3.4 Security Issue Identification
Identify security issues such as DDoS attacks, DNS hijacking, BGP hijacking, and route leaking affecting network performance
For a Network Assurance engineer, identifying the fingerprint parameters of security attacks such as DDoS, DNS hijacking, route leaking, and BGP hijacks is crucial. While reading and understanding the nature of these attacks is a good starting point, hands-on experience and the ability to interpret network and application protocol metrics shown in exhibits or outputs are essential to meet this requirement.
Key Concepts
DDoS Attack
A Distributed Denial of Service (DDoS) attack's primary objective is to render a service unavailable to its legitimate users. One of the most effective ways to achieve this is to generate a large volume of rogue requests from many different locations, so that the service cannot respond to real users' requests.
Common DDoS attack types include:
- Volumetric Floods: Generating traffic to overwhelm bandwidth and resources (e.g., TCP floods, UDP floods).
- Protocol Attacks: Exploiting Layer 3 or Layer 4 weaknesses to consume servers' processing capacity (e.g., SYN Flood).
- Application Attacks: Generating traffic requests to consume all the server's processing capabilities (e.g., HTTP flood, DNS attacks).
- Reflection/Amplification Attacks: Exploiting open DNS resolvers or other vulnerable services to amplify traffic and overwhelm the target (e.g., NTP amplification, DNS amplification).
Monitor DDoS attack patterns or symptoms:
- Look for high latency and packet loss toward the target from several vantage points at the same time (Cloud Agents are well suited to provide this visibility, since a single-site problem will usually show up from only one location).
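The symptom above is a correlation across vantage points rather than a single measurement. The following script is an added example (not part of this guide or of any ThousandEyes tooling) that applies that idea to constructed per-agent metrics: it flags agents whose loss or latency exceeds a baseline and only calls the pattern DDoS-like when several locations degrade at once. The agent names, baselines and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class AgentSample:
    agent: str         # vantage point, e.g. a Cloud Agent location
    loss_pct: float    # packet loss observed toward the target (%)
    latency_ms: float  # round-trip latency toward the target (ms)

# Constructed baseline latency per agent (ms); assumption for the example.
BASELINE_MS: Dict[str, float] = {
    "London": 85.0, "Tokyo": 160.0, "Sao Paulo": 140.0,
    "Chicago": 40.0, "Sydney": 190.0,
}

# Constructed current round: four of five locations degrade simultaneously.
WIDESPREAD: List[AgentSample] = [
    AgentSample("London", 35.0, 420.0),
    AgentSample("Tokyo", 48.0, 510.0),
    AgentSample("Sao Paulo", 2.0, 145.0),   # healthy
    AgentSample("Chicago", 30.0, 380.0),
    AgentSample("Sydney", 55.0, 600.0),
]

# Constructed contrast: only one location degrades (looks like a local path issue).
SINGLE_SITE: List[AgentSample] = [
    AgentSample("London", 1.0, 88.0),
    AgentSample("Tokyo", 0.0, 158.0),
    AgentSample("Sao Paulo", 40.0, 700.0),  # only this agent is affected
    AgentSample("Chicago", 0.5, 41.0),
    AgentSample("Sydney", 1.0, 195.0),
]

def degraded_agents(samples: List[AgentSample], baseline: Dict[str, float],
                    loss_threshold: float = 10.0, latency_factor: float = 2.0) -> List[str]:
    """Return agents whose loss exceeds loss_threshold or whose latency is
    at least latency_factor times their own baseline."""
    out = []
    for s in samples:
        base = baseline.get(s.agent)
        latency_bad = base is not None and s.latency_ms >= latency_factor * base
        if s.loss_pct >= loss_threshold or latency_bad:
            out.append(s.agent)
    return out

def looks_like_ddos(samples: List[AgentSample], baseline: Dict[str, float],
                    min_locations: int = 3, **thresholds) -> Tuple[bool, List[str]]:
    """DDoS-like when at least min_locations vantage points degrade together."""
    bad = degraded_agents(samples, baseline, **thresholds)
    return len(bad) >= min_locations, bad

if __name__ == "__main__":
    for name, sample in (("widespread", WIDESPREAD), ("single-site", SINGLE_SITE)):
        verdict, agents = looks_like_ddos(sample, BASELINE_MS)
        print(f"{name}: ddos_like={verdict} degraded={agents}")
```

The per-agent baseline matters: a 145 ms round trip is normal from Sao Paulo but would be alarming from Chicago, so a single global latency threshold would misclassify one or the other.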
DNS Hijack
A DNS Hijack is a security attack that aims to redirect DNS queries to a rogue DNS server. Attackers may use techniques such as cache poisoning, rogue DNS servers, or man-in-the-middle attacks to achieve this.
Symptoms:
- Packet loss
- NS queries resolving to rogue name servers
- Unexpected redirection to malicious websites
Monitoring strategy:
- Monitor your name servers for any unauthorized changes.
- Monitor for query errors and increased resolution time of queries.
- Compare DNS records to known legitimate IP addresses or domain names.
Mitigation during an attack:
- Flush DNS cache or encourage network operators to do so.
- Implement DNSSEC to ensure the authenticity and integrity of DNS data.
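The monitoring strategy above (compare answers against known legitimate records, watch for query errors and slower resolution) can be expressed as a small check over per-agent DNS observations. The script below is an added example, not part of this guide; the domain, the legitimate A records, the baseline resolution time and the observations are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class DnsObservation:
    agent: str                 # vantage point that issued the query
    qname: str                 # name queried
    answers: Set[str]          # A records returned
    resolution_ms: float       # time to resolve
    rcode: str = "NOERROR"     # DNS response code

# Known legitimate A records per name (constructed; assumption for the example).
EXPECTED: Dict[str, Set[str]] = {"www.example.com": {"203.0.113.10", "203.0.113.11"}}

# Normal resolution time per name in ms (constructed).
BASELINE_MS: Dict[str, float] = {"www.example.com": 30.0}

# Constructed observations from four agents.
OBSERVATIONS: List[DnsObservation] = [
    DnsObservation("Frankfurt", "www.example.com", {"203.0.113.10"}, 28.0),
    DnsObservation("Singapore", "www.example.com", {"198.51.100.77"}, 31.0),   # answer not in the allowlist
    DnsObservation("Denver", "www.example.com", set(), 2400.0, "SERVFAIL"),    # query error and slow
    DnsObservation("Toronto", "www.example.com", {"203.0.113.11"}, 150.0),     # legitimate but slow
]

def check_dns(observations: List[DnsObservation], expected: Dict[str, Set[str]],
              baseline_ms: Dict[str, float], slow_factor: float = 3.0) -> List[Tuple]:
    """Return (agent, finding, detail) tuples for each anomaly seen."""
    findings: List[Tuple] = []
    for o in observations:
        # 1. Query errors: a hijacked or poisoned resolver often fails or times out.
        if o.rcode != "NOERROR":
            findings.append((o.agent, "query_error", o.rcode))
        # 2. Answers outside the known-good set: the core hijack indicator.
        unexpected = o.answers - expected.get(o.qname, set())
        if unexpected:
            findings.append((o.agent, "unexpected_answer", sorted(unexpected)))
        # 3. Resolution time well above baseline.
        base = baseline_ms.get(o.qname)
        if base is not None and o.resolution_ms >= slow_factor * base:
            findings.append((o.agent, "slow_resolution", o.resolution_ms))
    return findings

if __name__ == "__main__":
    for agent, kind, detail in check_dns(OBSERVATIONS, EXPECTED, BASELINE_MS):
        print(f"{agent}: {kind} {detail}")
```

Only the "unexpected_answer" finding is specific to hijacking; the other two also occur during ordinary resolver trouble, which is why the three are reported separately rather than collapsed into one alert.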
BGP Hijack
BGP Route Hijacking, also known as prefix hijacking, route hijacking, or IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting the Internet routing tables maintained with the Border Gateway Protocol (BGP). By announcing IP prefixes it does not own, an attacker (IP hijacker) can reroute traffic in order to intercept or modify it. The attack succeeds because BGP accepts announced prefixes on trust: the announcing peer is presumed to be entitled to originate them.
Attackers may announce more specific prefixes or claim shorter paths to attract traffic. They often target unused prefixes to avoid immediate detection by legitimate owners.
Symptoms:
- BGP Path Changes: Observe and analyze changes in the AS Path at a specific monitoring point.
- Availability Drop: Traffic redirection due to rogue announcements can reduce availability.
- Packet Loss: Monitor and document packet loss incidents during the attack.
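The two hijack techniques named above (a more specific prefix, or a competing announcement of the same prefix from a different origin) both show up as a change in the origin AS of a route when compared against a baseline. The script below is an added example, not from this guide or from ThousandEyes; it compares constructed route observations against a constructed prefix-to-origin baseline. AS 16509 and AS 10297 are the numbers used in the sample question; the transit ASNs and prefixes are assumptions drawn from documentation ranges.

```python
import ipaddress
from typing import Dict, List, Tuple

# Baseline: prefixes we are responsible for and their expected origin AS (constructed).
BASELINE: Dict[str, int] = {"198.51.100.0/22": 16509}

# Constructed observations at a monitoring point: (prefix, AS path, origin last).
OBSERVED: List[Tuple[str, List[int]]] = [
    ("198.51.100.0/22", [64496, 16509]),   # normal announcement
    ("198.51.100.0/24", [64496, 10297]),   # more specific, unexpected origin
    ("198.51.100.0/22", [64497, 10297]),   # same prefix, origin changed
    ("192.0.2.0/24",    [64496, 64498]),   # not our prefix: ignored
    ("198.51.100.0/23", [64497, 16509]),   # more specific but legitimate origin
]

def detect_hijacks(observed: List[Tuple[str, List[int]]],
                   baseline: Dict[str, int]) -> List[Tuple[str, str, int, int]]:
    """Return (kind, prefix, expected_origin, seen_origin) for suspicious routes."""
    owned = {ipaddress.ip_network(p): asn for p, asn in baseline.items()}
    findings = []
    for prefix, as_path in observed:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        for base_net, base_asn in owned.items():
            if origin == base_asn:
                continue  # the legitimate owner may announce any more-specific it likes
            if net == base_net:
                findings.append(("origin_change", prefix, base_asn, origin))
            elif net.subnet_of(base_net):
                findings.append(("more_specific", prefix, base_asn, origin))
    return findings

if __name__ == "__main__":
    for kind, prefix, expected, seen in detect_hijacks(OBSERVED, BASELINE):
        print(f"{kind}: {prefix} expected AS{expected}, seen AS{seen}")
```

A more-specific announcement wins regardless of AS path length, which is why it is checked separately from an origin change on the same prefix; in an exhibit this is the kind of AS change the hint for Question 1 asks you to look for.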
Resources:
- What is BGP Route Hijacking?
- Anatomy of a BGP Hijack on Amazon's Route 53 DNS Service
- Best Practices to Combat Route Leaks and Hijacks
BGP Route Leak
According to the IETF RFC, a BGP route leak is defined as "the propagation of routing announcement(s) beyond their intended scope." In other words, an Autonomous System (AS) re-announces a BGP route it learned to another AS in violation of the intended routing policies, potentially causing traffic to be misdirected.
BGP's trust-based nature makes it vulnerable to route leaks. Attackers exploit this to propagate routes beyond their intended scope, causing issues such as traffic blackholing, performance degradation, and increased latency. Because a more specific prefix is preferred over a less specific one, leaking a more specific prefix makes the leaked route more attractive and increases the impact.
Symptoms:
- Packet loss
- BGP path changes
- Increased latency
- Traffic blackholing
Case Studies
Review these additional case studies to strengthen your skills in identifying security issues:
- Analysis of Amazon Route 53 BGP Hijack
- Twitter Outage Analysis
- Suspicious Route Against A Root DNS Prefix
- Akamai Prolexic Routed Outage Analysis
- Analyzing the Wikipedia DDoS Attack
- Craigslist DNS Hijack: Charting the Effects
Sample Questions
3.4 Question 1
In real-life applications using ThousandEyes, you can switch between various views. However, for the exam, you will be limited to up to three exhibits. When reviewing answer options, remember to
- Analyze using only the provided exhibits.
- Choose the answer that can be confirmed with the information given.
Carefully review the exhibits. Which detail indicates the network issue might be caused by a BGP Hijack?
- A) Availability Drop
- B) AS 16509 change to 10297
- C) HTTP Server response delay
- D) Packet Loss
Hint
- Analyze the details and contrast the provided exhibits to accurately identify potential network issues. Note any changes in Autonomous System (AS) numbers, which are crucial for determining the cause of network problems.
- If there are multiple agents visible in the path visualization view showing packet or forwarding loss, focus on one agent and compare its path against subsequent exhibits to determine the root cause.
3.4 Question 2
Considering the observed network behavior and the information in the exhibits, which action would be the most appropriate next step for the network administrator to take?
- A) Contact the internal network team to investigate potential misconfigurations on the local routers
- B) Reach out to the Internet Service Provider (ISP) to report the suspected BGP hijacking incident
- C) Implement traffic filtering rules on the firewall to block traffic originating from AS 10297
- D) Restart the DNS server to refresh its cache and potentially resolve the observed issue