Security Threats to the Internet Backbone

Size: px
Start display at page:

Download "Security Threats to the Internet Backbone"

Transcription

1 Security Threats to the Internet Backbone Presented by Ricky Lou IT Intelligence Limited Potential Risks DDoS on critical Internet Resources DNS Spoofing Wide-Area Internet Routing

2 DDoS on critical Internet Resources DDoS attack all 13 of the Internet domain name system (DNS) root servers October 21st 2002 What is DNS root servers? How do they work?

3 The attack Attackers flooded the DNS servers with Internet traffic using ICMP (Internet Control Message protocol) at more than 10 times the normal rate of traffic Such events are nothing new, compare with high-profile attacks in the year before against ISP and companies such as Microsoft Corp. and e-bay Inc. But this incident opens a new chapter in the history of Internetbased attacks. An example of people not targeting enterprises, but going against the Internet itself by attacking the architecture and protocols on which the Internet was built Factors contributing to such attacks are well known. Worms such as Code Red, Nimda, and Slapper have left hundreds if not thousands of compromised computer on the Internet. The attack Such systems can be used as zombies in a DDoS attack Zombies are machine controlled remotely and used to launch an attack Sophisticated software programs have make leveraging those compromised machines a simple matter, even for novice attackers With automated attack tools, even inexperienced people can get control of a large number of hosts. The attacks are not professional or financial in nature. They are random and non-directed

4 The attack Fortunately, the attacks were not sophisticated, relying on a simple packet flood approach in which information packets are sent in high volumes to a server, and using a protocol ICMP Future attacks could be much more sophisticated Attackers might disguise a DDoS attack as normal traffic Nothing about the protocol used or packets sent would appear unusual, but the volume of traffic would be enough to overwhelm the target server Even more hostile, would be attacks that target the routing infrastructure, as opposed to the DNS infrastructure of the Internet. That infrastructure of roadways over which Internet traffic passes is more brittle than the flexible architecture of DNS The attack When one backbone goes down, the traffic has to go somewhere Recalling that the recent outage on the UUnet Internet backbone operated by WorldCom Inc. was felt instantly worldwide Telephone system in Hong Kong when everybody try to pick up the phone at once

5 Attack Mitigation More governmental management of key components of the Internet infrastructure is needed More funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and nonprofit organizations Because of the financial condition of most companies that manage the Internet backbone, there is little private money available to ensure the extra capacity should one or more parts of the backbone be attacked. Government investment could help create and secure a more robust infrastructure DNS Spoofing A term used when a DNS server accepts and use incorrect information from a host that has no authority giving that information Malicious cache poisoning where forged data is placed in the cache of the name servers Can cause serious security problems for DNS servers vulnerable to such attacks, eg. Causing users to be directed to wrong Internet sites or e- mail being routed to non-authorized mail servers

6 DNS Spoofing A third of all DNS servers on the Internet are vulnerable to spoofing. Source: Domain Health Survey DNS Spoofing How is it done? Three companies (A, B and C), all competing in a challenging environment

7 DNS Spoofing A spoofing attack can continue for a long period without being noticed Companies may never know of the security breach until competitor enters the market with a similar product That companies can destroy any opportunity other companies have to create a competitive edge Most top level business managers have not yet realized the financial and security risks associated with DNS spoofing DNS Spoofing Internet banking Fake Virtual Bank Easy to set up even for an novice

8 What can be done? It is necessary to have the security built into DNS systems Every organization or individual responsible for a domain should first check which type of name server they are using and consult with its developer whether it is secure against DNS spoofing or not. Cricket Liu has written guidelines on how to solve the spoofing problem for BIND and the Microsoft DNS Server in his article Securing an Internet Name Server What can be done? Running the newest version of BIND doesn t guarantee your name server security, it minimizes the possible of attack To combat DoS attack and prevent accidental service outages, eliminate single point of failure in your DNS infrastructure Don t put all of your name servers on a single subnet, behind a single router, behind a single lease line Arrange to have someone run an offsite slave name server for you Restricting Zone Transfer Use transaction signature to cryptographically authenticate and verify Zone Transfer And more..

