![Page 1: 1 Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai arivai@cisco.com](https://reader031.vdocuments.pub/reader031/viewer/2022032106/56649e8e5503460f94b91dbb/html5/thumbnails/1.jpg)
Internet network monitoring technology for early detection of threats and disruptions (Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan)
Alberto Rivai, arivai@cisco.com
About Myself
Bachelor degree in Electrical Engineering
Master degree from Queensland University of Technology
7 years experience in security-related areas
2 years working experience at a Managed Security Service Provider
CISSP (Certified Information Systems Security Professional)
Other vendor-related certifications
Goal
Provide techniques/tasks that any SP can do to improve their resistance to security issues.
These techniques can be done on any core routing vendor's equipment.
Each of these techniques has proven to make a difference.
Current State
ISPs are working alone to protect the infrastructure
SPs, CERTs, and "officials" in Indonesia are not yet aware that this group exists or are preventing these attacks from happening.
No collaboration
Point-products approach
So how are they going to get "early warning" if they are not involved with the community doing battle with the bad guys?
DDoS Vulnerabilities: Multiple Threats and Targets
Attack characteristics: use valid protocols; spoof source IP; massively distributed; variety of attacks
Targets:
Entire data center: servers, security devices, routers; e-commerce, web, DNS, email, ...
Provider infrastructure: DNS, routers, and links
Access line
[Diagram: attack zombies on the Internet side, with the access line, provider infrastructure and data center as targets]
List of Things that Work
1. Prepare your NOC
2. Mitigation Communities
3. Point Protection on Every Device
4. Edge Protection
5. Remote triggered black hole filtering
6. Sink holes
7. Source address validation on all customer traffic
8. Total Visibility (Data Harvesting – Data Mining)
9. Security Event Management
The Executive Summary
SP Security in the NOC - Prepare
PREPARATION: prep the network; create tools; test tools; prep procedures; train the team; practice
IDENTIFICATION: How do you know about the attack? What tools can you use? What's your process for communication?
CLASSIFICATION: What kind of attack is it?
TRACEBACK: Where is the attack coming from? Where and how is it affecting the network?
REACTION: What options do you have to remedy? Which option is the best under the circumstances?
POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?
Aggressive Collaboration
[Diagram of the collaboration communities: National Cyber Teams; NSP-SEC and its regional lists NSP-SEC-BR, NSP-SEC-KR, NSP-SEC-JP, NSP-SEC-D, NSP-SEC-CN, NSP-SEC-TW; FIRST/CERT Teams; Drone-Armies; FUN-SEC; Telecoms ISAC; Other ISACs; MWP Hijacked; DSHIELD; iNOC-DBA; MyNetWatchman; Internet Storm Center; SANS]
Point Protection
[Diagram: the NOC, the ISP's backbone, remote staff and office staff, with the threats against each device labelled Penetration, Interception and DoS, and AAA]
Edge Protection
Core routers individually secured PLUS infrastructure protection
Routers generally NOT accessible from outside (telnet, snmp)
[Diagram: the Core between two "outside" zones]
Destination-Based RTBH (Remote Triggered Black Hole)
iBGP advertises the list of black-holed prefixes
[Diagram: the NOC trigger router advertises the black-holed prefixes over iBGP to edge routers A through G, which face Peer A, Peer B, IXP-W, IXP-E, Upstream A, Upstream B and the POP; traffic destined for the Target is dropped at each edge]
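The trigger mechanism behind that diagram, as an added example that is not part of the original slides: a small Python model of destination-based RTBH. Every edge router carries a pre-provisioned static route for a discard next-hop (192.0.2.1, a documentation address chosen for this example) pointing at Null0; when the NOC advertises the victim's /32 with that next-hop, each edge's recursive lookup resolves to Null0 and the packets are dropped at the edge instead of being carried across the backbone. The iBGP advertisement is stood in for by a function, and the router names, prefixes and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Discard next-hop: a static route for this address points at Null0 on every
# edge router. 192.0.2.1 is a documentation address chosen for this example.
DISCARD_NEXT_HOP = ipaddress.ip_address("192.0.2.1")


@dataclass
class EdgeRouter:
    """Minimal forwarding table: prefix -> next hop (interface name, 'Null0', or an IP)."""
    name: str
    routes: dict = field(default_factory=dict)

    def __post_init__(self):
        # Provisioned on every edge long before any attack: the trigger route relies on it.
        self.install("192.0.2.1/32", "Null0")

    def install(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, or None when no route exists."""
        addr = ipaddress.ip_address(str(dst))
        best = None
        for prefix, nh in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def forward(self, dst):
        """Decision for a packet to dst: 'forward', 'drop' (Null0) or 'no-route'."""
        nh = self.lookup(dst)
        for _ in range(8):  # recursive next-hop resolution, bounded so a loop cannot hang us
            if not isinstance(nh, ipaddress.IPv4Address):
                break
            nh = self.lookup(nh)
        if nh is None or isinstance(nh, ipaddress.IPv4Address):
            return "no-route"
        return "drop" if nh == "Null0" else "forward"


def noc_trigger(victim_prefix, edges):
    """Stand-in for the NOC's iBGP advertisement: the victim prefix with the discard next-hop."""
    for r in edges:
        r.install(victim_prefix, DISCARD_NEXT_HOP)


def noc_withdraw(victim_prefix, edges):
    """Stand-in for withdrawing the trigger route once the attack subsides."""
    for r in edges:
        r.withdraw(victim_prefix)


def demo():
    """Forwarding decisions on three edges before, during and after a trigger."""
    edges = [EdgeRouter(n) for n in ("A", "B", "C")]
    for r in edges:
        r.install("0.0.0.0/0", "Gi0/0")         # towards peers/upstreams (constructed)
        r.install("198.51.100.0/24", "Gi0/1")   # constructed customer prefix behind the POP
    victim, neighbour = "198.51.100.7", "198.51.100.8"
    before = [r.forward(victim) for r in edges]
    noc_trigger(victim + "/32", edges)
    during_victim = [r.forward(victim) for r in edges]
    during_neighbour = [r.forward(neighbour) for r in edges]  # only the /32 is affected
    noc_withdraw(victim + "/32", edges)
    after = [r.forward(victim) for r in edges]
    return {"before": before, "during_victim": during_victim,
            "during_neighbour": during_neighbour, "after": after}


if __name__ == "__main__":
    for phase, decisions in demo().items():
        print(phase, decisions)
```

The collateral cost is visible in the model: the victim address becomes unreachable everywhere for as long as the trigger is advertised, which is why the slide's NOC process (identify, classify, react, post mortem) wraps around the trigger rather than the trigger being automatic.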
Sink Holes
Garbage packets flow to the closest Sink Hole
[Diagram: a Remote Triggered Sink Hole attached at each edge (Peer A, Peer B, IXP-W, IXP-E, Upstream A, Upstream B, POP); customers and the Services Network with the Primary DNS Servers 171.68.19.0/24 (171.68.19.1) sit behind them]
BCP 38 (Best Current Practice) Ingress Packet Filtering / RFC 3704
ISP's customer allocation block: 96.0.0.0/19
BCP 38 filter = allow only source addresses from the customer's 96.0.X.X/24 (96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24, 96.0.21.0/24 in the diagram)
BCP 38 filter applied on downstream aggregation and NAS routers
Ways to implement it:
•Static access list on the edge of the network
•Dynamic access list with AAA profiles
•Unicast RPF
•Cable Source Verify (MAC & IP)
•IP Source Verify (MAC & IP)
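To make the slide's rule concrete, here is an added Python example, not from the slides, of the per-interface check a BCP 38 ingress filter enforces on a downstream aggregation router: a packet is permitted only when its source address lies in the prefix allocated to the customer on that ingress interface. The interface names and sample packets are constructed; the /24s and the 96.0.0.0/19 block are the ones on the slide. A coarser check that only tests membership in the whole /19, as a border filter would, is included to show why the slide places the filter on the aggregation and NAS routers: the border check cannot catch one customer spoofing another customer's addresses.

```python
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ingress_if src dst")

# Constructed: the slide's customer /24s, one or two per access interface.
CUSTOMER_PREFIXES = {
    "Gi1/0": [ipaddress.ip_network("96.0.18.0/24")],
    "Gi1/1": [ipaddress.ip_network("96.0.19.0/24")],
    "Gi1/2": [ipaddress.ip_network("96.0.20.0/24"), ipaddress.ip_network("96.0.21.0/24")],
}

# The ISP's whole customer allocation block, as shown on the slide.
ISP_ALLOCATION = ipaddress.ip_network("96.0.0.0/19")


def bcp38_verdict(pkt, table=CUSTOMER_PREFIXES):
    """Per-interface BCP 38 check: permit only sources from the customer's own prefix(es)."""
    allowed = table.get(pkt.ingress_if)
    if allowed is None:
        return "drop:unknown-interface"  # fail closed: an interface with no profile forwards nothing
    src = ipaddress.ip_address(pkt.src)
    if any(src in prefix for prefix in allowed):
        return "permit"
    return "drop:spoofed-source"


def border_verdict(pkt, allocation=ISP_ALLOCATION):
    """Coarser check at the ISP border: only tests membership in the whole allocation."""
    return "permit" if ipaddress.ip_address(pkt.src) in allocation else "drop:spoofed-source"


def apply_filter(packets, verdict=bcp38_verdict):
    """Run a verdict function over packets, returning (packet, verdict) pairs."""
    return [(pkt, verdict(pkt)) for pkt in packets]


def summarize(results):
    """Count verdicts, the way a hit counter on an access list would."""
    return dict(Counter(v for _, v in results))


SAMPLE_PACKETS = [  # constructed
    Packet("Gi1/0", "96.0.18.44", "198.51.100.10"),   # legitimate
    Packet("Gi1/0", "96.0.20.44", "198.51.100.10"),   # another customer's address: spoofed
    Packet("Gi1/1", "203.0.113.5", "198.51.100.10"),  # outside the allocation: spoofed
    Packet("Gi1/2", "96.0.21.200", "198.51.100.10"),  # legitimate (second prefix on that port)
    Packet("Gi1/9", "96.0.18.1", "198.51.100.10"),    # interface without a profile
]

if __name__ == "__main__":
    for pkt, verdict in apply_filter(SAMPLE_PACKETS):
        print(f"{pkt.ingress_if:6} {pkt.src:>14} -> {verdict}")
    print("aggregation router:", summarize(apply_filter(SAMPLE_PACKETS)))
    print("border only:       ", summarize(apply_filter(SAMPLE_PACKETS, border_verdict)))
```

The second sample packet is the instructive one: it passes the border check because 96.0.20.44 is inside 96.0.0.0/19, and is dropped only by the per-interface check on the aggregation router. Strict unicast RPF reaches the same verdict by asking the routing table whether the source is reachable back through the ingress interface, which is why the slide lists it as an alternative to a static access list.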
Total Visibility: Anomaly for DNS Queries
Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
[RRDtool graphs: a throughput spike and an RTT spike; investigate the spike; an identified cause of the outage]
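The graphs on that slide come from RRDtool, and an operator wants the spike flagged before someone happens to look at the graph. The following Python is an added example, not from the slides, of a baseline detector over a constructed series of DNS queries-per-second samples: each sample is compared with the median and median absolute deviation (MAD) of the preceding window, which keeps a spike that has already happened from inflating the baseline the way a mean and standard deviation would, and consecutive flagged samples are merged into one event to investigate. The same functions apply unchanged to the throughput and RTT series on the slide.

```python
from statistics import median

# Constructed: 5-minute samples of DNS queries/second, a steady baseline around
# 400-440 qps followed by a two-sample spike.
DNS_QPS = [
    410, 425, 398, 433, 417, 402, 441, 409, 420, 431,
    415, 404, 427, 412, 438, 405, 419, 423, 410, 416,
    3900, 4100, 430, 412,
]


def robust_spikes(series, window=10, k=6.0, min_mad=5.0):
    """Flag samples above median + k*MAD of the preceding `window` samples.

    Returns (index, value, threshold) for every flagged sample. The MAD is floored
    at `min_mad` so a perfectly flat baseline does not produce a zero-width band.
    """
    flagged = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        m = median(base)
        mad = median([abs(x - m) for x in base])
        threshold = m + k * max(mad, min_mad)
        if series[i] > threshold:
            flagged.append((i, series[i], round(threshold, 1)))
    return flagged


def spike_events(flagged):
    """Merge consecutive flagged samples into (start_index, length, peak_value) events."""
    events = []
    for idx, value, _ in flagged:
        if events and idx == events[-1][0] + events[-1][1]:
            start, length, peak = events[-1]
            events[-1] = (start, length + 1, max(peak, value))
        else:
            events.append((idx, 1, value))
    return events


if __name__ == "__main__":
    hits = robust_spikes(DNS_QPS)
    for idx, value, threshold in hits:
        print(f"sample {idx}: {value} qps exceeds threshold {threshold}")
    for start, length, peak in spike_events(hits):
        print(f"event: starts at sample {start}, {length} samples long, peak {peak} qps")
```

Because the baseline is a median, the samples right after the spike (430 and 412) are judged against a threshold still near 480 even though the window now contains the 3900 and 4100 samples; a mean-based threshold would have jumped into the thousands and missed anything that followed.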
Security Event Management
SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
It provides a holistic view of the network.
Sasser Detection: Dynamic Visual Snapshot
[Figure only]
Summary
We cannot provide an early warning system if we don't cooperate with the people who are fighting the bad guys.
We can use the technology available to provide the early warning system.
Preparing the NOC is the #1 thing you need to do to prevent attacks. You cannot run around during an attack building and deploying tools and procedures. It is like the fire department going to a fire and then opening the operations manual for how to operate the fire engine.
Last but not least, aggressive collaboration: work together with the rest of the world.
Thank You