Data Plane Protection. The googles they do nothing.

Transcription

1 Data Plane Protection The googles they do nothing.

2 Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing.

3 Can be, ICMP (smurf, POD), SYN, Application attacks. Turning off the effected device works pretty good too. Single Source

4 Multiple Source

5 Reflection DoS

6 Reflection DDoS

7 Network Effects

8 Service DoS effects

9 Bandwidth DoS Effects

10 Bandwidth DDoS effects

11 Router Service DoS

12 Dual Router Service DoS

13 Dual Router Service DoS

14 Defenses Firewall Anycast ACL s BCP38 Blackholing BGP trigged blackholing

15 Firewalls The antithesis of routers. Drop by default.

16 Firewalls They choose to accept or drop a packet based on (generally) layer 3 and 4 data. But they can t protect a buggy application (mostly). Scales until it doesn t.

17 Mail, HTTP or whatever. Textbook Architecture

18 But more like this.

19 Policies Then create network to network policies.

20 Count the policies

21 EASY Three networks, three polices Oh, I mean six.

22 Next example

23 Internet ->

24 Oh other Internet

25 RAAAAGH

26 How many policies? So there are eight networks the formula is, n(n-1)/2 /2? Only for bidirectional links Actually n(n-1) So fifty six policies!

27 How many policies Fifty six Policies! That s not rules! There needs to be one rule per service per policy! There are three firewalls as well.

28 Firewall configuration doesn t scale well. Try and use an automation system.

29 Weaknesses? Lordy

30 Weaknesses

31 Weaknesses

32 Weaknesses

33 Weaknesses

34 Weaknesses

35 FIREWALLS

36 More resources for firewalls as they look at more. Lookup Loops

37 Back to this

38 Remote user?

39 Remote user? VPN!

40 General recommendations Multiple layers of firewall. Least specific rules to more specific rules. Isolate groups and areas. Firewalls on hosts! Anything that simplifies configuration.

41 Anycast Anycast is a method of load balancing traffic to multiple nodes, while delivering traffic to a single address.

42 Anycast Here we have a network, the nodes could be either AS s or could be individual routers. Doesn t matter.

43 In this case, there is no anycast and we have a single node. Anycast

44 Anycast So for load balancing reasons we put in a second node advertising the same space.

45 Anycast So now the traffic is split over the two sites. Remember this is load balanced using routing protocols, so it s not going to be based on traffic loads.

46 But if we have a fault on the network. Let s say a node goes down. Anycast

47 Anycast Now the routing protocol converges and suddenly the traffic is now all going to the remaining node.

48 Anycast What work did we have to do for that? What new technologies did I need? What licenses did I need? Anycast has been in use since 1995, PCH has been involved in it s deployment for a long time. We are even references in Wikipedia.

49 Anycast Uses? DNS serving is the most widely deployed. Content distribution is possible. Easing configuration in your network. Increase resilience in your management network by deploying more data collection nodes in the network without having to worry about additional equipment configuration. How does this help network protection?

50 Anycast Uses DNS Serving. All but one of the root DNS servers use Anycast. It s the only way to scale when you are limited to only 13 addresses. Uses BGP for advertising networks. Never been taken down.

51 Anycast Uses Management. At my previous employer I set up Anycast for the management network. Collecting SNMP and syslog. Providing DNS, and TACACS+. Done over OSPF instead of BGP.

52 ACL s Just block traffic at your edge. We already have ACL s at the edge as it is. This is a fast way to drop traffic at the edge, but comes with some challenges. If the network is seriously effected, it may be difficult or impossible to access a stressed router. Also you have to maintain the ACL on all the network edge devices.

53 BCP 38 Can someone tell me what that is? It s filtering traffic to ensure that the source address is valid.

54 BCP 38

55 BCP 38

56 BCP 38

57 BCP 38

58 BCP 38

59 BCP 38

60 How can I filter for it? You ll need to use extended ACL s But that s not going to scale if you have to manually maintain it. Add it to AAA profiles for dynamic clients.

