The Naughty port Project

Similar documents
DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

DDoS attacks in CESNET2

Cheap and efficient anti-ddos solution

Reducing the Impact of Amplification DDoS Attack

DDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Danger of Proxy ARP in IX environment version 0.3. Maksym Tulyuk

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

How to launch and defend against a DDoS

IP Connectivity Dedicated servers Co-location in data centers

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Webinar: Advanced RIPE Atlas Usage

IXP Manager Workshop. 27 th Euro-IX Forum October 25 th 2015 Berlin, Germany

AMS-IX overview. Henk Steenman February 2005

exchanging traffic in Paris a new proposal Maurice Dean & Raphael Maunier

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Effect of anycast on K-root

DEFENSE NETWORK FAQS DATA SHEET

Cloud Security In Your Contingency Plans

Anycast Rou,ng: Local Delivery. Tom Daly, CTO h<p://dyn.com Up,me is the Bo<om Line

Hunting down a DDOS attack

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DDoS Attacks. An open-source recipe to improve fast detection and automate mitigation techniques

Denial of Service Attacks

How to make a VPN connection to our servers from Windows XP

Setting up and controlling

Securing Linux Servers Best Practice Document

VoIP Security How to prevent eavesdropping on VoIP conversa8ons. Dmitry Dessiatnikov

Yahoo Attack. Is DDoS a Real Problem?

DDoS Damage Control Cheap & effec3ve

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Characterization and Analysis of NTP Amplification Based DDoS Attacks

How To Understand A Network Attack

IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure

Route Servers, Mergers, Features, and More.

How NOC manages and controls inter-domain traffic? 5 th tf-noc meeting, Dubrovnik nino.ciurleo@garr.it

Approaches for DDoS an ISP Perspective.

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Network Management Deployment Guide

How To Prepare For The Second Data Center On Payware Connect For A Second Time

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

Security Toolsets for ISP Defense

IXP Manager. Montenegro IXP Workshop October 1 st Barry O Donovan, INEX Ireland s Internet Neutral Exchange Point barry.odonovan@inex.

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

BELNET: Service Level Description Version (29/7/2009)

What network engineers can learn from web developers when thinking SDN.

FortiDDos Size isn t everything

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

Report of Independent Auditors

Detecting BGP hijacks in 2014

First Line of Defense

Regional cyber security considerations for network operations. Eric Osterweil Principal Scientist, Verisign

How Cisco IT Protects Against Distributed Denial of Service Attacks

Preventing Common Attacks on Critical Infrastructure

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Stream Deployments in the Real World: Enhance Opera?onal Intelligence Across Applica?on Delivery, IT Ops, Security, and More

The Definitive Guide. Monitoring the Data Center, Virtual Environments, and the Cloud. Don Jones

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Recommended IP Telephony Architecture

TELCO challenge: Learning and managing the network behavior

The curse of the Open Recursor. Tom Paseka Network Engineer

How to make a VPN connection to our servers from Windows 8

Using Splunk to Protect Pa=ent Privacy and Achieve Meaningful Use

Microsoft Azure ExpressRoute

Firewall Firewall August, 2003

Your Web Site Parts - Domain Names, URLs, Web Hosts, DNS - What They Are, and What You Need

Lucent VPN Firewall Security in x Wireless Networks

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Putting the Tools to Work DDOS Attack

3M Occupational Health and Environmental Safety 3M E-A-Rfit Validation System. Version 4.2 Software Installation Guide (Upgrade) 1 P age

Manage Firewalls. Palo Alto Networks. Panorama Administrator s Guide Version 6.1. Copyright Palo Alto Networks

DDoS Mitigation Solutions

Phone Inventory 1.0 (1000) Installation and Administration Guide

whitepaper SolarWinds Integration with 3rd Party Products Overview

Cisco IOS Flexible NetFlow Technology

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Peering in General and in Europe. Frank Orlowski DE-CIX Internet Exchange

Configuring an External Domain

Take the NetFlow Challenge!

PBX Security in the VoIP environment

AMRES NOC Bojan Jakovljević. 8 th TF-NOC meeting, Athens 2013.

White Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

DDoS Detection and Alerting

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

WAN Traffic Management with PowerLink Pro100

Transcription:

The Naughty port Project May 2016 RIPE72 2016 Copenhagen, DK Prepared by: Erik Bais ebais@a2b-internet.com Confiden'al 23-5-2016

What is our business?? o Registra'on of IP addresses and AS numbers o IP Transit in various Dutch datacenters o Internet (Fiber) Access & Datacenter Network Services o 24 * 7 Monitoring and management of BGP infrastructure. o Specialized consultancy for ISP related topics like vendor selec'ons, network design & implementa'on. RIPE72 2016 presenta'on What do we provide? 2016 Page 2

Currently in the following Dutch datacenters Currently 14 POP s RIPE72 2016 presenta'on In The Netherlands 2016 Page 3

The original ques:on to solve.. RIPE72 2016 presenta'on 2016 Page 4

Results during a DDOS... o Customers start calling as their primary traffic link is filled with garbage. o Not every complaining customer can afford or want to pay for DDOS mi'ga'on plans. o Customers will complain if they are seeing packetloss o Customers will complain quickly if they are offering VoIP or Hosted Desktop or VPN services ( Oh yes.. And gamers ) o Customers don t want to suffer from a DDOS to another customer. o The phone lines to the helpdesk are also red-hot during a DDOS o Customers make it your problem RIPE72 2016 presenta'on 2016 Page 5

RIPE72 2016 presenta'on 2016 Page 6

Defining ques:ons : o Where is the traffic origina'ng from ( Which ASn.. ) o Is the (original) traffic Spoofed IP traffic? o Can we filter the non-bcp38 traffic? Should we want to filter this? Will the used HW actually support such large ACL s? ( Nope..) o Why are we no'cing those Top Speakers only during a DDOS? o Will de-peering fix our issue? RIPE72 2016 presenta'on 2016 Page 7

Regular Internet Exchange setup Naughty Peer #1 Good Peer #1 Good Peer #2 AMS-IX Route Servers AS51088 RIPE72 2016 presenta'on 2016 Page 8

Let s build a test setup o How do these DDOS Stresser / booter sites work RIPE72 2016 presenta'on 2016 Page 9

DDOS Amplifica:on basics 1/2 RADIUS Bad Guy with a computer TFTP Nice Guy with a network Chargen Computer with a spoofed IP address 1.2.3.4 DNS Victim IP address 1.2.3.4 SNMP NTP Amplification Attacks Basics RIPE72 2016 presenta'on 2016 Page 10

DDOS Amplifica:on basics 2/2 DNS Bad Guy with a computer NTP Nice Guy with a network Chargen Computer with a spoofed IP address 1.2.3.4 DNS Victim IP address 1.2.3.4 SNMP NTP Amplification Attacks Basics RIPE72 2016 presenta'on 2016 Page 11

Let s build a test setup o How do these DDOS Stresser / booter sites work o Enough scripts available on GitHub etc for tes'ng RIPE72 2016 presenta'on 2016 Page 12

RIPE72 2016 presenta'on 2016 Page 13

Let s build a test setup o How do these DDOS Stresser / booter sites work o Enough scripts available on GitHub etc for tes'ng o And no need to scan the complete internet for vulnerable IP s.. Everything can be parsed from downloads of exports via Shodan.io for example RIPE72 2016 presenta'on 2016 Page 14

RIPE72 2016 presenta'on 2016 Page 15

Let s build a test setup o How do these DDOS Stresser / booter sites work o Enough scripts available on GitHub etc for tes'ng o And no need to scan the complete internet for vulnerable IP s.. Everything can be parsed from downloads of exports via Shodan.io for example o And that insight gives a beher view on why we see the following during a DDOS RIPE72 2016 presenta'on 2016 Page 16

AMS-IX Sflow tools RIPE72 2016 presenta'on 2016 Page 17

The We AMS-IX page o Their per peer Sflow graphs & monitoring at the customer portal rocks. o The AMS-IX Route-servers support RPSL (important ) RIPE DB export-via / import-via support (YEAH!!) o Their NOC engineers were very helpful in assis'ng to get the solu'on to work. ( Thnx Aris & Kostas!! ) o The AMS-IX sales team provided us a flexible Try and Buy op'on contract at the Evoswitch Datacenter RIPE72 2016 presenta'on 2016 Page 18

Let s try something else... o List all AS s that are only sending traffic DURING a DDOS amplifica'on ahack. o Most of these networks don t send ANY or hardly any traffic during normal opera'ons in our case.. o Can we peer with these par'es via the Routeserver on Port X but not via Port Y Will the Route Server support that..?? o Peer with the Naughty Peers, on a small (1Gb) IXP port. o Explain the setup to Sales@AMS-IX. Try this out in a setup in produc'on. A try and buy agreement for the second port via the AMS-IX EvoSwitch Datacenter Partner. RIPE72 2016 presenta'on 2016 Page 19

RIPE RPSL & AMS-IX Routeserver integra:on A simple include / exclude in RIPE RPLS was all it took RIPE72 2016 presenta'on 2016 Page 20

Fun fact o AMS-IX had a 2 vendor approach before we started this project. o But one of the AMS-IX Route Server vendors couldn t handle the new load on the route-server by the split view with the views via RPSL. RIPE72 2016 presenta'on 2016 Page 21

So one of the Routeserver did RIPE72 2016 presenta'on 2016 Page 22

Fun fact o AMS-IX had a 2 vendor approach before we started this project. o One of the AMS-IX Route Server vendors couldn t handle the route-server split view with the views via RPSL. o Famous last words Let s put this on produc'on in Friday, what could go wrong Resul'ng in the death of 1 set of route servers over the weekend RIPE72 2016 presenta'on 2016 Page 23

o Shall we take it off-line? We asked the NOC. o Will that help? It is not in produc'on anyway (for us..) o And they kindly declined in order to be able to troubleshoot To have a valid reason to kill those RS RIPE72 2016 presenta'on 2016 Page 24

Kudos RIPE72 2016 presenta'on 2016 Page 25

Naughty Port Setup Naughty Peer #1 Good Peer #1 Good Peer #2 RPSL?? Ah!! AMS-IX Route Servers AS61180 AS51088 RIPE72 2016 presenta'on 2016 Page 26

New ques:ons to ponder o Why are some networks on the Naughty list o Can we predict who should be on the list o Do we have Santa Skills? RIPE72 2016 presenta'on 2016 Page 27

Santa Skillz RIPE72 2016 presenta'on 2016 Page 28

New ques:ons to ponder o Why are some networks on the Naughty list o Can we predict who should be on the list o Do we have Santa Skills? Can we tell who is Naughty and who is nice? RIPE72 2016 presenta'on 2016 Page 29

New ques:ons to ponder o Why are some networks on the Naughty list o Can we predict who should be on the list o Do we have Santa Skills? Can we tell who is Naughty and who is nice? o What are the benefits of having a Naughty Port RIPE72 2016 presenta'on 2016 Page 30

RIPE72 2016 presenta'on 2016 Page 31

Ra:ng the Naughty Networks. o We ve put every AS in a database o Uploaded the number of Open resolvers, NTP servers, Chargen, SNMP, SSDP IP s etc per AS in the database. o Pulled the number of announced IP per AS from the RIPE RIS API s o A high Naughty Ra'ng, doesn t mean a bad peer But is a naughty peer worth the trouble on your premium network link? Is a peer selec'on based on just traffic ra'o accurate? o Ra'ngs can be improved by proper Abuse Management ( Yes it is that simple... ) RIPE72 2016 presenta'on 2016 Page 32

Time for reach-out o We ve asked several Dutch ISP s if we can name them in this presenta'on and explain them about the project.. o Most of them responded with : Yes you may use our name and data And How do we improve our ra'ng? o And these are their results RIPE72 2016 presenta'on 2016 Page 33

Naughty Port ra:ngs RIPE72 2016 presenta'on 2016 Page 34

Naughty Ra:ng interface RIPE72 2016 presenta'on 2016 Page 35

How to improve you ra:ng? o Implement Abuse.IO (Yes, it is free.. and Open Source!! ) hhps://abuse.io/ For automagic abuse msg parsing and event handling o Request reports on your network at Shadowserver.org hhps://www.shadowserver.org/wiki/pmwiki.php/involve/ GetReportsOnYourNetwork#toc3 There is a backlog on network report requests, processing may not be instant. RIPE72 2016 presenta'on 2016 Page 36

Would you want your own Naughty Port? o We can explain how it works and how we did it.. o We can share the data provide access to the portal. o All you need is an extra AMS-IX port and an extra AS number. o And you can decide for yourself who you want on your list. RIPE72 2016 presenta'on 2016 Page 37

Triple-IT already proofed it can be fixed RIPE72 2016 presenta'on 2016 Page 38

Next steps : o Publish the Naughty Ra'ng Search interface on a website. We want the data to be open for all peering managers. o Check/discus what needs to be added..? TFTP? Others? o Checks per AS-SET s as well as AS number. RIPE72 2016 presenta'on 2016 Page 39

Who has a ques:on? Email to: ebais@a2b-internet.com Or call : +31 85 90 20 410 Who has the first RIPE72 2016 presenta'on ques'on? 2016 Page 40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information