Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

Similar documents
OSSIR. 8 Novembre 2005

Dynamic Botnet Detection

Network Security Fundamentals

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

NETWORK THREATS DEMAN

DDoS Defense Mechanisms for IXP Infrastructures

Cisco Protects Data Center Assets with Network-Based Intrusion Prevention System

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Techniques, Tools and Processes to Help Service Providers Clean Malware from Subscriber Systems

Chapter 10: Denial-of-Services

Internet2 DDoS Mitigation Update

Intelligent and Secure Network

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Basic Concepts in Intrusion Detection

Introduction to Netflow

The Changing Internet Ecology: Confronting Security and Operational Challenges by Mining Network Data

DDoS: Evolving Threats, Solutions FEATURING: Carlos Morales of Arbor Networks Offers New Strategies INTERVIEW TRANSCRIPT

ARDA Program: P2INGS (Proactive And Predictive Information Assurance For Next Generation Systems)

Defenses, Application-Level Attacks, etc. Nick Feamster CS 7260 April 4, 2007

Programmatic Interface to Routing

Data Plane Protection. The googles they do nothing.

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

SENSS: Software-defined Security Service

Network Management and Monitoring

SP Infrastructure Security Survey & Attack Classification

Use Cases. E-Commerce. Enterprise

Cloudflare Advanced DDoS Protection

November 1, 2018, RP Provision of Managed Security Services on an Annual Contract ADDENDUM #2

AMP-Based Flow Collection. Greg Virgin - RedJack

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Security Whitepaper. DNS Resource Exhaustion

Wireless Network Security Fundamentals and Technologies

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Routing Basics. Campus Network Design & Operations Workshop

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Advanced Attack Response and Mitigation

Imma Chargin Mah Lazer

Endpoint Protection : Last line of defense?

Business Strategy Theatre

Converged World. Martin Capurro

Incorporating Network Flows in Intrusion Incident Handling and Analysis

DNS Security. Ch 1: The Importance of DNS Security. Updated

Collective responsibility for security and resilience of the global routing system

Routing Basics. ISP Workshops

Collective responsibility for security and resilience of the global routing system

Denial of Service (DoS)

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Tracking Global Threats with the Internet Motion Sensor

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Cato Cloud. Global SD-WAN with Built-in Network Security. Solution Brief. Cato Cloud Solution Brief. The Future of SD-WAN. Today.

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Trisul Network Analytics - Traffic Analyzer

Security in inter-domain routing

Lecture 12. Application Layer. Application Layer 1

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

SENSS Against Volumetric DDoS Attacks

MPLS-based traffic shunt. Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept. 2003

SURVEY ON NETWORK ATTACK DETECTION AND MITIGATION

Attacks from Within: Windows Spreads Mirai to Enterprise IoT - Draft

Detecting Spam Zombies By Monitoring Outgoing Messages

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Clean Pipe Solution 2.0

An Operational Perspective on BGP Security. Geoff Huston February 2005

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Acceptable Use Policy

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Botnet Detection Using Honeypots. Kalaitzidakis Vasileios

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Chapter 4: Networking and the Internet. Figure 4.1 Network topologies. Network Classifications. Protocols. (continued)

Chapter 4: Networking and the Internet

Security Gap Analysis: Aggregrated Results

RID IETF Draft Update

Routing and router security in an operator environment

Tag Switching. Background. Tag-Switching Architecture. Forwarding Component CHAPTER

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Techniques and Protocols for Improving Network Availability

Introduction to Security. Computer Networks Term A15

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

HTTP BASED BOT-NET DETECTION TECHNIQUE USING APRIORI ALGORITHM WITH ACTUAL TIME DURATION

Flow-based Traffic Visibility

Sink Holes, Dark IP, and HoneyNets

MULTICAST SECURITY. Piotr Wojciechowski (CCIE #25543)

AKAMAI CLOUD SECURITY SOLUTIONS

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CSE 565 Computer Security Fall 2018

Transcription:

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing RIPE 50 Stockholm, Sweden Danny McPherson danny@arbor.net May 3, 2005

Agenda What s a bot and what s it used for? Evolution of threats & problem scope Attack Traceback and Mitigation Inter-domain sharing of attack information Fingerprint Sharing Summary Disclaimer: I was asked to talk about Arbor s Fingerprint Sharing Alliance - attempted to keep this as non-commercial as possible McPherson - RIPE 50 2

What s a bot? A bot is a servant process on a compromised system Usually installed by a trojan, though worms have evolved to install bots as well (e.g., deloder) Communicates with a handler or controller, typically via IRC, often running on public IRC servers or other compromised systems Almost always unbeknownst to the systems owner - got bot? A botmaster or botherder commands bots to perform any of an number of different functions System of bots and controller(s) is referred to as a botnet or zombie network McPherson - RIPE 50 3

Escalation of Worm Threat Escalation of threat in worm payload Clear trend from worms that simply wreak havoc and disrupt network services to worms that enable bot proliferation An entire miscreant economy exists - don t want to violate SLAs with wormtriggered network services disruption McPherson - RIPE 50 4

Escalation of Threats.. For example: Code Red: DDoS against one IP Changed IP/Null routed previous IP Blaster: DDoS against hostname Repeated DNS Shifts Eventual NXDOMAINing of windowsupdate.com record Deloder: Arbitrary DDoS toolkit Hrmm? Backdoors escalated from remote control (e.g., BO, NetBus) to harvesters and far more complicated NetBus was originally written in March of 1998 and only had Swedish UI. In November of 1998 it was translated to English and it s use continues to grow even today! Control channels include IRC commonly and other, encrypted mechanisms more and more. McPherson - RIPE 50 5

