Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in.

Published byQuinten Herford Modified over 9 years ago

Similar presentations

Presentation on theme: "Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in."— Presentation transcript:

1 Sink Holes 111

2 Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in attacks. –Used to redirect attacks away from the customer – working the attack on a router built to withstand the attack. –Used to monitor attack noise, scans, and other activity (via the advertisement of default) –http://www.nanog.org/mtg-0306/sink.html

3 Why Sinkhole? Sinkhole is used to describe a technique that does more than the individual tools we’ve had in the past: –Blackhole Routers – Technique used to exploit a routers forwarding logic in order to discard data, typically in a distributed manner, triggered by routing advertisements. –Tar Pits – A section of a honey net or DMZ designed to slow down TCP based attacks to enable analysis and traceback. Often used interchangeably with Sinkhole. –Shunts – Redirecting traffic to one of the router’s connected interfaces, typically to discard traffic. –Honey Net – A network of one or more systems designed to analyze and capture penetrations and similar malicious activity. –Honey Pot - A system designed to analyze and capture penetrations and similar malicious activity.

4 Sinkhole Routers/Networks Sinkholes are the network equivalent of a honey pot, also commonly referred to as a tar pit, sometimes referred to as a blackhole. –Router or workstation built to suck in and assist in analyzing attacks. –Used to redirect attacks away from the customer – working the attack on a router built to withstand the attack. –Used to monitor attack noise, scans, data from mis- configuration and other activity (via the advertisement of default or unused IP space) –Traffic is typically diverted via BGP route advertisements and policies.

5 Sinkhole Routers/Networks Target of Attack 192.168.20.1 host is target 192.168.20.0/24 – target’s network Sinkhole Network Customers

6 Sinkhole Routers/Networks Target of Attack 192.168.20.1 host is target 192.168.20.0/24 – target’s network Router advertises 192.168.20.1/32 Customers Sinkhole Network

7 Attack is pulled away from customer/aggregation router. Can now apply classification ACLs, Packet Capture, Etc… Objective is to minimize the risk to the network while investigating the attack incident. Sinkhole Routers/Networks Target of Attack 192.168.20.1 host is target 192.168.20.0/24 – target’s network Sinkhole Network Router advertises 192.168.20.1/32 Customers

8 Infected End Points Customer 172.168.20.1 is infected Computer starts scanning the Internet Sink Hole Network SQL Sink Hole advertising Bogon and Dark IP Space

9 Sinkhole Routers/Networks Advertising “default” from the Sinkhole will pull down all sorts of garbage traffic: –Customer Traffic when circuits flap –Network Scans to unallocated address space –Code Red/NIMDA/Worms –Backscatter Can place tracking tools in the Sinkhole network to monitor the noise. Customers Sinkhole Network Router advertises “default” Customers

10 Scaling Sinkhole Networks Multiple Sinkholes can be deployed within a network Combination of IGP with BGP Trigger Regional deployment –Major PoPs Functional deployment –Peering points –Data Centers Note: Reporting more complicated, need aggregation and correlation mechanism Customers 192.168.20.1 is attacked 192.168.20.0/24 – target’s network Sinkhole Network

11 Why Sinkholes? They work! Providers and researchers use them in their network for data collection and analysis. More uses are being found through experience and individual innovation. Deploying Sinkholes correctly takes preparation.

12 The Basic Sinkhole Sinks Holes do not have to be complicated. Some large providers started their Sinkhole with a spare workstation with free unix, Zebra, and TCPdump. Some GNU or MRTG graphing and you have a decent sinkhole. To ISP Backbone Sinkhole Server Advertise small slices of Bogon and Dark IP space

13 Expanding the Sinkhole Expand the Sinkhole with a dedicated router into a variety of tools. Pull the DOS/DDOS attack to the sinkhole and forwards the attack to the target router. Static ARP to the target router keeps the Sinkhole Operational – Target Router can crash from the attack and the static ARP will keep the gateway forwarding traffic to the Ethernet switch. To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Static ARP to Target Router

14 What to monitor in a Sinkhole? Scans on Dark IP (allocated & announced but unassigned address space). –Who is scoping out the network – pre-attack planning. Scans on Bogons (unallocated). –Worms, infected machines, and Bot creation Backscatter from Attacks –Who is getting attacked Backscatter from Garbage traffic (RFC- 1918 leaks) –Which customers have misconfiguration or “leaking” networks.