9 Wide-Area Internet Routing Routing is the process by which a packet is sent from one place to another. Routing is the mechanism which determines the path a packet should take in order to reach the specified destination Routing on the Internet can be classified into two areas: local routing and wide-area routing Local routing transports a packet to a host within particular network once it has reached that network Wide-area routing deals with transporting a packet between networks, i.e., across the Internet itself Wide-Area Internet Routing Various research has proposed authenticated route advertisements Certain wide-area routing protocols have attempted to address some of the security issues associated with Internet routing However, some of the fundamental questions remain with respect to widearea internet routing security, including the following:

10 Wide-Area Internet Routing Does the issue of wide area routing boil down to a problem of authentication, or is it more fundamentally an issue of robustness? Is the threat really a malicious user injecting bad routes into the Internet infrastructure, or rather is it simply a problem of designing an extension to the exterior gateway protocols that is robust to operator error? Wide-Area Internet Routing Who and what are the legitimate threats in such a case? Often, the ability to do largescale damage implies access to a backbone router; therefore, are these entities really vulnerable to script kiddies, or should we really only be concerned with people who might have access to the Internet s backbone routers?

11 Overview of Border Gateway Protocol (BGP) An exterior gateway protocol currently used as a communication between routers to disseminate routing information between autonomous systems An autonomous system is typically established as a particular administrative domain. An ISP such as BBN is AS-1; MIT is AS-3 BGP has mechanisms to prevent routing loops between autonomous systems, and it scales well because it is incremental: once routes are established, only changes (i.e., updates and withdrawals ) are advertised Overview of Border Gateway Protocol (BGP) Each AS has a BGP speaker, a router which runs the BGP routing process, which advertises all of the networks for which it has reach ability information, i.e., all of the networks for which it has a path to reach. If a particular AS wants traffic to be routed to it for a given set of address, it then advertises those networks through a route advertisement An AS can also agree to be a transit-as : if one AS gains information about another network s reach ability via another AS, it can advertise that it has reach ability to that network too

12 Overview of Border Gateway Protocol (BGP) AS AS 4969 AS 6461 AS 701 AS 5000 Overview of Border Gateway Protocol (BGP) Very basic overview of BGP Basic idea is that the Internet is partitioned into administrative domains called autonomous systems, and that each AS advertises the set of networks that it knows how to reach

13 The Threats Mis-configuring a BGP peer AS-5000 is transited by two other AS s (AS-4969 and AS-6464), both of which send full BGP tables to that AS When AS-5000 hears the full BGP tables from the other ASes, it will redistribute these routes internally with the AS (using ibgp, OSPF, etc) The routing table AS-5000 is then redistributed back to the exterior BGP as originating from AS Now AS-4969 and AS-6464 think that the entire internet originates within the AS-5000 network The Threats The upshot is that all Internet-bound traffic from any AS that is peering with AS-5000 will attempt to route traffic through AS- 5000, thus saturating the network and making the Internet inaccessible This assumes that the AS is not performing any filtering of ibgp messages with respect to its ebgp announcements

14 The Threats Lacking of Filtering An AS can filter out certain route announcements based on certain attributes If a certain AS receives an announcement from an IP address that it does not recognize, or is not from a certain AS, then it will not accept that route advertisement Many of the large ISPs, such as Sprint, AT&T, UUNet, etc., who provide access to the Internet backbone, do not filter out these routes The Threats Largely due to the fact that most entities obtain their Internet access from smaller ISPs When a small ISP adds a new network, it wants to be able to grant that user instant connectivity, and not have to tell the larger ISP that it s OK to advertise routes to these new networks. Many of the larger ISPs perform no filtering of updates at all Accepting all routes indiscriminately obviously provides potential for mis-configuration and catastrophic failure

