Published by Edwina Watts. Modified over 9 years ago.
Alberto Rivai, arivai@cisco.com
Internet network monitoring technology for early detection of threats and disruptions
(Original title: Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan)
About Myself
- Bachelor degree in Electrical Engineering
- Master degree from Queensland University of Technology
- 7 years of experience in security-related areas
- 2 years of working experience at a Managed Security Service Provider
- CISSP (Certified Information Systems Security Professional)
- Other vendor-related certifications
Goal
Provide techniques and tasks that any SP can carry out to improve its resistance to security issues. These techniques can be implemented on any core routing vendor's equipment. Each of them has proven to make a difference.
Current State
- The ISP is working alone to protect its infrastructure.
- SPs, CERTs and "officials" in Indonesia are not yet aware that this group exists or that it is working to prevent these attacks from happening.
- No collaboration.
- Point-product approach.
- So how are they going to get "early warning" if they are not involved with the community doing battle with the bad guys?
DDoS Vulnerabilities: Multiple Threats and Targets
Figure: attack zombies (Z) scattered across the Internet. They use valid protocols, spoof source IPs, are massively distributed and launch a variety of attacks. Targets shown: the provider infrastructure (DNS, routers and links), the access line, and the entire data center (servers, security devices, routers; e-commerce, web, DNS, ...).
List of Things that Work
- Prepare your NOC
- Mitigation communities
- Point protection on every device
- Edge protection
- Remote triggered black hole filtering
- Sink holes
- Source address validation on all customer traffic
- Total visibility (data harvesting, data mining)
- Security event management
The Executive Summary
SP Security in the NOC: Prepare
PREPARATION: prep the network, create tools, test tools, prep procedures, train the team, practice.
IDENTIFICATION: How do you know about the attack? What tools can you use? What is your process for communication?
CLASSIFICATION: What kind of attack is it?
TRACEBACK: Where is the attack coming from? Where and how is it affecting the network?
REACTION: What options do you have to remedy it? Which option is the best under the circumstances?
POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?
Aggressive Collaboration
Communities shown: NSP-SEC, NSP-SEC-JP, NSP-SEC-KR, NSP-SEC-BR, NSP-SEC-TW, NSP-SEC-CN, NSP-SEC-D, FUN-SEC, MWP, Hijacked Drone-Armies, FIRST/CERT Teams, National Cyber Teams, DSHIELD, Internet Storm Center, SANS, MyNetWatchman, iNOC-DBA, Telecoms ISAC, Other ISACs.
Point Protection
Figure: the threats (penetration, DoS and interception) are drawn against the AAA servers, the NOC, the ISP's backbone, remote staff and office staff; every one of these points needs its own protection.
Edge Protection
Figure: telnet and SNMP from the "outside" directed at the core. Core routers are individually secured, PLUS infrastructure protection at the edge: routers are generally NOT accessible from outside.
Destination Based RTBH
Figure: edge routers A to G at the IXP-W and IXP-E peerings (Peer A, Peer B), at Upstream A and Upstream B, and in a POP, with the Target behind them. The NOC trigger router advertises the list of black-holed prefixes to every edge router via iBGP.
Sink Holes
Figure: a remote triggered sink hole sits beside each edge router (the Peer A / IXP-W and Peer B / IXP-E peerings, Upstream A, Upstream B, the /24 customer, the services network, the POP and the primary DNS servers). Garbage packets flow to the closest sink hole.
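The two slides above (destination-based RTBH and sink holes) rely on the same trick: the NOC trigger router injects a host route into iBGP with the next hop rewritten, and what that next hop resolves to on each edge router decides whether the traffic is discarded or carried somewhere for analysis. The simulation below is an added example written for this page, not code from the presentation or from Cisco; the router names, the customer prefix 203.0.113.0/24, the sink hole tunnel 10.255.255.0/24 and the use of 192.0.2.1 as the blackhole next hop are assumptions of the example.

```python
import ipaddress

# Next hop that every edge router statically routes to Null0. Any prefix whose
# iBGP next hop is rewritten to this address is discarded at the edge.
# 192.0.2.1 (TEST-NET-1, RFC 5737) is the conventional choice and is an
# assumption of this example.
BLACKHOLE_NEXT_HOP = ipaddress.ip_address("192.0.2.1")


class EdgeRouter:
    """Forwarding table with recursive next-hop resolution. A next hop is
    either an interface name (str) or an IP address that is looked up again."""

    def __init__(self, name):
        self.name = name
        self.rib = {}
        # Pre-provisioned before any incident: the blackhole next hop points
        # at Null0 and a default route points at the upstream link.
        self.install("192.0.2.1/32", "Null0")
        self.install("0.0.0.0/0", "Gi0/0")

    def install(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.rib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for prefix, nh in self.rib.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best

    def egress(self, dst, depth=0):
        """Interface a packet to dst leaves on, after resolving IP next hops."""
        match = self.lookup(dst)
        if match is None:
            return "drop (no route)"
        next_hop = match[1]
        if isinstance(next_hop, str):
            return next_hop
        if depth > 4:
            return "drop (unresolvable next hop)"
        return self.egress(next_hop, depth + 1)


class TriggerRouter:
    """NOC trigger router: injects host routes into iBGP with the next hop
    rewritten, tagged no-export so they never leave the AS."""

    def __init__(self, edges):
        self.edges = edges
        self.advertised = {}

    def _announce(self, prefix, next_hop):
        prefix = ipaddress.ip_network(prefix)
        self.advertised[prefix] = (next_hop, "no-export")
        for router in self.edges:        # one iBGP update reaches every edge router
            router.install(prefix, next_hop)

    def blackhole(self, target):
        """Destination-based RTBH: traffic to target is dropped at every edge."""
        self._announce(target, BLACKHOLE_NEXT_HOP)

    def sinkhole(self, target, sinkhole_addr):
        """Same mechanism, different next hop: traffic to target is carried to
        the sink hole router for analysis instead of being discarded."""
        self._announce(target, ipaddress.ip_address(sinkhole_addr))

    def withdraw(self, target):
        prefix = ipaddress.ip_network(target)
        self.advertised.pop(prefix, None)
        for router in self.edges:
            router.withdraw(prefix)


def demo():
    """Walk one target through normal forwarding, blackhole, sinkhole and withdrawal."""
    edges = [EdgeRouter("upstream-a"), EdgeRouter("ixp-w"), EdgeRouter("pop")]
    for router in edges:
        router.install("203.0.113.0/24", "Gi0/5")     # constructed customer prefix
        router.install("10.255.255.0/24", "Tunnel0")  # constructed path to the sink hole
    noc = TriggerRouter(edges)
    target = "203.0.113.10/32"
    before = edges[0].egress("203.0.113.10")
    noc.blackhole(target)
    during = [router.egress("203.0.113.10") for router in edges]
    neighbour = edges[0].egress("203.0.113.11")      # rest of the /24 is unaffected
    noc.sinkhole(target, "10.255.255.1")
    sunk = edges[1].egress("203.0.113.10")
    noc.withdraw(target)
    after = edges[0].egress("203.0.113.10")
    return before, during, neighbour, sunk, after


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible: the blackhole route does nothing until the edge routers already carry the static route for the blackhole next hop, which is why it belongs in the NOC preparation step, and destination-based RTBH finishes the denial of service against the target host itself; it protects the links, the rest of the /24 and the other customers, not the victim.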
BCP 38 (RFC 2827) Ingress Packet Filtering / RFC 3704 (BCP 84)
Figure: the ISP's customer allocation block is a /19, carved into /24s for individual customers (96.0.X.X/24 in the diagram). The BCP 38 filter allows only source addresses from the customer's own /24 and is applied on the downstream aggregation and NAS routers, not in the core.
Implementation options:
- Static access list on the edge of the network
- Dynamic access list with AAA profiles
- Unicast RPF
- Cable Source Verify (MAC & IP)
- IP Source Verify (MAC & IP)
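The difference between a static ingress ACL and the two Unicast RPF modes is easiest to see on packets, so here is an added example (written for this page, not code from the presentation) that models one aggregation router's FIB and runs constructed packets through all three checks. The FIB contents, interface names and packet sources are assumptions of the example; the 96.0.0.0/19 block mirrors the slide's diagram. The uRPF rules follow the behaviour described in Cisco documentation (strict: the best route back to the source must point out the ingress interface; loose: any non-default route suffices), which the slide only names.

```python
import ipaddress

# Constructed FIB of a downstream aggregation router (assumption of this example):
# prefix -> interface the route points out of.
FIB = {
    ipaddress.ip_network("96.0.0.0/19"): "Gi0/1",   # customer allocation block
    ipaddress.ip_network("96.0.5.0/24"): "Gi0/2",   # one customer /24 reached via a second link
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",     # default route toward the core
}


def fib_lookup(addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def bcp38_static(src, allowed_block):
    """Static ingress ACL: permit a source only if it lies inside the block
    assigned to the customer on this port."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(allowed_block)


def urpf(src, ingress_iface, mode="strict"):
    """Unicast RPF. strict: the best route back to src must leave via the
    interface the packet arrived on. loose: any route back is enough.
    The default route is ignored in both modes (IOS does the same unless
    allow-default is configured)."""
    match = fib_lookup(src)
    if match is None or match[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return match[1] == ingress_iface


def check_packets(sources, ingress_iface, allowed_block):
    """(src, static ACL, strict uRPF, loose uRPF) verdict for each source address."""
    return [
        (src,
         bcp38_static(src, allowed_block),
         urpf(src, ingress_iface, "strict"),
         urpf(src, ingress_iface, "loose"))
        for src in sources
    ]


# Constructed packets arriving on Gi0/1, the port facing the /19 customer block.
PACKETS = ["96.0.3.7", "96.0.5.9", "10.0.0.1", "203.0.113.5"]

if __name__ == "__main__":
    for verdict in check_packets(PACKETS, "Gi0/1", "96.0.0.0/19"):
        print(verdict)
```

The second packet is the case to watch: 96.0.5.9 is inside the customer's allocation, so the static ACL accepts it, but the best route back to it leaves on Gi0/2, so strict uRPF drops it while loose uRPF passes it. That is the asymmetric-routing failure mode that pushes multi-homed edges toward loose mode or static ACLs; the spoofed sources from outside the block fail every check.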
Total Visibility
Anomaly for DNS queries: investigate the spike. By polling various devices (routers, interfaces and servers), the DNS query surge can be related to the blip in the interface utilization anomaly; a throughput spike and an RTT spike appear at the same time. This is an identified cause of the outage.
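The slide shows the correlation as a picture; the added example below (written for this page, not the presentation's tooling) does the same thing on numbers: flag minutes where a polled counter jumps well above its trailing baseline, then line up the flagged minutes from two different counters. The one-minute samples for DNS queries per second and interface utilisation are constructed for the example, as are the window, the three-sigma rule and the five-percent floor on the standard deviation.

```python
import statistics

# Constructed one-minute samples (an assumption of this example), in the shape a
# poller would collect: queries/s on the DNS servers and utilisation (%) on the
# interface in front of them. Minutes 18 to 20 carry the incident.
DNS_QPS = [100, 104, 98, 101, 99, 103, 97, 102, 100, 101,
           99, 103, 98, 100, 102, 101, 99, 100, 950, 1200, 880, 105, 101, 99]
IFACE_UTIL = [20, 21, 19, 20, 22, 21, 20, 19, 21, 20,
              22, 21, 20, 19, 21, 20, 21, 20, 78, 95, 70, 22, 21, 20]


def detect_spikes(series, window=10, k=3.0, floor=0.05):
    """Indices of samples more than k standard deviations above a trailing
    baseline of `window` clean samples. Flagged samples are kept out of the
    baseline, so a spike lasting several minutes is reported for its whole
    duration instead of raising the threshold after its first minute. `floor`
    keeps the threshold meaningful when the baseline is almost flat."""
    baseline = list(series[:window])
    flagged = []
    for i in range(window, len(series)):
        mu = statistics.mean(baseline)
        sd = max(statistics.pstdev(baseline), floor * mu)
        if series[i] > mu + k * sd:
            flagged.append(i)
        else:
            baseline.append(series[i])
            baseline.pop(0)
    return flagged


def correlate(flags_a, flags_b, slack=1):
    """Minutes flagged in one series that also have a flagged minute in the
    other within +/- slack minutes (pollers rarely sample in lockstep)."""
    return sorted(i for i in flags_a if any(abs(i - j) <= slack for j in flags_b))


if __name__ == "__main__":
    dns = detect_spikes(DNS_QPS)
    link = detect_spikes(IFACE_UTIL)
    print("DNS spike minutes:", dns)
    print("link spike minutes:", link)
    print("coinciding minutes:", correlate(dns, link))
```

Holding flagged samples out of the baseline is the detail that matters operationally: if the 950 q/s minute were allowed into the window, the next minute's threshold would jump to roughly 950 and the rest of the surge would go unreported.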
Security Event Management
SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations, and gives a holistic view of the network.
Sasser Detection: Dynamic Visual Snapshot (figure)
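The SEM slide and the Sasser snapshot above describe the same workflow: events from several devices are pulled into one shape, and a pattern that no single device would flag on its own becomes visible across them. The added example below (written for this page, not the presentation's or any vendor's product) normalises NetFlow-style records from two aggregation routers together with an IOS access-list deny from a core router, then raises an incident for any source that fans out to many destinations on TCP 445 inside a short window, which is how Sasser-style propagation looks in the data. All events, device names, addresses (RFC 5737 ranges) and timestamps are constructed for the example; the log line follows the IOS %SEC-6-IPACCESSLOGP layout, but the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not captured traffic. Addresses are RFC 5737
# documentation ranges and the timestamps are an assumption of this example.
# NetFlow-style records from two aggregation routers: (timestamp, exporter, src, dst, dport).
FLOWS = [
    ("2004-05-03T10:00:01", "pop1-agg", "203.0.113.7", "198.51.100.1", 445),
    ("2004-05-03T10:00:01", "pop1-agg", "203.0.113.7", "198.51.100.2", 445),
    ("2004-05-03T10:00:02", "pop1-agg", "203.0.113.7", "198.51.100.3", 445),
    ("2004-05-03T10:00:02", "pop2-agg", "203.0.113.7", "198.51.100.4", 445),
    ("2004-05-03T10:00:03", "pop2-agg", "203.0.113.7", "198.51.100.5", 445),
    ("2004-05-03T10:00:03", "pop2-agg", "203.0.113.7", "198.51.100.6", 445),
    ("2004-05-03T10:00:05", "pop1-agg", "203.0.113.7", "198.51.100.7", 445),
    ("2004-05-03T10:00:02", "pop1-agg", "203.0.113.50", "198.51.100.20", 80),
    ("2004-05-03T10:00:03", "pop1-agg", "203.0.113.50", "198.51.100.21", 445),
    ("2004-05-03T10:00:04", "pop1-agg", "203.0.113.50", "198.51.100.22", 445),
]
# One ACL deny from a core router, in the shape of an IOS %SEC-6-IPACCESSLOGP message.
SYSLOG = [
    "May  3 10:00:04 core1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.7(1063) -> 198.51.100.9(445), 1 packet",
]

ACL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)"
)


def normalize(flows, syslog_lines, year=2004):
    """Map both feeds onto one event shape and order them by time. The syslog
    timestamp carries no year, so the caller supplies it."""
    events = []
    for ts, sensor, src, dst, dport in flows:
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst, "dport": dport, "feed": "flow"})
    for line in syslog_lines:
        m = ACL_RE.match(line)
        if not m:
            continue   # message type this parser does not know; a real SEM would count it
        stamp, host, _proto, src, _sport, dst, dport = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "sensor": host, "src": src, "dst": dst,
                       "dport": int(dport), "feed": "acl-deny"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fanout(events, dport=445, window_s=60, threshold=5):
    """Raise one incident per source that reaches at least `threshold` distinct
    destinations on `dport` inside a `window_s` second window, whichever sensors
    saw the pieces. Worm propagation (Sasser on TCP 445) looks exactly like this."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == dport:
            by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            window_end = first["ts"] + timedelta(seconds=window_s)
            in_window = [e for e in evs[i:] if e["ts"] <= window_end]
            targets = {e["dst"] for e in in_window}
            if len(targets) >= threshold:
                incidents.append({"src": src, "first_seen": first["ts"],
                                  "targets": len(targets),
                                  "sensors": sorted({e["sensor"] for e in in_window})})
                break   # one incident per source; escalation and de-duplication come after
    return incidents


if __name__ == "__main__":
    for incident in detect_fanout(normalize(FLOWS, SYSLOG)):
        print(incident)
```

Each exporter on its own saw three or four connections from the infected host, which is below any sensible per-device threshold; only after normalisation does the source show up against eight distinct targets, and the incident record names all three devices that contributed, which is the first thing the NOC needs for traceback.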
Summary
- We cannot provide an early warning system if we do not cooperate with the people who are fighting the bad guys.
- We can use the technology available to provide the early warning system.
- Preparing the NOC is the #1 thing you need to do to prevent attacks. You cannot run around during an attack building and deploying tools and procedures. It is like the fire department going to a fire and then opening the operations manual for how to operate the fire engine.
- Last but not least, aggressive collaboration and working together with the rest of the world.
Thank You