Data Plane Protection. The googles they do nothing.


Types of DoS: single source, multiple sources, reflection attacks (DoS and DDoS), spoofed addressing.

Can be ICMP (smurf, ping of death), SYN floods, or application attacks. Turning off the affected device works pretty well too.

Single Source

Multiple Source

Reflection DoS

Reflection DDoS

Network Effects

Service DoS effects

Bandwidth DoS Effects

Bandwidth DDoS effects

Router Service DoS

Dual Router Service DoS

Dual Router Service DoS

Defenses: firewalls, anycast, ACLs, BCP38, blackholing, BGP-triggered blackholing.

Firewalls: the antithesis of routers. Drop by default.

Firewalls choose to accept or drop a packet based on (generally) layer 3 and 4 data. But they can't protect a buggy application (mostly). Scales until it doesn't.

Textbook architecture: mail, HTTP or whatever.

But more like this.

Policies: then create network-to-network policies.

Count the policies

EASY: three networks, three policies. Oh, I mean six (one per direction).

Next example

Internet ->

Oh other Internet

RAAAAGH

How many policies? There are eight networks. The formula is n(n-1)/2? Only if policies were bidirectional. They aren't, so it's n(n-1): fifty-six policies!

How many policies? Fifty-six policies! That's policies, not rules! There needs to be one rule per service per policy. And there are three firewalls as well.

Firewall configuration doesn't scale well. Try to use an automation system.

Weaknesses? Lordy

Weaknesses:
https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160210-asa-ike (Cisco ASA IKE buffer overflow)
https://kb.juniper.net/infocenter/index?page=content&id=jsa10713&actp=search (Juniper JSA10713, ScreenOS unauthorised code)
https://www.cvedetails.com/cve/cve-2016-1909/ (CVE-2016-1909, FortiOS SSH)
https://blog.coresecurity.com/2015/03/18/analysis-of-a-remote-code-execution-vulnerability-on-fortinet-single-sign-on/ (Core Security analysis of a Fortinet SSO RCE)

FIREWALLS: more resources for firewalls as they look at more. Lookup loops.

Back to this

Remote user?

Remote user? VPN!

General recommendations: multiple layers of firewall. Least specific rules to more specific rules. Isolate groups and areas. Firewalls on hosts! Anything that simplifies configuration.

Anycast: anycast is a method of load balancing traffic across multiple nodes while delivering traffic to a single address.

Anycast: here we have a network; the nodes could be either ASes or individual routers. Doesn't matter.

Anycast: in this case there is no anycast and we have a single node.

Anycast: so for load balancing reasons we put in a second node advertising the same space.

Anycast: so now the traffic is split over the two sites. Remember this is load balanced using routing protocols, so it's not going to be based on traffic loads.

Anycast: but what if we have a fault on the network? Let's say a node goes down.

Anycast: now the routing protocol converges and all the traffic goes to the remaining node.

Anycast: what work did we have to do for that? What new technologies did I need? What licenses did I need? Anycast has been in use since 1995; PCH has been involved in its deployment for a long time. We are even referenced in Wikipedia.

Anycast uses? DNS serving is the most widely deployed. Content distribution is possible. Easing configuration in your network. Increase resilience in your management network by deploying more data collection nodes without having to worry about additional equipment configuration. How does this help network protection?

Anycast uses: DNS serving. All but one of the root DNS servers use anycast. It's the only way to scale when you are limited to only 13 addresses. Uses BGP for advertising networks. Never been taken down.

Anycast uses: management. At my previous employer I set up anycast for the management network, collecting SNMP and syslog and providing DNS and TACACS+. Done over OSPF instead of BGP.
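The management-network case above, as an added configuration example (this is not from the original slides or from PCH): two site routers inject the same anycast /32 for a DNS resolver into OSPF, and each withdraws it when its local resolver stops answering, so the "node goes down" convergence happens even when only the service dies and not the router. Assumed values: anycast address 192.0.2.53/32, site A resolver 10.1.0.53 (site B is identical with 10.2.0.53), OSPF process 1, area 0.

```cisco
! Site A router. Added example, not from the original slides; all
! addresses are assumed. Site B is identical except for 10.2.0.53.
!
! Probe the local resolver with an IP SLA DNS query every 10 seconds.
ip sla 1
 dns example.com name-server 10.1.0.53
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object goes down when the probe fails.
track 1 ip sla 1 reachability
!
! The anycast /32 is a static route to the local resolver that only
! exists while the resolver is answering DNS.
ip route 192.0.2.53 255.255.255.255 10.1.0.53 track 1
!
! Redistribute only the anycast prefix into OSPF. When the track fails
! the static route is withdrawn, OSPF converges, and clients reach site B.
ip prefix-list ANYCAST seq 5 permit 192.0.2.53/32
!
route-map ANYCAST-ONLY permit 10
 match ip address prefix-list ANYCAST
!
router ospf 1
 redistribute static subnets route-map ANYCAST-ONLY
 network 10.1.0.0 0.0.255.255 area 0
```

The resolver itself must have 192.0.2.53 configured as a local (loopback) address and listen on it, since the router forwards packets for 192.0.2.53 to the resolver's link address unchanged. The health check is the part people forget: without it a dead resolver keeps attracting traffic until someone notices, which is the opposite of the resilience the slide is describing.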

ACLs: just block traffic at your edge. We already have ACLs at the edge as it is. This is a fast way to drop traffic at the edge, but it comes with some challenges. If the network is seriously affected, it may be difficult or impossible to access a stressed router. Also you have to maintain the ACL on all the network edge devices.

BCP 38: can someone tell me what that is? It's filtering traffic to ensure that the source address is valid (network ingress filtering, RFC 2827).

BCP 38


How can I filter for it? You'll need to use extended ACLs. But that's not going to scale if you have to manually maintain it. Add it to AAA profiles for dynamic clients.

ACLs!! Looks like this:

    !
    access-list 121 permit ip 192.168.0.0 0.0.0.255 any
    access-list 121 deny ip any any log
    !
    interface Fa0/1
     description Local LAN
     ip access-group 121 in
    !

ACLs: a custom ACL for every interface in your network isn't really going to scale.

ip source guard: configured on Cisco switches, it verifies port + MAC + IP bindings. But it requires DHCP (snooping) so it knows what is configured where. Great for LANs. Not for peering.
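IP source guard on an access switch, as an added example (not from the original slides). It shows the DHCP snooping dependency the slide mentions and the way around it for a host with a static address. VLAN, port and MAC values are assumed.

```cisco
! Access switch. Added example, not from the original slides; VLAN,
! interface and MAC values are assumed.
!
! DHCP snooping builds the binding table that source guard checks.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The uplink towards the DHCP server is trusted; every other port is
! untrusted, so rogue DHCP replies from users are dropped too.
interface GigabitEthernet1/0/48
 description Uplink
 ip dhcp snooping trust
!
! User port: drop any packet whose source IP is not bound to this port
! in the snooping table. Spoofed sources never leave the port.
interface GigabitEthernet1/0/5
 description User port
 switchport access vlan 10
 ip verify source
!
! A host that does not use DHCP is blocked unless it gets a static
! binding (MAC, VLAN, IP, port).
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/5
```

"ip verify source port-security" adds the MAC address to the check but needs port security enabled on the same interface; plain "ip verify source" checks the IP only. Either way the switch, not the router, is doing BCP38 for the LAN.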

Easy BCP38: Unicast Reverse Path Filtering (uRPF). Strict, feasible, loose. Operates on a per-interface basis. Only operates at ingress.
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
http://leighfinch.net/cisco_wiki/index.php/unicast_reverse_path_forwarding

uRPF - Strict: the source address of the packet is checked to see if the arriving interface is the best path back to the source address. If it isn't, the packet is dropped.

uRPF - Feasible: the source address of the packet is checked to see if the arriving interface is one of the possible (feasible) paths back to the source address, not only the best one. If it isn't a possible path, the packet is dropped.

uRPF - Loose: the router checks whether there is any route at all for the source address of the packet, on any interface. If there is no valid route for the address, it is dropped.

uRPF: I've only seen implementations of loose and strict. Interesting tip: if the best route is via Null0, the router will drop the packet.

BCP38: what are the applications of this? Anti-spoofing. Junk traffic dropping. Active network protection.

Anti-spoofing: this prevents forged DDoS and reflection attacks from being sourced from your network. Malware is no longer able to spoof source addresses, so it can't pretend to be someone else or randomise the source address.

Drop junk traffic: saves maintaining ACLs for RFC 1918 traffic and such. If you don't have a route for it, it gets dropped (or if the route is Null0). Pretty handy; like the communities, it saves changing ACLs and prefix lists all the time for provisioning.

Strict vs loose: for implementation, which should you use? For customers and downstream: strict. For a peer where there is a chance of multiple paths (asymmetric routing, which strict mode would break): it should be feasible, but we only have access to loose.
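The strict-for-customers, loose-for-peers split above, as an added configuration example (not from the original slides), together with the Null0 tip and the "junk traffic" slide. Interface names and addresses are assumed, and the Null0 routes for RFC 1918 space assume your own backbone does not use those ranges.

```cisco
! Edge router. Added example, not from the original slides; interface
! names and addresses are assumed.
!
! uRPF is a CEF feature; CEF must be enabled.
ip cef
!
! Customer-facing interface: strict mode. The packet's source address must
! be reachable via the best path out this same interface (rx), so anything
! spoofed from the customer is dropped. Fine for single-homed customers.
interface GigabitEthernet0/1
 description Customer A (single-homed)
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
! Peer-facing interface: loose mode. A route to the source on any
! interface passes; only sources with no route, or whose route points to
! Null0, are dropped. Strict mode here would drop legitimate traffic
! whenever routing is asymmetric.
interface GigabitEthernet0/2
 description Transit / peer
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via any
!
! Caveat: the check ignores a default route unless allow-default is given.
! On a router that only carries a default route, loose mode without
! allow-default drops every source not covered by a more specific route;
! with allow-default it matches every source and only the Null0 routes
! below still bite.
interface GigabitEthernet0/3
 description Upstream (default route only)
 ip address 198.51.100.6 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
! "Junk traffic" without an ACL: packets sourced from these ranges fail
! uRPF on every interface above because their best route is Null0.
! Assumes the backbone itself does not use RFC 1918 addresses.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
```

To confirm the feature is active, "show ip interface GigabitEthernet0/1 | include verify" reports the mode per interface, and the "unicast RPF" counter under Drop in "show ip traffic" shows whether anything is actually being discarded.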

Active network protection: uRPF also allows us to filter traffic we choose based on source. How can we do that? By giving that source a route to Null0. But how can we set the next hop to Null0 everywhere? Not via static routes on every device, that's just silly. Perhaps via a routing protocol? Remember this is all done in hardware.

RTBH: Real Time Black Hole, triggered using BGP.

DoS - RTBH: here we have a single source DoS.

DoS - RTBH: add in the Null0 next hops.

DoS - RTBH: we set the target's route to point at the Null0 next hop.

DoS - RTBH: but that router will drop ALL traffic destined for that target.

DDoS - RTBH: for a DDoS.

DDoS - RTBH: okay, here we have triggered the blackhole; this time it's network wide. Great, damage contained.

DDoS - RTBH: but if the attack traffic is greater than our available link bandwidth (which is likely), then the network is still DoSed. What if we could signal our neighbours and ask them to drop it?

DDoS - RTBH

DDoS - RTBH: but there is still a problem: the victim is still unreachable. :(

Can we do better? kinda

Take a step back: take another look at this diagram. What if we had uRPF enabled?

This would happen: any traffic sourced from the victim that passed through the blackholing router would be dropped. Why? Because the best route to the victim's address now points to Null0, so packets with that source fail the uRPF check.

Source RTBH: so blackhole the attacker's address instead, and just the traffic from the attacker is dropped. Success: the victim is still available to the rest of the internet. Would this work for a DDoS? Only for reflection attacks, where the reflectors' addresses are the real sources. If it was a reflection, how would you signal it to peers? But Arbor Networks will sell you a solution that will do it.

Traffic analysis

How is that achieved? It's not too hard.

RTBH: you can't pass an interface as a next hop through BGP, so pick an address you're never going to use (192.0.2.1 is in TEST-NET-1, RFC 5737). Create a static route, ip route 192.0.2.1 255.255.255.255 Null0, on all the routers. Then advertise a route for the target with 192.0.2.1 as the next hop. QED.

But there are a couple of tricks to it. We'll go over those in the lab.
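The RTBH mechanism from the slides, written out as an added IOS configuration example (this is not the lab material and not from the original slides). It covers the discard route on every router, a trigger router that turns a tagged static route into the BGP announcement, destination RTBH and source RTBH (the latter relying on loose uRPF at the edge, as in the "Source RTBH" slide), and signalling upstreams with the well-known BLACKHOLE community. AS number 64500, the internal community 64500:666, the victim 203.0.113.10, the attacker 198.51.100.200 and all neighbour addresses are assumed.

```cisco
!!! EVERY router in the network: the discard route for the magic next hop.
!!! Added example, not from the original slides; addresses, AS number and
!!! community values are assumed.
ip route 192.0.2.1 255.255.255.255 Null0
!
!!! TRIGGER router. A static route with tag 66 becomes the announcement.
!!! Destination RTBH: blackhole the victim. Nobody can reach it any more,
!!! but the attack traffic dies at the first router it meets.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
!!! Source RTBH: blackhole the attacker (or reflector) address instead.
!!! Only effective on edge interfaces that run loose uRPF.
ip route 198.51.100.200 255.255.255.255 Null0 tag 66
!
ip bgp-community new-format
!
!!! Only tagged statics are redistributed; the next hop is rewritten to
!!! the discard address and the route is marked with our blackhole
!!! community so edge policy can recognise it.
route-map RTBH permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 64500:666
!
route-map RTBH deny 20
!
router bgp 64500
 redistribute static route-map RTBH
 neighbor 10.255.0.1 remote-as 64500
 neighbor 10.255.0.1 send-community
!
!!! EDGE routers. The /32 arrives over iBGP with next hop 192.0.2.1, which
!!! resolves to Null0, so traffic TO the /32 is discarded in hardware.
!!! With loose uRPF on the ingress interface, traffic FROM the /32 is also
!!! discarded, because the best route to its source now points to Null0.
!!! That is what makes source RTBH work, and also why destination RTBH
!!! plus uRPF drops the victim's own outbound packets.
interface GigabitEthernet0/2
 description Transit / peer
 ip verify unicast source reachable-via any
!
ip community-list standard BLACKHOLE permit 64500:666
!
!!! Upstream that honours blackholing: rewrite our community to the
!!! well-known BLACKHOLE community (65535:666, RFC 7999) so they drop the
!!! traffic before it fills our link.
route-map TO-UPSTREAM permit 10
 match community BLACKHOLE
 set community 65535:666
!
route-map TO-UPSTREAM permit 20
!
!!! Any other eBGP peer: never leak the blackhole /32s.
route-map TO-PEER deny 10
 match community BLACKHOLE
!
route-map TO-PEER permit 20
!
router bgp 64500
 neighbor 198.51.100.5 remote-as 64501
 neighbor 198.51.100.5 send-community
 neighbor 198.51.100.5 route-map TO-UPSTREAM out
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 route-map TO-PEER out
```

The two things that go wrong in practice are both visible here: forgetting the discard route on one router (that router then tries to forward to 192.0.2.1 and the /32 is unresolvable there), and letting the internal community leak to a peer whose outbound policy was never written, which is why every eBGP session gets an explicit route-map. The upstream side only helps if the neighbour has agreed to honour 65535:666 (or their own blackhole community) and accepts /32s marked with it; the page's point that you still lose the victim with destination RTBH stands regardless of where the drop happens.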

Other methods: there are other methods to protect against application and service attacks, but we're only dealing with things at the network layer. Other methods? Firewalls, IDS, application proxies and TCP proxies.

Quiz time! What does RTBH stand for? What is BCP 38? How does anycast work? What is a reflection attack? What's the difference between a service attack and a bandwidth attack? Which is most dangerous?