Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Slides:



Advertisements
Similar presentations
Managing Cisco IOS Software. Overview The router boot sequence Locating IOS software The configuration register Recovering Passwords Backing Up the Cisco.
Advertisements

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.
Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
System and Network Security Practices COEN 351 E-Commerce Security.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
Computer Security and Penetration Testing
1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.
Security Awareness: Applying Practical Security in Your World
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
COEN 252: Computer Forensics Router Investigation.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Network security policy: best practices
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
APA of Isfahan University of Technology In the name of God.
Botnets An Introduction Into the World of Botnets Tyler Hudak
Introduction to Honeypot, Botnet, and Security Measurement
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Troubleshooting Your Network Networking for Home and Small Businesses.
Internet Packet eXchange Protocol (IPX) Network Documentation
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
Final Introduction ---- Web Security, DDoS, others
Cisco S2 C4 Router Components. Configure a Router You can configure a router from –from the console terminal (a computer connected to the router –through.
Denial-of-Service Attacks Justin Steele Definition “A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Trojan Virus By Forbes and Mark. What is a Trojan virus Trojans are malicious programs that perform actions that have not been authorised by the user.
Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Denial of Service Datakom Ht08 Jesper Christensen, Patrick Johansson, Robert Kajic A short introduction to DoS.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
McLean HIGHER COMPUTER NETWORKING Lesson 13 Denial of Service Attacks Description of the denial of service attack: effect: disruption or denial of.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.
1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.
ERICSON BRANDON M. BASCUG Alternate - REGIONAL NETWORK ADMINISTRATOR HOW TO TROUBLESHOOT TCP/IP CONNECTIVITY.
Understand Malware LESSON Security Fundamentals.
Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.
Role Of Network IDS in Network Perimeter Defense.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
By Steve Shenfield COSC 480.  Definition  Incidents  Damages  Defense Mechanisms Firewalls/Switches/Routers Routing Techniques (Blackholing/Sinkholing)
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
Denial of Service A comparison of DoS schemes Kevin LaMantia COSC 316.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Privilege Escalation Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
Introduction to Networking
Network Security: IP Spoofing and Firewall
Lecture9: Embedded Network Operating System: cisco IOS
6. Application Software Security
Lecture9: Embedded Network Operating System: cisco IOS
Presentation transcript:

Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

Overview Disruption – Concepts, Examples, Motivations Hands-on Cyber Attack – Concept – Establishing a Baseline – Demonstration of the Attack – Monitoring & Detection – Analyzing the Attack – Response & Recovery – Enacting Mitigation Actions 2 Router Re-config DoS via DNS Queries

Disruption Disruption is the act of denying, degrading, or otherwise limiting the availability of services provided by a system or application 3

Disruption Some Examples: Network Denial of Service – using the network protocols against themselves to saturate or overwhelm services or the links required to access them (e.g. SYN flood, DNS query flood) Hardware Denial of Service – making a change to the hardware which prevents the device from operating correctly (e.g. BIOS flashing) Service Reconfiguration – changing configurations or operating requirements such that the service, application or system no longer functions as intended (e.g. changing sshd_config to an unexpected port, disabling Windows services, overwriting system boot files) 4

Disruption Disruption can be done without any access to the systems affected – DoS, DDoS, Traffic Floods, Amplification Attacks, … Disruption is also possible (and easier) with access to the system – Rebooting hosts, router configuration changes, … 5

Disruption Network disruption attacks are a battle between attacker’s and defender’s provisioning capabilities. – The one with more bandwidth, servers, capability, etc wins. They are typically done with BotNets since they offer an easy method of provisioning more than the defender can muster They take many, many forms – bandwidth saturation, malformed packets, server overload, etc 6

A Brief Aside – BotNets Compromised Hosts (Zombies) are Centrally Controlled by a Single Entity (a Bot Herder) Typically Used for Malicious Purposes – DDoS, spam, Non-attribution Attacks BotNet – “A collection of software robots, or bots, which run autonomously and automatically” 7

A Brief Aside – BotNets Bot Herder Establishes a Presence 8

A Brief Aside – BotNets Bot Herder Creates a Delivery System - Delivers “BotNet” Payload to Hosts 9

A Brief Aside – BotNets Bot Herder Creates DNS Control Server - Issues Commands to Bots - Receives Data From Bots 10

