Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan.

Published byToby Wilson Modified over 9 years ago

Similar presentations

Presentation on theme: "The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan."— Presentation transcript:

1 The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan

2 Arbor Networks, inc. Proprietary Emerging Trends  Globally scoped, respecting no geographic or topological boundaries  Exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes  Zero- day threats, exploiting vulnerabilities for which no signature or patch has been developed

3 Arbor Networks, inc. Proprietary Infrastructure Security Threats  One large service provider experienced over 1,100 DoS attacks in the 1 st half of 2003. [Rob Thomas, NANOG 28]  Multi-gigabit attacks are increasingly routine. Attacks with 10Gbps aggregate capacity have been recorded.  Emerging threats from IRC bots - IRC bots support automated scanning and exploitation of inadequately protected Windows systems, also offer DDoS capabilities.  Massive pools of available zombies, e.g. IRC botnets with over 140,000 machines. [CERT Advisory CA-2003-08, March 2003]  With so much capacity, spoofing source addresses is no longer “cool”.  Of 1.127 attacks on a large ISP, only 4 employed spoofed addresses! [Rob Thomas, NANOG 28]  During Slammer, 75K hosts infected in 30 min. [Moore et al, NANOG February, 2003]  At peak, 5 Billion injection attempts per day during Nimda. [Arbor Networks, Sep. 2001]

4 Arbor Networks, inc. Proprietary SQL Slammer Attack Propagation 0 hosts infected at the start 75,000 hosts infected in 30 min. Infections doubled every 8.5 sec. Spread 100X faster than Code Red At peak, scanned 55M hosts per sec. [Moore, Paxson, et al; NANOG February, 2003]

5 Arbor Networks, inc. Proprietary Loss of several thousand routes, mostly /24s Impact of Slammer on the Internet

6 Arbor Networks, inc. Proprietary The Evolution of Network Threats Problems that manifest themselves network-wide:  DDoS  Zero-day worms / AV  Routing attacks

7 Arbor Networks, inc. Proprietary Complementary Techniques  Detecting, backtracing and mitigating denial-of- services attacks  Blackhole monitoring of unused address blocks

8 Arbor Networks, inc. Proprietary Denial-of-Service  Attempts to "flood" a network, thereby preventing legitimate network traffic  Attempts to disrupt connections between users and web sites, thereby preventing access to a service  Attempts to prevent access to critical infrastructure such as DNS or service provider routers A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. [CERT]

9 Arbor Networks, inc. Proprietary Distributed Denial-of-Service  Phase I: The Initial Intrusions  Scan networks, identify vulnerable hosts, compromise by installing tools and backdoors  Phase II: The Distributed DoS Attacks  Signal and launch attacks on target web sites, communication links, routers, DNS, etc.  Self-propagating worms sometimes blur the distinction between Phase I and II

10 Arbor Networks, inc. Proprietary Why is this problem so hard?  Dichotomy in the need for open networks and the vulnerability of hosts to attacks on the Internet  Zombie-based attacks involve unwitting organizations whose hosts & networks have been compromised  Spoofed attacks hide the identity & location of attackers  Lack of cooperation (mechanisms and policies) between network service providers  Offensive techniques to disarm online attackers are believed to be illegal  Misuse detection techniques and firewalls do not prevent even these attacks

11 Arbor Networks, inc. Proprietary Myth #1: Magic Box!  Put “filtering box” at enterprise border  Stop drinking from fire hose, close your mouth  May not even see attack: on upstream router or on firewall Myth #2: IDS Tools  Rely on intrusion detection systems for DoS detection and classification  Signature-based IDS tools cannot identify zero-day attacks, e.g. SLAMMER Worm

12 Arbor Networks, inc. Proprietary Best Practices  “Practice good computer hygiene”  Patch well-known holes and vulnerabilities  Deploy anti-spoof egress filtering  Policies and procedures for handling alerts  Campus-wide incident response team  Internet Routing Registry  Mechanisms and procedures for sharing information and working with upstream providers  Push for routing and DNS authentication Still Not Enough!

13 Arbor Networks, inc. Proprietary So what is the solution? Network Anomaly Detection A proactive, holistic, dynamic approach to security. Operators must model their infrastructure network-wide, rather than model the myriad threats against individual components.

