1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.

2 Agenda (current section: DDoS Reality Check)
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

3 DDoS Vulnerabilities: Multiple Threats & Targets
Diagram: attack zombies -> peering point -> ISP backbone -> POP -> access line -> attacked server.
Attack zombies:
- Use valid protocols
- Spoof source IP
- Massively distributed
- Variety of attacks
Targets:
- Entire data center: servers, security devices, routers
- E-commerce, web, DNS, ...
- Provider infrastructure: DNS, routers and links

4 Evolution (table columns: Distribution, Management, # Attackers (Bandwidth), Type of attack, Protection)
Phase 1:
- Distribution: manually (hack into servers)
- # Attackers: X0-X00 attackers (X0 Mbps)
- Type of attack: non-critical protocols (e.g. ICMP), spoofed SYN
- Protection: enterprise-level firewall/ACL, access routers
Phase 2:
- Distribution: attachment, download from questionable site, via "chat" (ICQ, AIM, IRC), worms
- Management: via botnets
- # Attackers: ~X00-X,000 attackers (X00 Mbps)
- Type of attack: all types of applications (HTTP, DNS, SMTP), spoofed SYN
- Protection: ISP/IDC blackhole, ACL, DDoS solutions
Phase 3:
- Distribution/Management: manually, attachment, via "chat" (ICQ, AIM, IRC...)
- # Attackers: ~X00,000 attackers (X-X0 Gbps)
- Type of attack: legitimate requests against infrastructure elements (DNS, SMTP, HTTP...)
- Protection: blackhole (?), ACL (?), DDoS solutions, Anycast (?)

5 Security Challenges: The Cost of Threats (chart: dollar amount of loss by type of attack, CSI/FBI 2004 Survey; chart values not present in the transcript)

6 ISP Security Incident Response
An ISP operations team's response to a security incident can typically be broken down into six phases:
1. Preparation
2. Identification
3. Classification
4. Traceback
5. Reaction
6. Post Mortem

7 Sink Hole Routers (for ISPs mainly)
- Use unallocated addresses; there are a lot of them on the Internet (/8, /4, ...)
- The sink hole router locally advertises these addresses
- Infected hosts will seek to contact them
- The log will provide a list of locally infected hosts
- Will be useful for other tricks

8 Sink Hole (aka Network Honey Pot) Set-Up
Diagram: the sink hole router advertises unused IP networks in the routing protocol (/ / /4 ...); an infected system XYZ sits elsewhere in the network.

9 Sink Hole In Action: Worm Detection
Diagram: infected system XYZ ("let's infect all other hosts") tries the unused addresses, so its probes land on the sink hole router, where an IDS sensor sees them.
- The very same set-up will be used for other games
- Could be used for enterprises as well

10 Agenda (current section: Detecting)
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

11 Identification Tools
- Customer/user phone call
- CPU load on router
- SNMP: watching the baseline and tracking variations/surges
- NetFlow/IPFIX: traffic anomaly detection tools
- Sink holes: look for backscatter

12 NetFlow: Statistics per TCP/UDP Flows. DoS == unusual behaviour.
Example alert (real data deleted in this presentation): Potential DoS attack (33 flows) on router1. Estimated: 660 pkt/s, ... Mbps. ASxxx is: ... ASddd is: ...
Flow table columns: src_ip, dst_ip, in int, out int, src port, dest port, pkts, bytes, prot, src_as, dst_as. Rows (redacted): 192.xx.xxx -> yyy.yyy, src AS xxx, dst AS ddd, ...
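As an added example (not code from the Cisco deck), the following Python aggregates one NetFlow-style export interval per destination and flags the pattern the slide calls unusual behaviour: many flows from many distinct sources, all made of small packets. The flow records use documentation address ranges and are constructed; the thresholds and the one-second interval are assumptions, and a real collector would feed exported NetFlow/IPFIX records instead.

```python
"""NetFlow-style anomaly detection: flag destinations whose flow profile looks like a DoS.

Added example, not from the Cisco deck. The flow records are constructed
(documentation address ranges) and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # "tcp", "udp" or "icmp"
    pkts: int
    bytes: int


# Constructed export interval: three ordinary web flows, plus 33 flows from 33
# different sources toward one host, each carrying small packets.
# 33 flows x 20 packets = 660 packets per interval, the kind of summary the
# slide's "33 flows, estimated 660 pkt/s" alert reports.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 51000, 80, "tcp", 120, 96000),
    Flow("198.51.100.11", "203.0.113.5", 51001, 80, "tcp", 90, 70000),
    Flow("198.51.100.12", "203.0.113.7", 51002, 443, "tcp", 200, 180000),
] + [
    Flow(f"192.0.2.{i}", "203.0.113.9", 40000 + i, 80, "tcp", 20, 800)
    for i in range(1, 34)
]


def summarise_by_destination(flows, interval_s=1.0):
    """Aggregate one export interval per destination IP.

    Returns {dst_ip: {"flows", "sources", "pkts", "pps", "avg_pkt_bytes"}}.
    """
    agg = defaultdict(lambda: {"flows": 0, "sources": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        d = agg[f.dst_ip]
        d["flows"] += 1
        d["sources"].add(f.src_ip)
        d["pkts"] += f.pkts
        d["bytes"] += f.bytes
    summary = {}
    for dst, d in agg.items():
        summary[dst] = {
            "flows": d["flows"],
            "sources": len(d["sources"]),
            "pkts": d["pkts"],
            "pps": d["pkts"] / interval_s,
            "avg_pkt_bytes": d["bytes"] / d["pkts"] if d["pkts"] else 0.0,
        }
    return summary


def detect_anomalies(flows, interval_s=1.0, flow_threshold=10,
                     min_sources=10, max_avg_pkt_bytes=100):
    """Return destinations matching the DoS pattern: many flows from many
    distinct sources consisting of small packets (a SYN or UDP flood looks
    like this, while real web traffic carries larger packets). The thresholds
    are assumed values; tune them against the SNMP/NetFlow baseline."""
    hits = []
    for dst, s in summarise_by_destination(flows, interval_s).items():
        if (s["flows"] >= flow_threshold and s["sources"] >= min_sources
                and s["avg_pkt_bytes"] <= max_avg_pkt_bytes):
            hits.append({"dst_ip": dst, **s})
    return sorted(hits, key=lambda h: h["pps"], reverse=True)


if __name__ == "__main__":
    for hit in detect_anomalies(SAMPLE_FLOWS):
        print(f"Potential DoS attack ({hit['flows']} flows) on {hit['dst_ip']}: "
              f"estimated {hit['pps']:.0f} pkt/s from {hit['sources']} sources")
```

The three web flows are never flagged because they come from few sources with large average packets; the 33-source burst is, with the 660 pkt/s estimate derived from the packet counts rather than from any per-packet capture.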

13 Sink Hole Router: Backscatter Analysis
Under DDoS the victim replies to the random (spoofed) source addresses -> some of that backscatter goes to the sink hole router, where it can be analysed.

14 Backscatter Analysis
Diagram: attack packets with random sources arrive from other ISPs through the ingress routers at the target; the target's replies go to those random destinations, and the ones falling in the advertised unused space reach the sink hole router.

15 Agenda (current section: Tracing)
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

16 Tracing DoS Attacks
If the source prefix is not spoofed:
-> routing table
-> Internet Routing Registry (IRR)
-> direct site contact
If the source prefix is spoofed:
-> trace the packet flow through the network (ACL, NetFlow, IP source tracker)
-> find the upstream ISP
-> the upstream needs to continue tracing
Nowadays, 1000s of sources are not spoofed -> not always meaningful to trace back...

17 Trace-Back in One Step: ICMP Backscatter
Border routers: allow ICMP (rate limited); on packet drop, an ICMP unreachable will be sent to the source.
Use an ACL or routing tricks (routing to the Null interface): all ingress routers drop traffic to the target and send ICMP unreachables to the spoofed source!! The sink hole router logs the ICMPs!

18 Trace-Back Made Easy: ICMP Backscatter, Step 1: no drop
Diagram: attack traffic from random sources flows from other ISPs through the ingress routers to the target; the sink hole router sees only the target's backscatter.

19 Trace-Back Made Easy: ICMP Backscatter, Step 2: drop packets
Diagram: the ingress routers drop the traffic to the target and emit ICMP unreachables to the spoofed sources; the sink hole router, with logging, collects those ICMP unreachables and so identifies which ingress routers carry the attack.
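The three uses of the sink hole on slides 7-9, 13-14 and 17-19 (worm detection, backscatter analysis and ICMP trace-back) all come down to classifying what arrives at addresses nobody legitimately uses. As an added example (not code from the Cisco deck), the following Python does that classification over constructed log records: the "dark" prefixes are documentation ranges standing in for the unallocated space a real sink hole router would advertise, and the record format, the `orig_dst` field (the destination quoted inside an ICMP unreachable) and the scan threshold are assumptions.

```python
"""Sink hole log analysis: infected hosts, backscatter victims and ingress routers.

Added example, not from the Cisco deck. Packet records are constructed; the
dark prefixes are documentation ranges standing in for unallocated space.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed: the unused prefixes the sink hole router advertises locally.
DARK_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


def in_dark_space(ip):
    """True if ip lies inside one of the advertised (unused) prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_PREFIXES)


# Constructed records as the sink hole router might log them. "orig_dst" on an
# ICMP unreachable is the destination of the dropped packet, taken from the
# IP header that the ICMP message quotes.
SAMPLE_LOG = [
    # a worm on 10.1.1.50 probing addresses nobody uses
    {"src": "10.1.1.50", "dst": "192.0.2.17", "proto": "tcp", "flags": "S"},
    {"src": "10.1.1.50", "dst": "192.0.2.18", "proto": "tcp", "flags": "S"},
    {"src": "10.1.1.50", "dst": "198.51.100.3", "proto": "tcp", "flags": "S"},
    # one stray UDP probe, below the scanner threshold
    {"src": "10.2.2.7", "dst": "192.0.2.99", "proto": "udp"},
    # backscatter: 203.0.113.5 answering spoofed SYNs whose forged sources fell in dark space
    {"src": "203.0.113.5", "dst": "192.0.2.40", "proto": "tcp", "flags": "SA"},
    {"src": "203.0.113.5", "dst": "198.51.100.77", "proto": "tcp", "flags": "SA"},
    {"src": "203.0.113.5", "dst": "192.0.2.41", "proto": "tcp", "flags": "R"},
    # ICMP unreachables from ingress routers told to drop traffic to 203.0.113.5
    {"src": "10.255.0.1", "dst": "192.0.2.60", "proto": "icmp", "type": 3, "code": 1, "orig_dst": "203.0.113.5"},
    {"src": "10.255.0.3", "dst": "198.51.100.12", "proto": "icmp", "type": 3, "code": 1, "orig_dst": "203.0.113.5"},
    {"src": "10.255.0.3", "dst": "192.0.2.61", "proto": "icmp", "type": 3, "code": 1, "orig_dst": "203.0.113.5"},
    # traffic to a real address is not sink hole traffic and is ignored
    {"src": "10.9.9.9", "dst": "203.0.113.7", "proto": "tcp", "flags": "S"},
]


def analyse_sink_hole(log, scan_threshold=3):
    """Classify packets that arrived at the sink hole.

    - SYN or UDP toward dark space: the source is scanning, i.e. locally
      infected (reported once it has touched scan_threshold dark addresses).
    - SYN-ACK or RST toward dark space: backscatter; the source is a victim
      replying to spoofed sources.
    - ICMP unreachable toward dark space: the router that sent it dropped a
      packet for orig_dst, so it is an ingress point of the attack on orig_dst.
    """
    scanners, victims = Counter(), Counter()
    ingress = defaultdict(set)
    for pkt in log:
        if not in_dark_space(pkt["dst"]):
            continue
        proto, flags = pkt["proto"], pkt.get("flags", "")
        if proto == "udp" or (proto == "tcp" and flags == "S"):
            scanners[pkt["src"]] += 1
        elif proto == "tcp" and flags in ("SA", "R", "RA"):
            victims[pkt["src"]] += 1
        elif proto == "icmp" and pkt.get("type") == 3 and "orig_dst" in pkt:
            ingress[pkt["orig_dst"]].add(pkt["src"])
    return {
        "infected_hosts": sorted(h for h, n in scanners.items() if n >= scan_threshold),
        "backscatter_victims": dict(victims),
        "ingress_routers": {t: sorted(r) for t, r in ingress.items()},
    }


if __name__ == "__main__":
    for key, value in analyse_sink_hole(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each of the three answers comes from the same log: the scanner list is slide 7's "list of locally infected hosts", the backscatter victim is what slide 13 analyses, and the per-target set of routers emitting unreachables is the one-step trace-back of slide 17, without any upstream needing to trace.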

20 Agenda (current section: Mitigation)
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

21 At the Edge / Firewalls: ACL/QoS to Drop/Throttle DDoS Traffic
Diagram: Server1 and the target server behind routers R1-R5; link labels 1000, FE peering, 100.
Drawbacks:
- Easy to choke
- Point of failure
- Not scalable
- Consumer tuned
- Too late

22 At the Routers in the Network: ACL/QoS to Drop/Throttle DDoS Traffic
Diagram: Server1 and the victim server behind routers R1-R5; link labels 1000, FE peering, 100.
Drawbacks:
- Random spoofing?
- Throws good out with bad
- ~X0,000 ACLs?
- ACLs only put an upper bound on traffic

23 Black Holing the DoS Traffic: Re-Directing Traffic to the Victim
Diagram: traffic from other ISPs enters via the ingress routers; the sink hole router announces the route "target/32" and logs what it receives!!
- Keeps the line to the customer clear
- But cuts the target host off completely
- Discuss with the customer!!!
- Normally just for analysis

24 Identifying and Dropping only DDoS Traffic/1
Topology: Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application; a Cisco Traffic Anomaly Detector Module (or Cisco IDS or a third-party system) and a Cisco Anomaly Guard Module.

25 Identifying and Dropping only DDoS Traffic/2 (same topology as slide 24)
1. Detect target

26 Identifying and Dropping only DDoS Traffic/3 (same topology as slide 24)
1. Detect target
2. Activate: auto/manual

27 Identifying and Dropping only DDoS Traffic/4 (same topology as slide 24)
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic (route update: RHI internally, or BGP/other externally)

28 Identifying and Dropping only DDoS Traffic/5 (same topology as slide 24)
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic
4. Identify and filter malicious traffic (traffic destined to the target)

29 Identifying and Dropping only DDoS Traffic/6 (same topology as slide 24)
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic
4. Identify and filter malicious traffic (traffic destined to the target)
5. Forward legitimate traffic to the target

30 Identifying and Dropping only DDoS Traffic/7 (same topology as slide 24)
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic
4. Identify and filter malicious traffic (traffic destined to the target)
5. Forward legitimate traffic to the target
6. Non-targeted traffic flows freely

31 Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Pipeline: legitimate + attack traffic to the target -> Dynamic & Static Filters -> Active Verification -> Statistical Analysis -> Layer 7 Analysis -> Rate Limiting.
This view: detect anomalous behaviour & identify precise attack flows and sources.

32 Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Pipeline: legitimate + attack traffic to the target -> Dynamic & Static Filters -> Active Verification -> Statistical Analysis -> Layer 7 Analysis -> Rate Limiting.
This view: apply anti-spoofing to block malicious flows.

33 Anti-Spoofing Example – HTTP/TCP
Exchange between the client (SrcIP, port), the Guard and the victim:
1. Client -> Guard: SYN(c#)
2. Guard -> Client: SYNACK(c#', s#'), where s#' = hash-function(SrcIP, port, t)
3. Client -> Guard: ACK(c#, s#); the Guard checks that SrcIP, port# match the hash
4. Guard redirects (c#, s#) to the victim: SYN(c#'), request(c#', s#')
5. Victim -> Guard: SYNACK(c#, s#)
Only verified connections reach the victim.
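To make the handshake on this slide concrete, here is an added Python simulation of both sides (it is not Cisco's Guard implementation). The guard keeps no state per SYN: the SYNACK sequence number s#' is a keyed hash of (SrcIP, port, t), so only a client that really received the SYNACK can send the matching ACK, and only then does the guard open the real connection to the victim and remember the sequence offset needed to re-sequence later segments. The HMAC key, the 5-bit tick encoding, the two-tick validity window and all addresses and sequence numbers are constructed for the example.

```python
"""Anti-spoofing guard: stateless TCP handshake verification in front of a victim.

Added example, not Cisco's Guard implementation. Models the slide's exchange:
SYN(c#) -> SYNACK(c#', s#') with s#' = hash(SrcIP, port, t) -> ACK verified
by recomputing the hash -> real SYN/SYNACK/ACK between guard and victim.
"""
import hashlib
import hmac
import secrets

MASK = 0xFFFFFFFF


class Guard:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)      # constructed per-guard secret
        self.offsets = {}   # (src_ip, src_port) -> victim s# minus guard s#'

    def _cookie(self, src_ip, src_port, t):
        """s#' = hash(SrcIP, port, t): 5 bits of the tick on top, 27 bits of MAC below."""
        mac = hmac.new(self.key, f"{src_ip}:{src_port}:{t}".encode(), hashlib.sha256).digest()
        return ((t & 31) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port, client_seq, t):
        """SYN(c#) in, SYNACK(c#', s#') out. Nothing is stored, so a flood of
        spoofed SYNs costs the guard one hash each and no memory."""
        return {"seq": self._cookie(src_ip, src_port, t), "ack": (client_seq + 1) & MASK}

    def on_ack(self, src_ip, src_port, ack_num, t):
        """ACK in: accept only if it acknowledges a cookie issued for this source
        in tick t or t-1. A spoofed source never saw s#', so it cannot answer."""
        presented = (ack_num - 1) & MASK
        return any(self._cookie(src_ip, src_port, c) == presented for c in (t, t - 1) if c >= 0)

    def redirect(self, victim, src_ip, src_port, client_seq, s_prime):
        """Verified client: open the real connection with SYN(c#') to the victim,
        take its SYNACK(., s#), and keep s# - s#' to re-sequence later segments."""
        c_prime = secrets.randbits(32)
        synack = victim.on_syn((src_ip, src_port), c_prime)
        victim.on_ack((src_ip, src_port), (synack["seq"] + 1) & MASK)
        self.offsets[(src_ip, src_port)] = (synack["seq"] - s_prime) & MASK

    def translate_ack(self, src_ip, src_port, client_ack):
        """Map the client's ACK (relative to s#') into the victim's s# space."""
        return (client_ack + self.offsets[(src_ip, src_port)]) & MASK


class Victim:
    """Minimal server that counts every SYN it has to process."""
    def __init__(self):
        self.syns_seen = 0
        self.established = set()

    def on_syn(self, peer, seq):
        self.syns_seen += 1
        return {"seq": secrets.randbits(32), "ack": (seq + 1) & MASK}

    def on_ack(self, peer, ack):
        self.established.add(peer)


def run_scenario():
    guard, victim, t = Guard(), Victim(), 100
    # 1. 50 SYNs with forged sources: the SYNACKs go to hosts that never asked,
    #    so no ACK comes back and the victim never sees a SYN.
    for i in range(1, 51):
        guard.on_syn(f"192.0.2.{i}", 40000 + i, secrets.randbits(32), t)
    # 2. an ACK with a guessed cookie for one of those sources is rejected
    forged_ok = guard.on_ack("192.0.2.1", 40001, secrets.randbits(32), t)
    # 3. a real client completes the handshake and is forwarded to the victim
    c = 123456
    synack = guard.on_syn("198.51.100.9", 51515, c, t)
    legit_ok = guard.on_ack("198.51.100.9", 51515, (synack["seq"] + 1) & MASK, t + 1)
    if legit_ok:
        guard.redirect(victim, "198.51.100.9", 51515, c, synack["seq"])
    return {"forged_ack_accepted": forged_ok, "legit_verified": legit_ok,
            "victim_syns": victim.syns_seen, "victim_established": len(victim.established)}


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is the asymmetry: fifty spoofed SYNs leave no state behind and never reach the victim, while the one genuine client costs one extra round trip and then a fixed sequence-number offset for the life of the connection.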

34 Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Pipeline: Dynamic & Static Filters -> Active Verification -> Statistical Analysis -> Layer 7 Analysis -> Rate Limiting -> legitimate traffic.
This view: dynamically insert specific filters to block attack flows & sources; apply rate limits.

35 Measured Response (state machine)
- Detection: passive copy of traffic monitored.
- Analysis (on "Attack Detected"): diversion for more granular in-line analysis; flex filters, static filters and bypass in operation; all flows forwarded but analysed for anomalies.
- Basic Protection (on "Anomaly Identified"): basic anti-spoofing applied; analysis for continuing anomalies.
- Strong Protection (on "Anomaly Verified"): strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources.
- Learning: periodic observation of patterns to update baseline profiles.

36 Agenda (current section: Protecting the Infrastructure)
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

37 Three Planes: Definition
A device typically consists of:
- Data/forwarding plane: the useful traffic (hardware)
- Control plane: routing protocols, ARP, ... (software)
- Management plane: SSH, SNMP, ... (software)
In these slides "Control Plane" refers to all the control/management plane traffic destined to the device.

38 Control Plane Overrun
Loss of protocol keep-alives:
– lines go down
– route flaps
– major network transitions
Loss of routing protocol updates:
– route flaps
– major network transitions
Near 100% CPU utilisation:
– can prevent other high-priority tasks from running

39 Need for Control Plane Policing
- Classify all control plane traffic into multiple classes
- Each class is capped to a certain amount
- Fair share for each class, or for each source within each class
=> one class cannot overflow the others
=> even an ICMP flood to the router won't affect routing
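The following added Python models what slides 38 and 39 describe (it is not Cisco's CoPP implementation or an IOS configuration): each class of traffic punted to the router CPU gets its own token bucket, and the same synthetic one-second stream is run against a single shared CPU budget for comparison. The class list, the rates and bursts, the CPU budget of 1000 pkt/s and the packet stream (10,000 ICMP echo requests with BGP keepalives and OSPF hellos interleaved) are all constructed assumptions.

```python
"""Control plane policing as per-class token buckets.

Added example, not Cisco's CoPP implementation. Classes, rates and the packet
stream are constructed; the comparison shows a class-capped control plane
keeping routing alive under an ICMP flood while a shared CPU budget does not.
"""


class TokenBucket:
    """Classic token bucket: rate tokens per second, at most burst stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def is_routing(p):
    return p["proto"] == "ospf" or (p["proto"] == "tcp" and p.get("dport") == 179)


# (class name, match predicate, rate in pkt/s, burst); first match wins. Assumed values.
CLASSES = [
    ("routing", is_routing, 500, 200),
    ("management", lambda p: p["proto"] == "tcp" and p.get("dport") == 22, 100, 50),
    ("icmp", lambda p: p["proto"] == "icmp", 50, 20),
    ("default", lambda p: True, 100, 50),
]


class ControlPlanePolicer:
    """Every packet punted to the CPU is classified and policed by its class's
    bucket. With a shared bucket all classes draw from one pool, which models
    an unpoliced CPU that serves packets first come, first served."""
    def __init__(self, classes=CLASSES, shared=None):
        self.classes = [(name, match, TokenBucket(rate, burst))
                        for name, match, rate, burst in classes]
        self.shared = shared
        self.stats = {name: {"passed": 0, "dropped": 0} for name, *_ in classes}

    def classify(self, pkt):
        return next((name, bucket) for name, match, bucket in self.classes if match(pkt))

    def process(self, pkt, now):
        name, bucket = self.classify(pkt)
        verdict = (self.shared or bucket).allow(now)
        self.stats[name]["passed" if verdict else "dropped"] += 1
        return verdict


def build_stream():
    """Constructed one-second capture: 10,000 ICMP echo requests to the router
    at a steady 10,000 pkt/s, with 20 BGP keepalives and 5 OSPF hellos between them."""
    stream = [(i / 10000, {"proto": "icmp", "src": f"192.0.2.{i % 250 + 1}"}) for i in range(10000)]
    stream += [(0.5 + j * 0.01 + 0.00005, {"proto": "tcp", "dport": 179, "src": "10.0.0.2"}) for j in range(20)]
    stream += [(0.3 + j * 0.1 + 0.00005, {"proto": "ospf", "src": "10.0.0.3"}) for j in range(5)]
    return sorted(stream, key=lambda e: e[0])


def run_scenario():
    policed = ControlPlanePolicer()
    # assumed CPU capacity of ~1000 punted packets per second, no classes
    unpoliced = ControlPlanePolicer(shared=TokenBucket(1000, 1000))
    for now, pkt in build_stream():
        policed.process(pkt, now)
        unpoliced.process(pkt, now)
    return {"policed": policed.stats, "unpoliced": unpoliced.stats}


if __name__ == "__main__":
    for mode, stats in run_scenario().items():
        print(mode, stats)
```

With per-class buckets every keepalive and hello passes and ICMP is held to its 50 pkt/s plus burst; with the shared budget the flood consumes the CPU's tokens continuously and the routing packets arriving behind it are dropped, which is the keep-alive loss and route flapping of slide 38.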

40 Q and A
