SNMP REFLECTION DDOS ATTACKS

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "SNMP REFLECTION DDOS ATTACKS"

Transcription

1 GSI ID: 1074 SNMP REFLECTION DDOS ATTACKS RISK FACTOR - MEDIUM 1.1 OVERVIEW / The Prolexic Security Engineering and Response Team (PLXsert, now part of Akamai) has observed a marked resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks, beginning on April 11, The SNMP protocol is commonly used in devices for the home, enterprises and other commercial settings; typical devices include printers, switches, firewalls and routers. Until approximately three years ago, SNMP devices were manufactured using SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default. Devices using SNMP v3 are more secure. To stop these older devices from participating in attacks, network administrators need to check for the presence of this protocol and turn off public access. Devices using SNMP v3 are more secure. The use of specific types of protocol reflection attacks such as SNMP surge from time to time, becoming suddenly popular with the re-use or new availability of distributed denial of service (DDoS) tools. Newly available SNMP reflection tools in the underground have enabled the current situation. This threat advisory outlines the indicators, source code, malicious payloads and recommended IDS snort rule for the SNMP Reflector DDoS tool. 1.2 INDICATORS OF SNMP REFLECTOR DDOS ATTACKS / SNMP DDoS attacks from the SNMP Reflector DDoS tool make use of devices on the Internet that allow public SNMP queries. The queries themselves have several identifying characteristics including the following: SNMP GetBulk requests: The GetBulk operation allows the efficient transmission of data from an SNMP device. The request delivers values stored in the device such as IP addresses on a router or the type of toner used in a printer. Use of SNMP Version 2c for SNMP Community string public: The community string regulates access to device information. The default community string for SNMP v2c is usually public. 1

2 Max-repeaters set to 2250: Attackers are crafting SNMP requests to maximize the response payload by using a high value for max-repetitions. The largest value observed during an attack was 2,250. Source port 80: Port 80 is used as the source port of the attack, which sends the reflected payload to port 80 of the target. Query attempts to begin at OID (Object Identifier) : Attackers are directing the query to this high-level OID to ensure they get the largest possible response as the request traverses the OID tree structure. OID does not exist but the GetBulk command will start at the next successive OID value. The object identifier provides a means to query for specific information from a device. For example, or sysdesc, contains information about the device being queried. This could be the version of Windows or the model and brand of router for the device. Request-id: 20039: The attack tool uses a static request identifier, which is usually generated randomly at the time an snmpgetbulk request is made. The response will match the id. RFCs 3416 and 1901 provide more information on the indicators above. 1.3 PAYLOAD GENERATION / Attackers appear to be using a malicious tool to automate their GetBulk requests, possibly using multiple threads. First, an attacker would need to scan the Internet for hosts that are listening on port 161 and using a community string of public. The tool or a paid DDoS service may provide lists of such devices. The list of IP addresses would be placed in a text file, which is input into the attack tool. Using the IP address of the attacker s target as a spoofed source from which the requests will appear to originate, the attacker generates snmpbulkget requests to the list of reflectors. These actions lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker. The IP address of the actual attack source will be hidden. The initial request payload from the attacker to a reflector device is less than 40 bytes. Figure 1 captures data from a single snmpbulkget request. Identifying information is shown in red. 2

3 Figure 1: A 37- byte SNMPBulkGet request generated by attack tool against an Akamai customer Any device configured to listen for SNMP v2c requests could potentially become a reflector for this SNMP attack. Based on recent attacks, PLXsert has determined that malicious actors have reflected these queries from routers, printers, cable modems, desktops and servers. Figure 2 captures traffic snippets involving some of the observed devices used during attacks. Figure 2: Traffic capture samples from various network devices 3

4 Figure 3 shows tshark output for a GetBulk response received during an attack campaign. The payload was so large that it was split into 44 fragmented packets. This payload, a response from a Windows 2003 server, represents an amplification factor of more than 1,700 times. Figure 3: A sample response of more than 64,000 bytes 4

