Network Security in NKN - Fourth Annual NKN Workshop 2015,...
Network Security in NKN
AGENDA
► DDOS—What Is It?
► Examples of DDOS
► Collateral Damage
► Origin of BOTNETs
► How BOTNETs are Created
► BOTNET Uses
► BOTNET Mitigation Options
National Knowledge Network, Page 2
Denial of Service and ISPs (slide diagram; only the figure labels survive)
Control Traffic: Hacker → Masters → Zombies
Attack Traffic: Zombies → Victim (Web Server)
Customer's Premises: Server/FW/Switch/Router
ISP Edge Router: Flooded Pipe ("Drinking From The Fire Hose")
Slide Courtesy of
DDoS Step 1: Crack Handlers and Agents (slide diagram: Attacker → Innocent Handler → Innocent Agents)
► Crack a huge number of innocent but unprotected hosts…
► Using well known vulnerabilities
► Manually or through use of automated tools
DDoS Step 2: Install Trojan & Covert Communication Channel (slide diagram: Attacker → Innocent Handler → Innocent Agents)
► Use FTP handler and agent programs on all cracked hosts
► Create a hierarchical covert channel using innocent looking ICMP packets whose payload contains DDOS commands; some DDOS further encrypt the payload...
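As an added example (not from the NKN slides), here is the defender's side of the covert channel just described: an ICMP echo parser that verifies the checksum and flags packets whose payload size or body deviates from the site's normal ping baseline. The baseline pattern, the sample packets and the filler bytes in the deviating packet are all constructed for the demonstration and carry no real command content.

```python
# Added example, not from the NKN slides: a small detector for ICMP echo
# packets whose payload does not look like an ordinary ping. The packets and
# the "normal ping" baseline pattern below are constructed for the demo.
import struct

# Constructed baseline: what this site's ordinary echo requests carry after
# an 8-byte timestamp (assumption; capture your own hosts' pings to set it).
TIMESTAMP_LEN = 8
BASELINE_PATTERN = bytes(range(0x10, 0x38))
BASELINE_SIZE = TIMESTAMP_LEN + len(BASELINE_PATTERN)  # 48 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def classify_echo(packet: bytes) -> dict:
    """Parse one ICMP message and list the reasons it deviates from baseline."""
    if len(packet) < 8:
        return {"suspicious": True, "reasons": ["truncated ICMP header"]}
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    if icmp_type not in (0, 8):  # only echo reply / echo request are in scope
        return {"type": icmp_type, "suspicious": False, "reasons": []}
    reasons = []
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != csum:
        reasons.append("checksum mismatch")
    if len(payload) != BASELINE_SIZE:
        reasons.append(f"payload size {len(payload)} != baseline {BASELINE_SIZE}")
    body = payload[TIMESTAMP_LEN:]
    if body != BASELINE_PATTERN[: max(0, len(payload) - TIMESTAMP_LEN)]:
        reasons.append("payload body differs from baseline pattern")
    return {"type": icmp_type, "id": ident, "seq": seq,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(packets):
    """Return (id, seq, reasons) for every echo packet that deviates from baseline."""
    flagged = []
    for pkt in packets:
        verdict = classify_echo(pkt)
        if verdict["suspicious"]:
            flagged.append((verdict.get("id"), verdict.get("seq"), verdict["reasons"]))
    return flagged


# Constructed sample traffic: two ordinary pings, one echo whose body is
# filler bytes rather than the baseline pattern, and one oversized echo.
SAMPLE_PACKETS = [
    build_echo(0x1234, 1, b"\x00" * TIMESTAMP_LEN + BASELINE_PATTERN),
    build_echo(0x1234, 2, b"\x00" * TIMESTAMP_LEN + BASELINE_PATTERN),
    build_echo(0x0BAD, 7, b"\x00" * TIMESTAMP_LEN + bytes([0xA5, 0x5A] * 20)),
    build_echo(0x0BAD, 8, b"\x00" * TIMESTAMP_LEN + BASELINE_PATTERN + b"\x00" * 16),
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_PACKETS):
        print(entry)
```

A payload-only check like this is a first filter, not a verdict: the slide also says some payloads are encrypted, so pair it with volume and fan-out counters (one host sending echo requests to many internal hosts) before escalating.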
DDoS Step 3: Launch the Attack (slide diagram: Attacker → Innocent Handler → Innocent Agents → Victim, with the command "Attack Alice NOW !" relayed down the hierarchy)

Distributed Denial of Service (slide diagram; figure labels)
Zombies on Innocent Computers → ISP Backbone (AS 24) → Peering Link → Enterprise ISP Edge → Victim (A)
Slide Courtesy of
SYN Attack (slide diagram; figure labels)
Hosts B, A and C: C sends connection requests to A while masquerading as B.
A allocates kernel resource for handling the starting connection.
No answer from B… 120 sec timeout, then free the resource.
Denial of Service: kernel resources exhausted.

TCP SYN Flood (slide diagram; figure labels)
Normal handshake: Client → Server: syn rqst; Server → Client: synack.
Flood: Zombies → Victim: syn rqst; Victim → Zombies: synack; waiting buffer overflows.
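Added example, not from the slides: a Python model of what the SYN Attack slide describes (one kernel slot per half-open connection, held until the third handshake packet arrives or the 120 s timeout frees it), followed by the SYN-cookie defence, which goes beyond the slide: the server keeps no state until the ACK arrives, so spoofed SYNs cannot fill the queue. Queue capacity, timings, addresses, the 64 s time slot and the cookie key are constructed assumptions.

```python
# Added example, not from the NKN slides: listen-queue exhaustion as on the
# SYN Attack slide, plus a SYN-cookie handshake that needs no per-SYN slot.
# Capacities, timings, addresses and the key are constructed for the demo.
import hashlib
import hmac


class HalfOpenQueue:
    """Per-port backlog: one slot per SYN until the handshake completes or times out."""

    def __init__(self, capacity: int, timeout_s: float = 120.0):
        self.capacity = capacity
        self.timeout_s = timeout_s  # the slide quotes a 120 s timeout
        self.pending = {}           # (src_ip, src_port) -> time the SYN arrived
        self.dropped = 0

    def expire(self, now: float) -> None:
        """Free slots whose peer never answered the SYN-ACK."""
        stale = [k for k, t0 in self.pending.items() if now - t0 >= self.timeout_s]
        for k in stale:
            del self.pending[k]

    def on_syn(self, now: float, src: tuple) -> bool:
        """Allocate a slot for a new SYN; return False when the queue is full."""
        self.expire(now)
        if src in self.pending:
            return True  # retransmitted SYN, slot already held
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, now: float, src: tuple) -> bool:
        """Third handshake packet: release the slot, connection established."""
        return self.pending.pop(src, None) is not None


def simulate_flood(capacity=8, spoofed_sources=11, attack_t=0.0, probe_t=1.0):
    """Spoofed SYNs fill the queue; a legitimate client is refused until the timeout."""
    q = HalfOpenQueue(capacity)
    for i in range(spoofed_sources):
        # Spoofed sources never answer, so no on_ack ever arrives for them.
        q.on_syn(attack_t, (f"10.10.10.{10 + i}", 41508))
    held, spoofed_dropped = len(q.pending), q.dropped
    legit = ("192.0.2.10", 50000)
    refused = not q.on_syn(probe_t, legit)
    accepted_later = q.on_syn(attack_t + q.timeout_s, legit)
    return {"held": held, "spoofed_dropped": spoofed_dropped,
            "refused": refused, "accepted_after_timeout": accepted_later}


# --- SYN cookies: keep no state until the third packet arrives ---------------
SECRET = b"constructed-demo-secret"  # a real stack rotates this key


def _mac(src: tuple, dst_port: int, slot: int) -> int:
    msg = f"{src[0]}:{src[1]}:{dst_port}:{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src: tuple, dst_port: int, now: float) -> int:
    """Encode a 64 s time slot and a keyed 24-bit MAC into the 32-bit initial sequence number."""
    slot = int(now) // 64
    return ((slot & 0xFF) << 24) | _mac(src, dst_port, slot)


def check_syn_cookie(src: tuple, dst_port: int, ack_seq: int, now: float,
                     max_age_slots: int = 2) -> bool:
    """Validate (ack_seq - 1) against cookies issued in the current or recent slots."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    slot_bits, mac = cookie >> 24, cookie & 0xFFFFFF
    cur = int(now) // 64
    for age in range(max_age_slots + 1):
        slot = cur - age
        if (slot & 0xFF) == slot_bits and _mac(src, dst_port, slot) == mac:
            return True
    return False


if __name__ == "__main__":
    print(simulate_flood())
```

The simulation shows the slide's failure mode directly: eight spoofed SYNs hold all eight slots, three more are dropped, a real client is refused a second later, and only at the 120 s mark does a slot come free. With cookies the server answers every SYN but allocates nothing; a forged ACK from a different source or an old time slot fails the MAC check and is discarded.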
One of the first CERT DDoS advisories issued – 9/1996
► http://www.cert.org/advisories/CA-1996-21.html

TCP SYN Flood: result of netstat -a on target host (spoofed sources)
TCP
   Local Address        Remote Address       State
-------------------- -------------------- -------
*.*                  *.*                  IDLE
*.sunrpc             *.*                  LISTEN
*.ftp                *.*                  LISTEN
*.telnet             *.*                  LISTEN
*.finger             *.*                  LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.10.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.telnet        10.10.10.16.41508    SYN_RCVD
target.telnet        10.10.10.17.41508    SYN_RCVD
target.telnet        10.10.10.18.41508    SYN_RCVD
target.telnet        10.10.10.19.41508    SYN_RCVD
target.telnet        10.10.10.20.41508    SYN_RCVD
*.*                  *.*                  IDLE

Once the connection queue is full of waiting-to-be-completed connections, no more connections can be accepted on the target port.
Cleaning Center Design (slide diagram, repeated on each of the slides that follow)
Components: Internet → Peering Edge → Core → Provider Edge → NKN Member Institute (Customer Server); Regional Scrubbing Centre with DDoS Collector Device, DDoS Mitigation Device and Cleaning Centre GW (CCGW); Netflow/SNMP from the network reaches the collector via the DCN.

DATA FLOW
0. Pre-setup
   1. NKN Member Institute Managed Object (MO) configured in CP.
1. Peace Time
   2. Traffic destined to NKN Member Institute server via normal route.
2. Attack Starts
   3. NKN Member Institute server is under DDOS attack! (diagram label: Attack Traffic)
3. DDOS System detects anomaly
   4. DDoS CP/FS detects anomaly via Netflow.
4. DDoS System draws routes to Cleaning Centre
   5. TMS makes more specific route announcement to CCGW.
   6. CCGW sends iBGP update.
   7. Traffic diversion to scrubbing centre.
5. DDoS System scrubs and re-injects clean traffic (diagram labels: Attack Traffic, Clean Traffic)
   8. TMS scrubs traffic and sends clean traffic to CCGW.
6. Attack stops
   9. DDoS CP/FS detects attack has subsided, stops mitigation.
   10. TMS withdraws route.
   11. CCGW sends iBGP update.
   12. Traffic destined to NKN Member Institute server via normal route again.
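Added example, not part of the NKN presentation: a Python model of the data flow above, with a Netflow-style anomaly check for step 4 and a longest-prefix-match route table that shows why the more-specific announcement of steps 5 to 7 diverts traffic to the CCGW while leaving the rest of the member institute's prefix on its normal path, and why withdrawing it in steps 10 to 12 restores that path. Prefixes, next-hop names, flow records, the /32 prefix length, the scrubbing rule and the baseline are all constructed assumptions, not NKN's configuration.

```python
# Added example, not from the NKN slides: model of the cleaning-centre data
# flow. Prefixes, next hops, flow records, thresholds and the /32 diversion
# prefix are constructed assumptions, not NKN's configuration.
import ipaddress


class RouteTable:
    """Forwarding table fed by iBGP: the longest matching prefix wins."""

    def __init__(self):
        self.routes = {}  # ip_network -> next-hop name

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def detect_anomaly(flows, baseline_pps, factor=10):
    """Step 4: flag destinations whose aggregate pps exceeds factor x their baseline.
    Only destinations with a baseline (a configured managed object, step 1) are checked."""
    total = {}
    for _src, dst, pps in flows:
        total[dst] = total.get(dst, 0) + pps
    return {dst for dst, pps in total.items()
            if dst in baseline_pps and pps > factor * baseline_pps[dst]}


class CleaningCentre:
    """TMS + CCGW behaviour: divert on detection, scrub, re-inject, withdraw when quiet."""

    def __init__(self, table, ccgw="CCGW", per_source_limit_pps=1000):
        self.table = table
        self.ccgw = ccgw
        self.per_source_limit_pps = per_source_limit_pps  # constructed scrubbing rule
        self.mitigating = set()

    def start_mitigation(self, victim):
        # Steps 5-7: more-specific route (here victim/32) announced to the CCGW,
        # CCGW sends the iBGP update, traffic for the victim is diverted.
        self.table.announce(f"{victim}/32", self.ccgw)
        self.mitigating.add(victim)

    def scrub(self, flows):
        # Step 8: drop sources above the per-source limit; the rest is clean traffic.
        return [(src, dst, pps) for src, dst, pps in flows
                if dst not in self.mitigating or pps <= self.per_source_limit_pps]

    def stop_mitigation(self, victim):
        # Steps 9-12: attack subsided, route withdrawn, iBGP update, normal path again.
        self.table.withdraw(f"{victim}/32")
        self.mitigating.discard(victim)


def run_scenario():
    """Walk the six slide phases and record the next hop seen for the victim in each."""
    table = RouteTable()
    table.announce("203.0.113.0/24", "PE-member-institute")  # step 2: normal route
    cc = CleaningCentre(table)
    victim, neighbour = "203.0.113.10", "203.0.113.20"
    baseline = {victim: 100}  # step 1: MO configured with a 100 pps baseline (constructed)
    out = {"peace": table.lookup(victim)}

    # Step 3: constructed Netflow records during the attack, as (src, dst, pps).
    attack = [("198.51.100.1", victim, 5000), ("198.51.100.2", victim, 5000),
              ("192.0.2.7", victim, 80)]
    for v in detect_anomaly(attack, baseline):          # step 4
        cc.start_mitigation(v)                            # steps 5-7
    out["diverted"] = table.lookup(victim)
    out["neighbour_unaffected"] = table.lookup(neighbour)
    out["clean_pps"] = sum(pps for _, _, pps in cc.scrub(attack))  # step 8

    quiet = [("192.0.2.7", victim, 80)]
    if not detect_anomaly(quiet, baseline):               # step 9
        cc.stop_mitigation(victim)                        # steps 10-12
    out["restored"] = table.lookup(victim)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two operational points the model makes visible: a destination with no managed object is never mitigated (step 1 is a prerequisite, not a formality), and the diversion is scoped to the attacked host, so the neighbouring server in the same /24 keeps its direct path throughout.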
Thank You
WWW.NKN.IN