Threat to Performance - Cisco (presentation transcript)
Stephen Lynn
Consulting Systems Engineer
U.S. Federal Area
CCIE# 5507 R/S, WAN, Security
Threat to Performance
Positive Control of Network Behavior
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Agenda
• Core Security & Trends
• “In the Box” Security Discussion
• Detection and Classification
• Mitigation
• Keeping Up to Date
Network Security Is a System
• Firewall + AV ≠ Network Security
• Network security is not something you can just buy
  Technology will assist
  Policy, operations, and design are more important
• Network security system: a collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets
Core Security & Trends
Major Cyber Security Events
• Jan. 2003 – Slammer worm shut down Bank of America’s ATMs, Continental Airlines' ticketing system, and Seattle's 911 network
• Nov. 2008 – Conficker virus infected the French Navy, UK Ministry of Defence, Norwegian Police, and other European governments' computer networks
• Jan. 2010 – Sophisticated cyber attacks originating from China targeted Google and 30 other major companies
Remember Collateral Damage!
• We understand intrusions (patch, patch, patch ;-))
• What about DoS? Do “the right things” and still suffer
• Most modern DoS attacks are distributed: DDoS IS DoS
• DoS is often driven by financial motivation: DoS for hire :-( (an economically-driven miscreant community)
• Politically motivated botnet DoS
• DoS cannot be ignored; your business depends on effective handling of attacks
“the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests - known as distributed denial of service, or D.D.O.S., attacks….. it was the first time a cyber attack had coincided with a real war.”
Source - http://www.nytimes.com/2008/08/12/world/europe/12iht-cyber.4.15218251.html
A Network Infrastructure View: Denial of Service
[Diagram: zombies on innocent computers send traffic across the ISP backbone (AS 24) and a peering link toward the ISP edge, flooding the pipe into the enterprise]
Impact of DoS and Worms: Direct and Collateral Damage
Availability of networking resources is impacted by the propagation of the attack.
[Diagram: access, distribution, and core layers; a bot or infected source sends traffic toward the system under attack]
Network links overloaded: high packet loss; mission-critical applications impacted
Routers overloaded: high CPU; instability; loss of management
End systems overloaded: high CPU; applications impacted
Botnets Make DDoS Attacks Easy
[Diagram: an attacker commands zombies; their traffic crosses the ISP edge router and the last-mile connection to the customer premise (server/firewall/switch/router, CE)]
• Botnets for rent!
• A “botnet” is a group of compromised computers on which attackers have installed special programs (zombies) to launch DoS attacks
  Botnet attacks are triggered from a “central controller”
  Botnets allow for many types of DDoS attacks: ICMP attacks, TCP attacks, UDP attacks, HTTP overload, and others
  Options for deploying botnets are extensive, and new tools are created to exploit the latest system vulnerabilities
• A relatively small botnet can cause great damage: 1000 home PCs with an average upstream bandwidth of 128 kbit/s can offer more than 100 Mbit/s against a target
• The size of the attacks is ever increasing and independent of last-mile bandwidth
Uptick in DDoS Attacks
• Early 2009 spike in DDoS attacks impacting infrastructure
• Sourced from botnets
• Diverse targets disrupting service to millions of customers
  – Cloud computing provider
  – Web hosting provider
  – Security provider
  – DNS registrar
  – Telecom provider
• Targeting DNS to amplify attacks
• Not extortion attempts
• 40 Gbps seen
Source: Arbor Networks Worldwide Infrastructure Security Report
Control and Management Plane Security
[Diagram: Data plane. All packets are forwarded through the platform: ingress packets take the CEF forwarding path and leave as forwarded packets. Punted packets reach the route processor CPU over multiple paths: the receive/host path and the transit/CEF-exception path.]
[Diagram: Control plane. ARP, BGP, OSPF, and the other protocols that glue the network together are handled by the route processor CPU. Punted packets reach it over the same multiple paths: the receive/host path and the transit/CEF-exception path.]
Control Plane Security
• The control plane is the logical group that contains all routing, signaling, link-state, and other control protocols used to create and maintain the state of the network and its interfaces
• It is critical that control plane resources and protocols are protected
  Keep the network up and running at all times
  Prevent traffic redirection that could result in a DoS condition, eavesdropping, or manipulation of application-layer (data) content
• The control plane also enables other protection mechanisms that help mitigate the risk of security attacks
IP Control Plane Security Techniques
• Disable unused control plane services
• ICMP techniques
• Selective packet discard
• IP receive ACL
• Control plane policing
• CoPPr
• MD5 authentication
• BGP techniques
• Protocol-specific filters
Note: Not All of These Techniques Will be Covered in This Session, See Reference Section for More Details
ICMP Techniques
• ICMP is handled at the Cisco IOS process level; as a result, it is being leveraged within DoS attacks
• By default, Cisco IOS software enables certain ICMP processing functions in accordance with IETF standards
• These default configurations may not conform to security best practices or to security policies you may have for your network
ICMP Techniques
To reduce the risk of ICMP-related DoS attacks:
• no ip unreachables: the interface won’t generate ICMP Destination Unreachables (Type 3); reduces the impact of ICMP-based DoS attacks
• no ip redirects: the interface won’t generate ICMP Redirects (Type 5) when sending an IP packet out the same interface on which it was received
• no ip information-reply: the router won’t generate ICMP Information Replies (Type 16) when receiving ICMP Information Requests (Type 15) - applied by default
• no ip mask-reply: the router won’t generate ICMP Address Mask Replies (Type 18) when receiving ICMP Address Mask Requests (Type 17) - applied by default
• Interface ACLs: infrastructure and transit ACLs can filter ICMP messages, including ICMP Source Quench (Type 4), ICMP Echo (Type 8), and ICMP Timestamp (Type 13) messages
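The interface commands and ACL filtering the slide lists, written out as an added configuration example (not taken from the slides). The interface name, the ACL name TRANSIT-ICMP, the rate-limit value, and the protected range 203.0.113.0/24 are assumed values.

```cisco
! Added example, not from the slides. Interface, ACL name, rate-limit value and the
! protected range 203.0.113.0/24 are assumed.
interface GigabitEthernet0/0
 description Untrusted-facing interface
! Type 3: no Destination Unreachables generated on this interface.
! Caveat: this also suppresses "fragmentation needed" (Type 3, Code 4), so path MTU
! discovery through this hop stops working for transit hosts.
 no ip unreachables
! Type 5
 no ip redirects
! Types 16 and 18 are already off by default; stated explicitly so an audit can see it
 no ip information-reply
 no ip mask-reply
 ip access-group TRANSIT-ICMP in
!
! Alternative to "no ip unreachables" when PMTUD must keep working: keep generating
! unreachables, but at most one every 1000 ms (router-wide setting).
ip icmp rate-limit unreachable 1000
!
! Transit ACL: drop the obsolete or abusable types the slide calls out, keep the types
! that troubleshooting and PMTUD depend on, log anything else, then pass the rest of IP.
ip access-list extended TRANSIT-ICMP
 deny   icmp any any timestamp-request
 deny   icmp any any source-quench
 deny   icmp any 203.0.113.0 0.0.0.255 echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 deny   icmp any any log
 permit ip any any
```

Hit counts from show access-lists TRANSIT-ICMP show which ICMP types actually arrive before any drop rule is tightened further; the echo deny is scoped to the infrastructure range rather than to any destination so that customers' own hosts remain pingable.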
Control Plane Policing (CoPP)
• CoPP provides filtering and rate-limiting capabilities for all packets “punted” to the route processor
• Uses the Modular QoS CLI (MQC) syntax for QoS policy definition
• Dedicated control-plane “interface” for applying QoS policies—single point of application
  Router(config)# control-plane [slot slot-number]
  Router(config-cp)# service-policy input control-plane-policy
• CoPP is widely available within IOS, including Cisco IOS 12.0S, 12.2S, 12.2SX, 12.2SBC, 12.3T and later releases
CoPP Conceptual View
• Applies to all ingress packets punted to the IOS process level
• Silent mode available for output (locally sourced) control packets
[Diagram: incoming packets traverse the CEF input forwarding path (ACL, uRPF, NAT) and the CEF/FIB lookup; processor-switched packets enter the control plane through Control Plane Policing (alleviating DoS attacks) while locally switched packets continue through the packet buffer. Input to the control plane includes management (SNMP, Telnet), ICMP, IPv6, and routing updates; output from the control plane (management: SSH, SSL, and others) passes through Silent Mode (reconnaissance prevention) to the output packet buffer.]
Deploying CoPP
• Drop packets prior to CoPP: ACLs, Unicast Reverse Path Forwarding (Unicast RPF), and additional features
• Identify necessary protocols and maybe even initial rate-limiting values
  Based on configurations, NetFlow data, classification ACLs, and show commands (show ip traffic, show ip socket, etc.)
• Develop and pilot the CoPP framework without enforcing rate-limits
• Refine the policy and adjust rates based on observation
• Deploy the policy and enforce rate-limits as required
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
NetFlow for Security Detection
Key Concept—NetFlow Scalability
• Packet capture is like a wiretap
• NetFlow is like a phone bill
• This level of granularity allows NetFlow to scale for very large amounts of traffic
  We can learn a lot from studying the phone bill!
  Who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
  NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor
NetFlow: Internal Threat Information Resource
• NetFlow is available on routers and switches
• Have syslog-like information without having to buy a firewall
• One NetFlow packet has information about multiple flows
  [Diagram: the NetFlow cache is exported as packets carrying a header (sequence number, record count, version number) followed by multiple flow records]
  router(config-if)# ip flow ingress
  router(config)# ip flow-export destination 172.17.246.225 9996
NetFlow Output: Internal Threat Information Resource
[Screenshots: traffic classification, flow summary, and flow detail views]
NetFlow Performance: http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml
Introduction to Flexible NetFlow (FNF)
• Fixed export formats (NetFlow versions 1, 5, 7, 8) are not flexible and adaptable; each new version contains new export fields and is incompatible with the previous version
• Flexible NetFlow completely separates the collection and export processes
• Allows customization of NetFlow collection:
  Scalable by maintaining flow records of the granularity that is required for a particular user’s application
  Supports more than 100 fields to configure flow records
  Capture and export complete packet headers for security and other applications
• Offers new export protocols (UDP, SCTP)
• Flexible NetFlow is available in Release 12.4(9)T
  Cisco 800, 1800, 2800, 3800, 7200, and 7301 series
Using NetFlow Version 9 and FNF
• NetFlow Version 9 is a major enhancement to the earlier versions; it is now possible to define what information is exported using templates
• A template specifies which fields are key fields and which are non-key fields
• The information gathered is exported along with a reference to the template to which it belongs
• The packet payload can be used as both key and non-key fields
FNF Multiple Monitors With Unique Key Fields
Flow monitor 1 (Traffic Analysis Cache)
  Key fields (packet 1): Source IP 3.3.3.3; Destination IP 2.2.2.2; Source port 23; Destination port 22078; Layer 3 protocol TCP (6); TOS byte 0; Input interface Ethernet 0
  Non-key fields: Packets; Bytes; Time stamps; Next-hop address
  Cache contents:
    Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
    3.3.3.3    2.2.2.2   E1         6         0    …  11000
    1.1.1.1    2.2.2.2   E1         6         0    …  11000
Flow monitor 2 (Security Analysis Cache)
  Key fields (packet 2): Source IP 3.3.3.3; Dest IP 2.2.2.2; Input interface Ethernet 0; Packet section 1010101
  Non-key fields: Packets; Time stamps
  Cache contents:
    Source IP  Dest. IP  Dest. I/F  Input I/F  Sec  …  Pkts
    3.3.3.3    2.2.2.2   E1         E1         101  …  11000
Using FNF for Detection
Different flow monitors for detecting different information:
[Diagram: WAN, data center, campus, and branch segments, each with its own flow monitor]
Security flows: protocol, ports, IP addresses, TCP flags, packet section
Multicast flows: protocol, ports, IP subnets, packet replication
ISP peering flows: destination AS, destination traffic index, BGP next hop, DSCP
IP flows: IP subnets, ports, protocol, interfaces, egress/ingress
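Two Flexible NetFlow monitors with different key fields on one interface, in the spirit of the Traffic Analysis and Security Analysis caches of the FNF slides, as an added configuration example that is not from the slides. The collector address 172.17.246.225 and port 9996 are the ones the NetFlow slide shows; the interface, the record/monitor/exporter names and the timeouts are assumed, and the slide's packet-section key is left out.

```cisco
! Added example, not from the slides. Object names, interface and timeouts are assumed.
!
! One exporter, template-based v9, shared by both monitors
flow exporter NF-COLLECTOR
 destination 172.17.246.225
 transport udp 9996
 export-protocol netflow-v9
 template data timeout 60
!
! Monitor 1: classic 7-tuple key for traffic analysis; counters and next hop are non-key
flow record TRAFFIC-ANALYSIS
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 collect counter packets
 collect counter bytes
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect ipv4 next-hop address
!
! Monitor 2: coarser key (no ports), so a host sweeping ports or addresses shows up as
! one large flow instead of thousands of tiny ones; TCP flags are collected so a stream
! of bare SYNs can be told apart from completed sessions
flow record SECURITY-ANALYSIS
 match ipv4 source address
 match ipv4 destination address
 match interface input
 collect transport tcp flags
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor TRAFFIC-MON
 record TRAFFIC-ANALYSIS
 exporter NF-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
flow monitor SECURITY-MON
 record SECURITY-ANALYSIS
 exporter NF-COLLECTOR
 cache timeout active 30
!
interface GigabitEthernet0/1
 ip flow monitor TRAFFIC-MON input
 ip flow monitor SECURITY-MON input
```

The short active timeout on SECURITY-MON trades export volume for detection latency; show flow monitor SECURITY-MON cache lets you read the security cache on the router itself before a collector is in place.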
Network Behavioral Analysis (NBA)
• Networks and network-enabled devices constantly create traffic; however, this traffic follows certain patterns according to the applications and user behaviour
• The key is to collect traffic information (NetFlow) and calculate various statistics. These are then compared against a baseline, and abnormalities are analyzed in more detail.
• Analyzing these patterns allows us to see what is NOT normal
NetFlow and Commercial Anomaly-Detection Tools
• Lancope StealthWatch Xe, Narus InSight Manager, and Q1 Labs QRadar all provide both statistical and behavioral anomaly detection
• Cisco CS-MARS and Arbor Peakflow SP DoS perform statistical anomaly detection
• Arbor Peakflow/X performs relational/behavioral anomaly detection
Remote Triggered Black Holes
Destination-Based Remote Triggered Black Hole Filtering
• The method uses BGP to trigger a network-wide response to a range of attack flows.
• A simple static route to Null0 and BGP will allow an ISP to trigger network-wide black holes as fast as iBGP can update the network.
• This provides ISPs with a tool that can be used to respond to security-related events or used for DoS/DDoS backscatter tracebacks.
Destination-Based Remote Triggered Black Hole Filtering
The setup (preparation)
• A trigger is a special device that is installed at the NOC exclusively for the purpose of triggering a black hole.
• The trigger must have an iBGP peering relationship with all the edge routers (or, if using route reflectors, it must have an iBGP relationship with the route reflectors in every cluster).
• The trigger is also configured to redistribute static routes to its iBGP peers. It sends the static route by means of an iBGP routing update.
• The Provider Edges (PEs) must have a static route for an unused IP address space. For example, 192.0.2.1/32 is set to Null0.
• The IP address 192.0.2.1 is reserved for use in test networks and is not used as a deployed IP address.
Destination-Based Remote Triggered Black Hole Filtering
The trigger
• An administrator adds a static route to the trigger, which redistributes the route by sending a BGP update to all its iBGP peers. This sets the next hop for the target destination address under attack to 192.0.2.1 in the current example.
• Each PE receives this “triggered” iBGP update and sets its next hop to the target unused IP address space of 192.0.2.1.
• The route to this address is set to Null0 in the PE, using a static routing entry in the router configuration.
• The next-hop entry in the forwarding information base (FIB) for the destination IP (target) is now updated to Null0.
• All traffic to the target will now be forwarded to Null0 at the edge and dropped.
Destination-Based Remote Triggered Black Hole Filtering
The withdrawal
• Once the trigger is in place, all traffic to the target destination is dropped at the PEs.
• When the threat no longer exists, the administrator must manually remove the static route from the trigger, which sends a BGP route withdrawal to its iBGP peers.
• This prompts the edge routers to remove the existing route for the target that is pointed to 192.0.2.1 and to install a new route based on the IGP routing information base (RIB).
Activate the Remote Triggered Black Hole Filtering
BGP sent – 171.68.1.0/24 next-hop = 192.0.2.1
Static route in edge router – 192.0.2.1 = Null0
171.68.1.0/24 = 192.0.2.1 = Null0
Next hop of 171.68.1.0/24 is now equal to Null0
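The preparation, trigger and withdrawal steps of the preceding slides as one configuration, added here as an example that is not from the slides. The prefix under attack (171.68.1.0/24) and the black-hole next hop (192.0.2.1) are the slide's values; the AS number 65000, the loopback peering addresses, the route-map name, and the tag value 66 are assumed.

```cisco
! Added example, not from the slides. AS number, peer addresses, route-map name and
! tag 66 are assumed; 171.68.1.0/24 and 192.0.2.1 are the values the slides use.
!
! ---- Every Provider Edge (PE), prepared in advance ----
! The black-hole next hop resolves to Null0, so any prefix whose BGP next hop becomes
! 192.0.2.1 is dropped in the forwarding path (the FIB, not an ACL).
ip route 192.0.2.1 255.255.255.255 Null0
interface Null0
 no ip unreachables
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
!
! ---- Trigger router at the NOC, prepared in advance ----
! Only static routes tagged 66 are redistributed; they are rewritten to next hop
! 192.0.2.1, preferred over any other path, and kept inside the AS with no-export.
ip route 192.0.2.1 255.255.255.255 Null0
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! ---- Activation: one command on the trigger while the attack is running ----
ip route 171.68.1.0 255.255.255.0 Null0 tag 66
!
! ---- Withdrawal once the attack ends: removing the static sends the BGP withdrawal ----
no ip route 171.68.1.0 255.255.255.0 Null0 tag 66
```

On a PE, show ip bgp 171.68.1.0 should show next hop 192.0.2.1 and show ip cef 171.68.1.0 should resolve to Null0 while the trigger route exists; if a PE is missing its 192.0.2.1 static, the next hop is unresolvable there and that PE keeps forwarding the attack. The no-export community keeps the trigger route from leaking to eBGP peers, and the deny clause at sequence 20 stops any other static route on the trigger from entering BGP by accident.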
[Diagram: Customer is under a DoS attack at a specific destination. Attack traffic arrives from Peer A and Peer B via IXP-W and IXP-E and from Upstream A and Upstream B, converging on the POP; the target is taken out.]
[Diagram: The DoS impacts other key network elements. The attack causes collateral damage to other customers served by the same POP and upstream links.]
[Diagram: RTBH is triggered to eliminate the DoS on specific destination hosts/addresses. The NOC's iBGP advertises the list of black-holed prefixes; edge routers drop packets destined for the target.]
Destination-Based Remote Triggered Black Hole Filtering - Summary
• Remote Triggered Black Hole Filtering is the foundation for a whole series of techniques to trace back and react to DoS/DDoS attacks on an ISP’s network.
• Preparation does not affect ISP operations or performance.
• It is powerful, scalable, requires no real-time change to the router configs, and drops happen in the forwarding path.
• But the destination-based approach does quite effectively black-hole the destination…
Black Hole Filtering – Source Based
• What do we have?
  Blackhole filtering – if the destination address equals Null0, we drop the packet
  Remote triggered – trigger a prefix to equal Null0 on routers across the network at iBGP speeds
  Unicast RPF loose check – if the source address equals Null0, we drop the packet
• Put them together and we have a tool to trigger a drop for any packet coming into the network whose source or destination equals Null0
  Edge devices must have the static route configured
  The BGP trigger sets the next hop – in this case the attacker is the source we want to drop
Black Hole Filtering – Source Based
• Dropping on destination is very important; dropping on source is often what we really want
• Requires Unicast RPF
• Reacting using the source address provides some interesting options
  Stop the attack without taking the destination offline
  Filter command and control servers
  Filter (quarantine) infected end stations
• Must be rapid and scalable: leverage pervasive BGP again
Black Hole Filtering – Source Based
• Advantages of using source-based filtering
  No ACL update
  No change to device configuration
  Drops happen in the forwarding path
  Frequently changes when attack profiles are dynamic
• Weaknesses when using source-based filtering
  Source detection and enumeration
  Attack termination detection (reporting)
  Will drop all packets with source and destination on all triggered interfaces, regardless of actual intent
  Remember spoofing: don’t let the miscreant spoof the true source-based target and trick you into black holing them
  Whitelist important sites that should never be blocked
Source-Based RTBH – Drop at the Edge
[Diagram: the NOC's (G) iBGP advertises the list of black-holed prefixes based on source addresses; edge routers A through F, facing Peer A, Peer B, IXP-W, IXP-E, Upstream A, and Upstream B, drop incoming packets based on their source address before they reach the POP and the target]
Source Based Remote Triggered Black Hole – Key Feature Check
• Rapid deployment to edge routers: Remote Triggered Black Hole Filtering
• Source-based filter: uRPF loose check with black hole filtering – any packet whose source or destination address equals Null0 is dropped
• Thousands of lines: the black list is only limited by the size of the FIB
• Modified on the fly: just add/remove static routes on the trigger router; black list updates happen at BGP speeds
• All platforms at line rate: all ASICs support uRPF loose check
Remote Triggered Black Hole: Summary
• Dropping on destination is very important; dropping on source is often what we really need
• Reacting using the source address provides some interesting options:
  Stop the attack without blackholing real services
  Filter command and control servers
  Filter (contain) infected end stations
• Must be rapid and scalable: BGP-triggered black hole filtering (destination based)
  Add loose-mode uRPF – drop any incoming packet whose source or destination now maps to Null0
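The two additions that turn the destination-based RTBH setup described on the preceding slides into the source-based variant, plus the whitelist the weaknesses slide asks for, as an added configuration example that is not from the slides. It assumes the trigger already redistributes tagged static routes through a route-map named RTBH-TRIGGER with next hop 192.0.2.1 (name and tag 66 assumed); the interface, the attacking source 198.51.100.77 and the whitelisted prefix 203.0.113.0/24 are documentation addresses standing in for real ones.

```cisco
! Added example, not from the slides. Interface, the source 198.51.100.77, the whitelist
! prefix, the route-map name RTBH-TRIGGER and tag 66 are assumed.
!
! ---- Every PE: loose-mode uRPF on the interfaces facing peers and upstreams ----
! A packet is dropped when the FIB entry for its SOURCE address points to Null0,
! which is exactly what a trigger route with next hop 192.0.2.1 produces.
interface GigabitEthernet0/0
 description To peer / upstream
 ip verify unicast source reachable-via any
!
! ---- Trigger: prefixes that must never be black-holed, source- or destination-based ----
! A deny clause with a lower sequence number than the permit clause is evaluated first,
! so a spoofed "attacker" inside the whitelist can never be pushed into BGP.
ip prefix-list RTBH-WHITELIST seq 5 permit 203.0.113.0/24 le 32
route-map RTBH-TRIGGER deny 5
 match ip address prefix-list RTBH-WHITELIST
!
! ---- Activation: drop everything FROM the attacking source at every edge ----
ip route 198.51.100.77 255.255.255.255 Null0 tag 66
!
! ---- Withdrawal ----
no ip route 198.51.100.77 255.255.255.255 Null0 tag 66
```

Two caveats follow from the mechanism rather than from the slides: loose-mode uRPF without the allow-default keyword also drops packets whose source is covered only by a default route, so a PE that carries a default route needs ip verify unicast source reachable-via any allow-default; and because the trigger route is an ordinary FIB entry, packets destined to 198.51.100.77 are dropped as well (the slide's "source and destination ... regardless of actual intent"), which is why the whitelist belongs on the trigger and not on individual PEs.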
Cisco IP NGN Security Approach: Mapping Solutions to Cisco IP NGN Security Actions
Specific Cisco technologies and solutions can be mapped to one or more security actions: Identify, Monitor, Correlate, Isolate, Enforce, Harden.
Technologies and solutions (in slide order): Packet Gateways; Access Registrar; Service Control Engine; Anomaly Detector; NetFlow; Syslog; SNMP; EEM; Visual Tools; CS-MARS; CW-SIMS; Partners (Narus, Lancope); Open Source Tools; Layer-2 VPNs; Layer-3 VPNs; Encryption; Session Border Control; Anomaly Guard; Service Control Engine; IDS/IPS; Fail-Open Peering; Network Foundation Protection; Adaptive Security Appliances; IOS and IOS XR
Keeping Up to Date
Cisco Security Center: powered by IntelliShield and IronPort SenderBase
“Top 20 IT Security Web Sites” – Network World, April 10, 2008
Shadowserver.org: “… an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.”
Security Architecture Assessment (SAA) Service
Assessment areas: Perimeter; Wireless; Unified Communications; Data Center; Endpoint; Firewall Rules; Physical; Internal (required)
Activities
• Review security architecture business goals, objectives, and requirements
• Evaluate the effectiveness of each technical control at providing the designated security function
• Provide a report that documents architecture control gaps, security risk analysis, and prioritized recommendations for remediation
Benefits
• Address compliance requirements by identifying improved internal controls needed to better protect data
• Safeguard employee productivity, primary intellectual property, and sensitive customer data by mitigating security risks
Worm/Virus: Exploit Comparison (20 Years)
Phases compared: Probe, Penetrate, Persist, Propagate, Paralyze
Morris (1988)
  Probe: Scan for Fingerd
  Penetrate: Buffer overflow in Fingerd
  Persist: Execute script to download code
  Propagate: Look for addresses and spread to new victim
  Paralyze: Lots of processes slow system
Love Bug (2000)
  Probe: N/A
  Penetrate: Arrive as email attachment
  Persist: Create executables and edit registry
  Propagate: Open address book and email copies
  Paralyze: Worm spreads
Code Red (2001)
  Probe: Scan for IIS
  Penetrate: Buffer overflow in IIS
  Persist: Execute script to download code
  Propagate: Pick new addresses and spread to new victim
  Paralyze: Lots of threads slow system
Slammer (2003)
  Probe: N/A
  Penetrate: Buffer overflow in SQL and MSDE
  Persist: N/A
  Propagate: Pick new addresses and spread to new victim
  Paralyze: Lots of packets slow network
MyDoom (2004)
  Probe: N/A
  Penetrate: Arrive as email attachment
  Persist: Create executables and edit registry
  Propagate: Open address book and email copies
  Paralyze: Worm spreads
Zotob (2005)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer overflow in UPnP service
  Persist: Create files, edit registry, download code
  Propagate: FTP and TFTP services; search for addresses and spread to new victim
  Paralyze: Delete registry keys and files, terminate processes
RPC DNS (2007)
  Probe: Scan or Endpoint Mapper
  Penetrate: Buffer overflow in RPC service
  Persist: Execute payload to download code
  Propagate: Look for addresses and spread to new victim
  Paralyze: Worm/Trojan spreads
MS08-067 (2008)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer overflow in Server Service; mapped and removable drives
  Persist: Create files, modify registry, download code, DNS hooking, kill processes, hot patch
  Propagate: Peer-to-peer C&C, HTTP C&C, network share, web listener
  Paralyze: Worm spreads
Threat and Attack Models
Resource Exhaustion Attacks
• DoS attack makes the target unavailable for its intended service
• Attempted by direct, transit, or reflection-based attack
Spoofing Attacks
• Uses packets that masquerade with false data (such as source IP address) to exploit a trust relationship
Transport Protocol Attacks
• Prevents upper-layer communication between hosts or hijacks an established session
• Exploits previous authentication measures
• Enables eavesdropping or false data injection
Routing Protocol Attacks
• Prevents or disrupts routing protocol peering or redirects traffic flows
• Attempts to inject false information, alter existing information, or remove valid information
Threat and Attack Models (Cont.)
Attacks Against IP Control-Plane Services
• Attacks against DHCP, DNS, and NTP
• Affects network availability and operations
Unauthorized Access Attacks
• Attempts to gain unauthorized access to restricted systems and networks
Software Vulnerabilities
• Software defect that may compromise confidentiality, integrity, or availability of the device and data-plane traffic
Malicious Network Reconnaissance
• Gathering information about a target device, network, or organization
• Enables the attacker to identify specific security weaknesses that may be exploited in a future attack
Conficker a.k.a. Downadup and MS08-067: Timeline (October 2008 to mid-2009)
• 15 October 2008 – MIT MD6 hash released
• 23 October 2008 – MS08-067 published; Cisco Security Agent prevents exploitation using default desktop or default server policies
• 21 November 2008 – Conficker.A spreads: exploits MS08-067; DNS hooking; connects to 250 randomly generated domains/hosts per day; MD5 hashing with 1024-bit RSA digital certificate
• 29 December 2008 – Conficker.B spreads, 38 days after Conficker.A: network share exploitation using 445/tcp added; removable drive propagation added; connects to a different set of 250 randomly generated domains/hosts per day; MD6 hashing with 4096-bit RSA digital certificate
• 15 January 2009 – MIT MD6 buffer overflow patched; Conficker.A+B affected by this vulnerability
• 15 January 2009 to 15 February 2009 – Major growth in Conficker.A+B population
• 4 February 2009 – SRI Conficker analysis published
• 12 February 2009 – Conficker Working Group announced
• 15 February 2009 onward – DNS mitigation by CWG for Conficker.A+B
• 20 February 2009 – Conficker.C discovered, 53 days after Conficker.B: accepts commands from other Conficker nodes using peer-to-peer (P2P) via the MS08-067 vulnerability; Conficker begins to shift to a resilient P2P architecture
• 4 March 2009 – Conficker.D discovered, 65 days after Conficker.B and 12 days after Conficker.C: connects to 500 random hosts per day (24 hours) out of 50k randomly generated domains on 1 April 2009; peer-to-peer with other Conficker.D infected nodes; MIT MD6 vulnerability patched; MS08-067 scanning removed; more processes added to termination list; DNS blacklist updated for security-related web sites
• 4 March 2009 onward – DNS mitigation by CWG for Conficker.C
• 8 March 2009 – SRI Conficker.C analysis published
• 30 March 2009 to 3 April 2009 – Media goes crazy over Conficker.D
• 30 March 2009 to 4 April 2009 – Various detection tools and research published
• 1 April 2009 – Conficker.D transitions to the new phone-home method (“April Fools is here, everything is melting :D”)
• 8 April 2009 – Conficker.E, 27 days after Conficker.D: updates Conficker.B+C+D; deletes itself on May 3
Size of DDoS Attacks
• Attacks now exceed 40 gigabits
• 57% of service providers reported attacks greater than 1 gigabit, nearly double last year
• Larger attacks inflict upstream collateral damage
• Protocol exhaustion and flood-based attacks are predominant
• Lower-bandwidth attacks target specific services and exploit service weaknesses
Source: Arbor Networks Worldwide Infrastructure Security Report
Defense in Depth and Breadth—Cisco IOS Features “Order of Operations”
Ingress IOS features (in order):
1. IP Traffic Export (RITE)
2. QoS Policy Propagation through BGP (QPPB)
3. Ingress Flexible NetFlow
4. Network Based Application Recognition (NBAR)
5. Input QoS Classification
6. Ingress NetFlow
7. IOS IPS Inspection
8. Input Stateful Packet Inspection (IOS FW)
9. Input ACL
10. Input Flexible Packet Matching (FPM)
11. IPsec Decryption (if encrypted)
12. Unicast RPF Check
13. Input QoS Marking
14. Input Policing (CAR)
15. Input MAC/Precedence Accounting
16. NAT Outside-to-Inside
17. Policy Routing
Routing
Egress IOS features (in order):
1. WCCP Redirect
2. NAT Inside-to-Outside
3. Network Based Application Recognition (NBAR)
4. BGP Policy Accounting
5. Output QoS Classification
6. Output ACL Check
7. Output Flexible Packet Matching (FPM)
8. DoS Tracker
9. Output Stateful Packet Inspection (IOS FW)
10. TCP Intercept
11. Output QoS Marking
12. Output Policing (CAR)
13. Output MAC/Precedence Accounting
14. IPsec Encryption
15. Egress NetFlow
16. Egress Flexible NetFlow
17. Egress RITE
18. Output Queuing (CBWFQ, LLQ, WRED)