Network Security in NKN - Fourth Annual NKN Workshop 2015,...

Transcript of Network Security in NKN - Fourth Annual NKN Workshop 2015,...

Page 1: Network Security in NKN - Fourth Annual NKN Workshop 2015, …workshop.nkn.in/meghalaya/sessions/shri-R-S-Mani/NE... · 2016-10-25

Network Security in NKN

Page 2

AGENDA

► DDOS—What Is It?
► Examples of DDOS
► Collateral Damage
► Origin of BOTNETs
► How BOTNETs are Created
► BOTNET Uses
► BOTNET Mitigation Options

National Knowledge Network Page 2

Page 3

Denial of Service and ISPs: Drinking From The Fire Hose

Diagram labels: Hacker; Masters; Zombies; Control Traffic (from the hacker through the masters to the zombies); Attack Traffic (from the zombies to the Victim (Web Server)); Flooded Pipe at the ISP Edge Router; Customer's Premises: Server/FW/Switch/Router.

Slide Courtesy of

Page 4

DDoS Step 1: Crack Handlers and Agents

Diagram labels: Attacker; Innocent Handler; Innocent Agents.

► Crack a huge number of innocent but unprotected hosts…
► Using well known vulnerabilities
► Manually or through use of automated tools

Page 5

DDoS Step 2: Install Trojan & Covert Communication Channel

Diagram labels: Attacker; Innocent Handler; Innocent Agents.

► Use FTP handler and agent programs on all cracked hosts
► Create a hierarchical covert channel using innocent looking ICMP packets whose payload contains DDOS commands; some DDOS further encrypt the payload...

Page 6

DDoS Step 3: Launch the Attack

Diagram labels: Attacker; Innocent Handler; Innocent Agents; Victim (A). The command "Attack Alice NOW!" is relayed from the attacker through the handler to the agents.

Page 7

Distributed Denial of Service

Diagram labels: Zombies on Innocent Computers; Peering Link; ISP Backbone (AS 24); ISP Edge; Enterprise.

Slide Courtesy of

Page 8

SYN Attack

Diagram: hosts A, B and C, with C masquerading as B.

C sends connection requests to A while masquerading as B. For each one, A allocates a kernel resource for handling the starting connection. No answer comes from B… 120 sec timeout, then A frees the resource. With enough such requests outstanding at once, A's kernel resources are exhausted: denial of service.

Page 9

TCP SYN Flood

Diagram, normal case: the Client sends a syn rqst to the Server, and the Server replies with a synack.

Diagram, attack case: Zombies send spoofed syn rqsts to the Victim; the Victim's synacks go to the spoofed addresses, nobody completes the handshake, and the Victim's waiting buffer overflows.

One of the first CERT DDoS advisories issued – 9/1996
► http://www.cert.org/advisories/CA-1996-21.html

Page 10

TCP SYN Flood

Result of netstat -a on target host:

TCP
Local Address        Remote Address       State
-------------------- -------------------- -------
*.*                  *.*                  IDLE
*.sunrpc             *.*                  LISTEN
*.ftp                *.*                  LISTEN
*.telnet             *.*                  LISTEN
*.finger             *.*                  LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.10.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.telnet        10.10.10.16.41508    SYN_RCVD
target.telnet        10.10.10.17.41508    SYN_RCVD
target.telnet        10.10.10.18.41508    SYN_RCVD
target.telnet        10.10.10.19.41508    SYN_RCVD
target.telnet        10.10.10.20.41508    SYN_RCVD
*.*                  *.*                  IDLE

Once the connection queue is full of waiting-to-be-completed connections, no more connections can be accepted on the target port.
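An added example, not from the slides: a small Python check that turns the netstat -a view above into a detection, counting half-open (SYN_RCVD) sockets per listening service and noting when every half-open peer uses the same source port, as all eleven do in the slide's output. The sample rows are retyped from the slide; the alert threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Sample input: the netstat -a rows shown on the slide, retyped here.
NETSTAT_OUTPUT = """\
TCP
Local Address        Remote Address       State
-------------------- -------------------- -------
*.*                  *.*                  IDLE
*.sunrpc             *.*                  LISTEN
*.ftp                *.*                  LISTEN
*.telnet             *.*                  LISTEN
*.finger             *.*                  LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.10.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.telnet        10.10.10.16.41508    SYN_RCVD
target.telnet        10.10.10.17.41508    SYN_RCVD
target.telnet        10.10.10.18.41508    SYN_RCVD
target.telnet        10.10.10.19.41508    SYN_RCVD
target.telnet        10.10.10.20.41508    SYN_RCVD
*.*                  *.*                  IDLE
"""

# One socket row: local address, remote address, TCP state (headers do not match).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)$")

def parse_netstat(text):
    """Yield (local, remote, state) for each socket row, skipping headers."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groups()

def syn_flood_alerts(text, threshold=8):
    """Flag local sockets with at least `threshold` half-open (SYN_RCVD)
    connections. `single_remote_port` is True when every half-open peer
    uses the same source port, a hint that the sources are spoofed by one
    tool rather than being real clients. The threshold is an assumption."""
    half_open = Counter()
    remote_ports = defaultdict(set)
    for local, remote, state in parse_netstat(text):
        if state == "SYN_RCVD":
            half_open[local] += 1
            remote_ports[local].add(remote.rsplit(".", 1)[-1])
    return [{"local": local, "half_open": n,
             "single_remote_port": len(remote_ports[local]) == 1}
            for local, n in half_open.items() if n >= threshold]
```

On the slide's output this reports target.telnet with 11 half-open connections, all from remote port 41508.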

Page 11

Cleaning Center Design

Diagram components: Internet; Peering Edge; Core; Provider Edge; Regional Scrubbing Centre with DDoS Collector Device, DDoS Mitigation Device and Cleaning Centre GW (CCGW); Netflow/SNMP via DCN; Customer Server at the NKN Member Institute.

0. Pre-setup
1. NKN Member Institute Managed Object (MO) configured in CP.

Page 12

1. Peace Time
2. Traffic destined to NKN Member Institute server via normal route.

Page 13

2. Attack Starts
3. NKN Member Institute Server is under DDOS attack! Attack traffic flows from the Internet through the Peering Edge and Core to the Customer Server.

Page 14

3. DDOS System detects anomaly
4. DDoS CP/FS detects anomaly via Netflow (collected over the DCN from the NKN Member Edge).

Page 15

4. DDoS System draws routes to Cleaning Centre
5. TMS makes more specific route announcement to CCGW
6. CCGW sends iBGP update
7. Traffic diversion to scrubbing centre: attack traffic now goes to the Regional Scrubbing Centre instead of the Customer Server.

Page 16

5. DDoS System scrubs and re-injects clean traffic
8. TMS scrubs traffic and sends clean traffic to CCGW. Attack traffic enters the scrubbing centre; clean traffic leaves it for the Customer Server.

Page 17

6. Attack stops
9. DDoS CP/FS detects attack has subsided, stops mitigation.
10. TMS withdraws route
11. CCGW sends iBGP update
12. Traffic destined to NKN Member Institute server via normal route again.
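An added example, not from the slides, replaying steps 2 to 12 above as a longest-prefix-match routing table: the normal route via the provider edge, the more specific host route that TMS announces through CCGW during the attack, and its withdrawal afterwards. The prefixes, server address and next-hop names are constructed placeholders, and the /32 prefix length is an assumption (the slide only says "more specific").

```python
import ipaddress

class RouteTable:
    """Longest-prefix-match table standing in for the NKN core's BGP view."""
    def __init__(self):
        self.routes = {}                      # prefix -> next hop

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if ip in p),
                   key=lambda p: p.prefixlen, default=None)
        return self.routes[best] if best else None

# Constructed addressing: the member institute's block, its server and the
# next-hop names are placeholders, not NKN's real values.
MEMBER_BLOCK = "192.0.2.0/24"
SERVER = "192.0.2.10"
PE = "provider-edge"
CCGW = "cleaning-centre-gw"

def simulate_diversion():
    """Replay steps 2-12 of the slides; return the core's next hop for the
    member server (and an unattacked neighbour) at each phase."""
    core = RouteTable()
    path = {}
    # Step 2, peace time: the /24 is reachable via the provider edge.
    core.announce(MEMBER_BLOCK, PE)
    path["peace"] = core.next_hop(SERVER)
    # Steps 5-7: TMS announces a more specific route for the attacked host,
    # CCGW relays it by iBGP, and the core diverts only that host's traffic.
    diverted = f"{SERVER}/32"                 # assumed prefix length
    core.announce(diverted, CCGW)
    path["attack"] = core.next_hop(SERVER)
    path["neighbour"] = core.next_hop("192.0.2.20")
    # Step 8 (not modelled): CCGW must hand the scrubbed traffic to the
    # customer on a path this /32 does not cover, or it would loop back.
    # Steps 10-12: TMS withdraws the route, CCGW sends the iBGP update and
    # the server is reached via the normal route again.
    core.withdraw(diverted)
    path["after"] = core.next_hop(SERVER)
    return path
```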

Page 18

DATA FLOW

Page 19

Thank You

WWW.NKN.IN