Over 91% of malware uses DNS (per the Cisco 2016 Annual Cybersecurity Report). Nearly all cryptominers use DNS-based C&C (per the Cisco 2016 Annual Cybersecurity Report).
RPZ allows a recursive server to control the behavior of responses to queries: the administrator overlays custom information on top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone and can be loaded from a file or retrieved over the network by AXFR/IXFR. It works like a firewall in the cloud. DNS RPZ will block DNS resolution; machines connecting to the C&C via IP add
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, mn-LAB
info@mn-lab.net
Zero Day Malware Detection/Prevention Using Open Source Software (MyNOG)
Zero Day Malware Detection/Prevention Using Open Source Software – Proof of Concept
Fathi Kamil Mohad Zainuddin
Senior Analyst (Malware Research Centre, MyCERT)
This presentation covers routing security at Internet scale in detail, with a focus on IRR. It talks about how IRRs work, the challenges in IRR-based filtering, and some of the tools which can be used. It also touches on RPKI as well as developments in IRR-RPKI integration in the next version of the IRR daemon.
Application Visibility and Experience through Flexible NetFlow (Cisco DevNet)
The world of applications is changing rapidly in the enterprise: applications are increasingly hosted in the cloud, apps are diverse in nature, and they are consumed by many devices. Organizations and network administrators increasingly need to focus on "Fast IT" and "Innovation in the Enterprise", which means spending less time on daily operations, maintenance and troubleshooting and more time on delivering business value with newer services. Cisco AVC with its NBAR2 technology is designed to detect applications and measure application performance by measuring round trip time, retransmission rates, jitter, delay, packet loss, MOS, URL statistics, etc. Those details are transmitted using Flexible NetFlow/IPFIX, so partners can leverage the data for application usage reporting, performance reporting and troubleshooting application issues to deliver the best possible application experience.
Watch the DevNet 2047 replay from the Cisco Live On-Demand Library at: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=92664&backBtn=true
Check out more and register for Cisco DevNet: http://ow.ly/jCNV3030OfS
Actual Condition Survey of Malware Download Sites for A Long Period (APNIC)
Actual Condition Survey of Malware Download Sites for A Long Period, by Yasuyuki Tanaka.
A presentation given at APRICOT 2016’s Network Security session on 24 February 2016.
NetFlow Auditor Anomaly Detection Plus Forensics, February 2010 (NetFlowAuditor)
NetFlow Auditor software uses NetFlow and sFlow to detect anomalies and analyze full network traffic forensics. The objective of our software is to provide easy-to-use, full-featured anomaly detection and analysis of flows to quickly identify who is doing what, where, when, with whom and for how long on a network, and to provide alerts, scheduled reports, SNMP traps and/or filter lists. It allows organizations to quickly identify and alert on network anomalies to help resolve performance problems and manage network security and compliance across business services and applications, dramatically reducing the risk of potential downtime.
NetFlow Monitoring for Cyber Threat Defense (Cisco Canada)
Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html
Network Security and Visibility through NetFlow (Lancope, Inc.)
With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data.
Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response.
Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover:
- An overview of NetFlow, what it is, how it works, and how it benefits security
- Design, deployment, and operational best practices for NetFlow security monitoring
- How to best utilize NetFlow and identity services for security telemetry
- How to investigate and identify threats using statistical analysis of NetFlow telemetry
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ... (SolarWinds)
Network bandwidth usage is one of the biggest contributors to your network performance. By taking advantage of the flow technology that is built into most routers and switches, you can quickly identify bottlenecks and troubleshoot bandwidth related problems. Join our SolarWinds Head Geek, Don Jacob and Sales Engineer David Byrd as they discuss and share the tips and tricks to get the most out of your network bandwidth.
Philippines Cybersecurity Conference 2021: The role of CERTs (APNIC)
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security (EdgeUno)
The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed by most major content providers (including Google and Facebook) and many Internet Service Providers (ISPs). While the ultimate goal of IPv6 is virtually the same as that of IPv4 (moving packets across the Internet), the underlying mechanisms and technical details are significantly different, typically resulting in unexpected security and privacy implications. In this presentation, Fernando will cover the state of the art in everything ranging from IPv6 pentesting, to security controls and operational mitigations for IPv6 attacks, thus providing valuable information to red, blue, and purple teams.
Aspects of IPv6 Security
• Hacker tools and a few attack scenarios
• 3 recommendations
• a) Is IPv6 more secure than IPv4?
• b) Is IPv6 less secure than IPv4?
• c) Who is to blame for everything?
• d) How does integrating IPv6 into my organization affect its IT security?
There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.
While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.
Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC
After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
Peter Rounds, Senior Network Engineer, Syracuse University
Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.
4. IPv6 Security - Workshop with Live Demo - Marco Senn, Fortinet (Digicomp Academy AG)
Break-ins, viruses and Trojans do not stop at IPv6 either. As market leader in Unified Threat Management (UTM), Fortinet develops comprehensive security solutions to combat such threats, for IPv4 and IPv6 networks. This workshop-oriented talk shows the need for comprehensive security solutions when migrating to IPv6.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I... (APNIC)
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E... (APNIC)
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024 (APNIC)
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op... (APNIC)
Geoff Huston, Chief Scientist at APNIC, delivered a keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119 (APNIC)
Paul Wilson, Director General of APNIC, delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119 (APNIC)
Tom Harrison, Product and Delivery Manager at APNIC, presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
Benefits of doing Internet peering and running an Internet Exchange (IX) pres... (APNIC)
Che-Hoo Cheng, Senior Director, Development at APNIC, presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024.
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85 (APNIC)
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Multi-cluster Kubernetes Networking: Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
2. Goals For Today
• Fundamental IPv6 security considerations
• Knowing the right questions to ask
• Admitting that practical IPv6 malware detection and mitigation needs work
• Learning how DNS can be utilized to help with IPv6 malware detection
3. Does Operations Understand IPv6?
• It *is* similar to IPv4… but NOT [Training is Important!!]
• IPv4 and IPv6 interface addressing nuances
• Which IPv6 address is used to source traffic?
• When is the IPv4 address used vs the IPv6 address for a dual-stacked host?
• Where are special transition addresses used?
• More IPv6 nuances
• Every mobile device is a /64
• Extension headers
• Path MTU Discovery
• Fragmentation
4. Fundamental Security Principles
• Authentication
• Who (or What) are you?
• Authorization
• What are you allowed to access or do?
• Integrity
• Has data been altered?
• Confidentiality
• Can only authorized eyeballs see data?
• Availability
• Do I have access to data I need?
5. Fundamental Privacy Principles
• Concern for how data is:
• Collected
• Analyzed
• Used
• Protected
• Potential for increased surveillance and tracking
How is privacy changing in the world of social media and information gluttony?
6. Best Practices & Operational Realities
draft-ietf-opsec-v6-09
• Addressing Recommendations
• Extension Header Issues
• Link Layer Security (ND/RA)
• Control Plane Security
• Routing Security
• Logging/Monitoring
• Legacy vs New Coexistence Technologies
• Added Considerations
7. Can You Listen to the Network using IPv4 / IPv6?
• Sources (data collection points)
• Protocols to use for data collection
• Tools used to collect data
[Diagram: conference network and NOC; collection protocols shown: Syslog, TFTP, AAA, DNS, SNMP, NetFlow]
8. Growing Trends in DDoS (IPv4)
• DDoS attacks use spoofed IP addresses of legitimate users
• Combining spoofed addresses with legitimate protocol use makes mitigation extremely difficult: what do you block and where?
• Recent trends have been utilizing DNS as attack vector since it is a fundamentally used Internet technology
• Utilize resources of large hosting providers for added attack bandwidth
• Many other Internet protocols also susceptible
• Mobile networks and IoT: NEEDS ATTENTION
• Latest DDoS attack on Brian Krebs: 600+ Gbps!!!
• Mirai malware exploits default weak credentials (Telnet!!)
11. Smurf attack
[Diagram: Attacker, two Routers, Victim, with steps 1 to 3 as below]
1. Attacker sends ICMP Echo request packets to a remote network directed broadcast address using spoofed IP source addresses.
2. Router that connects this remote network sends packet onto the local network.
3. All hosts that receive this ICMP Echo request packet send a reply to the spoofed IP source address and overwhelm spoofed victim.
12. IPv6 ICMP Considerations
Type | Description | Justification
2 | Packet too big | For correct operation of PMTUD
4 | Parameter problem | Cannot process packet because cannot identify a field in a header or the packet itself
130-132 | Multicast listener | Routing device must accept these messages to participate in multicast routing
133 | Router solicitation | Needed for IPv6 autoconfiguration
134 | Router advertisement | Needed for IPv6 autoconfiguration
135 | Neighbor solicitation | Duplicate address detection and Layer 2 (MAC)-to-IPv6 address resolution
136 | Neighbor advertisement | Duplicate address detection and Layer 2 (MAC)-to-IPv6 address resolution
13. Help Mitigate DDoS: Ingress/Egress Filters
Deploy anti-spoofing filters as close to the potential source as possible.
[Diagram: Home Customer and SMB Customer connected to the ISP; EGRESS filtering on the customer side, INGRESS filtering on the ISP side]
EGRESS filter (applied outbound; the traffic-filter name must match the access-list name):
  ipv6 access-list extended DSL-ipv6-Outbound
   permit ipv6 2001:DB8:AA65::/48 any
   deny ipv6 any any log
  interface atm 0/0
   ipv6 traffic-filter DSL-ipv6-Outbound out
INGRESS filter (applied inbound):
  ipv6 access-list extended DSL-ipv6-Inbound
   permit ipv6 2001:DB8:AA65::/48 any
   deny ipv6 any any log
  interface atm 0/0
   ipv6 traffic-filter DSL-ipv6-Inbound in
INGRESS route filtering (accept only the customer's netblock from the BGP neighbor):
  router bgp <AS#>
   neighbor <IP> remote-as <AS#>
   neighbor <IP> prefix-list customer in
  ip prefix-list customer permit <netblock>
  ip prefix-list customer deny <everything else>
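As an added example (not the presentation's own material), the Python below applies the slide's permit/deny decision to constructed IPv6 flow records and classifies every denied source, so that the entries a `deny ipv6 any any log` line would produce can be sorted into configuration errors (link-local or ULA leaks) versus spoofing candidates. The flow records and addresses are constructed; only the 2001:DB8:AA65::/48 prefix comes from the slide.

```python
"""Evaluate IPv6 source addresses against the slide's egress/ingress policy.

Added example, not from the presentation. It mirrors the access list on the
slide (permit sources inside 2001:DB8:AA65::/48, deny and log everything else)
against constructed flow records and classifies the denied sources so an
operator can separate misconfiguration from likely spoofing.
"""
import ipaddress

CUSTOMER_PREFIX = ipaddress.IPv6Network("2001:DB8:AA65::/48")  # from the slide
ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")                  # RFC 4193 unique local

# Constructed flow records: (source address, destination address, packets).
FLOWS = [
    ("2001:db8:aa65:1::10", "2001:db8:ffff::53", 120),      # legitimate customer source
    ("2001:db8:aa65:22::7", "2001:db8:ffff::80", 40),       # legitimate customer source
    ("fe80::1c2b:3d4e:5f60:7182", "2001:db8:ffff::53", 3),  # link-local leaked off-link
    ("fd12:3456:789a::1", "2001:db8:ffff::53", 9),          # ULA, likely NAT/config error
    ("::", "2001:db8:ffff::53", 1),                         # unspecified source
    ("2001:db8:dead::1", "2001:db8:ffff::80", 5000),        # outside prefix: spoofing candidate
]


def classify_source(src):
    """Label a source address the way an operator would when reading deny logs."""
    addr = ipaddress.IPv6Address(src)
    if addr in CUSTOMER_PREFIX:
        return "permit"
    if addr.is_unspecified:
        return "deny:unspecified"
    if addr.is_link_local:
        return "deny:link-local"            # should never cross a router
    if addr in ULA_PREFIX:
        return "deny:ula"                   # private addressing escaping the site
    if addr.is_multicast:
        return "deny:multicast-source"
    return "deny:foreign-global"            # global address not ours: spoofed or misrouted


def apply_egress_filter(flows):
    """Return (permitted flows, denied flows annotated with their classification).

    This makes the same decision per flow that the slide's access list makes
    per packet; the denied list corresponds to what `deny ... log` would log.
    """
    permitted, denied = [], []
    for src, dst, pkts in flows:
        verdict = classify_source(src)
        if verdict == "permit":
            permitted.append((src, dst, pkts))
        else:
            denied.append((src, dst, pkts, verdict))
    return permitted, denied


def spoofing_candidates(denied, min_packets=100):
    """High-volume foreign global sources deserve a spoofing investigation;
    low-volume ULA or link-local leaks usually point at a configuration error."""
    return [d for d in denied if d[3] == "deny:foreign-global" and d[2] >= min_packets]


if __name__ == "__main__":
    ok, dropped = apply_egress_filter(FLOWS)
    print(f"permitted {len(ok)} flows, denied {len(dropped)} flows")
    for src, dst, pkts, why in dropped:
        print(f"  LOG deny {src} -> {dst} ({pkts} pkts): {why}")
    print("spoofing candidates:", spoofing_candidates(dropped))
```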
15. Using DNS to detect IPv6 Malware
[Figure: DNS scale statistics of 278 million, 10+ billion and 100+ million, labelled current domain names, ccTLD domains and current hostnames]
Questions That Can Be Answered Using Passive DNS
- Where did this domain name point to in the past?
- What domain names are hosted by a given nameserver?
- What domain names point into a given IP network?
- What subdomains exist below a certain domain name?
- What new names are hosted in ccTLDs?
18. Find Associated Domains [IPv4]:
• Almost all malicious domains utilize A records, although these could be legitimate
• Many AAAA records associated with legitimate domains
TODAY'S TREND
20. Further Investigation…
• Correlate domains seen in IPv4 and in IPv6
• IPv4 and IPv4-mapped addresses both associated with > 10,000 domains
• Not all domains are the same as seen in IPv4 and IPv6
• Investigate the same domains seen in IPv4 and IPv6
• Investigate domains seen separately from IPv4 vs IPv6 address
• Might be a legitimate hosting company
Passive DNS can be used to correlate IPv4 and IPv6 related information
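As an added example that is not part of the presentation, the Python below correlates constructed passive DNS A and AAAA observations the way slides 18 and 20 describe: names seen in IPv4 only, IPv6 only or both, AAAA records that are really IPv4-mapped addresses, and names that share hosting with a given domain. All names and addresses are constructed test data.

```python
"""Correlate passive DNS A and AAAA observations across IPv4 and IPv6.

Added example, not from the presentation. The passive DNS records below are
constructed for illustration; the domain names and addresses are fictitious.
"""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations: (owner name, RR type, RDATA).
PDNS_RECORDS = [
    ("cdn.example.net", "A", "198.51.100.10"),
    ("cdn.example.net", "AAAA", "2001:db8:10::10"),
    ("mail.example.org", "A", "203.0.113.25"),
    ("mail.example.org", "AAAA", "::ffff:203.0.113.25"),  # IPv4-mapped AAAA
    ("drop.example.com", "A", "203.0.113.77"),            # IPv4 only
    ("v6only.example.com", "AAAA", "2001:db8:bad::1"),    # IPv6 only
    ("shop.example.net", "A", "198.51.100.10"),           # shares IPv4 with cdn
    ("shop.example.net", "AAAA", "2001:db8:10::10"),      # shares IPv6 with cdn
]


def classify_rdata(rrtype, rdata):
    """Return (family, address, mapped_ipv4_or_None) for an A or AAAA record.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are IPv6 on the wire but point
    at IPv4 infrastructure, so the underlying IPv4 address is reported too.
    """
    if rrtype == "A":
        return ("v4", ipaddress.IPv4Address(rdata), None)
    if rrtype == "AAAA":
        addr = ipaddress.IPv6Address(rdata)
        return ("v6", addr, addr.ipv4_mapped)
    raise ValueError(f"unsupported RR type {rrtype}")


def correlate(records):
    """Build the IPv4/IPv6 correlation views used for the investigation."""
    v4_domains, v6_domains = set(), set()
    domains_by_addr = defaultdict(set)      # address -> owner names
    mapped_aaaa = {}                        # owner name -> underlying IPv4
    for name, rrtype, rdata in records:
        family, addr, mapped = classify_rdata(rrtype, rdata)
        domains_by_addr[addr].add(name)
        if family == "v4":
            v4_domains.add(name)
        else:
            v6_domains.add(name)
            if mapped is not None:
                mapped_aaaa[name] = mapped
                # Index under the IPv4 address too, so A and mapped AAAA line up.
                domains_by_addr[mapped].add(name)
    return {
        "both": v4_domains & v6_domains,
        "v4_only": v4_domains - v6_domains,
        "v6_only": v6_domains - v4_domains,
        "ipv4_mapped_aaaa": mapped_aaaa,
        "domains_by_addr": domains_by_addr,
    }


def cohosted_with(results, name):
    """Other names sharing any address with `name` (possible shared hosting)."""
    peers = set()
    for names in results["domains_by_addr"].values():
        if name in names:
            peers |= names
    peers.discard(name)
    return peers


if __name__ == "__main__":
    res = correlate(PDNS_RECORDS)
    print("seen in both IPv4 and IPv6:", sorted(res["both"]))
    print("IPv4 only:", sorted(res["v4_only"]))
    print("IPv6 only:", sorted(res["v6_only"]))
    print("AAAA that are IPv4-mapped:",
          {k: str(v) for k, v in res["ipv4_mapped_aaaa"].items()})
    print("co-hosted with cdn.example.net:",
          sorted(cohosted_with(res, "cdn.example.net")))
```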
21. Operational Observations
• Some IPv6 attacks known but not discussed
• Ongoing SMTP over IPv6 discussions where lack of reputation information blocks legitimate traffic that would not be blocked on IPv4
• Many folks turn off SMTP use over IPv6 as response
• https://www.maawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf
• Many IPv6 invalid source addresses observed
• https://ripe67.ripe.net/presentations/288-Jen_RIPE67.pdf
• How would you tell configuration error from deliberate spoofing?
22. How to Mitigate Most Threats?
• Secure end-host (a router or switch is an end-host)
• Turn off unused services
• Change all default credentials [use 2FA]
• Use cryptographically protected protocols for management
• Limit access to network
• Filter (packet filter vs uRPF vs route filter)
• Ingress AND Egress filtering necessary
• Authenticate
• Device vs User
• Credential management lifecycle
• Use multi-factor authentication
• Audit network traffic
• netflow-v9
• Wireshark (yes, periodically look at what is ON THE WIRE)
23. Trust But Verify….
• Understand what monitoring capability is for IPv4 and/or IPv6 traffic and know how the traffic patterns can be correlated
• Test dual-stack and transition technology behavior to know when DNS replies utilize A and/or AAAA records
• Tools for incident response improving for IPv6 but there is still more improvement needed
• Not all management functionality can utilize IPv6 transport
• Some networks being built for IPv6 only and are motivating vendors
• Correlation is important!!