Threat to Performance - Cisco

Page 1

Threat to Performance
Positive Control of Network Behavior

Stephen Lynn, Consulting Systems Engineer, U.S. Federal Area
CCIE# 5507 R/S, WAN, Security
stlynn@cisco.com

Page 2

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda

• Core Security & Trends
• “In the Box” Security Discussion
• Detection and Classification
• Mitigation
• Keeping Up to Date

Page 3

Network Security Is a System

• Firewall + AV ≠ Network Security
• Network security is not something you can just buy
  – Technology will assist
  – Policy, operations, and design are more important
• Network security system: a collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets

Page 4

Core Security & Trends

Page 5

Major Cyber Security Events

• Jan. 2003 – the Slammer worm shut down Bank of America’s ATMs, Continental Airlines’ ticketing system, and Seattle's 911 network
• Nov. 2008 – the Conficker virus infected the French Navy, UK Ministry of Defense, Norwegian Police, and other European government computer networks
• Jan. 2010 – sophisticated cyber attacks originating from China targeted Google and 30 other major companies

Page 6

Remember Collateral Damage!

• We understand intrusions (patch, patch, patch ;-))
• What about DoS? Do “the right things” and still suffer
• Most modern DoS attacks are distributed
  – DDoS is DoS
• DoS is often driven by financial motivation
  – DoS for hire :-(
  – Economically-driven miscreant community
• Politically motivated botnet DoS
• DoS cannot be ignored; your business depends on effective handling of attacks

Page 7

“the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests - known as distributed denial of service, or D.D.O.S., attacks….. it was the first time a cyber attack had coincided with a real war.”

Source: http://www.nytimes.com/2008/08/12/world/europe/12iht-cyber.4.15218251.html

Page 8

A Network Infrastructure View: Denial of Service

Figure: zombies on innocent computers send traffic across the ISP backbone (AS 24) and the peering link to the ISP edge, producing a flooded pipe into the enterprise.

Page 9

Impact of DoS and Worms: Direct and Collateral Damage

Availability of networking resources impacted by the propagation of the attack

Figure: traffic from a bot or infected source crosses the access, distribution, and core layers to the system under attack. Labels:

• Network links overloaded: high packet loss; mission critical applications impacted
• Routers overloaded: high CPU; instability; loss of management
• End systems overloaded: high CPU; applications impacted

Page 10

Botnets Make DDoS Attacks Easy

Figure: attacker, zombies, last mile connection, ISP edge router, and the CE at the customer premise (server/firewall/switch/router).

• Botnets for Rent!
• A “Botnet” is a group of compromised computers on which attackers have installed special programs (zombies) to launch DoS attacks
  – Botnet attacks are triggered from a “central controller”
  – Botnets allow for many types of DDoS attacks: ICMP attacks, TCP attacks, UDP attacks, HTTP overload, others
  – Options for deploying botnets are extensive, and new tools are created to exploit the latest system vulnerabilities
• A relatively small botnet can cause great damage
  – 1000 home PCs with an average upstream bandwidth of 128 kbit/s can offer more than 100 Mbit/s against a target
• The size of attacks is ever increasing and independent of last mile bandwidth

Page 11

Uptick in DDoS Attacks

• Early 2009 spike in DDoS attacks impacting infrastructure
• Sourced from botnets
• Diverse targets disrupting service to millions of customers
  – Cloud computing provider
  – Web hosting provider
  – Security provider
  – DNS registrar
  – Telecom provider
• Targeting DNS to amplify attacks
• Not extortion attempts
• 40 Gbps seen

Source: Arbor Networks Worldwide Infrastructure Security Report

Page 12

Control and Management Plane Security

Page 13

Data Plane

Figure: all packets are forwarded through the platform. Ingress packets enter the CEF forwarding path and leave as forwarded packets; packets that CEF cannot forward are punted to the route processor CPU. There are multiple paths for punted packets: the receive/host path and the transit/CEF-exception path.

Page 14

Control Plane

Figure: the same punt paths as the data plane view (CEF forwarding path, receive/host path, transit/CEF-exception path) deliver punted packets to the route processor CPU, where the control plane runs ARP, BGP, OSPF, and the other protocols that glue the network together.

Page 15

Control Plane Security

• The control plane is the logical group that contains all routing, signaling, link-state, and other control protocols used to create and maintain the state of the network and interfaces
• It is critical that control plane resources and protocols are protected
  – Keep the network up and running at all times
  – Prevent traffic redirection that could result in a DoS condition, eavesdropping, or manipulation of application layer (data) content
• The control plane also enables other protection mechanisms to help mitigate the risk of security attacks

Page 16

IP Control Plane Security Techniques

• Disable unused control plane services
• ICMP techniques
• Selective packet discard
• IP receive ACL
• Control plane policing (CoPP)
• Control plane protection (CoPPr)
• MD5 authentication
• BGP techniques
• Protocol specific filters

Note: not all of these techniques will be covered in this session; see the reference section for more details

Page 17

ICMP Techniques

• ICMP is handled at the Cisco IOS process level; as a result, it is leveraged within DoS attacks
• By default, Cisco IOS software enables certain ICMP processing functions in accordance with IETF standards
• These default configurations may not conform to security best practices or to the security policies you may have for your network

Page 18

ICMP Techniques

To reduce the risk of ICMP-related DoS attacks:

• no ip unreachables: the interface won’t generate ICMP Destination Unreachables (Type 3); reduces the impact of ICMP-based DoS attacks
• no ip redirects: the interface won’t generate ICMP Redirects (Type 5) when sending an IP packet out the same interface on which it was received
• no ip information-reply: the router won’t generate ICMP Information Replies (Type 16) when receiving ICMP Information Requests (Type 15) - applied by default
• no ip mask-reply: the router won’t generate ICMP Address Mask Replies (Type 18) when receiving ICMP Address Mask Requests (Type 17) - applied by default
• Interface ACLs: infrastructure and transit ACLs can filter ICMP messages, including ICMP Source Quench (Type 4), ICMP Echo (Type 8), and ICMP Timestamp (Type 13) messages

Page 19

Control Plane Policing (CoPP)

• CoPP provides filtering and rate-limiting capabilities for all packets “punted” to the route processor
• Uses the Modular QoS CLI (MQC) syntax for QoS policy definition
• Dedicated control-plane “interface” for applying QoS policies: a single point of application

Router(config)# control-plane [slot slot-number]
Router(config-cp)# service-policy input control-plane-policy

• CoPP is widely available within IOS, including Cisco IOS 12.0S, 12.2S, 12.2SX, 12.2SBC, 12.3T and later releases
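As an added check (example code written for this transcript, not Cisco's), the following script audits a constructed IOS running-config for the interface-level ICMP commands from the previous slide and for a service-policy attached under control-plane as shown above; the hostname, interfaces, addresses and policy name are made up.

```python
"""Audit an IOS running-config for the ICMP hardening commands and the
CoPP service-policy attachment described on the preceding slides.

Added example, not from the original deck. The running-config below is
constructed (hostname, interfaces, addresses and policy name are made up).
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
version 12.4
hostname edge-1
!
interface Loopback0
 ip address 192.0.2.10 255.255.255.255
!
interface GigabitEthernet0/0
 description Upstream peering
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet0/1
 description Customer facing
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 ip mask-reply
!
interface GigabitEthernet0/2
 shutdown
!
control-plane
 service-policy input COPP-POLICY
!
end
"""

# Not the IOS default, so they must appear explicitly on every routed interface.
REQUIRED = ("no ip unreachables", "no ip redirects")
# The slide says these replies are off by default; the positive form is the finding.
RISKY_IF_PRESENT = ("ip information-reply", "ip mask-reply")


def stanzas(config: str) -> Dict[str, List[str]]:
    """Map each top-level config line to the indented lines beneath it."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' closes the current stanza
        elif line.startswith(" "):
            if current is not None:
                result[current].append(line.strip())
        else:
            current = line
            result[current] = []
    return result


def audit_icmp(config: str) -> Dict[str, List[str]]:
    """Findings per routed, enabled interface; an empty dict means clean."""
    findings: Dict[str, List[str]] = {}
    for header, lines in stanzas(config).items():
        if not header.startswith("interface "):
            continue
        if "shutdown" in lines or not any(l.startswith("ip address") for l in lines):
            continue                # no IP address or administratively down: cannot generate ICMP
        issues = [f"missing '{cmd}'" for cmd in REQUIRED if cmd not in lines]
        issues += [f"explicitly enables '{cmd}'" for cmd in RISKY_IF_PRESENT if cmd in lines]
        if issues:
            findings[header.split(None, 1)[1]] = issues
    return findings


def copp_attached(config: str) -> bool:
    """True if a service-policy is applied under 'control-plane' (the slide's syntax)."""
    return any(
        line.startswith("service-policy input ")
        for header, lines in stanzas(config).items()
        if header.startswith("control-plane")
        for line in lines
    )


if __name__ == "__main__":
    for intf, issues in audit_icmp(SAMPLE_CONFIG).items():
        print(intf + ": " + "; ".join(issues))
    print("CoPP attached:", copp_attached(SAMPLE_CONFIG))
```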

Page 20

CoPP Conceptual View

• Applies to all ingress packets punted to the IOS process level
• Silent mode available for output (locally sourced) control packets

Figure: incoming packets pass through the CEF input forwarding path (ACL, uRPF, NAT) and the CEF/FIB lookup. Locally switched packets are forwarded; processor switched packets enter the packet buffer and Control Plane Policing (alleviating DoS attack) before reaching the control plane (management: SNMP, Telnet, SSH, SSL, …; ICMP; IPv6; routing updates). Output from the control plane passes through silent mode (reconnaissance prevention) to the output packet buffer.

Page 21

Deploying CoPP

• Drop packets prior to CoPP: ACLs, Unicast Reverse Path Forwarding (Unicast RPF), and additional features
• Identify necessary protocols and maybe even initial rate-limiting values
  – Based on configurations, NetFlow data, classification ACLs, and show commands (show ip traffic, show ip socket, etc.)
• Develop and pilot the CoPP framework without enforcing rate-limits
• Refine policy and adjust rates based on observation
• Deploy policy and enforce rate-limits as required

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Page 22

NetFlow for Security Detection

Page 23

Key Concept: NetFlow Scalability

• Packet capture is like a wiretap
• NetFlow is like a phone bill
• This level of granularity allows NetFlow to scale for very large amounts of traffic
  – We can learn a lot from studying the phone bill!
  – Who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
  – NetFlow is a form of telemetry pushed from the routers/switches; each one can be a sensor

Page 24

NetFlow: Internal Threat Information Resource

• NetFlow is available on routers and switches
• Have syslog-like information without having to buy a firewall
• One NetFlow packet has information about multiple flows

Figure: the NetFlow cache exports a packet made up of a header (sequence number, record count, version number) followed by several flow records.

router(config-if)# ip flow ingress
router(config)# ip flow-export destination 172.17.246.225 9996
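The export packet structure above (a header carrying version, record count and sequence number, followed by several flow records) is concrete enough to decode. Here is an added example, not from the deck, that parses a NetFlow version 5 datagram built from constructed flows; a collector receiving exports on the UDP port configured above would feed each datagram to parse_v5_packet.

```python
"""Decode a NetFlow version 5 export datagram into per-flow records.

Added example, not from the original deck. NetFlow v5 is a fixed format
(24-byte header, 48-byte records); the datagram below is built by hand from
constructed flows so the parser runs offline.
"""
import socket
import struct
from typing import Dict, List

# version, count, sysuptime, unix secs, unix nsecs, flow sequence, engine type, engine id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# src, dst, nexthop, in/out ifindex, pkts, bytes, first, last, sport, dport,
# pad, tcp flags, proto, tos, src/dst AS, src/dst mask, pad
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30   # a v5 datagram never carries more than 30 records

# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "192.0.2.80", "sport": 40001, "dport": 80, "proto": 6, "pkts": 12, "bytes": 9000, "flags": 0x1B},
    {"src": "10.1.1.9", "dst": "192.0.2.53", "sport": 50000, "dport": 53, "proto": 17, "pkts": 1, "bytes": 76},
    {"src": "198.51.100.7", "dst": "192.0.2.80", "sport": 4444, "dport": 80, "proto": 6, "pkts": 2000, "bytes": 80000, "flags": 0x02},
]


def build_v5_packet(flows: List[dict], sequence: int = 0) -> bytes:
    """Pack flows the way an exporter would (used here only to create test input)."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1262304000, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            1, 2, f["pkts"], f["bytes"], 100000, 100500,
            f["sport"], f["dport"], 0, f.get("flags", 0), f["proto"], 0,
            0, 0, 24, 24, 0,
        )
        for f in flows
    )
    return header + body


def parse_v5_packet(data: bytes) -> Dict:
    """Validate the header, then unpack every record; raise ValueError on malformed input."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, sequence, _etype, _eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # A collector must not trust 'count' blindly: check it against the datagram length.
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]), "nexthop": socket.inet_ntoa(r[2]),
            "in_if": r[3], "out_if": r[4], "pkts": r[5], "bytes": r[6],
            "first_ms": r[7], "last_ms": r[8], "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13], "tos": r[14],
        })
    return {"version": version, "count": count, "sequence": sequence,
            "uptime_ms": uptime, "export_time": secs + nsecs / 1e9,
            "sampling_interval": sampling & 0x3FFF, "records": records}


if __name__ == "__main__":
    pkt = parse_v5_packet(build_v5_packet(SAMPLE_FLOWS, sequence=42))
    print(f"v{pkt['version']} seq={pkt['sequence']} records={pkt['count']}")
    for rec in pkt["records"]:
        print(f"  {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"proto={rec['proto']} pkts={rec['pkts']} bytes={rec['bytes']}")
```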

Page 25

NetFlow Output: Internal Threat Information Resource

Figure: sample NetFlow output showing traffic classification, a flow summary, and flow detail.

NetFlow Performance: http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml

Page 26

Introduction to Flexible NetFlow (FNF)

• Fixed export formats (NetFlow versions 1, 5, 7, 8) are not flexible or adaptable: each new version contains new export fields and is incompatible with the previous version
• Flexible NetFlow completely separates the collection and export processes
• Allows customization of NetFlow collection:
  – Scalable by maintaining flow records of the granularity that is required for a particular user’s application
  – Supports more than 100 fields to configure flow records
  – Capture and export complete packet headers for security and other applications
• Offers new export protocols (UDP, SCTP)
• Flexible NetFlow is available in Release 12.4(9)T
  – Cisco 800, 1800, 2800, 3800, 7200, and 7301 series

Page 27

Using NetFlow Version 9 and FNF

• NetFlow Version 9 is a major enhancement over earlier versions; it is now possible to define what information is exported using templates
• A template specifies which fields are key fields and which are non-key fields
• The information gathered is exported along with a reference to the template to which it belongs
• The packet payload can be used as both key and non-key fields

Page 28

FNF: Multiple Monitors With Unique Key Fields

Flow monitor 1 (Traffic Analysis Cache)

Key fields, packet 1:
  Source IP: 3.3.3.3
  Destination IP: 2.2.2.2
  Source port: 23
  Destination port: 22078
  Layer 3 protocol: TCP - 6
  TOS byte: 0
  Input interface: Ethernet 0
Non-key fields: packets, bytes, time stamps, next-hop address

Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
3.3.3.3   | 2.2.2.2  | E1        | 6        | 0   | … | 11000
1.1.1.1   | 2.2.2.2  | E1        | 6        | 0   | … | 11000

Flow monitor 2 (Security Analysis Cache)

Key fields, packet 2:
  Source IP: 3.3.3.3
  Dest IP: 2.2.2.2
  Input interface: Ethernet 0
  Packet section: 1010101
Non-key fields: packets, time stamps

Source IP | Dest. IP | Dest. I/F | Input I/F | Sec | … | Pkts
3.3.3.3   | 2.2.2.2  | E1        | E1        | 101 | … | 11000

Page 29

Using FNF for Detection

Different flow monitors for detecting different information:

Figure: WAN, data center, campus, and branch, each served by its own flow monitor.

• Security flows: protocol, ports, IP addresses, TCP flags, packet section
• Multicast flows: protocol, ports, IP subnets, packet replication
• ISP peering flows: dest. AS, dest. traffic index, BGP next hop, DSCP
• IP flows: IP subnets, ports, protocol, interfaces, egress/ingress

Page 30

Network Behavioral Analysis (NBA)

• Networks and network-enabled devices constantly create traffic. However, this traffic follows certain patterns according to the applications and user behaviour
• The key is to collect traffic information (NetFlow) and calculate various statistics. These are then compared against a baseline, and abnormalities are analyzed in more detail
• Analyzing these patterns allows us to see what is NOT normal
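The baseline comparison described above, as an added example that is not part of the deck: flow records are constructed, the baseline is built from four quiet intervals, and the current interval is scored for an abnormal number of distinct sources per destination (the fan-in signature of a flood); the k-sigma threshold and the minimum fan-in are assumptions.

```python
"""Baseline-and-deviation detection over NetFlow-style records (NBA).

Added example, not from the original deck. Flow records are constructed;
the baseline is built from past 'quiet' intervals and the current interval
is scored against it. The k-sigma threshold and minimum fan-in are
illustrative assumptions, not values from the deck.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int, int, int]   # (src, dst, dport, proto, pkts, bytes)


def interval_stats(flows: List[Flow]) -> Dict[str, Dict[str, float]]:
    """Per destination: distinct sources, flow count and mean bytes per flow."""
    srcs, count, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, _dport, _proto, _pkts, nbytes in flows:
        srcs[dst].add(src)
        count[dst] += 1
        total[dst] += nbytes
    return {dst: {"sources": len(srcs[dst]), "flows": count[dst],
                  "bytes_per_flow": total[dst] / count[dst]} for dst in count}


def build_baseline(history: List[List[Flow]]) -> Dict[str, Dict[str, Tuple[float, float]]]:
    """(mean, stddev) of each metric per destination across past intervals."""
    series: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for interval in history:
        for dst, metrics in interval_stats(interval).items():
            for name, value in metrics.items():
                series[dst][name].append(value)
    return {dst: {name: (mean(v), pstdev(v)) for name, v in m.items()} for dst, m in series.items()}


def detect(current: List[Flow], baseline: Dict, k: float = 3.0, min_sources: int = 20) -> List[Dict]:
    """Flag destinations whose source fan-in exceeds mean + k*sigma of the baseline."""
    alerts = []
    for dst, metrics in interval_stats(current).items():
        if dst not in baseline:
            if metrics["sources"] >= min_sources:   # never seen before and already busy
                alerts.append({"dst": dst, "reason": "unknown destination with high fan-in", **metrics})
            continue
        mu, sigma = baseline[dst]["sources"]
        sigma = max(sigma, 1.0)   # a perfectly flat baseline must not alert on one extra source
        if metrics["sources"] > mu + k * sigma and metrics["sources"] >= min_sources:
            alerts.append({"dst": dst,
                           "reason": f"{metrics['sources']} sources vs baseline {mu:.1f} (sigma {sigma:.1f})",
                           **metrics})
    return alerts


def _flows(dst: str, n: int, dport: int, proto: int, pkts: int, nbytes: int, net: int) -> List[Flow]:
    """Constructed flows from n distinct sources in 10.<net>.0.0/16 to one destination."""
    return [(f"10.{net}.{i // 250}.{i % 250 + 1}", dst, dport, proto, pkts, nbytes) for i in range(n)]


# Four quiet intervals: a web server with 5 to 8 clients and a DNS server with 3.
HISTORY = [_flows("192.0.2.80", 5 + i, 80, 6, 12, 9000, i + 1) + _flows("192.0.2.53", 3, 53, 17, 1, 76, 9)
           for i in range(4)]
# Current interval: 60 sources each sending one tiny packet to the web server.
CURRENT = _flows("192.0.2.80", 60, 80, 6, 1, 60, 7) + _flows("192.0.2.53", 3, 53, 17, 1, 76, 9)

if __name__ == "__main__":
    for alert in detect(CURRENT, build_baseline(HISTORY)):
        print(alert["dst"], alert["reason"], f"bytes/flow={alert['bytes_per_flow']:.0f}")
```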

Page 31

NetFlow and Commercial Anomaly-Detection Tools

• Lancope StealthWatch Xe, Narus InSight Manager, and Q1 Labs QRadar all provide both statistical and behavioral anomaly-detection
• Cisco CS-MARS and Arbor Peakflow SP DoS perform statistical anomaly-detection
• Arbor Peakflow/X performs relational/behavioral anomaly-detection

Page 32

Remote Triggered Black Holes

Page 33

Destination-Based Remote Triggered Black Hole Filtering

• The method uses BGP to trigger a network-wide response to a range of attack flows.
• A simple static route to Null0 and BGP will allow an ISP to trigger network-wide black holes as fast as iBGP can update the network.
• This provides ISPs with a tool that can be used to respond to security-related events or used for DoS/DDoS backscatter tracebacks.

Page 34

Destination-Based Remote Triggered Black Hole Filtering

The setup (preparation)

• A trigger is a special device that is installed at the NOC exclusively for the purpose of triggering a black hole.
• The trigger must have an iBGP peering relationship with all the edge routers (or, if using route reflectors, it must have an iBGP relationship with the route reflectors in every cluster).
• The trigger is also configured to redistribute static routes to its iBGP peers. It sends the static route by means of an iBGP routing update.
• The Provider Edges (PEs) must have a static route for an unused IP address space. For example, 192.0.2.1/32 is set to Null0.
• The IP address 192.0.2.1 is reserved for use in test networks and is not used as a deployed IP address.

Page 35

Destination-Based Remote Triggered Black Hole Filtering

The trigger

• An administrator adds a static route to the trigger, which redistributes the route by sending a BGP update to all its iBGP peers. This sets the next hop of the target destination address under attack to 192.0.2.1 in the current example.
• Each PE receives this “triggered” iBGP update and sets its next hop to the target unused IP address space of 192.0.2.1.
• The route to this address is set to Null0 in the PE, using a static routing entry in the router configuration.
• The next hop entry in the forwarding information base (FIB) for the destination IP (target) is now updated to Null0.
• All traffic to the target will now be forwarded to Null0 at the edge and dropped.

Page 36

Destination-Based Remote Triggered Black Hole Filtering

The withdrawal

• Once the trigger is in place, all traffic to the target destination is dropped at the PEs.
• When the threat no longer exists, the administrator must manually remove the static route from the trigger, which sends a BGP route withdrawal to its iBGP peers.
• This prompts the edge routers to remove the existing route for the target that is pointed to 192.0.2.1 and to install a new route based on the IGP routing information base (RIB).

Page 37

Activate the Remote Triggered Black Hole Filtering

BGP sent: 171.68.1.0/24, next-hop = 192.0.2.1
Static route in edge router: 192.0.2.1 = Null0
171.68.1.0/24 = 192.0.2.1 = Null0
Next hop of 171.68.1.0/24 is now equal to Null0

Page 38

Customer Is Under a DoS Attack at a Specific Destination

Figure: NOC, POP, peers A and B at IXP-W and IXP-E, upstreams A and B; the target is taken out.

Page 39

The DoS Impacts Other Key Network Elements

Figure: the same topology (NOC, POP, peers A and B at IXP-W and IXP-E, upstreams A and B, target); the attack causes collateral damage to other customers.

Page 40

RTBH Is Triggered to Eliminate DoS on Specific Destination Host/Addresses

Figure: the same topology; iBGP advertises the list of black-holed prefixes from the NOC, and the edge routers drop packets destined for the target.

Page 41

Destination-Based Remote Triggered Black Hole Filtering - Summary

• Remote Triggered Black Hole Filtering is the foundation for a whole series of techniques to trace back and react to DoS/DDoS attacks on an ISP’s network.
• Preparation does not affect ISP operations or performance.
• It is powerful, scalable, requires no real-time change to the router configs, and drops happen in the forwarding path.
• But the destination-based approach does quite effectively black-hole the destination…

Page 42

Black Hole Filtering – Source Based

• What do we have?
  – Blackhole filtering: if the destination address resolves to Null0, we drop the packet
  – Remote triggered: trigger a prefix to resolve to Null0 on routers across the network at iBGP speeds
  – Unicast RPF loose check: if the source address resolves to Null0, we drop the packet
• Put them together and we have a tool to trigger a drop for any packet coming into the network whose source or destination resolves to Null0
  – Edge devices must have the static route configured
  – The BGP trigger sets the next hop; in this case the attacker is the source we want to drop

Page 43

Black Hole Filtering – Source Based

• Dropping on destination is very important
  – Dropping on source is often what we really want
• Requires Unicast RPF
• Reacting using the source address provides some interesting options
  – Stop the attack without taking the destination offline
  – Filter command and control servers
  – Filter (quarantine) infected end stations
• Must be rapid and scalable
  – Leverage pervasive BGP again

Page 44

Black Hole Filtering – Source Based

• Advantages of using source-based filtering
  – No ACL update
  – No change to device configuration
  – Drops happen in the forwarding path
  – Frequently changes when attack profiles are dynamic
• Weaknesses when using source-based filtering
  – Source detection and enumeration
  – Attack termination detection (reporting)
  – Will drop all packets with that source and destination on all triggered interfaces, regardless of actual intent
  – Remember spoofing: don’t let the miscreant spoof the true source-based target and trick you into black holing them
  – Whitelist important sites that should never be blocked

Page 45

Source-Based RTBH – Drop At the Edge

Figure: edge routers A to F, the NOC (G), IXP-W, IXP-E, upstreams A and B, peers A and B, POP, and the target. iBGP advertises the list of black-holed prefixes based on source addresses; edge routers drop incoming packets based on their source address.

Page 46

Source-Based Remote Triggered Black Hole – Key Feature Check

• Rapid deployment to edge routers: Remote Triggered Black Hole Filtering
• Source-based filter: uRPF loose check with black hole filtering; any packet whose source or destination address resolves to Null0 is dropped
• Thousands of lines: the black list is only limited by the size of the FIB
• Modified on the fly: just add/remove static routes on the trigger router; the black list update happens at BGP speeds
• All platforms at line rate: all ASICs support uRPF loose check


Remote Triggered Black Hole – Summary

• Dropping on destination is very important
  Dropping on source is often what we really need
• Reacting using source address provides some interesting options:
  Stop the attack without blackholing real services
  Filter command and control servers
  Filter (contain) infected end stations
• Must be rapid and scalable:
  BGP triggered Black Hole filtering (destination based)
  Add Loose-mode uRPF – drop any incoming packet whose source or destination now maps to Null0
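As an added example that is not from the presentation, the following Python model shows the edge-router logic the source-based RTBH slides describe: the trigger router's static route resolves to Null0 through the RTBH next-hop address, the uRPF loose check (IOS `ip verify unicast source reachable-via any`) then drops any packet whose source resolves to Null0, and a whitelist refuses triggers against sites that must never be black-holed. All addresses, interface names and function names are constructed assumptions.

```python
import ipaddress

NULL0 = "Null0"
RTBH_NEXT_HOP = ipaddress.ip_address("192.0.2.1")  # TEST-NET-1 address, never routed for real

# Constructed edge-router FIB: prefix -> next hop. A str is an egress interface; an
# IPv4Address is itself resolved through the FIB, which is how a route to 192.0.2.1 ends at Null0.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Upstream-A",
    ipaddress.ip_network("203.0.113.0/24"): "Customer-Target",  # constructed target prefix
    ipaddress.ip_network("192.0.2.1/32"): NULL0,  # provisioned once on every edge router
}
# Constructed whitelist: the slide's "important sites that should never be blocked".
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]


def resolve(addr, fib=FIB):
    """Longest-prefix match with bounded recursive next-hop resolution."""
    for _ in range(8):
        matches = [p for p in fib if addr in p]
        if not matches:
            return None
        nh = fib[max(matches, key=lambda p: p.prefixlen)]
        if isinstance(nh, str):
            return nh
        addr = nh
    return None


def trigger(prefix, fib=FIB):
    """Model of the static route the trigger router injects and iBGP carries to
    every edge: refuse whitelist overlaps, then point the prefix at the RTBH next
    hop so it resolves to Null0 with no ACL or per-device configuration change."""
    net = ipaddress.ip_network(prefix)
    if any(net.overlaps(w) for w in WHITELIST):
        raise ValueError(f"{prefix} overlaps a whitelisted site; not black-holing")
    fib[net] = RTBH_NEXT_HOP


def withdraw(prefix, fib=FIB):
    """Attack over: remove the static route; edges converge at BGP speed."""
    fib.pop(ipaddress.ip_network(prefix), None)


def forward(src, dst, fib=FIB):
    """'drop:src' = uRPF loose check (source maps to Null0 or is unroutable),
    'drop:dst' = destination-based RTBH, otherwise the egress next hop. The
    default route counts as a valid source route here; IOS needs 'allow-default'."""
    if resolve(ipaddress.ip_address(src), fib) in (NULL0, None):
        return "drop:src"
    out = resolve(ipaddress.ip_address(dst), fib)
    return "drop:dst" if out == NULL0 else out
```

Note that once a source is triggered, every packet from it is dropped whatever its destination, which is exactly the "regardless of actual intent" weakness the slide lists.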


Cisco IP NGN Security Approach – Mapping Solutions to Cisco IP NGN Security Actions

Specific Cisco technologies and solutions can be mapped to one or more Security Actions: Identify, Monitor, Correlate, Isolate, Enforce, Harden.

Technologies and solutions listed on the slide:
Packet Gateways
Access Registrar
Service Control Engine
Anomaly Detector
NetFlow
SysLog
SNMP
EEM
Visual Tools
CS-MARS
CW-SIMS
Partners (Narus, Lancope)
Open Source Tools
Layer-2 VPNs
Layer-3 VPNs
Encryption
Session Border Control
Anomaly Guard
Service Control Engine
IDS/IPS
Fail-Open Peering
Network Foundation Protection
Adaptive Security Appliances
IOS and IOS XR


Keeping Up to Date


Cisco Security Center – Powered by IntelliShield and IronPort SenderBase

“Top 20 IT Security Web Sites”

Network World – April 10, 2008


Shadowserver.org

“… an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.”


Security Architecture Assessment (SAA) Service

Assessment areas: Perimeter, Wireless, Unified Comm., Data Center, Endpoint, Firewall Rules, Physical, Internal (Required)

Activities
• Review security architecture business goals, objectives, and requirements
• Evaluate the effectiveness of each technical control at providing the designated security function
• Provide a report that documents architecture control gaps, security risk analysis, and prioritized recommendations for remediation

Benefits
• Address compliance requirements by identifying improved internal controls needed to better protect data
• Safeguard employee productivity, primary intellectual property, and sensitive customer data by mitigating security risks


Worm/Virus: Exploit Comparison (20 Years)

Each worm is listed with its Probe, Penetrate, Persist, Propagate, and Paralyze phases.

Morris (1988)
  Probe: Scan for Fingerd
  Penetrate: Buffer Overflow in Fingerd
  Persist: Execute Script to Download Code
  Propagate: Look for Addresses and Spread to New Victim
  Paralyze: Lots of Processes Slow System

Love Bug (2000)
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Open Address Book and Email Copies
  Paralyze: Worm Spreads

Code Red (2001)
  Probe: Scan for IIS
  Penetrate: Buffer Overflow in IIS
  Persist: Execute Script to Download Code
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Threads Slow System

Slammer (2003)
  Probe: N/A
  Penetrate: Buffer Overflow in SQL and MSDE
  Persist: N/A
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Packets Slow Network

MyDoom (2004)
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Open Address Book and Email Copies
  Paralyze: Worm Spreads

Zotob (2005)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer Overflow in UPNP Service
  Persist: Create Files, Edit Registry, Download Code
  Propagate: FTP and TFTP Services, Search for Addresses and Spread to New Victim
  Paralyze: Delete Registry Keys and Files, Terminate Processes

RPC DNS (2007)
  Probe: Scan for Endpoint Mapper
  Penetrate: Buffer Overflow in RPC Service
  Persist: Execute Payload to Download Code
  Propagate: Look for Addresses and Spread to New Victim
  Paralyze: Worm/Trojan Spreads

MS08-067 (2008)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer Overflow in Server Service; Mapped and Removable Drives
  Persist: Create Files, Modify Registry, Download Code, DNS Hooking, Kill Processes, Hot Patch
  Propagate: Peer-to-Peer C&C, HTTP C&C, Network Share, Web Listener
  Paralyze: Worm Spreads


Threat and Attack Models

Resource Exhaustion Attacks
• DoS attack makes target unavailable for its intended service
• Attempted by direct, transit, or reflection-based attack

Spoofing Attacks
• Uses packets that masquerade with false data (such as source IP address) to exploit a trust relationship

Transport Protocol Attacks
• Prevents upper-layer communication between hosts or hijacks established session
• Exploits previous authentication measures
• Enables eavesdropping or false data injection

Routing Protocol Attacks
• Prevents or disrupts routing protocol peering or redirects traffic flows
• Attempts to inject false information, alter existing information, or remove valid information


Threat and Attack Models (Cont.)

Attacks Against IP Control-Plane Services
• Attacks against DHCP, DNS, and NTP
• Affects network availability and operations

Unauthorized Access Attacks
• Attempts to gain unauthorized access to restricted systems and networks

Software Vulnerabilities
• Software defect that may compromise confidentiality, integrity, or availability of the device and data plane traffic

Malicious Network Reconnaissance
• Gathering info about a target device, network, or organization
• Enables attacker to identify specific security weaknesses that may be exploited in a future attack


Conficker a.k.a. Downadup and MS08-067 (timeline, Oct 2008 to Mar 2009)

15 October 2008: MIT MD6 Hash Released
23 October 2008: MS08-067 Published; Cisco Security Agent prevents exploitation using default desktop or default server policies
21 November 2008: Conficker.A Spreads; exploits MS08-067; DNS hooking; connects to 250 randomly generated domains/hosts per day; MD5 hashing with 1024-bit RSA digital certificate
29 December 2008: Conficker.B Spreads (38 days after Conficker.A); network share exploitation using 445/tcp added; removable drive propagation added; connects to a different set of 250 randomly generated domains/hosts per day; MD6 hashing with 4096-bit RSA digital certificate
15 January 2009: MIT MD6 Buffer Overflow Patched; Conficker.A+B affected by this vulnerability
15 January 2009 to 15 February 2009: Major growth in Conficker.A+B population
4 February 2009: SRI Conficker Analysis Published


Conficker a.k.a. Downadup and MS08-067 (Cont.) (timeline, Feb 2009 to ??? 2009)

12 February 2009: Conficker Working Group Announced
15 February 2009 to ???: DNS mitigation by CWG for Conficker.A+B
20 February 2009: Conficker.C Discovered (53 days after Conficker.B); accepts commands from other Conficker nodes using peer-to-peer (P2P) via the MS08-067 vulnerability; Conficker begins to shift to a resilient P2P architecture
4 March 2009: Conficker.D Discovered (65 days after Conficker.B and 12 days after Conficker.C); connects to 500 random hosts per day (24 hours) out of 50k randomly generated domains on 1 April 2009; peer-to-peer with other Conficker.D infected nodes; MIT MD6 vulnerability patched; MS08-067 scanning removed; more processes added to termination list; DNS blacklist updated for security-related web sites
4 March 2009 to ???: DNS mitigation by CWG for Conficker.C
8 March 2009: SRI Conficker.C Analysis Published
30 March 2009 to 3 April 2009: Media goes crazy over Conficker.D
30 March 2009 to 4 April 2009: Various detection tools and research published
1 April 2009: Conficker.D, “April Fools Is Here—Everything Is Melting :D”; transition to the new phone-home method
8 April 2009: Conficker.E (27 days after Conficker.D); updates Conficker.B+.C+.D; deletes itself on May 3


Size of DDoS Attacks

• Attacks now exceed 40 gigabits
• 57% of service providers reported attacks greater than 1 gigabit
  Nearly double last year
• Larger attacks inflict upstream collateral damage
• Protocol exhaustion and flood-based attacks predominant
• Lower-bandwidth attacks target specific services and exploit service weaknesses

Source: Arbor Networks Worldwide Infrastructure Security Report


Defense in Depth and Breadth – Cisco IOS Features “Order of Operations”

Ingress IOS Features
1. IP Traffic Export (RITE)
2. QoS Policy Propagation thru BGP (QPPB)
3. Ingress Flexible NetFlow
4. Network Based Application Recognition (NBAR)
5. Input QoS Classification
6. Ingress NetFlow
7. IOS IPS Inspection
8. Input Stateful Packet Inspection (IOS FW)
9. Input ACL
10. Input Flexible Packet Matching (FPM)
11. IPsec Decryption (if encrypted)
12. Unicast RPF Check
13. Input QoS Marking
14. Input Policing (CAR)
15. Input MAC/Precedence Accounting
16. NAT Outside-to-Inside
17. Policy Routing

Routing

Egress IOS Features
1. WCCP Redirect
2. NAT Inside-to-Outside
3. Network Based Application Recognition (NBAR)
4. BGP Policy Accounting
5. Output QoS Classification
6. Output ACL Check
7. Output Flexible Packet Matching (FPM)
8. DoS Tracker
9. Output Stateful Packet Inspection (IOS FW)
10. TCP Intercept
11. Output QoS Marking
12. Output Policing (CAR)
13. Output MAC/Precedence Accounting
14. IPSec Encryption
15. Egress NetFlow
16. Egress Flexible NetFlow
17. Egress RITE
18. Output Queuing (CBWFQ, LLQ, WRED)