
Bharat Sanchar Nigar Limited

CYBER SECURITY ISSUES IN BROADBAND

Presented by
Atul Kumar Singh
DGM (Project)
Broadband Network Circle
Agenda
1. Introduction to BSNL Broadband Network
2. Regulatory Issues of Broadband
3. Cyber Threats/ Crimes Cases/ Issues
4. Cyber Security - International Perspective
5. Cyber Security - Readiness of BSNL
6. Conclusion
Introduction to BSNL Broadband Network
NIB Access Method
[Diagram: access methods into NIB BSNL and the Internet. PSTN dial-up via modem and RAS (33 Kbps); ISDN via NT/TA and RAS (64/128 Kbps); ADSL broadband via BRAS/BNG (>256 Kbps); CDMA/WLL access network via RAS (64 Kbps); LAN-connected PCs (100 Mbps); Multiplay Access Network.]
Internet Services in BSNL
[Diagram: NIB-II MPLS backbone with PE routers, connected to the external Internet cloud via IGW/ IXP. Customer groups and their access equipment: NIB-1 customers (NRAS), Project 2.1 customers, broadband customers (Project 2.2 BRAS and Multiplay BNG/ CPE), Internet leased line customers, GPRS customers (GSM access network, MSC), CDMA/ WLL customers (PDSN), and Wi-Fi/ Wi-Max/ Ku-Band/ BDLC customers via their respective access networks.]
Network diagram of NIB-II
[Diagram: ADSL terminals connect to DSLAMs, which uplink over FE to Tier 2 LAN switches (X-ge B, C, D, E); these aggregate over GigE into a Tier 1 GigE aggregation switch feeding the Broadband RAS (BB RAS) and the core router.]
Multiplay Network Architecture
[Diagrams (Data Networks, BSNL): Multiplay architecture for A1 & A2 cities, A3 & A4 cities, B1 & (B2+BNG) cities and other cities, showing NOC, DRNOC, RPOP, PE and BNG elements.]
Legend: BNG - Broadband Network Gateway; RPR - Resilient Packet Ring; OCLAN - Other Cities Local Area Network; DSLAM - Digital Subscriber Line Access Multiplexer; GE - Gigabit Ethernet; FE - Fast Ethernet; L3PE - Layer 3 Provider Edge Router.
Typical Subscriber connectivity
[Diagram: subscriber connectivity towards the gateway locations Noida, Kolkata, Chennai, Bangalore and Mumbai.]
Connectivity at Gateway/ NIXI/ Peering locations
[Diagram: at a gateway location the PE Router connects to IGW Routers (towards bandwidth providers) and IXP Routers (towards NIXI and peering networks such as Yahoo/ Google). Link types shown: STM-1, STM-16, GigE and 10 GigE; Chennai is shown as the example.]
Typical connectivity at Core
[Diagram: a P Router at the core with PE, BNG, BRAS and NRAS access equipment, both co-located and non co-located, plus NIB-1 and ILL connections; STM16 and GigE links.]
Regulatory Issues related to Broadband

Regulatory Framework: DIT, High Court/ Supreme Court, TDSAT, DoT, TRAI, Ministry of I & B

Internet Security Framework: NIA/ MHA, MoD, CERT-In, Other Agencies & State Police, NTRO, C-DoT, Ministry of IT, BSNL, DoT
TRAI Regulation 2006 (11 of 2006) on Quality of Service of Broadband Service
These Regulations are applicable to all Internet Service Providers, Basic Service Providers, Unified Access Service Providers and Cellular Mobile Telecom Service Providers providing Broadband Service.
These Regulations came into force with effect from 1st January, 2007.
Quality of Service (QoS) Parameters
The service providers shall meet the following benchmarks for the Quality of Service parameters for Broadband:
- Service provisioning/ Activation Time: 100% of cases in <= 15 working days
- Fault Repair/ Restoration Time: by next working day > 90%, and within 3 working days 99%
- Billing Performance: 100% of billing complaints resolved within 4 weeks
- Response time to the customer for assistance (call centers): 60% within 60 sec and 80% within 90 sec
- Bandwidth Utilization/ Throughput: < 80% during peak hours
- Service availability/ uptime: 98%
- Packet loss: < 1%
- Network Latency: 120 msec to 800 msec

TRAI's Reporting Requirement
The service providers shall submit Performance Monitoring Reports on the QoS benchmarks for all the parameters, in the format prescribed by the Authority, on a quarterly basis for the quarters ending 31st March, 30th June, 30th September and 31st December, and not later than 6 weeks from the end of the quarter.
The Authority may review from time to time the periodicity and the format of such reports.
Regulatory requirement for number of plans
It has been noticed that broadband plans are being counted as part of Fixed Wireline Services, whereas broadband is a separate service provided over the wireline.
Broadband service will not be counted in the wireline service segment, so as to have a uniform policy in the allocation of Unique Numbers to the plans issued by the Corporate Office.
CYBER CRIMES/ THREATS

Cyber crimes
- Illegal Access (hacking)
- Data Espionage (key-loggers, hardware or software based)
- Illegal Interception (the WEP encryption used in Wi-Fi is already broken)
- Data Interference
- Content Related Offences: Child Pornography & Sexual abuse of children; Hate Speech; Religious Offences; Illegal Gambling; SPAM
- Copyright & Trademark offences/ violations
- Computer related frauds (manipulation of digital documents, phishing, identity theft etc.)
- Misuse of Devices (like renting a Botnet)
- Combined Attacks (Cyber terrorism)
[Charts: Internet Crime reported in Year 2008; Cyber Crime Cases Reported; What is Cyber crime?; Statistics of Defaced Indian Web Sites.]

CYBER THREATS - Cases
2009-10 attacks overview:
- Conficker
- Slowloris & Sockstress
- Mydoom.EA
- Twitter
- Google
Conficker attack
Conficker: Zero-Minute Attack
[Diagram: malware spreading from one infected host to many victims.]
Main propagation vector: TCP Port 445 (RPC)
[Chart: Conficker Malware Spread]
Low Rate Denial-of-Service Attacks
Introduction
Typical DoS/DDoS attacks:
- High rate network / application flooding
- Single packet attacks (vulnerability exploitation)
A new trend: low rate flood attacks
- Exploit software weaknesses that allow attackers to misuse Web applications or TCP stack resources
- Deny service to legitimate users
- Go undetected by threshold-based tools
Recent attacks:
- Slowloris (July 2009)
- Sockstress (September 2009)
Slowloris
[Diagram: an attacker opens many connections to an Apache web server; each sends an HTTP GET whose header section ends with a single CRLF instead of the CRLF/CRLF that would complete the request, so the server keeps those requests pending and replies only to the completed ones.]
Service misuse attack:
- Server overload due to pending GET requests
- Minimal traffic exchange
Low rate DoS attack:
- A single client can reach complete denial of service within a few minutes
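The detection logic a web server operator would run over the server's own connection table to spot the pending-request pattern described above, as an added example that is not part of the original presentation; the `Conn` record, the thresholds and the sample connections (with documentation-range addresses) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Conn:
    src: str               # client IP address
    opened: float          # clock reading (seconds) when the TCP connection was accepted
    last_byte: float       # clock reading when the last request byte arrived
    header_complete: bool  # True once the request headers ended with an empty line (CRLF CRLF)

def stalled_requests(conns: List[Conn], now: float, max_header_secs: float) -> List[Conn]:
    """Connections still waiting for the end of their request headers long after being opened.
    Age since open is the criterion, not idle time: a Slowloris client keeps trickling partial
    header lines, so each connection rarely looks idle, yet never completes the request."""
    return [c for c in conns if not c.header_complete and now - c.opened >= max_header_secs]

def idle_incomplete(conns: List[Conn], now: float, idle_secs: float) -> List[Conn]:
    """The weaker idle-time check, kept for comparison: it misses trickling clients."""
    return [c for c in conns if not c.header_complete and now - c.last_byte >= idle_secs]

def suspects_by_source(conns: List[Conn], now: float,
                       max_header_secs: float = 20.0, min_conns: int = 5) -> Dict[str, int]:
    """Sources holding at least min_conns stalled requests. One client with many stalled
    requests is the Slowloris pattern; a slow but honest client holds only one."""
    counts: Dict[str, int] = {}
    for c in stalled_requests(conns, now, max_header_secs):
        counts[c.src] = counts.get(c.src, 0) + 1
    return {src: n for src, n in counts.items() if n >= min_conns}

def worker_slots_held(conns: List[Conn], now: float,
                      max_header_secs: float, max_workers: int) -> float:
    """Fraction of the server's worker slots tied up by stalled requests (1.0 = full denial)."""
    return len(stalled_requests(conns, now, max_header_secs)) / max_workers

def sample_connections(now: float) -> List[Conn]:
    """Constructed connection table (assumed addresses), not captured data."""
    conns = []
    # eight connections from one client, opened 2 to 9 minutes ago, each fed a
    # partial header line within the last few seconds, none ever completed
    for i in range(8):
        conns.append(Conn("203.0.113.5", now - 120 - 60 * i, now - 1 - 0.5 * i, False))
    # ordinary clients whose headers completed within a second of opening
    conns.append(Conn("198.51.100.7", now - 5, now - 4.5, True))
    conns.append(Conn("198.51.100.8", now - 1, now - 0.8, True))
    # a slow but honest client still sending its request, opened 4 s ago
    conns.append(Conn("198.51.100.9", now - 4, now - 1, False))
    return conns

if __name__ == "__main__":
    now = 1000.0
    table = sample_connections(now)
    print(suspects_by_source(table, now))            # {'203.0.113.5': 8}
    print(len(idle_incomplete(table, now, 10.0)))    # 0: the idle check sees nothing wrong
    print(worker_slots_held(table, now, 20.0, 10))   # 0.8
```

The same header deadline can be enforced on the server side: Apache's mod_reqtimeout closes connections whose request headers are not complete within a configured time, which bounds how many worker slots a single slow client can hold.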
Sockstress
On September 8th Microsoft and Cisco released a patch against the Sockstress tool, which was rated as critical.
Sockstress includes a set of tools, each exploiting a different weakness of the TCP/IP stack.
The Sockstress tool uses various techniques to create local resource consumption, which crashes a service or the entire machine - essentially a denial of service attack.
So far it is reported that this affects all systems running any service utilizing TCP, including Windows, Mac, Linux and BSD.
Mydoom.EA (AKA the July 2009 Cyber Attacks)
Spreading the Bot Malware: spam
[Diagram: advertiser, spammer and victims; a message carrying the malware code is sent to many victims.]
Activating the Bot malware
[Diagram: the infected victim connects to the Command & Control Server.]
[Diagram: the attacker issues BOT commands through the C&C Server to the bots (infected hosts), which flood public web servers on the Internet, crowding out the legitimate user.]
Mydoom.EA: 1st Strike
Bot characteristics:
- ~20,000 zombie computers
- Diversified attacks: HTTP page flood; SYN flood with packet anomalies; UDP flood; ICMP flood
- Destinations in US and S/Korea
- ~1-2 Gbps inbound traffic (200K-500K PPS)

Mydoom.EA: 2nd Strike
Bot characteristics:
- ~50,000 zombie computers
- Diversified attacks: HTTP page flood; SYN flood with packet anomalies; UDP flood; ICMP flood
- Destinations in US and S/Korea
- ~6-7 Gbps inbound traffic (>2 Million PPS)
Mydoom.EA: Time Flow
- 1st Strike (July 5th, 2009): targets in the US: Government, Media & eCommerce
- 2nd Strike (July 7th, 2009): targets in the US and S/Korea; over 25 sites
- 3rd Strike (July 8th ~ 9th, 2009): targets in the US and S/Korea; over 45 sites
- 4th Attack (July 9th ~ 10th, 2009): targets in the US and S/Korea; over 60 sites

Mydoom.EA: USA Targets
[Diagram: botnet attacking the US target sites.]
[Chart: July 2009 Cyber Attacks]
Why is Mydoom.EA so challenging?
- Dynamic attack tool
- Generates diversified attacks
- Both spoofed (DDoS) and non-spoofed (HTTP flood) attacks
- Highly distributed attack
- HTTP page flood targets the home page of victim sites
- High attack rate
July 2009 Cyber Attacks: fighting back

Attack Vector                                   Probable Solution
Bot malware spread                              IPS or Network Behavior Analysis
Bot Command & Control messages                  IPS
Application flooding - HTTP page flood attack   Network Behavior Analysis
Network flooding - SYN/UDP/ICMP flood attack    DoS Protection

No single protection tool can handle today's Cyber threats.
Twitter Attacks
Emerging Threats: Cyxymu DDoS (Aug 2009)
Attack: distributed SYN floods and UDP floods
Result: Twitter suffered hours of downtime; all victims had poor QoS for days

Google Attacks
Operation Aurora: Google hacked
[Chart: Google / Twitter Attacks 2009]
Hackers' Change in Motivation
[Timeline chart of attack risk against time, from vandalism and publicity (2001) through hacktivism to financially motivated attacks (2009):]
- 2001: CodeRed (defacing IIS web servers)
- 2001: Nimda (installed Trojan)
- 2003: Blaster (attacking Microsoft web site)
- 2003: Slammer (attacking SQL websites)
- 2004: Republican website DoS
- 2005: Agobot (DoS Botnet)
- 2007: Storm (Botnet)
- 2007: Estonia's Web Sites DoS
- 2007: Srizbi (Botnet)
- 2007: Rustock (Botnet)
- 2008: Georgia Web sites DoS
- 2009: Kracken (Botnet)
- July 2009: Cyber Attacks, US & Korea
How to prevent Cyber crime
- Technical prevention at ISP level
- At User/ Customer level
Network & Data Center security: Solutions
[Diagram: Internet, Access Router, Firewall, DoS Protection, IPS and NBA in front of the Web Servers and Application Servers, with Anti Trojan/ phishing protection. Building blocks shown: IPS, DoS Protection and NBA, using SYN cookies, rate limiting, signatures, behaviour analysis, stateful inspection, source behaviour and service patterns.]
How to Mitigate/ Prevent Cyber Threats/ Crimes

How to prevent Cyber crime - at user level
- Update OS
- Updated Antivirus protection
- Anti-spam and Trojan protection
- Safe Internet banking
- Good legal policies

How to prevent Cyber crime - in Organisation
Using the computer at the workplace: between efficiency and privacy
- Include the policy on how to use the Internet at the workplace as a part of the labour contract
- Train the employees on usage of the Internet and software
- Train the employees on how they should treat confidential information and essential passwords
Cyber Security - International Perspective

Cyber Security
- We are on the Information Super Highway without seatbelts on.
- Cyber Security is one of the most critical concerns of the information age.
- Connecting the World Responsibly
- It forms the cornerstone of a healthy, connected world.
ITU Initiative
Mission: Cyber security for All
Global Cybersecurity Agenda (GCA)
- A framework for International Cooperation & Response
- Launched on 7th March 2007
- GCA focuses on building partnership and collaboration between all relevant parties in the fight against cyber threats.
- Dr. Arias, President of Costa Rica, is the patron of GCA.
- With its 191 Member States and more than 700 sector members, ITU has enough reach to cater to the cyber security needs of the world.
ITU Initiative
GCA is built on 5 Strategic Pillars/ Work Areas with 7 main Strategic Goals:
1. Legal Measures - ITU Toolkit for cyber crime legislation (http://www.itu.int/ITU-D/cyb/cubersecurity/legistation.html)
2. Technical and Procedural Measures - by ITU's Standardization Sector (ITU-T):
   - Latest one is H.323 Security Standards for use by H.3 series IP multimedia systems (like VoIP, Video conferencing etc.)
   - J.170 Security Standards for two-way IP services on Cable TV n/w.
   - X.1205 Overview of Cybersecurity, which provides a definition and taxonomy of security threats.
   - M.1078 for IMT-2000 Networks (3G & Mobile Broadband)
ITU Initiative
3. Organizational Structures - Member States to establish CIRTs (Computer Incident Response Teams); India has CERT-In
4. Capacity Building - to develop a sustainable and proactive culture of Cybersecurity; CIIP Self-Assessment Tool (Critical Information Infrastructure Protection)
5. International Cooperation - a High Level Expert Group (HLEG) comprising high level experts from governments, industry, relevant regional/ international organizations, research institutes, academic institutions and individual experts, appointed by ITU for further developing the GCA.
   - IMPACT
   - IMPACT Center for Policy and International Cooperation
   - ITU Cybersecurity Gateway
   - Child Online Protection (COP) - Nov 2008

IMPACT (International Multilateral Partnership Against Cyber Threats)
- Is a public-private initiative dedicated to enhancing the global community's capacity to prevent, defend and respond to cyber threats.
- In Nov 2008 ITU became a member of the IMPACT Advisory Board.
- HQ in Cyberjaya, Malaysia; also the GRC's main centre.

IMPACT - GRC
As part of ITU's collaboration with the International Multilateral Partnership Against Cyber Threats, the Global Response Centre (GRC) plays a pivotal role in putting technical measures in place to combat new and evolving cyber threats. Two prime highlights of GRC are:
- NEWS: Network Early Warning System
- ESCAPE: Electronically Secure Collaboration Application Platform for Experts
Cyber Security - Australia
- 17.7 Million incidents reported in 2008
- 650 Million Aus $ in monetary terms
- CIRT established in 1993, 2nd after the US; based in the University of Queensland, Brisbane
- Has a Trusted Infrastructure Sharing n/w.
- Has a Critical Infrastructure Advisory Council
- International gateway consolidation
- ISP Code & Practices
- Contributing towards cyber crime legislation for other countries
- They have a Dept. of Broadband and Digital Economy
- http://www.staysmartonline.gov.au
- E-Security awareness week: 5th to 12th June
Cyber Security - India
- 1.1 billion subs as on July 2009
- More than 2 million domains in India
- Growth of about 11 million GSM users every month
- CERT-In formed on 27th Oct 2009 under the Ministry of IT
- ISO 27001 Best Practices for Cybersecurity
- http://www.cert-in.org.in/securepc/index.html
Cyber Security - Readiness of BSNL

Security Measures by BSNL
- Security Hardware/ Software
- Security policy: Physical Security Policy; Network Security Policy; Secrecy of Information
- Security Advisory: Advisory to BSNL Personnel; Advisory to BSNL Customers
- Security Drill done with CERT-In and others

Security Hardware/ Software in NIB
- Firewalls
- Load Balancers (Firewall & Server)
- Network Application Switch
- Host Based Intrusion Detection System (HIDS)
- Network IDS (NIDS)
- Antivirus Solution
- Antispam solution
- Security Management Solution: Symantec Enterprise Security Architecture (SESA); Symantec Incident Manager (SIM); Symantec Correlation Manager; Symantec Event Collector for Checkpoint; Symantec Event Relay for IBM
Physical Security Policy
- Lock and Key Room
- Biometrics Access
- Recording of sensitive areas
- Remote observation
- Room Access policy
- Maintaining of Log Register

Network Security Policy
- Access Policy: privilege level of access; password management
- Access/ Filter List: for access to equipment; for internet traffic
- Limit simultaneous access users
- Encryption of user/ password etc.
Secrecy of Information
- Network resources information like equipment H/W & S/W, IP address policy etc.
- Information on security policy
- Information on security measures
- Information about access policy
- Information about password policy

Security Advisory to Node BSNL Personnel
- Physical access to equipment: only authorised persons; log register etc.
- Password management: alphanumeric; don't use name, DOB etc.
- Update PC software, patches etc.
- Beware of installing freeware patches
- Educate about antivirus, antispam etc.

Security Advisory to Customers/ Users
- Password management
- Misuse of E-mail/ Internet
- PC security

PC Security Guidelines
- Virus protection
- Password
- Disable vulnerable services
- Firewalls
- Disable file/ print sharing
- Keep OS security patches updated - important for Windows users
- Disconnect the Internet cable from the PC when not in use.
Efforts made along with CERT-In
- A Network Security Drill was conducted in the Noida Data Center on 18th March 2010 for NIB-II Project-3.
- Vodafone, DMRC, CRIS, SBI, Airtel, CBEC, IAF, PNB, NTPC, IDBI, ONGC and Tata Communications participated in the drill.
- Kingfisher, ICICI, NSE, MTNL, Power Grid, Bank of India and the Income Tax Department could not participate in the drill.
- BSNL scored 65% marks.
- It helped in improving security settings in the Data Center firewall etc.
Efforts made along with CERT-In
Along with CERT-In, BBNW Circle tested our ADSL modems in their lab with respect to the security of our Broadband customers, and they issued the following suggestions for security:
- Disable web management, telnet, ICMP and SSH services on the WAN port of ADSL/ VoIP routers right at the time of installation.
- Only the device's web management port should be enabled from the LAN; disable telnet, SSH or any file uploading/ downloading services on the LAN port.
- Check for and remove file uploading/ downloading utilities such as wget, ftp etc.
- Upgrade the firmware of the modems/ routers and educate users to do the same.
- Create a unique user name and/ or password for web management specific to the customer and deliver it to him/ her in a confidential manner.
- Provide usage details to the users in the monthly bill.
CERT-In has created a Crisis Management Group for countering cyber attacks and cyber terrorism; BSNL is part of that team.
CERT-In publishes open proxy servers on their website http://www.cert-in.org.in/knowledgebase/whitepapers/openproxy.htm and we have to take necessary action related to our network.
Security Advisories/ Vulnerabilities issued by CERT-In are regularly published on the BBNW website http://dnw.bsnl.co.in.
Lawful Interception & Monitoring
Requirement
As per the ISP Licensing Policy, the security requirement has two stages:
1. Traffic interception
- The complete traffic of the n/w is to be provided for monitoring
- The data is analyzed by the respective security agencies as per their requirement
2. CDR Analysis
- CDR analysis based on IP, time & date to trace the user information
- The CDRs of the respective project are available with their respective billing system
- The user information is provided through the Billing/ provisioning system

License clause
1.10.10.1 Monitoring facilities.
(a) At each International Gateway location and/or ISP node with a router/switch having an outbound capacity of 2 Mbps or more --- ALL BSNL NODES FALL UNDER THIS
(i) Every international gateway location and/or the ISP node with a router/switch having a capacity of 2 Mbps or more shall be equipped with a monitoring Centre at the cost of the ISP. Suitable appropriate monitoring system is to be set up by ISPs carrying Internet telephony traffic through their Internet gateways and/or ISP nodes at their own cost.
(ii) Office space of 10 feet x 10 feet with adequate uninterrupted power supply and air-conditioning
(iii) one local exclusive telephone line
(iv) cost of maintenance of the equipment and infrastructure
Present LIM Connectivity
1. Narrow-Band (LIM at PE): NIB-1; Project-2.1 of NIB-II
2. Broadband: Project-2.2 (LIM at T-1/BRAS); Multiplay (LIM at BNG)
3. Internet Leased Line (LIM at PE): NIB-1 Eqpt.; Project-1

Present LIM Connectivity (contd.)
DoT has authorized C-DoT as the coordinating agency for installation of Monitoring Equipment.
C-DoT has installed LIM equipment at 8 locations: Jammu, Chandigarh, Noida, Jalandhar, Kolkata, Hyderabad, Jaipur & Guwahati.
Latest Development from June 2010
- DoT and MHA are very serious on this issue.
- DoT called a review meeting with BSNL in June 2010 to review LIM solution deployment in BSNL, and the third review meeting will be held on 20th Aug 2010.
- BSNL is finalising plans to deploy the LIM solution as per the requirement of Security agencies at 5 Gateway locations and 9 States in Phase-1.
Typical Network Architecture of BSNL Internet Gateways at Bangalore/ Chennai/ Mumbai/ Noida/ Kolkata
[Diagram: Core 1 and Core 2 routers, IGW-PE, IGW (2* STM 16, to IBP) and IXP (20 GE, to Peers), interconnected by 40 GE (4*10GE), 20 GE (2*10 GE) and 30 GE (3*10 GE) links. Tapping at these points: total 5 taps required; total 10 10GE ports required.]
Gateway Bandwidth Traffic Details (as on 14-07-2010)

SN  Name of IGW node  Connected STMs / BW (Gbps)  Connected BW for NIXI & Others (Gbps)  Peak Traffic (Gbps): Incoming  Outgoing  Total
1   Bangalore         64 / 9.9                    0                                      9.3       2.6       11.9
2   Chennai           80 / 12.4                   2                                      14.2      5.3       19.5
3   Kolkatta          48 / 7.4                    0                                      6.4       0         6.4
4   Mumbai            169 / 26.2                  6                                      31.8      7.7       39.5
5   New Delhi         16 / 2.5                    1                                      1.1       4.1       5.2
    Total             377 / 58.4                  9                                      62.8      19.7      82.5
Planned LIM deployment in Circles
- In Circles, BSNL is planning to deploy the LIM solution along with MPLS Core Routers.
- Phase-1 will cover 9 Circles (West Bengal, Orissa, Jharkhand, Chhattisgarh, Jharkhand, Bihar, North East, Jammu & Kashmir and Andhra Pradesh).
- The plan is still under finalization.
Login details of users
- The details of all Narrowband/ Broadband/ messaging users are provided as per requirement.
- Logging details are kept for 1 year in the archive and 6 months on the system.
- They are provided on the basis of the minimum information of IP address, time and date of the user.
Process for handling Cyber Crime related cases coming through Security/ Police Agencies
Call Data Record Analysis
For cases related to identification of a user based on IP address, date and time:
1. BSNL has designated nodal offices for taking such requests from these security/ police agencies in each SSA.
2. All SSA nodal officers are required to get the user details from the BBNW nodal officer, DGM (BB), Multiplay NOC, BBNW Circle, Bangalore, and reply back.
3. For Central Agencies like NIA, IB, CBI, CERT, TERM, NTRO, DRI and Delhi Police, DGM (Project), BBNW Circle, New Delhi is the direct nodal officer for such cases.
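A worked version of the IP-plus-date-and-time lookup that the nodal officer performs against the CDRs, as an added example that is not part of the presentation or of BSNL's billing system: the session records are constructed sample data, and the CSV layout, the IST time zone and the field names are assumptions. It handles the cases that make such lookups go wrong: the same dynamic IP reassigned to several users on one day, a session still open (no stop record), a request without a time zone, and a request older than the 1-year archive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

IST = timezone(timedelta(hours=5, minutes=30))   # assumption: CDR timestamps are in IST

@dataclass
class Session:
    username: str
    framed_ip: str
    start: datetime
    stop: Optional[datetime]   # None while the session is still open

# Constructed sample CDRs, not real subscriber data: "username,framed_ip,start,stop".
# One address is handed to three different users on the same day; one session is still open.
SAMPLE_CDRS = """\
user_a@bsnl,10.20.30.40,2010-07-14 09:00:00,2010-07-14 11:30:00
user_b@bsnl,10.20.30.40,2010-07-14 11:45:00,2010-07-14 18:00:00
user_c@bsnl,10.20.30.41,2010-07-14 10:00:00,
user_d@bsnl,10.20.30.40,2010-07-14 18:05:00,2010-07-14 18:20:00
"""

def ist_time(s: str) -> datetime:
    """Parse a CDR timestamp as a time-zone-aware IST instant."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=IST)

def parse_cdrs(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, stop = line.split(",")
        sessions.append(Session(user, ip, ist_time(start), ist_time(stop) if stop else None))
    return sessions

def sessions_holding(ip: str, at: datetime, sessions: List[Session]) -> List[Session]:
    """Sessions during which `ip` was assigned at instant `at` (start inclusive, stop exclusive)."""
    return [s for s in sessions
            if s.framed_ip == ip and s.start <= at and (s.stop is None or at < s.stop)]

def identify_user(ip: str, at: datetime, sessions: List[Session], now: datetime,
                  retention: timedelta = timedelta(days=365)) -> Tuple[str, List[str]]:
    """Answer a request of the form (IP address, date, time).
    Returns a status and the matching usernames; any status other than "found"
    means the request goes back with a question instead of a name."""
    if at.tzinfo is None:
        return ("time_zone_missing", [])   # a naive timestamp cannot be matched safely
    if now - at > retention:
        return ("beyond_retention", [])    # older than the 1-year archive
    users = sorted({s.username for s in sessions_holding(ip, at, sessions)})
    if not users:
        return ("no_match", [])
    if len(users) > 1:
        return ("ambiguous", users)        # overlapping records: report, do not guess
    return ("found", users)

if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    today = ist_time("2010-08-01 00:00:00")
    print(identify_user("10.20.30.40", ist_time("2010-07-14 10:00:00"), cdrs, today))  # ('found', ['user_a@bsnl'])
    print(identify_user("10.20.30.40", ist_time("2010-07-14 11:40:00"), cdrs, today))  # ('no_match', [])
```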
India is also getting ready to deal with Cyber Crime.
Conclusions
- Security measures can never ensure 100% security.
- Security measures/ methods/ equipment need constant improvement.
- Awareness is the key to Security.
- So Be-aware, Be-alert and Be-ready.