61 ACLs!! Looks like this.! access-list 121 permit ip any access-list 121 deny ip any any log! interface Fa0/1 description Local LAN ip access-group 121 in!

62 ACLs A custom ACL for every interface in your network isn t really going to scale.

63 ip source guard Configured on Cisco switches it verifies port + mac + ip bindings. But requires DHCP so it knows what is configured where. Great for LANs. Not for peering.

64 Easy BCP38 Unicast Reverse Path Filtering. Strict Feasible Loose Operates on a per interface basis Only operates at ingress

65 urpf - Strict The source address of the packet is checked to see if the arriving interface is the best path for the source address. If it isn t, the packet is dropped.

66 urpf - Feasible The source address of the packet is checked to see if the arriving interface is a possible path for the source address of the packet. If it isn t a possible path the packet is dropped.

67 urpf - Loose The router checks to see if there are any possible paths for the source address of the packet. If there are no valid routes for the address, it is dropped.

68 urpf I ve only seem implementations of loose and strict. Interesting tip, if the best route is via Null0 the router will drop the packet.

69 BCP38 What are the applications of this? Anti-spoofing Junk traffic dropping Active network protection

70 Anti-Spoofing This prevents forged DDoS and reflection attacks being sourced from your network. Malware is no longer able to spoof source addresses, so their unable to pretend to be someone else or randomise the source address.

71 Drop Junk Traffic Saves on maintaining ACL s for RFC1918 traffic and such. If you don t have a route for it, it gets dropped. (or the route is Null) Pretty handy, like the communities it saves changing ACL and prefix lists all the time for provisioning.

72 Strict vs Loose For implementation which should you use? For a customers and downstream? Strict For a peer where there is a chance of multiple paths? Should be Feasible, but we only have access to Loose.

73 Active Network Protection It s also allows us to filter traffic we choose based on source. How can we do that? But how can we set the next hop to Null0? Not via static routes on every device! that s just silly. Perhaps via a routing protocol? Remember this is all done in hardware.

74 RTBH Real Time Black Hole Triggered using BGP.

75 Here we have a single source DoS. DoS - RTBH

76 Add in the Null0 next hops. DoS - RTBH

77 We set the targets route as the next hop. DoS - RTBH

78 But that router will drop ALL traffic destined for that target. DoS - RTBH

79 For a DDoS DDoS - RTBH

80 Okay here we have triggered the blackhole this time, it s network wide. Great damage contained. DDoS - RTBH

81 DDoS - RTBH But if the attack traffic is greater than our available link bandwidth (which is likely), then the network is still DoSed. What if we could signal our neighbours and ask them to drop it.

82 DDoS - RTBH

83 DDoS - RTBH

84 But there is still a problem the victim is still unreachable. :( DDoS - RTBH

85 Can we do better? kinda

86 Take another look at this diagram. What if we had urpf enabled? Take a step back

87 This would happen Any traffic sourced from the victim that passed through the black holing router would be dropped. Why?

88 Source RTBH So just the traffic from the attacker would be dropped. Success, the victim is still available to the rest of the internet? Would this work for a DDoS? (only reflection attacks) If it was a reflection how would you signal it to peers? But Arbor Networks will sell you a solution that will do it.

89 Traffic Analyse

90 How is that achieved? It s not too hard

91 RTBH You can t pass an interface as a next-hop through BGP. Pick and address you re never going to use. Create a static route, ip route Null0 on all the routers. Then create a route with as the next hop. QED

92 But there are a couple of tricks to it. But we ll go over those in the lab.

93 Other Methods There are other methods to protect against application and service attacks. But we re only dealing with things at the network layer. Other methods? Firewalls, IDS, application proxy and tcp proxy.

94 Quiz Time! What does RTBH stand for? What is BCP 38? How does Anycast work? What is a reflection attack? What s the difference between a service and bandwidth attack? Which is most dangerous?