Posted 25-May-2015, uploaded by harold-teunissen
DDOS — Nuisance or Threat?
Harold Teunissen & Roland van Rijswijk-Deij TECHEX14, Indianapolis, October 2014
© Norse
DDOS Nuisance or Threat — TECHEX14— Indianapolis, IN — October 2014
Serving Dutch research & education
SURF as umbrella
• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella
- Scientific Computing & Big Data
- Commercial ICT Products & Services
- National Research & Education Network
- eScience Collaboration and Tools
Absolute awareness
We take security seriously
Vision
Immunity
Level of protection
Security & Privacy Program
(Programme diagram labels: Awareness; Communities; Services; Standards; Free Internet; Safe and Secure Environment)
What do we see?
(Chart: attacks against universities, vocational education and high schools. Fair share?)
Regular user
(Traffic graphs: the Dutch public broadcaster, with peaks during the Winter Olympics, the World Cup Soccer and MH17, and a large university for comparison)
Not every spike is an attack
(Graph labelled "DDOS Astronomers": a traffic spike caused by astronomers' data transfers, not an attack)
What do we see?
• DDoS attacks are mostly directed against schools
• The majority are bandwidth denial-of-service attacks
- Usually some form of amplification, mostly NTP, DNS and CharGen; we now also see some UPnP-based attacks
• Not every traffic spike is an attack
- Monitor for anomalous events (e.g. excess UDP/ICMP traffic)
- Manual analysis by our CSIRT
• Attacks are in the tens-of-gigabits order of magnitude
• Many attacks rely on "DDoS-for-Hire" services, a.k.a. booters, and are often inside jobs
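The monitoring described above, as an added example that is not code from the SURF CSIRT: it aggregates flow records per destination and one-minute window, flags windows whose traffic is mostly UDP/ICMP and above a line-rate threshold, and classifies the attack as amplification when most of the UDP bytes arrive from the reflector source ports named on the slide (NTP/123, DNS/53, CharGen/19, and SSDP/1900, which is assumed to be the "UPnP based stuff"). The flow records, addresses and thresholds are constructed; the second destination is a large TCP data transfer that is a spike but not an attack, and is correctly left alone.

```python
"""Flag amplification-style bandwidth DoS in flow records (added example,
not from the original slides; the flows below are constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection vectors the talk names. Assumption: the
# "UPnP based stuff" is SSDP discovery on 1900, the usual UPnP reflector.
AMP_PORTS = {123: "NTP", 53: "DNS", 19: "CharGen", 1900: "SSDP/UPnP"}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow/IPFIX style)."""
    ts: int       # start time, seconds since epoch
    proto: str    # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def analyse(flows, window=60, min_mbps=500.0, udp_share=0.8, amp_share=0.5):
    """Return one alert per (destination, time window) whose traffic looks like
    a bandwidth DoS. Thresholds are assumptions to tune per link; the UDP/ICMP
    share test is what keeps a legitimate TCP bulk transfer from being flagged."""
    agg = defaultdict(lambda: {"total": 0, "udp_icmp": 0,
                               "amp": defaultdict(int), "srcs": set()})
    for f in flows:
        a = agg[(f.dst, f.ts - f.ts % window)]
        a["total"] += f.nbytes
        if f.proto in ("udp", "icmp"):
            a["udp_icmp"] += f.nbytes
            a["srcs"].add(f.src)
        if f.proto == "udp" and f.sport in AMP_PORTS:
            a["amp"][AMP_PORTS[f.sport]] += f.nbytes

    alerts = []
    for (dst, start), a in sorted(agg.items()):
        mbps = a["total"] * 8 / window / 1e6
        if mbps < min_mbps or a["udp_icmp"] / a["total"] < udp_share:
            continue  # small, or mostly TCP: not a bandwidth DoS on its own
        amp_bytes = sum(a["amp"].values())
        alerts.append({
            "victim": dst,
            "window_start": start,
            "mbps": round(mbps, 1),
            "kind": ("amplification" if amp_bytes / a["udp_icmp"] >= amp_share
                     else "udp/icmp flood"),
            # vectors ordered by volume, e.g. ["NTP", "DNS"]
            "vectors": sorted(a["amp"], key=a["amp"].get, reverse=True),
            "reflectors": len(a["srcs"]),  # distinct UDP/ICMP sources seen
        })
    return alerts


def sample_flows():
    """Constructed flows for one minute: an NTP+DNS amplification attack on a
    school (192.0.2.10), a large TCP data transfer to a university (192.0.2.20)
    that is a spike but not an attack, and ordinary DNS traffic to 192.0.2.30."""
    t0 = 1_412_000_040  # constructed, aligned to a 60 s boundary
    flows = []
    for i in range(400):  # 400 NTP reflectors, ~10 MB of monlist replies each
        flows.append(Flow(t0 + i % 60, "udp", f"198.51.{i // 254}.{i % 254 + 1}",
                          123, "192.0.2.10", 40000 + i, 10_000_000))
    for i in range(50):   # 50 open DNS resolvers reflecting large answers
        flows.append(Flow(t0 + i, "udp", f"203.0.113.{i + 1}",
                          53, "192.0.2.10", 50000 + i, 3_000_000))
    for i in range(4):    # astronomers pulling data over TCP: 800 Mb/s, legit
        flows.append(Flow(t0 + i, "tcp", f"192.0.2.{100 + i}",
                          443, "192.0.2.20", 60000 + i, 1_500_000_000))
    for i in range(5):    # ordinary DNS answers: far below threshold
        flows.append(Flow(t0 + i, "udp", "192.0.2.53", 53, "192.0.2.30",
                          33000 + i, 300))
    return flows


if __name__ == "__main__":
    for alert in analyse(sample_flows()):
        print(alert)
```

Running it reports one alert: the school at about 553 Mb/s, kind "amplification", vectors NTP then DNS, 450 distinct reflectors. The 800 Mb/s TCP transfer to the university produces nothing, which is the slide's point that the CSIRT still looks at each event by hand rather than treating every spike as an attack.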
Keep your friends close...
• We were monitoring for a particular attack (because it abused some of our infrastructure)
• One of our customers appeared in a list of spoofed IP addresses for this particular attack
• And was the victim of a number of DDoS attacks
• The timing of the attacks was rather suggestive... always during school hours!
• Let's have a look at what the school found
Let’s see what happens if...
• The external NAT IP address is changed – will the attack follow?
• We look at the timelines – comparing attack times against the class schedule
• We ask teachers about suspicious behaviour – are there signs that the culprit is among the students?
• Policy-Based Routing (PBR) – giving a suspected class a different external IP address
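The timeline comparison in the second step, as an added example that is not the school's own analysis: given a class timetable and the start times of the attacks, it counts for each class how many attacks began while that class was in session, and also expresses the "always during school hours" observation as a number. The timetable, the attack times and the school hours are constructed; a class that covers every attack is a suspect, which is why the next step on the slide gives that class its own external IP address via PBR to confirm.

```python
"""Correlate DDoS start times with a class timetable (added example, not the
school's own analysis; timetable and attack times are constructed)."""
from datetime import datetime, time

# Constructed timetable: class -> (weekday, start, end) sessions, Monday = 0.
TIMETABLE = {
    "ICT-2A": [(0, time(9, 0), time(10, 30)), (2, time(13, 0), time(14, 30)),
               (4, time(10, 45), time(12, 15))],
    "ICT-2B": [(0, time(10, 45), time(12, 15)), (2, time(13, 0), time(14, 30)),
               (3, time(9, 0), time(10, 30))],
    "ADM-1":  [(1, time(9, 0), time(12, 15)), (3, time(13, 0), time(16, 0))],
}

# Constructed attack start times, as a CSIRT would take them from its alerts.
ATTACKS = [
    datetime(2014, 9, 1, 9, 40), datetime(2014, 9, 3, 13, 20),
    datetime(2014, 9, 5, 11, 5), datetime(2014, 9, 8, 9, 15),
    datetime(2014, 9, 10, 14, 0),
]

SCHOOL_HOURS = (time(8, 30), time(17, 0))  # assumption


def in_session(sessions, when):
    """True if `when` falls inside one of the (weekday, start, end) sessions."""
    return any(wd == when.weekday() and start <= when.time() < end
               for wd, start, end in sessions)


def share_in_school_hours(attacks, hours=SCHOOL_HOURS):
    """Fraction of attacks that started on a weekday inside school hours."""
    hits = sum(1 for a in attacks
               if a.weekday() < 5 and hours[0] <= a.time() < hours[1])
    return hits / len(attacks)


def rank_classes(timetable, attacks):
    """Classes ordered by how many attacks started while they were in session.
    Full coverage makes a class a suspect, not a culprit; confirm it with PBR."""
    ranking = [(cls, sum(in_session(s, a) for a in attacks))
               for cls, s in timetable.items()]
    return sorted(ranking, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print(f"in school hours: {share_in_school_hours(ATTACKS):.0%}")
    for cls, hits in rank_classes(TIMETABLE, ATTACKS):
        print(f"{cls}: {hits}/{len(ATTACKS)} attacks during class")
```

With the constructed data every attack falls in school hours and class ICT-2A is in session for all five, ICT-2B for two and ADM-1 for none. Changing the external NAT address first (the slide's first step) tells you whether the attacker is targeting the school's current address at all; this correlation then narrows down where the order is placed from.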
Caught after bragging
Courtesy: Graafschap College
Is this a problem?
• If an attack originates from our network that is very bad — we have big pipes…
• The inside job in this example sent thousands of students and hundreds of staff home because they could no longer work
• Students need to learn that they are committing a criminal offence
What do we do?
• Our CSIRT keeps vigil 24x7
• We constantly monitor our own and our constituency's infrastructure for abuse
- Concerted efforts to combat e.g. open DNS resolvers and vulnerable NTP servers
• We report criminal offences to the authorities and encourage our constituency to do so too
- We collaborate with law enforcement and the public prosecutor's office
• We (pre-)wash traffic using rate limiting, filters, …
Cybersave Yourself
Research
• We actively collaborate with academic groups and non-profit organisations on DDoS research
• Study on "DDoS-for-Hire" services
• Support DDoS defence research
• Legal expert opinions on e.g. botnet take-downs
• Share operational network data with researchers and develop policy for ethical data sharing
• Software Defined Security
Upcoming Services
• Protection as a Service, a.k.a. DIY Cyber Laundry
• Centralised firewall
• Pentesting
• Maturity scans and auditing (ISO 2700x)
• Security games