Professional Documents
Culture Documents
&
DNS Security
shailesh.gupta@vsnl.co.in
Internet Security
Best Practices
Brief on Tata Communications NW
Security Implementations in Tata Communications NW
DDOS attacks – Key learning & Mitigation Process/tool improvement
DNS Security
Best Practices
Brief on Tata Communications DNS architecture
Security implementations in Tata Communications DNS
DOS attack – Key learning & Mitigation Process/toll improvement
References
Q&A
Thanks
CORPORATE 1
CORPORATE 2
Tata Group Business Sectors
Voltas
Consumer
Tata Power Chemicals, 4%
Products, 5%
Tata
Energy, 7% Motors
Indian Services, 9% Engineering, 31%
Hotels
Tata
Autocomp
Information
Systems & Materials, 23%
REVENUE FY 2006
Communications,
TCS 20%
TTL
VSNL MPLS network
CORPORATE 4
International MPLS Network
London
Tokyo
Chicago
Amsterdam
Paris
SC Frankfurt
NY Hong Kong
Madrid
Dallas
Mumbai
Chennai
Ernakulam
Colombo Singapore
Sydney
Major POP
Minor POP
CORPORATE 5
VSNL India MPLS VPN Footprint (116 Locations)
CORPORATE 6
Network Diagram – Metro E
Mega PoP
Si Si
Business
Business Ring
Switch
CORPORATE 7
VSNL India MPLS VPN Footprint: India Map View
CNOC &
DATA NOC
CORPORATE 8
INTERNATIONAL TRANSIT / PEERING BW
TELEGLOBE 2-Gig
Google - Gig
London STM-1 Amsterdam
NTT-GIG
Frankfurt
TELEGLOBE-2xGig
New Jersey STM1
Dallas New York 3xSTM1 Paris
Madrid 2 XSTM-4
TELEGLOBE- Tokyo
Palo Alto 3xSTM1 Dubai 2xGig China
3xSTM1 4xSTM4
Santa Clara &STM16
TM4 Chicago 7xSTM1 DS3
Hong Kong
M16 5xSTM-4
Teleglobe- 5xGig Mumbai STM-1
Teleglobe-5xGig
M1 Chennai STM1
Ernakulam 3xSTM1
Yahoo-Gig 5 STM1
Singapore
Yahoo-Gig Above net-Gig Colombo Google-Gig
MSN-Gig
Google-Gig
3XSTM1
MSN-Gig
Transit Link
©2008 Tata Communications, Ltd. All Rights Reserved
Peering Link
Highly Resilient Network
• Gateway Locations
• Major Gateway locations at New York, Palo Alto, Santa Clara, London, Honk Kong and
Mumbai.
• 33% capacity is available in SMW-3, SMW-4 & TIC and 1% on SAFE cable system. It
ensures that optimum latency is available for Premium customers in case of any cable
system/Gateway failures.
CORPORATE 10
Current Services and Features
CORPORATE 11
Internet Security - Top Ten List
¾ Prepare your NOC
¾ Mitigation Communities
¾ iNOC-DBA Hotline
¾ Edge Protection
¾ Sink holes
¾
¾ Source address validation on all customer traffic
CORPORATE 12
What Do ISPs Need to Do?
2) Secure Resources
Firewall, Encryption, Authentication, Audit
PREPARATION
Prep the network
Create tools
POST MORTEM Test tools IDENTIFICATION
What was done? Prep procedures How do you know about the
Can anything be done to Train team attack?
prevent it? Practice What tools can you use?
How can it be less painful in the What’s your process for
future? communication?
REACTION
What options do you have to
remedy?
CLASSIFICATION
Which option is the best What kind of attack is it?
under the circumstances?
TRACEBACK
Where is the attack coming from?
Where and how is it affecting the
network?
CORPORATE 14
Important Points
CORPORATE 15
“Never underestimate the power of
human communications as a tool to
solve security problems. Our history
demonstrates that since the Morris
Worm, peer communication has been
the most effect security tool.”
Barry Raveendran Greene
CORPORATE 16
Need for Security – ISP NW
Significant increase in the DoS attacks & Various malicious activity on the
Internet. These attacks have not only given a negative impact to the users, but
also consumed a lot of network resources on the network. In order to minimize
the damage caused by these attacks from the Internet as well as the corporate
users, VSNL had implemented the following security strategy which is both
proactive as well as responsive.