14 Arbor Networks, inc. Proprietary Peakflow Architecture Build a model of normal behavior leveraging flow data topology information from routers; employ signature analysis and dynamic profiling to monitor and detect DoS attacks in real-time; use distributed event aggregation techniques to backtrace attackers; apply attack-specific remediation methods to minimize impact on target. Solution Network Topology Information Correlation & Analysis Techniques Real-Time Traffic Flow Statistics Network Traffic Profiles

15 Arbor Networks, inc. Proprietary How Peakflow Works Profile/Monitor: Peakflow DoS dynamically profiles traffic patterns in the network and analyzes traffic for anomalies – without disrupting traffic flow to routers Detect: Peakflow DoS Collectors create and forward unique anomaly fingerprints to Peakflow DoS Controllers. Trace: Peakflow DoS Controllers then quickly trace the attack to its source. Filter: Peakflow DoS Controller recommends filters (X), which the network engineer can implement to stop the attack before it brings down key routers, firewalls and IDS solutions, or the entire network. Collector Controller Customer Site: Web Servers DNS Servers Database Servers Firewall IDS Service Provider A Service Provider C Service Provider B

16 Arbor Networks, inc. Proprietary Mitigation Strategies  Do Nothing! (very popular)  Notify downstream AS or upstream provider  Packet Filters: ACLs or Firewall  Filter based on attack characteristics  Rate Limit Traffic  Based on attack characteristics: ICMP, UDP, TCP SYN  QoS policy propagation with BGP (special community)  BGP Blackhole Routing  Sinkhole Diversion or Off-Ramping Also provide the data necessary to know which one to choose and how to configure it.

17 Arbor Networks, inc. Proprietary Benefit Instantly flags known and new (zero-day) attacks with minimal configuration Quickly identify impacted customers and equipment Understand the components to match the right solution Stop the attack and quickly ensure normal network operation Custom analysis for forensics, trending and research; share with customers, co-workers, partners FeatureFunction Detection & Fingerprinting Anomaly-based detection and attack fingerprinting TracebackReconstructs the attack trajectory across the network AnalysisGenerate detailed profiles of the anomalous traffic MitigationIntelligent, flexible, attack- specific mitigation options Flexible ReportingExports XML and PDF-based anomaly data for offline analysis

18 Case Studies

19 Arbor Networks, inc. Proprietary Peakflow Deployments

20 Arbor Networks, inc. Proprietary Network-Wide View Network-wide view of anomalous traffic Anomalies are classified as low, medium, or high. Different levels trigger alerts (email, SNMP, etc.)

21 Arbor Networks, inc. Proprietary A RECENT LARGE SCALE DOS ATTACK Anomalies are classified as low, medium, or high. Different levels trigger alerts (email, SNMP, etc.) Visual breakout of affected network elements.

22 Arbor Networks, inc. Proprietary THE ATTACK IN MORE DETAIL (PAGE 1) Provide detailed information on characteristics of DoS attack.

23 Arbor Networks, inc. Proprietary THE ATTACK IN MORE DETAIL (PAGE 2) Visual breakout of affected network elements. Identifies routers and interfaces that are impacted by attack.

24 Arbor Networks, inc. Proprietary THE ATTACK IN MORE DETAIL (PAGE 3) Presents a detailed fingerprint for the attack. Automatically generates the appropriate ACL/CAR or firewall filter sets for blocking attack.

25 Arbor Networks, inc. Proprietary Complementary Methodologies  Detecting, backtracing and mitigating denial-of-services attacks  Blackhole monitoring of unused address blocks

26 Arbor Networks, inc. Proprietary Block of dark address space that while routable, contain no active hosts Traffic on the blackhole is due to scans, worm propagation, or DDoS backscatter Similar to using BGP off-ramping for traffic inspection Blackhole Monitoring

27 Arbor Networks, inc. Proprietary Components of Blackhole Monitor  Passive Module: passive measures the traffic, looking for scans and backscatter and quantifying the breadth of worm infections and scope of DDoS attacks  Active Module: elicits payloads from an adaptively sampled number of end clients, reconstructing the client half of the payload and creating a finger print of the application request  Alerting Module: looks for rapid changes in the characteristics of the overall network traffic as well as the rise of new types of threats

