Download Generic Template

The Changing Internet Ecology:
New Threats to Infrastructure Security
Farnam Jahanian
Arbor Networks / University of Michigan
Emerging Trends
 Globally scoped, respecting no geographic or
topological boundaries
 Exceptionally virulent, propagating to the entire
vulnerable population in the Internet in a matter of
minutes
 Zero- day threats, exploiting vulnerabilities for which
no signature or patch has been developed
Arbor Networks, inc. Proprietary
Infrastructure Security Threats







One large service provider experienced over 1,100 DoS
attacks in the 1st half of 2003. [Rob Thomas, NANOG 28]
Multi-gigabit attacks are increasingly routine. Attacks with
10Gbps aggregate capacity have been recorded.
Emerging threats from IRC bots - IRC bots support
automated scanning and exploitation of inadequately
protected Windows systems, also offer DDoS capabilities.
Massive pools of available zombies, e.g. IRC botnets with
over 140,000 machines. [CERT Advisory CA-2003-08, March 2003]
With so much capacity, spoofing source addresses is no
longer “cool”.
Of 1.127 attacks on a large ISP, only 4 employed spoofed
addresses! [Rob Thomas, NANOG 28]
During Slammer, 75K hosts infected in 30 min. [Moore et al,
NANOG February, 2003]

At peak, 5 Billion injection attempts per day during Nimda.
[Arbor Networks, Sep. 2001]
Arbor Networks, inc. Proprietary
SQL Slammer Attack Propagation
0 hosts infected at the start
75,000 hosts infected in 30 min.
Infections doubled every 8.5 sec.
Spread 100X faster than Code Red
At peak, scanned 55M hosts per sec.
[Moore, Paxson, et al; NANOG February, 2003]
Arbor Networks, inc. Proprietary
Impact of Slammer on the Internet
Loss of several thousand routes, mostly /24s
Arbor Networks, inc. Proprietary
The Evolution of Network Threats
Problems that manifest
themselves network-wide:
 DDoS
 Zero-day worms / AV
 Routing attacks
Arbor Networks, inc. Proprietary
Complementary Techniques
 Detecting, backtracing and mitigating denial-ofservices attacks
 Blackhole monitoring of unused address blocks
Arbor Networks, inc. Proprietary
Denial-of-Service
A denial-of-service attack is characterized by an
explicit attempt by attackers to prevent legitimate users
of a service from using that service. [CERT]



Arbor Networks, inc. Proprietary
Attempts to "flood" a network, thereby
preventing legitimate network traffic
Attempts to disrupt connections between
users and web sites, thereby preventing
access to a service
Attempts to prevent access to critical
infrastructure such as DNS or service
provider routers
Distributed Denial-of-Service
 Phase I: The Initial Intrusions
 Scan networks, identify vulnerable hosts,
compromise by installing tools and backdoors
 Phase II: The Distributed DoS Attacks
 Signal and launch attacks on target web sites,
communication links, routers, DNS, etc.
 Self-propagating worms sometimes blur the
distinction between Phase I and II
Arbor Networks, inc. Proprietary
Myth #1: Magic Box!



Put “filtering box” at
enterprise border
Stop drinking from fire
hose, close your mouth
May not even see
attack: on upstream
router or on firewall
Arbor Networks, inc. Proprietary
Myth #2: IDS Tools
 Rely on intrusion detection
systems for DoS detection
and classification
 Signature-based IDS tools
cannot identify zero-day
attacks, e.g. SLAMMER
Worm
Best Practices
“Practice good computer hygiene”
Patch well-known holes and vulnerabilities
Deploy anti-spoof egress filtering
Policies and procedures for handling alerts
Campus-wide incident response team
Internet Routing Registry
Mechanisms and procedures for sharing
information and working with upstream providers
 Push for routing and DNS authentication







