Network Security in NKN - Fourth Annual NKN Workshop 2015, ...


Network Security in NKN

AGENDA

► DDOS—What Is It?
► Examples of DDOS
► Collateral Damage
► Origin of BOTNETs
► How BOTNETs are Created
► BOTNET Uses
► BOTNET Mitigation Options

National Knowledge Network, Page 2

Denial of Service and ISPs

[Figure: a Hacker sends control traffic to Masters, which direct Zombies to send attack traffic toward the Victim (web server) at the customer's premises (server/FW/switch/router); the flooded pipe at the ISP edge router is captioned "Drinking From The Fire Hose".]

Slide Courtesy of

DDoS Step 1: Crack Handlers and Agents

► Crack a huge number of innocent but unprotected hosts…
► Using well known vulnerabilities
► Manually or through use of automated tools

[Figure: Attacker, Innocent Handler, Innocent Agents.]

DDoS Step 2: Install Trojan & Covert Communication Channel

► Use FTP handler and agent programs on all cracked hosts
► Create a hierarchical covert channel using innocent-looking ICMP packets whose payload contains DDOS commands; some DDOS tools further encrypt the payload...

[Figure: Attacker, Innocent Handler, Innocent Agents.]

DDoS Step 3: Launch the Attack

[Figure: the Attacker sends "Attack Alice NOW!" to the Innocent Handler, which relays "Attack Alice NOW!" to the Innocent Agents; the agents flood the Victim (A).]

Distributed Denial of Service

[Figure: Zombies on innocent computers send attack traffic over a peering link into the ISP backbone (AS 24) and on through the ISP edge to the Enterprise.]

Slide Courtesy of

SYN Attack

[Figure: three hosts B, A and C. C sends SYN requests to A while masquerading as B (labels: syn rqst, synack, Client, Server).]

► A allocates a kernel resource for handling the starting connection
► No answer from B… 120 sec timeout
► Free the resource
► Denial of Service: kernel resources exhausted

TCP SYN Flood

[Figure: Zombies send spoofed syn rqst packets to the Victim; the Victim answers synack and its waiting buffer overflows.]

One of the first CERT DDoS advisories issued – 9/1996
► http://www.cert.org/advisories/CA-1996-21.html

Result of netstat -a on target host:

    TCP
    Local Address        Remote Address       State
    -------------------- -------------------- -------
    *.*                  *.*                  IDLE
    *.sunrpc             *.*                  LISTEN
    *.ftp                *.*                  LISTEN
    *.telnet             *.*                  LISTEN
    *.finger             *.*                  LISTEN
    target.telnet        10.10.10.11.41508    SYN_RCVD
    target.telnet        10.10.10.12.41508    SYN_RCVD
    target.telnet        10.10.10.13.41508    SYN_RCVD
    target.telnet        10.10.10.14.41508    SYN_RCVD
    target.telnet        10.10.10.10.41508    SYN_RCVD
    target.telnet        10.10.10.15.41508    SYN_RCVD
    target.telnet        10.10.10.16.41508    SYN_RCVD
    target.telnet        10.10.10.17.41508    SYN_RCVD
    target.telnet        10.10.10.18.41508    SYN_RCVD
    target.telnet        10.10.10.19.41508    SYN_RCVD
    target.telnet        10.10.10.20.41508    SYN_RCVD
    *.*                  *.*                  IDLE

Once the Connection Queue Is Full of Waiting-to-Be-Completed Connections, No More Connections Can Be Accepted on the Target Port

Result of netstat -a on target host: the same listing as above, every entry for target.telnet stuck in SYN_RCVD.
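As an added example (not part of the NKN deck), a small Python checker that parses a Solaris-style netstat -a listing like the one above, counts half-open (SYN_RCVD) entries per listening socket and flags listeners whose queue is near the SYN backlog. The sample listing, the backlog size and the 192.0.2.7 entry are constructed; the check also reports when all half-open remotes share one source port, as the 10.10.10.x entries on the slide do.

```python
import re

# Constructed sample modelled on the netstat -a listing in the deck
# (Solaris format: local address, remote address, state).
NETSTAT_SAMPLE = """\
TCP
   Local Address        Remote Address       State
-------------------- -------------------- -------
      *.*                  *.*                IDLE
      *.telnet             *.*                LISTEN
target.telnet        10.10.10.11.41508    SYN_RCVD
target.telnet        10.10.10.12.41508    SYN_RCVD
target.telnet        10.10.10.13.41508    SYN_RCVD
target.telnet        10.10.10.14.41508    SYN_RCVD
target.telnet        10.10.10.15.41508    SYN_RCVD
target.ssh           192.0.2.7.50123      ESTABLISHED
"""

# One socket row: local, remote, state. Header and separator rows do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s*$")

def parse_netstat(text):
    """Return (local, remote, state) tuples from a netstat -a listing."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def half_open_remotes(text):
    """Map each local socket to the remote endpoints stuck in SYN_RCVD."""
    remotes = {}
    for local, remote, state in parse_netstat(text):
        if state == "SYN_RCVD":
            remotes.setdefault(local, []).append(remote)
    return remotes

def flood_report(text, backlog=128, warn_fraction=0.5):
    """Flag listeners whose half-open queue is at or above warn_fraction of
    the SYN backlog (backlog is an assumed per-listener queue size, not read
    from the host). Returns {local: (half_open, distinct_hosts, one_src_port)}:
    many distinct hosts all using one source port suggests a scripted flood."""
    report = {}
    for local, seen in half_open_remotes(text).items():
        if len(seen) >= backlog * warn_fraction:
            hosts = {r.rsplit(".", 1)[0] for r in seen}   # strip the port
            ports = {r.rsplit(".", 1)[1] for r in seen}
            report[local] = (len(seen), len(hosts), len(ports) == 1)
    return report

if __name__ == "__main__":
    print(flood_report(NETSTAT_SAMPLE, backlog=8))   # {'target.telnet': (5, 5, True)}
```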

Cleaning Center Design

0. Pre-setup

[Figure: cleaning centre topology. Traffic path: Internet, Peering Edge, Core, Provider Edge, NKN Member Institute (Customer Server). Regional Scrubbing Centre: DDoS Collector Device, DDoS Mitigation Device, Cleaning Centre GW; Netflow/SNMP reaches the collector via the DCN.]

1. NKN Member Institute Managed Object (MO) configured in CP.

1. Peace Time

[Figure: cleaning centre topology as in the design slide.]

2. Traffic destined to NKN Member Institute server via normal route.

2. Attack Starts

[Figure: cleaning centre topology as in the design slide; attack traffic arrives from the Internet toward the Customer Server.]

3. NKN Member Institute server is under DDOS attack!

DDOS System detects anomaly

[Figure: cleaning centre topology as in the design slide; attack traffic continues toward the NKN Member Edge while Netflow/SNMP reaches the DDoS Collector Device via the DCN.]

4. DDoS CP/FS detects anomaly via Netflow.

4. DDoS System draws routes to Cleaning Centre

[Figure: cleaning centre topology as in the design slide; attack traffic is diverted from the core to the Regional Scrubbing Centre.]

5. TMS makes more specific route announcement to CCGW (Cleaning Centre GW).
6. CCGW sends iBGP update.
7. Traffic diversion to scrubbing centre.

5. DDoS System scrubs and re-injects clean traffic

[Figure: cleaning centre topology as in the design slide; attack traffic enters the Regional Scrubbing Centre and clean traffic leaves it toward the Customer Server.]

8. TMS scrubs traffic and sends clean traffic to CCGW.

6. Attack stops

[Figure: cleaning centre topology as in the design slide; traffic follows the normal route again.]

9. DDoS CP/FS detects attack has subsided, stops mitigation.
10. TMS withdraws route.
11. CCGW sends iBGP update.
12. Traffic destined to NKN Member Institute server via normal route again.

DATA FLOW
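The diversion and withdrawal steps of the data flow above, replayed as an added Python example (not part of the NKN deck or its equipment): a minimal longest-prefix-match table stands in for the provider-edge RIB and shows why a more specific host route from the TMS pulls only the victim's traffic to the scrubbing centre while the rest of the member institute's prefix keeps its normal route, and how withdrawing it restores the original path. The /24 and host addresses, the choice of a /32 as the "more specific" route, and the next-hop names are constructed.

```python
import ipaddress

class Rib:
    """Minimal longest-prefix-match routing table (constructed stand-in for
    the PE router's BGP RIB; it keeps a single next hop per prefix)."""

    def __init__(self):
        self.routes = {}  # ip_network -> next-hop name

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest matching prefix wins, so a /32 beats the covering /24."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

def diversion_trace(member_prefix, victim, neighbour, member_edge, ccgw):
    """Replay the deck's data flow for the victim server and a neighbouring
    host in the same member prefix. Returns the next hop chosen for (victim,
    neighbour) at three stages: peace time, during diversion, after withdrawal."""
    rib = Rib()
    # Steps 1-2: peace time, the member prefix is reachable via its own edge.
    rib.announce(member_prefix, member_edge)
    peace = (rib.lookup(victim), rib.lookup(neighbour))
    # Steps 5-7: TMS announces a more specific host route via the CCGW; the
    # CCGW's iBGP update makes the PE divert only the victim's traffic.
    host_route = f"{victim}/32"
    rib.announce(host_route, ccgw)
    diverted = (rib.lookup(victim), rib.lookup(neighbour))
    # Steps 10-12: TMS withdraws the /32 and the next iBGP update restores
    # the normal route for the victim as well.
    rib.withdraw(host_route)
    restored = (rib.lookup(victim), rib.lookup(neighbour))
    return peace, diverted, restored

if __name__ == "__main__":
    stages = diversion_trace("198.51.100.0/24", "198.51.100.10",
                             "198.51.100.20", "member-edge", "ccgw")
    for name, hops in zip(("peace", "diverted", "restored"), stages):
        print(f"{name:9} victim -> {hops[0]:12} neighbour -> {hops[1]}")
```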


Thank You

WWW.NKN.IN
