they play people make movies lots of money.

Name material hurry. I am a computer programmer. C++ is my... C# is my favorite current programming language. Programming assembler, etc., etc., since 1967.

Okay. Born 1948

masks. Were you masks mess design needs work. Okay. Best goes over the neck, not the years. And then when you need it

best to leave the eyes exposed.

That's it. We're going to go four seconds one second. Beep beep beep beep stuffing.