15 The Threats Blackholing Blackholing a route essentially occurs when a particular AS announces a route to a network that an AS essentially does not have Any peer that hears an update corresponding to a blackholed route will send packets to the AS destined for the blackholed route, and packets will be dropped It has been asserted that blackholing is one of the most effective denial of service attacks on the Internet to date The Threats A purposeful blackholing exists whereby an AS announces blackholed networks to peers via BGP multihop, and the next hop information would be changed to an address which would simply drop the packets One particularly disturbing implication of this is that it is possible to target someone else s network and blackhole it by announcing that you have a route to their network when you in fact don t An indication that your network has been blackholed is a sudden drop in traffic to your network

16 The Threats An interesting man-in-the-middle attack can also be performed in a blackholing-type fashion, if a malicious AS announces a route that it wants to blackhole, but then establishes a machine on its internal network that performs some of the same functionality as the machine on the blackholed network This might allow such an attack as masquerading as the machine that the end host thinks it is talking to, or simply sniffing all traffic that is sent between two end hosts Blackholing can be accomplished if the AS is not filtering its ibgp update messages, or via forged BGP UPDATE messages The Threats IP Spoofing It is possible to insert forged BGP UPDATE messages (i.e., route updates) into an existing BGP session between two peers since the only sequence number included in the UPDATE packets are the TCP sequence numbers This means that a malicious AS could potentially spoof the BGP UPDATE messages; spoofing BGP update messages boils down to essentially performing spoofing of TCP messages

17 What can be done? Cisco s IOS allows the use of MD5 hashes for authentication of peers, and picks random TCP ISNs, thus making the insertion of a forged update message particularly difficult Stephen Kent have proposed a protocol referred to as Secure Border Gateway Protocol (S-BGP), which reportedly verifies the authenticity and authorization of BGP control traffic This protocol doesn t include undue overhead and is incrementally deployable What can be done? S-BGP must be adopted by ISPs, and required PKI support by registries that allocate AS number to the ISPs S-BGP still fails to address misconfiguration issues

18 References er_security/securing_an_internet_name_server. pdf poofing.html findex.html e/pfindex.html /november00.html Contact

Network Security. Mobin Javed. October 5, 2011

Network Security. Mobin Javed. October 5, 2011 Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways

More information

Exterior Gateway Protocols (BGP)

Exterior Gateway Protocols (BGP) Exterior Gateway Protocols (BGP) Internet Structure Large ISP Large ISP Stub Dial-Up ISP Small ISP Stub Stub Stub Autonomous Systems (AS) Internet is not a single network! The Internet is a collection

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

F5 Silverline DDoS Protection Onboarding: Technical Note

F5 Silverline DDoS Protection Onboarding: Technical Note F5 Silverline DDoS Protection Onboarding: Technical Note F5 Silverline DDoS Protection onboarding F5 Networks is the first leading application services company to offer a single-vendor hybrid solution

More information

Securing an Internet Name Server

Securing an Internet Name Server Securing an Internet Name Server Cricket Liu cricket@verisign.com Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Outline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats

Outline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats Outline EE 22: Interdomain Routing Protocol (BGP) Ion Stoica TAs: Junda Liu, DK Moon, David Zats http://inst.eecs.berkeley.edu/~ee22/fa9 (Materials with thanks to Vern Paxson, Jennifer Rexford, and colleagues

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Using the Border Gateway Protocol for Interdomain Routing

Using the Border Gateway Protocol for Interdomain Routing CHAPTER 12 Using the Border Gateway Protocol for Interdomain Routing The Border Gateway Protocol (BGP), defined in RFC 1771, provides loop-free interdomain routing between autonomous systems. (An autonomous

More information

Distributed Denial of Service Attack Tools

Distributed Denial of Service Attack Tools Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

Internet inter-as routing: BGP

Internet inter-as routing: BGP Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: 1. Obtain subnet reachability information from neighboring ASs. 2. Propagate the reachability

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and

More information

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Distributed Denial of Service (DDoS) Attacks DDoS attack traffic consumes

