Upload
dokiet
View
224
Download
0
Embed Size (px)
Citation preview
1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Using Event-Driven SDN for Dynamic DDoS Mitigation
Craig Hill Distinguished SE, US Federal [email protected] CCIE #1628
2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Jason King • Steven Carter
• Chris Hocker
• Tae Hwang
• Jim Kotantoulas
Concept and Content Creators The Cisco Engineering Team:
3 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Virtualization = explosion in Objects
Business Imperative Cost per Object must Agility must Operations must Adapt
Evolving choices in abstraction
Easy Button GUI CLI API
50%+ of outages from mis-config
Speed to activation too slow
Mechanization of logic in CCIE brains
Peering of Controller & Network Element Intelligence
4 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Traditional Control Plane Architecture (Distributed)
• Control plane is tightly coupled to the network device • Minimal application programmability of network devices (CLI, SNMP,
NETCONF) • EX: Cisco Routers, Catalyst L2/L3 switches, Nexus switches, etc…
Application
Distributed Control Plane
Data Plane
Centralized Control Plane
APIs
5 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Control plane is centralized
• Control plane abstracted from the forwarding HW
• Communications channel exists between control plane and forwarding HW (OpenFlow agent on device)
• EX: OpenFlow Model (controller, agent on network element)
Application
Distributed Control Plane
Data Plane
Centralized Control Plane
APIs
SDN Control Plane Architecture (Centralized)
OpenFlow
6 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Hybrid Control Plane Models
Application
Distributed Control Plane
Data Plane
Centralized Control Plane
APIs
Applications
Network Devices: On-Box Control Plane
Centralize When Needed, Default Distributed Control Plane for All Else
Source: ONF Hybrid WG
© 2013 Cisco Systems, Inc. All rights reserved.
Hybrid SDN Model Distributed and Centralized (via controller) Control Plane + Standards Data Plane
Packet Forwarding
Hardware + CP Packet
Forwarding Hardware + CP
Packet Forwarding
Hardware + CP Network Element (Phy, Virt), with Distributed CP + programming capabilities through Southbound API
SDN Control Plane Architecture (Hybrid)
Communication Channel To Network Element
NB API’s
IP/MPLS BGP/OSPF
© 2013 Cisco Systems, Inc. All rights reserved.
Hybrid SDN Model Distributed and Centralized (via controller) Control Plane + Standards Data Plane
Packet Forwarding
Hardware + CP Packet
Forwarding Hardware + CP
Packet Forwarding
Hardware + CP Network Element (Phy, Virt), with Distributed CP + programming capabilities through Southbound API
Controller Operating System controlling specific functions of the network
SDN Control Plane Architecture (Hybrid)
Communication Channel To Network Element
NB API’s
IP/MPLS BGP/OSPF
© 2013 Cisco Systems, Inc. All rights reserved.
Hybrid SDN Model Distributed and Centralized (via controller) Control Plane + Standards Data Plane
“South Bound” control and API
Packet Forwarding
Hardware + CP Packet
Forwarding Hardware + CP
Packet Forwarding
Hardware + CP Network Element (Phy, Virt), with Distributed CP + programming capabilities through Southbound API
Controller Operating System controlling specific functions of the network
SDN Control Plane Architecture (Hybrid)
Communication Channel To Network Element
NETCONF, BGPLS, PCEP, OpenFlow, OVSDB, CLI
NB API’s
IP/MPLS BGP/OSPF
© 2013 Cisco Systems, Inc. All rights reserved.
Hybrid SDN Model Distributed and Centralized (via controller) Control Plane + Standards Data Plane
“South Bound” control and API
Packet Forwarding
Hardware + CP Packet
Forwarding Hardware + CP
Packet Forwarding
Hardware + CP Network Element (Phy, Virt), with Distributed CP + programming capabilities through Southbound API
Controller Operating System controlling specific functions of the network
“North Bound” control and API
App App App App Applications layered on top
SDN Control Plane Architecture (Hybrid)
Communication Channel To Network Element
NETCONF, BGPLS, PCEP, OpenFlow, OVSDB, CLI
(AAA – Auth) REST NB API’s
IP/MPLS BGP/OSPF
11 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Programmability: Network Automation Interfaces
Application Frameworks, Management Systems, Controllers, ...
