© 2010 IBM Corporation Jeroen Massar Security, DDoS and AntiSpam How to secure the Internet outside of the bunkers inside the Swiss Alps IBM Research –

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-ietf-mobike-design-00.txt Tero Kivinen
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Routing Basics.
IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Computer Networks IGCSE ICT Section 4.
Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.
Network security policy: best practices
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
Advanced Computer Networks - IAIK 1 Gsenger, Nindl, Pointner Graz, Secure Anycast Tunneling Protocol.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
– Chapter 4 – Secure Routing
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
TUTORIAL # 2 INFORMATION SECURITY 493. LAB # 4 (ROUTING TABLE & FIREWALLS) Routing tables is an electronic table (file) or database type object It is.
IIT Indore © Neminath Hubballi
TCOM 515 Lecture 6.
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 12: Routing.
0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.
Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai
Lecture#1 on Internet. Internet Addressing IP address: pattern of 32 or 128 bits often represented in dotted decimal notation IP address: pattern of 32.
Simple Multihoming Experiment draft-huitema-multi6-experiment-00.txt Christian Huitema, Microsoft David Kessens, Nokia.
Definitions What is a network? A series of interconnected computers, linked together either via cabling or wirelessly. Often linked via a central server.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
Security at NCAR David Mitchell February 20th, 2007.
Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.
RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
Remote Trigger Black Hole 111. Remotely Triggered Black Hole Filtering We use BGP to trigger a network wide response to a range of attack flows. A simple.
Distributed Denial of Service Attacks
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
NIB Networking & Security Issues Data Networks Recent Activities Additional RAS & Router cards procured and installed at “A” and “B” type.
Information Security 493. Lab # 4 (Routing table & firewalls) Routing tables is an electronic table (file) or database type object that is stored in a.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.
Role Of Network IDS in Network Perimeter Defense.
IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)
1 UNIT 13 The World Wide Web. Introduction 2 The World Wide Web: ▫ Commonly referred to as WWW or the Web. ▫ Is a service on the Internet. It consists.
Confidential | | The Naughty port Project Prepared by: Erik Bais May 2016 RIPE – Copenhagen, DK.
Ch. 31 Q and A IS 333 Spring 2016 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Network Devices and Firewalls Lesson 14. It applies to our class…
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
SMOOTHWALL FIREWALL By Nitheish Kumarr. INTRODUCTION  Smooth wall Express is a Linux based firewall produced by the Smooth wall Open Source Project Team.
NT1210 Introduction to Networking
BGP Validation Russ White Rule11.us.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Filtering Spoofed Packets
Introduction to Networking
* Essential Network Security Book Slides.
COS 561: Advanced Computer Networks
FIRST How can MANRS actions prevent incidents .
Presentation transcript:

© 2010 IBM Corporation Jeroen Massar Security, DDoS and AntiSpam How to secure the Internet outside of the bunkers inside the Swiss Alps IBM Research – Zurich

© 2010 IBM Corporation Jeroen Massar Contacts Who you gonna call?

© 2010 IBM Corporation IBM Research – Zurich 3Security, DDoS and AntiSpamSwiNOG #21 Can somebody from company XYZ please contact me?  Do you have proper working NOC/Security contacts for all your peers? – –Hard line phone –Cell phone  Are you sure those numbers and addresses still work and that those people are still there?  Looking it up in an external database somewhere on the Internet might work, but what if your connectivity is down or you can’t reach that password list where the password for the database is down?  Yelling on (Swi|NA|…)NOG for somebody to reach you might be too late, as your customers are affected and maybe you can’t mail in the first place as your lines are clogged up  Do keep your data upto date in RIPE db (IRT objects), NSP-SEC, at your local IX and of course peeringdb. Having roles for the contacts is a good idea.

© 2010 IBM Corporation IBM Research – Zurich 4Security, DDoS and AntiSpamSwiNOG #21 Do you have IRT?  An IRT object describes an “Incidence Response Team” and how to contact them  IRT objects are referred to using mnt-irt in inetnum/inet6num and cover more specifics automatically.  Retrieve the best IRT object: whois –h whois.ripe.net –c  IRT objects are mandatory in the APNIC region, currently also a proposal in the RIPE region for requiring IRT objects to be present.  And you are protecting your RIPE objects with a PGP key instead of a MD5 password we hope…. ;)

© 2010 IBM Corporation IBM Research – Zurich 5Security, DDoS and AntiSpamSwiNOG #21 But do you actually read And do  should be non-spam/virus-checked, as you want to receive spam and virusses when people report them  As such all spam will go through to it  Need to filter out the cruft: the real spam, not the reports about spam  There have been various attempts at coming up with a ‘reporting standard’, unfortunately there is not a generally accepted one

© 2010 IBM Corporation IBM Research – Zurich 6Security, DDoS and AntiSpamSwiNOG #21 Security Communities  NSP-SEC (+various sub-groups per region) –Trusted Community, need to be a ‘can type on routers’ person –Signup can be requested by joining the list and providing details, need to be vouched in –Meetings: NANOG, RIPE, APRICOT security BOF  Ops-Trust –Highly vetted community, operators and people who can provide data/tools –Invite only  ISC  DSHIELD  SANS  FIRST/CERT (later slides)  Government

© 2010 IBM Corporation IBM Research – Zurich 7Security, DDoS and AntiSpamSwiNOG #21 CERT (Computer Emergency Response Team)  See CERT ( and FIRST (  Find your local CERTs and know who are there so you can contact them easily  Generally PGP-signed & crypted used as communication –Have your PGP key signed and properly published  They will talk to other CERTs and ISPs, but they won’t do your work

© 2010 IBM Corporation IBM Research – Zurich 8Security, DDoS and AntiSpamSwiNOG #21 iNOC-DBA (Inter-NOC Dial-by-ASN)  URL:  Got an ASN? Then you can join the system  Get a SIP phone or even a soft-phone  Bind your FreeSWITCH/Asterisk box into the system Voila:  Direct contact to a large number of ISPs world wide  Verified that you are at least in the ISP who runs that ASN –Avoids call-screening, as it is an iNOC-DBA call, they know it is not some random person just calling for pranks or because their latency is high in their game For a couple of test numbers:

© 2010 IBM Corporation Jeroen Massar Precautions How to avoid having to come out of bed

© 2010 IBM Corporation IBM Research – Zurich 10Security, DDoS and AntiSpamSwiNOG #21 Remote locations & Cheap survival  Unless you are a very large ISP with several disjunct datacenters, consider setting up a DNS server, MX backup and various other such resources that are important to you as backups at a different ISP, under their prefix, managed by them When your network goes down, their network most likely keeps on working as they are disjunct from yours.  A simple VM or just a 1U box at another ISP which acts as a tiny backup can save you  Another approach: instead of hosting everything yourself, have the main version at your location under your full control, but be ready to trigger failover to a number of cheaply hosted VMs at various locations. These don’t always have to carry the full version of the service you are providing, but might just enable you to keep on running and not be completely down  Have a status URL so that if things break, that you can communicate to the Internet  Being prepared to explain what is happening and thus informing customers earns a lot of kudo points from them and thus might save your face

© 2010 IBM Corporation IBM Research – Zurich 11Security, DDoS and AntiSpamSwiNOG #21 Stepping on fibers, busting in doors  Redundant paths are important, what if someone steps on one of your –Fibres –Electricity –Cooling somewhere in the middle of nowhere, or just right outside your bunker? Do you have a contingency plan, do you know how to detect and localize the problem?  Is your datacenter secure? –Finger print scanner –Retina scanner –Access cards –Passport checks but the nice lady at the entrance can re-program the cards and even has a special key to open the door anyway…

© 2010 IBM Corporation IBM Research – Zurich 12Security, DDoS and AntiSpamSwiNOG #21 Watch your network equipment  Is the configuration really the configuration that you put on the box? –Store configurations in a central location, RCS them if possible –Verify regularly that the configuration you put on it is still there and not changed –RANCID is one of various tools for this purpose  Do you have central control over your network equipment? –Make sure that you at least duplicate your centralization, thus distribute it  Use TACACS+ with logging to verify what is happening to hosts and who is doing what  Pushing configuration from a database is another good option, but make sure you have proper ACLs on the database and the tools to control them; and keep a backup of it  Can the rest of the internet access your router console, or just your NOC? –Filter properly, use separate infrastructure  Make sure that your equipment is properly NTP synced, otherwise logs don’t make sense

© 2010 IBM Corporation IBM Research – Zurich 13Security, DDoS and AntiSpamSwiNOG #21 Update and Access  Do you have a proper security contact and contract with your vendors? –Generally only organizations with a contract will be warned in advance of nasty bugs –If some bug hits you, can you get them to fix it?  Do you check and update your hardware/software regularly for security issues?  Do you have Out-Of-Band (OOB) access to the device? –Drop a GPRS modem attached to a console server in the datacenter if possible –When using a network based AAA make sure the AAA backend can be reached OOB too otherwise you can’t authenticate the moment you need to get in

© 2010 IBM Corporation IBM Research – Zurich 14Security, DDoS and AntiSpamSwiNOG #21 BCP 38 (RFC 2827) “Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing”  In short: Do not send packets to the network that you should not be originating  Do source-route filtering as close to the source as possible –Watch out for “multi-homed” customers Techniques:  Simple firewall rule blocking out the prefix  Unicast RPF When there is no route towards that prefix it should not originate it  Various device specific techniques eg in DSLAMs / Cable concentrators which also look at MAC addresses

