Matt Torrisi Customer Success Operations Data Connectors: Is Your Online Security Intelligent?

Upload: marilyn-wilkerson

Post on 08-Jan-2018

DESCRIPTION

SCENARIOS THAT MATTER TO YOU THE INTERNET, IN 60 SECONDS… ish

TRANSCRIPT

Matt Torrisi Customer Success Operations Data Connectors: Is Your Online Security Intelligent?

SCENARIOS THAT MATTER TO YOU

THE INTERNET, IN 60 SECONDS… ish

Application Security. Network Security. Is that the whole picture?

Reachability. Availability. Is that the whole picture?

Scenario 1: Traffic between two floors of the same office building in Singapore takes over 350 ms round trip, traveling via San Jose, California.
Scenario 2: Traffic from Western Europe to the US takes around 70 ms round trip, traveling via Iceland's incumbent provider.
Is either scenario unusual? Source: Dyn

Scenario 1, TYPICAL: NTT won't peer with Tinet in Singapore; Tinet must drag traffic to San Jose to hand it off to NTT, who drags it home again to Singapore.
Scenario 2, UNUSUAL: Iceland's Siminn hijacked routes of major firms for weeks and passed the traffic along. In general, traffic never flows via Iceland (cost, geo).
Is either scenario unusual? Source: Dyn

Scenario 1: Latency for traffic from the American Southwest to a major travel website suddenly doubles, traveling through Atlanta on the way to its destination in Denver.
Scenario 2: Traffic from Montevideo, Uruguay to AWS Brazil takes around 290 ms round trip, traveling through Miami.
Is either scenario unusual? Source: Dyn

Scenario 1, TYPICAL: While adding a data center in Denver to join Atlanta, the same ISP was used, despite only allowing peering in Atlanta. Traffic will still peer there, before being dragged to the new DC in Denver. New Peering provider likely needed.
Scenario 2, VERY TYPICAL: Despite being only 2000 km from São Paulo, traffic on Telstar will pass through Miami, then Dallas(!?), before reaching Brazil. Welcome to South America.

Actually...

Scenario 1: Latencies to Google's public DNS servers increase dramatically from S. America.
Scenario 2: Latencies to a Microsoft network (hosting important domains) decrease momentarily from E. Europe.
Source: Dyn Research
Is either scenario

Scenario 1, UNUSUAL: Google departs Brazil for unexplained reasons. DNS queries answered from California. No route hijacking involved. (See our 10/30 blog post)
Scenario 2, UNUSUAL (MALICIOUS!): Microsoft network (more specific of routed prefix) is hijacked, misdirection limited to immediate vicinity. Not Man-in-the-Middle! Traces terminated at the hijacker.
Source: Dyn
Is either scenario unusual?

THE INTERNET: IT'S NOT THE HIGHWAY IT'S NOT YOUR CIRCULATORY THE INTERNET: IT'S NOT A TELEPHONE THE INTERNET: IT'S A HUMAN THE INTERNET:

1. Submarine Cables Tie Continents Together
Internet exchange points can form around critical landing sites, if local conditions are right.

2. Fiber Networks to IXPs
Connecting landing point and exchange point cities.
Arbitraging differences in Internet pricing.
Creating diversity that can survive local cable breaks.

3. Regional & Local Internet
Internet service providers of all sizes compete to serve consumer interest, interconnecting in small and medium-sized regional hub cities.

4. The Last Mile
Delivery of bits from city-level infrastructure to local offices and consumers.

3,000 OUTAGES/DAY ACROSS THE GLOBAL INTERNET WITH EFFECTS THAT CAN LAST FOR HOURS
Source: Dyn Research

SECURITY AFFECTS YOUR
Source: Dyn Research

500,000 DOMAINS ACROSS 1,500 NETWORKS SERVING 150 CITIES WERE AFFECTED BY ROUTING HIJACKS IN 2014

DNS HIJACKS
Hijacks: Raised when a prefix you Originate is announced by a different Origin AS.
Hijacked Sub-prefix: Raised when you are monitoring a prefix and a more specific prefix within that range is announced by a different Origin.

ANATOMY OF A HIJACK
Normal: YouTube announced through a /22 block.
Pakistan govt attempted to block an offensive video.
Pakistan Telecom implemented this by announcing a more specific /24 prefix.
Propagated globally and redirected all YouTube users to Pakistan Telecom.
Source: Dyn

HIJACK PT. II: GOING NUCLEAR
March 2015: Vega (AS 12883) starts announcing British Telecom prefixes.
Initially, 14 prefixes, later 167 prefixes including the UK's Atomic Weapons Establishment (AWE).
Traceroutes confirm traffic heads into Ukraine through Vega, but still reaches its destination at AWE via BT.
Source: Dyn

WHAT IS BGP?
Routing Protocol: BGP = Border Gateway Protocol
Properties:
ubiquitous: the de facto internet standard
distributed: no centralized coordination
trust-based: routers believe what they learn
gossipy: share information

[Diagram slides: BGP IDENTIFIES; AS PATH & DATA; ALERTING; ACTIVE MANAGEMENT. Diagram labels: Destination X, Dyn Edge, Core.]

Results of an active monitoring of BGP.
Real-time global routing table from over 500 sessions.
160+ sending traceroutes to over 1.5 million targets daily.
6 billion data-points daily.
Line-of-sight to 98% of the entire global Internet.

"It's good to see this great data being exposed for operational purposes. The internet is so critical for almost every business today." Gartner (Jonah Kowall, VP). @mikelsteadman

DYN INTERNET

THROUGH MEASUREMENT, YOU ARE IN

NOTES ON HIJACKS
Real Hijacks are rare.
False positives occur more often.
Usually prefixes with different Originating ASes.
Examples: Salesforce owns ExactTarget; Verisign owns multiple ASes.
Only the Network Operator can really know what they expect. But... Are you sure you know ALL your prefixes and

YOUR MOVE
5 Critical Internet Intelligence Questions
Where is my audience (geography & key ISPs)?
How do ISPs bring my brand to market?
How do we identify external attacks on our brand (domain)?
How do we monitor and analyze the performance of the internet?
Who oversees our ability to watch, control, and optimize our

Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. We have a world-class network and unrivaled, objective intelligence into Internet conditions.

THE GOOD NEWS
The Internet is a service delivery medium, like any other. It can be measured and managed to meet your critical business goals. Dyn delivers the global measurement infrastructure and interactive tools to help your global business succeed and

THANK YOU!
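
The two alert conditions on the hijack-definition slide (same prefix from a different origin AS, and a more specific prefix from a different origin) together with the sibling-AS false positives from the notes on hijacks can be written as a small classifier. This is an added example, not Dyn's code or part of the original slides; the prefixes, AS numbers, and the names `EXPECTED_ORIGINS`, `SIBLING_ASES`, `classify` and `alerts` are constructed for illustration.

```python
import ipaddress

# Constructed monitoring config (not from the slides): benchmarking and
# documentation address space, documentation AS numbers (RFC 5398).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.18.0.0/22"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64497},
}
# Sibling ASes under the same owner: the false-positive source the slides note.
SIBLING_ASES = {64496: {64498}}

def classify(prefix, origin_as, expected=EXPECTED_ORIGINS, siblings=SIBLING_ASES):
    """Return 'ok', 'sibling', 'hijack', 'sub-prefix hijack' or 'unmonitored'."""
    announced = ipaddress.ip_network(prefix)
    # Monitored prefixes that equal or cover the announced one.
    covering = [m for m in expected
                if m.version == announced.version and announced.subnet_of(m)]
    if not covering:
        return "unmonitored"
    monitored = max(covering, key=lambda m: m.prefixlen)  # longest match
    allowed = expected[monitored]
    if origin_as in allowed:
        return "ok"
    if any(origin_as in siblings.get(a, ()) for a in allowed):
        return "sibling"            # related AS: review, do not page
    if announced == monitored:
        return "hijack"             # same prefix, different origin AS
    return "sub-prefix hijack"      # more specific inside a monitored range

def alerts(updates):
    """Classify (prefix, origin_as) pairs and keep those needing attention."""
    results = [(p, asn, classify(p, asn)) for p, asn in updates]
    return [r for r in results if r[2] not in ("ok", "unmonitored")]

# Constructed sample of observed announcements.
SAMPLE_UPDATES = [
    ("198.18.0.0/22", 64496),   # expected origin
    ("198.18.0.0/22", 64500),   # same prefix, foreign origin
    ("198.18.1.0/24", 64500),   # more specific, foreign origin
    ("198.18.2.0/24", 64498),   # more specific from a sibling AS
    ("192.0.2.0/24", 64500),    # not monitored
]

if __name__ == "__main__":
    for prefix, asn, verdict in alerts(SAMPLE_UPDATES):
        print(f"{prefix} origin AS{asn}: {verdict}")
```

The sibling table is what keeps an acquisition or a multi-AS operator from paging as a hijack; only the network operator can populate it correctly.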