CORPORATE 17
General Security measures Followed in VSNL
¾Enable secret are changed every 2 months and before National holidays, ie
NYD, ID & RD.
CORPORATE 18
Control Plane Security
CORPORATE 19
Control Plane Security ..Contd
Some features on the routers like ip redirects etc can be used to generate
DDoS attacks on the Internet. All such services are turned off on the network.
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no ip unreachables
CORPORATE 20
Control Plane Security ..Contd
Define the ACL
! permit router originated traceroute
access-list 122 permit icmp any any
Rate limit ICMP packets that should ttl-exceeded
be processed by the device access-list 122 permit icmp any any
the ICMP traffic to be processed by the port-unreachable
router be throttled to 100 kbps ! permit receipt of responses to
router originated pings
access-list 122 permit icmp any any
Dedicated Bandwidth for control
echo-reply
traffic ! allow pings to router
2% of the BW on all links is reserved for access-list 122 permit icmp any any
the network control traffic as a part of echo
the QoS design ! Configure the Class-map
Standard ACL on VTY line class CoPP-ICMP
match access-group 122
One Local username is allowed with
! configure the policy-map
privilege level 15
Policy-map restrict-icmp-packets
Class CoPP-ICMP
police 64000 2000 2000 conform-action
transmit exceed-action drop
! Apply the policy to the control-
CORPORATE pane 21
Router(config)# control-plane
Router(config-cp)# service-policy
TACACS+ setup
MPLS
MPLS
NETWORK
NETWORK
TACACS+ Server Pool
TACACS+ 1 TACACS+ 2 TACACS+ 3
INTERNET
INTERNET SSH 1 SSH 2
Access Server Pool
FW
CORPORATE 22
Data Network Equipments are managed by Data NOC(2000+).
CORPORATE 23
Sample Access rights
Configuration Access
Access level Control through TACACS+
Pin
Level Access To Show Trace g Partial Control Plane Full
Data L1 All Devices Y Y Y Y
L2 All Devices Y Y Y Y
L3 All Devices Y Y Y Y
After CM
L4 All Devices Y Y Y Y Process Y
SOC L1 All Edge Devices Y Y Y
L2 All Edge Devices Y Y Y
L3 All Edge Devices Y Y Y Y
TM L1 All Edge Devices Y
L2 All Edge Devices Y
L3 Region Edge Devices Y
Branch
Data L1 Region Edge Devices Y Y Y
L2 Region Edge Devices Y Y Y Y
L3 Region Edge Devices Y Y Y Y
P&I All Edge Devices Y Y Y
CORPORATE 25
TACACS Online Monitoring System-Logs
CORPORATE 26
Control Plane Security - Cont..
SNMP authentications
SNMP communities are configured on all devices and an ACL is in place in each
router to allow only authorized SNMP servers respond to the SNMP requests.
CORPORATE 27
Control Plane Security - Cont..
CORPORATE 28
L2 security
CORPORATE 29
Complete Interface Config
interface FastEthernetx/y
description Residential Customer X interface
switchport mode access Blocking user-user L2 communication
switchport access VLAN 1100
switchport protected Limiting number of MAC addresses learnt
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security aging time 5 forwarding state from a blocking state
Access List
ACLs are the most common option for enforcing a policy at the data plane. However,
ACLs are not scalable and hence must not be used if the implementation is done in
software or the performance is not line rate.
CORPORATE 31
DOS/DDOS attack detection and mitigation
DOS and DDOS attacks are being monitored through ARBOR which raises
the alarm for any happening DOS/DDOS attack in the network. Depending
upon the nature of the attack it categorizes the attack as low medium and
high as shown in the snap shot. Once the source/destination of the attack is
being identified RTBF( Remote triggered black hole filtering) is used to black
hole the traffic to safe guard the network (All the GW and aggregate routers in
VSNL network are pre configured for RTBF).
Arbor is also capable of handling other attacks like BGP hijacking. In which
the attacker may announce VSNL prefix as his own and drag the traffic for
that particular prefix towards him (though this is controlled through proper
filters on neighbors but additional feature present in the system)
CORPORATE 32
CORPORATE 33
CORPORATE 34
CORPORATE 35
Network Audit - SYSLOG
CORPORATE 36
Tata Communications - IP Network
DDoS Mitigation
New Delhi
¾IP Traffic (Net Flow ) being monitored through at all AS interconnects with
Peers.
