Distributed Denial of Service
Vimercate, 17 May 2005
anegroni@cisco.com
Agenda
- PREFACE
- EXAMPLE: TCP
- EXAMPLE: DDoS
- CISCO'S DDoS SOLUTION COMPONENTS
- MODES OF PROTECTION DETAILS
Distributed Denial of Service: PREFACE
What are DDoS Attacks?
Name: DISTRIBUTED DENIAL OF SERVICE
What: DDoS attacks block legitimate users from accessing network resources
How: DDoS attacks block network resources (infrastructure, DNS, mail, web and more)
Where: DDoS attacks enter the network from all directions
When: DDoS attacks happen every day, all over the Internet
Dollar Amount of Losses by Type (chart; figures not recoverable)
Denial of Service Background
TWO VARIANTS:
- LOGICAL: software-related vulnerability (e.g. SMBNUKE)
- FLOODING: exhausts CPU, bandwidth or memory (e.g. SYN FLOOD)
Denial of Service: EXAMPLE: TCP
Normal TCP/IP Connection Initiation
TCP Client -> TCP Server: SYN
TCP Server -> TCP Client: SYN/ACK
TCP Client -> TCP Server: ACK
TCP SYN
The TCP server holds the connection in SYN_RCVD state until timeout. Multiple SYNs open multiple SYN_RCVD entries waiting. This continues until the full memory area allocated for maintaining TCP state is exhausted. Once the memory area is exhausted, the waiting SYN_RCVD entries are FIFOed out of the table.
Because a TCP SYN requires the server to allocate memory, the total amount of available memory becomes a finite resource which can be DoSed.
(Diagram: TCP queue (memory) shown as a table of slots, each either FREE or SYN_RCVD.)
SYN+ACK RTT
Round Trip Time (RTT) is the interval between the sending of the SYN+ACK and the reception of the corresponding ACK from the other host.
(Diagram: TCP Client sends SYN at time 0, TCP Server answers SYN/ACK, then waits for an ACK that may never arrive ("ACK???"). The SYN+ACK RTT is the time it takes between the SYN+ACK and the ACK.)
TCP SYN-Flood
The attacker sends SYNs to the TCP server without ever completing the handshake; each one occupies a SYN_RCVD entry, and as the table fills the oldest entries get pushed out (dropped).
Valid user: SYN, SYN/ACK, ACK, then data? Silence. The valid user gets to the ACK, but the server does not set up the connection: its SYN_RCVD entry has already been pushed out, so there is no SYN_RCVD waiting when the ACK gets back.
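A constructed model of the SYN_RCVD table described on these TCP slides, added here as an example and not part of the original deck: a fixed-capacity FIFO table, a valid user's SYN followed within one RTT by unanswered SYNs from made-up spoofed sources, and the check of whether the valid user's ACK still finds its entry. Addresses, capacities and the scenario are assumptions.

```python
from collections import deque


class TcpSynQueue:
    """Constructed model of a server's table of half-open (SYN_RCVD) connections:
    fixed capacity; when it is full, the oldest SYN_RCVD entry is FIFOed out."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = deque()          # (src_ip, src_port), oldest first

    def on_syn(self, src_ip, src_port):
        # Every SYN costs a table slot whether or not the sender ever answers.
        if len(self.half_open) >= self.capacity:
            self.half_open.popleft()      # memory exhausted: oldest entry dropped
        self.half_open.append((src_ip, src_port))

    def on_ack(self, src_ip, src_port):
        """Final ACK of the handshake; True only if SYN_RCVD state still exists."""
        key = (src_ip, src_port)
        if key in self.half_open:
            self.half_open.remove(key)    # connection established
            return True
        return False                      # no SYN_RCVD waiting when the ACK gets back


def valid_user_connects(capacity, flood_syns_per_rtt):
    """Constructed scenario: the valid user's SYN arrives first; during the one RTT
    its ACK needs to come back, flood_syns_per_rtt SYNs from constructed spoofed
    sources arrive and are never acknowledged. Returns whether the user's ACK succeeds."""
    table = TcpSynQueue(capacity)
    table.on_syn("192.0.2.10", 40000)     # valid user (constructed address)
    for i in range(flood_syns_per_rtt):
        table.on_syn("203.0.113.%d" % (i % 254 + 1), 1024 + i)   # spoofed, no ACK ever
    return table.on_ack("192.0.2.10", 40000)


def smallest_flood_that_evicts(capacity):
    """Smallest number of unanswered SYNs per RTT that pushes the valid user out."""
    n = 0
    while valid_user_connects(capacity, n):
        n += 1
    return n
```

The result equals the table capacity: an attacker only needs one unanswered SYN per table slot per RTT to keep every legitimate SYN_RCVD entry from surviving until its ACK returns.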
Distributed Denial of Service: EXAMPLE: DDoS
How do DDoS Attacks Start?
Innocent PCs and servers turn into zombies.
(Diagram: zombies flooding DNS and email servers.)
Types and Influence of DDoS Attacks
Attack zombies:
- use valid protocols
- spoof the source IP
- are massively distributed
Server-level DDoS attacks (diagram: DNS and email servers as targets)
DDoS Mitigation: CISCO'S DDoS SOLUTION COMPONENTS
DDoS Defense In Action
Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Applications (the target).
1. Detect (Cisco Detector XT)
2. Activate: Auto/Manual
3. Divert only the target's traffic (BGP announcement from the Cisco Guard XT)
DDoS Defense In Action (continued)
4. Identify and filter the malicious traffic (Cisco Guard XT)
5. Forward the legitimate traffic to the zone
6. Non-targeted traffic flows freely
Cisco DDoS Solution: Appliances and Service Modules
DDoS Mitigation: Cisco Guard XT 5650 / Cisco Anomaly Guard Module
- Attack ANALYSIS AND MITIGATION
- Diverts traffic flows for ON-DEMAND SCRUBBING
DDoS Detection: Cisco Traffic Anomaly Detector XT 5600 / Cisco Traffic Anomaly Detector Module
- Attack DETECTION to support on-demand, shared scrubbing
- CPE LEARNING for managed service
- Monitors a COPY OF TRAFFIC
Appliances and service modules: maximum deployment flexibility, similar functionality and performance, interoperable for mixed deployments.
Key Solution Benefits
Detects and mitigates DDoS attacks
- Dynamically identifies and blocks malicious attack traffic
- Ensures infrastructure stability and business continuity
- Ensures legitimate users get access to network resources
Not on the critical path or inline
- Has minimal impact on routers, switches and infrastructure
High scalability and performance
- Multi-gigabit performance
- Optional clustering
High Performance and Capacity
- 1 MPPS+ for most attacks, good and bad traffic, typical features
- CLUSTERING TO 8 GUARDS for a single protected host
- Capacity: 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector)
- Latency or jitter: < 1 MSEC
DDoS Mitigation: MODES OF PROTECTION DETAILS
Measured Response: Modes of Protection
CISCO DETECTOR
- Learning: periodic observation of patterns to update baseline profiles
- Detection: passive monitoring of a copy of traffic -> Attack Detected
CISCO GUARD
- Analysis: diversion for more granular in-line analysis; flex filters, static and bypass filters in operation; all flows forwarded but analyzed for anomalies -> Anomaly Identified
- Basic Protection: basic anti-spoofing applied; analysis for continuing anomalies -> Anomaly Verified
- Strong Protection: strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources
Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Legitimate + attack traffic to the target passes through:
- Dynamic & Static Filters: dynamically insert specific filters to block attack flows & sources
- Active Verification: apply anti-spoofing to block malicious flows
- Statistical Analysis and Layer 7 Analysis: detect anomalous behavior & identify precise attack flows and sources
- Rate Limiting: apply rate limits
Only legitimate traffic reaches the target.
From Analysis to Basic
(Diagram: statistical inspection of traffic from SRC_IP 12.10.8.5; a to-user-filter moves the source into basic mode, where its legitimate traffic is separated from spoofed traffic and a rate limit is applied.)
Basic/Redirect for HTTP Services
Participants: Client (Source, IP 201.2.3.4), Guard, Zone (Destination, www.cisco.com)
1. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x)
2. Guard: Is source IP 201.2.3.4 authenticated? NO. Generate a unique cookie for IP 201.2.3.4.
3. Guard -> Client: SYN/ACK (seq=cookie; ack=x+1)
4. Client -> Guard: ACK (seq=x+1; ack=cookie+1). If the cookie is valid, authenticate IP 201.2.3.4.
5. Client -> Guard: GET http://www.cisco.com
6. Guard -> Client: REDIRECT (tells the client to refresh the session and the HTTP request), then FIN
7. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=y). Guard: Is source IP 201.2.3.4 authenticated? YES.
8. Guard -> Zone: SYN (seq=y)
9. Zone -> Client: SYN/ACK (seq=z; ack=y+1)
10. Client -> Zone: ACK (seq=y+1; ack=z+1), GET http://www.cisco.com
11. Zone -> Client: DATA
Spoofed Attack Example
Participants: Client (Source, attacker at IP 201.2.3.10), Guard, Zone (Destination)
The attacker sends SYNs to port 80 with spoofed source addresses:
- SYN (SrcIP=7.0.0.1; seq=x; Port=80)
- SYN (SrcIP=7.0.0.2; seq=y; Port=80)
- SYN (SrcIP=10.0.0.1; seq=z; Port=80)
- SYN (SrcIP=10.0.0.3; seq=a; Port=80)
- SYN (SrcIP=7.7.7.7; seq=b; Port=80)
For each one the Guard asks: Is source IP 7.0.0.1 / 7.0.0.2 / 10.0.0.1 / 10.0.0.3 / 7.7.7.7 authenticated? NO. It generates a unique cookie for each IP and answers:
- SYN/ACK (seq=cookie; ack=x+1) to 7.0.0.1
- SYN/ACK (seq=cookie; ack=y+1) to 7.0.0.2
- SYN/ACK (seq=cookie; ack=z+1) to 10.0.0.1
- SYN/ACK (seq=cookie; ack=a+1) to 10.0.0.3
- SYN/ACK (seq=cookie; ack=b+1) to 7.7.7.7
Nothing is forwarded to the Zone (Destination).
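Added example covering the two slides above (the HTTP basic/redirect exchange and the spoofed-source case); this is a constructed model, not the Guard's own code. The cookie derivation (an HMAC over the source IP, a secret and a time bucket) is an assumption, since the slides only say the cookie is unique per IP; the secret, addresses and sequence numbers are made up.

```python
import hashlib
import hmac
import time

class GuardBasicMode:
    """Constructed model of the Guard's basic anti-spoofing for HTTP: an unknown
    source gets a SYN/ACK whose sequence number is a per-IP cookie; only a host
    that really received that SYN/ACK can answer with ack=cookie+1."""

    def __init__(self, secret, window=60, clock=time.time):
        self.secret = secret              # constructed shared secret (assumption)
        self.window = window              # seconds a cookie stays valid
        self.clock = clock
        self.authenticated = set()        # source IPs that completed the exchange

    def cookie_for(self, src_ip):
        # Stateless: recomputed from IP + secret + time bucket, so spoofed SYNs
        # leave no per-connection state behind (unlike a server's SYN_RCVD table).
        bucket = int(self.clock() // self.window)
        mac = hmac.new(self.secret, f"{src_ip}|{bucket}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def on_syn(self, src_ip, seq):
        if src_ip in self.authenticated:
            return "forward", None        # known-good source: SYN goes to the zone
        return "synack", {"seq": self.cookie_for(src_ip), "ack": seq + 1}

    def on_ack(self, src_ip, ack):
        if (ack - 1) & 0xFFFFFFFF == self.cookie_for(src_ip):
            self.authenticated.add(src_ip)
            return "authenticated"
        return "drop"                     # forged or stale cookie

    def on_http_get(self, src_ip, on_guard_session):
        # A GET on the Guard-answered connection gets a REDIRECT so the client
        # refreshes; its next SYN, now from an authenticated IP, is forwarded.
        if src_ip not in self.authenticated:
            return "drop"
        return "redirect" if on_guard_session else "forward"

def walk_client(guard, src_ip, seq, spoofed=False):
    """Constructed walk-through of one source: a spoofed source never sees the
    SYN/ACK, so the exchange stops after the Guard's reply."""
    trace = []
    action, synack = guard.on_syn(src_ip, seq)
    trace.append(action)
    if action == "synack" and not spoofed:
        trace.append(guard.on_ack(src_ip, synack["seq"] + 1))   # ack = cookie + 1
        trace.append(guard.on_http_get(src_ip, on_guard_session=True))
        trace.append(guard.on_syn(src_ip, seq + 100)[0])        # client refreshes
    return trace
```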
From Basic to Strong
(Diagram: SRC_IP 12.10.8.5 is escalated from basic to strong protection; its spoofed traffic is separated from its legitimate traffic.)
Strong Mode for TCP Services
Participants: Client (Source, IP 201.2.3.4), Guard, Zone (Destination)
1. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x)
2. Guard: Is IP 201.2.3.4 authenticated? NO. Generate a unique cookie for IP 201.2.3.4.
3. Guard -> Client: SYN/ACK + Window=0 (seq=cookie; ack=x+1)
4. Client -> Guard: ACK (seq=x+1; ack=cookie+1). If the cookie is valid, authenticate IP 201.2.3.4.
5. Guard -> Zone: SYN (SrcIP=Guard Proxy IP); Zone -> Guard: SYN/ACK; Guard -> Zone: ACK
6. Guard -> Client: Window Update
7. Client -> Guard: DATA (SrcIP=201.2.3.4); Guard -> Zone: DATA (SrcIP=Guard Proxy IP)
8. Zone -> Guard: DATA (DstIP=Guard Proxy IP); Guard -> Client: DATA (DstIP=201.2.3.4)
From Strong to Drop
(Diagram: SRC_IP 12.10.8.5 is escalated from strong protection to drop.)
Management Features
- Web GUI, CLI and SNMP
- At-a-glance operations management
- Detailed attack data
- Per-customer summary reports
Hosting & Data Center / Enterprise
(Topology diagram: ISP A and ISP B, Internal Network, BGP Neighbor.)
Enterprise or Hosting Data Center with Service Modules in Integrated Mode
(Topology diagram: ISP 1 and ISP 2 connect to a Catalyst 6K or 7600 with Sup720 or Sup2 w/ MSFC and GEnet; Anomaly Guard Module (RHI route update), Traffic Anomaly Detector Module (attack alert to the Guard/Detector Device Manager), Firewall Service Module; Catalyst switch to the Internal Network: Web, chat, e-mail, etc. and DNS servers (the target).)