© 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04
Protection On-Demand: Ensuring Resource Availability
Dan Touitou
Agenda
The Growing DDoS Challenge
Existing Solutions
Our Approach
Technical Overview
How do DDoS Attacks Start?
[Diagram labels: DNS, Email, 'Zombies']
Innocent PCs & servers turn into 'Zombies'
The Effects of DDoS Attacks
• Server-level DDoS attacks
• Bandwidth-level DDoS attacks
• Infrastructure-level DDoS attacks (diagram labels: DNS, Email)
Attack zombies: massively distributed, spoof source IP, use valid protocols
Attacks - examples
• SYN attack
– Huge number of crafted spoofed TCP SYN packets
– Fills up the "connection queue"
– Denial of TCP service
• HTTP attacks
– Attackers send a lot of "legitimate" HTTP requests
A few of the Latest High Profile Attacks
• Payment Gateways – extortion (on the news): Authorize.net, PSIGateway, Worldpay, 2checkout
• Online Brokerage firms (confidential)
• Commercial banks (confidential)
• Mydoom Worm – Microsoft, SCO, Yahoo, Lycos, Google
• Doubleclick – DNS servers
• Akamai - DNS servers
• Online gambling sites – extortion
• Many others, but most companies will not want the world to know that they were attacked
Distributed Denial of Service Attacks
• DDoS is often driven by financial motivation
– DoS for hire
– Economically-driven
– Politically driven
– Cyber terrorism
• DDoS cannot be ignored; modern business depends on effective handling of attacks
Extortion Process
• Target enterprise gets an attack to prove the attackers' capabilities
• Typically followed by a demand to transfer about $10,000 at a time to a European bank account
– Extorter can withdraw the money at an ATM without showing his face in the bank
• Attackers use over 100K PCs
• Latest attacks were 2 – 3 Gbps
• The attackers can change the attack type very quickly (Change protocol, change target etc.)
Attack Evolution: Stronger and More Widespread
Two scaling dimensions: scale of attacks (packets/sec, number of sources) and sophistication of attacks
• Past: non-essential protocols (e.g. ICMP); 100s of sources; 10Ks packets/sec
• Present: essential protocols, spoofed; 10Ks of zombies; 100Ks packets/sec
• Emerging: compound and morphing; 100Ks of zombies; million+ packets/sec
Existing Solutions
SYN Cookies – how it works
[Exchange reconstructed from the diagram; parties are Source, Guard, Target]
Stateless part (state created only for authenticated connections):
1. Source → Guard: syn(isn#)
2. Guard → Source: synack(cky#, isn#+1) WS=0
3. Source → Guard: ack(cky#+1)
Guard then opens the connection to the target:
4. Guard → Target: syn(isn#)
5. Target → Guard: synack(isn'#, isn#+1)
6. Guard → Target: ack(isn'#+1)
7. Guard → Source: ack(isn#+1) WS<>0
Sequence # adaptation between cky# (seen by the source) and isn'# (chosen by the target)
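The cookie handshake above, written out as an added example (not code from the slides or from the Guard product): an HMAC-based stateless cookie that the guard uses as its ISN, verification of the bare ACK without any stored state, and the sequence-number adaptation between cky# and the target's isn'#. The HTTP-redirect and RST-cookie variants later in the deck authenticate the source with the same cookie. The secret, addresses and ISN values are constructed.

```python
import hashlib
import hmac

MASK = 0xFFFFFFFF             # TCP sequence numbers are 32-bit
SECRET = b"guard-secret"      # constructed guard secret; rotate it in practice

def syn_cookie(secret, src, sport, dst, dport, isn, tick):
    """The guard's ISN (cky#) in its synack. High 8 bits: time tick so stale
    cookies expire; low 24 bits: HMAC over the 4-tuple, client ISN and tick.
    Nothing is stored per connection: this is the 'stateless part'."""
    msg = f"{src}:{sport}>{dst}:{dport}|{isn}|{tick}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

def verify_ack(secret, src, sport, dst, dport, seq, ack, now_tick, max_age=2):
    """Check the bare ack(cky#+1) with no stored state: the client's ISN is
    seq-1 and the cookie it must echo is ack-1. Returns the cookie when the
    source really received the synack (so it is not spoofed), else None."""
    isn, cookie = (seq - 1) & MASK, (ack - 1) & MASK
    for age in range(max_age + 1):          # tolerate a few ticks of delay
        tick = now_tick - age
        if (tick & 0xFF) != cookie >> 24:
            continue
        expect = syn_cookie(secret, src, sport, dst, dport, isn, tick)
        if hmac.compare_digest(expect.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return cookie
    return None

def seq_delta(cookie, target_isn):
    """Sequence # adaptation: the target chose isn'# on the guard's own
    handshake, but the client believes the server ISN is cky#."""
    return (target_isn - cookie) & MASK

def to_client_seq(seq, delta):    # rewrite target->client sequence numbers
    return (seq - delta) & MASK

def to_target_ack(ack, delta):    # rewrite client->target acknowledgements
    return (ack + delta) & MASK

def demo():
    src, sport, dst, dport, isn = "10.0.0.5", 40000, "61.1.1.1", 80, 1000
    cky = syn_cookie(SECRET, src, sport, dst, dport, isn, tick=17)
    real = verify_ack(SECRET, src, sport, dst, dport, isn + 1, cky + 1, 18)
    spoofed = verify_ack(SECRET, src, sport, dst, dport, isn + 1, 12345, 18)
    delta = seq_delta(cky, target_isn=777777)   # target's isn'#
    # target's first byte (isn'#+1) must look like cky#+1 to the client, and
    # the client's ack(cky#+1) must reach the target as ack(isn'#+1)
    return (real == cky, spoofed is None,
            to_client_seq(777778, delta) == (cky + 1) & MASK,
            to_target_ack(cky + 1, delta) == 777778)
```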
Blackholing
[Diagram: peering links (1000), routers R1–R5, FE link (100) to Server1, Victim and Server2]
= Disconnecting the customer
At the Edge / Firewall/IPS
[Diagram: same topology, mitigation at the customer edge firewall/IPS]
• Easy to choke
• Point of failure
• Not scalable
At the Backbone
[Diagram: same topology, mitigation in the backbone]
• Throughput
• Point of failure
• Not scalable
Cisco Solution
Dynamic Diversion Architecture
[Diagram: Guard XT issues a BGP announcement; Detector XT or Cisco IDS / Arbor Peakflow watches the Target; non-targeted servers]
1. Detect
2. Activate: auto/manual
3. Divert only the target's traffic
Dynamic Diversion Architecture (continued)
[Diagram: Guard XT, Target, non-targeted servers, Detector XT or Cisco IDS / Arbor Peakflow]
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely
Technical overview
• Diversion/Injection
• Anti Spoofing
• Anomaly Detection
• Performance Issues
Diversion
How to “steal” traffic without creating loops?
Diversion – one example: L3 next hop
BGP diversion: announce a longer prefix from the guard with the no-export and no-advertise community
Injection: send directly to the next L3 device
Diversion – L3 next hop application
[Diagram: ISP 1 and ISP 2 uplinks into a Router, then Switch and Firewall in front of the Internal network with DNS servers and Web, Chat, E-mail servers; Guard XT attached over Gigabit Ethernet; Riverhead Detector XT raises an Alert for the Target; Web console]
Diversion – one example: injecting with tunnels
BGP diversion: announce a longer prefix from the guard with the no-export and no-advertise community
Injection: send directly to the next L3 device
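To show why injection has to bypass the table the guard has just altered, an added simulation (not the deck's or Cisco's code) of longest-prefix-match diversion: a /32 announced by the guard captures only the target's traffic, and cleaned traffic re-entering normal routing would loop straight back to the guard unless it is handed to the next L3 device. Router names, prefixes and the use of 61.1.1.1 as the target are constructed for the demo.

```python
import ipaddress

class Router:
    """Minimal longest-prefix-match forwarder: prefix -> next hop (constructed)."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

def divert(router, target):
    """The guard announces target/32 over BGP. The longer prefix wins LPM, so
    only the target's traffic is pulled; no-export/no-advertise keep the /32
    from leaking beyond this router (modelled here as a local table entry)."""
    router.routes[ipaddress.ip_network(f"{target}/32")] = "guard"

def trace(router, dst, inject_next_hop=None, max_hops=4):
    """Hops a packet takes. With inject_next_hop the guard hands clean traffic
    straight to the next L3 device; otherwise it re-routes through the table
    and the /32 it announced sends the packet back to itself."""
    hops = []
    hop = router.next_hop(dst)
    while len(hops) < max_hops:
        hops.append(hop)
        if hop != "guard":
            return hops
        hop = inject_next_hop or router.next_hop(dst)
    return hops + ["LOOP"]

def demo():
    r = Router({"61.1.1.0/24": "R-customer", "0.0.0.0/0": "peering"})
    before = trace(r, "61.1.1.1")                      # normal path to the server
    divert(r, "61.1.1.1")
    looped = trace(r, "61.1.1.1")                      # guard without injection
    injected = trace(r, "61.1.1.1", inject_next_hop="R-customer")
    untouched = trace(r, "61.1.1.2")                   # non-targeted server
    return before, looped, injected, untouched
```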
Diversion – one example: long distance diversion
[Diagram; target address 61.1.1.1]
Filtering bad traffic
• Anti Spoofing
• Anomaly detection
• Performance
Guard Architecture – high level
[Block diagram, labels reconstructed]
Data plane: Rate limiter; Sampler; Flex filter; Bypass filter; Classifier (static & dynamic filters); Anti-spoofing modules; Drop packets; AS replies
Control & analysis plane: Analysis (basic, strong); Anomaly recognition engine; Connections & authenticated clients; Policy database; Insert filters; Management
Anti spoofing
Unidirectional…
Anti-Spoofing Defense – one example: HTTP
Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
[Exchange reconstructed from the diagram; parties are Source, Guard, Target]
1. SYN cookie algorithm: Source → Guard syn(isn#); Guard → Source synack(cky#, isn#+1); Source → Guard ack(isn#+1, cky#)
2. Redirect request: Source → Guard GET uri; Guard → Source redirect to same URI
3. Close connection: fin / fin
Client authenticated
RST cookies – how it works
[Exchange reconstructed from the diagram; parties are Source, Guard, Target]
1. Source → Guard: syn(isn#)
2. Guard → Source: ack(, cky#)
3. Source → Guard: rst(cky)
Client authenticated
4. Source → Guard → Target: syn(isn#)
Anti-Spoofing Defense – one example: DNS client-resolver (over UDP)
Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
[Exchange reconstructed from the diagram; parties are Client, Guard, Target]
1. Client → Guard: Ab.com rqst UDP/53
2. Guard → Client: Ab.com reply TC=1
3. Client ↔ Guard: syn / synack / ack
4. Client → Guard → Target: Ab.com rqst TCP/53; Target reply
Authenticated IP
5. Repeated IP – UDP: Client → Guard → Target: Ab.com rqst UDP/53; Target reply
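The TC=1 challenge above as an added example (not the deck's or the product's code): the guard answers an unauthenticated UDP query with a truncated reply, marks the source authenticated once the same client comes back over TCP, and passes later UDP queries from that IP through. The query bytes and the source address are constructed; `DnsGuard` is a hypothetical name.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits

def build_query(qid, name, qtype=1):
    """Constructed client query (type A) as it would arrive on UDP/53."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def truncated_reply(query):
    """Guard's answer to an unauthenticated UDP query: same ID and question,
    QR set, no answers and TC=1. A real resolver retries over TCP, which a
    spoofed source cannot complete; the guard resolves nothing itself."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", qid, QR | TC | (flags & RD), qdcount, 0, 0, 0)
    return header + query[12:]

def is_truncated(reply):
    return bool(struct.unpack("!H", reply[2:4])[0] & TC)

class DnsGuard:
    def __init__(self):
        self.authenticated = set()    # source IPs that completed the TCP retry
        self.forwarded = []           # (src, transport, query) handed to the target

    def on_udp(self, src, query):
        if src in self.authenticated:           # "Repeated IP - UDP": verified, pass
            self.forwarded.append((src, "udp", query))
            return "forward"
        return truncated_reply(query)           # first contact: challenge with TC=1

    def on_tcp(self, src, query):
        # The TCP handshake already passed the SYN cookie check, so src is real.
        self.authenticated.add(src)
        self.forwarded.append((src, "tcp", query))
        return "forward"

def demo():
    guard, src = DnsGuard(), "198.51.100.7"
    q = build_query(0x1234, "ab.com")
    first = guard.on_udp(src, q)                 # challenged with TC=1
    guard.on_tcp(src, q)                         # resolver retried over TCP/53
    repeat = guard.on_udp(src, q)                # later UDP queries pass
    return is_truncated(first), first[:2] == q[:2], repeat, len(guard.forwarded)
```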
Anomaly Detection Against Non-Spoofed Attacks
• Extensive profiling
– Hundreds of anomaly sensors per victim
– For global, proxies, discovered top sources, typical source, …
• Auto discovery and profiling of services
– Automatically detects HTTP proxies and maintains specific profiles
– Learns individual profiles for top sources, separate from the composite profile
• Depth of profiles
– PPS rates
– Ratios, e.g. SYNs to FINs
– Connection counts by status
– Protocol validity, e.g. DNS queries
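An added example (not the product's engine) of two of the sensors listed above, packet rate and SYN:FIN ratio, with a composite profile for the victim and a separate profile for a discovered top source such as an HTTP proxy, so the proxy's normal volume is not mistaken for zombies. The counter windows, thresholds and addresses are constructed assumptions.

```python
from statistics import mean, pstdev

SECS = 10   # constructed window length in seconds

def features(w):
    """Two of the deck's sensors from one window of counters: packet rate
    and the SYN-to-FIN ratio (constructed record: pkts, syn, fin)."""
    return {"pps": w["pkts"] / SECS, "syn_fin": w["syn"] / max(w["fin"], 1)}

class Profile:
    """Learned baseline for one sensor set. Anomalous above mean + 3*stdev,
    with a 25% floor so a flat baseline is not hair-trigger (thresholds are
    this example's assumption, not the product's)."""

    def __init__(self):
        self.hist = {"pps": [], "syn_fin": []}

    def learn(self, w):
        for k, v in features(w).items():
            self.hist[k].append(v)

    def anomalies(self, w):
        flagged = []
        for k, v in features(w).items():
            base = self.hist[k]
            if v > mean(base) + max(3 * pstdev(base), 0.25 * mean(base)):
                flagged.append(k)
        return flagged

def aggregate(by_source):
    return {k: sum(w[k] for w in by_source.values()) for k in ("pkts", "syn", "fin")}

def demo(proxy="203.0.113.9"):
    """Composite profile for the victim plus a separate profile for a discovered
    top source (an HTTP proxy); only the new flooding source moves the sensors."""
    composite, per_source = Profile(), {proxy: Profile()}
    for i in range(5):      # learning windows: busy proxy, balanced SYN:FIN
        window = {proxy: {"pkts": 5000 + i, "syn": 400, "fin": 390},
                  "rest": {"pkts": 2000 + i, "syn": 150, "fin": 150}}
        composite.learn(aggregate(window))
        per_source[proxy].learn(window[proxy])
    attack = {proxy: {"pkts": 5002, "syn": 401, "fin": 392},
              "203.0.113.50": {"pkts": 60000, "syn": 6000, "fin": 5}}  # SYN flood
    return {"composite": composite.anomalies(aggregate(attack)),
            proxy: per_source[proxy].anomalies(attack[proxy])}
```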
Performance
• Wire speed – requirement…
• GigE = 1.48 million pps…
– Avoid copying
– Avoid interrupts/system calls
– Limit the number of memory accesses
• PCI bottleneck → DDoS NIC accelerator
Cosmo board
Replaces the NIC
Handles the data path
Based on the Broadcom BCM1250 integrated processor
BCM1250
Budget: ~500 cycles per packet (memory access 90 cycles)
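Where the 1.48 million pps figure and the cycle budget come from, as an added derivation (not from the slides): a GigE link saturated with minimum-size frames, each carried on the wire with its preamble/SFD and inter-frame gap.

$$(64 + 8 + 12)\ \text{bytes} \times 8 = 672\ \text{bits per minimum-size frame on the wire}$$

$$\text{pps}_{\max} = \frac{10^{9}\ \text{bit/s}}{672\ \text{bit}} \approx 1.488 \times 10^{6}$$

$$500\ \text{cycles/pkt} \times 1.488 \times 10^{6}\ \text{pkt/s} \approx 7.44 \times 10^{8}\ \text{cycles/s}$$

$$\left\lfloor \frac{500}{90} \right\rfloor = 5\ \text{memory accesses per packet fit inside the budget}$$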
More performance – clustering
[Diagram: ISP upstream links into a load leveling router; Riverhead Guards forming a mitigation cluster; customer switches]
Managed DDoS Services – Cisco Powered Providers
Largest carriers offering "clean pipes" services to F500 enterprises:
– AT&T Internet Protect
– DDoS Defense Option for Internet Protect
– IP Defender
– IP Guardian
– and many others
• Full managed services offered:
– Service agreement and multiyear contract typical
– Gigabit+ dedicated capacity with shared overage
– Customized policies
• Part of a managed security services portfolio
Managed DDoS Services – Cisco Powered Providers
Managed hosting providers are offering DDoS protected services:
– PrevenTier DDoS Mitigation Service
– SureArmour DDoS Protection service
– and many others
• Protection offered with hosting:
– A la carte option, bundled with premium services or included with hosting
– Capacity matched to hosting
– Standardized or customized policies
– Service and attack reporting
Comments: [email protected]
THANK YOU!