TRANSCRIPT (source page: workshop.nkn.in/2015/sources/speakers/sessions/nkn security...)
Security on NKN network
RS MANI
National Knowledge Network Page 2
THANK YOU
Threat and Attack Categories
Attack: Description
Resource Exhaustion Attacks: Denial of Service attack, either direct, in transit, or through reflection.
Spoofing Attacks: Packets that masquerade details such as the source IP address to gain access that would otherwise be denied.
Transport Protocol Attacks: Prevents upper-layer communication between hosts or hijacks an established session; exploits previous authentication measures; enables eavesdropping or false data injection.
Routing Protocol Attacks: Disrupts routing protocol peering or redirects traffic flows (for example, a device can act as a router and participate with the other legitimate ones).
Threat and Attack Categories (cont.)
Attack: Description
IP control-plane / IP Services: Attacks against DHCP, DNS, NTP and anything else that is punted to the CPU.
Unauthorized Access: Attempts to gain unauthorized access to restricted systems and networks (AAA).
Software Vulnerabilities: Software defects that may compromise confidentiality, integrity, or availability of the device and of data plane traffic (latest patches).
Security Applied Up Till Now
[Diagram: Internet / NKN, the NKN Core Network, an Enterprise Network (e-mail and web servers, remote access systems, internal assets and servers), transit links, AS1, AS2 (IITD), AS3 and the Network Operations Center (NOC); controls are marked at the Core and at the Edges.]
Controls listed on the diagram:
Interface ACLs, Unicast RPF, Flexible packet matching, IP option filtering, Marking/rate-limiting, Routing techniques, eBGP techniques, ICMP techniques
Receive ACLs, CoPP, ICMP techniques, QoS techniques, Routing techniques
Disable unused services, Protocol specific filters, Password security, SNMP security, Remote terminal access security, System banners, AAA, Network telemetry, Secure file systems
AGENDA
► DDOS—What Is It?
► Examples of DDOS
► Collateral Damage
► Origin of BOTNETs
► How BOTNETs are Created
► BOTNET Uses
► BOTNET Mitigation Options
[Diagram, "Drinking From The Fire Hose": the hacker sends control traffic to the masters, which control the zombies; the zombies send attack traffic through the ISP edge router (the flooded pipe) to the victim web server at the customer's premises (server/FW/switch/router).]
Slide Courtesy of
Denial of Service and ISPs
DDoS Step 1: Crack Handlers and Agents
► Crack a huge number of innocent but unprotected hosts…
► Using well known vulnerabilities
► Manually or through use of automated tools
[Diagram: attacker, innocent handlers, innocent agents.]
DDoS Step 2: Install Trojan & Covert Communication Channel
► Use FTP handler and agent programs on all cracked hosts
► Create a hierarchical covert channel using innocent-looking ICMP packets whose payload contains DDOS commands; some DDOS tools further encrypt the payload...
[Diagram: attacker, innocent handlers, innocent agents.]
DDoS Step 3: Launch the Attack
[Diagram: attacker, innocent handlers, innocent agents and the victim A; the command passed down the chain is "Attack Alice NOW!"]
Distributed Denial of Service
[Diagram: zombies on innocent computers send traffic across the ISP backbone (AS 24) and a peering link to the ISP edge and on to the enterprise.]
Slide Courtesy of
SYN Attack
[Diagram: hosts A, B and C. C sends SYNs to A while masquerading as B. A allocates a kernel resource for handling the starting connection; no answer comes from B, so the resource is held until the 120 sec timeout frees it. With enough such connections the kernel resources are exhausted: denial of service.]
TCP SYN Flood
[Diagram: a client sends "syn rqst" and the server answers "synack"; zombies send spoofed "syn rqst" packets to the victim, whose waiting buffer overflows.]
One of the first CERT DDoS advisories issued – 9/1996
► http://www.cert.org/advisories/CA-1996-21.html
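The two slides above describe the resource side of a SYN flood: each SYN reserves a kernel slot that is only freed by the third handshake packet or by the 120 second timeout. The following model, added here and not part of the original deck, replays that timeline for a table of assumed size (1024 slots) against a constructed spoofed-SYN rate and shows when a legitimate client starts being refused; the addresses, rates and capacity are all constructed values.

```python
"""Model of the half-open connection table from the SYN attack slides.

Every SYN makes the server reserve a slot (SYN_RCVD); the slot is freed when
the third handshake packet arrives or when the slide's 120 second timeout
expires.  Spoofed SYNs are never completed, so once enough are in flight the
table stays full and legitimate SYNs are refused.  Added example, not code
from the original deck: the backlog capacity, the spoofed SYN rate and the
addresses are constructed.
"""


class HalfOpenTable:
    """Server-side table of connections waiting for the handshake to finish."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # backlog slots (assumed value)
        self.timeout = timeout        # seconds a SYN_RCVD entry is held
        self.entries = {}             # (src, sport) -> expiry time
        self.refused = 0

    def _expire(self, now):
        # Free the kernel resource for entries whose timeout has passed.
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def syn(self, now, src, sport):
        """SYN received at time `now`; returns True if a slot was reserved."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1       # queue full: connection cannot be accepted
            return False
        self.entries[(src, sport)] = now + self.timeout
        return True

    def ack(self, now, src, sport):
        """Third handshake packet: release the slot early."""
        self._expire(now)
        return self.entries.pop((src, sport), None) is not None

    def half_open(self, now):
        self._expire(now)
        return len(self.entries)


def simulate(capacity, timeout, spoof_rate, duration, legit_every=10):
    """Run `spoof_rate` spoofed SYN/s (never acknowledged) for `duration`
    seconds while one legitimate client connects every `legit_every` seconds
    and completes its handshake immediately.

    Returns (legit_ok, legit_refused, peak_half_open)."""
    table = HalfOpenTable(capacity, timeout)
    legit_ok = legit_refused = 0
    peak = 0
    for t in range(duration):
        for i in range(spoof_rate):
            # constructed spoofed sources, one unique source port per packet
            table.syn(t, f"10.10.10.{i % 250}", 40000 + t * spoof_rate + i)
        peak = max(peak, table.half_open(t))
        if t % legit_every == 0:
            sport = 50000 + t
            if table.syn(t, "192.0.2.10", sport):
                table.ack(t, "192.0.2.10", sport)
                legit_ok += 1
            else:
                legit_refused += 1
    return legit_ok, legit_refused, peak


if __name__ == "__main__":
    # 20 spoofed SYN/s held for 120 s would need 2400 slots: a 1024-slot table
    # fills in about 51 s and the legitimate client is refused from then on.
    print("120 s timeout:", simulate(1024, 120, 20, 300))
    # The same flood against a 10 s timeout never exceeds 200 half-open entries.
    print("10 s timeout: ", simulate(1024, 10, 20, 300))
```

The product of arrival rate and hold time is what matters: with the slide's 120 second timeout a modest 20 SYN/s is enough to keep the assumed 1024-slot table full indefinitely, whereas the same flood against a 10 second hold time never gets past 200 entries, which is why shortening the SYN_RCVD timer and (better) SYN cookies are the usual host-side mitigations.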
TCP SYN Flood
Once the Connection Queue Is Full of Waiting-to-Be-Completed Connections, No More Connections Can Be Accepted on the Target Port
Result of netstat -a on the target host:
TCP
Local Address Remote Address State
-------------------- -------------------- -------
*.* *.* IDLE
*.sunrpc *.* LISTEN
*.ftp *.* LISTEN
*.telnet *.* LISTEN
*.finger *.* LISTEN
target.telnet 10.10.10.11.41508 SYN_RCVD
target.telnet 10.10.10.12.41508 SYN_RCVD
target.telnet 10.10.10.13.41508 SYN_RCVD
target.telnet 10.10.10.14.41508 SYN_RCVD
target.telnet 10.10.10.10.41508 SYN_RCVD
target.telnet 10.10.10.15.41508 SYN_RCVD
target.telnet 10.10.10.16.41508 SYN_RCVD
target.telnet 10.10.10.17.41508 SYN_RCVD
target.telnet 10.10.10.18.41508 SYN_RCVD
target.telnet 10.10.10.19.41508 SYN_RCVD
target.telnet 10.10.10.20.41508 SYN_RCVD
*.* *.* IDLE
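The netstat table on this slide is what an operator sees on the target host. As an added example (not part of the original deck), the script below parses that Solaris-style output, counts SYN_RCVD entries per local port and flags any port whose half-open count reaches an assumed threshold, reporting how many distinct remote addresses are involved and the most frequent remote source port; the sample input is constructed from the slide's own table and the threshold value is an assumption.

```python
"""Half-open connection count from `netstat -a` output (added example, not
from the original deck).  It parses the Solaris-style table on the slide,
groups SYN_RCVD entries by local port and flags a port whose half-open count
reaches a threshold, reporting how many distinct remote addresses are involved
and the most common remote source port.  The threshold is an assumed operator
setting; the sample below is constructed from the slide's own table.
"""
from collections import Counter, defaultdict

# Constructed sample reproducing the slide's netstat -a table.
NETSTAT_OUTPUT = """\
TCP
   Local Address        Remote Address       State
-------------------- -------------------- -------
      *.*                  *.*                IDLE
      *.sunrpc             *.*                LISTEN
      *.ftp                *.*                LISTEN
      *.telnet             *.*                LISTEN
      *.finger             *.*                LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.10.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.telnet        10.10.10.16.41508    SYN_RCVD
target.telnet        10.10.10.17.41508    SYN_RCVD
target.telnet        10.10.10.18.41508    SYN_RCVD
target.telnet        10.10.10.19.41508    SYN_RCVD
target.telnet        10.10.10.20.41508    SYN_RCVD
      *.*                  *.*                IDLE
"""


def parse_netstat(text):
    """Return (local, remote, state) tuples for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly three columns; the "TCP" title, the five-word
        # column header and the dashed separator line are skipped.
        if len(parts) != 3 or parts[0].startswith("-"):
            continue
        rows.append(tuple(parts))
    return rows


def split_host_port(addr):
    """Solaris joins host and port with a dot: 'target.telnet' ->
    ('target', 'telnet'), '10.10.10.11.41508' -> ('10.10.10.11', '41508')."""
    host, _, port = addr.rpartition(".")
    return host, port


def half_open_report(text, threshold=8):
    """Count SYN_RCVD entries per local port and flag ports at/over threshold."""
    per_port = defaultdict(list)
    for local, remote, state in parse_netstat(text):
        if state == "SYN_RCVD":
            _, lport = split_host_port(local)
            per_port[lport].append(split_host_port(remote))
    report = {}
    for lport, remotes in per_port.items():
        sources = Counter(host for host, _ in remotes)
        sports = Counter(port for _, port in remotes)
        report[lport] = {
            "half_open": len(remotes),
            "alert": len(remotes) >= threshold,
            "distinct_sources": len(sources),
            # one source port repeated across many addresses, as on the slide,
            # hints that the sources are spoofed or tool-generated
            "top_source_port": sports.most_common(1)[0],
        }
    return report


if __name__ == "__main__":
    for port, info in half_open_report(NETSTAT_OUTPUT).items():
        print(port, info)
```

On the slide's data the report shows 11 half-open entries on the telnet port from 11 distinct addresses that all use source port 41508, which is the kind of uniformity that distinguishes a spoofed flood from a genuine burst of clients.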
Cleaning Center Design
0. Pre-setup
[Diagram: Internet, Peering Edge, Core, Provider Edge, Regional Scrubbing Centre (DDoS Collector Device, DDoS Mitigation Device, Cleaning Centre GW), Customer Server at the NKN Member Institute; Netflow/SNMP reaches the scrubbing centre via the DCN.]
1. NKN Member Institute Managed Object (MO) configured in CP.
1. Peace Time
[Same cleaning centre diagram.]
4. Traffic destined to the NKN Member Institute server goes via the normal route.
2. Attack Starts
[Same cleaning centre diagram, with attack traffic arriving from the Internet.]
5. NKN Member Institute server is under DDOS attack!
3. DDOS System detects anomaly
[Same cleaning centre diagram, attack traffic still flowing; the NKN Member Edge is shown.]
6. DDoS CP/FS detects anomaly via Netflow.
4. DDoS System draws routes to Cleaning Centre
[Same cleaning centre diagram; attack traffic is now diverted.]
7. TMS makes a more specific route announcement to CCGW.
8. CCGW sends iBGP update.
9. Traffic diversion to scrubbing centre.
5. DDoS System scrubs and re-injects clean traffic
[Same cleaning centre diagram; attack traffic goes to the scrubbing centre and clean traffic returns.]
10. TMS scrubs traffic and sends clean traffic to CCGW.
6. Attack stops
[Same cleaning centre diagram, no attack traffic.]
13. DDoS CP/FS detects attack has subsided, stops mitigation.
14. TMS withdraws route.
15. CCGW sends iBGP update.
16. Traffic destined to the NKN Member Institute server goes via the normal route again.
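The diversion in steps 7 to 9 and its reversal in steps 14 to 16 rest on longest-prefix matching: a host route for the attacked server, injected by the TMS and relayed by the CCGW over iBGP, overrides the member institute's aggregate only for that one address. The model below is an added example, not NKN's configuration or any vendor's TMS code: it implements a minimal routing table, walks the peace-time, diverted and restored states, and guards the announcement with the Managed Object from step 1 so the scrubbing system can only draw traffic for prefixes it was configured to protect. The prefixes, next-hop labels and victim address are constructed.

```python
"""Model of the route-diversion steps on the cleaning centre slides (added
example, not NKN's configuration).  Steps 7-9: the TMS announces a more
specific route for the attacked server to the CCGW, which relays it by iBGP,
so longest-prefix matching sends only that server's traffic to the scrubbing
centre while the rest of the member institute's prefix stays on its normal
route.  Steps 14-16: the route is withdrawn and traffic returns.  Prefixes,
next-hop labels and the victim address below are constructed.
"""
import ipaddress


class Rib:
    """Minimal routing table: prefix -> next hop, looked up by longest prefix."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        covering = [net for net in self.routes if addr in net]
        if not covering:
            return None
        # The most specific covering prefix wins, which is why a /32 for the
        # victim overrides the member institute's aggregate.
        return self.routes[max(covering, key=lambda net: net.prefixlen)]


def within_managed_object(managed_object, victim):
    """Step 1 guard: is the victim inside the member institute's MO?"""
    return ipaddress.ip_network(f"{victim}/32").subnet_of(
        ipaddress.ip_network(managed_object))


def tms_announce(rib, managed_object, victim, scrub_next_hop):
    """Step 7: announce a host route for the victim, refusing anything outside
    the configured MO so the scrubbing system cannot draw traffic it was not
    set up to protect.  Returns the announced prefix as a string."""
    if not within_managed_object(managed_object, victim):
        raise ValueError(f"{victim} is outside the managed object {managed_object}")
    host = f"{victim}/32"
    rib.announce(host, scrub_next_hop)
    return host


def divert_and_restore(managed_object, victim, other_host,
                       normal_next_hop="PE-to-member-institute",
                       scrub_next_hop="CCGW-scrubbing-centre"):
    """Walk the peace-time, diverted and restored states; returns the next hop
    chosen for the victim (and, while diverted, for another host in the same
    prefix) at each stage."""
    rib = Rib()
    rib.announce(managed_object, normal_next_hop)           # step 4: normal route
    peace = rib.lookup(victim)
    host = tms_announce(rib, managed_object, victim, scrub_next_hop)  # steps 7-9
    diverted_victim, diverted_other = rib.lookup(victim), rib.lookup(other_host)
    rib.withdraw(host)                                      # steps 14-16
    restored = rib.lookup(victim)
    return {"peace": peace, "diverted_victim": diverted_victim,
            "diverted_other": diverted_other, "restored": restored}


if __name__ == "__main__":
    print(divert_and_restore("203.0.113.0/24", "203.0.113.10", "203.0.113.20"))
    print("outside MO:", within_managed_object("203.0.113.0/24", "198.51.100.5"))
```

Only the victim's traffic moves to the scrubbing centre; the other host in the same /24 keeps its normal next hop throughout, and the withdrawal restores the original path without any reconfiguration at the provider edge. The slides say only that the TMS sends clean traffic to the CCGW (step 10); in practice that return path must not itself follow the /32, or the cleaned traffic would loop straight back into the scrubbing centre, which is why re-injection is normally carried over a tunnel or a separate VRF toward the provider edge.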
Thank You
WWW.NKN.IN