Backbone Network Security Visibility In Practice

BSidesDE 2016

Presented by: Yang Xu
Date: Saturday October 08, 2016
Time: 13:00 - 13:50
Location: Odeum 309
Track: Track 1

Threat Intelligence has been extremely hot for the last two years, but Threat Visibility is the first step before anyone can talk about Threat Intelligence.

Our team is focused on collecting, processing, storing and analyzing basic security-related data, in the hope of sweeping away the dark corners of the internet and seeing more.

Today we run the biggest publicly available PassiveDNS database in China (passivedns.cn) and the Global DDoS Attack Detection System (ddosmon.net), both built on backbone network data; a Global Scanner Tracking System is expected to follow soon.

This talk will cover the following questions:

  1. Intro - Monitoring the backbone network: why and how
  2. How we deal with "BIIIIIG Data" in real time
  3. Which processing modules we use and which data features matter
  4. What we can get from backbone network monitoring
     a. All kinds of scanners: SYN scan / UDP scan / HTTP banner scan / subdomain scan (brute force) ...
     b. All kinds of attacks: SYN flood / amplification attack / DNS flood / HTTP flood (CC) / random subdomain attack ...
     c. Profile!
  5. Cases
  6. In addition:
     a. MO
     b. Side indicators
     c. Partial data
     d. Effect of the GFW
     e. Integration of third-party data

Yang Xu

I'm a network security engineer with 7 years of experience in the field and currently a member of Netlab (Qihoo 360), where I focus on network/passive-DNS data processing/analysis and threat research. Before joining Netlab (Qihoo 360), I was a security engineer at NSFOCUS and was involved in many different projects, like SoC architecture design and implementation, and intranet-traffic anomaly detection.
