Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.

Slides:



Advertisements
Similar presentations
COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Advertisements

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Prepare your NOC 111. SP’s/ISP’s NOC Team Every SP and ISP needs a NOC Anyone who has worked or run a NOC has their own list of what should be in a NOC.
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Total Visibility 111 What Is Meant by ‘Telemetry’? Te·lem·e·try— a technology that allows the remote measurement and reporting of information of interest.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
DoS/DDoS Attack Forbes Henderson. What is a DoS Attack  DoS Attack (Denial of Service Attack)  A Denial of Service Attack is Often used by hackers to.
Lecture 15 Denial of Service Attacks
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Introduction to Honeypot, Botnet, and Security Measurement
Session 1 Framework Security Threat Responsibility and Policy Architecture Response Flow Preparation.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 The Internet and Its Uses Working at a Small-to-Medium Business or ISP – Chapter.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Distributed Denial of Service Attacks Dennis Galinsky, Brandon Mikelaitis, Michael Stanley Brandon Williams, Ryan Williams.
TCOM 515 Lecture 6.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 The Internet and Its Uses Working at a Small-to-Medium Business or.
Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Identifying Application Impacts on Network Design Designing and Supporting Computer.
Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.
Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai
Lecture 7 Network & ISP security. Firewall Simple packet-filters Simple packet-filters evaluate packets based solely on IP headers. Source-IP spoofing.
Network Presence, LLC SM Innovative Security Solutions SM Understanding, Planning For, and Responding To Denial of Service Attacks SANS 2001.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Identifying Application Impacts on Network Design Designing and Supporting.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell
DoS attacks on transit network - David Harmelin ( ) Denial of Service attacks on transit networks David Harmelin DANTE.
Remote Trigger Black Hole 111. Remotely Triggered Black Hole Filtering We use BGP to trigger a network wide response to a range of attack flows. A simple.
Distributed Denial of Service Attacks
FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering.
Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates Day, 2007.
Campus Case Studies in Implementing Advanced Services Cas D’Angelo
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
1 Distributed Denial of Service Attacks. Potential Damage of DDoS Attacks l The Problem: Massive distributed DoS attacks have the potential to severely.
DoS/DDoS attack and defense
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon
Role Of Network IDS in Network Perimeter Defense.
By Steve Shenfield COSC 480.  Definition  Incidents  Damages  Defense Mechanisms Firewalls/Switches/Routers Routing Techniques (Blackholing/Sinkholing)
Secure Single Packet IP Traceback Mechanism to Identify the Source Zeeshan Shafi Khan, Nabila Akram, Khaled Alghathbar, Muhammad She, Rashid Mehmood Center.
OARsec 17 Feb 2016 OARnet Agenda 17 Feb 2016 Call to Order & Introductions OARnet Updates Security Operations and Response Standards.
AP Waseem Iqbal.  DoS is an attack on computer or network that reduces, restricts or prevents legitimate of its resources  In a DoS attack, attackers.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 ISP Help Desk Working at a Small-to-Medium Business or ISP – Chapter.
DDoS Attacks on Financial Institutions Presentation
Critical Security Controls
The Linux Operating System
Distributed Denial of Service Attacks
Session 3 Response Measure
Distributed Denial of Service Attacks
Presentation transcript:

Putting the Tools to Work – DDOS Attack 111

DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that they can express DDOS issues as SLA violations, which allow for their management to understand why they need to act.

BOTNETS – Making DDoS Attacks EasyCE Customer premise: Server/FW/Switch/router Zombies Extortionist Last Mile Connection ISP Edge router BOTNETs for Rent! A BOTNET is comprised of computers that have been broken into and planted with programs (zombies) that can be directed to launch attacks from a central controller computer BOTNETs allow for all the types of DDOS attacks: ICMP Attacks, TCP Attacks, and UDP Attacks, http overload Options for deploying BOTNETs are extensive and new tools are created to exploit the latest system vulnerabilities A relatively small BOTNET with only 1000 zombies can cause a great deal of damage. For Example: 1000 home PCs with an average upstream bandwidth of 128KBit/s can offer more than 100MBit/s Size of attacks are ever increasing and independent of last mile bandwidth 2 for 1 Special

 It is all about the packet …..  Once a packet gets into the Internet, someone, somewhere has to do one of two things: –Deliver the Packet –Drop the Packet  In the context of DoS attacks, the questions are who and where will the “drop the packet” action occur? Internet IP Packet POP Border OC48 OC12 Nine ChOC12 Big Aggregation Box Big Aggregation Box It is all about the packet ………

PREPARATION Prep the network Create tools Test tools Prep procedures Train team Practice IDENTIFICATION How do you know about the attack? What tools can you use? What’s your process for communication? CLASSIFICATION What kind of attack is it? TRACEBACK Where is the attack coming from? Where and how is it affecting the network? REACTION What options do you have to remedy? Which option is the best under the circumstances? POST MORTEM What was done? Can anything be done to prevent it? How can it be less painful in the future? Six Phases of Incident Response

SITREP Everything is normal in the Network. Then alarms go off – something is happening in the network.

Customer Is DOSed—Before NOC A B C D E F G Target Peer B Peer A IXP-W IXP-E Upstream A Upstream B POP Upstream A Target is taken out

NOC A B C D E F G Target Peer B Peer A IXP-W IXP-E Upstream A Upstream B POP Upstream A Customer Is DOSed—Before— Collateral Damage Customers Attack causes Collateral Damage

SITREP – Attack in Progress Attack on a customer is impacting a number of customers. COLATERAL DAMAGE INCIDENT! Immediate Action: Solve the Collateral Damage issues.

Customer Is DOSed—After— Packet Drops Pushed to the Edge NOC A B C D E F G iBGP Advertises List of Black Holed Prefixes Target Peer B Peer A IXP-W IXP-E Upstream A Upstream B POP Upstream A

SITREP – Attack in Progress Collateral Damage mitigated Customer who was attacked has PARTIAL SERVICE. DOS Attack is Still Active Options: –Sink Hole a part of the traffic to analyze. –Watch the DOS attack and wait for Attack Rotation or cessation. –Activate “Clean Pipes” for a Full Service Recovery.

Corp Network Core Data Center POP/Customer Upstream A Peer X Peer Y Communities 1, 100, 200 Community abc Communities 1, 100, 300 Community hijCommunity efg Remote Triggered Drops and Communities

SITREP – Attack in Progress Collateral Damage mitigated Customer who was attacked has PARTIAL SERVICE. DOS Attack is Still Active Action: Monitor the Attack & Get more details on the Attack – Use BGP Community based triggering to send one regions flow into a Sink Hole

BGP Community Trigger to Sinkhole Peer B Peer A IXP-W IXP-E Upstream A Upstream B POP Customer Primary DNS Servers / Services Network Sinkhole Send DOS to Sink Hole.

Analyze the Attack Use the tools available on the Internet and from Vendors to analyze the details of the attack. This will provide information about what you can or cannot do next. To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers

SITREP – Attack in Progress Collateral Damage mitigated Customer who was attacked has PARTIAL SERVICE. DOS Attack is Still Active Action: Provide the Customer who is the victim with a Clean Pipes FULL SERVICE RECOVERY (off to vendor specific details).

What is Full Service Recovery “Clean Pipes” is a term used to describe full service recovery. The expectations for a full service recovery is: –DDOS Attack is in full force and ALL customer services are operating normally – meeting the contracted SLA. –The Device used for the full service recovery is not vulnerable to the DDOS & the infrastructure is not vulnerable to collateral damage. Full Service Recovery/Clean Pipes products are very specialized. Talk to the appropriate vendor.

BGP—More Information Cisco BGP Home — k80/tech_protocol_family_home.html k80/tech_protocol_family_home.html Slammer/BGP analysis — massey_iwdc03.pdf massey_iwdc03.pdf Team CYMRU BGP Tools —

Syslog—More Information Syslog.org - Syslog Logging w/PostGres HOWTO— og_postgresql/ og_postgresql/ Agent Smith Explains Syslog—

Packet Capture—More Information tcpdump/libpcap Home— Vinayak Hegde’s Linux Gazette article— 6/vinayak.html 6/vinayak.html

Remote Triggered Black Hole Remote Triggered Black Hole filtering is the foundation for a whole series of techniques to traceback and react to DOS/DDOS attacks on an ISP’s network. Preparation does not effect ISP operations or performance. It does adds the option to an ISP’s security toolkit.

More Netflow Tools NfSen - Netflow Sensor – NFDUMP – FlowCon –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.