15 Monitoring Scan Rates Select /32 (or larger) address from different block of your address space. Advertise them out the Sinkhole Assign them to a workstation built to monitor and log scans. ( Arbor Network’s Dark IP Peakflow module is one turn key commercial tool that can monitor scan rates via data collected from the network.) To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Place various /32 Infrastructure addresses here

16 Worm Detection & Reporting UI Operator instantly notified of Worm infection. System automatically generates a list of infected hosts for quarantine and clean-up.

17 Automate Quarantine of Infected Hosts

18 Monitoring Backscatter Advertise bogon blocks with NO_EXPORT community and an explicit safety community (plus prefix-based egress filtering on the edge) Static/set the BGP NEXT_HOP for the bogon to a backscatter collector workstation (as simple as TCPdump). Pulls in backscatter for that range – allows monitoring. To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Capture Backscatter Traffic Advertise Bogons with no-export community

19 Monitoring Backscatter Inferring Internet Denial-of-Service Activity –http://www.caida.org/outreach/papers/2001/BackScatter/http://www.caida.org/outreach/papers/2001/BackScatter/

20 Monitoring Spoof Ranges Attackers use ranges of valid (allocated blocks) and invalid (bogon, martian, and RFC1918 blocks) spoofed IP addresses. Extremely helpful to know the spoof ranges. Set up a classification filter on source addresses. To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Export ACL Logs to a syslog server Classification ACL with Source Address

21 Monitoring Spoof Ranges Extended IP access list 120 (Compiled) permit tcp any any established (243252113 matches) deny ip 0.0.0.0 1.255.255.255 any (825328 matches) deny ip 2.0.0.0 0.255.255.255 any (413487 matches) deny ip 5.0.0.0 0.255.255.255 any (410496 matches) deny ip 7.0.0.0 0.255.255.255 any (413621 matches) deny ip 10.0.0.0 0.255.255.255 any (1524547 matches) deny ip 23.0.0.0 0.255.255.255 any (411623 matches) deny ip 27.0.0.0 0.255.255.255 any (414992 matches) deny ip 31.0.0.0 0.255.255.255 any (409379 matches) deny ip 36.0.0.0 1.255.255.255 any (822904 matches). permit ip any any (600152250 matches) Example: Jeff Null’s [jnull@truerouting.com] Test

22 Monitoring Spoof Ranges Select /32 address from different block of your address space. Advertise them out the Sinkhole Assign them to a workstation built to monitor and log scans. Home grown and commercial tools available to monitor scan rates ( Arbor Network’s Dark IP Application is one turn key commercial tool that can monitor scan rates.) To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Place various /32 Infrastructure addresses here

23 Safety Precautions Do not allow bogons to leak: –BGP “NO_EXPORT” community –Explicit Egress Prefix Policies (community, prefix, etc.) Do not allow traffic to escape the sinkhole: –Backscatter from a Sinkhole defeats the function of a Sinkhole (egress ACL on the Sinkhole router)

24 Simple Sinkholes – Internet Facing BCP is to advertise the whole allocated CIDR block out to the Internet. Left over unallocated Dark IP space gets pulled into the advertising router. The advertising router becomes a Sinkhole for garbage packets. Pee r Border Aggregation CPE Internet Backscatter Scanners Worms Pulls in garbage packets. Large CIDR Block Out Customer’s Allocated Block CPE Router /w Default

25 ASIC Drops at Line Rate? Forwarding/Feature ASICs will drop packets with no performance impact. Line Rate dropping will not solve the problem of garbage packets saturating the link. Pee r Border Aggregation CPE Internet Backscatter Scanners Worms Garbage Saturates Link! Large CIDR Block Out Customer’s Allocated Block CPE Router /w Default

26 Backbone Router Injecting Aggregates Some ISPs use the Backbone/core routers to inject their aggregates. Multiple Backbone injection points alleviate issues of link saturation, but exposes the loopback addresses (at least the way it is done today). In a world of multiple Gig- Bots and Turbo worms, do you really want you backbone routers playing the role of garbage collectors? Large CIDR Block Out Customer’s Allocated Block CPE Router /w Default Peer border Aggregation CPE Internet BackscatterScanners Worms Garbage packets are forwarded to backbone router Backbone

