Distributed Denial of Service

Transcription

1 Distributed Denial of Service Vimercate 17 Maggio 2005 DDoS 1

2 Agenda PREFACE EXAMPLE: TCP EXAMPLE: DDoS CISCO S DDoS SOLUTION COMPONENTS MODES OF PROTECTION DETAILS 2

3 Distributed Denial of Service PREFACE 3

4 What are DDoS Attacks? Name: DISTRIBUTED DENIAL OF SERVICE What: DDoS attacks block legitimate users from accessing network resources How: DDoS attacks block network resources (Infrastructure, DNS, Mail, Web and more ) Where: DDoS attacks enter the network from all directions When: DDoS attacks happen everyday and all over the Internet 4

5 Dollar Amount of Losses by Type 5

6 Denial of service Background TWO VARIANTS LOGICAL software related vulnerability (SMBNUKE) FLOODING -CPU -Bandwidth -Memory ( FLOOD) 6

7 Denial of Service EXAMPLE: TCP 7

8 Normal TCP/IP Connection Initiation / ACK TCP Client ACK TCP Server 9

9 TCP The TCP server will hold the in _RCVD state until timeout. Multiple s open multiple _RCVD waiting. This continues until the full memory area allocated for maintaining TCP state is exhausted. Once the memory area is exhausted, the waiting _RCVDs are FIFOed out of the table. FREE FREE FREE _RCVD FREE _RCVD FREE _RCVD FREE _RCVD FREE _RCVD FREE A TCP requires the server to allocate memory, then the total amount of available memory becomes a finite resource which can be DoSed _RCVD FREE TCP Queue (MEMORY) 11

10 +ACK RTT Round Trip Time (RTT) is the interval between the sending of +ACK and reception of the corresponding ACK from the other host. / ACK Time 0 TCP Client ACK??? TCP Server +ACK RTT is the time it take between the +ACK and the ACK 14

11 TCP -Flood _RCVD gets pushed Attacker Valid User Valid user gets to the ACK, but the server does not set up / ACK ACK Data Silence?? _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD _RCVD drop _RCVD TCP Server No _RCVD waiting when the ACK gets back. 17

12 Distributed Denial of Service EXAMPLE: DDoS 19

13 How do DDoS Attacks Start? Zombies Zombies Innocent PCs & Servers turn into Zombies DNS 21

14 Types and Influence of DDoS Attacks Attack ombies: Use valid protocols Spoof source IP Massively distributed Server-level DDoS attacks DNS 22

15 DDoS Mitigation CISCO S DDoS SOLUTION COMPONENTS 23

16 DDoS Defense In Action BGP Announcement 3. Divert Only Target s Traffic Cisco Guard XT 2. Activate: Auto/Manual Cisco Detector XT 1. Detect Protected Zone 1: Web Protected Zone 2: Name Servers Target Protected Zone 3: E-Commerce Applications 25

17 DDoS Defense In Action 6. Non- Targeted Traffic Flows Freely Legitimate traffic to the zone 4. Identify and Filter the Malicious Cisco Guard XT 5. Forward the Legitimate Cisco Detector XT Protected Zone 1: Web Protected Zone 2: Name Servers Target Protected Zone 3: E-Commerce Applications 26

18 Cisco DDoS Solution Appliances and Service Modules DDoS Mitigation: Cisco Guard XT 5650 DDoS Detection: Cisco Traffic Anomaly Detector XT 5600 Cisco Anomaly Guard Module Cisco Traffic Anomaly Detector Module Attack ANALYSIS AND MITIGATION Diverts traffic flows for ON- DEMAND SCRUBBING Maximum deployment flexibility. Similar functionality and performance. Interoperable for mixed deployments. Attack DETECTION to support ondemand, shared scrubbing CPE LEARNING for managed service Monitors COPY OF TRAFFIC 27

19 Key Solution Benefits Detects and Mitigates DDoS attacks Dynamically identifies and blocks malicious attack traffic Ensures infrastructure stability and business continuity Ensures legitimate users get access to network resources Not on the critical path or inline Has minimal impact on routers, switches and infrastructure High Scalability and Performance Multi-Gigabit performance Optional clustering 28

20 High Performance and Capacity 1 MPPS+ most attacks, good and bad traffic, typical features CLUSTERING TO 8 GUARDS for single protected host Capacity 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector) Latency or jitter: < 1 MSEC 29

21 DDoS Mitigation MODES OF PROTECTION DETAILS 30

22 Measured Response Modes of Protection CISCO GUARD Strong Protection Strong anti-spoofing (proxy) if appropriate Dynamic filters deployed for zombie sources Basic Protection Basic anti-spoofing applied Analysis for continuing anomalies Analysis Diversion for more granular in-line analysis Flex filters, static and bypass filters in operation All flows forwarded but analyzed for anomalies Anomaly Identified Anomaly Verified CISCO DETECTOR Detection Passive copy of traffic monitoring Attack Detected Learning Periodic observation of patterns to update baseline profiles 31

23 Multi-Verification Process (MVP) Integrated Defenses in the Guard XT Apply anti-spoofing to block malicious flows Dynamically insert specific filters to block attack flows & sources Detect anomalous behavior & identify precise attack flows and sources Apply rate limits Legitimate + Legitimate attack traffic to target Dynamic & Static Filters Active Verification Statistical Analysis Layer 7 Analysis Rate Limiting 32

24 From Analysis to Basic Statistical Inspection SRC_IP To-user-filter basic 37

25 From Analysis to Basic Statistical Inspection SRC_IP basic Legitimate traffic Spoofed traffic Rate Limit 38

26 Basic/Redirect for HTTP Services Client (Source) Guard 39 IP (SrcIP= ;seq=x) ACK Is Source IP Authenticated? NO Generate unique cookie for IP (seq=cookie;ack=x+1) ACK If cookie is valid, authenticate IP (seq=x+1;ack=cookie+1) GET ( REDIRECT Tells client to refresh the session and the HTTP request Is Source IP Authenticated? YES Zone (Destination) FIN (SrcIP= ;seq=y) ACK (seq=y+1;ack=z+1) GET ( (seq=y) ACK (seq=z;ack=y+1) ACK (seq=y+1;ack=z+1) GET ( DATA

27 Spoofed Attack example IP Client (Source) Guard 40 Is Source IP Authenticated? NO (SrcIP= ;seq=x;Port=80) Is Source IP Authenticated? NO Is Source IP Authenticated? NO Is Source IP Authenticated? NO Is Source IP Authenticated? NO (SrcIP= ;seq=y;Port=80) (SrcIP= ;seq=z;Port=80) (SrcIP= ;seq=a;Port=80) (SrcIP= ;seq=b;Port=80) ACK Generate unique cookie for IP (seq=cookie;ack=x+1) Generate unique cookie for IP Generate unique cookie for IP Generate unique cookie for IP Generate unique cookie for IP Zone (Destination) ACK (seq=cookie;ack=y+1) ACK (seq=cookie;ack=z+1) ACK (seq=cookie;ack=a+1) ACK (seq=cookie;ack=b+1)

28 From Basic to Strong SRC_IP strong basic 43

29 From Basic to Strong SRC_IP strong basic Spoofed traffic Legitimate traffic 44

30 Strong Mode for TCP Services IP Client (Source) Guard Zone (Destination) 45 Is IP Authenticated? NO (SrcIP= ;seq=x) Generate unique cookie for IP ACK + Window=0 (seq=cookie;ack=x+1) ACK If cookie is valid, authenticate IP (seq=x+1;ack=cookie+1) (SrcIP=Guard Proxy IP) ACK ACK DATA DATA Window Update (SrcIP= ) (SrcIP=Guard Proxy IP) (SrcIP=Guard Proxy IP) DATA DATA (DstIP= ) (DstIP=Guard Proxy IP)

31 From Strong to Drop SRC_IP drop strong 48

32 From Strong to Drop SRC_IP drop strong 49

33 Management Features Web GUI, CLI and SNMP At-a-glance operations management Detailed attack data Per-customer summary reports 50

34 Hosting & Data Center / Enterprise ISP A ISP B Internal Network BGP Neighbor 51

35 I CS T S Ctays 50 RI t rcs S S P r p y Pw p r CS S S Enterprise or Hosting Data Center with Service Modules in Integrated Mode Catalyst 6K or 7600 Anomaly Guard Module RHI Route Update ISP 1 Sup720 or Sup2 w MSFC GEnet ISP 2 Guard/Detector Device Manager Attack Alert Traffic Anomaly Detector Module Firewall Service Module Catalyst Switch Target Internal Network Web, Chat, , etc. DNS Servers 52

36 Presentation_ID 53