Denial of Service Protection: Standardize Defense or Lose the War


Denial of Service Protection: Standardize Defense or Lose the War
ETSI: the threats, risks and opportunities, 16th and 17th, Sophia-Antipolis, France
By: Emir Arslanagic (emir@cw.net), Head of Security Engineering, Cable and Wireless

Vulnerability Lifecycle Risk (presented by Emir Arslanagic at INFORMATION SOCIETY CONNECTING EUROPE, Ljubljana 2002)
Risk over time:
- Vulnerability has been discovered; intruders are learning about the vulnerability
- Vulnerability is announced; some critical systems have been patched or protected
- Intruders have GUI tools and self-propagating malicious code
- Administrators panic: patch all systems and change firewall and networking rules
- Admins did not have enough resources to patch everything

08 November 2005 03:36, Subject: 6GB-20GB DDOS attack heading near you!!!
- 5 pps DNS TXT queries of 48 bytes are sent to a series of 100K+ DNS servers
- Response packets are between 4059 and 4162 bytes in size
- PROBLEM: misconfigured DNS
- SOLUTION: stop allowing open recursive lookups from external sources
- US-CERT is working on a product for public release that will hopefully raise awareness of the dangers of DNS servers that permit open recursion
This is NOT new. There were long-running DNS-smurf attacks in 2000!!!
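The e-mail above gives the raw numbers of a DNS reflection attack; the following added example (not part of the original deck, and not Cable & Wireless code) turns them into something you can check: it builds the kind of small TXT query with EDNS0 that elicits a multi-kilobyte answer, computes the amplification and the resulting bandwidth at the victim, and runs a simple reflection check over constructed flow records. The query name, the flow records and the detection thresholds are assumptions for illustration; nothing is sent on the network.

```python
"""DNS reflection/amplification as described in the 2005 e-mail:
(1) a small TXT query with EDNS0 on the wire,
(2) the arithmetic behind the 6-20 Gbps figure,
(3) a flow-level check for the reflection pattern at a victim.
Constructed data only; nothing is sent on the network."""
import struct
from collections import defaultdict


def build_txt_query(name, txid=0x1234, edns_udp_size=4096):
    """DNS TXT query with an EDNS0 OPT record advertising a large UDP buffer,
    which is what lets an open resolver return a ~4 KB answer in one datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags: RD; QDCOUNT=1, ARCOUNT=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 16, 1)                # QTYPE TXT, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0 (ext. rcode/flags), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query_bytes, response_bytes):
    """Bytes returned to the victim per byte the attacker sends to a reflector."""
    return response_bytes / query_bytes


def reflected_bandwidth_bps(reflectors, queries_per_second, response_bytes):
    """Traffic arriving at the victim when every reflector answers every query."""
    return reflectors * queries_per_second * response_bytes * 8


# Constructed flow records (assumed format): (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("198.51.100.1", 53, "203.0.113.7", 12345, 50, 205_000),
    ("198.51.100.2", 53, "203.0.113.7", 12345, 48, 198_000),
    ("198.51.100.3", 53, "203.0.113.7", 12345, 52, 212_000),
    ("198.51.100.4", 53, "203.0.113.7", 12345, 49, 201_000),
    ("192.0.2.10", 53, "203.0.113.9", 40001, 3, 300),        # ordinary small answers
    ("192.0.2.11", 80, "203.0.113.9", 40002, 10, 15_000),    # web traffic, not DNS
]


def find_reflection_victims(flows, min_reflectors=3, min_avg_bytes=1000):
    """Group flows sourced from UDP/53 by destination and flag destinations that
    receive large answers from many distinct DNS servers.
    Returns {victim_ip: (number_of_reflectors, average_bytes_per_packet)}."""
    per_dst = defaultdict(lambda: [set(), 0, 0])   # dst -> [sources, packets, bytes]
    for src, sport, dst, _dport, pkts, byts in flows:
        if sport != 53:
            continue
        entry = per_dst[dst]
        entry[0].add(src)
        entry[1] += pkts
        entry[2] += byts
    victims = {}
    for dst, (sources, pkts, byts) in per_dst.items():
        avg = byts / pkts
        if len(sources) >= min_reflectors and avg >= min_avg_bytes:
            victims[dst] = (len(sources), round(avg, 1))
    return victims


if __name__ == "__main__":
    print(len(build_txt_query("isc.org")), "byte query payload")
    print("amplification at 48 -> 4059 bytes:", amplification_factor(48, 4059))
    print("100K reflectors x 5 pps x 4100 B:", reflected_bandwidth_bps(100_000, 5, 4100) / 1e9, "Gbps")
    print(find_reflection_victims(FLOWS))
```

With the e-mail's figures, 100K reflectors each answering 5 queries per second with ~4100-byte packets is about 16 Gbps at the victim, which is where the "6GB-20GB" in the subject line comes from; the flow check flags 203.0.113.7 because four distinct servers are returning ~4100 bytes per packet to it, while the host receiving ordinary 100-byte answers from a single resolver is not flagged.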

What We Need???
No matter how many times you save the Internet, it always manages to get back into jeopardy again.

Agenda
- What is DoS
- Standardization efforts to protect from DoS
- Security and DoS protection
- DoS tracking
- Black-holing
- Anti-spoofing
- Real DDoS protection: how does it work
- DoS protection powered by ISP and ASP
- Where to go from here

What Is Denial of Service
- DoS is an incident in which a system is deprived of the resources it would normally have
- DoS is usually a target-of-choice risk, and very often related to extortion or racketeering
- DoS usually targets publicly available services that make money (extortion), or opinionated portals (political violence)
- Distributed DoS sometimes involves more than a hundred thousand bots
- It is estimated that close to 10 million networked computers are a potential source of DoS

Standardization Efforts
IETF
- RFCs (denial of service has become a serious consideration): RFC 3704, ingress filtering for multihomed networks; RFC 3882, configuring BGP to block denial-of-service attacks
- Drafts: Internet denial of service considerations (M. Handley, E. Rescorla); Protecting Internet routing infrastructure from outsider DoS attacks (Zinin)
ITU
- Recognises spam as a threat to the Internet
- No work has been done on DoS prevention and protection
USA
- "Government policy for cyber security relies on voluntary and cooperative action by the private sector and has, until now, explicitly rejected the use of mandate or regulation." (James Andrew Lewis, CSIS, Oct. 2005)
- Many informal information exchange means are established to facilitate cooperation
ETSI
- Improving regulation related to NGN

Extraordinarily Complex Security
- Security is currently where networking was 15 years ago
- Multiple, complex components
- Lack of expertise in the industry
- No common GUIs
- Lack of standards
- Attacks are growing
- Customers require security for business
- Vulnerability management is time consuming
Source: Dr. Bill Hancock, Cable & Wireless

DDoS Protection
History of DoS protection:
- DoS tracker
- Black-holing and sinking: the customer is impacted
- Inline protection is not sufficient
- The only solution is to stop attacks as close as possible to the source: uRPF, sound security practices, traffic cleaning

Current Issues
- Multiple groups are involved in extortion
- From 300 to 1 million+ devices involved
- Sophisticated full-spectrum attacks: TCP connection attack (SYN attack), URL attack, UDP flood, ICMP flood, TCP flood, malformed packets
- It is not getting better

DDoS Traffic Black-holing or Sinking
When a DoS is detected, a /32 route for the victim is assigned a BGP community that routes it to null (black-holing) or to a local server (sinking).
Benefit: remote ISPs that pay a high price for the link to the upstream provider no longer carry the attack traffic over it.
Downside: the attacker has succeeded in their intent; the victim IP is unreachable.

Diagram: attack networks and the attacker's network send traffic through the service provider's IP network (NOC, switch) toward the victim network; user and enterprise networks share the same provider.

Diagram: the NOC announces 141.1.1.1/32 with community 1273:100 into the IP network; the victim network (141.1.1.1) sits behind the switch, with peers and customers at the edge.

DDoS-tracker DCU Approach
When a DDoS is detected, a /32 route for the victim is assigned a BGP community with the instruction to count packets. Using SNMP or syslog, the counts are presented to the NOC. On the interfaces with the highest packet counts, ACLs are manually applied to protect the victim IP.

Diagram: the same provider topology (peers, switch, IP network, NOC, customers, victim network) before the counting route is announced.

Diagram: the NOC announces 141.1.1.1/32 with community 1273:31 into the IP network; the victim network (141.1.1.1) sits behind the switch, with peers and customers at the edge.
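The black-holing/sinking slides and the DDoS-tracker (DCU) slides both rely on the same mechanism: the NOC injects a host route for the victim tagged with a community, and every edge router's import policy turns that tag into an action. The following added example (not part of the original deck, and not Cable & Wireless's configuration) models that policy and walks through the two phases: count first, so the NOC can see which ingress interfaces carry the attack while the victim stays reachable, then black-hole the /32 everywhere. Communities 1273:100 (black-hole) and 1273:31 (count) are taken from the slides; the sinkhole community 1273:200, the next-hop address, the interface names and the packet mix are assumptions.

```python
"""Community-driven handling of a victim /32: black-holing, sinking and DCU counting
on an edge router. Constructed model, not a vendor's or Cable & Wireless's code."""
import ipaddress
from collections import Counter

# Community -> (action, next hop). 1273:100 and 1273:31 are from the slides;
# 1273:200 and the sinkhole address are assumed for illustration.
COMMUNITY_ACTIONS = {
    "1273:100": ("blackhole", "Null0"),        # drop at every edge router
    "1273:200": ("sinkhole", "192.0.2.254"),   # divert to a local analysis server
    "1273:31":  ("count", None),               # DCU: forward normally, count per ingress interface
}


class EdgeRouter:
    def __init__(self, name):
        self.name = name
        self.policy = {}          # host prefix -> (action, next_hop)
        self.counts = Counter()   # (prefix, ingress interface) -> packets

    def import_route(self, prefix, communities):
        """Import policy for the NOC's feed: /32 only, first recognised community wins."""
        net = ipaddress.ip_network(prefix)
        if net.prefixlen != 32:
            raise ValueError("RTBH feed accepts only host routes, got %s" % prefix)
        for community in communities:
            if community in COMMUNITY_ACTIONS:
                self.policy[net] = COMMUNITY_ACTIONS[community]
                return self.policy[net]
        raise ValueError("no action community on %s" % prefix)

    def withdraw_route(self, prefix):
        self.policy.pop(ipaddress.ip_network(prefix), None)

    def forward(self, dst_ip, ingress_if):
        """Per-packet decision: 'forward', 'drop' or 'sinkhole:<next-hop>'."""
        net = ipaddress.ip_network(dst_ip + "/32")
        action, next_hop = self.policy.get(net, ("forward", None))
        if action == "count":
            self.counts[(str(net), ingress_if)] += 1   # what SNMP/syslog later report to the NOC
            return "forward"
        if action == "blackhole":
            return "drop"
        if action == "sinkhole":
            return "sinkhole:" + next_hop
        return "forward"

    def top_ingress(self, prefix, n=2):
        """The NOC's view: ingress interfaces ranked by packets toward the victim."""
        ranked = [(iface, pkts) for (p, iface), pkts in self.counts.items() if p == prefix]
        return sorted(ranked, key=lambda x: -x[1])[:n]


def dcu_then_blackhole():
    """Phase 1: count (victim stays reachable). Phase 2: black-hole the /32."""
    router = EdgeRouter("edge1")
    victim = "141.1.1.1"
    router.import_route(victim + "/32", ["1273:31"])
    constructed_mix = [("peer-A", 700), ("peer-B", 250), ("cust-C", 5)]  # packets per ingress
    for iface, pkts in constructed_mix:
        for _ in range(pkts):
            router.forward(victim, iface)
    hottest = router.top_ingress(victim + "/32")       # where the NOC would apply ACLs
    router.import_route(victim + "/32", ["1273:100"])  # attack too big for ACLs: black-hole
    victim_verdict = router.forward(victim, "peer-A")
    neighbour_verdict = router.forward("141.1.1.2", "peer-A")  # rest of the /24 unaffected
    return hottest, victim_verdict, neighbour_verdict


if __name__ == "__main__":
    print(dcu_then_blackhole())
```

The /32 restriction in the import policy is the check a practitioner wants on such a feed: a mistaken or compromised announcement of a shorter prefix with the black-hole community would take down far more than one victim, and rejecting it at import is cheaper than discovering it from customer calls.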

DDoS-tracker screen shot (image only)

Ingress Filtering
- Strict Reverse Path Forwarding: only symmetrical routing passes
- Feasible Path Reverse Path Forwarding: alternative paths are added and are valid for consideration
- Loose Reverse Path Forwarding: route presence check only
Why does this not work?
- It prevents only spoofed packets
- Not all ISPs are implementing it
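To make the three uRPF modes and the slide's objection concrete, the following added example (not part of the original deck, and not any vendor's implementation) checks packets against a small routing table in strict, feasible-path and loose mode. The interface names, prefixes and test packets are constructed for illustration; the treatment of the default route (ignored unless explicitly allowed) follows what router implementations commonly offer as an option.

```python
"""The three uRPF modes from the ingress-filtering slide, checked against a small
routing table, with the cases that show why anti-spoofing alone does not stop a DDoS.
Constructed example; interfaces and prefixes are invented."""
import ipaddress


class Rib:
    """prefix -> {"best": interfaces on the best path, "alt": feasible alternative paths}."""

    def __init__(self):
        self.entries = {}

    def add(self, prefix, interface, best=True):
        entry = self.entries.setdefault(ipaddress.ip_network(prefix), {"best": set(), "alt": set()})
        entry["best" if best else "alt"].add(interface)

    def match(self, ip, allow_default=False):
        """Longest-prefix match; the default route does not count unless explicitly allowed,
        otherwise loose mode would pass every source address."""
        addr = ipaddress.ip_address(ip)
        candidates = [n for n in self.entries
                      if addr in n and (allow_default or n.prefixlen > 0)]
        if not candidates:
            return None
        return self.entries[max(candidates, key=lambda n: n.prefixlen)]


def urpf(mode, rib, src_ip, ingress, allow_default=False):
    """True if the packet passes the check, False if uRPF would drop it."""
    entry = rib.match(src_ip, allow_default)
    if entry is None:
        return False                                        # no route back to the source at all
    if mode == "loose":
        return True                                         # route presence is enough
    if mode == "feasible":
        return ingress in (entry["best"] | entry["alt"])    # any valid path, not just the best
    if mode == "strict":
        return ingress in entry["best"]                     # only symmetrical routing passes
    raise ValueError("unknown uRPF mode: %s" % mode)


def build_rib():
    rib = Rib()
    rib.add("0.0.0.0/0", "transit")
    rib.add("203.0.113.0/24", "cust-A")              # multihomed customer, best path
    rib.add("203.0.113.0/24", "cust-B", best=False)  # alternative path: return traffic may be asymmetric
    rib.add("198.51.100.0/24", "peer-X")
    return rib


# (source address, ingress interface) -> what the packet really is
CASES = {
    ("203.0.113.5", "cust-B"): "legitimate, asymmetric path",
    ("198.51.100.9", "cust-A"): "spoofed, source is routable elsewhere",
    ("203.0.113.200", "cust-A"): "spoofed within the customer's own prefix",
    ("10.0.0.1", "cust-A"): "spoofed, source has no route",
}

MODES = ("strict", "feasible", "loose")


def evaluate(rib=None):
    """Verdict of each mode for each constructed packet: {label: {mode: passes}}."""
    if rib is None:
        rib = build_rib()
    return {label: {m: urpf(m, rib, src, ingress) for m in MODES}
            for (src, ingress), label in CASES.items()}


if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print("%-45s %s" % (label, verdicts))
```

The results are the slide's argument in miniature: strict mode drops the legitimate packet that arrives over the customer's alternative link, which is why operators hesitate to deploy it on multihomed customers; feasible-path mode accepts it while still catching the source that is routed elsewhere; loose mode only catches sources with no route at all. None of the modes catches a bot that spoofs an address inside its own prefix, or stops a flood that uses no spoofing, so uRPF removes one attack ingredient rather than the attack.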

Real DoS Protection
- Must be scalable
- Must be available to all customers
- Must protect backbone infrastructure
- Must let good packets through
- Must detect bad sites
- Must NOT impact operation
- Must NOT add an additional point of failure in the network
- Must be implemented globally

Real DoS Protection
Diagrams (two slides): the same provider topology (peers, switch, IP network, NOC, customers, victim network), used to show where the protection function sits.

Things to Consider
- Do Internet users have a right to expect only benign packets to be sent to them???
- Road and car analogy: at the beginning the primary goal was to increase road coverage and car speed; passenger safety was not considered seriously until the seventies
- Moore's law is working for us. Or is there another killer application that will eat all available bandwidth?
- Cleaning function in every switch
- Standardization will come when the technology is ready

Real DoS Protection: Where Is the Value?
- Education, and education
- If one customer in a data center is the target, all customers are victims
- The bandwidth needed for normal operation bears no relation to the bandwidth needed for protection
- Targets are usually content providers, enterprises and opinionated organizations
- Victims are all of us if there is no protection
- The insurance model is the closest: how much insurance can you afford?

NGN VoIP Interconnects
- SBCs are becoming the de facto standard
- Should we demand packet inspection and cleaning?
- Is it too early? Can we be too late?

Questions
emir@cw.net