Janet Network DDoS Experiences - Networkshop44
TRANSCRIPT
Janet Network DDoS Experience
23/03/2016 Janet Network DDoS Experience
Tim Kidd, Executive director, Jisc, [email protected]
What happened in early December
To set the scene…
» I will say more than we have said publicly
» There is a police investigation ongoing
» Confidentiality
Timeline
» Tuesday 1 Dec 11:15 - 1 hour: attack directed at NW institution, then at infrastructure
» Friday 4 Dec 13:58 - 40 minutes: initial blocks in place at 14:35, attack blocked
» Friday 4 Dec 15:54 - 20 minutes: initial blocks at 16:02 but little impact, attack blocked at 16:16
» Monday 7 Dec 09:11 - 1 hour 10 minutes: initial blocks at 09:47 but little impact, attack blocked at 10:18
» Monday 7 Dec 11:17 - 25 minutes: attack blocked at 11:40
» Tuesday 8 Dec 09:10 - 3 hours 30 minutes: blocked at 10:10, but further problems due to defensive blocks
Engineers prepared the next level of blocks to install on Monday morning
Jisc website hit at 11:39 - coincidence?
Communication
» Declared a major incident; used web page and Twitter @JiscMI
» In accordance with major incident procedure, staff were moved from normal duties to bolster the Janet Service Desk but still more calls than we could handle
External border protection
» ≈50 routers to configure
» Blocked IP fragments to all infrastructure
» Policed TCP, UDP and ICMP to core infrastructure
» Site access link infrastructure under way
Lessons Learned
» BBC DDoS attack on 31 December caused people to think Janet was being attacked
» A malicious attack feels very different from other major incidents
» Potential misuse of public updates via Twitter – use SMS directly to nominated people
» A more nuanced response (bronze, silver, gold) and difference between Major Incident and High Impact Incident
» Accelerate the DDoS element of our security programme
» Secure the infrastructure address space
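The "External border protection" measures listed above (drop IP fragments addressed to infrastructure, police TCP, UDP and ICMP to core infrastructure, secure the infrastructure address space) expressed as one router filter. This is an added illustration, not Jisc's configuration and not taken from the talk: it assumes Junos-style syntax (the talk does not name a vendor), uses RFC 5737 documentation prefixes as a stand-in for the infrastructure address space, uses a single prefix-list where the talk distinguishes "all infrastructure" from "core infrastructure", and the policer rates and the interface name are placeholders.

```junos
policy-options {
    /* Infrastructure address space: loopbacks and point-to-point links.
       Documentation prefixes used here as an assumption. */
    prefix-list infra-space {
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
firewall {
    /* Placeholder rates: size each from measured legitimate traffic
       to the infrastructure (BGP, OSPF/IS-IS, management, ICMP). */
    policer infra-tcp {
        if-exceeding { bandwidth-limit 20m; burst-size-limit 2m; }
        then discard;
    }
    policer infra-udp {
        if-exceeding { bandwidth-limit 5m; burst-size-limit 500k; }
        then discard;
    }
    policer infra-icmp {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 100k; }
        then discard;
    }
    family inet {
        filter protect-infrastructure {
            /* Junos matches first and non-first fragments with different
               keywords, so dropping "all fragments" takes two terms. */
            term drop-first-fragments {
                from { destination-prefix-list { infra-space; } first-fragment; }
                then { count infra-frag-drops; discard; }
            }
            term drop-later-fragments {
                from { destination-prefix-list { infra-space; } is-fragment; }
                then { count infra-frag-drops; discard; }
            }
            term police-tcp {
                from { destination-prefix-list { infra-space; } protocol tcp; }
                then { policer infra-tcp; count infra-tcp; accept; }
            }
            term police-udp {
                from { destination-prefix-list { infra-space; } protocol udp; }
                then { policer infra-udp; count infra-udp; accept; }
            }
            term police-icmp {
                from { destination-prefix-list { infra-space; } protocol icmp; }
                then { policer infra-icmp; count infra-icmp; accept; }
            }
            /* Customer transit traffic is not touched by this filter. */
            term transit {
                then accept;
            }
        }
    }
}
interfaces {
    /* Applied inbound on every external border interface;
       interface name is a placeholder. */
    xe-0/0/0 {
        unit 0 {
            family inet { filter { input protect-infrastructure; } }
        }
    }
}
```

The timeline's last entry (problems caused by the defensive blocks themselves) is the caveat for a filter like this: stage it first with `count` and `accept` in every term, watch the counters with `show firewall filter protect-infrastructure` under normal load for a few days, and only then switch the fragment terms to `discard` and set policer rates with headroom above what was measured.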
Steve Kennett, Head of operational [email protected]
Responding to a changing threat landscape
Security programme
» Information security management
» ISO27001
» DDoS mitigation
» Security X-ray
» Cybersecurity intelligence
» Vulnerability assessment
» Phishing mitigation
» Malware analysis
» Digital forensics
» Password managers
» Web filtering
What’s changing in the threat landscape?
» Janet and customer infrastructure has now been directly targeted
» Attacks appear to be more reactive to countermeasures we deploy
» An effective attack now only requires a credit card
» The cost of launching an attack continues to drop
The challenge of dealing with large scale DDoS
» Requires coordinated action between customer and Janet operations:
› Impacts the weakest link between where attacks enter Janet and the target system
› Depending on scale can disrupt customer, regional or even national infrastructures
› Once customer access link capacity is overloaded you have limited options
› Providing advice on likely duration and impact of event(s)
› Multiple internet connections do not necessarily help depending on nature and sophistication of attack
› Asymmetry of costs between attackers and defenders
Impact of mitigation (I)
» We have to detect attacks in order to apply mitigation – reactive function
» Traffic will have to be re-routed to apply mitigation
» Some traffic latency will be introduced
» Mitigation is not 100% effective – some ’attack’ traffic will still get through
» Can create false positives – blocking genuine traffic
» Legitimate traffic flows look similar to large scale DDoS – improved awareness and coordination required
Impact of mitigation (II)
» Greater automation is required to free up resources, control costs and support response time
» Mitigation capacity is expensive to deliver and operate
» Organisations under persistent attack can be kept in mitigation – but capacity is limited
» Arms race in capacity terms is likely
» System complexity
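The two "Impact of mitigation" slides make the detection problem concrete: mitigation is reactive, so something must first decide that a destination is under attack, and a rule based on volume alone will also fire on legitimate bursts (a false positive that blocks genuine traffic). The following is an added example, not code from Jisc or the talk, of the kind of flow-based classifier a NOC might run over NetFlow-style export records. The flow records, baselines, thresholds and addresses (RFC 5737 documentation ranges) are all constructed for illustration; it contrasts a volume-only rule with one that also looks at the shape of the traffic.

```python
"""Flow-based DDoS detection over constructed NetFlow-style records.

Added example, not Jisc code. Records, baselines and thresholds are
constructed; real deployments would read NetFlow/sFlow/IPFIX exports.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    packets: int
    bytes: int
    fragmented: bool  # flow consisted of non-first IP fragments


@dataclass
class Verdict:
    dst: str
    pps: int          # packets per second over the export window
    ratio: float      # pps relative to the destination's baseline
    sources: int      # distinct source addresses seen
    avg_bytes: float  # mean packet size
    frag_share: float # fraction of packets that were fragments
    attack: bool
    reason: str


WINDOW_SECONDS = 60
DEFAULT_BASELINE_PPS = 1_000
# "Normal" packet rates per destination, learned from quiet periods (constructed).
BASELINE_PPS = {"192.0.2.10": 2_000, "192.0.2.20": 500}


def summarise(flows, window=WINDOW_SECONDS):
    """Aggregate one export window of flow records per destination address."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    summary = {}
    for dst, fs in by_dst.items():
        pkts = sum(f.packets for f in fs)
        summary[dst] = {
            "pps": pkts // window,
            "sources": len({f.src for f in fs}),
            "avg_bytes": sum(f.bytes for f in fs) / pkts,
            "frag_share": sum(f.packets for f in fs if f.fragmented) / pkts,
        }
    return summary


def naive_volume_flags(flows, baseline=BASELINE_PPS, ratio_threshold=10.0):
    """Volume-only rule: anything far above baseline is treated as an attack."""
    return sorted(dst for dst, s in summarise(flows).items()
                  if s["pps"] > ratio_threshold * baseline.get(dst, DEFAULT_BASELINE_PPS))


def classify(flows, baseline=BASELINE_PPS, ratio_threshold=10.0,
             min_sources=50, small_packet_bytes=200, frag_threshold=0.2):
    """Require a volume spike plus at least one traffic-shape indicator."""
    verdicts = {}
    for dst, s in summarise(flows).items():
        ratio = s["pps"] / baseline.get(dst, DEFAULT_BASELINE_PPS)
        spike = ratio > ratio_threshold
        indicators = []
        if s["sources"] >= min_sources:
            indicators.append(f"{s['sources']} sources")
        if s["avg_bytes"] <= small_packet_bytes:
            indicators.append(f"avg packet {s['avg_bytes']:.0f} B")
        if s["frag_share"] >= frag_threshold:
            indicators.append(f"{s['frag_share']:.0%} fragments")
        if spike and indicators:
            attack, reason = True, "volume spike with " + ", ".join(indicators)
        elif spike:
            attack, reason = False, "volume spike only; confirm with customer before blocking"
        else:
            attack, reason = False, "within baseline"
        verdicts[dst] = Verdict(dst, s["pps"], ratio, s["sources"],
                                s["avg_bytes"], s["frag_share"], attack, reason)
    return verdicts


def constructed_flows():
    """One 60-second window of constructed flow records."""
    flows = []
    # Flood against 192.0.2.10: 300 sources, 64-byte packets, half are fragments.
    for i in range(300):
        net = "203.0.113" if i < 250 else "198.51.100"
        flows.append(Flow(f"{net}.{i % 250 + 1}", "192.0.2.10", "udp",
                          10_000, 640_000, fragmented=(i % 2 == 0)))
    # Legitimate off-site backup to 192.0.2.20: one source, full-size packets.
    flows.append(Flow("198.51.100.5", "192.0.2.20", "tcp", 600_000, 840_000_000, False))
    # Ordinary traffic to 192.0.2.30.
    for i in range(20):
        flows.append(Flow(f"203.0.113.{i + 1}", "192.0.2.30", "tcp", 100, 50_000, False))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("volume-only rule flags:", naive_volume_flags(flows))
    for v in classify(flows).values():
        print(f"{v.dst}: {v.ratio:.0f}x baseline, attack={v.attack} ({v.reason})")
```

On this data the volume-only rule flags both 192.0.2.10 and 192.0.2.20, since the backup transfer is twenty times that host's baseline; `classify` keeps the flood (300 sources, 64-byte packets, half fragments) and downgrades the backup to "confirm with customer", which is the coordination step the slide asks for. The thresholds are the part that needs tuning per site, and a destination with no learned baseline falls back to a single default, which is exactly where a real deployment gets its surprises.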
Questions?
jisc.ac.uk
Tim Kidd, Executive director, Jisc technologies