Diversion & Sieving Techniques to Defeat DDoS


Transcript of Diversion & Sieving Techniques to Defeat DDoS

Page 1: Diversion & Sieving Techniques to Defeat DDoS


Yehuda Afek, Tel-Aviv University / WANWall Ltd.

Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou

WANWall Ltd.

Diversion & Sieving Techniques to Defeat DDoS

Page 2: Diversion & Sieving Techniques to Defeat DDoS

DDoS protection, Where & How?

[Diagram: Server1, Victim and Server2 sit behind routers R1-R5 and an FE interface, reached over peering links; link labels 1000, 1000 and 100]

Page 3: Diversion & Sieving Techniques to Defeat DDoS

At the Routers

[Diagram: same topology as page 2, callout 1 at the routers]

ACLs, CARs, null route:

•Random spoofing

•Throws good with bad

•Router degradation

Page 4: Diversion & Sieving Techniques to Defeat DDoS

At the Edge

[Diagram: same topology as page 2, callout 2 at the edge]

•Choked

•Point of failure

•Not scalable

Page 5: Diversion & Sieving Techniques to Defeat DDoS

At the Back Bone

[Diagram: same topology as page 2, callout 3 at the backbone peering]

•Throughput

•Point of failure

•All suffer

Page 6: Diversion & Sieving Techniques to Defeat DDoS

Diversion

[Diagram: same topology as page 2, callout 4 at a diversion point off the peering link]

•Not on critical path

•Routers route

•Upstream

•Sharing

•Dynamic

Page 7: Diversion & Sieving Techniques to Defeat DDoS

Basic Scheme

[Diagram: ISP Backbone between AS 56 and AS 24, with the Victim and a node labelled PR]

Page 8: Diversion & Sieving Techniques to Defeat DDoS

Basic Concepts

1. Divert victim’s traffic

2. Sieve

3. Legitimate traffic continues on its route

[Diagram: router R diverts the victim's traffic to the box, which splits it into clean traffic sent on to the Victim and malicious packets; a Database backs the sieve]

Page 9: Diversion & Sieving Techniques to Defeat DDoS

Operational process

[Diagram: Victim in AS x, the NOC, with steps 1 and 2]

Page 10: Diversion & Sieving Techniques to Defeat DDoS

Sieving Malicious traffic

Packet filtering -> Anti-spoofing -> Learning & Statistical analysis -> HTTP Analysis & Authentication -> Output

Page 11: Diversion & Sieving Techniques to Defeat DDoS

Sieving techniques

Filters: IPs, ports, flags, etc.

Anti-spoofing: TCP; other

Recognition: statistical analysis, layers 3-7

High-level protocols: HTTP specific (recognize anomalous behavior); other
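A small sieve in the page 10 order (filters, TCP anti-spoofing, statistical analysis), added here as an illustration and not code from the talk or from WANWall. The cookie handshake, the per-source rate limit, the secret and all traffic are constructed simplifications of the techniques named on pages 10 and 11.

```python
import hashlib
from collections import Counter
SECRET = b"guard-secret-constructed"  # per-guard secret; constructed value
def cookie(src):
    # Challenge value the guard puts in its SYN+ACK to src (SYN-cookie style)
    return int.from_bytes(hashlib.sha256(SECRET + src.encode()).digest()[:4], "big")
def stage_filter(pkt):
    # 'Filters: IPs, ports, flags': drop bogus flag combinations and unserved ports
    return "SF" not in pkt[2] and pkt[1] in (80, 443)
class AntiSpoof:
    # 'Anti-spoofing: TCP': trust a source only after it answers the guard's cookie;
    # a randomly spoofed source never sees the SYN+ACK, so it never answers
    def __init__(self):
        self.verified = set()
    def admit(self, pkt):
        src, dport, flags, ack = pkt
        if src in self.verified:
            return True
        if flags == "A" and ack == cookie(src) + 1:
            self.verified.add(src)
            return True
        return False  # a SYN gets a challenge back instead of being forwarded
class RateSieve:
    # 'Statistical analysis': per-source volume against a learned baseline
    def __init__(self, baseline_pps, factor=5):
        self.limit, self.seen = baseline_pps * factor, Counter()
    def admit(self, pkt):
        self.seen[pkt[0]] += 1
        return self.seen[pkt[0]] <= self.limit
def sieve(packets, baseline_pps=2):
    # Stages in the page 10 order; the first stage that rejects decides the verdict
    stages = [("filter", stage_filter), ("antispoof", AntiSpoof().admit),
              ("stats", RateSieve(baseline_pps).admit)]
    verdict = Counter()
    for pkt in packets:
        for name, admit in stages:
            if not admit(pkt):
                verdict["dropped_" + name] += 1
                break
        else:
            verdict["forwarded"] += 1
    return verdict
def sample_run():
    # Constructed (src, dport, flags, ack) traffic: one legitimate client, a randomly
    # spoofed SYN flood, and one unspoofed flooder that does complete the handshake
    good, bot = "198.51.100.7", "192.0.2.99"
    pkts = [(good, 80, "S", 0), (good, 80, "A", cookie(good) + 1), (good, 80, "A", 0)]
    pkts += [(f"203.0.113.{i}", 80, "S", 0) for i in range(50)]
    pkts += [(bot, 80, "S", 0), (bot, 80, "A", cookie(bot) + 1)] + [(bot, 80, "A", 0)] * 40
    return sieve(pkts + [(bot, 0, "SF", 0)])
```

The spoofed flood dies at the anti-spoofing stage, the unspoofed flooder passes it and is cut by the rate sieve, and the legitimate client keeps its goodput.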

Page 12: Diversion & Sieving Techniques to Defeat DDoS

Diversion

1. Divert

2. Return good traffic, without looping!

[Diagram: router R, victim traffic diverted to the box, clean traffic returned to the Victim, malicious packets dropped; Database]

Page 13: Diversion & Sieving Techniques to Defeat DDoS

Diversion: BGP + next L3

1. Divert: BGP. Announce a /32 from the box with the no_export and no_advertise communities.

2. Return: next layer-3 device.

[Diagram: router R receives the /32 from the box; clean traffic is handed through an L2 device to the next L3 device toward the Victim; malicious packets dropped]
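A routing simulation, added here and not from the talk, of why the return path on pages 12 and 13 must bypass the diverting router and why the /32 carries no_export/no_advertise: longest-prefix match sends everything for the victim to the box, so clean traffic handed back to R, or a /32 that reached the next layer-3 device, loops. Node names R, L3 and GUARD and the 192.0.2.0/24 addresses are constructed; a GRE tunnel to the next device (page 14) has the same effect as the return_to_L3 case.

```python
import ipaddress

VICTIM = "192.0.2.10"          # constructed victim address
VICTIM_NET = "192.0.2.0/24"    # prefix the network normally routes
VICTIM_32 = VICTIM + "/32"     # more-specific the box announces over BGP

def lpm(table, dst):
    # Longest-prefix match over (prefix, next_hop) entries; the /32 beats the /24
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "DROP"

def topology(divert=False, leak_32=False, guard_return="R"):
    # R: the router peering with the box; L3: next layer-3 device toward the victim;
    # GUARD: the sieving box. leak_32 models a /32 sent without no_export/no_advertise,
    # so that L3 learns it too. guard_return is where the box hands clean traffic.
    r = [(VICTIM_NET, "L3")]
    l3 = [(VICTIM_NET, "VICTIM")]
    if divert:
        r.append((VICTIM_32, "GUARD"))
        if leak_32:
            l3.append((VICTIM_32, "GUARD"))
    return {"R": r, "L3": l3, "GUARD": [(VICTIM_NET, guard_return)]}

def forward(tables, dst, start="R", max_hops=6):
    # Hop-by-hop path of one packet; ends in VICTIM, DROP, or LOOP if it never settles
    path = [start]
    while path[-1] in tables:
        if len(path) > max_hops:
            return path + ["LOOP"]
        path.append(lpm(tables[path[-1]], dst))
    return path

def demo():
    # Four cases: no diversion; diversion with clean traffic handed back to R;
    # diversion returned past R to the next L3 device (the page 13 scheme);
    # and a /32 that leaked to L3 because the communities were missing
    return {
        "normal": forward(topology(), VICTIM),
        "return_to_R": forward(topology(divert=True), VICTIM),
        "return_to_L3": forward(topology(divert=True, guard_return="L3"), VICTIM),
        "leaked_32": forward(topology(divert=True, leak_32=True, guard_return="L3"), VICTIM),
    }
```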

Page 14: Diversion & Sieving Techniques to Defeat DDoS

Diversion: BGP + GRE

1. Divert: BGP

2. Return: GRE

GRE de-cap increases VIP load < 20% [Wessels & Hardie, NANOG19, Albuquerque]

[Diagram: router R, BGP divert toward the box, GRE tunnel returning clean traffic to the Victim, malicious packets dropped]

Page 15: Diversion & Sieving Techniques to Defeat DDoS

Diversion test

[Diagram: testbed nodes A, C, R, X, V, I and W with Gig and 100BT links; victim and non-victim hosts]

Phase 1: Normal traffic

Phase 2: Attack + Normal traffic

Phase 3: Attack + Normal traffic + Diversion

Page 16: Diversion & Sieving Techniques to Defeat DDoS

Diversion effect

[Plot: latency (usec) against time on a log scale (100, 1000, 10000); two curves, Latency to Victim and Latency to Non-Victim; phases: normal, Attack, Attack + diversion]

Page 17: Diversion & Sieving Techniques to Defeat DDoS

Diversion WCCP v2

Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt]

Remote diversion: a protocol, no dynamic config.

Current Status: available on 6500, 7200, 7500, 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF. Other vendors?

[Diagram: router R speaking WCCP to the box; victim traffic diverted, clean traffic returned to the Victim, malicious packets dropped]

Page 18: Diversion & Sieving Techniques to Defeat DDoS

Diversion PBR / FBF

1. Divert: Policy Based Routing / Filter Based Forwarding

2. Return: normal route table

[Diagram: router R with PBR diverting victim traffic to the box; clean traffic returned to the Victim, malicious packets dropped]

Page 19: Diversion & Sieving Techniques to Defeat DDoS

Diversion: BGP + PBR

1. Divert: BGP

2. Return: PBR on the guard’s interface card

[Diagram: router R with a BGP divert toward the box and PBR on the return path; victim traffic, clean traffic, malicious packets]

Page 20: Diversion & Sieving Techniques to Defeat DDoS

PBR

Dynamic configuration: adding an access list on demand.

CPU load: VIP or RSP CPU load. Juniper FBF uses a dedicated processor, Internet Processor II (from JunOS 4.4).

[Diagram: router R with PBR, as on page 18]

Page 21: Diversion & Sieving Techniques to Defeat DDoS

PBR Warts

12.1(8a)E4, 12.0(18)S and 12.2(2)T with “distributed cef” will not PBR properly! BUG ID: cscdp78100. All packets are diverted rather than only what is matched, but “ip cef” works properly. Tested on a 7513 on FE as well as GE (GEIP+).

ip access-list extended WW33
 permit ip any victim-ip victim-mask
!
route-map WWMap permit 33
 match ip address WW33
 set ip next-hop Guard-guard-IP
!
interface GigabitEthernet0/0/0
 ip policy route-map WWMap
end

Page 22: Diversion & Sieving Techniques to Defeat DDoS

Diversion Double Addressing

1. Divert: BGP

2. Return: double addressing; the victim gets a private IP address, routed only internally

[Diagram: router R with a BGP divert toward the box; clean traffic returned to the Victim's internal address, malicious packets dropped]

Page 23: Diversion & Sieving Techniques to Defeat DDoS

Double Addressing

[Diagram: Data Center with the Victim behind NAT, AS, PR]

Page 24: Diversion & Sieving Techniques to Defeat DDoS

Reverse Protection

[Diagram: AS x and AS y, Victim]

Page 25: Diversion & Sieving Techniques to Defeat DDoS

Flash Crowd Reverse Proxy

[Diagram: AS x] [Wessels & Hardie; Surrogate, NANOG19]

Page 26: Diversion & Sieving Techniques to Defeat DDoS

Diversion for DDoS Summary

•Maximize goodput to victim

•Leave data path free

•Let routers route

•Protect any device

•Sharing a large resource on demand

•Upstream (à la pushback)

Page 27: Diversion & Sieving Techniques to Defeat DDoS


Comments: {afek,anat,alon,hank,dan}@wanwall.com