A Brief Aside – BotNets Bot Herder Identifies Candidate Hosts - Sends Baited to Hosts - Hosts Download Bot Malware from Server - Hosts Become Zombies 11

A Brief Aside – BotNets Bot Herder Identifies Target - Issues Command via Control Server - Zombies Receive Command from Server - Zombies Locate Target - Zombies Report Back to Server 01 12

A Brief Aside – BotNets Bot Herder Launches Attack at Target - Issues Command via Control Server - Zombies Attack Target - Bot Herder Issues Stop Command 01 13

Disruption Hardware disruption attacks can be done remotely, but are easier to pull off with physical access – Ease of system administration = vectors for attack – Some hardware manufacturers allow remote flashing of system BIOS – Physical access = complete control – Don’t forget the obvious hammer to the PC trick 14

Disruption Service reconfiguration attacks can be done remotely or locally, but almost always require some sort of access (recall privilege escalation) – Overwrite boot files – Delete critical OS files – Modify or create a hosts file – Modify application configuration files – Stop or disable MS Windows services System administration tasks can turn into service reconfiguration attacks in the blink of an eye – This could be malicious or accidental! 15

Disruption Why are these attacks important to you? – They keep you from offering services to your customers – Potentially tarnish your reputation as a service provider These attacks may coincide with other attacks – The “loudest” attack usually receives administrator attention – Be sure to watch the bigger picture - this may be a smoke screen These attacks will definitely affect your network – The intent of the attack is to disrupt your operations 16

Disruption 17 Cyber Attack - Router Re-Configuration -

Disruption Cyber Attack – Router Re-Config Your routers perform a critical service to your operation – If they don’t work – you can’t provide service to your customers We will assume that you have a malicious user (an administrator) operating on the inside of your network who wants to disrupt the gateway router – They have the credentials to conduct this attack 18

Disruption Cyber Attack – Router Re-Config Malicious actors might target your gateway routers: – Because they are central points in the network – Affecting one usually has broader effects Why? – The obvious one: deny service – Political statements – Demonstrations of “power” – Cyber “Riot” 19

Disruption Cyber Attack – Router Re-Config The components needed for this attack – Target IP address, credentials 20

Disruption Cyber Attack – Router Re-Config Recall Our Secure Operations Framework 21 Monitor Detect Respond Recover Analyze Baseline

Disruption Cyber Attack – Router Re-Config Establish a Baseline for What’s Normal for Your Network: – What are your current router configurations? – Are your external links up? (silly question – but you may have authorized outages from your provider) – Do you see fluctuations in your links over time? (e.g. poor service quality, satellite link outages, rainstorms, etc) Use this baseline to compare what you currently see to what you expect – The key is expectation, if you aren’t expecting it, analyze it! 22

Disruption Cyber Attack – Router Re-Config 23 Attack Demonstration

Disruption Cyber Attack – Router Re-Config Monitoring & Detection – External Service Availability – Router Configuration Monitoring 24 CVS RANCID

Disruption Cyber Attack – Router Re-Config Monitoring & Detection – Configure your network to monitor service availability and router configuration changes – Monitor your detection tool(s) – Establish a Baseline 25 EX: Detecting Changes with SWATCH EX: Configuring RANCID

Disruption Cyber Attack – Router Re-Config 26 Attack Demonstration (This time you can see how your network views the attack)

Disruption Cyber Attack – Router Re-Config Analysis - what did your detection tools report? Is this really an attack? – External service availability – Router configuration changes Where is the attack coming from? Was your external service availability affected? 27

Disruption Cyber Attack – Router Re-Config Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)Reload configuration from known good copy The actions you take: – Should focus on restoring service – punish the guilty afterwards! 28

Disruption Cyber Attack – Router Re-Config BUT WAIT – Dr. Evil has changed your router again – what has he done?? 29 Attack Demonstration

Disruption Cyber Attack – Router Re-Config Analysis - what did your detection tools report? – External service availability – Router configuration changes Where is the attack coming from? Was your external service availability affected? Are there other indications of what occurred? – Multi-Source Analysis – what else occurred about the same time as the configuration change? 30

Disruption Cyber Attack – Router Re-Config Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)Reload configuration from known good copy 3)Make changes by hand?! 31