Device
Forwarding
Control
NetworkServices
Orchestra8on
Management
…
…
OpenFlow
OpenFlow
Opera8ngSystems–IOS/NX-OS/IOS-XRAPI(OnePK)andDataModels(YANG)
OpenStack PuppetOnePK C/Java
Puppet
Neutron
Protocols
“Protocols”BGP,PCEP,...
Python NETCONF REST ACIFabric
OpFlex
NetworkDevicePlug-Ins
RESTful
YANG XML/JSON
© 2013 Cisco Systems, Inc. All rights reserved.
Hybrid SDN Model What Are Examples These Applications?
App App App App Applications layered on top
SDN Control Plane Architecture (Hybrid)
Communication Channel To Network Element
NB API’s
IP/MPLS BGP/OSPF
• WAN Automation Application • QoS, Plug n Play, PathTrace • OpenFlow, NETCONF, BGPLS, config tool • Cloud Platform API’s (OpenStack Neutron) • Integrated Services Engine (ISE) • 3rd party developed interfacing to “published” REST
API’s • Eco-System Applications – Splunk, Lancope, LiveAction • Orchestration engines (Tail-f)
16 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy (Application + Network + Security)
Expose Network Intelligence – Bi-Directionally
Services Orchestration
(Traffic Steering, Blocking)
Analytics (Splunk)
Applications (Splunk)
Network
Workflow and Intent
Programmability
Network Intelligence, Guidance
Statistics, States, Objects and Events
Harvest Network Intelligence, Telemetry,
and Events
Program for Blocking and Steering of Traffic
to End-points
Analyze data and response with “action”
17 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Event-Driven SDN - Solution Overview
18 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
• “Event Driven” = no operator intervention to react to a vulnerability
• Leverage the automation, programmability, and open API’s to simplify a multi-system and multi-operator process in the network
• Leverage open source and open standard across the system
• Trigger system automation based on “events” in the application (Splunk)
• Leverage customers existing investment application (Splunk in this case)
• Target other 3rd party solutions/partners to leverage similar components (ODL, routers, switches)
• Options to leverage “other” protocols and SDN agents that exist
• Designers can tailor the system to their specific IA requirements
Event-Driven SDN for DDoS - Concept
20 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
SDN DDoS Reference Implementation
Nexus 3K
Internet2/AL2SCommodityInternet
DMZ
SecureCorporateNetworks
High-ThroughputScienceNetworks
BGPNullRoutes
Ac8veBlocking
DTNCompute
FlowNo8fica8on
• Event Correlation • Log Storage • Auditing • Analysis
NextGenera=onFirewall• Commodity:In-Line• Internet2:In-LineorOOB
w/Steering
CampusCorporateDC ExternalServices
ASR 1K ASR 9K
Nexus 9K
ASA 5585
BGP
Open DayLight Controller
REST API
21 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Open platform for SDN app development
Single Northbound REST Interface
Multiple Southbound Interfaces
Cisco Open SDN Controller
23 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Splunk? • Software for searching, monitoring, and analyzing
machine-generated big data, via a web-style interface.
• Splunk captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.
