1 / 21

Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS

Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS. Joint Techs Winter 2006 Albuquerque Doug Pearson. Overview. Short background on REN-ISAC Short background on Arbor Networks Peakflow SP Illustration of use of Arbor in responding to DoS on Abilene

feo
Download Presentation

Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet2 Abilene & REN-ISACArbor Networks Peakflow SPIdentification and Response to DoS Joint Techs Winter 2006 Albuquerque Doug Pearson

  2. Overview • Short background on REN-ISAC • Short background on Arbor Networks Peakflow SP • Illustration of use of Arbor in responding to DoS on Abilene • Call to establish linkages with Connectors and Peers to facilitate trace back of DoS incidents.

  3. REN-ISAC • Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response; • is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and • supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

  4. REN-ISAC • Information products • Daily Weather Report • Daily Darknet Reports • Alerts • Notifications • Monitoring views • Incident response • 24x7 Watch Desk • Developing R&E Cybersecurity Contact Registry • Security work in specific communities, e.g. grids • Participation in other higher education efforts

  5. REN-ISAC Membership • A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. • Membership oriented to permanent staff involved in cybersecurity protection or response in an official capacity for an institution of higher education, research and education network provider, or government-funded research organization.

  6. Infrastructure security, traffic analysis, managed DoS protection via intelligent netflow analysis • Network Anomaly Detection: • DDoS, worms, network and bandwidth abuse • Integrated Mitigation • seamless operation with a variety of DoS mitigation tools; filtering, rate-limiting, BGP blackholing, off-ramping/sinkholing, etc. • Analytics: peering evaluation, BGP routing, capacity planning • Reporting • real-time and customized anomaly and traffic reports

  7. Customer-facing DoS Portal • Gives customers a first-hand view of their traffic inside the service provider’s network; customers set their own thresholds and alerts; customers can blackhole, off-ramp, etc. • Fingerprint Sharing • Share anomaly fingerprints with peers, customers, etc. for upstream DoS mitigation • Active Threat Feed • Arbor information base that identifies current and growing threats through worms, botnets and botnet controller identification and tracking, Phishing site tracking, infected host identification, etc.

  8. Identifying DoS Sources • Based on trace back of DoS traffic to Abilene router input interfaces we know what Connector or Peer network to attribute DoS activity to. • Because of source address spoofing we’re not able to attribute the activity further upstream, such as to a specific Participant, NREN, or institution – we need the participation of the Connector or Peer to trace back to the sources. • Need to establish linkage of security contacts (REN-ISAC, Connectors, and Peers) and capabilities for trace back.

  9. Reporting DoS Destinations • Also very useful to make report to the security team at the DoS destination: • Awareness of incident, and • being the target of an attack often indicates the machine was previously hijacked or otherwise compromised. • For destinations behind peer networks: do we request the peer network security contacts to pass those notifications? • For Abilene Participants, REN-ISAC can make contact directly to the participant.

  10. Establishing Security Contact Linkages • Linkages with Connectors and Peers: • Get registered w/ REN-ISAC, get to know each other • Would separate abuse@ or security@ e-mail addresses be useful versus contact to the respective noc@ addresses? • Further discussion tonight in the RONs/Abilene Connectors BoF • Linkages to Participants • Get all registered with REN-ISAC • http://www.ren-isac.net/membership

  11. Contacts Research and Education Networking ISAC 24x7 Watch Desk: +1(317)278-6630 ren-isac@iu.edu Doug Pearson dodpears@iu.edu Arbor Networks Rich Shirley <rshirley@arbor.net>

More Related