SlideShare une entreprise Scribd logo

Danger of Proxy ARP in IX environment

Télécharger en tant que PPT, PDF
Maksym Tulyuk
Maksym Tulyuk

Review of a Proxy ARP incident and how to deal with it.

Technologie
1  sur  37
Danger of Proxy ARP in IX environment version 0.5 Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
Content 1. The Outage 2. Analysis 3. Tools and procedures 2
Danger of Proxy ARP in IX environment 1. The Outage Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
1.1. Enabling new customer 1. A customer’s router was moved from the Quarantine network to the Production network 2. This is a standard procedure was done many times 4
1.2. Proxy ARP in action Proxy ARP - router sends ARP replies from own mac address Proxy ARP conditions 1.Proxy ARP was enabled on a customer’s router 2.The router had no IP address from IX range 3.The default route was set on the router 5
1.3. BGP sessions down Flapping of BGP sessions was only one visible thing of the accident 6
1.4. Troubleshooting Hypotheses during outage 1.Platform issue? 2.BGP issue? 3.Cisco issue? 4.Route-server issue? 7
1.4.1. Platform issue? 1.No interfaces down – it’s not Physical layer 2.No packet losses – it’s not Data Link layer 3.Small drops on graph – it’s not Network layer 4.Only BGP sessions down – something on Transport or 8
1.4.2. BGP issue? 1. At least, 111 BGP peers were down – available statistics only from our equipment (route-servers, routers) 2. 88 peers with route-servers were down 3. 57 peers with our routers were down 4. Most of mac addresses are … Cisco 9
1.4.3. Cisco issue? 1. 90% affected routers were Cisco 2. Cisco’s “bad fame” 3. RIPE “experiment: https://labs.ripe.net/Members/erik/ripe-ncc-and-duke-university-bgp-experiment 4. 10% routers of other vendors 10
1.4.4. Route-server issue? 1. Our route-servers were unstable 2. /var/log/messages: “arp info overwritten for [IP] by [MAC] on [interface]” – mac address is the same all the time 3. Call from a customer: “router with [MAC] is hijacking IP addresses!” 11
1.5. Disable port 1. The port with the broken router was disconnected 2. It was disconnected 3 (three) times – good team work  12
1.6. Calls from customers 1. 10 calls from customers (1 call per 4 min) 2. No network tickets were sent  3. Confirmation that the right router was disconnected 13
1.7. Unicast flood Disabling router caused Adding mac-address on “unknown unicast” flood monitor host solved flood 14
1.8. Update mac tables Despite disconnecting the broken router, all affected routers had wrong mac addresses in their ARP tables 1. Proper mac addresses were got from ARP sponge (part of our monitoring system) 2. Send spoofed ARP requests 15
1. The Outage: overview 1. Customer in production 2. Proxy ARP in action 3. BGP sessions are down 4. Troubleshooting 5. Disable port 6. Calls from customers 7. Unknown unicast flood 8. Update mac tables 16
Danger of Proxy ARP in IX environment 2. Analysis Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
2. Analysis: root causes The issue happened because 1.Proxy ARP on customer’s router 2.No IP address from IX range 3.Customer’s router had default router 18
2.1. Proxy ARP tests Issue: routers weren’t checked for Proxy ARP Solution 1: Test all new Solution 2: Periodic check connected routers if Proxy all connected routers if Proxy ARP is disabled on them. ARP is disabled on them Fix: proxy ARP test was Fix: tool checks connected added to internal procedure; routers once per day all engineers were informed 19