¾Arbor keeps monitoring the flows and has configured profiles which are
said as a DOS Attack.
¾Any Flow which exceeds the limits set is identified as a DOS and an Alert
Generated.
¾ Alert has the Source IP, Destination IP along with the Ports being used.
¾ It has the Packet per Second rate of traffic.
¾ It has the Bits per Second rate of traffic.
CORPORATE 38
DDoS Mitigation - RTBHF
CORPORATE 39
DDoS Mitigation – After Steps
CORPORATE 40
Recent DOS Attacks on 4755
CORPORATE 41
DNS Security
New Delhi
The Domain Name System uses a tree (or hierarchical) name structure. At
the top of the tree is the root followed by the Top Level Domains (TLDs)
then the domain-name and any number of lower levels each separated with
a dot.
NOTE: The root of the tree is represented most of the time as a silent dot ('.')
Fig 1.1
CORPORATE 43
Authority and Delegation
The concepts of Delegation and Authority lie at the core of the domain name system
hierarchy.
The Authority for the root domain lies with Internet Corporation for Assigned Numbers and
Names (ICANN). Since 1998 ICANN, a non-profit organization, has assumed this
responsibility from the US government.
Figure 1.1 above shows how any authority may in turn delegate to lower levels in the
hierarchy, in other words it may delegate anything for which it is authoritative. Each layer
in the hierarchy may delegate the authoritative control to the next lower level.
Countries with more centralized governments, like India and others, have opted for
functional segmentation in their delegation models e.g. .co = company, .ac = academic
etc.).
CORPORATE 44
DNS ORGANISATION AND STRUCTURE
The Internet's DNS exactly maps the 'Domain Name' delegation structure described above. There is a
DNS server running at each level in the delegated hierarchy and the responsibility for running the
DNS lies with the AUTHORITATIVE control at that level.
The Root Servers (Root DNS) are the responsibility of ICANN but operated by a consortium under a
delegation agreement. ICANN created the Root Servers Systems Advisory Committee (RSSAC) to
provide advice and guidance as to the operation and development of this critical resource. The IETF
was requested by the RSSAC to develop the engineering standards for operation of the Root-
Servers. This request resulted in the publication of RFC 2870.
There are currently (mid 2003) 13 root-servers world-wide. The Root-Servers are known to every
public DNS server in the world.
The TLD servers (ccTLD and gTLD) are operated by a variety of agencies and registrars under a
fairly complex set of agreements by Registry Operators.
The Authority and therefore the responsibility for the User (or 'Domain Name') DNS servers lie with
the owner of the domain. In many cases this responsibility is delegated by the owner of the Domain
to an ISP, Web Hosting Company or increasingly a registrar. Many companies, however, elect to run
their own DNS servers and even delegate the Authority and responsibility for sub-domain DNS
servers to separate parts of the organisation.
When any DNS cannot answer (resolve) a request for a domain name from a host e.g. example.com
the query is passed to a root-server which will direct the query to the appropriate TLD DNS server
which will in turn direct it to the appropriate Domain (User) DNS server.
CORPORATE 45
Recursive Query
In a recursive query a DNS server will, on behalf of the client (resolver), chase the trail of
DNS across the universe to get the real answer to the question. The journeys of a simple
query such as 'what is the IP address of xyz.example.com' to a DNS server which supports
recursive queries but is not authoritative for example.com could look something like this:
CORPORATE 46
DNSSEC - Best practices
CORPORATE 47
DNSSEC - Best practices …Contd
¾Disable recursion
We allow recursive queries on the resolver but by limiting the number of recursive
clients.
CORPORATE 48
DNSSEC - Best practices …Contd
¾Restricted zone transfers to only our own known slave DNS servers,
thus preventing hackers from listing the contents of zones and others
from taxing name server's resources.
CORPORATE 49
VSNL’s DNS Infrastucture
The mid-range Sun Fire V440 [4 CPU, 8 GB RAM] with SunOS 5.9 at Delhi, Chennai,
Kolkata, Bangalore, Mumbai and Pune with a failover to Mumbai and being shared
with Radius cache applications on the same servers are used.
