Internet2 Abilene & REN-ISAC
Arbor Networks Peakflow SP
Identification and Response to DoS
Joint Techs Winter 2006, Albuquerque
Doug Pearson
Overview
• Short background on REN-ISAC
• Short background on Arbor Networks Peakflow SP
• Illustration of use of Arbor in responding to DoS on Abilene
• Call to establish linkages with Connectors and Peers to facilitate trace back of DoS incidents.
REN-ISAC
• Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;
• is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and
• supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.
REN-ISAC
• Information products
• Daily Weather Report
• Daily Darknet Reports
• Alerts
• Notifications
• Monitoring views
• Incident response
• 24x7 Watch Desk
• Developing R&E Cybersecurity Contact Registry
• Security work in specific communities, e.g. grids
• Participation in other higher education efforts
REN-ISAC Membership
• A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations.
• Membership oriented to permanent staff involved in cybersecurity protection or response in an official capacity for an institution of higher education, research and education network provider, or government-funded research organization.
Infrastructure security, traffic analysis, managed DoS protection via intelligent netflow analysis
• Network Anomaly Detection:
  • DDoS, worms, network and bandwidth abuse
• Integrated Mitigation
  • seamless operation with a variety of DoS mitigation tools; filtering, rate-limiting, BGP blackholing, off-ramping/sinkholing, etc.
• Analytics: peering evaluation, BGP routing, capacity planning
• Reporting
  • real-time and customized anomaly and traffic reports
• Customer-facing DoS Portal
  • Gives customers a first-hand view of their traffic inside the service provider’s network; customers set their own thresholds and alerts; customers can blackhole, off-ramp, etc.
• Fingerprint Sharing
  • Share anomaly fingerprints with peers, customers, etc. for upstream DoS mitigation
• Active Threat Feed
  • Arbor information base that identifies current and growing threats through worms, botnets and botnet controller identification and tracking, phishing site tracking, infected host identification, etc.
Identifying DoS Sources
• Based on trace back of DoS traffic to Abilene router input interfaces we know what Connector or Peer network to attribute DoS activity to.
• Because of source address spoofing we’re not able to attribute the activity further upstream, such as to a specific Participant, NREN, or institution – we need the participation of the Connector or Peer to trace back to the sources.
• Need to establish linkage of security contacts (REN-ISAC, Connectors, and Peers) and capabilities for trace back.
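The interface-based attribution described on this slide can be sketched as follows. This is an added example, not code from the presentation or from Peakflow SP; the router names, ifIndex values, network names and flow records are constructed, and addresses come from documentation ranges.

```python
from collections import defaultdict

# Constructed map of backbone EDGE interfaces: (router, input ifIndex) -> attached network.
# Backbone-internal links are deliberately absent from this map.
EDGE_OWNER = {
    ("rtr-a", 12): "Connector-A",
    ("rtr-a", 14): "Peer-X",
    ("rtr-b", 3): "Connector-B",
}

# Constructed flow records: (router, input_ifindex, src_ip, dst_ip, bytes)
FLOWS = [
    ("rtr-a", 12, "198.51.100.7", "192.0.2.10", 40_000_000),
    ("rtr-a", 12, "203.0.113.99", "192.0.2.10", 35_000_000),
    ("rtr-a", 14, "198.51.100.7", "192.0.2.10", 20_000_000),  # same "source", other ingress
    ("rtr-b", 1, "198.51.100.7", "192.0.2.10", 40_000_000),   # same traffic seen again in transit
    ("rtr-b", 3, "203.0.113.5", "192.0.2.10", 5_000_000),
    ("rtr-b", 3, "203.0.113.5", "192.0.2.77", 9_000_000),     # unrelated destination
]

def attribute_by_ingress(flows, victim, edge_owner):
    """Rank attached networks by bytes sent toward `victim`, keyed on ingress interface.

    The source address is ignored because it may be spoofed. Records from
    interfaces not in `edge_owner` are skipped: every router on the path
    exports the same traffic, so counting transit links would double count.
    """
    totals = defaultdict(int)
    for router, ifindex, _src, dst, nbytes in flows:
        if dst != victim:
            continue
        owner = edge_owner.get((router, ifindex))
        if owner is None:
            continue
        totals[owner] += nbytes
    grand = sum(totals.values())
    if grand == 0:
        return []
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(owner, b, round(100 * b / grand, 1)) for owner, b in ranked]

if __name__ == "__main__":
    for owner, nbytes, pct in attribute_by_ingress(FLOWS, "192.0.2.10", EDGE_OWNER):
        print(f"{owner:12s} {nbytes:>12d} bytes  {pct:5.1f}%")
```

The result names only the Connector or Peer whose interface the traffic entered on, which is where the contact linkage on this slide takes over.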
Reporting DoS Destinations
• It is also very useful to report to the security team at the DoS destination:
  • Awareness of incident, and
  • being the target of an attack often indicates the machine was previously hijacked or otherwise compromised.
• For destinations behind peer networks: do we request the peer network security contacts to pass those notifications?
• For Abilene Participants, REN-ISAC can make contact directly to the participant.
Establishing Security Contact Linkages
• Linkages with Connectors and Peers:
  • Get registered w/ REN-ISAC, get to know each other
  • Would separate abuse@ or security@ e-mail addresses be useful versus contact to the respective noc@ addresses?
  • Further discussion tonight in the RONs/Abilene Connectors BoF
• Linkages to Participants
  • Get all registered with REN-ISAC
  • http://www.ren-isac.net/membership
Contacts
• Research and Education Networking ISAC, 24x7 Watch Desk: +1(317)278-6630, ren-isac@iu.edu
• Doug Pearson, dodpears@iu.edu
• Arbor Networks: Rich Shirley <rshirley@arbor.net>