2.2. Confirmation Issue: no confirmation permanent IP address was set Idea: 1)Customer sets up an IP address from IX range 2)Engineer checks if the IP address was set 3)The router is moved to the production network Discussion… 20
2. Analysis: troubleshooting Issues 3.Duty engineer didn’t have enough information 4.No logs from kernel 5.Customers weren’t informed on time 21
2.3. Full information Issue: duty engineer didn’t have enough information because enabling the new link was done by engineer from the previous shift Fix: 1.informing duty engineer about your actions 2.internal calendar with planned works Discussion: tool to deal with planned works 22
2.4. Enable logs Issue: no logs from kernel on syslog server: /bsd: arp info overwritten for [IP] by [MAC] on [interface] Fix: route-servers export to the syslog server messages from BGP daemon and ARP messages 23
2.5. On time information Issue: customers weren’t informed on time Solution: a tool allows to open and send a network ticket quickly and easily Development: 1.Old web interface: option “send network ticket quickly” 2.New web interface – under testing 24
2. Analysis: overview 1. No proxy ARP tests were made 2. No final confirmation from customer 3. Duty engineer didn’t have enough information 4. No logs from kernel 5. Customers weren’t informed on time 25
Danger of Proxy ARP in IX environment 3. Tools and procedures Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
3.1. Team work “Never debug alone”: 1.15 min – 3 engineers were involved 2.25 min – 5 engineers were involved Advice: if the issue is going more that 15-30 min, escalate to your colleague/2nd line 27
3.2. Central log server 1. Logs from all devices are being sent to a log server 2. The server is available during outage 3. Analysing tools (sed/grep/awk/etc) are installed on server 4. Engineers know how to use them 28
3.3. Visualisation 1. WeatherMap 2. Connectivity matrix 3. MRTG 29
3.3.1. Weather Map http://www.network-weathermap.com/ 30
3.3.2. Real time matrix Router-to-router performance: delay, jitter, frame loss https://www.ams-ix.net/real-time-stats/ 31
3.3.3. MRTG Daily graph: https://www.ams-ix.net/statistics/ Route servers: https://www.ams-ix.net/rs-stats/ 32
3.4. Traffic snooping 1. Host connected to the production network with legal IX address stores all incoming traffic (broadcast, multicast, unknown unicast) 2. Already installed tools: tcpdump, tshark, etc 3. Black hole was made on it 4. Extra: proactive traffic monitoring (STP, CDP, IGMP) through traffic analysis 33
3.5. ARP sponge 1. ARP sponge – tool to reduce ARP traffic in case of “host is down/flapping” 2. If the sponge sees too many ARP requests it declares the host is down and starts replying with own address 3. ARP sponge monitors all ARP traffic, so it knows all mac addresses More details about ARP sponge: http://staff.science.uva.nl/~delaat/rp/2008-2009/p23/report.pdf Source code: http://www.ams-ix.net/downloads/arpsponge/ 34
3.6. ARP cache update 1. The router with proxy ARP was disconnected but other routers still have wrong ARP records 2. To update their ARP tables (proactive approach) ARP spoof request was sent 3. Another option: Gratuitous ARP or Unsolicited ARP Reply 4. Addresses were obtained from ARP sponge 5. Spoofed ARP packets were injected by ARP sponge also More details: http://www.ams-ix.net/assets/Presentations/Euro-IX-19-ARP-Hijacking-Mitigation.pdf 35
3. Tools: overview 1. Team work 2. Central log server 3. Visualisation 4. Traffic snooping 5. ARP sponge 6. ARP cache update 36
Danger of Proxy ARP in IX environment Questions? Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011

Recommandé

Tremashark
TremasharkTremashark
TremasharkYasunobu Chiba
 
Rip 2 docoments version 1.1 by deepak kumar
Rip 2 docoments version 1.1 by deepak kumarRip 2 docoments version 1.1 by deepak kumar
Rip 2 docoments version 1.1 by deepak kumarDeepak Kumar
 
Ccna 4 Chapter 7 V4.0 Answers
Ccna 4 Chapter 7 V4.0 AnswersCcna 4 Chapter 7 V4.0 Answers
Ccna 4 Chapter 7 V4.0 Answersccna4discovery
 
Developing production OpenFlow controller with Trema
Developing production OpenFlow controller with TremaDeveloping production OpenFlow controller with Trema
Developing production OpenFlow controller with TremaYasunobu Chiba
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) Mohmed Abou Elenein Attia
 
At8000 s configurando multicast
At8000 s configurando multicastAt8000 s configurando multicast
At8000 s configurando multicastNetPlus
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648Mohmed Abou Elenein Attia
 
Ccna 4 Final 2 Version 4.0 Answers
Ccna 4 Final 2 Version 4.0 AnswersCcna 4 Final 2 Version 4.0 Answers
Ccna 4 Final 2 Version 4.0 AnswersCCNA4Answers
 

Recommandé

Tremashark
TremasharkTremashark
TremasharkYasunobu Chiba
 
Rip 2 docoments version 1.1 by deepak kumar
Rip 2 docoments version 1.1 by deepak kumarRip 2 docoments version 1.1 by deepak kumar
Rip 2 docoments version 1.1 by deepak kumarDeepak Kumar
 
Ccna 4 Chapter 7 V4.0 Answers
Ccna 4 Chapter 7 V4.0 AnswersCcna 4 Chapter 7 V4.0 Answers
Ccna 4 Chapter 7 V4.0 Answersccna4discovery
 
Developing production OpenFlow controller with Trema
Developing production OpenFlow controller with TremaDeveloping production OpenFlow controller with Trema
Developing production OpenFlow controller with TremaYasunobu Chiba
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) Mohmed Abou Elenein Attia
 
At8000 s configurando multicast
At8000 s configurando multicastAt8000 s configurando multicast
At8000 s configurando multicastNetPlus
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648Mohmed Abou Elenein Attia
 
Ccna 4 Final 2 Version 4.0 Answers
Ccna 4 Final 2 Version 4.0 AnswersCcna 4 Final 2 Version 4.0 Answers
Ccna 4 Final 2 Version 4.0 AnswersCCNA4Answers
 
Ccna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCcna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCCNA4Answers
 
PATENT of panatrate firewall
PATENT of panatrate firewallPATENT of panatrate firewall
PATENT of panatrate firewallBo Xiong
 
M3
M3M3
M3Quân Quạt Mo
 
Ccna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 AnswersCcna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 Answersccna4discovery
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214Mac An
 
Ccna 3 final exam answer v5
Ccna 3 final exam answer v5Ccna 3 final exam answer v5
Ccna 3 final exam answer v5friv4schoolgames
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5friv4schoolgames
 
ccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answersccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answersĐồng Quốc Vương
 
KR2 Kyocera User Guide
KR2 Kyocera User GuideKR2 Kyocera User Guide
KR2 Kyocera User GuideAri Zoldan
 
Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018Download Mipdfcom
 
CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018Download Mipdfcom
 
Attachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning toolsAttachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning toolsChristian Silva Espinoza
 
Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014Đồng Quốc Vương
 
Multicast IP addresses Part 1
Multicast IP addresses Part 1Multicast IP addresses Part 1
Multicast IP addresses Part 1Mohmed Abou Elenein Attia
 
Tcp ip management & security
Tcp ip management & securityTcp ip management & security
Tcp ip management & securityAsif Qureshi
 
High available energy management system
High available energy management systemHigh available energy management system
High available energy management systemJo Ee Liew
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3ManageEngine, Zoho Corporation
 
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIASlides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIADheryta Jaisinghani
 
Update over AMS-IX provision system
Update over AMS-IX provision systemUpdate over AMS-IX provision system
Update over AMS-IX provision systemMaksym Tulyuk
 
AMS-IX на европейском рынке IX
AMS-IX на европейском рынке IXAMS-IX на европейском рынке IX
AMS-IX на европейском рынке IXMaksym Tulyuk
 

Contenu connexe

Tendances

Ccna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCcna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCCNA4Answers
 
PATENT of panatrate firewall
PATENT of panatrate firewallPATENT of panatrate firewall
PATENT of panatrate firewallBo Xiong
 
Ccna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 AnswersCcna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 Answersccna4discovery
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214Mac An
 
Ccna 3 final exam answer v5
Ccna 3 final exam answer v5Ccna 3 final exam answer v5
Ccna 3 final exam answer v5friv4schoolgames
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5friv4schoolgames
 
ccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answersccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answersĐồng Quốc Vương
 
KR2 Kyocera User Guide
KR2 Kyocera User GuideKR2 Kyocera User Guide
KR2 Kyocera User GuideAri Zoldan
 
Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018Download Mipdfcom
 
CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018Download Mipdfcom
 
Attachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning toolsAttachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning toolsChristian Silva Espinoza
 
Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014Đồng Quốc Vương
 
Tcp ip management & security
Tcp ip management & securityTcp ip management & security
Tcp ip management & securityAsif Qureshi
 
High available energy management system
High available energy management systemHigh available energy management system
High available energy management systemJo Ee Liew
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3ManageEngine, Zoho Corporation
 
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIASlides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIADheryta Jaisinghani
 

Tendances (20)

Ccna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCcna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 Answers
 
PATENT of panatrate firewall
PATENT of panatrate firewallPATENT of panatrate firewall
PATENT of panatrate firewall
 
M3
M3M3
M3
 
Ccna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 AnswersCcna 3 Chapter 9 V4.0 Answers
Ccna 3 Chapter 9 V4.0 Answers
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 
Ccna 3 final exam answer v5
Ccna 3 final exam answer v5Ccna 3 final exam answer v5
Ccna 3 final exam answer v5
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5Ccna 1 practice final exam answer v5
Ccna 1 practice final exam answer v5
 
ccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answersccna 1 v5.0 itn practice final exam answers
ccna 1 v5.0 itn practice final exam answers
 
KR2 Kyocera User Guide
KR2 Kyocera User GuideKR2 Kyocera User Guide
KR2 Kyocera User Guide
 
Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018Ccna1 v6.0 pretest exam answers 2018
Ccna1 v6.0 pretest exam answers 2018
 
CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018CCNA 1 v6.0 Final Exam Answers Option B 2018
CCNA 1 v6.0 Final Exam Answers Option B 2018
 
Attachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning toolsAttachment 11 use of common analyzing and positioning tools
Attachment 11 use of common analyzing and positioning tools
 
Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014Ccnav5.org ccna 3-v50_practice_final_exam_2014
Ccnav5.org ccna 3-v50_practice_final_exam_2014
 
Multicast IP addresses Part 1
Multicast IP addresses Part 1Multicast IP addresses Part 1
Multicast IP addresses Part 1
 
Tcp ip management & security
Tcp ip management & securityTcp ip management & security
Tcp ip management & security
 
High available energy management system
High available energy management systemHigh available energy management system
High available energy management system
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
 
Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3
 
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIASlides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
Slides for Ph.D. Thesis Defense of Dheryta Jaisinghani at IIIT-Delhi, INDIA
 

En vedette

Update over AMS-IX provision system
Update over AMS-IX provision systemUpdate over AMS-IX provision system
Update over AMS-IX provision systemMaksym Tulyuk
 
AMS-IX на европейском рынке IX
AMS-IX на европейском рынке IXAMS-IX на европейском рынке IX
AMS-IX на европейском рынке IXMaksym Tulyuk
 
AMS-IX provision system
AMS-IX provision systemAMS-IX provision system
AMS-IX provision systemMaksym Tulyuk
 
AMS-IX IPv6 Launch Day
AMS-IX IPv6 Launch DayAMS-IX IPv6 Launch Day
AMS-IX IPv6 Launch DayMaksym Tulyuk
 
IX Future: AMS-IX example. English version
IX Future: AMS-IX example. English versionIX Future: AMS-IX example. English version
IX Future: AMS-IX example. English versionMaksym Tulyuk
 
Jumbo frames in AMS-IX
Jumbo frames in AMS-IXJumbo frames in AMS-IX
Jumbo frames in AMS-IXMaksym Tulyuk
 
Multilayer Campus Architectures and Design Principles
Multilayer Campus Architectures and Design PrinciplesMultilayer Campus Architectures and Design Principles
Multilayer Campus Architectures and Design PrinciplesCisco Canada
 

En vedette (7)

Update over AMS-IX provision system
Update over AMS-IX provision systemUpdate over AMS-IX provision system
Update over AMS-IX provision system
 
AMS-IX на европейском рынке IX
AMS-IX на европейском рынке IXAMS-IX на европейском рынке IX
AMS-IX на европейском рынке IX
 
AMS-IX provision system
AMS-IX provision systemAMS-IX provision system
AMS-IX provision system
 
AMS-IX IPv6 Launch Day
AMS-IX IPv6 Launch DayAMS-IX IPv6 Launch Day
AMS-IX IPv6 Launch Day
 
IX Future: AMS-IX example. English version
IX Future: AMS-IX example. English versionIX Future: AMS-IX example. English version
IX Future: AMS-IX example. English version
 
Jumbo frames in AMS-IX
Jumbo frames in AMS-IXJumbo frames in AMS-IX
Jumbo frames in AMS-IX
 
Multilayer Campus Architectures and Design Principles
Multilayer Campus Architectures and Design PrinciplesMultilayer Campus Architectures and Design Principles
Multilayer Campus Architectures and Design Principles
 

Similaire à Danger of Proxy ARP in IX environment

3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
 
Node finder presentation
Node finder presentationNode finder presentation
Node finder presentationVarun Varshney
 
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic AnalyticsSAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic AnalyticsQin Liu
 
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffOSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffNETWAYS
 
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...PROFIBUS and PROFINET InternationaI - PI UK
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET Journal
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESIRJET Journal
 
NetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionNetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionDESHPANDE M
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Ccna 2 Chapter 8 V4.0 Answers
Ccna 2 Chapter 8 V4.0 AnswersCcna 2 Chapter 8 V4.0 Answers
Ccna 2 Chapter 8 V4.0 Answersccna4discovery
 
Running head network design 1 netwo
Running head network design 1 netwoRunning head network design 1 netwo
Running head network design 1 netwoAKHIL969626
 
Functional Areas of Network Management Configuration Management
Functional Areas of Network Management Configuration ManagementFunctional Areas of Network Management Configuration Management
Functional Areas of Network Management Configuration Managementjeronimored
 
Network analysis Using Wireshark Lesson 3: locating wireshark
Network analysis Using Wireshark Lesson 3: locating wiresharkNetwork analysis Using Wireshark Lesson 3: locating wireshark
Network analysis Using Wireshark Lesson 3: locating wiresharkYoram Orzach
 
Ccna 2 Chapter 8 V4.1 Answers
Ccna 2 Chapter 8 V4.1 AnswersCcna 2 Chapter 8 V4.1 Answers
Ccna 2 Chapter 8 V4.1 Answersccna4discovery
 

Similaire à Danger of Proxy ARP in IX environment (20)

Icmp
IcmpIcmp
Icmp
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic
 
Node finder presentation
Node finder presentationNode finder presentation
Node finder presentation
 
A new perspective on Network Visibility - RISK 2015
A new perspective on Network Visibility - RISK 2015A new perspective on Network Visibility - RISK 2015
A new perspective on Network Visibility - RISK 2015
 
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic AnalyticsSAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
SAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
 
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffOSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
 
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...
FPGA-based error generator for PROFIBUS DP - Jean-Marc Capron (Yncréa Hauts-d...
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURES
 
NetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionNetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and Detection
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Ccna 2 Chapter 8 V4.0 Answers
Ccna 2 Chapter 8 V4.0 AnswersCcna 2 Chapter 8 V4.0 Answers
Ccna 2 Chapter 8 V4.0 Answers
 
Running head network design 1 netwo
Running head network design 1 netwoRunning head network design 1 netwo
Running head network design 1 netwo
 
Functional Areas of Network Management Configuration Management
Functional Areas of Network Management Configuration ManagementFunctional Areas of Network Management Configuration Management
Functional Areas of Network Management Configuration Management
 
Network analysis Using Wireshark Lesson 3: locating wireshark
Network analysis Using Wireshark Lesson 3: locating wiresharkNetwork analysis Using Wireshark Lesson 3: locating wireshark
Network analysis Using Wireshark Lesson 3: locating wireshark
 
