
Protection On-Demand: Ensuring Resource Availability


arosario

Presentation Transcript


  1. Protection On-Demand: Ensuring Resource Availability

  2. Agenda • The Growing DDoS Challenge • Existing Solutions • Our Approach • Technical Overview

  3. How do DDoS Attacks Start? Innocent PCs & Servers turn into ‘Zombies’ (diagram labels: ‘Zombies’, DNS, Email)

  4. The Effects of DDoS Attacks • Attack Zombies: massively distributed, spoof source IP, use valid protocols • Server-level DDoS attacks • Infrastructure-level DDoS attacks • Bandwidth-level DDoS attacks (diagram labels: DNS, Email)

  5. Attacks - examples • SYN attack • Huge number of crafted spoofed TCP SYN packets • Fills up the “connection queue” • Denial of TCP service • HTTP attacks • Attackers send a lot of “legitimate” HTTP requests

  6. A few of the Latest High Profile Attacks • Payment Gateways – extortion (on the news) • Authorize.net, PSIGateway, Worldpay, 2checkout • Online Brokerage firms (confidential) • Commercial banks (confidential) • Mydoom Worm – Microsoft, SCO, Yahoo, Lycos, Google • Doubleclick – DNS servers • Akamai - DNS servers • On line gambling sites – extortion • Many others, but most companies will not want the world to know that they were attacked

  7. Distributed Denial of Service Attacks • DDoS is often driven by financial motivation • DoS for hire • Economically driven • Politically driven • Cyber terrorism • DDoS cannot be ignored; modern business depends on effective handling of attacks

  8. Extortion Process • Target enterprise gets an attack to prove the attackers’ capabilities • Typically followed by a demand to transfer about $10,000 at a time to a European bank account • Extorter can withdraw the money at an ATM without showing his face in the bank • Attackers use over 100K PCs • Latest attacks were 2–3 Gbps • The attackers can change the attack type very quickly (change protocol, change target, etc.)

  9. Zombies • Estimates: up to 150 million computers (25% of the Internet) are infected • Very rapid progress in development, ever-increasing sophistication

  10. Attack types (two columns: Bandwidth Consumption Attacks, Resource Starvation Attacks). Bandwidth Consumption Attacks: • Spoofed and Non-Spoofed Flood Attacks – TCP Flag (SYN, SYN-ACK, ACK, FIN), ICMP, UDP; examples: SYN Flood, Smurf, LAND, UDP Flood • Zombie/Botnet Attacks – each zombie or bot source opens multiple TCP connections; each zombie or bot source opens multiple TCP sessions and issues repetitive HTTP requests • DNS Attacks – DNS Request Flood. Resource Starvation Attacks: • Malformed packet checks • Packet Size Attacks – fragmented packets, large packets; examples: Teardrop, Ping-of-Death • Low Rate Zombie/Botnet Attacks – similar to bandwidth consumption attacks except that each attack source sends multiple requests at a low rate • DNS Attacks – DNS Recursive Lookup • SIP Protection – SIP Anti-Spoofing

  11. The scope of the threat * CSI/FBI 2009 survey

  12. DDOS Attack Size

  13. Attacks at the national level

  14. Attack scenarios / patterns of operation • DDoS is a significant attack vector • Patterns of operation

  15. Attack Evolution – Stronger and More Widespread. Two scaling dimensions: Scale of Attacks and Sophistication of Attacks. Past: • Non-essential protocols (e.g. ICMP) • 100s of sources • 10Ks packets/sec. Present: • Essential protocols • Spoofed • 10Ks of zombies • 100Ks packets/sec. Emerging: • Compound and morphing • Million+ packets/sec • 100Ks of zombies

  16. Existing Solutions

  17. SYN Cookies – how it works (diagram: Source, Guard, Target). Stateless part: state is created only for authenticated connections. Source → Guard: syn(isn#); Guard → Source: synack(cky#, isn#+1), WS=0; Source → Guard: ack(cky#+1). Guard → Target: syn(isn#); Target → Guard: synack(isn’#, isn#+1); Guard → Source: ack(isn#+1), WS<>0; Guard → Target: ack(isn’#+1). Sequence # adaptation from here on.
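To make the stateless part of slide 17 concrete, here is an added example (not code from the deck or from the Guard product) of how a guard can compute a SYN cookie as a keyed MAC over the 4-tuple plus a coarse time slot, verify the returning ACK without having stored anything, and then translate sequence numbers once the real handshake with the target has produced a different ISN. The secret, the 64-second slot and the 8/24-bit split are assumptions for this example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real guard would rotate it periodically.
SECRET = b"constructed-example-secret"

def time_slot(now):
    """Coarse 64-second counter (wraps at 256) so stale cookies stop validating."""
    return int(now // 64) & 0xFF

def cookie_mac(src, sport, dst, dport, slot):
    """24-bit keyed MAC over the 4-tuple and slot: the 'stateless part' of the slide."""
    msg = struct.pack("!4sH4sHB", socket.inet_aton(src), sport,
                      socket.inet_aton(dst), dport, slot)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, now):
    """cky#, used as the guard's SYN-ACK sequence number: 8-bit slot | 24-bit MAC."""
    slot = time_slot(now)
    mac = int.from_bytes(cookie_mac(src, sport, dst, dport, slot), "big")
    return (slot << 24) | mac

def check_ack(ack_num, src, sport, dst, dport, now):
    """Validate the handshake's final ACK: ack# must be cky#+1 for a recent slot.
    Only now does the guard create state, and only for this verified source."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (time_slot(now) - slot) & 0xFF > 1:          # too old (or from the future)
        return False
    expected = cookie_mac(src, sport, dst, dport, slot)
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))

def seq_adapt(cky, isn_target):
    """Sequence-number adaptation after the guard completes the real handshake with
    the target: the client believes the server ISN is cky#, the target used isn'#.
    Returns (fix_seq_to_client, fix_ack_to_target) translators for the two directions."""
    delta = (isn_target - cky) & 0xFFFFFFFF
    fix_seq_to_client = lambda seq: (seq - delta) & 0xFFFFFFFF   # target -> client SEQ
    fix_ack_to_target = lambda ack: (ack + delta) & 0xFFFFFFFF   # client -> target ACK
    return fix_seq_to_client, fix_ack_to_target
```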

  18. Blackholing = Disconnecting the customer (network diagram: peering, R1–R5, links of 1000, 1000 and 100, routers R, FE, Server1, Victim, Server2)

  19. At the Edge / Firewall/IPS • Easy to choke • Point of failure • Not scalable (same network diagram: peering, R1–R5, links of 1000, 1000 and 100, FE, Server1, Victim, Server2)

  20. At the Backbone • Throughput • Point of failure • Not scalable (same network diagram: peering, R1–R5, links of 1000, 1000 and 100, FE, Server1, Victim, Server2)

  21. Cisco Solution

  22. Dynamic Diversion Architecture (diagram: Guard XT, Detector XT or Cisco IDS, Arbor Peakflow, Target, Non-targeted servers) 1. Detect 2. Activate: Auto/Manual 3. Divert only the target’s traffic (BGP announcement)

  23. Dynamic Diversion Architecture (continued; diagram labels: Traffic destined to the target, Legitimate traffic to target, Guard XT, Detector XT or Cisco IDS, Arbor Peakflow, Target, Non-targeted servers) 4. Identify and filter the malicious 5. Forward the legitimate 6. Non-targeted traffic flows freely

  24. Technical overview • Diversion/Injection • Anti Spoofing • Anomaly Detection • Performance Issues

  25. Diversion How to “steal” traffic without creating loops?

  26. Diversion – one example (diagram label: L3 next hop) • Diversion: announce a longer prefix from the guard with the no-export and no-advertise BGP communities • Injection: send directly to the next L3 device

  27. Diversion – L3 next hop (diagram: Alert from the Detector XT; ISP 1, ISP 2, Web console, Router, Switch, Guard XT on GEthernet, Firewall, Switch, Target, Riverhead Detector XT, internal network: Web, Chat, E-mail, etc., DNS Servers)

  28. Diversion – one example: injecting with tunnels • Diversion: announce a longer prefix from the guard with the no-export and no-advertise BGP communities • Injection: send directly to the next L3 device

  29. Diversion – one example: long distance diversion (diagram; example address 61.1.1.1)

  30. Filtering bad traffic • Anti Spoofing • Anomaly detection • Performance

  31. Guard Architecture – high level. Control & Analysis Plane: Policy Database, Management, Anomaly Recognition Engine (inserts filters into the data plane). Data Plane: Anti-Spoofing Modules (Basic, Strong; AS Replies), Classifier: Static & Dynamic Filters, Bypass Filter, Sampler, Rate Limiter, Flex Filter Analysis, Connections & Authenticated Clients, Drop Packets

  32. Anti spoofing Unidirectional…..

  33. Anti-Spoofing Defense – one example: HTTP • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified. Exchange (Source, Guard, Target): 1. SYN cookie alg.: syn(isn#), synack(cky#, isn#+1), ack(isn#+1, cky#), GET uri; 2. Redirect rqst: redirect to same URI; 3. Close connection: fin, fin. Client authenticated.

  34. RST cookies – how it works (diagram: Source, Guard, Target). Source → Guard: syn(isn#); Guard → Source: ack(,cky#); Source → Guard: rst(cky). Client authenticated; Guard → Target: syn(isn#).

  35. Anti-Spoofing Defense – one example: DNS Client-Resolver (over UDP) • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified. Exchange (Client, Guard, Target): Ab.com rqst UDP/53 → Ab.com reply TC=1 → syn, synack, ack → Ab.com rqst TCP/53 → Ab.com rqst UDP/53 to Target → Reply → Reply. Authenticated IP; Repeated IP – UDP.
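The TC=1 trick on slide 35 in working form, as an added example that is not code from the deck or the Guard product: an unauthenticated source gets its own question echoed back with QR and TC set and no answers, so a real resolver retries over TCP/53; completing that TCP handshake is what a spoofed address cannot do, so the guard marks the IP as authenticated and forwards its later UDP queries. The minimal wire-format builder, the `DnsGuard` class and the sample query are all constructed here.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100      # DNS header flag bits

def build_query(qname, txid=0x1234):
    """Constructed sample client query: one question, QTYPE A, QCLASS IN, RD set."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def truncated_reply(query):
    """Echo the question back with QR=1, TC=1 and no answer records. A real
    resolver retries the query over TCP/53; a spoofed source never sees this."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, QR | TC | (flags & RD), qdcount, 0, 0, 0)
    return header + query[12:]          # question section copied unchanged

def is_truncated(msg):
    """True when the TC bit is set in a DNS message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

class DnsGuard:
    """Per-source authentication state, only populated while under attack."""
    def __init__(self):
        self.authenticated = set()

    def on_udp_query(self, src_ip, query):
        """Unauthenticated sources get TC=1; authenticated ones are forwarded."""
        if src_ip in self.authenticated:
            return "forward", query
        return "reply", truncated_reply(query)

    def on_tcp_query(self, src_ip, query):
        """Only reachable after the client completed the TCP handshake with the
        guard, which a spoofed source cannot do; mark the IP and forward."""
        self.authenticated.add(src_ip)
        return "forward", query
```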

  36. Anomaly Detection – Against Non-Spoofed Attacks • Extensive profiling: hundreds of anomaly sensors per victim, for global, proxies, discovered top sources, typical source, … • Auto discovery and profiling of services: automatically detects HTTP proxies and maintains specific profiles; learns individual profiles for top sources, separate from the composite profile • Depth of profiles: PPS rates; ratios, e.g. SYNs to FINs; connection counts by status; protocol validity, e.g. DNS queries
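An added illustration (not the Guard’s anomaly recognition engine) of the profiling idea on slide 36: a few of the sensors it lists (PPS rate, SYN-to-FIN ratio, top-source rate) are computed over a window of packets and compared against a learned baseline. The baseline numbers, the 3x tolerance and the two traffic windows are constructed; the second window is the low-rate zombie case from slide 10, where per-source rate looks normal but the aggregate ratio does not.

```python
from collections import Counter

# Constructed baseline ("profile") learned for one victim while not under attack.
BASELINE = {"pps": 2000.0, "syn_per_fin": 1.0, "pps_top_source": 20.0}
TOLERANCE = 3.0          # flag a sensor when observed > TOLERANCE x baseline

def summarize(packets, window_s):
    """packets: list of (src_ip, tcp_flag) tuples captured over window_s seconds."""
    flags = Counter(flag for _, flag in packets)
    per_src = Counter(src for src, _ in packets)
    top = per_src.most_common(1)
    return {
        "pps": len(packets) / window_s,
        "syn_per_fin": flags["SYN"] / max(flags["FIN"], 1),
        "pps_top_source": (top[0][1] if top else 0) / window_s,
        "top_sources": per_src.most_common(3),   # candidates for per-source profiles
    }

def anomalies(summary, baseline=BASELINE, tol=TOLERANCE):
    """Sensors whose observed value exceeds tol x the learned baseline."""
    return {k: summary[k] for k in baseline if summary[k] > tol * baseline[k]}

def normal_window():
    """Constructed: 100 sources, 5 complete connections each (SYN, ACK, ACK, FIN)."""
    return [(f"192.0.2.{i}", f) for i in range(100)
            for _ in range(5) for f in ("SYN", "ACK", "ACK", "FIN")]

def botnet_window():
    """Constructed low-rate zombie attack: 3000 sources, 4 bare SYNs each, no FINs."""
    return [(f"10.{i // 256}.{i % 256}.1", "SYN") for i in range(3000) for _ in range(4)]
```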

  37. Performance • Wire speed requirement … • GigE = 1.48 million pps … • Avoid copying • Avoid interrupts/system calls • Limit the number of memory accesses • PCI bottleneck • DDoS NIC Accelerator

  38. Cosmo board • Replaces the NIC • Handles the data path • Based on the Broadcom BCM1250 integrated processor

  39. BCM1250 budget: ~500 cycles per packet (memory access 90 cycles)

  40. More performance – clustering (diagram: ISP Upstream, ISP Upstream, Load Leveling Router, Mitigation Cluster of Riverhead Guards, Customer Switches)

  41. Managed DDoS Services – Cisco Powered Providers. Largest carriers offering “clean pipes” services to F500 enterprises: • Full managed services offered • Service agreement and multiyear contract typical • Gigabit+ dedicated capacity with shared overage • Customized policies • Part of a managed security services portfolio (logos: AT&T Internet Protect, DDoS Defense Option for Internet Protect, IP Guardian, IP Defender and many others)

  42. Managed DDoS Services – Cisco Powered Providers. Managed hosting providers are offering DDoS protected services: • Protection offered with hosting • A la carte option, bundled with premium services or included with hosting • Capacity matched to hosting • Standardized or customized policies • Service and attack reporting (logos: SureArmour DDoS Protection service, PrevenTier DDoS Mitigation Service and many others)
