The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan


Page 1: The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan.

The Changing Internet Ecology: New Threats to Infrastructure Security

Farnam Jahanian

Arbor Networks / University of Michigan

Page 2

Arbor Networks, inc. Proprietary

Emerging Trends

Globally scoped, respecting no geographic or topological boundaries

Exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes

Zero-day threats, exploiting vulnerabilities for which no signature or patch has been developed

Page 3

Infrastructure Security Threats

One large service provider experienced over 1,100 DoS attacks in the 1st half of 2003. [Rob Thomas, NANOG 28]

Multi-gigabit attacks are increasingly routine. Attacks with 10Gbps aggregate capacity have been recorded.

Emerging threats from IRC bots: IRC bots support automated scanning and exploitation of inadequately protected Windows systems, and also offer DDoS capabilities.

Massive pools of available zombies, e.g. IRC botnets with over 140,000 machines. [CERT Advisory CA-2003-08, March 2003]

With so much capacity, spoofing source addresses is no longer “cool”.

Of 1,127 attacks on a large ISP, only 4 employed spoofed addresses! [Rob Thomas, NANOG 28]

During Slammer, 75K hosts infected in 30 min. [Moore et al, NANOG February, 2003]

At peak, 5 Billion injection attempts per day during Nimda. [Arbor Networks, Sep. 2001]

Page 4

SQL Slammer Attack Propagation

0 hosts infected at the start

75,000 hosts infected in 30 min.

Infections doubled every 8.5 sec.

Spread 100X faster than Code Red

At peak, scanned 55M hosts per sec.

[Moore, Paxson, et al; NANOG February, 2003]

Page 5

Impact of Slammer on the Internet

Loss of several thousand routes, mostly /24s

Page 6

The Evolution of Network Threats

Problems that manifest themselves network-wide:

DDoS

Zero-day worms / AV

Routing attacks

Page 7

Complementary Techniques

Detecting, backtracing and mitigating denial-of-services attacks

Blackhole monitoring of unused address blocks

Page 8

Denial-of-Service

Attempts to "flood" a network, thereby preventing legitimate network traffic

Attempts to disrupt connections between users and web sites, thereby preventing access to a service

Attempts to prevent access to critical infrastructure such as DNS or service provider routers

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. [CERT]

Page 9

Distributed Denial-of-Service

Phase I: The Initial Intrusions

Scan networks, identify vulnerable hosts, compromise by installing tools and backdoors

Phase II: The Distributed DoS Attacks

Signal and launch attacks on target web sites, communication links, routers, DNS, etc.

Self-propagating worms sometimes blur the distinction between Phase I and II

Page 10

Myth #1: Magic Box!

Put “filtering box” at enterprise border

Stop drinking from fire hose, close your mouth

May not even see attack: on upstream router or on firewall

Myth #2: IDS Tools

Rely on intrusion detection systems for DoS detection and classification

Signature-based IDS tools cannot identify zero-day attacks, e.g. SLAMMER Worm

Page 11

Best Practices

“Practice good computer hygiene”

Patch well-known holes and vulnerabilities

Deploy anti-spoof egress filtering

Policies and procedures for handling alerts

Campus-wide incident response team

Internet Routing Registry

Mechanisms and procedures for sharing information and working with upstream providers

Push for routing and DNS authentication

Still Not Enough!

Page 12

So what is the solution?

Network Anomaly Detection

A proactive, holistic, dynamic approach to security.

Operators must model their infrastructure network-wide, rather than model the myriad threats against individual components.

Page 13

Peakflow Architecture

Build a model of normal behavior leveraging flow data topology information from routers; employ signature analysis and dynamic profiling to monitor and detect DoS attacks in real-time; use distributed event aggregation techniques to backtrace attackers; apply attack-specific remediation methods to minimize impact on target.

[Architecture diagram: Solution, built from Network Topology Information, Real-Time Traffic Flow Statistics and Network Traffic Profiles, combined by Correlation & Analysis Techniques]

Page 14

How Peakflow Works

Profile/Monitor: Peakflow DoS dynamically profiles traffic patterns in the network and analyzes traffic for anomalies – without disrupting traffic flow to routers

Detect: Peakflow DoS Collectors create and forward unique anomaly fingerprints to Peakflow DoS Controllers.

Trace: Peakflow DoS Controllers then quickly trace the attack to its source.

Filter: Peakflow DoS Controller recommends filters (X), which the network engineer can implement to stop the attack before it brings down key routers, firewalls and IDS solutions, or the entire network.

[Deployment diagram: two Peakflow Collectors and a Controller monitoring a customer site (web servers, DNS servers, database servers, firewall, IDS) reached through Service Providers A, B and C]
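To make the Profile/Detect/Filter steps concrete, here is an added Python illustration of the same workflow. It is not Arbor's Peakflow code and not from the talk: it learns a per-destination baseline from past flow intervals, grades deviations into the low/medium/high bands used on the later case-study slides, fingerprints the anomalous traffic, and renders a filter line. The flow-record layout, the severity thresholds, the Cisco-style ACL wording and the sample traffic are all assumptions.

```python
"""Flow-based DoS detection following the Profile/Detect/Filter steps above.
Added illustration, not Arbor's Peakflow code: the flow-record layout, the
severity thresholds, the ACL wording and the sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (constructed layout, not a real export schema)."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int
    packets: int
    tcp_flags: str = ""  # OR of TCP flags seen on the flow, e.g. "S" for SYN-only

def packets_by_key(flows):
    """Aggregate packet counts per (destination, protocol) for one interval."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.dst, f.proto)] += f.packets
    return counts

def profile(history):
    """Profile step: mean and stddev of packets per interval for every
    (dst, proto) seen in `history`, a list of past intervals (lists of Flow)."""
    keys = {k for interval in history for k in packets_by_key(interval)}
    series = {k: [] for k in keys}
    for interval in history:
        counts = packets_by_key(interval)
        for k in keys:
            series[k].append(counts[k])  # 0 when the key had no traffic
    return {k: (mean(v), pstdev(v)) for k, v in series.items()}

def severity(observed, base_mean, base_std):
    """Grade the deviation into the low/medium/high bands used on the case-study
    slides. The 4/10/20 'sigma' cut-offs and the 10% floor are assumed values;
    the floor keeps a perfectly flat baseline from alerting on tiny bumps."""
    floor = max(base_std, 0.1 * base_mean, 1.0)
    z = (observed - base_mean) / floor
    if z >= 20:
        return "high"
    if z >= 10:
        return "medium"
    if z >= 4:
        return "low"
    return None

def fingerprint(flows):
    """Detect step: dominant port, dominant TCP flag set and distinct sources."""
    ports, flags, sources = defaultdict(int), defaultdict(int), set()
    for f in flows:
        ports[f.dport] += f.packets
        flags[f.tcp_flags] += f.packets
        sources.add(f.src)
    return {"dport": max(ports, key=ports.get),
            "flags": max(flags, key=flags.get), "sources": len(sources)}

def detect(current, baseline):
    """Compare one interval with the baseline; return alerts with fingerprints."""
    by_key = defaultdict(list)
    for f in current:
        by_key[(f.dst, f.proto)].append(f)
    alerts = []
    for (dst, proto), flows in by_key.items():
        observed = sum(f.packets for f in flows)
        base_mean, base_std = baseline.get((dst, proto), (0.0, 0.0))
        sev = severity(observed, base_mean, base_std)
        if sev:
            alerts.append({"dst": dst, "proto": proto, "packets": observed,
                           "baseline": base_mean, "severity": sev,
                           "fingerprint": fingerprint(flows)})
    return alerts

def recommend_filter(alert):
    """Filter step: a Cisco-style extended ACL deny line built from the
    fingerprint. A hard deny also drops legitimate traffic to that port, so for
    a SYN flood a rate limit on the same match is often the better first step
    (see the Mitigation Strategies slide)."""
    if alert["proto"] == "icmp":
        return f"deny icmp any host {alert['dst']}"
    return f"deny {alert['proto']} any host {alert['dst']} eq {alert['fingerprint']['dport']}"

def normal_interval(offset):
    """Constructed quiet-period traffic: ten web clients and five DNS clients."""
    flows = [Flow(f"192.0.2.{i}", "10.0.0.5", "tcp", 80, 100 + i + offset, "PA")
             for i in range(10)]
    return flows + [Flow(f"198.51.100.{i}", "10.0.0.53", "udp", 53, 40) for i in range(5)]

def run_example():
    """Learn a baseline from three quiet intervals, then analyze an interval that
    also carries a constructed SYN flood from 50 sources against the web server."""
    baseline = profile([normal_interval(0), normal_interval(1), normal_interval(2)])
    flood = [Flow(f"203.0.113.{i}", "10.0.0.5", "tcp", 80, 200, "S") for i in range(50)]
    alerts = detect(normal_interval(0) + flood, baseline)
    for a in alerts:
        a["filter"] = recommend_filter(a)
    return alerts

if __name__ == "__main__":
    for a in run_example():
        print(a["severity"], a["dst"], a["proto"], a["packets"], a["fingerprint"], a["filter"])
```

Run as a script, the web server's interval shows roughly ten times its baseline, so it is graded "high", while the DNS server, whose traffic is unchanged, raises nothing; the fingerprint records that the excess is SYN-only traffic to port 80 from 60 distinct sources, which is what distinguishes a flood from a legitimate surge of sessions.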

Page 15

Mitigation Strategies

Do Nothing! (very popular)

Notify downstream AS or upstream provider

Packet Filters: ACLs or Firewall

Filter based on attack characteristics

Rate Limit Traffic

Based on attack characteristics: ICMP, UDP, TCP SYN

QoS policy propagation with BGP (special community)

BGP Blackhole Routing

Sinkhole Diversion or Off-Ramping

Also provide the data necessary to know which one to choose and how to configure it.

Page 16

Benefit

Instantly flags known and new (zero-day) attacks with minimal configuration

Quickly identify impacted customers and equipment

Understand the components to match the right solution

Stop the attack and quickly ensure normal network operation

Custom analysis for forensics, trending and research; share with customers, co-workers, partners

Feature                     Function
Detection & Fingerprinting  Anomaly-based detection and attack fingerprinting
Traceback                   Reconstructs the attack trajectory across the network
Analysis                    Generates detailed profiles of the anomalous traffic
Mitigation                  Intelligent, flexible, attack-specific mitigation options
Flexible Reporting          Exports XML- and PDF-based anomaly data for offline analysis

Page 17

Case Studies

Page 18

Peakflow Deployments

Page 19

A RECENT LARGE SCALE DOS ATTACK

Anomalies are classified as low, medium, or high. Different levels trigger alerts (email, SNMP, etc.)

Visual breakout of affected network elements.

Page 20

THE ATTACK IN MORE DETAIL (PAGE 1)

Provides detailed information on the characteristics of the DoS attack.

Page 21

THE ATTACK IN MORE DETAIL (PAGE 2)

Visual breakout of affected network elements.

Identifies routers and interfaces that are impacted by attack.

Page 22

THE ATTACK IN MORE DETAIL (PAGE 3)

Presents a detailed fingerprint for the attack.

Automatically generates the appropriate ACL/CAR or firewall filter sets for blocking attack.

Page 23

Complementary Methodologies

Detecting, backtracing and mitigating denial-of-services attacks

Blackhole monitoring of unused address blocks

Page 24

Blackhole Monitoring

Block of dark address space that, while routable, contains no active hosts

Traffic on the blackhole is due to scans, worm propagation, or DDoS backscatter

Similar to using BGP off-ramping for traffic inspection

Page 25

Components of Blackhole Monitor

Passive Module: passively measures the traffic, looking for scans and backscatter and quantifying the breadth of worm infections and the scope of DDoS attacks

Active Module: elicits payloads from an adaptively sampled number of end clients, reconstructing the client half of the payload and creating a fingerprint of the application request

Alerting Module: looks for rapid changes in the characteristics of the overall network traffic as well as the rise of new types of threats
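The passive and alerting modules above can be shown on constructed data. The following Python is an added example, not the Arbor/Merit/University of Michigan monitor: it classifies every packet reaching a dark block as a scan or as DoS backscatter (a reply can only be backscatter, since nothing legitimately asks dark space for anything), scales backscatter up by the 1/256 share a /8 sees to estimate the attack rate, and raises an alert when a service's probe count surges or first appears. The packet layout, the rules, the thresholds and the two traffic windows are assumptions.

```python
"""Passive and alerting modules of a blackhole (darknet) monitor. Added example,
not the Arbor/Merit/University of Michigan implementation: packet layout,
classification rules, thresholds and sample traffic are constructed."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One packet that arrived in the dark address block (constructed layout)."""
    ts: float
    src: str
    dst: str          # an address inside the unused block
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags, e.g. "S", "SA", "R"
    icmp_type: int = -1

def classify(p):
    """Nothing legitimate is addressed to dark space. A reply (SYN+ACK, RST,
    ICMP unreachable) can only be backscatter from a victim answering spoofed
    packets; a bare SYN, UDP datagram or echo request is a scan or worm probe."""
    if p.proto == "tcp":
        if "S" in p.flags and "A" in p.flags:
            return "backscatter"
        if "R" in p.flags:
            return "backscatter"
        if p.flags == "S":
            return "scan"
    elif p.proto == "icmp":
        if p.icmp_type == 3:          # destination unreachable
            return "backscatter"
        if p.icmp_type == 8:          # echo request sweep
            return "scan"
    elif p.proto == "udp":
        return "scan"
    return "other"

def summarize(pkts):
    """Passive module: scan volume per service, breadth of scanning sources,
    and DoS victims (the *source* of backscatter is the host under attack)."""
    scans, sources, victims = Counter(), set(), Counter()
    for p in pkts:
        kind = classify(p)
        if kind == "scan":
            scans[(p.proto, p.dport)] += 1
            sources.add(p.src)
        elif kind == "backscatter":
            victims[p.src] += 1
    return {"scans_by_service": scans, "scan_sources": len(sources), "victims": victims}

def estimate_attack_rate(observed, window_seconds, prefix_len=8):
    """A victim answering uniformly random spoofed sources sends 1/2^prefix_len
    of its replies into a /prefix_len dark block, so scale up to estimate the
    attack's packet rate (assumes uniform spoofing and one reply per packet)."""
    return observed / window_seconds * (2 ** prefix_len)

def alerts_between(prev, cur, ratio=5.0, min_count=50):
    """Alerting module: a service whose probe count jumped by `ratio` since the
    previous window, or that first appears with at least `min_count` probes,
    signals a new or surging threat (thresholds are assumptions)."""
    out = []
    for svc, now in cur["scans_by_service"].items():
        before = prev["scans_by_service"].get(svc, 0)
        if now >= min_count and (before == 0 or now / before >= ratio):
            out.append({"service": svc, "before": before, "now": now,
                        "kind": "new" if before == 0 else "surge"})
    return out

def build_windows():
    """Two constructed 60-second windows: background SSH scanning plus backscatter
    from one victim, then a burst of 135/TCP probes from 60 new sources."""
    w1, w2 = [], []
    for i in range(20):                       # steady low-level SSH scanning
        w1.append(Pkt(i, f"198.51.100.{i}", "10.1.2.3", "tcp", 40000 + i, 22, "S"))
        w2.append(Pkt(60 + i, f"198.51.100.{i}", "10.1.2.3", "tcp", 40000 + i, 22, "S"))
    for i in range(30):                       # SYN+ACKs from a flooded web server
        w1.append(Pkt(i, "192.0.2.10", f"10.9.{i}.1", "tcp", 80, 1024 + i, "SA"))
    for i in range(300):                      # sudden sweep of 135/TCP
        w2.append(Pkt(60 + i / 10, f"203.0.113.{i % 60}", f"10.{i % 200}.5.7",
                      "tcp", 50000, 135, "S"))
    return w1, w2

def run_example():
    w1, w2 = build_windows()
    s1, s2 = summarize(w1), summarize(w2)
    return {"window1": s1, "window2": s2,
            "victim_rate_pps": estimate_attack_rate(s1["victims"]["192.0.2.10"], 60),
            "alerts": alerts_between(s1, s2)}

if __name__ == "__main__":
    r = run_example()
    print(r["alerts"], r["victim_rate_pps"])
```

The second window triggers one "new" alert for 135/TCP, the port Blaster later scanned, while the unchanged SSH background stays below the minimum count; the 30 SYN+ACKs seen from 192.0.2.10 in a minute scale to an estimated 128 packets per second aimed at that victim, which is the kind of "type and severity" estimate the following slide refers to.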

Page 26

Blackhole Monitoring

Measure wide-scale port scans and service sweeps by attackers

Characterize and quantify Internet worm activities

Estimate the type and severity of globally-scoped DDoS incidents

Page 27

Wide-Area Blackhole Monitoring Project

Launched by Arbor Networks, Merit Network and University of Michigan in 2001

Collect traffic to a globally announced, unused /8 network

Roughly 1/256 of entire Internet address space

Complete TCP handshake for 1 out of 100,000 requests

Reassemble worm payload, identify and log each hit

Save other traffic to disk

Random scans (SSH, DNS, RPC services, FTP, etc.)

DoS backscatter (TCP SYN+ACK and RST, ICMP unreachables)

Page 28

The Blaster Worm – The View from 10,000 Feet

Wed July 16 2003 – LSD release advisory

“Critical security vulnerability in MS OS”

No known exploit code; patch available

Affected Windows running DCOM RPC services – used for local networking by MS Windows systems

Mon Aug 11 2003 – Blaster Worm appears

Wed Aug 13 2003 – variants appear

How Blaster scans

Scans /24 from 0-254, not random hosts

40% of the time, /24s within local /16; 60% of the time, random /24

Scan network for 135/TCP, listen on 69/UDP (TFTP)

Attempt exploit when connection is found

Then attacking host connects to 4444/TCP to use as command line interface

Download msblast.exe via TFTP, start msblast.exe

Page 29

Blaster’s Traffic Patterns

Three phases of the worm lifecycle: growth, decay, persistence

Minimum doubling time of 2.3 hours during growth phase

Observed over 286,000 unique IP addresses in the blackhole

Page 30

Containing Blaster

Exponential decay of Blaster observations, half-life 10.4 hrs

Contained very “quickly” – operators applying ingress/egress filters

Pretty much all cleaned up in 5 days
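The growth and decay figures quoted for Slammer (doubling every 8.5 s, 75,000 hosts in 30 minutes) and Blaster (half-life 10.4 h, cleaned up in about five days) follow from two simple models, worked through below in Python as an added example that is not part of the talk. Growth uses the standard random-constant-spread (logistic) model for a worm that scans IPv4 addresses uniformly at random; decay is plain exponential decay with the observed half-life. The 4,000 scans/s per host is a constructed parameter chosen for illustration, not a measured value, and the model generalizes to any scan rate and vulnerable population.

```python
"""Worm lifecycle arithmetic for the growth and decay phases named on the Blaster
slides and the Slammer propagation slide. Added example, not from the talk: the
random-constant-spread model is the standard epidemic model for a uniformly
random-scanning worm, and every numeric parameter below is a constructed
illustration rather than a measured value."""
import math

IPV4_SPACE = 2 ** 32

def contact_rate(scans_per_sec, vulnerable, space=IPV4_SPACE):
    """Rate at which one infected host finds a new vulnerable host when scanning
    addresses uniformly at random: s * V / 2^32 per second."""
    return scans_per_sec * vulnerable / space

def doubling_time(scans_per_sec, vulnerable, space=IPV4_SPACE):
    """Early-growth doubling time: I(t) ~ I0 * exp(r t) while almost every
    vulnerable host is still uninfected, so the population doubles every ln 2 / r s."""
    return math.log(2) / contact_rate(scans_per_sec, vulnerable, space)

def simulate_growth(scans_per_sec, vulnerable, initial=1, dt=1.0, t_max=3600.0,
                    space=IPV4_SPACE):
    """Logistic (random constant spread) model stepped with Euler's method:
    dI/dt = (s / 2^32) * I * (V - I). Returns [(t, infected), ...]."""
    k = scans_per_sec / space
    infected, t, trace = float(initial), 0.0, []
    while t <= t_max and infected < 0.999 * vulnerable:
        trace.append((t, infected))
        infected += k * infected * (vulnerable - infected) * dt
        t += dt
    trace.append((t, min(infected, float(vulnerable))))
    return trace

def time_to_fraction(trace, vulnerable, fraction):
    """First simulated time at which the given fraction of V is infected."""
    for t, infected in trace:
        if infected >= fraction * vulnerable:
            return t
    return None

def remaining_fraction(elapsed_hours, half_life_hours):
    """Decay phase: with a clean-up half-life h, the fraction of infected hosts
    still visible after t hours is 0.5 ** (t / h)."""
    return 0.5 ** (elapsed_hours / half_life_hours)

def run_example():
    """Constructed parameters: 75,000 vulnerable hosts (the slide's infected count)
    and an assumed 4,000 scans/s per infected host; Blaster's 10.4 h half-life
    applied over the five days the slide says clean-up took."""
    s, v = 4000.0, 75000
    trace = simulate_growth(s, v)
    return {"doubling_s": doubling_time(s, v),
            "t_90pct_s": time_to_fraction(trace, v, 0.9),
            "left_after_5_days": remaining_fraction(5 * 24, 10.4)}

if __name__ == "__main__":
    r = run_example()
    print(f"doubling time {r['doubling_s']:.1f} s, 90% infected after "
          f"{r['t_90pct_s']:.0f} s, {r['left_after_5_days']:.2%} of Blaster left after 5 days")
```

With these constructed inputs the doubling time comes out near 10 s and 90% of the population is infected in a few minutes, well inside the 30-minute window on the Slammer slide; the model makes plain that early doubling time depends only on scan rate times vulnerable population, which is why signature distribution on a human timescale cannot keep up. On the decay side, 120 hours is about 11.5 half-lives of 10.4 h, leaving only a few hundredths of a percent of the Blaster population, consistent with "all cleaned up in 5 days".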

Page 31

Breakdown of Infected Hosts

Reverse DNS lookups for active hosts shows a global distribution

Second-level domain name analysis shows impact on consumer broadband providers

Over 280K unique IP addresses observed in the blackhole displayed Blaster behavior

[Charts: breakdown of infected hosts by TLD and by 2LD]

Page 32

Blaster’s Tenuous Grip

Welchia counter worm released on August 18

Circadian pattern, peak near 00:00 EDT

Global TLD distribution of infected hosts


Page 33

Depth vs. Breadth Classification of Internet Threat Monitoring Architecture

Page 34

Internet Motion Sensor – A Distributed Blackhole Monitor

Working with 30+ Internet Service Providers

Page 35

Wrap Up

Attacks on ISP infrastructure: DoS attacks on backbone routers, routing protocol exploits, route hijacking

Increasing sophistication and severity of zero-day attacks on edge networks

Self-propagating malicious code: rapid propagation creates a DoS condition (Slammer); worms launched with a DoS payload (MS Blaster)

Increased Interdependency with/on service provider and sites not under “your” control

Crumbling perimeter and internal security

Page 36

More Info

White Papers & Research Reports:

“Service provider infrastructure security: Detecting, tracing, and mitigating network-wide anomalies”

“One size does not fit all: tailoring denial of service mitigation to maximize effectiveness”

“Intelligent network management with Peakflow Traffic”

“The Internet Motion Sensor (IMS): A distributed global scoped Internet threat monitoring system”

Contact Info:

Speaker: Farnam Jahanian ([email protected])

European Contact: Rob Pollard, Dir of EMEA Solutions

Steve Mulhearn, Mgr. of Consulting ([email protected])