More information

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur Module 7 Routing and Congestion Control Lesson 4 Border Gateway Protocol (BGP) Specific Instructional Objectives On completion of this lesson, the students will be able to: Explain the operation of the

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Examination IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: December 15 2009 14:00 18:00 1. No help material is allowed - You

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

Security in Structured P2P Systems

Security in Structured P2P Systems P2P Systems, Security and Overlays Presented by Vishal thanks to Dan Rubenstein Columbia University 1 Security in Structured P2P Systems Structured Systems assume all nodes behave Position themselves in

More information

18-731 Midterm. Name: Andrew user id:

18-731 Midterm. Name: Andrew user id: 18-731 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem

More information

How To Understand Bg

How To Understand Bg Table of Contents BGP Case Studies...1 BGP4 Case Studies Section 1...3 Contents...3 Introduction...3 How Does BGP Work?...3 ebgp and ibgp...3 Enabling BGP Routing...4 Forming BGP Neighbors...4 BGP and

More information

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be

More information

Introduction to Routing

Introduction to Routing Introduction to Routing How traffic flows on the Internet Philip Smith pfs@cisco.com RIPE NCC Regional Meeting, Moscow, 16-18 18 June 2004 1 Abstract Presentation introduces some of the terminologies used,

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

IAB IPv6 Multi-Homing BOF. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

IAB IPv6 Multi-Homing BOF. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI IAB IPv6 Multi-Homing BOF Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI Multi-homing Problems Inbound to the destination traffic engineering is needed Current

More information

Understanding Large Internet Service Provider Backbone Networks

Understanding Large Internet Service Provider Backbone Networks Understanding Large Internet Service Provider Backbone Networks Joel M. Gottlieb IP Network Management & Performance Department AT&T Labs Research Florham Park, New Jersey joel@research.att.com Purpose

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Network Level Multihoming and BGP Challenges

Network Level Multihoming and BGP Challenges Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology jili@cc.hut.fi Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.

More information

APNIC elearning: BGP Basics. Contact: training@apnic.net. erou03_v1.0

APNIC elearning: BGP Basics. Contact: training@apnic.net. erou03_v1.0 erou03_v1.0 APNIC elearning: BGP Basics Contact: training@apnic.net Overview What is BGP? BGP Features Path Vector Routing Protocol Peering and Transit BGP General Operation BGP Terminology BGP Attributes

More information

Security in Global IP Networks

Security in Global IP Networks Security Technology for the Internet Security in Global IP Networks Tatu Ylönen SSH Communications Security Corp What are global IP networks? The Internet The consumer internet Global uncontrolled

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion Deploying IP Anycast Core DNS Services for University of Minnesota Introduction and General discussion Agenda Deploying IPv4 anycast DNS What is ANYCAST Why is ANYCAST important? Monitoring and using ANYCAST

More information

Strategies to Protect Against Distributed Denial of Service (DD

Strategies to Protect Against Distributed Denial of Service (DD Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

More information

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud MPLS WAN Explorer Enterprise Network Management Visibility through the MPLS VPN Cloud Executive Summary Increasing numbers of enterprises are outsourcing their backbone WAN routing to MPLS VPN service

More information

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media IT 4823 Information Security Concepts and Administration March 17 Network Threats Notice: This session is being recorded. Happy 50 th, Vanguard II March 17, 1958 R.I.P. John Backus March 17, 2007 Copyright

More information

Tema 5.- Seguridad. Problemas Soluciones

Tema 5.- Seguridad. Problemas Soluciones Tema 5.- Seguridad Problemas Soluciones Wireless medium is easy to snoop on Routing security vulnerabilities Due to ad hoc connectivity and mobility, it is hard to guarantee access to any particular node

More information

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to: Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations

More information

Frequent Denial of Service Attacks

Frequent Denial of Service Attacks Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as

More information

Know Your Foe. Threat Infrastructure Analysis Pitfalls

Know Your Foe. Threat Infrastructure Analysis Pitfalls Know Your Foe Threat Infrastructure Analysis Pitfalls Who Are We? Founders of PassiveTotal Analysts/researchers with 10+ years of collective experience Interested in Better UX/UI for security systems Improving/re-thinking

