Distributed Denial of Service (DDoS) Mitigation Strategy and Overview


Detailed slides that provide a DDoS overview, trends, architecture overview, and BGP flowspec overview.


Page 1: Distributed Denial of Service (DDoS) Mitigation Strategy and Overview

1 © 2013 Cisco Systems, Inc. All rights reserved.

DDoS mitigation strategy

Bertrand Duvivier [email protected] BGP product manager

Page 2

DDoS Mitigation – a stepping-stone approach

- Phase I: ACL, RTBH, PBR, uRPF
- Phase II: Malicious traffic mitigation: cleaning of malicious traffic, dirty and clean traffic handling, usage of multi-instance BGP
- Phase III: Dynamic application-aware redirection and traffic handling

Release targets shown on the slide: IOS-XR 4.3.1 / IOS-XE partial; IOS-XR 5.2.0 / IOS-XE 3.1.2

Page 3

Agenda

- DDoS trends
- DDoS - Phase 2 – Architecture overview
- DDoS - Phase 3 – BGP flowspec overview

Page 4

- Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
- Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests.
- Addressing DDoS attacks:
  - Detection: detect incoming fake requests
  - Mitigation:
    - Diversion: send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
    - Return: send the clean traffic back to the server

Page 5

DDoS impact on customer business

[Chart: GOOD traffic versus DDoS traffic against the customer business]

Page 6

DDoS impact on customer business

- Enterprise customers can't defend themselves: when the DDoS hits the FW, it's already too late.
- The SP could protect the enterprise by cleaning DDoS traffic at the ingress peering point.
- New revenue for the SP.
- Mandated service to propose to financial and highly visible customers.

Page 7

2011 DDoS trends (NANOG source)

- Any Internet operator can be a target for DDoS: ideologically motivated 'hacktivism' and on-line vandalism DDoS attacks are the most commonly identified attack motivations
- Size and scope of attacks continue to grow at an alarming pace: high-bandwidth DDoS attacks are the 'new normal', as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps; increased sophistication and complexity of layer-7 DDoS attacks, with multi-vector DDoS attacks becoming more common
- First-ever reports of IPv6 DDoS attacks 'in the wild' on production networks

Page 8

DDoS mitigation architecture 1. Detection (no DDoS)

[Diagram: DDoS scrubber, Security Server, DDoS Analyser; NetFlow exported from the routers to the analyser]

The analyser scans the NetFlow data to detect DDoS attacks.

Page 9

DDoS mitigation architecture 2. Detection (DDoS)

[Diagram: same components as page 8]

The analyser scans the NetFlow data and finds a DDoS signature.

Page 10

DDoS mitigation architecture 3. Redirect traffic to DDoS scrubber

[Diagram: same components as page 8]

The analyser scans the NetFlow data and finds a DDoS signature. BGP DDoS mitigation action: redirect to the DDoS scrubber.
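Worked example, added here and not part of the Cisco deck: a minimal version of the NetFlow analysis that the "DDoS Analyser" box on pages 8-10 performs. It aggregates constructed flow records per destination /24, compares the packet rate against an assumed per-prefix baseline, and only raises an alert when the rate spike comes from many distinct sources, which is what separates a distributed flood from one busy client. All records, thresholds, addresses and function names are assumptions of this example.

```python
"""Added example (not from the Cisco deck): a tiny NetFlow-style DDoS detector.
Flow records below are constructed samples, thresholds are assumptions."""

from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record (constructed; real exports carry more fields)."""
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    duration_s: float


def dst_prefix(addr: str, plen: int = 24) -> str:
    """Aggregate a destination address to its covering /plen prefix."""
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def summarize(flows, window_s: float, plen: int = 24):
    """Per destination prefix: (packets per second, number of distinct sources)."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for f in flows:
        p = dst_prefix(f.dst, plen)
        pkts[p] += f.packets
        srcs[p].add(f.src)
    return {p: (pkts[p] / window_s, len(srcs[p])) for p in pkts}


def detect(flows, window_s, baseline_pps, rate_factor=10.0, min_sources=50):
    """Return {prefix: (pps, sources)} for prefixes that look under attack.

    baseline_pps: normal pps per prefix (assumed here; learned off-attack in practice).
    A prefix is flagged only when pps > rate_factor * baseline AND the number of
    distinct sources is >= min_sources, i.e. a many-source flood signature."""
    alerts = {}
    for prefix, (pps, nsrc) in summarize(flows, window_s).items():
        base = baseline_pps.get(prefix, 1.0)
        if pps > rate_factor * base and nsrc >= min_sources:
            alerts[prefix] = (pps, nsrc)
    return alerts


def sample_flows():
    """Constructed 60-second window: normal HTTPS traffic to 192.0.2.80 plus a
    UDP/53 flood from 300 sources against 198.51.100.10 (documentation ranges)."""
    flows = []
    for i in range(20):      # normal: 20 clients, 40 packets each
        flows.append(Flow(f"203.0.113.{i + 1}", "192.0.2.80", 6, 443, 40, 60.0))
    for i in range(300):     # flood: 300 distinct sources, 2000 packets each
        flows.append(Flow(f"10.{i // 256}.{i % 256}.7", "198.51.100.10", 17, 53, 2000, 60.0))
    return flows


# Assumed off-attack baseline in packets per second for the two customer prefixes.
BASELINE = {"192.0.2.0/24": 20.0, "198.51.100.0/24": 50.0}

if __name__ == "__main__":
    for prefix, (pps, n) in detect(sample_flows(), 60.0, BASELINE).items():
        print(f"ALERT {prefix}: {pps:.0f} pps from {n} sources")
```

The prefixes returned by detect() are what the security server would turn into a diversion route (page 10); this example deliberately stops at the detection decision. Requiring source diversity on top of the rate check keeps a single legitimate bulk transfer from triggering a diversion.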

Page 11

Agenda

- DDoS trends
- DDoS - Phase 2 – Architecture overview
- DDoS - Phase 3 – BGP flowspec overview

Page 12

DDoS Mitigation: Architecture Considerations

- Normal traffic flow when there is no attack
- Redirect traffic from any edge PE to any specific DDoS scrubber
  - Including the PE that is connected to the host network
- Granular (prefix-level/network) diversion
  - Customers buy the DDoS mitigation service for some prefixes
  - Pre-provisioned DDoS service for those prefixes (using a policy such as a standard community flag)
- Centralized controller that injects the diversion route
- VPN-based labeled return path for the clean traffic
  - To prevent routing loops
- Solution supports redirection of BGP less/more specific prefixes or locally originated prefixes (static route, redistributed route)
- Support for multi-homed customers
  - During an attack, send clean traffic from the DDoS scrubber to multiple PEs

Page 13

DDoS mitigation architecture Step 1: create Clean-VPN (off-attack configuration)

[Diagram: Security Server, DDoS Analyser, DDoS scrubber with "in" and "out" interfaces]

The Clean VPN will transport clean traffic from the scrubber back to the customer next hop.

Page 14

DDoS mitigation architecture Step 2: inject customer prefixes into the Clean-VPN (off attack)

[Diagram: same components as page 13]

The VRF dynamic route-leaking function injects the global (default-VRF) prefixes into the VRF and the Clean VPN, using a route-map policy.

Page 15

DDoS mitigation architecture Step 3: inject BGP redirection in the DDoS control plane (under attack)

[Diagram: same components as page 13]

The security server injects a BGP update with the scrubber as next hop.

[BGP update: NH = scrubber, Prefix = the purple (attacked) prefix in the diagram]

Page 16

DDoS mitigation architecture Traffic flow under attack

[Diagram: same components as page 13]

Traffic is redirected via the DDoS scrubber. Loop-free solution.

Page 17

Why inject DDoS routes in a separate BGP instance?

- The solution supports redirection of BGP less/more specific prefixes or locally originated prefixes (static route, redistributed route)
- Separate inter-domain control plane and DDoS plane: no need to withdraw and re-signal inter-domain prefixes; the Internet routes stay intact in the control plane
- Easy to troubleshoot

Page 18

Agenda

- DDoS trends
- DDoS - Phase 2 – Architecture overview
- DDoS - Phase 3 – BGP flowspec overview

Page 19

Next-Gen BGP flowspec is RFC 5575 (aka BGP flowspec)

+ IPv6 support (draft-ietf-idr-flow-spec-v6)
+ Flowspec origin check relaxation (draft-djsmith-idr-flowspec-origin)
+ Extra redirection options (draft-simpson-idr-flowspec-redirect)
+ Comprehensive CLI/XML to inject BGP flowspec updates
+ Internet-in-VPN use case
+ Optimized flow-based forwarding plane: E-PBR (specific to ASR9K/CRS)

XR 5.2.0 / XE 3.12

Page 20

Next Gen BGP flowspec infrastructure phase 1 (XML/CLI model)

[Diagram components: BGP flowspec, BGP, Flow Spec Manager, ACL / QoS / PBR / Flow forwarding on the ASR9K/CRS; an Application running in an Application VM on XR-VR, connected through XML/CLI]

Page 21

Next Gen BGP flowspec infrastructure phase 2 (OnePK model)

[Diagram components: BGP flowspec, BGP, Flow Spec Manager, ACL / QoS / PBR / Flow forwarding on the ASR9K/CRS; an Application running in an Application VM on XR-VR, connected through the OnePK API/SDK (Flow OnePK)]

Page 22

NextGen BGP flowspec Flow encoding (phase 1)

Type 1   Destination prefix   (mask) prefix
Type 2   Source prefix        (mask) prefix
Type 3   IP protocol          udp, tcp, icmp, ...
Type 4   Port
Type 5   Destination port
Type 6   Source port
Type 7   ICMP type
Type 8   ICMP code
Type 9   TCP flags
Type 10  Packet length
Type 11  DSCP
Type 12  Fragment

Page 23

Next-Gen BGP flowspec Action encoding (phase 1)

Ext Community            Action                            Data
0x8006                   traffic-rate (bw zero)            BW or Drop
0x8007                   traffic-action: Terminal action   (bit 7)
0x8008                   Redirect (VRF)                    6-byte Route Target
idr-flowspec-redirect    Redirect (IP/MPLS)                Next Hop
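Worked example, added here and not from the deck or from Cisco's code: encoding and decoding of the RFC 5575 NLRI component types in the table on page 22, and of the traffic-rate (0x8006) and redirect-to-VRF (0x8008) extended communities from page 23. The rule bytes, the AS number and the route-target values are constructed samples; the helper names are this example's own, and only IPv4 prefixes are handled.

```python
"""Added example (not from the Cisco deck): RFC 5575 flowspec NLRI and
action encoding. Sample values are constructed."""

import ipaddress
import struct

PREFIX_TYPES = {1, 2}      # types 1-2 carry a prefix
BITMASK_TYPES = {9, 12}    # tcp-flags and fragment use the bitmask operator
NAMES = {1: "dst-prefix", 2: "src-prefix", 3: "ip-proto", 4: "port",
         5: "dst-port", 6: "src-port", 7: "icmp-type", 8: "icmp-code",
         9: "tcp-flags", 10: "pkt-len", 11: "dscp", 12: "fragment"}


def _op_byte(end, and_, value_len, flags):
    """Operator byte: e | a | len (2 bits) | 0 | lt gt eq   (bitmask: 0 0 not m)."""
    lenbits = {1: 0, 2: 1, 4: 2, 8: 3}[value_len]
    return (0x80 if end else 0) | (0x40 if and_ else 0) | (lenbits << 4) | flags


def encode_prefix(ctype, prefix):
    """Type 1/2 component: prefix length, then only the significant address bytes."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype, values, flags=0x01):
    """Numeric/bitmask component matching any of `values`; flags default to '=='."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        vlen = 1 if v < 0x100 else 2 if v < 0x10000 else 4
        out.append(_op_byte(i == len(values) - 1, False, vlen, flags))
        out += v.to_bytes(vlen, "big")
    return bytes(out)


def encode_nlri(components):
    """Prefix the concatenated components with the 1-byte NLRI length (< 240)."""
    body = b"".join(components)
    assert len(body) < 240
    return bytes([len(body)]) + body


def decode_nlri(buf):
    """Return [(component name, decoded value)] for one flowspec NLRI."""
    length, pos = buf[0], 1
    if length >= 0xF0:                       # 2-byte length: low nibble + next byte
        length, pos = ((buf[0] & 0x0F) << 8) | buf[1], 2
    end, out = pos + length, []
    while pos < end:
        ctype, pos = buf[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen = buf[pos]
            nbytes = (plen + 7) // 8
            raw = bytes(buf[pos + 1:pos + 1 + nbytes]).ljust(4, b"\0")
            out.append((NAMES[ctype], str(ipaddress.ip_network((raw, plen)))))
            pos += 1 + nbytes
        else:
            items = []
            while True:                      # operator/value pairs until the 'e' bit
                op = buf[pos]
                vlen = 1 << ((op >> 4) & 0x3)
                val = int.from_bytes(buf[pos + 1:pos + 1 + vlen], "big")
                pos += 1 + vlen
                if ctype in BITMASK_TYPES:
                    rel = ("not-" if op & 0x02 else "") + ("match" if op & 0x01 else "any")
                else:
                    rel = "".join(s for bit, s in ((0x04, "<"), (0x02, ">"), (0x01, "=")) if op & bit)
                items.append(("&" if op & 0x40 else "|", rel, val))
                if op & 0x80:
                    break
            out.append((NAMES[ctype], items))
    return out


def traffic_rate(asn, rate_bytes_per_sec):
    """0x8006: 2-byte AS + IEEE float rate; a rate of 0 means drop (page 23)."""
    return struct.pack(">HHf", 0x8006, asn, rate_bytes_per_sec)


def redirect_vrf(asn, assigned):
    """0x8008: redirect into the VRF that imports route-target asn:assigned."""
    return struct.pack(">HHI", 0x8008, asn, assigned)


def decode_action(ec):
    kind, = struct.unpack(">H", ec[:2])
    if kind == 0x8006:
        asn, rate = struct.unpack(">Hf", ec[2:])
        return "drop" if rate == 0 else f"rate-limit {rate:.0f} B/s (as {asn})"
    if kind == 0x8008:
        asn, val = struct.unpack(">HI", ec[2:])
        return f"redirect vrf rt {asn}:{val}"
    return f"unknown 0x{kind:04x}"


# Constructed rule: UDP/53 towards 198.51.100.0/24 -> drop (traffic-rate 0).
RULE = encode_nlri([encode_prefix(1, "198.51.100.0/24"),
                    encode_numeric(3, [17]), encode_numeric(5, [53])])
ACTION = traffic_rate(65000, 0.0)

if __name__ == "__main__":
    print(RULE.hex(), decode_nlri(RULE), decode_action(ACTION))
```

The operator byte is the part most often mis-encoded by hand: the value length is a 2-bit exponent (1, 2, 4 or 8 bytes), and the end-of-list bit must be set on the last operator of a component, otherwise a receiver keeps reading into the next component.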

Page 24

Summary

- DDoS mitigation is a mandatory service.
- DDoS phase 2 provides an optimized architecture.
- DDoS phase 3 provides flow-based mitigation granularity.

For more details, contact [email protected]

Page 25

THANKS

Page 26

DDoS phase 2

Technical details

Page 27

Architecture based on BGP multi-instance

- Two planes based on multi-instance BGP
  - The default BGP instance, for creating the normal routing and the return path of the clean traffic
  - The DDoS instance, for injecting the diversion route in the routers

[Diagram: on PE-C, the BGP DDoS instance peers with the DDoS RR and carries the diversion routes; the BGP default instance peers with the Internet RR and carries the normal routes]

Page 28

BGP ddos instance

router bgp 99 instance ddos
 bgp router-id 3.3.3.3

Creation of the DDoS BGP instance

Page 29

Architecture details

[Diagram: PE-C (customer-facing PE) and PE-S (scrubber PE), each running a BGP DDoS instance (RIB/FIB) and a BGP default instance with VRF default and VRF Clean (VRF RIB/VRF FIB); CGSE scrubber attached to PE-S with "Clean" and "Dirty" interfaces; customer C advertising X/Y; route reflectors: VPN RR, @ RR (IPv4) and DDoS RR]

- The default BGP instance uses a VRF, "Clean", to set up the return path
- On the scrubber PE, the clean traffic enters via the VRF "Clean" interface

Page 30

BGP read-only

router bgp 99 instance ddos
 bgp router-id 3.3.3.3
 bgp read-only

bgp read-only:
- Allows configuration of a second IPv4 or IPv6 instance
- Suppresses BGP update generation

Page 31

Route setup

[Diagram: topology of page 29; C advertises X/Y->C to PE-C]

- C sends X/Y to the default VRF of the default instance of PE-C

Page 32

Route setup

[Diagram: topology of page 29; X/Y->C now present in PE-C's default VRF, VRF Clean and RIB]

- PE-C imports X/Y into VRF "Clean"
- PE-C downloads X/Y->C to the RIB

Page 33

VRF dynamic route leaking

vrf clean
 address-family ipv4 unicast
  import from default-vrf route-policy ddos advertise-as-vpn
  export route-target
   111:1

// ddos policy = match community-string 100:123

Importing selected global routes into the clean VRF

Page 34

Route setup

[Diagram: topology of page 29; X/Y->C in PE-C's FIB, X/Y->PE-C advertised to @ RR and VPN RR]

- PE-C advertises X/Y to @ RR (as IPv4) and to the VPN RR (as VPNv4)
- PE-C RIB downloads X/Y->C to the FIB

Page 35

Route setup

[Diagram: topology of page 29; X/Y->PE-C installed on PE-S in the default VRF and in VRF Clean]

- @ RR advertises X/Y to the default VRF of PE-S, and the VPN RR advertises X/Y to the default VRF as a VPN route. Then the route is downloaded to the RIB and FIB of the default VRF and of VRF "Clean"

Page 36

Attack scenario

[Diagram: topology of page 29; X/Y->S injected on the DDoS RR]

- Arbor detects X/Y under DDoS attack
- Arbor injects the diversion route X/Y with next hop "S" on the DDoS RR

Page 37

Attack scenario

[Diagram: topology of page 29; X/Y->S received by the DDoS instances on PE-C and PE-S]

- DDoS RR advertises X/Y->S to the DDoS instances on PE-C and PE-S

Page 38

Attack scenario

[Diagram: topology of page 29; the RIBs on PE-C and PE-S hold both X/Y->S and the original path]

- The DDoS instance downloads the diversion route to the RIB. The RIB now has two paths for X/Y

Page 39

BGP install diversion

router bgp 99 instance ddos
 bgp router-id 3.3.3.3
 bgp read-only
 bgp install diversion

bgp install diversion: triggers the BGP ddos instance to install the diversion path into the RIB, so that the paths are pushed down to the FIB

Page 40

Attack scenario

[Diagram: topology of page 29; X/Y->S installed in the default-VRF FIBs of PE-C and PE-S]

- The RIB downloads the diversion route to the FIB, based on special flags and/or admin distance

Page 41

Attack scenario

[Diagram: topology of page 29; the default VRFs hold X/Y->S, VRF "Clean" on PE-S holds X/Y->PE-C, VRF "Clean" on PE-C holds X/Y->C]

- IP traffic enters PE-C (or any other PE) and finds X/Y->S in the default VRF. It goes to S.
- Clean traffic from S finds X/Y->PE-C in VRF "Clean" and returns to PE-C.
- On PE-C, the VPN label tells the packet to do an IP lookup in VRF "Clean". It goes to C.
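Worked example, added here and not part of the Cisco deck: a small forwarding simulation of the route state described on pages 36-41, showing why the clean return path needs its own VRF and VPN label (page 12: "VPN-based labeled return path for the clean traffic, to prevent routing loops"). Node names follow the diagram labels (PE-C, PE-S, S for the scrubber, C for the customer); the prefix X/Y is set to 192.0.2.0/24, the per-VRF tables are reconstructed from the slide text, core transit between the PEs is abstracted to a direct hop, and all of this is an assumption of the example rather than the deck's own material.

```python
"""Added example (not from the Cisco deck): per-VRF forwarding walk through the
attack scenario. Prefix, node names and tables are constructed."""

import ipaddress

PREFIX = ipaddress.ip_network("192.0.2.0/24")   # X/Y (constructed value)
DEST = ipaddress.ip_address("192.0.2.10")       # a host behind customer C


def build_tables(labeled_return: bool):
    """Route state during the attack (pages 38-41), as node -> vrf -> routes.

    A route is (prefix, next-hop node, label); the label names the VRF the
    receiving node must look the packet up in (None = its default VRF).
    With labeled_return the scrubber's clean side sits in VRF "Clean" on PE-S and
    the return route carries the VPN label that selects VRF "Clean" on PE-C.
    Without it, the clean traffic re-enters the default VRF, where the diversion
    route X/Y->S still points at the scrubber."""
    return_vrf = "Clean" if labeled_return else None
    return {
        "PE-C": {None: [(PREFIX, "PE-S", None)],        # X/Y->S via 'bgp install diversion'; NH S is reached through PE-S
                 "Clean": [(PREFIX, "C", None)]},       # X/Y->C leaked into VRF Clean (page 33)
        "PE-S": {None: [(PREFIX, "S", None)],           # dirty traffic goes into the scrubber
                 "Clean": [(PREFIX, "PE-C", "Clean")]}, # X/Y->PE-C learned from the VPN RR, labeled
        "S": {None: [(PREFIX, "PE-S", return_vrf)]},    # scrubber output interface
        "C": {None: []},                                 # the customer: traffic delivered
    }


def lookup(tables, node, vrf, dst):
    """Longest-prefix match in one VRF of one node; None when there is no route."""
    best = None
    for prefix, nh, label in tables[node].get(vrf, []):
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh, label)
    return best


def forward(tables, ingress, dst, max_hops=16):
    """Walk a packet from `ingress` until delivery or a loop; returns (delivered, path).

    Loop detection keys on (node, vrf): a node may legitimately be visited twice
    in different VRFs (PE-C in default on the way out, PE-C in Clean on return)."""
    node, vrf, path, seen = ingress, None, [], set()
    while len(path) < max_hops:
        path.append((node, vrf or "default"))
        if (node, vrf) in seen:
            return False, path              # same node, same VRF: routing loop
        seen.add((node, vrf))
        route = lookup(tables, node, vrf, dst)
        if route is None:
            return node == "C", path        # delivered only if we reached the customer
        _, node, vrf = route
    return False, path


if __name__ == "__main__":
    for labeled in (True, False):
        ok, path = forward(build_tables(labeled), "PE-C", DEST)
        print("labeled return" if labeled else "unlabeled return",
              "delivered" if ok else "LOOP", " -> ".join(f"{n}:{v}" for n, v in path))
```

Run as is, the labeled variant walks PE-C:default, PE-S:default, S, PE-S:Clean, PE-C:Clean, C, while the unlabeled variant bounces between S and PE-S:default, which is exactly the loop the deck's separate Clean VRF avoids.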