5 Not all SNMP responses will result in such large payloads. Total response size will depend on the available OID data on the reflecting device. 1.4 OBSERVED CAMPAIGNS / Since April 11, 2014 PLXsert has observed 14 DDoS campaigns that have made use of SNMP amplified reflection attacks. The attacks targeted clients in the following industry verticals: consumer goods, gaming, hosting, non-profits and Software-as-a-Service (SaaS). The resurgence of the SNMP reflection attack has been accompanied by a specific pattern in the request and payload response from SNMP reflectors as shown in previous figures. The main source countries have been the United States, China, Brazil, Italy and Turkey. Figure 4: Observed SNMP source distribution based on a single attack campaign 5

6 Figure 5 shows the bandwidth consumed by SNMP attacks since April 11. As devices are discovered to be participating in attacks, their IP addresses are blacklisted or null routed by the Internet community, leading to smaller attack sizes. Past experience indicates, however, that malicious actors will continue to identify additional devices vulnerable to SNMP reflection and use them in their lists instead. Figure 5: Bandwidth consumed SNMP attacks by day. Bandwidth declined as involved IP addresses were blacklisted by the Internet community 1.5 AN EXAMPLE DDOS TOOL: SNMP REFELECTOR DDOS / PLXsert researchers were able to identify a tool used during the recent SNMP reflection attacks and use it to replicate the request and payload in a laboratory setting. This particular tool, which was written by Team Poison in 2011, is available on the Internet. A code snippet from the code of the SNMP Refelector (sic) DDOS tool is shown in Figure 6. 6

7 Figure 6: A code snippet from the SNMP Refelector DDOS tool believed to be used in recent attacks. The misspelling Refelector is coded in the tool. 1.6 LAB STUDY / Using the snmpbulkget command, PLXsert was able to closely simulate a request made by the SNMP Refelector DDoS tool to a Windows 7 computer and to a Cisco router, as shown in Figures 7 and 8. The following is of special interest: The key parameter is -C r2250. This sets the max-repeaters to The default is 10. Even though the query is set for , the first matching OID would be sysdescr( ). The BulkGet command finds the next OID value after and proceeds to return up to 2,250 subsequent OIDs. 7

8 Figure 7: A laboratory- based snmpbuklkget request to a Windows 7 computer Figure 8: A laboratory- based snmpbuklkget request to a Cisco router As shown in Figures 9 and 10 below, the laboratory setup was able to replicate requests and payloads. The tool produced a request of 37 bytes and an amplified response of 51,722 bytes, effectively replicating the SNMP reflection attack seen in the campaigns. Figure 9: Indicators are replicated during attack tool execution in the lab environment 8

9 Figure 10: A payload produced by the malicious tool in the lab against a Windows 7 computer with SNMP service enabled and the default community string public 9

10 1.7 RECOMMENDED REMEDIATION FOR SNMP DEVICES / Network administrators with SNMP devices should take the following actions to mitigate and protect against device involvement in SNMP reflection attacks: Scan for devices on your network that are configured with the default public community string and limit public access. Some SNMP devices, such as printers, should not be allowed to be open to the Internet. Restrict and monitor access to SNMP devices, especially those that perform management oversight of large SNMP device populations. When possible use SNMP v RECOMMENDED VICTIM MITIGATION Snort rule for intrusion detection systems (IDS) alert udp any 80 -> any 161 \ (msg: "SNMP large GetBulk Request"; \ content: " c6963a e ca b "; dsize:37<>37;\ sid: ; rev:1;) 1.9 CONCLUSION / The SNMP Refelector DDoS tool described here is one of many malicious SNMP reflection DDoS tools. Ongoing IP address blacklisting efforts by the Internet community are resulting in a smaller number of involved SNMP devices, but the remaining vulnerable SNMP servers will continue to make this attack dangerous. It is essential that network administrators engage in takedown of vulnerable devices. SNMP v3 is preferred. SNMP v2c is set to the public community string by default and such devices should be configured to prevent public access where it is not needed. SNMP v3 is preferred. The SNMP Reflector DDoS tool described here is one of many malicious SNMP reflection DDoS tools. 10

