anti IP spoofing technique
|
|
- Collin McBride
- 7 years ago
- Views:
Transcription
1 anti IP spoofing technique MATSUZAKI maz Yoshinobu Copyright (C) 2006 Internet Initiative Japan Inc. 1
2 ip spoofing creation of IP packets with source addresses other than those assigned to that host Copyright (C) 2006 Internet Initiative Japan Inc. 2
3 Malicious uses with IP spoofing impersonation session hijack or reset hiding flooding attack reflection ip reflected attack Copyright (C) 2006 Internet Initiative Japan Inc. 3
4 src: partner dst: victim impersonation sender ip spoofed packet partner Oh, my partner sent me a packet. I ll process this. victim Copyright (C) 2006 Internet Initiative Japan Inc. 4
5 hiding sender ip spoofed packet src: random dst: victim Oops, many packets are coming. But, who is the real source? victim Copyright (C) 2006 Internet Initiative Japan Inc. 5
6 reflection sender ip spoofed packet src: victim dst: reflector reflector reply packet src: reflector dst: victim Oops, a lot of replies without any request victim Copyright (C) 2006 Internet Initiative Japan Inc. 6
7 ip reflected attacks smurf attacks icmp echo (ping) ip spoofing (reflection) directed-broadcast amplification dns amplification attacks dns query ip spoofing (reflection) DNS amplification Copyright (C) 2006 Internet Initiative Japan Inc. 7
8 amplification 1. multiple replies Sender 2. bigger reply Sender Copyright (C) 2006 Internet Initiative Japan Inc. 8
9 directed-broadcast amplification Sender icmp echo request icmp echo replies Copyright (C) 2006 Internet Initiative Japan Inc. 9
10 DNS amplification ANY?xxx.example.com Sender DNS xxx.example.com IN TXT XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX Copyright (C) 2006 Internet Initiative Japan Inc. 10
11 ip reflected attacks attacker ip spoofed packets open amplifier replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 11
12 smurf attack ip spoofed ping Attacker ICMP echo replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 12
13 dns amplification attack Attacker ip spoofed DNS queries DNS DNS DNS DNS DNS replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 13
14 relations dns amp attack DNS root-servers Command&Control stub-resolvers DNS full-resolvers DNS DNS IP spoofed DNS queries tld-servers DNS example-servers botnet victim Copyright (C) 2006 Internet Initiative Japan Inc. 14
15 solutions for ip reflected attacks attacker ip spoofed packets open amplifier prevent ip spoofing replies disable open amplifiers victim Copyright (C) 2006 Internet Initiative Japan Inc. 15
16 two solutions disable open amplifier disable directed-broadcast disable open recursive DNS server contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer only. prevent ip spoofing!! source address validation BCP38 & BCP84 Copyright (C) 2006 Internet Initiative Japan Inc. 16
17 Source Address Validation Check the source ip address of ip packets filter invalid source ip address filter close to the packets origin as possible filter precisely as possible If no networks allow ip spoofing, we can eliminate these kinds of attacks Copyright (C) 2006 Internet Initiative Japan Inc. 17
18 our assumption ISP/network administrator assign ip address for their users. dynamic or static DHCP, connectivity service Users should use these assigned ip address as their source ip address. Copyright (C) 2006 Internet Initiative Japan Inc. 18
19 close to the origin You are spoofing! RT.a srcip: You are spoofing! srcip: RT.b You are spoofing! srcip: /23 Hmm, this looks ok...but.. srcip: srcip: You are spoofing! You are spoofing! /24 srcip: Copyright (C) 2006 Internet Initiative Japan Inc. 19
20 how to configure the checking ACL packet filter permit valid-source, then drop any urpf check check incoming packets using routing table look-up the return path for the source ip address loose mode can t stop ip reflected attacks use strict mode or feasible mode Copyright (C) 2006 Internet Initiative Japan Inc. 20
21 cisco ACL example ISP Edge Router point-to-point /30 ip access-list extended fromcustmer permit ip any permit ip any deny ip any any! interface Gigabitethernet0/0 ip access-group fromcustomer in! customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 21
22 juniper ACL example point-to-point /30 ISP Edge Router customer network /24 firewall family inet { filter fromcustomer { term CUSTOMER { from source-address { /16; /30; } then accept; } term Default { then discard; } } } [edit interface ge-0/0/0 unit 0 family inet] filter { input fromcustomer; } Copyright (C) 2006 Internet Initiative Japan Inc. 22
