Protection On-Demand: Ensuring Resource Availability

111© 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04

Protection On-Demand: Ensuring Resource Availability

Dan Touitou

[email protected]


Agenda

The Growing DDoS Challenge

Existing Solutions

Our Approach

Technical Overview


How do DDoS Attacks Start ?

DNS Email‘Zombie

s’

‘Zombies’

Innocent PCs & Servers turn into

‘Zombies’


The Effects of DDoS Attacks

Server-level DDoS

attacks

Bandwidth-level DDoS

attacks

DNS Email

Infrastructure-level DDoS

attacks

Attack Zombies: Massively distributed Spoof Source IP Use valid protocols


Attacks - examples

• SYN attack

Huge number of crafted spoofed TCP SYN packets

Fills up the “connection queue”

Denial of TCP service

• HTTP attacks

Attackers send a lot of “legitimate” HTTP requests


Existing Solutions


SYN Cookies – how it works

Source Guard

syn(isn#)

ack(isn’#+1)

Target

synack(cky#,isn#+1) WS=0

State createdonly for authenticated connections

State createdonly for authenticated connections

syn(isn#)

synack(isn’#,isn#+1)

ack(cky#+1)

ack(isn#+1) WS<>0

Sequence #adaptation

Sequence #adaptation

statelesspart


Blackholing

Server1 Victim Server2

....

....

R3

R1

R2

R5R4

RR R

1000 1000

FE

peering

100

= Disconnecting the

customer

= Disconnecting the

customer


At the Edge / Firewall/IPS


....

....

R3

R1

R2

R5R4

RR R

1000 1000

FE

peering

100

•Easy to choke

•Point of failure

•Not scalable


At the Backbone


....

....

R3

R1

R2

R5R4

RR R

1000 1000

FE

peering

100

•Throughput

•Point of failure

•Not Scalable


Cisco

Solution


Dynamic Diversion Architecture

Guard XTBGP announcement

Target

1. Detect

2. Activate: Auto/Manual

3. Divert only target’s traffic

Detector XT or Cisco IDS, Arbor Peakflow

Non-targeted servers


Guard XT

Target

Legitimate traffic to target

5. Forward the legitimate

Dynamic Diversion Architecture

Traffic destined to the target

4. Identify and filter the malicious

Non-targeted servers

6. Non targetedtraffic flowsfreely

Detector XT or Cisco IDS, Arbor Peakflow


Technical overview

• Diversion/Injection

• Anti Spoofing

• Anomaly Detection

• Performance Issues


Diversion

How to “steal” traffic without creating loops?


Diversionone example L3 next hop

BGP

Diversion:

announce a longer prefix from the guard no-export and no-advertise community

Injection:

Send directly to the next L3 device


I

S

C ta ys5 0

P r p y S S P w p

tr c s r

RI

C S T S

C S S

Diversion L3 next hop application

Router

Switch

Firewall

Internal network

ISP 1 ISP 2

GEthernet Guard XT

Switch

DNS ServersWeb, Chat, E-mail, etc.

Web console

Guard XT

Riverhead Detector XT

Detector XTTarget

AlertAlert


Diversionone example – Injecting with tunnels

BGPDiversion:

announce a longer prefix from the guard no-export and no-advertise community

Injection:

Send directly to the next L3 device


61.1.1.1

Diversionone example: long distance diversion


Filtering bad traffic

• Anti Spoofing

• Anomaly detection

• Performance


Guard Architecture – high level

RateLimiter

Sam

ple

r

Flex Filter

Bypass Filter

Classifier:Static & Dynamic Filters

Analysis

Basic

Strong

Anomaly Recognition Engine

Connections & Authenticated Clients

Policy Database

Insert filters

Anti-Spoofing Modules

Control & Analysis Plane

Data Plane

Drop Packets

AS Replies

Management


Anti spoofing

Unidirectional…..


Anti-Spoofing Defense- One example: HTTP

Source Guard

Syn(isn#)

ack(isn#+1,cky#)

Target

synack(cky#,isn#+1)Antispoofing only when under attack

• Authenticate source on initial query

• Subsequent queries verified

Antispoofing only when under attack



GET uri

Redirect to same URI

finfin

1. SYN cookie alg.

2. Redirect rqst

3. Close connection

Client authenticated


RST cookies – how it works

Source Guard Target

ack(,cky#)

syn(isn#)

rst(cky)

syn(isn#)

Client authenticated


Ab.com rqst UDP/53

syn

Reply

synackack

Reply

Repeated IP - UDP

Authenticated IP

Client Guard Target







Anti-Spoofing Defense- One example: DNS Client-Resolver (over UDP)

Ab.com rqst UDP/53Ab.com rqst TCP/53

Ab.com reply TC=1


Anomaly DetectionAgainst Non-Spoofed Attacks

• Extensive profiling

Hundreds of anomaly sensors/victim

For global, proxies, discovered top sources, typical source,…

• Auto discovery and profiling of services

Automatically detects HTTP proxies and maintains specific profiles

Learns individual profiles for top sources, separate from composite profile

• Depth of profiles

PPS rates

Ratios eg SYNs to FINs

Connection counts by status

Protocol validity eg DNS queries


Performance

• Wire Speed - requirement …

• GigE = 1.48 Millions pps… Avoid copying

Avoid interrupt/system call

Limit number of memory access

• PCI bottleneck DDoS NIC Accelerator


Cosmo board

Replaces the NIC

Handles the data path

Based on Broadcom BCM1250

integrated processor


BCM1250

Budget - ~500 cycles per packet(memory access 90 cycles)


CustomerSwitches

More performance - clustering

ISP Upstream ISP Upstream

Load LevelingRouter

Riverhead Guards

MitigationCluster


Comments: [email protected]

THANK YOU!

Documents

Protection On-Demand: Ensuring Resource Availability