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

DNS Security FAQ for Registrants

DNS Security FAQ for Registrants DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of

More information

Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) Petr Grygárek rek 1 Role of Autonomous Systems on the Internet 2 Autonomous systems Not possible to maintain complete Internet topology information on all routers big database,

More information

Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security

Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security Yvette E. Gelogo 1, Ronnie D. Caytiles 1 and Byungjoo Park 1 * 1Multimedia Engineering Department,

More information

Reducing the impact of DoS attacks with MikroTik RouterOS

Reducing the impact of DoS attacks with MikroTik RouterOS Reducing the impact of DoS attacks with MikroTik RouterOS Alfredo Giordano Matthew Ciantar WWW.TIKTRAIN.COM 1 About Us Alfredo Giordano MikroTik Certified Trainer and Consultant Support deployment of WISP

More information

Hunting down a DDOS attack

Hunting down a DDOS attack 2006-10-23 1 Hunting down a DDOS attack By Lars Axeland +46 70 5291530 lars.axeland@teliasonera.com 2006-10-23 What we have seen so far What can an operator do to achieve core security What solution can

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

allow all such packets? While outgoing communications request information from a

allow all such packets? While outgoing communications request information from a FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,

More information

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

How To Classify A Dnet Attack

How To Classify A Dnet Attack Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Router Attacks-Detection And Defense Mechanisms

Router Attacks-Detection And Defense Mechanisms Router Attacks-Detection And Defense Mechanisms Saili Waichal, B.B.Meshram Abstract: Router is one of the most important components of any network. Their main aim is taking routing decision to forward

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

Building Secure Network Infrastructure For LANs

Building Secure Network Infrastructure For LANs Building Secure Network Infrastructure For LANs Yeung, K., Hau; and Leung, T., Chuen Abstract This paper discusses the building of secure network infrastructure for local area networks. It first gives

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

BGP Best Path Selection Algorithm

BGP Best Path Selection Algorithm BGP Best Path Selection Algorithm Document ID: 13753 Contents Introduction Prerequisites Requirements Components Used Conventions Why Routers Ignore Paths How the Best Path Algorithm Works Example: BGP

More information

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate

More information

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

Transitioning to BGP. ISP Workshops. Last updated 24 April 2013

Transitioning to BGP. ISP Workshops. Last updated 24 April 2013 Transitioning to BGP ISP Workshops Last updated 24 April 2013 1 Scaling the network How to get out of carrying all prefixes in IGP 2 Why use BGP rather than IGP? p IGP has Limitations: n The more routing

More information

APNIC elearning: BGP Attributes

APNIC elearning: BGP Attributes APNIC elearning: BGP Attributes Contact: training@apnic.net erou04_v1.0 Overview BGP Attributes Well-known and Optional Attributes AS Path AS Loop Detection ibgp and ebgp Next Hop Next Hop Best Practice

More information

Outline. Outline. Outline

Outline. Outline. Outline Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather

More information

At dincloud, Cloud Security is Job #1

At dincloud, Cloud Security is Job #1 At dincloud, Cloud Security is Job #1 A set of surveys by the international IT services company, the BT Group revealed a major dilemma facing the IT community concerning cloud and cloud deployments. 79

More information

Abstract. Introduction. Section I. What is Denial of Service Attack?

Abstract. Introduction. Section I. What is Denial of Service Attack? Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss

More information

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543) BGP FORGOTTEN BUT USEFUL FEATURES Piotr Wojciechowski (CCIE #25543) ABOUT ME Senior Network Engineer MSO at VeriFone Inc. Previously Network Solutions Architect at one of top polish IT integrators CCIE

More information

How To Protect Your Network From Attack From A Hacker On A University Server

How To Protect Your Network From Attack From A Hacker On A University Server Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com

More information

Based on Computer Networking, 4 th Edition by Kurose and Ross

Based on Computer Networking, 4 th Edition by Kurose and Ross Computer Networks Internet Routing Based on Computer Networking, 4 th Edition by Kurose and Ross Intra-AS Routing Also known as Interior Gateway Protocols (IGP) Most common Intra-AS routing protocols:

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Denial of Service (DoS) Technical Primer

Denial of Service (DoS) Technical Primer Denial of Service (DoS) Technical Primer Chris McNab Principal Consultant, Matta Security Limited chris.mcnab@trustmatta.com Topics Covered What is Denial of Service? Categories and types of Denial of

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Inter-domain Routing. Outline. Border Gateway Protocol

Inter-domain Routing. Outline. Border Gateway Protocol Inter-domain Routing Outline Border Gateway Protocol Internet Structure Original idea Backbone service provider Consumer ISP Large corporation Consumer ISP Small corporation Consumer ISP Consumer ISP Small

More information

A very short history of networking

A very short history of networking A New vision for network architecture David Clark M.I.T. Laboratory for Computer Science September, 2002 V3.0 Abstract This is a proposal for a long-term program in network research, consistent with the

More information

NETWORK TO NETWORK INTERFACE PLAN

NETWORK TO NETWORK INTERFACE PLAN AT&T will provide interconnect points at both the Network Security Operations Center (NSOC) and the Sam Houston Building (SHB), the prescribed DIR locations via AT&T s VPN (AVPN) service. The standards-based

More information

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without

More information

OSPF Version 2 (RFC 2328) Describes Autonomous Systems (AS) topology. Propagated by flooding: Link State Advertisements (LSAs).

OSPF Version 2 (RFC 2328) Describes Autonomous Systems (AS) topology. Propagated by flooding: Link State Advertisements (LSAs). OSPF Version 2 (RFC 2328) Interior gateway protocol (IGP). Routers maintain link-state database. Describes Autonomous Systems (AS) topology. Propagated by flooding: Link State Advertisements (LSAs). Router

More information

DDOS in academic Networks. Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014

DDOS in academic Networks. Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014 DDOS in academic Networks Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014 Academic networks? Real Target for DDOS? Lesson learned; DDOS @RedIRIS Mitigation Projects

More information

A PKI For IDR Public Key Infrastructure and Number Resource Certification

A PKI For IDR Public Key Infrastructure and Number Resource Certification A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect

More information

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product

More information

Yahoo Attack. Is DDoS a Real Problem?

Yahoo Attack. Is DDoS a Real Problem? Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them

More information

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Border Gateway Protocol BGP4 (2)

Border Gateway Protocol BGP4 (2) Border Gateway Protocol BGP4 (2) Professor Richard Harris School of Engineering and Advanced Technology (SEAT) Presentation Outline Border Gateway Protocol - Continued Computer Networks - 1/2 Learning

More information

Beginning BGP. Peter J. Welcher. Introduction. When Do We Need BGP?

Beginning BGP. Peter J. Welcher. Introduction. When Do We Need BGP? Beginning BGP Peter J. Welcher Introduction At the time I'm writing this, it is time to register for Networkers / CCIE recertification. I just signed up for Denver. You'll probably be reading this around

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Own your LAN with Arp Poison Routing

Own your LAN with Arp Poison Routing Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From

More information

Securing DNS Infrastructure Using DNSSEC

Securing DNS Infrastructure Using DNSSEC Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February 28, 2009 Agenda Getting Started Finding out what DNS does for you What Can Go Wrong A Survival

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Novel Systems. Extensible Networks

Novel Systems. Extensible Networks Novel Systems Active Networks Denali Extensible Networks Observations Creating/disseminating standards hard Prototyping/research Incremental deployment Computation may be cheap compared to communication

More information

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business & Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to

More information

Cisco Network Foundation Protection Overview

Cisco Network Foundation Protection Overview Cisco Network Foundation Protection Overview June 2005 1 Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and

More information

Course Contents CCNP (CISco certified network professional)

Course Contents CCNP (CISco certified network professional) Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,

More information

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0) The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0) US-CERT Summary US-CERT has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS

More information