Security Threats to the Internet Backbone
|
|
- Ruby Lyons
- 7 years ago
- Views:
Transcription
1 Security Threats to the Internet Backbone Presented by Ricky Lou IT Intelligence Limited Potential Risks DDoS on critical Internet Resources DNS Spoofing Wide-Area Internet Routing
2 DDoS on critical Internet Resources DDoS attack all 13 of the Internet domain name system (DNS) root servers October 21st 2002 What is DNS root servers? How do they work?
3 The attack Attackers flooded the DNS servers with Internet traffic using ICMP (Internet Control Message protocol) at more than 10 times the normal rate of traffic Such events are nothing new, compare with high-profile attacks in the year before against ISP and companies such as Microsoft Corp. and e-bay Inc. But this incident opens a new chapter in the history of Internetbased attacks. An example of people not targeting enterprises, but going against the Internet itself by attacking the architecture and protocols on which the Internet was built Factors contributing to such attacks are well known. Worms such as Code Red, Nimda, and Slapper have left hundreds if not thousands of compromised computer on the Internet. The attack Such systems can be used as zombies in a DDoS attack Zombies are machine controlled remotely and used to launch an attack Sophisticated software programs have make leveraging those compromised machines a simple matter, even for novice attackers With automated attack tools, even inexperienced people can get control of a large number of hosts. The attacks are not professional or financial in nature. They are random and non-directed
4 The attack Fortunately, the attacks were not sophisticated, relying on a simple packet flood approach in which information packets are sent in high volumes to a server, and using a protocol ICMP Future attacks could be much more sophisticated Attackers might disguise a DDoS attack as normal traffic Nothing about the protocol used or packets sent would appear unusual, but the volume of traffic would be enough to overwhelm the target server Even more hostile, would be attacks that target the routing infrastructure, as opposed to the DNS infrastructure of the Internet. That infrastructure of roadways over which Internet traffic passes is more brittle than the flexible architecture of DNS The attack When one backbone goes down, the traffic has to go somewhere Recalling that the recent outage on the UUnet Internet backbone operated by WorldCom Inc. was felt instantly worldwide Telephone system in Hong Kong when everybody try to pick up the phone at once
5 Attack Mitigation More governmental management of key components of the Internet infrastructure is needed More funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and nonprofit organizations Because of the financial condition of most companies that manage the Internet backbone, there is little private money available to ensure the extra capacity should one or more parts of the backbone be attacked. Government investment could help create and secure a more robust infrastructure DNS Spoofing A term used when a DNS server accepts and use incorrect information from a host that has no authority giving that information Malicious cache poisoning where forged data is placed in the cache of the name servers Can cause serious security problems for DNS servers vulnerable to such attacks, eg. Causing users to be directed to wrong Internet sites or e- mail being routed to non-authorized mail servers
6 DNS Spoofing A third of all DNS servers on the Internet are vulnerable to spoofing. Source: Domain Health Survey DNS Spoofing How is it done? Three companies (A, B and C), all competing in a challenging environment
7 DNS Spoofing A spoofing attack can continue for a long period without being noticed Companies may never know of the security breach until competitor enters the market with a similar product That companies can destroy any opportunity other companies have to create a competitive edge Most top level business managers have not yet realized the financial and security risks associated with DNS spoofing DNS Spoofing Internet banking Fake Virtual Bank Easy to set up even for an novice
8 What can be done? It is necessary to have the security built into DNS systems Every organization or individual responsible for a domain should first check which type of name server they are using and consult with its developer whether it is secure against DNS spoofing or not. Cricket Liu has written guidelines on how to solve the spoofing problem for BIND and the Microsoft DNS Server in his article Securing an Internet Name Server What can be done? Running the newest version of BIND doesn t guarantee your name server security, it minimizes the possible of attack To combat DoS attack and prevent accidental service outages, eliminate single point of failure in your DNS infrastructure Don t put all of your name servers on a single subnet, behind a single router, behind a single lease line Arrange to have someone run an offsite slave name server for you Restricting Zone Transfer Use transaction signature to cryptographically authenticate and verify Zone Transfer And more..
