Denial of Service attacks

1. 18-9-2012 1 Denial of Service attacks Kurtis@KPNQwest.net

2. 18-9-2012 2 The old Internet More or less until 2000/2001 Collaboration via mail and News Information publishing and retrieving eCommerce starting to grow Attacks then took out specific destinations for specific reasons

3. 18-9-2012 3 The new Internet Enterprises are moving more and more of their internal traffic to run over the Internet IP-VPNs MP<whatever>S Data is getting more and more critical Attacks are still the same But the stakes are higher� �and affects more than just the destination networks and hosts

4. 18-9-2012 4 Why? Attacks are based on a relationship between humans We could eliminate the reasons� Shut down IRC Close down Internet access to universities �but it�s not a very efficient way� �and perhaps we are looking at it from the wrong perspective�

5. 18-9-2012 5 Attacks This is a real problem 3-4 attacks in 1.5 days�. Attacks are well known and well documented ACKs, SYNs, ICMP etc Are mostly targeting a single host Most likely a single user Often involves academic or research networks Or generally clueless server/network operators Most often takes out providers networks as well as the target Routers can not handle the load Starts to drop packets Customers VPNs go down as well as the attacked host

6. 18-9-2012 6 How do we detect them? Not really a problem� �DDoS attacks are now around 200M and upwards End-user IDS systems also have rudimentary detections

7. 18-9-2012 7 How do we stop them? By fixing our networks! Most of the attacks are with spoofed addresses Carriers and network operators should filter incoming packets at the edge RFC2827 �no ip directed-broadcast� have been known for years It is now even default� �but still attacks are being generated We also need to fix host security� Hosts used as bases for attacks and participants in attacks This becomes blurred in hosted environments

8. 18-9-2012 8 How do we stop them? Filtering(?) Where to get the data� �RIPE database is not up to date� �does really a national registry make us keep this up-to-date? Depending on attack there is always a pattern to match Problem is in the volume� �how to find the pattern� �and how to be able to drop�

9. 18-9-2012 9 How do we stop them? Black-holes KPNQwest uses a standard BGP community Routes matching community will be Null:ed on the edges Makes for a easy and fast implementation Has drawbacks No �security� or authentication of community Adds small routes in iBGP Only applicable inside our networks Perhaps this could be evolved though This will actually make the attacker succeed

10. 18-9-2012 10 How do we stop them? CAR filtering of ICMP packets Also hit�s �good� traffic, both under attack and in normal situation Will load the routers All of the above most of the time require good co-operation Mostly working due to personal relationships Number of vendors equipment Wanwall, Cisco, Foundry, etc All only work on a sub-set of attacks Do they perform any better than our routing equipment?

11. 18-9-2012 11 Summary� The only real solution is to take away �most� of the attackers �tools� Servers and networks This is something we will have to do in the future anyway� Monitoring and understanding of the attacks in the NOCs help us limit the damage� �but mostly by helping the attackers succeed. What are other people doing?