ISP Security by GenieATM-SC

GenieATM安全解决方案—异常流量检测和&MitigationGenieNRMApril,2007GenieATMseriesAgenda网络威胁的趋势和挑战运营商级别的安全解决方案—GenieATM异常流量的侦测和Mitigation案例运营商网络威胁的趋势和挑战GenieATMseriesISPSecurityFacts…TrendofThreats–“Botnet”AservantprocessonacompromisedsystemInstalledbyatrojanorwormsCommunicateswithahandlerSystemofbotsandhandler(s)isreferredtoasabotnetorzombienetworkDDoSisstilltheprimaryconcernfornetworksecurityoperationsDDoSandWormsaretop2concernsofSPsBrute-forceattacksaremostpopularandeffectiveGenieATMseriesHowBigIstheProblem?Wide-spread1,000,000+botnetidentifiedrecentlyFastGrowingAsmanyas172,000+newbotsrecruitedeveryday(reportbyCipherTrust)FirePowerBotnetdrivenattackshavebeenresponsibleforsingleDDoSattackflowsofmorethan10GbpsaggregatedcapacityGenieATMseriesAttackImpactsCustomerImpactingAttacks:Anaverageof40customerimpactattackspermonthreportedInfrastructureImpactingAttacks:Targeteddirectlyattheinfrastructure,aswellasaresultofcollateraldamagefromcustomerattacksMostoperatorshadnetsecuritytoolsinplace,thoughnotcoveringtheentirenetperimeterDetectionandmitigationmechanismsneedtobeimprovedandbedeployedubiquitouslyGenieATMseriesChallenges&Requirements(1)Needtoidentifytheinfectedhosts(Zombies/Bots)orvictimsaspreciseasindividualIPs☞LocateAttacking/InfectedIPaddressesNeedmoreaccuratedetectionmechanismsinresponsetothenatureofDDoS/Wormattacks☞ProtocolMisuse,ApplicationAnomaly☞DynamicBaselineLearning☞BlackList☞DarkIP/WormTrafficAnalysisGenieATMseriesChallenges&Requirements(2)NeedVariousMitigationTechniques:☞ACLs☞BGPBlack-holeRouting☞IntelligentFilteringNeedResourcefulInvestigationandForensics☞Flexibletroubleshootingtools☞AbundantanomalyreportsTheISPSecuritySolutionGenieATMv4.7(MP)GenieATMseriesWhatisGenieATMCollectDetectAnalyzeAction•NetFlowv5/v9•sFlowv4/v5•HuaweiNetstream•BGP•SNMP•NetworkModel•Rule-basedReport•TrafficMatrix•AttributesAnalysis•DynamicTopN•TrafficAnomaly•Worm•DoS/DDoS•InterfaceAnomaly•RouteInstability•Alarm/Notification•Troubleshooting•Forensic•ReportRebuild•Mitigation--AFlow-basedTrafficAnalysisandAnomalyDetectionSolutionGenieATMseriesEnhancedSecurityFeaturesGenieATMv4.7(MP)AccuratedetectionmechanismsProtocolMisuse,DynamicBaselineLearning,Dark-IPAnalysis,BlackListPreciseimpactidentificationLocateinfectedhosts(Zombies/Bots)andvictimsasdetailedasIPaddressesVariousMitigationTechniquesACLs,Black-hole,3rd-partyMitigationResourcefulInvestigationandForensicsAccurateDetectionMechanisms1.TrafficAnomaly2.ProtocolMisuse3.ApplicationAnomaly4.DarkIPAnalysisGenieATMseriesTrafficAnomaly:DynamicBaselineLearningNeedsISPhasnotimeornoideatoconfigurethousandsofbaselines.BenefitsSavetimefromautolearningnormaltrafficswithoutmanualconfiguration.ReducefalsealarmsbyDynamicThresholdandLatencymechanism.DailyTrafficLevel1-Jul11-Jul21-Jul31-Jul00:0000:3001:0001:3031-JulTolerance%ThresholdLearningbaselinefromhistoricaltrafficTrafficBaselineRecoveryLatencySeverityLatencyRecoveryLatencyThresholdAlarmMechanismyelloweventredeventGenieATMseriesProtocolMisuse:DetectDoS/DDoSAttacksWhenahostreceivesahugenumberofpacketsasbelowwithinashorttime,itshallbeidentifiedasthevictimofaDDoSattack:TCPSYNFloodingTCPRSTFloodingICMPFloodingUDPFloodingTCPFragment,UDPFragment,IPNULL,TCPNULL,LandAttackGenieATMseriesApplicationAnomaly:DetectWormAttacksDetectknownwormattacks:MSBlaster,Sasser,CodeRed,SQLSlammer,etc.ImplicitDoSimpactsofwormmoreconcerningthanwormpayloaditselfGenieATMcanlocatetheinfectedhostspropagatingwormtrafficGenieATMseriesAB????Internetdarkaddressspace(nocomputerwillresponse)FlowdataWhatisDarkIP?BGProutingnon-exist,unallocatedIPprefixSignsofDDoSattacksorscanATTACKERVICTIMDarkIPTrafficAnalysis:WhyDarkIPAnalysis?•Host/portscanning:92%•DDoSbackscatter:5%•Configurationmistakes:2%•Other:1%DoSATTACKREPLYGenieATMseriesDarkIPTrafficAnalysis:DarkIPMonitoring&ReportingDarkIPReportsInfectedHosts,HomePrefix,Interface,CustomerInadditiontoDarkIP,BlacklistalsohelpstomonitormaliciousIPaddressesPreciseImpactIdentificationGenieATMseriesIdentifyinfectedhosts(Zombies/Bots)andvictimsInfectedhostsVictimsSupportHost-basedDetectionMorethanCustomer-orPrefix-baseddetectionSupporteddetectiontypes:Protocol-Misuse,ApplicationAnomaliesGenieATMseriesApplicationAnomaly:DetectWormAttacksGenieATMaggregateswormtrafficandlocatesinfectedobjects:Locatehosts(InfectedHostsReport),‘LocateIPprefix(HomePrefixReport),LocatePath(InterfaceReport),LocateCustomers(CustomerReport)AnomalyMitigationOptions1.RouterACLsupport2.BlackHole3.3rd-partyTrafficCleansing(CiscoGuard,FlowSpec)GenieATMseries1.RouterACLSupportGenieATMseries2.BlackHoleviaBGPRouteRegionalNetworkRegionalNetworkGenieATMDetectAnomalyTrafficfromNetFlow1BGPannouncement23iproute192.1.1.2255.255.255.255Null03iproute192.1.1.2255.255.255.255Null0GenieATMseries3.3rd-partyCleanCenterDDoSDetectionCleanPipeTrafficControlDDoSMitigationNetwork-wideAnomalyTrafficDetectionNetwork-wideReal-timeTroubleshootingGenieATMCleanCenterNeedsArealeffectiveDDoSprotectionsolution.ProtectISP’simportantcustomersfrommaliciousDDoSa