11 The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions. Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company s solutions is the Akamai Intelligent Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit or blogs.akamai.com, and on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 05/14. 11

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory GSI ID: 1065 DNS FLOODER V1.1 RISK FACTOR - HIGH 1.1 OVERVIEW / PLXSert has observed the release and rapid deployment of a new DNS reflection toolkit for distributed denial of service (DDoS) attacks. The

More information

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015. 1 TLP: GREEN 02.11.15 GSI ID: 1086 SECURITY BULLETIN: MS SQL REFLECTION DDOS RISK FACTOR - MEDIUM 1.1 / OVERVIEW / Beginning in October 2014, PLXsert observed the use of a new type of reflection-based

More information

NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS

NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS GSI ID: 1070 NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS RISK FACTOR - HIGH 1.1 OVERVIEW / Amplification is not a new distributed denial of service (DDoS) attack method, nor is the misuse of the Network

More information

Attack vectors: DNS reflection and amplification

Attack vectors: DNS reflection and amplification 1 akamai s [state of the internet] / Security Bulletin TLP: GREEN 11.11.14 GSI ID: 1082 RISK FACTOR - MEDIUM SECURITY BULLET: CRAFTED DNS TEXT ATTACK 1.1 OVERVIEW / PLXsert has been monitoring a new trend

More information

JOOMLA REFLECTION DDOS-FOR-HIRE

JOOMLA REFLECTION DDOS-FOR-HIRE 1 TLP: GREEN GSI ID: 1085 JOOMLA REFLECTION DDOS-FOR-HIRE RISK FACTOR - HIGH 1.1 / OVERVIEW / Following a series of vulnerability disclosures throughout 2014, the popular content management framework Joomla

More information

SSDP REFLECTION DDOS ATTACKS

SSDP REFLECTION DDOS ATTACKS TLP: AMBER GSI ID: 1079 SSDP REFLECTION DDOS ATTACKS RISK FACTOR - HIGH 1.1 OVERVIEW / PLXsert has observed the use of a new reflection and amplification distributed denial of service (DDoS) attack that

More information

akamai s [state of the internet] / Threat Advisory: RIPv1 Reflection DDoS Risk Factor - Medium Threat Advisory: RIPv1 Reflection DDoS

akamai s [state of the internet] / Threat Advisory: RIPv1 Reflection DDoS Risk Factor - Medium Threat Advisory: RIPv1 Reflection DDoS TLP GREEN 7.1.15 Threat Advisory: RIPv1 Reflection DDoS Risk Factor - Medium 1.1 / Overview / PLXsert has been monitoring an uptick in a form of DDoS reflection previously thought of as mostly abandoned.

More information

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS TLP: GREEN Issue Date: 2015.10.28 Risk Factor- Medium Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS 1.0 / OVERVIEW / In the third quarter of 2015, Akamai mitigated and

More information

Secure Content Delivery Network

Secure Content Delivery Network Akamai Technologies Inc. Akamai Security and Compliance Secure Content Delivery Network Physical Access Information May 13, 2014 Table of Contents Risk Analysis... 1-2 Physical Access... 2-3 Records...

More information

Web Application Vulnerability Scanner: Skipfish

Web Application Vulnerability Scanner: Skipfish Web Application Vulnerability Scanner: Skipfish Page 1 of 7 EXECUTIVE SUMMARY Skipfish is an automated web application vulnerability scanner available for free download at Google s code website. It is

More information

Introduction to DDoS Attacks. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

Introduction to DDoS Attacks. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter Introduction to DDoS Attacks Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News Q1 2014 DDoS Attack Trends DDoS Attack Trends Q4 2013 Mobile devices

More information

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS Classification: TLP-GREEN RISK LEVEL: MEDIUM Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS Release Date: 6.1.16 1.0 / OVERVIEW / Akamai SIRT is investigating a new DDoS reflection

More information

akamai s [state of the internet] Q executive review

akamai s [state of the internet] Q executive review akamai s [state of the internet] Q4 2015 executive review about the review / Akamai, the world s leading content delivery network (CDN) provider, uses its globally distributed Intelligent Platform TM to

