Data Plane Protection The googles they do nothing.
Types of DoS: single source, multiple sources, reflection attacks (DoS and DDoS), spoofed addressing.
Can be ICMP (smurf, POD, i.e. ping of death), SYN, or application attacks. Turning off the affected device works pretty well too.
Single Source
Multiple Source
Reflection DoS
Reflection DDoS
Network Effects
Service DoS effects
Bandwidth DoS Effects
Bandwidth DDoS effects
Router Service DoS
Dual Router Service DoS
Defenses: Firewalls, Anycast, ACLs, BCP38, Blackholing, BGP-triggered blackholing.
Firewalls The antithesis of routers. Drop by default.
Firewalls They choose to accept or drop a packet based on (generally) layer 3 and 4 data. But they can't protect a buggy application (mostly). Scales until it doesn't.
Mail, HTTP or whatever. Textbook Architecture
But more like this.
Policies Then create network to network policies.
Count the policies
EASY Three networks, three policies. Oh, I mean six.
Next example
Internet ->
Oh other Internet
RAAAAGH
How many policies? So there are eight networks. The formula is n(n-1)/2? Only if policies are bidirectional. Actually n(n-1). So fifty-six policies!
How many policies? Fifty-six policies! That's not rules! There needs to be one rule per service per policy! There are three firewalls as well.
Firewall configuration doesn't scale well. Try and use an automation system.
Weaknesses? Lordy
Weaknesses https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160210-asa-ike
Weaknesses https://kb.juniper.net/infocenter/index?page=content&id=jsa10713&actp=search
Weaknesses https://www.cvedetails.com/cve/cve-2016-1909/
Weaknesses https://blog.coresecurity.com/2015/03/18/analysis-of-a-remote-code-execution-vulnerability-on-fortinet-single-sign-on/
FIREWALLS
Firewalls need more resources the more they look at in each packet. Lookup Loops
Back to this
Remote user?
Remote user? VPN!
General recommendations Multiple layers of firewall. Least specific rules to more specific rules. Isolate groups and areas. Firewalls on hosts! Anything that simplifies configuration.
Anycast Anycast is a method of load balancing traffic to multiple nodes, while delivering traffic to a single address.
Anycast Here we have a network. The nodes could be either ASes or individual routers. Doesn't matter.
Anycast In this case, there is no anycast and we have a single node.
Anycast So for load balancing reasons we put in a second node advertising the same space.
Anycast So now the traffic is split over the two sites. Remember this is load balanced using routing protocols, so it's not going to be based on traffic loads.
Anycast But if we have a fault on the network. Let's say a node goes down.
Anycast Now the routing protocol converges and suddenly the traffic is all going to the remaining node.
Anycast What work did we have to do for that? What new technologies did I need? What licenses did I need? Anycast has been in use since 1995; PCH has been involved in its deployment for a long time. We are even referenced in Wikipedia.
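As an added example that is not part of the original slides: a small Python simulation of the anycast behaviour just described. It runs Dijkstra (standing in for the IGP's SPF calculation) over a constructed ring topology with assumed link costs in which routers R1 and R4 both advertise the same prefix. Each client router's traffic lands on whichever advertising node is closest by routing metric, so the split is decided by topology rather than by traffic load, and when R4 is removed every client reconverges onto R1 with no configuration change. Router names, link costs and the client set are all constructed for this example.

```python
import heapq

# Constructed topology (not from the slides): a ring R1-R2-R3-R4-R5-R6-R1 with unit
# link costs plus one more expensive cross link. All costs are assumed values.
LINKS = [
    ("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 1),
    ("R4", "R5", 1), ("R5", "R6", 1), ("R6", "R1", 1),
    ("R2", "R5", 3),
]
ANYCAST_NODES = ["R1", "R4"]            # both advertise the same prefix
CLIENTS = ["R2", "R3", "R5", "R6"]      # routers whose traffic we trace


def build_graph(links):
    """Adjacency map {node: {neighbour: cost}} for an undirected topology."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_paths(graph, src):
    """Dijkstra from src; returns {node: metric}. Stands in for the IGP SPF run."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:            # stale heap entry
            continue
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def anycast_target(graph, client, nodes):
    """The advertising node the client's traffic reaches: lowest metric wins,
    ties broken by name (a real router would use its ECMP hash instead)."""
    dist = shortest_paths(graph, client)
    reachable = [(dist[n], n) for n in nodes if n in dist]
    return min(reachable)[1] if reachable else None


def traffic_distribution(links, clients=CLIENTS, nodes=ANYCAST_NODES):
    """Map each client to the anycast node it currently lands on."""
    graph = build_graph(links)
    return {c: anycast_target(graph, c, nodes) for c in clients}


def fail_node(links, node):
    """Simulate the node going down: every link touching it disappears."""
    return [l for l in links if node not in l[:2]]


if __name__ == "__main__":
    print("before failure:", traffic_distribution(LINKS))
    print("after R4 fails: ", traffic_distribution(fail_node(LINKS, "R4")))
```

Before the failure R2 and R6 reach R1 while R3 and R5 reach R4, a 2/2 split that comes purely from hop counts; after R4 is removed all four clients resolve to R1 on the next SPF run.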
Anycast Uses? DNS serving is the most widely deployed. Content distribution is possible. Easing configuration in your network. Increase resilience in your management network by deploying more data collection nodes in the network without having to worry about additional equipment configuration. How does this help network protection?
Anycast Uses DNS Serving. All but one of the root DNS servers use Anycast. It's the only way to scale when you are limited to only 13 addresses. Uses BGP for advertising networks. Never been taken down.
Anycast Uses Management. At my previous employer I set up Anycast for the management network. Collecting SNMP and syslog. Providing DNS, and TACACS+. Done over OSPF instead of BGP.
ACLs Just block traffic at your edge. We already have ACLs at the edge as it is. This is a fast way to drop traffic at the edge, but comes with some challenges. If the network is seriously affected, it may be difficult or impossible to access a stressed router. Also you have to maintain the ACL on all the network edge devices.
BCP 38 Can someone tell me what that is? It's filtering traffic to ensure that the source address is valid.
BCP 38
How can I filter for it? You'll need to use extended ACLs. But that's not going to scale if you have to manually maintain it. Add it to AAA profiles for dynamic clients.
ACLs!! Looks like this:
!
access-list 121 permit ip 192.168.0.0 0.0.0.255 any
access-list 121 deny ip any any log
!
interface Fa0/1
 description Local LAN
 ip access-group 121 in
!
ACLs A custom ACL for every interface in your network isn't really going to scale.
ip source guard Configured on Cisco switches it verifies port + mac + ip bindings. But requires DHCP so it knows what is configured where. Great for LANs. Not for peering.
Easy BCP38 Unicast Reverse Path Filtering (uRPF). Modes: strict, feasible, loose. Operates on a per-interface basis. Only operates at ingress.
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
http://leighfinch.net/cisco_wiki/index.php/unicast_reverse_path_forwarding
urpf - Strict The source address of the packet is checked to see if the arriving interface is the best path for the source address. If it isn't, the packet is dropped.
urpf - Feasible The source address of the packet is checked to see if the arriving interface is a possible path for the source address of the packet. If it isn t a possible path the packet is dropped.
urpf - Loose The router checks to see if there are any possible paths for the source address of the packet. If there are no valid routes for the address, it is dropped.
urpf I've only seen implementations of loose and strict. Interesting tip: if the best route is via Null0 the router will drop the packet.
BCP38 What are the applications of this? Anti-spoofing Junk traffic dropping Active network protection
Anti-Spoofing This prevents forged DDoS and reflection attacks being sourced from your network. Malware is no longer able to spoof source addresses, so it is unable to pretend to be someone else or randomise the source address.
Drop Junk Traffic Saves on maintaining ACLs for RFC1918 traffic and such. If you don't have a route for it, it gets dropped (or the route is Null). Pretty handy; like the communities, it saves changing ACLs and prefix lists all the time for provisioning.
Strict vs Loose For implementation, which should you use? For customers and downstream? Strict. For a peer where there is a chance of multiple paths? Should be Feasible, but we only have access to Loose.
Active Network Protection It also allows us to filter traffic we choose based on source. How can we do that? But how can we set the next hop to Null0? Not via static routes on every device! That's just silly. Perhaps via a routing protocol? Remember this is all done in hardware.
RTBH Real Time Black Hole Triggered using BGP.
DoS - RTBH Here we have a single source DoS.
DoS - RTBH Add in the Null0 next hops.
DoS - RTBH We set the target's route as the next hop.
DoS - RTBH But that router will drop ALL traffic destined for that target.
DDoS - RTBH For a DDoS.
DDoS - RTBH Okay, here we have triggered the blackhole. This time it's network-wide. Great, damage contained.
DDoS - RTBH But if the attack traffic is greater than our available link bandwidth (which is likely), then the network is still DoSed. What if we could signal our neighbours and ask them to drop it?
DDoS - RTBH But there is still a problem: the victim is still unreachable. :(
Can we do better? Kinda.
Take a step back Take another look at this diagram. What if we had uRPF enabled?
This would happen Any traffic sourced from the victim that passed through the black holing router would be dropped. Why?
Source RTBH So just the traffic from the attacker would be dropped. Success, the victim is still available to the rest of the internet? Would this work for a DDoS? (only reflection attacks) If it was a reflection how would you signal it to peers? But Arbor Networks will sell you a solution that will do it.
Traffic Analysis
How is that achieved? It's not too hard.
RTBH You can't pass an interface as a next-hop through BGP. Pick an address you're never going to use. Create a static route, ip route 192.0.2.1 255.255.255.255 Null0, on all the routers. Then create a route with 192.0.2.1 as the next hop. QED
But there are a couple of tricks to it. We'll go over those in the lab.
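As an added example that is not part of the original slides, covering both the uRPF modes above (strict, feasible, loose, and the tip that a best route via Null0 drops the packet) and the RTBH recipe just given: a Python model of one edge router's RIB with recursive next-hop resolution. The prefixes, interface names (Gi0/0 to Gi0/3), preferences and the attacker and victim addresses are constructed for the example; 192.0.2.1 as the blackhole next hop is the slides' own value. It is a simplified model, not IOS code: there is no default route, and equal-prefix routes with a worse preference stand in for BGP's non-best alternate paths.

```python
import ipaddress

NULL0 = "Null0"               # the discard interface
BLACKHOLE_NH = "192.0.2.1"    # address nobody uses; every router statically routes it to Null0


class Route:
    """One RIB entry. Either it points at an interface, or at a next-hop address
    that must be resolved recursively. Lower pref wins among equal-length prefixes."""
    def __init__(self, prefix, interface=None, next_hop=None, pref=10):
        self.prefix = ipaddress.ip_network(prefix)
        self.interface = interface
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.pref = pref


def candidates(rib, addr, include_alternates=False):
    """Longest-prefix match. By default only the best (lowest pref) routes for that
    prefix; with include_alternates, also the non-best paths (what feasible uRPF sees)."""
    addr = ipaddress.ip_address(str(addr))
    routes = [r for r in rib if addr in r.prefix]
    if not routes:
        return []
    longest = max(r.prefix.prefixlen for r in routes)
    routes = [r for r in routes if r.prefix.prefixlen == longest]
    if include_alternates:
        return routes
    low = min(r.pref for r in routes)
    return [r for r in routes if r.pref == low]


def egress(rib, route, depth=0):
    """Resolve a route to an outgoing interface, following recursive next hops."""
    if route.interface is not None:
        return route.interface
    if depth > 8:                  # guard against a next-hop loop in a broken RIB
        return None
    for r in candidates(rib, route.next_hop):
        iface = egress(rib, r, depth + 1)
        if iface is not None:
            return iface
    return None


def forward(rib, dst):
    """Interface a packet to dst leaves on; 'Null0' means discarded; None means no route."""
    for r in candidates(rib, dst):
        iface = egress(rib, r)
        if iface is not None:
            return iface
    return None


def urpf_accept(rib, mode, src, ingress):
    """Unicast RPF check on a packet with source src arriving on interface ingress."""
    if mode == "strict":       # best path back to the source must be the arriving interface
        paths = {egress(rib, r) for r in candidates(rib, src)}
        return ingress in paths
    if mode == "feasible":     # any path, best or alternate, may be the arriving interface
        paths = {egress(rib, r) for r in candidates(rib, src, include_alternates=True)}
        return ingress in paths
    if mode == "loose":        # some route must exist, and it must not resolve to Null0
        paths = {egress(rib, r) for r in candidates(rib, src)}
        return any(p is not None and p != NULL0 for p in paths)
    raise ValueError("unknown uRPF mode: " + mode)


def build_rib(rtbh_dst=None, rtbh_src=None):
    """Constructed RIB for one edge router. rtbh_dst / rtbh_src are hosts to blackhole."""
    rib = [
        Route("10.1.0.0/16", interface="Gi0/1"),             # a customer
        Route("10.2.0.0/16", interface="Gi0/2"),             # a peer, best path
        Route("10.2.0.0/16", interface="Gi0/3", pref=20),    # same peer, alternate path
        Route("198.51.100.0/24", interface="Gi0/2"),         # the attacker's network (constructed)
        Route("203.0.113.0/24", interface="Gi0/0"),          # the victim's network (constructed)
        Route(BLACKHOLE_NH + "/32", interface=NULL0),        # ip route 192.0.2.1 255.255.255.255 Null0
    ]
    if rtbh_dst:   # destination RTBH: victim /32 carried by BGP with the blackhole next hop
        rib.append(Route(rtbh_dst + "/32", next_hop=BLACKHOLE_NH))
    if rtbh_src:   # source RTBH: attacker /32 with the blackhole next hop, enforced by loose uRPF
        rib.append(Route(rtbh_src + "/32", next_hop=BLACKHOLE_NH))
    return rib


if __name__ == "__main__":
    normal = build_rib()
    print("victim reachable via:", forward(normal, "203.0.113.10"))
    print("customer address arriving on peer port, strict uRPF:",
          urpf_accept(normal, "strict", "10.1.3.4", "Gi0/2"))
    blackholed = build_rib(rtbh_dst="203.0.113.10", rtbh_src="198.51.100.7")
    print("victim after destination RTBH:", forward(blackholed, "203.0.113.10"))
    print("attacker source after source RTBH, loose uRPF:",
          urpf_accept(blackholed, "loose", "198.51.100.7", "Gi0/2"))
```

The destination blackhole works purely through recursion: the victim's /32 has no interface of its own, so the router resolves 192.0.2.1, finds the static Null0 route, and discards. The source blackhole needs nothing extra on the data plane either; loose uRPF on the peer interface sees the attacker's /32 resolve to Null0 and drops it, while a neighbouring address in the same /24 still passes and traffic to the victim keeps flowing.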
Other Methods There are other methods to protect against application and service attacks. But we re only dealing with things at the network layer. Other methods? Firewalls, IDS, application proxy and tcp proxy.
Quiz Time! What does RTBH stand for? What is BCP 38? How does Anycast work? What is a reflection attack? What's the difference between a service and bandwidth attack? Which is most dangerous?