23 cisco urpf example ISP Edge Router point-to-point /30 urpf interface Gigabitethernet0/0 ip verify unicast source reachable-via rx customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 23
24 juniper urpf example ISP Edge Router point-to-point /30 urpf [edit interface ge-0/0/0 unit 0 family inet] rpf-check; customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 24
25 multistage verification ISP Edge Router urpf customers know their network. good for precise filter Customer Edge Router urpf We can filter spoofed traffic at earliy stage. Customer Router urpf Copyright (C) 2006 Internet Initiative Japan Inc. 25
26 urpf - failures common failures unused space private space wrong address asymmetric routing failures multi-connected network transit LAN special failures private/non-routed backbone network Copyright (C) 2006 Internet Initiative Japan Inc. 26
27 unused space ISP Edge Router /16 default urpf customer network /24 dst: src: if there is no filter, these packets keep looping until ttl expired... fix the routing! add null routes on the customer router Copyright (C) 2006 Internet Initiative Japan Inc. 27
28 private space NAT didn t work ISP Edge Router urpf NAT Router home network (private address) usual case bad implementation of NAT mis-configuration router/firewall network Copyright (C) 2006 Internet Initiative Japan Inc. 28
29 wrong IP address ISP Edge Router urpf ip: mobile PC trying their old IP mis-configuration typo just spoofing customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 29
30 multi-connected network ISP A ISP B urpf urpf ip address from ISP A /24 src: ip address from ISP B /24 PBR can fix this. Copyright (C) 2006 Internet Initiative Japan Inc. 30
31 transit LAN dst: RT.2 interface src: external RT.1 RT.2 urpf urpf packets to the router interface may filter Copyright (C) 2006 Internet Initiative Japan Inc. 31
32 private/non-routed backbone ISP A backbone using private address urpf ISP B backbone hiding technique... but icmp error messages will be filtered. traceroute can t show the ISP1 s network this also breaks PMTUD Copyright (C) 2006 Internet Initiative Japan Inc. 32
33 IIJ s case discussion router capability policy problems Copyright (C) 2006 Internet Initiative Japan Inc. 33
34 internal discussion Do we need anti-spoofing in our network? We heard a rumor that attackers don t use ip spoofing anymore in these days. Answer is YES. ip spoofing is still used for attacks. dns amplification attacks preparation for new attacks using ip-spoofing Copyright (C) 2006 Internet Initiative Japan Inc. 34
35 kubo graph #1 Copyright (C) 2006 Internet Initiative Japan Inc. 35
36 kubo graph #2 Copyright (C) 2006 Internet Initiative Japan Inc. 36
37 router urpf capability #1 Cisco urpf loose/strict mode Cisco 72xx, 75xx software processing... Cisco sup2, sup720 hardware support for urpf/acl one urpf mode per box Copyright (C) 2006 Internet Initiative Japan Inc. 37
38 router urpf capability #2 Cisco 12xxx GSR depends on engine type of line card E0,E1: software processing E2: per physical interface, exclusion ACL E3: loose mode only microcode reload... Copyright (C) 2006 Internet Initiative Japan Inc. 38
39 router urpf capability #3 Juniper T/M works fine feasible means set of same length prefixes routing table prefix pref / / feasible routing table prefix / /30 non-feasible Copyright (C) 2006 Internet Initiative Japan Inc. 39
40 router urpf capability Cisco depends on box/linecard urpf strict/loose mode are supported some boxes use software processing additional 5~20% cpu load Juniper works fine need some hack to export cflowd data of discarded traffic Copyright (C) 2006 Internet Initiative Japan Inc. 40
41 our initial choice single homed user simple urpf strict mode or ACL multihomed user bgp customer(isps) enterprise (need for redundancy) urpf loose mode something is better than nothing Copyright (C) 2006 Internet Initiative Japan Inc. 41
42 IIJ s policy peer ISP upstream ISP IIJ/AS2497 customer ISP single homed static customer multi homed static customer urpf strict mode urpf loose mode Copyright (C) 2006 Internet Initiative Japan Inc. 42
43 ACL and urpf ACL deterministic statically configured maintenance of access-list urpf easy to configure care about asymmetric routing strict mode is working well only for symmetric routing loose mode can t stop the ip reflected attack there are few venders support of feasible mode Copyright (C) 2006 Internet Initiative Japan Inc. 43
