TransPAC2 Measurement

Transcript TransPAC2 Measurement

REN-ISAC and Peakflow SP

John Hicks
Indiana University
TransPAC2
[email protected]

23rd APAN Meeting Manila, Philippines January 25 2007
REN-ISAC

• Is an integral part of U.S. higher education’s strategy to improve network
security through information collection, analysis, dissemination, early
warning, and response;
• Specifically designed to support the unique environment and needs of
organizations connected to the higher education and research networks it serves.
• Supports efforts to protect the national cyber infrastructure by participating
in the formal U.S. ISAC structure.
• http://www.ren-isac.net/
REN-ISAC Security Efforts

• Information products
– Daily Weather Report
– Daily Darknet Reports
– Alerts
– Notifications
– Monitoring views
• Incident response
• 24x7 Watch Desk
• Cybersecurity Contact Registry
• Tool development
• Security infrastructures work in specific communities, e.g. grids
• Participation in other higher education efforts
Complementary Relationships

• REN-ISAC has core complementary relationships with:
– EDUCAUSE
– Internet2
– EDUCAUSE and Internet2 Security Task Force
– IU Global NOC and Abilene network engineering
– IU Advanced Network Management Lab
– IU Information Technology Security Office
– US Department of Homeland Security & US-CERT
– IT-ISAC
– ISAC Council
– SALSA
Complementary Relationships

• US Department of Homeland Security - Information Analysis and
Infrastructure Protection Directorate has the objective to implement the
national strategy and to promote public/private partnerships for information
sharing and analysis – ISACs.
• ISACs are encouraged in each critical sector of national security and the
economy, e.g. IT, water, agriculture, energy, transportation, finance, etc.
• ISAC Council is a body of the private sector ISACs that promotes
cooperation, sharing, and relation to DHS.
• National Cyber Security Partnership is a public-private collaboration
focused on strategies and actions to assist the DHS National Cyber Security
Division in implementation of the President’s National Strategy to Secure
Cyberspace.
Information Resources

• Network instrumentation
• Router NetFlow, BGP, and SNMP data (Peakflow SP)
• Router ACL counters
• Darknet
• Global NOC operational monitoring systems
• Daily cybersecurity status calls with ISACs and US-CERT
• Vetted/closed network security collaborations
• Backbone and member security and network engineers
• Vendors, e.g. monthly ISAC calls with vendors
• Security mailing lists, e.g. EDUCAUSE, etc.
• Members – related to incidents on local networks
Internet2 NetFlow Policy

• REN-ISAC & Internet2 NetFlow data policy agreement,
highlights:
– Data is anonymized to /21. Under perceived threat and at
the request of involved institutions the REN-ISAC can
selectively turn off anonymization.
– Publicly reported information is restricted to aggregate
views of the network. Information that identifies specific
institutions or individuals cannot be reported publicly.
– Detailed and sensitive information must be communicated
with designated representatives of the affected institutions
and refer only to local activity, unless otherwise authorized.
– TransPAC2 has adopted the Internet2 NetFlow Policy.
NetFlow Analysis – Traffic Grapher

IU ANML-developed tool. Graphs NetFlow by source and destination
port numbers, IP addresses and networks (in CIDR format), and AS
numbers; ICMP, TCP or UDP. Optimized for performance.
Traffic on Common and Threat Vector Ports

• Utilize Traffic Grapher to provide public views of Internet2
traffic on common application and threat vector ports.
• http://ren-isac.net/monitoring.cgi
• Also utilize ACL counters in routers to collect and publish
similar views.
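The Traffic Grapher and port-view slides above describe aggregating NetFlow by port, CIDR network, AS number and protocol, and the NetFlow policy slide requires /21 anonymization for anything published. The block below is an added example written for this page; it is not the IU ANML Traffic Grapher or any REN-ISAC code. The flow record layout, the sample flows and the list of "common and threat vector" ports are constructed assumptions (the deck does not list the ports it graphs).

```python
"""Aggregate NetFlow-style records by destination port, CIDR prefix, AS and
protocol, and build a publishable (anonymized, aggregate-only) port view.

Added example, not the IU ANML Traffic Grapher. Record format, sample flows
and the watched-port list are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed flow records:
# (src_ip, dst_ip, proto, src_port, dst_port, src_as, dst_as, bytes)
SAMPLE_FLOWS = [
    ("10.1.5.7",     "192.0.2.10", "tcp",  51234, 80,  64512, 64513, 120000),
    ("10.1.5.9",     "192.0.2.10", "tcp",  51235, 443, 64512, 64513, 80000),
    ("203.0.113.4",  "192.0.2.22", "tcp",  40000, 445, 64514, 64513, 1500),
    ("203.0.113.5",  "192.0.2.23", "tcp",  40001, 445, 64514, 64513, 1500),
    ("198.51.100.1", "192.0.2.53", "udp",  33000, 53,  64515, 64513, 9000),
    ("198.51.100.2", "192.0.2.53", "icmp", 0,     0,   64515, 64513, 700),
]

# Assumed "common application and threat vector" ports; not from the deck.
WATCHED_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 135: "msrpc",
                 139: "netbios", 443: "https", 445: "smb", 1434: "ms-sql-m"}


def bytes_by_dst_port(flows, proto=None):
    """Bytes per destination port, optionally restricted to one protocol."""
    totals = defaultdict(int)
    for _src, _dst, p, _sp, dp, _sas, _das, nbytes in flows:
        if proto and p != proto:
            continue
        totals[dp] += nbytes
    return dict(totals)


def bytes_by_network(flows, cidr, direction="src"):
    """Bytes whose source (or destination) address falls inside a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    total = 0
    for src, dst, _p, _sp, _dp, _sas, _das, nbytes in flows:
        addr = ipaddress.ip_address(src if direction == "src" else dst)
        if addr in net:
            total += nbytes
    return total


def bytes_by_as(flows, direction="src"):
    """Bytes per source (or destination) AS number."""
    totals = defaultdict(int)
    for _src, _dst, _p, _sp, _dp, sas, das, nbytes in flows:
        totals[sas if direction == "src" else das] += nbytes
    return dict(totals)


def anonymize(ip, prefix_len=21):
    """Truncate an address to its /prefix_len network (the policy's /21 default),
    so that a published record no longer identifies a host."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address)


def watched_port_view(flows):
    """Public-style view: aggregate bytes on watched ports only, no host identifiers."""
    per_port = bytes_by_dst_port(flows)
    return {WATCHED_PORTS[p]: b for p, b in per_port.items() if p in WATCHED_PORTS}


if __name__ == "__main__":
    print(watched_port_view(SAMPLE_FLOWS))
    print({anonymize(f[0]) for f in SAMPLE_FLOWS})
```

Note that `watched_port_view` never emits an address, and `anonymize` is what a record must pass through before it leaves the aggregate view; the policy's "selectively turn off anonymization" case corresponds to calling the aggregation functions on the raw records instead.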
Warning and Response

• REN-ISAC Watch Desk
– 24 x 7
– Co-located and staffed with the Global Research NOC
– +1 (317) 278-6630
– [email protected]
• Public reports to the U.S. higher education community regarding analysis at
aggregate views.
• Private reports to institutions regarding active threat involving their
institution.
• Daily Reports
– REN-ISAC Weather Report
– Darknet Report
• Public views from monitoring systems
• Infrastructure security, traffic analysis, managed DoS protection via
intelligent netflow analysis
– Network Anomaly Detection:
• DDoS, worms, network and bandwidth abuse
– Integrated Mitigation
• seamless operation with a variety of DoS mitigation tools; filtering,
rate-limiting, BGP blackholing, off-ramping/sinkholing, etc.
– Analytics: peering evaluation, BGP routing
– Reporting
• real-time and customized anomaly and traffic reports
– Customer-facing DoS Portal
• Gives customers a first-hand view of their traffic inside
the service provider’s network; customers set their own
thresholds and alerts
– Fingerprint Sharing
• Share anomaly fingerprints with peers, customers, etc.
for upstream DoS mitigation
Threat Management System

• Arbor officially released the Arbor Peakflow SP TMS (Threat Management
System) device in August 2006
• First-and-only carrier-class service provider threat management device for
multi-service converged networks
• SP now unifies network-wide intelligence (CP) and carrier-class threat
management (TMS) to enable the following:
1. Secure your infrastructure from the full spectrum of threats: botnets,
DNS attacks, DDoS, worms, phishing, SPAM, spyware, etc.
2. Manage your multi-service network by visualizing VoIP, web, mail,
DNS, P2P, and IM traffic across your network
3. Rollout network-based security service offerings leveraging multiple
security features on a single platform
• TMS adds a powerful mitigation component to SP as well as augments its
flow-based detection and reporting with application-layer capabilities
Why TMS?

• SP TMS technology addresses multi-service network infrastructure threats
and visibility needs
– Provide application-layer processing and analysis
• Layer 7 reporting of mission-critical applications: VoIP, IM, P2P, etc.
• Layer 7 packet scrubbing and mitigation
– Address multiple security threats on a single platform
– Fit specific operational needs of service providers
• SP TMS technology augments flow-based SP technologies
– Provide comprehensive network-wide situational awareness augmented
with more specific application-layer traffic reports
– Detect and combat today’s and tomorrow’s infrastructure threats
– Offer a seamless workflow to manage infrastructure threats
– Secure and better understand IP VPN deployments
Hardware

• OEM platform from Bivio Networks
• Contains 7 PowerPC processors connected by switch fabric
– 1 management processor and 6 application processors
• 2 Gbps mitigation performance in the current release; 10 Gbps
performance available
TMS High Level Features

• Mitigation
– Stop denial-of-service attacks
– Leverage SP network-wide intelligence and single threat
management console to address network threats
• TMS does not require peacetime learning
• TMS does not require accessing multiple UIs or CLIs
• Enhanced Application Monitoring
– DNS alerting and reporting
• NetFlow V9 Flow Generation
Mitigation

• Active Mitigation of DoS Attacks
– Use BGP offramp to direct traffic to a TMS device
– Re-inject traffic using GRE tunnels
• Attack Counter-Measures (In Processing Order)
– Global exception list
– Per mitigation filters
– Zombie removal
– TCP SYN authentication
– DNS authentication
– Baseline enforcement
Mitigation (2)

• Global exception list
– Global set of FCAP rules to explicitly pass/drop traffic
independently of any specific mitigation
• Per mitigation filters
– Set of FCAP rules specific to each mitigation for explicitly
dropping or passing traffic
– A mitigation is defined by a prefix/netmask
• Zombie removal
– Detect hosts that are sending traffic at a higher than specified
rate
– When rate is exceeded all traffic from the host is dropped until it
falls below the threshold.
– Rates are per mitigation
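The first three counter-measures in the deck's processing order (global exception list, per-mitigation filters, zombie removal) can be shown as one packet-processing chain. The block below is an added example written for this page, not Arbor's TMS code: the rule structure stands in for FCAP (whose syntax the deck does not show), a mitigation is keyed by its protected prefix as the slide says, and the packets, thresholds and window length are constructed.

```python
"""Global exception list -> per-mitigation filters -> zombie removal, in the
order the Mitigation slides give. Added example, not Arbor code; the Rule
class is a stand-in for FCAP and all packets/thresholds are constructed."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    ts: float          # seconds


@dataclass
class Rule:
    """Explicit pass/drop rule; unset fields match anything (FCAP stand-in)."""
    action: str                      # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Pkt) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Mitigation:
    """A mitigation is defined by the prefix/netmask it protects; its filters
    and its zombie-removal rate apply only to traffic toward that prefix."""
    prefix: str
    filters: list = field(default_factory=list)
    zombie_pps: float = 100.0        # assumed per-source packets/second threshold
    window: float = 1.0              # assumed sliding window in seconds
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def covers(self, p: Pkt) -> bool:
        return ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.prefix, strict=False)

    def zombie(self, p: Pkt) -> bool:
        """True while the source's rate over the window exceeds the threshold;
        all of its traffic is dropped until it falls back below."""
        hist = self._seen[p.src]
        hist.append(p.ts)
        while hist and hist[0] < p.ts - self.window:
            hist.popleft()
        return len(hist) / self.window > self.zombie_pps


def first_verdict(rules, p: Pkt):
    for r in rules:
        if r.matches(p):
            return r.action
    return None


def process(p: Pkt, global_exceptions, mitigations):
    """Return (verdict, stage) for one packet. Global exceptions are consulted
    before, and independently of, any mitigation."""
    v = first_verdict(global_exceptions, p)
    if v:
        return v, "global-exception"
    for m in mitigations:
        if not m.covers(p):
            continue
        v = first_verdict(m.filters, p)
        if v:
            return v, "per-mitigation-filter"
        if m.zombie(p):
            return "drop", "zombie-removal"
        # SYN/DNS authentication and baseline enforcement would run next.
        return "pass", "later-stages"
    return "pass", "no-mitigation"
```

Because the zombie window is kept per mitigation (inside `Mitigation._seen`), a source that is hammering one protected prefix is not penalised on traffic to another, which matches the slide's "rates are per mitigation".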
Mitigation (3)

• TCP SYN authentication
– Used to block SYN flooding attacks by detecting spoofed connection
attempts
– Set globally
– For new connection attempts, TMS issues a SYN-ACK with a magic
value
– If the host completes the handshake, TMS knows the host is valid and
puts it into a white list for a specified period
– Established connection is reset
• DNS authentication
– Used to block DNS request floods from spoofed hosts
– When TMS sees a new DNS request from a host it will drop the request
– If the host re-transmits the request we mark the host as valid and let the
request through
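Both authentication steps on the Mitigation (3) slide rely on the same idea: a spoofed source never sees the reply, so only a real host can complete the handshake or retransmit the query. The block below is an added example written for this page, not Arbor's implementation. It assumes the SYN-ACK "magic value" is an HMAC over the connection 4-tuple (the deck does not say how TMS derives it), a fixed whitelist lifetime, and that a DNS retransmit is recognised by the same source, query ID and name; packets are constructed.

```python
"""TCP SYN authentication and DNS authentication as on the Mitigation (3)
slide. Added example, not Arbor code. Cookie derivation, whitelist TTL and
the retransmit key are assumptions."""
import hashlib
import hmac
import time

SECRET = b"rotate-me-per-device"   # assumed per-device secret for the magic value
WHITELIST_TTL = 300.0              # assumed seconds a validated host stays whitelisted


def syn_cookie(src, sport, dst, dport):
    """32-bit magic value carried as the sequence number of our SYN-ACK."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynAuth:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.whitelist = {}        # src ip -> expiry time

    def handle(self, pkt):
        """pkt: dict with src, sport, dst, dport, flags and (for ACKs) ack.
        Returns (action, reply) where reply is a packet TMS sends itself."""
        t = self.now()
        exp = self.whitelist.get(pkt["src"])
        if exp is not None and exp > t:
            return "pass", None
        if pkt["flags"] == "SYN":
            # Answer on behalf of the protected host; nothing is forwarded yet.
            seq = syn_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            return "drop", {"flags": "SYN-ACK", "seq": seq}
        if pkt["flags"] == "ACK":
            expected = (syn_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) + 1) & 0xFFFFFFFF
            if pkt.get("ack") == expected:
                # Handshake completed against our magic value: source is not spoofed.
                self.whitelist[pkt["src"]] = t + WHITELIST_TTL
                # The connection we authenticated is reset; the client's reconnect is passed.
                return "drop", {"flags": "RST"}
        return "drop", None


class DnsAuth:
    """Drop the first request from a host; a retransmit of the same request
    proves the source address is real, after which the host is passed."""

    def __init__(self):
        self.pending = set()        # (src, qid, qname) seen once (unbounded here; expire in practice)
        self.valid = set()

    def handle(self, src, qid, qname):
        if src in self.valid:
            return "pass"
        key = (src, qid, qname)
        if key in self.pending:
            self.valid.add(src)
            self.pending.discard(key)
            return "pass"
        self.pending.add(key)
        return "drop"


if __name__ == "__main__":
    sa = SynAuth()
    syn = {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "flags": "SYN"}
    print(sa.handle(syn))
    da = DnsAuth()
    print(da.handle("10.0.0.1", 0x1234, "example.com"), da.handle("10.0.0.1", 0x1234, "example.com"))
```

The cost of both techniques is one extra round trip for every genuine client's first contact (and a reset connection for TCP), which is why the slide lists them after the cheaper exception-list, filter and zombie stages.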
Mitigation (4)

• Baseline enforcement
– Use yesterday’s traffic patterns as indicator of good
traffic
• Historical traffic rates for top 200 /24 sources of traffic
• Per protocol rates
– If traffic deviates substantially from the historic rates,
then TMS limits the offending traffic
– Baselines are per mitigation
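Baseline enforcement, as the Mitigation (4) slide describes it, is a comparison of today's per-/24-source and per-protocol rates against yesterday's, scoped to one mitigation's prefix. The block below is an added example written for this page, not Arbor's code; the top-N size follows the slide, while the deviation factor, the floor used for sources outside the top N, and the traffic samples are constructed assumptions.

```python
"""Baseline enforcement: yesterday's per-/24 and per-protocol rates bound
today's traffic toward a mitigation's prefix. Added example, not Arbor code.
Deviation factor, floor and samples are assumptions; TOP_N is from the deck."""
import ipaddress
from collections import Counter

TOP_N = 200              # deck: historical rates kept for the top 200 /24 sources
DEVIATION = 3.0          # assumed: traffic above 3x the historical rate is limited
FLOOR = 10_000           # assumed: bytes/interval allowed to sources not in the baseline


def slash24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def _rates(flows, prefix):
    """Bytes per /24 source and per protocol for flows toward `prefix`.
    flows: iterable of (src_ip, dst_ip, proto, bytes) over one interval."""
    net = ipaddress.ip_network(prefix, strict=False)
    per_net, per_proto = Counter(), Counter()
    for src, dst, proto, nbytes in flows:
        if ipaddress.ip_address(dst) not in net:
            continue                      # baselines are per mitigation
        per_net[slash24(src)] += nbytes
        per_proto[proto] += nbytes
    return per_net, per_proto


def build_baseline(yesterday, prefix):
    """Yesterday's traffic as the indicator of good traffic for one mitigation."""
    per_net, per_proto = _rates(yesterday, prefix)
    return {"prefix": prefix,
            "net": dict(per_net.most_common(TOP_N)),
            "proto": dict(per_proto)}


def enforce(baseline, today):
    """Return {key: (observed, allowed)} for each /24 source or protocol whose
    rate today deviates substantially (> DEVIATION x) from the baseline."""
    per_net, per_proto = _rates(today, baseline["prefix"])
    limited = {}
    for net, observed in per_net.items():
        allowed = DEVIATION * baseline["net"].get(net, FLOOR)
        if observed > allowed:
            limited[net] = (observed, allowed)
    for proto, observed in per_proto.items():
        allowed = DEVIATION * baseline["proto"].get(proto, FLOOR)
        if observed > allowed:
            limited[proto] = (observed, allowed)
    return limited


# Constructed samples: (src_ip, dst_ip, proto, bytes) for one interval each.
YESTERDAY = [
    ("10.1.1.5",   "192.0.2.1",    "tcp", 50000),
    ("10.1.1.9",   "192.0.2.1",    "udp", 20000),
    ("10.2.2.2",   "192.0.2.4",    "tcp", 30000),
    ("172.16.0.1", "198.51.100.1", "tcp", 999999),   # other prefix, ignored
]
TODAY = [
    ("10.1.1.5", "192.0.2.1", "tcp", 100000),
    ("10.2.2.2", "192.0.2.4", "tcp", 200000),
    ("10.3.3.3", "192.0.2.9", "udp", 50000),         # not in yesterday's top list
]

if __name__ == "__main__":
    print(enforce(build_baseline(YESTERDAY, "192.0.2.0/24"), TODAY))
```

A source that was not among yesterday's top 200 gets only the floor, so a fresh botnet /24 is limited as soon as it exceeds a small multiple of it, while a long-standing heavy talker keeps its historical allowance.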
DNS Tracking

• New feature to monitor DNS request streams
• Deployed on a SPAN port or off a link tap at the
data center
• Monitors DNS requests and generates alerts
when request rates deviate from baseline
DNS Queries

• Track the top requested registered domain names over time
• Track the top requested fully qualified domain names over time
• Drilldown on the hosts making the most requests
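The DNS Tracking and DNS Queries slides describe one monitor: parse the request stream from a SPAN or tap, keep top-N tables of registered domains, FQDNs and requesting hosts, and alert when the request rate leaves its baseline. The block below is an added example written for this page, not Arbor's DNS tracking feature. The log line format and the sample lines are constructed, and registered-domain extraction takes the last two labels, an assumption that is wrong for multi-label public suffixes such as co.uk (use the Public Suffix List in practice).

```python
"""DNS request-stream tracking: top registered domains, top FQDNs, top
requesting hosts, per-host drilldown and a rate-deviation alert.
Added example, not Arbor code; log format and samples are constructed."""
import re
from collections import Counter

# Constructed format: "<epoch-seconds> <src-ip> <qtype> <qname>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")

SAMPLE_LOG = """\
1000 10.0.0.5 A www.example.com.
1000 10.0.0.5 A mail.example.com.
1001 10.0.0.7 AAAA www.example.com.
1001 10.0.0.9 A cdn.example.net.
1002 10.0.0.5 A www.example.org.
1002 10.0.0.5 A www.example.com.
1003 10.0.0.8 MX example.net.
"""


def parse(log):
    """Parse log lines into dicts; malformed lines are skipped."""
    recs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = int(d["ts"])
        d["qname"] = d["qname"].rstrip(".").lower()
        recs.append(d)
    return recs


def registered_domain(fqdn):
    """Last two labels. Assumption: no multi-label public suffixes in the data."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def top_registered(recs, n=5):
    return Counter(registered_domain(r["qname"]) for r in recs).most_common(n)


def top_fqdn(recs, n=5):
    return Counter(r["qname"] for r in recs).most_common(n)


def top_hosts(recs, n=5):
    return Counter(r["src"] for r in recs).most_common(n)


def drilldown(recs, src):
    """What one heavy requester is asking for."""
    return Counter(r["qname"] for r in recs if r["src"] == src).most_common()


def rate_alert(recs, baseline_qps, factor=2.0):
    """(timestamp, count) for each one-second bucket whose request count
    exceeds factor x the baseline rate."""
    per_sec = Counter(r["ts"] for r in recs)
    return sorted((ts, n) for ts, n in per_sec.items() if n > factor * baseline_qps)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(top_registered(recs), top_fqdn(recs), top_hosts(recs))
    print(drilldown(recs, top_hosts(recs, 1)[0][0]))
    print(rate_alert(recs, baseline_qps=1.0, factor=1.5))
```

The drilldown is the piece that turns an alert into an action: once the rate alarm fires, the top-host table names the sources and `drilldown` shows whether they are querying one victim name (a reflection or random-subdomain flood) or many.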
Questions or Comments

John Hicks
Indiana University
TransPAC2
[email protected]