1. 18-9-2012 1 Denial of Service attacks Kurtis@KPNQwest.net
2. The old Internet
More or less until 2000/2001
Collaboration via mail and News
Information publishing and retrieving
eCommerce starting to grow
Attacks then took out specific destinations for specific reasons
3. The new Internet
Enterprises are moving more and more of their internal traffic to run over the Internet
IP-VPNs
MP<whatever>S
Data is getting more and more critical
Attacks are still the same
But the stakes are higher…
…and they affect more than just the destination networks and hosts
4. Why?
Attacks are based on a relationship between humans
We could eliminate the reasons…
Shut down IRC
Close down Internet access to universities
…but it’s not a very efficient way…
…and perhaps we are looking at it from the wrong perspective…
5. Attacks
This is a real problem
3-4 attacks in 1.5 days…
Attacks are well known and well documented
ACKs, SYNs, ICMP, etc.
Are mostly targeting a single host
Most likely a single user
Often involves academic or research networks
Or generally clueless server/network operators
Most often takes out the provider's networks as well as the target
Routers cannot handle the load
Start to drop packets
Customers' VPNs go down as well as the attacked host
6. How do we detect them?
Not really a problem…
…DDoS attacks are now around 200M and upwards
End-user IDS systems also have rudimentary detection
7. How do we stop them?
By fixing our networks!
Most of the attacks use spoofed source addresses
Carriers and network operators should filter incoming packets at the edge
RFC2827
“no ip directed-broadcast” has been known for years
It is now even default…
…but still attacks are being generated
We also need to fix host security…
Hosts used as bases for attacks and participants in attacks
This becomes blurred in hosted environments
8. How do we stop them?
Filtering(?)
Where to get the data…
…RIPE database is not up to date…
…would a national registry really make us keep this up to date?
Depending on attack there is always a pattern to match
Problem is in the volume…
…how to find the pattern…
…and how to be able to drop…
9. How do we stop them?
Black-holes
KPNQwest uses a standard BGP community
Routes matching the community are null-routed on the edges
Makes for an easy and fast implementation
Has drawbacks
No “security” or authentication of the community
Adds small routes to iBGP
Only applicable inside our networks
Perhaps this could be evolved though
This actually makes the attacker succeed, since the target becomes unreachable anyway
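The two mechanisms above (the RFC2827 ingress filtering from slide 7 and the community-triggered black-hole from slide 9), as an added configuration example in Cisco IOS syntax; it is not KPNQwest's configuration, and the AS number 65000, the community 65000:666, the addresses 192.0.2.1, 203.0.113.0/24, 198.51.100.10, 10.0.0.2 and the interface name are placeholders.

```ios
! Added example, not KPNQwest's configuration. AS 65000, community 65000:666,
! 192.0.2.1, 203.0.113.0/24, 198.51.100.10, 10.0.0.2 and Serial0/0 are placeholders.
!
! --- Edge router: RFC2827 ingress filter on a customer interface ---
! Only packets sourced from the prefix assigned to this customer may enter;
! packets with spoofed sources are dropped and logged.
ip access-list extended CUST-A-INGRESS
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Customer A
 ip access-group CUST-A-INGRESS in
 no ip directed-broadcast
 ! strict uRPF is an alternative to the ACL where routing is symmetric
 ip verify unicast source reachable-via rx
!
! --- Every edge router: discard route for the black-hole next-hop ---
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard BLACKHOLE permit 65000:666
!
! Any iBGP route carrying the community is forced to the discard next-hop,
! whatever next-hop the sender set. Nothing authenticates the community
! itself, which is the drawback the slide points out.
route-map BLACKHOLE-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
route-map BLACKHOLE-IN permit 20
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.2 route-map BLACKHOLE-IN in
!
! --- Trigger router: the NOC injects a /32 for the host under attack ---
! A tagged static route is redistributed into BGP with the community set;
! removing the static route withdraws the black-hole again.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
!
route-map BLACKHOLE-TRIGGER permit 10
 match tag 666
 set community 65000:666
 set ip next-hop 192.0.2.1
 set origin igp
!
router bgp 65000
 redistribute static route-map BLACKHOLE-TRIGGER
```

Traffic to 198.51.100.10 is then discarded on every edge router that has the discard route, which unloads the backbone but also completes the denial of service for that host.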
10. How do we stop them?
CAR filtering of ICMP packets
Also hits “good” traffic, both under attack and in the normal situation
Will load the routers
All of the above usually require good co-operation
Mostly working due to personal relationships
A number of vendors' equipment
Wanwall, Cisco, Foundry, etc.
All only work on a sub-set of attacks
Do they perform any better than our routing equipment?
11. Summary…
The only real solution is to take away “most” of the attackers' “tools”
Servers and networks
This is something we will have to do in the future anyway…
Monitoring and understanding of the attacks in the NOCs helps us limit the damage…
…but mostly by helping the attackers succeed.
What are other people doing?