Professional Documents
Culture Documents
mbehring
DDoS Vulnerabilities
Multiple Threats and Targets
Attack zombies:
Use valid protocols
Spoof source IP
Massively distributed
Variety of attacks
Provider Infrastructure:
DNS, routers, and links
8
SPs/ISPs NOC Team
REACTION
What options do you have to
remedy?
CLASSIFICATION
Which option is the best under What kind of attack is it?
the circumstances?
TRACEBACK
Where is the attack coming from?
Where and how is it affecting the
network?
Mitigation Communities
14
Check List
Next FUN-SEC
NSP-SEC-JP
NSP-SEC-KR NSP-SEC-BR
FIRST/CERT DSHIELD
Teams
NSP-SEC iNOC-DBA
National
Cyber
Internet
Teams Storm
NextNSP-SEC-TW Center
NSP-SEC-D Telecoms
NSP-SEC-CN ISAC SANS
Next
Note: We are not trying to MyNetWatchman
Other
illustrate actual inter-relational or
interactive connections between ISACs
the different communities.
DSHIELD
ISP - F ISP - I
ISP - E
ISP - G
ISP - B
ISP - C
ISP - H
ISP - A ISP - D
Target
F POP
It is all about Operational Trust
http://www.first.org/about/organization/teams/
iNOC DBA
25
Check List
to their peers.
Numbering system based on the Internet:
ASnumber:phone
109:100 is Barrys house.
SIP Based VoIP system, managed by
www.pch.net, and sponsored by Cisco.
Is set up difficult?
How is iNOC being used today?
31
Check List
Penetration
AAA
NOC
ISPs
Remote Staff Office Staff
Backbone
Lock Down the VTY and Console
Ports
Penetration
VTY, Console,
rACLs, and VTY
ACL
AAA
NOC
ISPs
Remote Staff Office Staff
Backbone
Encrypt the Traffic from Staff to
Device
AAA
NOC
ISPs
Remote Staff Office Staff
Backbone
Staff AAA to get into the Device
AAA on the
Penetration
Device
AAA
NOC
ISPs
Remote Staff Office Staff
Backbone
Radius is not an ISP AAA Option!
Why?
Radius sends
unencrypted traffic
to the AAA server via
SSH from Staff to UDP!
Device encrypts
the password via
secure TCP
Sessions
AAA
NOC
Token card
Soft token
S-key One-Time
Password
AAA OTP
NOC
ISPs
Remote Staff Office Staff
Backbone
DOSing the AAA Infrastructure
AAA OTP
NOC
ISPs
Remote Staff Office Staff
Backbone
Use a Firewall to Isolate the AAA
Servers
Separate AAA
Statefull inspection Firewall to protect
is another reason to from internal and
select TCP base AAA external threats.
over UDP.
NOC
ISPs
Remote Staff Office Staff
Backbone
NOC
Firewall
Distribute AAA Servers and Config
Backup
Peer A
IXP-W
Peer B
IXP-E
Upstream
Upstream
B
B
AAA OTP
AAA OTP
AAA Node
Router CPU
untrusted
Attacks, junk
Router CPU
Protection
untrusted
Attacks, junk
47
The Old World: Network Edge
outside outside
Core
outside outside
Core
ACL in ACL in
PR1 PR2
R3
R1
R2
R4 R5
CR1 CR2
ACL in ACL in
SRC: eBGP Peer SRC: Valid
DST: CR1 eBGP DST: External to AS (e.g.
Customer)
IP Options
Provide control functions that may be required in some
situations but unnecessary for most common IP
communications
IP Options not switched in hardware
Complete list and description of IP Options in RFC 791
Drop and ignore reduce load on the route processor
(RP)
Caution: some protocols/application require options to
function:
For example: strict/loose source routing, resource reservation
protocols
(RSVP) and others
ip access-list extended drop-ip-option
deny ip any any option any-options
Iterative Deployment
61
Remotely Triggered Black Hole
Filtering
Upstream A D
Upstream
B
A C
Upstream
Upstream
B
E B
iBGP
Target
Advertises
List of
Black Holed
Prefixes
NOC
G
F POP
Inter-Provider Mitigation
ISP - F ISP - I
ISP - E
ISP - G
ISP - B
ISP - C
ISP - H
ISP - A ISP - D
Target
F POP
What can you do to help?
