Thursday, June 11, 2015

Where is this Attack Coming From?!

Help Desk Technician: We’re getting reports of users complaining about the internet being slow.  Is there something going on with the network?
Network Technician: It looks like the internet pipes are getting saturated.
Help Desk Technician: By whom?
Network Technician: I’m looking into it… (A couple minutes pass), looks like it’s coming from a number of different IP addresses out on the internet.  I’ll have to look at IANA’s website to find out where they’re coming from and who they belong to.  Call security and inform them that we might be getting attacked.

The situation above isn’t as uncommon as you might think.  With would-be attackers constantly trawling the internet and performing reconnaissance on potential targets, this scenario is actually quite common and could be playing out on your network as we speak.  Most likely it is happening on a smaller scale, but there is a good chance it is happening nonetheless.  So the question becomes, “How do I prevent this from happening?”

The first and most important thing to be done, in my opinion, is to sit down with the security team and the business/organization to determine who your target customers are and where they should be coming from.  Does it make sense to leave your online services open to anyone and everyone in the world?  I would say that if security is a priority to the organization, then it is important to limit incoming access to the organization’s online services to the geographic regions where it has a significant business interest.  That is to say, if an organization has a target customer base in the United States, as well as some manufacturing in India or China, and is looking to expand its customer base to parts of Europe, then it would make sense to limit access to the organization’s online services to those geographic regions.

Once the discussion above has taken place, you can start to plan how access control based on IP address is going to be implemented.  The network technician mentioned that you could go to the Internet Assigned Numbers Authority (IANA) website, www.iana.org, and begin your search there. However, this would be extremely time-consuming and cumbersome, especially when you consider that this would only be the starting point for determining which of the regional registries, for example the American Registry for Internet Numbers (ARIN) at www.arin.net, would be the most relevant. Sure, there are all-in-one sites such as www.dazzlepod.com or www.tcpiputils.com, but it is important to note that their databases might be somewhat outdated or might contain conflicting information.

There are easier ways to determine which IPs belong to which geographic region than researching IANA’s website by hand.  For example, many vendors are starting to offer IP identification as part of their security portfolio. Fortinet uses its own FortiGuard Labs to provide an IP reputation service that can be referenced when writing firewall policies if you want to block or monitor activity from addresses in a particular country (Fortinet, 2015).  Juniper Networks offers a similar service through its Spotlight Secure product, as does Palo Alto Networks with WildFire.  While this is not a silver bullet that will eliminate threats altogether, it is a great place to start shrinking your attack surface, making it that much more difficult for would-be attackers to compromise your network.
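To show what the region-based allowlist described above looks like once the business decision has been made, here is an added example (not code from this post or from any of the vendors named). It assumes a small prefix-to-country table built from RFC 5737 documentation ranges with invented country labels, and an allowed-region set taken from the post’s own example of a US customer base, manufacturing in India and China, and expansion into parts of Europe.

```python
import ipaddress
from collections import Counter

# Constructed sample of a prefix-to-country table. Real data comes from the
# RIR delegation files or a vendor feed; these prefixes are RFC 5737
# documentation ranges and the country labels are invented for the example.
PREFIX_TABLE = {
    "192.0.2.0/24": "US",
    "192.0.2.128/25": "CA",      # more specific prefix overrides the /24
    "198.51.100.0/24": "IN",
    "198.51.100.64/26": "BR",    # sub-allocation inside the /24
    "203.0.113.0/26": "DE",
}

# Regions the business decided to serve (assumption based on the post's example).
ALLOWED_REGIONS = {"US", "IN", "CN", "DE", "FR"}

# Sort longest prefix first so the most specific allocation wins.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in PREFIX_TABLE.items()),
    key=lambda nc: nc[0].prefixlen, reverse=True)

def lookup_country(ip: str) -> str:
    """Return the country code for ip via longest-prefix match, or 'ZZ' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr in net:
            return cc
    return "ZZ"

def is_allowed(ip: str) -> bool:
    """Allowlist policy: permit only regions the organisation serves.
    Unknown ('ZZ') is denied, so a gap in the table fails closed."""
    return lookup_country(ip) in ALLOWED_REGIONS

def triage(src_ips):
    """Count denied sources per country: the per-region view the network
    technician in the story wanted without visiting IANA by hand."""
    blocked = Counter()
    for ip in src_ips:
        if not is_allowed(ip):
            blocked[lookup_country(ip)] += 1
    return blocked

# Constructed sample of source addresses seen while the link was saturated.
SAMPLE_SOURCES = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "198.51.100.70",
                  "198.51.100.80", "203.0.113.5", "203.0.113.200"]

if __name__ == "__main__":
    print(triage(SAMPLE_SOURCES))  # Counter({'BR': 2, 'CA': 1, 'ZZ': 1})
```

On a real firewall the same decision is expressed as a policy that references the vendor’s geo-IP object rather than a hand-maintained table, but the fail-closed handling of unknown addresses is worth carrying over.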

References
Fortinet. (2015). FortiGuard IP Reputation Service. Retrieved from http://www.fortinet.com/support/fortiguard_services/iris.html
Juniper. (2015). Spotlight Secure. Retrieved from http://www.juniper.net/us/en/products-services/security/spotlight/
