Mitigation Strategies Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.


Slide 2: Overview
- Where Did We Start?
- Where We Are Now…
- Survey of Additional Strategies

Slide 3: Where Did We Start?
We started with a fairly simple, non-resilient network:
- One Gateway Router (no ACLs or monitoring)
- One Nameserver
- One Non-Functional NOC
We were "blind"!

Slide 4: We Are Here!
We now have a fairly simple network that offers us some resiliency to cyber attacks:
- One Gateway Router, now with ACLs & monitoring
- One Nameserver, with some configuration changes
- One Functional NOC, doing monitoring & detection
We can see!

Slide 5: We Are Here!
The things we discussed:
- Have a plan BEFORE attacks occur
- Various monitoring tools
- Configuration control
- Secure application configurations
Tip of the iceberg!

Slide 6: It's a BIG World…
There are things we didn't demonstrate, either for lack of time or because we had no way to add them to the lab network:
- Anycasting
- Additional infrastructure
- In-line monitoring
- Active defenses
But let's discuss them! "By the way: not everything is a technical solution!"

Slide 7: Mitigation Strategies: Build a Contingency Plan
- Compare the costs of disruption vs. recovery
- Establish a plan of action for what you expect to be your highest risks
- Concentrate on your business objectives & risk
  - Risk is NOT threat: it's an understanding of what's important to you, the threats, the vulnerabilities, the controls, and the impact
- Prioritize security implementations based on risk
  - You probably don't have the time or resources to implement everything
  - Good security is about multiple layers of protection

Slide 8: Mitigation Strategies: Robust Architectures
- Anycasting
- Geographically separated name servers
- NS on both sides of satellite links
- Diversity in hardware & software
- Over-provision where possible: bandwidth, servers, people!

Slide 9: Mitigation Strategies: Anycasting
"Anycast is a network addressing and routing scheme whereby data is routed to the 'nearest' or 'best' destination as viewed by the routing topology." (Wikipedia)
[Diagram: anycast name servers (NS1, …), each announcing a /24 prefix from its own AS]

Slide 10: Mitigation Strategies: Anycasting
- Increased capacity, resiliency to attack
- Outsourcing
  - Instant gratification, perhaps loss of control
  - What are you really getting? Ask questions!
- Doing it in house
  - Requires expertise & resources to set it up

Slide 11: Mitigation Strategies: Real Time Monitoring
- Stratify your alerts (info, low, med, high, uh oh!)
- Email, SMS, pager notifications of priority alerts
- Select tools that work for you!
Intrusion Detection
- Install & monitor an IDS (e.g. SNORT)
- Where to install it? Inside or outside?
- Feeling adventurous? Put it in active mode!

Slide 12: A Brief Aside - SNORT
- SNORT monitors traffic seen by the box's network card in promiscuous mode
- SNORT compares this traffic to a set of static rules (signatures)
- Any match to a signature produces an alert
- These alerts can be displayed through syslog or through several other front-ends (like BASE)
- Alerts can be stored in a database for later analysis
- An operator can view these alerts and take appropriate action
- Note the one-way paths here, for security purposes…
  - BUT these could all be on the same box if you wanted…
[Diagram: Network -(sniff)-> SNORT -(alerts)-> MySQL -(alerts)-> BASE -(view alerts)-> operator]

Slides 13-14: A Brief Aside - SNORT
- The key to SNORT is its rules
- There are two kinds of rules
  - Official Ruleset
    - Paying users get them as they are released
    - Registered users get them 5 days after release
    - Unregistered users get them with SNORT releases
  - Community Rules: publicly available
- Rules are text-based files that contain a signature (what to alert on) and an action (how to alert)
[Diagram: Network -(sniff)-> SNORT -(alerts)-> MySQL -(alerts)-> BASE -(view alerts)-> operator]

Example rule (the action keyword is lowercase in Snort; a local rule also needs a sid of 1000000 or higher):

alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)
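To make "signature + action" concrete, here is an added example, not Snort's own code and not from the slides: a minimal Python parser and matcher for the one-line rule syntax above, handling the header fields plus the flags and msg options. The $HOME_NET value, the sid/rev options and the packet records are constructed for the demonstration.

```python
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a one-line Snort-style rule into header fields and 'key:value' options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    action, proto, src, sport, _, dst, dport, opts = m.groups()
    options = {}
    for item in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, value = item.partition(":")           # e.g. msg:"SYN packet"
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def _addr_ok(pattern, addr, variables):
    pattern = variables.get(pattern, pattern)          # expand $HOME_NET etc.
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _port_ok(pattern, port):
    return pattern == "any" or int(pattern) == port

def matches(rule, pkt, variables):
    """True when a packet record (a constructed dict here) triggers the rule."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"], variables) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"], variables) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    # 'flags:S' is an exact match in Snort: only SYN may be set, so a SYN-ACK does not fire.
    want = rule["options"].get("flags")
    return want is None or set(want) == set(pkt["flags"])

def alerts_for(rule_text, packets, variables):
    """Return the rule's msg for each packet that fires it, None otherwise."""
    rule = parse_rule(rule_text)
    return [rule["options"]["msg"] if matches(rule, p, variables) else None for p in packets]

# Constructed sample data: $HOME_NET is the registry's prefix (documentation range).
VARIABLES = {"$HOME_NET": "192.0.2.0/24"}
SLIDE_RULE = 'alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)'
SAMPLE = [  # inbound SYN to the name server, its SYN-ACK reply, and a UDP query
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "flags": "S"},
    {"proto": "tcp", "src": "192.0.2.53", "sport": 53, "dst": "198.51.100.7", "dport": 40001, "flags": "SA"},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.53", "dport": 53, "flags": ""},
]
```

Only the first record fires: the reply leaves $HOME_NET and carries SYN+ACK, and the UDP query never reaches the TCP flag check.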

Slides 15-22: A Brief Aside - SNORT (BASE screenshots)
- View alerts by protocol
- View recent alerts by protocol
- View recent alerts by IP
- View recent alerts by port
- View portscans
- A single alert
- Alert title links to alert information
- Click for IP analysis: alerts SOURCED from this IP, alerts DESTINED for this IP

Slide 23: Mitigation Strategies: Vulnerability Scanning
- Regularly scheduled scans, using an updated engine!
- Web application, operating system and third-party application scanners are all available…
Patching Systems
- This is NOT a silver bullet, but it keeps the riff-raff out
- Use automatic updates where available
- Vulnerability scanning can tell you what's missing: don't assume that because you "installed" a patch, it actually took
- Don't forget 3rd-party application updates (Adobe, Flash, Firefox, etc.)

Slide 24: Mitigation Strategies: Forensic Data Capture
- Capture the last, say, 12 hours of traffic so that you can do forensic analysis on what happened after the fact
Technical Configuration Guides
- Understand how your systems are configured and be able to easily reproduce / rebuild them
- Most already exist; find them BEFORE you need them in a hurry

Slide 25: Mitigation Strategies: Data Escrow
- Keeping a copy of your zone and customer data in a safe place
Mutual Aid Agreements
- Other ccTLDs, universities, governments
- Secondary hosts, data escrow, tech assistance
- Temporary manpower & resources
- Do you (would you) share data of an attack with other ccTLDs?

Slide 26: Mitigation Strategies: Cold, Warm, Hot & Mirrored Sites
- Secondary locations that can be stood up in case of physical or cyber difficulties
[Diagram: sites A, B, C, D]

Slide 27: Mitigation Strategies: Bubba Net (Bubba = Friend, Net = Network)
- Establish your professional networks so you know who to call when you need assistance
Develop a Professional Network of Stakeholders
- Governments, ISPs, registrars, etc.
Awareness Briefings to Stakeholders
- Establish yourself as "critical infrastructure"

Slide 28: Mitigation Strategies: End User / Customer Education
- Reduce risk from your customers (e.g. phishing)
Media / Public Relations
- Invite the media in to discuss the best methods of dealing with them
- Build a communication plan so you know how to respond in a given situation

Slide 29: Mitigation Strategies: Internal Training & Awareness
- Train your administrators in defensive actions
- Forces you to establish procedures & policies!
Exercise Defensive Actions
- You will only know your defensive capacity by testing it!
- From simple walkthroughs to elaborate, hands-on, multi-agency exercises

Slide 30: Mitigation Strategies: Test Your Processes
- Two-factor authentication for customer interaction
- Out-of-band communication (phone, fax, walk-in) for customer validation

Slides 31-45: Notional ccTLD Architecture: Putting It All Together
[Diagram, repeated on each slide: Registrant, User and International User, name servers NS1-NS4, and the Internal/External boundary; each slide highlights one component, listed below.]
- Registrant: requests assignment, updates, removal
- Authentication for registrant requests
- Authorization for internal registry changes
- Offsite backup for the entire registry
- Registry: publishes and maintains assignments
- Alternate registry server and database
- Country-localized DNS servers
- Country-localized user
- Firewall
- Primary global DNS
- Primary external gateway
- Secondary global DNS server: anycasting with geographic separation
- Secondary external gateway
- International user

Slide 46: Recommendations

Threat                      | Recommendations
----------------------------|---------------------------------------------------------------------------
Zone Transfer               | Monitoring, DNS Server Configuration
Non-Authoritative Spoofing  | Monitoring, Communication
Port Scanning               | Monitoring, Awareness of Other Parallel Attacks
Router Re-Config            | Monitoring, Configuration Control, Administrative VLANs
SSH Brute Force             | Application Logging, Log Analysis, Secure Configuration
DDoS                        | Geographic Separation, Anycasting, Country Localized and Global Server Separation

Slide 47: References
- Internet Society Workshop Resource Center
- ccTLD Best Practices
- ICANN Country Code Name Support Org
- ICANN Security & Stability Advisory Committee
- DNS Security Reading Room
- DNS Installation & Configuration Training

Slide 48: QUESTIONS?
Do you have any questions about…
- Mitigation Strategies