Network Security for Service Providers

Report
Network Security for Service Providers
Understanding and Addressing the Threat of Criminal and Hacker Activity
Doug Miller
[email protected]
September 19, 2012
Company Overview
We are the WORLD LEADER in
DNS & DHCP solutions
Our solutions run the world’s
MOST DEMANDING networks
• Our Chairman, Dr. Paul
Mockapetris, invented the DNS
• Team comprised of BIND 8, BIND
9 & ISC-DHCP creators
• 40 Issued and pending patents
• A decade of network operator
experience
• Over 140 Fixed and Mobile network
operators
• Serving over 1 trillion worldwide
DNS queries per day
The first & only DNS/DHCP
INTEGRATED ECOSYSTEM
• DNS/DHCP engines provide
efficiency, lower costs, higher QoS
• N2 Data Platform enable agility &
faster application development
• Applications create differentiation
and new revenue sources
EMPOWERING SOME OF THE MOST IMPORTANT BRANDS IN THE WORLD
2
Nominum IDEAL Ecosystem
3rd PARTY CERTIFIED APPS
NOMINUM APPS
Unified User Interface
Content
Filtering
Subscriber
Safety
Personal
Internet
Message
Center
NetView
OTT Video
Analytics
Network
Security
Nominum
Configuration
Manager
Configuration
Management
Future
SIEM
More…
ISP-DEVELOPED APPS
Custom
Custom
More…
Interoperability (SDK & APIs)
Network and Security
Subscriber
Analytics
3
Understanding the Threat
Putting Telecom into Perspective
Source: Chetan Sharma Consulting – 2012
5
Connected Devices per User
Source: Cisco IBSG, 2011
6
Internet-Based Crime is Profitable
• Hackers and criminals run a business
– Marketing
– Operations
– Competition
• Crime follows the market
–
–
–
–
Initially focused on basic exploits
Moved to crude DDoS with little financial gain
Began to focus on wired broadband networks
Increasingly moving into mobile networks – new growth market
• Greatest profits come from the largest networks
– Must use unsuspecting users to complete missions
– Created the need for bots and bot networks
– Networks increase strength and shield the hackers
7
Profitability is Great
Online Fraud
Trend
Online banking fraud
Cashing
Phishing
Theft of electronic funds
Total
Total market share, %
21.3%
16.0%
2.4%
1.3%
41.0%
Amount, million USD
$490
$367
$55
$30
$942
Spam
Trend
Spam
Pharma and counterfeits
Fake software
Total
Total market share, %
24.0%
6.2%
5.9%
36.1%
Amount, million USD
$553
$142
$135
$830
Internal market (C2C)
Trend
Sale of traffic
Sale of exploits
Sale of loaders
Anonymization
Total
Total market share, %
6.6%
1.8%
1.2%
0.4%
10.0%
Amount, million USD
$153
$41
$27
$9
$230
Other
Trend
DDoS attacks
Other
Total
Total
Source: Group IB
Total market share, %
5.6%
7.3%
12.9%
Amount, million USD
$130
$168
$298
100%
$2,300
8
Millions of Hosts
First Evidence
of Attacks
Storm
Sasser
Zeus
SQL Slammer Attack
Code Red Worm
I Love You
Internet Hosts
Droid Dream
Conficker
900
800
700
600
500
400
300
200
100
0
Melissa
Bots and Malware Landscape
9
Don’t Lose Sight of Simple Attacks
• Attacks are generally very basic – don’t forget that
– It’s too easy to talk about the exotic attacks
• The fact is that most attacks are relatively simple*
– 92% of all data breaches were from external agents
• E.g. Malware installed on to machines to execute tasks
• 58% driven by organized crime
• 65% from Eastern Europe
– “External agents have created economies of scale by
refining standardized, automated, and highly repeatable
attacks”
*Note: Information drawn from 2011 Data Breach
Investigations Report; Verizon, US Secret
Service, and Dutch High Tech Crime Unit
10
The Lifecycle of a Bot Network
Botnet
C&C
Bot Master
3 – Bot gets
instructions from
Command and Control
(C&C) server
2 – User visits site and
is infected via “drive
by download” Malware
and becomes part of
Botnet
1 – Spam entices user
to badsite.com
Innocent
User
4 – Newly infected
machine (bot) joins
Botnet in DDOS attack
on a legitimate Web
site
11
Mobile Malware Distribution
12
Cache Poisoning Threat – Kaminsky
• Attacker redirects unsuspecting customers
– Entries in cache are changed by an attacker
– Customer going to www.mybank.com is given incorrect
information
• Does not require phishing or any unsafe behavior
– Attacker directs customers to controlled sites
• Financial and identity theft, malware installation, etc.
• Statistical attack
– Send query so server listening for answer
– Send guesses while target DNS waits for
real answer
– Repeat until success
13
Addressing the Issue
Network and User Security Solution
• Security needs span
across mobile & fixed
networks
– The threat on broadband
networks is clear
– Mobile networks are the new
playground for hackers and
thieves
– End user threats are not just
a PC problem
• “Mobile threats are evolving
quickly—sophistication that
took decades to reach on
the PC is taking just a few
years on mobile”
- Lookout Mobile
• Addressing the security
problem on multiple levels
– Protect DNS network assets
• Server security ensures
network access is available
– Caching data is highly
valuable
• End users must be confident
they’re going where they
want to
– The network must be clean
• Think about spectrum
efficiency
– End users Options
• Network-based solutions
remove complexity and
confusion
15
Protecting the DNS Assets
• Client rate limiting
– Limit any subscriber to a maximum amount of QPS (e.g. 1,000)
– Queries-per-second (QPS) limit defined by administrator
• Limit recursion contexts
– Recursion context is an authoritative query out to the Internet
– Limit maximum number of recursion contexts
– Default limit per Vantio of 2,000 simultaneous recursion contexts
Limit inbound
DNS queries
Limit outbound
DNS queries
Internet
Client
16
Protecting the Caching Data
Action
Layer
Impact
Stop attacks using the following:
Deterrence



