Growing DDoS attacks what have we learned (29. June 2015)

Similar documents
DDoS Protection in Backbone Networks Deployed at Trenka Informatik AG (

DDoS Protection in Backbone Networks

Data Plane Protection. The googles they do nothing.

DDoS Mitigation & Case Study Ministry of Finance

Internet2 DDoS Mitigation Update

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

GÉANT IP Service Description. High Performance IP Services to Support Advanced Research

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

GARR customer triggered blackholing

Inline DDoS Protection versus Scrubbing Center Solutions. Solution Brief

DoS Mitigation Strategies

Denial of Service Protection Standardize Defense or Loose the War

Arbor Optima. Best Current Practices (BCPs) for DDoS Mitigation

Research and Education Networking Ecosystem and NSRC Assistance

GÉANT L3VPN Service Description. Multi-point, VPN services for NRENs

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

Security by BGP 101 Building distributed, BGP-based security system

Network Automation at Oracle+Dyn NANOG on the Road Boston, 14 Sept 2017

Technical White Paper June 2016

Compare Security Analytics Solutions

Network Security Monitoring with Flow Data

Flow-based Traffic Visibility

50+ Incident Response Preparedness Checklist Items.

Introduction to DDoS Attacks

Silverline DDoS Protection. Filip Verlaeckt

CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Cisco Protects Data Center Assets with Network-Based Intrusion Prevention System

A10 DDOS PROTECTION CLOUD

Andrisoft Wanguard. On-premise anti-ddos solution. Carrier-grade DDoS detection and mitigation software. Product Data Sheet Wanguard 6.

Cisco Security Monitoring, Analysis and Response System 4.2

Table of Contents. Cisco How NAT Works

Imma Chargin Mah Lazer

Multihoming Complex Cases & Caveats

NetFlow Basics and Deployment Strategies

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

Illegitimate Source IP Addresses At Internet Exchange Points

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Routing and router security in an operator environment

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

COSC 301 Network Management

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Scrutinizer Flow Analytics

DICE Network Diagnostic Services

Filtering Trends Sorting Through FUD to get Sanity

Barracuda Link Balancer

SANGFOR AD Product Series

Configuring Antivirus Devices

Improving PF's performance and reliability Lessons learned from bashing pf with DDoS attacks and other malicious traffic. By Kajetan Staszkiewicz,

AT&T SD-WAN Network Based service quick start guide

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

Cybersecurity, Cybercrime, Cyberwar, Cyberespionage...

Setup a Professional ISP Using MikroTik and Bandwidth Control in Bridge mode

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Case study: NBA as a Service at GÉANT

FloCon 2017 San Diego, CA January, 2017

UDP-based Amplification Attacks and its Mitigations

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

Have you ever considered what it takes for the operating system (OS) on

Configuring the Westell DSL Modem for EchoLink

2020: Time to Shutdown DDoS?

New Research Challenge: Design for Resiliency. Lixia Zhang UCLA Computer Science Dept

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

Securing Home Networks with SPIN

Nippon-European Cyberdefense-Oriented Multilayer Threat Analysis (NECOMA Project)

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

MPLS-based traffic shunt. Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept. 2003

Flows at Masaryk University Brno

Use Cases. E-Commerce. Enterprise

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

SANGFOR AD Product Series

Croatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP

Network Configuration Example

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

Network Traffic Visibility and Anomaly October 27th, 2016 Dan Ellis

Cyber War Chronicles Stories from the Virtual Trenches

Challenges in Answering Infosec Questions at Scale. Alexander Barsamian John Murphy

N-Partner solution. VPN should be able to do AI and Abnormal Analysis, detect problems and solve them

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

SOTI SUMMER [state of the internet] / security ATTACK SPOTLIGHT

IT Briefing. December 18, 2014 North Decatur Building 4 th Floor Auditorium

TDC DoS Protection Service Description and Special Terms

DOWNLOAD PDF CISCO IRONPORT CONFIGURATION GUIDE

Service Provider View of Cyber Security. July 2017

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

What is an Internet exchange Point (IXP)?

What Makes Corsa Red Armor So Great?

Presentation and Demo: Flow Valuations based on Network-Service Cooperation

Implementing Cisco Network Security (IINS) 3.0

SCP-500. SolarWinds Certified Professional Exam Exam.

