Real-time DDoS Defense: A collaborative Approach at Internet Scale
Agenda
3rd July 2015, Jessica Steinberger: Real-time DDoS Defense: A collaborative Approach at Internet Scale
Problem & Goal
Overview
Challenges
Implementation
Evaluation
Conclusion
Insight
Discussion
Problem & Goal

Problem
Source: https://www.youtube.com/watch?v=kBBIqKeVdDo

Problem: network traffic

Problem: mitigation and reaction

Goal
Source: https://www.gallaudet.edu/rsia/world_deaf_information_resource.html
Ingredients: Insight, Overview, Challenges, Implementation, Evaluation
Source: http://www.mitnatur.com/wp-content/uploads//2013/11/Kochen.jpg
Insight
RQ1: Is real-time and automatic mitigation at ISP level performed and if yes, how?

Insight: surveys
Survey figure (residue): November – December 2012; May – July 2014 (online); values shown on the slide: 52, 4256, 47.
Source: http://www.pieuvre.ca/v2/wp-content/uploads/2010/01/survey.jpg
Real-time and automatic mitigation
Origin of respondents: Europe 93%, North America 2%, Asia 5%.
Chart: Market segment and frequency (y-axis 0% to 35%; bar values not recoverable from the extracted text).
16. February 2015, Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach
Real-time and automatic mitigation
• Process and involved third-parties
• ISPs and CSIRTs
• to aid NOC
• by email or telephone
Real-time and automatic mitigation
Use of automatic mitigation and response tools: Yes 37%, No 60%, Unsure 3%.
A second chart on this slide: Agree 43%, Disagree 17% (question not recoverable from the extracted text).
Plan of use of automatic mitigation and response tools: Yes 37%, No 60%, Unsure 3%. The 60% "No" group breaks down into 6%, 31%, 17% and 6% across the legend categories "Yes, we are planning to do it", "We are looking into it", "No, we will not make use of it" and "I am not aware of it" (legend order as extracted).
Real-time and automatic mitigation
Chart: Automatic actions of mitigation and response tools (y-axis 0 to 16; series "Actions already performed" and "Actions would like to use"). Categories: Rerouting traffic; Change blocking/filter capabilities; Notification; Rate limiting at ingress; Exchange data with trusted partners; Quarantine machines; Changing the target's IP address; Other. Bar values not recoverable from the extracted text.
Real-time and automatic mitigation
IP traffic filtering: Yes 48%, No 52%.
IP traffic filtering lists used: Blacklists 53%, Whitelists 29%, Greylists 18%.
Real-time and automatic mitigation
Network configuration protocols (respondent counts, in slide order): Netconf 6, SNMP 21, OpenFlow 2, Other 2.
Current technical ability to use OpenFlow: Yes 29%, No 71%. Plan to make use of OpenFlow in 3 years: the 71% "No" group breaks down into 9%, 39%, 13% and 10% across the legend categories "Yes, we are planning to do it", "We are looking into it", "No, we will not make use of it" and "I am not aware of it" (legend order as extracted).
Real-time and automatic mitigation
Chart: Sharing threat indicators or security events / incidents (y-axis 0 to 18; series "Threat indicators" and "Security events/incidents"). Categories: None; Various CERTs or CSIRTs; Law enforcement or governmental entities; Industry peers; Only receive data. Bar values as extracted, in order: 10, 13, 6, 0, 4, 6, 17, 7, 7, 3.
Real-time and automatic mitigation
Collaboration improves mitigation and response capabilities: Strongly agree 53%, Agree 43%, Disagree 4%.
Chart: Exchange protocols / formats (y-axis 0 to 30; series "Do or did use", "Know", "Heard of", "Unknown"). Formats: SCAP, IDXP, IDMEF, IODEF, x-arf. Bar values not recoverable from the extracted text.
Terminology
Format vs. Protocol
Source: http://www.mifus.de/out/pictures/master/product/1/8000796013248_simba_sechs_sandformen.jpg
Source: http://www.bluesource.at/2013/11/bluesource-enewsletter-november-2013/

Terminology: Security Event/Incident
• Incident
• Alert/Event
• Alarm/Warning

Terminology: Incident vs. Event (illustrated with a Monopoly Chance Card)
Source: http://www.hasbro.com/monopoly/de_DE/
Source: http://www.bitstorm.org/journaal/2005-6/grolsch.jpg
Application Domain
Source: http://makingsecuritymeasurable.mitre.org/about/index.html