CORPORATE 50
Other VSNL’s DNS servers
CORPORATE 51
Dos Attack on ns1chn.vsnl.com on
December 15, 2006:
CORPORATE 52
Mitigation and Securing DNS
Upgradation of BIND :
The Bind application has been upgraded from version 9.2.3 to latest stable version
9.3.x with the required security and logging.
Rndc Service:
Also rndc service has been configured on all the DNS servers, which allows one to
administer the named daemon with command line statements.
So in case if one wants to reload the DNS configuration file “named.conf”, one need
not require to stop and start the named process, but instead one can simply reload
it by the command “rndc reload” or “rndc reconfig”.
This will reduce the frequent restart of the named process causing the unavailability
of the DNS service for few seconds.
CORPORATE 53
References
1. www.cisco.com/security
2. VSNL Metro Ethernet LLD
3. VSNL DNS LLD
CORPORATE 54
Q&A
CORPORATE 55
Our Inspiration
CORPORATE 56
Thank you
New Delhi
Remedy –
Enrichment, Impact , Metasolv - OM
Trouble Ticketing
RCA
M a s te r W e b G U I CW2K
Auto-ticketting, Root
D M S F a rm
VSNL Corporate
D M S -1
(0)
Impact Analysis,
‘r ig h t- c lic k ’ s e le c t
MPLS Network
RCA etc
D M S -2
D M S -3
D M S -4
(0)
Mega POPS (0)
Po InterInter
IP - Network ACS
D M S -5 ‘r ig h t- c lic k ’ s e le c t p nationatio
M D Ro nal nal
e S L S
u ute Pops Path
H
IMS - Cramer
Meg C
a m
l 100rs O Gways
h
M (1) K
PO(0) N ( (1)(
Popba aj
i(0 i P_ ( 2
100 3
s (0) or
Me ) Meg M ( 100P Tier0 ( PO
100 )
)Lega
P M OP_ ) 100P
1 1
PO 1 P
gaP aPo ajo aj 100P
) Mi Tier1 (2)
LegaOP_
P_ ) T3_cy_T
op_ P_R or ps or OP_ ier3
Maj cr Rout
100P cy_TT3_TT1
Tier 100P
Rou oute P (1 P Tier2 (100)
er1
r2orP o )o OP_ 2ier2 1_R OP_
(20
r1 (1)
(0)
Network
Synchronizatio
Threshold n for delta
Violations reports
ISC
VPN Prov.
IP - Network
CORPORATE 58
DNSSEC Best Practices
CORPORATE 59
ME - OVERALL NETWORK TOPOLOGICAL VIEW
CORPORATE 60
Backbone Capacity Geo Wise
Usable
Backbone Capacity capacity In (Mb) Out (Mb) G/W % Util
West Coast US (CHN &
EKM ) Backbone 8084 7592 6745 1337 88.84%
CORPORATE 61
Cable Media Wise Capacity
Link Media
FROM TO SMW4 SMW3 SAFE TIC TOTAL MB DS3 STM1 STM4 STM 16
CHENNAI SANTA CLARA 7464 7464 4 2
ERNAKULAM STARHUB 45 45 1
ERNAKULAM TM 45 45 1
ERNAKULAM CAT, Thailand 45 45 1
ERNAKULAM TAIWAN 45 45 1
ERNAKULAM Phillipines 45 45 1
ERNAKULAM Korea 155 155 1
MUMBAI China Telecom 45 45 1
MUMBAI SINGTEL 155 155
MUMBAI EMIX 45 45 90 2
MUMBAI KDDI 90 90 2
MUMBAI London 1244 622 1866 3
Bharti (9498) 24 24 20 51 48 54 90 92 91
Sify (9583) 69 66 69 483 492 494 631 630 634
RIL (18101) 27 27 44 56 57 66 365 363 343
CORPORATE 63
VSNL DNS Server Uptime
100.1 dns.vsnl.net.in
100 ns3
99.9 ns4
99.8 ns5
99.7
corpdns
99.6
corpdns1
99.5
mmb4
99.4
ns1chn
99.3
ns1kol
99.2
ns1del
PERCENTAGE PERCENTAGE PERCENTAGE
Uptime Uptime Uptime ns1bgl
Nov '07 (mins) Dec '07 (mins) Jan '08 (mins) ns1pn
CORPORATE 64