The networks of financial services firms experience a wide range of network threats, from BGP route hijacks to DDoS attacks and DNS cache poisoning. Yet many firms do not have in-depth, real-time monitoring and alerting for these threats. ThousandEyes helps security and network operations teams to gain in-depth DNS, network and BGP visibility of security events as they're happening.
Reviewing real-life examples from the financial services industry, we share how to:
Visualize key network services such as BGP and DNS
Create alerts based on security threats
Troubleshoot and take action during situations such as BGP hijacks, DDoS attacks and DNS cache poisoning
Watch the recorded webinar with live demo here: https://www.thousandeyes.com/resources/network-security-webinar
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
1. Monitoring for Network Security: BGP Hijacks, DDoS Attacks & DNS Cache Poisoning
Nick Kephart, Sr. Director of Product Marketing
2. About ThousandEyes
ThousandEyes delivers network intelligence into every network.
Founded by network experts; strong investor backing. Relied on for critical operations by leading enterprises. Recognized as an innovative new approach.
24 Fortune 500; 4 of the top 5 SaaS companies; 4 of the top 6 US banks; 3 of the Fortune 5
3. Three Network Security Threats
BGP Hijack: routes incoming or outgoing traffic to the wrong network.
DNS Poisoning: spoofs DNS mappings to reroute traffic to a malicious endpoint.
DDoS: saturates network links, hardware or servers to deny service.
4. A Primer on BGP Hijacks
Diagram labels: border routers and autonomous systems AS 14340 (Salesforce), AS 2914 (NTT), AS 3356 (Level3), AS 7018 (AT&T) and AS 4761 (Indosat); traffic path shown from AT&T to Salesforce.
Salesforce advertises routes among BGP peers to upstream ISPs: Salesforce.com advertises prefix 96.43.144.0/22.
AT&T receives route advertisements to Salesforce via Level3 and NTT.
5. A Primer on BGP Hijacks
Diagram labels: the same autonomous systems (AS 14340 Salesforce, AS 2914 NTT, AS 3356 Level3, AS 7018 AT&T, AS 4761 Indosat); traffic path now shown from AT&T to Indosat.
Indosat also advertises prefix 96.43.144.0/22, 'hijacking' Salesforce's routes.
AT&T now directs Salesforce-destined traffic to Indosat.
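The hijack walked through in the BGP primer slides above can be caught by comparing what route monitors see against a baseline of expected origin and next-hop ASes. The following is an added example (not ThousandEyes code); the baseline, monitor names and observed AS paths are constructed for illustration, using the ASNs and prefix from the primer.

```python
import ipaddress

# Constructed baseline for the primer's prefix: expected origin AS (AS 14340 Salesforce)
# and the upstreams that should appear directly next to it (AS 2914 NTT, AS 3356 Level3).
EXPECTED_ORIGIN = {"96.43.144.0/22": 14340}
EXPECTED_UPSTREAMS = {14340: {2914, 3356}}

# Constructed route-monitor observations: (monitor, prefix, AS path as seen from the monitor).
# The last AS in the path is the origin; the one before it is the next-hop (upstream) AS.
OBSERVATIONS = [
    ("NTT monitor",    "96.43.144.0/22", [2914, 14340]),               # normal
    ("Level3 monitor", "96.43.144.0/22", [3356, 14340]),               # normal
    ("AT&T monitor",   "96.43.144.0/22", [7018, 4761]),                # Indosat originates it
    ("AT&T monitor",   "96.43.144.0/22", [7018, 3356, 4761, 14340]),   # unexpected next-hop AS
    ("AT&T monitor",   "96.43.146.0/24", [7018, 4761]),                # more-specific prefix
]

def detect_bgp_anomalies(observations, expected_origin, expected_upstreams):
    """Return (alert_type, monitor, prefix, asn) for each suspicious observation."""
    baseline = {ipaddress.ip_network(p): asn for p, asn in expected_origin.items()}
    alerts = []
    for monitor, prefix, as_path in observations:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        if net in baseline:
            if origin != baseline[net]:
                # Someone other than the prefix owner is originating the exact prefix.
                alerts.append(("origin-as-mismatch", monitor, prefix, origin))
            elif len(as_path) >= 2 and as_path[-2] not in expected_upstreams.get(origin, set()):
                # Origin looks right, but the AS adjacent to it is not a known upstream.
                alerts.append(("next-hop-as-change", monitor, prefix, as_path[-2]))
            continue
        # A more-specific of a monitored prefix wins longest-prefix matching everywhere,
        # so it is alerted on regardless of who originated it; review it before acting.
        if any(net != b and net.subnet_of(b) for b in baseline):
            alerts.append(("more-specific-prefix", monitor, prefix, origin))
    return alerts

if __name__ == "__main__":
    for alert in detect_bgp_anomalies(OBSERVATIONS, EXPECTED_ORIGIN, EXPECTED_UPSTREAMS):
        print(alert)
```

A legitimate change such as a DDoS mitigation handoff to a scrubbing provider also changes the origin or next-hop AS, so these alerts flag events for review rather than proving a hijack.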
6. Cloud-Based DDoS Mitigation
Diagram labels: Internet, Enterprise (YourBank.com), Scrubbing Center; locations Chicago, IL, London, Tokyo, Atlanta, Portland, OR and Sydney.
Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and 'real' traffic is routed back to your network.
7. DNS Cache Poisoning
Diagram labels: User; Local DNS Cache; Authoritative DNS Server (dns.website.com, www.website.com); Attacker; Attacker DNS Server (dns.attack.com, www.attack.com). Precondition: unsecured DNS server, no DNSSEC, no port randomization.
Step 1: Attacker inserts a false record into the DNS cache.
Step 2: User requests DNS record for www.website.com.
Step 3: Looks up record on spoofed name server.
Step 4: User accesses spoofed URL.
8. ThousandEyes Helps Monitor Network Security
BGP Hijack
• View global path changes, reachability
• Alert on Origin AS, Next Hop AS, more specific prefix
DNS Poisoning
• View DNS record from global points
• DNSSEC validation
• Alert on DNS availability, resolution time, mapping
DDoS
• Monitor global performance
• Ensure mitigation is effective
• Share data with ISPs and mitigation vendors
9. How ThousandEyes Works
Diagram labels: Enterprise Agents (Branch, Data Center), Cloud Agent, Route Monitors, Internet, DNS Provider, DNS Server, Consumers.
(1) DNS Records and Availability
(2) BGP Hijacks / Leaks
(3) DDoS Mitigation Performance
15. DDoS Attack: Mitigation Handoff Using BGP
Screenshot callouts: prior autonomous system (HSBC); new autonomous system (VeriSign); withdrawn routes; new routes; prefixes automatically identified.
16. DDoS Attack: Drop in Global Availability
Screenshot callouts: global availability issues; problems at TCP connection and HTTP receive phases.
21. DNS Hijack: Craigslist's Records Compromised
Screenshot callouts: spoofed mapping; vantage points with spoofed record; prevalence of spoofed mapping over time.
22. DNS Hijack: Networks with Records to Flush
Screenshot callouts: number of vantage points with spoofed records; breakdown available by country and network.
23. See what you're missing. Watch the webinar: www.thousandeyes.com/resources/network-security-webinar