T1: Infrastructure attack detection and mitigation


Monday, August 22, 2005, morning

Tutorial abstract

While worms and end-host security issues monopolize the headlines, Internet backbone operators face an equally significant escalation of threats directed against core Internet infrastructure, including backbone links, routers and communication protocols. This tutorial surveys the current arsenal of security technologies and methodologies used by commercial Internet backbone operators. We frame our survey within six basic stages of incident response methodology: preparation, identification, classification, traceback, reaction, and port-mortem. Discussion of each stage represents data and hard-won experience derived from the collective best practices of the commercial Internet community.

We survey data on backbone attack trends, scale and impact, including real-world case studies of attacks leading to outages, as well as ones successfully mitigated. We explore the strengths, limitations and open research issues associated with a range of backbone security mechanisms and policies. In our exploration of mitigations approaches, we focus on where theory meets real-world limitations of specific hardware, protocol and vendor architectures.

We review a range of specific techniques, including uRPF, IP Rcv ACLs, RP Rate-limiting, sinkholes, free and commercial detection tools, and intelligent hardware filtering. We provide in-depth discussion of the use of off-ramping and sinkholes to track infrastructure port scanning, identify and classify attacks, packet capture attack flows, trace attacks through networks, and divert attack flows from the target of the attacks. Throughout the tutorial, we present specific router (JUNOS and IOS) examples to demonstrate each mitigation approach. We end with discussion of evolving techniques such as BGP Flow Specification and fingerprinting/ pushback technology.

Intended audience

Security and network engineers, as well as researchers who want to understand attack detection and mitigation methodologies employed by Internet network operators and large enterprises today. Attendees will be introduced to a six phased incident response methodology derived from the collective best practices of the Internet community. This tutorial helps bridge the gap between the theoretical foundations of network security and the real-world practical limitations network providers face. Basic familiarity with IP routing and routed protocols and Internet architecture is assumed, though not required.

Speaker biography

Craig Labovitz has served as Director of Network Architecture at Arbor Networks since 2001. Before joining Arbor, Craig served as a network researcher and scientist for the Microsoft Corporation. Previously, Craig also spent nine years with Merit Network, Inc. and the University of Michigan as a senior backbone engineer and Director of the Research and Emerging Technologies group. His work at Merit included design and engineering on the NSFNet backbone and Routing Arbiter projects. Craig also served as the director of several National ScienceFoundation network architecture and routing protocol research grants. Craig received his PhD. and MSE from the University of Michigan.

Danny McPherson is currently with Arbor Networks. Prior to joining Arbor Networks, Danny McPherson was Director of Emerging Technology at Amber Networks, which was acquired by Nokia. He has more than 10 years experience as a network architect for global Internet Service Providers such as Qwest and MCI. Danny currently chairs the IETF PWE3 Working Group and is a common contributor to several IETF Area directorates and Internet research groups. He is also a member of the FCC's Network Reliability and Interoperability Council (NRIC) and the MPLScon Advisory Board. He has authored a number of Internet protocol standards, books and other documents related to Internet routing protocols, network security, Internet addressing and network operations. His most recent work, Practical BGP, was published in 2004.

Farnam Jahanian is Professor of Electrical Engineering and Computer Science at the University of Michigan and co-founder of Arbor Networks, Inc. Prior to joining academia, he was a Research Staff Member at the IBM T.J. Watson Research Center. His interests include network security, and network protocols and architectures. Farnams work on a flow-based system for detecting, backtracing and resolving network-wide anomalies, such as DDoS attacks, formed the basis for a technology that has been widely deployed by more than 100 service providers. The author of over 80 published research papers, Farnam has served on dozens of government and industry panels. Farnam holds a master's degree and a Ph.D. in Computer Science from the University of Texas at Austin.

  Valid XHTML 1.0! Valid CSS!