Arbor Networks, inc. Proprietary
Still Not Enough!
So what is the solution?
Network Anomaly Detection
A proactive, holistic, dynamic approach to security.
Operators must model their
infrastructure network-wide, rather than
model the myriad threats against
individual components.
Arbor Networks, inc. Proprietary
Peakflow Architecture
Build a model of normal behavior leveraging flow data topology
information from routers; employ signature analysis and
dynamic profiling to monitor and detect DoS attacks in real-time;
use distributed event aggregation techniques to backtrace
attackers; apply attack-specific remediation methods to
minimize impact on target.
Network
Topology
Information
Real-Time
Traffic Flow
Statistics
Solution
Network
Traffic
Profiles
Arbor Networks, inc. Proprietary
Correlation &
Analysis
Techniques
How Peakflow Works
Service Provider C
Service Provider A
Service Provider B
Collector
Filter:
Peakflow DoS
Profile/Monitor:
Controller
Detect:
Peakflow
recommends
DoSfilters
Peakflow
Trace: DoS
dynamically
(X), which the
profiles
Collectors
Peakflow create
DoS and
traffic
network
patterns
engineer
in the
can
forward
Controllers
unique
then
network
implement
and
toanalyzes
stop the
anomaly
quickly trace
fingerprints
the
traffic
attackfor
before
anomalies
it brings
–
toattack
Peakflow
to itsDoS
source.
without
down key
disrupting
routers,
Controllers.
traffic
firewalls
flow
and
to routers
IDS
solutions, or the
entire network.
Arbor Networks, inc. Proprietary
Collector
Controller
IDS
Firewall
Customer Site:
Web Servers
DNS Servers
Database Servers
Mitigation Strategies
 Do Nothing! (very popular)
 Notify downstream AS or upstream provider
 Packet Filters: ACLs or Firewall
 Filter based on attack characteristics
 Rate Limit Traffic
 Based on attack characteristics: ICMP, UDP, TCP SYN
 QoS policy propagation with BGP (special community)
 BGP Blackhole Routing
 Sinkhole Diversion or Off-Ramping
Also provide the data necessary to know which one to
choose and how to configure it.
Arbor Networks, inc. Proprietary
Feature
Function
Benefit
Detection &
Fingerprinting
Anomaly-based detection and
attack fingerprinting
Instantly flags known and new
(zero-day) attacks with minimal
configuration
Traceback
Reconstructs the attack
trajectory across the network
Analysis
Generate detailed profiles of the
anomalous traffic
Mitigation
Intelligent, flexible, attackspecific mitigation options
Flexible Reporting
Exports XML and PDF-based
anomaly data for offline analysis
Arbor Networks, inc. Proprietary
Quickly identify impacted
customers and equipment
Understand the components to
match the right solution
Stop the attack and quickly
ensure normal network operation
Custom analysis for forensics,
trending and research; share with
customers, co-workers, partners
Case Studies
Peakflow Deployments
Arbor Networks, inc. Proprietary
A RECENT LARGE SCALE DOS ATTACK
Anomalies are
classified as low,
medium, or high.
Different levels
trigger alerts
(email, SNMP, etc.)
Visual breakout of
affected network
elements.
Arbor Networks, inc. Proprietary
THE ATTACK IN MORE DETAIL (PAGE 1)
Provide detailed
information on
characteristics of DoS
attack.
Arbor Networks, inc. Proprietary
THE ATTACK IN MORE DETAIL (PAGE 2)
Visual breakout of
affected network
elements.
Identifies routers and
interfaces that are
impacted by attack.
Arbor Networks, inc. Proprietary
THE ATTACK IN MORE DETAIL (PAGE 3)
Presents a detailed
fingerprint for the
attack.
Automatically
generates the
appropriate
ACL/CAR or
firewall filter sets
for blocking attack.
Arbor Networks, inc. Proprietary
Complementary Methodologies
 Detecting, backtracing and mitigating denial-of-services
attacks
 Blackhole monitoring of unused address blocks
Arbor Networks, inc. Proprietary
Blackhole Monitoring
Block of dark address space that while routable, contain no active hosts
Traffic on the blackhole is due to scans, worm propagation, or DDoS backscatter
Similar to using BGP off-ramping for traffic inspection
Arbor Networks, inc. Proprietary
Components of Blackhole Monitor
 Passive Module: passive measures the traffic, looking for scans
