Christoph Dietzel (DE-CIX), 2018-06-07: Secure Interconnection as a Fundament of a Digital ECO System (18 slides)


Page 1: Christoph Dietzel DE-CIX · 2018-06-07 · Hijacker’s Activities Are Hard to Detect IXP Route server Announce 1.2.3.4/16 AS15159 Announce 8.8.8.0/24 Upstream Peering means learned

Christoph Dietzel, DE-CIX

Secure Interconnection as a Fundament of a Digital ECO System

Page 2:

"Security exists to facilitate trust. Trust is the goal, and security is how we enable it." (Bruce Schneier)

Abuse Management | Blackholing Dashboard | New Looking Glass

Page 3:

IXPs are a Perfect Place for Hijackers

Often not well filtered BGP sessions (bilateral + route server)

It is easy to do nasty BGP tricks:

• IP hijacks (e.g. not announced IP space)
• Combined ASN + IP hijacks (e.g. not operated ASNs)
• Hide hijacked resources behind upstream network – pretend that the spammer is just a clueless / bad customer of a customer

[Diagram labels: IXP, Route server, Announce 1.2.3.4/16, AS15159, Announce 8.8.8.0/24]

Page 4:

Hijacker’s Activities Are Hard to Detect

[Diagram labels: IXP, Route server, Announce 1.2.3.4/16, AS15159, Announce 8.8.8.0/24, Upstream, Global Routing Table]

Peering means learned routes are not propagated to upstream providers. Hijacker announcements do not show up in the Global Routing Table.

For detection tools (e.g. RIPE RIS, BGPmon and Qrator) it is hard (to impossible) to detect ASN + IP hijacks.
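As an added illustration (not code from the slides or from DE-CIX's route server), the check below applies the defence the previous slides imply: RPKI origin validation plus a per-peer IRR-style origin allowlist on the route server, with a separate warning for routes that route-collector based monitors could not see because they are absent from the global table. Every prefix, ASN, ROA and global-table entry is constructed sample data.

```python
import ipaddress
from collections import namedtuple

Roa = namedtuple("Roa", "prefix max_length origin_asn")   # one RPKI ROA

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)   # 1.2.3.4/16 normalises to 1.2.0.0/16
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def globally_visible(prefix, global_table):
    """True if a route collector's table carries the prefix or a less specific of it."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == g.version and net.subnet_of(g)
               for g in map(ipaddress.ip_network, global_table))

def check_announcement(peer_asn, prefix, origin_asn, allowed_origins, roas, global_table):
    """Looking-glass style verdict for one route learned at the route server."""
    reasons, warnings = [], []
    if origin_asn not in allowed_origins.get(peer_asn, set()):
        reasons.append(f"origin AS{origin_asn} not in IRR AS-SET of peer AS{peer_asn}")
    state = rov_state(prefix, origin_asn, roas)
    if state == "invalid":
        reasons.append(f"RPKI invalid: AS{origin_asn} not authorised for {prefix}")
    if not globally_visible(prefix, global_table):   # the visibility gap from the slides
        warnings.append("absent from global table: collector-based monitors would not see it")
    return {"prefix": prefix, "origin": origin_asn, "rpki": state,
            "action": "filtered" if reasons else "accepted",
            "reasons": reasons, "warnings": warnings}

# Constructed sample data (documentation prefixes, private ASNs), not DE-CIX data.
ALLOWED = {64500: {64500, 64501}}          # origins peer AS64500 is allowed to announce
ROAS = [Roa("203.0.113.0/24", 24, 64500), Roa("198.51.100.0/24", 24, 64510)]
GLOBAL_TABLE = ["203.0.113.0/24", "192.0.2.0/24"]
ROUTES = [("203.0.113.0/24", 64500),   # legitimate route
          ("198.51.100.0/24", 64500),  # IP hijack: space the peer does not hold
          ("192.0.2.0/24", 64499)]     # ASN + IP hijack: origin the peer may not use

def demo():
    """Evaluate every constructed route as if learned from peer AS64500."""
    return [check_announcement(64500, p, o, ALLOWED, ROAS, GLOBAL_TABLE) for p, o in ROUTES]
```

The warning is deliberately not a filter reason: a prefix that is only announced at the IXP is suspicious, but the hard decisions come from the ROA and AS-SET data.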

Page 5:

DE-CIX cares about Data Quality at its IXPs

• We are an IXP operator with clear rules in our contracts:
  • Layer 2
  • Layer 3 (mainly BGP)
• Violations of these rules might lead to prosecution – we care about (BGP) data quality
• We want to make sure IXPs are a stable and reliable place for exchanging traffic

Page 6:

Abuse management at DE-CIX

• Defined contact person and guarantee discretion → solicit feedback from customers
• Redefine abuse process
• Blacklist for expelled networks (during sales process)

ASN / IP Hijacks

Page 7: (no extracted text)

Page 8:

Faster Innovation?

Market?

Page 9:

Beta

Page 10:

DE-CIX Beta Services

Disclaimer

• No 24/7 support
• SLAs do not apply
• Decommissioning possible anytime
• Beta services – all strings attached

Benefits

• Better feedback loop
• Free of charge
• Platform for smaller features/services
• Custom adoptions possible

Page 11:

New Looking Glass Service

Page 12:

Shows Filtered Routes

Page 13:

Shows Reasons for Filtering

Page 14: (no extracted text)

Page 15:

Blackholing

• Filtering based on destination IP prefix
• Limited visibility – all traffic is dropped
• Simple but very effective

Blackholing Insights

• Statistics of your blackholed data
• Custom visualisations
• Identify the end of an attack
• Notifications and alerts
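An added example (not DE-CIX's dashboard code) of what such insights compute from flow data: per-interval byte counts toward a blackholed prefix, summary statistics, and an end-of-attack detector that treats intervals with no flows as zero traffic, which is exactly the case where the attack has stopped. The flow records, the blackholed prefix and the thresholds are constructed.

```python
import ipaddress
from collections import defaultdict

def blackholed_series(flows, blackholed_prefixes, bucket=60):
    """Sum bytes per time bucket for flows whose destination lies in a blackholed prefix.
    flows are (unix_ts, dst_ip, bytes) tuples; returns {prefix: {bucket_start: bytes}}."""
    nets = sorted((ipaddress.ip_network(p) for p in blackholed_prefixes),
                  key=lambda n: n.prefixlen, reverse=True)   # most specific match wins
    series = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in flows:
        dst_ip = ipaddress.ip_address(dst)
        net = next((n for n in nets if dst_ip in n), None)
        if net is not None:
            series[str(net)][ts - ts % bucket] += nbytes
    return series

def stats(buckets):
    """Summary numbers a dashboard would show for one blackholed prefix."""
    values = list(buckets.values())
    return {"total_bytes": sum(values), "peak_bucket_bytes": max(values, default=0),
            "buckets": len(values)}

def attack_end(buckets, quiet_bytes, quiet_buckets, bucket=60):
    """Start of the first quiet run (every bucket below quiet_bytes) that lasts at least
    quiet_buckets and is not followed by more attack traffic; buckets with no flows count
    as zero. Returns None while the attack is ongoing or the quiet run is still too short."""
    if not buckets:
        return None
    quiet_run, candidate = 0, None
    for t in range(min(buckets), max(buckets) + bucket, bucket):
        if buckets.get(t, 0) >= quiet_bytes:
            quiet_run, candidate = 0, None          # attack traffic again: restart the run
        else:
            candidate = t if quiet_run == 0 else candidate
            quiet_run += 1
    return candidate if quiet_run >= quiet_buckets else None

# Constructed flow records (unix_ts, dst, bytes) and blackholed prefix, not DE-CIX data.
BLACKHOLED = ["203.0.113.10/32"]
FLOWS = [(0, "203.0.113.10", 50_000_000), (60, "203.0.113.10", 80_000_000),
         (75, "203.0.113.10", 10_000_000), (120, "203.0.113.10", 60_000_000),
         # no flows at all in bucket 180, then the attack resumes
         (240, "203.0.113.10", 40_000_000), (300, "203.0.113.10", 200_000),
         (360, "203.0.113.10", 50_000), (420, "198.51.100.7", 5_000_000)]  # last one ignored

def demo():
    """Stats plus the bucket from which two consecutive quiet minutes (< 1 MB) began."""
    buckets = blackholed_series(FLOWS, BLACKHOLED)["203.0.113.10/32"]
    return stats(buckets), attack_end(buckets, 1_000_000, 2)
```

The single empty bucket at 180 is not reported as the end because attack traffic returns at 240; only the run starting at 300 qualifies, which is when a withdrawal of the blackhole route could be considered.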

Page 16: (no extracted text)

Page 17:

Flow Demultiplexer

[Diagram label: Upstream]

More insight for traffic exchanged:

• Demultiplexer for IPFIX stream based on open source tool Vermont [1]
• Patch for L2-MAC address filtering
• Config-generator and automatization tools
• IPFIX stream for each “Access”

[1] https://www.net.in.tum.de/research/software/#vermont

DE-CIX Beta: Flow-data for Customers

How would you “collect” the IPFIX stream?

- Server behind your router
- System provided by equipment vendor
- …

Page 18:

Thank You for Your attention!

DE-CIX Management GmbH | Lindleystr. 12 | 60314 Frankfurt | Germany

Phone + 49 69 1730 902 0 | [email protected] | www.de-cix.net