• Actions from these searches allow a variation of programmability to open API’s and other correlation engines, as well as SDN controllers
Splunk as an SDN Application
25 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Event-Driven SDN DDoS Mitigation – Solution Overview
• Blocking and steering are the two main functions needed for this solution
• Splunk uses data flow notification from Globus to inform OSC to steer the “elephant flow” around the IDS
• OSC sends commands to the N3K to bypass the IDS via OpenFlow
• Splunk uses events from security devices to inform OSC to block bad source IP addresses
• OSC sends commands to the ASR9K via netconf to block bad IP addresses using RTBH
SourceFire
OSC Block
Mirrored Traffic
Spl
unk
Alerts
REST N3K “Tap”
WAN
Globus Data Flow Notification
ASR 9K
Steer
26 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
OoB IDS with Active Steering and DDoS Blocking
• #1: non FTP traffic – sends all non-FTP traffic to the IDS. • All “non-FTP” traffic is steered to the IDS
(controlled via OpenFlow) • The IDS then sends its anomaly detection
messages to Splunk. • When certain anomaly’s are detected,
Splunk triggers an action to be taken to start blocking traffic (REST call to OSC via a Python script)
• OSC sends these requests to the ASR9K router, to block specific source “IP addresses” that need to be blocked from transmission
• (in this case, OSC uses NETCONF to send these specific IP addresses and requests to the ASR9K router)
SourceFire
OSC Block
Mirrored Traffic
Spl
unk
Alerts
REST N3K “Tap”
WAN
Globus
ASR 9K
Steer
30 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
FTP Steering for IDS Bypass
• #2: FTP events from Globus – in this case, flow source/destination are sent to Splunk (uses Globus data flow notification) upon FTP transfer initiation • Globus sends Splunk a basic 5-tuple of these
flows (dest/src IP, prot #, src/dest prot #) • Splunk calls the OSC controller, requesting the
source/destination IP address of the FTP flow be programmed into the Nexus 3K, with a source/destination and output port (OpenFlow format)
• The Nexus 3K prioritizes these flows via OF, by giving them a priority of 200 (overriding the current 100 priority programmed for the other flows
• So, in this case, OF is active, and it dictates what traffic goes to IDS, vs. bypass IDS.
OSC
Spl
unk
REST N3K “Tap”
WAN
Globus Data Flow Notification
ASR 9K
Steer
SourceFire
Mirrored Traffic Alerts
37 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
!
Flow start notification: Jun 10 10:53:43 localhost splunk_odl_action: log_level=INFO, action=start, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200!!
Flows added to Nexus 3000: Flow: 4! Match: tcp,in_port=54,nw_src=199.66.189.10,nw_dst=128.55.29.41,tp_src=50368,tp_dst=42600 ! Actions: output:52!
Priority: 200!!
Flow: 5! Match: tcp,in_port=52,nw_src=128.55.29.41,nw_dst=199.66.189.10,tp_src=42600,tp_dst=50368 ! Actions: output:54!
Priority: 200!
Flow stop notification: Jun 10 10:54:51 localhost splunk_odl_action: log_level=INFO, action=stop, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200!
OpenFlow Data Flow Steering Example
38 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Static routes added by COSC through Netconf on ASR 9000: router static!
address-family ipv4 unicast!
1.0.184.115/32 Null0 tag 666!
1.161.169.139/32 Null0 tag 666!
2.25.74.127/32 Null0 tag 666!
2.50.153.67/32 Null0 tag 666!
12.197.32.116/32 Null0 tag 666!
!
Export the Null routes setting next-hop to black hole IP: route-policy as-11017-out!
if tag is 666 then!
set next-hop 192.0.2.1!
set community (no-export) additive!
pass!
else!
pass!
endif!
end-policy!
Enable uRPF on WAN interface on ASR 9000: ipv4 verify unicast source reachable-via any allow-default!
Route Black Hole IP to NULL 0 on other border routers:
ip route 192.0.2.1 255.255.255.255 Null0!
Enable uRPF on WAN interface on ASR 1000: ip verify unicast source reachable-via any!
Remotely Triggered Black Hole Routing
46 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Leverage the automation, programmability, and open API’s to simplify a multi-system and multi-operator DDoS mitigation solution
• Leverage open source and open standard across to create an “Event Driven” system
• Leverage COTS applications, with API’s, to mix a variation of components using SDN
• Target other 3rd party solutions/partners to leverage similar components (OSC, routers, switches)
• Network designers and Security operations teams can leverage specific applications tailored to their environment and IA requirements
Summary
47 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank You