BHEU2004 NF SP EWS v11


Published on December 3, 2007

Author: Waldarrama

Source: authorstream.com

Content

Slide 1: Nicolas FISCHBACH, Senior Manager, IP Engineering/Security - COLT Telecom
[email protected] - http://www.securite.org/nico/
version 1.1
Building an Early Warning System in a Service Provider Network
Black Hat Briefings Europe 2004

Agenda:
- What are ISPs/NSPs looking for?
- Honeynet-like sensors
  - Routers as honeypots
  - DDoS detection with honeybots
  - Traffic diversion to honeyfarms
- Other information sources
  - System data
  - Security data
  - Network data
- Early Warning System
  - Putting all the information bits together
- Conclusion

DDoS, Worms and the Underground:
- MEECES, an acronym for Money, Ego, Entertainment, Cause, Entrance into social groups, Status (Max Kilger, Honeynet Project)
- Applies to the underground/"hacker"/blackhat community
- Intelligence agencies' equivalent: MICE (Money, Ideology, Compromise, Ego)

DDoS, Worms and the Underground: What have we seen up to now
- Cause/Hacktivism: web site defacement, DDoS (SCO, WU/MSFT, etc.)
- Ego/Status: "I have more (network) power than you"; "I'm not going to lose that item in <online game>"
- Entertainment: "Hey look, I just DoSed <favorite IRC user/website>"
- Entrance into a social group: "Wanna trade this botnet?"

DDoS, Worms and the Underground: What have we seen up to now
- Money: BGP speaking routers; SPAM, botnets, open proxies, etc.; C/C numbers incl. personal information, eBay accounts, etc.

DDoS, Worms and the Underground: Where are we today?
- Real money: "Pay or get DDoSed"; worms for SPAM
- Organized crime using "real world" proven ways of making money on the Internet
- Targets: online business, mainly gaming/gambling/betting sites nowadays

DDoS, Worms and the Underground: Where are we today
- "Losing" a botnet isn't a tragedy: mass-acquisition tools are mandatory
- Protect your property (host and communication channel)
  - Control channel over IRC/P2P/not so common protocols/IPv6 (anonymous)
  - Secure the host to avoid multiple zombies/agents
- Not for fun in free time anymore (people with network and DoS filtering technology/technique skills)
- The skills, knowledge, organization and hierarchy are not different/worse in the "blackhat" world... anything but the chaotic world we all expect

DDoS, Worms and the Underground: Where are we today
- A few hundred/thousand dollars/euros is a yearly salary in poor countries
- AP and SA are the main sources, not (just) .ro anymore
- Usually good education, living in a country with a high number of unemployed people
- Most of the communications are in-band (Internet); out-of-band is limited to "hacker" meetings or local phone calls
- Do you have the resources to analyze TBs a day of IRC logs coming from compromised hosts/honeypots (in x different languages)?

DDoS, Worms and the Underground: A vulnerability's life cycle: worm or not?
- Key: is the exploit "generic"? [Messenger vs LSASS]
- (timeline diagram, "Victims" against Time, with labels: Vulnerability found, Vulnerability "found" again, Disclosure, Patch available, "bad patch", Full/fixed patch, Patch deployed, Exploit "Proof of Concept", Automated, PoC + Exploit + Worm?, "Noise")

What are ISPs/NSPs looking for?: An EWS in a large network
- Detect: DDoS attacks, (unknown) worms, SPAM, covert channels, hacked systems, open proxies, scans
- Detect it early!
- Cover a large network: distributed approach, bandwidth/PPS requirements and system performance
- Easy to detect/fingerprint?

What are ISPs/NSPs looking for?: An EWS in a large network
- Lots of data
- Information sources: honey* sensors, systems and applications, security devices, network
- Quick 101: BGP, MPLS, Netflow, DDoS, honeypot

Honeyrouters: Routers as honeypots
- BGP speaking routers are traded in the underground: more value than eBay accounts or valid CC numbers
- Makes them good targets; password policy issue
- Are miscreants just scanning for open telnet/SSH, or "brute forcing" the login and trying out commands?
- BGP route injection: DDoS attack or SPAM?

Honeyrouters: Network architecture
(diagram labels: honey, internet, filter, BGP session, tacacs, AAA)

Honeyrouters:
- Using honeyd: Cisco CLI/telnet script, SNMP script
- Using UNIX + Zebra: Cisco-like CLI
- Using a Cisco router: real BGP feed ("read-only" BGP session); real "fake" account (AAA and TACACS+); real network connectivity (IP filtering and rate-limiting)

Honeybots: DDoS attack detection with honeybots/honeyzombies
- DDoS attack detection: Netflow, ACLs, SNMP, etc.
- "Other SPs'" DDoS detection
- Backscatter data
- Honeybots:
  0) Infected host post-mortem/forensics
  1) Run bots and DDoS agents/zombies in a sandbox
  2) Watch IRC, P2P, control channel communications

Honeybots: Network architecture
(diagram labels: internet, filter, host, ircd/p2p, malware (ddos agent/zombie), command/control channel)

Honeyfarms: Traffic diversion to honeypots
(diagram labels: internet, filter, edge, edge, iBGP route, bgp, traffic flow, MPLS LSP)

Honeyfarms: Traffic diversion to honeypots
- Easy traffic rerouting; may be "invisible"
- Limitations: RTT/TTL may change; overhead (L2TP and especially GRE/IPIP)
- Use low-interaction honeypots: basic TCP/UDP listeners, no "real" active response (honeyd)
- Avoid high-interaction (unless you have time and resources)
- Established sessions: p0f v2, learn what the source may run on

System Data: System information sources
- Exposed services: SMTP (mail server/relay): [email protected]; DNS (authoritative/caching): Zonelabs/TAT14; HTTP (portal/cache)
- System logs

System Data: What not to do (at least not as an SP)
- Use honeypots/fake open relays to detect and fight SPAM: risk of ending up in RBLs
- Use open proxies to detect surfing, phishing, etc.
- Use honeypots/honeybots to bite back and clean up attacking systems ("Active Defense"): legal issues; not customers, and even if they are... AUP?; usually causes more harm than good!
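The Honeyrouters slides above list honeyd with a Cisco CLI/telnet script as one way to build a router honeypot. What follows is an added example, not the deck's own scripts and not honeyd: a stand-alone Python emulation of the same idea, a fake IOS telnet login that records every credential pair and every command it is given, lands the one "fake" account in user-mode EXEC with canned output, and always refuses `enable`. The hostname, the banner, the account (admin/cisco), the canned `show` output and the listening port (2323) are assumptions; put it behind the filter and rate-limiter the slide calls for.

```python
"""Low-interaction honeyrouter (added example, not the deck's honeyd scripts).

A fake Cisco-style telnet front end: every login attempt and every command
is recorded as a JSON event; the one "fake" account lands in user-mode EXEC
with canned output, `enable` is always refused, and nothing real is reachable.
Hostname, account and canned output are assumptions.
"""
import asyncio
import json
import time

HOSTNAME = "ar1-fra"                      # assumed, cosmetic only
FAKE_USER, FAKE_PASS = "admin", "cisco"   # the slide's "real fake account"; values assumed
MAX_LOGIN_TRIES = 3

CANNED = {   # replies for the commands intruders usually type first (constructed output)
    "show version": "Cisco IOS Software, C2600 Software (C2600-I-M)\r\n"
                    f"{HOSTNAME} uptime is 14 weeks, 2 days\r\n",
    "show ip bgp summary": "BGP router identifier 192.0.2.1, local AS number 64496\r\n"
                           "Neighbor        V    AS MsgRcvd MsgSent  Up/Down  State/PfxRcd\r\n"
                           "192.0.2.2       4 64497  130921  130870  9w6d       161242\r\n",
}

def clean(raw):
    """Drop telnet IAC negotiation and control bytes, keep printable ASCII."""
    return "".join(c for c in raw if 32 <= ord(c) < 127).strip()

def abbreviates(typed, full):
    """IOS-style abbreviation: 'sh ip bgp sum' matches 'show ip bgp summary'."""
    t, f = typed.split(), full.split()
    return len(t) == len(f) and all(fw.startswith(tw) for tw, fw in zip(t, f))

class CiscoCliEmulator:
    """Session state machine: feed() takes one input line and returns the reply.
    Pure (no sockets), so it can be driven directly in a test."""

    def __init__(self, peer):
        self.peer, self.state, self.tries = peer, "user", 0
        self.username, self.events = None, []

    def banner(self):
        return "\r\nUser Access Verification\r\n\r\nUsername: "

    def log(self, **kw):
        self.events.append({"ts": time.time(), "peer": self.peer, **kw})

    def feed(self, raw):
        line = clean(raw)
        if self.state == "user":
            self.username, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            self.tries += 1
            self.log(type="login", user=self.username, password=line)
            if (self.username, line) == (FAKE_USER, FAKE_PASS):
                self.state = "exec"
                return f"\r\n{HOSTNAME}>"
            if self.tries >= MAX_LOGIN_TRIES:        # IOS-like lockout after 3 failures
                self.state = "closed"
                return "\r\n% Bad passwords\r\n"
            self.state = "user"
            return "\r\n% Login invalid\r\n\r\nUsername: "
        if self.state == "enable":                   # record the privileged password they guess
            self.log(type="enable", password=line)
            self.state = "exec"
            return f"\r\n% Access denied\r\n{HOSTNAME}>"
        if self.state == "exec":
            self.log(type="cmd", cmd=line)
            if line in ("exit", "logout", "quit"):
                self.state = "closed"
                return "\r\n"
            if line == "enable":
                self.state = "enable"
                return "Password: "
            for known, out in CANNED.items():
                if abbreviates(line, known):
                    return out + f"{HOSTNAME}>"
            return f"% Unknown command or computer name, or unable to find computer address\r\n{HOSTNAME}>"
        return ""                                    # session closed, ignore input

async def handle(reader, writer):
    peer = writer.get_extra_info("peername")[0]
    sess = CiscoCliEmulator(peer)
    writer.write(sess.banner().encode())
    try:
        while sess.state != "closed":
            data = await asyncio.wait_for(reader.readline(), timeout=120)
            if not data:
                break
            writer.write(sess.feed(data.decode("latin-1")).encode())
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        for ev in sess.events:       # one JSON line per event, ready for the SIM/SEM
            print(json.dumps(ev))
        writer.close()

async def serve(port=2323):
    server = await asyncio.start_server(handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

Run it, `telnet <host> 2323`, and each session ends with one JSON line per login attempt, enable attempt and command, which is exactly the data that answers the slide's question of whether miscreants only scan for open telnet or actually try credentials and commands. The emulator never grants privileged mode and has no real configuration behind it, so the sensor itself adds no risk to the network.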
- But an interesting approach inside an IT network: automated network "management"; the perimeter is defined

Security Data: Security information sources
- Firewalls, xIDS, anti-virus, security logs

Network Data: Network information sources
- Routers: ACLs, uRPF and interface counters; requires a mix of scripts and SNMP polling
- Traffic:
  - Netflow: "header" data (src/dst IP, src/dst port, protocol, ingress interface, ToS; also exports TCP flags, ASN, etc.), inbound only
  - Full traffic dump (RMON/SPAN/RTE/tap) in specific locations (hosting center upstreams, DSL/dial aggregation, etc.)
- "Dark" IP space: sinkholes

Network Data: Network information sources
- Routing: BGP updates, route-server
- Projects: RIPE RIS, Netlantis

Netflow and BGP: Network architecture
(diagram labels: SOC, tr, ccr, ccr, ar, ar, tr, ppr, ixpr, collector, collector, controller)

Dark IP space/Sinkholes: Network architecture
(diagram labels: internet, filter, bgp, customer, customer, customer, unallocated network traffic)

Dark IP space/Sinkholes: Collecting backscatter data
(diagram labels: bad guy, owned host, master agent, slave agents (zombies, bots), victim(s), third parties [backscatter])

Dark IP space/Sinkholes: Setup
- BGP speaking router: route-reflector, full iBGP mesh
- Announce PA/PI allocations; non-allocated/unused prefixes routed to the sinkhole/darkIP monitor; more-specific route followed for allocated (customer) space
- Dynamic (add/remove): take the prefixes' history into account (ceased customers); allocation method (dial/DSL) means lots of short term noise
- Central or distributed/regional deployment? IP anycast

Dark IP space/Sinkholes: Data analysis
- What kind of information will you get?
- How to identify backscatter from other (rogue) traffic

Early Warning System: EWS
- Share/reuse data with/from your SOC (SIM/SEM)
- SIM/SEM: aggregate/correlate application logs, central syslog server, security logs and events, network sources, honey* sources; lookup, display/alert, search

Early Warning System: EWS
- Which data have value? High value vs. low value
- Use the human eye to catch anomalies; challenge: how to display and visualize data
- Can be deployed and useful inside an IT network
- Don't put your network at risk by deploying these sensors

Conclusion:
- See also: Backbone and Infrastructure Security presentations, http://www.securite.org/presentations/secip/
- (Distributed) Denial of Service presentations, http://www.securite.org/presentations/ddos/
- Q&A
- Thanks Lolo, Phil, Marc, Lance, Jose and Toby
- Image: www.shawnsclipart.com/funkycomputercrowd.html
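The Honeybots slide lists Netflow as a DDoS detection source, the Network Data slides describe what a flow record carries (addresses, ports, protocol, TCP flags) and the Dark IP space/Sinkholes slides ask how to tell backscatter apart from other rogue traffic. The following is an added worked example, not the deck's own collector or scripts, that runs both detections over constructed NetFlow v5-style records: a SYN-flood detector for ordinary ingress flows, and a sinkhole classifier that separates backscatter (a victim somewhere answering spoofed sources that fall into our unallocated space) from probes. The record layout, the thresholds and every address are assumptions; real NetFlow would arrive through a collector rather than as text.

```python
"""Added example (not the deck's own tooling): two detections from the
Network Data and Dark IP space/Sinkholes slides, run over constructed
NetFlow v5-style records.

  detect_syn_flood   - ordinary ingress flows: one destination, many distinct
                       sources, SYNs that are never ACKed
  classify_sinkhole  - flows into unallocated ("dark") space: backscatter
                       (replies from a DDoS victim to spoofed sources that
                       happen to lie in our dark prefixes) versus scans/probes

Record layout, thresholds and all addresses are assumptions.
"""
import ipaddress
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits; NetFlow v5 ORs them over a flow

def parse_flows(text):
    """Parse 'src,sport,dst,dport,proto,tcpflags,pkts,bytes' lines (constructed layout)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, flags, pkts, octets = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": int(proto), "flags": int(flags, 0),
                      "pkts": int(pkts), "bytes": int(octets)})
    return flows

def half_open(f):
    """TCP flow that carried a SYN but never an ACK: a handshake that never completed."""
    return f["proto"] == 6 and bool(f["flags"] & SYN) and not (f["flags"] & ACK)

def detect_syn_flood(flows, min_sources=50, min_syn_ratio=0.9):
    """Per (dst, dport): alert when >= min_sources distinct sources and almost every
    packet belongs to a half-open flow. Source spread separates a flood from one
    noisy client; the half-open ratio separates it from a merely busy server."""
    per_dst = defaultdict(lambda: {"srcs": set(), "syn": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != 6:
            continue
        d = per_dst[(f["dst"], f["dport"])]
        d["srcs"].add(f["src"])
        d["pkts"] += f["pkts"]
        if half_open(f):
            d["syn"] += f["pkts"]
    alerts = []
    for (dst, dport), d in per_dst.items():
        ratio = d["syn"] / d["pkts"]
        if len(d["srcs"]) >= min_sources and ratio >= min_syn_ratio:
            alerts.append({"dst": dst, "dport": dport, "sources": len(d["srcs"]),
                           "syn_ratio": round(ratio, 2)})
    return alerts

def classify_sinkhole(flows, dark_prefixes, min_victim_dsts=10):
    """Nothing legitimate is addressed to unallocated space. Replies (SYN-ACK, RST,
    ICMP unreachable / TTL exceeded) are backscatter: their source is being attacked
    with spoofed addresses. Requests (plain SYN, ICMP echo) are probes: their source
    is scanning. A real victim's replies hit many random dark addresses, so a
    source is reported as a victim only above min_victim_dsts distinct targets."""
    nets = [ipaddress.ip_network(p) for p in dark_prefixes]
    backscatter, scanners = defaultdict(set), defaultdict(set)
    for f in flows:
        if not any(ipaddress.ip_address(f["dst"]) in n for n in nets):
            continue
        if f["proto"] == 6:
            if half_open(f):
                scanners[f["src"]].add(f["dst"])
            elif (f["flags"] & SYN and f["flags"] & ACK) or f["flags"] & RST:
                backscatter[f["src"]].add(f["dst"])
        elif f["proto"] == 1:
            icmp_type = f["dport"] // 256          # NetFlow v5 stores ICMP type*256+code in dst port
            if icmp_type == 8:                      # echo request: a sweep
                scanners[f["src"]].add(f["dst"])
            elif icmp_type in (3, 11):              # unreachable / time exceeded: a reply
                backscatter[f["src"]].add(f["dst"])
    victims = {v: len(d) for v, d in backscatter.items() if len(d) >= min_victim_dsts}
    return {"victims": victims, "scanners": {s: len(d) for s, d in scanners.items()}}

def build_sample():
    """Constructed flow export: a SYN flood, normal web traffic, backscatter and probes."""
    rows = ["# src,sport,dst,dport,proto,flags,pkts,bytes"]
    # 120 spoofed sources, one never-ACKed SYN each, against 192.0.2.10:80
    rows += [f"203.0.113.{i},{1024 + i},192.0.2.10,80,6,0x02,1,40" for i in range(1, 121)]
    # 20 clients with completed handshakes (SYN|ACK|FIN ORed over the flow) to 192.0.2.20:80
    rows += [f"198.51.100.{i},{40000 + i},192.0.2.20,80,6,0x13,12,5400" for i in range(1, 21)]
    # dark space 192.0.2.128/25: a web server elsewhere answering spoofed SYNs with SYN-ACKs
    rows += [f"198.51.100.200,80,192.0.2.{i},{3000 + i},6,0x12,1,44" for i in range(130, 160)]
    # a DNS server answering spoofed queries with ICMP port-unreachable (type 3, code 3 -> 771)
    rows += [f"198.51.100.53,0,192.0.2.{i},771,1,0,1,56" for i in range(200, 212)]
    # probes into dark space: a TCP/445 SYN sweep and an ICMP echo (type 8 -> 2048) sweep
    rows += [f"203.0.113.250,50000,192.0.2.{i},445,6,0x02,1,48" for i in range(130, 145)]
    rows += [f"203.0.113.251,0,192.0.2.{i},2048,1,0,1,84" for i in range(220, 226)]
    return "\n".join(rows)

def analyse(text=None):
    flows = parse_flows(build_sample() if text is None else text)
    return detect_syn_flood(flows), classify_sinkhole(flows, ["192.0.2.128/25"])

if __name__ == "__main__":
    alerts, sink = analyse()
    print("SYN floods:", alerts)
    print("sinkhole:", sink)
```

On the constructed export the flood against 192.0.2.10:80 is the only SYN-flood alert (the 20 real clients have ACK set in their flows), the two hosts replying into dark space come out as victims with 30 and 12 distinct dark targets, and the two sweeps come out as scanners. The distinct-target count is what makes the backscatter call robust: a victim of a spoofed-source attack answers addresses spread across the whole dark prefix, while a single stray packet never reaches the threshold. The TTL/RTT caveat from the Honeyfarms slide applies here too: sinkhole flows tell you the victim and the attack type, not the zombies, since their addresses are spoofed.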
