Listen to this Post

Introduction:
Network operators in South Asia are gathering at bdNOG21 in Dhaka, Bangladesh, to confront the brutal realities of modern cyber warfare. From Zero Trust Architecture for ICS networks to AI-driven network management, the conference has unveiled a slew of technical workshops aimed at fortifying Internet infrastructure against sophisticated threats like BGP hijacking, DDoS attacks, and IPv6-specific vulnerabilities.
Learning Objectives:
- Implement Zero Trust segmentation and continuous validation for Industrial Control Systems (ICS) and Operational Technology (OT) environments.
- Secure BGP routing infrastructure using RPKI, Route Origin Validation (ROV), and advanced filtering techniques.
- Automate network configuration backup and disaster recovery using Oxidized, Ansible, and Git.
- Harden IPv6 deployments against address spoofing, neighbor discovery attacks, and transition mechanism exploits.
- Leverage Large Language Models (LLMs) for network observability and anomaly detection.
You Should Know:
1. Operationalizing Zero Trust Architecture for OT/ICS Networks
Sudipta Mondal’s session at bdNOG21 tackled the application of Zero Trust principles to protect Industrial Control Systems. This extends beyond simple micro-segmentation to include continuous authentication and authorization for every device, user, and network flow within critical infrastructure.
Step‑by‑step guide:
- Identify and Classify Assets: Use a tool like `nmap` to discover all OT and IT assets on your network. Classify devices into trust zones based on function and criticality.
nmap -sn 192.168.1.0/24 Ping scan to discover live hosts nmap -sV -p- 192.168.1.10 Service version detection on a critical PLC
- Implement Micro-Segmentation with Linux
iptables: Restrict lateral movement by creating granular firewall rules. For example, allow only a specific jump host to SSH into a PLC, block everything else.Allow SSH only from 10.0.0.5 to PLC at 192.168.1.10 iptables -A INPUT -p tcp --dport 22 -s 10.0.0.5 -d 192.168.1.10 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP
- Enforce Continuous Validation: Use a SIEM or a lightweight tool like `auditd` on Linux to monitor and log all process executions, file accesses, and network connections from OT devices. Correlate this with a known-good baseline.
Audit all commands executed by a specific user auditctl -a always,exit -F arch=b64 -S execve -F uid=operator -k command_monitor
- Deploy Network Access Control (NAC) for IoT: For devices lacking robust authentication, implement MAC Authentication Bypass (MAB) on your switches. Use RADIUS to validate each device’s MAC address against an allowlist before granting access.
-
Automating Network Configuration Backup & Version Control with Oxidized
Tawfique Ahmed’s presentation highlighted using Oxidized, an open-source network device configuration backup tool, to manage configurations as code. This practice is crucial for disaster recovery, compliance, and change management.
Step‑by‑step guide:
- Install Oxidized on Linux: Oxidized is a Ruby gem. Install it with its dependencies.
Debian/Ubuntu sudo apt update && sudo apt install -y ruby ruby-dev libssl-dev libssh2-1-dev make g++ sudo gem install oxidized oxidized-script oxidized-web
- Configure Oxidized: Create the main configuration file (
~/.config/oxidized/config).</li> </ol> username: admin password: securepass Or use a secrets management tool model: ios interval: 3600 Backup every hour use_max_threads: 5 output: default: git git: user: "Oxidized" email: "[email protected]" repo: "/var/lib/oxidized/devices.git" source: default: csv csv: file: "/var/lib/oxidized/router.db" delimiter: !ruby/regexp /:/
3. Define Devices: Populate the `router.db` file with your network devices. The format is
hostname:username:password:enable_password:model.core-router-01:admin:adminpass:enablepass:ios dist-switch-01:admin:switchpass::ios
4. Initial Run and Git Verification: Launch Oxidized and check the Git repository.
oxidized Check the Git log cd /var/lib/oxidized/devices.git git log --oneline
- Shutting Down BGP Hijacks with RPKI and Route Origin Validation
A critical workshop at bdNOG21 focused on securing BGP, the postal service of the internet. BGP hijacking can redirect traffic for entire IP prefixes. RPKI provides a cryptographic framework to prevent this by allowing networks to verify that an AS is authorized to advertise a specific prefix.
Step‑by‑step guide:
- Install and Configure a RPKI Validator (e.g., Routinator): Routinator by NLnet Labs is a robust RPKI validator that caches all valid ROAs.
Download and install Routinator on Linux wget https://github.com/NLnetLabs/routinator/releases/download/v0.13.1/routinator-0.13.1-x86_64-unknown-linux-musl.tar.gz tar -xzf routinator-0.13.1-x86_64-unknown-linux-musl.tar.gz sudo mv routinator /usr/local/bin/ Run the validator routinator server --rtr 127.0.0.1:3323 --http 127.0.0.1:9556
- Configure your BGP router to use the validator (MikroTik example): Point your router to the RPKI cache server.
/routing bgp rpki add address=127.0.0.1 port=3323 refresh-interval=1h
- Create an RPKI filter for BGP import: Only accept routes with RPKI state “Valid” or “NotFound”. Reject “Invalid” routes.
/routing filter rule add chain=bgp-in rpki-verify=yes /routing filter rule add chain=bgp-in rpki-state=invalid action=reject
- Monitor and Audit: Regularly check the RPKI validation state of your prefixes.
Using your BGP router's CLI /routing bgp rpki check prefix=203.0.113.0/24 Or using bgp.tools (online service)
4. Hardening IPv6 Deployments: From Dual-Stack to Security-First
IPv6 deployment is accelerating, but its security nuances are often overlooked. bdNOG21 featured sessions on “IPv6-mostly Network Deployment,” which inherently require engineers to address IPv6-specific threats like rogue Router Advertisements (RAs) and ND spoofing.
Step‑by‑step guide:
- Disable IPv6 on Endpoints if Not Needed (Windows): While not a complete solution, disabling IPv6 on unused interfaces reduces attack surface.
Disable IPv6 on all non-tunnel interfaces Get-NetAdapterBinding -ComponentID ms_tcpip6 | Disable-NetAdapterBinding -ComponentID ms_tcpip6
- Implement RA Guard on Switches: This prevents rogue RAs from being propagated. On Cisco IOS:
interface Vlan100 ipv6 nd raguard
- Use Secure Neighbor Discovery (SEND) – Linux Example: SEND cryptographically protects Neighbor Discovery messages. Implementation is sparse, but Linux provides experimental support.
Generate a CGA (Cryptographically Generated Address) key ip sec cga generate-key -a modp2048 Assign a CGA address to an interface ip addr add 2001:db8:1::/64 dev eth0 ip sec cga set eth0 2001:db8:1::/64
- Monitor IPv6 Traffic: Use `tcpdump` to capture and analyze IPv6 neighbor discovery packets.
Capture all ICMPv6 neighbor discovery packets on eth0 tcpdump -i eth0 -s0 -v -n icmp6 and 'ip6[bash] == 133 or ip6[bash] == 134 or ip6[bash] == 135 or ip6[bash] == 136'
5. Managing Network with LLMs: AI-Driven Anomaly Detection
Rakibul Hassan’s session introduced the concept of leveraging Large Language Models as a “second brain” for network management. This involves using LLMs to parse vast amounts of syslog, SNMP traps, and flow data to identify anomalies, correlate events, and suggest remediation steps beyond static rules.
Step‑by‑step guide (using a local LLM for privacy):
- Set up a Local LLM API (Ollama): Ollama allows you to run models like Llama 3 locally.
curl -fsSL https://ollama.com/install.sh | sh ollama pull llama3
- Collect and Preprocess Network Logs: Use a tool like `journalctl` or `grep` to extract a batch of recent logs related to an anomaly.
Get the last 50 syslog messages from a router ssh user@core-router "show log | tail -n 50" > /tmp/router_logs.txt
- Query the LLM for Analysis: Create a Python script that sends the logs to the Ollama API with a prompt for threat analysis.
import requests import json</li> </ol> with open('/tmp/router_logs.txt', 'r') as f: logs = f.read() prompt = f"Analyze these router logs for potential security threats (DDoS, recon, config changes):\n\n{logs}" response = requests.post('http://localhost:11434/api/generate', json={'model': 'llama3', 'prompt': prompt, 'stream': False}) print(json.loads(response.text)['response'])6. Hardening ISP Visibility: DNS Query Trend Analysis
Abu Sufian’s talk on “What Your DNS Logs Say About CDN Efficiency” can be repurposed for security monitoring. DNS logs are a treasure trove for detecting DGA-based malware, data exfiltration via DNS tunneling, and command-and-control (C2) callbacks.
Step‑by‑step guide:
- Log all DNS Queries (BIND example): Enable verbose query logging on your DNS resolver.
Add to /etc/named.conf logging { channel query_log { file "/var/log/named/queries.log" versions 3 size 20m; severity info; print-time yes; }; category queries { query_log; }; }; - Analyze Logs with `awk` and
sort: Identify unusual domain patterns. High entropy domains or repeated NXDOMAIN replies for random-looking subdomains are classic DGA indicators.Extract queried domains, count frequencies, and look for high-entropy names cat /var/log/named/queries.log | awk '{print $6}' | sort | uniq -c | sort -nr | head -20 - Detect DNS Tunneling: Monitor for unusually large DNS packet sizes or high query volume to a single domain.
Find TXT record requests with large response sizes tshark -r capture.pcap -Y 'dns.qry.type == 16' -T fields -e dns.resp.len -e dns.qry.name
What Undercode Say:
- bdNOG is the new frontline: Events like bdNOG21 are no longer just about routing; they’re critical cybersecurity incident-response and threat-hunting grounds for global infrastructure. Ignoring regional NOGs means ignoring a massive portion of internet traffic that can be hijacked or exploited.
- The “automation or die” imperative is real: The hands-on sessions on Oxidized, Ansible, and network programmability signal that manual CLI tweaking is an operational risk. Attackers move fast; your recovery and change management must move faster, with version control as the foundation.
- The convergence of AI and network ops is inevitable. bdNOG21’s inclusion of LLMs for network management shows we are moving beyond dashboards and static alerting to proactive, context-aware security recommendations. However, the real challenge will be securing the training data and the LLM model itself from adversarial poisoning.
Prediction:
Within the next 12-18 months, we will see the first major cyberattack that leverages a compromised RPKI validator to inject a “valid” but malicious route origin authorization, leading to a widespread BGP hijack that bypasses traditional security mechanisms. The countermeasure will be a shift towards decentralized, blockchain-like notarization of routing records, a concept likely to be debated at bdNOG22.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Rezwandhkbd Bdnog – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
- Log all DNS Queries (BIND example): Enable verbose query logging on your DNS resolver.


