01 Introduction
Introduction
Agenda
Motives:
Ego
Hacktivism
Revenge
Personal and Commercial Profit
What Are The Main Threats?
Worms
Zero day attacks
DDoS attacks
Spam
Zombies and Botnets
What is a Worm?
Self-replicating computer program
Sends copies of itself to other computers without any user intervention
Exploits unknown, undisclosed or unpatched application vulnerabilities
Impact of Worms
What is a DDoS Attack?
A multitude of compromised systems attack a single target
Incoming traffic floods the targeted system
Targeted system shuts down
Service is denied to legitimate users
Impact of DoS/DDoS Attacks
Network congestion
Network instability
Increased latency
Loss of network services: connection, bandwidth, DNS/email
Collateral damage
SLA penalties for non-delivery of network performance
Poor internal SLA performance
DDoS in The News
Outgoing SPAM
ISP's domain "@ispdomain.com" becoming "blacklisted" due to outbound spam from subscribers
What are Zombies & Botnets?
A zombie is a computer attached to the Internet that has been compromised by a hacker
A botnet is an army of zombies
Zombies are used for:
Sending spam
Propagating worms
Contributing to DDoS attacks
Impact of Zombies & Botnets
Increased OPEX: bandwidth costs, call center costs, SLA penalties, infrastructure costs
Customer demand for Denial of Service protection services
Failure to deliver on internal network performance SLAs
Blacklisting due to outbound spam from subscribers
Agenda
10GE support
Passive network sensors
Behavior-based detection
Quick to deploy, easy to manage
Vendor agnostic
Dynamically create packet signatures or packet filters
Deep packet signatures
User-configurable alarms
ServiceProtector: Benefits
Operational costs: reduce complaints; protect network performance
Services: improve services; protect existing and add new revenue streams
Deployment diagram: cable subscribers and DSL subscribers enter through the access networks (NetEnforcer, SG-Omega), SP-Sensors monitor at the access edge and at the Internet peering points (international/local peering partners), all connected across the core IP network.
How Does It Work?
(HBAD Detection & Mitigation)
Diagram: residential DSL network with zombie activity, SPS sensor and NE (NetEnforcer) at the access edge, SPC and SMP in the core IP network.
1. SPS detects abnormal subscriber activity
2. SPC triggers SMP to quarantine the subscriber on the NE
3. Undesirable subscriber traffic is blocked, redirected or rate-limited
Limitations and Sizing
Controller: sensors supported
SPC-80: up to 8 sensors
SPC-200: up to 16 sensors
SPCS: none; a single sensor is built in
NBAD vs. HBAD

Focus on
NBAD: network anomalies and their identifying packet characteristics (signatures)
HBAD: subscribers demonstrating malware-infected behavior, and classifying the behavior

What is being protected?
NBAD: the ISP's network and infrastructure
HBAD: the subscriber, by detecting botnet infections; the ISP, from email blacklisting, etc.

Examples of detected events
NBAD: DoS and DDoS floods using SYN, RST, ACK etc., unusual flag combinations, UDP and DNS floods, ICMP request/reply, fragmented packets, very large packets and unusual protocols
HBAD: outbound spam, worm scanning, port scanning, subscriber-targeted flooding

Enables response by
NBAD: surgical filtering of anomalous traffic using signatures
HBAD: isolating the subscriber by blocking, limiting or quarantining their traffic
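The comparison above and the three-step HBAD mitigation flow (SPS detects, SPC triggers quarantine, NE enforces) can be made concrete with a small detector run over flow records. The block below is an added example written for this page; it is not Allot's ServiceProtector code and does not reflect its internal algorithms. The flow-record layout, the "impossible" TCP flag signatures, the thresholds and the action policy (spam bot quarantined, scanners blocked, flooders rate-limited) are all assumptions chosen for illustration, and the input records are constructed, not captured traffic.

```python
"""Toy NBAD and HBAD detection over constructed flow records (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    flags: str      # TCP flag letters (S, A, F, R, P, U); "" for non-TCP
    packets: int


# --- NBAD: network-level anomalies identified by packet characteristics ---

# Assumed signature list: flag combinations a conforming TCP stack never emits.
BAD_FLAG_SETS = [
    frozenset("SF"),    # SYN+FIN
    frozenset("SR"),    # SYN+RST
    frozenset("FPU"),   # "Xmas" probe
    frozenset(),        # null packet
]


def nbad_detect(flows, syn_threshold=100):
    """Return (event, detail) tuples: signature matches and SYN floods per target."""
    events = []
    syn_count = defaultdict(int)          # destination -> bare SYNs seen in the window
    for f in flows:
        if f.proto != "tcp":
            continue
        fl = frozenset(f.flags)
        if fl in BAD_FLAG_SETS:
            events.append(("unusual_flags", f"{f.src}->{f.dst} flags={f.flags or 'none'}"))
        if fl == frozenset("S"):
            syn_count[f.dst] += f.packets
    for dst, n in syn_count.items():
        if n >= syn_threshold:            # many sources, one target: the DDoS pattern
            events.append(("syn_flood", f"{dst} received {n} SYNs"))
    return events


# --- HBAD: per-subscriber behaviour, i.e. who is infected rather than what packet ---

def hbad_classify(flows, subscriber_net="10.0.0.", spam_fanout=20,
                  scan_ports=15, worm_hosts=15, flood_pkts=5000):
    """Map each subscriber address to the set of malware-like behaviours it shows."""
    per_src = defaultdict(list)
    for f in flows:
        if f.src.startswith(subscriber_net):   # assumed subscriber address range
            per_src[f.src].append(f)
    verdicts = {}
    for src, fs in per_src.items():
        behaviors = set()
        smtp_dsts = {f.dst for f in fs if f.proto == "tcp" and f.dport == 25}
        if len(smtp_dsts) >= spam_fanout:      # direct-to-MX fan-out: spam bot
            behaviors.add("spam_bot")
        ports_by_dst, dsts_by_port, pkts_by_dst = defaultdict(set), defaultdict(set), defaultdict(int)
        for f in fs:
            ports_by_dst[f.dst].add(f.dport)
            if f.proto == "tcp" and f.dport != 25:
                dsts_by_port[f.dport].add(f.dst)
            pkts_by_dst[f.dst] += f.packets
        if any(len(p) >= scan_ports for p in ports_by_dst.values()):
            behaviors.add("port_scan")        # many ports on one host
        if any(len(d) >= worm_hosts for d in dsts_by_port.values()):
            behaviors.add("worm_scan")        # one port across many hosts
        if any(n >= flood_pkts for n in pkts_by_dst.values()):
            behaviors.add("flooding")         # subscriber-targeted flood
        if behaviors:
            verdicts[src] = behaviors
    return verdicts


# Assumed enforcement policy for step 3 of the mitigation flow.
ACTIONS = {"spam_bot": "quarantine", "worm_scan": "block", "port_scan": "block", "flooding": "rate-limit"}


def mitigation_plan(verdicts):
    """Pick one action per subscriber; the strictest applicable action wins."""
    order = ["block", "quarantine", "rate-limit"]
    return {src: next(a for a in order if a in {ACTIONS[b] for b in bs})
            for src, bs in verdicts.items()}


def sample_flows():
    """Constructed records for the example; not captured traffic."""
    flows = [Flow("10.0.0.5", f"198.51.100.{i}", "tcp", 25, "S", 3) for i in range(1, 31)]   # spam bot
    flows += [Flow("10.0.0.8", f"10.0.1.{i}", "tcp", 445, "S", 1) for i in range(1, 21)]      # worm scan
    flows += [Flow("10.0.0.7", "10.0.1.50", "tcp", p, "S", 1) for p in range(20, 40)]         # port scan
    flows += [Flow("10.0.0.2", "203.0.113.10", "tcp", 443, "SA", 40)]                         # benign
    flows += [Flow(f"192.0.2.{i}", "203.0.113.10", "tcp", 80, "S", 1) for i in range(1, 151)]  # SYN flood
    flows += [Flow("192.0.2.9", "203.0.113.10", "tcp", 80, "SF", 1)]                          # crafted packet
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("NBAD:", nbad_detect(flows))
    verdicts = hbad_classify(flows)
    print("HBAD:", verdicts)
    print("Plan:", mitigation_plan(verdicts))
```

The NBAD path answers "what is wrong with this traffic" and could feed a signature or filter for the target; the HBAD path answers "which subscriber is infected" and yields a per-subscriber action, which is the quarantine decision the SPC hands to the NE in the diagram. Real thresholds would be tuned per network and evaluated over time windows rather than a single batch.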
Agenda
https://<SPC IP or hostname>
Start Page
Using Filters & Updating Reports
Sizing exercise: A customer has 8 full duplex 1Gbps links which are accessible for monitoring. Which controller should be proposed?
SPCS: incorrect.
Reasoning: 8 full duplex links means 16 directions. Each sensor has 4 monitoring ports, therefore you need 4 sensors (4x4=16). The SPCS has no external sensors, so a controller supporting at least 4 sensors is required; the SPC-80 (up to 8 sensors) is the smallest fit.
Match the two threats on the left side with the damage they typically cause to Service Providers.
Threats: SPAMBots
Damage: Email blacklisting; SLA penalties