1 / 37

Protection On-Demand: Ensuring Resource Availability

Protection On-Demand: Ensuring Resource Availability. Dan Touitou dtouitou@cisco.com. Agenda. The Growing DDoS Challenge Existing Solutions Our Approach Technical Overview. ‘Zombies’. Innocent PCs & Servers turn into ‘Zombies’. ‘Zombies’. How do DDoS Attacks Start ?. DNS. Email.

lynn
Télécharger la présentation

Protection On-Demand: Ensuring Resource Availability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Protection On-Demand: Ensuring Resource Availability Dan Touitou dtouitou@cisco.com

  2. Agenda • The Growing DDoS Challenge • Existing Solutions • Our Approach • Technical Overview

  3. ‘Zombies’ Innocent PCs & Servers turn into ‘Zombies’ ‘Zombies’ How do DDoS Attacks Start ? DNS Email

  4. The Effects of DDoS Attacks Attack Zombies: • Massively distributed • Spoof Source IP • Use valid protocols Server-level DDoS attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks DNS Email

  5. Attacks - examples • SYN attack • Huge number of crafted spoofed TCP SYN packets • Fills up the “connection queue” • Denial of TCP service • HTTP attacks • Attackers send a lot of “legitimate” HTTP requests

  6. A few of the Latest High Profile Attacks • Payment Gateways – extortion (on the news) • Authorize.net, PSIGateway, Worldpay, 2checkout • Online Brokerage firms (confidential) • Commercial banks (confidential) • Mydoom Worm – Microsoft, SCO, Yahoo, Lycos, Google • Doubleclick – DNS servers • Akamai - DNS servers • On line gambling sites – extortion • Many others, but most companies will not want the world to know that they were attacked

  7. Distributed Denial of Service Attacks • DDoS is often driven by financial motivation • DoS for hire  • Economically-driven • Politically driven • Cyber terrorism • DDoS cannot be ignored, modern business depends on effective handling of attacks

  8. Extortion Process • Target enterprise gets an attack to prove attackers capabilities • Typically followed by a demand to transfer about $10,000 at a time to a European bank account • Extorter can withdraw the money using an ATM machine without showing his face in the bank • Attackers use over 100K PCs • Latest attacks were 2 – 3 Gbps • The attackers can change the attack type very quickly (Change protocol, change target etc.)

  9. Attack EvolutionStronger and More Widespread • Essential protocols • Spoofed • 10Ks of zombies • 100Ks packets/sec • Compound and morphing • Non-essential protocols (eg ICMP) • 100s sources • 10Ks packets/sec Scale of Attacks Two Scaling Dimensions: • Million+ packets/sec • 100Ks of zombies Past Present Emerging Sophistication of Attacks

  10. Existing Solutions

  11. SYN Cookies – how it works syn(isn#) stateless part State created only for authenticated connections synack(cky#,isn#+1) WS=0 ack(cky#+1) syn(isn#) synack(isn’#,isn#+1) ack(isn#+1) WS<>0 ack(isn’#+1) Sequence # adaptation Source Guard Target

  12. . . . . . . . . Blackholing R4 R5 = Disconnecting the customer peering R2 R3 1000 1000 R1 100 R R R FE Server1 Victim Server2

  13. . . . . . . . . At the Edge / Firewall/IPS R4 R5 peering • Easy to choke • Point of failure • Not scalable R2 R3 1000 1000 R1 100 R R R FE Server1 Victim Server2

  14. . . . . . . . . At the Backbone R4 R5 peering R2 R3 • Throughput • Point of failure • Not Scalable 1000 1000 R1 100 R R R FE Server1 Victim Server2

  15. Cisco Solution

  16. BGP announcement 1. Detect Target Dynamic Diversion Architecture Guard XT 3. Divert only target’s traffic 2. Activate: Auto/Manual Detector XT or Cisco IDS, Arbor Peakflow Non-targeted servers

  17. Traffic destined to the target Legitimate traffic to target 5. Forward the legitimate 6.Non targeted traffic flows freely Target Dynamic Diversion Architecture Guard XT 4. Identify and filter the malicious Detector XT or Cisco IDS, Arbor Peakflow Non-targeted servers

