© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Guard Seminar. Hakan Tağmaç, Consulting System Engineer.

Presentation transcript:

Slide 1: Guard Seminar. Hakan Tağmaç, Consulting System Engineer

Slide 2: Agenda
- The DDoS problem
- Product introduction: "Guard" and "Detector"
- Diverting and stopping the attack
- Deployment models
- "Guard" management
- Connecting the "Guard" to the network
- Filters and policies
- Packet types and traffic characteristics
- User filters and the "Antispoofing" mechanism
- Operation modes
- Summary

Slide 3: The DDoS Problem

Slide 4: Distributed Denial of Service (DDoS): Multiple Threats and Targets
(Diagram labels: Peering point, POP, ISP backbone, Attacked server, Access line)
Attack zombies:
- Use valid protocols
- Spoof the source IP
- Massively distributed
- Variety of attacks
Targets:
- Entire data center: servers, security devices, routers; e-commerce, web, DNS, ...
- Provider infrastructure: DNS, routers, and links
- Access line

Slide 5: DDoS Attacks Are Here To Stay
Symantec Internet Security Report, June '05:
- DoS attacks grew from 119 to 927 per day, an increase of 679%
- A large percentage of DDoS attacks are motivated by extortion demands
- 75 million computers estimated to be infested with bot software
- Attack size is in the 2-7 Gig range
- The DoS problem is not a "100-year flood" anymore!
"'Zombie' ring allegedly hit 1.5 million computers": Dutch Internet provider XS4ALL identified the zombie network, calling it "only a drop in the ocean."

Slide 6: Why traditional mechanisms are not enough!
IDS:
- Optimized for signature-based application-layer detection; the most sophisticated DDoS attacks are characterized by anomalous behavior in layers 3 and 4
- Cannot easily detect DDoS attacks that use valid packets; requires extensive manual tuning
Firewalls:
- Based on static policy enforcement; most DDoS attacks today use "approved" traffic that bypasses the firewall
- Lack of "anomaly detection"
- Lack of anti-spoofing capabilities to separate good from bad traffic

Slide 7: DDoS Solution Completes Security in Depth
(Diagram: Authenticated Access, Data Integrity, Availability)
- Addresses "secure availability" of the infrastructure
- A "network behavior-based solution" is required to stop DDoS
- Does not use attack signatures; catches day-zero attacks
- Complements and strengthens the overall security solution: firewall, IPS, SSL, and antivirus as well as content switching
- Efficient sequential elimination of different levels of threats

Slide 8: Cisco Guard and Detector Product Overview

Slide 9: Value Proposition
- Detects and mitigates the broadest range of Distributed Denial of Service (DDoS) attacks
- Behavioral anomaly recognition engine provides the granularity and accuracy to ensure availability and business continuity while dropping attack traffic
- High-performance, multi-gigabit architecture protects both enterprises and service providers from large attacks
- Leading-edge innovation with protection for DNS and SIP infrastructure
- Several enterprise and service provider wins and deployments

Slide 10: Cisco DDoS Solution: Appliances and Service Modules
DDoS appliances: Cisco Guard XT 5650, Cisco Traffic Anomaly Detector XT 5600
- IBM x345/x346 server platform
- 2 GE fiber interfaces
- 10/100/GE copper management interface
- 2U rack mount, single/dual power supply
- Dual RAID hard drive
- 2 GB DDRAM
- 1 Broadcom SiByte network processor
DDoS service modules: Cisco Anomaly Guard Module, Cisco Traffic Anomaly Detector Module
- Single-slot service module
- No external interfaces; uses line card or supervisor interfaces
- Cat6k IOS support: 12.2(18)SXD3 or later
- 7600 IOS support: 12.2(18)SXE or later
- 3 Broadcom SiByte network processors
- Multiple AGMs per chassis

Slide 11: Cisco DDoS Protection: Value Proposition ("DDoS Protection with Surgical Precision")
Anomaly recognition: observe traffic behavior (TCP, UDP, HTTP, DNS, SIP)
- Packet rates (e.g. SYNs in PPS)
- Packet ratios (SYN:FIN)
- Number of open and half-open TCP connections
- For destination and source: by destination host IP, by destination host subnet, by source host IP
- Firewall: No; IPS: No; Load balancer: No
Spoofed attack protection
- TCP anti-spoofing: SYN cookie, HTTP redirect, TCP anti-spoofing method #2, TCP anti-spoofing method #3, strong anti-spoofing (proxy mode)
- UDP anti-spoofing: DNS anti-spoofing protection, SIP anti-spoofing protection
- Firewall: SYN cookie only; IPS: No; Load balancer: SYN cookie only
Dynamic filtering: per-source dynamic filtering
- Block only attack sources
- 150K filters in real time
- Up to 3 Gbps protection / 3.5 Mpps; 10 Gbps performance with 4 modules in a chassis
- < 1 ms latency
- Firewall: No; IPS: No; Load balancer: No
Botnet protection: protection from botnet attacks
- Unique anti-zombie mechanism
- Can stop up to 1M hosts
- Low-rate botnet attacks
- Firewall: No; IPS: No; Load balancer: No
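The slide lists SYN cookies as the first TCP anti-spoofing method. The following Python is an added example, not code from the Cisco slides or from the Guard itself: a stateless SYN-cookie check in which the server keeps no half-open entry for a SYN, encodes the time slot, MSS and a keyed hash of the 4-tuple into the SYN-ACK sequence number, and only allocates connection state when the returning ACK proves the client actually received the SYN-ACK (which a spoofed source never does). The secret, cookie layout, address values and the simulate() harness are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example; a real implementation rotates it regularly.
SECRET = b"constructed-example-secret"
SLOT_SECONDS = 64      # cookie time slot; a cookie is accepted for MAX_SLOT_AGE older slots
MAX_SLOT_AGE = 1
# MSS values that the 3-bit field in the cookie can encode (constructed table).
MSS_TABLE = [536, 1220, 1460, 4460]


def _slot(now):
    return int(now // SLOT_SECONDS)


def _mac24(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN-ACK. Layout: 5 bits slot | 3 bits MSS index | 24 bits MAC."""
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i
    slot = _slot(now)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot)


def verify_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """Return the negotiated MSS if ack_number-1 is a valid, fresh cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac_bits = cookie & 0xFFFFFF
    current = _slot(now)
    for age in range(MAX_SLOT_AGE + 1):
        candidate = current - age
        if (candidate & 0x1F) == slot_bits and \
                mac_bits == _mac24(src_ip, src_port, dst_ip, dst_port, candidate):
            return MSS_TABLE[mss_idx]
    return None


def build_sample_traffic(now, spoofed_syns=200):
    """Constructed packet records: a spoofed SYN flood, one real client, one forged ACK."""
    server = ("192.0.2.10", 80)
    packets = []
    # Spoofed SYNs from addresses that will never answer the SYN-ACK.
    for i in range(spoofed_syns):
        packets.append({"flags": "SYN", "src": f"203.0.113.{i % 254 + 1}", "sport": 1024 + i,
                        "dst": server[0], "dport": server[1], "mss": 1460})
    # A real client completes the handshake with the cookie it received.
    client = ("198.51.100.7", 40000)
    packets.append({"flags": "SYN", "src": client[0], "sport": client[1],
                    "dst": server[0], "dport": server[1], "mss": 1460})
    isn = make_syn_cookie(client[0], client[1], server[0], server[1], 1460, now)
    packets.append({"flags": "ACK", "src": client[0], "sport": client[1],
                    "dst": server[0], "dport": server[1], "ack": (isn + 1) & 0xFFFFFFFF})
    # A forged ACK that merely guesses a sequence number is rejected.
    packets.append({"flags": "ACK", "src": "203.0.113.99", "sport": 5555,
                    "dst": server[0], "dport": server[1], "ack": 0x12345678})
    return packets


def simulate(packets, now):
    """Process the records as a cookie-protected server; only valid ACKs create state."""
    established = {}
    stats = {"syn_acks_sent": 0, "rejected_acks": 0}
    for p in packets:
        if p["flags"] == "SYN":
            # SYN-ACK ISN is computed and sent; no half-open entry is stored.
            make_syn_cookie(p["src"], p["sport"], p["dst"], p["dport"], p["mss"], now)
            stats["syn_acks_sent"] += 1
        elif p["flags"] == "ACK":
            mss = verify_syn_cookie(p["src"], p["sport"], p["dst"], p["dport"], p["ack"], now)
            if mss is None:
                stats["rejected_acks"] += 1
            else:
                established[(p["src"], p["sport"])] = mss
    stats["established"] = len(established)
    return stats


if __name__ == "__main__":
    NOW = 1_000_000.0
    print(simulate(build_sample_traffic(NOW), NOW))
```

Two hundred spoofed SYNs produce two hundred SYN-ACKs but zero stored state, the one genuine client is established with its MSS recovered from the cookie, and the forged ACK is dropped. The cost of statelessness is the usual one: only the MSS survives the handshake, so other options are lost, which is why this is a protection mode to enable under attack rather than the permanent behaviour of a host.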

Slide 12: Anomaly Recognition: Behavior-Based Intelligent Mitigation
- Learning (traffic profile during peacetime): periodic observation of patterns to update the baseline profiles
- Detection: passive copy of traffic is monitored; anomaly-based detection on packet rates (PPS), packet ratios, and number of open connections
-> Attack detected
- Analysis: diversion for more granular in-line analysis; flex filters, static and bypass filters in operation; all flows are forwarded but analyzed for anomalies
-> Anomaly identified
- Basic protection: basic anti-spoofing applied; analysis for continuing anomalies
-> Anomaly verified
- Strong protection: strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources
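Slides 11 and 12 describe the metrics (SYN rate, SYN:FIN ratio, half-open connections, per-source counts) and the escalation from learning through detection, analysis, basic and strong protection. The Python below is an added example written for this page, not the Guard's own algorithm: it learns a peacetime baseline per zone from constructed observation windows, flags metrics that exceed the baseline by a factor, walks a zone through the escalation states one window at a time, and in the strong-protection state deploys per-source dynamic filters only for sources far above the peacetime per-source profile. The window length, the threshold factor, the two-clean-windows recovery rule and all address values are assumptions made for the example.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 10   # length of one observation window (constructed for the example)
FACTOR = 3.0          # how far above the peacetime profile counts as anomalous


@dataclass
class Window:
    """Per-zone counters for one window (constructed input; a Detector would collect these)."""
    zone: str
    syn: int            # TCP SYNs toward the zone
    fin: int            # TCP FINs (a healthy SYN:FIN ratio is near 1)
    half_open: int      # half-open TCP connections at the end of the window
    syn_by_src: dict    # SYNs per source address


@dataclass
class Baseline:
    syn_pps: float
    syn_fin_ratio: float
    half_open: float
    per_src_syn: float


def learn_baseline(windows):
    """Learning: the peacetime maximum of each metric becomes the zone profile."""
    return Baseline(
        syn_pps=max(w.syn / WINDOW_SECONDS for w in windows),
        syn_fin_ratio=max(w.syn / max(w.fin, 1) for w in windows),
        half_open=max(w.half_open for w in windows),
        per_src_syn=max(max(w.syn_by_src.values()) for w in windows),
    )


def anomalies(w, b):
    """Detection: names of the rate, ratio and counter metrics above FACTOR x baseline."""
    found = []
    if w.syn / WINDOW_SECONDS > FACTOR * b.syn_pps:
        found.append("syn-rate")
    if w.syn / max(w.fin, 1) > FACTOR * b.syn_fin_ratio:
        found.append("syn:fin-ratio")
    if w.half_open > FACTOR * b.half_open:
        found.append("half-open")
    return found


class ZoneGuard:
    """Escalation: DETECTION -> ANALYSIS -> BASIC_PROTECTION -> STRONG_PROTECTION."""

    def __init__(self, peacetime):
        self.baseline = learn_baseline(peacetime)
        self.state = "DETECTION"
        self.dynamic_filters = set()
        self.clean_windows = 0

    def step(self, w):
        """Advance one window; return (new state, actions taken this window)."""
        actions = []
        if not anomalies(w, self.baseline):
            self.clean_windows += 1
            if self.state != "DETECTION" and self.clean_windows >= 2:
                self.state = "DETECTION"        # attack over: return traffic, drop filters
                self.dynamic_filters.clear()
                actions.append("withdraw-diversion")
            return self.state, actions
        self.clean_windows = 0
        if self.state == "DETECTION":
            self.state = "ANALYSIS"             # attack detected: divert for in-line analysis
            actions.append("divert-to-guard")
        elif self.state == "ANALYSIS":
            self.state = "BASIC_PROTECTION"     # anomaly identified: basic anti-spoofing
            actions.append("basic-antispoofing")
        elif self.state == "BASIC_PROTECTION":
            self.state = "STRONG_PROTECTION"    # anomaly verified: proxy anti-spoofing
            actions.append("strong-antispoofing-proxy")
        if self.state == "STRONG_PROTECTION":
            # Dynamic filters: block only sources far above the peacetime per-source profile.
            limit = FACTOR * self.baseline.per_src_syn
            for src, n in w.syn_by_src.items():
                if n > limit and src not in self.dynamic_filters:
                    self.dynamic_filters.add(src)
                    actions.append(f"dynamic-filter {src}")
        return self.state, actions


def peacetime_windows():
    """Constructed quiet traffic toward the 'web' zone."""
    return [Window("web", 500, 480, 30, {"198.51.100.20": 5, "198.51.100.21": 3}),
            Window("web", 400, 380, 20, {"198.51.100.20": 4, "198.51.100.22": 2})]


def attack_window():
    """Constructed SYN flood: two heavy sources plus one ordinary client."""
    return Window("web", 17004, 300, 5000,
                  {"203.0.113.7": 9000, "203.0.113.9": 8000, "198.51.100.20": 4})


def run_demo():
    """Three attack windows followed by two quiet ones; returns the state/action trace."""
    guard = ZoneGuard(peacetime_windows())
    sequence = [attack_window()] * 3 + peacetime_windows()
    return [guard.step(w) for w in sequence]


if __name__ == "__main__":
    for state, actions in run_demo():
        print(state, actions)
```

The trace escalates one state per anomalous window, deploys filters for the two heavy sources while leaving the ordinary client untouched, and withdraws the diversion after two clean windows. Using the peacetime maximum as the baseline is a deliberately simple profile; the point the example makes is that every decision is driven by the deviation from a learned profile rather than by a signature.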

Slide 13: Cisco Guard: Broadest Attack Protection
Bandwidth consumption attacks:
1. Spoofed and non-spoofed flood attacks: TCP flag (SYN, SYN-ACK, ACK, FIN), ICMP, UDP. Examples: SYN flood, Smurf, LAND, UDP flood
2. Zombie/botnet attacks: each zombie or bot source opens multiple TCP connections; each zombie or bot source opens multiple TCP sessions and issues repetitive HTTP requests
3. DNS attacks: DNS request flood
Resource starvation attacks:
1. Packet size attacks: fragmented packets, large packets. Examples: Teardrop, Ping-of-Death
2. Low-rate zombie/botnet attacks: similar to bandwidth consumption attacks, except that each attack source sends multiple requests at a low rate
3. DNS attacks: DNS recursive lookup
SIP protection: SIP anti-spoofing

Slide 14: High Performance and Capacity
Performance:
- 1 Mpps+ for most attacks, good and bad traffic, typical features
- 150K dynamic filters for zombie attacks
- Clustering to 8 Guards for a single protected host
- Latency or jitter: < 1 msec
- 3 Gig Guard Module: Q1 CY07
Capacity:
- 30 concurrently protected zones (90 for the Detector) and 500 total
- 1.5 million concurrent connections

Slide 15: DIVERSION, MITIGATION ARCHITECTURE

Slides 16-19: Dynamic Diversion At Work (built up one step per slide)
Diagram: Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application; Cisco Traffic Anomaly Detector Module (or Cisco IDS or third-party system); Cisco Anomaly Guard Module
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic. Route update: RHI internal, or BGP/other external

Slides 20-22: Dynamic Mitigation At Work (built up one step per slide)
Diagram adds: Traffic destined to the target; Legitimate traffic to target
4. Identify and filter malicious traffic
5. Forward legitimate traffic
6. Non-targeted traffic flows freely
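The six diversion and mitigation steps above rest on one routing idea: a more-specific route for the attacked host is injected toward the Guard, so only that host's traffic is pulled through the scrubber while the rest of the zone keeps its normal path, and the Guard must return clean traffic on a path that does not match its own injected route. The Python below is an added example, not the Guard's or the switch's code: a longest-prefix-match table, a Guard object that announces and withdraws a /32, and a forwarding function run over constructed packets before, during and after activation. The route update is modelled as a plain table insert (the slide names RHI internally or BGP externally), the "malicious" source is given to the Guard as an already-identified dynamic filter, and all prefixes, next-hop names and addresses are assumptions.

```python
import ipaddress


class Router:
    """Minimal longest-prefix-match forwarding table (constructed model for the example)."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst, exclude=None):
        """Longest match for dst, optionally ignoring routes toward `exclude`."""
        addr = ipaddress.ip_address(dst)
        candidates = [(n, nh) for n, nh in self.routes.items() if addr in n and nh != exclude]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


class GuardModule:
    """Step 2-5: activation injects a /32 toward the Guard; scrub() filters and re-forwards."""

    def __init__(self, router, name="guard-module"):
        self.router = router
        self.name = name
        self.blocked_sources = set()   # per-source dynamic filters

    def activate(self, target):
        self.router.announce(f"{target}/32", self.name)   # modelled RHI/BGP route update

    def deactivate(self, target):
        self.router.withdraw(f"{target}/32")

    def add_dynamic_filter(self, src):
        self.blocked_sources.add(src)

    def scrub(self, pkt):
        if pkt["src"] in self.blocked_sources:
            return "dropped-by-guard"
        # Legitimate traffic goes back on the zone's original path, never via the /32
        # that points at the Guard itself (otherwise it would loop).
        return f"forwarded-by-guard-via-{self.router.next_hop(pkt['dst'], exclude=self.name)}"


def forward(router, guard, pkt):
    """Forwarding decision for one packet as seen by the diversion router."""
    nh = router.next_hop(pkt["dst"])
    if nh == guard.name:
        return guard.scrub(pkt)
    return f"direct-via-{nh}"


def run_demo():
    router = Router()
    router.announce("192.0.2.0/24", "zone1-web-switch")      # constructed zone prefixes
    router.announce("198.51.100.0/24", "zone2-dns-switch")
    guard = GuardModule(router)
    packets = [                                              # constructed traffic
        {"src": "203.0.113.5", "dst": "192.0.2.10"},         # legitimate client -> target
        {"src": "203.0.113.66", "dst": "192.0.2.10"},        # attack source -> target
        {"src": "203.0.113.5", "dst": "192.0.2.11"},         # neighbour host in same /24
        {"src": "203.0.113.5", "dst": "198.51.100.53"},      # another zone entirely
    ]
    before = [forward(router, guard, p) for p in packets]
    guard.activate("192.0.2.10")                 # 1-3: target detected, Guard activated, /32 diverted
    guard.add_dynamic_filter("203.0.113.66")     # 4: malicious source identified
    during = [forward(router, guard, p) for p in packets]
    guard.deactivate("192.0.2.10")               # attack over: withdraw the /32
    after = [forward(router, guard, p) for p in packets]
    return before, during, after


if __name__ == "__main__":
    for label, result in zip(("before", "during", "after"), run_demo()):
        print(label, result)
```

During activation only the two packets for 192.0.2.10 reach the Guard: the legitimate one is forwarded on to the web switch and the filtered source is dropped, while the neighbour host and the other zone are never diverted (step 6). Withdrawing the /32 restores the original forwarding exactly.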

Slide 23: ENTERPRISE DEPLOYMENT SCENARIO

Slide 24: Enterprise or Hosting Data Center with Service Modules in "Integrated Mode"

Slide 25: MANAGED DDoS SERVICE

Slide 26: DDoS Service Providers
- The largest carriers offer "clean pipes" services to F500 enterprises
- Both dedicated and shared protection models
- Pricing based on multiples of gigabits of cleaning capacity
- Various detection options (manual, Detector, Peakflow SP)
- Attack activation together with the customer
- Standard or customized policies
- Service and attack reporting
(Logos: service providers and hosting providers; PrevenTier DDoS Mitigation Service; SureArmour DDoS Protection service)

Slide 27: MDM Summary

Slide 28: DDoS MultiDevice Manager 1.0
- The DDoS MultiDevice Manager 1.0 (MDM) is a software product that enables monitoring, management and reporting of several Cisco Guards and Detectors in a customer network
- The MDM provides a coherent and consolidated view of attack information, both in real time and as detailed reports
- MDM 1.0 runs on a Linux server and must be installed on a server owned and operated by the customer
- MDM 1.0 requires R5.1(5) on the Guard and Detector devices

Slide 29: DDoS MultiDevice Manager 1.0 (cont.)
- The MDM GUI is based on the web-based management GUI currently available on the Guard and Detector devices
- Attack information such as size, type and other characteristics is aggregated across devices and displayed on a single screen in a web-based interface
- The MDM also supports distributing basic zone-level configuration from a master device to a set of other devices (Guards, Detectors) on the network
- Consolidation is done on counters, rates, graphs, attack reports, the events log and zone status across all devices

Slide 30: Consolidated Information
- The MDM gives the user the ability to monitor all DDoS detection and mitigation actions in its network from a web GUI: all zones that are under detection, all zones that are under attack, and all mitigation actions
- When a zone is protected by several Guards, all information regarding the zone is consolidated into one view
- Consolidated information includes:
  - Aggregate zone state across all devices (e.g. whether all Guards or only a subset detected the attack)
  - All dynamic filters across all devices aggregated into one list
  - All log events from all devices aggregated into one log, sorted by time, at device level and zone level
  - Aggregated counters and rates (e.g. malicious and legitimate traffic across all Guards; counter aggregation does not include Detectors)
  - Attack reports that consolidate information from all Guards

Slide 31: Summary
- Fighting DDoS attacks is an ongoing war, and Cisco has more experience and the most successful track record of any vendor
- The Guard and the Detector dominate the DDoS managed service market:
  - Major IXCs and web hosting players worldwide use the products for managed services
  - Many successful deployments in the largest enterprises
  - The most scalable and reliable solution
  - Mitigating attacks every day, providing ongoing feedback to product improvements