More information

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. Threat > The number and size of cyberattacks are increasing rapidly Website availability and rapid performance are critical factors in determining the success

More information

An Analysis of DrDoS SNMP/NTP/CHARGEN Reflection Attacks

An Analysis of DrDoS SNMP/NTP/CHARGEN Reflection Attacks A Prolexic White Paper An Analysis of DrDoS SNMP/NTP/CHARGEN Reflection Attacks Part II of the DrDoS White Paper Series During 2012, there was a significant increase in the use of a specific Distributed

More information

SSHowDowN Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns AKAMAI THREAT ADVISORY

SSHowDowN Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns AKAMAI THREAT ADVISORY AKAMAI THREAT ADVISORY SSHowDowN Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns By Ezra Caltum & Ory Segal, Akamai Threat Research Issue Date: 10.11.16 Executive Summary How many

More information

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks TLP: GREEN Issue Date: 1.12.16 Threat Advisory: Continuous Uptick in SEO Attacks Risk Factor High The Akamai Threat Research Team has identified a highly sophisticated Search Engine Optimization (SEO)

More information

HIMSS Survey Uncovers Critical Weaknesses In Hospital Web Security

HIMSS Survey Uncovers Critical Weaknesses In Hospital Web Security HIMSS Survey Uncovers Critical Weaknesses In Hospital Web Security HIMSS Survey Uncovers Critical Weaknesses in Hospital Web Security 2 HIMSS Analytics, in partnership with Akamai, recently conducted a

More information

Account Checkers and Fraud

Account Checkers and Fraud kamai Technologies Inc. Account Checkers and Fraud Carders in Action VERSION: 2013-0005-G Table of Contents Executive Summary... 2 Observed Behavior... 2 Attacker Tactics, Techniques and Procedures...

More information

IBM Security Services Stacheldraht DDoS Malware MSS Threat Research Group

IBM Security Services Stacheldraht DDoS Malware MSS Threat Research Group IBM Security Services Stacheldraht DDoS Malware MSS Threat Research Group By John Kuhn, Senior Threat Researcher June 02, 2014 Executive Overview/Key Findings In today's fast paced world of internet security

More information

akamai s [state of the internet] Q 3 2015 executive review

akamai s [state of the internet] Q 3 2015 executive review akamai s [state of the internet] Q 3 2015 executive review about the review / Akamai, the world s leading content delivery network (CDN) provider, uses its globally distributed Intelligent Platform TM

More information

Prolexic Quarterly Global DDoS Attack Report Q4 2012

Prolexic Quarterly Global DDoS Attack Report Q4 2012 Prolexic Quarterly Global DDoS Attack Report Q4 2012 Q4 2012 was defined by the increasing scale and diversity of DDoS attacks as well as the enduring nature of botnets. Analysis and emerging trends At

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Efficient Network Management (236635) Final Project

Efficient Network Management (236635) Final Project Efficient Network Management (36635) Final Project Project Title: SNMP Agent for large data transfer Team: Kfir Karmon (ID 3797696) Tsachi Sharfman (ID 97399). Problem Description One of the weaknesses

More information

THE INTERNET GETS BETTER WHEN WE WORK TOGETHER

THE INTERNET GETS BETTER WHEN WE WORK TOGETHER THE INTERNET GETS BETTER WHEN WE WORK TOGETHER FASTER FORWARD. TOGETHER. Since it s inception, the creation and constant improvement of the Internet has been, by design, a team effort. And nowhere do we

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

AKAMAI WHITE PAPER. The Challenges of Connecting Globally in the Pharmaceutical Industry

AKAMAI WHITE PAPER. The Challenges of Connecting Globally in the Pharmaceutical Industry AKAMAI WHITE PAPER The Challenges of Connecting Globally in the Pharmaceutical Industry The Challenges of Connecting Globally in the Pharmaceutical Industry TABLE OF CONTENTS EXECUTIVE SUMMARY 1 GLOBAL

More information

Internet Scanner 7.0 Frequently Asked Questions

Internet Scanner 7.0 Frequently Asked Questions Frequently Asked Questions Internet Scanner 7.0 Frequently Asked Questions April 2003 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS) Internet Scanner

More information

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate

More information

Technical Note. ForeScout CounterACT: Virtual Firewall

Technical Note. ForeScout CounterACT: Virtual Firewall ForeScout CounterACT: Contents Introduction... 3 What is the vfw?.... 3 Technically, How Does vfw Work?.... 4 How Does vfw Compare to a Real Firewall?.... 4 How Does vfw Compare to other Blocking Methods?...

More information

MAN-IN-THE-MIDDLE ATTACKS TARGET ios AND ANDROID

MAN-IN-THE-MIDDLE ATTACKS TARGET ios AND ANDROID 1 TLP: GREEN GSI ID: 1084 MAN-IN-THE-MIDDLE ATTACKS TARGET ios AND ANDROID RISK FACTOR - HIGH 1.1 / OVERVIEW / Information from intelligence sources suggests ongoing efforts by an organized and resourceful

More information

AKAMAI WHITE PAPER. Delivering Dynamic Web Content in Cloud Computing Applications: HTTP resource download performance modelling

AKAMAI WHITE PAPER. Delivering Dynamic Web Content in Cloud Computing Applications: HTTP resource download performance modelling AKAMAI WHITE PAPER Delivering Dynamic Web Content in Cloud Computing Applications: HTTP resource download performance modelling Delivering Dynamic Web Content in Cloud Computing Applications 1 Overview

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider

More information

Network Monitoring with SNMP

Network Monitoring with SNMP Network Monitoring with SNMP This document describes how SNMP is used in WhatsUp Gold v11 and provides examples on how to configure performance, active, and passive monitors. Introduction SNMP (Simple

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013 SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and

More information

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS Threat Report Insights on Finding, Fighting, and Living with DDoS Attacks v1.1 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News - 2014 DDoS Trends

More information

Attivo Networks BOTsink and McAfee NSP Integration DNS Sinkhole with URL Sandboxing

Attivo Networks BOTsink and McAfee NSP Integration DNS Sinkhole with URL Sandboxing NSP Integration DNS Sinkhole with URL Sandboxing Botnets are a complex and pervasive form of cyber attack that has been used by attackers, for over a decade, to compromise millions of endpoints in order

More information

Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW) Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet

More information

How to Evaluate DDoS Mitigation Providers:

How to Evaluate DDoS Mitigation Providers: Akamai White Paper How to Evaluate DDoS Mitigation Providers: Four Critical Criteria How to Evaluate DDoS Mitigation Providers 2 TABLE OF CONTENTS INTRODUCTION 3 CRITERIA #1: THREAT INTELLIGENCE 3 CRITERIA

More information

THE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! AKAMAI 10For10 AKAMAI INDUSTRY BROCHURE

THE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! AKAMAI 10For10 AKAMAI INDUSTRY BROCHURE AKAMAI 10For10 THE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! Whether delivering web applications from behind the firewall, hosting in the cloud,

More information

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized. SiteAudit Knowledge Base Network Traffic March 2012 In This Article: SiteAudit s Traffic Impact How SiteAudit Discovery Works Why Traffic is Minimal How to Measure Traffic Minimal network traffic is the

More information

Making the Internet Business-Ready

Making the Internet Business-Ready Making the Internet Business-Ready If you ve ever shopped online, downloaded music, watched a web video or connected to work remotely, you ve probably used Akamai. Our solutions help to deliver the best

More information

Cloud Security In Your Contingency Plans

Cloud Security In Your Contingency Plans Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect

More information

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques. Some IPS systems can be easily fingered using simple techniques. The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk. Security

More information

Network Monitoring with SNMP

Network Monitoring with SNMP Network Monitoring with SNMP This paper describes how SNMP is used in WhatsUp- Professional and provides specific examples on how to configure performance, active, and passive monitors. Introduction SNMP

More information

Web Application Accelerator

Web Application Accelerator Akamai Solution Web Application Accelerator Faster, More Reliable Web-Based Applications Increased Online Bookings for Cathay Pacific Cathay Pacific Web Site Cathay Pacific Airways of Hong Kong, the world

