© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

Presentation transcript:

Slide 2: DoS Background
What is a Denial of Service attack?
• An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit a lack of infrastructure capacity
• Affects the availability and utility of computing and network resources
• Attacks can be distributed for even more significant effect
• L7 attacks can be time consuming and involve high levels of manual process to ensure live users remain enabled
• The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
• Attacks can be sustained for months

Slide 3: What is Denial of Service?
• The main point: DoS is an outage!
• Slow starvation or volumetric (simple attacks are still hitting the headlines)

Slide 4: DoS vs. DDoS?
• One system is sending the traffic vs. many systems are sending the traffic
• Does it really matter?
• …in what cases?

Slide 5: YouTube

Slide 6: Botnets & C&C Servers
• Botnet (Zombie Army): a collection of Internet-connected programs that perform certain tasks. They can be used to send spam or launch DDoS attacks.
• C&C Servers: a botnet's originator (known as a bot herder or bot master) can control all these compromised programs to send bad traffic to a destination machine.
(Diagram: x2000 compromised hosts; control signal)

Slide 7: Key Considerations For DDoS Protection
• Scalability: how many resources may be brought to bear?
  – Different levels of scale depending on positioning
• Flexibility: what types of attacks may be mitigated and what techniques may be used?
• Specialized resources, expertise and focus: who or what is analyzing the attacks, what resources are available, and who has the responsibility to coordinate the defense?
• What is the full breadth of tools at your disposal?
• Cost: not just monetary, but collateral damage (brand damage)
• Insurance or loss?

Slide 8: Contributing factors (what can you influence?)
• Unpatched Content Management Systems (CMSes)
• Available reflectors (DNS, NTP, SSDP)
  – …with the ability to amplify
• More bandwidth available
• Unpatched embedded devices (version control awareness)
• Misconfigured nodes
• Vulnerable network elements, e.g. CPEs
• Weak security

Slide 9: Reflective attacks
• Attacks where an unwilling intermediary is used to deliver the attack traffic
• The attacker normally sends a packet with a forged (spoofed) source IP address to the intermediary. The forged address is that of the target, so the intermediary delivers its response to the target instead of the attacker.
• Note to audience: think about which protocols can be used for that.

Slide 10: Reflector types
• The ones that are of interest and provide reflections are:
  – DNS
  – NTP
  – SNMP
  – SSDP
  – Other UDP???

Slide 11: What is DNS resolution?
• The process of mapping a name to an address (diagram: com => … if the answer was cached)

Slide 12: What is DNS reflection?
• What happens if an attacker forges the victim's address as its source? …the reflected traffic goes to the target server
• …and what if hundreds of misconfigured open DNS resolvers are used?

Slide 13: What is an amplification attack?
• An asymmetric attack where the response is much larger than the original query

Slide 14: Amplification types
• The ones that are of interest and provide reflections are:
  – DNS
  – NTP
  – SNMP
  – SSDP
  – What else?

Slide 15: Reflection and Amplification
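To make the asymmetry described on slides 13 and 14 measurable, here is an added Python example (not from the deck and not A10 code) that scores services from flow records: it pairs requests with responses per service and reports the bandwidth and packet amplification factors, which is what a defender uses to find abusable DNS, NTP, SSDP or SNMP reflectors in their own address space. The flow records, addresses and the "lower port is the service side" heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the deck): (src, sport, dst, dport, bytes, packets).
# 198.51.100.7 is the address an attacker spoofed, so it receives every response.
FLOWS = [
    ("198.51.100.7", 40000, "203.0.113.53", 53, 64, 1),          # DNS query
    ("203.0.113.53", 53, "198.51.100.7", 40000, 3200, 3),        # large DNS answer
    ("198.51.100.7", 40001, "203.0.113.123", 123, 234, 1),       # NTP monlist request
    ("203.0.113.123", 123, "198.51.100.7", 40001, 48000, 100),   # monlist response
    ("198.51.100.7", 40002, "203.0.113.19", 1900, 90, 1),        # SSDP M-SEARCH
    ("203.0.113.19", 1900, "198.51.100.7", 40002, 2700, 9),      # SSDP responses
    ("198.51.100.7", 40003, "203.0.113.161", 161, 60, 1),        # SNMP GetBulk
    ("203.0.113.161", 161, "198.51.100.7", 40003, 1500, 1),      # SNMP response
    ("198.51.100.9", 40010, "203.0.113.80", 80, 500, 5),         # ordinary web traffic
    ("203.0.113.80", 80, "198.51.100.9", 40010, 600, 5),
]

def reflection_stats(flows):
    """Bytes/packets per (service_ip, service_port) in each direction.
    Heuristic: the endpoint with the lower port number is the service side."""
    stats = defaultdict(lambda: {"req_bytes": 0, "req_pkts": 0, "resp_bytes": 0,
                                 "resp_pkts": 0, "clients": set()})
    for src, sport, dst, dport, nbytes, npkts in flows:
        if dport <= sport:                       # towards the service: a request
            s = stats[(dst, dport)]
            s["req_bytes"] += nbytes; s["req_pkts"] += npkts; s["clients"].add(src)
        else:                                    # from the service: a response
            s = stats[(src, sport)]
            s["resp_bytes"] += nbytes; s["resp_pkts"] += npkts
    return stats

def amplifying_reflectors(flows, min_baf=10.0):
    """Services whose bandwidth amplification factor (response bytes over
    request bytes) reaches min_baf, with the packet amplification factor and
    the addresses that received the responses (the likely victims)."""
    found = []
    for (ip, port), s in reflection_stats(flows).items():
        if not s["req_bytes"]:
            continue
        baf = s["resp_bytes"] / s["req_bytes"]
        if baf >= min_baf:
            found.append({"reflector": ip, "port": port, "baf": round(baf, 1),
                          "paf": round(s["resp_pkts"] / s["req_pkts"], 1),
                          "victims": sorted(s["clients"])})
    return sorted(found, key=lambda r: -r["baf"])

if __name__ == "__main__":
    for r in amplifying_reflectors(FLOWS):
        print(f"{r['reflector']}:{r['port']} BAF={r['baf']} PAF={r['paf']} victims={r['victims']}")
```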

Slide 16: What is a subdomain attack?
• Direct or reflection attack where the intermediary and victim spend cycles on nonsense
(Diagram: S: D: "What is the IP for Xyz" / S: D: NXDOMAIN; the response is to a legitimate protocol query)

Slide 17: NTP servers
• Stratum servers
• NTP queries
• MONLIST command: provides a list of clients that have taken time readings
• What's next?

Slide 18: Solution?
• DNS "Any" request filtering
  – DNS "Any" requests can be used for a DDoS attack, since they occupy DNS server resources as the target server sends its many records to the requesters.
• DNS request rate limiting by FQDN
  – IP address: limits the rate of queries from a given source.
  – Requested domain name: limits the rate of requests for the same domain name, from any sender (i.e. DNS birthday attack)
  – Scope for FQDN rate limiting: specify how many labels of the FQDN to consider together when applying the rate limit
  – Maximum label length: specify the maximum length for a given label within the FQDN, either at any suffix position or beginning at a specific suffix position.
• DNS request rate limiting by record type
• NXDomain inspection and rate limiting

Slide 19: Solution?
• Label inspection and label length limiting
  – Limit the label length of the FQDN after a number of suffixes
  – Anything greater than suffix x will be limited
Configuration example:
  ddos template dns tp-dns
    fqdn-label-length 15 suffix 2
    fqdn-label-length 10 suffix 3
  – test.randominvalidstring.google.com: does not pass the label-length-15-after-suffix-2 check
  – alongstring.[…]: passes the label-length-15-after-suffix-2 check, but does not pass the label-length-10-after-suffix-3 check
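An added Python model of the controls on slides 18 and 19 (illustrative code, not A10's engine): ANY filtering, the label-length rules, and sliding-window rate limits per source and per FQDN scope (the rightmost N labels, so a random-subdomain flood against one zone aggregates into one counter). It assumes that "fqdn-label-length L suffix S" bounds the label immediately to the left of the S rightmost labels; the limits and the query log are constructed.

```python
from collections import defaultdict, deque

class DnsRequestPolicy:
    """Illustrative DNS request policy: drop ANY queries, enforce
    fqdn-label-length rules, then rate-limit per source and per FQDN
    scope (rightmost N labels) within a sliding time window."""

    def __init__(self, label_rules, src_limit, fqdn_limit, fqdn_scope=2, window=1.0):
        self.label_rules = label_rules          # {suffix_labels: max_label_len}
        self.src_limit, self.fqdn_limit = src_limit, fqdn_limit
        self.fqdn_scope, self.window = fqdn_scope, window
        self.src_hits, self.fqdn_hits = defaultdict(deque), defaultdict(deque)

    def label_violation(self, qname):
        """Assumed semantics of 'fqdn-label-length L suffix S': the label just
        left of the S rightmost labels may be at most L characters long.
        Returns the first violated (suffix, max_len) rule, else None."""
        labels = qname.rstrip(".").split(".")
        for suffix, max_len in sorted(self.label_rules.items()):
            idx = len(labels) - suffix - 1
            if idx >= 0 and len(labels[idx]) > max_len:
                return (suffix, max_len)
        return None

    def _over_limit(self, hits, key, limit, now):
        q = hits[key]
        while q and q[0] <= now - self.window:   # expire timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) > limit

    def decide(self, now, src, qname, qtype):
        """Returns 'pass' or 'drop:<reason>' for one query."""
        if qtype == "ANY":
            return "drop:any"
        if self.label_violation(qname):
            return "drop:label-length"
        if self._over_limit(self.src_hits, src, self.src_limit, now):
            return "drop:src-rate"
        scope = ".".join(qname.rstrip(".").split(".")[-self.fqdn_scope:])
        if self._over_limit(self.fqdn_hits, scope, self.fqdn_limit, now):
            return "drop:fqdn-rate"
        return "pass"

if __name__ == "__main__":
    policy = DnsRequestPolicy({2: 15, 3: 10}, src_limit=3, fqdn_limit=5)
    log = [(0.0, "198.51.100.1", "www.google.com", "ANY"),              # constructed log
           (0.1, "198.51.100.1", "test.randominvalidstring.google.com", "A")]
    log += [(0.2 + i / 100, f"198.51.100.{i}", f"r{i}.example.net", "A") for i in range(6)]
    for entry in log:
        print(entry[2], "->", policy.decide(*entry))
```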

Slide 20: Backscatter
• What is backscatter and why do I care?
  – Traffic that is a by-product of the attack
• Why is that interesting?
  – It is important to distinguish between the actual attack traffic and unintended traffic sent by the victim
  – Classify the attacker and victim differently
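Added example, not from the deck: classifying inbound TCP control packets seen at a network edge into attack traffic versus backscatter, so that a host answering SYNs it received with our spoofed addresses is recorded as a victim rather than as a bad actor. The packet records and addresses are constructed.

```python
from collections import Counter

# Constructed packets observed at our edge (not from the deck):
# (direction, src, dst, tcp_flags); "in" means arriving from the Internet.
PACKETS = [
    ("out", "192.0.2.10", "203.0.113.5", "S"),     # our client opens a connection
    ("in",  "203.0.113.5", "192.0.2.10", "SA"),    # legitimate reply to it
    ("in",  "203.0.113.77", "192.0.2.200", "SA"),  # SYN-ACK nobody here asked for
    ("in",  "203.0.113.77", "192.0.2.201", "SA"),  # ...more from the same host
    ("in",  "203.0.113.77", "192.0.2.202", "RA"),
    ("in",  "198.51.100.9", "192.0.2.10", "S"),    # inbound SYN: a request aimed at us
    ("in",  "198.51.100.9", "192.0.2.10", "S"),
]

def classify(packets):
    """Split inbound packets into senders (possible attack sources) and
    backscatter. A SYN-ACK or RST that answers a SYN we never sent is a
    by-product of a flood against its sender, whose attacker spoofed our
    addresses, so that sender is counted as a victim, not a bad actor."""
    opened = set()
    backscatter, victims, senders = [], Counter(), Counter()
    for direction, src, dst, flags in packets:
        if direction == "out" and flags == "S":
            opened.add((src, dst))               # remember connections we initiated
        elif direction == "in":
            if flags in ("SA", "RA", "R") and (dst, src) not in opened:
                backscatter.append((src, dst, flags))
                victims[src] += 1
            else:
                senders[src] += 1
    return {"victims": dict(victims), "senders": dict(senders),
            "backscatter": backscatter}

if __name__ == "__main__":
    result = classify(PACKETS)
    print("victims (exclude from blocklists):", result["victims"])
    print("senders:", result["senders"])
```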

Slide 21: Metrics
– Bandwidth (Kbps, Gbps)
– PPS
– QPS
– Storage
– CPU
– Application specific (usually latency)
– Bad actors
– Victims
– Geo-temporal

Slide 22: Good Internet citizenship

Slide 23: Mitigations (Assumption: preaching to the converted)
• Defend yourself
  – Anycast
  – Some form of IPS/DDoS mitigation gear, inline or asymmetric (service dependent or independent?)
  – Overall network architecture
• Defend the Internet
  – Rate-limiting
  – BCP38/140 (outbound filtering): source address validation
  – Securely configured DNS, NTP and SNMP servers
  – No open resolvers
• Talk to other security professionals like yourself
• Talk to vendors like A10 Networks

Slide 24: Are you noticing the imbalance?
Defend yourself/your consumers:
  – Anycast (DNS)
  – Some form of IPS/DDoS mitigation gear
  Lots of money; effective, scalable, faster to roll out
Defend the Internet:
  – Rate-limiting
  – BCP38/140 (outbound filtering): source address validation
  – Securely configured authoritative DNS servers
  – No open resolvers
  Somewhat cheap; more touch points, slower to roll out

Slide 25: What's the point I'm trying to make?
• It's not feasible to mitigate those attacks single-handedly all of the time
• Companies need to start including "defending the Internet from themselves" as part of their budget, not only "defending themselves from the Internet"
• We need cooperation amongst service providers and security vendors
  – More can always be done; the war continues
  – Shared intelligence is key

Slide 26: In Summary (Assumption: this is part of your strategy already)
• Evaluate the quick wins in your own network
  – RFC 2827/BCP 38
  – If possible, filter all outgoing traffic and use a proxy
  – BCP 140: "Preventing Use of Recursive Nameservers in Reflector Attacks"
• Collaborate with your peers to raise the bar collectively
• Use high-scale, high-performance mitigation infrastructure that defends your network and gives your consumers and peers levels of protection that keep pace with, and exceed, the pace of change
• Use dedicated DDoS platforms that understand the in-the-wild attacks
  – Don't exacerbate the situation; reduce the backscatter
• Share the key metrics, KPIs and mitigation techniques (public forum?)
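The RFC 2827/BCP 38 quick win named on slides 23, 24 and 26, as an added Python example (not from the deck): an egress check that lets a packet leave only if its source address belongs to a prefix the site is authorised to originate, which is exactly what stops spoofed queries from reaching a reflector with a victim's address. The prefixes and outbound packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Prefixes assigned to our site (constructed; documentation ranges).
SITE_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")]

def bcp38_allows(src, prefixes=SITE_PREFIXES):
    """RFC 2827 / BCP 38 egress rule: forward only if the source address is
    inside one of the prefixes we legitimately originate. Anything else
    (spoofed public addresses, leaking RFC 1918 space, garbage) is dropped.
    Equivalent iptables form for one IPv4 prefix on an uplink eth0:
        iptables -A FORWARD -o eth0 ! -s 192.0.2.0/24 -j DROP"""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in p for p in prefixes)

def filter_egress(packets, prefixes=SITE_PREFIXES):
    """Split constructed (src, dst) pairs into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if bcp38_allows(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped

# Constructed outbound packets: two genuine, two whose spoofed source would
# otherwise make a DNS or NTP reflector answer to somebody else's address.
OUTBOUND = [
    ("192.0.2.15", "203.0.113.53"),
    ("2001:db8:1::a", "2001:db8:ff::53"),
    ("198.51.100.7", "203.0.113.53"),   # spoofed: not our prefix
    ("10.0.0.1", "203.0.113.123"),      # spoofed: private address leaking out
]

if __name__ == "__main__":
    fwd, drop = filter_egress(OUTBOUND)
    print("forwarded:", fwd)
    print("dropped (BCP 38):", drop)
```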

THANK YOU