New Creators
New CreatorsNew Creators
New Creators
 
Ccna 2 Chapter 8 V4.1 Answers
Ccna 2 Chapter 8 V4.1 AnswersCcna 2 Chapter 8 V4.1 Answers
Ccna 2 Chapter 8 V4.1 Answers
 

Dernier

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Danger of Proxy ARP in IX environment

  • 1. Danger of Proxy ARP in IX environment version 0.5 Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
  • 2. Content 1. The Outage 2. Analysis 3. Tools and procedures 2
  • 3. Danger of Proxy ARP in IX environment 1. The Outage Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
  • 4. 1.1. Enabling new customer 1. A customer’s router was moved from the Quarantine network to the Production network 2. This is a standard procedure was done many times 4
  • 5. 1.2. Proxy ARP in action Proxy ARP - router sends ARP replies from own mac address Proxy ARP conditions 1.Proxy ARP was enabled on a customer’s router 2.The router had no IP address from IX range 3.The default route was set on the router 5
  • 6. 1.3. BGP sessions down Flapping of BGP sessions was only one visible thing of the accident 6
  • 7. 1.4. Troubleshooting Hypotheses during outage 1.Platform issue? 2.BGP issue? 3.Cisco issue? 4.Route-server issue? 7
  • 8. 1.4.1. Platform issue? 1.No interfaces down – it’s not Physical layer 2.No packet losses – it’s not Data Link layer 3.Small drops on graph – it’s not Network layer 4.Only BGP sessions down – something on Transport or 8
  • 9. 1.4.2. BGP issue? 1. At least, 111 BGP peers were down – available statistics only from our equipment (route-servers, routers) 2. 88 peers with route-servers were down 3. 57 peers with our routers were down 4. Most of mac addresses are … Cisco 9
  • 10. 1.4.3. Cisco issue? 1. 90% affected routers were Cisco 2. Cisco’s “bad fame” 3. RIPE “experiment: https://labs.ripe.net/Members/erik/ripe-ncc-and-duke-university-bgp-experiment 4. 10% routers of other vendors 10
  • 11. 1.4.4. Route-server issue? 1. Our route-servers were unstable 2. /var/log/messages: “arp info overwritten for [IP] by [MAC] on [interface]” – mac address is the same all the time 3. Call from a customer: “router with [MAC] is hijacking IP addresses!” 11
  • 12. 1.5. Disable port 1. The port with the broken router was disconnected 2. It was disconnected 3 (three) times – good team work  12
  • 13. 1.6. Calls from customers 1. 10 calls from customers (1 call per 4 min) 2. No network tickets were sent  3. Confirmation that the right router was disconnected 13
  • 14. 1.7. Unicast flood Disabling router caused Adding mac-address on “unknown unicast” flood monitor host solved flood 14
  • 15. 1.8. Update mac tables Despite disconnecting the broken router, all affected routers had wrong mac addresses in their ARP tables 1. Proper mac addresses were got from ARP sponge (part of our monitoring system) 2. Send spoofed ARP requests 15
  • 16. 1. The Outage: overview 1. Customer in production 2. Proxy ARP in action 3. BGP sessions are down 4. Troubleshooting 5. Disable port 6. Calls from customers 7. Unknown unicast flood 8. Update mac tables 16
  • 17. Danger of Proxy ARP in IX environment 2. Analysis Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
  • 18. 2. Analysis: root causes The issue happened because 1.Proxy ARP on customer’s router 2.No IP address from IX range 3.Customer’s router had default router 18
  • 19. 2.1. Proxy ARP tests Issue: routers weren’t checked for Proxy ARP Solution 1: Test all new Solution 2: Periodic check connected routers if Proxy all connected routers if Proxy ARP is disabled on them. ARP is disabled on them Fix: proxy ARP test was Fix: tool checks connected added to internal procedure; routers once per day all engineers were informed 19
  • 20. 2.2. Confirmation Issue: no confirmation permanent IP address was set Idea: 1)Customer sets up an IP address from IX range 2)Engineer checks if the IP address was set 3)The router is moved to the production network Discussion… 20
