DDOS MITIGATION - 2016.vnix-nog.vn
DDOS MITIGATION
Agenda
I. DDoS Report
II. DDoS Mitigation techniques
III. Recommendations
DDoS Report
Source: Worldwide DDoS Attacks & Protection Report - Neustar
DDoS Report
DDoS Report
DDoS Report
Mirai botnet: 608,083 unique IPs across 196 countries
Source: http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS Report
Source: http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS Report
Source: http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS Mitigation Techniques
Common types of DDoS attacks
- Volumetric attacks
- Protocol attacks
- Application layer attacks
DDoS Mitigation Techniques
DDoS protection options
- Cloud service DDoS mitigation
- CDN/DNS-based DDoS mitigation
- In-house DDoS mitigation
- Outsourced specialist DDoS protection
DDoS Mitigation Techniques
DDoS Mitigation
- Monitor/Detection
- Mitigation
DDoS Mitigation Techniques
DDoS Detection
- Passive traffic flow information collection: NetFlow, sFlow, IPFIX
- Real-time analysis (faster): inline appliance, port mirroring, network TAP
DDoS Mitigation Techniques
Detection
- Detects bandwidth-related traffic anomalies
- Distributed Denial of Service (DDoS) attacks
- Volumetric DoS attacks
- NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
- SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks
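As an added illustration (not from the slides) of detection on passively collected flow records: the constructed NetFlow-style records below are aggregated per destination, rated against a placeholder bandwidth threshold, and labelled with the attack categories listed above. Field names, the 10-second export interval and the threshold are assumptions.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport tcp_flags packets octets")

# Constructed flow records in the shape a NetFlow/sFlow/IPFIX collector would
# export for one 10-second interval (one record per 5-tuple); not real traffic.
INTERVAL_SEC = 10
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 17, 123, 40000, 0x00, 900, 440000),
    Flow("198.51.100.11", "203.0.113.5", 17, 123, 40000, 0x00, 950, 465000),
    Flow("198.51.100.12", "203.0.113.5", 17, 123, 40000, 0x00, 910, 445000),
    Flow("192.0.2.7", "203.0.113.9", 6, 5112, 443, 0x02, 3000, 120000),   # SYN, no ACK
    Flow("192.0.2.8", "203.0.113.9", 6, 5113, 443, 0x02, 3100, 124000),
    Flow("192.0.2.20", "203.0.113.20", 6, 5300, 443, 0x18, 40, 30000),    # PSH/ACK session
]

def classify(flows):
    """Name the dominant (by octets) traffic pattern using the slide's attack categories."""
    octets_by_kind = defaultdict(int)
    for f in flows:
        if f.proto == 17 and f.sport == 123:
            kind = "NTP amplification"        # NTP server replies (UDP/123 source) at volume
        elif f.proto == 17:
            kind = "generic UDP flood"
        elif f.proto == 1:
            kind = "ICMP flood"
        elif f.proto == 6 and (f.tcp_flags & 0x12) == 0x02:
            kind = "SYN flood"                # SYN set, ACK clear: handshakes never complete
        else:
            kind = "unclassified"
        octets_by_kind[kind] += f.octets
    return max(octets_by_kind, key=octets_by_kind.get)

def detect(flows, interval_sec=INTERVAL_SEC, threshold_bps=100_000):
    """Flag destinations whose inbound rate exceeds the threshold and label the pattern.
    The fixed threshold is a placeholder; in practice it comes from a per-prefix baseline."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    alerts = []
    for dst, fl in by_dst.items():
        bps = sum(f.octets for f in fl) * 8 / interval_sec
        if bps > threshold_bps:
            alerts.append((dst, int(bps), len({f.src for f in fl}), classify(fl)))
    return sorted(alerts, key=lambda a: -a[1])

if __name__ == "__main__":
    for dst, bps, n_src, kind in detect(SAMPLE_FLOWS):
        print(f"{dst}: {bps} bps from {n_src} sources -> {kind}")
```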
DDoS Mitigation Techniques
Mitigation
- Discard (Blackhole/sinkhole)
- Filtering (Scrubber)
DDoS Mitigation Techniques
Remotely Triggered Black Hole
- D/RTBH: Blackhole based on destination address
- S/RTBH: Blackhole based on source address
DDoS Mitigation Techniques
S/RTBH
- Use Unicast Reverse Path Forwarding (uRPF) filter
- uRPF: loose mode
DDoS Mitigation Techniques
Flowspec (RFC 5575)
Basic idea: Use BGP to distribute flow specification filters and dynamically filter on routers.
DDoS Mitigation Techniques
BGP Flow Specification
BGP Flowspec can include the following information:
- Type 1 - Destination Prefix
- Type 2 - Source Prefix
- Type 3 - IP Protocol
- Type 4 - Source or Destination Port
- Type 5 - Destination Port
- Type 6 - Source Port
- Type 7 - ICMP Type
- Type 8 - ICMP Code
- Type 9 - TCP flags
- Type 10 - Packet length
- Type 11 - DSCP
- Type 12 - Fragment Encoding
Actions are defined using BGP Extended Communities:
- 0x8006 - traffic-rate (set to 0 to drop all traffic)
- 0x8007 - traffic-action (sampling)
- 0x8008 - redirect to VRF (route target)
- 0x8009 - traffic-marking (DSCP value)
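As an added example (not from the slides or any vendor), the following Python encodes one RFC 5575 Flowspec NLRI from the component types above and pairs it with the 0x8006 traffic-rate extended community set to 0, i.e. a drop rule; the victim prefix, protocol and port are constructed values.

```python
import struct
import ipaddress

# RFC 5575 component types used here (numbering as listed on the slide).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6

def prefix_component(type_code, cidr):
    """Type 1/2: <type><prefix-len><minimum number of prefix octets>."""
    net = ipaddress.ip_network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([type_code, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(type_code, value):
    """Numeric match with one '==' operator. Operator octet: e=1 (end of list, bit 7),
    a=0, len=00 (1 octet) or 01 (2 octets, bits 5-4), eq=1 (bit 0)."""
    if value < 256:
        return bytes([type_code, 0x81, value])
    return bytes([type_code, 0x91]) + struct.pack("!H", value)

def encode_flowspec_nlri(components):
    """Prefix the concatenated components with the NLRI length (1 octet when < 240)."""
    body = b"".join(components)
    if len(body) >= 240:
        raise ValueError("only the single-octet NLRI length form is handled here")
    return bytes([len(body)]) + body

def traffic_rate_community(rate_bytes_per_sec):
    """0x8006 traffic-rate: type 0x80, subtype 0x06, 2-octet AS (0), IEEE-754 float rate.
    A rate of 0 instructs the router to drop all matching traffic."""
    return struct.pack("!BBHf", 0x80, 0x06, 0, rate_bytes_per_sec)

def decode_traffic_rate(ext_community):
    """Parse a traffic-rate community back into (asn, rate); rate 0.0 means 'drop'."""
    t, st, asn, rate = struct.unpack("!BBHf", ext_community)
    if (t, st) != (0x80, 0x06):
        raise ValueError("not a traffic-rate extended community")
    return asn, rate

def build_drop_rule(dst_cidr, proto, dst_port):
    """Constructed example: drop traffic to one victim prefix for one protocol/port."""
    nlri = encode_flowspec_nlri([
        prefix_component(DEST_PREFIX, dst_cidr),
        numeric_component(IP_PROTO, proto),
        numeric_component(DEST_PORT, dst_port),
    ])
    return nlri, traffic_rate_community(0.0)

if __name__ == "__main__":
    # UDP/123 toward a TEST-NET-3 prefix: the NTP-amplification case from the detection slide
    nlri, comm = build_drop_rule("203.0.113.0/24", 17, 123)
    print("NLRI:", nlri.hex(), "ext-community:", comm.hex())
```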
DDoS Mitigation Techniques
DDoS Detection Vendors:
- Arbor Peakflow SP 3.5
- Juniper DDoS Secure 5.14.2-0
Router Vendors:
- Alcatel-Lucent SR OS 9.0R1
- Juniper JUNOS 7.3
- Cisco 5.2.0 for ASR and CRS [6]
DDoS Mitigation Techniques
Filtering (Scrubber)
- Software-based filter: netfilter
- Hardware-based filter (appliance): FPGA card (40-100 Gbps), NICs (10 Gbps)
DDoS Mitigation Techniques
AntiDDoS
- D/RTBH, S/RTBH
- BGP off/on ramping
- NIC filtering
DDoS Mitigation Techniques
Port mirroring and TAP
- Flow (collect data): impacts hardware performance
- Network TAP: TAP insertion loss
- Port mirroring: limited number of mirror sessions
DDoS Mitigation Techniques
Network TAP
- Split ratio
- Lost signal
DDoS Mitigation Techniques
Hardware Performance
- Capture backend: PF_RING ZC, Netmap
- Tuning OS, software
DDoS Mitigation Techniques
Hardware Performance
- Reduce sampling rate
DDoS Mitigation Techniques
Network Policy and Action
- International upstream services: Blackhole, Filter
- Domestic upstream services: automatic Blackhole/Filter not widely supported
DDoS Mitigation Techniques
Domestic Attack
- Delay in detecting the attack source in order to stop the DoS
- No mechanisms yet for coordination between ISPs, or for the role of VNIX
Recommendations
- DDoS is not only a concern of service providers but also of national security
- ISPs need to pay more attention to these issues and invest in DDoS systems to prevent attacks
- There should be closer coordination between ISPs on preventing DDoS attacks