Post on 23-Dec-2015
DDoS Mitigation for ISP subscribers
Rajaram Pejaver
November 23, 2010
De-DDoS
November 23, 2010 © Rajaram Pejaver 2
Agenda
• An introduction to DDoS
• Solution Architecture
• Operation
  – Configuration and Provisioning
  – Mitigation Operation
  – Tear down
• Simple Questions™
• Product positioning
• Conclusions
Introduction to DDoS
• History & Motivation
• DDoS attack structure
Architecture - 1: Before Mitigation
(Diagram; only its labels survive extraction, listed here.)
• Hosts: Attacked Site, Attacking Hosts, Legitimate Host
• Network elements: ISP Infrastructure Routers, ISP Peering points, Last hop router
• Traffic classes: Attack traffic, Good traffic, Unrelated traffic
Architecture - 2: During Mitigation
(Diagram; only its labels survive extraction, listed here.)
• Hosts: Attacked Site, Attacking Hosts, Legitimate Host, Mitigation Service
• Traffic classes: Attack traffic, Good traffic, Unrelated traffic
• Diverted Attack traffic (to the Mitigation Service)
• Tunnel: Good traffic inside Tunnel, GRE De-encapsulation
Configuration & Provisioning
(Flowchart; steps in order.)
1: START: DDoS Attack Observed
2: Engage Mitigation Service (Contract Terms)
3: Configure Mitigation Service. Configuration data:
  – IP address
  – Service ports
  – Welcome banner
  – Initial WhiteList
  – SSL certs
4: Setup GRE Tunnel
5: Update Routing tables
6: Mitigation Service Started
Mitigation Operation - 1
• What happens at the Mitigation Service?
• Mega service accepts ALL incoming connections. Consists of a cluster of powerful servers, load balanced.
• Responds to every HTTP request with a query. Humans can easily recognize and answer the query. Computer programs can’t.
• IP addresses of correct responders are White Listed. White Listed traffic is forwarded to subscriber via tunnel.
• Statistical sharing of Mitigation Service.
  – Only a few subscribers will be under attack at any one time.
  – Service needs to handle only a few simultaneous attacks.
  – Capital costs are spread over entire subscriber base.
Mitigation Operation - 2
Processing State Machine (inbound packets)
• Source IP in WhiteList?
  – Yes: Forward good packet to Tunnel.
  – No: continue.
• New Connection request?
  – Yes: Add to connection table; Send connection response.
  – No: continue.
• Already in Connection table?
  – No: Discard packet.
  – Yes: run the connection through the steps below.
1: Accept Connection
2: Setup SSL (if required)
3: Accept HTTP GET
4: Respond with query
5: Receive query response
• Correct response?
  – Yes: Send HTTP Redirect; Add IP address to WhiteList; Remove from connection table.
  – No: Disconnect.
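As an added example that is not part of the deck, the per-packet decision logic of the state machine above as a small Python simulation: the question bank, the IP addresses and the packet kinds (SYN, GET, ANSWER) are constructed for this example, and the SSL setup step is omitted.

```python
import itertools
from dataclasses import dataclass, field

# Constructed question bank in the style of the deck's "Simple Questions".
QUESTIONS = {
    "Which letter follows D in the alphabet?": "E",
    "How much is five plus two?": "7",
}

@dataclass
class MitigationService:
    """Per-packet decision logic for one protected subscriber (SSL setup omitted)."""
    whitelist: set = field(default_factory=set)       # initial WhiteList from provisioning
    connections: dict = field(default_factory=dict)   # src_ip -> pending question (or None)
    tunnel: list = field(default_factory=list)        # packets forwarded via the GRE tunnel
    bank: object = field(default_factory=lambda: itertools.cycle(QUESTIONS))

    def handle(self, src_ip: str, kind: str, payload: str = "") -> str:
        """Process one inbound packet and return the action taken."""
        # WhiteListed sources bypass the challenge and go straight to the tunnel.
        if src_ip in self.whitelist:
            self.tunnel.append((src_ip, kind, payload))
            return "forward"
        # New connection request: accept it and record it in the connection table.
        if kind == "SYN":
            self.connections[src_ip] = None
            return "connection-response"
        # Anything else from a source with no connection entry is dropped.
        if src_ip not in self.connections:
            return "discard"
        # HTTP GET on an accepted connection is answered with a Simple Question.
        if kind == "GET":
            self.connections[src_ip] = next(self.bank)
            return "query"
        # Query response: correct -> WhiteList + redirect; wrong -> disconnect.
        if kind == "ANSWER":
            question = self.connections.pop(src_ip)
            if question and payload.strip().upper() == QUESTIONS[question]:
                self.whitelist.add(src_ip)
                return "redirect"
            return "disconnect"
        return "discard"

if __name__ == "__main__":
    svc = MitigationService(whitelist={"203.0.113.5"})   # constructed addresses
    print(svc.handle("203.0.113.5", "GET", "/"))          # forward
    svc.handle("198.51.100.9", "SYN")
    svc.handle("198.51.100.9", "GET", "/")
    print(svc.handle("198.51.100.9", "ANSWER", "e"))      # redirect
```

Once a source answers correctly it is never challenged again, so the per-IP WhiteList is what lets later packets (and a resumed attack's legitimate users) skip the query.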
Tear Down
• Ending Mitigation Service is easy.
• Just restore normal routing to the subscriber’s IP address.
• GRE tunnel can be left up for a bit (useful if attack resumes.)
• Final billing and usage statistics can include:
  – Mitigation duration, start & end times.
  – Connections permitted through & blocked.
  – Total packets (& bytes) permitted through & blocked.
  – Traffic rates to subscriber, before and during mitigation.
  – Final White List (useful if attack resumes.)
  – Geographic distribution of blocked IP addresses.
Simple Questions
• Represents an improvement over CAPTCHA.
  – “Which letter follows D in the alphabet?” → E
  – “How much is five plus two?” → 7
• CAPTCHA needs: Character recognition.
• Simple Questions needs: Character recognition. Sentence parsing. Semantic understanding. Common sense for response.
• Video nuCAPTCHA increases Bot work load.
Product Placement
• Current products for DDoS infected subscribers:
  – Constant Guard: List based infection notification.
  – AUPM: Acceptable use traffic monitoring.
  Both limit damage done by infected subscribers.
• Proposal protects uninfected subscribers from attacks from everywhere around the world.
• Premium service – for a fee.
• Subscription or on-demand models.
• Product differentiator from other ISPs.
• Can be advertised as a “must have” for businesses.
Conclusions
• A new & unique method of DDoS Mitigation.
• Distinguishes between Attack & Valid traffic. Acceptable to human users. Very reliable; very low false positive rates.
• Revenue Generator.
• Product Differentiator.
• A “must have” for today.
• Possible patentable idea.
• Questions?