The Changing Internet Ecology: New Threats to Infrastructure Security
Farnam Jahanian, Arbor Networks / University of Michigan

Arbor Networks, inc. Proprietary

Emerging Trends
• Globally scoped, respecting no geographic or topological boundaries
• Exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes
• Zero-day threats, exploiting vulnerabilities for which no signature or patch has been developed

Infrastructure Security Threats
• One large service provider experienced over 1,100 DoS attacks in the 1st half of [Rob Thomas, NANOG 28]
• Multi-gigabit attacks are increasingly routine. Attacks with 10 Gbps aggregate capacity have been recorded.
• Emerging threats from IRC bots: IRC bots support automated scanning and exploitation of inadequately protected Windows systems, and also offer DDoS capabilities.
• Massive pools of available zombies, e.g. IRC botnets with over 140,000 machines. [CERT Advisory CA , March 2003]
• With so much capacity, spoofing source addresses is no longer “cool”.
• Of attacks on a large ISP, only 4 employed spoofed addresses! [Rob Thomas, NANOG 28]
• During Slammer, 75K hosts were infected in 30 min. [Moore et al., NANOG February 2003]
• At peak, 5 billion injection attempts per day during Nimda. [Arbor Networks, Sep. 2001]

SQL Slammer Attack Propagation
• 0 hosts infected at the start
• 75,000 hosts infected in 30 min.
• Infections doubled every 8.5 sec.
• Spread 100X faster than Code Red
• At peak, scanned 55M hosts per sec.
[Moore, Paxson, et al.; NANOG February 2003]

Impact of Slammer on the Internet
• Loss of several thousand routes, mostly /24s

The Evolution of Network Threats
Problems that manifest themselves network-wide:
• DDoS
• Zero-day worms / AV
• Routing attacks

Complementary Techniques
• Detecting, backtracing and mitigating denial-of-service attacks
• Blackhole monitoring of unused address blocks

Denial-of-Service
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. [CERT]
• Attempts to "flood" a network, thereby preventing legitimate network traffic
• Attempts to disrupt connections between users and web sites, thereby preventing access to a service
• Attempts to prevent access to critical infrastructure such as DNS or service provider routers

Distributed Denial-of-Service
• Phase I: The Initial Intrusions
  - Scan networks, identify vulnerable hosts, compromise them by installing tools and backdoors
• Phase II: The Distributed DoS Attacks
  - Signal and launch attacks on target web sites, communication links, routers, DNS, etc.
• Self-propagating worms sometimes blur the distinction between Phase I and Phase II

Why is this problem so hard?
• Dichotomy between the need for open networks and the vulnerability of hosts to attacks on the Internet
• Zombie-based attacks involve unwitting organizations whose hosts and networks have been compromised
• Spoofed attacks hide the identity and location of attackers
• Lack of cooperation (mechanisms and policies) between network service providers
• Offensive techniques to disarm online attackers are believed to be illegal
• Misuse detection techniques and firewalls do not prevent even these attacks

Myth #1: Magic Box!
• Put a “filtering box” at the enterprise border
• Stop drinking from the fire hose, close your mouth
• May not even see the attack: on upstream router or on firewall

Myth #2: IDS Tools
• Rely on intrusion detection systems for DoS detection and classification
• Signature-based IDS tools cannot identify zero-day attacks, e.g. the Slammer worm

Best Practices
• “Practice good computer hygiene”
• Patch well-known holes and vulnerabilities
• Deploy anti-spoof egress filtering
• Policies and procedures for handling alerts
• Campus-wide incident response team
• Internet Routing Registry
• Mechanisms and procedures for sharing information and working with upstream providers
• Push for routing and DNS authentication
Still Not Enough!

So what is the solution? Network Anomaly Detection
A proactive, holistic, dynamic approach to security: operators must model their infrastructure network-wide, rather than model the myriad threats against individual components.

Peakflow Architecture
Build a model of normal behavior leveraging flow data and topology information from routers; employ signature analysis and dynamic profiling to monitor and detect DoS attacks in real time; use distributed event aggregation techniques to backtrace attackers; apply attack-specific remediation methods to minimize impact on the target.
[Diagram labels: Network Topology Information; Real-Time Traffic Flow Statistics; Network Traffic Profiles; Correlation & Analysis Techniques; Solution]

How Peakflow Works
• Profile/Monitor: Peakflow DoS dynamically profiles traffic patterns in the network and analyzes traffic for anomalies – without disrupting traffic flow to routers.
• Detect: Peakflow DoS Collectors create and forward unique anomaly fingerprints to Peakflow DoS Controllers.
• Trace: Peakflow DoS Controllers then quickly trace the attack to its source.
• Filter: The Peakflow DoS Controller recommends filters (X), which the network engineer can implement to stop the attack before it brings down key routers, firewalls and IDS solutions, or the entire network.
[Diagram labels: Collector; Controller; Customer Site: Web Servers, DNS Servers, Database Servers, Firewall, IDS; Service Provider A, B, C]

Mitigation Strategies
• Do Nothing! (very popular)
• Notify downstream AS or upstream provider
• Packet Filters: ACLs or Firewall
  - Filter based on attack characteristics
• Rate Limit Traffic
  - Based on attack characteristics: ICMP, UDP, TCP SYN
  - QoS policy propagation with BGP (special community)
• BGP Blackhole Routing
• Sinkhole Diversion or Off-Ramping
Also provide the data necessary to know which one to choose and how to configure it.

Feature                    | Function                                                    | Benefit
Detection & Fingerprinting | Anomaly-based detection and attack fingerprinting           | Instantly flags known and new (zero-day) attacks with minimal configuration
Traceback                  | Reconstructs the attack trajectory across the network       | Quickly identify impacted customers and equipment
Analysis                   | Generates detailed profiles of the anomalous traffic        | Understand the components to match the right solution
Mitigation                 | Intelligent, flexible, attack-specific mitigation options   | Stop the attack and quickly ensure normal network operation
Flexible Reporting         | Exports XML and PDF-based anomaly data for offline analysis | Custom analysis for forensics, trending and research; share with customers, co-workers, partners

Case Studies

Peakflow Deployments

Network-Wide View
Network-wide view of anomalous traffic. Anomalies are classified as low, medium, or high; different levels trigger alerts (…, SNMP, etc.).

A Recent Large Scale DoS Attack
Anomalies are classified as low, medium, or high; different levels trigger alerts (…, SNMP, etc.). Visual breakout of affected network elements.

The Attack in More Detail (Page 1)
Provides detailed information on the characteristics of the DoS attack.

The Attack in More Detail (Page 2)
Visual breakout of affected network elements. Identifies routers and interfaces that are impacted by the attack.

The Attack in More Detail (Page 3)
Presents a detailed fingerprint for the attack. Automatically generates the appropriate ACL/CAR or firewall filter sets for blocking the attack.
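The Detect, Fingerprint and Filter steps described earlier, together with the ACL/CAR generation this screen shows, as an added Python example that is not Peakflow's code: given flow records for the anomalous traffic (a constructed SYN flood against a web server), it finds the single protocol/port/destination/flags tuple that dominates the traffic and renders the Cisco IOS access list, CAR rate limit or Null0 blackhole route from the Mitigation Strategies slide that an operator could apply. The Flow record layout, the 80% dominance threshold and the interface placeholder are assumptions; the addresses are constructed from documentation ranges.

```python
"""Attack fingerprinting and filter generation (added example, not Peakflow code).

Find the (protocol, dport, destination, TCP flags) tuple that carries most of
the anomalous packets, then render the IOS filter an operator could apply.
The Flow layout and the 80% threshold are assumptions; flows are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address as seen in the flow export
    dst: str        # destination (the attack target)
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for ICMP)
    tcp_flags: str  # e.g. "S" for SYN-only; "" for non-TCP
    pkts: int       # packets in this flow record


def fingerprint(flows, share=0.8):
    """Return the tuple carrying at least `share` of all packets, or None when
    the traffic is too mixed for one filter to describe it."""
    total = sum(f.pkts for f in flows)
    if total == 0:
        return None
    by_key = Counter()
    for f in flows:
        by_key[(f.proto, f.dport, f.dst, f.tcp_flags)] += f.pkts
    key, pkts = by_key.most_common(1)[0]
    if pkts < share * total:
        return None
    sources = {f.src for f in flows
               if (f.proto, f.dport, f.dst, f.tcp_flags) == key}
    proto, dport, dst, flags = key
    return {"proto": proto, "dport": dport, "dst": dst, "flags": flags,
            "pkts": pkts, "share": pkts / total, "sources": len(sources)}


def match_clause(fp):
    """ACL match text for the fingerprint: protocol, target host, port, flags."""
    clause = f"{fp['proto']} any host {fp['dst']}"
    if fp["proto"] in ("tcp", "udp") and fp["dport"]:
        clause += f" eq {fp['dport']}"
    if fp["proto"] == "tcp" and fp["flags"] == "S":
        clause += " syn"   # match connection attempts only, leave established flows alone
    return clause


def render_filters(fp, mode, acl_number=150, bps=1_000_000):
    """Render IOS configuration for one of the mitigation options.

    drop       : ACL that discards the fingerprinted traffic and permits the rest
    rate-limit : CAR that caps the fingerprinted traffic at `bps`
    blackhole  : Null0 route for the target; this also drops the victim's
                 legitimate traffic, so it is the last resort
    """
    if mode == "drop":
        return [f"access-list {acl_number} deny {match_clause(fp)}",
                f"access-list {acl_number} permit ip any any"]
    if mode == "rate-limit":
        burst = bps // 8   # one second of traffic as the normal burst, in bytes
        return [f"access-list {acl_number} permit {match_clause(fp)}",
                "interface <UPSTREAM-INTERFACE>",   # placeholder, set per router
                f" rate-limit input access-group {acl_number} {bps} {burst} "
                f"{2 * burst} conform-action transmit exceed-action drop"]
    if mode == "blackhole":
        return [f"ip route {fp['dst']} 255.255.255.255 Null0"]
    raise ValueError(f"unknown mode {mode!r}")


def sample_flows():
    """Constructed flow records: a SYN flood on a web server from three
    sources, plus a little unrelated DNS traffic to the same host."""
    victim = "198.51.100.10"   # documentation range, constructed
    flood = [Flow(f"203.0.113.{i}", victim, "tcp", 80, "S", 1000) for i in (5, 17, 42)]
    noise = [Flow("192.0.2.77", victim, "udp", 53, "", 100)]
    return flood + noise


if __name__ == "__main__":
    fp = fingerprint(sample_flows())
    print(fp)
    for mode in ("drop", "rate-limit", "blackhole"):
        print("\n".join(render_filters(fp, mode)), "\n")
```

When `fingerprint` returns None the traffic has no single dominant tuple, which is the case where the talk's "one size does not fit all" point applies: a per-tuple ACL would miss most of the attack and a blanket filter would also cut legitimate traffic.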

Complementary Methodologies
• Detecting, backtracing and mitigating denial-of-service attacks
• Blackhole monitoring of unused address blocks

Blackhole Monitoring
• A block of dark address space that, while routable, contains no active hosts
• Traffic into the blackhole is due to scans, worm propagation, or DDoS backscatter
• Similar to using BGP off-ramping for traffic inspection

Components of a Blackhole Monitor
• Passive Module: passively measures the traffic, looking for scans and backscatter and quantifying the breadth of worm infections and the scope of DDoS attacks
• Active Module: elicits payloads from an adaptively sampled number of end clients, reconstructing the client half of the payload and creating a fingerprint of the application request
• Alerting Module: looks for rapid changes in the characteristics of the overall network traffic as well as the rise of new types of threats

Blackhole Monitoring
• Measure wide-scale port scans and service sweeps by attackers
• Characterize and quantify Internet worm activities
• Estimate the type and severity of globally-scoped DDoS incidents

Wide-Area Blackhole Monitoring Project
• Launched by Arbor Networks, Merit Network and the University of Michigan in 2001
• Collect traffic to a globally announced, unused /8 network
  - Roughly 1/256 of the entire Internet address space
• Complete the TCP handshake for 1 out of 100,000 requests
  - Reassemble worm payload, identify and log each hit
• Save other traffic to disk
  - Random scans (SSH, DNS, RPC services, FTP, etc.)
  - DoS backscatter (TCP SYN+ACK and RST, ICMP unreachables)
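The passive, active and alerting roles of the blackhole monitor, as an added Python example that is not the Arbor/Merit/Michigan monitor's code. Nothing lives in the monitored block, so every packet is unsolicited: TCP SYNs and UDP datagrams are scans or probes, while SYN+ACK, RST and ICMP unreachables are replies to packets the block never sent, i.e. backscatter from floods that spoofed its addresses. The code classifies constructed packets that way, picks 1 in 100,000 SYNs deterministically for the active module to answer, and flags any destination port whose probe count jumps against a baseline window, the kind of rapid change the alerting module watches for. The packet layout, thresholds and sample packets are constructed; 10.0.0.0/8 stands in for the announced /8.

```python
"""Classifying traffic to a dark address block (added example, not IMS code).

The Pkt layout, thresholds and sample packets are constructed; 10.0.0.0/8
stands in for the monitored, globally announced, unused /8.
"""
from collections import Counter
from dataclasses import dataclass
import hashlib
import ipaddress

DARK_BLOCK = ipaddress.ip_network("10.0.0.0/8")   # stand-in for the monitored /8
SAMPLE_RATE = 100_000                              # answer 1 in 100,000 SYNs


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "R", "RA"
    icmp_type: int = -1


def classify(p):
    """scan, backscatter, other, or ignore for packets outside the block."""
    if ipaddress.ip_address(p.dst) not in DARK_BLOCK:
        return "ignore"
    if p.proto == "tcp":
        if p.flags == "S":
            return "scan"
        if p.flags in ("SA", "R", "RA"):
            return "backscatter"
        return "other"
    if p.proto == "udp":
        return "scan"
    if p.proto == "icmp":
        # ICMP type 3 (destination unreachable) comes back when a flood
        # spoofed one of our addresses towards a host that rejected it
        return "backscatter" if p.icmp_type == 3 else "other"
    return "other"


def should_respond(p):
    """Deterministic 1-in-SAMPLE_RATE choice of SYNs for the active module to
    complete the handshake with, so it captures the client's first payload
    without answering every probe. Hashing makes the choice reproducible."""
    if p.proto != "tcp" or p.flags != "S":
        return False
    digest = hashlib.sha256(f"{p.src}>{p.dst}:{p.dport}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % SAMPLE_RATE == 0


def summarize(packets):
    """Counts per class, per-port scan counts and unique scanning sources."""
    classes, per_port, scanners = Counter(), Counter(), set()
    for p in packets:
        c = classify(p)
        classes[c] += 1
        if c == "scan":
            per_port[(p.proto, p.dport)] += 1
            scanners.add(p.src)
    return {"classes": classes, "per_port": per_port, "unique_scanners": len(scanners)}


def port_alerts(baseline, current, factor=5, min_count=20):
    """Ports whose scan count rose at least `factor` times over the baseline
    window; a new worm sweeping one service shows up exactly like this."""
    alerts = []
    for port, n in current.items():
        base = baseline.get(port, 0)
        if n >= min_count and n >= factor * max(base, 1):
            alerts.append((port, base, n))
    return sorted(alerts, key=lambda a: -a[2])


def sample_windows():
    """Two constructed observation windows of dark-block traffic."""
    baseline = [Pkt(f"192.0.2.{i}", f"10.{i}.7.9", "tcp", 22, "S") for i in range(8)]
    baseline += [Pkt(f"192.0.2.{i}", f"10.3.{i}.1", "tcp", 135, "S") for i in range(3)]
    current = [Pkt(f"192.0.2.{i}", f"10.{i}.7.9", "tcp", 22, "S") for i in range(9)]
    current += [Pkt(f"203.0.113.{i % 250}", f"10.3.{i % 256}.{i % 254}", "tcp", 135, "S")
                for i in range(60)]
    current += [Pkt("198.51.100.5", "10.9.9.9", "tcp", 80, "SA"),       # SYN+ACK backscatter
                Pkt("198.51.100.6", "10.9.9.10", "icmp", icmp_type=3),  # ICMP unreachable
                Pkt("198.51.100.7", "10.9.9.11", "tcp", 443, "RA"),     # RST from a flood victim
                Pkt("198.51.100.8", "172.16.0.1", "tcp", 80, "S")]      # not our block
    return baseline, current


if __name__ == "__main__":
    base, cur = sample_windows()
    print(summarize(cur))
    print(port_alerts(summarize(base)["per_port"], summarize(cur)["per_port"]))
```

Classification here rests on the one fact that makes dark space useful: no legitimate traffic can ever arrive, so even a single SYN+ACK is evidence that some third party is being flooded with packets carrying the block's addresses as source.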

The Blaster Worm – The View from 10,000 Feet
• Wed July – LSD releases advisory
  - “Critical security vulnerability in MS OS”
  - No known exploit code; patch available
  - Affected Windows running DCOM RPC services – used for local networking by MS Windows systems
• Mon Aug – Blaster worm appears
• Wed Aug – variants appear

How Blaster scans
• Scans /24s from 0-254, not random hosts
• 40% of the time, /24s within the local /16
• 60% of the time, random /24s
• Scans the network for 135/TCP, listens on 69/UDP (TFTP)
• Attempts the exploit when a connection is found
• The attacking host then connects to 4444/TCP to use as a command line interface
• Downloads msblast.exe via TFTP, starts msblast.exe

Blaster’s Traffic Patterns
• Three phases of the worm lifecycle: growth, decay, persistence
• Minimum doubling time of 2.3 hours during the growth phase
• Observed over 286,000 unique IP addresses in the blackhole

Pre-Blaster Scan Activity
• Increase in 135/TCP scans: small before July, started in mid-July, increased after the exploit release

Containing Blaster
• Exponential decay of Blaster observations, half-life 10.4 hrs
• Contained very “quickly” – operators applying ingress/egress filters
• Pretty much all cleaned up in 5 days
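How figures like the 2.3-hour doubling time and the 10.4-hour half-life on the two previous slides are obtained from blackhole observations, as an added Python example that is not from the talk: the series of unique infected addresses seen per hour is split at its peak, ln(count) is fitted against time by least squares in the growth and decay phases, and the exponential rate is converted to a doubling time or half-life. The hourly series below is constructed to follow exactly those two rates so the fit can be checked; real data is noisier and has a flat persistence tail, which is why the decay fit is restricted to the hours right after the peak. The 48-hour decay window and the starting count are assumptions.

```python
"""Doubling time and half-life from blackhole counts (added example, not the talk's code).

Splits an hourly series of unique infected hosts at its peak, fits ln(n)
against time in each phase, and converts the rate to a doubling time or
half-life. The sample series is constructed to follow the quoted rates.
"""
import math


def log_linear_rate(samples):
    """Least-squares slope k of ln(n) = ln(n0) + k*t over (t_hours, n) pairs,
    i.e. the rate in n(t) = n0 * exp(k t). Zero counts are skipped."""
    pts = [(t, math.log(n)) for t, n in samples if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two positive samples")
    mt = sum(t for t, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    sxx = sum((t - mt) ** 2 for t, _ in pts)
    sxy = sum((t - mt) * (y - my) for t, y in pts)
    return sxy / sxx


def doubling_time(samples):
    """Hours for the count to double during a growth phase."""
    k = log_linear_rate(samples)
    if k <= 0:
        raise ValueError("series is not growing")
    return math.log(2) / k


def half_life(samples):
    """Hours for the count to halve during a decay phase."""
    k = log_linear_rate(samples)
    if k >= 0:
        raise ValueError("series is not decaying")
    return -math.log(2) / k


def split_at_peak(samples):
    """Growth phase runs up to the maximum, decay phase from it onward."""
    peak = max(range(len(samples)), key=lambda i: samples[i][1])
    return samples[:peak + 1], samples[peak:]


def worm_lifecycle(samples, decay_hours=48):
    """Return (doubling_time_h, half_life_h). The decay fit uses only the
    first `decay_hours` after the peak so a persistence tail does not
    flatten the estimate (assumed window)."""
    growth, decay = split_at_peak(samples)
    t_peak = decay[0][0]
    early_decay = [(t, n) for t, n in decay if t <= t_peak + decay_hours]
    return doubling_time(growth), half_life(early_decay)


def constructed_series(n0=50, peak_hour=24, end_hour=120,
                       doubling_h=2.3, half_life_h=10.4):
    """Hourly unique-host counts: exponential growth to the peak, then
    exponential decay. Constructed to match the rates quoted in the talk."""
    n_peak = n0 * 2 ** (peak_hour / doubling_h)
    series = []
    for t in range(end_hour + 1):
        if t <= peak_hour:
            n = n0 * 2 ** (t / doubling_h)
        else:
            n = n_peak * 0.5 ** ((t - peak_hour) / half_life_h)
        series.append((t, n))
    return series


if __name__ == "__main__":
    d, h = worm_lifecycle(constructed_series())
    print(f"doubling time {d:.2f} h, half-life {h:.2f} h")
```

Fitting the logarithm rather than the raw counts is what makes "doubling time" and "half-life" well defined: both are constants only if the phase is exponential, and a poor fit in either phase is itself a sign that containment (filters going in, as the slide describes) is changing the dynamics.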

Breakdown of Infected Hosts
• Reverse DNS lookups for active hosts show a global distribution
• Second-level domain name analysis shows the impact on consumer broadband providers
• Observed over 280K unique IP addresses in the blackhole displaying Blaster behavior
[Charts: TLD and 2LD breakdown]

Blaster’s Tenuous Grip
• Welchia counter-worm released on August 18
• Circadian pattern, peak near 00:00 EDT
• Global TLD distribution of infected hosts
[Chart label: Welchia]

Depth vs. Breadth
Classification of Internet Threat Monitoring Architecture

Internet Motion Sensor – A Distributed Blackhole Monitor
Working with 30+ Internet Service Providers

Wrap Up
• Attacks on ISP infrastructure: DoS attacks on backbone routers, routing protocol exploits, route hijacking
• Increasing sophistication and severity of zero-day attacks on edge networks
• Self-propagating malicious code:
  - Rapid propagation creates a DoS condition (Slammer)
  - Worms launched with a DoS payload (MS Blaster)
• Increased interdependency with/on service providers and sites not under “your” control
• Crumbling perimeter and internal security

More Info
White Papers & Research Reports:
• “Service provider infrastructure security: Detecting, tracing, and mitigating network-wide anomalies”
• “One size does not fit all: tailoring denial of service mitigation to maximize effectiveness”
• “Intelligent network management with Peakflow Traffic”
• “The Internet Motion Sensor (IMS): A distributed global scoped Internet threat monitoring system”
Contact Info:
Speaker: Farnam Jahanian
European Contact: Rob Pollard, Dir. of EMEA Solutions; Steve Mulhearn, Mgr. of Consulting Engineering