Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks
Mohit Lad, CEO, ThousandEyes
About ThousandEyes

What We Do
• Network performance management designed for today’s dynamic and complex networks
• Used by 4 of the world’s top banks
• Founded in 2010 with an HQ in San Francisco, CA and a London office
• Recognized by Gartner and EMA

Our Customers’ Stories
• Reduced time to troubleshoot globally load balanced infrastructure
• Solved multi-week support issue due to an ISP cable cut in Asia
• Improved customer experience during the Brazil World Cup
Today’s Cyber Threat Landscape
• Increasing size, frequency and severity of attacks
• Exposure via external vendors (DNS, CDN, ISPs)
• Greater complexity of corporate networks
• Increasing importance of network for business operations
More Networks Connected to the Internet
[Chart: Global Routing Table Growth. Source: CIDR Report]
More Devices Connected to the Internet
[Chart: Unique IP Addresses Observed, in millions (0 to 1,600), 2007 to 2014, split into IPv4 and IPv6. Source: Akamai State of the Internet Reports, Q2 2010-14; Akamai blog]
Size of DDoS Attacks Increasing 50% YoY
Source: Verizon Data Breach Report 2014
Major DDoS Attacks in 2014
[Chart: Attack Volume Rising, Q4 2012 to Q2 2014 (scale 0 to 400). Source: Akamai State of the Internet Q2 2014]
Major Attacks in 2014
• February: Bitstamp
• April: UltraDNS
• August: PlayStation Network, Blizzard
Three Network Security Threats We’ll Cover
• BGP Hijacks
• DDoS Attacks
• DNS Poisoning

BGP Hijacks
A Primer on BGP Hijacks
[Diagram: autonomous systems Salesforce (AS 14340), NTT (AS 2914), AT&T (AS 7018), Level3 (AS 3356) and Indosat (AS 4761), their border routers, and the traffic path]
• Salesforce advertises routes among BGP peers to upstream ISPs
• Salesforce.com advertises prefix 96.43.144.0/22
• AT&T receives route advertisements to Salesforce via Level3 and NTT
A Primer on BGP Hijacks (continued)
[Diagram: the same autonomous systems, with the traffic path from AT&T now ending at Indosat]
• Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes
• AT&T now directs Salesforce-destined traffic to Indosat
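The hijack in the primer above, turned into a routing check as an added example (this is not ThousandEyes code): it classifies constructed BGP announcements against an expected-origin table for 96.43.144.0/22, flagging the same prefix originated by a foreign AS and, going one step beyond the primer, a more-specific prefix that would win longest-prefix match whoever originates it. The collector name, the documentation prefix 203.0.113.0/24 and AS 64496 are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Expected origin per prefix, from the primer: Salesforce (AS 14340) originates
# 96.43.144.0/22. A real monitor would load this from its own inventory (assumed).
EXPECTED_ORIGINS = {ipaddress.ip_network("96.43.144.0/22"): 14340}

@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # AS path as seen by the collector; origin AS is last
    collector: str  # constructed vantage-point name

def classify(ann):
    """Return (kind, detail): 'ok', 'origin-hijack' (our exact prefix from a
    foreign origin AS), 'more-specific' (a sub-prefix of ours, which wins on
    longest-prefix match whoever originates it) or 'unrelated'."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    for ours, expected_as in EXPECTED_ORIGINS.items():
        if net == ours:
            if origin == expected_as:
                return "ok", None
            return "origin-hijack", (f"{ann.prefix} originated by AS{origin}, "
                                     f"expected AS{expected_as}, at {ann.collector}")
        if net.version == ours.version and net != ours and net.subnet_of(ours):
            return "more-specific", (f"{ann.prefix} inside {ours} from AS{origin} "
                                     f"at {ann.collector}")
    return "unrelated", None

def find_hijacks(announcements):
    """Return the (kind, detail) alerts worth raising, in observation order."""
    return [(k, d) for k, d in map(classify, announcements)
            if k in ("origin-hijack", "more-specific")]

# Constructed feed: AT&T (AS 7018) first learns the legitimate route via Level3
# (AS 3356) and NTT (AS 2914), then the same prefix and a more specific one
# originated by Indosat (AS 4761); the last entry is an unrelated documentation
# prefix originated by a documentation AS number.
SAMPLE_FEED = [
    Announcement("96.43.144.0/22", (7018, 3356, 14340), "att-collector"),
    Announcement("96.43.144.0/22", (7018, 2914, 14340), "att-collector"),
    Announcement("96.43.144.0/22", (7018, 4761), "att-collector"),
    Announcement("96.43.146.0/24", (7018, 4761), "att-collector"),
    Announcement("203.0.113.0/24", (7018, 64496), "att-collector"),
]

if __name__ == "__main__":
    for kind, detail in find_hijacks(SAMPLE_FEED):
        print(f"{kind}: {detail}")
```

In a live deployment the feed would come from route collectors at several vantage points, since a hijack is often visible only from some of them, as the PayPal case on the following slides shows.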
BGP Hijack: Normal Routes to PayPal
[Diagram: PayPal / Akamai prefix, reached through the Akamai autonomous system and its Comcast upstream]
BGP Hijack: Routes Advertised from Indosat
[Diagram: PayPal / Akamai prefix, showing the correct autonomous system, the hijacked autonomous system, and locations with completely hijacked routes]
BGP Hijack: PCCW Has No Routes to PayPal
• PCCW network only connected to Indosat, not to Akamai / PayPal
BGP Hijack: Causing All Traffic to Drop
• Traffic transiting PCCW has no routes and terminates

DDoS Attacks
Network Topology of a DDoS Attack
[Diagram: attackers in Sydney, Portland OR, London, Chicago IL, Tokyo and Atlanta send traffic across the Internet to YourBank.com in the enterprise network]
• Attackers flood your web service from around the world
DDoS Mitigation Strategy 1: On-Premises
[Diagram: the same attack sources; an on-premises DDoS mitigation appliance sits between the Internet and the enterprise network]
• Appliance at network edge monitors and mitigates application-layer attacks
DDoS Mitigation Strategy 2: ISP Collaboration
[Diagram: the same attack sources; ISP 1 and ISP 2 divert attack traffic to a remote-triggered black hole before it reaches the enterprise network]
• Attack traffic is routed by ISPs to a remote-triggered black hole
DDoS Mitigation Strategy 3: Cloud-Based
[Diagram: the same attack sources; a scrubbing center in the Internet sits between the attackers and the enterprise network]
• Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network
Why Monitor DDoS Attacks
• Global availability
• Mitigation deployment
• Mitigation performance
• Vendor collaboration
DDoS Attack: Drop in Global Availability
[Screenshot: global availability issues; problems at the TCP connection and HTTP receive phases; availability dips to 0%]
DDoS Attack: Increased Packet Loss and Latency
[Screenshot: loss, latency and jitter over time; loss peaks during the height of the attack]
DDoS Attack: Congested Nodes in Upstream ISPs
[Screenshot: HSBC bank website under attack; high packet loss from all testing points; nodes with >25% packet loss in the upstream ISPs Verizon and AT&T]
DDoS Attack: Mitigation Effectiveness
[Screenshot: Verisign DDoS mitigation networks shown in yellow]
DDoS Attack: Mitigation Handoff Using BGP
[Screenshot: the HSBC prefix moves from the prior autonomous system (HSBC) to the new autonomous system (VeriSign); new routes and withdrawn routes are shown]

DNS Cache Poisoning
DNS Cache Poisoning
[Diagram: User; Local DNS Cache (unsecured DNS server: no DNSSEC, no port randomization); Attacker DNS Server dns.attack.com serving www.attack.com; Authoritative DNS Server dns.website.com serving www.website.com]
1. Attacker inserts a false record into the DNS cache
2. User requests DNS record for www.website.com
3. Looks up record on spoofed name server
4. User accesses spoofed URL
Blocking Facebook in China
• DNS availability in China <10%

Redirecting Facebook to Alternate IP Addresses
• Facebook is typically routed to 173.252.110.27, except in China
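The Facebook case above, turned into a monitoring check as an added example (this is not ThousandEyes code): it compares resolver answers collected from several vantage points against the record owner's expected address, computes per-region DNS availability and flags answers that contain an unexpected address, which is how poisoning or redirection of your records on other networks shows up. The hostname www.facebook.com, the resolver addresses and the redirected address 192.0.2.10 are assumed or constructed; only 173.252.110.27 comes from the deck.

```python
from collections import defaultdict

# Expected A records per name, maintained by the record owner (assumed). The
# address is the one the deck names for Facebook; the hostname is assumed.
EXPECTED = {"www.facebook.com": {"173.252.110.27"}}

def check_answers(name, observations):
    """observations: (region, resolver, answers) tuples, where answers is the
    set of A records a resolver returned, or None when the query failed.

    Returns (availability, anomalies): availability is the share of resolvers
    per region that returned any answer; anomalies lists resolvers whose
    answer contains an address outside the expected set (a poisoned or
    redirected record). A wrong answer still counts as 'available', which is
    why availability alone does not catch redirection."""
    answered, total = defaultdict(int), defaultdict(int)
    anomalies = []
    expected = EXPECTED[name]
    for region, resolver, answers in observations:
        total[region] += 1
        if answers is None:
            continue
        answered[region] += 1
        unexpected = set(answers) - expected
        if unexpected:
            anomalies.append((region, resolver, sorted(unexpected)))
    availability = {r: answered[r] / total[r] for r in total}
    return availability, anomalies

def regions_below(availability, threshold):
    """Regions whose DNS availability is under the threshold (e.g. 0.10)."""
    return sorted(r for r, share in availability.items() if share < threshold)

# Constructed observations using documentation address ranges: US and UK
# resolvers return the expected record; in CN eleven resolvers time out and one
# returns an unrelated address, matching the <10% availability the deck shows.
OBSERVATIONS = [
    ("US", "198.51.100.1", {"173.252.110.27"}),
    ("US", "198.51.100.2", {"173.252.110.27"}),
    ("UK", "198.51.100.3", {"173.252.110.27"}),
] + [("CN", f"203.0.113.{i}", None) for i in range(1, 12)] + [
    ("CN", "203.0.113.12", {"192.0.2.10"}),
]

if __name__ == "__main__":
    availability, anomalies = check_answers("www.facebook.com", OBSERVATIONS)
    print("low availability:", regions_below(availability, 0.10))
    for region, resolver, addrs in anomalies:
        print(f"unexpected answer from {resolver} ({region}): {addrs}")
```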
Key Capabilities to Monitor Network Security

Get global visibility
• Understand network topology and dependencies
• Focus on critical network services

Alert on routing to your network
• Reachability to your address blocks
• Path changes and more specific prefixes upstream

Track efficacy of external services
• DNS, CDN and hosting providers
• DDoS mitigation vendors and ISPs

Implement DNSSEC
• Prevent cache poisoning on your resolvers
• Monitor for poisoning of your records on other networks
It’s time to see the entire picture.

FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks
