Distributed Denial of Service

Distributed Denial of Service. Vimercate, 17 May 2005. anegroni@cisco.com. DDoS 1

Agenda: PREFACE; EXAMPLE: TCP; EXAMPLE: DDoS; CISCO'S DDoS SOLUTION COMPONENTS; MODES OF PROTECTION DETAILS 2

Distributed Denial of Service PREFACE 3

What are DDoS Attacks?
Name: DISTRIBUTED DENIAL OF SERVICE
What: DDoS attacks block legitimate users from accessing network resources
How: DDoS attacks block network resources (Infrastructure, DNS, Mail, Web and more)
Where: DDoS attacks enter the network from all directions
When: DDoS attacks happen every day and all over the Internet 4

Dollar Amount of Losses by Type 5

Denial of Service Background: TWO VARIANTS
LOGICAL: software-related vulnerability (SMBNUKE)
FLOODING: CPU, Bandwidth, Memory (SYN FLOOD) 6

Denial of Service EXAMPLE: TCP 7

Normal TCP/IP Connection Initiation: TCP Client sends SYN; TCP Server replies SYN/ACK; TCP Client sends ACK. 9

TCP SYN: The TCP server will hold the SYN in SYN_RCVD state until timeout. Multiple SYNs open multiple SYN_RCVD entries waiting. This continues until the full memory area allocated for maintaining TCP state is exhausted. Once the memory area is exhausted, the waiting SYN_RCVDs are FIFOed out of the table. (Diagram: the TCP queue in memory, a table of slots each marked FREE or SYN_RCVD.) A TCP SYN requires the server to allocate memory, so the total amount of available memory becomes a finite resource which can be DoSed. 11

SYN+ACK RTT: Round Trip Time (RTT) is the interval between the sending of the SYN+ACK and reception of the corresponding ACK from the other host. (Diagram: TCP Client sends SYN at time 0, TCP Server answers SYN/ACK, and the ACK may or may not come back.) The SYN+ACK RTT is the time it takes between the SYN+ACK and the ACK. 14

TCP SYN-Flood: the SYN_RCVD entry gets pushed out. (Diagram: an Attacker sends a stream of SYNs; a Valid User sends SYN, receives SYN/ACK, sends ACK and then Data, and gets Silence??; on the TCP Server the SYN_RCVD table fills and the oldest entries are dropped.) The valid user gets to the ACK, but the server does not set up the connection: there is no SYN_RCVD entry waiting when the ACK gets back. 17

Distributed Denial of Service EXAMPLE: DDoS 19

How do DDoS Attacks Start? Innocent PCs & Servers turn into Zombies. (Diagram: zombies directing traffic at DNS and Email servers.) 21

Types and Influence of DDoS Attacks. Attack zombies: use valid protocols; spoof source IP; massively distributed. Server-level DDoS attacks (DNS, Email). 22

DDoS Mitigation CISCO S DDoS SOLUTION COMPONENTS 23

DDoS Defense In Action: 1. Detect (Cisco Detector XT). 2. Activate: Auto/Manual. 3. Divert Only Target's Traffic (BGP Announcement draws it to the Cisco Guard XT). Protected Zone 1: Web; Protected Zone 2: Name Servers (the Target); Protected Zone 3: E-Commerce Applications. 25

DDoS Defense In Action: 4. Identify and Filter the Malicious (Cisco Guard XT). 5. Forward the Legitimate traffic to the zone. 6. Non-Targeted Traffic Flows Freely. Protected Zone 1: Web; Protected Zone 2: Name Servers (the Target); Protected Zone 3: E-Commerce Applications. 26

Cisco DDoS Solution Appliances and Service Modules.
DDoS Mitigation: Cisco Guard XT 5650 / Cisco Anomaly Guard Module: attack ANALYSIS AND MITIGATION; diverts traffic flows for ON-DEMAND SCRUBBING.
DDoS Detection: Cisco Traffic Anomaly Detector XT 5600 / Cisco Traffic Anomaly Detector Module: attack DETECTION to support on-demand, shared scrubbing; CPE LEARNING for managed service; monitors a COPY OF TRAFFIC.
Maximum deployment flexibility; similar functionality and performance; interoperable for mixed deployments. 27

Key Solution Benefits.
Detects and Mitigates DDoS attacks: dynamically identifies and blocks malicious attack traffic; ensures infrastructure stability and business continuity; ensures legitimate users get access to network resources.
Not on the critical path or inline: has minimal impact on routers, switches and infrastructure.
High Scalability and Performance: multi-Gigabit performance; optional clustering. 28

High Performance and Capacity: 1 MPPS+ (most attacks, good and bad traffic, typical features); CLUSTERING TO 8 GUARDS for a single protected host. Capacity: 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector). Latency or jitter: < 1 MSEC 29

DDoS Mitigation MODES OF PROTECTION DETAILS 30

Measured Response: Modes of Protection.
CISCO DETECTOR
Learning: periodic observation of patterns to update baseline profiles.
Detection: passive monitoring of a copy of the traffic. -> Attack Detected
CISCO GUARD
Analysis: diversion for more granular in-line analysis; flex filters, static and bypass filters in operation; all flows forwarded but analyzed for anomalies. -> Anomaly Identified
Basic Protection: basic anti-spoofing applied; analysis for continuing anomalies. -> Anomaly Verified
Strong Protection: strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources. 31

Multi-Verification Process (MVP): Integrated Defenses in the Guard XT. Apply anti-spoofing to block malicious flows; dynamically insert specific filters to block attack flows & sources; detect anomalous behavior & identify precise attack flows and sources; apply rate limits. (Diagram: legitimate + attack traffic enters, passes Dynamic & Static Filters -> Active Verification -> Statistical Analysis -> Layer 7 Analysis -> Rate Limiting, and only legitimate traffic goes on to the target.) 32

From Analysis to Basic: Statistical Inspection of SRC_IP 12.10.8.5 -> to-user-filter: basic 37

From Analysis to Basic: Statistical Inspection; SRC_IP 12.10.8.5 in basic; legitimate traffic vs. spoofed traffic; Rate Limit 38

Basic/Redirect for HTTP Services. Client (Source) IP 201.2.3.4 -> Guard -> Zone (Destination) www.cisco.com 39
Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x)
Guard: Is Source IP 201.2.3.4 Authenticated? NO. Generate unique cookie for IP 201.2.3.4.
Guard -> Client: SYN ACK (seq=cookie; ack=x+1)
Client -> Guard: ACK (seq=x+1; ack=cookie+1). If the cookie is valid, authenticate IP 201.2.3.4.
Client -> Guard: GET (http://www.cisco.com)
Guard -> Client: REDIRECT (tells the client to refresh the session and repeat the HTTP request), then FIN
Client -> Guard: SYN (SrcIP=201.2.3.4; seq=y)
Guard: Is Source IP 201.2.3.4 Authenticated? YES
Guard -> Zone: SYN (seq=y); Zone -> Guard: SYN ACK (seq=z; ack=y+1); Client/Guard -> Zone: ACK (seq=y+1; ack=z+1); GET (http://www.cisco.com); Zone -> Client: DATA

Spoofed Attack example. Client (Source) IP 201.2.3.10 -> Guard -> Zone (Destination) 40
Client -> Guard: SYN (SrcIP=7.0.0.1; seq=x; Port=80). Guard: Is Source IP 7.0.0.1 Authenticated? NO. Generate unique cookie for IP 7.0.0.1. Guard -> 7.0.0.1: SYN ACK (seq=cookie; ack=x+1)
Client -> Guard: SYN (SrcIP=7.0.0.2; seq=y; Port=80). Guard: Is Source IP 7.0.0.2 Authenticated? NO. Generate unique cookie for IP 7.0.0.2. Guard -> 7.0.0.2: SYN ACK (seq=cookie; ack=y+1)
Client -> Guard: SYN (SrcIP=10.0.0.1; seq=z; Port=80). Guard: Is Source IP 10.0.0.1 Authenticated? NO. Generate unique cookie for IP 10.0.0.1. Guard -> 10.0.0.1: SYN ACK (seq=cookie; ack=z+1)
Client -> Guard: SYN (SrcIP=10.0.0.3; seq=a; Port=80). Guard: Is Source IP 10.0.0.3 Authenticated? NO. Generate unique cookie for IP 10.0.0.3. Guard -> 10.0.0.3: SYN ACK (seq=cookie; ack=a+1)
Client -> Guard: SYN (SrcIP=7.7.7.7; seq=b; Port=80). Guard: Is Source IP 7.7.7.7 Authenticated? NO. Generate unique cookie for IP 7.7.7.7. Guard -> 7.7.7.7: SYN ACK (seq=cookie; ack=b+1)
Zone (Destination): receives nothing.
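Slides 39 and 40 show the Guard answering every unauthenticated SYN with a per-source cookie and admitting a source only once it returns cookie+1. The model below is an added example and not Cisco's implementation; the deck does not say how the Guard derives its cookie, so here it is an HMAC over (source IP, source port, client ISN) truncated to a 32-bit sequence number, which lets the Guard recompute it from the ACK alone and keep no state per SYN (a real SYN-cookie scheme also encodes MSS and a timestamp, which this leaves out). The secret, addresses, ports and sequence numbers are constructed, and the REDIRECT step is reduced to "the first connection ends at the Guard and the client reconnects".

```python
"""Stateless source authentication with SYN cookies, modelled on the Guard's
basic mode on the slides above.

Added example, not Cisco's implementation: the cookie is an HMAC over
(source IP, source port, client ISN), truncated to a 32-bit sequence number,
so no state is allocated per SYN. A source is recorded as authenticated only
when it returns an ACK carrying cookie+1; spoofed sources never receive the
SYN+ACK, so they never complete and nothing of theirs is forwarded. The
secret, addresses, ports and sequence numbers are constructed values.
"""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class CookieGuard:
    def __init__(self, secret):
        self.secret = secret
        self.authenticated = set()  # source IPs whose traffic is passed to the zone

    def cookie(self, src_ip, src_port, seq):
        """Per-source cookie used as the SYN+ACK sequence number. Recomputable
        from the ACK's own fields, so the Guard stores nothing for it."""
        msg = f"{src_ip}|{src_port}|{seq}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, seq):
        """Authenticated source: the SYN goes on to the zone ('forward').
        Otherwise reply SYN+ACK (seq=cookie, ack=seq+1) without creating state."""
        if src_ip in self.authenticated:
            return ("forward", None, None)
        return ("synack", self.cookie(src_ip, src_port, seq), (seq + 1) & MASK32)

    def on_ack(self, src_ip, src_port, seq, ack):
        """Third handshake packet: seq is client ISN+1 and ack must equal
        cookie+1. Valid -> source authenticated; on slide 39 the Guard then
        answers the first request with a REDIRECT so the client reconnects."""
        expected = (self.cookie(src_ip, src_port, (seq - 1) & MASK32) + 1) & MASK32
        if ack != expected:
            return False
        self.authenticated.add(src_ip)
        return True


def scenario():
    g = CookieGuard(b"constructed-demo-secret")
    # Slide 40: five spoofed SYNs. Each gets a cookie SYN+ACK sent to an address
    # that never asked for it, so no ACK ever comes back and no state exists.
    for ip, seq in [("7.0.0.1", 10), ("7.0.0.2", 11), ("10.0.0.1", 12),
                    ("10.0.0.3", 13), ("7.7.7.7", 14)]:
        kind, _, _ = g.on_syn(ip, 40000, seq)
        assert kind == "synack"
    # An ACK whose cookie is wrong (off by one here) is rejected.
    forged_ok = g.on_ack("7.0.0.1", 40000, 11,
                         (g.cookie("7.0.0.1", 40000, 10) + 2) & MASK32)
    # Slide 39: legitimate client 201.2.3.4 answers with cookie+1.
    kind, cookie, ack = g.on_syn("201.2.3.4", 40000, 1000)
    legit_ok = g.on_ack("201.2.3.4", 40000, 1001, (cookie + 1) & MASK32)
    # After the REDIRECT the client opens a new connection; now it is forwarded.
    reconnect, _, _ = g.on_syn("201.2.3.4", 40001, 2000)
    return {"authenticated": sorted(g.authenticated), "legit_ok": legit_ok,
            "forged_ok": forged_ok, "reconnect": reconnect}


if __name__ == "__main__":
    print(scenario())
```

The contrast with the SYN-queue model is the point: five spoofed SYNs leave no entry anywhere, the only record created is the one authenticated address, and the zone behind the Guard sees no packet until a source has proven it can receive the SYN+ACK. Anything that does reach the zone therefore carries a source address that is not spoofed, which is what makes the later per-source dynamic filters meaningful.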

From Basic to Strong: SRC_IP 12.10.8.5 basic -> strong 43

From Basic to Strong: SRC_IP 12.10.8.5 basic -> strong; spoofed traffic vs. legitimate traffic 44

Strong Mode for TCP Services. Client (Source) IP 201.2.3.4 -> Guard -> Zone (Destination) 45
Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x). Guard: Is IP 201.2.3.4 Authenticated? NO. Generate unique cookie for IP 201.2.3.4.
Guard -> Client: SYN ACK + Window=0 (seq=cookie; ack=x+1)
Client -> Guard: ACK (seq=x+1; ack=cookie+1). If the cookie is valid, authenticate IP 201.2.3.4.
Guard -> Zone: SYN (SrcIP=Guard Proxy IP); Zone -> Guard: SYN ACK; Guard -> Zone: ACK
Guard -> Client: Window Update
Client -> Guard: DATA (SrcIP=201.2.3.4); Guard -> Zone: DATA (SrcIP=Guard Proxy IP)
Zone -> Guard: DATA (DstIP=Guard Proxy IP); Guard -> Client: DATA (DstIP=201.2.3.4)

From Strong to Drop: SRC_IP 12.10.8.5 strong -> drop 48

From Strong to Drop: SRC_IP 12.10.8.5 strong -> drop 49

Management Features: Web GUI, CLI and SNMP; at-a-glance operations management; detailed attack data; per-customer summary reports. 50

Hosting & Data Center / Enterprise. (Diagram: ISP A and ISP B uplinks, BGP Neighbor, Internal Network.) 51

Enterprise or Hosting Data Center with Service Modules in Integrated Mode. (Diagram: Catalyst 6K or 7600 with Sup720 or Sup2 w/ MSFC, carrying the Anomaly Guard Module, the Traffic Anomaly Detector Module and the Firewall Service Module; GEnet uplinks to ISP 1 and ISP 2; the Guard/Detector Device Manager receives the Attack Alert; the Guard injects an RHI Route Update to divert the Target's traffic; behind the Catalyst Switch sit the Target Internal Network (Web, Chat, E-mail, etc.) and the DNS Servers.) 52
