FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks
Uploaded by thousandeyes. Category: Technology.
Transcript of FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks
Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks
Mohit Lad, CEO, ThousandEyes
About ThousandEyes
What We Do: Network performance management designed for today’s dynamic and complex networks. Used by 4 of the world’s top banks. Founded in 2010 with an HQ in San Francisco, CA and a London office. Recognized by Gartner and EMA.
Our Customers’ Stories:
• Reduced time to troubleshoot globally load balanced infrastructure
• Improved customer experience during the Brazil World Cup
• Solved multi-week support issue due to an ISP cable cut in Asia
Today’s Cyber Threat Landscape
• Increasing size, frequency and severity of attacks
• Exposure via external vendors (DNS, CDN, ISPs)
• Greater complexity of corporate networks
• Increasing importance of network for business operations
More Networks Connected to the Internet
[Chart: Global Routing Table Growth. Source: CIDR Report]
More Devices Connected to the Internet
[Chart: Unique IP Addresses Observed, in millions, IPv4 and IPv6, 2007 to 2014. Source: Akamai State of the Internet Reports, Q2 2010-14; Akamai blog]
Size of DDoS Attacks Increasing 50% YoY
Source: Verizon Data Breach Report 2014
Attack Volume Rising / Major Attacks in 2014
[Chart: attack volume by quarter, Q4 12 to Q2 14. Source: Akamai State of the Internet Q2 2014]
Major DDoS Attacks in 2014
• February: Bitstamp
• April: UltraDNS
• August: PlayStation Network, Blizzard
Three Network Security Threats We’ll Cover
• BGP Hijacks
• DNS Poisoning
• DDoS Attacks
BGP Hijacks
A Primer on BGP Hijacks
Diagram: autonomous systems AS 14340 Salesforce, AS 2914 NTT, AS 7018 AT&T, AS 3356 Level3 and AS 4761 Indosat, each with a border router; arrows show the traffic path.
Normal routing:
• Salesforce advertises routes among BGP peers to upstream ISPs. Salesforce.com advertises prefix 96.43.144.0/22.
• AT&T receives route advertisements to Salesforce via Level3 and NTT.
Hijack:
• Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes.
• AT&T now directs Salesforce-destined traffic to Indosat.
BGP Hijack: Normal Routes to PayPal
Diagram: the PayPal / Akamai prefix is originated by the Akamai autonomous system, with Comcast as upstream.
BGP Hijack: Routes Advertised from Indosat
Diagram: the PayPal / Akamai prefix as seen once Indosat advertises it, showing the correct autonomous system, the hijacked autonomous system, and the locations with completely hijacked routes.
BGP Hijack: PCCW Has No Routes to PayPal
The PCCW network is only connected to Indosat, not to Akamai / PayPal.
BGP Hijack: Causing All Traffic to Drop
Traffic transiting PCCW has no routes and terminates.
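The two hijack patterns in the primer and the PayPal case (a foreign AS originating your exact prefix, and a more-specific prefix appearing upstream) can be caught by comparing what several vantage points see against the origins you have authorized. The following is an added example, not ThousandEyes code: the ASNs (14340 Salesforce, 2914 NTT, 7018 AT&T, 3356 Level3, 4761 Indosat) and prefix 96.43.144.0/22 are from the slides, while the route observations, including the /23 more-specific, are constructed for the example.

```python
"""Added example, not ThousandEyes code: flag the BGP hijack patterns from the
slides using route observations from several vantage points.

ASNs 14340 (Salesforce), 2914 (NTT), 7018 (AT&T), 3356 (Level3), 4761 (Indosat)
and prefix 96.43.144.0/22 are taken from the slides; every observation below is
constructed for the example, including the /23 more-specific announcement.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteObservation:
    vantage_point: str   # network whose routing table we are looking at
    prefix: str          # prefix as announced there
    as_path: tuple       # AS path seen there; the last element is the origin AS


# Prefixes we care about and the origin ASes allowed to announce them.  When a
# DDoS mitigation provider announces your prefix on your behalf (the HSBC ->
# Verisign handoff later in the deck), its ASN belongs in this set so the
# handoff is not reported as a hijack.
AUTHORIZED_ORIGINS = {
    "96.43.144.0/22": {14340},
}


def classify(obs, authorized=AUTHORIZED_ORIGINS):
    """Return (kind, detail) findings for one observation.

    "origin-hijack": our exact prefix is originated by an AS we did not authorize
    (Indosat announcing 96.43.144.0/22 in the slides).
    "more-specific": a longer prefix inside ours is originated by an unauthorized
    AS; longest-prefix match makes routers prefer it over our own announcement.
    """
    origin = obs.as_path[-1]
    seen = ipaddress.ip_network(obs.prefix)
    findings = []
    for owned, origins in authorized.items():
        owned_net = ipaddress.ip_network(owned)
        if origin in origins:
            continue                       # our own (or delegated) announcement
        if seen == owned_net:
            findings.append(("origin-hijack",
                             f"{owned} originated by AS{origin} as seen from {obs.vantage_point}"))
        elif seen.subnet_of(owned_net):
            findings.append(("more-specific",
                             f"{obs.prefix} (inside {owned}) originated by AS{origin} "
                             f"as seen from {obs.vantage_point}"))
    return findings


def analyze(observations, authorized=AUTHORIZED_ORIGINS):
    """Group findings by kind across all vantage points."""
    report = {}
    for obs in observations:
        for kind, detail in classify(obs, authorized):
            report.setdefault(kind, []).append(detail)
    return report


def path_changes(baseline, current):
    """Vantage points whose AS path to a prefix differs from a baseline snapshot.

    Returns {(vantage_point, prefix): (old_path, new_path)}.  A path change is
    visible even when only the transit changed and the origin check is quiet.
    """
    base = {(o.vantage_point, o.prefix): o.as_path for o in baseline}
    return {
        (o.vantage_point, o.prefix): (base[(o.vantage_point, o.prefix)], o.as_path)
        for o in current
        if (o.vantage_point, o.prefix) in base
        and base[(o.vantage_point, o.prefix)] != o.as_path
    }


# Constructed snapshots.  Normal: AT&T reaches Salesforce through Level3, NTT
# directly.  Hijack: AT&T's best path now ends at Indosat, and a /23 covering
# half the prefix is also seen with Indosat as origin.
NORMAL_OBSERVATIONS = [
    RouteObservation("AT&T", "96.43.144.0/22", (7018, 3356, 14340)),
    RouteObservation("NTT", "96.43.144.0/22", (2914, 14340)),
]
HIJACK_OBSERVATIONS = [
    RouteObservation("AT&T", "96.43.144.0/22", (7018, 4761)),
    RouteObservation("NTT", "96.43.144.0/22", (2914, 14340)),
    RouteObservation("AT&T", "96.43.144.0/23", (7018, 4761)),
]

if __name__ == "__main__":
    for kind, details in analyze(HIJACK_OBSERVATIONS).items():
        print(kind, details)
    print(path_changes(NORMAL_OBSERVATIONS, HIJACK_OBSERVATIONS))
```

Running the block reports one origin hijack and one more-specific from the AT&T vantage point while NTT still carries the correct route, which is exactly the partial-hijack picture in the PayPal slides: which locations are affected depends on which upstream each of them uses.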
DDoS Attacks
Network Topology of a DDoS Attack
Diagram: YourBank.com (Enterprise) reached across the Internet from Chicago, IL; London; Tokyo; Atlanta; Portland, OR; and Sydney. Attackers flood your web service from around the world.
DDoS Mitigation Strategy 1: On-Premises
Diagram: the same topology with an on-premises DDoS mitigation appliance between the Internet and the enterprise. The appliance at the network edge monitors and mitigates application-layer attacks.
DDoS Mitigation Strategy 2: ISP Collaboration
Diagram: the same topology with ISP 1 and ISP 2 upstream of the enterprise. Attack traffic is routed by the ISPs to a remote-triggered black hole.
DDoS Mitigation Strategy 3: Cloud-Based
Diagram: the same topology with a scrubbing center between the Internet and the enterprise. Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network.
Why Monitor DDoS Attacks
• Global Availability
• Mitigation Deployment
• Mitigation Performance
• Vendor Collaboration
DDoS Attack: Drop in Global Availability
Global availability issues: problems at the TCP connection and HTTP receive phases; availability dips to 0%.
DDoS Attack: Increased Packet Loss and Latency
Loss, latency and jitter rise; loss peaks during the height of the attack.
DDoS Attack: Congested Nodes in Upstream ISPs
HSBC bank website under attack: high packet loss from all testing points; nodes with >25% packet loss; packet loss in upstream ISPs Verizon and AT&T.
DDoS Attack: Mitigation Effectiveness
Verisign DDoS mitigation networks shown in yellow.
DDoS Attack: Mitigation Handoff Using BGP
HSBC prefix: routes via the prior autonomous system (HSBC) are withdrawn and new routes via the new autonomous system (Verisign) appear.
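The DDoS slides show two signals a monitoring system turns into alerts: global availability measured from many testing points, broken down by the HTTP phase that fails, and per-hop packet loss that singles out congested nodes in upstream ISPs. The block below is an added example, not ThousandEyes code. The testing point names, the phase list and the ">25% loss" threshold follow the deck; the test results, hop addresses (TEST-NET ranges) and loss figures are constructed.

```python
"""Added example, not ThousandEyes code: turn the measurements shown on the
DDoS slides (per-phase HTTP test results from many testing points, plus
per-hop packet loss in upstream ISPs) into the two alerts a defender wants:
a drop in global availability with the phase that fails, and congested nodes
above a loss threshold.  Testing point names come from the deck's diagrams;
the results, hop addresses (TEST-NET ranges) and loss figures are constructed.
"""
from collections import Counter, defaultdict

# Phases of an HTTP test in the order they happen; a testing point reports the
# first phase that failed, or None when the whole test succeeded.
PHASES = ("DNS", "TCP connect", "SSL", "HTTP send", "HTTP receive")


def global_availability(results):
    """results maps testing point -> first failed phase, or None on success.

    Returns (availability percent, Counter of failed phases).
    """
    for phase in results.values():
        if phase is not None and phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
    failures = Counter(p for p in results.values() if p is not None)
    ok = len(results) - sum(failures.values())
    return 100.0 * ok / len(results), failures


def congested_nodes(hops, threshold=25.0):
    """hops: iterable of (node_ip, isp, loss_percent) from path traces.

    Returns {isp: sorted list of node IPs} whose loss exceeds threshold,
    matching the ">25% packet loss" highlighting on the slides.
    """
    out = defaultdict(set)
    for node, isp, loss in hops:
        if loss > threshold:
            out[isp].add(node)
    return {isp: sorted(nodes) for isp, nodes in out.items()}


def assess(results, hops, availability_floor=50.0):
    """Combine both signals into one verdict suitable for an alert."""
    pct, failures = global_availability(results)
    congested = congested_nodes(hops)
    dominant = failures.most_common(1)[0][0] if failures else None
    return {
        "availability": round(pct, 1),
        "alert": pct < availability_floor,
        "dominant_failed_phase": dominant,
        "congested_isps": sorted(congested),
        "congested_nodes": congested,
    }


# Constructed data for the six testing points in the deck's diagrams.
BASELINE_RESULTS = {v: None for v in
                    ("Chicago, IL", "London", "Tokyo", "Atlanta", "Portland, OR", "Sydney")}
ATTACK_RESULTS = {
    "Chicago, IL": "TCP connect",
    "London": "HTTP receive",
    "Tokyo": "TCP connect",
    "Atlanta": "TCP connect",
    "Portland, OR": "HTTP receive",
    "Sydney": "TCP connect",
}
ATTACK_HOPS = [
    ("192.0.2.1", "Verizon", 2.0),
    ("192.0.2.10", "Verizon", 41.5),
    ("198.51.100.7", "AT&T", 33.0),
    ("198.51.100.8", "AT&T", 12.0),
]

if __name__ == "__main__":
    print(assess(BASELINE_RESULTS, []))
    print(assess(ATTACK_RESULTS, ATTACK_HOPS))
```

The dominant failed phase is worth keeping in the alert: TCP connect failures from every testing point point at exhaustion in front of the service (or in the upstream ISPs the path traces name), whereas failures only at HTTP receive suggest the application itself is struggling, which changes which mitigation strategy you reach for.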
DNS Cache Poisoning
DNS Cache Poisoning
Diagram: User, Local DNS Cache, Authoritative DNS Server (dns.website.com, serving www.website.com), Attacker, and Attacker DNS Server (dns.attack.com, serving www.attack.com).
1. Attacker inserts a false record into the DNS cache (unsecured DNS server: no DNSSEC, no port randomization).
2. User requests the DNS record for www.website.com.
3. The cache looks up the record on the spoofed name server.
4. User accesses the spoofed URL.
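The slide names the two resolver weaknesses that make the false record possible: no source port randomization and no DNSSEC. Below is an added example, not ThousandEyes code, of the checks a recursive resolver applies before letting a response into its cache: the transaction ID and destination port must match a pending query, the question and source must match, and only records inside the queried server's bailiwick are cached (so an answer for www.website.com cannot also plant www.attack.com). Hostnames are from the slide; all IP addresses are constructed from TEST-NET ranges. DNSSEC signature validation is not implemented here; it would be an additional check after these.

```python
"""Added example, not ThousandEyes code: the checks a recursive resolver applies
before it lets a response into its cache, covering the two weaknesses the slide
names (no source port randomization, no DNSSEC) and the bailiwick rule that
keeps an answer for www.website.com from also planting a record for
www.attack.com.  Hostnames come from the slide; IP addresses are constructed
(TEST-NET ranges).  DNSSEC signature validation is not implemented here; it
would be a further check after these.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str
    server: str      # authoritative server the query was sent to
    zone: str        # bailiwick: the zone that server is authoritative for


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # port the response arrived on (must equal the query's src_port)
    qname: str
    source: str      # source address of the response packet
    records: dict    # name -> IP, from the answer and additional sections


def in_bailiwick(name, zone):
    """A server for `zone` may only vouch for names at or below that zone."""
    return name == zone or name.endswith("." + zone)


def spoof_search_space(randomize_ports):
    """How many (TXID, port) combinations a forged reply would have to cover.

    With a fixed port only the 16-bit TXID protects the cache; randomizing the
    ephemeral port multiplies that by the number of usable ports.
    """
    ports = (65536 - 1024) if randomize_ports else 1
    return (1 << 16) * ports


class Resolver:
    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}   # (txid, src_port) -> Query
        self.cache = {}     # name -> IP

    def send_query(self, qname, server, zone):
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024) if self.randomize_ports else 53
        q = Query(txid, port, qname, server, zone)
        self.pending[(txid, port)] = q
        return q

    def receive(self, resp):
        """Return "accepted" or "rejected"; only in-bailiwick records are cached."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:                       # unknown TXID/port pair: not ours
            return "rejected"
        if resp.qname != q.qname or resp.source != q.server:
            return "rejected"
        del self.pending[(resp.txid, resp.dst_port)]
        for name, ip in resp.records.items():
            if in_bailiwick(name, q.zone):  # drop records the server cannot vouch for
                self.cache[name] = ip
        return "accepted"


def demo():
    """A reply with the wrong TXID, then a genuine reply carrying an extra
    out-of-zone record.  Returns (first verdict, second verdict, cache)."""
    r = Resolver(randomize_ports=True)
    q = r.send_query("www.website.com", "203.0.113.53", "website.com")
    wrong_txid = Response((q.txid + 1) & 0xFFFF, q.src_port, q.qname, q.server,
                          {"www.website.com": "198.51.100.66"})
    genuine = Response(q.txid, q.src_port, q.qname, q.server,
                       {"www.website.com": "203.0.113.80",
                        "www.attack.com": "198.51.100.66"})
    return r.receive(wrong_txid), r.receive(genuine), dict(r.cache)
```

`Resolver(randomize_ports=False)` reproduces the slide's unsecured configuration: every query leaves from port 53, so the only thing a reply has to match is the transaction ID.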
Blocking Facebook in China
DNS availability in China <10%
Redirecting Facebook to Alternate IP Addresses
Facebook is typically routed to 173.252.110.27, except in China
Key Capabilities to Monitor Network Security
Get global visibility
• Understand network topology and dependencies
• Focus on critical network services
Alert on routing to your network
• Reachability to your address blocks
• Path changes and more specific prefixes upstream
Track efficacy of external services
• DNS, CDN and hosting providers
• DDoS mitigation vendors and ISPs
Implement DNSSEC
• Prevent cache poisoning on your resolvers
• Monitor for poisoning of your records on other networks
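The Facebook-in-China slides and the "monitor for poisoning of your records on other networks" capability are the same check: resolve your record from many locations and compare each answer with the address you expect, while tracking how many locations got any answer at all. The block below is an added example, not ThousandEyes code. The expected address 173.252.110.27 is from the slide; the record name www.facebook.com is assumed (the slide just says Facebook), and the vantage points and their answers are constructed, with the China set built so that availability lands under 10% as on the slide.

```python
"""Added example, not ThousandEyes code: compare the answer your record gets
from resolvers in many locations against the address you expect.  The expected
address 173.252.110.27 is from the slide; the record name (assumed to be
www.facebook.com), the vantage points and every observed answer are constructed.
"""
from collections import defaultdict

NAME = "www.facebook.com"                              # assumed record name
EXPECTED = {NAME: {"173.252.110.27"}}                  # address from the slide

# (vantage point, country code, record name, answer or None when nothing came back).
# Constructed: four locations outside China answer correctly; eleven China
# vantage points get no answer and one gets a constructed alternate address.
OBSERVATIONS = (
    [("Chicago, IL", "US", NAME, "173.252.110.27"),
     ("London", "GB", NAME, "173.252.110.27"),
     ("Tokyo", "JP", NAME, "173.252.110.27"),
     ("Sydney", "AU", NAME, "173.252.110.27")]
    + [(f"China vantage {i}", "CN", NAME, None) for i in range(1, 12)]
    + [("China vantage 12", "CN", NAME, "203.0.113.44")]
)


def availability_by_country(observations):
    """Percent of vantage points per country that received any answer at all."""
    seen, answered = defaultdict(int), defaultdict(int)
    for _, cc, _, answer in observations:
        seen[cc] += 1
        if answer is not None:
            answered[cc] += 1
    return {cc: round(100.0 * answered[cc] / seen[cc], 1) for cc in seen}


def divergent_answers(observations, expected=EXPECTED):
    """Vantage points whose answer is not one of the expected addresses.

    Returns a list of (vantage point, country, name, answer).  Legitimate
    geographic answers (a CDN's regional addresses) belong in `expected`;
    what is left over is what you investigate as redirection or poisoning.
    """
    return [(vp, cc, name, answer)
            for vp, cc, name, answer in observations
            if answer is not None and answer not in expected.get(name, set())]


def summarize(observations, expected=EXPECTED, availability_floor=10.0):
    """One report: availability per country, countries under the floor, and
    every diverging answer with the countries it came from."""
    avail = availability_by_country(observations)
    diverging = divergent_answers(observations, expected)
    return {
        "availability": avail,
        "low_availability_countries": sorted(
            cc for cc, pct in avail.items() if pct < availability_floor),
        "divergent": diverging,
        "divergent_countries": sorted({cc for _, cc, _, _ in diverging}),
    }


if __name__ == "__main__":
    for key, value in summarize(OBSERVATIONS).items():
        print(key, value)
```

Keeping availability and divergence as separate signals matters: a record that is blocked shows up as low availability with no divergent answers, while a poisoned or redirected record shows up as normal availability with answers that do not match, and the two call for different conversations with the resolver operators involved.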
It’s time to see the entire picture.