SP Security Empowerment Materials

SP Security Empowerment Materials


The following materials will help SPs, Hosting Centers, and Operators of any large network get details on a wide range of SP Security techniques. Many of these techniques are taking advantage of technologies that already exist in the network – it just takes a bit of time to empower yourself and deploy them. Most of these techniques are different from traditional enterprise approaches to security – using the tools of forwarding, QOS, and other technologies used to glue the Internet together to protect the Internet. Many of the links are to materials with a Video on Demand (i.e. the NANOG Sessions and Cisco Powersessions). These help you hear from people who are doing the technique and/or created the technique – many from large networks themselves.

STEP 1: Join Communities of People Working Together to Mitigate Miscreant Activities

Security on an SP’s Network is not something you can do alone. Effective security mitigation and prevention dictates the need to collaborate and work with peers all over the planet. Prior to September 2002, there were not any SP Security communities who worked with each other to mitigate threats. Today there are several groups – each evolving specialties.

It is strongly encouraged for all SPs to join and activity participate in these mitigation communities. In fact, not doing so is viewed as putting their SP business at severe risk to revenue disrupting events.


NSP-SEC is one of the best inter-provide mitigation forums active today. It is a community that is more than a mailing list, with secure line of communication and regular meetings. Details for NSP-SEC are listed here:


NSP-SEC’s Charter

“Cyber defenders, ever vigilant, ever responsive.” -Marjorie Gilbert, 2003

The nsp-security [NSP-SEC] forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. The list has helped mitigate attacks and will continue to do so.

Who Qualifies for NSP-SEC Membership?

Step one is to insure you meet the qualifications for NSP-SEC. Some common questions to ask yourself are:

  • Do you work for some type of IP transit provider, huge multi-homed content provider, or service provider?
  • Does your job include Operational Security?
  • Are you willing to offer free services, data, forensic, and other monitoring data to the NSP community?
  • Do you have authorization to actively mitigate incidents in your network? Do you actually log into a router and do something to mitigate an attack or call someone to task them to do the work?
  • Do you have the time for a real-time NSP mitigation forum?

If yes, then you might fit the expectations to be on the NSP-SEC Mitigation or Discussion Forums.

How to Join NSP-SEC?

Joining NSP-SEC is not simple – requiring layers of trust to be built with members of the community. Trust is built by working with members of the community. The challenge is finding out who is part of NSP-SEC so you can stat building a trust relationship. The following are guidelines that are known to build trust relationships to get on NSP-SEC. It is a path which will benefit the SP Security operator (or just a normal SP Engineer).

  1. SP Security Contacts for all your Upstream SPs. Many of the large SP’s in the world are already part of the NSP-SEC community. So insuring you have the SP Security contact information for all your upstreams is a way to built trust relationships. Besides, you need to have this information in case there is a critical security incident.

  1. DSHIELD Membership. DSHIELD (see below) is a community which actively analysis and mitigates issues on the Internet. It is another sphere of trust with members who intersect with the NSP-SEC world.

  1. NSP-SEC BOFs. Meeting people in person is perhaps the best way to get to know other NSP-SEC members. For that reason, NSP-SEC has BOF sessions at NANOG (www.nanog.org), RIPE (www.ripe.net), and APRICOT (www.apricot.net).

  1. Drone Armies. Drone Armies offers a different and broader community mix as compared to NSP-SEC. There may be more people who know you on Drone-Armies than on NSP-SEC. Yet, there are a lot of NSP-SEC members on Drone-Armies (and visa-versa).

  1. National CERTs. Meet your national CERT. Know the members, actively participate, and promote their activities. Many National CERTS are on NSP-SEC.


DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service. If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready to go client programs, write your own, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required. Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.

Distributed Detection Systems Individuals and Organizations can participate:

Dshield – www.dshield.org


he primary issue in internet security is not that hackers troll the Internet, but rather that the Internet is chock full of insecure systems which are easily compromised, providing means for hackers to perform untraceable, indirect attacks. The only profound way to improve Internet security is to reduce the number compromised systems and minimize the amount of time that a system remains in a compromised state. (Click here to learn more about the myNetWatchman Vision.) myNetWatchman achieves its goals through:

  • Security Event Aggregator
  • Centralized, web-based firewall log analyzer
  • Fully automated abuse escalation/management system



Drone-Armies’s mission brings together NSPs, Big Enterprises, Security Solutions vendors, Operating System Vendors, Networking Vendors, and Researchers together is an aggressive mitigation forum. It is a parallel forum to NSP-SEC. While NSP-SEC’s membership community focuses on the SP operational security community, Drone Armies focuses on the strength of the synergy of diversity to mitigate threats – combining host protection interest – system protection interest – and network protection interest. The nature of the community tends to focus on BOTNET and Trojan/Worm/Virus disruption.


How to Join Drone Armies?

To apply, please sign up via:


MWP – Malware Providers

MWP is a mitigation community specializes in detecting and reporting detected malware hosting(s). These include droppers trojans, phish, and other miscreant systems. The community is inclusive of a broad segment of the white hat community. Phishing detection/disruption is one of the general consequence of MWP’s detecting and reporting.

How to Join MWP?

To apply, please sign up via:


STEP 2: Deploy the Basics

TEAM CYMRU Templates and Tools

Team CYMRU provides configuration templates, security templates, and other services to help make the Internet a safer place to network. These can be found at:


The Original Backscattered Traceback and Customer Triggered Remote Triggered Black Hole Techniques



What is a BOTNET?

One of the best write ups is from a freeware tool gone commercial (I guess so they can scale).


NANOG SP Security Seminars and Talks

The NANOG Coordination Committee actively works to product sessions and seminars to help foster security on the Internet. All sessions are taped and converted to VOD for all to use for their personal education. Over time, this effort has generated a valuable On-Line Tutorial for engineers and organzations seeking to learn more about running a more secure network.

NANOG Security Tutorial Series

Tutorial: Implementing a Secure Network Infrastructure (Part I)

Tutorial: ISP Security – Real World Techniques I – Remote Triggered Black Hole Filtering and Backscatter Traceback.

Tutorial: ISP Security – Real World Techniques II – Secure the CPE Edge

Tutorial: ISP Security: Deploying and Using Sinkholes

Tutorial: Deploying IP Anycast

NANOG Security Sessions

A Day in the Security Life of a Service Provider—Qwest


Team Cymru Bogon Route Servers


Options for Blackhole and Discard Routing


ISP Security Toolkits




What Will Stop Spam?


DNSSEC Deployment: Big Steps Forward; Several Steps to Go


Tracking Global Threats with the Internet Motion Sensor


Implications of Securing Backbone Router Infrastructure


Preparing RIR Allocation Data for Network Security Analysis Tasks


Integrated Security for SNMP-Based Management


Watching Your Router Configurations and Detecting Those Exciting Little Changes


Building a Web of Trust


The Relationship Between Network Security and Spam


Simple Router Security, What Every ISP Router Engineer Should Know and Practice


Flawed Routers Flood University of Wisconsin Internet Time Server


Trends in Denial of Service Attack Technology


Recent Internet Worms: Who Are the Victims, and How Good Are We at Getting the Word Out?

` http://www.nanog.org/mtg-0110/moore.html

DoS Attacks in the Real World


Diversion & Sieving Techniques to Defeat DDoS


DNS Damage – Measurements at a Root Server


Protecting the BGP Routes to Top Level DNS Servers


BGP Security Update


Industry/Government Infrastructure Vulnerability Assessment: Background and Recommendations


A National Strategy to Secure Cyberspace


How to 0wn the Internet in Your Spare Time


ISP Security BOF I


The Spread of the Sapphire/Slammer Worm


ISP Security BOF II


The BGP TTL Security Hack


Security Considerations for Network Architecture


Lack of Priority Queuing on Route Processors Considered Harmful


Interception Technology: The Good, The Bad, and The Ugly!


The NIAC Vulnerability Disclosure Framework and What It Might Mean to the ISP Community


Inter-Provider Coordination for Real-Time Tracebacks


ISP Security BOF III


S-BGP/soBGP Panel: What Do We Really Need and How Do We Architect a Compromise to Get It?


BGP Vulnerability Testing: Separating Fact from FUD


BGP Attack Trees – Real World Examples


NRIC Best Practices for ISP Security


RIPE SP Security Presentations

RIPE-46 BoF: NSP-SEC (Hank Nussbacher)


IRT Object in the RIPE Database (Ulrich Kiermayr)


Operational Security Requirements (George M. Jones)


Infrastructure Security (Nicholas Fischbach)


MPLS-Based Traffic Shunt PDF (Nicholas Fischbach)


Address Space and AS Number Hijacking (Leslie Nobile, Leo Vegoda)


Managing a DoS Attack (Vincent Gillet, Jean-michel Valey)


ETSI & Lawful Interception of IP Traffic (Jaya Baloo)


Securing a Core Network: Tutorial (Michael Behringer)


Cisco SP Security Powersession Series

Service Providers Power Session in Dulles, Virginia, on October 20 and 21, 2004


Powersession on Core Security (4-6 May 2004)


CPN Summit SP Security Materials (April 2004)


Sydney Australia SP Security Powersession

DAY 1: Thursday, December 1, 2005

9:00 – 10:30 – How “SP/ISP/ASP and Big Network Security Differs from all Other Types of Traditional Network Security, Barry Greene, Security Architect, Cisco Systems, Inc.

11:00 – 12:00 – Identifying and Classifying Attacks and Security Incidents, Kunjal Trivedi, Product Manager, Cisco Systems, Inc.

13:00 – 14:00 – SP Control Place security – BGP

14:00 – 15:00 – DDoS Attack Methodology , Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.

15:30 – 17:00 – Protect the Infrastructure, Kunjal Trivedi, Product Manager, Cisco Systems, Inc. and Tony Kirkham, Network Consulting Engineer, Cisco

DAY 2: Friday, December 2, 2005

09:00 – 10:30 – How to Build a Security Operations Center, Barry Greene, Security Architect, Cisco Systems, Inc.

11:00 – 12:00 – Deploying Security Techniques –Using uRPF, rACLs, and other Tools as a Deployment Example, Tony Kirkham, Network Consulting Engineer, Cisco Systems, Inc.

13:00 – 14:00 – Principles of the Miscreants-Economic Theory, Cyberwar, Ego in Today’s Attacks, Barry Greene, Security Architect, Cisco Systems, Inc.

14:00 – 15:00 – Core Hiding – ISIS and Forwarding as a Security Tool, Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.

Cisco SP Security Materials

BGP ‘Attack Tree’ – Realities of BGP Security: Cisco’s CIAG Team moves beyond the armchair hypothesizing of BGP Security Risk and runs test again the industry’s multiple implementations of BGP


Protecting Your Core: Infrastructure Protection Access Control Lists

Infrastructure Protection on Cisco IOS Software-based Platforms

(Giving Lots of Hardware Examples)

Leave a Reply