What s a botnet used for? Bots are used for one or more of the following: Install key loggers and capture passwords, account information, etc../ ID Theft Gain access to local LANs or internal systems Phishing Spam relay/harvest email addresses for spammers Open proxies DOS Attacks Distributed cracking systems (e.g., Brute Force SSH activity) New Rbot capabilities include using webcams to capture video and still images(!) An entire economy is evolving around bot ownership Sell and trade of bots ($0.10 for generic bot, $40 USD or more for an interesting bot; e.g., a.mil bot) Bots are a commodity - no significant resource constraints McPherson - RIPE 50 6

How big is the problem? As many as 157,000 new bots recruited every day according to a recent report by CipherTrust! Symantec s latest Internet Security Threat Report reports that bot observations currently average 30,000 a day A single botnet comprised of more than 140,000 hosts was observed in the wild over 3 years ago Botnet driven attacks have been responsible for single DDOS attack flows of more than 10Gbps aggregate capacity A study conducted by the University of Michigan showed that an out of the box Windows 2000 PC was recruited into 3 discrete botnets upon being connected to the Internet for just 48 hours - Numerous studies reinforce similar infection rates/frequencies McPherson - RIPE 50 7

I m responsible for the infrastructure - why do I care? Many of the compromised hosts reside on your internal network or belong to customers of yours - it s your responsibility And if that doesn t work? The sheer size of these botnets and available firepower not only thoroughly neutralize the target, they also yield a considerable amount of collateral damage on the infrastructure - your network! Consider the fact that an OC-3 (155 Mbps) could be effectively rendered useless by a botnet comprised of only 200 home PCs, each with an average connection bandwidth of only 1 Mbps Now, consider frequency of recruitment and couple that with proliferation of residential broadband access capacities - are you concerned yet? and couple that with the evolving convergence architectures in IP networks today (e.g., VoIP, Video, Internet, VPN) and overlay services availability requirements -- Now do you care? McPherson - RIPE 50 8

Collateral Damage IXP W Peer A A Peer B IXP E Upstream A B Upstream A C D Upstream B E Upstream B Customers Target F POP Attack causes Collateral Damage! G McPherson - RIPE 50 9

Traditional Traceback & Mitigation Began with ACLs and counters at network egress to customer Filtered attack traffic as it was destined for customer premise Manually traced back through the network, hop-by-hop, interface by interface - very time-consuming and tedious (automated with ACL scripting tools; I.e., dostracker.pl) Then BGP Blackholing Backscatter Traceback, employing BGP blackholing techniques (may not identify ingress interface - assumes spoofing) However, attack magnitudes grow, inflict collateral damage on aggregation routers and inter-pop/intra-pop links, and therefore must be mitigated at network ingress McPherson - RIPE 50 10

Traditional Traceback IXP-W Peer A Peer B IXP-E Upstream A Upstream A Upstream B Upstream B Target POP McPherson - RIPE 50 11

Optimized Traceback Flow-based detection tools (open & commercial) and traceback, covering entire network perimeter, realtime alerting (as opposed to a customer calling?), augments infrastructure NetFlow and sflow-based techniques, IPFIX perhaps in the future to report on Network and Transport attributes of an attack, as well as any other interesting micro-flow characteristics Flow-based techniques enable mitigation that s element specific, sequentially optimized, performed at network ingress, with full accounting (even BGP Blackhole packets and the like), forensics, etc.. McPherson - RIPE 50 12

Optimized Traceback McPherson - RIPE 50 13

And that s still not good enough! Mitigation must occur as farther upstream, else network interconnect bandwidth is affected In order to effectively eliminate threats identities (and associated attributes) of compromised hosts must be conveyed to Internet ingress network - or as close to source as possible With infection/compromise frequency and available firepower, botnet information must be shared in an automated manner - quarantine and remediation functions MUST be automated as well! McPherson - RIPE 50 14

Sharing Requirements Attack sources and attributes can only be shared with transit and origin networks (don t share information with third parties Couple routing information to determine source and transit networks Must be shared via secure mechanism Employ a common language for describing attacks Must be trackable Must provide peer-peer registration process Must employ distributed architecture with peer-peer and centralized fingerprint distribution model Can be used for sharing explicit attack attributes, as well as worm and vulnerability signature information Information can be shared with adjacent and non-adjacent networks Needs to interface with non-arbor systems Needs to be multi-vendor McPherson - RIPE 50 15

Fingerprint Sharing Alliance McPherson - RIPE 50 16

Other Attack Information Conveyance Mechanisms Peer-Peer INOC-DBA http://www.pch.net/inoc-dba NSP-SEC https://puck.nether.net/mailman/listinfo/nsp-security https://puck.nether.net/mailman/listinfo/nsp-security-discuss IETF INCH/RID http://www.ietf.org/html.charters/inch-charter.html BGP Flow Specification? Other? Arbor Networks http://www.arbor.net McPherson - RIPE 50 17

Summary & Conclusions Providers MUST work together to solve this problem Bot detection AND response mechanisms MUST be automated Protection and cleaning of the host is where the problem should be resolved -- in the interim network operators will inevitably be required to intervene - if not to protect their customers, at least to protect themselves Attack fingerprint sharing and similar mechanisms need to be further researched, developed and deployed to combat this very real threat McPherson - RIPE 50 18

Thanks! danny@arbor.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback