Investigation of the Regional Internet Infrastructure Resilience
Dr. Rytis Rainys
At 9th ETSI Security workshop
16 Jan 2014, Sophia Antipolis, FR
Lithuanian scope of cyber security actions
Awareness raising
• Early warning system
• Info flow through the media/web/seminars
Incidents management
• National CERT-LT function
• Hot-line
Networks resilience
• Mapping Internet topology
• Critical internet infrastructure assessment
• Monitoring critical network components
Digital signature
• Qualified Certificate Service Providers supervision
• Compatibility
• Usability
Incidents statistics
The amount of incidents is growing
• More than 25 thousand a year
Incidents by type
• System compromise incidents are increasing, up to 43 %
Botnet
• Around 4000 unique IPs in LT detected each day involved in botnet activities
• 09-09-2013: a botnet control server that controlled 5400 bots was neutralized in LT
Major media cyber attacks in 2013
DDoS -> delfi.lt
• Traffic 1,4 Gbit/s
• ~1000 source IP
DDoS -> hostex.lt
• Attack took place in pieces
• Traffic 6 Gbit/s
• 2 h out LT / 1,5 day out international
• 25GB logs file
• Hostex clients have access
[Figure: attack timeline, 05-22 to 06-02]
DDoS -> 15min.lt
• Traffic 0,5 Gbit/s
• Max throughput was not reached
SQL injection -> kaunas.lt
• Control of resources
• Redirection to another website
DDoS type of incidents statistics
• DDoS 61 by 2012, more than 130 in 2013
• The overall number of incidents is more worrying than any particular media DDoS case
[Chart: DDoS per year, 2009 to 2013]
Challenges for the Internet Infrastructure
Internet is very complex and very big
o some 40,000 ASes and some 360,000 prefixes (IPv4)
o Internet infrastructure is shaped without a systematic project
o few networks connect directly — most connect indirectly
The fundamental questions for regional network resilience:
o Do we know overall country network infrastructure?
o Do we know how complex network infrastructure is?
o Do we know how interconnection and the connection to the internet backbone is performed?
o Transit/peering connections distribution?
…lack of data (traffic, capacity, alternative routes, …)
…shortage of metrics
National internet resilience assessment
The main priority of the Lithuanian survey is to evaluate the resilience of the national Internet network infrastructure.
In order to reach the objective, the following tasks must be resolved:
• Description of the model of the Lithuanian Internet network topology
• Identification of critical network interconnection nodes
• Development of the core of Lithuanian Internet monitoring model
Topology assessment presented important findings
• 109 Lithuanian ISPs, 40 autonomous systems, ~590 interconnections, etc.
• According to the formed classification of the AS and connection links, the Customer AS type (81 %) and peering links between AS (76 %) were identified as the most widespread within the Lithuanian internet network
Type of connection | Amount | Proportion, %
Peering | 373 | 76
Transit | 117 | 24
Mapping national internet
Topology data and network visualization
• SQL database created and correlated with incident management system
Critical components of internet infrastructure
With the new metrics, critical national internet resources were identified
• Critical internet resources selected by the method: domain names, IP addresses, IP address ranges, routes and autonomous systems (AS)
Internet resources were linked with national critical infrastructures and their information systems on the internet
1. ICT sector
2. Governmental sector
3. Finance sector
4. Energy sector
5. Health sector
6. Water and food supply
7. Transport sector
Critical components of internet infrastructure
Critical infrastructure objects information collection scheme
• Data collection performed every day (mostly from public sources)
[Diagram: automatic data collection module. Labels: URLs list; Root DNS ns list; RIPE, real BGP table; data collection on daily basis; scopes "All LT" and "Only related with url and root dns ns"; collected fields: HTTP status codes, Domain, IP address, DNS NS, DNS NS IP address, Route, Route path, Inetnum, ASN, Upstream ASN; DB]
Automatic data collection results
Lithuania’s Internet infrastructure
● ASN (LT) – 101
● ASN (upstream) – 38
● Internet IP range (inetnum) – 4718
● Routes – 1005
● Root dns ns - 5
Lithuania’s critical Internet infrastructure (website ~300)
● Subdomain/Domain - 91
● Root dns ns – 5
● DNS ns – 61
● IP address – 155
● Internet IP range (inetnum) – 61
● Routes – 42
● ASN (LT) – 18
● ASN (upstream) – 38
Priority. National internet resilience
Example: Critical electronic services infrastructure (from URL->ISP->transit ISP)
Priority. National internet resilience
Monitoring of critical national internet infrastructure
• Monitoring critical object from inside network (BGP protocol event based)
• Monitoring critical object from inside network (e.g. ping based)
• Monitoring critical object from outside network (sensors based)
BGP monitoring system
[Diagram labels: LITIS db; BGP feed; All LT routes and critical routes; Analysis system; Route path; Update route; Warnings; Alert system; Create alert; Time trigger]
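The comparison that the BGP monitoring system makes between stored critical routes and the live BGP feed can be sketched as follows. This is an added example, not code from the presentation or from LITIS; the baseline layout, the event tuples and the warning names are assumptions, and all prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

# Constructed baseline (stand-in for critical routes in the LITIS db): prefix -> expected origin AS and upstream ASes.
BASELINE = {
    "192.0.2.0/24":    {"origin": 64500, "upstreams": {64496, 64497}},
    "198.51.100.0/24": {"origin": 64501, "upstreams": {64496}},
}

# Constructed BGP feed events: (A=announce / W=withdraw, prefix, AS path).
FEED = [
    ("A", "192.0.2.0/24",    [64510, 64496, 64500]),  # matches the baseline
    ("A", "192.0.2.0/24",    [64510, 64499, 64500]),  # reached through a new upstream
    ("A", "198.51.100.0/24", [64510, 64496, 64502]),  # announced by a different origin
    ("A", "192.0.2.128/25",  [64510, 64498, 64503]),  # more specific of a critical route
    ("W", "198.51.100.0/24", []),                     # critical route withdrawn
    ("A", "203.0.113.0/24",  [64510, 64496, 64504]),  # not critical, ignored
]

def covering_critical(prefix, baseline):
    """Return the critical prefix equal to or covering `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    for crit in baseline:
        c = ipaddress.ip_network(crit)
        if net.version == c.version and net.subnet_of(c):
            return crit
    return None

def analyse(feed, baseline):
    """Compare each feed event with the baseline and return a list of warnings."""
    warnings = []
    for kind, prefix, path in feed:
        crit = covering_critical(prefix, baseline)
        if crit is None:
            continue
        if kind == "W":
            if prefix == crit:
                warnings.append(("WITHDRAWN", prefix, None))
            continue
        origin, upstream = path[-1], (path[-2] if len(path) > 1 else None)
        if prefix != crit:
            warnings.append(("MORE_SPECIFIC", prefix, origin))
        elif origin != baseline[crit]["origin"]:
            warnings.append(("ORIGIN_CHANGE", prefix, origin))
        elif upstream not in baseline[crit]["upstreams"]:
            warnings.append(("UPSTREAM_CHANGE", prefix, upstream))
    return warnings

if __name__ == "__main__":
    print(*analyse(FEED, BASELINE), sep="\n")
```

Each warning tuple is what would be handed to the alert system; a more-specific announcement inside a critical prefix is reported even when the exact critical route is unchanged.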
Future works
What is in place:
• Correlation of the LITIS and CERT-LT incident handling systems
• Automatic data collecting module (critical service url list, RIPE, RIS)
• Real-time monitoring subsystem
o based on BGP protocol
o based on ICMP protocol (ping)
o based on HTTP response status codes
What we are busy with:
• Visualization subsystem
• Real-time monitoring subsystem (based on WEB content)
• Report generation subsystem
Next stage:
• Update to the internet content (hosting, clouds) providers
• Traffic analysis and threat detection subsystem
More information
Institution websites
• http://www.rrt.lt/en
• http://www.cert.lt/en
Contacts
Dr. Rytis Rainys
Communications Regulatory Authority of the Republic of Lithuania
Director of Network and Information Security Department
Algirdo 27A, LT-03219 Vilnius, Lithuania
Phone +370 5 210 56 34, Mob. +370 611 14018, Fax +370 5 216 15 64
e-mail: [email protected]