Real-time DDoS Defense: A collaborative Approach at Internet Scale

Size: px

Start display at page:

Download "Real-time DDoS Defense: A collaborative Approach at Internet Scale"

Emmeline Johns
6 years ago
Views:

1 Real-time DDoS Defense: A collaborative Approach at Internet Scale

2 Agenda Problem & Goal Insight Overview Challenges Implementation Evaluation Conclusion Discussion 2

3 Problem & Goal

4 Problem Source: 4

5 Problem networktraffic 5

6 Problem mitigation and reaction 6

7 Goal 7 Source:

8 Ingredients Insight Overview Evaluation Challenges Implementation Source: 8

9 Insight RQ1: Is real-time and automatic mitigation at ISP level performed and if yes, how? 9

10 Insight Online November December 2012 May July Source:

11 Real-time and automatic mitigation North America 2% Asia 5% Origin 35,00% 30,00% Market segment and frequency 25,00% 20,00% 15,00% 10,00% 5,00% 0,00% Europe 93% February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

12 Real-time and automatic mitigation Process and involved third-parties ISPs and CSIRTs to aid NOC by or telephone February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

Real-time and automatic mitigation 13 16.

13 Real-time and automatic mitigation February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

Real-time and automatic mitigation 14 16.

14 Real-time and automatic mitigation February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

15 Real-time and automatic mitigation Use of automatic mitigation and response tools Plan of use of automatic mitigation and response tools Unsure 3% Agree 43% Unsure 3% 31% Yes 37% No 60% Disagree 17% Yes 37% No 60% 6% 6% 17% Yes, we are planning to do it No, we will not make use of it We are looking into it I am not aware of it February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

16 Real-time and automatic mitigation 16 Automatic actions of mitigation and response tools Rerouting traffic Change blocking / filter capabilities Notification Rate limiting at ingress Exchange data with trusted partners Quarantine machines Changing the target's IP address Other Actions already performed Actions would like to use February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

17 Real-time and automatic mitigation IP traffic filtering IP traffic filtering Greylists 18% No 52% Yes 48% Blacklists 53% Whitelists 29% February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

18 Real-time and automatic mitigation Network configuration protocols 21 Current technical ability to use OpenFlow / Plan to make use of OpenFlow in 3 years 15 39% 10 6 Yes 29% No 71% 9% 10% 13% Netconf SNMP OpenFlow Other Yes, we are planning to do it No, we will not make use of it We are looking into it I am not aware of it February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

19 Real-time and automatic mitigation 18 Sharing threat indicators or security events / incidents None Various CERTs or CSIRTs Law enforcement or governmental entities 0 Industry peers Only receive data Threat indicators Security events/incidents February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

20 Real-time and automatic mitigation Collaboration improves mitigation and response capabilities Disagree 4% Exchange protocols / formats Agree 43% Strongly agree 53% SCAP IDXP IDMEF IODEF x-arf Do or did use Know Heard of Unknown February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

21 Ingredients Insight Overview Evaluation Challenges Implementation Source: 21

22 Terminology Format Protocol vs. 22 Source:

23 Terminology 23

24 Terminology Alert/ Event Alarm/ Warning Incident Security Event/Incident 24

25 Terminology Event Incident Chance Card vs. Source: Source: 25

26 Application Domain Source: 26

27 Who is involved? US governments Defense Advance Research Projects Agency (DARPA) TERENA IETF Incident Handling Stuttgart University s CERT IETF IDWG MITRE IETF MARF Eco Association of the German Internet Industry 27 Source:

28 Timeline 1997 CISL DARPA 2001 IODEF TERENA 2002 CAIF University Stuttgart CERT 2002 IODEF IETF INCH 2003 FINE IETF INCH 2003 IODEF IETF INCH 2003 IDMEF IETF IDWG 2009 CEE MITRE 2013 Project DMTF Cloud Audit or Project Lumberjack ARF MAAWG 2007 ARF IETF MARF 2012 x-arf Eco-Association of the German Internet Industry 2013 x-xarf Kohlrausch & Übelacker

29 Exchange formats CISL IODEF CAIF IDMEF CEE ARF x-arf/x-xarf syslog Language S-expressions XML XML XML XML, JSON MIME MIME Text/XML Content Events, Attacks, Responses Events, Incidents Problem, Vulnerability, Exposure Alerts, Alive messages Events Spam Incidents, Attacks Producer Machine Human Human Machine Machine Machine Machine Machine Consumer Machine Human Human Machine Human Machine/ Human Machine/Human Events Machine/ Human 29

30 IODEF vs. IDMEF 30

31 ARF vs. x-xarf 31

32 Exchange formats and protocols Protocol OSI layer Format Security CIDF Transport CISL message Symmetric Cryptography RID Application IODEF TLS XEP-0268 Application IODEF TLS IDXP Application IDMEF TLS CLT Transport CEE Provided by syslog (RFC 5425) SMTP Application CAIF ARF x-arf Syslog (RFC 3164) Transport Syslog (RFC 3164) None Syslog (RFC 5425) Transport Syslog (RFC 5424) TLS None S/MIME Multipart/Signed Multipart/Encrypted 32

33 Evaluation results XML MIME 33

34 Ingredients Insight Overview Evaluation Challenges Implementation Source: 34

35 Challenges FP rogue ISPs Source: Quantifying cost/benefit Risk 35 Source:

36 Ingredients Insight Overview Evaluation Challenges Implementation Source: 36

37 Framework 37

38 Mitigation and Response System Inference Engine (PHREAK) Event producer sends consumes publishes Pattern Matcher Agenda delivers subscribes Incident consumer Production Memory (rules) Working Memory (facts) 38

39 Mitigation and Response System Pattern Matcher Event Processing Response Selection Reaction Execution Knowledge Base 39

40 Mitigation and Response System Event Processing Normalization Aggregation / Correlation Event Pattern Frequency of event in a time window Geolocation IP Filtering Lists Confidence 40

41 Mitigation and Response System Response Selection Comparison Prioritation Previous Reactions Potential damage Benefit Risk CVSS Event profiles 41

42 Mitigation and Response System Reaction Execution Notification Configuration Exchange formats Pub/Sub Consumer 42

43 Flow-based Event Exchange Format (FLEX) 43

44 Ingredients Insight Overview Evaluation Challenges Implementation Source: 44

45 Evaluation Methodology Source: 45

46 Ingredients Insight Overview Evaluation Challenges Implementation Source: 46

47 Conclusion insight into processes, structures and capabilities a hands-on for network operators 47

48 Conclusion FLEX framework 48

49 Discussion Source: 49

SURVEY ON NETWORK ATTACK DETECTION AND MITIGATION

SURVEY ON NETWORK ATTACK DETECTION AND MITIGATION Welcome to the da/sec survey on network attack detection and mitigation. Network-based attacks pose a strong threat to the Internet landscape and academia