9 Wide-Area Internet Routing Routing is the process by which a packet is sent from one place to another. Routing is the mechanism which determines the path a packet should take in order to reach the specified destination Routing on the Internet can be classified into two areas: local routing and wide-area routing Local routing transports a packet to a host within particular network once it has reached that network Wide-area routing deals with transporting a packet between networks, i.e., across the Internet itself Wide-Area Internet Routing Various research has proposed authenticated route advertisements Certain wide-area routing protocols have attempted to address some of the security issues associated with Internet routing However, some of the fundamental questions remain with respect to widearea internet routing security, including the following:
10 Wide-Area Internet Routing Does the issue of wide area routing boil down to a problem of authentication, or is it more fundamentally an issue of robustness? Is the threat really a malicious user injecting bad routes into the Internet infrastructure, or rather is it simply a problem of designing an extension to the exterior gateway protocols that is robust to operator error? Wide-Area Internet Routing Who and what are the legitimate threats in such a case? Often, the ability to do largescale damage implies access to a backbone router; therefore, are these entities really vulnerable to script kiddies, or should we really only be concerned with people who might have access to the Internet s backbone routers?
11 Overview of Border Gateway Protocol (BGP) An exterior gateway protocol currently used as a communication between routers to disseminate routing information between autonomous systems An autonomous system is typically established as a particular administrative domain. An ISP such as BBN is AS-1; MIT is AS-3 BGP has mechanisms to prevent routing loops between autonomous systems, and it scales well because it is incremental: once routes are established, only changes (i.e., updates and withdrawals ) are advertised Overview of Border Gateway Protocol (BGP) Each AS has a BGP speaker, a router which runs the BGP routing process, which advertises all of the networks for which it has reach ability information, i.e., all of the networks for which it has a path to reach. If a particular AS wants traffic to be routed to it for a given set of address, it then advertises those networks through a route advertisement An AS can also agree to be a transit-as : if one AS gains information about another network s reach ability via another AS, it can advertise that it has reach ability to that network too
12 Overview of Border Gateway Protocol (BGP) AS AS 4969 AS 6461 AS 701 AS 5000 Overview of Border Gateway Protocol (BGP) Very basic overview of BGP Basic idea is that the Internet is partitioned into administrative domains called autonomous systems, and that each AS advertises the set of networks that it knows how to reach
13 The Threats Mis-configuring a BGP peer AS-5000 is transited by two other AS s (AS-4969 and AS-6464), both of which send full BGP tables to that AS When AS-5000 hears the full BGP tables from the other ASes, it will redistribute these routes internally with the AS (using ibgp, OSPF, etc) The routing table AS-5000 is then redistributed back to the exterior BGP as originating from AS Now AS-4969 and AS-6464 think that the entire internet originates within the AS-5000 network The Threats The upshot is that all Internet-bound traffic from any AS that is peering with AS-5000 will attempt to route traffic through AS- 5000, thus saturating the network and making the Internet inaccessible This assumes that the AS is not performing any filtering of ibgp messages with respect to its ebgp announcements
14 The Threats Lacking of Filtering An AS can filter out certain route announcements based on certain attributes If a certain AS receives an announcement from an IP address that it does not recognize, or is not from a certain AS, then it will not accept that route advertisement Many of the large ISPs, such as Sprint, AT&T, UUNet, etc., who provide access to the Internet backbone, do not filter out these routes The Threats Largely due to the fact that most entities obtain their Internet access from smaller ISPs When a small ISP adds a new network, it wants to be able to grant that user instant connectivity, and not have to tell the larger ISP that it s OK to advertise routes to these new networks. Many of the larger ISPs perform no filtering of updates at all Accepting all routes indiscriminately obviously provides potential for mis-configuration and catastrophic failure
15 The Threats Blackholing Blackholing a route essentially occurs when a particular AS announces a route to a network that an AS essentially does not have Any peer that hears an update corresponding to a blackholed route will send packets to the AS destined for the blackholed route, and packets will be dropped It has been asserted that blackholing is one of the most effective denial of service attacks on the Internet to date The Threats A purposeful blackholing exists whereby an AS announces blackholed networks to peers via BGP multihop, and the next hop information would be changed to an address which would simply drop the packets One particularly disturbing implication of this is that it is possible to target someone else s network and blackhole it by announcing that you have a route to their network when you in fact don t An indication that your network has been blackholed is a sudden drop in traffic to your network
16 The Threats An interesting man-in-the-middle attack can also be performed in a blackholing-type fashion, if a malicious AS announces a route that it wants to blackhole, but then establishes a machine on its internal network that performs some of the same functionality as the machine on the blackholed network This might allow such an attack as masquerading as the machine that the end host thinks it is talking to, or simply sniffing all traffic that is sent between two end hosts Blackholing can be accomplished if the AS is not filtering its ibgp update messages, or via forged BGP UPDATE messages The Threats IP Spoofing It is possible to insert forged BGP UPDATE messages (i.e., route updates) into an existing BGP session between two peers since the only sequence number included in the UPDATE packets are the TCP sequence numbers This means that a malicious AS could potentially spoof the BGP UPDATE messages; spoofing BGP update messages boils down to essentially performing spoofing of TCP messages
