FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks

Posted on 06-Jul-2015

Category: Technology

DESCRIPTION

The network is a key component in application delivery and is often a direct or indirect target of security attacks such as DDoS and BGP hijacking. Mitigation strategies often involve using a third-party cloud service without any visibility into whether the mitigation is working well. Using real-life examples, we will show how one can measure the user-perceived impact of an ongoing attack, as well as identify which aspects of the mitigation are not working as desired. With this detailed availability and performance data at the various layers, financial firms can learn how to better manage ongoing attacks.

Transcript

Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and BGP Hijacks

Mohit Lad, CEO, ThousandEyes

About ThousandEyes

What We Do

•  Network performance management designed for today’s dynamic and complex networks
•  Used by 4 of the world’s top banks
•  Founded in 2010 with an HQ in San Francisco, CA and a London office
•  Recognized by Gartner and EMA

Our Customers’ Stories

•  Reduced time to troubleshoot globally load balanced infrastructure
•  Improved customer experience during the Brazil World Cup
•  Solved multi-week support issue due to an ISP cable cut in Asia

Today’s Cyber Threat Landscape

•  Increasing size, frequency and severity of attacks
•  Exposure via external vendors (DNS, CDN, ISPs)
•  Greater complexity of corporate networks
•  Increasing importance of network for business operations

More Networks Connected to the Internet

(chart: Global Routing Table Growth; Source: CIDR Report)

More Devices Connected to the Internet

(chart: Unique IP Addresses Observed, in millions, IPv4 and IPv6, 2007 through 2014; Source: Akamai State of the Internet Reports, Q2 2010-14; Akamai blog)

Attack Volume Rising

Size of DDoS Attacks Increasing 50% YoY

Source: Verizon Data Breach Report 2014

(chart: DDoS attack volume by quarter, Q4 12 through Q2 14; Source: Akamai State of the Internet Q2 2014)

Major Attacks in 2014

•  February: Bitstamp
•  April: UltraDNS
•  August: PlayStation Network, Blizzard

Three Network Security Threats We’ll Cover

BGP Hijacks, DNS Poisoning, DDoS Attacks

BGP Hijacks

A Primer on BGP Hijacks

(diagram: autonomous systems AS 14340 Salesforce, AS 2914 NTT, AS 7018 AT&T, AS 3356 Level3 and AS 4761 Indosat, each with a border router; arrows show the traffic path)

•  Salesforce advertises routes among BGP peers to upstream ISPs
•  Salesforce.com advertises prefix 96.43.144.0/22
•  AT&T receives route advertisements to Salesforce via Level3 and NTT

A Primer on BGP Hijacks

(diagram: the same autonomous systems; the traffic path from AT&T now ends at AS 4761 Indosat)

•  Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes
•  AT&T now directs Salesforce-destined traffic to Indosat: nothing in BGP itself checks that Indosat is entitled to originate the prefix, so AT&T simply installs whichever announcement its decision process prefers (for example the one with the shorter AS path)

BGP Hijack: Normal Routes to PayPal

(path visualization: PayPal / Akamai prefix, originated by the Akamai Autonomous System, reached via Comcast upstream)

BGP Hijack: Routes Advertised from Indosat

(path visualization: PayPal / Akamai prefix; correct Autonomous System versus hijacked Autonomous System; locations with completely hijacked routes highlighted)

BGP Hijack: PCCW Has No Routes to PayPal

PCCW network only connected to Indosat, not to Akamai / PayPal

BGP Hijack: Causing All Traffic to Drop

Traffic transiting PCCW has no routes and terminates
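The route selection behind the primer and the PCCW black hole, as an added example that is not part of the original deck or of ThousandEyes’ own tooling: a toy BGP decision process (longest prefix match, then shortest AS path; local preference, MED and router-id tie-breaks are left out) run over constructed routing tables for the autonomous systems named in the slides. The PCCW ASN (3491), the per-AS tables and the destination addresses are assumptions made for the illustration. It goes slightly beyond the slides by also showing a more-specific /23 hijack, which wins everywhere regardless of AS-path length and therefore captures only the half of the /22 it covers.

```python
"""Toy model of BGP best-path selection showing how a hijacked prefix diverts
and black-holes traffic. Constructed example; not from the original deck.
Only longest-prefix match and AS-path length are modelled; real routers also
apply local preference, MED, IGP cost and router-id tie-breaks."""
import ipaddress
from dataclasses import dataclass

SALESFORCE, NTT, ATT, LEVEL3, INDOSAT = 14340, 2914, 7018, 3356, 4761
PCCW = 3491  # assumed ASN for the PCCW transit network in this example
SF_PREFIX = ipaddress.ip_network("96.43.144.0/22")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # next-hop AS first, origin AS last; () = originated locally


def best_route(rib, dst):
    """Longest prefix match, then shortest AS path, then a lexical tie-break."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if addr in r.prefix]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen, len(r.as_path), r.as_path))


def trace(tables, start_as, dst, owner_as, max_hops=16):
    """Forward hop by hop; return (outcome, [AS hops]). 'blackholed' means the
    packet reached an AS that claims to originate the prefix but is not its owner."""
    hops, asn = [], start_as
    while len(hops) < max_hops:
        hops.append(asn)
        route = best_route(tables.get(asn, []), dst)
        if route is None:
            return "dropped", hops          # no route at all: packet discarded
        if not route.as_path:
            return ("delivered" if asn == owner_as else "blackholed"), hops
        asn = route.as_path[0]
    return "loop", hops


def build_tables(hijack_prefix=None):
    """Constructed per-AS routing tables; hijack_prefix, if given, is also
    originated by Indosat and heard directly by AT&T and PCCW."""
    tables = {
        SALESFORCE: [Route(SF_PREFIX, ())],
        LEVEL3: [Route(SF_PREFIX, (SALESFORCE,))],
        NTT: [Route(SF_PREFIX, (SALESFORCE,))],
        ATT: [Route(SF_PREFIX, (LEVEL3, SALESFORCE)), Route(SF_PREFIX, (NTT, SALESFORCE))],
        PCCW: [Route(SF_PREFIX, (NTT, SALESFORCE))],
        INDOSAT: [],
    }
    if hijack_prefix is not None:
        bad = ipaddress.ip_network(hijack_prefix)
        tables[INDOSAT].append(Route(bad, ()))        # Indosat claims to originate it
        tables[ATT].append(Route(bad, (INDOSAT,)))    # one-AS path beats the two-AS paths
        tables[PCCW].append(Route(bad, (INDOSAT,)))
    return tables


def scenario(hijack_prefix, dst="96.43.144.10"):
    """Outcome for traffic to dst from AT&T and from PCCW under a given hijack."""
    tables = build_tables(hijack_prefix)
    return {asn: trace(tables, asn, dst, SALESFORCE) for asn in (ATT, PCCW)}


if __name__ == "__main__":
    for label, prefix, dst in (("normal", None, "96.43.144.10"),
                               ("same /22 hijacked", "96.43.144.0/22", "96.43.144.10"),
                               ("/23 hijacked, inside", "96.43.144.0/23", "96.43.144.10"),
                               ("/23 hijacked, outside", "96.43.144.0/23", "96.43.146.10")):
        print(label, scenario(prefix, dst))
```

The same-length hijack only wins where the hijacker’s announcement is preferred by policy; the more-specific one wins everywhere, which is why monitoring for new more-specifics of your own blocks is listed later in the deck as a key capability.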

DDoS Attacks

Network Topology of a DDoS Attack

Attackers flood your web service from around the world

(diagram: YourBank.com inside the Enterprise; attack sources across the Internet in Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney)

DDoS Mitigation Strategy 1: On-Premises

Appliance at network edge monitors and mitigates application-layer attacks. It can only act on traffic that reaches it, so a volumetric attack that saturates the upstream link defeats it before it sees a packet.

(diagram: On-Premises DDoS Mitigation Appliance between the Internet and the Enterprise; same attack sources)

DDoS Mitigation Strategy 2: ISP Collaboration

Attack traffic is routed by ISPs to a remote-triggered black hole. A black hole discards all traffic for the targeted address, legitimate included; it protects the rest of your network and the ISP’s links at the cost of the address under attack.

(diagram: ISP 1 and ISP 2 upstream of the Enterprise, with a Remote-Triggered Black Hole inside the ISP networks; same attack sources)

DDoS Mitigation Strategy 3: Cloud-Based

Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network. With DNS-based redirection the origin addresses stay directly reachable, so they must be filtered to accept traffic only from the scrubbing center, or an attacker who knows them bypasses the mitigation.

(diagram: Scrubbing Center between the Internet and the Enterprise; same attack sources)

Why Monitor DDoS Attacks

•  Global Availability
•  Mitigation Deployment
•  Mitigation Performance
•  Vendor Collaboration

DDoS Attack: Drop in Global Availability

•  Global availability issues
•  Problems at TCP connection and HTTP receive phases
•  Availability dip to 0%
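How the per-phase breakdown on this slide is computed, as an added example that is not code from the deck or from ThousandEyes: probe results from several vantage points are reduced to an availability percentage and to a count of failures by the first phase of the HTTP fetch that did not complete, which is what tells a volumetric attack (TCP connect never completes) apart from an application-layer one (TCP accepted, HTTP response never arrives). The record layout, the agent names and the sample results are constructed for the illustration.

```python
"""Per-phase availability from synthetic HTTP probe results. Constructed
example, not the deck's own code or any vendor's API; the record layout,
agent names and sample data are assumed."""
from collections import Counter

# Phases of an HTTP fetch in the order they happen; a probe fails at the first one that does not complete.
PHASES = ("dns", "connect", "ssl", "send", "receive")

# Constructed sample: one result per vantage point during an attack window.
# 'failed_phase' is the first phase that did not complete (None = full success).
SAMPLE_RESULTS = [
    {"agent": "London",   "failed_phase": None,      "response_ms": 412},
    {"agent": "Tokyo",    "failed_phase": "connect", "response_ms": None},
    {"agent": "Atlanta",  "failed_phase": "receive", "response_ms": None},
    {"agent": "Chicago",  "failed_phase": "connect", "response_ms": None},
    {"agent": "Sydney",   "failed_phase": "connect", "response_ms": None},
    {"agent": "Portland", "failed_phase": None,      "response_ms": 2890},
]

# What a dominant failing phase usually means while a DDoS is in progress.
HINTS = {
    "dns": "resolver or authoritative DNS unreachable (DNS-layer attack or poisoning)",
    "connect": "TCP handshake failing: upstream links or the edge are saturated",
    "ssl": "TLS handshake failing: server CPU exhausted or TLS-layer attack",
    "send": "request could not be sent: connections are being dropped mid-flight",
    "receive": "TCP accepted but no HTTP response: application layer overloaded",
}


def availability(results):
    """Percentage of vantage points that completed the full HTTP fetch."""
    if not results:
        return 0.0
    ok = sum(1 for r in results if r["failed_phase"] is None)
    return round(100.0 * ok / len(results), 1)


def phase_breakdown(results):
    """Failure counts by first failing phase, in fetch order, zero counts dropped."""
    counts = Counter(r["failed_phase"] for r in results if r["failed_phase"])
    return [(p, counts[p]) for p in PHASES if counts[p]]


def diagnose(results):
    """Name the dominant failing phase's likely cause, or 'healthy'."""
    breakdown = phase_breakdown(results)
    if not breakdown:
        return "healthy"
    phase, _ = max(breakdown, key=lambda pc: pc[1])  # earliest phase wins a tie
    return HINTS.get(phase, "unclassified")


if __name__ == "__main__":
    print("availability:", availability(SAMPLE_RESULTS), "%")
    print("failures by phase:", phase_breakdown(SAMPLE_RESULTS))
    print("diagnosis:", diagnose(SAMPLE_RESULTS))
```

Availability alone (33.3% here) says the site is down; the breakdown says where, which is what you need before calling the mitigation vendor.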

DDoS Attack: Increased Packet Loss and Latency

•  Loss, latency and jitter
•  Loss during height of attack

DDoS Attack: Congested Nodes in Upstream ISPs

•  HSBC bank website under attack
•  High packet loss from all testing points
•  Packet loss in upstream ISPs Verizon and AT&T
•  Nodes with >25% packet loss
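Locating the loss shown in the two slides above, as an added example that is not the deck’s or ThousandEyes’ code: per-hop results from path traces taken at several vantage points are pooled per hop address, nodes above the 25% loss cut-off are flagged, and the flagged nodes are grouped by the network that owns them, so you can see whether loss sits in your own edge or in upstream ISPs. The trace format, hop addresses (TEST-NET ranges) and AS ownership are constructed for the illustration. One caveat the code does not handle: routers that rate-limit ICMP show loss at their own hop without losing transit traffic, so a hop that loses packets while later hops do not is usually not congested.

```python
"""Aggregate per-hop packet loss from path traces taken at several vantage
points and flag congested nodes. Constructed example; not the deck's or any
vendor's code. Trace format, hop addresses and AS ownership are assumed."""
from collections import defaultdict

LOSS_THRESHOLD = 25.0  # percent; the slide's ">25% packet loss" cut-off

# Constructed sample: per vantage point, a list of hops as
# (hop ip, owning network, probes sent, probes lost).
SAMPLE_TRACES = {
    "London": [("203.0.113.1", "ISP-A", 10, 0), ("198.51.100.9", "Verizon", 10, 4),
               ("198.51.100.22", "AT&T", 10, 3), ("192.0.2.10", "HSBC", 10, 6)],
    "Tokyo": [("203.0.113.5", "ISP-B", 10, 0), ("198.51.100.9", "Verizon", 10, 5),
              ("192.0.2.10", "HSBC", 10, 7)],
    "Atlanta": [("203.0.113.9", "ISP-C", 10, 1), ("198.51.100.22", "AT&T", 10, 4),
                ("192.0.2.10", "HSBC", 10, 5)],
}


def per_node_loss(traces):
    """Pool probes for each hop IP across all vantage points -> {ip: (owner, loss %)}."""
    sent, lost, owner = defaultdict(int), defaultdict(int), {}
    for hops in traces.values():
        for ip, network, n_sent, n_lost in hops:
            sent[ip] += n_sent
            lost[ip] += n_lost
            owner[ip] = network
    return {ip: (owner[ip], round(100.0 * lost[ip] / sent[ip], 1)) for ip in sent}


def congested_nodes(traces, threshold=LOSS_THRESHOLD):
    """Nodes whose pooled loss exceeds the threshold, worst first: (ip, owner, loss %)."""
    flagged = [(ip, owner, loss) for ip, (owner, loss) in per_node_loss(traces).items()
               if loss > threshold]
    return sorted(flagged, key=lambda t: -t[2])


def loss_by_network(traces, threshold=LOSS_THRESHOLD):
    """Group the congested nodes by owning network. Loss only at the target's
    own hops means the edge is saturated; loss in upstream ISPs means the
    attack is congesting links before it reaches you (and a scrubbing handoff
    should make that upstream loss disappear)."""
    summary = defaultdict(list)
    for ip, owner, loss in congested_nodes(traces, threshold):
        summary[owner].append((ip, loss))
    return dict(summary)


if __name__ == "__main__":
    for ip, owner, loss in congested_nodes(SAMPLE_TRACES):
        print(f"{ip:15} {owner:8} {loss:5.1f}% loss")
    print(loss_by_network(SAMPLE_TRACES))
```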

DDoS Attack: Mitigation Effectiveness

(path visualization: Verisign DDoS mitigation networks in yellow)

DDoS Attack: Mitigation Handoff Using BGP

•  HSBC prefix
•  Prior Autonomous System (HSBC)
•  New Autonomous System (VeriSign)
•  Withdrawn routes
•  New routes

The handoff is visible in the routing system itself: the HSBC prefix is withdrawn from HSBC’s autonomous system and re-announced with VeriSign’s as the origin, so Internet traffic reaches the scrubbing network first. From the outside this looks exactly like an origin change, which is why route monitoring needs to know which autonomous systems are expected to announce your prefixes during mitigation.

DNS Cache Poisoning

DNS Cache Poisoning

Attacker inserts a false record into the DNS cache. Precondition: unsecured DNS server, no DNSSEC, no source port randomization.

Parties: User; Local DNS Cache; Authoritative DNS Server dns.website.com for www.website.com; Attacker; Attacker DNS Server dns.attack.com for www.attack.com

1. User requests DNS record for www.website.com
2. Attacker inserts a false record into the DNS cache
3. Looks up record on spoofed name server
4. User accesses spoofed URL
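Why the “no port randomization” precondition matters, as an added example that is not part of the original deck: a minimal caching resolver that accepts a reply only if its transaction ID and destination port match the outstanding query, raced by a blind attacker who cannot see the query and therefore sweeps every 16-bit TXID for one guessed port. Against a resolver that always queries from a fixed port the sweep always lands; once the port is drawn from the ephemeral range the attacker must guess it too, and the probability function quantifies how much that costs per race window. The names, the attacker’s address (a TEST-NET value) and the single-window race are constructed; DNSSEC validation, the real fix, and bailiwick checks are outside this snippet.

```python
"""Simulate blind DNS response spoofing against a resolver with and without
source-port randomization. Constructed example; not the deck's own code.
Only TXID and source port are modelled; DNSSEC validation and bailiwick
checks are out of scope."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                    # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(49152, 65536)   # IANA dynamic range: 16384 possible source ports
FIXED_PORT = 53                         # legacy resolvers sent every query from one fixed port


@dataclass(frozen=True)
class Query:
    name: str
    txid: int
    src_port: int


@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dst_port: int
    rdata: str


class Resolver:
    """Caching resolver: a reply is accepted only if name, TXID and port match the outstanding query."""

    def __init__(self, randomize_ports, rng):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.cache = {}

    def send_query(self, name):
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else FIXED_PORT
        return Query(name, self.rng.randrange(TXID_SPACE), port)

    def receive(self, query, response):
        if response.name != query.name:
            return False
        if response.txid != query.txid or response.dst_port != query.src_port:
            return False  # does not match the outstanding query: silently dropped
        self.cache[response.name] = response.rdata
        return True


def forged_responses(name, guessed_port, rdata):
    """Blind attacker: cannot see the query, so sweeps every TXID for one guessed port."""
    return (Response(name, txid, guessed_port, rdata) for txid in range(TXID_SPACE))


def attempt_poison(randomize_ports, seed=2014, name="www.website.com"):
    """One race window (the legitimate reply is assumed not to arrive first).
    Returns (poisoned, port the attacker guessed, port the resolver used)."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_ports, rng)
    query = resolver.send_query(name)
    guessed = FIXED_PORT  # the attacker assumes a legacy fixed-port resolver
    poisoned = False
    for resp in forged_responses(name, guessed, "203.0.113.66"):  # attacker-controlled address, constructed
        if resolver.receive(query, resp):
            poisoned = True
            break
    return poisoned, guessed, query.src_port


def spoof_success_probability(forged_packets, randomize_ports):
    """Chance that one race window succeeds when the attacker sends n uniformly random guesses."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_ports else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_packets


if __name__ == "__main__":
    for randomize in (False, True):
        print("randomized ports:", randomize, "->", attempt_poison(randomize),
              "P(success | 65536 forged packets) =", spoof_success_probability(TXID_SPACE, randomize))
```

Port randomization raises the search space from 2^16 to about 2^30 per window; it makes the race expensive, not impossible, which is why the deck pairs it with DNSSEC.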

Blocking Facebook in China

DNS availability in China <10%

Redirecting Facebook to Alternate IP Addresses

Facebook typically resolves to 173.252.110.27, except in China, where DNS answers point to alternate IP addresses

Key Capabilities to Monitor Network Security

Get global visibility

•  Understand network topology and dependencies
•  Focus on critical network services

Alert on routing to your network

•  Reachability to your address blocks
•  Path changes and more specific prefixes upstream

Track efficacy of external services

•  DNS, CDN and hosting providers
•  DDoS mitigation vendors and ISPs

Implement DNSSEC

•  Prevent cache poisoning on your resolvers
•  Monitor for poisoning of your records on other networks
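The “alert on routing to your network” capability above, applied to the BGP mitigation handoff shown earlier, as an added example that is not the deck’s or ThousandEyes’ code: a stream of announcements and withdrawals from several route collectors is replayed, and anything covering your block is checked for an origin AS outside the expected set, a more-specific prefix, or a vantage point left with no route at all. Passing the mitigation vendor’s AS as an expected origin while an engagement is active is what separates the legitimate handoff from a hijack. Your prefix and ASN, the vendor’s ASN, the collector names and the update records are placeholders constructed for the illustration.

```python
"""Alert on BGP announcements for your address blocks as seen from several
vantage points: unexpected origin AS, more-specific prefixes and withdrawals.
Constructed example; not the deck's or any vendor's code. Prefix, ASNs,
collector names and the update format are assumed."""
import ipaddress
from collections import defaultdict

MY_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # placeholder for your block
MY_AS = 65001                                     # placeholder for your ASN
SCRUBBING_AS = 65100                              # placeholder for the mitigation vendor's ASN

# Constructed update stream: (seq, vantage point, 'A'nnounce/'W'ithdraw, prefix, AS path)
SAMPLE_UPDATES = [
    (1, "collector-eu", "A", "192.0.2.0/24", (3356, 65001)),
    (2, "collector-us", "A", "192.0.2.0/24", (2914, 65001)),
    (3, "collector-as", "A", "192.0.2.0/25", (4761, 64999)),  # more-specific from a foreign origin
    (4, "collector-eu", "W", "192.0.2.0/24", ()),              # we withdraw from our own AS ...
    (5, "collector-eu", "A", "192.0.2.0/24", (3356, 65100)),  # ... and the scrubber re-originates
    (6, "collector-us", "A", "192.0.2.0/24", (2914, 65100)),
]


def covers(prefix, mine):
    """True if prefix contains, equals or falls inside our block."""
    net = ipaddress.ip_network(prefix)
    return net.subnet_of(mine) or mine.subnet_of(net)


def monitor(updates, mine=MY_PREFIX, allowed_origins=frozenset({MY_AS}), mitigation_active=False):
    """Replay updates; return (alerts, routes).
    alerts: [(seq, vantage point, kind, detail)] in stream order.
    routes: {vantage point: {prefix: AS path}} still announced at the end."""
    if mitigation_active:
        allowed_origins = allowed_origins | {SCRUBBING_AS}
    routes = defaultdict(dict)
    alerts = []
    for seq, vp, kind, prefix, path in updates:
        if not covers(prefix, mine):
            continue
        if kind == "W":
            routes[vp].pop(prefix, None)
            if not routes[vp]:  # this vantage point no longer has any route to us
                alerts.append((seq, vp, "unreachable", prefix))
            continue
        routes[vp][prefix] = path
        origin = path[-1]
        if origin not in allowed_origins:
            alerts.append((seq, vp, "unexpected-origin", f"{prefix} origin AS{origin}"))
        if ipaddress.ip_network(prefix).prefixlen > mine.prefixlen:
            alerts.append((seq, vp, "more-specific", f"{prefix} via {path}"))
    return alerts, {vp: dict(r) for vp, r in routes.items()}


if __name__ == "__main__":
    for active in (False, True):
        alerts, _ = monitor(SAMPLE_UPDATES, mitigation_active=active)
        print("mitigation active:", active)
        for alert in alerts:
            print("  ", alert)
```

Withdraw-then-announce is normal during a handoff, so the transient “unreachable” alert at the withdrawal should be held for a short grace period in practice; the example reports it raw so the sequence is visible. The more-specific announcement from AS 64999 stays an alert in both runs, which is the hijack case.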

It’s time to see the entire picture.
