Investigation of the Regional Internet Infrastructure Resilience

Dr. Rytis Rainys
At 9th ETSI Security workshop
16 Jan 2014, Sophia Antipolis, FR

Investigation of the Regional Internet Infrastructure ...docbox.etsi.org/Workshop/2014/201401_SECURITY... · DDoS ‐> hostex.lt Attack took place in pieces Traffic 6 Gbit/s 05 22


Lithuanian scope of cyber security actions

Awareness raising
• Early warning system
o Info flow through the media/web/seminars

Incidents management
• National CERT-LT function
o Hot-line

Networks resilience
• Mapping Internet topology
o Critical internet infrastructure assessment
o Monitoring critical network components

Digital signature
• Qualified Certificate Service Providers supervision
o Compatibility
o Usability


Incidents statistics

The amount of incidents is growing
• More than 25 thousand a year

Incidents by type
• System compromise type of incidents is increasing up to 43 %

Botnet
• Around 4000 unique IPs in LT detected each day involved in botnet activities
• 09-09-2013 botnet control server neutralized in LT that controlled 5400 bots


Major media cyber attacks in 2013

DDoS -> delfi.lt
• Traffic 1,4 Gbit/s
• ~1000 source IP

DDoS -> hostex.lt
• Attack took place in pieces
• Traffic 6 Gbit/s
• Hostex clients have access

2 h out LT / 1,5 day out international
25GB logs file

[Timeline: 05-22 to 06-02]

DDoS -> 15min.lt
• Traffic 0,5 Gbit/s
• Max throughput not reached

SQL injection -> kaunas.lt
• Control of resources
• Redirection to another web

DDoS type of incidents statistics
• DDoS 61 by 2012, more than 130 in 2013
• The amount of incidents in numbers makes more worries than particular media DDoS case

[Chart: DDoS per year, 2009 to 2013]


Challenges for the Internet Infrastructure

Internet is very complex and very big
o some 40,000 ASes and some 360,000 prefixes (IPv4)
o Internet infrastructure is shaped without a systematic project
o few networks connect directly — most connect indirectly

The fundamental questions for regional network resilience:
o Do we know overall country network infrastructure?
o Do we know how complex network infrastructure is?
o Do we know how interconnection and the connection to the internet backbone is performed?
o Transit/peering connections distribution?

…lack of data (traffic, capacity, alternative routes, …)
…shortage of metrics


National internet resilience assessment

The main priority of the Lithuanian survey is to evaluate the resilience of the national Internet network infrastructure.
In order to reach the objective, the following tasks must be resolved:
• Description of the model of the Lithuanian Internet network topology
• Identification of critical network interconnection nodes
• Development of the core of Lithuanian Internet monitoring model

Topology assessment presented important findings
• 109 Lithuania’s ISPs, 40 autonomous systems, ~590 interconnections, etc.
• According to the formed classification of the AS and connection links, the Customer AS type (81 %) and peering links between AS (76 %) were identified as the most widespread within the Lithuanian internet network

Type of connection    Amount    Proportion, %
Peering               373       76
Transit               117       24


Mapping national internet

Topology data and network visualization
• SQL database created and correlated with incident management system


Critical components of internet infrastructure

With the new metrics critical national internet resources were identified
• The method used selecting those critical internet resources: domain names, IP addresses, IP address ranges, routes and autonomous systems (AS)

Internet resources were linked with national critical infrastructures and its information systems on the internet
1. ICT sector
2. Governmental sector
3. Finance sector
4. Energy sector
5. Health sector
6. Water and food supply
7. Transport sector


Critical components of internet infrastructure

Critical infrastructure objects information collection scheme
• Data collection performed every day (mostly from public source):


Automatic data collection module

[Diagram labels: RIPE, Real BGP table; Data collection on daily basis; All LT; Only related with url and root dns ns; URLs list; Root DNS ns list; HTTP status codes; Domain; IP address; DNS NS; DNS NS IP address; Route; Route path; Inetnum; ASN; Upstream ASN; DB]


Automatic data collection results

Lithuania’s Internet infrastructure
● ASN (LT) – 101
● ASN (upstream) – 38
● Internet IP range (inetnum) – 4718
● Routes – 1005
● Root dns ns – 5

Lithuania’s critical Internet infrastructure (website ~300)
● Subdomain/Domain – 91
● Root dns ns – 5
● DNS ns – 61
● IP address – 155
● Internet IP range (inetnum) – 61
● Routes – 42
● ASN (LT) – 18
● ASN (upstream) – 38


Priority. National internet resilience

Example: Critical electronic services infrastructure (from URL->ISP->transit ISP)
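
The URL -> ISP -> transit ISP chain named above can be walked mechanically once the collected records are in one place. The following is an added example, not code from the presentation or from the LITIS system: it maps each critical service and its DNS NS hosts to a route, ASN and upstream ASN, then reports which upstream ASNs the services concentrate on. All hostnames, prefixes and ASNs are constructed, and the function names are assumptions; inetnum lookup is left out.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation prefixes, private-use ASNs). In a real
# collector these would come from DNS lookups and a BGP table dump.
DNS_A = {"portal.example.lt": "192.0.2.10", "bank.example.lt": "198.51.100.20",
         "ns1.example.lt": "192.0.2.53", "ns2.example.lt": "203.0.113.53"}
DNS_NS = {"portal.example.lt": ["ns1.example.lt", "ns2.example.lt"],
          "bank.example.lt": ["ns1.example.lt"]}
BGP_TABLE = {  # route -> route path (AS path, origin ASN last)
    "192.0.2.0/23": [64501, 64513],      # less specific, loses to the /24
    "192.0.2.0/24": [64500, 64510],
    "198.51.100.0/24": [64500, 64511],
    "203.0.113.0/24": [64501, 64512],
}

def route_for(ip):
    """Longest-prefix match of an IP address against the BGP table."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, BGP_TABLE) if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

def chain(host):
    """Host -> IP address -> route -> ASN -> upstream ASN."""
    ip = DNS_A[host]
    route = route_for(ip)
    path = BGP_TABLE.get(route, [])
    return {"host": host, "ip": ip, "route": route,
            "asn": path[-1] if path else None,
            "upstream": path[-2] if len(path) > 1 else None}

def dependencies(service):
    """Records for the service host and for each of its DNS NS hosts."""
    return [chain(service)] + [chain(ns) for ns in DNS_NS.get(service, [])]

def upstream_concentration(services):
    """Upstream ASN -> critical services that depend on it."""
    out = defaultdict(set)
    for svc in services:
        for rec in dependencies(svc):
            out[rec["upstream"]].add(svc)
    return dict(out)

def single_upstream(services):
    """Services whose web host and DNS NS all sit behind one upstream ASN."""
    return [s for s in services
            if len({r["upstream"] for r in dependencies(s)}) == 1]

if __name__ == "__main__":
    svcs = list(DNS_NS)
    print(upstream_concentration(svcs), single_upstream(svcs))
```

A service listed by `single_upstream` has no path diversity: losing that one upstream takes out both its web host and its name servers.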


Priority. National internet resilience

Monitoring of critical national internet infrastructure
• Monitoring critical object from inside network (BGP protocol event based)
• Monitoring critical object from inside network (e.g. ping based)
• Monitoring critical object from outside network (sensors based)

BGP monitoring system
[Diagram labels: LITIS db; BGP feed; All LT Routes and Critical routes; Analysis system; Route path; update route; Warnings; Alert system; Create alert; Time trigger]
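
One way the event-based BGP monitoring above can work, as an added example that is not the LITIS implementation: BGP feed events are compared with a baseline of critical routes, path changes become warnings or alerts, and a time trigger raises an alert only when a critical route stays withdrawn longer than a hold period. The baseline, the feed, the 300 s hold value and the function name are constructed assumptions.

```python
HOLD = 300  # assumed time trigger, seconds a critical route may stay withdrawn

# Constructed baseline standing in for the critical routes held in the database.
CRITICAL = {"192.0.2.0/24": {"origin": 64510, "upstream": 64500},
            "198.51.100.0/24": {"origin": 64511, "upstream": 64500}}

# Constructed feed: (unix time, "A" announce or "W" withdraw, route, route path)
FEED = [
    (1000, "W", "192.0.2.0/24", []),
    (1060, "A", "192.0.2.0/24", [64501, 64510]),    # back in 60 s, new upstream
    (1100, "A", "203.0.113.0/24", [64501, 64512]),  # not a critical route
    (1200, "W", "198.51.100.0/24", []),             # never comes back
    (1900, "A", "192.0.2.0/24", [64500, 64666]),    # different origin ASN
]

def analyse(feed, now, critical=CRITICAL, hold=HOLD):
    """Return (warnings, alerts) for critical routes as of time `now`."""
    withdrawn, warnings, alerts = {}, [], []
    for ts, kind, route, path in sorted(feed, key=lambda e: e[0]):
        if route not in critical or ts > now:
            continue
        if kind == "W":
            withdrawn.setdefault(route, ts)  # keep the first withdrawal time
            continue
        down = withdrawn.pop(route, None)
        if down is not None and ts - down >= hold:
            alerts.append((down, route, "withdrawn %ds" % (ts - down)))
        base = critical[route]
        if not path:
            continue
        if path[-1] != base["origin"]:
            alerts.append((ts, route, "origin changed to AS%d" % path[-1]))
        elif len(path) > 1 and path[-2] != base["upstream"]:
            warnings.append((ts, route, "upstream changed to AS%d" % path[-2]))
    for route, down in withdrawn.items():  # time trigger on open withdrawals
        if now - down >= hold:
            alerts.append((down, route, "withdrawn %ds" % (now - down)))
    return warnings, alerts

if __name__ == "__main__":
    for item in analyse(FEED, now=2000):
        print(item)
```

The hold period keeps a short route flap from paging anyone, while an origin change is alerted at once because it can mean either a planned re-homing or a misoriginated prefix.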


Future works

What is in place:
• LITIS and CERT-LT incidents handling systems correlation
• Automatic data collecting module (critical service url list, RIPE, RIS)
• Real-time monitoring subsystem
o based BGP protocol
o based ICMP protocol (ping)
o based HTTP response status codes

What we are busy with:
• Visualization subsystem
• Real-time monitoring subsystem (based WEB content)
• Report generation subsystem

Next stage:
• Update to the internet content (hosting, clouds) providers
• Traffic analysis and threat detection subsystem


More information

Institution websites
• http://www.rrt.lt/en
• http://www.cert.lt/en

Contacts
Dr. Rytis Rainys
Communications Regulatory Authority of the Republic of Lithuania
Director of Network and Information Security Department
Algirdo 27A, LT-03219 Vilnius, Lithuania
Phone +370 5 210 56 34, Mob. +370 611 14018, Fax +370 5 216 15 64
e-mail: [email protected]