Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS Joint Techs Winter 2006 Albuquerque Doug Pearson


Internet2 Abilene & REN-ISAC

Arbor Networks Peakflow SP

Identification and Response to DoS

Joint Techs Winter 2006, Albuquerque

Doug Pearson


Overview

• Short background on REN-ISAC
• Short background on Arbor Networks Peakflow SP
• Illustration of use of Arbor in responding to DoS on Abilene
• Call to establish linkages with Connectors and Peers to facilitate trace back of DoS incidents.


REN-ISAC

• Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;

• is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and

• supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.


REN-ISAC

• Information products
  – Daily Weather Report
  – Daily Darknet Reports
  – Alerts
  – Notifications
  – Monitoring views
• Incident response
• 24x7 Watch Desk
• Developing R&E Cybersecurity Contact Registry
• Security work in specific communities, e.g. grids
• Participation in other higher education efforts


REN-ISAC Membership

• A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations.

• Membership oriented to permanent staff involved in cybersecurity protection or response in an official capacity for an institution of higher education, research and education network provider, or government-funded research organization.


• Infrastructure security, traffic analysis, managed DoS protection via intelligent netflow analysis
  – Network Anomaly Detection:
    • DDoS, worms, network and bandwidth abuse
  – Integrated Mitigation
    • seamless operation with a variety of DoS mitigation tools; filtering, rate-limiting, BGP blackholing, off-ramping/sinkholing, etc.
  – Analytics: peering evaluation, BGP routing, capacity planning
  – Reporting
    • real-time and customized anomaly and traffic reports


  – Customer-facing DoS Portal
    • Gives customers a first-hand view of their traffic inside the service provider’s network; customers set their own thresholds and alerts; customers can blackhole, off-ramp, etc.
  – Fingerprint Sharing
    • Share anomaly fingerprints with peers, customers, etc. for upstream DoS mitigation
  – Active Threat Feed
    • Arbor information base that identifies current and growing threats through worms, botnets and botnet controller identification and tracking, phishing site tracking, infected host identification, etc.


Identifying DoS Sources

• Based on trace back of DoS traffic to Abilene router input interfaces we know what Connector or Peer network to attribute DoS activity to.

• Because of source address spoofing we’re not able to attribute the activity further upstream, such as to a specific Participant, NREN, or institution – we need the participation of the Connector or Peer to trace back to the sources.

• Need to establish linkage of security contacts (REN-ISAC, Connectors, and Peers) and capabilities for trace back.
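
The trace back described above, as an added example (not from the original slides and not Peakflow SP's own logic): flow records toward one DoS destination are grouped by edge input interface, because spoofed source addresses say nothing about where the traffic entered. Router names, interface indexes, network names and flow records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed map of edge-facing (router, input ifIndex) -> attached network.
# Backbone-facing interfaces are deliberately absent (hypothetical names).
EDGE_INTERFACES = {
    ("rtr-a", 12): "Connector-A",
    ("rtr-a", 14): "Peer-X",
    ("rtr-b", 3): "Connector-B",
}

# Constructed flow records: (router, input ifIndex, src, dst, packets).
# Addresses come from the RFC 5737 documentation ranges.
FLOWS = [
    ("rtr-a", 12, "198.51.100.7", "192.0.2.10", 9000),
    ("rtr-a", 12, "203.0.113.200", "192.0.2.10", 8500),
    ("rtr-a", 12, "198.51.100.91", "192.0.2.10", 9500),
    ("rtr-a", 14, "203.0.113.5", "192.0.2.10", 40),
    ("rtr-b", 7, "198.51.100.7", "192.0.2.10", 9000),   # same flow re-seen on a backbone link
    ("rtr-b", 3, "198.51.100.33", "192.0.2.10", 1200),
    ("rtr-b", 3, "198.51.100.34", "192.0.2.99", 5000),  # different destination
]


def attribute_by_ingress(flows, victim, edge_interfaces):
    """Rank the networks that delivered traffic for `victim` into the backbone.

    Returns [(network, packets, distinct_source_addresses), ...], largest first.
    Only edge interfaces are counted, so a flow exported again by a second
    backbone router is not counted twice.
    """
    packets = defaultdict(int)
    sources = defaultdict(set)
    for router, ifindex, src, dst, pkts in flows:
        network = edge_interfaces.get((router, ifindex))
        if dst != victim or network is None:
            continue
        packets[network] += pkts
        sources[network].add(src)  # spoofed: useful as a count, not as an origin
    ranked = sorted(packets, key=packets.get, reverse=True)
    return [(net, packets[net], len(sources[net])) for net in ranked]


if __name__ == "__main__":
    for net, pkts, nsrc in attribute_by_ingress(FLOWS, "192.0.2.10", EDGE_INTERFACES):
        print(f"{net:12} packets={pkts:6} distinct_sources={nsrc}")
```

The ranking stops at the Connector or Peer; going further upstream needs that network's own flow data, which is the linkage the slide asks for.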


Reporting DoS Destinations

• Also very useful to make report to the security team at the DoS destination:
  – Awareness of incident, and
  – being the target of an attack often indicates the machine was previously hijacked or otherwise compromised.

• For destinations behind peer networks: do we request the peer network security contacts to pass those notifications?

• For Abilene Participants, REN-ISAC can make contact directly to the participant.


Establishing Security Contact Linkages

• Linkages with Connectors and Peers:
  – Get registered w/ REN-ISAC, get to know each other
  – Would separate abuse@ or security@ e-mail addresses be useful versus contact to the respective noc@ addresses?
  – Further discussion tonight in the RONs/Abilene Connectors BoF
• Linkages to Participants
  – Get all registered with REN-ISAC
    • http://www.ren-isac.net/membership


Contacts

Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630
[email protected]

Doug Pearson
[email protected]

Arbor Networks
Rich Shirley <[email protected]>