Blackhole for network security

There is a few paper on the net discuss how to divert and mitigate the damages caused by network attacks, in particular DDOS. Both papers describe a means to create a “black hole” on the network.

One is on the network layer and one is on the web server layer
Cisco Black Hole Filtering
Cisco's paper explain a specifically built infrastructure can help ISP to route malicious packets to a null interface(blackhole filtering).

Microsoft Beat Hackers At Their Own Game With A Hackerbasher Site
Utilizing the principle that all vistors must know my name. This method divert incoming traffic using IP address not hostname.

These papers give a good illustration that security can be achieved by thoughtful design. All the tools and technology is available to everyone or what they call built-in. By good designing, we increase the effectiveness of our security investment.

Comments

Post a Comment

Popular posts from this blog

Risk on Radio

This morning I joined a talk show on RTHK and discussed risk of usnig credit cards. Media attendtion is high after the recent security breach at Cardsystems. The story was uncovered on 17 June 2005, but after 6 days it is still lingering on. WHY? First, I believe this incident is huge in terms of people affected. 40 million card numbers were lost. Secondly, it was uncovered on SAT. I am not joking. One of my lectures in a Crisis Management class told his student in class that when reporters are hungry for news, even lost of a penny can be headline news. On Saturday, when reporters unable to find new story, a incident like this one will be reported by every newspaper. Back to the talk show, there were few people called in. And one mentioned that when he visited a Indian online shop and was diverted to a HSBC credit card website. This website asked him to enter his personal information like birthday and passport number. He worried this may be fraudulent website and asked for advice. As ...
Read more

How the Security Breach Occurred

Below is the testimony from CEO of Cardsystem, which can be found at here It seems an insider job (knowing which file to look for and can bypass FW setups). It is very difficult to uncover a script on a server if it is plant by an insider. BUT having this script running for 8 months is another thing. Security Audits, periodic port scanning and health check should uncover this abnormality of the systems. If one look into the root cause of this problem, it is the credit card data is stored for incomplete transactions. I believe lots of other card processing companies also store these type of data for manual settlements. How the Security Breach Occurred In September 2004, an unauthorized party placed a script (a sequence of instructions interpreted or carried out by another program) on the CardSystems platform (an underlying computer system on which application programs run) through an internet-facing application that is used by our customers to access data. In contrast to scripts, viruse...
Read more

Root Certificate update and software design

Recently, a member of PISA (also called Anthony) noticed that when using HK Post office website, FireFox displayed security warning saying the digital certificate used bu HK Post is invalid. A detailed study by other PISA members showed that the reason HK Post (once is the root CA for HK) used their own root certificate. Root certificates are usually shipped with the browser installation and HK Post digital certificate was not included in their default software package. Hong Kong Post setup a page to teach users on how to add the root certificate to most used browsers . However, how many users know this link, willing to follow or could follow the instructions !! It is quite clear that currently most browsers develop and distributed by US company or US-based community. The interest of adding other root certificates is likely lower than adding new functions. Having said that, FireFox developers have a process to add Root Certificates to their software package, for example this li...
Read more