© 2010 IBM Corporation IBM Research – Zurich 15Security, DDoS and AntiSpamSwiNOG #21 Protect your routing  Don’t let anything else but the IX/peers talk to your BGP daemons  BGP with TCP/MD5  Generalized TTL Security Mechanism (GTSH) –Set TTL to 255 at sender and verify on receiver that the TTL is still 255 –Packets then have to be from the same link and cannot have been routed  Only accept packets from known MAC addresses  Use arpwatch alike tools to make sure no new MACs are introduced on a switch, next to monitoring the switch that the cable was not unplugged  Use RPSL –Put your route/route6 objects in the IRR –Generate prefix filters from it  There are various secure routing proposals, unfortunately none in wide deployment  Monitor your own prefix on the Internet so that you at least know that it is being used somewhere else by somebody else, of course inform folks of the hijack  Using multiple prefixes can be useful because of that as they need to steel all your prefixes to be able to bring you down at ISPs that accept their advertisement

© 2010 IBM Corporation Jeroen Massar Knowledge is power The use of Intelligence

© 2010 IBM Corporation IBM Research – Zurich 17Security, DDoS and AntiSpamSwiNOG #21 Monitoring  NetFlow / IPFIX / sFlow –How many flows/sec can your routers meter, and how fast is your collector/analyzer? –What are you going to look at?  SNMP –Are you looking at all the right values? –Are you polling devices every second, every minute, every hour?  Syslog –Need to set up proper rules to filter out the events you really want to see  TACACS+ logging –Watch those authentication failures and changes to the nodes  Packet Capturing? –Got Tap?

© 2010 IBM Corporation IBM Research – Zurich 18Security, DDoS and AntiSpamSwiNOG #21 Honeypots & Walled Gardens  Honeypots can provide advance warning and trends  Can detect that your own customers are running into it and get that problem resolved quickly  Can also tell friendly peers about which customers are hitting your honeypot  Do you operate your own Honeypot?

© 2010 IBM Corporation IBM Research – Zurich 19Security, DDoS and AntiSpamSwiNOG #21 Walled Garden  When you have detected that a customer is infected –Try to reach them, call them up (costly) –Walled Garden!  Put customers and/or sources you do not trust in a special network  Redirect all port 80/443 traffic to a website with a warning notice  Always provide a “I need to use the Internet right now” button, but do give them a final warning  Most likely need to allow VoIP traffic, thus at least SIP and Skype as they might have emergency calls going over it

© 2010 IBM Corporation Jeroen Massar Defend Taking care of the nasties

© 2010 IBM Corporation IBM Research – Zurich 21Security, DDoS and AntiSpamSwiNOG #21 Remote Triggered Black Hole Filtering You and your peers/transits/upstreams agree that if you announce a prefix to them with a certain BGP community set they will blackhole it at their borders.  Can announce single /32’s which are being targetted  Avoids the traffic further entering their network and thus also yours  Avoids you being billed for that traffic See amongst others:

© 2010 IBM Corporation IBM Research – Zurich 22Security, DDoS and AntiSpamSwiNOG #21 PI space to the rescue: drop it when you don’t want the traffic Another trick employed generally for IRC servers is to put the IRC server in a /24 along with other resources that are DDoS sensitive/attractive. When somebody is mad at it and starts DDoSing:  Drop the announcement to your transits –Thus they won’t route it and your pipe frees up, keeping traffic to your other customers flowing. –You don’t pay for the DDoS bits Generally this means you have cut down on the DDoS heavily already as all the transited bots can’t packet you anymore  Drop the announcements to direct peers that are still involved As you still announce to local peers they can still access the resource, useful if you generally only have local clients. But:  With IPv6 you have PA space and announce the full /32 or more, thus can’t use this trick.  DDoS kiddos wise up too and will start attacking other parts of your infrastructure.

© 2010 IBM Corporation IBM Research – Zurich 23Security, DDoS and AntiSpamSwiNOG #21 BGP FlowSpec (RFC5575)  Distributes a “Flow” inside BGP and marks that flow to be filtered by routers  Requires cooperation of and implementation at upstreams More information:  Open source (read: 3 clause BSD) tool that can do this:  Implemented also on your favorite J and C boxes and a variety of other vendors

© 2010 IBM Corporation IBM Research – Zurich 24Security, DDoS and AntiSpamSwiNOG #21 Scrubbers / Sinkholes  A big big box that announce a specific prefix in iBGP for the host under attack  Attack now goes to this big box  The box either drops everything (sinkhole)  Or it scrubs out the traffic it thinks is useful and routes it on to the host under attack –Using IDS, eg snort or similar tools  Can be used also to route all un-allocated (darknet) space to, and it becomes a perfect IDS  Anycast this service at the edge of your network to distribute the workload and to save the traffic from crossing your core  If the customer was using BGP to announce the prefix to you, they will stop flapping and their connectivity restores

© 2010 IBM Corporation Jeroen Massar Questions? IBM Zurich - Research

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.