ServiceProtector Operators Training

Introduction
Agenda

 Threats to Network Security
 ServiceProtector Solution
 NBAD/HBAD Technology
 Introducing the GUI
Who is the Enemy?

Bringing Civilization to Its Knees…

Motives:
 Ego
 Hacktivism
 Revenge
 Personal and Commercial Profit
What Are The Main Threats?

 Worms
 Zero day attacks
 DDoS attacks
 Spam
 Zombies and Botnets
What is a Worm?

 Self-replicating computer program
 Sends copies of itself to other computers without any user intervention
 Exploits unknown, undisclosed or unpatched application vulnerabilities
Impact of Worms

 Send probe packets scanning for infection candidates
 Increased international/peering costs from propagation traffic
 Sudden increase in network traffic
 Increased help desk complaints due to slow Internet experience
What is a Zero Day Attack?
Impact of Zero Day Attacks

 Sudden escalation in traffic and network problems:
   Network congestion
   Packet loss
   Increased latency
   Flow-based application issues
Zero Day Attack Example:
SQL Slammer Worm
What are DoS/DDoS Attacks?

 A multitude of compromised systems attack a single target
 Incoming traffic floods the targeted system
 Targeted system shuts down
 Service denied to legitimate users
Impact of DoS/DDoS Attacks

 Network congestion
 Network instability
 Increased latency
 Loss of network services
   Connection
   Bandwidth
   DNS/email
 Collateral damage
 SLA penalties for non-delivery of network performance
 Poor internal SLA performance
DDoS in The News

Estonia’s Minister of Defense, Jaak Aaviksoo
Spam And The Impact Of Spam

 Outgoing SPAM
   ISP’s domain “@ispdomain.com” becoming “blacklisted” due to outbound spam from subscribers
What are Zombies & Botnets?

 A zombie is a computer attached to the Internet that has been compromised by a hacker
 A botnet is an army of zombies
 Zombies are used for:
   Sending spam
   Propagating worms
   Contributing to DDoS attacks
Impact of Zombies & Botnets

 Increased call center complaints/costs
 Email ‘blacklisting’ – no email service
 Increased international bandwidth costs
What Is The Overall Impact to the SPs?

 Increased OPEX
   Bandwidth Costs
   Call Center Costs
   SLA Penalties
   Infrastructure Costs
 Customer demand for Denial of Service protection services
 Failure to deliver on internal network performance SLAs
 Blacklisting due to outbound spam from subscribers
Agenda

 Threats to Network Security
 ServiceProtector Solution
 NBAD/HBAD Technology
 Introducing the GUI
ServiceProtector: Features

Provide immediate identification of network service threats to enable blocking, limiting and isolation of unwanted traffic.

 10GE support
 Passive network sensors
 Behavior based detection
 Quick to deploy, easy to manage
 Vendor agnostic
 Dynamically create packet signatures or packet filters
 Deep Packet Signatures
 User configurable alarms
ServiceProtector: Benefits

 Regain network control
 Eliminate anomalous/unwanted traffic
 Avoid email blacklisting
 Reduce complaints
 Protect network performance
 Improve Services
 Protect existing and add new revenue streams

Slide diagram labels: Profitability, Operational Costs, Rapid Detection, Precise Mitigation


Stand Alone Deployment

Standalone systems deployed on a single box

 Functions both as SP Controller and SP Sensor
 Stores the database
 Non-scalable
 No 10Gbps version
Distributed Deployment

Distributed systems are installed on at least two boxes

 One box functions as the SP-Controller
 One or more boxes function as SP-Sensors
 Sensor is connected in TAP or SPAN
 Each 1Gbps SP-Sensor has:
   4x1GE monitoring ports for 2 x full duplex links
 Each 10Gbps SP-Sensor has:
   2x10GE monitoring ports for 1 x full duplex link
Deployment Overview

Deployment diagram: SP-Controller with SMP Server and NXServer; SP-Sensors monitoring the Access side (cable subscribers behind a NetEnforcer, DSL subscribers behind an SG-Omega and NetEnforcer) and the Internet peering partners (international/local), all around the Core IP Network.
How Does It Work?
(HBAD Detection & Mitigation)

1. SPS detects abnormal subscriber activity
2. SPC triggers SMP to quarantine subscriber on NE
3. Undesirable subscriber traffic is blocked, redirected or rate-limited

Diagram: zombie activity from a residential subscriber on the DSL network is seen by the SPS in the Core IP Network; the SPC, SMP and NE carry out the quarantine.
Limitations and Sizing

Model     Maximum Groups   Recommended No. of Sensors
SPC-80    80               Up to 8
SPC-200   200              Up to 16
SPCS      30               None – a single sensor is built in

 Max groups in any sensor: 30
 Typical Group Assignment: 10-12 groups per sensor
Agenda

 Threats to Network Security
 ServiceProtector Solution
 NBAD/HBAD Technology
 Introducing the GUI
Network Based Anomaly Detection:
Technology Overview

 NBAD designed to identify disruptions in absolute and relative statistics
 Uses L3 (Network) and L4 (Transport) statistics
 Connectionless, session-less, stateless
 Detection speed inversely proportional to attack magnitude
 Designed for zero configuration

NBAD Example: DDoS attack targeting the Service Provider’s Network

Network attacks disrupt fundamental balances in the network statistics
NBAD Process

Data collection: All packets are monitored
Traffic models: TCP/IP headers are used to build models of network behavior in terms of ratios and absolute values of traffic statistics
Anomalous activity: Ratios amplify anomalies due to attacks; absolute stats add weighting to the anomaly
Packet sample: Packets are sampled from anomalous traffic
Signature creation: Common packet characteristics are dynamically identified in the sample; patterns with the lowest entropy across the highest number of packets are selected; the full packet is used for analysis
Notification: Notification of network anomaly
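The signature-creation step above, as an added example (not ServiceProtector code): over a constructed sample of anomalous packets it computes the Shannon entropy of each header field and keeps the near-constant fields as the dynamic packet filter. The field names, the 0.5-bit threshold and the sample itself are assumptions.

```python
import math
from collections import Counter

# Constructed sample (not captured traffic) of a SYN flood: the source address
# is spoofed and varies, while destination, protocol, port and flags are fixed.
SAMPLE = [
    {"src_ip": f"10.0.{i}.{(i * 7) % 256}", "dst_ip": "192.0.2.10",
     "proto": "TCP", "dst_port": 80, "flags": "S", "length": 40 + i % 3}
    for i in range(20)
]

def field_entropy(packets, field):
    """Shannon entropy in bits of one header field across the sample."""
    counts = Counter(p[field] for p in packets)
    n = len(packets)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def build_signature(packets, max_entropy=0.5):
    """Keep the fields that are (nearly) constant across the sample.
    Fields that vary, such as spoofed sources, are left out, so the filter
    matches the whole attack sample without depending on any one source."""
    signature = {}
    for field in packets[0]:
        if field_entropy(packets, field) <= max_entropy:
            signature[field] = Counter(p[field] for p in packets).most_common(1)[0][0]
    return signature

def matches(packet, signature):
    """True when every signature field equals the packet's value."""
    return all(packet.get(k) == v for k, v in signature.items())

def coverage(packets, signature):
    """Fraction of the sample the signature filters; low coverage means the
    entropy threshold admitted a field that is not shared by most packets."""
    return sum(matches(p, signature) for p in packets) / len(packets)
```

Checking coverage before deploying the filter is the practical guard: a signature that covers only part of the sample is too specific to stop the flood and should be rebuilt with fewer fields.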


Host Based Anomaly Detection:
Technology Overview

 HBAD designed to track subscriber connections and identify infected subscribers according to infected behavior profiles
 Monitors 100% of flows for the HBAD behavior profiling

HBAD Example: Outgoing SPAM attack launched by a subscriber on the Service Provider’s Network

Malware infected subscribers reveal themselves by their connection behavior
Host Behavior Profiles – Anomaly Categories

Behavior profile   Connections / Services
Flow Bomb          Fixed destination; fixed service, e.g. port 80
Address Scan       Fixed service, e.g. TCP/135, UDP/1434, ICMP echo request; scanned addresses
Mass SMTP          Destination TCP/25 and UDP/53
Port scan          Scanned services

Host Behavior Anomaly Detection Process

Data collection: All traffic is monitored. Flows are created by the sensor; it does not rely upon external devices or routers for flows
Flow tables: Flow tables are built for subscribers (IPs)
Anomalous activity: Elevated and sustained activity is identified using multi-dimensional vectors
Flows capture: Sample flows are taken from suspicious subscribers for further analysis and verification
Profile match: Flow samples are matched with behavioral profiles
Notification: Notification of subscriber behavior
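The profile-match step, together with the anomaly categories table above, as an added example (not ServiceProtector code): a per-subscriber flow table built from constructed flow records is matched against the four behavior profiles. The flow tuple layout, the count thresholds and the sample flows are assumptions; the slides do not give the vendor's vectors.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic): (subscriber, dst_ip, proto, dst_port)
FLOWS = (
    # 198.51.100.7: mass SMTP, many mail hosts on TCP/25 with UDP/53 lookups
    [("198.51.100.7", f"203.0.113.{i}", "TCP", 25) for i in range(60)]
    + [("198.51.100.7", "192.0.2.53", "UDP", 53) for _ in range(60)]
    # 198.51.100.8: address scan, one fixed service across many hosts
    + [("198.51.100.8", f"203.0.113.{i}", "TCP", 135) for i in range(80)]
    # 198.51.100.9: port scan, many services on a single host
    + [("198.51.100.9", "203.0.113.200", "TCP", p) for p in range(1, 70)]
    # 198.51.100.10: flow bomb, a burst of flows to one destination service
    + [("198.51.100.10", "203.0.113.5", "TCP", 80) for _ in range(150)]
    # 198.51.100.11: ordinary browsing, stays below every threshold
    + [("198.51.100.11", f"203.0.113.{i}", "TCP", 443) for i in range(5)]
)

def build_flow_tables(flows):
    """Flow tables are kept per subscriber IP, as the sensor does."""
    tables = defaultdict(list)
    for sub, dst, proto, port in flows:
        tables[sub].append((dst, proto, port))
    return tables

def classify(table, threshold=50):
    """Match one subscriber's flow table against the behavior profiles.
    The threshold is an assumed stand-in for 'elevated and sustained'."""
    if len(table) < threshold:
        return None
    dsts = {d for d, _, _ in table}
    services = {(pr, po) for _, pr, po in table}
    smtp = sum(1 for _, pr, po in table if (pr, po) == ("TCP", 25))
    dns = sum(1 for _, pr, po in table if (pr, po) == ("UDP", 53))
    if smtp >= threshold and dns and len(dsts) >= threshold:
        return "Mass SMTP"          # many destinations on TCP/25, plus DNS
    if len(services) == 1 and len(dsts) == 1:
        return "Flow Bomb"          # fixed destination, fixed service
    if len(services) == 1 and len(dsts) >= threshold:
        return "Address Scan"       # fixed service, scanned addresses
    if len(dsts) <= 2 and len(services) >= threshold:
        return "Port scan"          # few hosts, scanned services
    return None

def classify_all(flows, threshold=50):
    """Profile name (or None) for every subscriber in the flow set."""
    return {sub: classify(t, threshold)
            for sub, t in build_flow_tables(flows).items()}
```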


Comparing NBAD and HBAD Technology

Focus on
  NBAD: Network anomalies and their identifying packet characteristics (signatures)
  HBAD: Subscribers demonstrating malware infected behavior, and classifying the behavior

What is being protected?
  NBAD: The ISP’s network and infrastructure
  HBAD: The subscriber, by detecting botnet infections; the ISP, from email blacklisting, etc.

Examples of detected events
  NBAD: DoS and DDoS floods using SYN, RST, ACK etc., unusual flag combinations, UDP, DNS floods, ICMP request/reply, fragmented packets, very large packets and unusual protocols
  HBAD: Outbound spam, worm scanning, port scanning, subscriber-target flooding

Enables response by
  NBAD: Surgical filtering of anomalous traffic using signatures
  HBAD: Isolating the subscriber by blocking, limiting or quarantining their traffic
Agenda

 Threats to Network Security
 ServiceProtector Solution
 NBAD/HBAD Technology
 Introducing the GUI
Logging In

https://<SPC IP or hostname>
Start Page
Using Filters & Updating Reports

 * = Select All Filters
 Σ = Join All Filters
 Clicking the update button generates a new report
 “Form inputs changed” warning allows rollback
Traffic Detail
Traffic Trends
Ad-Hoc Sampling
Review Question

A customer has 8 full duplex 1Gbps links which are accessible for monitoring. Which controller should be proposed?

Options: SPCS, SPC-80, SPC-200

Answer: SPC-80. 8 full duplex links means 16 directions. Each sensor has 4 monitoring ports, therefore you need 4 sensors (4x4=16); a guideline of 10-12 groups per sensor means about 40-50 groups, therefore the SPC-80 will suffice (80 groups maximum) and leaves room for projected growth.
Review Question

Match the two threats on the left side with the damage they typically cause to Service Providers

Threats:
 DDoS Attacks
 SPAMBots

Damage:
 Rising bandwidth costs
 Rising call center complaints
 Email blacklisting
 SLA penalties