Defense
Detect and Defend (D&D)
Detect spoofed response and switch to TCP

Resistance
Remediation
Randomize transaction ID (QID)
UDP Source Port Randomization (USPR)
Case (query name) Randomization (0x20)
E.g. 0x20 Failures switch to TCP
“Glue Segregation”
Discard unsolicited answers
Notification and Reporting
All TCP transaction, including 0x20 and D&D
Decrease the probability
of a successful attack
Significantly slow the
progress of an attack
(100x or more)
Eliminate the opportunity
for an attacker to insert a
fake record
Isolate the attacker and
take remedial measures
Protecting the Cache is Vital
17
Protecting the Network
Nominum Bot
Domain Feed
Visibility and
Reporting
goodsite1.com
Response
Vantio
Caching
Engine
botC&C.com
NXDomain
goodsite2.com
Service Provider
Network
Response
18
Protecting the End User
• A brief introduction
– Opt-in service for managing both
fixed and mobile data access
– Broad application categories
supporting multiple services
• Online Security
• Parental Control
• Scheduling
– Network-based DNS service
• No need to download anything to the
end-user mobile device
19
Layered Caching Security
Action
Layer
Impact
Stop attacks using the following:
Deterrence



Defense
Detect and Defend (D&D)
Detect spoofed response and switch to TCP

Resistance
Remediation
Randomize transaction ID (QID)
UDP Source Port Randomization (USPR)
Case (query name) Randomization (0x20)
E.g. 0x20 Failures switch to TCP
“Glue Segregation”
Discard unsolicited answers
Notification and Reporting
All TCP transaction, including 0x20 and D&D
Decrease the probability
of a successful attack
Significantly slow the
progress of an attack
(100x or more)
Eliminate the opportunity
for an attacker to insert a
fake record
Isolate the attacker and
take remedial measures
Protecting the Cache is Vital
20
Enabling Legal Compliance
• Leveraging the same ecosystem
– Filter government-mandated lists
– Comply with legal requirements
– Minimize operational impacts
21
Business Benefits of Security
Executive
Better brand recognition
as a security leader
• Improved Industry and
Government relations
Marketing
Increase customer
satisfaction from
• Faster Internet service
• Decreased computer
issues
Better service means
Greater control over
network and operations
costs
Dedicated focus on end
user experience
• Prevent bad traffic
• Protection from harm
• “Good Corporate Citizen”
• Lower churn
• Greater ability to upsell
services
• Lower calls into customer
support
No news about attacks
• High brand recognition
• Customer loyalty
Operations
Lower variability in
network traffic
• Limited unplanned or
unexpected spikes
• Ability to sustain peak
periods of traffic
More predictable
network growth
• Focus only on “good
traffic” and not bad
• Decreased bandwidth
from bot traffic
Lower call volume
• Computer issues
• Network outages
• Slow service
Security
Complete visibility into
bot traffic trends
Integrated and
automated mitigation
• No third party
requirements
• No complex processes
More predictable
customer behavior
• Easier to highlight
potentially dangerous
trends
22
www.nominum.com
Twitter: @Nominum
Facebook: http://www.facebook.com/nominum
YouTube: http://www.youtube.com/nominumwebinars
LinkedIn: http://www.linkedin.com/company/nominum
Doug Miller
[email protected]

similar documents