Withstanding the Infinite: DDoS Defense in the Terabit Era

Chapter 10: Denial-of-Services

Stakeholders Analysis

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Transcription:

Growing DDoS attacks what have we learned (29. June 2015) Miloš Kukoleča AMRES milos.kukoleca@amres.ac.rs financed by the European Union from the START Danube Region

Network protection Strict network policy Inbound traffic limited set of allowed ports; everything else is discarded Outbound traffic antispoof rules; limited set of blocked ports; everything else is allowed Router control plane is protected Majority of users use proxy service; filtering the malware and phishing content In 2015 we started to liberalize this policy Some customers have open network; they protect themselves 2

Network monitoring Monitoring network using netflow and IPFIX Operators are monitoring traffic on backbone links More links difficult to monitor Alarm trigering mechanisms for links in down state No alarm trigering mechanism for links that hit saturation point Occasional monitoring of netflow data Response time for a particular network anomaly within one working day 3

Previous DDoS attacks AMRES network was used as the source of attacks Usualy DNS and NTP amplifications attacks Receiving external reports about our network involvement Detecting networks anomalies via netflow data AMRES network was the target of small scale DDoS attacks NTP service on routers Web service of particular customers DNS service of particular customers Never a problem for the backbone in volume 4

Detection of DDoS attacks Small scale attacks were usualy detected by: Report from our cutomers Spotting network anomaly in SNMP data Spotting network anomaly in netflow data Detection time is approx. one working day Services were partialy affected 5

Mittigating DDoS attacks Bandwidth used in these DDoS attacks was very limited Solutions applied: Filtering the traffic in our core network Route blackholing on our border routers Parsing the netflow data, obtaining the source IP address used in the attack Finding abuse contacts and sending reports Everything is done manualy Response time after DDoS detection: within 15 mins. 6

Roumors about DDoS attacks Many NRENs were targets of DDoS attacks in 2015. The volumes of attacks was huge From several Gbps to couple of hundreds of Gbps!!! Volumes of attacks were bigger than the link capacities Reports about attacks reached the newspapers Academic networks are very important for the educational system in many countries and the goverments were woried 7

Previous experience No experience with major DDoS attacks AMRES is not a user of GÉANT Firewall on Demand service No DDoS mitigation mechanisms in place World according to AMRES 8

26 th of November 2015 NOC operators noticed larger traffice from one particular customer Nothing to be worried about NOC notified customer and asked to investigate This was just one ticket among 10-20 other tickets Lesson No. 1 : CSIRT engineer should be informed about all network anomalies noticed by NOC team!!! 9

Early stages of attack Several customers complained about slow network access in the evening Low network activities on the links toward those customers No syslog messages related to some errors on our devices However, AMRES core network links were saturated Someone is overflowing our network, but who? Lesson No. 2 : Set up alarm triggering mechanism on all major links!!! After some time, we finaly found the troubling host/customer 10

Link saturation Our external network links are 10G capacity 11

Attack analysis Huge amount of traffic was entering our network Link toward GÉANT was saturated Links toward domestic ISPs were saturated Web server was the target of DDoS attack Attackers used UDP traffic, random source port, destination port 4444 Sample of aggregated netflow logs 12

Solution? No point in blocking the traffic on our end since the volume of incoming traffic exceeds the bandwidht on external links Traffic should be blocked in the neighbouring networks with higher capacities Lesson No. 3 : Keep the good relationship with your neighbouring ISPs!!! 13

DDoS attack volume Graphs provided by GEANT neighbouring ISP 14

Coordination GÉANT reacted quickly and blackholed traffic destined to the targeted web server Firewall on Demand is a great service in these situations Domestic ISPs were little bit slower Our network became operational once again Until the customer decided to change the IP address of a web server The attackers targeted the DNS name of the web server Let s dance again Lesson No. 4 : Maintain the good communication channel with the customer and coordinate actions!!! 15

Final Solution Simply blackholing the traffic isn t the final solution The attack needs to be stopped at the source It is important to notify the networks which are the source of the attack Around 55,000 different IP addresses were involved in this attack Find the abuse contact Find the log lines which prove the attack Send the generic e-mail with the log lines attached Lesson No. 5 : Deploy the solution which will automatically send reports on DDoS attack!!! 16

Reports about DDoS attack We managed to generate reports manualy for all domestic IPs used in this attack Arround 5,000 domestic Ips were involved 10 domestic ISPs were source of attack Each report had: IP adresses involved, matching log lines and request to block this traffic Network admins didn t know what actions to take Eventualy majority patched and cleaned their systems (PCs, NAT routers etc.) 17

End of Attack Attack was active for more than 45 days This happens when CSIRT is unable to send generlic e-mail reports to the networks which are source of attack Buying specialized equipment for dealing with this type od DDoS is not effective Subscription for DDoS protection service might be the good solution 18

Firewall on Demand Service offered by GEANT NRENs have access to a specialized portal Route blackholing can be implemented Firewall filters for particular source and destination addresse can be made Use of BGP flowspec capability on Juniper routers Rules defined on portal are pushed to the GEANT backbone network effectively blocking the unwanted traffic 19

Firewall on Demand 20

Conclusions Have the alarm trigering mechanisms in network monitoring system Keep the good relationships with the neighbouring ISPs Keep the good communication channel with the customers and always coordinate actions Deploy the solution that will automatically generate reports on DDoS attack and send it to respecive abuse contacts Think about DDoS protection services offered by commercial or academic sector 21

Questions & Answers? CS Danube (Cyber Security in Danube Region) project is supported by START Programme within the EU strategy for Danube Region. 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback