March 2007 Apricot Unwanted Traffic # 1 www.acreo.se
Reflections on Unwanted Traffic
After the IAB Workshop
Loa Andersson
Internet Architecture Board
MPLS WG co-chair
Apricot, March 1
Why an “Unwanted Traffic” workshop
Lots of Unwanted Traffic on the Internet today
– (D)DoS, Spam, viruses, worms, etc.
The trend
– The ratio of Unwanted Traffic is increasing, not decreasing
– Persistence of infected hosts considerable
The impact
– Significant economic losses and growing
Evolution of Threats
From worms/viruses that simply wreak havoc on the network to malware that propagates, compromises hosts and enables command and control infrastructure and services platforms for malicious activity. E.g.:
– Code Red (DDoS against IP)
– Blaster (DDoS against hostname)
– Deloder (Arbitrary DDoS toolkit)
– Fully extensible today
(D)DoS was the initial botnet threat; an array of employment functions today, mostly with economic motivators, though religious, political, etc. as well
The Workshop
IAB called the workshop to
– Assess the state of affairs
– Examine existing countermeasures
– Collect input for action planning
Participants
The major findings are reported in:
– draft-iab-iwout-report-00.txt
The Workshop Findings
An Underground Economy exists
– It drives the majority of unwanted traffic
An arms race with the evolving underground economy
– Currently the situation is getting worse
– Increasing virulence of malware
– Persistence of existing compromised systems
An action plan is needed!
The Underground Shopping Mall
– 5th Floor, Servers: Military, Government, Business
– 4th Floor, Retail: Credit cards, Social Security No’s, Bank Accounts
– 3rd Floor, Internet: Hosts, Core Routers, Spoofed Addresses
– 2nd Floor, Equipment: Bots & Botnets
The Root of All Evils: An Underground Economy
– The Underground Economy is a virtual shopping mall where your belongings and assets are bought and sold
– The shopping mall and stores are managed by criminals
– They use the tools we have developed to run the warehouse
– Inventory list: credit cards, bank accounts, core Internet routers, business critical servers, bots, botnets, etc.
Why an Underground Economy?
The monetary incentives are HUGE!
Lack of meaningful deterrence
– Vulnerable host platforms
– Lack of education to add protection or prompt repair
– Prosecution of miscreants - extremely difficult
No proactive actions from service providers
– Lack of resources
– Lack of adequate tools
– Efforts go into reactive patches (damage control, miscreants move around)
– Rare for mitigation to involve sanitizing hosts
– ROI
The botnet example
Vectors
– Vulnerability -> Exploit
– Compromise/Infection
– Propagation
– C & C
Employment
– DDoS (spoof and non)
– Spam
– Spam w/phishing, host phishing sites
– Open proxies
– ID theft
– Key loggers
– Lift CD keys
– Click Fraud
– Stream video?
– Marketing!
Current Vulnerabilities and Existing Solutions
Vulnerabilities
– Source address spoofing
– BGP route hijacking
– “Everything over HTTP”
– Everyone comes from Everywhere
– Complex network authentication
– Security tools - unused
Solutions
Internet:
– Access control lists (ACL)
– BGP null routing
– BCP38
– uRPF/BCP 84
Enterprise:
– Firewalls
– ALGs
– Anti-Spam SW
Why Existing Solutions Fail
Tools are inadequate … or improperly deployed
Competence is low … and education is inadequate
Network operators must demonstrate ROI for CAPEX and BCP investment, not immediately obvious
Hard Questions
Internet Architecture and stopping Unwanted Traffic
– Cryptographic mechanisms
– Curtailing the openness
– Increasing the system complexity
– Architectural principles we need to preserve
– Separate control plane
– The adversary is very adaptive … and will take counter actions for any move we make to defend ourselves - e.g., BlueSecurity example
Bad - going on worse
But we see things that can be done!
There is a light at the end of the tunnel!
Situation will stay “gloomy” only as long as we let it!
Medium and Long Term
Tightening security of the routing infrastructure
Cleaning up the Internet Routing Registry Repository [IRR], and securing both the database and the access, so that it can be used for routing verifications
Take down bots and botnets
Even without a magic wand we are able to take measures to reduce the unwanted traffic
Community education (e.g., TCP MD5, use the filtering BCP’s, etc.)
Layer security, raise the bar
Actionable
Update the host requirements
Update the router requirements.
Update ingress filtering (BCP38 [RFC2827] and BCP 84 [RFC3704]).
The IAB
– inform the community about the existence of the underground economy.
The IRTF
– steps toward understanding the Underground Economy
– encourage research on effective countermeasures.
A Concluding Note
The Underground Economy is different from what we have seen before
– It’s no longer kiddies with nothing better to do
– It is a financially motivated illegal activity
– The technology and global connectedness of the Internet is just the enabler
The situation is getting worse
However, there is growing awareness of the issues of the Underground Economy and that is the first step towards effective solutions