Cisco DDoS Solution: Clean Pipes Architecture
Michal Remper, systems engineer, mremper@cisco.com
2008 Cisco Systems, Inc. All rights reserved.

(Title diagram, Clean Pipes architecture: traffic passes through Dynamic & Static Filters, Active Verification, Statistical Analysis, Layer 7 Analysis, Behavioral Anomaly Engine and Rate Limiting. Labels: dynamic filters block attack sources; anti-spoofing blocks spoofed packets; rate limits; legitimate traffic passes through.)

Denial of Service Attacks: DoS and DDoS
- DoS attacks are meant to deny access to authorized users and consume enterprise resources: bandwidth, CPU, memory blocks
- The hacker can utilize compromised PCs/servers that become Zombies or Bots to launch the attack (DDoS)
(Diagram: attack traffic converging on web servers.)

Distributed Denial of Service (DDoS): Multiple Threats and Targets
Attack zombies:
- Use valid protocols
- Spoof source IP
- Massively distributed
- Variety of attacks
Targets (diagram): POP, peering point, ISP backbone; provider infrastructure (DNS, routers, and links); access line; attacked server; entire data center (servers, security devices, routers); e-commerce, Web, DNS, e-mail

Why traditional mechanisms are not enough!
Firewalls:
- FW based on static policy enforcement; most DDoS attacks today use approved traffic that bypasses the firewall
- Lack of anomaly detection
- Lack of anti-spoofing capabilities to separate good from bad traffic
IDS:
- Optimized for signature-based application-layer detection; the most sophisticated DDoS attacks are characterized by anomalous behavior in layers 3 and 4
- Cannot easily detect DDoS attacks using valid packets
- Requires extensive manual tuning

TCP SYN Flood Attack Vector
With the TCP SYN flood the attacker is hoping to:
- Fill and overflow the TCP server's queue (memory) so that the oldest SYN_RCVD entries are flushed.
- Fill the TCP queue faster than the typical SYN+ACK RTT so that valid customer entries are crowded out.

TCP SYN Flood: Pushing out the Old Entries
(Diagram: the attacker's SYNs fill the server's TCP table faster than it can FIFO out; each new SYN pushes out the oldest entry, which is dropped.)

TCP SYN Flood: the SYN Gets Pushed Out
(Diagram: attacker, valid user, TCP server. The valid user's SYN is answered with a SYN/ACK, but its SYN_RCVD entry is pushed out and dropped before the user's ACK returns: there is nothing waiting when the ACK gets back, so the server does not set up the connection and the user's ACK and data are met with silence.)

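The crowding-out effect on the three SYN flood slides can be reproduced with a small model. This is an added example, not Cisco's code or material from the deck: it treats the server's SYN_RCVD table as a fixed-size FIFO and asks whether a legitimate client's entry survives one SYN+ACK round trip; the queue size, rates and RTT are constructed values.

```python
from collections import deque

# Constructed model (not Cisco code) of a server's half-open SYN_RCVD table as a
# fixed-size FIFO, as the slides describe: when a SYN arrives and the table is
# full, the oldest entry is flushed. All numbers are illustrative.

def simulate_syn_flood(queue_size, attack_pps, rtt_ms):
    """Return True if a legitimate client's entry survives until its ACK arrives.

    The legitimate client sends its SYN at t=0 ms; the ACK that completes the
    handshake arrives rtt_ms later (one SYN+ACK round trip). Meanwhile the
    attacker injects attack_pps // 1000 spoofed SYNs per millisecond, none of
    which is ever acknowledged, so each stays in the table until pushed out.
    """
    table = deque()            # oldest SYN_RCVD entry at the left
    per_ms = attack_pps // 1000
    table.append("legit")
    for t in range(rtt_ms):    # attack SYNs arriving before the legit ACK
        for i in range(per_ms):
            table.append(("atk", t, i))
            if len(table) > queue_size:
                table.popleft()    # oldest entry pushed out (dropped)
    # At t = rtt_ms the ACK arrives; it only helps if the entry is still there.
    return "legit" in table

def crowd_out_rate_pps(queue_size, rtt_ms):
    """Smallest attack rate (in this whole-packets-per-ms model) at which a
    legitimate entry is pushed out before its ACK returns."""
    per_ms = -(-queue_size // rtt_ms)      # ceiling division
    return per_ms * 1000

if __name__ == "__main__":
    for rtt in (100, 300):
        ok = simulate_syn_flood(1024, 5000, rtt)
        print("queue 1024, 5000 SYN/s, RTT %d ms: legit %s" % (rtt, "connects" if ok else "dropped"))
    print("rate needed at 300 ms RTT: %d pps" % crowd_out_rate_pps(1024, 300))
```

Note how the same attack rate succeeds or fails purely on the client's RTT, which is why the slide names the SYN+ACK RTT as the second dimension of the attack.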
Principles for Complete DDoS Protection
A complete solution:
- Detects and mitigates the effects of an attack
- Distinguishes good traffic from bad
- Protects all points of vulnerability
- Provides reliable and cost-effective scalability

Riverhead: Basic Concepts
1. Detection
2. Diversion of the victim's traffic
3. Sieve out malicious traffic
4. Legitimate traffic continues on its route
(Diagram: router R diverts victim traffic; malicious packets are removed and clean victim traffic continues; a database stores the attack data.)

Cisco DDoS Solution
(Diagram: Cisco Detector XT and Cisco Guard XT in front of Protected Zone 1: Web, Protected Zone 2: Name Servers, and Protected Zone 3: E-Commerce Application; the target is one of the zones.)
1. Detect (Cisco Detector XT)
2. Activate the Guard: auto/manual
3. Divert only the target's traffic (BGP announcement from the Cisco Guard XT)
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely

Detection Process
1. Attack launched: dirty traffic enters at the peering edge
2. Detection option 1: the Detector detects the anomaly based on SPAN traffic
3. The Detector activates the Guard and synchronizes the zone config (Guard activation via SSH, SSL, BGP from the Detector)
(Diagram: Peering Edge, Provider Edge with the Cisco Guard, Customer Edge with the Detector receiving SPAN traffic.)

Mitigation Process
4. The Guard sends out a BGP announcement for traffic diversion
5. All traffic gets diverted to the Guard
6. The Guard scrubs the dirty traffic
7. Clean traffic is injected back into the data path
8. The Guard continuously monitors traffic
(Diagram: Peering Edge, Provider Edge with the Cisco Guard, Customer Edge with the Detector on SPAN traffic; dirty traffic in, cleaned traffic out; Guard activation via SSH, SSL, BGP from the Detector.)

Cisco DDoS Solution: Appliances and Service Modules
DDoS appliances: Cisco Guard XT 5650, Cisco Traffic Anomaly Detector XT 5600
- 1 Gbps performance
- IBM x345/x346 server platform
- 2 GE fiber interfaces; 10/100/GE copper management
- 2U rack mount, single/dual power supply
- Dual RAID hard drive; 2 GB DDRAM
- 1 Broadcom SiByte network processor
DDoS service modules: Cisco Anomaly Guard Module, Cisco Traffic Anomaly Detector Module
- 1 Gbps or 3/2 Gbps performance (AGM cluster: 10 Gbps+ performance!!!)
- Single-slot service module; no external interfaces, uses line card or supervisor interfaces
- Cat6k IOS support: 12.2(18)SXD3; 7600 IOS support: 12.2(18)SXE & 12.2(33)SRA/SRB
- 3 Broadcom SiByte network processors; multiple AGMs per chassis

High Performance and Capacity
- 1 MPPS+ for most attacks, good and bad traffic, typical features
- 150K dynamic filters for zombie attacks
- Clustering to 8 Guards (24 Gbps cluster performance) for a single protected host
- Capacity: 30 concurrently protected zones (90 for the Detector) and 500 total
- 1.5 million concurrent connections
- Latency or jitter: < 1 msec
- 3 Gig Guard module / 2 Gig Detector module

Deploying the Cisco DDoS Defense Solution in Service Provider Networks
(Diagram: Cisco Guard XT units at the peering point and in the ISP backbone, Cisco Detectors at the peering ASes and a Cisco Guard XT with Detector in the enterprise AS in front of the web server, DNS servers and attacked server. Traffic for the targeted device is diverted through a Guard and the clean traffic is returned through the Guard.)

Deploying the Cisco DDoS Defense Solution in Enterprise Networks
(Diagram: dual-homed enterprise with ISP 1 and ISP 2 behind Cisco IOS routers; Cisco Guard XT and Cisco Anomaly Detector XT at the edge, Cisco PIX Security Appliance, Cisco Catalyst switch with GE links to the internal network; a second Guard XT and Anomaly Detector XT protect the Web, DNS and e-mail servers, including the attacked server.)

Detection: Proactively Looking for Traffic Anomalies
(Diagram: the protection cycle Detect, Divert, Mitigate, Inject, Defend.)

Detection: What is Detection?
- Building a baseline (a previously collected profile or a reference point) is essential to look for the existence of attacks
- Anomaly/misuse: an event or condition of the network characterized by a statistical abnormality from the baseline
- On detection of an anomaly or a misuse, the next step is to notify device(s) capable of analyzing the traffic and looking for the presence of an attack: the Cisco Guard, via an out-of-band network

Ways to Detect and Classify DoS Attacks (from slow & manual to targeted/scalable)
- Customer call
- SNMP: line/CPU overload
- NetFlow: counting flows
- ACLs with logging
- Backscatter
- Cisco Detector and Guard
- Narus Insight Security Suite
(The Clean Pipes focus is on the last two.)

Threat Types that can be detected
- Legitimate use & misuse of control traffic (e.g. ICMP, TCP FINs etc.)
- Data plane traffic (e.g. ftp, http traffic) within reasonable limits of the baseline, and its anomalies
Bandwidth consumption attacks:
- Spoofed & non-spoofed flood attacks: TCP flag (SYN, SYN-ACK, ACK, FIN), ICMP, UDP. Examples: SYN flood, Smurf, LAND, UDP flood
- Zombie/botnet attacks: each zombie or bot source opens multiple TCP connections; each zombie or bot source opens multiple TCP sessions & issues repetitive HTTP requests
- DNS attacks: DNS request flood
Resource starvation attacks:
- Packet size attacks: fragmented packets, large packets. Examples: Teardrop, Ping-of-Death
- Low-rate zombie/botnet attacks: similar to bandwidth consumption attacks except that each attack source sends multiple requests at a low rate
- DNS attacks: DNS recursive lookup

Traffic Anomaly Detector

Cisco Detector: What is it?
- The Traffic Anomaly Detector is a Cisco Systems detection and protection activation component
- The Detector is designed to work alongside the Cisco Guard; however, it can operate independently as a DDoS detection and alarm component
- Monitors every packet by using port mirroring or by using an optical splitter
- Continuously monitors traffic and closely remains tuned to zone traffic characteristics for evolving traffic patterns

Cisco Detector: How does it work?
- An algorithm-based learning system that learns zone traffic, adapts itself to its particular characteristics and supports the Detector's detection mechanisms with references and instructions in the form of thresholds and policies
- A system that either records the traffic abnormalities in the Detector syslog or remotely activates Cisco Guard(s) to initiate protection over the zone(s)
- Integrating these components enables the Detector to assume its detection role while unobtrusively staying in the background

What is a Zone?
- A Zone is a network element (a server, servers or a network) that is continuously monitored for DDoS attacks
- Various Zones can be monitored simultaneously as long as their network address ranges do not overlap
- Once an attack has been identified, the Detector can activate a remote Guard automatically or send a notification which allows for manual activation; user configurable on a zone-by-zone basis

Cisco Detector Learning System
Two-phase process: construct policies, tune thresholds
- Construct policies: discovers the services the zone uses. The policy templates provide the rules that are used to construct the policies
- Tune thresholds: tunes to the zone traffic to establish policy thresholds whose violation would cause the policies to launch an action
- It is recommended to be in learning mode for at least 24 hours

Detect Mode
- After the learning phase is complete the zone is put into detect mode and begins applying its policies
- The detection policies begin to detect abnormal or malicious traffic in the form of a threshold violation
- A violation will trigger the policy to construct a set of dynamic filters
- The dynamic filter either records the event in syslog or remotely activates a Cisco Guard for DDoS mitigation
- After the traffic analysis the Detector drops the mirrored or split zone traffic

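The two learning phases and the detect-mode action on these slides, as an added illustration that is not Cisco's code: policies are constructed per service seen in the zone, thresholds are tuned from the learned rates, and a violation in detect mode yields a dynamic filter whose action is syslog or Guard activation. The flow-record format, the threshold rule (highest learned rate times a margin) and the traffic figures are assumptions.

```python
from collections import defaultdict

# Constructed model of the Detector's two-phase learning system and detect mode
# described on the preceding slides. Not Cisco code: the flow-record format and
# the threshold rule (highest learned rate times a margin) are assumptions.
LEARN_MIN_HOURS = 24   # slide: stay in learning mode for at least 24 hours

class ZoneDetector:
    def __init__(self, zone, action="syslog"):
        self.zone = zone
        self.action = action              # "syslog" or "activate-guard", per zone
        self.samples = defaultdict(list)  # (proto, dst_port) -> learned pps values
        self.policies = {}                # (proto, dst_port) -> threshold pps
        self.hours_learned = 0
        self.mode = "learning"
        self.dynamic_filters = []

    def learn(self, hourly_flows):
        """Phase 1, construct policies: every service seen in the zone's traffic
        gets a policy keyed by (proto, dst_port); rates are kept for tuning."""
        for proto, port, pps in hourly_flows:
            self.samples[(proto, port)].append(pps)
        self.hours_learned += 1

    def tune_thresholds(self, margin=1.5):
        """Phase 2, tune thresholds: derive each policy's threshold from the
        zone's own traffic, then switch the zone to detect mode."""
        if self.hours_learned < LEARN_MIN_HOURS:
            raise ValueError("learn for at least %d hours" % LEARN_MIN_HOURS)
        for svc, rates in self.samples.items():
            self.policies[svc] = max(rates) * margin
        self.mode = "detect"

    def detect(self, proto, port, pps):
        """Detect mode: a threshold violation constructs a dynamic filter whose
        action is a syslog record or remote Guard activation. Returns None when
        the observed rate is within policy."""
        if self.mode != "detect":
            raise RuntimeError("zone %s is still learning" % self.zone)
        # Assumption: a service never seen during learning has threshold 0, so
        # any traffic to it is reported as an anomaly.
        threshold = self.policies.get((proto, port), 0.0)
        if pps <= threshold:
            return None
        dyn = {"zone": self.zone, "match": (proto, port), "observed_pps": pps,
               "threshold_pps": threshold, "action": self.action}
        self.dynamic_filters.append(dyn)
        return dyn

def run_demo():
    det = ZoneDetector("web-farm", action="activate-guard")
    # 24 constructed hours of normal traffic: HTTP 800-1000 pps, DNS 100-120 pps
    for h in range(24):
        det.learn([("tcp", 80, 800 + (h % 5) * 50), ("udp", 53, 100 + (h % 3) * 10)])
    det.tune_thresholds()
    return {
        "http_threshold": det.policies[("tcp", 80)],
        "normal_http": det.detect("tcp", 80, 950),
        "http_flood": det.detect("tcp", 80, 12000),
        "unlearned_service": det.detect("udp", 1434, 40),
    }
```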
Detector Filter and Module System
(Diagram: server farm zone under detection, the Detector, and a syslog server receiving its events.)

Partner Detection Solutions: Arbor Solution Components
- Peakflow DoS Controller: aggregates and correlates attack data; central user interface; 2 RU rack height
- Gathers and analyzes traffic data; configured for NetFlow (OC48+); 2 RU rack height
- DC power and NEBS available

Partner Detection Solutions: NarusInsight Secure Suite (NSS) Overview, Collection Layer
High Speed Analyzers (HSA):
- Passive probes (Dell PowerEdge or IBM BladeCenter)
- Collect Layer 3 to Layer 7 data directly off network links; no impact to network performance
- Supported interface speeds include 10/100BT, GigE, 10GigE, OC3, OC12, OC48, OC192
- Supported variety of Layer-7 applications: VoIP (SIP, H.323, MGCP, RTP, RTCP), Skype, P2P (Gnutella, BitTorrent, Kazaa, eDonkey, etc.), HTTP, SMTP, FTP, DNS, messaging (IM, MMS), etc.
Virtual Analyzers (VA):
- Software agents
- Collect Layer-4 flow records (NetFlow/cflowd), routing information (BGP) and network/security events (IDS, IPS, NAT, firewalls via SNMP traps, syslogs and NetFlow v9) directly from network elements
- Eliminates the additional cost of implementing probes
Key differentiators:
- Collection and normalization of data from various sources: data is normalized for further processing (Narus Vectors)
- Dynamic zoom-in/zoom-out collection in real time: from NetFlow into full packet capture as requested

Control Layer: Cisco Guard Mitigation
- NSS offers an option for mitigation via the Cisco Guard
- Potentially malicious traffic will be diverted to the Guard for scrubbing, using BGP
- NSS has an awareness of router topology, zones and Guards
- Zones can be added, removed and edited via NSS
- The Guard is limited to 500 zones with 30 actively protected
- Actions will be suggested for a detected threat
- Actions/zones can be coalesced to stay within limits
- Associations between the alert and the actions can be monitored
- Actions can also be applied manually
- Actions are applied using SSH + Expect

Cleaning/Scrubbing: Mitigation

Cisco Guard Overview
- Mitigates DDoS attacks sourced from the Internet against destinations such as web servers, DNS servers, email servers, firewalls, and other network infrastructure
- Anomaly-based mitigation: learns normal traffic behaviors, begins protection when unexpected patterns are detected. Advantage: can mitigate previously unknown attacks
- Goal: filter out malicious traffic, pass all the legitimate traffic
- Protects on a per-destination-zone basis; zone = an IP address, a group of IPs, or a subnet
- Not an inline device: on-demand scrubbing. Only traffic destined to a zone under attack is diverted for scrubbing; traffic for other destinations remains on the same forwarding path
- Two product variants: Guard appliance and Guard module for 7600/CAT6K

Guard Multi-Verification Process (MVP) Architecture
(Diagram: legitimate + attack traffic to the target passes through Dynamic & Static Filters, Active Verification, Statistical Analysis, Layer 7 Analysis and Rate Limiting; only legitimate traffic leaves.)
- Apply anti-spoofing to block malicious flows
- Dynamically insert specific filters to block attack flows & sources
- Detect anomalous behavior & identify precise attack flows and sources
- Apply rate limits

Intelligent Countermeasures
Benefits: accuracy, maximized performance, maximum transparency, automated response
Escalating levels of response:
- LEARNING: periodic observation of patterns to automatically update baseline profiles
- DETECTION: passive copy of traffic monitoring (next level when an attack is detected)
- ANALYSIS: diversion for more granular inline analysis; flex filters, dynamic filters, and bypass in operation; all flows forwarded but analyzed for anomalies (next level when the anomaly is verified)
- BASIC PROTECTION: basic anti-spoofing applied; analysis for continuing anomalies (next level when the anomaly sources are identified)
- STRONG PROTECTION: strong anti-spoofing (proxy) if needed; dynamic filtering of zombie sources

Guard: Anti-Spoofing Overview

What is Anti-Spoofing?
- Spoofing: sending IP traffic using a bogus source IP address
- Anti-spoofing: a mechanism that identifies and distinguishes between real and spoofed IP sources
- Spoofed attacks are easy to generate
- Spoofed traffic can hide the source of the attack

Anti-Spoofing in the Guard
- Anti-spoofing operates in the Basic and Strong protection levels
- Anti-spoofing categorizes source IP addresses as authenticated or non-authenticated
- Spoofed traffic is dropped and is not forwarded to the victim
- Spoofed traffic is not counted for threshold calculation

Types of Anti-Spoofing Traffic
- Anti-spoofing functions for the following protocols: TCP traffic; DNS (UDP/TCP) traffic
- But there is also anti-spoofing by association: a source IP will become authenticated when sending traffic using other protocols if it was authenticated in parallel or beforehand by the active anti-spoofing mechanisms

User-Filters Overview: Just Basic Algorithms :o)

Basic/Redirect for HTTP Services
(Sequence diagram between the client (source), the Guard and the zone (destination):)
1. Client (IP 201.2.3.4) sends SYN (SrcIP=201.2.3.4; seq=x) for http://www.cisco.com
2. Guard: Is source IP 201.2.3.4 authenticated? NO. Generate a unique cookie for IP 201.2.3.4 and answer SYN/ACK (seq=cookie; ack=x+1)
3. Client sends ACK (seq=x+1; ack=cookie+1). If the cookie is valid, the Guard authenticates IP 201.2.3.4
4. Client sends GET (http://www.cisco.com). Guard answers REDIRECT, telling the client to refresh the session and the HTTP request, then FIN
5. Client sends a new SYN (SrcIP=201.2.3.4; seq=y). Guard: Is source IP 201.2.3.4 authenticated? YES, so the SYN is forwarded to the zone
6. Zone answers SYN/ACK (seq=z; ack=y+1); client ACK (seq=y+1; ack=z+1) is passed through; client GET (http://www.cisco.com) is passed through and the zone returns DATA

Spoofed Attack Example
(Sequence diagram: the client at IP 201.2.3.10 sends SYNs with spoofed sources toward port 80; the Guard challenges each one and nothing reaches the zone (destination).)
- SYN (SrcIP=7.0.0.1; seq=x; Port=80): Is source IP 7.0.0.1 authenticated? NO. Generate a unique cookie for IP 7.0.0.1; SYN/ACK (seq=cookie; ack=x+1)
- SYN (SrcIP=7.0.0.2; seq=y; Port=80): Is source IP 7.0.0.2 authenticated? NO. Generate a unique cookie for IP 7.0.0.2; SYN/ACK (seq=cookie; ack=y+1)
- SYN (SrcIP=10.0.0.1; seq=z; Port=80): Is source IP 10.0.0.1 authenticated? NO. Generate a unique cookie for IP 10.0.0.1; SYN/ACK (seq=cookie; ack=z+1)
- SYN (SrcIP=10.0.0.3; seq=a; Port=80): Is source IP 10.0.0.3 authenticated? NO. Generate a unique cookie for IP 10.0.0.3; SYN/ACK (seq=cookie; ack=a+1)
- SYN (SrcIP=7.7.7.7; seq=b; Port=80): Is source IP 7.7.7.7 authenticated? NO. Generate a unique cookie for IP 7.7.7.7; SYN/ACK (seq=cookie; ack=b+1)

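The cookie handshake on the two preceding slides, together with the anti-spoofing-by-association rule from the "Types of Anti-Spoofing Traffic" slide, modelled as an added example (not Cisco's code): the Guard answers every SYN from an unknown source with a SYN/ACK carrying a cookie, authenticates a source only when the ACK echoes cookie+1, redirects the first request so the real session is set up with the zone, and thereafter passes any protocol from that source. The cookie construction (an HMAC over the source IP with a hypothetical per-Guard secret) and the packet record format are assumptions; the addresses are the ones on the slides.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed model of the Guard's TCP anti-spoofing handshake from the two
# preceding slides. Not Cisco code: the cookie is an HMAC over the source IP
# keyed with a hypothetical per-Guard secret, and packets are plain records.
SECRET = b"hypothetical-guard-secret"

@dataclass
class Packet:
    src_ip: str
    proto: str       # "tcp" or "udp"
    flags: str = ""  # "SYN", "SYN-ACK", "ACK", "DATA" (the GET), "REDIRECT"
    seq: int = 0
    ack: int = 0

class AntiSpoofGuard:
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.authenticated = set()     # sources that completed the cookie handshake
        self.awaiting_redirect = set()
        self.to_zone = []              # packets actually forwarded to the zone
        self.to_client = []            # SYN-ACK / REDIRECT the Guard answers itself

    def cookie(self, src_ip):
        # 32-bit value bound to the source IP; a spoofed source never sees it
        mac = hmac.new(self.secret, src_ip.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, pkt):
        if pkt.src_ip in self.awaiting_redirect and pkt.flags == "DATA":
            # First request on the proxied connection: REDIRECT so the client retries
            self.awaiting_redirect.discard(pkt.src_ip)
            self.to_client.append(Packet(pkt.src_ip, "tcp", "REDIRECT"))
            return "redirect"
        if pkt.src_ip in self.authenticated:
            self.to_zone.append(pkt)   # by association: any protocol from a verified IP
            return "forward"
        if pkt.proto == "tcp" and pkt.flags == "SYN":
            c = self.cookie(pkt.src_ip)
            self.to_client.append(Packet(pkt.src_ip, "tcp", "SYN-ACK", seq=c, ack=pkt.seq + 1))
            return "challenge"         # the zone sees nothing yet
        if pkt.proto == "tcp" and pkt.flags == "ACK" and pkt.ack == self.cookie(pkt.src_ip) + 1:
            self.authenticated.add(pkt.src_ip)
            self.awaiting_redirect.add(pkt.src_ip)
            return "authenticated"
        return "drop"                  # unverified source: dropped, not counted

def run_scenario():
    g, r = AntiSpoofGuard(), {}
    # Legitimate client 201.2.3.4 (address from the slide) completes the handshake
    r["legit_syn"] = g.handle(Packet("201.2.3.4", "tcp", "SYN", seq=1000))
    synack = g.to_client[-1]
    r["legit_ack"] = g.handle(Packet("201.2.3.4", "tcp", "ACK", seq=1001, ack=synack.seq + 1))
    r["legit_get"] = g.handle(Packet("201.2.3.4", "tcp", "DATA"))
    r["legit_retry"] = g.handle(Packet("201.2.3.4", "tcp", "SYN", seq=2000))
    r["legit_dns"] = g.handle(Packet("201.2.3.4", "udp"))
    # Spoofed flood (addresses from the slide): SYN-ACKs go to hosts that never answer
    for ip in ["7.0.0.1", "7.0.0.2", "10.0.0.1", "10.0.0.3", "7.7.7.7"]:
        g.handle(Packet(ip, "tcp", "SYN", seq=5))
    r["bad_ack"] = g.handle(Packet("7.7.7.7", "tcp", "ACK", ack=g.cookie("7.7.7.7") + 2))
    r["spoofed_authenticated"] = len(g.authenticated - {"201.2.3.4"})
    r["zone_packets"] = len(g.to_zone)
    return r
```

The zone receives only the legitimate client's second SYN and its later UDP query; the five spoofed SYNs never get past the challenge, which is why they are neither forwarded nor counted toward thresholds.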
Deployment Models

Managed Network DDoS Protection
Key Benefits and Capabilities:
- New SP revenue model
- Protection against the saturation of the last-mile bandwidth
- Added insurance for corporations to preserve business continuance
- CPE-based Cisco Detector provides customer-driven activation of the Guard
- NetFlow + Peakflow SP provide SP-driven activation of the Guard
- Subscription or on-demand based protection with the Guard
- Customer attack reports exported from the Guard to SP portals such as Peakflow MS
(Diagram: corporations as the protected customers.)

Managed Hosting DDoS Protection
Key Benefits and Capabilities:
- New revenue model for hosting providers
- Protect critical managed web and application servers
- Detection closest to the assets under attack: the Cisco Detector provides anomaly detection with deep packet inspection
- Mitigation closest to the attack entry point: Guards deployed close to ingress points
- Subscription or on-demand based protection with the Guard

Managed Peering Point DDoS Protection
Key Benefits and Capabilities:
- New SP revenue model
- Downstream ISP receives a DDoS-free wholesale connection
- Maximizes bandwidth for legitimate traffic
- NetFlow + Arbor Peakflow SP provide the network visibility and correlation
- Easy entry point for carriers that already have Infrastructure DDoS protection in place
- Reduces DDoS on the internet
(Diagram: service provider AS 123 with peering edge, SP core, cleaning center and out-of-band management running Arbor Peakflow SP; a wholesale service to downstream ISP AS 234. Flows shown: dirty traffic, cleaned traffic, NetFlow export, Guard activation via SSH.)

Infrastructure DDoS Protection
Key Benefits and Capabilities:
- Protect the infrastructure from DDoS attacks
- Used in conjunction with NFP to mitigate attacks on the data, control, management and services planes
- Reduce directed attacks on vital places in the network (peering points, core routers, provider edges)
- Protect critical servers in the SP data centers like DNS, HTTP, SMTP servers
- Reduce collateral damage upon the network
- Reduce OPEX (bandwidth preservation of expensive trans-oceanic links)
(Diagram: AS 123 with trans-oceanic peering at the peering edge, SP core, SP data centers, cleaning center and out-of-band management running Arbor Peakflow SP; peer AS 234. Flows shown: dirty traffic, cleaned traffic, NetFlow export, Guard activation via SSH.)
