
FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks


The network is a key component in application delivery and is often a direct or indirect target of security attacks
such as DDoS and BGP hijacking. Mitigation strategies often involve using a third party cloud service without any
visibility into whether the mitigation is working well. Using real-life examples, we will show how one can measure
the user perceived impact of an ongoing attack, as well as identify which aspects of the mitigation are not working
as desired. With this detailed availability and performance data at the various layers, financial firms can learn how
to better manage ongoing attacks.

Published in: Technology

  1. Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks. Mohit Lad, CEO, ThousandEyes
  2. About ThousandEyes
     • What We Do: network performance management designed for today’s dynamic and complex networks. Used by 4 of the world’s top banks. Founded in 2010 with an HQ in San Francisco, CA and a London office. Recognized by Gartner and EMA.
     • Our Customers’ Stories: reduced time to troubleshoot globally load balanced infrastructure; solved a multi-week support issue due to an ISP cable cut in Asia; improved customer experience during the Brazil World Cup.
  3. Today’s Cyber Threat Landscape
     • Increasing size, frequency and severity of attacks
     • Exposure via external vendors (DNS, CDN, ISPs)
     • Greater complexity of corporate networks
     • Increasing importance of network for business operations
  4. More Networks Connected to the Internet (chart: Global Routing Table Growth; source: CIDR Report)
  5. More Devices Connected to the Internet (chart: Unique IP Addresses Observed, in millions, IPv4 and IPv6, 2007 through 2014; source: Akamai State of the Internet Reports, Q2 2010-14; Akamai blog)
  6. Size of DDoS Attacks Increasing 50% YoY (source: Verizon Data Breach Report 2014)
  7. Major DDoS Attacks in 2014 (chart: Attack Volume Rising, Q4 2012 through Q2 2014; source: Akamai State of the Internet Q2 2014)
     • February: Bitstamp
     • April: UltraDNS
     • August: PlayStation Network, Blizzard
  8. Three Network Security Threats We’ll Cover: BGP Hijacks, DDoS Attacks, DNS Poisoning
  9. BGP Hijacks
  10. A Primer on BGP Hijacks (diagram: AS 14340 Salesforce, AS 2914 NTT, AS 7018 AT&T, AS 3356 Level3, AS 4761 Indosat)
     • Salesforce’s border router advertises its prefix to its upstream ISPs, which advertise the route among their BGP peers
     • AT&T receives route advertisements to Salesforce via Level3 and NTT, and traffic to Salesforce follows that path
  11. A Primer on BGP Hijacks (continued)
     • Indosat (AS 4761) also advertises the Salesforce prefix, ‘hijacking’ Salesforce’s routes
     • AT&T now directs Salesforce-destined traffic to Indosat
  12. BGP Hijack: Normal Routes to PayPal (screenshot: PayPal / Akamai prefix originated by the Akamai autonomous system, with Comcast as upstream)
  13. BGP Hijack: Routes Advertised from Indosat (screenshot: PayPal / Akamai prefix; correct autonomous system versus hijacked autonomous system; locations with completely hijacked routes)
  14. BGP Hijack: PCCW Has No Routes to PayPal (the PCCW network is only connected to Indosat, not to Akamai / PayPal)
  15. BGP Hijack: Causing All Traffic to Drop (traffic transiting PCCW has no routes and terminates)
  16. DDoS Attacks
  17. Network Topology of a DDoS Attack (diagram: attackers in Sydney, Portland, OR, London, Chicago, IL, Tokyo and Atlanta flood your web service from around the world, across the Internet, into the enterprise)
  18. DDoS Mitigation Strategy 1: On-Premises (diagram: on-premises DDoS mitigation appliance between the Internet and the enterprise). An appliance at the network edge monitors and mitigates application-layer attacks.
  19. DDoS Mitigation Strategy 2: ISP Collaboration (diagram: ISP 1, ISP 2, remote-triggered black hole, enterprise). Attack traffic is routed by ISPs to a remote-triggered black hole.
  20. DDoS Mitigation Strategy 3: Cloud-Based (diagram: scrubbing center between the Internet and the enterprise). Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network.
  21. Why Monitor DDoS Attacks: Global Availability, Mitigation Deployment, Mitigation Performance, Vendor Collaboration
  22. DDoS Attack: Drop in Global Availability (screenshot: global availability issues; availability dip to 0%; problems at TCP connection and HTTP receive phases)
  23. DDoS Attack: Increased Packet Loss and Latency (screenshot: loss, latency and jitter; loss during height of attack)
  24. DDoS Attack: Congested Nodes in Upstream ISPs (screenshot: HSBC bank website under attack; high packet loss from all testing points; nodes with >25% packet loss; packet loss in upstream ISPs Verizon and AT&T)
  25. DDoS Attack: Mitigation Effectiveness (screenshot: Verisign DDoS mitigation networks in yellow)
  26. DDoS Attack: Mitigation Handoff Using BGP (screenshot: HSBC prefix; withdrawn routes from the prior autonomous system (HSBC); new routes from the new autonomous system (VeriSign))
  27. DNS Cache Poisoning
  28. DNS Cache Poisoning (diagram: user, local DNS cache, attacker DNS server, authoritative DNS server). The attacker inserts a false record into the cache of an unsecured DNS server (no DNSSEC, no port randomization).
     1. Attacker inserts a false record into the DNS cache
     2. User requests a DNS record
     3. Looks up record on spoofed name server
     4. User accesses spoofed URL
  29. Blocking Facebook in China (screenshot: DNS availability in China <10%)
  30. Redirecting Facebook to Alternate IP Addresses (screenshot: the IP addresses Facebook is typically routed to, except in China)
  31. Key Capabilities to Monitor Network Security
     • Get global visibility: understand network topology and dependencies; focus on critical network services
     • Alert on routing to your network: reachability to your address blocks; path changes and more specific prefixes upstream
     • Track efficacy of external services: DNS, CDN and hosting providers; DDoS mitigation vendors and ISPs
     • Implement DNSSEC: prevent cache poisoning on your resolvers; monitor for poisoning of your records on other networks
  32. It’s time to see the entire picture.
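The route checks behind the "alert on routing to your network" capability on slide 31, covering the hijack cases of slides 10 to 15 (wrong origin AS, a more-specific prefix, and a network with no route at all) and the mitigation handoff of slide 26, as an added example that is not ThousandEyes code. The `Announcement` type, the `check_routes` and `handoff_complete` functions, the vantage-point names, the prefix (RFC 5737 range) and all ASNs (RFC 5398 documentation range) are constructed for this example.

```python
# Added example (not from the ThousandEyes deck): origin, more-specific and
# reachability checks over BGP routes observed from several vantage points.
# All ASNs, the prefix and the vantage-point names are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One BGP route for a prefix as observed from a monitoring vantage point."""
    vantage: str     # vantage-point name (constructed)
    prefix: str      # announced prefix in CIDR notation
    as_path: tuple   # AS path as seen from the vantage; last element is the origin AS


def check_routes(monitored_prefix, expected_origins, vantages, announcements):
    """Return alert tuples (vantage, prefix, reason, origin_as).

    expected_origins is the set of ASNs allowed to originate the block. During
    a BGP mitigation handoff the scrubbing vendor's ASN is added to it, so the
    legitimate re-origination does not raise an origin-mismatch alert.
    """
    net = ipaddress.ip_network(monitored_prefix)
    alerts = []
    vantages_with_route = set()
    for a in announcements:
        seen = ipaddress.ip_network(a.prefix)
        if not seen.subnet_of(net):
            continue                         # route for an unrelated block
        vantages_with_route.add(a.vantage)
        origin = a.as_path[-1]
        if seen.prefixlen > net.prefixlen:
            # longest-prefix match: a more specific wins whatever its origin
            alerts.append((a.vantage, a.prefix, "more-specific", origin))
        elif origin not in expected_origins:
            alerts.append((a.vantage, a.prefix, "origin-mismatch", origin))
    # slides 14-15: a network with no route to the block drops the traffic
    for v in vantages:
        if v not in vantages_with_route:
            alerts.append((v, None, "unreachable", None))
    return alerts


def handoff_complete(monitored_prefix, old_origin, new_origin, announcements):
    """True once every observed route for the exact prefix originates from the
    mitigation vendor's AS and none still originates from the prior AS."""
    net = ipaddress.ip_network(monitored_prefix)
    origins = {a.as_path[-1] for a in announcements
               if ipaddress.ip_network(a.prefix) == net}
    return origins == {new_origin} and old_origin != new_origin


# Constructed sample data.
OUR_AS, UPSTREAM_AS, PEER_AS, ROGUE_AS, SCRUBBING_AS = 64496, 64497, 64498, 64499, 64500
OUR_PREFIX = "203.0.113.0/24"
VANTAGES = ["chicago", "london", "tokyo", "sydney"]

NORMAL = [
    Announcement("chicago", OUR_PREFIX, (UPSTREAM_AS, OUR_AS)),
    Announcement("london", OUR_PREFIX, (PEER_AS, UPSTREAM_AS, OUR_AS)),
    Announcement("tokyo", OUR_PREFIX, (PEER_AS, UPSTREAM_AS, OUR_AS)),
    Announcement("sydney", OUR_PREFIX, (UPSTREAM_AS, OUR_AS)),
]

HIJACK = [
    Announcement("chicago", OUR_PREFIX, (UPSTREAM_AS, OUR_AS)),      # still correct
    Announcement("london", OUR_PREFIX, (PEER_AS, ROGUE_AS)),         # wrong origin AS
    Announcement("tokyo", "203.0.113.0/25", (PEER_AS, ROGUE_AS)),    # more specific
    # sydney observes no route at all (the slide 14 PCCW situation)
]

# Mitigation handoff: every vantage now sees the scrubbing vendor as origin.
HANDOFF = [Announcement(v, OUR_PREFIX, (UPSTREAM_AS, SCRUBBING_AS)) for v in VANTAGES]


if __name__ == "__main__":
    for name, routes in (("normal", NORMAL), ("hijack", HIJACK), ("handoff", HANDOFF)):
        print(name, check_routes(OUR_PREFIX, {OUR_AS}, VANTAGES, routes))
    print("handoff complete:", handoff_complete(OUR_PREFIX, OUR_AS, SCRUBBING_AS, HANDOFF))
```

The more-specific case is reported even when the origin looks right, because longest-prefix match sends traffic to the /25 regardless of who announces the /24; the handoff check insists on the exact prefix so that a lingering route from the prior AS at any vantage keeps the handoff marked incomplete.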
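The comparison behind slides 28 to 30 and the "monitor for poisoning of your records on other networks" bullet on slide 31, as an added example that is not ThousandEyes code: resolver answers observed from several vantage points are checked against the address ranges the authoritative zone is allowed to hand out, and availability is summarised per region. The hostname, vantage-point names, region mapping, all addresses (RFC 5737 ranges) and the `classify_answers` and `availability_by_region` functions are constructed for this example.

```python
# Added example (not from the ThousandEyes deck): detect resolver answers that
# fall outside the zone's legitimate address ranges, and compute per-region DNS
# availability. Hostname, vantages and addresses are constructed sample data.
import ipaddress
from collections import defaultdict

HOST = "www.example.com"
# Allowed answer ranges; for a CDN-fronted name this list must cover every
# range the CDN may legitimately return, or regional answers look poisoned.
ALLOWED_RANGES = ["198.51.100.0/28"]

# Constructed observations: (vantage, A records returned by the local resolver).
OBSERVED = [
    ("chicago", ["198.51.100.10", "198.51.100.11"]),
    ("london", ["198.51.100.11"]),
    ("tokyo", ["198.51.100.10"]),
    ("beijing", ["192.0.2.1"]),        # redirected to an address outside the zone's ranges
    ("shanghai", []),                  # no answer (timeout or SERVFAIL)
]

REGION_OF = {"chicago": "US", "london": "UK", "tokyo": "JP", "beijing": "CN", "shanghai": "CN"}


def classify_answers(allowed_ranges, observed):
    """Map each vantage to (status, rogue_addresses).

    status is "ok", "unavailable" (no answer) or "unexpected-answer" (at least
    one address outside allowed_ranges, the slide 30 pattern).
    """
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    results = {}
    for vantage, answers in observed:
        if not answers:
            results[vantage] = ("unavailable", frozenset())
            continue
        rogue = frozenset(a for a in answers
                          if not any(ipaddress.ip_address(a) in n for n in nets))
        results[vantage] = ("unexpected-answer", rogue) if rogue else ("ok", frozenset())
    return results


def availability_by_region(results, region_of):
    """Fraction of vantage points per region that received a correct answer
    (the slide 29 "DNS availability in China" figure)."""
    totals, good = defaultdict(int), defaultdict(int)
    for vantage, (status, _) in results.items():
        region = region_of[vantage]
        totals[region] += 1
        good[region] += status == "ok"
    return {r: good[r] / totals[r] for r in totals}


if __name__ == "__main__":
    res = classify_answers(ALLOWED_RANGES, OBSERVED)
    for vantage, (status, rogue) in res.items():
        print(f"{vantage:9} {status:17} {sorted(rogue)}")
    print(availability_by_region(res, REGION_OF))
```

An answer outside the allowed ranges is only evidence of tampering on that resolver's network, not proof; the deck's DNSSEC bullet is what lets a validating resolver reject such a record outright, and this comparison is the monitoring that catches non-validating resolvers elsewhere serving it.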