Overview of DDoS Mitigation Service, Walter van Dijk


Security Services @SURFnet:
Towards a coherent portfolio
Walter van Dijk
TF-MSP - 27 November 2014
Our playing field
• HE&R institutions are more and more connected. ICT facilitates and plays an instrumental role
• The ICT infrastructure becomes ever more critical for both education and research
• This connectedness and ‘indispensability’ increases the impact of security incidents
• Attacks get more complex and thereby the associated security measures just as well: should we expect that institutions have all the required knowledge and manpower available in-house?
Hence: how can institutions offer an open and safe campus environment?
Security Privacy & Trust: role of SURFnet
Existing security services (1)
• SURFcert
– Operational security for the SURFnet constituency
– 24x7 service in close cooperation with local security teams
– Members from connected institutions and SURFnet
– Oldest emergency response team in the Netherlands
• SCIRT
– Community of practice of incident response teams
– Share operational experience within a trusted community
– Discussions on security issues
– Facilitated by SURFnet
Existing security services (2)
• Cybersave Yourself
– Awareness campaign around security issues
– Joint programme with connected institutions
• SURFibo
– Community of practice for information security
– Collaboration on policy in the fields of security and privacy
• SURFaudit
– Compliance with information security (ISO 27001)
– Standards framework and software tooling
– Self-auditing, peer-auditing & 3rd party auditing
New since 2014:
Security, Privacy & Trust
• Further development of existing security services and scouting of new services
• Applied research in the field of Security, Privacy and Trust
• Enlarge visibility of services, sharing of best practices & knowledge dissemination
Service development
SURFnet currently explores different options for new services:
• Security Diagnosis toolset:
– Vulnerability scanning (Outpost24 has been contracted)
– Penetration testing (first experience gathered with tooling)
• Protection-as-a-Service
– Facilitate institutions to set filters in the SURFnet network as a protection against DDoS attacks
• Firewall-as-a-Service
Security Diagnosis toolset
Starting point: lots of tools (vulnerability scanning, penetration testing etc.) are available on the market.
How can an NREN add value to all that?
Differentiating factor: working closely with the community

Support the selection process of institutes by:
• Creating checklists for tools
• SCIRT certified: recommended products per type
• Products should be easy to acquire via SURFmarket

Facilitate sharing of information:
• Reporting templates: SURFaudit, external auditors etc.
• Common vulnerabilities including solutions for HE&R systems
• Develop workflows for scans/pentests
Currently considering
• Specialised penetration testing team for:
– Deep testing of ICT systems on campus
– Tests on cloud services contracted by customers
Protection-as-a-Service
• Why?
– Number and intensity of denial-of-service attacks in general (and in our constituency) grows significantly
– 2014: ‘heaviest’ denial-of-service attack ever noticed (400 Gbit/s)
• Goal:
– Control the vulnerability of our constituency
• What?
– Exploration of “protection-as-a-service”
– Investigate denial-of-service detection with academia (‘applied research’)
– Close collaboration with THTC/National Police
Current solution:
Incident Response as a Service
SURFcert: helping hand ‘in the line of fire’
DDoS: two types
• ‘Flooding’ of an application or a server (or firewall!)
– E.g. TCP SYN flood
– Typically: lots of requests
• ‘Flooding’ of the connection (or firewall!)
– Reflection/amplification attacks
– DNS, SNMP, NTP amplification (UDP)
– Typically: lots of volume
Finding the best place to mitigate
• Firewall (institutions)
– Not always the right solution
– Not a remedy for flooded connections
– Can help in case of SYN flooding and attacks on applications and servers (rate limiting)
• Upstream (us)
– Standard security measures on the customer connection
– The “washing-machine” for first aid
– Filters (rate limiters) on the core routers
– Protection-as-a-Service
– Firewall-as-a-Service
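The two DDoS types and the mitigation placement from the slides above, as an added example that is not part of the presentation: it aggregates constructed flow records per destination, labels the destination as application flooding (SYN flood) or connection flooding (UDP amplification from DNS/NTP/SNMP reflectors), and attaches the mitigation point the slides recommend. The record layout, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# UDP services the slides name as amplification reflectors, keyed by source port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed sample flow records (not real traffic) for one 1-second interval:
# (proto, src, sport, dst, dport, packets, bytes, tcp_flags)
SAMPLE_FLOWS = [
    # many SYN-only packets from scattered sources towards a web server
    *[("tcp", f"198.51.100.{i}", 40000 + i, "192.0.2.10", 443, 120, 7200, "S")
      for i in range(1, 41)],
    # large UDP responses from port 123 (NTP reflection) towards a campus host
    *[("udp", f"203.0.113.{i}", 123, "192.0.2.20", 33000 + i, 9000, 4_200_000, "")
      for i in range(1, 31)],
    # benign traffic: a completed handshake and one ordinary DNS answer
    ("tcp", "198.51.100.200", 51000, "192.0.2.10", 443, 30, 24000, "SA"),
    ("udp", "203.0.113.53", 53, "192.0.2.30", 55000, 1, 300, ""),
]


def classify(flows, syn_pps=1000, amp_mbps=100):
    """Aggregate one interval per destination and return, for each destination
    over threshold, the DDoS type from the slides and where to mitigate it.
    Thresholds are assumed values, not figures from the presentation."""
    syn_pkts = defaultdict(int)   # SYN-only packets per destination
    amp_bits = defaultdict(int)   # bits from amplifier source ports per destination
    amp_svc = defaultdict(set)    # which reflector services were seen
    for proto, _src, sport, dst, _dport, pkts, nbytes, flags in flows:
        if proto == "tcp" and flags == "S":
            syn_pkts[dst] += pkts
        elif proto == "udp" and sport in AMPLIFIER_PORTS:
            amp_bits[dst] += nbytes * 8
            amp_svc[dst].add(AMPLIFIER_PORTS[sport])
    verdicts = {}
    for dst in set(syn_pkts) | set(amp_bits):
        if amp_bits[dst] / 1e6 >= amp_mbps:
            # volume attack saturates the link: the campus firewall cannot help,
            # filter upstream (rate limiters on the core routers / Protection-as-a-Service)
            verdicts[dst] = {"type": "connection flooding (amplification)",
                             "services": sorted(amp_svc[dst]),
                             "mitigate": "upstream filter / rate limiter on core routers"}
        elif syn_pkts[dst] >= syn_pps:
            # request attack on a server: rate limiting at the institution's firewall helps
            verdicts[dst] = {"type": "application flooding (SYN flood)",
                             "mitigate": "firewall rate limiting; upstream ACL on request"}
    return verdicts
```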
Security on customer connection (diagram: SURFnet side and customer network side of the connection)
Security base:
• Input packet filter
• BGP prefix filter
• Output policer (contracted bandwidth)
Incident:
• ACL (inbound/outbound) on request
Sidestep: ‘it’s not always technology’
• The (D)DoS ‘source’ is often an internal factor (person)
• Match timestamps of attacks with exam schedules
• Collaborate with the education people
• Report findings to the police
SURFnet washing-machine (diagram: research networks & Internet, SURFcert, SURFnet AS1103, connected institutes)
SURFnet washing-machine – Denial-of-Service (diagram: same topology)
SURFnet washing-machine – Detection (diagram: same topology, with Telephone, E-mail and Alarm labels at SURFcert)
SURFnet washing-machine – Activate washprogram (diagram: same topology)
SURFnet washing-machine – DDoS in the washing-machine (diagram: same topology)
Pre-wash & main wash
Currently considering:
Protection-as-a-Service
• Idea: develop a service to serve institutions in a less ad-hoc way
• Self-service interface for DIY network configurations
• Currently testing GRnet’s “Firewall on demand”
• No replacement of the corporate firewall
Protection-as-a-Service versus
Firewall-as-a-Service
Protection-as-a-Service:
a service which offers network protection based on rule-based filters, rate limiting, and blocking by IP address range, protocol and port. Protection filters are set on the SURFnet core side and are typically used to prevent saturated links to the customer (i.e. DDoS protection). It does not replace the institution’s firewall but offers additional protection.
FaaS:
a centralised offering of a fully intelligent, deep packet inspection, intrusion detection and prevention service, which is state/session based and application aware. It could replace a firewall, which is typically on the institutional side of the network.
Main questions
• Where do we as NRENs see the most potential for collaboration?
• Are NRENs looking at ‘application based firewalling’ (e.g. Cloudflare, Fortinet etc.) and would ‘demand bundling’ be useful?
• Should we collaborate by means of organizing joint (TRANSITS) trainings on vulnerability testing, pentesting etc.?
• Is cooperation on service development sufficiently facilitated by GN3+/GN4 or do we need more?