Disruption Cyber Attack – Router Re-Config Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Use your analysis tools to determine where attack originated from and who may have done it 3)Consider use of a management VLAN or otherwise restrict infrastructure administration to certain IPs 4)Setup automatic alerts for service availability and configuration changes 32

Disruption Cyber Attack – Router Re-Config What Other Mitigation Steps Would You Take? – What is appropriate for your network & resources? 33 DISCUSSIONS

Disruption Cyber Attack – Router Re-Config Attack Discussion – Everyone hopes their employees are trustworthy – but history tells us otherwise Other Thoughts Before We Move On? 34 Trust But Verify

Disruption 35 Cyber Attack - DoS via DNS Queries - Full Disclosure – we do not (yet) have traffic generation capabilities to saturate all 8 student group 100 Mbps links – so we will throttle your upstream router connections to demonstrate this attack Your backchannel connection will not be affected by the throttling (or the DoS) so you should be able to see the attack as it happens

Disruption Cyber Attack – DoS via DNS Your authoritative DNS servers are open to the world and remotely accessible – They _have_ to be, otherwise, what’s the point? We will generate large numbers of DNS queries to saturate your upstream link – Note that we are NOT targeting your DNS server! The effect is that external users will not be able to resolve DNS queries to your domain 36

Disruption Cyber Attack – DoS via DNS Malicious actors might target your DNS servers: – Because they are remotely accessible – You are guaranteed to have them – DNS queries are easy to generate Why? – The obvious one: deny service – Political statements – Demonstrations of “power” – Cyber “Riot” 37

Disruption Cyber Attack – DoS via DNS The components needed for this attack – Target IP address, DNS query generation 38

Disruption Cyber Attack – DoS via DNS Recall Our Secure Operations Framework 39 Monitor Detect Respond Recover Analyze Baseline

Disruption Cyber Attack – DoS via DNS Establish a Baseline for What’s Normal for Your Network: – What is your current bandwidth? – How much of your bandwidth is normally in use? – How many queries do you normally see? – Do you see fluctuations over time? (e.g. more queries in the morning than in the evening) Use this baseline to compare what you currently see to what you expect – A spike in queries might indicate undue “interest” in you! – You don’t want your first indication of an attack to be a customer calling you! 40

Disruption Cyber Attack – DoS via DNS 41 Attack Demonstration

Disruption Cyber Attack – DoS via DNS Monitoring & Detection – Bandwidth Monitoring Tools – External Service Availability 42 Smoke Ping Net Flow

Disruption Cyber Attack – DoS via DNS Monitoring & Detection – Configure your network to monitor bandwidth and DNS queries – Monitor your detection tool(s) – Establish a Baseline 43 EX: Configuring NFSen

Disruption Cyber Attack – DoS via DNS 44 Attack Demonstration (This time you can see how your network views the attack)

Disruption Cyber Attack – DoS via DNS Analysis - what did your detection tools report? Is this really an attack? – Bandwidth Usage – Queries per second Where is the attack coming from? Was your external service availability affected? 45

Disruption Cyber Attack – DoS via DNS Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)Filter at your gateways based on the attack traffic 3)Contact your upstream providers to filter 4)Provision more services (bandwidth, secondaries, etc) The actions you take: – Should focus on restoring service to your customers – Depend on the extent of attack and where its originating from – Depend on your connectivity and where your customers are located Recall establishing an architecture baseline – you don’t want to figure our where your links are while you are being attacked You may determine that you can mitigate the attack by closing your servers to queries from outside your country – your in-country customers are OK 46

Disruption Cyber Attack – DoS via DNS Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Provision additional bandwidth over separate links 3)Provision geographically separated secondaries 4)Anycasting 5)Mutual Aid Agreements with other ccTLDs 6)Response procedures for contacting upstream providers 7)Procedures for determining customer priority 47

Disruption Cyber Attack – DoS via DNS What Other Mitigation Steps Would You Take? – What is appropriate for your network & resources? 48 DISCUSSIONS

Disruption Cyber Attack – DoS via DNS Attack Discussion – DoS attacks can take many forms; effective monitoring is the only way to detect them – External service monitoring (e.g. what does your network look like from the outside) can help too! Other Thoughts Before We Move On? 49

QUESTIONS? 50 ? Do you have any questions about … –Disruption Attacks –Detecting This Type of Attack –Responding & Recovering From This Type of Attack

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.