Prevent DoS using IP source address spoofing

Similar documents
Securing network infrastructure

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Configuring ARP attack protection 1

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

Chapter 7. Denial of Service Attacks

Configuring ARP attack protection 1

Contents. Configuring urpf 1

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Unicast Reverse Path Forwarding Loose Mode

IPv6 Commands: ipv6 su to m

Data Plane Protection. The googles they do nothing.

Cloudflare Advanced DDoS Protection

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

UDP-based Amplification Attacks and its Mitigations

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

HP High-End Firewalls

HP High-End Firewalls

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

Configuring Unicast RPF

IPv6 Security Safe, Secure, and Supported.

Configuring IP Services

Denial of Service (DoS)

Network Security. Thierry Sans

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

DNS Security. Ch 1: The Importance of DNS Security. Updated

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

CSE 565 Computer Security Fall 2018

ICS 451: Today's plan

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Technical White Paper June 2016

COMPUTER NETWORK SECURITY

Welcome to PHOENIX CONTACT Routing

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Remember Extension Headers?

ARP attack protection commands

Firewall Stateful Inspection of ICMP

DDoS Testing with XM-2G. Step by Step Guide

Configuring attack detection and prevention 1

Configuring Unicast Reverse Path Forwarding

H3C S10500 Attack Protection Configuration Examples

Guide to DDoS Attacks November 2017

DDoS and Traceback 1

Cisco CCIE Security Written.

History Page. Barracuda NextGen Firewall F

Network Infra Security Filtering at the Border. Network Security Workshop April 2017 Bali Indonesia

Example: Conditionally Generating Static Routes

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

Network Configuration Example

Lab - Troubleshooting ACL Configuration and Placement Topology

Configuring Dynamic ARP Inspection

Cisco Implementing Cisco IP Routing (ROUTE v2.0)

Multicast operational concerns

Routing and router security in an operator environment

Configuring Dynamic ARP Inspection

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

H3C SecPath Series High-End Firewalls

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

Network Policy Enforcement

Configuring attack detection and prevention 1

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

20-CS Cyber Defense Overview Fall, Network Basics

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Computer Security: Principles and Practice

Introduction to Network. Topics

Configuring IP Services

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Denial of Service Protection Standardize Defense or Loose the War

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Memcached amplification: lessons learned. Artyom Gavrichenkov

Configuring Unicast Reverse Path Forwarding

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Denial of Service. EJ Jung 11/08/10

IPv6 DEPLOYMENT GLOBAL TRANSIT COMMUNICATIONS. Presented by Mark Tinka Chief Network Architect Global Transit Kuala Lumpur, Malaysia

Unit 4: Firewalls (I)

Symbols I N D E X. (vertical bar), string searches, 19 20

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Network Security. Tadayoshi Kohno

HP Load Balancing Module

ICMP. Routing TCP. Sequence Number Guessing Attack

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Detection of DNS Traffic Anomalies in Large Networks

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

Transaction oriented DNS flow analysis (WIP)

ip dhcp-client network-discovery through ip nat sip-sbc

Using DNS Service for Amplification Attack

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Juniper Exam JN0-696 Security Support, Professional (JNCSP-SEC) Version: 9.0 [ Total Questions: 71 ]

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

SecBlade Firewall Cards Attack Protection Configuration Example

LARGE SCALE IP ROUTING

Network Infrastructure Filtering at the border. Cyber Security & Network Security March, 2017 Dhaka, Bangladesh

Transcription:

Prevent DoS using IP source address spoofing MATSUZAKI maz Yoshinobu <maz@iij.ad.jp> 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 1

ip spoofing creation of IP packets with source addresses other than those assigned to that host 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 2

Malicious uses with IP spoofing impersonation session hijack or reset hiding flooding attack reflection ip reflected attack 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 3

impersonation sender ip spoofed packet src: partner dst: victim partner Oh, my partner sent me a packet. I!"l process this. victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 4

hiding sender src: random dst: victim ip spoofed packet Oops, many packets are coming. But, who is the real source? victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 5

reflection sender ip spoofed packet src: victim dst: reflector reflector reply packet src: reflector dst: victim Oops, a lot of replies without any request victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 6

ip reflected attacks smurf attacks icmp echo (ping) ip spoofing(reflection) amplification(multiple replies) dns amplification attacks dns query ip spoofing(reflection) amplification(bigger reply/multiple replies) 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 7

amplification 1. multiple replies Sender 2. bigger reply Sender 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 8

ip reflected attacks attacker ip spoofed packets open amplifier replies victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 9

smurf attack ip spoofed ping Attacker ICMP echo replies victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 10

dns amplification attack Attacker ip spoofed DNS queries DNS DNS DNS DNS DNS replies victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 11

relations dns amp attack DNS root-servers Command&Control stub-resolvers DNS full-resolvers DNS DNS IP spoofed DNS queries tld-servers DNS example-servers botnet victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 12

solutions for ip reflected attacks attacker ip spoofed packets open amplifier prevent ip spoofing replies disable open amplifiers victim 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 13

two solutions disable open amplifier disable directed-broadcast disable open recursive DNS server contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer. prevent ip spoofing!! source address validation BCP38 & BCP84 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 14

Source Address Validation Check the source ip address of ip packets filter invalid source address filter close to the packets orign as possible filter precisely as possible If no networks allow ip spoofing, we can eliminate these kinds of attacks 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 15

close to the origin You are spoofing!! RT.a srcip: 0.0.0.0 You are spoofing! srcip: 0.0.0.0 RT.b! You are spoofing!! srcip: 0.0.0.0 10.0.0.0/23 Hmm, this looks ok...but.. srcip: 10.0.0.1 srcip: 10.0.0.1 You are spoofing!!! You are spoofing! 10.0.3.0/24 srcip: 10.0.0.1 we can check and drop the packets which have unused address everywhere, but used space can be checked before aggregation 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 16

how to configure the checking ACL packet filter permit valid-source, then drop any urpf check check incoming packets using routing table look-up the return path for the source ip address loose mode can t stop ip reflected attacks use strict mode or feasible mode 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 17

cisco ACL example ISP Edge Router point-to-point 10.0.0.0/30 ip access-list extended fromcustmer permit ip 192.168.0.0 0.0.255.255 any permit ip 10.0.0.0 0.0.0.3 any deny ip any any! interface Gigabitethernet0/0 ip access-group fromcustomer in! customer network 192.168.0.0/24 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 18

juniper ACL example point-to-point 10.0.0.0/30 ISP Edge Router customer network 192.168.0.0/24 firewall family inet { filter fromcustomer { term CUSTOMER { from source-address { 192.168.0.0/16; 10.0.0.0/30; } then accept; } term Default { then discard; } } } [edit interface ge-0/0/0 unit 0 family inet] filter { input fromcustomer; } 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 19

cisco urpf example ISP Edge Router point-to-point 10.0.0.0/30 interface Gigabitethernet0/0 ip verify unicast source reachable-via rx customer network 192.168.0.0/24 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 20

juniper urpf example ISP Edge Router point-to-point 10.0.0.0/30 [edit interface ge-0/0/0 unit 0 family inet] rpf-check; customer network 192.168.0.0/24 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 21

IIJ s policy peer ISP upstream ISP IIJ/AS2497 customer ISP single homed static customer multi homed static customer urpf strict mode urpf loose mode 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 22

ACL and urpf ACL deterministic! statically configured maintenance of access-list " urpf easy to configure! care about asymmetric routing " strict mode is working well only for symmetric routing loose mode can t stop the ip reflected attack there is no good implementation of feasible mode 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 23

END 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback