NETSEC SIG

Request to Join

Mission

To foster the deployment of inter-AS network security BCPs, coordinated mitigation, and information sharing.

Objectives:

• To encourage the adaption of inter-AS security Best Current Practices (BCPs)
• To facilitate response coordination of inter-AS BGP routing issues and abuse
• To promote inter-AS DDoS traceback and mitigation
• To encourage inter-AS security incident event sharing

SIG topics and areas of interest:

• Route hijacks and leaks
• DDoS
• Traceback and attack source attribution
• DNS and DNSSEC operational issues
• RPKI, ROV, and other burgeoning routing security technologies
• BCPs, tools, and resources such as those from MANRS.org and PeeringDb.com
• Network operator and researcher collaboration

Goals & Deliverables

• Compile a set of inter-AS security BCPs and resources for CSIRTS and network security teams
• Deliver regular inter-AS security workshops or tutorials at FIRST events
• Provide a Slack channel and mailing list to faciltate inter-AS security discussions
• Disseminate technical briefs on inter-AS security involving the shared fate of subsystems such as DNS, Routing, Email and others through regular SIG meetings and FIRST blog posts
• Explore extending the FIRST teams directory to publish ASN, MANRS status, and PeeringDB link as applicable
• Promote the SIG to qualified external parties and individuals already members of FIRST

Chairs

• John Kristoff
• Hendrik Adrian
• Carlos Friacas
• Aaron Kaplan
• Merike Kaeo

Meetings

• Annual meetings to coincide with the FIRST conference
• Bi-weekly Zoom meetings

Glossary

• AS - Autonomous System
• BCP - Best Common Practice
• BGP - Border Gateway Protocol
• DDoS - Distributed Denial of Service
• MANRS - Mutually Agreed Norms for Routing Security

Additional considerations

Intended audience

• inter-AS router and network operators
• inter-AS DNS service providers
• inter-AS security researchers
• CSIRT inter-AS security members

Participation Requirements

• This is an individual-only approved SIG, no teams nor aliases
• Inter-AS security responsibility or influence
• Individual email addresses must remain active and be periodically tested

Roadmap

• Phase 1 - DONE:Group formation
• Phase 2 - DONE:inter-AS security documentation and resource compilation
• Phase 3 - Expand operational capacity and services

References

Resource Public Key Infrastructure (RPKI)

• https://rpki.readthedocs.io/

RPKI Online Tools

• https://console.rpki-client.org
• https://rpki-validator.ripe.net/ui/
• https://rpki.cloudflare.com/?view=validator
• https://rpki-monitor.antd.nist.gov/

RIR Pages about RPKI

• https://www.arin.net/resources/manage/rpki/
• https://www.ripe.net/manage-ips-and-asns/resource-management/rpki
• https://www.apnic.net/rpki-at-apnic/
• https://afrinic.net/resource-certification/
• https://www.apnic.net/rpki-at-apnic/

Mutually Agreed Norms for Routing Security (MANRS)

• https://www.manrs.org/
• https://observatory.manrs.org/#/overview

Best Current Practice Documents

• BCP38:https://www.rfc-editor.org/rfc/pdfrfc/rfc2827.txt.pdf
• BCP194:https://www.rfc-editor.org/rfc/pdfrfc/rfc7454.txt.pdf

Validation Software

• Routinator:https://github.com/NLnetLabs/routinator
• FORT-validator:https://github.com/NICMx/FORT-validator
• rpki-client:https://github.com/rpki-client/rpki-client-portable

BGP Route Hijacking

• https://bgpstream.crosswork.cisco.com/
• https://www.thousandeyes.com/learning/glossary/bgp-route-hijacking
• https://www.internetsociety.org/blog/2018/05/what-is-bgp-hijacking-anyway/
• https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/
• https://radar.cloudflare.com/security-and-attacks

DNS

• SSAC Report on an Interoperable Approach to Addressing Abuse Handling in the DNS:https://www.icann.org/en/system/files/files/sac-115-en.pdf
• DNS Abuse Techniques Matrix:https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf

Other

• The Interconnection Database:https://www.peeringdb.com
• BGPAlerter:https://github.com/nttgin/BGPalerter
• ARTEMIS:https://github.com/FORTH-ICS-INSPIRE/artemis
• The Spamhaus Don't Route Or Peer Lists:https://www.spamhaus.org/drop/
• Is BGP Safe Yet?:https://isbgpsafeyet.com/

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Cybersecurity Communications SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Implementation Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Implementation Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Detection Engineering & Threat Hunting SIG
    • Digital Safety SIG
    • DNS Abuse SIG
      • Stakeholder Advice
        • Detection
          • Cache Poisoning
          • Creation of Malicious Subdomains Under Dynamic DNS Providers
          • DGA Domains
          • DNS As a Vector for DoS
          • DNS Beacons - C2 Communication
          • DNS Rebinding
          • DNS Server Compromise
          • DNS Tunneling
          • DoS Against the DNS
          • Domain Name Compromise
          • Dynamic DNS (as obfuscation technique)
          • Fast Flux (as obfuscation technique)
          • Infiltration and exfiltration via the DNS
          • Lame Delegations
          • Local Resolver Hijacking
          • Malicious registration of (effective) second level domains
          • On-path DNS Attack
          • Stub Resolver Hijacking
          • Spoofing of a Registered Domain
          • Spoofing of Unregistered Domains
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Public Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Security Lounge SIG
    • Security Operations Center SIG
    • Standards SIG
    • Strategic Thinking and Planning SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Time SIG
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • CCB Initiatives
  • FIRST CORE
    • Sponsorship Opportunities
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
  • Member Spotlight
  • Previous Activities
    • Best Practices Contest