1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques.

Presentation transcript:

1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques to Defeat DDoS

2 DDoS protection, Where & How?
[Diagram: Server1 and the victim server behind routers R1-R5, with peering links labelled 1000, FE and 100]

3 At the Routers
[Diagram: same topology, protection placed on the routers]
- Random spoofing
- Throws good with bad
- Router degradation
- ACLs, CARs, null route

4 At the Edge
[Diagram: same topology, protection placed at the edge]
- Choked
- Point of failure
- Not scalable

5 At the Backbone
[Diagram: same topology, protection placed in the backbone]
- Throughput
- Point of failure
- All suffer

6 Diversion
[Diagram: same topology, traffic diverted to a protection device off the data path]
- Not on critical path
- Routers route
- Upstream
- Sharing
- Dynamic

7 Basic Scheme
[Diagram: ISP Backbone (AS 56), Victim (AS 24), PR]

8 Basic Concepts
1. Divert victim's traffic
2. Sieve
3. Legitimate traffic continues on its route
[Diagram legend: Database, Victim traffic, Victim clean traffic, Malicious packets, R]

9 Operational process
[Diagram: Victim, AS x, NOC, steps 1 and 2]

10 Sieving
[Diagram: sieving pipeline from malicious traffic to output, with stages: Packet filtering, Anti-spoofing, Learning & statistical analysis, HTTP analysis & authentication]

11 Sieving techniques
- Filters: IPs, ports, flags, etc.
- Anti-spoofing:
  - TCP
  - Other
- Recognition:
  - Statistical analysis
  - Layers 3-7
- High-level protocols:
  - HTTP specific (recognize anomalous behavior)
  - Other

12 Diversion
1. Divert
2. Return good traffic, without looping!
[Diagram legend: Victim traffic, Victim clean traffic, Malicious packets, Database, R]

13 Diversion: BGP + next L3
1. Divert: BGP announce a /32 from the box, tagged with the no_export and no_advertise communities
2. Return: via the next layer 3 device
[Diagram: L2 device, L3, R; legend: Victim traffic, Victim clean traffic, Malicious packets]

14 Diversion: BGP + GRE
1. Divert: BGP
2. Return: GRE
- GRE de-cap increases VIP load by less than 20% [Wessels & Hardie, NANOG19, Albuquerque]
[Diagram: R, BGP, GRE, R; legend: Victim traffic, Victim clean traffic, Malicious packets]
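The looping problem of slides 12-14, as an added example that is not part of the original presentation: once the guard's /32 sits in router R's forwarding table, a clean packet handed straight back to R matches that /32 again, so the return path has to carry a different outer destination (here a GRE outer header addressed to the next layer-3 device). All addresses and node names below are constructed for the illustration.

```python
# Added example (not from the slides): longest-prefix-match forwarding at
# the diversion router R, showing why the clean return path must bypass
# the diverted /32. Constructed addressing: victim 10.1.1.10 inside
# 10.1.1.0/24, reached through the next layer-3 device L3 (10.0.0.2);
# "guard" is just a next-hop label for the sieving device.
import ipaddress

VICTIM = "10.1.1.10"
L3_ADDR = "10.0.0.2"
GUARD, L3 = "guard", "l3"

def lpm(fib, dst):
    """Longest-prefix match: the most specific route wins, which is what
    lets a /32 announced by the guard capture the victim's traffic."""
    addr = ipaddress.ip_address(dst)
    best = max((p for p in fib if addr in p),
               key=lambda p: p.prefixlen, default=None)
    return fib.get(best)

def build_fib(diverted):
    """R's FIB. The /32 is installed only during an attack; on a real
    router it is a BGP route tagged no_export/no_advertise so it never
    propagates beyond R (slide 13)."""
    fib = {ipaddress.ip_network("10.1.1.0/24"): L3,
           ipaddress.ip_network(L3_ADDR + "/32"): L3}
    if diverted:
        fib[ipaddress.ip_network(VICTIM + "/32")] = GUARD
    return fib

def forward(fib, dst, return_via_gre, malicious=False):
    """Trace one packet from R towards the victim. Returns the hop list;
    it ends in 'LOOP' when R keeps handing the packet back to the guard."""
    path, outer, seen = ["R"], dst, set()
    while True:
        nh = lpm(fib, outer)
        if nh == GUARD:
            if malicious:                 # sieved out at the guard
                return path + [GUARD, "dropped"]
            if outer in seen:             # same outer destination again
                return path + ["LOOP"]
            seen.add(outer)
            path += [GUARD, "R"]
            # With GRE the clean packet is encapsulated to L3, so R now
            # matches the /32 for L3 instead of the diverted victim /32.
            outer = L3_ADDR if return_via_gre else dst
        elif nh == L3:
            path.append(L3)
            if outer != dst:
                path.append("gre-decap")
            return path + [VICTIM]
        else:
            return path + ["no-route"]
```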

15 Diversion test
[Diagram: test topology with nodes A, A, C, R, X, V, I, W; Gig and 100BT links]
- Phase 1: Normal traffic (victim and non-victim)
- Phase 2: Attack + Normal traffic
- Phase 3: Attack + Normal traffic + Diversion

16 Diversion effect
[Chart: latency in usec for normal, Attack, and Attack + diversion]

17 Diversion WCCP v2
- Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt]
  - remote diversion
  - Protocol, no dynamic config.
- Current status: available on 6500, 7200, 7500, 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF
- Other vendors?
[Diagram: R, WCCP; legend: Victim traffic, Victim clean traffic, Malicious packets]

18 Diversion PBR / FBF
1. Divert: Policy Based Routing / Filter Based Forwarding
2. Return: Normal route table
[Diagram: R, PBR; legend: Victim traffic, Victim clean traffic, Malicious packets]

19 Diversion: BGP + PBR
1. Divert: BGP
2. Return: PBR on the guard's interface card
[Diagram: R, PBR, BGP; legend: Victim traffic, Victim clean traffic, Malicious packets]

20 PBR
- Dynamic configuration:
  - adding access list on demand
- CPU load:
  - VIP or RSP CPU load
  - Juniper FBF: dedicated processor, Internet Processor II (from JunOS 4.4)
[Diagram: R, PBR; legend: Victim traffic, Victim clean traffic, Malicious packets]

21 PBR Warts
- 12.1(8a)E4, 12.0(18)S and 12.2(2)T with "distributed cef" will not PBR properly! BUG ID: CSCdp78100
  - all packets diverted, rather than only what is matched
  - but "ip cef" works properly
  - tested on 7513 on FE as well as GE (GEIP+)

Configuration used (victim-ip, victim-mask and Guard-guard-IP are placeholders):

  ! ACL selecting traffic destined to the victim
  ip access-list extended WW33
   permit ip any victim-ip victim-mask
  ! Route-map that sends matched packets to the guard
  route-map WWMap permit 33
   match ip address WW33
   set ip next-hop Guard-guard-IP
  end
  ! Apply the policy on the ingress interface
  interface GigabitEthernet0/0/0
   ip policy route-map WWMap

22 Diversion Double Addressing
1. Divert: BGP
2. Return: double addressing, the victim also has a private IP address that is routed only internally
[Diagram: R, BGP; legend: Victim traffic, Victim clean traffic, Malicious packets]

23 Double Addressing
[Diagram: Data Center, Victim, AS, PR, NAT]

24 Reverse Protection
[Diagram: AS y, AS x, Victim]

25 Flash Crowd Reverse Proxy
[Diagram: AS x]
[Wessels & Hardie; Surrogate, NANOG19]

26 Diversion for DDoS Summary
- Maximize goodput to victim
- Leave data path free
- Let routers route
- Protect any device
- Share a large resource on demand
- Upstream (a la pushback)

27 Comments: