DDoS Mitigation in RedIRIS. SIG-ISM, Vienna.
Index: Evolution of DDoS attacks in RedIRIS. Mitigation tools. Current DDoS strategy.
About RedIRIS: the Spanish academic & research network. Universities and research centers; not schools for now. But also a lot of government organizations.
Evolution of DDoS attacks in RedIRIS: reported DDoS attacks against RedIRIS organizations were rare some years ago. Some IRC wars in 2000-2001. Political protest in 2003. Another political protest in 2010. Usually organizations were used in DDoS more than being victims.
Evolution of DDoS attacks in RedIRIS: DDoS countermeasures were filtering of compromised machines; NfSen & reporting to the CSIRT as detection system; CSIRT contacts for mitigation of attacks against RedIRIS organizations.
Evolution of DDoS attacks in RedIRIS: since 2010 DDoS were more frequent. Organizations used the RedIRIS connection for their administrative traffic (tuitions, taxes). DDoS tools were easily available due to the Anonymous movement. Some government organizations with political impact were also connected to RedIRIS.
DDoS example. Bad timing: if something can fail, it will fail. RedIRIS NOVA backbone migration. Training session day for staff. Other people attending meetings & workgroups. No previous feedback from the organization. Some time trying to contact the right person inside RedIRIS.
DDoS example: this traffic also impacted our backbone infrastructure. Customer links completely saturated. Traffic analysis showed port 80/UDP traffic against the web server from 400 sources outside the RedIRIS network, so filtering was applied on the outside peering connections. Contacted international ISP security contacts to block & filter the bots.
DDoS. What we learned: prepare in advance for the DDoS. Traffic monitoring: what is the normal traffic? Prepare (in advance) filtering rules. Define the contact points, internally and externally. Prepare the mitigation & containment strategy.
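The two lessons above, knowing the normal traffic per resource in advance and having the filtering rule ready, can be exercised on sampled flow records. The following is an added example, not RedIRIS code: it aggregates constructed NetFlow-like samples per (destination, protocol, port), compares the estimated rate with a pre-recorded baseline, requires that the traffic come from many outside sources (as in the 400-source UDP/80 flood described), and emits a candidate ACL line. Addresses, sampling rate, baselines and the Cisco-style ACL syntax are all assumptions of the example.

```python
"""Baseline-vs-anomaly check over sampled flow records (added example)."""
from collections import defaultdict
import ipaddress

# Constructed address space of the protected organisation (TEST-NET-1).
ORG_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed baseline: estimated packets/second per (dst, proto, dport)
# observed during normal traffic. No entry means "never seen normally".
BASELINE_PPS = {
    ("192.0.2.10", "TCP", 80): 2000.0,
    ("192.0.2.10", "TCP", 443): 3500.0,
}

SAMPLING_RATE = 100         # 1:100 packet sampling, as a flow collector would see it
INTERVAL_SECONDS = 60       # window covered by the sampled flows
MIN_ALERT_PPS = 1000.0      # ignore tiny services even when they have no baseline
ALERT_RATIO = 5.0           # alert when the estimated rate exceeds 5x the baseline
MIN_EXTERNAL_SOURCES = 100  # and the traffic comes from many outside sources


def build_sample_flows():
    """Constructed sampled flows: (src, dst, proto, dport, sampled_packets)."""
    flows = []
    # Normal HTTPS clients (TEST-NET-3 addresses).
    for i in range(1, 21):
        flows.append((f"203.0.113.{i}", "192.0.2.10", "TCP", 443, 10))
    # Flood: 200 outside sources (TEST-NET-2) sending UDP to port 80 of the web server.
    for i in range(1, 201):
        flows.append((f"198.51.100.{i}", "192.0.2.10", "UDP", 80, 40))
    return flows


def detect_anomalies(flows, baseline, sampling_rate, interval_seconds):
    """Aggregate sampled flows per (dst, proto, dport) and compare with the baseline.

    Returns a list of anomaly dicts, highest estimated rate first."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, dport, sampled in flows:
        key = (dst, proto, dport)
        packets[key] += sampled
        if ipaddress.ip_address(src) not in ORG_PREFIX:
            sources[key].add(src)

    anomalies = []
    for key, sampled in packets.items():
        est_pps = sampled * sampling_rate / interval_seconds  # undo the sampling
        normal = baseline.get(key, 0.0)
        threshold = max(MIN_ALERT_PPS, ALERT_RATIO * normal)
        if est_pps >= threshold and len(sources[key]) >= MIN_EXTERNAL_SOURCES:
            dst, proto, dport = key
            anomalies.append({
                "dst": dst, "proto": proto, "dport": dport,
                "est_pps": round(est_pps, 1), "baseline_pps": normal,
                "external_sources": len(sources[key]),
            })
    anomalies.sort(key=lambda a: a["est_pps"], reverse=True)
    return anomalies


def acl_rule(anomaly):
    """Candidate Cisco-style extended ACL line to drop the flagged traffic at the
    peering edge (the syntax is an assumption; adapt it to the router in use)."""
    return f"deny {anomaly['proto'].lower()} any host {anomaly['dst']} eq {anomaly['dport']}"


if __name__ == "__main__":
    for a in detect_anomalies(build_sample_flows(), BASELINE_PPS, SAMPLING_RATE, INTERVAL_SECONDS):
        print(a, "->", acl_rule(a))
```

With the constructed input only the UDP/80 flood is flagged (about 13,333 pps from 200 outside sources); the HTTPS traffic stays well under its baseline and produces nothing.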
MITIGATION TOOLS
Improving DDoS mitigation. With the deployment of RedIRIS-Nova, a DDoS mitigation plan: configure the RedIRIS-Nova backbone for BGP filtering capabilities. Provide tools for the RedIRIS CSIRT & organizations to analyze the traffic. Implement a cleaning center in case of DDoS attacks. Prepare in advance against DDoS on critical resources of the organizations. Provide services for our organizations.
BGP filtering capabilities: allow the CSIRT team to apply filtering and traffic redirection in the RedIRIS backbone. Separate route server/reflector from the NOC team. Allows diverting traffic to other network nodes using BGP announces. Successfully applied in security operations: temporary blocking of compromised sites, re-routing of DNSChanger traffic, malware download blocks.
BGP filtering capabilities: from these filtering tools we have started to provide an auto-filtering tool for the universities. Allows organizations to drop incoming traffic to their IP address space. Uses a peering session with a separate route server. Useful in DDoS against some internal servers or less important services. Expecting to add FlowSpec announces to provide real blocking.
Tools for visualization: need tools to monitor and visualize the traffic, both for RedIRIS and its organizations. Expertise in the organizations connected to RedIRIS was not uniform. Some organizations have good visibility of their traffic, but unfortunately others need to rely only on the information provided by us.
Tools for visualization: the old solution based on NfSen was not practical. Traffic information (flows) is sampled, instead of complete. There were too many organizations to provide a view for each one. Slow queries & processing alongside the normal incident handling. Need to add external authentication.
Tool for visualization: Polygraph.io. Federated access for the organizations. Works well with sampled traffic. Custom database of IP addresses/ports to categorize the application running. Also allows using a probe to analyze protocols & traffic.
Tools for visualization: use FlowSonnar from Team Cymru for the incident handling service. No economic cost. Use their own compromised & botnet feed for CSIRT incident handling. Enough for daily incident handling. NfSen based.
Tools for visualization: use Arbor Peakflow for internal monitoring of traffic. More focused on DDoS. Combined with TMS to provide a DDoS cleaning facility. Also useful for NOC people to analyze peering traffic and problems. Good API for reporting. Price is high.
Tools for visualization & cleaning center: using Arbor TMS. Isolated from the operational RedIRIS infrastructure, in a different location. Router directly connected to our core routers. GRE tunnels directly to customers or regional networks. Mitigation strategy combines the TMS with traditional filtering in the router.
Cleaning center workflow (diagram slides; components: backbone router, victim network, route server, PeakFlow / Arbor SP, cleaning network with Arbor TMS):
1. Traffic information (NetFlow) is generated by the core routers.
2. PeakFlow analyzes the flows and generates trends and information related to the traffic.
3. DDoS are detected by PeakFlow or directly by the victim organization.
4. The victim IP address (usually a /32) is internally announced to the backbone route server with the TMS as destination.
5. The route server announces the new destination in the backbone.
6. DDoS traffic is routed to the TMS, which also has information from PeakFlow about the specific kind of traffic.
7. Clean traffic is sent using a GRE tunnel to the organization, which processes it as usual.
8. After the DDoS the announce is withdrawn and the traffic goes directly to the victim network.
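The diversion sequence above can be modelled end to end. The following is an added example, not RedIRIS or Arbor code: a toy route server with longest-prefix match stands in for the separate route server, a forwarding step stands in for the backbone, and a scrubbing step stands in for the TMS, dropping the traffic PeakFlow characterised and tunnelling the rest to the victim over GRE. It runs the same packet batch before the /32 announce, during it, and after the withdrawal. Prefixes, next-hop labels, packets and the attack signature are constructed.

```python
"""Model of the cleaning-center workflow: /32 diversion to the TMS, scrub, GRE, withdraw."""
import ipaddress

VICTIM_PREFIX = "192.0.2.0/24"   # constructed customer prefix, normally routed to its access link
VICTIM_HOST = "192.0.2.10/32"    # the attacked server, announced as a /32 during the attack
NEXT_HOP_VICTIM = "victim-link"  # constructed next-hop labels
NEXT_HOP_TMS = "tms"


class RouteServer:
    """Route server / reflector: prefix -> next hop, longest prefix match wins."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def attack_signature(pkt):
    """What the flow analysis told the TMS about this attack: UDP towards port 80 (constructed)."""
    return pkt["proto"] == "UDP" and pkt["dport"] == 80


def forward(route_server, packets, signature):
    """Backbone forwarding for one batch of packets.

    Packets whose best route points at the TMS are scrubbed: those matching the
    signature are dropped, the rest reach the victim through the GRE tunnel.
    Everything else follows the normal route to the victim link."""
    result = {"victim": [], "dropped_by_tms": []}
    for pkt in packets:
        if route_server.lookup(pkt["dst"]) == NEXT_HOP_TMS:
            if signature(pkt):
                result["dropped_by_tms"].append(pkt)
            else:
                result["victim"].append({**pkt, "via": "gre"})
        else:
            result["victim"].append({**pkt, "via": "direct"})
    return result


def build_packets():
    """Constructed traffic: legitimate HTTPS, a UDP/80 flood, and traffic to another host."""
    legit = [{"dst": "192.0.2.10", "proto": "TCP", "dport": 443} for _ in range(5)]
    flood = [{"dst": "192.0.2.10", "proto": "UDP", "dport": 80} for _ in range(50)]
    other = [{"dst": "192.0.2.20", "proto": "TCP", "dport": 22} for _ in range(3)]
    return legit + flood + other


def run_scenario():
    """Returns forwarding results before diversion, during it, and after withdrawal."""
    rs = RouteServer()
    rs.announce(VICTIM_PREFIX, NEXT_HOP_VICTIM)      # normal routing of the customer prefix
    packets = build_packets()

    before = forward(rs, packets, attack_signature)

    rs.announce(VICTIM_HOST, NEXT_HOP_TMS)           # steps 4-5: /32 towards the TMS
    during = forward(rs, packets, attack_signature)  # steps 6-7: scrub, clean traffic via GRE

    rs.withdraw(VICTIM_HOST)                         # step 8: withdraw after the attack
    after = forward(rs, packets, attack_signature)
    return before, during, after


if __name__ == "__main__":
    for name, r in zip(("before", "during", "after"), run_scenario()):
        print(name, len(r["victim"]), "delivered,", len(r["dropped_by_tms"]), "dropped")
```

The /32 only wins the longest-prefix match for the attacked host, so the other host in the same /24 keeps its direct path throughout; once the /32 is withdrawn every packet is delivered directly again, which is the check worth running with a test address before relying on the diversion.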
CURRENT DDOS STRATEGY
Services: we are still not listing anti-DDoS capabilities in our customer portfolio. No 20x7 SOC that could analyze and detect the attacks. But we are running a test phase in a best-effort support mode with some organizations. Support from the regional NRENs. First steps to prepare the service. Still using traditional ACLs.
DDoS strategy: information. Organizations need to provide: what resources need to be protected? What is the expected traffic? With this information we can prepare custom filters to mitigate common amplification DDoS attacks, and create monitoring objects to detect traffic anomalies.
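One way to turn that information into prepared filters and monitoring objects, as an added example that is not RedIRIS code: each declared resource yields extended ACL lines dropping UDP reflected from commonly abused amplification services (unless the host legitimately receives replies from that port) and a monitoring object with an alert threshold derived from the declared expected rate. The resource declarations are constructed, the Cisco-style ACL syntax and the alert multiplier are assumptions, and the port list is the set of reflection services commonly seen in amplification attacks, not anything from the page.

```python
"""Prepare per-resource amplification filters and monitoring objects (added example)."""

# UDP services widely abused as amplifiers; reflected traffic carries them as source port.
AMPLIFICATION_UDP_PORTS = {
    19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
    389: "CLDAP", 1900: "SSDP", 11211: "memcached",
}

# Constructed declarations: what an organisation would tell the NREN.
PROTECTED_RESOURCES = [
    {
        "name": "web",
        "ip": "192.0.2.10",
        "services": [("tcp", 80), ("tcp", 443)],  # expected inbound services
        "udp_replies_needed": [53],               # host is a DNS client: replies from src 53 are legit
        "expected_pps": 3000,
    },
    {
        "name": "ldap",
        "ip": "192.0.2.30",
        "services": [("tcp", 636)],
        "udp_replies_needed": [],
        "expected_pps": 200,
    },
]

ALERT_MULTIPLIER = 4  # monitoring object alerts at this multiple of the expected rate


def build_acl(resource):
    """Extended ACL lines for one host: drop UDP whose source port is an
    amplification service the host does not need replies from, then leave the
    rest of the host's traffic untouched (an ACL ends with an implicit deny)."""
    ip = resource["ip"]
    needed = set(resource["udp_replies_needed"])
    lines = [
        f"deny udp any eq {port} host {ip}"
        for port in sorted(AMPLIFICATION_UDP_PORTS)
        if port not in needed
    ]
    lines.append(f"permit ip any host {ip}")
    return lines


def build_monitor(resource):
    """Monitoring object: which services are expected on the host and the
    packet rate above which the traffic is treated as an anomaly."""
    return {
        "name": resource["name"],
        "match": resource["ip"],
        "expected_services": sorted(resource["services"]),
        "alert_pps": resource["expected_pps"] * ALERT_MULTIPLIER,
    }


def prepare(resources):
    """One ACL in evaluation order for all declared hosts plus the monitoring objects."""
    acl = []
    for resource in resources:
        acl.extend(build_acl(resource))
    acl.append("permit ip any any")  # undeclared hosts are not affected by this ACL
    return acl, [build_monitor(r) for r in resources]


if __name__ == "__main__":
    acl, monitors = prepare(PROTECTED_RESOURCES)
    print("\n".join(acl))
    for m in monitors:
        print(m)
```

The ordering matters: the deny lines for each host must come before its `permit ip any host` line, and the closing `permit ip any any` keeps the implicit deny from affecting hosts the organisation did not declare.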
DDoS strategy: cleaning center. We need to establish a GRE tunnel outside our backbone for the clean traffic. Regional networks can provide the tunnel directly; in other cases organizations use their own equipment for the tunnel. Traffic redirection is verified with a test address. About 10 networks (17 objects) protected.
DDoS strategy: upstream carrier. Improve communications with our upstream carrier. Tested the GÉANT FoD tools. Verify the DDoS procedures with other carriers & IXs.
Current status: after a year of Arbor deployment we haven't suffered a major DDoS attack. There were some short-time DDoS not reported by organizations, mostly amplification attacks.
Future work: continue working on the deployment of the cleaning center. Add more organizations. Get more experience on DDoS. Train our customers. Participate in other global projects: Team Cymru UTRS service, GÉANT FoD. Start testing FlowSpec.
Thank you very much!