LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Similar documents
DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

honeytarg Chapter Activities

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Development of an IPv6 Honeypot

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

CERT.br: Mission and Services

DDoS attacks in CESNET2

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

A Network Design Primer

Phishing and Banking Trojan Cases Affecting Brazil

How Cisco IT Protects Against Distributed Denial of Service Attacks

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

CISCO IOS NETWORK SECURITY (IINS)

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Cybersecurity and Incident Response Initiatives: Brazil and Americas

DDoS Overview and Incident Response Guide. July 2014

Chapter 11 Cloud Application Development

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Incident Response and Early Warning Initiatives in Brazil

CS 356 Lecture 16 Denial of Service. Spring 2013

Arbor s Solution for ISP

Pravail 2.0 Technical Overview. Exclusive Networks

How To Block A Ddos Attack On A Network With A Firewall

Service Description DDoS Mitigation Service

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Putting the Tools to Work DDOS Attack

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Denial of Service Attacks

Network/Internet Forensic and Intrusion Log Analysis

CMPT 471 Networking II

Campus LAN at NKN Member Institutions

TDC s perspective on DDoS threats

How to launch and defend against a DDoS

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

Cisco IOS Flexible NetFlow Technology

Report of Independent Auditors

AbuseHUB: a national Abuse Report. Clearing House. Phons Bloemen. ISD Congress September 24,

Log Management for the University of California: Issues and Recommendations

Telecom Business Continuity Solutions FOR INTERNAL USE ONLY

Denial of Service Attacks

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Preventing your Network from Being Abused by Spammers

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

CTS2134 Introduction to Networking. Module Network Security

INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

DDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna

Secure Pipes with Network Security Technology Showcase

GregSowell.com. Mikrotik Security

How To Protect A Dns Authority Server From A Flood Attack

Stop DDoS Attacks in Minutes

Traffic Monitoring : Experience

Description: Objective: Attending students will learn:

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Early warning for security attacks

PART D NETWORK SERVICES

Hunting down a DDOS attack

Network provider filter lab

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

Acquia Cloud Edge Protect Powered by CloudFlare

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Complete Protection against Evolving DDoS Threats

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

CloudFlare advanced DDoS protection

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Mitigating DDoS Attacks at Layer 7

Ihr Standort bleibt erreichbar. Ihre Applikationen bleiben erreichbar!

/ Staminus Communications

DDoS Mitigation Strategies

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

Transcription:

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

DDoS Atacks: Detection, Analysis and Mitigation Lucimara Desiderá lucimara@cert.br Klaus Steding-Jessen jessen@cert.br

Internet Governance in Brazil: The Brazilian Internet Steering Committee CGI.br CGI.br is a multi-stakeholder organization created in 1995 by the Ministries of Communications and Science and Technology to coordinate all Internet related activities in Brazil. Among the diverse responsibilities reinforced by the Presidential Decree 4.829, it has as the main attributions: to propose policies and procedures related to the regulation of Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IP) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics http://www.cgi.br/about/

CERT.br Activities Incident Handling Coordination Facilitation Support Statistics Training and Awareness Courses Presentations Documents Meetings Network Monitoring Distributed Honeypots SpamPots http://www.cert.br/about/

DDoS Atacks: Challenges

Challenges: It s not possible to avoid them Anyone can be a target Countless networks/systems being abused to perpetrate attacks: DNS open resolvers, lack of antispoofing implementation, unnecessary services enabled, unpatched systems, weak passwords, etc Attacks are getting more harmful: reflective mixed techniques CERT.br 2014: more than 200 times increase in DDoS notifications

How to make things better? GOAL: help to understand the attack types in order to choose the right mitigation strategy compile a set (not exhaustive) of good practices: avoid networks and systems from being abused to perpetrate attacks how to handle DDoS attacks prepare detect analyze mitigate Document Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS) http://www.cert.br/docs/whitepapers/ddos/

Some highlights

Document highlights Main topics Main targets and motivations for the attacks How attacks are executed Attack Types Application layer attacks Resource exhaustion attacks Volumetric attacks How to avoid your network and systems from being abused to perpetrate attacks End users Web application developers Network administrators ISPs How to handle DDoS attacks Preparation Detection and Analysis Mitigation Post mortem

Don t contribute to the problem: Best Practices to avoid being abused (1/2) Implement anti-spoofing (BCP38) https://tools.ietf.org/html/bcp38 http://spoofer.caida.org/ http://bcp.nic.br/ DNS Enable recursion for your network only On authoritative servers: NTP Disable Recursion Consider implementing Response Rate Limit (RRL) Consider using a simpler implementation OpenNTPD Uptade to version 4.2.7 or superior Disable the monitor function in ntpd.conf

Don t contribute to the problem: Best Practices to avoid being abused (2/2) SNMP Use version 3 if possible Don t use the Public community Other protocols Enable only when necessary

Preparation Adopt proactive measures become an Autonomous System more than one route to the Internet control over your own routing policy over provisioning have physical links/ports with more capacity than contracted service scalability (web, e-mail, etc) make sure your contracts allow bandwidth flexibility in case of attacks implement network segregation for critical services reduce the visibility of internal systems and services establish contacts with the technical team from your upstream to have help in case of emergency train the technical network team to implement mitigation techniques

Detection Monitor your network traffic in and out this allows the identification of: changes in the network use patterns detection of connections to botnet C&C Intrusion Detection IDS / IPS, Firewall, Antivirus Extrusion Detection Netflows, Honeypots, Passive DNS Handling abuse and incident notifications Data Feeds (Team Cymru, ShadowServer, other CSIRTs)

Mitigation Improve your infrastructure more bandwidth services and routers with more capacity Traffic filtering by source IP or port firewall, IPSes, switches and routers Use rate-limiting and ACLs in routers and switches Contact your upstream apply filters, blackholing / sinkholing DDoS mitigation services ( clean pipe ) If you have an AS, consider using Team Cymru s UTRS http://www.team-cymru.org/utrs/ Contract mitigation services may affect the confidentiality of information Move to a CDN (Content Delivery Network)

Thank You www.cert.br lucimara@cert.br jessen@cert.br @certbr May 04 th, 2016

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information