Building An Early Warning System In A Service Provider Network


Presented at SyScan 2004 by

Service Provider networks and systems are, by definition, a forced point of transit for most of the attacks we see nowadays on the Internet. Combining data from exposed systems (like DNS and SMTP servers), BGP updates, Netflow accounting, uRPF, ACLs and interface counters helps to build a network's behaviour baseline and to detect activities like DDoS attacks, worms, covert channels, hacked systems, open proxies, etc. This can even be compared to a high-bandwidth, distributed, low-cost IDS.

To improve the quality of the anomaly detection one can add sensors in the network, mainly composed of low-interaction honeypots and sinkholes. Additional deployments, like honeybots (running DDoS zombies in a sandbox to gather attack data) and honeyrouters (to catch hunters of BGP-speaking routers), are more resource intensive but broaden the scope of the EWS.

Such an approach is not CAPEX/OPEX intensive, and comes with nearly zero impact on the infrastructure thanks to the re-use of data and statistics that are already available from monitoring, security and management systems. When combined with real-time traffic diversion techniques, the macroscopic view (high-level flows and anomalies) can become a microscopic one (full header and payload).

Most of these concepts and ideas also apply to internal IT networks and can be really helpful when it comes to detecting rogue activities like worm breakouts or unusual traffic flows.
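As an added illustration of the Netflow-derived behaviour baseline described above (example code written for this page, not material from the talk): the flow records are constructed, and the fan-out/fan-in statistics, the mean + 3 sigma threshold and the alert labels are assumed heuristics chosen to show how a baseline separates a worm sweep and a DDoS fan-in from ordinary traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src, dst, dport, packets) in documentation IP ranges;
# each list stands for one five-minute window of Netflow-style export records.
NORMAL_WINDOWS = [
    [("10.0.0.1", "198.51.100.10", 80, 40), ("10.0.0.2", "198.51.100.20", 443, 30),
     ("10.0.0.3", "198.51.100.10", 80, 25), ("10.0.0.1", "198.51.100.30", 25, 5)],
    [("10.0.0.1", "198.51.100.10", 80, 35), ("10.0.0.2", "198.51.100.20", 443, 28),
     ("10.0.0.3", "198.51.100.40", 53, 10), ("10.0.0.2", "198.51.100.30", 25, 6)],
    [("10.0.0.1", "198.51.100.20", 443, 38), ("10.0.0.2", "198.51.100.10", 80, 31),
     ("10.0.0.3", "198.51.100.10", 80, 22), ("10.0.0.3", "198.51.100.30", 25, 4)],
]
# Constructed anomalous window: one host sweeping eight neighbours on TCP/445
# (worm-like) and seven sources converging on one web server (DDoS-like).
SUSPECT_WINDOW = ([("10.0.0.9", f"192.0.2.{i}", 445, 1) for i in range(1, 9)]
                  + [(f"203.0.113.{i}", "198.51.100.10", 80, 200) for i in range(1, 8)])

def window_metrics(flows):
    """Fan-out per source (distinct hosts it contacted) and fan-in per
    destination (distinct hosts that contacted it) for one window."""
    fan_out, fan_in = defaultdict(set), defaultdict(set)
    for src, dst, _dport, _pkts in flows:
        fan_out[src].add(dst)
        fan_in[dst].add(src)
    return ({s: len(d) for s, d in fan_out.items()},
            {d: len(s) for d, s in fan_in.items()})

def build_baseline(windows):
    """Behaviour baseline: mean and population std-dev of the largest fan-out
    and fan-in observed in each clean window."""
    outs = [max(window_metrics(w)[0].values()) for w in windows]
    ins = [max(window_metrics(w)[1].values()) for w in windows]
    return {"fan_out": (mean(outs), pstdev(outs)), "fan_in": (mean(ins), pstdev(ins))}

def detect(flows, baseline, k=3.0, floor=5):
    """Flag hosts above mean + k*stddev; an absolute floor keeps a flat baseline
    (zero deviation) from alerting on a single extra connection."""
    fan_out, fan_in = window_metrics(flows)
    alerts = []
    for metric, counts, label in (("fan_out", fan_out, "worm-like scanning"),
                                  ("fan_in", fan_in, "DDoS-like fan-in")):
        mu, sigma = baseline[metric]
        threshold = max(mu + k * sigma, floor)
        alerts += [(host, label, n) for host, n in counts.items() if n > threshold]
    return alerts

if __name__ == "__main__":
    print(detect(SUSPECT_WINDOW, build_baseline(NORMAL_WINDOWS)))
```

In a real deployment the windows would come from the collector's flow exports and the baseline would be recomputed per prefix and time of day, which is what turns the existing accounting data into the low-cost distributed IDS the abstract describes.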