
Boaz Elgar, Product Manager, November 2002






Presentation Transcript


  1. Boaz Elgar, Product Manager, November 2002

  2. Agenda • Some known DDoS attacks • Types of DDoS attacks • Current measures for blocking DDoS • Riverhead Solution overview

  3. Riverhead Profile • Solution: Secure internet availability against crippling DDoS cyber-attacks • Customers: Large enterprises, new media companies, service providers and government organizations • Investors: (not listed in the transcript) • HQ: Cupertino, California • Products: Riverhead Guard and Detector - infrastructure security devices

  4. Overview of DDoS attacks

  5. DDoS Incidents Around The Globe • Global: World Economic Forum, CERT • Europe: Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, British Telecom, Cloud9 • US: Amazon, Yahoo, CNN, e-Bay, e-Trade, Microsoft, White House, NY Times, NASA, OZ.Net • Rest of world: 200 small corporations, 30 educational organizations and 20 government systems (Korea), St George Bank (Australia)

  6. Distributed Denial of Service: An Upstream Issue (diagram: zombies on innocent computers; attack categories shown are infrastructure-level, server-level and bandwidth-level DDoS attacks)

  7. Server-level DDoS attacks (diagram: packet fields DST, SRC, protocol, CRC, ports, SYN/FIN flags, SSL, GET URL, CGI, www.victim.com…) • Layer 4 attacks: SYN receive, Establish, FIN_WAIT_1 • Application layer attacks: 404 File Not Found flood, SSL, CGI, DNS bogus requests attack

  8. TCP Level DDoS attacks

  9. TCP SYN flood (diagram: zombies send spoofed SYN requests to the server; the server answers SYN-ACK and waits for an ACK that never comes, until its waiting buffer overflows) • One of the first CERT DDoS advisories issued – 9/1996 • http://www.cert.org/advisories/CA-1996-21.html

  10. TCP SYN Flood News - February 3, 2002: "Firenet ISP Suffers DoS Attack". Firenet MD Mr Castle also stated: "The list of attacks were Syn Flood attacks, Ip Spoofing the Lan interfaces, and Total Denial of service attacks. We had taken down the servers for 4 nights in a row, from 11 o'clock till 6.00 am daily and worked all through the night with BT fighting this hacker or hackers, and had stopped the problems on Wednesday night Thursday morning".

  11. NAPHTA: TCP connections (diagram: clients send SYN, get SYN-ACK, send ACK and an HTTP request, then FIN) • By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources and fill up the server's TCP connection buffer. • Many connections are left in FIN_WAIT_1 state on the server • http://people.internet2.edu/~shalunov/netkill

  12. Half-open connections (diagram: clients send SYN, server answers SYN-ACK) • Repeatedly establishing a connection • Sending an unfinished request ("GE" instead of "GET") • The server waits for the end of the request • Application layer saturation

  13. HTTP attack tool (screenshot: target www.victim.com reached through www.proxyserver.com; controls labelled "Click to get latest victim", "Where to attack", "Control how fast to attack") • First came out in January 1999!

  14. Client attack • URL attacks: repeated request, repeated REFRESH, random URL (avoids proxy caching) • Makes the server work hard: large log file; cgi, long forms, heavy search requests • http://all.net/journal/netsec/9512.html

  15. Client attack on Lufthansa • “Wednesday morning, in a planned attack, demonstrators began accessing Lufthansa's Web site. Although demonstrators claim they knocked the site off-line for about 10 minutes, Lufthansa said the claim was untrue.” • “Lufthansa's servers got 67,004 hits per second at one point in the two-hour Web attack” • “The attack was planned to protest Lufthansa's contract with the German government to fly people who are denied asylum in Germany out of the country.” • Computerworld 6/21/01

  16. Client attack on WTO

  17. DNS attack • DNS request • Spoofing • Random requests • Reflectors • DNS recursive requests • Amplifications (diagram: spoofed UDP queries for random names such as www.bogus.com and www.bla-bla.com sent to a DNS server, whose replies to the recursive requests go to the spoofed source)

  18. Bandwidth-level DDoS attacks • ICMP echo, unreachable • UDP Flood • Reflectors • Smurf Flood

  19. Reflectors (diagram: a zombie with a SOCKS proxy list of reflectors, Reflector-1 to Reflector-4 and more; the reflectors are a web server, a DNS server and a router, all bouncing traffic to the victim)

  20. Reflectors, continued (diagram: several zombies sending through SOCKS proxies to the web server, DNS server and router reflectors, whose responses converge on the victim)

  21. Reflectors -> Bandwidth attack • Reflector = any host that returns a packet when one is sent to it • Web servers, DNS servers and routers • Return SYN-ACK or RST in response to a SYN or other TCP packets with ACK • ICMP Time Exceeded or Host Unreachable in response to particular IP packets • Amplification if the sequence number is known (FTP, streaming…) • DNS replies • http://grc.com/dos/drdos.htm • http://www.aciri.org/vern/papers/reflectors.CCR.01.pdf

  22. Smurf Amplification (diagram: the zombie sends a single ping request, labelled 1, with the victim as spoofed source to the directed broadcast address amp.255 of the amp/255.255.255.0 network; every host answers, and the replies, labelled 500, flow to the victim) • Jan 1998 • http://www.cert.org/advisories/CA-1998-01.html

  23. Smurf tool (screenshot: packet size selectable from 10 to 1300 octets) • Came out in March 1999!

  24. Smurf attack • “Internet attack slows Web to a crawl: Assault on Oz.net affects entire area” (Tuesday, January 18, 2000) • Oz.net, an ISP serving 7,000 subscribers, is known to have been targeted in the so-called smurf attack in Seattle; the assault affected many, perhaps even most, of the Internet users in the Seattle area, said experts. • “… all the corporate or academic networks the smurf attacker used in the assault -- as many as 2,000 nationwide” • “The Seattle attack was most likely launched by a single person…”

  25. Cisco – stopping Smurf • Interface command: no ip directed-broadcast • Translation of directed broadcasts to physical MAC broadcasts is disabled • As of IOS 12.0 this is the default

  26. Infrastructure-level DDoS attacks • BGP / OSPF / … attacks • SYN flood against TCP 179 (BGP), SSH • ICMP attack • DNS attacks

  27. Attacks directly on routers • Attacks directed at routers can have broader impact than attacks directed at hosts • Packets directed at a router may consume more CPU (slow path) than packets transiting a router

  28. October 2002: Massive attack on 13 DNS root servers (diagram: AS x, AS y, AS 56 and the DNS root servers) • ICMP floods, 150K PPS (primitive attack) • Took down 7 root servers (two hours)

  29. October 2002: Massive attack on 13 DNS root servers, continued (same bullets and diagram as slide 28: ICMP floods of 150K PPS took down 7 root servers for two hours)

  30. Attacks & Attack Tools examples • TFN • Spoofed SYN Flood • Non-spoofed SYN Flood • UDP Flood • FIN, SYNACK Flood (spoofed and non-spoofed) • Ping Flood • Smurf Flood • Combined UDP/TCP/ICMP • Targa3 Attack • Fragmentation Attack: IP/UDP (jolt2), IP/ICMP (trash and fawx), IP/TCP • HTTP Connection Flood (Client attack): http errors 404 etc., http half connections • DNS attacks • BGP attacks on routers • Partial list of covered tools: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naphta, Trash…

  31. How are DDoS handled?

  32. Router Filtering (ACLs, CARs): built-in and distributed, but… • Blocks good with bad • Ineffective against random spoofing and application level attacks • Potential performance degradation • Manually intensive process (network diagram: peering routers R4 and R5 feed R2, R3 and R1 over 1000 and 100 links down to a FE segment with Server1, the Victim and Server2)

  33. Cisco ACLs - 1 • Use ACL to determine which interface is being attacked and characteristics of attack • Initial ACL to determine what type of attack:
      access-list 101 permit icmp any any echo
      access-list 101 permit icmp any any echo-reply log-input
      access-list 101 permit udp any any
      access-list 101 permit tcp any any
      access-list 101 permit ip any any
      interface serial 1/1
       ip access-group 101 out
      ! Wait 10 seconds
      no ip access-group 101 out

  34. Cisco ACLs - 2 • sh access-l 101
      Extended IP access list 101
          permit icmp any any echo (2 matches)
          permit icmp any any echo-reply (21374 matches)
          permit udp any any (18 matches)
          permit tcp any any (123 matches)
          permit ip any any (5 matches)
      • Indications are that there is some sort of ICMP attack • Need to place ACL on each successive router in upstream path

  35. Cisco ACLs - 3 • Next use ‘log-input’ to determine from where – via ‘sho logging’:
      %SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
      %SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
      %SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
      %SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
      • Serial 1/1 is our prime suspect! • Link: http://www.cisco.com/warp/public/707/22.html
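Slides 33 to 35 describe a manual triage loop: read the per-entry match counters of the diagnostic ACL, then use log-input to see which interface the suspect packets arrive on. The Python below is an added example, not code from the presentation or from Riverhead, that performs that reading over the slides' own show access-list and logging output; the regular expressions, the 90% dominance threshold and the private-address check are my assumptions.

```python
import re
import ipaddress
from collections import Counter

# Sample "show access-list 101" output and log-input lines, copied from the slides above.
SHOW_ACL = """Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)"""

SHOW_LOGGING = """%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet"""

# Regexes are assumptions fitted to the output format shown on the slides.
ACE_RE = re.compile(r"^\s*permit (\S+ .+?) \((\d+) matches\)")
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGDP: list \d+ \w+ \w+ (\S+) \((\S+)\) -> \S+ \(\S+\), (\d+) packets?")

def parse_acl_counters(text):
    """Map each permit entry of the ACL to its match counter."""
    counters = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def dominant_entry(counters, min_share=0.9):
    """Return the entry absorbing at least min_share of all matches, else None."""
    total = sum(counters.values())
    if not total:
        return None
    ace, hits = max(counters.items(), key=lambda kv: kv[1])
    return ace if hits / total >= min_share else None

def packets_per_interface(log_text):
    """Count logged packets per ingress interface, as reported by log-input."""
    per_if = Counter()
    for m in LOG_RE.finditer(log_text):
        per_if[m.group(2)] += int(m.group(3))
    return per_if

def private_sources(log_text):
    """Logged sources from RFC 1918 space: on a peering link these indicate spoofing."""
    return sorted({m.group(1) for m in LOG_RE.finditer(log_text)
                   if ipaddress.ip_address(m.group(1)).is_private})

if __name__ == "__main__":
    print("dominant ACE:", dominant_entry(parse_acl_counters(SHOW_ACL)))
    print("packets per interface:", packets_per_interface(SHOW_LOGGING))
    print("private sources:", private_sources(SHOW_LOGGING))
```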

  36. Cisco CAR • CAR – Committed Access Rate (the three numbers after the access-group are bandwidth in bps, normal burst in bytes and max burst in bytes):
      interface ATM1/1/0.21 point-to-point
       rate-limit input access-group 180 96000 24000 32000 conform-action continue exceed-action drop
       rate-limit input access-group 190 128000 30000 30000 conform-action transmit exceed-action drop
      !
      access-list 180 deny icmp 128.139.252.0 0.0.0.255 any
      access-list 180 permit icmp any any
      access-list 190 deny tcp any any established
      access-list 190 permit tcp any any
      • No one really understands “burst” – best to read: http://www.nanog.org/mtg-9811/ppt/witt/index.htm

  37. Cisco uRPF (flowchart: a packet with a given source comes in; the router checks the source in its routing table and asks whether routing back to the source goes through the same interface; if the path back is on this line the packet is accepted, if the path is via a different interface the packet is rejected; diagram shows Router A and Router B)

  38. Cisco uRPF - 1 • Unicast Reverse Path Forwarding • Requires CEF • Available starting in 11.1(17)CC and 12.0 • Not available in 11.2 or 11.3 images • Cisco interface command: ip verify unicast rpf
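The flowchart and bullets above describe strict-mode uRPF. The Python below is an added example, not Cisco or Riverhead code, that models that check against a constructed routing table; the prefixes, interface names and sample packets are assumptions, and the allow_default switch mirrors the allow-default keyword of the later ip verify unicast source reachable-via form, without which the default route is not used for the reverse-path check.

```python
import ipaddress

# Constructed routing table (an assumption, not from the slides): prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "Serial1/1",               # default route toward the upstream peer
    "128.139.0.0/16": "FastEthernet1/0/0",  # our server block (the slides' 128.139.x addresses)
    "10.1.0.0/16": "Serial2/0",             # a customer link
}

def lookup(fib, address, allow_default=False):
    """Longest-prefix match: the interface the router would use to reach address.
    The default route only takes part when allow_default is set."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict uRPF: accept only if the best path back to src leaves via ingress."""
    return lookup(fib, src, allow_default) == ingress

def verdicts(fib, packets, allow_default=False):
    """Apply the check to (src, ingress) pairs; return (src, ingress, verdict) tuples."""
    return [(s, i, "accept" if urpf_strict(fib, s, i, allow_default) else "drop")
            for s, i in packets]

# Constructed sample packets: source address and the interface it arrived on.
PACKETS = [
    ("128.139.19.5", "FastEthernet1/0/0"),  # server traffic arriving on its own interface
    ("128.139.19.5", "Serial1/1"),          # our own address arriving from upstream: spoofed
    ("10.1.2.3", "Serial2/0"),              # customer traffic on the customer link
    ("192.168.1.1", "Serial1/1"),           # no specific route back: dropped unless allow-default
]

if __name__ == "__main__":
    for row in verdicts(FIB, PACKETS):
        print(*row)
```

Strict mode assumes the route back to the source is symmetric with the arrival path; where routing is asymmetric it discards legitimate packets, which is the "limited protection" trade-off the later slides allude to.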

  39. Blackholing = Disconnecting the customer (same network diagram as slide 32: peering routers R4 and R5, R2, R3, R1, FE segment with Server1, the Victim and Server2)

  40. Null0 routing • Works only on destination addresses • Simple blackhole: ip route 191.1.1.1 255.255.255.255 null0 • Caveat: routers can forward faster than they can drop packets • Blackholes good packets with bad packets

  41. Router Capabilities • ACLs: manual process; performance impact on some routers • CAR: performance impact on some routers; also limits good traffic • uRPF: not enforced, limited attacks protection • Blocks good along with the bad • Issue: too coarse – affects good as well as bad traffic • Router CPU/ASIC limitations – impacts performance • Ineffective on several different attacks

  42. In-line Mitigation: Edge Device • Low cost and simple deployment, but… • Upstream ingress still choked • Device itself becomes point of failure • Doesn’t scale – requires many • Easy to overwhelm a FW (same network diagram as slide 32, with the device in line in front of Server1, the Victim and Server2)

  43. Diversion and Precise Filtering (diagram: Guard devices attached beside R4 and R5 at the peering edge, off the path through R2, R3 and R1 to Server1, the Victim and Server2) • Protects all resources • No point of failure or latency on critical path • No router impact • Scales via sharing • Dynamic and precise filtering

  44. Solution Overview (diagram: upstream = not on the critical path) • DDoS Protection = Riverhead Guard • DDoS Detection = Riverhead Detector • Victim and non-victimized servers shown downstream

  45. Solution Overview (diagram) • 1. Detect: Riverhead Detector, OR an IDS system, firewall or health checks • 2. Activate: auto/manual • 3. Divert only the victim’s traffic to the Riverhead Guard via a BGP announcement; non-victimized servers are untouched

  46. Solution Overview (diagram) • Hijack traffic = BGP: traffic destined to the victim is drawn to the Riverhead Guard • Legitimate traffic to the victim is injected back via GRE, VRF, VLAN, FBF, PBR… • “No dynamic configuration” • Non-victimized servers are unaffected

  47. Adaptive and Dynamic Filtering • Static & dynamic filters: 1 to 100s of dynamic filters by flow, protocol, … • Anti-spoofing • Statistical analysis • Rate-limiting & DDoS traffic shaping: per-flow queues and aggregate rates • Layer 7: http, smtp

  48. ISP Perimeter Protection (diagram only)

  49. ISP Perimeter Protection (diagram only)

  50. ISP Edge Protection (diagram only)
