Visualizing Network Security Threats
DESCRIPTION
With applications moving to the cloud and networks becoming more distributed, network security is of critical business importance. From this presentation you will:
• Gain an understanding of DDoS attacks and BGP routing
• See visualizations of recent network attacks
• Get tips to monitor your environment
TRANSCRIPT
Visualizing Network Security Threats
Mohit Lad CEO, ThousandEyes
Two Serious Network Security Threats
• BGP Hijacks: Hijacker routes incoming or outgoing traffic to the wrong network
• DDoS Attacks: Attacker saturates network links, hardware or servers to deny service
BGP Attacks
A Primer on BGP Hijacks
Diagram: Salesforce (AS 14340), NTT (AS 2914), AT&T (AS 7018), Level3 (AS 3356) and Indosat (AS 4761); legend shows border router, autonomous system and traffic path.
• Salesforce advertises routes among BGP peers to upstream ISPs
• Salesforce.com advertises prefix 96.43.144.0/22
• AT&T receives route advertisements to Salesforce via Level3 and NTT
A Primer on BGP Hijacks
Diagram: the same ASes (Salesforce AS 14340, NTT AS 2914, AT&T AS 7018, Level3 AS 3356, Indosat AS 4761), now with the traffic path diverted to Indosat.
• Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes
• AT&T now directs Salesforce-destined traffic to Indosat
BGP Hijack: Normal Routes to PayPal
Visualization labels: PayPal / Akamai prefix; Akamai Autonomous System; Comcast upstream
BGP Hijack: Routes Advertised from Indosat
Visualization labels: PayPal / Akamai prefix; Correct Autonomous System; Hijacked Autonomous System; Locations with completely hijacked routes
BGP Hijack: PCCW Has No Routes to PayPal
• PCCW network only connected to Indosat, not to Akamai / PayPal
BGP Hijack: Causing All Traffic to Drop
• Traffic transiting PCCW has no routes and terminates
DDoS Attacks
Why Monitor DDoS Attacks
• Global Availability
• Mitigation Deployment
• Mitigation Performance
• Vendor Collaboration
Network Topology of DDoS Attack and Mitigation
Diagram: vantage points in Chicago, IL; London; Tokyo; Atlanta; Portland, OR; and Sydney reaching YourBank.com across the Internet / Enterprise boundary, with a scrubbing center shown.
Attackers flood your web service from around the world
1. On-premises appliance at network edge
2. ISP filters traffic with a remote-triggered black hole
3. Cloud-based mitigation provider scrubs traffic
DDoS Attack: Drop in Global Availability
• Global availability issues
• Problems at TCP connection and HTTP receive phases
• Availability dip to 0%
DDoS Attack: Increased Packet Loss and Latency
• Loss, latency and jitter
• Loss during height of attack
DDoS Attack: Congested Nodes in Upstream ISPs
• HSBC bank website under attack
• Nodes with >25% packet loss
• Packet loss in upstream ISPs Verizon and AT&T
• High packet loss from all testing points
DDoS Attack: Mitigation Effectiveness
• Verisign DDoS mitigation networks in yellow
DDoS Attack: Mitigation Handoff Using BGP
Visualization labels: HSBC prefix; Prior Autonomous System (HSBC); New Autonomous System (VeriSign); Withdrawn routes; New routes
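As an added example (not part of the presentation or ThousandEyes' tooling), a small Python origin-AS policy check that flags the hijack pattern from the Salesforce/Indosat primer while recognising the kind of authorised origin change shown in the mitigation handoff slide. The prefix and ASNs come from the slides; the scrubbing-provider AS 64500 and the route samples are constructed.

```python
import ipaddress

# Origin ASes permitted to announce each protected prefix. Prefix and AS 14340
# come from the slides; AS 64500 is a placeholder for a scrubbing provider that
# is only legitimate while mitigation is active (constructed example).
POLICY = {
    "96.43.144.0/22": {"expected_origins": {14340}, "mitigation_origins": {64500}},
}

def classify_announcement(prefix, as_path, policy=POLICY, mitigation_active=False):
    """Classify one announcement; the origin AS is the last hop of the AS path.
    'ok'            expected origin
    'handoff'       authorised scrubbing provider during an active mitigation
    'hijack'        any other origin for the exact protected prefix
    'more-specific' a sub-prefix of a protected prefix, which wins longest-match
                    routing regardless of who originates it
    'unrelated'     prefix not covered by the policy
    """
    seen = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    for protected, rule in policy.items():
        net = ipaddress.ip_network(protected)
        if seen == net:
            if origin in rule["expected_origins"]:
                return "ok"
            if mitigation_active and origin in rule["mitigation_origins"]:
                return "handoff"
            return "hijack"
        if seen.subnet_of(net):
            return "more-specific"
    return "unrelated"

def scan_updates(updates, mitigation_active=False):
    """Return alerts as (peer_asn, prefix, origin_asn, verdict) for suspicious routes."""
    alerts = []
    for peer, prefix, path in updates:
        verdict = classify_announcement(prefix, path, mitigation_active=mitigation_active)
        if verdict in ("hijack", "more-specific"):
            alerts.append((peer, prefix, path[-1], verdict))
    return alerts

# Constructed route samples as a route collector peering with AT&T and Level3 might see them.
SAMPLE_UPDATES = [
    (7018, "96.43.144.0/22", [7018, 3356, 14340]),  # AT&T via Level3, Salesforce origin
    (7018, "96.43.144.0/22", [7018, 2914, 14340]),  # AT&T via NTT, Salesforce origin
    (7018, "96.43.144.0/22", [7018, 2914, 4761]),   # Indosat originating the prefix
    (3356, "96.43.144.0/24", [3356, 4761]),         # Indosat announcing a more-specific
    (7018, "96.43.144.0/22", [7018, 3356, 64500]),  # scrubbing provider handoff
]
```

Run `scan_updates(SAMPLE_UPDATES, mitigation_active=True)` to see only the two Indosat routes alerted; with mitigation inactive the handoff route is reported as a hijack too, which is the cue to update the policy before a scrubbing cutover.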
Tips for Network Threat Monitoring
• Monitor critical external services – ISPs, DNS providers
• Proactively alert on network stress and faults – Establish baselines and reduce alert fatigue
• Record data for future forensics – Preserve detailed outage and attack diagnostics
• Establish a procedure to share data – Trusted internal and vendor teams
It’s time to see the entire picture.