Cisco DDoS Mitigation Service Provider Solutions

© 2005 Cisco Systems, Inc. All rights reserved.
February 15, 2005



Executive Summary

• Detects AND MITIGATES the broadest range of distributed denial of service (DDoS) attacks

• With the granularity and accuracy to ENSURE BUSINESS CONTINUITY by forwarding legitimate transactions

• Delivering the performance and architecture suitable for the LARGEST ENTERPRISES AND PROVIDERS

• Addresses DDoS attacks today, and its network-based behavioral anomaly capability will be extended to additional threats


THE DDoS PROBLEM


Attack Evolution
Stronger and More Widespread

[Figure: scale of attacks plotted against sophistication of attacks, across three phases: Past, Present, Emerging]

• Nonessential protocols (e.g., ICMP); 100s of sources; 10K packets/second
• Two scaling dimensions: millions of packets/second; 100Ks zombies
• Essential protocols; spoofed; 10K zombies; 100K packets/second; compound and morphing

Figure labels: potentially random, targeted economic, publicity driven; mainstream corporations, high-profile targets, niche targets


“Much larger attack network than anything before. This horsepower could take down thousands of big sites…at the same time, and keep them down for quite a while.”

“MyDoom Taste of Viruses to Come, Says Security Analyst,” Reuters, February 3, 2004


Security Challenges: The Cost of Threats
Dollar Amount of Loss by Type of Attack (CSI/FBI 2004 Survey)

• Sabotage: $871,000
• System Penetration: $901,500
• Web Site Defacement: $958,100
• Misuse of Public Web Application: $2,747,000
• Telecom Fraud: $3,997,500
• Unauthorized Access: $4,278,205
• Laptop Theft: $6,734,500
• Financial Fraud: $7,670,500
• Abuse of Wireless Network: $10,159,250
• Insider Net Abuse: $10,601,055
• Theft of Proprietary Info: $11,460,000
• Denial of Service: $26,064,050

Total Losses for 2004—$141,496,560
2004: 269 Respondents
Source: Computer Security Institute, 2004 CSI/FBI Computer Crime and Security Survey


“E-biz Sites Hit With Targeted Attacks”

“16% of the attacks against e-commerce sites were identified as targeted. Last year, only 4% were aimed at specific sites.”

• ComputerWorld, September 27, 2004

“Extortion schemes that use attacks like the one against Authorize.Net are becoming more common . . . definitely targeted, ransom-type attacks, and there's going to be a lot more of them.”

• John Pescatore, Gartner Inc., ComputerWorld, September 27, 2004


DDoS Is a Business Issue
Impacts Revenue and Customer Retention

Not just downtime:
• Lost customers
• Damaged reputations
• Contractual liabilities

Online payment system badly disrupted for three days by malicious DDoS attack. Worldpay’s rivals attempted to poach online retail customers during the attack by offering “emergency services”


SOLUTION OVERVIEW


DDoS Protection
Cisco Service Modules, FCS 1QCY05

Cisco Traffic Anomaly Detector Module
• Attack DETECTION to support on-demand, shared scrubbing
• Monitors COPY OF TRAFFIC

Cisco Anomaly Guard Module
• Attack ANALYSIS AND MITIGATION
• Diverts traffic flows for ON-DEMAND SCRUBBING


Cisco DDoS Product Family

• DDoS Mitigation: Cisco Guard XT 5650; Cisco Anomaly Guard Module
• DDoS Detection: Cisco Traffic Anomaly Detector XT 5600; Cisco Traffic Anomaly Detector Module

Maximum deployment flexibility. Similar functionality and performance. Interoperable for mixed deployments.


DDoS Protection
Cisco Service Modules (cont.)

• Guard/Detector MVP-OS Release 4.0
• Single-slot modules for Cisco Catalyst® 6500 Switch and 7600 Router
• Interfaces via backplane—no external ports
• Gigabit performance—future licensed upgrade to multigigabit supported
• Native Cisco IOS® 12.2(18)SXD3
• Multiple Guards and Detectors per chassis and single-destination IP/zone
• CLI, Web GUI, and SNMP management


Integrated Services Benefits

• High-Performance Intelligent Network
• Deployment Flexibility
• Lower Cost of Operations
• Scalability
• Infrastructure and Services Integration
• Reliability and High Availability


Layer 4–7 Services Modules Family

• IDSM-2 Module
• CSM Module
• NAM-1 and NAM-2 Module
• Firewall Module
• VPN Module
• SSL Module
• Cisco Traffic Anomaly Detector Module
• Cisco Anomaly Guard Module


Flexible Deployment Options

Integrated system:

• Fits existing switch/routing infrastructure with other services
• Utilizes available slots—no interface ports or rack space
• Ideal for data center deployments of 1–3 modules
• Intrachassis diversion

[Diagram labels: Guard Module, Detector Module]


Flexible Deployment Options (cont.)

Dedicated system:

• New chassis dedicated to DDoS
• Supports large range of flexible I/O
• Ideal for high-capacity deployments (4+ modules) with supervisor for load leveling
• External diversion via Cisco IOS® supervisor routing

[Diagram label: Anomaly Guard Modules]


Key Features

DIVERSION ARCHITECTURE

MULTISTAGE VERIFICATION PROCESS


DIVERSION ARCHITECTURE


Dynamic Diversion At Work

Diagram elements:
• Protected Zone 1: Web
• Protected Zone 2: Name Servers
• Protected Zone 3: E-Commerce Application
• Cisco Traffic Anomaly Detector Module (or Cisco IDS or third-party system)
• Cisco Anomaly Guard Module
• Target

Steps:
1. Detect
2. Activate: Auto/Manual
3. Divert only target’s traffic
   Route update: RHI internal, or BGP/other external
4. Identify and filter malicious traffic (traffic destined to the target)
5. Forward legitimate traffic (legitimate traffic to target)
6. Non-targeted traffic flows freely

Routing table during diversion:

O 192.168.3.0/24 [110/2] via 10.0.0.3, 2d11h, GigabitEthernet2
B 192.168.3.128/32 [20/0] via 10.0.0.2, 00:00:01

192.168.3.128 = zone
10.0.0.2 = Guard


Cisco Catalyst Service Module: Solution Overview

[Diagram of a Cat6K/7600 chassis. Labeled elements:]
• Supervisor Engine 2 or 720
• Switch Fabric
• Line Card Modules
• Anomaly Guard Module
• Traffic Anomaly Detector Module
• Firewall Service Module
• Internal Network

Flow labels: Alert; Dynamic route diversion


Cisco Catalyst Service Module (cont.)

• Maintains “on-demand” scrubbing model
  - Internal to chassis from Supervisor to Guard
  - Uses Route Health Injection protocol

• Supports dedicated “appliance” mode
  - Suitable for cluster
  - Supervisor redistributes route update

• Cisco Catalyst® 6K/7600 Router benefits:
  - IOS routing: extensive protocol and tunneling support and familiar CLI
  - Extensive interfaces including fiber OC/STM
  - Control Plane Policing for DDoS hardening


Anomaly Guard Module Packet Flow
Supervisor 2/SFM or Supervisor 720

[Diagram with numbered steps 1–5. Labeled elements: Supervisor 2 or Supervisor 720 (R(x)000 CPU, Routing Table, Master FIB Table); Cisco Catalyst® 6000 32 Gbps bus; Crossbar Fabric; Input Line Card; Output Line Card; Medusa; Anomaly Guard Module]


MULTISTAGE VERIFICATION PROCESS


Multiverification Process (MVP)
Integrated Defenses in the Guard

Input: Legitimate + Attack Traffic to Target
Output: Legitimate Traffic

Defense modules:
• Active Verification
• Statistical Analysis
• Layer 7 Analysis
• Rate Limiting
• Dynamic and Static Filters

What the modules do:
• Detect anomalous behavior and identify precise attack flows and sources
• Apply antispoofing to block malicious flows
• Dynamically insert specific filters to block attack flows and sources
• Apply rate limits


Intelligent Countermeasures

DETECTION
• Passive copy of traffic monitoring

ANALYSIS
• Diversion for more granular inline analysis
• Flex filters, static filters, and bypass in operation
• All flows forwarded but analyzed for anomalies

BASIC PROTECTION
• Basic antispoofing applied
• Analysis for continuing anomalies

STRONG PROTECTION
• Strong antispoofing (proxy) if needed
• Dynamic filtering of zombie sources

LEARNING
• Periodic observation of patterns to automatically update baseline profiles

Transition labels in the diagram: Attack Detected; Anomaly Verified; Anomaly Sources Identified

Benefits:
• Accuracy
• Maximized performance
• Maximum transparency
• Automated response


High Performance and Capacity

• 1 MPPS+ most attacks, good and bad traffic, typical features

• 150 K DYNAMIC FILTERS for zombie attacks

• CLUSTERING TO 8 GUARDS for single protected host

• Capacity
  - 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector) and 500 total
  - 1.5 million concurrent connections

• Latency or jitter: < 1 MSEC


Anomaly Recognition and Active Verification Features (cont.)

Anomaly Recognition:
• Extensive profiling of individual flows
  - From individual src-IPs and src-nets to dst-IPs/ports by protocol

• Depth of profiles
  - Packets, SYNs and requests, fragments as well as ratios
  - Connections by status, authentication status and protocol-specific data…

• Default normal baselines with auto-learning on site
  - Baselines for typical as well as top sources and proxies


Anomaly Recognition and Active Verification Features (cont.)

Active Verification/Antispoofing:
• Broad application support
  - TCP and UDP applications, including HTTP, HTTPS, SMTP, IRC, DNS and commercial and custom applications

• Authenticates
  - SYNs, SYNACKs, FINs, regular TCP packets, DNS requests and replies and more…


Antispoofing Defenses
Example: Basic Level for HTTP Protocol

[Sequence diagram between Source, Guard and Target]

1. Source to Guard: Syn(c#)
2. Guard to Source: synack(c#,s#), with s# taken from Hash-function(SrcIP,port,t)
3. Source to Guard: ack(c#,s#); the Guard checks that s# = Hash-function(SrcIP,port,t) for this SrcIP, port#
4. Guard to Source: Redirect(c#,s#)
5. Verified connections, Source to Target: Syn(c#’)
6. Target to Source: Synack(c#’,s#’)
7. Source to Target: request(c#’,s#’)

• Antispoofing only when under attack
• Authenticate source on initial query
• State kept only for legitimate sources
• Subsequent queries verified
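The exchange on this slide, modelled as an added example (not Cisco's code or algorithm): a Guard that derives s# from a keyed hash of (SrcIP, port, t), stores nothing until the returning ack proves the source address is real, and only then records the source as verified. The `Guard` class, the HMAC-SHA256 construction, the 60-second time slot and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # assumption: secret known only to the Guard
SLOT_SECONDS = 60                     # assumption: width of the time slot t
MASK32 = 0xFFFFFFFF


def cookie(src_ip: str, src_port: int, slot: int) -> int:
    """s# = Hash-function(SrcIP, port, t), truncated to a 32-bit sequence number."""
    msg = f"{src_ip}|{src_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


class Guard:
    def __init__(self):
        # "State kept only for legitimate sources": filled only after a valid ack.
        self.verified = set()

    def on_syn(self, src_ip, src_port, c_seq, now):
        """Answer Syn(c#) with synack(c#, s#) without storing anything."""
        s_seq = cookie(src_ip, src_port, int(now) // SLOT_SECONDS)
        return {"type": "synack", "ack": (c_seq + 1) & MASK32, "seq": s_seq}

    def on_ack(self, src_ip, src_port, ack_no, now):
        """Recompute the hash and compare it with the number the source echoed.

        In TCP the ack number is s# + 1; the slide abbreviates this as ack(c#, s#).
        The current and previous slot are accepted so a reply that crosses a slot
        boundary still verifies.
        """
        slot = int(now) // SLOT_SECONDS
        got = (ack_no & MASK32).to_bytes(4, "big")
        for s in (slot, slot - 1):
            expected = ((cookie(src_ip, src_port, s) + 1) & MASK32).to_bytes(4, "big")
            if hmac.compare_digest(expected, got):
                self.verified.add(src_ip)
                return "redirect"      # source is told to reconnect (Redirect on the slide)
        return "drop"

    def on_new_syn(self, src_ip):
        """Syn(c#') from a verified source goes to the target; others are challenged."""
        return "forward" if src_ip in self.verified else "challenge"


def spoofed_flood(guard, count, now):
    """Constructed flood: SYNs from forged addresses that never answer the synack.

    Returns the number of sources the Guard holds state for afterwards.
    """
    for i in range(count):
        guard.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, i, now)
    return len(guard.verified)


if __name__ == "__main__":
    g = Guard()
    print("state after 10,000 spoofed SYNs:", spoofed_flood(g, 10_000, 1000.0))
    synack = g.on_syn("198.51.100.7", 40000, 1000, 1000.0)
    print("real client ack ->", g.on_ack("198.51.100.7", 40000, synack["seq"] + 1, 1010.0))
    print("second connection ->", g.on_new_syn("198.51.100.7"))
```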


Broadest Attack Protection

• Random spoofed attacks (e.g., SYN)
  - Removes spoofed flows that evade statistical identification

• Focused spoofing of a good source (e.g., AOL proxy)
  - Distinguishes good vs. bad flows with same src-IP for selective blocking

• Nonspoofed distributed attack
  - Capacity for blocking high-volume, massive and morphing botnets of attackers that:
    - Penetrate SYN response defenses
    - Thwart any manual responses


Broadest Attack Protection (cont.)

• Nonspoofed client attack (e.g., HTTP half-open)
  - Identifies low-volume, protocol anomaly attacks that evade sampled flow data


Management Features

• Console or SSH CLI
• Embedded device manager GUI
• DDoS SNMP MIB and traps
• Extensive syslogging
• Interactive recommendations
• Extensive reporting: GUI, CLI, and XML export by zone
• Packet capture and export
• TACACS+ for AAA
• Future CVDM for Cisco Catalyst® 6K support


DEPLOYMENT SCENARIOS


Hosting or Service Provider Data Center with Service Modules in “Integrated Mode”

[Diagram labels: ISP 1; ISP 2; Catalyst® 6K or 7600 with Sup720 or Sup2 w MSFC; Anomaly Guard Module; Traffic Anomaly Detector Module; Firewall Service Module; Guard/Detector Device Manager; GEnet; Catalyst Switch; Internal Network; DNS Servers; Web, Chat, E-mail, etc.; Target; Attack Alert; RHI Route Update]


Service Provider
Distributed or Edge Protection

• Distributed, dedicated Guards
• Detector CPE for monitoring and optionally activation

[Diagram labels: Peering Points; Core Routers; POPs; Enterprise A; Enterprise B (Targeted); Enterprise C; Cisco Anomaly Guard Module(s); Optional CPE: Cisco Traffic Anomaly Detector Module or Appliance]


Managed DDoS Service
Centralized Protection

[Diagram labels: Peering Points; Core Routers; POPs; Enterprise A; Enterprise B (Targeted); Enterprise C; Cisco Traffic Anomaly Detector Module; Cisco Anomaly Guard Modules; Catalyst 6500/7600 Series Router; NetFlow-based Backbone Monitoring; NOC; Activation from Backbone or CPE Detector]


Clustering Topology

[Diagram labels: ISP Upstream (two); Load-Leveling Router; Mitigation Cluster; Cisco Anomaly Guard Modules; Cat 6k/7600; Customer Switches]

B 200.1.1.99 [20/0] via 192.168.1.3, 00:04:08
             [20/0] via 192.168.1.4, 00:04:08
             [20/0] via 192.168.1.5, 00:04:08
             [20/0] via 192.168.1.1, 00:04:08
             [20/0] via 192.168.1.2, 00:04:08

200.1.1.99 = zone
192.168.1.1-5 = Guards


Clustering Topology (cont.)

Equal cost multipath routing
• Load levels traffic to a single destination IP
• Across up to 8 Guards per router
• CEF Layer 3 hash delivers consistent assignment per src-dst pair
• NO SPECIAL LOAD BALANCING SOLUTION REQUIRED
• Additional router provides functional partitioning
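The routing behaviour behind both the diversion slide (a /32 for the zone injected next to the existing /24) and this clustering slide (one zone route with five equal-cost Guard next hops), as an added example rather than Cisco code: longest-prefix match selects the Guard route only for the zone address, and a hash of the src-dst pair picks one Guard per flow. The routes are the ones printed on the slides; `RoutingTable`, `flow_hash` (a SHA-256 stand-in, not the CEF algorithm) and the source addresses are assumptions.

```python
import hashlib
import ipaddress
from collections import Counter

GUARDS = [f"192.168.1.{i}" for i in range(1, 6)]          # next hops from the slide
CLUSTER_ZONE = "200.1.1.99"
# Constructed client addresses (documentation ranges), 500 flows in total.
SOURCES = [f"198.51.100.{i}" for i in range(1, 251)] + \
          [f"203.0.113.{i}" for i in range(1, 251)]


def flow_hash(src: str, dst: str) -> int:
    """Deterministic hash of the src-dst pair (stand-in, not Cisco's CEF hash)."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


class RoutingTable:
    def __init__(self):
        self.routes = {}                 # ip_network -> sorted list of next hops

    def add(self, prefix, next_hop):
        hops = self.routes.setdefault(ipaddress.ip_network(prefix), [])
        if next_hop not in hops:
            hops.append(next_hop)
            hops.sort(key=ipaddress.ip_address)

    def withdraw(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        hops = self.routes.get(net, [])
        if next_hop in hops:
            hops.remove(next_hop)
        if not hops:
            self.routes.pop(net, None)   # last next hop gone: route disappears

    def lookup(self, src, dst):
        """Longest-prefix match on dst, then per-flow choice among equal-cost hops."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        hops = self.routes[best]
        return hops[flow_hash(src, dst) % len(hops)]


def build_example_table():
    table = RoutingTable()
    table.add("192.168.3.0/24", "10.0.0.3")      # normal OSPF route to the servers
    table.add("192.168.3.128/32", "10.0.0.2")    # injected while the zone is under attack
    for guard in GUARDS:                         # clustering slide: five equal-cost paths
        table.add(f"{CLUSTER_ZONE}/32", guard)
    return table


def guard_share(table, dst, sources):
    """How many of the given flows each next hop receives."""
    return Counter(table.lookup(src, dst) for src in sources)


def moved_fraction(table, dst, sources, prefix, guard):
    """Fraction of flows that land on a different Guard after one is withdrawn.

    With plain modulo hashing, as modelled here, most flows move, so Guards that
    hold per-source verification state would have to re-verify those sources.
    """
    before = {src: table.lookup(src, dst) for src in sources}
    table.withdraw(prefix, guard)
    return sum(before[s] != table.lookup(s, dst) for s in sources) / len(sources)


if __name__ == "__main__":
    t = build_example_table()
    print("zone host ->", t.lookup("203.0.113.9", "192.168.3.128"))
    print("neighbour ->", t.lookup("203.0.113.9", "192.168.3.20"))
    print("cluster load:", dict(guard_share(t, CLUSTER_ZONE, SOURCES)))
```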


PROVIDER FEATURES AND BENEFITS


Solution Supports Critical Managed Service Requirements

• Significant value-add
  - Mitigation, not just detection
  - Broadest types of attacks
  - Accuracy and transparency
  - Automation for fast response

• Proven competitive advantage => customer retention and acquisition
  - Within hours of attacks that primary provider could not handle, enterprises shifted traffic to backup providers with Cisco DDoS
  - And when subsequently contracting for managed DDoS services, dropped providers that didn’t offer
  - Commercial enterprises readily shift hosting providers based on DDoS capability
  - DDoS protection also on new vendor selection criteria


Solution Supports Critical Managed Service Requirements (cont.)

• Cost-effective operation
  - Defaults and templates for efficient provisioning
  - Automated learning for policy tuning
  - Automation for efficient attack response
  - Provider network deployment
  - On-demand scrubbing


Solution Supports Critical Managed Service Requirements (cont.)

• Provider deployment architecture
  - Supports distributed and centralized deployment
  - Dynamic diversion for ease of installation and high reliability
  - High performance plus N+X clustering for redundancy, incremental scaling, and maintenance
  - SNMP, XML, TACACS+, CLI, syslog for management
  - Activation from and data export to third-party systems

• Shared resources and virtualization supported
  - On-demand scrubbing
  - Zone concept


Managed Services Momentum

Almost all available DDoS managed services are based on the Cisco Guard for mitigation:

• DDoS Defense Option for Internet Protect managed services
• IP Defender managed service
• PrevenTier DDoS Mitigation service
• SureArmour DDoS protection service

and many others


Positive Industry Response

“We are taking a very positive stance on AT&T’s DDoS Defense option for its Internet Protect service….”
Current Analysis, June 2004

“This announcement is most important to Sprint customers. The service is attractive to customers that want to increase network uptime and avoid DoS attacks.”
Gartner, October 2004


Provider Service Advantages

Managed Service at Provider
• Protects last-mile bandwidth and all enterprise infrastructure
• Provider can protect against largest attacks
• Provision and pay only for bandwidth for legitimate traffic
• Upstream protection can cover multiple data centers
• DDoS protection can be efficiently offered as managed service
• Leverage focused security operations team

Enterprise Deployment at Data Center
• Last-mile bandwidth and edge router not protected
• Can only defend against attacks that don’t exceed last-mile bandwidth
• Must overprovision for largest potential attacks and/or pay burst charges
• Must replicate protection at all data centers
• CPE infrastructure only protects locally and cannot be shared
• Difficult to maintain staff skill on DDoS attacks