44 problems urpf/acl works fine in most case. bug, device capability, performance... less confidence for urpf operations know urpf, but never use it. test it! unaware of Source Address Validation why do we need this? Copyright (C) 2006 Internet Initiative Japan Inc. 44
45 Why do we need? Source Address Validation do NOT protect your users from DoS/Attacks/Etc. directly. This reduce malicious activity. sending ip spoofed packets from your network. If no networks allow ip spoofing, we can eliminate these kinds of attacks. Copyright (C) 2006 Internet Initiative Japan Inc. 45
46 bogon traffic 1.8Mbps 150Mbps 6Kpps 36Kpps Copyright (C) 2006 Internet Initiative Japan Inc. 46
47 please consider Source Address Validation in your network Copyright (C) 2006 Internet Initiative Japan Inc. 47
48 END Copyright (C) 2006 Internet Initiative Japan Inc. 48
DNS amplification attacks
amplification attacks Matsuzaki Yoshinobu 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 1 amplification attacks Attacks using IP spoofed dns query generating a traffic overload
More informationUnicast Reverse Path Forwarding
Unicast Reverse Path Forwarding This feature module describes the Unicast Reverse Path Forwarding (RPF) feature, which helps to mitigate problems caused by malformed or forged IP source addresses passing
More informationReducing the impact of DoS attacks with MikroTik RouterOS
Reducing the impact of DoS attacks with MikroTik RouterOS Alfredo Giordano Matthew Ciantar WWW.TIKTRAIN.COM 1 About Us Alfredo Giordano MikroTik Certified Trainer and Consultant Support deployment of WISP
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationAcquia Cloud Edge Protect Powered by CloudFlare
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationTCP/IP Security Problems. History that still teaches
TCP/IP Security Problems History that still teaches 1 remote login without a password rsh and rcp were programs that allowed you to login from a remote site without a password The.rhosts file in your home
More informationSample Configuration Using the ip nat outside source static
Sample Configuration Using the ip nat outside source static Table of Contents Sample Configuration Using the ip nat outside source static Command...1 Introduction...1 Before You Begin...1 Conventions...1
More informationLab 5.2.5 Configure IOS Firewall IDS
Lab 5.2.5 Configure IOS Firewall IDS Objective Scenario Topology: Estimated Time: 15 minutes Number of Team Members: Two teams with four students per team. In this lab, the student will learn how to perform
More informationHOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
More informationLAB II: Securing The Data Path and Routing Infrastructure
LAB II: Securing The Data Path and Routing Infrastructure 8. Create Packet Filters a. Create a packet filter which will deny packets that have obviously bogus IP source addresses but permit everything
More informationDDoS attacks in CESNET2
DDoS attacks in CESNET2 Ondřej Caletka 15th March 2016 Ondřej Caletka (CESNET) DDoS attacks in CESNET2 15th March 2016 1 / 22 About CESNET association of legal entities, est. 1996 public and state universities
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationUNICAST REVERSE PATH FORWARDING ENHANCEMENTS FOR THE INTERNET SERVICE PROVIDER INTERNET SERVICE PROVIDER NETWORK EDGE
WHITE PAPER UNICAST REVERSE PATH FORWARDING ENHANCEMENTS FOR THE INTERNET SERVICE PROVIDER INTERNET SERVICE PROVIDER NETWORK EDGE HIGHLIGHTS New additions to Unicast Reverse Path Forwarding (urpf) that
More informationHow To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address
DNS Amplification Are YOU Part of the Problem? (RIPE66 Dublin, Ireland - May 13, 2013) Merike Kaeo Security Evangelist, Internet Identity merike@internetidentity.com INTRO Statistics on DNS Amplification
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationHow To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net
Using Access-groups to Block/Allow Traffic in AOS When setting up an AOS unit, it is important to control which traffic is allowed in and out. In many cases, the built-in AOS firewall is the most efficient
More informationCampus LAN at NKN Member Institutions
Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and
More informationChapter 10 Troubleshooting
Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided
More informationWen Temitim and Christopher Papandreou NANOG 58, June 2013
IPv4 Address Conservation Method for Hosting Providers Wen Temitim and Christopher Papandreou NANOG 58, June 2013 2 The Issue When allocating subnets for servers in a hosting environment, an IP is bound
More informationImplementing Secure Converged Wide Area Networks (ISCW)
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet
More informationTroubleshooting the Firewall Services Module
25 CHAPTER This chapter describes how to troubleshoot the FWSM, and includes the following sections: Testing Your Configuration, page 25-1 Reloading the FWSM, page 25-6 Performing Password Recovery, page
More informationHunting down a DDOS attack
2006-10-23 1 Hunting down a DDOS attack By Lars Axeland +46 70 5291530 lars.axeland@teliasonera.com 2006-10-23 What we have seen so far What can an operator do to achieve core security What solution can
More informationSecuring a Core Network
Securing a Core Network Manchester, 21 Sep 2004 Michael Behringer Christian Panigl Session Number Presentation_ID 325_mbehring 2001, 2003 Cisco Systems, Inc. All
More informationLab Exercise Configure the PIX Firewall and a Cisco Router
Lab Exercise Configure the PIX Firewall and a Cisco Router Scenario Having worked at Isis Network Consulting for two years now as an entry-level analyst, it has been your hope to move up the corporate
More informationSample Configuration Using the ip nat outside source list C
Sample Configuration Using the ip nat outside source list C Table of Contents Sample Configuration Using the ip nat outside source list Command...1 Introduction...1 Before You Begin...1 Conventions...1
More informationDenial of Service Attacks
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
More informationBGP route monitoring. Mar, 25, 2008 Matsuzaki maz Yoshinobu <maz@telecom-isac.jp>, <maz@iij.ad.jp>
BGP route monitoring Mar, 25, 2008 Matsuzaki maz Yoshinobu , 1 abstract BGP prefix hijack is a serious security issue in the internet, and these events have been widely
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationFederal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks
Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,
More informationDNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org
DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be
More informationTutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia
Tutorial: Options for Blackhole and Discard Routing Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia Caveats and Assumptions The views presented here are those of the authors and they do not
More information51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE
51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;
More informationSonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging
SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:
More informationGregSowell.com. Mikrotik Security
Mikrotik Security IP -> Services Disable unused services Set Available From for appropriate hosts Secure protocols are preferred (Winbox/SSH) IP -> Neighbors Disable Discovery Interfaces where not necessary.
More informationTroubleshooting the Firewall Services Module
CHAPTER 25 This chapter describes how to troubleshoot the FWSM, and includes the following sections: Testing Your Configuration, page 25-1 Reloading the FWSM, page 25-6 Performing Password Recovery, page
More informationFortiOS Handbook - Advanced Routing VERSION 5.2.2
FortiOS Handbook - Advanced Routing VERSION 5.2.2 TECHNICAL DOCUMENTATION http://docs.fortinet.com KNOWLEDGE BASE http://kb.fortinet.com FORUMS https://support.fortinet.com/forum CUSTOMER SERVICE & SUPPORT
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities
More informationSecurity Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
More informationIntroduction to Firewalls
Introduction to Firewalls Today s Topics: Types of firewalls Packet Filtering Firewalls Application Level Firewalls Firewall Hardware/Software IPChains/IPFilter/Cisco Router ACLs Firewall Security Enumeration
More informationThe Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series
Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including
More informationIP Routing Features. Contents
7 IP Routing Features Contents Overview of IP Routing.......................................... 7-3 IP Interfaces................................................ 7-3 IP Tables and Caches........................................