Remote Triggered Black Hole Filtering is the most
common ISP DOS/DDOS mitigation tool.
Prepare your network:
ftp://ftp-eng.cisco.com/cons/isp/essentials/ (has whitepaper)
ftp://ftp-eng.cisco.com/cons/isp/security/ (has PDF
Presentations)
NANOG Tutorial:
http://www.nanog.org/mtg-0110/greene.html (has public VOD with
UUNET)
Sink Holes
66
Sink Hole Routers/Networks
Sink Holes are a Swiss Army Knife security
tool.
BGP speaking Router or Workstation that built
to suck in attacks.
Used to redirect attacks away from the
customer working the attack on a router
built to withstand the attack.
Used to monitor attack noise, scans, and
other activity (via the advertisement of
default)
http://www.nanog.org/mtg-0306/sink.html
Sink Hole Routers/Networks
Target of
Attack 172.168.20.0/24 targets network
172.168.20.1 is attacked
Sink Hole Routers/Networks
Router advertises
172.168.20.1/32
Target of
Attack 172.168.20.0/24 targets network
172.168.20.1 is attacked
Sink Hole Routers/Networks
Router
Advertising Default from the Sink Advertise
Hole will pull down all sort of s Default
junk traffic.
Customer Traffic when circuits Sink Hole Network
flap.
Network Scans
Failed Attacks
Code Red/NIMDA Customers 172.168.20.0/24 targets network
Backscatter
172.168.20.1 is attacked
Computer starts
Customer
scanning the Internet
SQL 172.168.20.1 is infected
Anycast Sink Holes
Peer A
IXP-W
Peer B
Remote Triggered
IXP-E
Sink Hole Remote Triggered
Sink Hole
Remote Triggered
Sink Hole Upstream A
Upstream Remote Triggered
Sink Hole
A
Upstream
Upstream
B
Remote Triggered B
Sink Hole
Remote Triggered
Sink Hole
171.68.19.0/24
Customer Remote Triggered
Sink Hole
Services Network
POP
Garbage packets
171.68.19.1 flow to the closest
Remote Triggered
Sink Hole
73
BCP 38 Ingress Packet Filtering
96.0.20.0/24
96.0.21.0/24
Internet ISP
96.0.19.0/24
96.0.18.0/24
Lessons Learned:
It took time and patience.
uRPF did not work for all customers. That is OK,
83
BGP Attack Vectors
Understanding BGP Attack Vectors will help you plan and
prioritize the techniques deployed to build greater resistance into
the system.
The following documents will help you gain perspective on the
realistic Risk Assessment:
NANOG 25 - BGP Security Update
http://www.nanog.org/mtg-0206/barry.html
NANOG 28 - BGP Vulnerability Testing: Separating Fact from FUD
http://www.nanog.org/mtg-0306/franz.html
Look for the updates links to get the latest risk assessments.
http://www.cisco.com/security_services/ciag/initiatives/research/proj
ectsummary.html
Whacking the BGP Session
Four Macro Ways you can Whack
the BGP Session:
Saturate the Receive Path Queues:
BGP times out
Saturate the link: link protocols time
out
Drop the TCP session
up failure
Attacking Routing Devices
Routers usually have various receive path queues that are hit as the
packet heads for the TCP Stack.
Saturation Attacks fill these queues knocking out valid packets
from the queues.
Consequence: BGP Times out Dropping the BGP Session
CPU
GSR Input processes
PRP
SPD
Campus
Signs Route Verifies
Updates Signature
10.1.1.0/24
10.1.1.0/25
Modification
protected path
Direct traffic along an
unprotected path B C
Direct traffic into a black
hole
Create a routing loop
Overclaiming 10.1.1.0/24
D
doesnt exist
Injecting nonexistant
destinations
10.1.1.0/24
A longer prefix!
Underclaiming
Removing destinations
What is a prefix hijack?
All Web traffic forwards
to the /32 more specific.
AS 500
W AS 400
E
X
D
AS 300 Broken into router
advertises Web Server
prefix as a /32
C
N A B M
Customer AS 100 AS 200 Q
X.Y.Z.1/32
X.Y.Z.0/24
Malicious Route Injection
What can ISPs Do?
