Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning

The networks of financial services firms experience a wide range of network threats, from BGP route hijacks to DDoS attacks and DNS cache poisoning. Yet many firms do not have in-depth, real-time monitoring and alerting for these threats. ThousandEyes helps security and network operations teams to gain in-depth DNS, network and BGP visibility of security events as they're happening.

Reviewing real-life examples from the financial services industry, we share how to:

  • Visualize key network services such as BGP and DNS
  • Create alerts based on security threats
  • Troubleshoot and take action during situations such as BGP hijacks, DDoS attacks and DNS cache poisoning

Watch the recorded webinar with live demo here: https://www.thousandeyes.com/resources/network-security-webinar


  1. Monitoring for Network Security: BGP Hijacks, DDoS Attacks & DNS Cache Poisoning. Nick Kephart, Sr. Director of Product Marketing
  2. About ThousandEyes. Founded by network experts; strong investor backing. Relied on for critical operations by leading enterprises. Recognized as an innovative new approach. ThousandEyes delivers network intelligence into every network. Customers: 24 Fortune 500, 4 of the top 5 SaaS companies, 4 of the top 6 US banks, 3 of the Fortune 5.
  3. Three Network Security Threats
     • BGP Hijack: routes incoming or outgoing traffic to the wrong network
     • DNS Poisoning: spoofs DNS mappings to reroute traffic to a malicious endpoint
     • DDoS: saturates network links, hardware or servers to deny service
  4. A Primer on BGP Hijacks (diagram: AS 14340 Salesforce, AS 2914 NTT, AS 3356 Level3, AS 7018 AT&T, AS 4761 Indosat; border routers, autonomous systems, traffic path). Salesforce advertises routes among BGP peers to upstream ISPs: Salesforce.com advertises prefix 96.43.144.0/22, and AT&T receives route advertisements to Salesforce via Level3 and NTT.
  5. A Primer on BGP Hijacks (continued). Indosat also advertises prefix 96.43.144.0/22, 'hijacking' Salesforce's routes. AT&T now directs Salesforce-destined traffic to Indosat.
  6. Cloud-Based DDoS Mitigation (diagram: YourBank.com enterprise network, Internet, scrubbing center; vantage points in Chicago, IL, Portland, OR, Atlanta, London, Tokyo and Sydney). Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and 'real' traffic is routed back to your network.
  7. DNS Cache Poisoning (diagram: user, local DNS cache, authoritative DNS server dns.website.com for www.website.com, attacker DNS server dns.attack.com for www.attack.com)
     1. Attacker inserts a false record into the DNS cache (unsecured DNS server: no DNSSEC, no port randomization)
     2. User requests DNS record for www.website.com
     3. Looks up record on spoofed name server
     4. User accesses spoofed URL
  8. ThousandEyes Helps Monitor Network Security
     • BGP Hijack: view global path changes, reachability; alert on Origin AS, Next Hop AS, more specific prefix
     • DNS Poisoning: view DNS record from global points; DNSSEC validation; alert on DNS availability, resolution time, mapping
     • DDoS: monitor global performance; ensure mitigation is effective; share data with ISPs and mitigation vendors
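As an added example (not ThousandEyes code or data), the three BGP alert conditions from slide 8 applied to the slide 4 and 5 scenario: a small route-monitor check that flags an unexpected origin AS, an unexpected next-hop AS and a more-specific prefix. The monitor names, the observations and AS 64496 are constructed; the prefix and the other ASNs are the ones on the slides.

```python
import ipaddress
from dataclasses import dataclass
# Policy from the deck's BGP primer: Salesforce (AS 14340) originates
# 96.43.144.0/22 and is reached through Level3 (AS 3356) and NTT (AS 2914).
POLICY = {
    ipaddress.ip_network("96.43.144.0/22"): {"origin": {14340}, "upstreams": {3356, 2914}},
}

@dataclass(frozen=True)
class Observation:
    """One route as seen by a route monitor; as_path runs monitor -> origin."""
    monitor: str
    prefix: str
    as_path: tuple

def check_observation(obs, policy=POLICY):
    """Return (condition, detail) alerts for the three 'alert on' conditions:
    Origin AS, Next Hop AS (the AS adjacent to the origin), more specific prefix."""
    seen = ipaddress.ip_network(obs.prefix)
    alerts = []
    for prefix, rule in policy.items():
        if seen.version != prefix.version or not seen.subnet_of(prefix):
            continue  # neither the monitored prefix nor a sub-prefix of it
        origin = obs.as_path[-1]
        upstream = obs.as_path[-2] if len(obs.as_path) > 1 else None
        if seen != prefix:
            alerts.append(("more_specific", f"{obs.monitor}: {seen} inside {prefix}, origin AS {origin}"))
        if origin not in rule["origin"]:
            alerts.append(("origin", f"{obs.monitor}: AS {origin} originates {seen}, expected {sorted(rule['origin'])}"))
        elif upstream is not None and upstream not in rule["upstreams"]:
            alerts.append(("next_hop", f"{obs.monitor}: AS {upstream} next to origin, expected {sorted(rule['upstreams'])}"))
    return alerts

def hijacked_monitors(observations, policy=POLICY):
    """Monitors whose route has a non-policy origin (the demo's 'locations with hijacked routes')."""
    return sorted({o.monitor for o in observations
                   if any(kind == "origin" for kind, _ in check_observation(o, policy))})

# Constructed observations, not real route-monitor data. The Indosat path
# reproduces slide 5; AS 64496 (documentation range) stands in for a third party.
OBSERVATIONS = [
    Observation("att-chicago", "96.43.144.0/22", (7018, 3356, 14340)),  # normal, via Level3
    Observation("att-atlanta", "96.43.144.0/22", (7018, 4761)),         # slide 5: Indosat origin
    Observation("ntt-tokyo", "96.43.145.0/24", (2914, 64496)),          # more specific, wrong origin
    Observation("ntt-london", "96.43.144.0/22", (2914, 64496, 14340)),  # right origin, odd upstream
    Observation("ntt-sydney", "198.51.100.0/24", (2914, 64496)),        # unrelated prefix, ignored
]

if __name__ == "__main__":  # print every alert raised by the sample observations
    print(*(d for o in OBSERVATIONS for _, d in check_observation(o)), sep="\n")
```

The next-hop check only runs when the origin is legitimate, so a hijacked route raises one origin alert rather than two overlapping ones.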
  9. How ThousandEyes Works (diagram: enterprise agents in branch and data center, cloud agents, route monitors, DNS provider, DNS server, consumers, Internet)
     1. DNS records and availability
     2. BGP hijacks / leaks
     3. DDoS mitigation performance
  10. Demo
  11. BGP Hijack: Normal Routes. Callouts: PayPal / Akamai prefix; Akamai AS; Comcast upstream.
  12. BGP Hijack: Routes Advertised from Indosat. Callouts: PayPal / Akamai prefix; correct AS; hijacked AS; locations with completely hijacked routes.
  13. BGP Hijack: PCCW Has No Routes to PayPal. Callout: only connected to Indosat.
  14. BGP Hijack: Causing All Traffic to Drop. Callout: traffic transiting PCCW has no routes.
  15. DDoS Attack: Mitigation Handoff Using BGP. Callouts: new Autonomous System (VeriSign); prior Autonomous System (HSBC); withdrawn routes; new routes; prefixes automatically identified.
  16. DDoS Attack: Drop in Global Availability. Callouts: global availability issues; problems at TCP connection and HTTP receive phases.
  17. DDoS Attack: Increased Packet Loss & Latency. Callout: loss, latency and jitter.
  18. DDoS Attack: Congested Nodes in ISPs. Callouts: packet loss in upstream ISPs; bank website under attack; high packet loss from all testing points.
  19. DDoS Attack: Mitigation Effectiveness. Callouts: select networks; quickly select interesting data points.
  20. DDoS Attack: Mitigation Handoff Using BGP. Callouts: new Autonomous System (VeriSign); prior Autonomous System (HSBC); withdrawn routes; new routes; prefixes automatically identified.
  21. DNS Hijack: Craigslist's Records Compromised. Callouts: spoofed mapping; vantage points with spoofed record; prevalence of spoofed mapping over time.
  22. DNS Hijack: Networks with Records to Flush. Callouts: breakdown available by country and network; number of vantage points with spoofed records.
  23. See what you're missing. Watch the webinar: www.thousandeyes.com/resources/network-security-webinar