Monitoring for Network Security: BGP Hijacks, DDoS Attacks & DNS Cache Poisoning

Nick Kephart, Director of Product Marketing

Upload: thousandeyes

Post on 07-Dec-2014


DESCRIPTION

The networks of financial services firms experience a wide range of network threats, from BGP route hijacks to DDoS attacks and DNS cache poisoning. Yet many firms do not have in-depth, real-time monitoring and alerting for these threats. ThousandEyes helps security and network operations teams to gain in-depth DNS, network and BGP visibility of security events as they're happening. Reviewing real-life examples from the financial services industry, we share how to:

•  Visualize key network services such as BGP and DNS
•  Create alerts based on security threats
•  Troubleshoot and take action during situations such as BGP hijacks, DDoS attacks and DNS cache poisoning

Watch the recorded webinar with live demo here: http://ow.ly/BzCCk

TRANSCRIPT

Page 1: Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning

Monitoring for Network Security: BGP Hijacks, DDoS Attacks & DNS Cache Poisoning

Nick Kephart, Director of Product Marketing

Page 2

First, A Bit About ThousandEyes

Our Background: Founded 2010. Team: UCLA CS PhDs. HQ: San Francisco, CA. Investors: Sequoia Capital.

Making a Splash: Twitter presents how they use ThousandEyes while on stage at Structure 2013.

Page 3

Some of Our Customers

Page 4

Three Network Security Threats

•  BGP Hijack: routes incoming or outgoing traffic to the wrong network
•  DNS Poisoning: spoofs DNS mappings to reroute traffic to a malicious endpoint
•  DDoS: saturates network links, hardware or servers to deny service

Page 5

A Primer on BGP Hijacks

Diagram: autonomous systems AS 14340 Salesforce, AS 2914 NTT, AS 7018 AT&T, AS 3356 Level3 and AS 4761 Indosat, with border routers and the traffic path between them.

•  Salesforce, an autonomous system, advertises routes among BGP peers to upstream ISPs
•  Salesforce.com advertises prefix 96.43.144.0/22
•  AT&T receives route advertisements to Salesforce via Level3 and NTT

Page 6

A Primer on BGP Hijacks

Diagram: the same autonomous systems (AS 14340 Salesforce, AS 2914 NTT, AS 7018 AT&T, AS 3356 Level3, AS 4761 Indosat) with the changed traffic path.

•  Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes
•  AT&T now directs Salesforce-destined traffic to Indosat

Page 7

Cloud-Based DDoS Mitigation

Diagram: Internet, Enterprise (YourBank.com) and Scrubbing Center, with locations Chicago, IL; London; Tokyo; Atlanta; Portland, OR; and Sydney.

•  Attackers flood your web service from around the world
•  Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network

Page 8

DNS Cache Poisoning

Diagram: User; Local DNS Cache (an unsecured DNS server: no DNSSEC, no port randomization); Authoritative DNS Server dns.website.com for www.website.com; Attacker; Attacker DNS Server dns.attack.com for www.attack.com.

Steps shown in the diagram:

•  Attacker inserts a false record into the DNS cache
•  User requests DNS record for www.website.com
•  Looks up record on spoofed name server
•  User accesses spoofed URL
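The poisoning scenario above is what a monitoring team sees from the outside as a wrong answer coming back from one resolver while the others still return the published record. The following is an added example, not ThousandEyes code and not part of the deck: it takes DNS answers collected from several vantage points (constructed sample data, with RFC 5737 documentation addresses standing in for the real and attacker hosts) and raises the three DNS alert types the deck lists, availability, resolution time and mapping. Names such as `DnsObservation`, `check_observation` and the 500 ms threshold are assumptions made for this example.

```python
# Added example, not ThousandEyes code: an offline check that compares DNS answers
# collected from several vantage points against the records we expect, and raises
# the alert types the slides list: availability, resolution time and mapping.
from dataclasses import dataclass

# Constructed expected state: the authoritative A record for www.website.com.
# 198.51.100.10 is an RFC 5737 documentation address used as a placeholder.
EXPECTED_RECORDS = {
    "www.website.com": {"198.51.100.10"},
}


@dataclass(frozen=True)
class DnsObservation:
    vantage: str            # where the query was issued from
    name: str               # queried name
    answers: frozenset      # A records returned by that location's resolver
    resolution_ms: float    # time taken to get an answer
    answered: bool          # False if the query timed out or failed


def check_observation(obs, expected=EXPECTED_RECORDS, max_resolution_ms=500.0):
    """Return alert strings for one observation; an empty list means it looks normal."""
    alerts = []
    if not obs.answered or not obs.answers:
        # Availability: no usable answer from this vantage point's resolver.
        alerts.append(f"availability: {obs.name} did not resolve from {obs.vantage}")
        return alerts
    if obs.resolution_ms > max_resolution_ms:
        alerts.append(
            f"resolution-time: {obs.name} took {obs.resolution_ms:.0f} ms from "
            f"{obs.vantage} (limit {max_resolution_ms:.0f} ms)"
        )
    published = expected.get(obs.name, set())
    unexpected = obs.answers - published
    if unexpected:
        # Mapping: the resolver hands out an address we never published, which is
        # what a poisoned cache looks like when viewed from outside the network.
        alerts.append(
            f"mapping: {obs.name} resolved to {sorted(unexpected)} from "
            f"{obs.vantage}, expected {sorted(published)}"
        )
    return alerts


def check_all(observations, **kwargs):
    """Map vantage point -> alerts, keeping only vantage points that raised something."""
    result = {}
    for obs in observations:
        alerts = check_observation(obs, **kwargs)
        if alerts:
            result[obs.vantage] = alerts
    return result


# Constructed sample observations. 203.0.113.66 is another documentation address,
# standing in for the attacker-controlled host the slide calls www.attack.com.
SAMPLE_OBSERVATIONS = [
    DnsObservation("London", "www.website.com", frozenset({"198.51.100.10"}), 31.0, True),
    DnsObservation("Tokyo", "www.website.com", frozenset({"203.0.113.66"}), 27.0, True),
    DnsObservation("Sydney", "www.website.com", frozenset(), 0.0, False),
    DnsObservation("Chicago", "www.website.com", frozenset({"198.51.100.10"}), 840.0, True),
]

if __name__ == "__main__":
    for vantage, alerts in check_all(SAMPLE_OBSERVATIONS).items():
        for line in alerts:
            print(f"[{vantage}] {line}")
```

Running the block reports Tokyo for a mapping mismatch, Sydney for unavailability and Chicago for slow resolution, while London stays quiet. The mapping check compares against the published record rather than against a majority of resolvers, so a single poisoned cache is caught even if it is the only vantage point observed.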

Page 9

ThousandEyes Helps Monitor Network Security

BGP Hijack
•  View global path changes, reachability
•  Alert on Origin AS, Next Hop AS, more specific prefix

DNS Poisoning
•  View DNS record from global points
•  DNSSEC validation
•  Alert on DNS availability, resolution time, mapping

DDoS
•  Monitor global performance
•  Ensure mitigation is effective
•  Share data with ISPs and mitigation vendors
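The BGP hijack primer above (Salesforce originating 96.43.144.0/22, AT&T reaching it via Level3 or NTT, Indosat announcing the same prefix) and the BGP alert bullets (Origin AS, Next Hop AS, more specific prefix) map directly onto a small route-checking routine. The following is an added example, not ThousandEyes code and not part of the deck: it compares announcements seen in one network's routing view against an expected prefix-to-origin table and raises those three alert types. The AS numbers and the /22 come from the slides; the third sample announcement (a /23 from the private ASN 64512), the `Announcement` type and the function names are assumptions made for this example.

```python
# Added example, not ThousandEyes code: an offline check of BGP announcements
# against an expected prefix -> origin table, raising the three BGP alert types
# the slides list: unexpected Origin AS, unexpected Next Hop AS, more-specific prefix.
import ipaddress
from dataclasses import dataclass

# Expected state taken from the slides: Salesforce (AS 14340) originates
# 96.43.144.0/22, and the observing network (AT&T, AS 7018) normally reaches it
# through Level3 (AS 3356) or NTT (AS 2914).
EXPECTED_ROUTES = {
    ipaddress.ip_network("96.43.144.0/22"): {"origin": 14340, "next_hops": {3356, 2914}},
}


@dataclass(frozen=True)
class Announcement:
    observer_as: int      # AS in whose routing view this announcement was seen
    prefix: str
    as_path: tuple        # as_path[0] is the next-hop AS, as_path[-1] the origin AS


def check_announcement(ann, expected=EXPECTED_ROUTES):
    """Return alert strings for one announcement; an empty list means it matches expectations."""
    alerts = []
    net = ipaddress.ip_network(ann.prefix)
    next_hop, origin = ann.as_path[0], ann.as_path[-1]
    seen = f"(seen from AS{ann.observer_as})"
    for exp_net, exp in expected.items():
        if net == exp_net:
            if origin != exp["origin"]:
                alerts.append(f"origin-as: {ann.prefix} originated by AS{origin}, "
                              f"expected AS{exp['origin']} {seen}")
            if next_hop not in exp["next_hops"]:
                alerts.append(f"next-hop-as: {ann.prefix} reached via AS{next_hop}, "
                              f"expected one of {sorted(exp['next_hops'])} {seen}")
        elif net.version == exp_net.version and net.subnet_of(exp_net):
            # A longer prefix inside our block wins longest-prefix matching and
            # pulls traffic away no matter which origin is listed, so it is
            # flagged even when the origin AS is the expected one.
            alerts.append(f"more-specific: {ann.prefix} inside {exp_net} "
                          f"originated by AS{origin} {seen}")
    return alerts


def check_all(announcements, expected=EXPECTED_ROUTES):
    """Return (announcement, alerts) pairs for every announcement that raised something."""
    flagged = []
    for ann in announcements:
        alerts = check_announcement(ann, expected)
        if alerts:
            flagged.append((ann, alerts))
    return flagged


# Constructed sample announcements, all as seen from AT&T's routing view.
SAMPLE_ANNOUNCEMENTS = [
    # Normal: the /22 learned from Level3, originated by Salesforce.
    Announcement(7018, "96.43.144.0/22", (3356, 14340)),
    # The slide's scenario: Indosat (AS 4761) also announces the /22 and AT&T prefers it.
    Announcement(7018, "96.43.144.0/22", (4761,)),
    # Constructed: a /23 carved out of the block, originated by placeholder private ASN 64512.
    Announcement(7018, "96.43.144.0/23", (2914, 64512)),
]

if __name__ == "__main__":
    for ann, alerts in check_all(SAMPLE_ANNOUNCEMENTS):
        for line in alerts:
            print(f"{ann.prefix} path={ann.as_path}: {line}")
```

The second announcement trips both the origin and next-hop checks, because Indosat is neither the expected originator nor one of the expected upstreams; the third trips only the more-specific check. A real deployment would feed this from route collectors or the monitoring platform's BGP views rather than a hand-built list, and would treat a more-specific alert as worth investigating even when the origin looks right, since legitimate traffic engineering and a hijack look the same at this layer.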

Page 10

Three Foundational Technologies

•  Deep Path Analysis: see the entire picture, hop-by-hop, across all networks
•  Interactive Sharing: collaborate with providers to resolve problems faster
•  X-Layer: correlate app performance with infrastructure issues

Diagram: Enterprise to Cloud App.

Page 11

How ThousandEyes Works

Diagram: Enterprise to Internet Application or Service, with Enterprise Agents (branch offices, data centers, key customers) and Cloud Agents (at dozens of global POPs) running active tests (DNS, BGP, Network, Web) and reporting to the ThousandEyes SaaS Platform.

Page 12

It’s time to see the entire picture.