  • 21. 2. Analysis: troubleshooting Issues 3.Duty engineer didn’t have enough information 4.No logs from kernel 5.Customers weren’t informed on time 21
  • 22. 2.3. Full information Issue: duty engineer didn’t have enough information because enabling the new link was done by engineer from the previous shift Fix: 1.informing duty engineer about your actions 2.internal calendar with planned works Discussion: tool to deal with planned works 22
  • 23. 2.4. Enable logs Issue: no logs from kernel on syslog server: /bsd: arp info overwritten for [IP] by [MAC] on [interface] Fix: route-servers export to the syslog server messages from BGP daemon and ARP messages 23
  • 24. 2.5. On time information Issue: customers weren’t informed on time Solution: a tool allows to open and send a network ticket quickly and easily Development: 1.Old web interface: option “send network ticket quickly” 2.New web interface – under testing 24
  • 25. 2. Analysis: overview 1. No proxy ARP tests were made 2. No final confirmation from customer 3. Duty engineer didn’t have enough information 4. No logs from kernel 5. Customers weren’t informed on time 25
  • 26. Danger of Proxy ARP in IX environment 3. Tools and procedures Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011
  • 27. 3.1. Team work “Never debug alone”: 1.15 min – 3 engineers were involved 2.25 min – 5 engineers were involved Advice: if the issue is going more that 15-30 min, escalate to your colleague/2nd line 27
  • 28. 3.2. Central log server 1. Logs from all devices are being sent to a log server 2. The server is available during outage 3. Analysing tools (sed/grep/awk/etc) are installed on server 4. Engineers know how to use them 28
  • 29. 3.3. Visualisation 1. WeatherMap 2. Connectivity matrix 3. MRTG 29
  • 30. 3.3.1. Weather Map http://www.network-weathermap.com/ 30
  • 31. 3.3.2. Real time matrix Router-to-router performance: delay, jitter, frame loss https://www.ams-ix.net/real-time-stats/ 31
  • 32. 3.3.3. MRTG Daily graph: https://www.ams-ix.net/statistics/ Route servers: https://www.ams-ix.net/rs-stats/ 32
  • 33. 3.4. Traffic snooping 1. Host connected to the production network with legal IX address stores all incoming traffic (broadcast, multicast, unknown unicast) 2. Already installed tools: tcpdump, tshark, etc 3. Black hole was made on it 4. Extra: proactive traffic monitoring (STP, CDP, IGMP) through traffic analysis 33
  • 34. 3.5. ARP sponge 1. ARP sponge – tool to reduce ARP traffic in case of “host is down/flapping” 2. If the sponge sees too many ARP requests it declares the host is down and starts replying with own address 3. ARP sponge monitors all ARP traffic, so it knows all mac addresses More details about ARP sponge: http://staff.science.uva.nl/~delaat/rp/2008-2009/p23/report.pdf Source code: http://www.ams-ix.net/downloads/arpsponge/ 34
  • 35. 3.6. ARP cache update 1. The router with proxy ARP was disconnected but other routers still have wrong ARP records 2. To update their ARP tables (proactive approach) ARP spoof request was sent 3. Another option: Gratuitous ARP or Unsolicited ARP Reply 4. Addresses were obtained from ARP sponge 5. Spoofed ARP packets were injected by ARP sponge also More details: http://www.ams-ix.net/assets/Presentations/Euro-IX-19-ARP-Hijacking-Mitigation.pdf 35
  • 36. 3. Tools: overview 1. Team work 2. Central log server 3. Visualisation 4. Traffic snooping 5. ARP sponge 6. ARP cache update 36
  • 37. Danger of Proxy ARP in IX environment Questions? Maksym Tulyuk AMS-IX GM33. Amsterdam maksym.tulyuk@ams-ix.net 16 November 2011

Notes de l'éditeur

  1. A lot of operations stuff
  2. A lot of operations stuff
  3. A lot of operations stuff
  4. A lot of operations stuff