and backscatter and quantifying the breadth of worm infections
and scope of DDoS attacks
 Active Module: elicits payloads from an adaptively sampled
number of end clients, reconstructing the client half of the
payload and creating a finger print of the application request
 Alerting Module: looks for rapid changes in the characteristics of
the overall network traffic as well as the rise of new types of
threats
Arbor Networks, inc. Proprietary
Blackhole Monitoring
 Measure wide-scale port scans and
service sweeps by attackers
 Characterize and quantify Internet
worm activities
 Estimate the type and severity of
globally-scoped DDoS incidents
Arbor Networks, inc. Proprietary
Wide-Area Blackhole Monitoring
Project
 Launched by Arbor Networks, Merit network and
University of Michigan in 2001
 Collect traffic to a globally announced, unused
/8 network
 Roughly 1/256 of entire Internet address space
 Complete TCP handshake for 1 out of 100,000
requests
 Reassemble worm payload, identify and log each hit
 Save other traffic to disk
 Random scans (SSH, DNS, RPC services, FTP, etc.)
 DoS backscatter (TCP SYN+ACK and RST, ICMP
unreachables)
Arbor Networks, inc. Proprietary
The Blaster Worm –
The View from 10,000 Feet
 Wed July 16 2003 – LSD release advisory
 “Critical security vulnerability in MS OS”
 No known exploit code; patch available
 Affected Windows running DCOM RPC services – used
for local networking by MS Windows systems
 Mon Aug 11 2003 – Blaster Worm appears
 Wed Aug 13 2003 – variants appear
How Blaster scans
 Scans /24 from 0-254, not random hosts
 40% of time, /24s within local /16
 60% of the time random /24
 Scan network for 135/TCP, listen on 69/UDP (TFTP)
 Attempt exploit when connection is found
 Then attacking host connects to 4444/TCP to use as
command line interface
Arbor Networks, inc. Proprietary
 Download msblast.exe via TFTP, start msblast.exe
Blaster’s Traffic Patterns
Three phases of the worm lifecycle: growth,decay, persistence
Minimum doubling time of 2.3 hours during growth phase
Observed over 286,000 unique IP addresses in the blackhole
Arbor Networks, inc. Proprietary
Containing Blaster
Exponential decay of Blaster observations, half-life 10.4 hrs
Contained very “quickly” – operators applying ingress/egress filters
Pretty much all cleaned up in 5 days
Arbor Networks, inc. Proprietary
Breakdown of Infected Hosts
TLD
2LD
Reverse DNS lookups for active hosts shows a global distribution
Second-level domain name analysis shows impact on consumer broadband providers
Observed over 280K unique IP addresses in the blackhole display Blaster behavior
Arbor Networks, inc. Proprietary
Blaster’s Tenuous Grip
Welchia
Welchia counter worm released on August 18
Circadian pattern, peak near 00:00EDT
Global TLD distribution of infected hosts
Arbor Networks, inc. Proprietary
Depth vs. Breadth Classification of
Internet Threat Monitoring Architecture
Arbor Networks, inc. Proprietary
Internet Motion Sensor –
A Distributed Blackhole Monitor
Working with 30+ Internet Service Providers
Arbor Networks, inc. Proprietary
Wrap UP
 Attacks on ISP infrastructure: DoS attacks on backbone
routers, routing protocol exploits, route hijacking
 Increasing sophistication and severity of zero-day attacks
on edge networks
 Self-propagating malicious code:
 Rapid propagation creates DoS condition (Slammer)
 Worms launched with DoS payload (MS Blaster)
 Increased Interdependency with/on service provider and
sites not under “your” control
 Crumbling Perimeter and internal security
Arbor Networks, inc. Proprietary
More Info
White Papers & Research Reports:




“Service provider infrastructure security: Detecting, tracing, and
mitigating network-wide anomalies”
“One size does not fit all: tailoring denial of service mitigation to
maximize effectiveness”
“Intelligent network management with Peakflow Traffic”
“The Internet Motion Sensor (IMS): A distributed global scoped Internet
threat monitoring system”
Contact Info:
Speaker:
European Contact:
Arbor Networks, inc. Proprietary
Farnam Jahanian ([email protected])
Rob Pollard, Dir of EMEA Solutions
Steve Mulhearn, Mgr. of Consulting Engineering
[email protected]