  18. Technical overview • Diversion/Injection • Anti Spoofing • Anomaly Detection • Performance Issues

  19. Diversion How to “steal” traffic without creating loops?

  20. Diversionone example L3 next hop Diversion: announce a longer prefix from the guard no-export and no-advertise community BGP Injection: Send directly to the next L3 device

  21. Alert Alert Diversion L3 next hop application ISP 1 ISP 2 Web console Router S P r p y P w p S S C t a y s 5 0 R I I t r c s r Guard XT Switch GEthernet Guard XT C S S C S T S Firewall Switch Target Detector XT Internal network Riverhead Detector XT Web, Chat, E-mail, etc. DNS Servers

  22. Diversionone example – Injecting with tunnels Diversion: announce a longer prefix from the guard no-export and no-advertise community BGP Injection: Send directly to the next L3 device

  23. Diversionone example: long distance diversion 61.1.1.1

  24. Filtering bad traffic • Anti Spoofing • Anomaly detection • Performance

  25. Guard Architecture – high level Control & Analysis Plane Policy Database Management Anomaly Recognition Engine Insert filters Data Plane AS Replies Anti-Spoofing Modules Classifier: Static & Dynamic Filters Bypass Filter Sampler Rate Limiter Strong Basic Flex Filter Analysis Connections & Authenticated Clients Drop Packets

  26. Anti spoofing Unidirectional…..

  27. Anti-Spoofing Defense- One example: HTTP Syn(isn#) • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified synack(cky#,isn#+1) 1. SYN cookie alg. ack(isn#+1,cky#) GET uri 2. Redirect rqst Redirect to same URI fin fin 3. Close connection Client authenticated Source Guard Target

  28. RST cookies – how it works syn(isn#) ack(,cky#) rst(cky) Client authenticated syn(isn#) Source Guard Target

  29. Anti-Spoofing Defense- One example: DNS Client-Resolver (over UDP) • Antispoofing only when under attack • Authenticate source on initial query • Subsequent queries verified Ab.com rqst UDP/53 Ab.com reply TC=1 syn synack ack Ab.com rqst UDP/53 Ab.com rqst TCP/53 Reply Authenticated IP Reply Repeated IP - UDP Target Guard Client

  30. Anomaly DetectionAgainst Non-Spoofed Attacks • Extensive profiling • Hundreds of anomaly sensors/victim • For global, proxies, discovered top sources, typical source,… • Auto discovery and profiling of services • Automatically detects HTTP proxies and maintains specific profiles • Learns individual profiles for top sources, separate from composite profile • Depth of profiles • PPS rates • Ratios eg SYNs to FINs • Connection counts by status • Protocol validity eg DNS queries

  31. Performance • Wire Speed - requirement … • GigE = 1.48 Millions pps… • Avoid copying • Avoid interrupt/system call • Limit number of memory access • PCI bottleneck • DDoS NIC Accelerator

  32. Cosmo board Replaces the NIC Handles the data path Based on Broadcom BCM1250 integrated processor

  33. BCM1250 Budget - ~500 cycles per packet (memory access 90 cycles)

  34. ISP Upstream ISP Upstream More performance - clustering Load Leveling Router Mitigation Cluster Customer Switches Riverhead Guards

  35. Managed DDoS ServicesCisco Powered Providers Largest carriers offering “clean pipes” services to F500 enterprises: • Full managed services offered: • Service agreement and multiyear contract typical • Gigabit+ dedicated capacity with shared overage • Customized policies • Part of a managed security services portfolio • AT&T Internet protect DDoS Defense Option for Internet Protect IP Guardian IP Defender and many others

  36. Managed DDoS ServicesCisco Powered Providers Managed hosting providers are offering DDoS protected services: • Protection offered with hosting: • A la carte option, bundled with premium services or included with hosting • Capacity matched to hosting • Standardized or customized policies • Service and attack reporting SureArmour DDoS Protection service PrevenTier DDoS Mitigation Service and many others

  37. THANK YOU! Comments: dtouitou@cisco.com

More Related