© 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04
Protection On-Demand: Ensuring Resource Availability
Dan Touitou

Agenda
The Growing DDoS Challenge
Existing Solutions
Our Approach
Technical Overview

How do DDoS Attacks Start?
[Diagram labels: DNS, Email, ‘Zombies’]
Innocent PCs & Servers turn into ‘Zombies’

The Effects of DDoS Attacks
[Diagram labels: DNS, Email]
Server-level DDoS attacks
Bandwidth-level DDoS attacks
Infrastructure-level DDoS attacks
Attack Zombies:
  Massively distributed
  Spoof Source IP
  Use valid protocols

Attacks - examples
• SYN attack
  Huge number of crafted spoofed TCP SYN packets
  Fills up the “connection queue”
  Denial of TCP service
• HTTP attacks
  Attackers send a lot of “legitimate” HTTP requests

Existing Solutions

SYN Cookies – how it works
Participants: Source, Guard, Target
Stateless part (Guard keeps no state):
  Source -> Guard:  syn(isn#)
  Guard -> Source:  synack(cky#, isn#+1) WS=0
  Source -> Guard:  ack(cky#+1)
State created only for authenticated connections:
  Guard -> Target:  syn(isn#)
  Target -> Guard:  synack(isn’#, isn#+1)
  Guard -> Target:  ack(isn’#+1)
  Guard -> Source:  ack(isn#+1) WS<>0
Sequence # adaptation: for the rest of the connection the Guard translates between cky# on the Source side and isn’# on the Target side
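The slide shows the three phases of the guard's SYN-cookie handshake but not how the cookie is built, how the stale or spoofed ACK is rejected without state, or what "sequence # adaptation" does once the target side exists. The following Python simulation is an added example, not Cisco's or Riverhead's code. It assumes a constructed HMAC secret, a 5-bit time tick and a 3-bit MSS index in the cookie (a classic cookie layout, not one the slides specify), and a stand-in Target that just picks its own ISN.

```python
"""Added example (not from the slides): a SYN-cookie guard with sequence-number adaptation.

The Guard answers a SYN with a SYN-ACK whose sequence number is a cookie, keeps no
state, verifies the cookie when the ACK comes back, and only then completes a real
handshake with the Target. From then on it keeps a per-connection delta to rewrite
sequence/ack numbers between the cookie-based client side and the Target's real ISN.
"""
import hashlib
import hmac
import random

SECRET = b"constructed guard secret"   # constructed; a real guard rotates this key
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values the 3-bit cookie field can encode
MOD32 = 1 << 32


def make_cookie(src, dst, client_isn, tick, mss_index):
    """cookie = 5-bit time tick | 3-bit MSS index | 24-bit keyed hash of (4-tuple, ISN, tick)."""
    msg = f"{src}|{dst}|{client_isn}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((tick % 32) << 27) | ((mss_index & 7) << 24) | int.from_bytes(digest[:3], "big")


def check_cookie(src, dst, client_isn, ack_num, now_tick, max_age=1):
    """Return the MSS encoded in a valid, fresh cookie, or None if the ACK carries no such cookie."""
    cookie = (ack_num - 1) % MOD32
    tick_bits, mss_index = cookie >> 27, (cookie >> 24) & 7
    if mss_index >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):             # accept the current tick and the previous one
        tick = now_tick - age
        if tick % 32 == tick_bits and make_cookie(src, dst, client_isn, tick, mss_index) == cookie:
            return MSS_TABLE[mss_index]
    return None


class Target:
    """Stand-in for the protected server: completes a normal handshake with its own ISN."""
    def __init__(self, seed=0):
        self.rng = random.Random(seed)      # seeded only so the walk-through is reproducible

    def synack(self, client_isn):
        return self.rng.randrange(MOD32), (client_isn + 1) % MOD32


class Guard:
    def __init__(self, target, tick=0):
        self.target = target
        self.tick = tick
        self.delta = {}      # connection key -> (isn' - cookie); state only for authenticated connections

    def on_syn(self, src, dst, client_isn, mss_index=3):
        """Stateless reply: synack(cky#, isn#+1) with a zero window so the source sends no data yet."""
        cookie = make_cookie(src, dst, client_isn, self.tick, mss_index)
        return {"seq": cookie, "ack": (client_isn + 1) % MOD32, "win": 0}

    def on_ack(self, src, dst, client_isn, ack_num):
        """Verify ack(cky#+1); if good, open the Target side and record the sequence delta."""
        if check_cookie(src, dst, client_isn, ack_num, self.tick) is None:
            return None                                   # spoofed or stale: drop, no state
        cookie = (ack_num - 1) % MOD32
        isn_prime, _ = self.target.synack(client_isn)    # guard completes the real handshake
        key = (src, dst, client_isn)
        self.delta[key] = (isn_prime - cookie) % MOD32
        # ack(isn#+1) with a non-zero window: the source may now send data
        return {"key": key, "seq": (cookie + 1) % MOD32, "ack": (client_isn + 1) % MOD32, "win": 65535}

    def ack_to_target(self, key, ack_num):
        """Source -> Target: the source acknowledges cookie-space numbers; shift into the Target's space."""
        return (ack_num + self.delta[key]) % MOD32

    def seq_to_source(self, key, seq_num):
        """Target -> Source: the Target's sequence numbers are shifted back into cookie space."""
        return (seq_num - self.delta[key]) % MOD32


def handshake(guard, src, dst, client_isn):
    """Drive a legitimate client through the guard; returns the connection key."""
    synack = guard.on_syn(src, dst, client_isn)
    update = guard.on_ack(src, dst, client_isn, (synack["seq"] + 1) % MOD32)
    return update["key"] if update else None
```

Only an ACK that echoes cookie+1 for the same 4-tuple, ISN and a recent tick creates state; everything else is dropped at no memory cost, which is exactly why the first phase can be stateless under a SYN flood. The delta stored per connection is what the slide calls sequence number adaptation: the source only ever sees cookie-based numbers, the target only its own ISN.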

Blackholing
[Diagram: routers R1, R2, R3, R4, R5 (labels RR, R); links labelled 1000, 1000, FE, 100; peering upstream; customer site with Server1, Victim, Server2]
= Disconnecting the customer

At the Edge / Firewall/IPS
[Diagram: same topology as Blackholing, routers R1–R5, links 1000, 1000, FE, 100, peering; Server1, Victim, Server2]
• Easy to choke
• Point of failure
• Not scalable

At the Backbone
[Diagram: same topology as Blackholing, routers R1–R5, links 1000, 1000, FE, 100, peering; Server1, Victim, Server2]
• Throughput
• Point of failure
• Not Scalable

Cisco Solution

Dynamic Diversion Architecture
[Diagram: Guard XT, BGP announcement, Target, Non-targeted servers; Detector XT or Cisco IDS, Arbor Peakflow]
1. Detect
2. Activate: Auto/Manual
3. Divert only target’s traffic

Dynamic Diversion Architecture
[Diagram: Guard XT, Target, Non-targeted servers; Detector XT or Cisco IDS, Arbor Peakflow]
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to target
6. Non-targeted traffic flows freely

Technical overview
• Diversion/Injection
• Anti Spoofing
• Anomaly Detection
• Performance Issues

Diversion
How to “steal” traffic without creating loops?

Diversion, one example: L3 next hop
BGP
Diversion:
  announce a longer prefix from the guard, no-export and no-advertise community
Injection:
  Send directly to the next L3 device

Diversion L3 next hop application
[Diagram: ISP 1 and ISP 2 connect to a Router; GEthernet link from the Router to the Guard XT; Switch and Firewall in front of the Internal network (DNS Servers; Web, Chat, E-mail, etc.); Riverhead Detector XT next to the Target sends Alert to the Guard XT; Web console]

Diversion, one example – Injecting with tunnels
BGP
Diversion:
  announce a longer prefix from the guard, no-export and no-advertise community
Injection:
  Send directly to the next L3 device
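The two diversion slides state the rule (announce a longer prefix, inject past the diverting router, either to the next L3 device or through a tunnel) but the loop they avoid is easier to see when traced. The following Python model is an added example, not configuration or code from Cisco or Riverhead. It assumes a constructed three-router topology (R1 edge, R2 diverting router, CUST customer-facing router), constructed addresses (target 203.0.113.10, a second server 203.0.113.20, a tunnel endpoint 192.0.2.1) and, as the slide's no-export/no-advertise community implies, that only R2 learns the guard's /32. It goes beyond the slides by comparing a wrong injection choice (routing the cleaned packet back through R2) with the two correct ones.

```python
"""Added example: why the guard's longer prefix diverts only the target, and why the
cleaned traffic must be injected past the diverting router.

Toy model of the slide's topology: R1 (edge) -> R2 (diverting router) -> CUST (next L3
device in front of the servers). The guard announces TARGET/32 to R2 only (the
no-export/no-advertise community keeps it from propagating further). Three injection
choices are compared.
"""
import ipaddress

TARGET = "203.0.113.10"        # constructed: the attacked server
OTHER = "203.0.113.20"         # constructed: a non-targeted server in the same /24
CUST_LOOPBACK = "192.0.2.1"    # constructed: tunnel endpoint address on CUST


class Router:
    """Longest-prefix-match forwarder over a static FIB."""
    def __init__(self, name, routes):
        self.name = name
        self.fib = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.fib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def build_network(diverting, injection):
    """injection: 'routed' (hand the clean packet back to R2), 'next_hop' (deliver straight
    to CUST at layer 2) or 'tunnel' (encapsulate towards CUST's loopback)."""
    r2_routes = [("203.0.113.0/24", "CUST"), (CUST_LOOPBACK + "/32", "CUST")]
    if diverting:
        r2_routes.append((TARGET + "/32", "GUARD"))    # the guard's BGP announcement, seen by R2 only
    routers = {
        "R1": Router("R1", [("203.0.113.0/24", "R2"), (CUST_LOOPBACK + "/32", "R2")]),
        "R2": Router("R2", r2_routes),
        "CUST": Router("CUST", [("203.0.113.0/24", "LAN")]),
    }
    return routers, injection


def trace(network, dst, max_hops=8):
    """Walk one packet from R1 towards the server LAN. Returns (delivered, path)."""
    routers, injection = network
    path, node, outer_dst = ["R1"], "R1", dst    # outer_dst is the header the current node looks at
    while node != "LAN":
        if len(path) > max_hops:
            return False, path                    # still bouncing after max_hops: forwarding loop
        if node == "GUARD":
            if injection == "routed":
                nxt = "R2"                        # R2 matches the /32 again -> back to the guard
            elif injection == "next_hop":
                nxt = "CUST"                      # directly to the next L3 device, no FIB lookup on R2
            else:
                outer_dst, nxt = CUST_LOOPBACK, "R2"   # tunnel: R2 routes on the outer header only
        else:
            nxt = routers[node].next_hop(outer_dst)
            if nxt is None:
                return False, path
        if nxt == "CUST" and outer_dst != dst:
            outer_dst = dst                       # tunnel endpoint decapsulates
        path.append(nxt)
        node = nxt
    return True, path
```

Run `trace(build_network(True, "tunnel"), OTHER)` and the packet never touches the guard, which is the "divert only target's traffic" property: the /32 simply does not match the other server. With `injection="routed"` the cleaned packet re-enters R2, matches the /32 again and ping-pongs; both the direct next-hop delivery and the tunnel avoid this because the lookup that R2 performs no longer hits the diverted prefix.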

Diversion, one example: long distance diversion
[Diagram: target 61.1.1.1]

Filtering bad traffic
• Anti Spoofing
• Anomaly detection
• Performance

Guard Architecture – high level
Data Plane:
  Rate Limiter
  Sampler
  Flex Filter
  Bypass Filter
  Classifier: Static & Dynamic Filters
  Anti-Spoofing Modules
Control & Analysis Plane:
  Analysis: Basic, Strong
  Anomaly Recognition Engine
  Connections & Authenticated Clients
  Policy Database
  Management
Arrows: Insert filters, Drop Packets, AS Replies

Anti spoofing
Unidirectional…

Anti-Spoofing Defense - One example: HTTP
Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
Participants: Source, Guard, Target
  Source -> Guard:  Syn(isn#)
  Guard -> Source:  synack(cky#, isn#+1)
  Source -> Guard:  ack(isn#+1, cky#)
  Source -> Guard:  GET uri
  Guard -> Source:  Redirect to same URI
  Guard <-> Source: fin / fin
1. SYN cookie alg.
2. Redirect rqst
3. Close connection
Client authenticated

RST cookies – how it works
Participants: Source, Guard, Target
  Source -> Guard:  syn(isn#)
  Guard -> Source:  ack(, cky#)   (ack number = cky#)
  Source -> Guard:  rst(cky)
  Client authenticated
  Source -> Guard -> Target: syn(isn#)

Anti-Spoofing Defense - One example: DNS Client-Resolver (over UDP)
Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
Participants: Client, Guard, Target
  Client -> Guard:  Ab.com rqst UDP/53
  Guard -> Client:  Ab.com reply TC=1
  Client -> Guard:  syn
  Guard -> Client:  synack
  Client -> Guard:  ack
  Client -> Guard:  Ab.com rqst TCP/53
  Guard -> Target:  Ab.com rqst
  Target -> Guard -> Client: Reply
  Authenticated IP
  Repeated IP - UDP: Client -> Guard -> Target: Ab.com rqst UDP/53; Reply
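The HTTP and DNS slides share one idea: challenge an unknown source with something only a real stack acts on (a redirect to the same URI, or a DNS reply with TC=1 that makes a resolver retry over TCP), remember the source once it follows up, and forward its later queries untouched. This Python model is an added example, not Riverhead or Cisco code, and it assumes a constructed query for ab.com, that the guard recognises the HTTP follow-up as the same URI from the same source IP (the slide does not say how the follow-up is matched), and that a query arriving over TCP means a handshake was completed with that source.

```python
"""Added example: challenge-based source authentication for HTTP and DNS.

The guard answers the first request from an unknown source with a challenge (an HTTP
redirect to the same URI, or a DNS reply with TC=1). A source that follows up is marked
authenticated; its subsequent queries are forwarded to the target without a challenge.
"""
import struct


def encode_qname(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(qid, name, qtype=1):
    """Constructed DNS query: standard header (RD=1) + one question, class IN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", qtype, 1)


def truncated_reply(query):
    """Echo the query as a reply with QR=1 and TC=1 (RFC 1035 header flags) and no answers."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, flags | 0x8000 | 0x0200, qd, 0, 0, 0) + query[12:]


def is_truncated(reply):
    return bool(struct.unpack("!H", reply[2:4])[0] & 0x0200)


class SourceAuth:
    def __init__(self, under_attack=True):
        self.under_attack = under_attack  # slide: antispoofing only when under attack
        self.authenticated = set()        # source IPs that answered a challenge
        self.pending_http = {}            # src_ip -> URI we redirected it to (assumed matching rule)

    def on_dns_udp(self, src_ip, query):
        if not self.under_attack or src_ip in self.authenticated:
            return ("forward", query)                  # repeated IP: pass to the target
        return ("reply", truncated_reply(query))       # a real resolver retries the query over TCP

    def on_dns_tcp(self, src_ip, query):
        # The query arrived over a completed TCP handshake, so src_ip is not spoofed.
        self.authenticated.add(src_ip)
        return ("forward", query)

    def on_http_get(self, src_ip, uri):
        if not self.under_attack or src_ip in self.authenticated:
            return ("forward", uri)
        if self.pending_http.get(src_ip) == uri:       # it followed the redirect
            self.authenticated.add(src_ip)
            del self.pending_http[src_ip]
            return ("forward", uri)
        self.pending_http[src_ip] = uri
        return ("redirect-and-close", uri)              # 302 to the same URI, then FIN
```

The state kept here is per source IP, not per packet, which is what makes the scheme cheap under a flood: a spoofed source never produces the follow-up, so it never earns an entry, and the TC=1 reply is built by flipping two header bits of the query itself.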

Anomaly Detection Against Non-Spoofed Attacks
• Extensive profiling
  Hundreds of anomaly sensors per victim
  For global, proxies, discovered top sources, typical source, …
• Auto discovery and profiling of services
  Automatically detects HTTP proxies and maintains specific profiles
  Learns individual profiles for top sources, separate from composite profile
• Depth of profiles
  PPS rates
  Ratios, e.g. SYNs to FINs
  Connection counts by status
  Protocol validity, e.g. DNS queries
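To make the profiling bullets concrete, the following Python is an added example, not the Guard's anomaly engine. It assumes constructed one-second samples for one victim, three sensors of the kinds listed on the slide (a PPS rate, a SYN-to-FIN ratio and a half-open connection count), a mean-plus-k-sigma threshold with a floor, and that 198.51.100.9 is a discovered top source (a proxy) with its own profile; the protocol-validity sensor is left out.

```python
"""Added example: per-victim anomaly sensors with composite and per-source profiles.

Learns (mean, sigma) for a few sensors from normal one-second samples and flags a new
sample whose sensor value sits well above the learned profile. A discovered top source
(here a proxy) gets its own profile so its naturally high rate is not reported as an
attack; an unknown source is judged against the composite profile.
"""
from statistics import mean, pstdev

# Constructed learning samples: (source, packets/s, SYNs, FINs, half-open connections).
# "*" is the composite over all sources; 198.51.100.9 is a discovered top source (a proxy).
LEARNING = [
    ("*", 100, 20, 20, 2), ("*", 104, 21, 20, 3), ("*", 108, 20, 19, 4),
    ("*", 112, 22, 21, 3), ("*", 115, 20, 20, 2), ("*", 106, 19, 19, 3),
    ("198.51.100.9", 800, 90, 88, 5), ("198.51.100.9", 810, 92, 91, 6),
    ("198.51.100.9", 815, 95, 94, 5), ("198.51.100.9", 805, 89, 90, 4),
]


def sensors(pps, syn, fin, half_open):
    """The three sensors this toy keeps: a rate, a ratio and a connection count by status."""
    return {"pps": pps, "syn_fin": syn / max(fin, 1), "half_open": half_open}


def learn(samples):
    """Build {source: {sensor: (mean, sigma)}}; '*' is the composite profile."""
    values = {}
    for src, *counters in samples:
        for name, v in sensors(*counters).items():
            values.setdefault(src, {}).setdefault(name, []).append(v)
    return {src: {n: (mean(v), pstdev(v)) for n, v in feats.items()} for src, feats in values.items()}


def anomalies(profiles, src, pps, syn, fin, half_open, k=3.0):
    """Names of sensors above mean + k*sigma in the source's own profile (composite if none)."""
    profile = profiles.get(src, profiles["*"])
    flagged = []
    for name, v in sensors(pps, syn, fin, half_open).items():
        mu, sigma = profile[name]
        threshold = mu + k * max(sigma, 0.1 * mu)   # floor: a very flat baseline must not flag noise
        if v > threshold:
            flagged.append(name)
    return flagged


PROFILES = learn(LEARNING)
```

The same sample (820 packets/s, balanced SYN/FIN) is clean when it comes from the profiled proxy and a PPS anomaly when it comes from an address without its own profile, which is the reason the slide separates top-source profiles from the composite one.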

Performance
• Wire Speed - requirement …
• GigE = 1.48 Million pps…
  Avoid copying
  Avoid interrupt/system call
  Limit number of memory accesses
• PCI bottleneck: DDoS NIC Accelerator

Cosmo board
Replaces the NIC
Handles the data path
Based on Broadcom BCM1250 integrated processor

BCM1250
Budget - ~500 cycles per packet (memory access 90 cycles)
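The 1.48 Mpps figure and the cycle budget are stated without derivation; the following worked equations are added here and are not on the slides. A minimum-size Ethernet frame occupies 64 bytes plus the 8-byte preamble/SFD and the 12-byte inter-frame gap, so on a 1 Gbit/s link

$$
\text{pps}_{\max} = \frac{10^{9}\ \text{bit/s}}{(64 + 8 + 12)\ \text{B} \times 8\ \text{bit/B}} = \frac{10^{9}}{672} \approx 1.488 \times 10^{6}
$$

and with ~500 cycles per packet and a 90-cycle memory access

$$
\left\lfloor \frac{500}{90} \right\rfloor = 5 \ \text{memory accesses per packet at most}, \qquad 500 \times 1.488 \times 10^{6} \approx 7.4 \times 10^{8}\ \text{cycles/s}
$$

is what the BCM1250 has to deliver to keep up at wire speed (its clock rate is not stated on the slides). Five memory accesses is why the list on the Performance slide ends with limiting memory access rather than with CPU work.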

More performance - clustering
[Diagram: ISP Upstream links feed a Load Leveling Router, which spreads traffic over the Riverhead Guards of a Mitigation Cluster; Customer Switches behind them]

Comments: [email protected]
THANK YOU!