Denial of Service Protection Standardize Defense or Loose the War ETSI : the threats, risk and opportunities 16th and 17th - Sophia-Antipolis, France By: Emir@cw.net Arslanagic Head of Security Engineering Cable and Wireless 1
Vulnerability Lifecycle Risk Admins did not have enough resources to patch everything. Intruders have GUI tools, and self propagating malicious code Vulnerability has been discovered Presented by Emir Arslanagic @ INFORMATION SOCIETY CONNECTING EUROPE, Ljubjana 2002 Time 2 Administrators panic patch all systems and Change FW and networking rules Intruders are learning about vulnerability Vulnerability is announced. Some critical systems have been patched or protect
08 November 2005 03:36 Subject: 6GB-20GB DDOS attack heading near you!!! 5pps DNS TXT queries size of 48 bytes are sent to a series of 100K+ DNS servers Response packets are between 4059 and 4162 bytes in size POBLEM: miss configured DNS SOLUTION: stop allowing open recursive lookups from external sources US-CERT is working on a product for public release that will hopefully raise awareness on the dangers of DNS servers that permit open recursion This is NOT new. There where a long running dns-smurf attacks in 2000!!! 3
What We Need??? No matter how many times you save the Internet it always manages to get back in to jeopardy again 4
Agenda What is dos Standardizations efforts to protect from dos Security and dos protection Dos tracking Black-holing Anti-spoofing Real DDoS protection How does it work DOS protection powered by ISP and ASP Where to go from here 5
What Is Denial of Service DoS is an incident in which a system is deprived of the resources it would normally have DoS is usually a target of choice risk, and very often related to extortion or racketeering DoS usually targets publicly available services that make money (extortion), or other opinioned portals (political violence) Distributed DoS sometimes involves more then hundred thousands boots It s estimate that close to 10 million networked computers are a potential source of DoS 6
Standardization Efforts IETF RFCs (denial of service has become serious consideration) 3704 ingress filtering for Multihomed networks 3882 configuring BGP to block denial-of-service attacks Drafts Internet denial of service considerations (M. Handley, E. Rescorla ) Protecting internet routing infrastructure from outsider dos attacks (Zinin) ITU Recognise spam as a threat to the internet No work has been done on DOS prevention and protection USA Government policy for cyber security relies on voluntary and cooperative action by the private sector and has, until now, explicitly rejected the use of mandate or regulation. (By James Andrew Lewis CSIS, Oct. 2005) Many informal information exchange means are established to facilitate cooperation ETSI Improving regulation related to NGN 7
Extraordinarily Complex Security Security is currently where networking was 15 years ago Multiple, complex components Lack of expertise in the industry No common GUIs Lack of standards Attacks are growing Customers require security for business Vulnerability Management is time consuming Source: Dr. Bill Hancock, Cable & Wireless 8
DDoS Protection History of DOS protection DOS tracker Black-holing Sinking Customer is impacted Inline protection is not sufficient Only solution is to stop attacks as close as possible to source urpf Sound security practices Traffic cleaning 9
Current Issues Multiple groups are involved in extortion From 300 to 1mil.+ devices involved Sophisticated full spectrum attacks TCP connection attack; syn attack URL attack UDP flood ICMP flood TCP flood Malformed packets It is not getting better 10
DDoS Traffic Black-holing or Sinking When DOS is detected /32 routes is assign to BGP community that routes to null (black-holing) or to local server (sinking). Benefit: Remote ISPs that are paying high price for link to the upstream provider. Downside: Attacker has succeeded in their intent, victim IP is unreachable. 11
DDoS Traffic Black-holing or Sinking Attack Network Attacker Network Service Provider Switch Victim Network Attacker Network IP Network User Network NOC Attack Network Enterprise Network 12
DDoS Traffic Black-holing or Sinking Peers Switch 141.1.1.1/32 Community 1273:100 Victim Network IP Network 141.1.1.1 Peers NOC Customers Customers 13
DDOS-tracker DCU Approach When DDOS is detected /32 routes is assign to BGP community with instruction to count packets. Using SNMP or Syslog counts are presented to NOC. On interfaces with highest number of packets ACLs are manually applied to protect victim IP. 14
DDOS-tracker DCU Approach Peers Switch Victim Network IP Network Peers NOC Customers Customers 15
DDOS-tracker DCU Approach Peers Switch 141.1.1.1/32 Community 1273:31 Victim Network IP Network 141.1.1.1 Peers NOC Customers Customers 16
DDOS-tracker Screen Shot 17
Ingress Filtering Strict Reverse Path Forwarding Only symmetrical routing Feasible Path Reverse Path Forwarding alternative paths have been added and they are valid for consideration Loose Reverse Path Forwarding route presence check Why this does not work? Prevent only spoofed packets Not all ISPs are implementing it 18
Real DOS Protection Must be scalable Must be available to all customers Must protect backbone infrastructure Must let good packets trough Must detect bad sites Must NOT impact operation Must NOT add additional point of failure in the network Must be implemented globally 19
Real DOS Protection Peers Switch Victim Network IP Network Peers NOC Customers Customers 20
Real DOS Protection Peers Switch Victim Network IP Network Peers NOC Customers Customers 21
Things to Consider Does internet users have a right to expect only benign packets to be send to them??? Road and car analogy At the beginning was primary goal to increase road coverage and car speed. Passenger safety has not been consider seriously until seventies Moor s law is working for us Or Is there another killer application that will eat all available bandwidth? Cleaning function in every switch Standardization will come when technology is ready 22
Real DOS Protection Where Is the Value? Education and Education If one customer in data center is target all customers are victims Bandwidth that we need for normal operation is not in any relation with bandwidth that we need for protection Targeted are usually content provider, enterprises and opinionated organizations Victims are all of us if there is no protection Insurance model is the closest, how much insurance you can afford 23
NGN VoIP Interconnects SBCs are becoming de-facto standards Should we demand packet inspection and cleaning? Is it to early? Can we be to late? 24
Questions emir@cw.net 25