Internet network monitoring technology for early detection of threats and disruptions. Alberto Rivai, arivai@cisco.com.

About Myself: Bachelor's degree in Electrical Engineering; Master's degree from Queensland University of Technology; 7 years of experience in security-related areas; 2 years of working experience at a Managed Security Service Provider; CISSP (Certified Information Systems Security Professional); other vendor-related certifications.

Goal: Provide techniques/tasks that any SP can do to improve their resistance to security issues. These techniques can be applied on any core routing vendor's equipment. Each of these techniques has proven to make a difference.

Current State: ISPs are working alone to protect their infrastructure. SPs, CERTs, and "officials" in Indonesia are not yet aware that this group exists or that it is preventing these attacks from happening. No collaboration; a point-product approach. So how are they going to get "early warning" if they are not involved with the community doing battle with the bad guys?

DDoS Vulnerabilities: Multiple Threats and Targets
Attack zombies (Z): use valid protocols, spoof source IP, massively distributed, variety of attacks.
Targets: provider infrastructure (DNS, routers, and links), the access line, and the entire data center (servers, security devices, routers; e-commerce, web, DNS, email, ...).

List of things that Work
- Prepare your NOC
- Mitigation communities
- Point protection on every device
- Edge protection
- Remote triggered black hole filtering
- Sink holes
- Source address validation on all customer traffic
- Total visibility (data harvesting, data mining)
- Security event management

The Executive Summary

SP Security in the NOC - Prepare
PREPARATION: prep the network, create tools, test tools, prep procedures, train the team, practice.
IDENTIFICATION: How do you know about the attack? What tools can you use? What's your process for communication?
CLASSIFICATION: What kind of attack is it?
TRACEBACK: Where is the attack coming from? Where and how is it affecting the network?
REACTION: What options do you have to remedy it? Which option is the best under the circumstances?
POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?

Aggressive Collaboration. Communities working together against hijacked drone armies: MWP, NSP-SEC-JP, FUN-SEC, NSP-SEC-KR, NSP-SEC-BR, FIRST/CERT Teams, DSHIELD, NSP-SEC, National Cyber Teams, Internet Storm Center, NSP-SEC-TW, iNOC-DBA, NSP-SEC-D, Telecoms ISAC, NSP-SEC-CN, SANS, MyNetWatchman, other ISACs.

Point Protection (diagram): penetration, DoS and interception threats against the AAA servers, the NOC, the ISP's backbone, and remote and office staff.

Edge Protection: core routers individually secured PLUS infrastructure protection; routers generally NOT accessible from "outside" (telnet, SNMP).

Destination Based RTBH (diagram): Peer A at IXP-W, Peer B at IXP-E, Upstream A and Upstream B, a POP and the NOC, with the target behind an edge router. The NOC advertises the list of black-holed prefixes over iBGP to the edge routers (labelled A through G in the diagram).

Sink Holes (diagram): remote triggered sink holes are placed next to each external connection (Peer A at IXP-W, Peer B at IXP-E, Upstream A, Upstream B), at the POP and in the services network. Garbage packets flow to the closest sink hole. The example shows the customer prefix 171.68.19.0/24 and the primary DNS servers at 171.68.19.1.
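The two slides above describe the same mechanism with two different next hops: a destination-based RTBH points the /32 at an address every edge router statically routes to Null0, while a sink hole points it at the sink hole router. The model below is an added example, not code from the talk; the discard address 192.0.2.1, the sink hole address 192.0.2.2, the interface names and the target host inside the slide's 171.68.19.0/24 prefix are all constructed.

```python
import ipaddress

# Constructed addresses: DISCARD is statically routed to Null0 on every edge router,
# SINKHOLE is the address of the sink hole router (hypothetical values).
DISCARD = "192.0.2.1"
SINKHOLE = "192.0.2.2"


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False  # an interface name such as "Gi0/1" or "Null0"


class EdgeRouter:
    """Minimal edge router routing table with recursive next-hop resolution."""

    def __init__(self, name, static_routes):
        self.name = name
        # prefix -> next hop: interface name, "Null0", or an IP address string
        self.rib = {ipaddress.ip_network(p): nh for p, nh in static_routes.items()}

    def install_ibgp(self, prefix, next_hop):
        """Prefix pushed by the NOC trigger router over iBGP (the RTBH/sink hole signal)."""
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((p for p in self.rib if addr in p), key=lambda p: p.prefixlen, default=None)
        return None if best is None else self.rib[best]

    def egress(self, dst):
        """Resolve IP next hops until an interface or Null0 is reached (bounded depth)."""
        nh = self.lookup(dst)
        for _ in range(8):
            if nh is None or not _is_ip(nh):
                return nh
            nh = self.lookup(nh)
        return None


def build_edge(name):
    return EdgeRouter(name, {DISCARD + "/32": "Null0", SINKHOLE + "/32": "Gi0/3",
                             "171.68.19.0/24": "Gi0/1", "0.0.0.0/0": "Gi0/0"})


def noc_trigger(edges, target_host, action):
    """NOC advertises target/32 network-wide: RTBH -> discard address, sinkhole -> sink hole."""
    for r in edges:
        r.install_ibgp(target_host + "/32", DISCARD if action == "rtbh" else SINKHOLE)


def demo():
    edges = [build_edge(n) for n in ("edge-ixp-w", "edge-ixp-e", "edge-upstream-a")]
    before = edges[0].egress("171.68.19.7")            # normal customer path
    noc_trigger(edges, "171.68.19.7", "rtbh")
    during = [r.egress("171.68.19.7") for r in edges]  # dropped at every edge
    other = edges[1].egress("171.68.19.8")             # rest of the /24 unaffected
    noc_trigger(edges, "171.68.19.7", "sinkhole")
    return before, during, other, edges[2].egress("171.68.19.7")
```

The trade-off the slides imply is visible in `during`: destination-based RTBH completes the denial of service for that one host in exchange for protecting the links and the rest of the prefix, whereas the sink hole keeps the traffic flowing to a place where it can be analysed.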

BCP (Best Current Practice) 38 Ingress Packet Filtering / RFC 3704
Example: the ISP's customer allocation block is 96.0.0.0/19, assigned to customers as 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24 and 96.0.21.0/24. BCP 38 filter = allow only source addresses from the customer's 96.0.X.X/24.
BCP 38 filters are applied on downstream aggregation and NAS routers, using:
- Static access list on the edge of the network
- Dynamic access list with AAA profiles
- Unicast RPF
- Cable Source Verify (MAC & IP)
- IP Source Verify (MAC & IP)
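The slide lists two ways of enforcing the same rule; the added example below (not code from the talk) implements both over constructed flow records: a static per-interface access list that permits only the customer's assigned /24, and a Unicast RPF strict-mode check that permits a source only when the best route back to it leaves through the ingress interface. The mapping of the slide's /24s to interfaces Gi0/1-Gi0/3, the upstream interface Gi0/0 and the flow records are assumptions.

```python
import ipaddress

# Constructed assignment of the slide's customer /24s (from 96.0.0.0/19) to the
# aggregation router's customer-facing interfaces; Gi0/0 faces the upstream.
CUSTOMER_PREFIXES = {
    "Gi0/1": ["96.0.18.0/24"],
    "Gi0/2": ["96.0.19.0/24"],
    "Gi0/3": ["96.0.20.0/24", "96.0.21.0/24"],
}
# Routing table used by the uRPF check: prefix -> interface the route points out of.
FIB = {ipaddress.ip_network(p): ifname
       for ifname, nets in CUSTOMER_PREFIXES.items() for p in nets}
FIB[ipaddress.ip_network("0.0.0.0/0")] = "Gi0/0"


def bcp38_permit(ingress_if, src_ip):
    """Static BCP 38 access list: permit only sources inside the prefixes assigned to
    the interface the packet arrived on; an interface with no prefixes permits nothing."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(ingress_if, []))


def urpf_strict_permit(ingress_if, src_ip):
    """Unicast RPF strict mode: permit only if the longest-match route back to the
    source points out the same interface the packet came in on."""
    addr = ipaddress.ip_address(src_ip)
    best = max((p for p in FIB if addr in p), key=lambda p: p.prefixlen, default=None)
    return best is not None and FIB[best] == ingress_if


def filter_flows(flows, check):
    """Split flow records into (permitted, dropped) lists under one check function."""
    permitted, dropped = [], []
    for f in flows:
        (permitted if check(f["if"], f["src"]) else dropped).append(f)
    return permitted, dropped


# Constructed sample flows: ingress interface, source and destination address.
SAMPLE_FLOWS = [
    {"if": "Gi0/1", "src": "96.0.18.25", "dst": "198.51.100.7"},   # legitimate customer
    {"if": "Gi0/1", "src": "96.0.19.25", "dst": "198.51.100.7"},   # spoofs a neighbouring customer's block
    {"if": "Gi0/2", "src": "203.0.113.9", "dst": "198.51.100.7"},  # spoofs an off-net source
    {"if": "Gi0/3", "src": "96.0.21.200", "dst": "192.0.2.53"},    # legitimate customer
    {"if": "Gi0/0", "src": "203.0.113.9", "dst": "96.0.18.25"},    # inbound from upstream: permitted by uRPF
    {"if": "Gi0/0", "src": "96.0.18.25", "dst": "96.0.19.25"},     # our own customer address arriving from outside
]
```

The static list is meant for the customer-facing ports, while uRPF strict mode also catches the last flow, a packet claiming one of the ISP's own addresses but arriving from the upstream side.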

Total Visibility: Anomaly for DNS Queries. Investigate the spike: by polling various devices (routers, interfaces and servers), a DNS query surge can be related to the blip in the interface utilization anomaly (throughput spike, RTT spike), giving an identified cause of the outage. Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
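The correlation the slide describes, as an added example that is not part of the talk: three constructed one-minute series (DNS queries per second, uplink utilization, RTT to the server) are each checked for spikes against a trailing median/MAD baseline, and a DNS spike counts as an explained anomaly only when the other series spike at the same time. The sample values, the 11:20 start time and the thresholds are assumptions, not the RRDtool data behind the slide.

```python
from statistics import median

# Constructed one-minute samples starting 11:20 (hypothetical data).
TIMESTAMPS = [f"11:{20 + i:02d}" for i in range(12)]
DNS_QPS = [200, 210, 205, 198, 202, 207, 1900, 2100, 210, 205, 201, 208]
IF_UTIL_PCT = [30, 31, 29, 30, 32, 31, 88, 92, 33, 30, 31, 30]
RTT_MS = [12, 13, 12, 14, 12, 13, 95, 110, 14, 13, 12, 13]


def detect_spikes(series, window=5, factor=5.0, min_delta=2.0):
    """Flag sample i when it exceeds the trailing window's median by more than
    factor * MAD (scaled to a standard-deviation estimate) and at least min_delta.
    Median/MAD is used so a spike already inside the window does not hide the next one,
    as a mean/stddev baseline would."""
    spikes = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base)
        if series[i] - med > max(factor * 1.4826 * mad, min_delta):
            spikes.append(i)
    return spikes


def correlated_anomalies(primary, others, tolerance=1):
    """Indices of primary spikes that coincide (within tolerance samples) with a spike
    in every other series: the DNS surge related to the interface blip."""
    other_spikes = [detect_spikes(s) for s in others]
    return [i for i in detect_spikes(primary)
            if all(any(abs(i - j) <= tolerance for j in sp) for sp in other_spikes)]


def investigate():
    """Timestamps where DNS queries, interface utilization and RTT all spike together."""
    return [TIMESTAMPS[i] for i in correlated_anomalies(DNS_QPS, [IF_UTIL_PCT, RTT_MS])]
```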

Security Event Management: SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. It provides a holistic view of the network.

Sasser Detection: Dynamic Visual Snapshot

Summary: We cannot provide an early warning system if we don't cooperate with the people fighting the bad guys. We can use the technology available to provide the early warning system. Preparing the NOC is the #1 thing you need to do to prevent attacks: you cannot run around during an attack building and deploying tools and procedures. It is like the fire department going to a fire and then opening the operations manual for how to operate the fire engine. Last but not least, aggressive collaboration and working together with the rest of the world.

Thank You