27 Simple Sinkholes – Customer Facing Defaults on CPE devices pull in everything. Default is the ultimate packet vacuum cleaner Danger to links during times of security duress. Peer border Aggregation CPE Internet Backscatter Scanners Worms Pulls in garbage packets. Large CIDR Block Out Customer’s Allocated Block CPE Router /w Default

28 Simple Sinkholes – Impact Today In the past, this issue of pulling down garbage packets has not been a big deal. GigBots and Turbo Worms change everything Even ASIC-based forwarding platforms get impacted from the RFC 1812 overhead. Peer Border Aggregation CPE Internet Backscatter Scanners Worms Pulls in garbage packets. Large CIDR Block Out Customer’s Allocated Block CPE Router /w Default

29 Sinkholes – Advertising Dark IP Move the CIDR Block Advertisements (or at least more- specifics of those advertisements) to Sinkholes. Does not impact BGP routing – route origination can happen anywhere in the iBGP mesh (careful about MEDs and aggregates). Control where you drop the packet. Turns networks inherent behaviors into a security tool! To ISP Backbone Sinkhole Gateway Target Router Sniffers and Analyzers Target router receives the garbage Advertise CIDR Blocks with Static Lock-ups pointing to the target router

30 Anycast Sinkholes to Scale Anycast allows garbage packet load management and distribution. Core Backbone Regional Node ISPs POPs

31 Anycast Sinkholes Peer B Peer A IXP-W IXP-E Upstream A Upstream B POP Customer Primary DNS Servers 192.168.19.0/24 192.168.19.1 Services Network Sinkhole employs same Anycast mechanism. Sinkhole

32 Protecting the Core With Sink Holes

33 Protecting the Backbone Point to Point Addresses Do you really need to reach the Backbone router ’ s Point to Point Address from any router other than a directly connected neighbor? 198.0.2.1 198.0.2.2 BK-02-A BK-02-B

34 Protecting the Backbone Point to Point Addresses What could break? –Routing protocols are either loopback (BGP or NTP) or adjacent (OSPF, IS-IS, EIGRP). –NOC can Ping the Loopback. –Traceroutes reply with the address in the reply. Reachability of the source is not required. 198.0.2.1 198.0.2.2 BK-02-A BK-02-B BGP, NTP OSPF, ISIS, EIGRP

35 Protecting the Backbone Point to Point Addresses What have people done in the past: –ACLs – Long term ACL management problems. –RFC 1918 – Works – against the theme of the RFC – Traceroute still replies with RFC 1918 source address. –Does not protect against a reflection attack. 192.168.2.1 192.168.2.2 BK-02-A BK-02-B

36 Protecting the Backbone Point to Point Addresses Move the Point to Point Addresses blocks to IGP based Sink Holes. –All packets to these addresses will be pulled into the Sink Hole. –People who could find targets with traceroute cannot now hit the router with an attack based on that intelligence. –Protects against internal and reflection based attacks. BK-02-A BK-02-B Sink Hole Module Packet P-t-P infrastructure address. 198.0.2.1 198.0.2.2

Download ppt "Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in."

Similar presentations

How to Multi-Home Avi Freedman VP Engineering AboveNet Communications.

How to Multi-Home Avi Freedman VP Engineering AboveNet Communications.
An Operational Perspective on BGP Security Geoff Huston February 2005.

An Operational Perspective on BGP Security Geoff Huston February 2005.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Best Practices for ISPs

Best Practices for ISPs
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
Internet Routing (COS 598A) Today: BGP Routing Table Size Jennifer Rexford Tuesdays/Thursdays 11:00am-12:20pm.

Internet Routing (COS 598A) Today: BGP Routing Table Size Jennifer Rexford Tuesdays/Thursdays 11:00am-12:20pm.
CSE5803 Advanced Internet Protocols and Applications (7) 1 7.1 Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.

CSE5803 Advanced Internet Protocols and Applications (7) Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.
CMPE 151 Routing Marc Mosko. 2 Talk Outline Routing basics Why segment networks? IP address/subnet mask The gateway decision based on dest IP address.

CMPE 151 Routing Marc Mosko. 2 Talk Outline Routing basics Why segment networks? IP address/subnet mask The gateway decision based on dest IP address.
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932

Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,

MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,
Border Gateway Protocol(BGP) L.Subramanian 23 rd October, 2001.

Border Gateway Protocol(BGP) L.Subramanian 23 rd October, 2001.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.

Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.

Similar presentations

Ads by Google