310 likes | 429 Vues
Protection On-Demand: Ensuring Resource Availability. Dan Touitou dtouitou@cisco.com. Agenda. The Growing DDoS Challenge Existing Solutions Our Approach Technical Overview. ‘Zombies’. Innocent PCs & Servers turn into ‘Zombies’. ‘Zombies’. How do DDoS Attacks Start ?. DNS. Email.
E N D
Protection On-Demand: Ensuring Resource Availability Dan Touitou dtouitou@cisco.com
Agenda • The Growing DDoS Challenge • Existing Solutions • Our Approach • Technical Overview
‘Zombies’ Innocent PCs & Servers turn into ‘Zombies’ ‘Zombies’ How do DDoS Attacks Start ? DNS Email
The Effects of DDoS Attacks Attack Zombies: • Massively distributed • Spoof Source IP • Use valid protocols Server-level DDoS attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks DNS Email
Attacks - examples • SYN attack • Huge number of crafted spoofed TCP SYN packets • Fills up the “connection queue” • Denial of TCP service • HTTP attacks • Attackers send a lot of “legitimate” HTTP requests
SYN Cookies – how it works syn(isn#) stateless part State created only for authenticated connections synack(cky#,isn#+1) WS=0 ack(cky#+1) syn(isn#) synack(isn’#,isn#+1) ack(isn#+1) WS<>0 ack(isn’#+1) Sequence # adaptation Source Guard Target
. . . . . . . . Blackholing R4 R5 = Disconnecting the customer peering R2 R3 1000 1000 R1 100 R R R FE Server1 Victim Server2
. . . . . . . . At the Edge / Firewall/IPS R4 R5 peering • Easy to choke • Point of failure • Not scalable R2 R3 1000 1000 R1 100 R R R FE Server1 Victim Server2
. . . . . . . . At the Backbone R4 R5 peering R2 R3 • Throughput • Point of failure • Not Scalable 1000 1000 R1 100 R R R FE Server1 Victim Server2
BGP announcement 1. Detect Target Dynamic Diversion Architecture Guard XT 3. Divert only target’s traffic 2. Activate: Auto/Manual Detector XT or Cisco IDS, Arbor Peakflow Non-targeted servers
Traffic destined to the target Legitimate traffic to target 5. Forward the legitimate 6.Non targeted traffic flows freely Target Dynamic Diversion Architecture Guard XT 4. Identify and filter the malicious Detector XT or Cisco IDS, Arbor Peakflow Non-targeted servers
Technical overview • Diversion/Injection • Anti Spoofing • Anomaly Detection • Performance Issues
Diversion How to “steal” traffic without creating loops?
Diversionone example L3 next hop Diversion: announce a longer prefix from the guard no-export and no-advertise community BGP Injection: Send directly to the next L3 device
Alert Alert Diversion L3 next hop application ISP 1 ISP 2 Web console Router S P r p y P w p S S C t a y s 5 0 R I I t r c s r Guard XT Switch GEthernet Guard XT C S S C S T S Firewall Switch Target Detector XT Internal network Riverhead Detector XT Web, Chat, E-mail, etc. DNS Servers
Diversionone example – Injecting with tunnels Diversion: announce a longer prefix from the guard no-export and no-advertise community BGP Injection: Send directly to the next L3 device
Filtering bad traffic • Anti Spoofing • Anomaly detection • Performance
Guard Architecture – high level Control & Analysis Plane Policy Database Management Anomaly Recognition Engine Insert filters Data Plane AS Replies Anti-Spoofing Modules Classifier: Static & Dynamic Filters Bypass Filter Sampler Rate Limiter Strong Basic Flex Filter Analysis Connections & Authenticated Clients Drop Packets
Anti spoofing Unidirectional…..
Anti-Spoofing Defense- One example: HTTP Syn(isn#) • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified synack(cky#,isn#+1) 1. SYN cookie alg. ack(isn#+1,cky#) GET uri 2. Redirect rqst Redirect to same URI fin fin 3. Close connection Client authenticated Source Guard Target
RST cookies – how it works syn(isn#) ack(,cky#) rst(cky) Client authenticated syn(isn#) Source Guard Target
Anti-Spoofing Defense- One example: DNS Client-Resolver (over UDP) • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified Ab.com rqst UDP/53 Ab.com reply TC=1 syn synack ack Ab.com rqst UDP/53 Ab.com rqst TCP/53 Reply Authenticated IP Reply Repeated IP - UDP Target Guard Client
Anomaly DetectionAgainst Non-Spoofed Attacks • Extensive profiling • Hundreds of anomaly sensors/victim • For global, proxies, discovered top sources, typical source,… • Auto discovery and profiling of services • Automatically detects HTTP proxies and maintains specific profiles • Learns individual profiles for top sources, separate from composite profile • Depth of profiles • PPS rates • Ratios eg SYNs to FINs • Connection counts by status • Protocol validity eg DNS queries
Performance • Wire Speed - requirement … • GigE = 1.48 Millions pps… • Avoid copying • Avoid interrupt/system call • Limit number of memory access • PCI bottleneck • DDoS NIC Accelerator
Cosmo board Replaces the NIC Handles the data path Based on Broadcom BCM1250 integrated processor
BCM1250 Budget - ~500 cycles per packet (memory access 90 cycles)
ISP Upstream ISP Upstream More performance - clustering Load Leveling Router Mitigation Cluster Customer Switches Riverhead Guards
THANK YOU! Comments: dtouitou@cisco.com