Protection On-Demand: Ensuring Resource Availability
Dan Touitou, dtouitou@cisco.com

Agenda
• The Growing DDoS Challenge
• Existing Solutions
• Our Approach
• Technical Overview
How do DDoS Attacks Start?
[Diagram: innocent PCs and servers turn into ‘Zombies’; labels: DNS, Email]

The Effects of DDoS Attacks
Attack Zombies:
• Massively distributed
• Spoof Source IP
• Use valid protocols
[Diagram: Server-level, Infrastructure-level and Bandwidth-level DDoS attacks; labels: DNS, Email]

Attacks - examples
• SYN attack
  • Huge number of crafted spoofed TCP SYN packets
  • Fills up the “connection queue”
  • Denial of TCP service
• HTTP attacks
  • Attackers send a lot of “legitimate” HTTP requests
A few of the Latest High Profile Attacks
• Payment Gateways – extortion (on the news)
  • Authorize.net, PSIGateway, Worldpay, 2checkout
• Online Brokerage firms (confidential)
• Commercial banks (confidential)
• Mydoom Worm – Microsoft, SCO, Yahoo, Lycos, Google
• Doubleclick – DNS servers
• Akamai – DNS servers
• On line gambling sites – extortion
• Many others, but most companies will not want the world to know that they were attacked

Distributed Denial of Service Attacks
• DDoS is often driven by financial motivation
  • DoS for hire
  • Economically-driven
  • Politically driven
  • Cyber terrorism
• DDoS cannot be ignored; modern business depends on effective handling of attacks

Extortion Process
• Target enterprise gets an attack to prove the attackers' capabilities
• Typically followed by a demand to transfer about $10,000 at a time to a European bank account
• Extorter can withdraw the money using an ATM machine without showing his face in the bank
• Attackers use over 100K PCs
• Latest attacks were 2 – 3 Gbps
• The attackers can change the attack type very quickly (change protocol, change target etc.)

Attack Evolution: Stronger and More Widespread
Two scaling dimensions: scale of attacks and sophistication of attacks.
Past:
• Non-essential protocols (eg ICMP)
• 100s sources
• 10Ks packets/sec
Present:
• Essential protocols
• Spoofed
• 10Ks of zombies
• 100Ks packets/sec
Emerging:
• Compound and morphing
• Million+ packets/sec
• 100Ks of zombies
SYN Cookies – how it works
[Sequence diagram between Source, Guard and Target, reconstructed as a list]
Stateless part (no state held by the guard yet):
• Source → Guard: syn(isn#)
• Guard → Source: synack(cky#, isn#+1), WS=0
• Source → Guard: ack(cky#+1)
State created only for authenticated connections:
• Guard → Target: syn(isn#)
• Target → Guard: synack(isn’#, isn#+1)
• Guard → Source: ack(isn#+1), WS<>0
• Guard → Target: ack(isn’#+1)
• Sequence # adaptation between cky# and isn’# for the rest of the connection
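The exchange on this slide, worked through as an added Python example (not code from the deck, nor from Cisco or Riverhead): a guard that mints stateless SYN cookies, creates per-flow state only once a returning ACK validates, and then rebases sequence numbers between its cky# and the target's isn’#. The cookie layout (8-bit epoch, 24-bit HMAC), the 64-second epoch, the addresses and the stub target handshake are all assumptions.

```python
import hashlib, hmac, os

MASK = 0xFFFFFFFF
TICK = 64                    # seconds per cookie epoch (assumption)
SECRET = os.urandom(16)      # constructed per-process key; a real guard would rotate it

def _mac(tup, isn, epoch):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the epoch counter."""
    msg = f"{tup}:{isn}:{epoch}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(tup, isn, now):
    """Guard's SYN-ACK ISN (cky#): 8-bit epoch in the top byte, MAC in the low 24 bits."""
    epoch = int(now // TICK) & 0xFF
    return (epoch << 24) | _mac(tup, isn, epoch)

def check_cookie(cky, tup, isn, now):
    """True only if we minted cky for this 4-tuple and ISN within the last two epochs."""
    epoch, cur = cky >> 24, int(now // TICK) & 0xFF
    return (cur - epoch) & 0xFF <= 1 and (cky & 0xFFFFFF) == _mac(tup, isn, epoch)

class Guard:
    """Keeps no per-flow state until a valid ACK proves the source address is real."""
    def __init__(self, target_handshake):
        self.target_handshake = target_handshake  # stub for the guard<->target 3-way handshake
        self.delta = {}                           # tup -> (isn'# - cky#), authenticated flows only
    def on_syn(self, tup, isn, now):
        cky = make_cookie(tup, isn, now)          # stateless: nothing stored for this SYN
        return {"flags": "SYN-ACK", "seq": cky, "ack": (isn + 1) & MASK, "win": 0}
    def on_ack(self, tup, seq, ack, now):
        isn, cky = (seq - 1) & MASK, (ack - 1) & MASK   # recover isn# and cky# from the ACK
        if not check_cookie(cky, tup, isn, now):
            return None                           # spoofed or stale: drop, still no state
        isn2 = self.target_handshake(tup, isn)    # guard now opens the real connection
        self.delta[tup] = (isn2 - cky) & MASK     # sequence-number adaptation offset
        return {"flags": "ACK", "seq": (cky + 1) & MASK, "ack": (isn + 1) & MASK, "win": 65535}
    def to_client_seq(self, tup, seq):            # target -> client: rebase isn'# space onto cky#
        return (seq - self.delta[tup]) & MASK
    def to_target_ack(self, tup, ack):            # client -> target: rebase cky# space onto isn'#
        return (ack + self.delta[tup]) & MASK

def demo():
    """Constructed addresses; the stub target always picks isn'# = 0x7A7A7A7A."""
    tup = ("203.0.113.7", 40000, "198.51.100.10", 80)
    g = Guard(lambda tup, isn: 0x7A7A7A7A)
    sa = g.on_syn(tup, 1000, now=0)
    good = g.on_ack(tup, 1001, (sa["seq"] + 1) & MASK, now=10)
    bad = g.on_ack(tup, 1001, 12345, now=10)     # blind ACK carrying a guessed number
    return sa, good, bad, g.to_client_seq(tup, 0x7A7A7A7B)
```

Only the ACK that echoes a cookie minted for the same 4-tuple within the tolerance window ever causes the guard to allocate state or touch the target.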
Blackholing = Disconnecting the customer
[Topology diagram: peering routers R4 and R5, core routers R2 and R3 on 1000 links, R1 on a 100 link, access routers R, an FE switch, then Server1, the Victim and Server2]

At the Edge / Firewall/IPS
• Easy to choke
• Point of failure
• Not scalable
[Same topology diagram as the blackholing slide]

At the Backbone
• Throughput
• Point of failure
• Not scalable
[Same topology diagram as the blackholing slide]
Dynamic Diversion Architecture
1. Detect the target (Detector XT, or Cisco IDS, Arbor Peakflow)
2. Activate: Auto/Manual
3. Divert only the target’s traffic (BGP announcement from the Guard XT)
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely to the non-targeted servers
Technical overview
• Diversion/Injection
• Anti Spoofing
• Anomaly Detection
• Performance Issues

Diversion
How to “steal” traffic without creating loops?
Diversion – one example
Diversion: announce a longer prefix from the guard via BGP, tagged with the no-export and no-advertise communities
Injection: send directly to the next L3 device (L3 next hop)
[Diagram: ISP 1 and ISP 2 → router → Guard XT on a Gigabit Ethernet switch → firewall → switch → target; a Detector XT on the internal network (Web, Chat, E-mail, etc., DNS servers) raises the alert; a web console manages the Guard XT]

Diversion – one example – injecting with tunnels
Diversion: announce a longer prefix from the guard via BGP, tagged with the no-export and no-advertise communities
Injection: send directly to the next L3 device, here over a tunnel
Filtering bad traffic
• Anti Spoofing
• Anomaly detection
• Performance

Guard Architecture – high level
Control & Analysis Plane: Policy Database, Management, Anomaly Recognition Engine (inserts filters into the data plane)
Data Plane: Bypass Filter; Classifier (Static & Dynamic Filters); Anti-Spoofing Modules (Basic, Strong, Flex Filter) sending AS Replies; Sampler; Rate Limiter; Analysis (Connections & Authenticated Clients); Drop Packets

Anti spoofing – Unidirectional…
Anti-Spoofing Defense – one example: HTTP
• Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
[Sequence diagram between Source, Guard and Target]
1. SYN cookie alg.: syn(isn#) → synack(cky#, isn#+1) → ack(isn#+1, cky#)
2. Redirect rqst: GET uri → Redirect to same URI
3. Close connection: fin / fin; client authenticated

RST cookies – how it works
[Sequence diagram between Source, Guard and Target]
• Source → Guard: syn(isn#)
• Guard → Source: ack(,cky#)
• Source → Guard: rst(cky)
• Client authenticated; the Source retransmits syn(isn#)

Anti-Spoofing Defense – one example: DNS Client-Resolver (over UDP)
• Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
[Sequence diagram between Client, Guard and Target]
1. Client → Guard: Ab.com rqst, UDP/53
2. Guard → Client: Ab.com reply with TC=1
3. Client → Guard: syn / synack / ack, then Ab.com rqst over TCP/53; the Guard passes the Ab.com rqst on to the Target (UDP/53) and relays the Reply; IP authenticated
4. Repeated Ab.com rqst from the authenticated IP over UDP is replied to normally
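The DNS exchange above, as an added Python example (not code from the deck, nor from Cisco or Riverhead): the guard answers an unknown source with a truncated (TC=1) reply that echoes the query, and only a source that then completes a TCP handshake and re-asks over TCP/53 is marked authenticated, after which its UDP queries are forwarded. The sample query bytes, the 300-second authentication lifetime and the tuple-based return values are assumptions.

```python
import struct

# Constructed query: ID 0x1234, RD set, one question "ab.com" IN A (the slide's "Ab.com rqst").
QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x02ab\x03com\x00" + b"\x00\x01\x00\x01"

def _question_end(msg, off=12):
    """Offset just past the first question: name labels, then 2-byte QTYPE and QCLASS."""
    while True:
        n = msg[off]
        if n == 0:                      # root label terminates the name
            return off + 1 + 4
        if n & 0xC0 == 0xC0:            # compression pointer: 2 bytes, also ends the name
            return off + 2 + 4
        off += 1 + n

def truncated_reply(query):
    """Echo the query ID and question with QR=1 and TC=1, so a genuine resolver retries over TCP."""
    qid, flags = struct.unpack("!HH", query[:4])
    rflags = 0x8200 | (flags & 0x7900)  # QR|TC set, OPCODE and RD copied from the query
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:_question_end(query)]

class DnsGuard:
    """Source authentication for a DNS target under a spoofed UDP query flood."""
    def __init__(self, ttl=300):
        self.ttl, self.auth = ttl, {}   # src_ip -> time of last successful TCP query

    def on_udp(self, src_ip, query, now):
        """Known source: forward to the target. Unknown source: answer TC=1, forward nothing."""
        last = self.auth.get(src_ip)
        if last is not None and now - last < self.ttl:
            return ("forward", query)
        return ("reply", truncated_reply(query))

    def on_tcp(self, src_ip, query, now):
        """A query over TCP/53 (2-byte length prefix already stripped here) arrives only
        after a completed handshake, so src_ip cannot have been spoofed."""
        self.auth[src_ip] = now
        return ("forward", query)
```

A spoofed UDP flood therefore costs the guard one small reply per packet and never reaches the target, while a real resolver pays one extra TCP round trip and is then served over UDP as before.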
Anomaly Detection Against Non-Spoofed Attacks
• Extensive profiling
  • Hundreds of anomaly sensors per victim
  • For global, proxies, discovered top sources, typical source, …
• Auto discovery and profiling of services
  • Automatically detects HTTP proxies and maintains specific profiles
  • Learns individual profiles for top sources, separate from the composite profile
• Depth of profiles
  • PPS rates
  • Ratios, eg SYNs to FINs
  • Connection counts by status
  • Protocol validity, eg DNS queries

Performance
• Wire speed – requirement …
  • GigE = 1.48 million pps …
• Avoid copying
• Avoid interrupts/system calls
• Limit the number of memory accesses
• PCI bottleneck
• DDoS NIC Accelerator

Cosmo board
• Replaces the NIC
• Handles the data path
• Based on the Broadcom BCM1250 integrated processor
BCM1250 budget: ~500 cycles per packet (one memory access costs 90 cycles)

More performance – clustering
[Diagram: two ISP upstreams feed a Load Leveling Router, which spreads traffic across a Mitigation Cluster of Riverhead Guards in front of the Customer Switches]
Managed DDoS Services – Cisco Powered Providers
Largest carriers offering “clean pipes” services to F500 enterprises:
• Full managed services offered:
  • Service agreement and multiyear contract typical
  • Gigabit+ dedicated capacity with shared overage
  • Customized policies
  • Part of a managed security services portfolio
• Examples: AT&T Internet Protect (DDoS Defense Option for Internet Protect), IP Guardian, IP Defender and many others

Managed DDoS Services – Cisco Powered Providers
Managed hosting providers are offering DDoS protected services:
• Protection offered with hosting:
  • À la carte option, bundled with premium services or included with hosting
  • Capacity matched to hosting
  • Standardized or customized policies
  • Service and attack reporting
• Examples: SureArmour DDoS Protection service, PrevenTier DDoS Mitigation Service and many others
THANK YOU! Comments: dtouitou@cisco.com