The Changing Internet Ecology: New Threats to Infrastructure Security
Farnam Jahanian
Arbor Networks / University of Michigan
Arbor Networks, inc. Proprietary
Emerging Trends
Globally scoped, respecting no geographic or topological boundaries
Exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes
Zero- day threats, exploiting vulnerabilities for which no signature or patch has been developed
Infrastructure Security Threats
One large service provider experienced over 1,100 DoS attacks in the 1st half of 2003. [Rob Thomas, NANOG 28]
Multi-gigabit attacks are increasingly routine. Attacks with 10 Gbps aggregate capacity have been recorded.
Emerging threats from IRC bots: IRC bots support automated scanning and exploitation of inadequately protected Windows systems, and also offer DDoS capabilities.
Massive pools of available zombies, e.g. IRC botnets with over 140,000 machines. [CERT Advisory CA-2003-08, March 2003]
With so much capacity, spoofing source addresses is no longer “cool”.
Of 1,127 attacks on a large ISP, only 4 employed spoofed addresses! [Rob Thomas, NANOG 28]
During Slammer, 75K hosts infected in 30 min. [Moore et al, NANOG February, 2003]
At peak, 5 billion injection attempts per day during Nimda. [Arbor Networks, Sep. 2001]
SQL Slammer Attack Propagation
0 hosts infected at the start
75,000 hosts infected in 30 min.
Infections doubled every 8.5 sec.
Spread 100X faster than Code Red
At peak, scanned 55M hosts per sec.
[Moore, Paxson, et al; NANOG February, 2003]
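The doubling time and the "100X faster than Code Red" figure above are what the random constant spread (RCS) model of Staniford, Paxson and Weaver predicts for a worm whose every scan picks a uniformly random IPv4 address. The following is an added example, not material from the slides or from Arbor Networks: it inverts the model to find the per-host scan rate implied by the slide's 8.5-second doubling and 75K susceptible hosts, and then asks how long an unconstrained outbreak would take to reach 90% of that pool. The 75,000 figure is used as the susceptible population, which is an assumption (it is the number the slide reports as infected).

```python
"""Random constant spread (RCS) model of a uniformly random-scanning worm
(Staniford, Paxson and Weaver, 2002), worked against the Slammer figures on the
slide. Added example; not material from the slides or from Arbor Networks."""
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner chooses from
SLAMMER_VULNERABLE = 75_000      # slide: ~75K hosts infected, taken as the susceptible pool
SLAMMER_DOUBLING_S = 8.5         # slide: infections doubled every 8.5 s


def contact_rate(scans_per_host_per_sec, vulnerable, space=ADDRESS_SPACE):
    """K: vulnerable hosts one infected host hits per second when each scan
    picks a uniformly random 32-bit address."""
    return scans_per_host_per_sec * vulnerable / space


def doubling_time(k):
    """Early in an outbreak a(t) ~ a0 * e^(K t), so the infected population
    doubles every ln(2)/K seconds."""
    return math.log(2) / k


def implied_scan_rate(doubling_s, vulnerable, space=ADDRESS_SPACE):
    """Invert doubling_time/contact_rate: per-host scan rate that produces the
    observed doubling time for a given susceptible population."""
    return math.log(2) / doubling_s * space / vulnerable


def infected_fraction(t, k, a0):
    """Logistic solution of da/dt = K a (1 - a) with a(0) = a0."""
    e = math.exp(k * t)
    return a0 * e / (1 - a0 + a0 * e)


def time_to_fraction(target, k, a0):
    """Time at which infected_fraction(t, k, a0) == target (0 < a0 < target < 1)."""
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k


def slammer_summary():
    """Apply the model to the slide's numbers; returns (per-host scans/s implied by
    the 8.5 s doubling, seconds from one infected host to 90% of the pool)."""
    rate = implied_scan_rate(SLAMMER_DOUBLING_S, SLAMMER_VULNERABLE)
    k = contact_rate(rate, SLAMMER_VULNERABLE)
    t90 = time_to_fraction(0.9, k, 1 / SLAMMER_VULNERABLE)
    return rate, t90


if __name__ == "__main__":
    rate, t90 = slammer_summary()
    print(f"implied per-host scan rate: {rate:.0f} scans/s")
    print(f"one host -> 90% of {SLAMMER_VULNERABLE} in {t90 / 60:.1f} min (no bandwidth limit)")
```

The model puts the implied early scan rate near 4,700 scans/s per host and reaches 90% of the pool in under three minutes, while the slide reports 75K hosts in 30 minutes and a peak of 55M scans/s, which over 75K hosts is only about 730 scans/s each. The gap is the bandwidth saturation that Moore et al. describe: Slammer's single-packet UDP scans filled the infected hosts' uplinks within minutes, so the observed curve flattened far below what the unconstrained model predicts.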
Impact of Slammer on the Internet
Loss of several thousand routes, mostly /24s
The Evolution of Network Threats
Problems that manifest themselves network-wide:
DDoS
Zero-day worms / AV
Routing attacks
Complementary Techniques
Detecting, backtracing and mitigating denial-of-services attacks
Blackhole monitoring of unused address blocks
Denial-of-Service
Attempts to "flood" a network, thereby preventing legitimate network traffic
Attempts to disrupt connections between users and web sites, thereby preventing access to a service
Attempts to prevent access to critical infrastructure such as DNS or service provider routers
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. [CERT]
Distributed Denial-of-Service
Phase I: The Initial Intrusions. Scan networks, identify vulnerable hosts, compromise them by installing tools and backdoors.
Phase II: The Distributed DoS Attacks. Signal and launch attacks on target web sites, communication links, routers, DNS, etc.
Self-propagating worms sometimes blur the distinction between Phase I and II.
Myth #1: Magic Box!
Put a “filtering box” at the enterprise border
Stop drinking from the fire hose, close your mouth
The box may not even see the attack: it lands on the upstream router or on the firewall
Myth #2: IDS Tools
Rely on intrusion detection systems for DoS detection and classification
Signature-based IDS tools cannot identify zero-day attacks, e.g. the Slammer worm
Best Practices
“Practice good computer hygiene”:
Patch well-known holes and vulnerabilities
Deploy anti-spoof egress filtering
Policies and procedures for handling alerts
Campus-wide incident response team
Internet Routing Registry
Mechanisms and procedures for sharing information and working with upstream providers
Push for routing and DNS authentication
Still Not Enough!
So what is the solution?
Network Anomaly Detection: a proactive, holistic, dynamic approach to security.
Operators must model their infrastructure network-wide, rather than model the myriad threats against individual components.
Peakflow Architecture
Build a model of normal behavior from flow data and topology information collected from routers; employ signature analysis and dynamic profiling to monitor for and detect DoS attacks in real time; use distributed event aggregation to backtrace attackers; apply attack-specific remediation to minimize impact on the target.
[Diagram: Network Topology Information, Real-Time Traffic Flow Statistics and Network Traffic Profiles feed Correlation & Analysis Techniques, which produce the Solution]
How Peakflow Works
Profile/Monitor: Peakflow DoS dynamically profiles traffic patterns in the network and analyzes traffic for anomalies – without disrupting traffic flow to routers
Detect: Peakflow DoS Collectors create and forward unique anomaly fingerprints to Peakflow DoS Controllers.
Trace: Peakflow DoS Controllers then quickly trace the attack to its source.
Filter: the Peakflow DoS Controller recommends filters, which the network engineer can implement to stop the attack before it brings down key routers, firewalls and IDS solutions, or the entire network.
[Diagram: Collectors at Service Providers A, B and C report to a Controller; the customer site behind them runs web, DNS and database servers behind a firewall and IDS]
Mitigation Strategies
Do Nothing! (very popular)
Notify downstream AS or upstream provider
Packet filters (ACLs or firewall): filter based on attack characteristics
Rate limit traffic based on attack characteristics: ICMP, UDP, TCP SYN
QoS policy propagation with BGP (special community)
BGP blackhole routing
Sinkhole diversion or off-ramping
The detection system must also provide the data needed to know which one to choose and how to configure it.
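The profile/detect/trace/filter loop and the mitigation menu above can be shown end to end on flow data. The following is an added example, not Arbor's Peakflow code and not from the slides: it builds a per-destination baseline from constructed NetFlow-style records, flags a destination that departs from it, fingerprints the anomaly (dominant protocol and port, and the sources never seen during the baseline window), and turns the fingerprint into Cisco IOS-style ACL text plus a null route. The server addresses, flow counts and threshold constants are all assumptions made for the example; the IOS syntax is real, but which mitigation to apply remains the operator's decision, as the slide says.

```python
"""Flow-based DoS detection, attack fingerprinting and filter recommendation.
Added example in the spirit of the profile/detect/trace/filter loop described
above; it is not Arbor's Peakflow code. Flow records are constructed NetFlow-
style tuples and all addresses are RFC 5737 documentation ranges."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

DNS, WEB = "192.0.2.53", "192.0.2.80"     # hypothetical customer servers
TRAIN_BINS = range(6)                      # baseline window, e.g. six 5-minute bins
ATTACK_BIN = 6                             # the bin under examination


def build_sample_flows():
    """Constructed sample (bin, src, dst, proto, dport, packets): steady DNS and
    HTTP traffic in every bin; bin 6 adds a UDP/53 flood from 40 hosts."""
    flows = []
    for b in range(7):
        for i in range(3):
            flows.append((b, f"198.51.100.{10 + i}", DNS, "udp", 53, 60 + 5 * i + b))
            flows.append((b, f"198.51.100.{20 + i}", WEB, "tcp", 80, 30 + i))
    for i in range(40):
        flows.append((ATTACK_BIN, f"203.0.113.{i + 1}", DNS, "udp", 53, 500))
    return flows


def profile(flows, train_bins=TRAIN_BINS):
    """Dynamic profile: mean and standard deviation of packets per bin, per destination."""
    counts = defaultdict(lambda: defaultdict(int))
    for b, _src, dst, _proto, _dport, pkts in flows:
        if b in train_bins:
            counts[dst][b] += pkts
    return {dst: (mean([c.get(b, 0) for b in train_bins]),
                  pstdev([c.get(b, 0) for b in train_bins]))
            for dst, c in counts.items()}


def detect(flows, baseline, bin_id, k=5.0, floor=100):
    """Destinations whose packet count in bin_id exceeds mean + k*stdev. The floor
    keeps a perfectly flat baseline (stdev 0) from alerting on a few extra packets."""
    current = defaultdict(int)
    for b, _src, dst, _proto, _dport, pkts in flows:
        if b == bin_id:
            current[dst] += pkts
    alerts = {}
    for dst, total in current.items():
        m, s = baseline.get(dst, (0.0, 0.0))
        if total > max(m + k * s, m + floor):
            alerts[dst] = total
    return alerts


def common_prefix(addrs):
    """Smallest IPv4 prefix containing every address in addrs."""
    ips = [ip_address(a) for a in addrs]
    net = ip_network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def fingerprint(flows, dst, bin_id, train_bins=TRAIN_BINS):
    """Characterise the anomaly: dominant protocol/port, its share of the traffic,
    and the sources never seen talking to dst during the baseline window."""
    known = {src for b, src, d, *_ in flows if d == dst and b in train_bins}
    by_service, by_src = Counter(), Counter()
    for b, src, d, proto, dport, pkts in flows:
        if b == bin_id and d == dst:
            by_service[(proto, dport)] += pkts
            by_src[src] += pkts
    (proto, dport), top = by_service.most_common(1)[0]
    new_sources = sorted(s for s in by_src if s not in known)
    return {
        "dst": dst, "proto": proto, "dport": dport,
        "share": top / sum(by_service.values()),
        "sources": len(by_src), "new_sources": new_sources,
        "new_source_prefix": str(common_prefix(new_sources)) if new_sources else None,
    }


def recommend_filters(fp, acl_number=150):
    """Cisco IOS-style filter text for the fingerprint. The syntax is IOS; which
    option to apply (ACL, rate limit, blackhole) remains the operator's call."""
    net = ip_network(fp["new_source_prefix"])
    acl = [
        f"access-list {acl_number} deny {fp['proto']} {net.network_address} "
        f"{net.hostmask} host {fp['dst']} eq {fp['dport']}",
        f"access-list {acl_number} permit ip any any",
    ]
    # Last resort when the link itself is saturating: a null route for the victim
    # completes the DoS for that one host but keeps the rest of the network up.
    blackhole = f"ip route {fp['dst']} 255.255.255.255 Null0"
    return acl, blackhole


if __name__ == "__main__":
    flows = build_sample_flows()
    for dst, total in detect(flows, profile(flows), ATTACK_BIN).items():
        fp = fingerprint(flows, dst, ATTACK_BIN)
        print(f"{dst}: {total} packets, {fp['proto']}/{fp['dport']} {fp['share']:.0%}, "
              f"{len(fp['new_sources'])} new sources in {fp['new_source_prefix']}")
        acl, blackhole = recommend_filters(fp)
        print("\n".join(acl), "\n# or:", blackhole)
```

Two design points are worth noting. The baseline threshold uses a floor as well as a standard-deviation multiple, because a destination with a flat training history has zero variance and would otherwise alert on any change at all. And the "new sources" part of the fingerprint is what makes the generated ACL usable: denying all UDP/53 to a DNS server would finish the attacker's job, whereas denying it from the prefix the new sources share (here 203.0.113.0/26) preserves the known-good clients. In a real attack the attacker population rarely fits one clean prefix, which is exactly the moment the slide's alternatives (rate limiting, BGP off-ramping to a sinkhole) come into play.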
Benefit
Instantly flags known and new (zero-day) attacks with minimal configuration
Quickly identify impacted customers and equipment
Understand the components to match the right solution
Stop the attack and quickly ensure normal network operation
Custom analysis for forensics, trending and research; share with customers, co-workers, partners
Feature / Function
Detection & Fingerprinting: anomaly-based detection and attack fingerprinting
Traceback: reconstructs the attack trajectory across the network
Analysis: generates detailed profiles of the anomalous traffic
Mitigation: intelligent, flexible, attack-specific mitigation options
Flexible Reporting: exports XML- and PDF-based anomaly data for offline analysis
Case Studies
Peakflow Deployments
A RECENT LARGE SCALE DOS ATTACK
Anomalies are classified as low, medium, or high. Different levels trigger alerts (email, SNMP, etc.)
Visual breakout of affected network elements.
THE ATTACK IN MORE DETAIL (PAGE 1)
Provide detailed information on characteristics of DoS attack.
THE ATTACK IN MORE DETAIL (PAGE 2)
Visual breakout of affected network elements.
Identifies routers and interfaces that are impacted by attack.
THE ATTACK IN MORE DETAIL (PAGE 3)
Presents a detailed fingerprint for the attack.
Automatically generates the appropriate ACL/CAR or firewall filter sets for blocking attack.
Complementary Methodologies
Detecting, backtracing and mitigating denial-of-services attacks
Blackhole monitoring of unused address blocks
Blackhole Monitoring
A block of dark address space that, while routable, contains no active hosts
Traffic to the blackhole is due to scans, worm propagation, or DDoS backscatter
Similar to using BGP off-ramping for traffic inspection
Components of Blackhole Monitor
Passive Module: passively measures the traffic, looking for scans and backscatter and quantifying the breadth of worm infections and the scope of DDoS attacks
Active Module: elicits payloads from an adaptively sampled number of end clients, reconstructing the client half of the payload and creating a fingerprint of the application request
Alerting Module: looks for rapid changes in the characteristics of the overall network traffic as well as the rise of new types of threats
Blackhole Monitoring
Measure wide-scale port scans and service sweeps by attackers
Characterize and quantify Internet worm activities
Estimate the type and severity of globally-scoped DDoS incidents
Wide-Area Blackhole Monitoring Project
Launched by Arbor Networks, Merit Network and University of Michigan in 2001
Collect traffic to a globally announced, unused /8 network: roughly 1/256 of the entire Internet address space
Complete the TCP handshake for 1 out of 100,000 requests
Reassemble worm payload; identify and log each hit
Save other traffic to disk
Random scans (SSH, DNS, RPC services, FTP, etc.)
DoS backscatter (TCP SYN+ACK and RST, ICMP unreachables)
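The passive module described above rests on one observation: nothing legitimate is ever addressed to dark space, so the type of each arriving packet identifies what it is. A SYN is a scan; a SYN+ACK, RST or ICMP unreachable is a reply to a packet the monitor never sent, which means some host is answering a flood with spoofed sources, and that host is the victim. Because a /8 receives 1/256 of uniformly spoofed traffic, the observed backscatter rate times 256 estimates the flood's rate. The following is an added example, not the code of the Arbor/Merit/Michigan monitor: it classifies a constructed capture and produces the scanner, port and victim summaries the slides describe. The dark block is a stand-in chosen so the arithmetic matches a /8, and every packet is constructed.

```python
"""Passive module of a blackhole monitor: classify packets arriving at a dark
address block as scans or DoS backscatter, and scale backscatter into an
estimate of the attack it came from. Added example, not the code of the
Arbor/Merit/Michigan monitor. The dark block and all packets are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Stand-in for the monitored, globally announced but unused /8. (10/8 is RFC 1918
# and not routable; it is used here only so the arithmetic matches a /8.)
DARK = ip_network("10.0.0.0/8")
SCALE = 2 ** 32 / DARK.num_addresses      # 256: the block sees 1/256 of random traffic


def build_sample_packets():
    """Constructed 10-second capture of (ts, src, dst, proto, dport, flags); flags
    are TCP flag letters (S, SA, R, RA) or the ICMP type as an int."""
    pkts = []
    # SSH sweep: one source walking 50 consecutive addresses in one dark /24
    for i in range(50):
        pkts.append((i * 0.2, "198.51.100.7", f"10.20.30.{i + 1}", "tcp", 22, "S"))
    # SYN+ACKs a web server sends back to spoofed, random sources that fell in our block
    for i in range(30):
        dst = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 53) % 256}"
        pkts.append((i / 3.0, "192.0.2.10", dst, "tcp", 1024 + i, "SA"))
    # RSTs from a host whose flooded port is closed
    for i in range(10):
        dst = f"10.{(i * 13) % 256}.5.{(i * 71) % 256}"
        pkts.append((i * 1.0, "192.0.2.11", dst, "tcp", 2000 + i, "RA"))
    # ICMP unreachables from a router in front of a UDP-flooded host
    for i in range(4):
        pkts.append((i * 2.5, "192.0.2.254", f"10.99.{i}.1", "icmp", 0, 3))
    return pkts


def classify(pkt):
    """A SYN into dark space is a scan; SYN+ACK, RST or ICMP unreachable is a
    reply to a packet we never sent, i.e. backscatter from a spoofed-source flood."""
    _ts, _src, dst, proto, _dport, flags = pkt
    if ip_address(dst) not in DARK:
        return "ignore"
    if proto == "tcp" and flags == "S":
        return "scan"
    if proto == "tcp" and flags in ("SA", "R", "RA"):
        return "backscatter"
    if proto == "icmp" and flags == 3:
        return "backscatter"
    return "probe"        # UDP and the rest: logged, not attributed


def summarize(pkts, window_s):
    """Per-scanner target counts, scanned-port histogram, and per-victim backscatter
    rate scaled up to the attack rate (valid only if spoofed sources are uniform)."""
    targets = defaultdict(set)
    ports = Counter()
    backscatter = Counter()
    for p in pkts:
        kind = classify(p)
        _ts, src, dst, _proto, dport, _flags = p
        if kind == "scan":
            targets[src].add(dst)
            ports[dport] += 1
        elif kind == "backscatter":
            backscatter[src] += 1       # the *source* of backscatter is the victim
    victims = {v: {"observed_pps": n / window_s,
                   "estimated_attack_pps": n / window_s * SCALE}
               for v, n in backscatter.items()}
    return {s: len(d) for s, d in targets.items()}, ports, victims


if __name__ == "__main__":
    scanners, ports, victims = summarize(build_sample_packets(), window_s=10.0)
    print("scanners:", scanners, "ports:", ports.most_common(3))
    for v, est in victims.items():
        print(f"victim {v}: {est['observed_pps']:.1f} pps seen "
              f"-> ~{est['estimated_attack_pps']:.0f} pps attack")
```

The estimate carries the caveat the earlier slides already imply: it only works for floods with uniformly spoofed sources. An attack from a botnet using real source addresses produces no backscatter at all, so a blackhole monitor undercounts exactly the attacks that the "spoofing is no longer cool" statistic says are now the majority. The active module (completing the handshake for a sampled fraction of connections to capture the request payload) is the complement that turns a scan into an identified worm; it is not shown here.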
The Blaster Worm – The View from 10,000 Feet
Wed July 16 2003 – LSD releases advisory: “Critical security vulnerability in MS OS”. No known exploit code; patch available. Affected Windows systems running DCOM RPC services, used for local networking by MS Windows systems.
Mon Aug 11 2003 – Blaster worm appears
Wed Aug 13 2003 – variants appear
How Blaster scans:
Scans a /24 sequentially from .0 to .254, not random hosts
40% of the time the /24 is within the local /16; 60% of the time it is a random /24
Scans the network for 135/TCP and listens on 69/UDP (TFTP); attempts the exploit when a connection is found
The attacking host then connects to 4444/TCP to use as a command-line interface, downloads msblast.exe via TFTP, and starts msblast.exe
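The scanning behaviour just described is distinctive enough to detect from flow records alone, without a signature for the exploit: a single source walking consecutive addresses of a /24 on 135/TCP, a follow-up connection to 4444/TCP on whichever host fell, and that host pulling the payload back over 69/UDP. The following is an added example, not from the slides: a detection rule that scores sources by their longest run of consecutive 135/TCP targets within one /24 and annotates hits with the corroborating 4444/TCP and TFTP activity. The flow records, the addresses and the `min_run` threshold are constructed for the example.

```python
"""Detection rule for the Blaster behaviour described above: a source walking a /24
sequentially on 135/TCP, a follow-up 4444/TCP shell, and the victim pulling the
payload back over 69/UDP. Added example; not from the slides. Flow records are
constructed and use RFC 5737 addresses."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def sample_flows():
    """Constructed (src, dst, proto, dport) records: one infected host sweeping its
    own /24, plus a workstation doing ordinary RPC lookups against three servers."""
    infected = "192.0.2.50"
    flows = [(infected, f"192.0.2.{last}", "tcp", 135) for last in range(255)]
    flows.append((infected, "192.0.2.77", "tcp", 4444))   # shell on the host that fell
    flows.append(("192.0.2.77", infected, "udp", 69))     # victim fetches msblast.exe
    for server in ("192.0.2.1", "192.0.2.2", "198.51.100.10"):
        flows.append(("192.0.2.120", server, "tcp", 135))
    return flows


def longest_run(last_octets):
    """Longest run of consecutive host numbers, the signature of a sequential sweep."""
    best = run = 0
    prev = None
    for o in sorted(set(last_octets)):
        run = run + 1 if prev is not None and o == prev + 1 else 1
        best = max(best, run)
        prev = o
    return best


def find_blaster_like(flows, min_run=16):
    """Sources with a sequential 135/TCP sweep of at least min_run consecutive
    addresses in one /24, annotated with corroborating 4444/TCP and TFTP activity."""
    sweeps = defaultdict(lambda: defaultdict(list))   # src -> /24 -> host octets hit
    shell = defaultdict(set)                          # src -> dsts contacted on 4444/TCP
    tftp_clients = defaultdict(set)                   # tftp server -> hosts pulling from it
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            net = ip_network(f"{dst}/24", strict=False)
            sweeps[src][str(net)].append(int(ip_address(dst)) & 0xFF)
        elif proto == "tcp" and dport == 4444:
            shell[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp_clients[dst].add(src)
    findings = {}
    for src, nets in sweeps.items():
        net, run = max(((n, longest_run(o)) for n, o in nets.items()), key=lambda x: x[1])
        if run >= min_run:
            findings[src] = {"swept": net, "run": run,
                             "shell_targets": sorted(shell.get(src, ())),
                             "tftp_clients": sorted(tftp_clients.get(src, ()))}
    return findings


if __name__ == "__main__":
    for src, f in find_blaster_like(sample_flows()).items():
        print(f"{src}: swept {f['swept']} ({f['run']} consecutive hosts on 135/tcp), "
              f"4444/tcp to {f['shell_targets']}, TFTP pulls from {f['tftp_clients']}")
```

Inventory and vulnerability scanners also walk subnets sequentially, so the run length alone is a lead rather than a verdict; the 4444/TCP and TFTP corroboration is what separates a worm from an administrator. Because Blaster prefers the local /16 40% of the time, much of this sweep traffic stays inside the campus and is visible only to internal flow collection, which is one reason the slides stress modelling the network as a whole rather than watching only the border.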
Blaster’s Traffic Patterns
Three phases of the worm lifecycle: growth, decay, persistence
Minimum doubling time of 2.3 hours during growth phase
Observed over 286,000 unique IP addresses in the blackhole
Containing Blaster
Exponential decay of Blaster observations, half-life 10.4 hrs
Contained very “quickly” – operators applying ingress/egress filters
Pretty much all cleaned up in 5 days
Breakdown of Infected Hosts
Reverse DNS lookups for active hosts show a global distribution
Second-level domain name analysis shows the impact on consumer broadband providers
Over 280K unique IP addresses observed in the blackhole displayed Blaster behavior
[Charts: breakdown of infected hosts by TLD and by 2LD]
Blaster’s Tenuous Grip
Welchia counter-worm released on August 18
Circadian pattern, peak near 00:00 EDT
Global TLD distribution of infected hosts
[Chart: Blaster observations over time, with the Welchia release marked]
Depth vs. Breadth Classification of Internet Threat Monitoring Architecture
Internet Motion Sensor – A Distributed Blackhole Monitor
Working with 30+ Internet Service Providers
Wrap Up
Attacks on ISP infrastructure: DoS attacks on backbone routers, routing protocol exploits, route hijacking
Increasing sophistication and severity of zero-day attacks on edge networks
Self-propagating malicious code: rapid propagation creates a DoS condition (Slammer); worms launched with a DoS payload (MS Blaster)
Increased interdependency with/on service providers and sites not under “your” control
Crumbling perimeter and internal security
More Info
White Papers & Research Reports:
“Service provider infrastructure security: Detecting, tracing, and mitigating network-wide anomalies”
“One size does not fit all: tailoring denial of service mitigation to maximize effectiveness”
“Intelligent network management with Peakflow Traffic”
“The Internet Motion Sensor (IMS): A distributed global scoped Internet threat monitoring system”
Contact Info:
Speaker: Farnam Jahanian ([email protected])
European Contact: Rob Pollard, Dir of EMEA Solutions
Steve Mulhearn, Mgr. of Consulting ([email protected])