Transcript of: Cisco SDN 3.0 DDoS (Cisco Systems, 2008 slide deck)
Page 2
Cisco SDN 3.0 DDoS
DDoS
Cisco DDoS
Real Demo
© 2008 Cisco Systems, Inc. All rights reserved. 2
Page 3
Cisco SDN 3.0 DDoS
Page 4
Cisco SDN (Self Defending Network)
Integrated, Adaptive, Collaborative
Cisco Self Defending Network
Page 5
Cisco SDN 3.0 DDoS
Network Security
DDoS
Cisco Guard&Detector
Page 6
DDoS
Page 7
DDoS 1
Changed
Page 8
DDoS 2
/ IT
/ UDP Traffic ( ) TCP Connection
2006 2H
2007 1H
2007 2H
2008 1H
TCP Connection
IT
./ TCP
(TCP/UDP/ICMP/IGMP)
Page 9
DDoS
Page 10
DDoS
Page 11
DDoS ?
DDoS: Router & Switch Access-List
DDoS: Router & Switch Blackhole Routing
Firewall & IPS: Foundation Security
L7 Switch & Web: Syn Cookie Proxy
Protection
Page 12
ACL
(UDP, ICMP)
Manual ACL entry
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
………………..
Affects the entire subnet
Null Routing …
Committed to Being a Key Partner in Saudi Arabia's Transformation into a Connected Kingdom
Page 13
Black hole & Sink hole routing
Routing
Blackhole Routing
ISP / IDC
Traffic
Major
Blackhole Trigger
Page 14
Firewall / IPS
/IPS
(DDoS + IPS)
DDoS
H.W / S.W
(High CPU: 90~99%)
Page 15
L7 Switch / Web
DNS
Proxy IP
Core Router
TCP Syn
Backbone
L7 Switch
Server S.W
Web
UDP / TCP Outgoing
DDoS
Page 16
Cisco Guard&Detector DDoS
Internet
Guard
4
Core Router
5 MVP
6
Backbone Switch
Host IP 3
Switch
Detector 1
2
Network
Page 17
Cisco Guard/Detector
Guard / Detector
- Out Of Path
- 16G
- Active/Active
TCP/UDP/ICMP/DNS/SIP << Cisco Guard/Detector >>
Page 18
Cisco Guard/Detector DDoS
Flood Attacks: TCP, UDP, ICMP; SYN Flood; UDP Flood; FIN, SYN/ACK Flood; Ping Flood; Smurf Flood; Combined UDP/TCP/ICMP
Fragmentation Attacks: IP/UDP, IP/ICMP, IP/TCP
HTTP Attacks: Connection Flood (Client attack); http errors 404 etc.; http half connections
BGP Attacks; DNS Attacks; SIP Attack
Page 19
Cisco Guard/Detector TCP
Client (Source) -> Guard (Scrubber) -> Zone (Destination)
1. IP 192.2.3.4: Authenticated? NO -> Generate Unique Cookie for IP 192.2.3.4
2. Check whether the cookie is valid -> Authenticate IP 192.2.3.4
3. IP 192.2.3.4: Authenticated? YES
© 2008 Cisco Systems, Inc. All rights reserved. 19
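The cookie exchange on this slide, as an added Python model that is not Cisco's code: the Guard challenges an unauthenticated source with a per-IP cookie, authenticates the IP only when that cookie comes back valid, and forwards nothing to the zone before then, so forged sources that never answer cost the zone nothing. The HMAC construction, the 60-second time slot and the simulated addresses are assumptions.

```python
import hashlib
import hmac


class Guard:
    """Guard (scrubber) in front of a zone, an assumed model of the slide's flow."""

    def __init__(self, secret, slot_seconds=60):
        self.secret = secret
        self.slot_seconds = slot_seconds
        self.authenticated = set()
        self.forwarded = []          # (src_ip, kind) actually delivered to the zone

    def _cookie(self, src_ip, slot):
        # Unique per source IP and time slot, unguessable without the Guard's secret.
        mac = hmac.new(self.secret, f"{src_ip}|{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src_ip, now):
        """'Authenticated? NO' -> answer a SYN-ACK whose sequence number is the cookie
        (the zone sees nothing).  'YES' -> forward the SYN to the zone."""
        if src_ip in self.authenticated:
            self.forwarded.append((src_ip, "SYN"))
            return "forward", None
        return "synack", self._cookie(src_ip, int(now // self.slot_seconds))

    def on_ack(self, src_ip, ack_num, now):
        """Check whether the cookie is valid (current or previous slot); if so, authenticate
        the IP.  A spoofed source never saw the SYN-ACK, so it cannot send cookie + 1."""
        slot = int(now // self.slot_seconds)
        for s in (slot, slot - 1):
            if ack_num == (self._cookie(src_ip, s) + 1) & 0xFFFFFFFF:
                self.authenticated.add(src_ip)
                return True
        return False


def simulate(secret=b"constructed-demo-secret"):
    """Constructed scenario: one real client completes the exchange, a flood of
    SYNs from 1000 forged sources never answers and is never forwarded."""
    g = Guard(secret)
    t = 1_700_000_000.0
    kind, cookie = g.on_syn("192.2.3.4", t)                     # real client: challenged
    real_ok = kind == "synack" and g.on_ack("192.2.3.4", (cookie + 1) & 0xFFFFFFFF, t + 1)
    forged_ok = g.on_ack("10.9.9.9", 12345, t + 1)              # guessed cookie: rejected
    for i in range(1000):                                       # spoofed flood, no ACKs
        g.on_syn("10.0.%d.%d" % (i // 256, i % 256), t + 2)
    g.on_syn("192.2.3.4", t + 3)                                # now authenticated: forwarded
    return {"real_authenticated": real_ok, "forged_accepted": forged_ok,
            "authenticated_count": len(g.authenticated), "zone_received": g.forwarded}
```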
Page 20
Cisco Guard/Detector (ADM | AGM)
Type: Service Module | Service Module
Physical Port: 7600/6500 Channel | 7600/6500 Channel
10 / Static(RHI) | 10 / Static(RHI)
Performance: 2Gbps / 3Gbps
Clustering: 16Gbps
Zone: 500 Zone | 500 Zone
50 Zone
Zombie: x 10
x 1ms
Page 21
Real Case #1
Game item trading sites were hit by a 'DDoS attack tool'
It has been revealed that the server outages at major game item trading websites, which had been unable to provide normal service since last month because of DDoS attacks on their servers, were caused by an unidentified 'DDoS attack tool'.
Chosun Ilbo, 2007.10.15
The top two game item trading sites adopted the Cisco Guard/Detector solution
UDP/TCP DDoS attacks blocked from 2007.12 to the present
Game item trading sites resumed normal service!!!
Page 22
Real Case #2
"Pay up if you want to keep your service running"
According to industry sources on the 14th, DDoS attacks originating from China and targeting small and mid-sized domestic sites are rampant. The attackers reportedly launch DDoS attacks against these sites to paralyze their services, then e-mail the administrators threatening to shut the service down entirely unless they transfer anywhere from several million to tens of millions of won.
Money Today, 2007.02.11
A major domestic file-sharing site deployed the Cisco Guard/Detector solution
Blocked connection-oriented attacks on TCP port 80 and various other attacks
File-sharing service resumed normal operation!!!
Page 23
Real Case #3
Internet
Guard
Core Router
Guard Hijacking
Router Injection
Backbone Switch
Automatic notification when an attack occurs
Firewall
Passive Monitoring
Detector
Server Farm Switch
Page 24
Real Case #4 IDC Mgmd SVC
Internet
Clean Zone
Dist S.W
Core Backbone
Subscriber Network
Guard & Detector Cluster
Subscriber Network
Subscriber Network
Page 25
Real Case #4 IDC Mgmd SVC
Internet
Core Backbone
Dist S.W
Subscriber Network
Subscriber Network
Clean Pipe System: ACE, ACE
Guard Cluster
Detector Cluster
Page 26
Real Case #7 ISP Mgmd SVC
International GW / Other ISP
Peer Router, Peer Router
Guard Cluster
Core Router
POP Router / Subscriber Detector
Enterprise line / Premium enterprise line
Page 27
Why Cisco Guard&Detector…
DDoS
16G
TCP / UDP
DNS / SIP
Active/Active
Out of Path Routing
DNS, SIP
DDoS ….
Page 28
DDoS
Page 29
Demo Topology
Internet / Botnet zombie PCs
Guard
Core Router
Guard Hijacking
Router Injection
Backbone Switch
Automatic notification when an attack occurs
Firewall
Passive Monitoring
Detector
Server Farm Switch
www.ciscofashion.com shopping mall
Page 30
Cisco Guard & Detector DDoS
Page 31