Security on NKN network RS MANI

Upload: lenguyet

Post on 28-Jun-2018


TRANSCRIPT

Page 1 (source: workshop.nkn.in/2015/sources/speakers/sessions/NKN SECURITY...)

Security on NKN network

RS MANI

Page 2

THANK YOU

Page 3

Threat and Attack Categories

Attacks: Description

Resource Exhaustion Attacks: Denial of Service attack, either direct, transit, or through reflection.

Spoofing Attacks: Packets that masquerade details such as the source IP address to gain access that would otherwise be denied.

Transport Protocol Attacks: Prevent upper-layer communication between hosts or hijack established sessions; exploit previous authentication measures; enable eavesdropping or false data injection.

Routing Protocol Attacks: Disrupt routing protocol peering or redirect traffic flows (e.g. a device can act as a router and participate with the other legitimate ones).

Page 4

Threat and Attack Categories (cont.)

Attacks: Description

IP control-plane / IP Services: Attacks against DHCP, DNS, NTP and anything that punts to the CPU.

Unauthorized Access: Attempts to gain unauthorized access to restricted systems and networks. (AAA)

Software Vulnerabilities: Software defect that may compromise confidentiality, integrity, or availability of the device and data plane traffic. (Latest patches)

Page 5

Security Applied Up Till Now

[Diagram. Zones shown: Internet / NKN, Enterprise Network, NKN Core Network, E-mail and Web Servers, Remote Access Systems, Internal Assets and Servers, Transit, AS1, AS2 (IITD), AS3, Network Operations Center (NOC); layers labelled Core and Edge. Technique groups listed on the slide: (a) Interface ACLs, Unicast RPF, Flexible packet matching, IP option filtering, Marking/rate-limiting, Routing techniques, eBGP techniques, ICMP techniques; (b) Receive ACLs, CoPP, ICMP techniques, QoS techniques, Routing techniques; (c) Disable unused services, Protocol specific filters, Password security, SNMP security, Remote terminal access security, System banners, AAA, Network telemetry, Secure file systems.]

Page 6

AGENDA

► DDOS—What Is It?

► Examples of DDOS

► Collateral Damage

► Origin of BOTNETs

► How BOTNETs are Created

► BOTNET Uses

► BOTNET Mitigation Options

Page 7

Denial of Service and ISPs

[Diagram "Drinking From The Fire Hose": the Hacker sends control traffic to the Masters, which direct the Zombies; the Zombies' attack traffic floods the pipe through the ISP edge router into the customer's premises (server/FW/switch/router); the Victim is a web server.]

Slide Courtesy of

Page 8

DDoS Step 1: Crack Handlers and Agents

► Crack a huge number of innocent but unprotected hosts…

► Using well known vulnerabilities

► Manually or through use of automated tools

[Diagram: Attacker, innocent Handlers, innocent Agents.]

Page 9

DDoS Step 2: Install Trojan & Covert Communication Channel

► Use FTP handler and agent programs on all cracked hosts

► Create a hierarchical covert channel using innocent looking ICMP packets whose payload contains DDOS commands; some DDOS further encrypt the payload...

[Diagram: Attacker, innocent Handlers, innocent Agents.]

Page 10

DDoS Step 3: Launch the Attack

[Diagram: Attacker, innocent Handlers, innocent Agents, Victim; the command shown is "Attack Alice NOW!"]

Page 11

Distributed Denial of Service

[Diagram: ISP Backbone AS 24, Peering Link, Zombies on Innocent Computers, Enterprise, ISP Edge.]

Slide Courtesy of

Page 12

SYN Attack

[Diagram: hosts B, A and C. C, masquerading as B, starts connections to A. A allocates a kernel resource for handling the starting connection and waits for B's reply; there is no answer from B… After a 120 sec timeout A frees the resource. With enough such half-open connections, kernel resources are exhausted: denial of service.]

Page 13

TCP SYN Flood

[Diagram: a normal handshake between Client and Server (syn rqst, synack); Zombies send spoofed syn rqsts to the Victim, whose synacks get no reply and whose waiting buffer overflows.]

One of the first CERT DDoS advisories issued – 9/1996

► http://www.cert.org/advisories/CA-1996-21.html

Page 14

TCP SYN Flood

Once the Connection Queue Is Full of Waiting-to-Be-Completed Connections, No More Connections Can Be Accepted on the Target Port

Result of netstat -a on target host:

    TCP
       Local Address        Remote Address       State
    -------------------- -------------------- -------
          *.*                  *.*                IDLE
          *.sunrpc             *.*                LISTEN
          *.ftp                *.*                LISTEN
          *.telnet             *.*                LISTEN
          *.finger             *.*                LISTEN
    target.telnet        10.10.10.11.41508    SYN_RCVD
    target.telnet        10.10.10.12.41508    SYN_RCVD
    target.telnet        10.10.10.13.41508    SYN_RCVD
    target.telnet        10.10.10.14.41508    SYN_RCVD
    target.telnet        10.10.10.10.41508    SYN_RCVD
    target.telnet        10.10.10.15.41508    SYN_RCVD
    target.telnet        10.10.10.16.41508    SYN_RCVD
    target.telnet        10.10.10.17.41508    SYN_RCVD
    target.telnet        10.10.10.18.41508    SYN_RCVD
    target.telnet        10.10.10.19.41508    SYN_RCVD
    target.telnet        10.10.10.20.41508    SYN_RCVD
          *.*                  *.*                IDLE
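The netstat listing above is the picture a defender sees on the target; as an added example that is not part of the deck, here is a small detector that parses such output and flags a listening socket whose half-open (SYN_RCVD) backlog comes from many distinct sources. The sample listing is constructed to mirror the slide's layout, and the threshold is an assumption to tune per host.

```python
import re
from collections import Counter

# Constructed sample modelled on the slide's `netstat -a` listing; not captured from a real host.
NETSTAT_SAMPLE = """\
TCP
   Local Address        Remote Address       State
-------------------- -------------------- -------
      *.*                  *.*                IDLE
      *.sunrpc             *.*                LISTEN
      *.telnet             *.*                LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.ssh           192.0.2.7.51022      ESTABLISHED
"""

# A data row is exactly three whitespace-separated fields whose last is a TCP state name;
# the "TCP" banner, the column headings and the dashed separator do not match.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s*$")

def parse_netstat(text):
    """Return (local, remote, state) tuples from Solaris-style netstat output."""
    return [m.groups() for m in map(ROW_RE.match, text.splitlines()) if m]

def half_open_by_socket(rows):
    """Count SYN_RCVD entries per local socket and collect the distinct peer addresses."""
    counts, peers = Counter(), {}
    for local, remote, state in rows:
        if state == "SYN_RCVD":
            counts[local] += 1
            # remote is written as addr.port; drop the trailing port to get the source host
            peers.setdefault(local, set()).add(remote.rsplit(".", 1)[0])
    return counts, peers

def syn_flood_suspects(text, threshold=4):
    """Flag local sockets whose half-open backlog reaches the threshold.

    Many SYN_RCVD entries from many distinct sources on one listening port is the
    signature the slide's listing shows: a queue filling with handshakes that never complete.
    """
    counts, peers = half_open_by_socket(parse_netstat(text))
    return {local: {"half_open": n, "distinct_sources": len(peers[local])}
            for local, n in counts.items() if n >= threshold}
```

A single busy peer can also leave several SYN_RCVD entries, so the distinct-source count is what separates a flood from one slow client.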

Page 15

Cleaning Center Design

0. Pre-setup

[Diagram, reused on pages 15 to 21: Internet, Peering Edge, Core, Provider Edge, Regional Scrubbing Centre (DDoS Mitigation Device), DDoS Collector Device, Netflow/SNMP via DCN, Cleaning Centre GW, NKN Member Institute, Customer Server.]

1. NKN Member Institute Managed Object (MO) configured in CP.

Page 16

1. Peacetime

(Same diagram.)

4. Traffic destined to NKN Member Institute server via normal route.

Page 17

2. Attack Starts

(Same diagram, now showing attack traffic.)

5. NKN Member Institute server is under DDOS attack!

Page 18

DDOS System detects anomaly

(Same diagram, attack traffic continuing; the member side is labelled NKN Member Edge on this slide.)

6. DDoS CP/FS detects anomaly via Netflow.

Page 19

4. DDoS System draws routes to Cleaning Centre

(Same diagram, attack traffic continuing.)

7. TMS makes more specific route announcement to CCGW.

8. CCGW sends iBGP update.

9. Traffic diversion to scrubbing centre.

Page 20

5. DDoS System scrubs and re-injects clean traffic

(Same diagram: attack traffic into the scrubbing centre, clean traffic out.)

10. TMS scrubs traffic and sends clean traffic to CCGW.

Page 21

6. Attack stops

(Same diagram.)

13. DDoS CP/FS detects attack has subsided, stops mitigation.

14. TMS withdraws route.

15. CCGW sends iBGP update.

16. Traffic destined to NKN Member Institute server via normal route again.
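The route-diversion mechanism in steps 4, 7 to 9 and 14 to 16 above, as an added example rather than anything from the NKN deck: a minimal longest-prefix-match routing table in which the TMS's more specific route (assumed here to be a /32 for the attacked server) pulls only the victim's traffic to the scrubbing centre while other hosts in the member's prefix keep the normal path, and its withdrawal restores peacetime forwarding. Addresses are constructed from the RFC 5737 documentation range, and the re-injection of clean traffic to the CCGW (step 10) is not modelled.

```python
import ipaddress

# Constructed addresses from the RFC 5737 documentation range; not NKN's real prefixes.
MEMBER_PREFIX = "203.0.113.0/24"   # NKN member institute's prefix, announced in peacetime
SERVER = "203.0.113.10"            # the server that comes under attack
BYSTANDER = "203.0.113.50"         # another host in the same prefix, not attacked

class Rib:
    """Minimal routing table: prefix -> next hop, resolved by longest-prefix match."""
    def __init__(self):
        self.routes = {}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if dst in p]
        # The most specific covering prefix wins, which is what makes diversion work.
        return self.routes[max(matches, key=lambda p: p.prefixlen)] if matches else None

def peacetime_rib():
    rib = Rib()
    rib.announce(MEMBER_PREFIX, "provider-edge")   # step 4: traffic via the normal route
    return rib

def start_mitigation(rib, victim):
    """Steps 7-9: the TMS announces a more specific route (assumed /32) for the victim via
    the CCGW; the core now prefers it and diverts only the victim's traffic to scrubbing."""
    rib.announce(f"{victim}/32", "scrubbing-centre")

def stop_mitigation(rib, victim):
    """Steps 14-16: the TMS withdraws the /32, so the /24 is the best match again."""
    rib.withdraw(f"{victim}/32")

def diversion_trace(victim=SERVER, bystander=BYSTANDER):
    """Next hop for the victim and for a bystander at each phase of the workflow."""
    rib = peacetime_rib()
    trace = [("peacetime", rib.next_hop(victim), rib.next_hop(bystander))]
    start_mitigation(rib, victim)
    trace.append(("mitigating", rib.next_hop(victim), rib.next_hop(bystander)))
    stop_mitigation(rib, victim)
    trace.append(("subsided", rib.next_hop(victim), rib.next_hop(bystander)))
    return trace
```

The bystander column is the check worth keeping: a diversion that changes the next hop for hosts other than the victim is over-broad and turns mitigation into collateral damage.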

Page 22

Thank You

WWW.NKN.IN