23rd APAN Meeting, Manila, Philippines, January 25 2007
REN-ISAC and Peakflow SP
John Hicks, Indiana University, TransPAC2
[email protected]

REN-ISAC

• Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;

• Specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks.

• Supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

• http://www.ren-isac.net/

REN-ISAC Security Efforts

• Information products

– Daily Weather Report

– Daily Darknet Reports

– Alerts

– Notifications

– Monitoring views

• Incident response

• 24x7 Watch Desk

• Cybersecurity Contact Registry

• Tool development

• Security infrastructures work in specific communities, e.g. grids

• Participation in other higher education efforts

Complementary Relationships

• REN-ISAC has core complementary relationships with:

– EDUCAUSE

– Internet2

– EDUCAUSE and Internet2 Security Task Force

– IU Global NOC and Abilene network engineering

– IU Advanced Network Management Lab

– IU Information Technology Security Office

– US Department of Homeland Security & US-CERT

– IT-ISAC

– ISAC Council

– SALSA

Complementary Relationships

• US Department of Homeland Security - Information Analysis and Infrastructure Protection Directorate has the objective to implement the national strategy and to promote public/private partnerships for information sharing and analysis – ISACs.

• ISACs are encouraged in each critical sector of national security and the economy, e.g. IT, water, agriculture, energy, transportation, finance, etc.

• ISAC Council is a body of the private sector ISACs that promotes cooperation, sharing, and relation to DHS.

• National Cyber Security Partnership is a public-private collaboration focused on strategies and actions to assist the DHS National Cyber Security Division in implementation of the President’s National Strategy to Secure Cyberspace.

Information Resources

• Network instrumentation

• Router NetFlow, BGP, and SNMP data (Peakflow SP)

• Router ACL counters

• Darknet

• Global NOC operational monitoring systems

• Daily cybersecurity status calls with ISACs and US-CERT

• Vetted/closed network security collaborations

• Backbone and member security and network engineers

• Vendors, e.g. monthly ISAC calls with vendors

• Security mailing lists, e.g. EDUCAUSE, etc.

• Members – related to incidents on local networks

Internet2 NetFlow Policy

• REN-ISAC & Internet2 NetFlow data policy agreement, highlights:

– Data is anonymized to /21. Under perceived threat and at the request of involved institutions the REN-ISAC can selectively turn off anonymization.

– Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly.

– Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.

– TransPAC2 has adopted the Internet2 NetFlow Policy.
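The /21 anonymization and aggregate-only public reporting described in the policy, as an added Python illustration (not REN-ISAC's or Internet2's code); the flow records, the `exempt` list standing in for institutions that asked to have anonymization turned off, and the dictionary layout are assumptions.

```python
import ipaddress

ANON_PREFIX_LEN = 21  # the policy's /21 granularity

# Constructed NetFlow-style sample records (addresses are made up, not real data).
FLOWS = [
    {"src": "10.1.37.200", "dst": "192.0.2.77", "dport": 22, "bytes": 1400},
    {"src": "10.1.38.15", "dst": "192.0.2.78", "dport": 80, "bytes": 90000},
    {"src": "172.16.9.4", "dst": "10.1.40.1", "dport": 53, "bytes": 120},
]

def anonymize(ip, prefix_len=ANON_PREFIX_LEN):
    """Keep the top prefix_len bits and zero the host bits: 10.1.37.200 -> 10.1.32.0/21."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def anonymize_flows(flows, exempt=()):
    """Anonymize src/dst to /21, except addresses inside the `exempt` networks,
    which stand for institutions that requested anonymization be turned off for
    an incident (an assumed representation of the policy's opt-out)."""
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]

    def view(ip):
        if any(ipaddress.ip_address(ip) in net for net in exempt_nets):
            return ip
        return anonymize(ip)

    return [{**f, "src": view(f["src"]), "dst": view(f["dst"])} for f in flows]

def public_view(flows):
    """The publishable form: bytes aggregated per anonymized destination /21
    and nothing finer, so no host or individual is identifiable."""
    totals = {}
    for f in anonymize_flows(flows):
        totals[f["dst"]] = totals.get(f["dst"], 0) + f["bytes"]
    return totals

if __name__ == "__main__":
    print(public_view(FLOWS))
    print(anonymize_flows(FLOWS, exempt=["172.16.0.0/16"])[2])
```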

NetFlow Analysis – Traffic Grapher

Tool developed by IU ANML. Graphs NetFlow by source and destination port numbers, IP addresses and networks (in CIDR format), and AS numbers, for ICMP, TCP or UDP. Optimized for performance.

Traffic on Common and Threat Vector Ports

• Utilize Traffic Grapher to provide public views of Internet2 traffic on common application and threat vector ports.

• http://ren-isac.net/monitoring.cgi

• Also utilize ACL counters in routers to collect and publish similar views.

Warning and Response

• REN-ISAC Watch Desk

– 24 x 7

– Co-located and staffed with the Global Research NOC

– +1 (317) 278-6630

[email protected]

• Public reports to the U.S. higher education community regarding analysis at aggregate views.

• Private reports to institutions regarding active threat involving their institution.

• Daily Reports

– REN-ISAC Weather Report

– Darknet Report

• Public views from monitoring systems

• Infrastructure security, traffic analysis, managed DoS protection via intelligent netflow analysis

– Network Anomaly Detection:

• DDoS, worms, network and bandwidth abuse

– Integrated Mitigation

• seamless operation with a variety of DoS mitigation tools; filtering, rate-limiting, BGP blackholing, off-ramping/sinkholing, etc.

– Analytics: peering evaluation, BGP routing

– Reporting

• real-time and customized anomaly and traffic reports

– Customer-facing DoS Portal

• Gives customers a first-hand view of their traffic inside the service provider’s network; customers set their own thresholds and alerts

– Fingerprint Sharing

• Share anomaly fingerprints with peers, customers, etc. for upstream DoS mitigation

Threat Management System

• Arbor officially released the Arbor Peakflow SP TMS (Threat Management System) device in August 2006

• First-and-only carrier-class service provider threat management device for multi-service converged networks

• SP now unifies network-wide intelligence (CP) and carrier-class threat management (TMS) to enable the following:

1. Secure your infrastructure from the full spectrum of threats: botnets, DNS attacks, DDoS, worms, phishing, SPAM, spyware, etc.

2. Manage your multi-service network by visualizing VoIP, web, mail, DNS, P2P, and IM traffic across your network

3. Rollout network-based security service offerings leveraging multiple security features on a single platform

• TMS adds a powerful mitigation component to SP as well as augments its flow-based detection and reporting with application-layer capabilities

Why TMS?

• SP TMS technology addresses multi-service network infrastructure threats and visibility needs

– Provide application-layer processing and analysis

• Layer 7 reporting of mission-critical applications: VoIP, IM, P2P, etc.

• Layer 7 packet scrubbing and mitigation

– Address multiple security threats on a single platform

– Fit specific operational needs of service providers

• SP TMS technology augments flow-based SP technologies

– Provide comprehensive network-wide situational awareness augmented with more specific application-layer traffic reports

– Detect and combat today’s and tomorrow’s infrastructure threats

– Offer a seamless workflow to manage infrastructure threats

– Secure and better understand IP VPN deployments

Hardware

• OEM platform from Bivio Networks

• Contains 7 PowerPC processors connected by switch fabric

– 1 management processor and 6 application processors

• 2 Gbps mitigation performance in the current release; 10 Gbps performance available

TMS High Level Features

• Mitigation

– Stop denial-of-service attacks

– Leverage SP network-wide intelligence and single threat management console to address network threats

• TMS does not require peacetime learning

• TMS does not require accessing multiple UIs or CLIs

• Enhanced Application Monitoring

– DNS alerting and reporting

• NetFlow V9 Flow Generation

Mitigation

• Active Mitigation of DoS Attacks

– Use BGP offramp to direct traffic to a TMS device

– Re-inject traffic using GRE tunnels

• Attack Counter-Measures (In Processing Order)

– Global exception list

– Per mitigation filters

– Zombie removal

– TCP SYN authentication

– DNS authentication

– Baseline enforcement

Mitigation (2)

• Global exception list

– Global set of FCAP rules to explicitly pass/drop traffic independently of any specific mitigation

• Per mitigation filters

– Set of FCAP rules specific to each mitigation for explicitly dropping or passing traffic

– A mitigation is defined by a prefix/netmask

• Zombie removal

– Detect hosts that are sending traffic at a higher than specified rate

– When rate is exceeded all traffic from the host is dropped until it falls below the threshold.

– Rates are per mitigation

Mitigation (3)

• TCP SYN authentication

– Used to block SYN flooding attacks by detecting spoofed connection attempts

– Set globally

– For new connection attempts, TMS issues a SYN-ACK with a magic value

– If the host completes the handshake, TMS knows the host is valid and puts it into a white list for a specified period

– Established connection is reset

• DNS authentication

– Used to block DNS request floods from spoofed hosts

– When TMS sees a new DNS request from a host it will drop the request

– If the host re-transmits the request we mark the host as valid and let the request through
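The SYN authentication and DNS authentication counter-measures above, modeled as a small Python state machine added here (not Arbor's code): the magic value, the whitelist lifetime, the "retransmit" match on (source, query ID, name) and the returned action names are assumptions.

```python
import time

SYN_MAGIC = 0x5EED      # constructed challenge sequence number; a real device uses a per-flow secret
WHITELIST_TTL = 300.0   # seconds a validated host stays whitelisted (assumed value)

class TmsAuth:
    """Models TCP SYN authentication and DNS authentication as described on the slide."""

    def __init__(self, now=time.time):
        self.now = now
        self.challenged = set()   # sources that were sent a SYN-ACK carrying the magic value
        self.tcp_ok = {}          # source -> whitelist expiry
        self.dns_seen = set()     # (source, query id, name) seen once and dropped
        self.dns_ok = {}          # source -> whitelist expiry

    def _listed(self, table, src):
        return src in table and table[src] > self.now()

    def tcp_syn(self, src):
        """A SYN from a whitelisted host is forwarded; any other SYN is answered by
        TMS itself with a SYN-ACK carrying the magic value and is not forwarded."""
        if self._listed(self.tcp_ok, src):
            return "forward"
        self.challenged.add(src)
        return "synack"

    def tcp_ack(self, src, ack_num):
        """Third-handshake ACK: only a host that really received the SYN-ACK can echo
        magic+1, so a spoofed source never validates. The authenticated connection
        is then reset; the client's reconnect is forwarded via the whitelist."""
        if src in self.challenged and ack_num == SYN_MAGIC + 1:
            self.challenged.discard(src)
            self.tcp_ok[src] = self.now() + WHITELIST_TTL
            return "rst"
        return "drop"

    def dns_query(self, src, qid, qname):
        """The first sighting of a query is dropped; a retransmission of the same
        query (matched on source, ID and name, an assumed reading of 'retransmit')
        shows the source is real, so it is whitelisted and forwarded."""
        if self._listed(self.dns_ok, src):
            return "forward"
        key = (src, qid, qname)
        if key in self.dns_seen:
            self.dns_ok[src] = self.now() + WHITELIST_TTL
            return "forward"
        self.dns_seen.add(key)
        return "drop"
```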

Mitigation (4)

• Baseline enforcement

– Use yesterday’s traffic patterns as indicator of good traffic

• Historical traffic rates for top 200 /24 sources of traffic

• Per protocol rates

– If traffic deviates substantially from the historic rates, then TMS limits the offending traffic

– Baselines are per mitigation
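Zombie removal (from Mitigation (2)) and baseline enforcement (above) as one small Python model added here, not Arbor's code; the one-second sliding window, the 5x deviation factor and the sample flows are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict, deque

def slash24(ip):
    """Collapse a source address to the /24 the baseline is kept in."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def zombie_removal(packets, max_per_window, window=1.0):
    """Zombie removal: packets is (time, src) in time order. Once a host exceeds
    max_per_window packets inside a sliding window, every packet from it is
    dropped until its count falls back under the threshold (window assumed 1 s)."""
    recent, actions = defaultdict(deque), []
    for t, src in packets:
        q = recent[src]
        q.append(t)
        while q[0] <= t - window:
            q.popleft()
        actions.append((t, src, "drop" if len(q) > max_per_window else "forward"))
    return actions

def build_baseline(flows, top_n=200):
    """Baseline from yesterday's flows (src_ip, proto, bytes): bytes per /24 for
    the top_n source /24s, and bytes per protocol."""
    per_src, per_proto = Counter(), Counter()
    for ip, proto, nbytes in flows:
        per_src[slash24(ip)] += nbytes
        per_proto[proto] += nbytes
    return dict(per_src.most_common(top_n)), dict(per_proto)

def baseline_enforce(flows, baseline, factor=5.0):
    """Return the /24s and protocols whose volume today exceeds factor x yesterday's
    and so would be rate-limited. factor is an assumed knob (the slide only says
    'deviates substantially'); sources with no history are not judged here."""
    src_base, proto_base = baseline
    per_src, per_proto = Counter(), Counter()
    for ip, proto, nbytes in flows:
        per_src[slash24(ip)] += nbytes
        per_proto[proto] += nbytes
    bad_src = {p: b for p, b in per_src.items() if p in src_base and b > factor * src_base[p]}
    bad_proto = {p: b for p, b in per_proto.items() if p in proto_base and b > factor * proto_base[p]}
    return bad_src, bad_proto

# Constructed sample flows (not real traffic).
YESTERDAY = [("10.1.2.3", "tcp", 5000), ("10.1.2.9", "tcp", 3000), ("10.9.0.5", "udp", 1000)]
TODAY = [("10.1.2.3", "tcp", 6000), ("10.9.0.5", "udp", 9000),
         ("10.9.0.7", "udp", 4000), ("10.5.5.5", "icmp", 99999)]
```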

DNS Tracking

• New feature to monitor DNS request streams

• Deployed on a span port or off of a link tap at data-center

• Monitors DNS requests and generates alerts when request rates deviate from baseline

DNS Queries

• Track the top requested registered domain names over time

• Track the top requested fully qualified domain names over time

• Drilldown on the hosts making the most requests

Questions or Comments

John Hicks

Indiana [email protected]