More information

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative Network Monitoring By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative Overview of network Logical network view Goals of Network Monitoring Determine overall health

More information

Secure Content Delivery Network

Secure Content Delivery Network kamai Technologies Inc. Secure Content Delivery Network Physical Access Information May 13, 2014 Table of Contents Purpose... 2 Risk Analysis... 2 Physical Access... 2 Issue/Response... 3 Records... 4

More information

Exercise 7 Network Forensics

Exercise 7 Network Forensics Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Technical White Paper June 2016

Technical White Paper June 2016 Technical White Paper June 2016 Guide to DDoS Attacks Authored by: Lee Myers, Senior Manager of Security Operations Christopher Cooley, Cyber Intelligence Analyst This Multi- State Information Sharing

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

THREAT VISIBILITY & VULNERABILITY ASSESSMENT THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Dynamic Site Accelerator

Dynamic Site Accelerator Akamai Solution Dynamic Site Accelerator Dynamic, Personalized Web Sites Five Times Faster Faster Site Performance Drives Higher Conversions BestBuy: Accelerates dynamic transactional content Ross-Simons:

More information

White Paper In Denial?...Follow Seven Steps for Better DoS and DDoS Protection

White Paper In Denial?...Follow Seven Steps for Better DoS and DDoS Protection RELEVANT. INTELLIGENT. SECURITY White Paper In Denial?...Follow Seven Steps for Better DoS and DDoS Protection www.solutionary.com (866) 333-2133 In Denial?...Follow Seven Steps for Better DoS and DDoS

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Network Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016

Network Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016 Jaakko Kotimäki Department of Computer Science Aalto University, School of Science Outline Introduction SNMP architecture Management Information Base SNMP protocol Network management in practice Niksula

More information

An Introduction to SNMP

An Introduction to SNMP Contents About this Guide 3 What is SNMP? 4 SNMP Actions 4 How is SNMP Structured? 4 How Does N-central use SNMP? 6 N-central and the GET command 6 N-central and Syslog Messages 6 N-central SDK 7 Setting

More information

Active Management Services

Active Management Services Active Management Services White Paper 2.0 for Ricoh Customers Prepared by Professional Services department of Ricoh International B.V. Monday, 14 January 2013 TABLE OF CONTENT 1. Introduction... 4 2.

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Simple Network Management Protocol

Simple Network Management Protocol A Seminar Report on Simple Network Management Protocol Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: SUBMITTED BY: www.studymafia.org www.studymafia.org

More information

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Demystifying the Myth of Passive Network Discovery and Monitoring Systems Demystifying the Myth of Passive Network Discovery and Monitoring Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix.

More information

Traffic Monitoring : Experience

Traffic Monitoring : Experience Traffic Monitoring : Experience Objectives Lebah Net To understand who and/or what the threats are To understand attacker operation Originating Host Motives (purpose of access) Tools and Techniques Who

More information

Spike DDoS Toolkit OVERVIEW INDICATORS OF BINARY INFECTION. TLP: GREEN GSI ID: 1078 Risk Factor - High

Spike DDoS Toolkit OVERVIEW INDICATORS OF BINARY INFECTION. TLP: GREEN GSI ID: 1078 Risk Factor - High Spike DDoS Toolkit TLP: GREEN GSI ID: 1078 Risk Factor - High OVERVIEW In 2014, PLXsert has observed a trend in new distributed denial of service (DDoS) malware originating from Asia. These binaries have

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

CASPR Commonly Accepted Security Practices and Recommendations

CASPR Commonly Accepted Security Practices and Recommendations hhhhhhhhhhhhhh CASPR Commonly Accepted Security Practices and Recommendations CASPR is an open-source project aimed at documenting the information security common body of knowledge through commonly accepted

More information

Audit and Protect Unstructured Data

Audit and Protect Unstructured Data File Security DATASHEET Audit and Protect Unstructured Data Unmatched Auditing and Protection for File Data Conventional approaches for auditing file activity and managing permissions simply don t work