28 Arbor Networks, inc. Proprietary Blackhole Monitoring  Measure wide-scale port scans and service sweeps by attackers  Characterize and quantify Internet worm activities  Estimate the type and severity of globally-scoped DDoS incidents

29 Arbor Networks, inc. Proprietary Wide-Area Blackhole Monitoring Project  Launched by Arbor Networks, Merit network and University of Michigan in 2001  Collect traffic to a globally announced, unused /8 network  Roughly 1/256 of entire Internet address space  Complete TCP handshake for 1 out of 100,000 requests  Reassemble worm payload, identify and log each hit  Save other traffic to disk  Random scans (SSH, DNS, RPC services, FTP, etc.)  DoS backscatter (TCP SYN+ACK and RST, ICMP unreachables)

30 Arbor Networks, inc. Proprietary The Blaster Worm – The View from 10,000 Feet  Wed July 16 2003 – LSD release advisory  “Critical security vulnerability in MS OS”  No known exploit code; patch available  Affected Windows running DCOM RPC services – used for local networking by MS Windows systems  Mon Aug 11 2003 – Blaster Worm appears  Wed Aug 13 2003 – variants appear How Blaster scans  Scans /24 from 0-254, not random hosts  40% of time, /24s within local /16  60% of the time random /24  Scan network for 135/TCP, listen on 69/UDP (TFTP)  Attempt exploit when connection is found  Then attacking host connects to 4444/TCP to use as command line interface  Download msblast.exe via TFTP, start msblast.exe

31 Arbor Networks, inc. Proprietary Blaster’s Traffic Patterns Three phases of the worm lifecycle: growth,decay, persistence Minimum doubling time of 2.3 hours during growth phase Observed over 286,000 unique IP addresses in the blackhole

32 Arbor Networks, inc. Proprietary Pre-Blaster Scan Activity Increase in 135/TCP scans: small before July, started in mid-July, increased after exploit release

33 Arbor Networks, inc. Proprietary Containing Blaster Exponential decay of Blaster observations, half-life 10.4 hrs Contained very “quickly” – operators applying ingress/egress filters Pretty much all cleaned up in 5 days

34 Arbor Networks, inc. Proprietary Breakdown of Infected Hosts Reverse DNS lookups for active hosts shows a global distribution Second-level domain name analysis shows impact on consumer broadband providers Observed over 280K unique IP addresses in the blackhole display Blaster behavior TLD 2LD

35 Arbor Networks, inc. Proprietary Blaster’s Tenuous Grip Welchia counter worm released on August 18 Circadian pattern, peak near 00:00EDT Global TLD distribution of infected hosts Welchia

36 Arbor Networks, inc. Proprietary Depth vs. Breadth Classification of Internet Threat Monitoring Architecture

37 Arbor Networks, inc. Proprietary Internet Motion Sensor – A Distributed Blackhole Monitor Working with 30+ Internet Service Providers

38 Arbor Networks, inc. Proprietary Wrap UP  Attacks on ISP infrastructure: DoS attacks on backbone routers, routing protocol exploits, route hijacking  Increasing sophistication and severity of zero-day attacks on edge networks  Self-propagating malicious code:  Rapid propagation creates DoS condition (Slammer)  Worms launched with DoS payload (MS Blaster)  Increased Interdependency with/on service provider and sites not under “your” control  Crumbling Perimeter and internal security

39 Arbor Networks, inc. Proprietary More Info White Papers & Research Reports:  “Service provider infrastructure security: Detecting, tracing, and mitigating network-wide anomalies”  “One size does not fit all: tailoring denial of service mitigation to maximize effectiveness”  “Intelligent network management with Peakflow Traffic”  “The Internet Motion Sensor (IMS): A distributed global scoped Internet threat monitoring system” Contact Info: Speaker:Farnam Jahanian (farnam@arbor.net) European Contact: Rob Pollard, Dir of EMEA Solutions Steve Mulhearn, Mgr. of Consulting Engineering emeasolutions@arbor.net

Download ppt "The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.

The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,

Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,

Similar presentations

Ads by Google