ISP Security - Real World Techniques


Internet network monitoring technology for early detection of threats and disruptions
Alberto Rivai
[email protected]
1
About My Self
• Bachelor degree in Electrical Engineering
• Master degree from Queensland University of Tech
• 7 years experience in Security related area
• 2 years working experience in Managed Security Service Provider
• CISSP (Certified Information Systems Security Professional)
• Other vendor related certifications
2
Goal
• Provide techniques/tasks that any SP can do to improve their resistance to security issues.
• These techniques can be done on any core routing vendor’s equipment.
• Each of these techniques has proven to make a difference.
3
Current State
• ISPs are working alone to protect the infrastructure
• SPs, CERTs, and "officials" in Indonesia are not yet aware that this group exists or is preventing these attacks from happening.
• No collaboration
• Point products approach
• So how are they going to get "early warning" if they are not involved with the community doing battle with the bad guys?
4
DDoS Vulnerabilities
Multiple Threats and Targets
Attack zombies:
• Use valid protocols
• Spoof source IP
• Massively distributed
• Variety of attacks
Provider Infrastructure:
• DNS, routers, and links
Access Line
Entire Data Center:
• Servers, security devices, routers
• Ecommerce, web, DNS, email, …
5
List of things that Work
1. Prepare your NOC
2. Mitigation Communities
3. Point Protection on Every Device
4. Edge Protection
5. Remote triggered black hole filtering
6. Sink holes
7. Source address validation on all customer traffic
8. Total Visibility (Data Harvesting – Data Mining)
9. Security Event Management
6
The Executive Summary
7
SP Security in the NOC - Prepare
PREPARATION
• Prep the network
• Create tools
• Test tools
• Prep procedures
• Train team
• Practice
IDENTIFICATION
• How do you know about the attack?
• What tools can you use?
• What’s your process for communication?
CLASSIFICATION
• What kind of attack is it?
TRACEBACK
• Where is the attack coming from?
• Where and how is it affecting the network?
REACTION
• What options do you have to remedy?
• Which option is the best under the circumstances?
POST MORTEM
• What was done?
• Can anything be done to prevent it?
• How can it be less painful in the future?
8
Aggressive Collaboration
Communities shown in the diagram:
• Hijacked
• Drone-Armies
• MWP
• FUN-SEC
• NSP-SEC, NSP-SEC-JP, NSP-SEC-KR, NSP-SEC-BR, NSP-SEC-TW, NSP-SEC-D, NSP-SEC-CN
• FIRST/CERT Teams
• National Cyber Teams
• iNOC-DBA
• MyNetWatchman
• DSHIELD
• Internet Storm Center
• Telecoms ISAC
• SANS
• Other ISACs
9
Point Protection
(Diagram labels: Penetration, AAA, NOC, Remote Staff, ISP’s Backbone, Office Staff)
10
Edge Protection
(Diagram: “outside” – Core – “outside”)
• Core routers individually secured PLUS
• Infrastructure protection
• Routers generally NOT accessible from outside
11
Destination Based RTBH
(Diagram: Peer A and Peer B at IXP-W and IXP-E, Upstream A and Upstream B, core routers A–G, the Target inside a POP, and the NOC. The NOC advertises the list of black-holed prefixes via iBGP.)
12
Sink Holes
(Diagram: a Remote Triggered Sink Hole is attached at each peering router (Peer A at IXP-W, Peer B at IXP-E), at each upstream router (Upstream A, Upstream B), at the POP and at the Services Network. The Customer holds 171.68.19.0/24; the Primary DNS Servers on the Services Network are at 171.68.19.1. Garbage packets flow to the closest Sink Hole.)
13
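The two slides above (destination-based RTBH and sink holes) both rely on the same mechanism: a route injected from the NOC via iBGP overrides normal forwarding on every edge router. The following Python simulation is an added example, not code or configuration from this talk. It assumes the common RFC 5635 convention that every edge router carries a static route sending 192.0.2.1/32 to Null0, so a black-hole announcement for the target /32 with next hop 192.0.2.1 is discarded after recursive next-hop resolution; it also assumes a covering aggregate 171.68.0.0/16 and interface names (Gi0/1, Gi0/2, Tunnel-sinkhole) that are constructed for the example. The customer prefix 171.68.19.0/24 and the DNS server 171.68.19.1 come from the slide.

```python
import ipaddress

# Assumed RFC 5635 style convention: each edge router statically routes this
# address to Null0, so any BGP route whose next hop resolves to it is dropped.
DISCARD_NEXT_HOP = "192.0.2.1"


class Router:
    """Minimal longest-prefix-match forwarding table with recursive next hops."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop); next_hop is an IP string or an interface name

    def install(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, dst, max_depth=4):
        """Return the egress interface for dst, resolving IP next hops recursively."""
        target = dst
        for _ in range(max_depth):
            hit = self.lookup(target)
            if hit is None:
                return "no route"
            nh = hit[1]
            try:
                ipaddress.ip_address(nh)
            except ValueError:
                return nh  # an interface name such as Null0, Gi0/1 or Tunnel-sinkhole
            target = nh  # next hop is an IP address: look it up again
        return "unresolved"


def build_edge_routers():
    """Two ISP edge routers, each with the discard route and the customer route (interface names constructed)."""
    routers = []
    for name, customer_iface in [("edge-A", "Gi0/1"), ("edge-B", "Gi0/2")]:
        r = Router(name)
        r.install(DISCARD_NEXT_HOP + "/32", "Null0")  # static discard route present on every edge
        r.install("171.68.19.0/24", customer_iface)   # customer prefix from the slide
        routers.append(r)
    return routers


def rtbh_trigger(routers, victim):
    """NOC trigger router announces victim/32 via iBGP with the discard next hop;
    every edge router then drops traffic to the victim at its own ingress."""
    for r in routers:
        r.install(victim + "/32", DISCARD_NEXT_HOP)


def sinkhole_advertise(routers, covering_prefix, sinkhole_iface):
    """Sink hole advertises a less-specific covering prefix: traffic to addresses
    with no more-specific route (unused space, typical DDoS backscatter and scan
    garbage) flows to the closest sink hole instead of being dropped unseen."""
    for r in routers:
        r.install(covering_prefix, sinkhole_iface)


if __name__ == "__main__":
    routers = build_edge_routers()
    print("before trigger:", routers[0].forward("171.68.19.1"))   # Gi0/1
    rtbh_trigger(routers, "171.68.19.1")                           # black-hole the DNS server under attack
    print("after trigger: ", routers[0].forward("171.68.19.1"))   # Null0
    print("other host:    ", routers[0].forward("171.68.19.2"))   # Gi0/1, rest of the customer unaffected
    sinkhole_advertise(routers, "171.68.0.0/16", "Tunnel-sinkhole")
    print("dark space:    ", routers[0].forward("171.68.200.5"))  # Tunnel-sinkhole
```

The point of the /32 announcement is that only the victim address is dropped while the rest of the customer's /24 keeps working, and the sink hole's covering route never wins against the more specific customer route, so only traffic to unallocated space is pulled in for analysis.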
BCP (Best Current Practice) 38 Ingress Packet Filtering / RFC 3704
ISP’s Customer Allocation Block: 96.0.0.0/19
BCP 38 Filter = Allow only source addresses from the customer’s 96.0.X.X/24
(Diagram: customer prefixes 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24 and 96.0.21.0/24 connect through the ISP to the Internet; the BCP 38 filter is applied on the downstream aggregation and NAS routers.)
Implementation options:
• Static access list on the edge of the network
• Dynamic access list with AAA profiles
• Unicast RPF
• Cable Source Verify (MAC & IP)
• IP Source Verify (MAC & IP)
14
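To make the BCP 38 rule concrete, here is an added Python simulation (not configuration from this talk) of two of the options listed on the slide, a static per-interface access list and strict unicast RPF, applied on an aggregation router. The four customer /24s and the 96.0.0.0/19 allocation are from the slide; the interface names (Gi1/0 to Gi1/3, Gi0/0 uplink) and the sample packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "ingress_iface src dst")

CUSTOMER_ALLOCATION = ipaddress.ip_network("96.0.0.0/19")  # ISP's customer block from the slide

# Which customer prefix sits behind which aggregation-router interface
# (prefixes from the slide, interface names constructed for this example).
CUSTOMER_PREFIXES = {
    "Gi1/0": ipaddress.ip_network("96.0.18.0/24"),
    "Gi1/1": ipaddress.ip_network("96.0.19.0/24"),
    "Gi1/2": ipaddress.ip_network("96.0.20.0/24"),
    "Gi1/3": ipaddress.ip_network("96.0.21.0/24"),
}


def bcp38_static_acl(pkt):
    """Option 1: static ingress ACL. Permit a packet only if its source address lies
    inside the prefix assigned to the interface it arrived on."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_iface)
    if allowed is None:
        return "drop (unknown interface)"
    return "permit" if ipaddress.ip_address(pkt.src) in allowed else "drop (spoofed source)"


def build_fib():
    """Forwarding table of the aggregation router: one route per customer plus a
    default route toward the ISP core (uplink name constructed)."""
    fib = [(net, iface) for iface, net in CUSTOMER_PREFIXES.items()]
    fib.append((ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"))
    return fib


def urpf_strict(pkt, fib):
    """Option 2: strict unicast RPF. Look up the packet's *source* in the FIB; the best
    route must point back out the ingress interface, otherwise the packet is dropped.
    No per-customer ACL maintenance is needed because the routing table is the policy."""
    src = ipaddress.ip_address(pkt.src)
    best = None
    for net, iface in fib:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "drop (no route to source)"
    return "permit" if best[1] == pkt.ingress_iface else "drop (uRPF failed)"


# Constructed sample packets arriving from customer ports.
SAMPLE_PACKETS = [
    Packet("Gi1/1", "96.0.19.77", "203.0.113.10"),    # legitimate: source inside the port's /24
    Packet("Gi1/1", "96.0.20.5", "203.0.113.10"),     # spoofing a neighbouring customer's address
    Packet("Gi1/1", "198.51.100.9", "203.0.113.10"),  # spoofing an address outside the ISP entirely
    Packet("Gi1/3", "96.0.21.200", "203.0.113.10"),   # legitimate on a different port
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return (source, static-ACL verdict, strict-uRPF verdict) for each packet."""
    fib = build_fib()
    return [(p.src, bcp38_static_acl(p), urpf_strict(p, fib)) for p in packets]


if __name__ == "__main__":
    for src, acl, urpf in evaluate():
        print(f"{src:>14}  acl={acl:<22} urpf={urpf}")
```

Both checks reject the two spoofed packets, including the one that spoofs another customer of the same ISP, which a filter written only against the /19 allocation block would let through; that is why the slide says the filter must be per customer /24, not per allocation.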
Total Visibility
(Figure: throughput and RTT graphs, source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/. Labels: “Anomaly for DNS Queries”, “Investigate the spike” on the throughput spike, and “An identified cause of the outage” on the RTT spike.)
15
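The "investigate the spike" step on the slide presupposes that something flags the spike automatically. As an added example (not tooling from this talk), the following Python detector runs over a constructed series of per-minute DNS query counts, the kind of counter an RRDtool graph is drawn from, and raises an alert when a sample exceeds the mean of the recent clean baseline by three standard deviations. The window size, the multiplier and the minimum sigma floor are assumptions chosen for the example.

```python
import statistics

# Constructed per-minute DNS query counts at a resolver: a flat baseline of roughly
# 1000 queries/min with a three-minute spike at minutes 20-22.
SAMPLE_QUERY_COUNTS = [
    980, 1010, 1005, 990, 1020, 1000, 995, 1015, 985, 1000,
    1010, 990, 1005, 995, 1000, 1020, 980, 1010, 1000, 995,
    4800, 5100, 4700,
    1005, 990, 1000,
]


def detect_spikes(series, window=10, k=3.0, min_sigma=25.0):
    """Flag samples above baseline mean + k * sigma.

    The baseline is the last `window` samples that were NOT themselves flagged, so a
    multi-minute attack does not inflate the mean and variance and hide its own later
    minutes. `min_sigma` stops a very quiet baseline from producing a threshold so
    tight that ordinary jitter alerts. Returns (index, value, threshold) tuples.
    """
    clean = []   # recent non-anomalous samples forming the baseline
    alerts = []
    for i, value in enumerate(series):
        if len(clean) >= window:
            baseline = clean[-window:]
            mu = statistics.mean(baseline)
            sigma = max(statistics.pstdev(baseline), min_sigma)
            threshold = mu + k * sigma
            if value > threshold:
                alerts.append((i, value, round(threshold, 1)))
                continue  # do not let the attack minutes poison the baseline
        clean.append(value)
    return alerts


def spike_minutes(series, **kwargs):
    """Convenience: just the sample indices (minutes) that were flagged."""
    return [idx for idx, _, _ in detect_spikes(series, **kwargs)]


if __name__ == "__main__":
    for idx, value, threshold in detect_spikes(SAMPLE_QUERY_COUNTS):
        print(f"minute {idx:2d}: {value} queries/min exceeds threshold {threshold}")
```

Keeping flagged samples out of the baseline is the detail that matters operationally: with a naive trailing window the second and third attack minutes would be compared against a baseline already containing the first one, and the alert would go quiet exactly when the NOC needs it.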
Security Event Management
• SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
• Provides a holistic view of the networks.
16
Sasser Detection ― Dynamic Visual Snapshot
17
Summary
• We cannot provide an early warning system if we don’t cooperate with the people who are fighting the bad guys
• We can use the technology available to provide the early warning system
• Preparing the NOC is the #1 thing you need to do to prevent attacks. You cannot run around during an attack building and deploying tools and procedures. It is like the fire department going to a fire and then opening the operations manual for how to operate the fire engine.
• Last but not least, Aggressive Collaboration: work together with the rest of the world
18
Thank You
19