More information

CA Vulnerability Manager r8.3

CA Vulnerability Manager r8.3 PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL

More information

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Web Security. Discovering, Analyzing and Mitigating Web Security Threats Web Security Discovering, Analyzing and Mitigating Web Security Threats Expectations and Outcomes Mitigation strategies from an infrastructure, architecture, and coding perspective Real-world implementations

More information

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative 2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago,

More information

First Line of Defense

First Line of Defense First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive

More information

Network/Internet Forensic and Intrusion Log Analysis

Network/Internet Forensic and Intrusion Log Analysis Course Introduction Enterprises all over the globe are compromised remotely by malicious hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of

More information

Stop DDoS Attacks in Minutes

Stop DDoS Attacks in Minutes PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)

More information

CompTIA Network+ N Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs

CompTIA Network+ N Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs CompTIA Network+ N10 005 Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs Domain 1.0: Network Concepts 1.1 Compare the layers of the OSI and TCP/IP Models TCP/IP Model Layer Matching

More information

Traffic monitoring with sflow and ProCurve Manager Plus

Traffic monitoring with sflow and ProCurve Manager Plus An HP ProCurve Networking Application Note Traffic monitoring with sflow and ProCurve Manager Plus Contents 1. Introduction... 3 2. Prerequisites... 3 3. Network diagram... 3 4. About the sflow protocol...

More information

Man, Machine and DDoS Mitigation

Man, Machine and DDoS Mitigation Man, Machine and DDoS Mitigation The case for human cyber security expertise Automated DDoS mitigation poses risks Distributed denial of service (DDoS) attacks can overwhelm DDoS appliances Today s DDoS

More information

BeyondInsight Version 5.6 New and Updated Features

BeyondInsight Version 5.6 New and Updated Features BeyondInsight Version 5.6 New and Updated Features BeyondInsight 5.6 Expands Risk Visibility Across New Endpoint, Cloud and Firewall Environments; Adds Proactive Threat Alerts The BeyondInsight IT Risk

More information

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software McAfee Global Threat Intelligence File Reputation Service Best Practices Guide for McAfee VirusScan Enterprise Software Table of Contents McAfee Global Threat Intelligence File Reputation Service McAfee

More information

Overview of Attack Trends

Overview of Attack Trends Overview of Attack Trends CERT Coordination Center The CERT Coordination Center has been observing intruder activity since 1988. Much has changed since then, from our technology to the makeup of the Internet

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

orrelog SNMP Trap Monitor Software Users Manual

orrelog SNMP Trap Monitor Software Users Manual orrelog SNMP Trap Monitor Software Users Manual http://www.correlog.com mailto:info@correlog.com CorreLog, SNMP Trap Monitor Software Manual Copyright 2008-2015, CorreLog, Inc. All rights reserved. No

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Visualize current and potential network traffic patterns

More information

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Characterization and Analysis of NTP Amplification Based DDoS Attacks Characterization and Analysis of NTP Amplification Based DDoS Attacks L. Rudman Department of Computer Science Rhodes University Grahamstown g11r0252@campus.ru.ac.za B. Irwin Department of Computer Science

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to

More information

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1 Smart Tips Enabling WAN Load Balancing Overview Many small businesses today use broadband links such as DSL or Cable, favoring them over the traditional link such as T1/E1 or leased lines because of the

More information

McAfee Network Security Platform

McAfee Network Security Platform Quick Tour Revision A McAfee Network Security Platform version 8.3 McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects

More information

Comparative analysis. NETASQ vs Fortinet. COMPARATIVE ANALYSIS NETASQ vs Fortinet. Copyright NETASQ 2009

Comparative analysis. NETASQ vs Fortinet. COMPARATIVE ANALYSIS NETASQ vs Fortinet. Copyright NETASQ 2009 Comparative analysis vs 1 Key advantages to solutions Proactive when encountering threats High-performance architecture Maximum protection for businesses of all sizes Licenses for unlimited number of users

More information

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment What You Will Learn Cisco Systems and Akamai Technologies intend to deliver the world s first combined Cisco Intelligent WAN with

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information