barny
Uploaded by
10 SLIDES
302 VIEWS
130LIKES

Infrastructure Security

DESCRIPTION

Explore the latest trends in DDoS attacks and effective mitigation strategies in infrastructure security presented by Nicolas Fischbach at RIPE46. The discussion covers historical and contemporary attack patterns, including bandwidth abuse and packet-per-second assaults against core routers, as well as future threats using IPv6 and protocol complexity. Key topics include filtering techniques, router security measures, and network resilience practices. Contributors from COLT Telecom and Cisco share insights to strengthen your security posture against evolving risks.

1 / 10

Download Presentation

Infrastructure Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infrastructure Security Nicolas FISCHBACH [nico@colt.net] Senior Manager - IP Engineering/Security RIPE46, nsp-sec BoF - Sept. 2003

  2. Agenda • DDoS and Trends • How to mitigate these risks: Infrastructure Security • Conclusion • “Contributors” • COLT Telecom: Marc Binderberger, Andreas Friedrich • Cisco Systems: Michael Behringer • Subscribers from: • nsp-sec*: http://puck.nether.net/mailman/listinfo/nsp-security[-discuss] • emea-sp-sec-forum: (talk to Michael [mbehring@cisco.com])

  3. DDoS and Trends (1/2) • What’s the trend in attacks ? • Yesterday: bandwidth abuse, exploiting bugs • Today: packets-per-second, also against (core) routers • Tomorrow: • QoS/”extended” header • (InterAS) MPLS VPNs’ trust model • IPv6 (transition) • Somewhere in the forwarding path code • Non-spoofed sources (who cares if you have 100k+ bots anyway) • Protocol complexity attacks (mixed with/hidden in/part of “normal” traffic): ie. low bandwidth “special” packets • Another “what’s that packet with tcp.win == 55808” ? • Is the issue really BGP/DNS hijacking ?

  4. DDoS and Trends (2/2) • What if ? • The guys who wrote recent worms had a clue (or different objectives) ? • The latest major IOS bug had leaked or Cisco decided to do a public release ? • This is only the top of the iceberg… and our future ? Cisco Vulnerabilities - The Past, The Present and The Future http://www.phenoelit.de/stuff/camp2003.pdf More (Vulnerable) Embedded Systems http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-FX.pdf

  5. Infrastructure Security (1/4) • (Where/What) should you filter/rate-limit... • Edge and/or Core • Transit and/or Peerings • … depending on … • I’m a Tier1 transit provider • I’m a Tier2/3 access provider (w/ broadband home users) • I’m an enterprise • …. and also on ... • Capabilities/limits of the HW/SW deployed • Scalability and ease of operations of the solution • … and what ? • Protocols, source/dest IPs, source/dest ports, other parts of the (extended) header, etc.

  6. Infrastructure Security (2/4) • Router Security 101 • VTY ACLs, avoid passwords like “c”, “e”, “cisco”, “c1sc0”, use AAA • Account for BGP sessions (will you notice if somebody adds a session in a full-mesh configuration or on a peering router with 60+ peers ?) • Configuration/ROMMON/IOS integrity • Minimal services, logging, restricted SNMPd • Leaking configurations to customers with shared/common passwords/communities/etc. • Apply the same strict policies to peerings and transits than to customers • uRPF (this is not really deployed, even in loose mode) • etc.

  7. Infrastructure Security (3/4) • iACLs (Infrastructure ACLs) • why should any person connected to the Internet be able to talk to your core routers ? • rACLs (Receive ACLs) • makes it easier to maintain and protect the RP • tACLs (Transit ACLs) • filter on the forwarding path (core<->{edge,transit/peering} (permit ip any any) to allow easy changes

  8. Infrastructure Security (3/4) • Re-colouring • {out,in}coming: enforce (on) your administrative boundaries • Rate-limiting • which protocols and what does it break ? • Diversion capabilities • see “MPLS-based traffic shunt” f.e.

  9. The Future • What will LI (Lawful Intercept) also provide ? • A cool remote sniffer for Network Operations to dump traffic without having to pray or say “oops!” each time they press “Return” after entering “debug ip packet details” ? • An easy way for an attacker to do the same ? • The router is not the only device you may have to own, the MD (Mediation Device) is also part of the game • What if somebody comes up with an attack that can be triggered on the forwarding path ? • Well, let’s ask the PSIRT crew ;-)) • “Commercial” worms • Netflow and BGP as the “next-generation” forensics tools ?

  10. Thank you Nicolas FISCHBACH - RIPE46 Sept. 2003

More Related