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationTech-Note Bridges Vs Routers Version 1.0-02/06/2009. Bridges Vs Routers
Tech-Note Bridges Vs Routers - 02/06/2009 1 2 Index 1. About this tech-note... 3 2. Recommended configurations... 4 3. Issues that may arise with other types of connections... 5 3.1. Connected to a router
More informationClaudio Jeker. RIPE 41 Meeting Amsterdam, 15. January 2002. oppermann@pipeline.ch. jeker@n-r-g.com. Using BGP topology information for DNS RR sorting
BGPDNS Using BGP topology information for DNS RR sorting a scalable way of multi-homing André Oppermann oppermann@pipeline.ch Claudio Jeker jeker@n-r-g.com RIPE 41 Meeting Amsterdam, 15. January 2002 What
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationDRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014
DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist
More information8 steps to protect your Cisco router
8 steps to protect your Cisco router Daniel B. Cid daniel@underlinux.com.br Network security is a completely changing area; new devices like IDS (Intrusion Detection systems), IPS (Intrusion Prevention
More informationLab 8.3.13 Configure Cisco IOS Firewall CBAC
Lab 8.3.13 Configure Cisco IOS Firewall CBAC Objective Scenario Topology In this lab, the students will complete the following tasks: Configure a simple firewall including CBAC using the Security Device
More informationNETNOD Autumn 2014 October 2, 2014
Surviving a DDoS Attack: Securing CDN traffic at CloudFlare NETNOD Autumn 2014 October 2, 2014 Martin J. Levy, Network Strategy www.cloudflare.com DDoS Attacks are becoming massive, and easier to initiate
More informationDDoS Mitigation Techniques
DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet
More informationChapter 7 Troubleshooting
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and
More informationIPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Contents Introduction xix Chapter 1 Introduction to IPv6 Security 3 Reintroduction
More informationTechnical Support Information Belkin internal use only
The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationStrategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate
More informationAdvanced BGP Policy. Advanced Topics
Advanced BGP Policy George Wu TCOM690 Advanced Topics Route redundancy Load balancing Routing Symmetry 1 Route Optimization Issues Redundancy provide multiple alternate paths usually multiple connections
More informationASA/PIX: Load balancing between two ISP - options
ASA/PIX: Load balancing between two ISP - options Is it possible to load balance between two ISP links? on page 1 Does the ASA support PBR (Policy Based Routing)? on page 1 What other options do we have?
More informationApproaches for DDoS an ISP Perspective. barry@null0.net ognian.mitev@viawest.com
Approaches for DDoS an ISP Perspective barry@null0.net ognian.mitev@viawest.com Home School How everyone starts It s all up to you It s inexpensive (compared to other forms of education) Quality may not
More informationIPv6 Security from point of view firewalls
IPv6 Security from point of view firewalls János Mohácsi 09/June/2004 János Mohácsi, Research Associate, Network Engineer NIIF/HUNGARNET Contents Requirements IPv6 firewall architectures Firewalls and
More informationFirewall Stateful Inspection of ICMP
The feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection
More informationBrocade NetIron Denial of Service Prevention
White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms. Table of Contents Brocade NetIron
More informationSEC-370. 2001, Cisco Systems, Inc. All rights reserved.
