网络安全攻防ppt课件.pptx

网络安全攻防,新闻一则,10月18日：Belgacom investigates router compromise at its carrier services armUndersea cables: 160 countries 700 operatorsOn Sept. 16, Belgacom announced it had discovered a previously unknown virus on some of its internal systems.GCHQ code-named Operation Socialist.“An investigation found changes to the router software that most likely resulted from the intrusion reported in September,旧闻一则,.cn事件网易科技讯 8月25日消息，今天凌晨，.CN的根服务器因受到攻击发生故障，大面积CN域名均无法解析，凌晨4点左右.cn根服务器恢复正常。工信部: 峰值流量较平常激增近1000倍WSJ: CloudFlare observed a 32% drop in traffic for the thousands of Chinese domains on the companys network during the attack compared with the same time 24 hours earlier.botnet直接向6个.cn根域名查询某私服网址,旧闻一则,.cn的攻击流量由多大？最大的根 L 的数据（anycast全球146个点）25000q/s = 12Mb/s inbound,挑战1 Visibility,Right now，你能说得清楚你的网络是个什么状况么？流量是怎么回事？Span + 7层分析=Visibility?签名问题告诉我你要看啥管中窥豹更进一步的逻辑和关系？,挑战1,最简单的四元组分析如果不知道要看啥的时候你愿意看这个？,挑战1,最简单的四元组分析还是这个？,挑战1,挑战1,Umbrella的一个可视化展示,挑战1,基于不同数据的多视角的可视化的关系关联是未来？,挑战2 网络方面,网络本身安全么？国内的网络设备加固文档禁用telnet, 开启ssh关闭echo, chargen, proxy-arp等服务,网络方面,网络设备加固的核心任务是啥？保护control|management plane,网络方面,路由器Data（forwarding）plane流量分布式专用硬件 （ASIC）高性能，不向上 e.g. CRS-3 2.2Tbit/s max 322Tbit/sControl|Management planeProtocl makes the network|router run bgp|ospf|ssh|snmp|arp|icmp erroretc软件实现，普通CPU性能|功能 （后门等如暗藏帐号）NSA backdoor? 你是攻击者你选谁？,网络方面,Step back来看一看最火的抗D场景,网络方面,历史上最大的ddos攻击Cloudflare流量Amazon+Wikipedia+Twitter+Instagram+Apple每分钟日志数据是20G, 28800G/d global anycast, edge flowspec,网络方面,历史上最大的ddos攻击事件回放3月中 cyberbunker spamhaus3月20 cyberbunker cloudflare spamhaus 3月23 cyberbunker cloudflare spamhaus 攻击者获取了大部分的cloudflare peering exchange点IPcyberbunker ISP cloudflare spamhaus,网络方面,历史上最大的ddos攻击,网络方面,历史上最大的ddos攻击,网络方面,腾讯 ,网络方面,国内某著名抗D专业公司traceroute,网络方面,国内某著名抗D专业公司,网络方面,更进一步,抗攻击手段,Big players google, amazonetc如何做的？他们有个 “total solution” boxCost $1M除了抗D外，还可以以线速接员工上下班,抗攻击手段,如果你想抵抗各种攻击，同时对网络影响最小，你需要针对你的环境采用layered的defense没有siliver bullet, 发挥各种“平淡无奇”的技术到极致,抗攻击手段,网络层面ACL BGP is your friendFlowspecMPLS+Flowspec未来 SDNAnycastbogon其他trickControl plane保护免费darknet没有payload没用锤子 钉子？layer3 layer4 layer7,抗攻击手段,参考Google的内部标准value packets/second bits/second http queries/second IPs,抗攻击手段,ACL 在接入层面的3,4层快速过滤功能iACL,抗攻击手段,BGP(routing protocol) is your friendBGP to the rack (facebook)BGP blackhole（SRC based DST based） Diagram from ,抗攻击手段,BGP(routing protocol) is your friendCT Dst rtbhCT has loose urpf enabled, so it can do Src rtbh,抗攻击手段,FlowspecACL on steroidLayer4 infoUse bgp control plane to distribute ACLBenefits are hugeUse BGP to distribute flow specification filters and dynamically take action(drop, sampling, redirect) on routers. Supported by Juniper and AlcatelFast :ACL propgate via bgp advertisementWe can block traffic by src|dst ip, src|dst port, packet size, protocol, tcp flags, icmp 他type|code. and any of the combinationAmazon, cloudflare, google？Goolge is moving into SDN world,抗攻击手段,MPLS+FlowspecI want to see the payload!You have to redirect traffic if you want to see l7牵引+tunnelchinabyte网图,抗攻击手段,MPLS+Flowspec貌似本人是第一个用这个手段来做的，今年5月份nanog才有人做这一技术报告Traffic redirect: We can redirect matched traffic (we can collect any traffic from any interface on any peering router and get it sent to our collector)具体内容flowspec ppt.pdf http:/ sample config.pdf http:/ benefit,抗攻击手段,AnycastMagic! Everybody likes it, life is good after thatReally? How about .cn which uses anycast蝗虫Attack comes, moves away, comes back again, moves away againBgp withdrawn, advertise, withdrawn, advertiseControl how far it goes,抗攻击手段,BogonTeam cymru,抗攻击手段,其他trickE.g.,抗攻击手段,其他trickE.g.,抗攻击手段,其他trickE.g.双IP DNS server白名单+TTL,抗攻击手段,保护control planeCore hiding Dont redistribute connected设计合理的内部ip段（loopbacks, interface ips）bgp null,抗攻击手段,保护control plane依然有问题脆弱的Chain,抗攻击手段,保护control plane脆弱的Chain :Peeringdb,抗攻击手段,保护control plane脆弱的Chain : Bgp looking glass,抗攻击手段,DarknetExpensive!?Not reallyNobody should touch your infrasturcureNobody should touch your unused Ips,抗攻击手段,Darknet,抗攻击手段,Darknet,抗攻击手段,Darknet see 15169 there?,抗攻击手段,Darknet,最后,合作企业和企业，企业和运营商，运营商和运营商一个人一个企业走不远Security community,