AS 500
AS 400
W
E
X
D
Ingress Filter
Customers AS 300
Prefixes
C
Customer
Filters In and
Out
N A B M
AS 100 AS 200
Customer
Bogons and Special Use Addresses
Prefix Filter
Prefix Filter
Peer
Total Visibility
100
Check List
Podiatrist
Cardiologist
Ophthalmologist
Neurologist
Hematologist Nephrologist
Holistic Approach to
System-Wide Telemetry
CPE/ACCESS/AGGREGATION CORE DATA/SVC PEERING
Center
PE(s)
CPE(s) L2 Agg. P P
Broadband,
Wireless (3G, PE
802.11), ISP /
Ethernet, FTTH, P Alt. Carrier
Leased Line,
ATM, Frame- Listen
Relay Listen Listen P P P
Listen
Core:
Customer Edge:
Shared resources
Performance must SP Peering:
not be affected Data/Service
and services Center Ability to trace
should be through
available asymmetric
Data Center:
traffic
Inter as well as Intra Data
Center traffic
Open Source Tools for NetFlow
Analysis VisualizationFlowScan
Investigate the spike
Thruput
Spike
RTT
Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
Spike
Displaying RMONntop Examples
Detailed
Source: http://www.ntop.org
Analysis i.e. TTL
BGP ExampleSQL Slammer
Correlating NetFlow and Routing
Data
Wealth of
information, L1-L7
raw data for
analysis
Source: http://www.ethereal.com, Cisco Systems, Inc.
Q and A
112
Communications
Addendum
113
Never underestimate the power of
human communications as a tool to
solve security problems. Our history
demonstrates that since the Morris
Worm, peer communication has been
the most effect security tool.
Barry Raveendran Greene
Preparation as Empowerment
It is imperative that an SPs operations
team prepare by empowering them for
action.
Contacts for all ISPs who you inter-connect
(peers, customers, and upstreams)
Contacts for all vendors product security
reaction teams.
Document your policies. Will you help your
customers? Will you classify the attacks? Will
you traceback the attacks? Will you drop the
attacks on your infrastructure?
Important Points
Create your companys Computer Emergency
Response Team
Know your peers (neighboring CERTs), build
relationships
Get on NSP-SEC mailing list and on iNOC
Phone
Know Eachs Vendors Security Team
Example: psirt@cisco.com, security-alert@cisco.com and
www.cisco.com/security to contact Cisco Systems.
You are receiving this email because you have subscribed to one or more services with Infoserve. We have received a virus alert from
security authorities and we believe that you should be informed (please see information below). If you do not wish to be included in
future information service, please click Reply and type Remove from subscription in the subject field.
-------------------------------------------
We have received warning from security authorities on a new virus, W32.Sobig.E@mm. W32.Sobig.E@mm is a new variant of the
W32.Sobig worm. It is a mass-mailing worm sends itself to all the email addresses, purporting to have been sent by Yahoo
(support@yahoo.com) or obtained email address from the infected machine. The worm finds the addresses in the files with the following
extensions: .wab .dbx .htm .html .eml .txt
You should regularly update your antivirus definition files to ensure that you are up-to-date with the latest protection.
Confidentiality
Use signed and encrypted communication
Use PGP, S/MIME or GPG, have your key signed!
CERTs coordinate with other CERTs and ISPs
CERTs provide assistance, help, advice
They do not do your work!
Collecting Information from Peers
132
NetFlowMore Information
IETF RMON WG
http://www.ietf.org/html.charters/rmonmib-
charter.html
Cisco RMON Home
http://www.cisco.com/en/US/tech/tk648/tk362/t
k560/tech_protocol_home.html
Cisco NAM Product Page
http://www.cisco.com/en/US/products/hw/modul
es/ps2706/ps5025/index.html
BGPMore Information
Syslog.org - http://www.syslog.org/
Syslog Logging w/PostGres HOWTO
http://kdough.net/projects/howto/syslog_po
stgresql/
Agent Smith Explains Syslog
http://routergod.com/agentsmith/
Packet CaptureMore Information
tcpdump/libpcap Home
http://www.tcpdump.org/
Vinayak Hegdes Linux Gazette article
http://www.linuxgazette.com/issue86/vina
yak.html
Remote Triggered Black Hole