SEC-370 2001, Cisco Systems, Inc. All rights reserved. 1 Understanding MPLS/VPN Security Issues SEC-370 Michael Behringer SEC-370 2003, Cisco Systems, Inc. All rights reserved. 3
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationThe Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends
3. The Environment Surrounding DNS DNS is used in many applications, serving as an important Internet service. Here we discuss name collision issues that have arisen with recent TLD additions, and examine
More informationLAB THREE STATIC ROUTING
LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a
More informationAdvanced Routing. FortiOS Handbook v3 for FortiOS 4.0 MR3
Advanced Routing FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Advanced Routing v3 4 January 2013 01-433-98043-20120116 Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate,
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More information#42 D A N T E I N P R I N T. Tackling Network DoS on Transit Networks. David Harmelin
D A T E I P R I T #42 Tackling etwork DoS on Transit etworks David Harmelin DATE I PRIT is a track record of papers and articles published by, or on behalf of DATE. HTML and Postscript versions are available
More informationBest Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013
Best Practices Guide: Vyatta Firewall SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013 INTRODUCTION Vyatta Network OS is a software-based networking and security solution that delivers advanced
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationNetwork Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers
Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers Abstract Hang Chau DoS/DDoS attacks are a virulent, relatively new type of Internet attacks, they have caused some biggest web
More informationCCNA Exploration: Accessing the WAN Chapter 7 Case Study
Objectives: Mitigate attacks based on DHCP rogue servers. Intro: ChurchBells Inc. is having connectivity issues and needs your help. The Scenario: According to the reports, some user PCs within the company
More informationLab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router
Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab exercise,
More informationFirewalls. Network Security. Firewalls Defined. Firewalls
Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall
More informationSecurity of IPv6 and DNSSEC for penetration testers
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions
More informationBasics of Computer Networks Security
Basics of Computer Networks Security Computer Networks Lecture 7 http://goo.gl/pze5o8 The Process of Securing Computer Network (1) Security is not about installing a big security box, but about definition
More informationAnnouncements. No question session this week
Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being
More informationSecuring Networks with Juniper Networks
Securing Networks with Juniper Networks Juniper Security Features Jean-Marc Uzé Liaison Research, Education and Government Networks and Institutions, EMEA juze@juniper.net TF-CSIRT Meeting, 26/09/02 Agenda
More informationTroubleshooting and Maintaining Cisco IP Networks Volume 1
Troubleshooting and Maintaining Cisco IP Networks Volume 1 Course Introduction Learner Skills and Knowledge Course Goal and E Learning Goal and Course Flow Additional Cisco Glossary of Terms Your Training
More informationDD2491 p1 2008. Load balancing BGP. Johan Nicklasson KTHNOC/NADA
DD2491 p1 2008 Load balancing BGP Johan Nicklasson KTHNOC/NADA Dual home When do you need to be dual homed? How should you be dual homed? Same provider. Different providers. What do you need to have in
More informationWAN Traffic Management with PowerLink Pro100
Whitepaper WAN Traffic Management with PowerLink Pro100 Overview In today s Internet marketplace, optimizing online presence is crucial for business success. Wan/ISP link failover and traffic management
More informationOutline. Outline. Outline
Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationConfiguring Static and Dynamic NAT Translation
This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 3 Timeout Mechanisms, page 4 NAT Inside and Outside
More informationLehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Auxiliary Protocols
Auxiliary Protocols IP serves only for sending packets with well-known addresses. Some questions however remain open, which are handled by auxiliary protocols: Address Resolution Protocol (ARP) Reverse
More informationExample: Advertised Distance (AD) Example: Feasible Distance (FD) Example: Successor and Feasible Successor Example: Successor and Feasible Successor
642-902 Route: Implementing Cisco IP Routing Course Introduction Course Introduction Module 01 - Planning Routing Services Lesson: Assessing Complex Enterprise Network Requirements Cisco Enterprise Architectures
More informationCourse Contents CCNP (CISco certified network professional)
Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,
More informationFrequent Denial of Service Attacks
Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as
More informationIOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections
IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections Document ID: 99427 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram
More informationComputer Networks I Laboratory Exercise 1
Computer Networks I Laboratory Exercise 1 The lab is divided into two parts where the first part is a basic PC network TCP/IP configuration and connection to the Internet. The second part is building a
More informationNetwork layer. Assignment 3
Network layer Chapter 4 in the textbook Assignment 3 UWO Abstractly, your server is essentially a simple router Maybe more of a switch than a router Your server gets messages ( packets ) These messages
More informationOutline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg
Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright
More informationHow Cisco IT Protects Against Distributed Denial of Service Attacks
How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationMeasurement Study on the Internet reachability. 3.1 Introduction. 3. Internet Backbone
3. Measurement Study on the Internet reachability Internet reachability can be assessed using control-plane and data-plane measurements. However, there are biases in the results of these two measurement
More informationChapter 7 Protecting Against Denial of Service Attacks
Chapter 7 Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for
More informationFirewall Stateful Inspection of ICMP
The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated
More informationMPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems kbaksova@cisco.com
Intelligent Information Network MLS VN Security Klaudia Bakšová Systems Engineer, Cisco Systems kbaksova@cisco.com Agenda Analysis of MLS/VN Security Inter-AS VNs rovider Edge DoS possibility Secure MLS
More information