Archives for the month of: February, 2014

You might have been DoS-ed recently. And you can’t spend more money on special and expensive DoS detection and mitigation systems. Well, you have routers, don’t you? Some routing platforms support features which can be efficiently used to limit the impact of DoS attacks.

Let us take a brief look into one of these features on the Juniper MX gear.

Big sporting events have a great impact on the Internet. Here is one of them…

When Slovenian skier Tina Maze is in action, routers at the Slovenian Internet Exchange get hotter :-). You can spot both of her runs in Sochi 2014 on the graphs below – mind the second spike, when Tina was soooo close to the bronze medal:





To make this post a little bit more technical: most of the traffic comes from Octoshape, UDP 8247.

Yes, it can be done by BGP. What was the question anyway?

Path hiding on a route server running BGP can happen if the route server has been configured to filter the chosen best path from reaching a particular route server client.

Disabling ICMP unreachable messages will break Path MTU discovery with legacy IP, that is IPv4.

Operators often disable the generation of ICMP unreachable messages in order to protect the router’s CPU. This technique for protecting the router’s control plane is rather obsolete and dangerous. Namely, an IPv4 router uses ICMP message type 3, code 4 (The datagram is too big. Packet fragmentation is required but the ‘don’t fragment’ (DF) flag is on.) to signal to the sender that the packet it is sending is too big to forward and has to be fragmented. This is a crucial message in the Path MTU discovery process for IPv4. By the way, in IPv6 this is not the case – the Packet too big ICMPv6 message is not of the “unreachable” kind.

The Internet runs on BGP. Securing BGP is the foundation of Internet routing security.

But it is not only the protocol we must take care of. BGP as an application is also vulnerable to various threats, like route manipulation and route hijacking. BGP will originate IP prefixes as it is told to do. It is up to network administrators to mitigate the risk of BGP misuse or exploit attempts. The Internet was meant to be a place for the well-behaved, but, being as enormous as it is today, it cannot be based on trust anymore. Internet resources, like autonomous system numbers (ASNs) and IP prefixes, must be given a validatable proof of holdership. This kind of proof can be given by Resource Certification systems. Resource certificates offer the basics for secure Internet routing, particularly BGP route origin validation.