The Changing Internet Ecology: New Threats to Infrastructure Security
Farnam Jahanian, Arbor Networks / University of Michigan

Emerging Trends
- Globally scoped, respecting no geographic or topological boundaries
- Exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes
- Zero-day threats, exploiting vulnerabilities for which no signature or patch has been developed
Arbor Networks, inc. Proprietary

Infrastructure Security Threats
- One large service provider experienced over 1,100 DoS attacks in the 1st half of 2003. [Rob Thomas, NANOG 28]
- Multi-gigabit attacks are increasingly routine. Attacks with 10 Gbps aggregate capacity have been recorded.
- Emerging threats from IRC bots: IRC bots support automated scanning and exploitation of inadequately protected Windows systems, and also offer DDoS capabilities.
- Massive pools of available zombies, e.g. IRC botnets with over 140,000 machines. [CERT Advisory CA-2003-08, March 2003]
- With so much capacity, spoofing source addresses is no longer “cool”. Of 1,127 attacks on a large ISP, only 4 employed spoofed addresses! [Rob Thomas, NANOG 28]
- During Slammer, 75K hosts were infected in 30 min. [Moore et al., NANOG February 2003]
- At peak, 5 billion injection attempts per day during Nimda. [Arbor Networks, Sep. 2001]

SQL Slammer Attack Propagation
- 0 hosts infected at the start; 75,000 hosts infected in 30 min.
- Infections doubled every 8.5 sec.
- Spread 100X faster than Code Red
- At peak, scanned 55M hosts per sec.
[Moore, Paxson, et al.; NANOG February 2003]

Impact of Slammer on the Internet
- Loss of several thousand routes, mostly /24s

The Evolution of Network Threats
- Problems that manifest themselves network-wide: DDoS, zero-day worms / AV, routing attacks
Complementary Techniques
- Detecting, backtracing and mitigating denial-of-service attacks
- Blackhole monitoring of unused address blocks

Denial-of-Service
- A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. [CERT]
- Attempts to "flood" a network, thereby preventing legitimate network traffic
- Attempts to disrupt connections between users and web sites, thereby preventing access to a service
- Attempts to prevent access to critical infrastructure such as DNS or service provider routers

Distributed Denial-of-Service
- Phase I: The Initial Intrusions. Scan networks, identify vulnerable hosts, compromise by installing tools and backdoors
- Phase II: The Distributed DoS Attacks. Signal and launch attacks on target web sites, communication links, routers, DNS, etc.
- Self-propagating worms sometimes blur the distinction between Phase I and II

Myth #1: Magic Box!
- Put “filtering box” at enterprise border
- Stop drinking from fire hose, close your mouth
- May not even see attack: on upstream router or on firewall

Myth #2: IDS Tools
- Rely on intrusion detection systems for DoS detection and classification
- Signature-based IDS tools cannot identify zero-day attacks, e.g. SLAMMER Worm

Best Practices
- “Practice good computer hygiene”
- Patch well-known holes and vulnerabilities
- Deploy anti-spoof egress filtering
- Policies and procedures for handling alerts
- Campus-wide incident response team
- Internet Routing Registry
- Mechanisms and procedures for sharing information and working with upstream providers
- Push for routing and DNS authentication

Still Not Enough! So what is the solution?
- Network Anomaly Detection: a proactive, holistic, dynamic approach to security.
- Operators must model their infrastructure network-wide, rather than model the myriad threats against individual components.

Peakflow Architecture
- Build a model of normal behavior leveraging flow data and topology information from routers; employ signature analysis and dynamic profiling to monitor and detect DoS attacks in real time; use distributed event aggregation techniques to backtrace attackers; apply attack-specific remediation methods to minimize impact on the target.
- Inputs: Network Topology Information, Real-Time Traffic Flow Statistics. Solution: Network Traffic Profiles, Correlation & Analysis Techniques.

How Peakflow Works
(Diagram: Service Providers A, B and C; Collector; Controller; IDS; Firewall; Customer Site with Web Servers, DNS Servers, Database Servers. Callouts reconstructed from the diagram text:)
- Profile/Monitor: Peakflow DoS Collectors in the network create unique traffic profiles and forward traffic patterns to Peakflow DoS Controllers.
- Detect: Peakflow DoS Controllers analyze traffic for anomalies and dynamically fingerprint the attack, without disrupting traffic flow to routers.
- Trace: Peakflow can quickly trace the anomaly to its source.
- Filter: Peakflow DoS recommends filters (X), which the network engineer can then implement to stop the attack before it brings down key routers, firewalls and IDS solutions, or the entire network.

Mitigation Strategies
- Do Nothing! (very popular)
- Notify downstream AS or upstream provider
- Packet Filters: ACLs or Firewall, filtered based on attack characteristics
- Rate Limit Traffic based on attack characteristics: ICMP, UDP, TCP SYN
- QoS policy propagation with BGP (special community)
- BGP Blackhole Routing
- Sinkhole Diversion or Off-Ramping
- Also provide the data necessary to know which one to choose and how to configure it.
Feature | Function | Benefit
Detection & Fingerprinting | Anomaly-based detection and attack fingerprinting | Instantly flags known and new (zero-day) attacks with minimal configuration
Traceback | Reconstructs the attack trajectory across the network | Quickly identify impacted customers and equipment
Analysis | Generate detailed profiles of the anomalous traffic | Understand the components to match the right solution
Mitigation | Intelligent, flexible, attack-specific mitigation options | Stop the attack and quickly ensure normal network operation
Flexible Reporting | Exports XML and PDF-based anomaly data for offline analysis | Custom analysis for forensics, trending and research; share with customers, co-workers, partners

Case Studies: Peakflow Deployments

A Recent Large Scale DoS Attack
- Anomalies are classified as low, medium, or high. Different levels trigger alerts (email, SNMP, etc.)
- Visual breakout of affected network elements.

The Attack in More Detail (Page 1)
- Provides detailed information on the characteristics of the DoS attack.

The Attack in More Detail (Page 2)
- Visual breakout of affected network elements.
- Identifies routers and interfaces that are impacted by the attack.

The Attack in More Detail (Page 3)
- Presents a detailed fingerprint for the attack.
- Automatically generates the appropriate ACL/CAR or firewall filter sets for blocking the attack.

Complementary Methodologies
- Detecting, backtracing and mitigating denial-of-service attacks
- Blackhole monitoring of unused address blocks

Blackhole Monitoring
- Block of dark address space that, while routable, contains no active hosts
- Traffic on the blackhole is due to scans, worm propagation, or DDoS backscatter
- Similar to using BGP off-ramping for traffic inspection
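The classification the blackhole monitoring slides describe (scans and worm probes versus DDoS backscatter such as SYN+ACK, RST and ICMP unreachables), as an added example that is not Arbor or IMS code: the record layout and the sample packets are constructed for illustration.

```python
"""Classify packets arriving at an unused (dark) address block.  Nobody
legitimately talks to dark space, so each packet is an unsolicited probe or a
reply to something that spoofed one of our addresses.  Added example, not
Arbor/IMS code; the record layout and samples are constructed."""
from collections import Counter, defaultdict

# Constructed packets observed on a dark /8:
# (src_ip, proto, tcp_flags, sport, dport, icmp_type)
SAMPLE = [
    ("10.1.1.5",     "tcp",  "S",  3201, 135,   None),  # 135/TCP probe, Blaster-style
    ("10.1.1.5",     "tcp",  "S",  3202, 135,   None),
    ("10.1.2.9",     "tcp",  "S",  4410, 22,    None),  # SSH scan
    ("10.1.3.1",     "udp",  "",   1434, 1434,  None),  # UDP 1434 probe, Slammer-style
    ("192.0.2.7",    "tcp",  "SA", 80,   51000, None),  # SYN+ACK: flooded web server replying
    ("192.0.2.7",    "tcp",  "R",  80,   51001, None),  # RST from the same victim
    ("198.51.100.3", "icmp", "",   0,    0,     3),     # ICMP unreachable: backscatter
]

BACKSCATTER_ICMP = {3, 11}  # destination unreachable, time exceeded

def classify(pkt):
    """Return 'scan', 'backscatter' or 'other' for one dark-block packet."""
    src, proto, flags, sport, dport, icmp_type = pkt
    if proto == "tcp":
        if flags == "S":                 # connection attempt: scan or worm probe
            return "scan"
        if flags in ("SA", "R", "RA"):   # a reply: the source is a DoS victim
            return "backscatter"
        return "other"
    if proto == "udp":
        return "scan"
    if proto == "icmp":
        return "backscatter" if icmp_type in BACKSCATTER_ICMP else "other"
    return "other"

def summarize(packets):
    """Unique scanners, unique DoS victims, and the most-probed services."""
    sources = defaultdict(set)
    probed = Counter()
    for pkt in packets:
        cls = classify(pkt)
        sources[cls].add(pkt[0])
        if cls == "scan":
            probed[(pkt[1], pkt[4])] += 1
    return {
        "scanners": sorted(sources["scan"]),
        "dos_victims": sorted(sources["backscatter"]),
        "top_probed": probed.most_common(3),
    }
```

Because a /8 is 1/256 of the address space, backscatter counts seen here scale up by roughly 256 if the attacker spoofs sources uniformly.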
Components of Blackhole Monitor
- Passive Module: passively measures the traffic, looking for scans and backscatter and quantifying the breadth of worm infections and scope of DDoS attacks
- Active Module: elicits payloads from an adaptively sampled number of end clients, reconstructing the client half of the payload and creating a fingerprint of the application request
- Alerting Module: looks for rapid changes in the characteristics of the overall network traffic as well as the rise of new types of threats

Blackhole Monitoring
- Measure wide-scale port scans and service sweeps by attackers
- Characterize and quantify Internet worm activities
- Estimate the type and severity of globally-scoped DDoS incidents

Wide-Area Blackhole Monitoring Project
- Launched by Arbor Networks, Merit Network and University of Michigan in 2001
- Collect traffic to a globally announced, unused /8 network (roughly 1/256 of the entire Internet address space)
- Complete the TCP handshake for 1 out of 100,000 requests; reassemble the worm payload, identify and log each hit
- Save other traffic to disk: random scans (SSH, DNS, RPC services, FTP, etc.), DoS backscatter (TCP SYN+ACK and RST, ICMP unreachables)

The Blaster Worm – The View from 10,000 Feet
- Wed July 16 2003 – LSD releases advisory “Critical security vulnerability in MS OS”. No known exploit code; patch available. Affected Windows running DCOM RPC services, used for local networking by MS Windows systems
- Mon Aug 11 2003 – Blaster Worm appears
- Wed Aug 13 2003 – variants appear

How Blaster Scans
- Scans /24 from 0-254, not random hosts
- 40% of the time, /24s within the local /16; 60% of the time a random /24
- Scans the network for 135/TCP, listens on 69/UDP (TFTP)
- Attempts exploit when a connection is found
- Then the attacking host connects to 4444/TCP to use as a command line interface
- Downloads msblast.exe via TFTP, starts msblast.exe

Blaster’s Traffic Patterns
- Three phases of the worm lifecycle: growth, decay, persistence
- Minimum doubling time of 2.3 hours during growth phase
- Observed over 286,000 unique IP addresses in the blackhole

Containing Blaster
- Exponential decay of Blaster observations, half-life 10.4 hrs
- Contained very “quickly” – operators applying ingress/egress filters
- Pretty much all cleaned up in 5 days

Breakdown of Infected Hosts (by TLD and 2LD)
- Reverse DNS lookups for active hosts show a global distribution
- Second-level domain name analysis shows impact on consumer broadband providers
- Observed over 280K unique IP addresses in the blackhole displaying Blaster behavior

Blaster’s Tenuous Grip: Welchia
- Welchia counter worm released on August 18
- Circadian pattern, peak near 00:00 EDT
- Global TLD distribution of infected hosts

Depth vs. Breadth
- Classification of Internet Threat Monitoring Architecture

Internet Motion Sensor – A Distributed Blackhole Monitor
- Working with 30+ Internet Service Providers

Wrap Up
- Attacks on ISP infrastructure: DoS attacks on backbone routers, routing protocol exploits, route hijacking
- Increasing sophistication and severity of zero-day attacks on edge networks
- Self-propagating malicious code: rapid propagation creates a DoS condition (Slammer); worms launched with a DoS payload (MS Blaster)
- Increased interdependency with/on service providers and sites not under “your” control
- Crumbling perimeter and internal security
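The kind of rate-of-change check the Alerting Module slide describes, applied to the growth and decay figures on the Blaster traffic slides, as an added example that is not Arbor or IMS code: the hourly series is constructed to resemble the Blaster curve, and the function names are my own.

```python
"""Alert on a worm outbreak from a dark-block time series: estimate the doubling
time during growth (alert when it is short) and the half-life during containment.
Added example, not Arbor/IMS code; the series below is constructed."""
import math

# Constructed hourly counts of unique sources probing 135/TCP on the dark block,
# shaped like the Blaster curve on the slides: growth, then exponential decay.
SERIES = [(0, 1000), (1, 1350), (2, 1823), (3, 2460), (4, 3200),
          (14, 1600), (24, 800), (34, 400)]   # (hour, unique sources)

def doubling_time(t0, n0, t1, n1):
    """Hours for the count to double, assuming exponential change between the
    two samples; negative means decay, math.inf means the count is flat."""
    if n0 <= 0 or n1 <= 0 or t1 == t0:
        raise ValueError("need positive counts at distinct times")
    rate = math.log2(n1 / n0) / (t1 - t0)          # doublings per hour
    return math.inf if rate == 0 else 1.0 / rate

def alerts(series, max_doubling_hours=3.0):
    """(hour, doubling_time) for every interval growing faster than the threshold;
    Blaster's 2.3 h minimum doubling time would trip the default."""
    out = []
    for (t0, n0), (t1, n1) in zip(series, series[1:]):
        d = doubling_time(t0, n0, t1, n1)
        if 0 < d <= max_doubling_hours:
            out.append((t1, round(d, 2)))
    return out

def containment_half_life(series):
    """Half-life in hours from the peak sample to the last one (None if no decay)."""
    peak_i = max(range(len(series)), key=lambda i: series[i][1])
    if peak_i == len(series) - 1:
        return None
    d = doubling_time(*series[peak_i], *series[-1])
    return -d if d < 0 else None

def hosts_remaining(n_peak, half_life_hours, hours_after_peak):
    """Expected still-infected hosts after a given time, e.g. 286,000 hosts with
    a 10.4 h half-life after five days (the slides' "cleaned up in 5 days")."""
    return n_peak * 2 ** (-hours_after_peak / half_life_hours)
```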
More Info
White Papers & Research Reports:
- “Service provider infrastructure security: Detecting, tracing, and mitigating network-wide anomalies”
- “One size does not fit all: tailoring denial of service mitigation to maximize effectiveness”
- “Intelligent network management with Peakflow Traffic”
- “The Internet Motion Sensor (IMS): A distributed global scoped Internet threat monitoring system”

Contact Info:
- Speaker: Farnam Jahanian ([email protected])
- European Contact: Rob Pollard, Dir of EMEA Solutions; Steve Mulhearn, Mgr. of Consulting Engineering
- [email protected]