Protection On-Demand: Ensuring Resource Availability


Presentation Transcript


  1. Protection On-Demand: Ensuring Resource Availability
     Dan Touitou, dtouitou@cisco.com

  2. Agenda
     • The Growing DDoS Challenge
     • Existing Solutions
     • Our Approach
     • Technical Overview

  3. How do DDoS Attacks Start?
     Innocent PCs & servers turn into ‘Zombies’
     (diagram: zombies, DNS and email servers)

  4. The Effects of DDoS Attacks
     Attack zombies:
     • Massively distributed
     • Spoof source IP
     • Use valid protocols
     (diagram: server-level, infrastructure-level and bandwidth-level DDoS attacks against DNS and email servers)

  5. Attacks - examples
     • SYN attack
       • Huge number of crafted, spoofed TCP SYN packets
       • Fills up the “connection queue”
       • Denial of TCP service
     • HTTP attacks
       • Attackers send a lot of “legitimate” HTTP requests

  6. Existing Solutions

  7. SYN Cookies – how it works
     (sequence diagram: Source, Guard, Target)
     Stateless part, state created only for authenticated connections:
       Source → Guard: syn(isn#)
       Guard → Source: synack(cky#, isn#+1), WS=0
       Source → Guard: ack(cky#+1)
     Guard → Target: syn(isn#)
     Target → Guard: synack(isn’#, isn#+1)
     Guard → Target: ack(isn’#+1)
     Guard → Source: ack(isn#+1), WS<>0
     Sequence # adaptation between cky# and isn’#
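Added here as an illustration, not code from the presentation or from Cisco's Guard: a Python sketch of the stateless part of slide 7 (cookie generation and ACK verification with no per-connection state) and of the sequence-number adaptation needed once the guard has completed a second handshake with the target. The HMAC construction, the 8-bit time slot and the secret are assumptions of this example.

```python
import hmac
import hashlib

# Constructed secret for this example; a real guard would rotate it.
SECRET = b"example-guard-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, t):
    """Stateless cookie (the guard's ISN in its SYN-ACK) for one SYN.

    t is a coarse time counter; its low 8 bits are embedded in the cookie so
    the guard can recover it from the ACK and reject stale cookies.
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}:{t}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    mac24 = int.from_bytes(mac[:3], "big")          # 24 bits of MAC
    return ((mac24 << 8) | (t & 0xFF)) & MASK32


def verify_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Check the handshake's final ACK without any stored per-connection state.

    Returns the client's ISN on success, None otherwise.  Only cookies from
    the current or the previous time slot are accepted.
    """
    cookie = (ack - 1) & MASK32          # the ACK acknowledges cky#+1
    client_isn = (seq - 1) & MASK32      # the ACK carries isn#+1
    t = cookie & 0xFF
    if (now - t) & 0xFF not in (0, 1):
        return None
    if syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, t) != cookie:
        return None
    return client_isn


def seq_adapter(cookie, target_isn):
    """Sequence-number adaptation for an authenticated connection.

    The client believes the server's ISN is the cookie, while the real target
    chose target_isn; every relayed packet is rewritten by the difference.
    """
    delta = (target_isn - cookie) & MASK32

    def to_target(ack_from_client):      # ACK numbers going to the target
        return (ack_from_client + delta) & MASK32

    def to_client(seq_from_target):      # SEQ numbers going to the client
        return (seq_from_target - delta) & MASK32

    return to_target, to_client
```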

  8. Blackholing = Disconnecting the customer
     (network diagram: peering routers R4/R5, core routers R2/R3, edge router R1, FE switches, Server1, Victim, Server2; link labels 1000, 1000, 100)

  9. At the Edge / Firewall/IPS
     • Easy to choke
     • Point of failure
     • Not scalable
     (same network diagram as slide 8)

  10. At the Backbone
     • Throughput
     • Point of failure
     • Not scalable
     (same network diagram as slide 8)

  11. Cisco Solution

  12. Dynamic Diversion Architecture
     1. Detect (Detector XT, or Cisco IDS, Arbor Peakflow)
     2. Activate: auto/manual
     3. Divert only the target’s traffic (BGP announcement from the Guard XT)
     (diagram: Guard XT, Detector XT, target, non-targeted servers)

  13. Dynamic Diversion Architecture (continued)
     4. Identify and filter the malicious traffic (Guard XT)
     5. Forward the legitimate traffic to the target
     6. Non-targeted traffic flows freely
     (diagram: traffic destined to the target, legitimate traffic to target, Guard XT, Detector XT or Cisco IDS, Arbor Peakflow, non-targeted servers)

  14. Technical overview
     • Diversion/Injection
     • Anti-spoofing
     • Anomaly detection
     • Performance issues

  15. Diversion
     How to “steal” traffic without creating loops?

  16. Diversion – one example: L3 next hop
     Diversion: announce a longer prefix from the guard (BGP, with the no-export and no-advertise communities)
     Injection: send directly to the next L3 device

  17. (network diagram of the L3 next-hop diversion: ISP 1 and ISP 2 peering routers, alert from the Riverhead Detector XT to the Guard XT via the web console, Guard XT attached to the switch by Gigabit Ethernet, firewall, internal network with the target, web/chat/e-mail and DNS servers)

  18. Diversion – one example: injecting with tunnels
     Diversion: announce a longer prefix from the guard (BGP, with the no-export and no-advertise communities)
     Injection: send directly to the next L3 device

  19. Diversion – one example: long distance diversion
     (diagram: diverted address 61.1.1.1)

  20. Filtering bad traffic
     • Anti-spoofing
     • Anomaly detection
     • Performance

  21. Guard Architecture – high level
     Control & Analysis Plane: Policy Database, Management, Anomaly Recognition Engine, Analysis (inserts filters into the data plane)
     Data Plane: Classifier with static & dynamic filters (Bypass, Filter, Sampler, Rate Limiter), Anti-Spoofing Modules (Strong, Basic, Flex Filter) producing AS replies, Connections & Authenticated Clients, Drop Packets

  22. Anti-spoofing: Unidirectional…

  23. Anti-Spoofing Defense - one example: HTTP
     • Antispoofing only when under attack
     • Authenticate source on initial query
     • Subsequent queries verified
     (sequence diagram: Source, Guard, Target)
     1. SYN cookie alg.: syn(isn#) → synack(cky#, isn#+1) → ack(isn#+1, cky#)
     2. Redirect rqst: GET uri → redirect to same URI
     3. Close connection: fin / fin; client authenticated

  24. RST cookies – how it works
     (sequence diagram: Source, Guard, Target)
     Source → Guard: syn(isn#)
     Guard → Source: ack(, cky#)
     Source → Guard: rst(cky); client authenticated
     Source → Target: syn(isn#)

  25. Anti-Spoofing Defense - one example: DNS Client-Resolver (over UDP)
     • Antispoofing only when under attack
     • Authenticate source on initial query
     • Subsequent queries verified
     (sequence diagram: Client, Guard, Target)
     Client → Guard: Ab.com rqst UDP/53
     Guard → Client: Ab.com reply, TC=1
     Client ↔ Guard: syn / synack / ack
     Client → Guard: Ab.com rqst TCP/53
     Guard → Target: Ab.com rqst UDP/53
     Target → Guard → Client: reply; authenticated IP
     Repeated rqst from the authenticated IP over UDP: reply
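The following Python sketch is an added example, not code from the presentation or from the Guard product: it models the guard's decision logic on slide 25, answering an unauthenticated UDP source with an empty TC=1 reply so that a real resolver retries over TCP, and treating a query that arrives over TCP (whose handshake cannot be spoofed) as proof of the source address. The `DnsGuard` class, the authentication TTL and the sample query are assumptions of this example.

```python
import struct

QR, TC = 0x8000, 0x0200          # DNS header flag bits
KEEP = 0x7800 | 0x0100           # opcode and RD are copied from the query


def build_query(name, txid):
    """Constructed client query: a single A/IN question for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def tc_reply(query):
    """Empty reply to `query` with TC=1: a well-behaved resolver retries over TCP."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, QR | TC | (flags & KEEP), qdcount, 0, 0, 0)
    return header + query[12:]   # echo the question section unchanged


def is_tc_reply(msg):
    return struct.unpack("!H", msg[2:4])[0] & (QR | TC) == (QR | TC)


class DnsGuard:
    """Anti-spoofing for client-resolver DNS traffic as described on the slide:
    under attack, an unknown UDP source gets TC=1; a query that then arrives
    over TCP authenticates the source IP for `ttl` seconds."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.authenticated = {}      # client ip -> expiry time (seconds)
        self.under_attack = False

    def handle(self, src_ip, proto, query, now):
        """Return ('forward', query) to pass the query on to the target, or
        ('reply', msg) when the guard answers the client itself."""
        if not self.under_attack:
            return "forward", query  # antispoofing only when under attack
        if proto == "tcp":           # handshake completed: address is genuine
            self.authenticated[src_ip] = now + self.ttl
            return "forward", query
        if self.authenticated.get(src_ip, 0) > now:
            return "forward", query  # repeated UDP query from authenticated IP
        return "reply", tc_reply(query)
```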

  26. Anomaly Detection Against Non-Spoofed Attacks
     • Extensive profiling
       • Hundreds of anomaly sensors per victim
       • For global, proxies, discovered top sources, typical source, …
     • Auto discovery and profiling of services
       • Automatically detects HTTP proxies and maintains specific profiles
       • Learns individual profiles for top sources, separate from the composite profile
     • Depth of profiles
       • PPS rates
       • Ratios, e.g. SYNs to FINs
       • Connection counts by status
       • Protocol validity, e.g. DNS queries
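As an added example (not code from the presentation or the product), the Python below learns two of the profile features named on slide 26, the packet rate and the SYN:FIN ratio, from constructed normal traffic, keeps a composite profile plus individual profiles for the top sources, and flags a window whose features exceed them. The threshold rule (mean plus three standard deviations, with a floor of 1.5 times the mean), the record format and the sample traffic are assumptions of this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

FEATURES = ("pps", "syn_fin")


def window_stats(packets):
    """Features of one one-second window of (src_ip, tcp_flag) records:
    the packet rate and the ratio of SYNs to FINs."""
    c = Counter(flag for _, flag in packets)
    return {"pps": len(packets), "syn_fin": c["S"] / max(c["F"], 1)}


def thresholds(windows, k=3.0):
    """Per-feature threshold learned from normal windows: mean + k*stdev,
    floored at 1.5x the mean so a zero-variance baseline is not brittle."""
    out = {}
    for f in FEATURES:
        vals = [window_stats(w)[f] for w in windows]
        out[f] = max(mean(vals) + k * pstdev(vals), 1.5 * mean(vals))
    return out


def learn_profiles(windows, top_n=2, k=3.0):
    """Composite profile ('*') plus individual profiles for the top_n sources,
    learned separately from the composite as the slide describes."""
    volume = Counter(src for w in windows for src, _ in w)
    profiles = {"*": thresholds(windows, k)}
    for src, _ in volume.most_common(top_n):
        profiles[src] = thresholds([[p for p in w if p[0] == src] for w in windows], k)
    return profiles


def detect(window, profiles):
    """(source, feature) pairs exceeding their profile in one window: the whole
    window is judged against the composite, top sources against their own."""
    alerts = [("*", f) for f in FEATURES if window_stats(window)[f] > profiles["*"][f]]
    per_src = defaultdict(list)
    for rec in window:
        per_src[rec[0]].append(rec)
    for src, pk in per_src.items():
        if src in profiles:
            alerts += [(src, f) for f in FEATURES if window_stats(pk)[f] > profiles[src][f]]
    return alerts


def make_window(n_sources, per_source, syn_only=False):
    """Constructed traffic: every source opens and closes per_source connections
    (S, A, F records each), or sends only SYNs when syn_only (a SYN flood)."""
    w = []
    for i in range(n_sources):
        src = f"198.51.100.{i + 1}"
        for _ in range(per_source):
            w += [(src, "S")] if syn_only else [(src, "S"), (src, "A"), (src, "F")]
    return w


BASELINE = [make_window(5, 3 + (i % 2)) for i in range(10)]   # constructed quiet period
```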

  27. Performance
     • Wire speed - requirement …
       • GigE = 1.48 million pps …
     • Avoid copying
     • Avoid interrupt/system call
     • Limit the number of memory accesses
     • PCI bottleneck
     • DDoS NIC accelerator

  28. Cosmo board
     • Replaces the NIC
     • Handles the data path
     • Based on the Broadcom BCM1250 integrated processor

  29. BCM1250 budget - ~500 cycles per packet (a memory access costs 90 cycles)

  30. More performance - clustering
     (diagram: two ISP upstreams, load-leveling router, mitigation cluster of Riverhead Guards, customer switches)

  31. THANK YOU! Comments: dtouitou@cisco.com
