
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning

The networks of financial services firms experience a wide range of network threats, from BGP route hijacks to DDoS attacks and DNS cache poisoning. Yet many firms do not have in-depth, real-time monitoring and alerting for these threats. ThousandEyes helps security and network operations teams to gain in-depth DNS, network and BGP visibility of security events as they're happening.

Reviewing real-life examples from the financial services industry, we share how to:

  • Visualize key network services such as BGP and DNS
  • Create alerts based on security threats
  • Troubleshoot and take action during situations such as BGP hijacks, DDoS attacks and DNS cache poisoning.

Watch the recorded webinar with live demo here: https://www.thousandeyes.com/resources/network-security-webinar

Published in: Technology

  1. Monitoring for Network Security: BGP Hijacks, DDoS Attacks & DNS Cache Poisoning. Nick Kephart, Sr. Director of Product Marketing.
  2. About ThousandEyes. Founded by network experts; strong investor backing. Relied on for critical operations by leading enterprises: 24 of the Fortune 500, 4 of the top 5 SaaS companies, 4 of the top 6 US banks, 3 of the Fortune 5. Recognized as an innovative new approach. ThousandEyes delivers network intelligence into every network.
  3. Three Network Security Threats.
     • BGP Hijack: routes incoming or outgoing traffic to the wrong network.
     • DNS Poisoning: spoofs DNS mappings to reroute traffic to a malicious endpoint.
     • DDoS: saturates network links, hardware or servers to deny service.
  4. A Primer on BGP Hijacks. Diagram of autonomous systems and border routers: AS 14340 (Salesforce), AS 2914 (NTT), AS 7018 (AT&T), AS 3356 (Level3) and AS 4761 (Indosat), with the traffic path marked. Salesforce advertises routes among BGP peers to upstream ISPs; Salesforce.com advertises prefix 96.43.144.0/22. AT&T receives route advertisements to Salesforce via Level3 and NTT.
  5. A Primer on BGP Hijacks (continued). Indosat (AS 4761) also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes. AT&T now directs Salesforce-destined traffic to Indosat.
  6. Cloud-Based DDoS Mitigation. Diagram of YourBank.com, the Internet, the enterprise and a scrubbing center, with the locations Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney. Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers, and ‘real’ traffic is routed back to your network.
  7. DNS Cache Poisoning. Diagram: user, local DNS cache, authoritative DNS server (dns.website.com / www.website.com), attacker, and attacker DNS server (dns.attack.com / www.attack.com). The local DNS server is unsecured: no DNSSEC, no port randomization.
     1. Attacker inserts a false record into the DNS cache.
     2. User requests DNS record for www.website.com.
     3. Looks up record on spoofed name server.
     4. User accesses spoofed URL.
  8. ThousandEyes Helps Monitor Network Security.
     • BGP Hijack: view global path changes and reachability; alert on origin AS, next-hop AS, more-specific prefix.
     • DNS Poisoning: view DNS records from global points; DNSSEC validation; alert on DNS availability, resolution time, mapping.
     • DDoS: monitor global performance; ensure mitigation is effective; share data with ISPs and mitigation vendors.
  9. How ThousandEyes Works. Diagram: Enterprise Agents in the branch and data center, a Cloud Agent, Route Monitors, DNS provider, DNS server, consumers and the Internet. (1) DNS records and availability; (2) BGP hijacks / leaks; (3) DDoS mitigation performance.
  10. Demo.
  11. BGP Hijack: Normal Routes. Screenshot callouts: PayPal / Akamai prefix; Akamai AS; Comcast upstream.
  12. BGP Hijack: Routes Advertised from Indosat. Callouts: PayPal / Akamai prefix; correct AS; hijacked AS; locations with completely hijacked routes.
  13. BGP Hijack: PCCW Has No Routes to PayPal. Callout: only connected to Indosat.
  14. BGP Hijack: Causing All Traffic to Drop. Callout: traffic transiting PCCW has no routes.
  15. DDoS Attack: Mitigation Handoff Using BGP. Callouts: new autonomous system (VeriSign); prior autonomous system (HSBC); withdrawn routes; new routes; prefixes automatically identified.
  16. DDoS Attack: Drop in Global Availability. Callouts: global availability issues; problems at TCP connection and HTTP receive phases.
  17. DDoS Attack: Increased Packet Loss & Latency. Callouts: loss, latency and jitter.
  18. DDoS Attack: Congested Nodes in ISPs. Callouts: packet loss in upstream ISPs; bank website under attack; high packet loss from all testing points.
  19. DDoS Attack: Mitigation Effectiveness. Callouts: select networks; quickly select interesting data points.
  20. DDoS Attack: Mitigation Handoff Using BGP (slide 15 repeated). Callouts: new autonomous system (VeriSign); prior autonomous system (HSBC); withdrawn routes; new routes; prefixes automatically identified.
  21. DNS Hijack: Craigslist’s Records Compromised. Callouts: spoofed mapping; vantage points with spoofed record; prevalence of spoofed mapping over time.
  22. DNS Hijack: Networks with Records to Flush. Callouts: breakdown available by country and network; number of vantage points with spoofed records.
  23. See what you’re missing. Watch the webinar: www.thousandeyes.com/resources/network-security-webinar
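The route-monitor logic behind slides 4, 5, 8 and 15, as an added worked example that is not ThousandEyes code: it classifies BGP updates seen by a monitor against the expected origin and upstream ASes, flags an origin change, an unexpected next hop or a more-specific announcement, and recognises the withdrawn/new routes of a planned mitigation handoff. The Salesforce prefix and the NTT, Level3, AT&T and Indosat ASNs come from slide 4; the AT&T-side updates are constructed, and the bank prefix 203.0.113.0/24 and ASNs 64496/64497 standing in for HSBC and VeriSign are hypothetical documentation-range values.

```python
"""Route-monitor alerting for the conditions named on the slides: origin AS
change, next-hop AS change, a more-specific prefix, and the withdrawn/new
routes of a planned DDoS mitigation handoff.

Added worked example, not ThousandEyes code. All route updates are
constructed sample data; the bank prefix and the ASNs standing in for
HSBC and VeriSign are hypothetical values from the documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class RouteUpdate:
    monitor: str                # route monitor (vantage point) that saw the update
    prefix: str                 # announced or withdrawn prefix
    as_path: Tuple[int, ...]    # AS path as seen by the monitor; the origin AS is last
    withdrawn: bool = False


@dataclass(frozen=True)
class MonitoredPrefix:
    prefix: str
    expected_origins: FrozenSet[int]     # ASNs allowed to originate the prefix
    expected_next_hops: FrozenSet[int]   # upstreams expected directly above the origin
    mitigation_origins: FrozenSet[int] = frozenset()  # scrubbing provider ASNs


def classify_update(cfg: MonitoredPrefix, upd: RouteUpdate) -> Optional[Tuple[str, str]]:
    """Return (kind, message) when an update deserves attention, else None.

    kind is 'withdrawn', 'handoff', 'more_specific', 'origin' or 'next_hop'.
    """
    monitored = ip_network(cfg.prefix)
    seen = ip_network(upd.prefix)
    if not seen.subnet_of(monitored):
        return None                                  # unrelated prefix
    if upd.withdrawn:
        return ("withdrawn", f"{upd.monitor}: route to {upd.prefix} withdrawn")

    # Collapse AS-path prepending (e.g. ... 14340 14340) so the real next hop is compared
    path = list(upd.as_path)
    while len(path) >= 2 and path[-1] == path[-2]:
        path.pop()
    origin = path[-1]
    next_hop = path[-2] if len(path) >= 2 else None

    if origin in cfg.mitigation_origins:
        # Expected during a handoff: the scrubbing provider now originates the prefix
        return ("handoff", f"{upd.monitor}: {upd.prefix} now originated by AS{origin} (mitigation provider)")
    if seen.prefixlen > monitored.prefixlen:
        return ("more_specific", f"{upd.monitor}: more-specific {upd.prefix} inside {cfg.prefix} originated by AS{origin}")
    if origin not in cfg.expected_origins:
        return ("origin", f"{upd.monitor}: {upd.prefix} originated by AS{origin}, expected {sorted(cfg.expected_origins)}")
    if next_hop is not None and next_hop not in cfg.expected_next_hops:
        return ("next_hop", f"{upd.monitor}: {upd.prefix} reached via unexpected next hop AS{next_hop}")
    return None


def run_monitor(cfg: MonitoredPrefix, updates: List[RouteUpdate]) -> List[Tuple[str, str]]:
    """Classify every update and keep only those that produced a finding."""
    return [hit for hit in (classify_update(cfg, u) for u in updates) if hit is not None]


# Slide 4/5 scenario: Salesforce prefix, normally reached via NTT or Level3.
SALESFORCE = MonitoredPrefix("96.43.144.0/22", frozenset({14340}), frozenset({2914, 3356}))

# Constructed: what a route monitor inside AT&T (AS 7018) might see over time.
HIJACK_UPDATES = [
    RouteUpdate("att-monitor", "96.43.144.0/22", (7018, 3356, 14340)),          # normal, via Level3
    RouteUpdate("att-monitor", "96.43.144.0/22", (7018, 2914, 14340, 14340)),   # normal, via NTT, prepended
    RouteUpdate("att-monitor", "96.43.144.0/22", (7018, 4761)),                 # Indosat originates the prefix
    RouteUpdate("att-monitor", "96.43.144.0/23", (7018, 2914, 4761)),           # Indosat leaks a more-specific
    RouteUpdate("att-monitor", "198.51.100.0/24", (7018, 3356, 64496)),         # unrelated prefix, ignored
]

# Slide 15 scenario with placeholders: bank AS 64496, scrubbing provider AS 64497 (both hypothetical).
BANK = MonitoredPrefix("203.0.113.0/24", frozenset({64496}), frozenset({2914, 3356}),
                       mitigation_origins=frozenset({64497}))
HANDOFF_UPDATES = [
    RouteUpdate("ntt-monitor", "203.0.113.0/24", (2914, 64496)),                  # bank originates normally
    RouteUpdate("ntt-monitor", "203.0.113.0/24", (2914, 64496), withdrawn=True),  # bank withdraws the route
    RouteUpdate("ntt-monitor", "203.0.113.0/24", (2914, 3356, 64497)),            # provider announces it
]

if __name__ == "__main__":
    for kind, msg in run_monitor(SALESFORCE, HIJACK_UPDATES) + run_monitor(BANK, HANDOFF_UPDATES):
        print(f"[{kind}] {msg}")
```

The mitigation check runs before the more-specific check on purpose: scrubbing providers commonly announce more-specifics of the protected prefix during a handoff, and those should surface as the expected "handoff" finding rather than as a hijack. Next-hop comparison uses the AS adjacent to the origin after collapsing prepending, so a legitimately prepended path is not reported.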
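Slides 16 to 19 read availability and path metrics off screenshots. The example below, added here and not ThousandEyes code, shows the arithmetic behind those views on constructed data: availability as the share of vantage points whose HTTP test fully succeeded, the request phase where failures cluster (TCP connection, HTTP receive), and loss, latency and jitter aggregated per upstream ISP so congested networks stand out. Agent names, ISP labels and measurements are constructed; jitter is approximated as the standard deviation of the measured round-trip times.

```python
"""Read multi-vantage-point test results the way the DDoS demo slides do:
global availability, the request phase where failures cluster, and loss,
latency and jitter per upstream ISP.

Added worked example, not ThousandEyes code. Agents, ISPs and measurements
are constructed sample data; jitter is approximated as RTT standard deviation.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

PHASES = ("dns", "tcp_connect", "ssl", "http_receive")   # order of an HTTP test's phases


@dataclass(frozen=True)
class HttpResult:
    agent: str
    failed_phase: Optional[str]     # None when the whole HTTP test succeeded


@dataclass(frozen=True)
class PathResult:
    agent: str
    upstream_isp: str               # ISP whose nodes the path trace crossed
    loss_pct: float
    rtts_ms: Tuple[float, ...]      # per-probe round-trip times


def availability_pct(results: List[HttpResult]) -> float:
    """Share of vantage points whose HTTP test fully succeeded."""
    ok = sum(1 for r in results if r.failed_phase is None)
    return round(100.0 * ok / len(results), 1)


def failure_by_phase(results: List[HttpResult]) -> Dict[str, int]:
    """How many vantage points failed at each request phase."""
    counts = Counter(r.failed_phase for r in results if r.failed_phase is not None)
    return {phase: counts.get(phase, 0) for phase in PHASES}


def dominant_failure_phase(results: List[HttpResult]) -> Optional[str]:
    """Phase with the most failures, or None when every test succeeded."""
    by_phase = failure_by_phase(results)
    worst = max(by_phase, key=by_phase.get)
    return worst if by_phase[worst] > 0 else None


def per_upstream_metrics(paths: List[PathResult]) -> Dict[str, Dict[str, float]]:
    """Aggregate loss, latency and jitter for each upstream ISP seen in path traces."""
    grouped: Dict[str, List[PathResult]] = defaultdict(list)
    for p in paths:
        grouped[p.upstream_isp].append(p)
    metrics: Dict[str, Dict[str, float]] = {}
    for isp, group in grouped.items():
        rtts = [rtt for p in group for rtt in p.rtts_ms]
        metrics[isp] = {
            "loss_pct": round(mean([p.loss_pct for p in group]), 1),
            "latency_ms": round(mean(rtts), 1),
            "jitter_ms": round(pstdev(rtts), 1),   # approximation: RTT standard deviation
        }
    return metrics


def congested_upstreams(paths: List[PathResult], loss_threshold_pct: float = 10.0) -> List[str]:
    """ISPs whose average loss is at or above the threshold: candidate congested nodes."""
    return sorted(isp for isp, m in per_upstream_metrics(paths).items()
                  if m["loss_pct"] >= loss_threshold_pct)


# Constructed sample: six agents testing one bank site during an attack.
HTTP_RESULTS = [
    HttpResult("chicago", None),
    HttpResult("atlanta", None),
    HttpResult("london", "tcp_connect"),
    HttpResult("portland", "tcp_connect"),
    HttpResult("sydney", "tcp_connect"),
    HttpResult("tokyo", "http_receive"),
]
PATH_RESULTS = [
    PathResult("london", "upstream-a", 40.0, (100.0, 120.0)),
    PathResult("portland", "upstream-a", 35.0, (140.0, 160.0)),
    PathResult("chicago", "upstream-b", 2.0, (20.0, 20.0)),
    PathResult("atlanta", "upstream-b", 1.0, (30.0, 30.0)),
]

if __name__ == "__main__":
    print("availability %:", availability_pct(HTTP_RESULTS))
    print("failures by phase:", failure_by_phase(HTTP_RESULTS))
    print("dominant phase:", dominant_failure_phase(HTTP_RESULTS))
    print("per upstream:", per_upstream_metrics(PATH_RESULTS))
    print("congested:", congested_upstreams(PATH_RESULTS))
```

Attributing failures to a phase is what separates a saturated link (timeouts at TCP connection) from an overloaded server (connection succeeds, HTTP receive fails), and grouping loss by upstream ISP is the data you would hand to that ISP or the mitigation vendor, as slide 8 suggests.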
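For the DNS cache poisoning primer on slide 7 and the demo views on slides 21 and 22, an added example (not ThousandEyes code) that compares the A records returned at many vantage points with the expected mapping, computes the prevalence of the spoofed mapping per test round, and ranks networks or countries by the number of vantage points still returning the poisoned record. The hostname, addresses, agents, networks and timeline are constructed from documentation ranges; the records of the real incident are not on the slides.

```python
"""Detect a spoofed DNS mapping from record lookups made at many vantage
points, track its prevalence over time, and list the networks whose
resolvers still hold the poisoned record and need a cache flush.

Added worked example, not ThousandEyes code. The hostname, addresses
(documentation ranges), agents, networks and timeline are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

EXPECTED_HOST = "www.example.com"                       # constructed target hostname
EXPECTED_A = frozenset({"192.0.2.10", "192.0.2.11"})    # constructed legitimate answers
SPOOFED_IP = "198.51.100.66"                            # constructed attacker-controlled address


@dataclass(frozen=True)
class DnsObservation:
    minute: int              # minutes since the test round started
    agent: str               # vantage point
    country: str
    network: str             # network (ASN label) of the resolver the agent used
    answers: FrozenSet[str]  # A records returned for EXPECTED_HOST


def spoofed_answers(obs: DnsObservation, expected: FrozenSet[str] = EXPECTED_A) -> FrozenSet[str]:
    """Addresses in the answer that are not legitimate; empty means the mapping is clean.

    An empty answer (no record at all) is an availability problem, not a spoof,
    so it also yields an empty set here.
    """
    return obs.answers - expected


def prevalence_over_time(observations: List[DnsObservation]) -> Dict[int, float]:
    """Percentage of vantage points returning a spoofed mapping, per test round."""
    rounds: Dict[int, List[DnsObservation]] = defaultdict(list)
    for obs in observations:
        rounds[obs.minute].append(obs)
    return {minute: round(100.0 * sum(1 for o in group if spoofed_answers(o)) / len(group), 1)
            for minute, group in sorted(rounds.items())}


def records_to_flush(observations: List[DnsObservation], key: str = "network") -> List[Tuple[str, int]]:
    """Networks (key='network') or countries (key='country') ranked by how many distinct
    vantage points still see the spoofed record in the most recent round."""
    latest = max(o.minute for o in observations)
    affected: Dict[str, Set[str]] = defaultdict(set)
    for o in observations:
        if o.minute == latest and spoofed_answers(o):
            affected[getattr(o, key)].add(o.agent)
    return sorted(((k, len(v)) for k, v in affected.items()), key=lambda kv: (-kv[1], kv[0]))


def make_observation(minute: int, agent: str, country: str, network: str, spoofed: bool) -> DnsObservation:
    """Constructed observation: either the legitimate answers or the attacker's address."""
    answers = frozenset({SPOOFED_IP}) if spoofed else EXPECTED_A
    return DnsObservation(minute, agent, country, network, answers)


# Constructed timeline: six agents, three test rounds, poisoning spreading between rounds.
AGENTS = [("a1", "US", "AS64496"), ("a2", "US", "AS64496"), ("a3", "GB", "AS64497"),
          ("a4", "DE", "AS64498"), ("a5", "JP", "AS64499"), ("a6", "JP", "AS64499")]
POISONED_AT = {10: {"a1", "a3"}, 20: {"a1", "a2", "a5"}}   # agents seeing the spoof per round
OBSERVATIONS = [make_observation(m, a, c, n, a in POISONED_AT.get(m, set()))
                for m in (0, 10, 20) for a, c, n in AGENTS]

if __name__ == "__main__":
    print("prevalence % by round:", prevalence_over_time(OBSERVATIONS))
    print("networks to flush:", records_to_flush(OBSERVATIONS))
    print("countries affected:", records_to_flush(OBSERVATIONS, key="country"))
```

Comparing against an allow-list of legitimate addresses rather than looking for one known bad address is deliberate: it catches any poisoned mapping, not just the one already identified, and an answer mixing legitimate and foreign addresses is still reported. The flush list is built from the latest round only, so networks whose resolvers have already expired the bad record drop off it.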
