Dive into the world of Border Gateway Protocol (BGP)—the backbone of the Internet—and explore everything from BGP zombies to BGP monitoring best practices. Tune in for this special conversation with Lefteris Manassakis and The Internet Report team.

A seasoned researcher and network engineer, Lefteris Manassakis co-founded Code BGP, which is now part of Cisco ThousandEyes. He currently serves as a Software Engineering Technical Leader at ThousandEyes, focusing on BGP monitoring. To learn more, follow Lefteris on LinkedIn (https://www.linkedin.com/in/manassakis/) or visit his website (https://manassakis.net/).

———
CHAPTERS
00:00 Intro
01:11 What Is BGP?
07:05 May 2023 Incident
17:16 Challenges of BGP Monitoring
19:16 BGP Zombies
33:45 Get in Touch

———
For additional BGP insights, check out these links:
- Monitoring Root DNS Prefixes: https://www.thousandeyes.com/blog/monitoring-root-dns-prefixes?utm_source=soundcloud&utm_medium=referral&utm_campaign=fy26q1_internetreport_q1fy26ep3_podcast
- BGP Zombies Show Up Regularly: https://www.thousandeyes.com/blog/bgp-zombies-show-up-regularly?utm_source=soundcloud&utm_medium=referral&utm_campaign=fy26q1_internetreport_q1fy26ep3_podcast
- Monitor BGP Routes to and From Your Network: https://www.thousandeyes.com/solutions/bgp-and-route-monitoring?utm_source=soundcloud&utm_medium=referral&utm_campaign=fy26q1_internetreport_q1fy26ep3_podcast

———
Want to get in touch? If you have questions, feedback, or guests you would like to see featured on the show, send us a note at InternetReport@thousandeyes.com. Or follow us on LinkedIn or X.

———
ABOUT THE INTERNET REPORT
This is The Internet Report, a podcast uncovering what's working and what's breaking on the Internet—and why. Tune in to hear ThousandEyes' Internet experts dig into some of the most interesting outage events from the past couple weeks, discussing what went awry—was it the Internet, or an application issue? Plus, learn about the latest trends in ISP outages, cloud network outages, collaboration network outages, and more.

Catch all the episodes on YouTube or your favorite podcast platform:
- Apple Podcasts: https://podcasts.apple.com/us/podcast/the-internet-report/id1506984526
- Spotify: https://open.spotify.com/show/5ADFvqAtgsbYwk4JiZFqHQ?si=00e9c4b53aff4d08&nd=1&dlsi=eab65c9ea39d4773
- SoundCloud: https://soundcloud.com/ciscopodcastnetwork/sets/the-internet-report
What do the Internet and a cafeteria napkin have in common? Border Gateway Protocol, or simply BGP, is the protocol that has kept the Internet afloat for more than 30 years. In this episode we find out how it came about, how it decides where to carry cat videos, and what can go wrong if you make just one mistake in its configuration.

Sources:
- https://blog.apnic.net/2019/06/10/happy-birthday-bgp - article on the blog of the APNIC registry on the occasion of BGP's 30th birthday
- https://datatracker.ietf.org/doc/html/rfc827 - the RFC for the EGP protocol
- https://datatracker.ietf.org/doc/html/rfc1105 - the RFC for BGP-1
- https://www.rfc-editor.org/info/rfc7908 - RFC describing and classifying the problem of route leaks in BGP
- https://datatracker.ietf.org/doc/html/rfc1366 - RFC proposing the creation of regional IP network registries
- https://www.rfc-editor.org/rfc/rfc1519 - RFC describing Classless Inter-Domain Routing (CIDR)
- https://www.ietf.org/proceedings/12.pdf - proceedings of the 12th IETF meeting, the very one at which BGP was born during the lunch break
- https://www.ietf.org/proceedings/13.pdf - proceedings of the 13th IETF meeting, at which BGP was already being discussed in full swing
- https://datatracker.ietf.org/wg/bgp/about/ - the IETF BGP working group, which worked on the early versions of BGP
- https://datatracker.ietf.org/wg/idr/about/ - the IETF working group that continued BGP development from version 4 onwards
- https://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2 - Washington Post article on Internet security problems in the context of BGP
- https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m12/cisco-employee-no-4-looks-back-and-forward.html - interview with Kirk Lougheed of Cisco
- https://computerhistory.org/blog/the-two-napkin-protocol/ - a piece from the Computer History Museum
- https://www.rfc-editor.org/rfc-index2.html - the list of all RFCs, where the keyword "BGP" currently returns as many as 201 matches!
- https://habr.com/ru/companies/rt-dc/articles/532292/ - article on Habr explaining what RPKI is in BGP
- https://rpki-monitor.antd.nist.gov/ROV - monitoring of the percentage of RPKI deployment in BGP
- https://linkmeup.ru/blog/713/ - article about the biggest BGP outages
- https://lists.ucc.gu.uwa.edu.au/pipermail/lore/2006-August/000040.html - the AS7007 incident
- https://web.archive.org/web/20040314224307/http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html - a post with an apology from a representative of the upstream provider whose customer AS7007 was
- https://web.archive.org/web/20040803141940/http://www.merit.edu/mail.archives/nanog/1997-04/msg00340.html - thread discussing the AS7007 incident "in the moment", dated 25 April 1997
- https://habr.com/ru/companies/flant/articles/581560/ - the Facebook* unavailability incident

* The organization Meta, as well as its product Facebook, are recognized as extremist in the territory of the Russian Federation
Firstly, the episode highlights the high demand for virtual CISO services among small to medium-sized businesses, emphasizing the gap between demand and supply. The rising need for virtual CISO services is attributed to regulatory compliance, increasing cyber attacks, and a shortage of cybersecurity skills. Service providers offering virtual CISO services report improved margins and revenue, indicating a significant growth opportunity in the market.

Secondly, the episode covers the adoption of generative AI by small businesses. Despite concerns about job security and data privacy, employees recognize the productivity advantages of generative AI. To encourage adoption, small business owners are advised to centralize data management, integrate generative AI into operations, and emphasize its role in enhancing productivity. The episode stresses the importance of addressing customer pain points and customizing services accordingly, rather than focusing on buzzwords.

The podcast also delves into government initiatives to enhance Internet routing security, particularly targeting vulnerabilities in the Border Gateway Protocol (BGP). The White House has published a roadmap promoting the adoption of Resource Public Key Infrastructure (RPKI) to mitigate security risks associated with BGP. Additionally, a congressional hearing is scheduled to address the global CrowdStrike outage caused by a faulty security update, highlighting the importance of cyber hygiene and supply chain security.

Lastly, the episode discusses strategic moves in the tech industry, including Verizon's acquisition of Frontier Communications to expand its fiber network, ScalePad's founder returning as CEO to focus on product integration, and the success of Fleet, a bootstrapped laptop leasing startup. The episode emphasizes the trend of consolidation in the managed services industry driven by private equity firms, the shift towards local processing of large language models, and the increasing adoption of AI services by MSPs. Overall, the episode provides insights into key developments shaping the tech landscape.

Four things to know today
00:00 Cynomi Report Reveals High Demand for vCISO Services, but Few Providers Offer Solutions to SMBs
03:31 Congress to Hold Hearing on CrowdStrike Outage, Scrutinizing Cybersecurity Practices and Supply Chain Security
04:43 ScalePad Founder Chris Day Returns as CEO, Shifts Focus to Product Integration and Doubling Subscription Revenue
07:01 Private Equity Rollups Dominate MSP M&A Market, Driving Need for Standardization and Operational Integration

Supported by: https://www.huntress.com/mspradio/
Pulseway Event: https://www.pulseway.com/v2/land/webinar-nexus-msp?rfid=vendor/?partnerref=vendor
All our Sponsors: https://businessof.tech/sponsors/

Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Support the show on Patreon: https://patreon.com/mspradio/
Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com

Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessoftech.bsky.social
Ready to conquer the CISSP exam? This episode promises to arm you with crucial insights into the OSI model and its real-world applications. We kick things off by unraveling the intricacies of VPN tunnels and the pivotal role the data link layer plays in encapsulating data packets for secure internet travel. Next, you'll grasp how a significant Border Gateway Protocol (BGP) security breach zeroes in on the network layer. We then dissect the limitations of firewalls at the transport layer, ensuring you understand which types of traffic remain beyond their reach.

Switching gears, we tackle the security hurdles of converged networks and VLAN segmentation. Discover why adaptive security measures are essential in environments where voice and data traffic coexist and how misconfigurations can open doors to unauthorized access. We also highlight the havoc DDoS attacks wreak across multiple OSI layers and the vulnerabilities of VoIP over wireless LAN. By the end, you'll appreciate the necessity of detecting IP spoofing at the network layer and how VLANs bolster security through tailored policies and isolated broadcast domains. Join us as we not only aim to boost your CISSP readiness but also ignite your passion for a thriving career in cybersecurity.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
Multi-perspective Domain Validation (MPDV) is a necessary evolution of Domain Control Validation (DCV) to protect against Border Gateway Protocol (BGP) attacks. We explore how MPDV may affect accepted DCV methods, especially the email method.
In this episode we explain Border Gateway Protocol (BGP) attacks and how multi-perspective domain validation (MPDV, also known as multi-vantage point domain validation) can defeat them.
Blog: https://medium.com/asecuritysite-when-bob-met-alice/one-of-the-greatest-protocols-and-one-of-the-greatest-weaknesses-of-the-internet-meet-the-d8201a1e6e80

So the Internet isn't the large-scale distributed network that DARPA tried to create, and which could withstand a nuclear strike on any part of it. At its core is a centralised infrastructure of routing devices and of centralised Internet services. The protocols it uses are basically just the ones that were drafted when we connected to mainframe computers from dumb terminals. Overall, though, a single glitch in its core infrastructure can bring the whole thing crashing to the floor. And then if you can't get connected to the network, you will often struggle to fix it. It is a bit like trying to fix your car when you have locked yourself out and don't have the key to get in.

As BGP still provides a good part of the core of the Internet, any problems with it can cause large-scale outages. Recently Facebook took themselves off the Internet due to a BGP configuration error, and there have been multiple times when Internet traffic has been “tricked” into taking routes through countries which do not have a good track record for privacy.

BGP, which does the core of routing on the Internet, works by defining autonomous systems (AS). The ASs are identified with an ASN (Autonomous System Number) and keep routing tables which allow the ASs to pass data packets between themselves, and thus route between them. Thus the Facebook AS can advertise to other ASs that it exists and that packets can be routed to it. When the Facebook outage happened, the Facebook AS failed to advertise its presence. Each AS then defines the network ranges that it can reach. Facebook's ASN is AS32935 and covers around 270,000 IP address ranges.

What is BGP?

The two main interdomain routing protocols in recent history are EGP (Exterior Gateway Protocol) and BGP (Border Gateway Protocol). EGP suffers from several limitations, and its principal one is that it treats the Internet as a tree-like structure, as illustrated in Figure 1. This assumes that the structure of the Internet is made up of parents and children, with a single backbone. A more typical topology for the Internet is illustrated in Figure 2. BGP is now one of the most widely accepted exterior routing protocols, and has largely replaced EGP.

Figure 1: Single backbone — Tree-like topology
Figure 2: Multiple backbones

BGP is an improvement on EGP (the fourth version of BGP is known as BGP-4), and is defined in RFC1772. Unfortunately it is more complex than EGP, but not as complex as OSPF. BGP assumes that the Internet is made up of an arbitrarily interconnected set of nodes. It then assumes the Internet connects to a number of AANs (autonomously attached networks), as illustrated in Figure 3, which create boundaries around organizations, Internet service providers, and so on. It then assumes that, once they are in the AAN, the packets will be properly routed.

Figure 3: Autonomously attached networks

Most routing algorithms try to find the quickest way through the network, whereas BGP tries to find any path through the network. Thus, the main goal is reachability instead of the number of hops to the destination. So finding a path which is nearly optimal is a good achievement. The AAN administrator selects at least one node to be a BGP speaker and also one or more border gateways. These gateways simply route the packet into and out of the AAN. The border gateways are the routers through which packets reach the AAN. The speaker on the AAN broadcasts its reachability information to all the networks within its AAN. This information states only whether a destination AAN can be reached; it does not describe any other metrics. An important point is that BGP is not a distance-vector or link state protocol because it transmits complete routing information instead of partial information.
The BGP update packet also contains information on routes which cannot be reached (withdrawn routes), and the content of the BGP-4 update packet is:

- Unfeasible routes length (2 bytes).
- Withdrawn routes (variable length).
- Total path attribute length (2 bytes).
- Path attributes (variable length).
- Network layer reachability information (variable length). This can contain extra information, such as ‘use AAN 1 in preference to AAN 2'.

Routers within an AS share similar routing policies, and thus operate as a single administrative unit. All the routers outside the AS treat the AS as a single unit. The AS identification number is assigned by the Internet Assigned Numbers Authority (IANA) in the range of 1 to 65,535, where 64,512 to 65,535 are reserved for private use. The private numbers are only used within a private domain, and must be translated to registered numbers when leaving the domain.

BGP and routing loops

BGP uses TCP segments on port 179 to send routing information (whereas RIP uses port 520). BGP overcomes routing loops by constructing a graph of autonomous systems, based on the information provided by exchanging information between neighbors. It can thus build up a wider picture of the entire set of interconnected ASs. A keep-alive message is sent between neighbours, which allows the graph to be kept up-to-date.

Single-homed systems

ASs which have only one exit point are defined as single-homed systems, and are often referred to as stub networks. These stubs can use a default route to handle all the network traffic destined for non-local networks. There are three methods that an AS can use so that the outside world can learn the addresses within the AS:

- Static configuration. For this, an Internet access provider could list the customer's networks as static entries within its own router. These would then be advertised to other routers connected to its Internet core. This approach could also be used with a CIDR approach which aggregates the routes.
- Use an Interior Gateway Protocol (IGP) on the link. For this, an Internet access provider could run an IGP on the single connection, which can then be used to advertise the connected networks. This method allows for a more dynamic approach than static configuration. A typical IGP is OSPF.
- Use an Exterior Gateway Protocol (EGP) on the link. An EGP can be used to advertise the networks. If the connected AS does not have a registered AS number, the Internet access provider can assign it one from a private pool of AS numbers (64,512 to 65,535), and then strip off the numbers when advertising the AS to the core of the Internet.

Multihomed system

A multi-homed system has more than one exit point from the AS. As it has more than one exit point, it could support the routing of data across the exit points. A system which does not support the routing of traffic through the AS is named a non-transit AS. A non-transit AS will thus only advertise its own routes to the Internet access providers, as it does not want any routing through it. One Internet provider could force traffic through the AS if it knows that routing through the AS is possible. To overcome this, the AS would set up filtering to stop any of this routed traffic.

Multi-homed transit systems have more than one connection to an Internet access provider, and also allow traffic to be routed through them. They route this traffic by running BGP internally so that multiple border routers in the same AS can share BGP information. Along with this, routers can forward BGP information from one border router to another. BGP running inside the AS is named Internal BGP (IBGP), while it is known as External BGP (EBGP) if it is running outside ASs. The routers which define the boundary between the AS and the Internet access provider are known as border routers, while routers running internal BGP are known as transit routers.
BGP specification

Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol (exterior routing protocol), which builds on EGP. The main function of a BGP-based system is to communicate network reachability information with other BGP systems. Initially two systems exchange messages to open and confirm the connection parameters, and then transmit the entire BGP routing table. After this, incremental updates are sent as the routing tables change.

Each message has a fixed-size header and may or may not be followed by a data portion. The fields are:

- Marker. Contains a value that the receiver of the message can predict. It can be used to detect a loss of synchronization between a pair of BGP peers, and to authenticate incoming BGP messages. 16 bytes.
- Length. Indicates the total length, in bytes, of the message, including the header. It must always be greater than 18 and no greater than 4096. 2 bytes.
- Type. Indicates the type of message, such as 1 — OPEN, 2 — UPDATE, 3 — NOTIFICATION and 4 — KEEPALIVE.

OPEN message

The OPEN message is the first message sent after a connection has been made. A KEEPALIVE message is sent back confirming the OPEN message. After this the UPDATE, KEEPALIVE, and NOTIFICATION messages can be exchanged. Figure 4 shows the extra information added to the fixed-size BGP header. It has the following fields:

- Version. Indicates the protocol version number of the message. Typical values are 2, 3 or 4. 1 byte.
- My Autonomous System. Identifies the sender's Autonomous System number. 2 bytes.
- Hold Time. Indicates the maximum number of seconds that can elapse between the receipt of successive KEEPALIVE and/or UPDATE and/or NOTIFICATION messages. 2 bytes.
- Authentication Code. Indicates the authentication mechanism being used. This should define the form and meaning of the Authentication Data and the algorithm for computing values of Marker fields.
- Authentication Data. A variable-length field whose form and meaning depend on the Authentication Code.

Figure 4: BGP message header and BGP OPEN message data

BGP configuration

BGP configuration commands are similar to those used for RIP (Routing Internet Protocol). To configure the router to support BGP the following commands are used:

    RouterA# config t
    RouterA(config)# router bgp AS-number

With IGPs, such as RIP, the network command defines the networks on which routing table updates are sent. For BGP a different approach is used to define the relationship between networks. This is:

    RouterA# config t
    RouterA(config)# router bgp AS-number
    RouterA(config-router)# network network-number [mask network-mask]

where the network command defines where to advertise the locally learnt networks. These networks could have been learnt from other protocols, such as RIP. An optional mask can be used with the network command to specify individual subnets. With the BGP protocol, neighbors must establish a relationship; for this the following is used:

    RouterA# config t
    RouterA(config)# router bgp AS-number
    RouterA(config-router)# network network-number [mask network-mask]
    RouterA(config-router)# neighbor ip-address remote-as AS-number

which defines the IP address of a connected BGP-based router, along with its AS number.

Conclusions

At its core, the Internet is not a decentralised infrastructure. It is fragile and open to human error and adversarial attacks. Too much of our time is spent on making our services work and very little on making them robust. We need to spend more time looking at scenarios and how to mitigate them. Previously it was Facebook taking themselves offline; the next time it could be a nation-state bringing down a whole country … and that is likely to have a devastating effect.

Now … I have set up more Cisco challenges for BGP for you, so go and learn more about BGP configuration here: https://asecuritysite.com/cisco/bgp
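The fixed header and the BGP-4 UPDATE layout listed in the description above, turned into a defensive parser of the kind a route monitor needs before trusting a message (an added example, not code from the original post). It assumes an unauthenticated session where the Marker is all ones, a 1-byte Type field, and the standard BGP-4 encoding of each IPv4 route as a length-in-bits byte followed by the prefix bytes; the function names and the sample message are constructed for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 19        # Marker (16) + Length (2) + Type (1)
MAX_LEN = 4096         # upper bound on Length given in the text
MARKER = b"\xff" * 16  # assumption: unauthenticated session, all-ones marker
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


class BGPParseError(ValueError):
    """Raised when a message violates the layout described above."""


def parse_header(data):
    """Validate the fixed-size header; return (type name, message body)."""
    if len(data) < HEADER_LEN:
        raise BGPParseError("truncated header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:HEADER_LEN])
    if marker != MARKER:
        raise BGPParseError("unexpected marker, peers may be out of sync")
    if not HEADER_LEN <= length <= MAX_LEN:
        raise BGPParseError(f"length {length} outside 19..4096")
    if length > len(data):
        raise BGPParseError("length field exceeds bytes received")
    if msg_type not in TYPES:
        raise BGPParseError(f"unknown message type {msg_type}")
    return TYPES[msg_type], data[HEADER_LEN:length]


def parse_prefixes(buf):
    """Decode consecutive (length-in-bits, prefix bytes) IPv4 entries."""
    prefixes, i = [], 0
    while i < len(buf):
        bits = buf[i]
        nbytes = (bits + 7) // 8
        if bits > 32 or i + 1 + nbytes > len(buf):
            raise BGPParseError("malformed prefix entry")
        packed = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        addr = ipaddress.IPv4Address(packed)
        prefixes.append(ipaddress.IPv4Network(f"{addr}/{bits}", strict=False))
        i += 1 + nbytes
    return prefixes


def parse_update(body):
    """Split an UPDATE body into withdrawn routes, attributes and NLRI."""
    if len(body) < 4:
        raise BGPParseError("UPDATE shorter than its two length fields")
    (wd_len,) = struct.unpack_from("!H", body, 0)
    if 2 + wd_len + 2 > len(body):
        raise BGPParseError("withdrawn routes length overruns the message")
    (attr_len,) = struct.unpack_from("!H", body, 2 + wd_len)
    attr_start = 4 + wd_len
    if attr_start + attr_len > len(body):
        raise BGPParseError("path attribute length overruns the message")
    return {
        "withdrawn": parse_prefixes(body[2:2 + wd_len]),
        # Path attributes are kept as opaque bytes in this example.
        "path_attributes": body[attr_start:attr_start + attr_len],
        "announced": parse_prefixes(body[attr_start + attr_len:]),
    }


def inspect(data):
    """Parse one framed message; UPDATEs are decoded, others only typed."""
    kind, body = parse_header(data)
    return (kind, parse_update(body)) if kind == "UPDATE" else (kind, None)


def build_message(msg_type, body):
    """Helper used only to construct sample messages for this example."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


# Constructed sample: withdraw 192.0.2.0/24, announce two documentation
# prefixes with ORIGIN, AS_PATH (private AS 64512) and NEXT_HOP attributes.
_WITHDRAWN = bytes.fromhex("18c00002")
_ATTRS = bytes.fromhex("40010100" "4002040201fc00" "400304c0000201")
_NLRI = bytes.fromhex("18c63364" "19cb007180")
SAMPLE_UPDATE = build_message(
    2,
    struct.pack("!H", len(_WITHDRAWN)) + _WITHDRAWN
    + struct.pack("!H", len(_ATTRS)) + _ATTRS + _NLRI,
)

if __name__ == "__main__":
    kind, update = inspect(SAMPLE_UPDATE)
    print(kind)
    print("withdrawn:", [str(p) for p in update["withdrawn"]])
    print("announced:", [str(p) for p in update["announced"]])
```

Every length field is checked against the bytes actually present before it is used as an offset, so a peer that lies about a length produces a `BGPParseError` instead of a misparsed route.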
In episode 70 of The Cyber5, we are joined by Open Source Context Director of Operations, Donald McCarthy. We discuss external telemetry available to the private sector, focusing on passive domain name systems or passive DNS, and Border Gateway Protocol or BGP. These data sets are critical for threat intelligence teams, as they often provide crucial information on attacker infrastructure for the SOC. Still, they also help solve problems and provide context on a much broader scale.

Three Key Takeaways:

1) What is Passive DNS and how is it collected?
To simplify, passive DNS is a way of storing DNS resolution data so that security teams can reference past DNS record values to uncover potential security incidents or discover malicious infrastructures. Passive DNS is the historical phone book of the internet. Practitioners can collect it by:
- Collecting on the resolver: Have access and enable logging on the resolver, often termed “T-ing the Resolver.” The client-side of the DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. DNS resolvers classify data using various query methods, such as recursive, non-recursive, and iterative.
- Listening on the wire: DNS is port 53 UDP unencrypted, and many security teams put a sensor like Bro, Onion, Snort, or Suricata that can collect and then parse the data.

2) What is Border Gateway Protocol (BGP)?
BGP is designed to exchange routing and reachability information between autonomous systems on the Internet and is often complementary to passive DNS. If PDNS is the historical phone book of the internet, Border Gateway Protocol (BGP) is the postal service of the Internet. BGP is the protocol that makes the Internet work by enabling data routing. For example, when a user in Thailand loads a website with origin servers in Brazil, BGP is the protocol that allows that communication to happen quickly and efficiently, usually through autonomous systems (ASes). ASes typically belong to Internet service providers (ISPs) or other large organizations, such as tech companies, universities, government agencies, and scientific institutions. Much of this information can be commercially collected and available.

3) Use Cases for PDNS and BGP in the SOC:
- Identifying attacker or botnet infrastructure.
- Identifying all internet-facing infrastructure in business use.
- Identifying tactics, techniques, and procedures of attackers.

4) Use Cases for PDNS and BGP outside of the SOC:
- Verify internet-facing applications and infrastructure for merger, acquisition, and compromise items for M&A.
- Verify internet-facing applications, infrastructure, and compromise for suppliers.
- Review staging infrastructure of competitors to scan product launches.
- Investigate threatening emails to executives.
- Investigate disinformation websites and infrastructure.

5) Enrichment is King and Does Not Need to Be Resource Intensive
If security teams are not engaging with the business to solve problems that risk revenue generation, data sets like PDNS or BGP do not matter. For example, if an organization does not control DNS at their borders, they will lose a lot of visibility to reduce risk and potentially give away proprietary information.
Between Frances Haugen's testimony, a meta outage of Facebook properties including Facebook.com, Instagram, and WhatsApp, and a $7 billion drop in Mark Zuckerberg's personal wealth in a matter of hours, it's safe to say that Facebook has been having a terrible, horrible, no good, very bad time of it. There have even been rumors that Facebook's "work from home" policy is being rescinded; though, such claims have been denied by the company. Today, the crew talks about everything that's going on in the Facebook universe. And, Tim shares his own harrowing experience with Border Gateway Protocol (BGP) catastrophes and why Facebook's networking woes were a little too triggering for his own comfort.

Notes & Links
- Gone in Minutes, Out for Hours: Outage Shakes Facebook
- Here are 4 key points from the Facebook whistleblower's testimony on Capitol Hill
- Zuckerberg loses $7 billion over Facebook outage; Telegram, Signal gain
- Facebook denies end to 'WFH forever' rule in wake of mega outage
- DNS - Domain Name System
- BGP - Border Gateway Protocol
- DynDNS

Follow the show! Our website is workingcode.dev and we're @WorkingCodePod on Twitter and Instagram. Or, leave us a message at (512) 253-2633 (that's 512-253-CODE). New episodes drop weekly on Wednesday.

And, if you're feeling the love, support us on Patreon.

With audio editing and engineering by ZCross Media.
A Border Gateway Protocol (BGP) misconfiguration is what took out Facebook on 4 October. Most IT folks don't understand how BGP works. This episode helps you gain a better understanding of the protocol that creates routing tables to move information from one end of the Internet to the other. We'll explain how Autonomous Systems (AS) share BGP route information, what should happen when things go right, and then examine what likely went wrong at Facebook and how you might be able to prepare for potential problems in advance before they occur.
School of Marketing for Small & Medium Businesses by Branding by Pixels
Facebook, Instagram, WhatsApp NOT WORKING?
#sirishavarma #brandingbypixels #facebookoutage #instagramoutage #facebooknotworking #whatsapp #whatsappnotworking

Notes:
1. Websites & Apps like Facebook, Instagram and Whatsapp use "Border Gateway Protocol (BGP)" for quicker logins
2. According to Facebook's message the outage was due to some code being applied to BGP to make the process more efficient
3. Other sources blame Chinese Hacker for the outage
4. Facebook lost $6 Billion due to the 6 hr outage in ad revenues
5. Facebook stock lost 5% due to outage

Subscribe to my Youtube Channel - https://www.youtube.com/channel/UCNS8Qp9JskXUofeyIiOEa6A
Subscribe to my Youtube Telugu Channel - https://www.youtube.com/channel/UCxDOpn6H3fOtUm0Nzy4OLQQ
#brandingbypixels #sirishavarma #digitalmarketingagencyindia #digitalmarketingagencyhyderabad
Visit our website here: http://brandingbypixels.com/digital-marketing-services/

Some of our success stories at our company include:
1. Ranking our preschool client consistently in the first page of google within 3 months without spending a single rupee on ads
2. Increasing the admission rates in a preschool from 20% to 70% by our SEO & Social Media Marketing Strategies
3. Achieve an ROI of 1600% for our E-commerce client.
4. Consistently ranking our clients in the first page of Google only with organic SEO
5. Increase page likes, shares & engagement by 500% for our restaurant client on Facebook.
6. Increasing revenues of our client selling on amazon by 3X times.

I am Sirisha Varma, Founder, Chief Strategist at Branding by Pixels a Business Strategy Design and Digital Marketing company from India. I record podcasts thrice a week:
Tuesday - Marketing / Digital Marketing Topic
Thursday - Business Case Study
Saturday - Motivation/Personal Finance/Book Review etc.
Reach out to me for any business strategy and digital marketing questions at sirisha@brandingbypixels.com YouTube link - https://www.youtube.com/channel/UCNS8Qp9JskXUofeyIiOEa6A Website link - http://brandingbypixels.com/digital-marketing-services/ My E-book "17 Business Rules for Dummies" on amazon.com - https://amzn.to/3mcU4BZ My E-book "17 Business Rules for Dummies" on amazon.in - https://amzn.to/374Ii8n Happy Marketing!
In this episode of AWS TechChat, Shane and Pete perform a tech roundup from May through to June of 2020. Direct Connect testing is now available: you can now use the Resiliency Toolkit to test the resiliency of your Direct Connect connections. The failover testing feature enables customers to test resiliency by disabling one or more Border Gateway Protocol (BGP) sessions using the AWS Management Console, Command Line Interface, or AWS Direct Connect API. Shield Advanced now allows proactive engagement from the DDoS Response Team (DRT) when a DDoS event is detected. When you turn on proactive engagement, the DRT will directly contact you if an Amazon Route 53 health check associated with your protected resource becomes unhealthy during an event that's detected by Shield Advanced. Amazon Redshift now delivers better cold query performance by significantly improving compilation times. Amazon Aurora PostgreSQL Global Database supports managed Recovery Point Objective (RPO). Tighten S3 permissions for your IAM users and roles using access history of S3 actions. Amazon MSK now supports Apache Kafka version upgrades. We spoke about the AWS Transfer Family, and you can now use the source IP as an additional factor of authentication. A raft of EC2 updates, including the availability of the Graviton 2 based instances. Finally, Amazon FSx for Windows File Server now enables you to grow storage and to scale performance on your file systems.
Man looks at the Internet blackouts sweeping India and the world. How governments are throttling internet speeds. Voicemails to 313-MAN-0231. Network disruptions, network shutdowns, Internet shutdowns, or blackouts of digital channels, particularly social media, mobile comm (WhatsApp, Voice over Internet Protocol [VoIP] services). The emergence of Internet refugees or digital refugees. Throttling, Border Gateway Protocol (BGP), autonomous systems (AS), packet dropping, IP blocking, DNS filtering and redirection, URL filtering, or any combination.
The post Border Gateway Protocol – BGP first appeared on Tesorion.
Josh Aas, the co-founder of the non-profit Internet Security Research Group (ISRG), is interviewed by Craig Ingram, a Runtime Engineer at Heroku. Amongst other outreach programs, ISRG is in charge of developing Let's Encrypt, which is a Certificate Authority (CA) designed to provide free TLS/SSL certificates to any website on the web. While starting ISRG in 2013, Josh noted that only about a third of websites on the Internet were secured by HTTPS. He discovered that not only was the price of acquiring a certificate a barrier to entry, but the technical requirements for applying a certificate were also cumbersome. Let's Encrypt began as a way to simplify the application of a TLS/SSL certificate for any website. Founding a CA was no easy task. To begin with, a brand new CA is "untrusted," and it takes up to a decade for every company and Internet-ready device in the world to accept your validity. In 2015, Let's Encrypt partnered with another CA called IdenTrust by having them cross-sign certificates. This allows Let's Encrypt to operate and provide certs while making progress towards becoming a fully independent CA. Over the years, there have been several trade-offs between Let's Encrypt's original goals and features that users have requested. Although ISRG would like to limit the technical scope of what Let's Encrypt offers to keep the process simple, they have worked through feedback to ensure that they meet a majority of their users' needs. Although HTTPS certainly helps secure communication between a user and a website, there are still more layers of the Internet which require protection. One of these is the Border Gateway Protocol (BGP), which is exposed to hijacking. The team is working on mitigations to make these sorts of attacks impractical. Links from this episode: Let's Encrypt is a free, automated, and open Certificate Authority with the goal of creating a 100% encrypted Web.
The Border Gateway Protocol is, in Josh's opinion, another major component of the Internet which requires stronger security.
Episode 149: A giant outage hit the servers of the American giant Facebook this Wednesday, 13 March 2019, and a large share of its roughly 2.3 billion subscribers were affected. The outage began on Facebook at around 5 p.m. and then Instagram, WhatsApp, Messenger... We explain it all! Facebook and Instagram are "down", or nearly so. Logging in to the social network, accessing the news feed, and certain functions for posting on your wall are unavailable. According to the site Downdetector, several thousand outage reports have been logged. There were nearly 10,000 per minute between 5 and 7 p.m. ##The biggest outage in the history of social networks.## 14 hours in a row! ##The entire Facebook infrastructure affected:## Facebook, Instagram, WhatsApp, Messenger. Impossible to post. Impossible to create an ad. Impossible to log in to the platforms. Even Oculus, the augmented reality platform created by Facebook, was down. ##Panic among community managers and influencers## But how are we supposed to publish?!?!? ##And when things go wrong, we turn to Twitter## #Facebookdown as a trending topic. "Hey Facebook engineers, have you tried unplugging the servers and plugging them back in after waiting 10 seconds? #FacebookDown" Even FB was forced to use its competitor to communicate about the outage. ##Huge impact for Facebook as well.## Impact on image: with trust in the group already weakened, an outage was the last thing it wanted. Huge financial impact: yes, a good ten hours or so without advertising revenue for Facebook still makes for a tidy sum going up in smoke. I had a go at calculating the amount. In the last quarter of 2018, the FB group earned 16.6 billion dollars in advertising revenue. I get out my calculator, and that gives us 92 million dollars lost to one nasty outage.
##Sites, applications and services tied to Facebook's identification process## Impossible to log in to certain sites or services with Facebook Connect. ##So what happened? A hacker attack? A DDoS attack?## Inevitably, a flood of conspiracy theories. A Russian attack, the North Koreans for sure... A denial-of-service attack? Talk of a DDoS attack came very quickly. "A denial-of-service attack", which consists of flooding a service with connection requests. But while nearly 20,000 DDoS attacks take place on the Internet every day, Facebook is an extremely unlikely target. Facebook, Google - companies of that kind - are so enormous, and their bandwidth and interconnectivity are so enormous, that they can effectively absorb large-scale attacks themselves. - Facebook stated in a tweet that "the problem is not related to a DDoS attack" - Facebook spokesperson Tom Parnell, in an e-mail to WIRED: "I can confirm that this has nothing to do with hacking efforts from outside" - Troy Mursch, security researcher and administrator of the security site Bad Packets Report: "No evidence of collaboration of any kind indicates a malicious attack" An API problem? "We are currently experiencing issues that may cause API requests to take longer or fail unexpectedly," the company writes on Facebook developer. "We are investigating the issue and working on a resolution." This could point to a wide range of culprits, from a huge maintenance problem to a Border Gateway Protocol (BGP) network routing problem. It is not hackers, however. Links to learn more: Facebook down dont blame hackers Facebook Instagram down partially post messages profile loading Facebook Instagram and messenger are down for some users . . .
The Super Daily is made with a shower of love by the teams at Supernatifs. We are a content marketing and social media agency based in Lyon. We help companies create lasting, profitable relationships with their audiences. We invent, produce and distribute content that engages your employees, your prospects and your consumers. Contact: bonjour@supernatifs.com
Konstantin Weitz (University of Washington, USA) gives the second talk in the second panel, Tools for Verification, on the 2nd day of the ICFP conference. Co-written by Steven Lyubomirsky, University of Washington, USA, Stefan Heule, Stanford University, USA, Emina Torlak, University of Washington, USA, Michael D. Ernst, University of Washington, USA, Zachary Tatlock, University of Washington, USA. Many verification tools build on automated solvers. These tools reduce problems in a specific application domain (e.g., compiler optimization validation) to queries that can be discharged with a highly optimized solver. But the correctness of the reductions themselves is rarely verified in practice, limiting the confidence that the solver's output establishes the desired domain-level property. This paper presents SpaceSearch, a new library for developing solver-aided tools within a proof assistant. A user builds their solver-aided tool in Coq against the SpaceSearch interface, and the user then verifies that the results provided by the interface are sufficient to establish the tool's desired high-level properties. Once verified, the tool can be extracted to an implementation in a solver-aided language (e.g., Rosette), where SpaceSearch provides an efficient instantiation of the SpaceSearch interface with calls to an underlying SMT solver. This combines the strong correctness guarantees of developing a tool in a proof assistant with the high performance of modern SMT solvers. This paper also introduces new optimizations for such verified solver-aided tools, including parallelization and incrementalization. We evaluate SpaceSearch by building and verifying two solver-aided tools. The first, SaltShaker, checks that RockSalt's x86 semantics for a given instruction agrees with STOKE's x86 semantics. SaltShaker identified 7 bugs in RockSalt and 1 bug in STOKE.
After these systems were patched by their developers, SaltShaker verified the semantics' agreement on 15,255 instruction instantiations in under 2h. The second tool, BGProof, is a verified version of an existing Border Gateway Protocol (BGP) router configuration checker. Like the existing checker, BGProof scales to checking industrial configurations spanning over 240 KLOC, identifying 19 configuration inconsistencies with no false positives. However, the correctness of BGProof has been formally proven, and we found 2 bugs in the unverified implementation. These results demonstrate that SpaceSearch is a practical approach to developing efficient, verified solver-aided tools. We present a logic, called Relational Higher Order Logic (RHOL), for proving relational properties of a simply typed lambda-calculus with inductive types and recursive definitions. RHOL retains the type-directed flavour of relational refinement type systems but achieves greater expressivity through rules which simultaneously reason about the two terms as well as rules which only contemplate one of the two terms. We show that RHOL has strong foundations, by proving an equivalence with higher-order logic (HOL), and leverage this equivalence to derive key meta-theoretical properties: subject reduction, admissibility of a transitivity rule and set-theoretical soundness. Moreover, we define sound embeddings for several existing relational type systems such as relational refinement types and type systems for dependency analysis and relative cost, and we verify examples that were out of reach of prior work.
Our monthly free webcast series rolls on with another talk about a major vulnerability. This webcast is entitled "Trust Doesn't Scale: Practical Hijacking On the World's Largest Network." The webcast is based on a remarkable presentation by Tony Kapela and Alexander Pilosov at the DEFCON security conference this August. To illustrate their BGP-based traffic-hijacking techniques, they intercepted all traffic from the notoriously hostile conference network and ran it through their servers. The process was almost completely invisible to DEFCON attendees. Their demonstration took advantage of a trust issue with Border Gateway Protocol (BGP), and it appears to be part of a larger security trend of major issues emerging in the bedrock protocols that support the Internet. Dan Kaminsky's DNS vulnerability relies on trust issues in DNS. In recent years major questions have been raised about SNMP and ICMP and at this writing there's word of a potentially major TCP exploit. Vulnerabilities like these raise significant questions about the business of security, the limits of patching, and the difficulties involved in securing a trust-based system.
