Session 1 Framework Security Threat Responsibility and Policy Architecture Response Flow Preparation

Emergency Response Yan Wang

Agenda  Framework & Technology  Security Monitoring  Response Measure  Case Study & Discussion

Security Threat  Threat Evolution and Trends  Threat Categories  Attacks Fundamental

Evolution of Availability Threats

Exploit Trends

Three Key Threat Categories Reconnaissance Unauthorized discovery and mapping of systems, services, or vulnerabilities Access Unauthorized data manipulation, system access, or privilege escalation Denial of Service Disable or corrupt networks, systems, or services

How do these impact ISPs? Reconnaissance – Happens all the time. It is part of the “ attack noise ” of the Internet (along with low level attacks and backscatter). Access – Break-ins on the edge of an ISP ’ s network (I.e. customer CPE equipment) can impact the ISP ’ s core. DOS – The core threat to an ISP – knocking out customers, infrastructure, and services.

Reconnaissance Methods Common commands and administrative utilities nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl Public tools Sniffers, SATAN, SAINT, NMAP, custom scripts

Network Sniffer

nmap

Why Do We Care?

Access Methods

Access Methods (cont.)

Denial of Service Methods Resource Overload Disk space, bandwidth, buffers,... Ping floods, SYN flood, UDP bombs,... Software bugs Out of Band Data Crash: Ping of death, fragmentation … Toolkits TRINOO, Tribal Flood Net and friends Distributed attacks for amplification

DoS

DoS type Resource Overload Disk space, bandwidth, buffers,... Ping floods, SYN flood, UDP bombs,... Out of Band Data Crash Ping of death,... Routing Capacity Fill up packet buffers, queues, flow tables, and processing capabilities.

DoS Sequence

DDoS

DDoS Step 1: Crack Handlers and Agents

DDoS Step 2: Install Trojan & Covert Communication Channel

DDoS Step 3: Launch the Attack

DDOS Attack Characteristics DDOS Arrays (handlers and agents) a maintenance intensive. Take time and effort to create. Launching attacks from an agent can be considered a one shot weapon. Once the attack is launched, there is a risk of traceback. If someone traces back to the agent, they could watch and wait to see if the perpetrator returns to the agent.

Attacks Fundamental

Address Resolution Protocol (ARP)

ARP Datagram

Internet Protocol

IP Header

Internet Control Message Protocol (ICMP)

User Datagram Protocol (UDP)

Transport Control Protocol

TCP Header

TCP Establishment and Termination

Packet Spoofing

IP Spoofing

TCP Blind Spoofing

TCP blind spoofing (Cont.)

ARP Based Attacks

Gratuitous ARP

Misuse of Gratuitous ARP

A Test in the Lab

A Collection of Tools to Do:

ARP spoof in Action

More on ARP Spoof

Selective Sniffing

SSL/SSH Interception

ICMP Based Attacks-smurf

Smurf ’ s Script Kiddy Tool

ICMP Unreachable Teardown

IP Based Attacks IP Normal Fragmentation

IP Normal Fragmentation (Cont.)

IP Normal Reassembly

IP Reassembly Attack

IP Reassembly Attack (Cont.)

Ping of Death Attack Denial of Service

UDP Based Attacks Looping UDP

DoS - Fraggle Attack

TCP Based Attacks SYN Attack

TCP SYN Flood

TCP Session Hijacking

TCP DDOS Reflection Attacks

Other Attacks

Incident Response Team  A Computer Security Incident Response Team (CSIRT) is a team that performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency.

ISP Security ISP need to: Protect themselves Help protect their customers from the Internet Protect the Internet from their customers At any given time there are between 20 to 40 DOS/DDOS attacks on the Net

Role of Service Providers

ISP Security Actions

Policy

Avoid extensive damage to data, systems and networks due to not taking timely action to contain an intrusion Minimize the possibility of an intrusion affecting multiple systems both inside and outside an organization because staff did not know who to notify and what actions to take. Avoid negative exposure in the news media that can damage an organization ’ s public image and reputation. Avoid possible legal liability and prosecution for failure to exercise due care when systems are inadvertently or intentionally used to attack others.

Preparing to Respond Create an archive of original media, configuration files, and security-related patches for all router and host operating systems and application software versions Ensure that backup tools and procedures are working Create a database of contact information Select and install tools to use when responding to intrusions

Preparing to Respond (Cont.) Develop a plan and process to configure isolated test systems and networks when required Keep response plans, procedures and tools up to date Consider performing a practice drill to test tools and procedures

CERT Infrastructure Information Platform （ Website ） Tel, Mail Event Processing System Traffic Monitoring System Intrusion Detection System

Security System Security System Architecture Infrastructure Identity Authen Clock Synchronization Security Monitoring System Traffic Collection Traffic Analyse and Account emergency response service system information issue system Event Cooperation Leak Scan Distributing IDS IP info

CCERT Framework CERNET Committee of Experts Center CCERT Regional CCERT CCERT Expert Team Campus CCERT R&D Secretariat Interprovincial CCERT

CCERT R&DLiaisonTraining AnalysisMonitoringService Committee of Experts CCERT Framework

Response Flow ① Preparation ② Detection ③ Analysis ④ Decision ⑤ Control ⑥ Announcement ⑦ Statistic

Response Flow helpdesk Investigation NOC Traffic analyzing and monitoring Signature based IDS CERNET management CNCERT/CC Other IRTs Users Administrators tools patches Attack signature Incident database Whois info advisories Common Event Important Event

What Do ISPs Need to Do?

Components of Response  Analyze the event  Contain the incident  Eliminate intruder access  Restore operations  Update procedures based on lessons learned

Analyze Event What systems were used to gain access What systems were accessed by the intruder What information assets were available to those systems? What an intruder did after obtaining access What an intruder is currently doing

Contain the Intrusion Gain control of the systems involved Attempt to deny an intruder access to prevent further damage Monitor systems and networks for subsequent intruder access attempts

Eliminate Intruder Access Change all passwords on all systems accessed Restore system and application software and data, as needed What other systems might be vulnerable?

Restore Operations Validate the restored system Monitor systems and networks Notify users and management that systems are again operational

Other Build the Communications Channels to your Peers and Customers Build the Communications Channels to your Vendors

Preparation Securing the Router and the Management Plane Securing the Network and Data Plane Securing the Routing Protocol and Control Plane Anycast as a Security Tool Using IP Routing as a Security Tool

Terminology

Securing the Router and the Management Plane

Routers do get Directly Attacked

Router Security

Global Services You Turn OFF

Interface Services You Turn Off

Cisco Discovery Protocol

Use Enable Secret

Securing Access to the Router

RISK Assessment

Lock Down the VTY and Console Ports

VTY and Console Port Timeouts

VTY Security

Encrypt the Traffic from Staff to Device

SSH Support in ISP Code

Cisco IOS SSH Configuration

SSH Server Implementation

SSH Server Configuration Prerequisites

SSH Server Configuration

SSH Server Configuration (cont.)

SSH Server Configuration Summary

SSH Client Access

SSH Terminal-Line Access

Secure Copy (SCP)

Staff AAA to get into the Device

What is ISP AAA and ISP AA?

Separate Security Domains!