17 What can be done? Cisco s IOS allows the use of MD5 hashes for authentication of peers, and picks random TCP ISNs, thus making the insertion of a forged update message particularly difficult Stephen Kent have proposed a protocol referred to as Secure Border Gateway Protocol (S-BGP), which reportedly verifies the authenticity and authorization of BGP control traffic This protocol doesn t include undue overhead and is incrementally deployable What can be done? S-BGP must be adopted by ISPs, and required PKI support by registries that allocate AS number to the ISPs S-BGP still fails to address misconfiguration issues
18 References er_security/securing_an_internet_name_server. pdf poofing.html findex.html e/pfindex.html /november00.html Contact
Network Security. Mobin Javed. October 5, 2011
Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways
More informationExterior Gateway Protocols (BGP)
Exterior Gateway Protocols (BGP) Internet Structure Large ISP Large ISP Stub Dial-Up ISP Small ISP Stub Stub Stub Autonomous Systems (AS) Internet is not a single network! The Internet is a collection
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationHow Cisco IT Protects Against Distributed Denial of Service Attacks
How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN
More informationF5 Silverline DDoS Protection Onboarding: Technical Note
F5 Silverline DDoS Protection Onboarding: Technical Note F5 Silverline DDoS Protection onboarding F5 Networks is the first leading application services company to offer a single-vendor hybrid solution
More informationSecuring an Internet Name Server
Securing an Internet Name Server Cricket Liu cricket@verisign.com Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More informationOutline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats
Outline EE 22: Interdomain Routing Protocol (BGP) Ion Stoica TAs: Junda Liu, DK Moon, David Zats http://inst.eecs.berkeley.edu/~ee22/fa9 (Materials with thanks to Vern Paxson, Jennifer Rexford, and colleagues
More informationService Description DDoS Mitigation Service
Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3
More informationUsing the Border Gateway Protocol for Interdomain Routing
CHAPTER 12 Using the Border Gateway Protocol for Interdomain Routing The Border Gateway Protocol (BGP), defined in RFC 1771, provides loop-free interdomain routing between autonomous systems. (An autonomous
More informationDistributed Denial of Service Attack Tools
Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily
More informationHOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
More informationInternet inter-as routing: BGP
Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: 1. Obtain subnet reachability information from neighboring ASs. 2. Propagate the reachability
More informationDDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationHow To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address
Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and
More informationTraffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013
Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Distributed Denial of Service (DDoS) Attacks DDoS attack traffic consumes
More informationModule 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur
Module 7 Routing and Congestion Control Lesson 4 Border Gateway Protocol (BGP) Specific Instructional Objectives On completion of this lesson, the students will be able to: Explain the operation of the
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationExamination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491
Examination IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: December 15 2009 14:00 18:00 1. No help material is allowed - You
More informationSecurity Toolsets for ISP Defense
Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.
More informationSecurity in Structured P2P Systems
P2P Systems, Security and Overlays Presented by Vishal thanks to Dan Rubenstein Columbia University 1 Security in Structured P2P Systems Structured Systems assume all nodes behave Position themselves in
More information18-731 Midterm. Name: Andrew user id:
18-731 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem
More informationHow To Understand Bg
Table of Contents BGP Case Studies...1 BGP4 Case Studies Section 1...3 Contents...3 Introduction...3 How Does BGP Work?...3 ebgp and ibgp...3 Enabling BGP Routing...4 Forming BGP Neighbors...4 BGP and
More informationDNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org
DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be
More informationIntroduction to Routing
Introduction to Routing How traffic flows on the Internet Philip Smith pfs@cisco.com RIPE NCC Regional Meeting, Moscow, 16-18 18 June 2004 1 Abstract Presentation introduces some of the terminologies used,
More informationAcquia Cloud Edge Protect Powered by CloudFlare
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
More informationIAB IPv6 Multi-Homing BOF. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI
IAB IPv6 Multi-Homing BOF Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI Multi-homing Problems Inbound to the destination traffic engineering is needed Current
More informationUnderstanding Large Internet Service Provider Backbone Networks
Understanding Large Internet Service Provider Backbone Networks Joel M. Gottlieb IP Network Management & Performance Department AT&T Labs Research Florham Park, New Jersey joel@research.att.com Purpose
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationNetwork Level Multihoming and BGP Challenges
Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology jili@cc.hut.fi Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.