Who is involved?
• US government's Defense Advanced Research Projects Agency (DARPA)
• TERENA
• IETF Incident Handling
• Stuttgart University's CERT
• IETF IDWG
• MITRE
• IETF MARF
• Eco – Association of the German Internet Industry
Source: http://m.crosstalkonline.org/media/cache/54/c8/54c83f7398d4ee4bece7c84e899c8a64.jpg
Timeline
• 1997: CISL (DARPA)
• 2001: IODEF (TERENA)
• 2002: IODEF (IETF INCH)
• 2002: CAIF (University Stuttgart CERT)
• 2003: FINE (IETF INCH)
• 2003: IODEF (IETF INCH)
• 2003: IDMEF (IETF IDWG)
• 2005: ARF (MAAWG)
• 2007: ARF (IETF MARF)
• 2009: CEE (MITRE)
• 2012: x-arf (Eco – Association of the German Internet Industry)
• 2013: x-xarf (Kohlrausch & Übelacker)
• 2013: Project DMTF Cloud Audit or Project Lumberjack
Exchange formats

Format          Language        Content                             Producer   Consumer
CISL            S-expressions   Events, Attacks, Responses          Machine    Machine
IODEF           XML             Events, Incidents                   Human      Human
CAIF            XML             Problem, Vulnerability, Exposure    Human      Human
IDMEF           XML             Alerts, Alive messages              Machine    Machine
CEE             XML, JSON       Events                              Machine    Human
ARF             MIME            Spam                                Machine    Machine/Human
x-arf/x-xarf    MIME            Incidents, Attacks                  Machine    Machine/Human
syslog          Text/XML        Events                              Machine    Machine/Human
IODEF vs. IDMEF

ARF vs. x-xarf
Exchange formats and protocols

Protocol            OSI layer     Format               Security
CIDF                Transport     CISL message         Symmetric cryptography
RID                 Application   IODEF                TLS
XEP-0268            Application   IODEF                TLS
IDXP                Application   IDMEF                TLS
CLT                 Transport     CEE                  Provided by syslog (RFC 5425)
SMTP                Application   CAIF, ARF, x-arf     None, S/MIME, Multipart/Signed, Multipart/Encrypted
Syslog (RFC 3164)   Transport     Syslog (RFC 3164)    None
Syslog (RFC 5425)   Transport     Syslog (RFC 5424)    TLS
Evaluation results
Chart with the labels XML and MIME (values not recoverable from the extracted text).
Challenges
• „rogue ISPs“
• Quantifying cost/benefit
• FP risk
Source: http://www.lowcarb-ernaehrung.info/
Source: http://whiteboard-ratgeber.de/wp-content/uploads/2013/04/digitales-whiteboard-vs-tafel.jpg
Framework
Mitigation and Response System built around an inference engine (PHREAK):
• Production Memory (rules)
• Working Memory (facts)
• Pattern Matcher
• Agenda
The event producer and the incident consumer are connected to the system by the diagram edges sends, consumes, publishes, subscribes and delivers.

Pattern Matcher (Mitigation and Response System)
• Event Processing
• Response Selection
• Reaction Execution
• Knowledge Base

Event Processing (Mitigation and Response System)
• Normalization
• Aggregation / Correlation
• Event pattern
• Frequency of event in a time window
• Geolocation
• IP filtering lists
• Confidence

Response Selection (Mitigation and Response System)
• Comparison
• Prioritization
• Previous reactions
• Potential damage
• Benefit
• Risk
• CVSS
• Event profiles

Reaction Execution (Mitigation and Response System)
• Notification
• Configuration
• Exchange formats
• Email, Pub/Sub, Consumer

Flow-based Event Exchange Format (FLEX)
Evaluation Methodology
Source: http://www.microgen.com/uk-en/products/microgen-aptitude/v4/microgen-aptitude-business-it-collaboration
Conclusion
• insight into processes, structures and capabilities
• a hands-on for network operators
• FLEX
• framework

Discussion
Source: http://www.prosperitycometh.com/wp-content/uploads/2012/11/business_conference_1600_clr_3835.png