Diversion & Sieving Techniques to Defeat DDoS
Yehuda Afek, Tel-Aviv University / WANWall Ltd.
Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou, WANWall Ltd.

DDoS protection: where & how?
[Diagram: peering routers R4 and R5, backbone routers R2 and R3, edge router R1 and a front end FE in front of Server1 (the victim) and Server2; link labels 1000, 1000 and 100 along the path]

1. At the routers: ACLs, CARs, null route
• Random spoofing
• Throws good with bad
• Router degradation
[Same topology diagram]

2. At the edge
• Choked
• Point of failure
• Not scalable
[Same topology diagram]

3. At the backbone
• Throughput
• Point of failure
• All suffer
[Same topology diagram]

4. Diversion
• Not on the critical path
• Routers route
• Upstream
• Sharing
• Dynamic
[Same topology diagram]
Basic scheme
[Diagram: ISP backbone with peering router PR; victim in AS 24, attack sources in AS 56]

Basic concepts
• Divert the victim's traffic
• Sieve it
• Legitimate traffic continues on its route
[Diagram: victim traffic is diverted at router R to the guard; clean traffic is returned to the victim; malicious packets are recorded in a database]

Operational process
[Diagram: steps 1 and 2 between the victim, the NOC and AS x]

Sieving
Input: malicious traffic. Stages: anti-spoofing; learning & statistical analysis; HTTP analysis & authentication; packet filtering. Output: clean traffic.
Sieving techniques
Filters: IPs, ports, flags, etc.
Anti-spoofing:
• TCP
• Other
Recognition:
• Statistical analysis
• Layers 3-7
High-level protocols:
• HTTP specific (recognize anomalous behavior)
• Other
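The sieve stages listed above (static filters followed by TCP anti-spoofing) can be shown end to end with a small stateless SYN-cookie guard. This is an added example, not the authors' or WANWall's code: the victim address, the blocked-port list, the secret and the traffic are all constructed, and the "verify, then reset so the client reconnects and is trusted" step is a simplified version of one way to hand a verified source back to the victim.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo secret; a real guard would rotate it per time slot.
SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF
VICTIM_IP = "203.0.113.10"   # constructed victim address (TEST-NET-3)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST
    seq: int = 0
    ack: int = 0


def syn_cookie(src, sport, dst, dport, tslot):
    """32-bit cookie bound to the 4-tuple and a time slot; no per-SYN state."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tslot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Sieve:
    def __init__(self, victim, blocked_ports=(), tslot=0):
        self.victim = victim
        self.blocked_ports = set(blocked_ports)
        self.tslot = tslot
        self.verified = set()   # sources that proved they receive our replies
        self.stats = {"filtered": 0, "challenged": 0, "verified": 0,
                      "passed": 0, "dropped": 0}

    def process(self, pkt):
        """Return (action, packet): 'pass' forwards pkt to the victim,
        'reply' sends packet back towards the source, 'drop' discards it."""
        # Stage 1: static filters on IPs, ports and flags.
        if pkt.dst != self.victim or pkt.dport in self.blocked_ports:
            self.stats["filtered"] += 1
            return "drop", None
        # Stage 2: sources that already passed the challenge go straight through.
        if pkt.src in self.verified:
            self.stats["passed"] += 1
            return "pass", pkt
        # Stage 3: TCP anti-spoofing. A spoofed source never sees the SYN-ACK,
        # so it can never return the cookie.
        if pkt.flags == "S":
            self.stats["challenged"] += 1
            c = syn_cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport, self.tslot)
            return "reply", Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SA",
                                   seq=c, ack=(pkt.seq + 1) & MASK32)
        if pkt.flags == "A":
            expected = (syn_cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                                   self.tslot) + 1) & MASK32
            if pkt.ack == expected:
                # Real source: remember it and reset, so the client reconnects
                # and its next SYN is passed to the victim (simplified model).
                self.verified.add(pkt.src)
                self.stats["verified"] += 1
                return "reply", Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport,
                                       "R", seq=pkt.ack)
        self.stats["dropped"] += 1
        return "drop", None


def legitimate_client(sieve, src, sport):
    """A real host: answers the SYN-ACK, then reconnects after the RST."""
    action, synack = sieve.process(Packet(src, sport, sieve.victim, 80, "S", seq=1000))
    if action != "reply" or synack.flags != "SA":
        raise RuntimeError("expected a SYN-ACK challenge")
    action, rst = sieve.process(Packet(src, sport, sieve.victim, 80, "A",
                                       seq=1001, ack=(synack.seq + 1) & MASK32))
    if action != "reply" or rst.flags != "R":
        raise RuntimeError("expected a reset after verification")
    action, _ = sieve.process(Packet(src, sport + 1, sieve.victim, 80, "S", seq=5000))
    return action   # "pass": the reconnect reaches the victim


def run_demo():
    """Constructed traffic mix: spoofed SYN flood, a bogus ACK, a filtered port
    and one legitimate client. Returns (client outcome, sieve counters)."""
    sieve = Sieve(VICTIM_IP, blocked_ports={135, 445})
    for i in range(1000):   # spoofed sources never answer the challenge
        sieve.process(Packet(f"198.51.100.{i % 254 + 1}", 40000 + i, VICTIM_IP, 80, "S", seq=i))
    good = (syn_cookie("198.51.100.7", 40007, VICTIM_IP, 80, 0) + 1) & MASK32
    sieve.process(Packet("198.51.100.7", 40007, VICTIM_IP, 80, "A", seq=8, ack=good ^ 1))
    sieve.process(Packet("198.51.100.8", 40008, VICTIM_IP, 445, "S"))
    return legitimate_client(sieve, "192.0.2.55", 51000), sieve.stats


if __name__ == "__main__":
    print(run_demo())
```

The counters show the point of the slide: the thousand spoofed SYNs cost the guard no state and produce no forwarded packet, while the one source that can actually receive a reply gets through.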
Diversion
• Divert
• Return good traffic, without looping!
[Diagram: victim traffic is diverted at router R to the guard; clean traffic is returned to the victim; malicious packets are recorded in a database]

Diversion: BGP + next L3
• Divert: BGP announce a /32 from the box with the no_export and no_advertise communities
• Return: via the next layer 3 device
[Diagram: BGP divert at router R; clean traffic returned through an L2 device to the next L3 device in front of the victim]

Diversion: BGP + GRE
• Divert: BGP
• Return: GRE
GRE de-encapsulation increases VIP load by < 20% [Wessels & Hardie, NANOG19, Albuquerque]
[Diagram: BGP divert at router R; clean traffic returned over a GRE tunnel to the router in front of the victim]
Diversion test
[Diagram: test topology with attack sources A, client C, routers R (Gig links), the guard W, a 100BT link, the victim V and a non-victim host I. Phase 1: normal traffic; Phase 2: attack + normal traffic; Phase 3: attack + normal traffic + diversion]

Diversion effect
[Plot: latency in usec for normal traffic, attack, and attack + diversion]
Diversion: WCCP v2
Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt]
• Remote diversion
• A protocol, no dynamic configuration
Current status: available on 6500, 7200, 7500 and 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF. Other vendors?
[Diagram: WCCP divert at router R; clean traffic returned to the victim]

Diversion: PBR / FBF
• Divert: Policy Based Routing / Filter Based Forwarding
• Return: normal route table
[Diagram: PBR divert at router R; clean traffic returned to the victim]

Diversion: BGP + PBR
• Divert: BGP
• Return: PBR on the guard's interface card
[Diagram: BGP divert at router R; clean traffic returned via PBR to the victim]

PBR
Dynamic configuration:
• Adding an access list on demand
CPU load:
• VIP or RSP CPU load
• Juniper FBF: dedicated processor, Internet Processor II (from JunOS 4.4)
[Diagram: PBR divert at router R; clean traffic returned to the victim]
PBR warts
IOS 12.1(8a)E4, 12.0(18)S and 12.2(2)T with "distributed cef" will not PBR properly! Bug ID: cscdp78100
• All packets are diverted, rather than only those that match
• But "ip cef" works properly
• Tested on a 7513 on FE as well as GE (GEIP+)
Configuration used (victim-ip, victim-mask and guard-IP are placeholders):
    ip access-list extended WW33
     permit ip any victim-ip victim-mask
    route-map WWMap permit 33
     match ip address WW33
     set ip next-hop guard-IP
    interface GigabitEthernet0/0/0
     ip policy route-map WWMap
    end
Diversion: double addressing
• Divert: BGP
• Return: double addressing; the victim also has a private IP address, routed only internally
[Diagram: BGP divert at router R; clean traffic returned to the victim's internal address]

Double addressing
[Diagram: peering router PR, NAT, AS, data center, victim]
Reverse protection
[Diagram: victim in AS x, protection in AS y]

Flash crowd: reverse proxy [Wessels & Hardie, Surrogate, NANOG19]
[Diagram: AS x]

Diversion for DDoS: summary
• Maximize goodput to the victim
• Leave the data path free
• Let routers route
• Protect any device
• Share a large resource on demand
• Upstream (à la push back)