More informationAPNIC elearning: BGP Basics. Contact: training@apnic.net. erou03_v1.0
erou03_v1.0 APNIC elearning: BGP Basics Contact: training@apnic.net Overview What is BGP? BGP Features Path Vector Routing Protocol Peering and Transit BGP General Operation BGP Terminology BGP Attributes
More informationSecurity in Global IP Networks
Security Technology for the Internet Security in Global IP Networks Tatu Ylönen SSH Communications Security Corp What are global IP networks? The Internet The consumer internet Global uncontrolled
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationDeploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion
Deploying IP Anycast Core DNS Services for University of Minnesota Introduction and General discussion Agenda Deploying IPv4 anycast DNS What is ANYCAST Why is ANYCAST important? Monitoring and using ANYCAST
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationMPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud
MPLS WAN Explorer Enterprise Network Management Visibility through the MPLS VPN Cloud Executive Summary Increasing numbers of enterprises are outsourcing their backbone WAN routing to MPLS VPN service
More informationNetwork Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media
IT 4823 Information Security Concepts and Administration March 17 Network Threats Notice: This session is being recorded. Happy 50 th, Vanguard II March 17, 1958 R.I.P. John Backus March 17, 2007 Copyright
More informationTema 5.- Seguridad. Problemas Soluciones
Tema 5.- Seguridad Problemas Soluciones Wireless medium is easy to snoop on Routing security vulnerabilities Due to ad hoc connectivity and mobility, it is hard to guarantee access to any particular node
More informationInter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:
Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations
More informationFrequent Denial of Service Attacks
Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as
More informationKnow Your Foe. Threat Infrastructure Analysis Pitfalls
Know Your Foe Threat Infrastructure Analysis Pitfalls Who Are We? Founders of PassiveTotal Analysts/researchers with 10+ years of collective experience Interested in Better UX/UI for security systems Improving/re-thinking
More informationTDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationBorder Gateway Protocol (BGP)
Border Gateway Protocol (BGP) Petr Grygárek rek 1 Role of Autonomous Systems on the Internet 2 Autonomous systems Not possible to maintain complete Internet topology information on all routers big database,
More informationThreats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security
Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security Yvette E. Gelogo 1, Ronnie D. Caytiles 1 and Byungjoo Park 1 * 1Multimedia Engineering Department,
More informationReducing the impact of DoS attacks with MikroTik RouterOS
Reducing the impact of DoS attacks with MikroTik RouterOS Alfredo Giordano Matthew Ciantar WWW.TIKTRAIN.COM 1 About Us Alfredo Giordano MikroTik Certified Trainer and Consultant Support deployment of WISP
More informationHunting down a DDOS attack
2006-10-23 1 Hunting down a DDOS attack By Lars Axeland +46 70 5291530 lars.axeland@teliasonera.com 2006-10-23 What we have seen so far What can an operator do to achieve core security What solution can
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationallow all such packets? While outgoing communications request information from a
FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,
More informationPublic Key Infrastructure (PKI)
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
More informationHow To Classify A Dnet Attack
Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationRouter Attacks-Detection And Defense Mechanisms
Router Attacks-Detection And Defense Mechanisms Saili Waichal, B.B.Meshram Abstract: Router is one of the most important components of any network. Their main aim is taking routing decision to forward
More informationDenial of Service Attacks
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
More informationBuilding Secure Network Infrastructure For LANs
Building Secure Network Infrastructure For LANs Yeung, K., Hau; and Leung, T., Chuen Abstract This paper discusses the building of secure network infrastructure for local area networks. It first gives
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationBGP Best Path Selection Algorithm
BGP Best Path Selection Algorithm Document ID: 13753 Contents Introduction Prerequisites Requirements Components Used Conventions Why Routers Ignore Paths How the Best Path Algorithm Works Example: BGP
More informationStrategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate
More information5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)
5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationTransitioning to BGP. ISP Workshops. Last updated 24 April 2013
Transitioning to BGP ISP Workshops Last updated 24 April 2013 1 Scaling the network How to get out of carrying all prefixes in IGP 2 Why use BGP rather than IGP? p IGP has Limitations: n The more routing
More informationAPNIC elearning: BGP Attributes
APNIC elearning: BGP Attributes Contact: training@apnic.net erou04_v1.0 Overview BGP Attributes Well-known and Optional Attributes AS Path AS Loop Detection ibgp and ebgp Next Hop Next Hop Best Practice
More informationOutline. Outline. Outline
Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather
More informationAt dincloud, Cloud Security is Job #1
At dincloud, Cloud Security is Job #1 A set of surveys by the international IT services company, the BT Group revealed a major dilemma facing the IT community concerning cloud and cloud deployments. 79
More informationAbstract. Introduction. Section I. What is Denial of Service Attack?
Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss
More informationBGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)
BGP FORGOTTEN BUT USEFUL FEATURES Piotr Wojciechowski (CCIE #25543) ABOUT ME Senior Network Engineer MSO at VeriFone Inc. Previously Network Solutions Architect at one of top polish IT integrators CCIE
More informationHow To Protect Your Network From Attack From A Hacker On A University Server
Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com
More informationBased on Computer Networking, 4 th Edition by Kurose and Ross
Computer Networks Internet Routing Based on Computer Networking, 4 th Edition by Kurose and Ross Intra-AS Routing Also known as Interior Gateway Protocols (IGP) Most common Intra-AS routing protocols:
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationDenial of Service (DoS) Technical Primer
Denial of Service (DoS) Technical Primer Chris McNab Principal Consultant, Matta Security Limited chris.mcnab@trustmatta.com Topics Covered What is Denial of Service? Categories and types of Denial of
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationInter-domain Routing. Outline. Border Gateway Protocol
Inter-domain Routing Outline Border Gateway Protocol Internet Structure Original idea Backbone service provider Consumer ISP Large corporation Consumer ISP Small corporation Consumer ISP Consumer ISP Small
More informationA very short history of networking
A New vision for network architecture David Clark M.I.T. Laboratory for Computer Science September, 2002 V3.0 Abstract This is a proposal for a long-term program in network research, consistent with the
More informationNETWORK TO NETWORK INTERFACE PLAN
AT&T will provide interconnect points at both the Network Security Operations Center (NSOC) and the Sam Houston Building (SHB), the prescribed DIR locations via AT&T s VPN (AVPN) service. The standards-based
More informationBEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without
More informationOSPF Version 2 (RFC 2328) Describes Autonomous Systems (AS) topology. Propagated by flooding: Link State Advertisements (LSAs).
OSPF Version 2 (RFC 2328) Interior gateway protocol (IGP). Routers maintain link-state database. Describes Autonomous Systems (AS) topology. Propagated by flooding: Link State Advertisements (LSAs). Router
More informationDDOS in academic Networks. Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014
DDOS in academic Networks Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014 Academic networks? Real Target for DDOS? Lesson learned; DDOS @RedIRIS Mitigation Projects
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationProtect your network: planning for (DDoS), Distributed Denial of Service attacks
Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product
More informationYahoo Attack. Is DDoS a Real Problem?
Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them
More informationANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE
ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationBorder Gateway Protocol BGP4 (2)
Border Gateway Protocol BGP4 (2) Professor Richard Harris School of Engineering and Advanced Technology (SEAT) Presentation Outline Border Gateway Protocol - Continued Computer Networks - 1/2 Learning
More informationBeginning BGP. Peter J. Welcher. Introduction. When Do We Need BGP?
Beginning BGP Peter J. Welcher Introduction At the time I'm writing this, it is time to register for Networkers / CCIE recertification. I just signed up for Denver. You'll probably be reading this around
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationOwn your LAN with Arp Poison Routing
Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From
More informationSecuring DNS Infrastructure Using DNSSEC
Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February 28, 2009 Agenda Getting Started Finding out what DNS does for you What Can Go Wrong A Survival
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationNovel Systems. Extensible Networks
Novel Systems Active Networks Denali Extensible Networks Observations Creating/disseminating standards hard Prototyping/research Incremental deployment Computation may be cheap compared to communication
More informationUnderstanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business
& Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationMalicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software
CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationOverview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
More informationWhite paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.
TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationCisco Network Foundation Protection Overview
Cisco Network Foundation Protection Overview June 2005 1 Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and
More informationCourse Contents CCNP (CISco certified network professional)
Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,
More informationThe Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)
The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0) US-CERT Summary US-CERT has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS
More information