Protection On-Demand: Ensuring Resource Availability. Dan Touitou, Cisco Systems, Infrastructure Security, 3/04. © 2004 Cisco Systems, Inc. All rights reserved.

Presentation transcript:


Slide 2: Agenda
- The growing DDoS challenge
- Existing solutions
- Our approach
- Technical overview

Slide 3: How do DDoS attacks start?
Diagram: attacker, DNS, and innocent PCs and servers that are compromised and turned into 'zombies'.

Slide 4: The effects of DDoS attacks
- Server-level DDoS attacks
- Bandwidth-level DDoS attacks
- DNS infrastructure-level DDoS attacks
Attack zombies are massively distributed, spoof their source IP, and use valid protocols.

Slide 5: Attacks, examples
- SYN attack: a huge number of crafted, spoofed TCP SYN packets fills up the server's connection (backlog) queue; result: denial of TCP service.
- HTTP attacks: the attackers send a large volume of "legitimate" HTTP requests from non-spoofed sources, which exhausts the server rather than the network.

Slide 6: Attack evolution: stronger and more widespread
Two scaling dimensions: scale of attacks and sophistication of attacks.
- Past: non-essential protocols (e.g. ICMP); 100s of sources; 10Ks of packets/sec
- Present: essential protocols; spoofed sources; 10Ks of zombies; 100Ks of packets/sec
- Emerging: compound and morphing attacks; 100Ks of zombies; million+ packets/sec

Slide 7: Existing solutions

Slide 8: SYN cookies, how it works (Source, Guard, Target)
- Source -> Guard: syn(isn#)
- Guard -> Source: synack(cky#, isn#+1) with window size WS=0. This is the stateless part: cky# is computed from the connection parameters, nothing is stored, and the zero window keeps the client from sending data yet.
- Source -> Guard: ack(cky#+1). A correct cookie proves the source address really received the SYN-ACK; state is created only for such authenticated connections.
- Guard -> Target: syn(isn#)
- Target -> Guard: synack(isn'#, isn#+1)
- Guard -> Target: ack(isn'#+1)
- Guard -> Source: window reopened (WS<>0). From here on the Guard performs sequence-number adaptation: the source acknowledges against cky#, the target sends from isn'#, and the Guard rewrites between the two on every segment.
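The handshake above as runnable code, an added example that is not the Guard's code: the slide does not give the cookie algorithm, so the format here (8 bits of time slot plus a 24-bit HMAC over the 4-tuple and the client's ISN) and the secret, slot length and maximum age are assumptions. The target's stack is simulated by a callable that returns isn'; the point being shown is that a SYN flood creates no state, a forged or stale ACK is dropped, and a real client ends up with a delta that maps its ACKs into the target's sequence space.

```python
import hashlib
import hmac

# Assumptions (not from the slides): a per-Guard secret, 16-second time slots,
# and cookies accepted for at most two slots. These are example parameters.
SECRET = b"constructed-guard-secret"
SLOT_SECONDS = 16
MAX_SLOT_AGE = 2
MASK32 = 0xFFFFFFFF


def _cookie_hash(src, dst, client_isn, slot):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{client_isn}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, client_isn, now):
    """ISN for the Guard's SYN-ACK: 8 bits of time slot + 24 bits of hash.
    Everything needed to verify it later is recomputable, so nothing is stored."""
    slot = (now // SLOT_SECONDS) & 0xFF
    return (slot << 24) | int.from_bytes(_cookie_hash(src, dst, client_isn, slot), "big")


def check_cookie(src, dst, client_isn, ack, now):
    """True if ack == cookie+1 for a cookie minted in a recent slot."""
    cookie = (ack - 1) & MASK32
    slot = cookie >> 24
    if ((now // SLOT_SECONDS) - slot) & 0xFF > MAX_SLOT_AGE:
        return False  # stale cookie, or a replayed ACK
    expected = _cookie_hash(src, dst, client_isn, slot)
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))


class SynCookieGuard:
    """Stateless SYN handling plus sequence-number adaptation for proxied connections."""

    def __init__(self, target_isn_source):
        self.conns = {}                        # (src, dst) -> delta; authenticated clients only
        self._target_isn = target_isn_source   # simulated target stack, returns isn'

    def on_syn(self, src, dst, client_isn, now):
        # SYN-ACK: seq = cookie, ack = isn+1, window 0 so the client holds its data.
        cookie = make_cookie(src, dst, client_isn, now)
        return {"seq": cookie, "ack": (client_isn + 1) & MASK32, "window": 0}

    def on_ack(self, src, dst, seq, ack, now):
        client_isn = (seq - 1) & MASK32
        if not check_cookie(src, dst, client_isn, ack, now):
            return None                        # spoofed, forged or stale: drop, still no state
        cookie = (ack - 1) & MASK32
        # Client authenticated: the Guard runs the real handshake with the target
        # using the client's ISN and learns the target's ISN isn'.
        target_isn = self._target_isn()
        self.conns[(src, dst)] = (target_isn - cookie) & MASK32
        # Window update reopens the client's window; data can flow from here.
        return {"seq": (cookie + 1) & MASK32, "ack": (client_isn + 1) & MASK32, "window": 65535}

    def ack_to_target(self, src, dst, ack):
        """Client ACKs count from the cookie; shift them into the target's sequence space."""
        return (ack + self.conns[(src, dst)]) & MASK32

    def seq_to_client(self, src, dst, seq):
        """Target sequence numbers are shifted back so the client sees the cookie space."""
        return (seq - self.conns[(src, dst)]) & MASK32


def demo():
    """Constructed scenario: a flood of spoofed SYNs followed by one real client."""
    target_isn = 0x7A5B3C1D
    guard = SynCookieGuard(lambda: target_isn)
    target = ("203.0.113.10", 80)
    now = 1000
    for i in range(10_000):                    # spoofed SYNs that are never ACKed
        guard.on_syn((f"10.0.{i >> 8}.{i & 0xFF}", 1024 + i), target, i, now)
    state_after_flood = len(guard.conns)

    client, client_isn = ("198.51.100.7", 40000), 1000
    synack = guard.on_syn(client, target, client_isn, now)
    good_ack = (synack["seq"] + 1) & MASK32
    forged = guard.on_ack(client, target, client_isn + 1, good_ack ^ 0x1, now + 5)
    stale = guard.on_ack(client, target, client_isn + 1, good_ack, now + 100)
    reply = guard.on_ack(client, target, client_isn + 1, good_ack, now + 5)
    return {
        "state_after_flood": state_after_flood,
        "forged_rejected": forged is None,
        "stale_rejected": stale is None,
        "window_reopened": reply["window"] > 0,
        "state_after_client": len(guard.conns),
        "first_ack_at_target": guard.ack_to_target(client, target, good_ack),
        "target_isn_plus_one": (target_isn + 1) & MASK32,
        "target_seq_seen_by_client": guard.seq_to_client(client, target, target_isn + 1),
        "cookie_plus_one": good_ack,
    }
```

The time slot in the top byte is what bounds replay: an attacker who records a valid ACK can only reuse it for MAX_SLOT_AGE slots, and since the hash covers the source address, a recorded cookie is useless from any other address.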

Slide 9: Blackholing
Diagram: Server1 and VictimServer behind routers R1 to R5, with a FE peering link (link capacities 100 and 1000). Blackholing the victim's address at the routers stops the flood from reaching the network, but it equals disconnecting the customer: the attacker's goal is achieved.

Slide 10: At the edge (firewall/IPS)
Same diagram, with mitigation at the customer edge. Drawbacks: easy to choke (the full attack volume reaches the edge device and its links); single point of failure; not scalable.

Slide 11: At the backbone
Same diagram, with mitigation in the backbone. Drawbacks: throughput (all backbone traffic must be inspected); single point of failure; not scalable.

Slide 12: Cisco solution

Slide 13: Dynamic diversion architecture
Components: Guard XT, the target, the non-targeted servers, and a Detector XT (or Cisco IDS, Arbor Peakflow).
1. Detect: the detector raises an alert for the target.
2. Activate the Guard, automatically or manually.
3. Divert only the target's traffic to the Guard, via a BGP announcement.

Slide 14: Dynamic diversion architecture (continued)
4. Identify and filter the malicious traffic destined to the target.
5. Forward the legitimate traffic to the target.
6. Traffic to the non-targeted servers flows freely; it is never diverted.

Slide 15: Technical overview
- Diversion/injection
- Anti-spoofing
- Anomaly detection
- Performance issues

Slide 16: Diversion
How to "steal" traffic without creating loops?

Slide 17: Diversion, one example: L3 next hop
- BGP diversion: the Guard announces a longer (more specific) prefix covering the target, tagged with the no-export and no-advertise communities, so the diverting router prefers the Guard by longest-prefix match and does not pass the announcement to any other router.
- Injection: the Guard sends the cleaned traffic directly to the next L3 device toward the target, so it never re-enters the diverting router's lookup (which would send it back to the Guard).

Slide 18: Diversion, L3 next hop application
Diagram: ISP 1 and ISP 2, router, switch, firewall, internal network (DNS servers; web, chat and other servers). The Guard XT hangs off a GEthernet switch port next to the router; a Riverhead Detector XT watches the internal network and raises an alert for the target; a web console manages both.

Slide 19: Diversion, one example: injecting with tunnels
- BGP diversion: as before, the Guard announces a longer prefix with the no-export and no-advertise communities.
- Injection: the cleaned traffic is sent directly to the next L3 device through a tunnel, which lets the Guard sit several hops away from the target without the intermediate routers looping it back.

Slide 20: Diversion, one example: long-distance diversion (diagram only)
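Slides 17 and 19 describe diversion and injection in words; the following is an added example (not Cisco's or Riverhead's code) that models them with a longest-prefix-match forwarding table per router. The topology, the address 203.0.113.0/24 and the router names R1 and CE are constructed. It shows that the Guard's /32 pulls only the target's traffic, that the no-export and no-advertise communities keep the /32 off every peer, and that a Guard which returns cleaned traffic to the diverting router's routing (instead of injecting it at the next L3 device) produces the loop the slides warn about.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    communities: frozenset = frozenset()


class Router:
    def __init__(self, name):
        self.name = name
        self.rib = []

    def install(self, prefix, next_hop, communities=()):
        self.rib.append(Route(ipaddress.ip_network(prefix), next_hop, frozenset(communities)))

    def lookup(self, dst):
        """Longest-prefix match, as the forwarding plane does it."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.rib if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def would_advertise(self, route, peer_kind):
        """Well-known communities: no-advertise suppresses the route to every peer,
        no-export suppresses it to eBGP peers (it stays inside the AS)."""
        if "no-advertise" in route.communities:
            return False
        if "no-export" in route.communities and peer_kind == "ebgp":
            return False
        return True


def trace(routers, start, dst, max_hops=8):
    """Follow next hops from `start`; names not in `routers` are hosts (delivery)."""
    path = [start]
    node = start
    while node in routers:
        route = routers[node].lookup(dst)
        if route is None:
            return path, "no-route"
        node = route.next_hop
        path.append(node)
        if path.count(node) > 1 or len(path) > max_hops:
            return path, "loop"
    return path, "delivered"


TARGET, OTHER = "203.0.113.10", "203.0.113.20"   # constructed customer addresses


def build(divert, inject_direct):
    r1 = Router("R1")                    # ISP edge router that peers with the Guard
    r1.install("203.0.113.0/24", "CE")   # customer prefix normally goes straight to the customer edge
    r1.install("0.0.0.0/0", "peering")
    ce = Router("CE")
    ce.install("203.0.113.10/32", "target")
    ce.install("203.0.113.20/32", "server1")
    guard = Router("Guard")
    if inject_direct:
        guard.install("203.0.113.0/24", "CE")   # injection: hand cleaned traffic to the next L3 device
    else:
        guard.install("0.0.0.0/0", "R1")        # mistake: return cleaned traffic to R1's routing
    diverted = None
    if divert:
        # Diversion: the Guard announces a longer prefix for the target only,
        # tagged so R1 neither exports it upstream nor re-advertises it anywhere.
        diverted = Route(ipaddress.ip_network(TARGET + "/32"), "Guard",
                         frozenset({"no-export", "no-advertise"}))
        r1.rib.append(diverted)
    return {"R1": r1, "CE": ce, "Guard": guard}, diverted


def simulate():
    normal, _ = build(divert=False, inject_direct=True)
    diverted, route = build(divert=True, inject_direct=True)
    looping, _ = build(divert=True, inject_direct=False)
    return {
        "before_target": trace(normal, "R1", TARGET),
        "after_target": trace(diverted, "R1", TARGET),
        "after_other": trace(diverted, "R1", OTHER),
        "leaks_upstream": diverted["R1"].would_advertise(route, "ebgp"),
        "leaks_ibgp": diverted["R1"].would_advertise(route, "ibgp"),
        "bad_injection": trace(looping, "R1", TARGET),
    }
```

In the tunnel variant of slide 19 the Guard's injection route points at a tunnel interface instead of a directly connected next hop, but the forwarding logic is the same: the cleaned packet must reach a router whose best match for the target is not the Guard.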

Slide 21: Filtering bad traffic
- Anti-spoofing
- Anomaly detection
- Performance

Slide 22: Guard architecture, high level
Data plane: rate limiter, sampler, flex filter, bypass filter, classifier (static and dynamic filters), anti-spoofing modules. Outputs: dropped packets and anti-spoofing (AS) replies sent back to sources.
Control and analysis plane: analysis (basic and strong), anomaly recognition engine, table of connections and authenticated clients, policy database, insertion of filters into the classifier, management.

Slide 23: Anti-spoofing
Unidirectional: only traffic toward the target is diverted, so the Guard never sees the target's replies and must authenticate each source from the one direction it does see.

Slide 24: Anti-spoofing defense, one example: HTTP (Source, Guard, Target)
Anti-spoofing runs only when under attack; the source is authenticated on its initial query and subsequent queries are verified.
1. SYN cookie algorithm: syn(isn#) from the source; synack(cky#, isn#+1) from the Guard; ack(isn#+1, cky#+1) from the source.
2. Redirect request: the source sends GET uri; the Guard answers with a redirect to the same URI.
3. Close connection: fin.
A client that completed the handshake and follows the redirect is authenticated; its next connection is passed through to the target.

Slide 25: RST cookies, how it works (Source, Guard, Target)
- Source -> Guard: syn(isn#)
- Guard -> Source: ack(cky#), a bare ACK carrying the cookie as acknowledgement number instead of a SYN-ACK
- Source -> Guard: rst(cky#). A real TCP stack answers an ACK for a connection it does not have with an RST whose sequence number echoes the acknowledgement number, so the returned cookie proves the address; a spoofed source never sees the ACK and sends nothing. Client authenticated.
- Source -> Target: the source's retransmitted syn(isn#) is now forwarded to the target, which completes the handshake itself (no sequence-number adaptation is needed, at the cost of one retransmission timeout).

Slide 26: Anti-spoofing defense, one example: DNS client-resolver (over UDP) (Client, Guard, Target)
Anti-spoofing runs only when under attack; the source is authenticated on its initial query and subsequent queries are verified.
- Client -> Guard: ab.com request, UDP/53
- Guard -> Client: ab.com reply with TC=1 (truncated), answered by the Guard in place of the target
- Client -> Guard: syn / synack / ack (TCP handshake with the Guard), then ab.com request over TCP/53; the completed handshake proves the address (authenticated IP), the query is forwarded and the reply returned
- Client -> Guard: ab.com request, UDP/53; further UDP queries from an authenticated IP are forwarded and their replies returned
- Repeated IP, UDP: the slide also shows a repeated UDP query from the same IP leading to authenticated IP (a real resolver retries a query that received no answer).
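The DNS exchange above as code, an added example and not the Guard's implementation: a minimal DNS header builder and parser, a TC=1 reply, and the authentication state the Guard keeps per source. The "repeated UDP query" path is included as I read the slide (second query for the same name from the same address authenticates it); note that it is weaker than the TCP path, since an attacker who sends every spoofed query twice passes it, which is why the TC=1 forcing to TCP is the primary check. Addresses and query names are constructed.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100


def build_query(qid, qname, qtype=1):
    """Minimal DNS query (one question, class IN) for constructing test traffic."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (id, flags, qname) from the header and the first question."""
    qid, flags = struct.unpack("!HH", msg[:4])
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return qid, flags, ".".join(labels)


def truncated_reply(query):
    """Echo the question with QR=1 and TC=1 and no records: a real resolver retries over TCP."""
    qid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", qid, flags | QR | TC) + query[4:]


class DnsGuard:
    def __init__(self, under_attack=True):
        self.under_attack = under_attack
        self.authenticated = set()   # source IPs proven to be real
        self.seen_udp = {}           # (src_ip, qname) -> UDP sightings while unauthenticated
        self.forwarded = []          # (transport, src_ip, qname) passed on to the target

    def on_udp_query(self, src_ip, msg):
        _, _, qname = parse_question(msg)
        if not self.under_attack or src_ip in self.authenticated:
            self.forwarded.append(("udp", src_ip, qname))
            return "forward", None
        # A repeated query for the same name from the same address is the retry
        # behaviour of a real resolver (the "repeated IP, UDP" path on the slide).
        key = (src_ip, qname)
        self.seen_udp[key] = self.seen_udp.get(key, 0) + 1
        if self.seen_udp[key] >= 2:
            self.authenticated.add(src_ip)
            self.forwarded.append(("udp", src_ip, qname))
            return "forward", None
        return "reply", truncated_reply(msg)   # answered by the Guard, target never sees it

    def on_tcp_query(self, src_ip, msg):
        """Reaching here means the TCP handshake completed, so src_ip is not spoofed."""
        _, _, qname = parse_question(msg)
        self.authenticated.add(src_ip)
        self.forwarded.append(("tcp", src_ip, qname))
        return "forward", None


def demo():
    """Constructed traffic: a spoofed burst, a resolver that honours TC=1, and one that retries."""
    guard = DnsGuard(under_attack=True)
    q = build_query(0x1234, "ab.com")
    spoofed = [guard.on_udp_query(f"10.9.{i // 256}.{i % 256}", q) for i in range(1000)]
    action, reply = guard.on_udp_query("198.51.100.53", q)       # honest resolver, first try
    rid, rflags, rname = parse_question(reply)
    guard.on_tcp_query("198.51.100.53", q)                         # it retries over TCP
    second_udp = guard.on_udp_query("198.51.100.53", build_query(0x1235, "www.ab.com"))[0]
    retry = [guard.on_udp_query("192.0.2.77", q)[0] for _ in range(2)]  # resolver that resends over UDP
    return {
        "spoofed_forwarded": sum(1 for a, _ in spoofed if a == "forward"),
        "first_action": action,
        "tc_reply_ok": rid == 0x1234 and (rflags & (QR | TC)) == (QR | TC) and rname == "ab.com",
        "udp_after_tcp": second_udp,
        "retry_actions": retry,
        "forwarded": guard.forwarded,
    }
```

The thousand spoofed queries cost the Guard only the TC=1 replies it generates; the target receives nothing until a source has proven itself, which is the whole point of answering on the target's behalf.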

Slide 27: Anomaly detection against non-spoofed attacks
- Extensive profiling: hundreds of anomaly sensors per victim, for the global view, proxies, discovered top sources, the typical source, and so on.
- Auto discovery and profiling of services.
- Automatically detects HTTP proxies and maintains specific profiles for them.
- Learns individual profiles for top sources, separate from the composite profile.
- Depth of profiles: PPS rates; ratios, e.g. SYNs to FINs; connection counts by status; protocol validity, e.g. of DNS queries.
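An added example of the profiling described on this slide, written here and not taken from the Guard: a per-sensor baseline (PPS rate, SYN:FIN ratio, invalid-DNS ratio) learned over quiet windows, kept separately for the victim as a whole, for each discovered top source (a proxy), and for the typical source. The threshold rule (mean plus three standard deviations, with a minimum 1.5x headroom), the 10% top-source share and all traffic counters are constructed assumptions; the slides only say which quantities are profiled, not how thresholds are set.

```python
from collections import defaultdict
from statistics import mean, pstdev


def sensors(window):
    """Sensors derived from one measurement window of traffic toward the victim."""
    return {
        "pps": window["packets"] / window["seconds"],
        "syn_fin_ratio": window["syn"] / max(window["fin"], 1),
        "dns_invalid_ratio": window.get("dns_invalid", 0) / max(window.get("dns_queries", 0), 1),
    }


class Profile:
    """Baseline of each sensor; threshold = mean + k*stddev with a minimum headroom."""

    def __init__(self, k=3.0, headroom=1.5):
        self.k, self.headroom = k, headroom
        self.samples = defaultdict(list)

    def learn(self, window):
        for name, value in sensors(window).items():
            self.samples[name].append(value)

    def threshold(self, name):
        s = self.samples[name]
        return max(mean(s) + self.k * pstdev(s), self.headroom * mean(s))

    def anomalies(self, window):
        return [(name, round(value, 2), round(self.threshold(name), 2))
                for name, value in sensors(window).items() if value > self.threshold(name)]


class VictimProfiles:
    """Composite profile for the victim, one profile per top source (e.g. a proxy),
    and a 'typical source' profile for everybody else."""

    def __init__(self, top_share=0.10):
        self.top_share = top_share
        self.composite, self.typical = Profile(), Profile()
        self.per_source = {}
        self._totals = defaultdict(int)

    def learn(self, total, per_source):
        self.composite.learn(total)
        for src, w in per_source.items():
            self._totals[src] += w["packets"]
        all_packets = sum(self._totals.values())
        top = {s for s, p in self._totals.items() if p >= self.top_share * all_packets}
        for src, w in per_source.items():
            if src in top:      # discovered top source gets its own profile
                self.per_source.setdefault(src, Profile()).learn(w)
            else:
                self.typical.learn(w)

    def check(self, total, per_source):
        findings = {"victim": self.composite.anomalies(total)}
        for src, w in per_source.items():
            findings[src] = self.per_source.get(src, self.typical).anomalies(w)
        return findings


def demo():
    """Constructed quiet hours (24 one-minute windows), then one attack window."""
    v = VictimProfiles()
    for i in range(24):
        jitter = (i % 5) * 0.02
        total = {"seconds": 60, "packets": int(60_000 * (1 + jitter)), "syn": 3000 + 20 * i, "fin": 2900 + 20 * i}
        per_source = {
            "10.1.1.1": {"seconds": 60, "packets": int(18_000 * (1 + jitter)), "syn": 900, "fin": 880},  # busy proxy
            f"192.0.2.{i + 1}": {"seconds": 60, "packets": 300 + 10 * (i % 3), "syn": 15, "fin": 14},  # ordinary client
        }
        v.learn(total, per_source)
    attack_total = {"seconds": 60, "packets": 3_000_000, "syn": 2_400_000, "fin": 200}
    attack_sources = {
        "10.1.1.1": {"seconds": 60, "packets": 18_500, "syn": 910, "fin": 890},      # proxy still normal
        "192.0.2.200": {"seconds": 60, "packets": 30_000, "syn": 30_000, "fin": 0},  # non-spoofed zombie
    }
    return v.check(attack_total, attack_sources)
```

The separate proxy profile is what keeps a legitimately busy source from being flagged when the composite profile trips; without it, the 18,500 packets from 10.1.1.1 would look like an attacker next to the typical client's 300.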

Slide 28: Performance
Wire speed is the requirement: GigE = 1.48 million packets/sec at minimum-size (64-byte) frames. To get there: avoid copying; avoid interrupts and system calls; limit the number of memory accesses per packet; the PCI bus is a bottleneck, hence a DDoS NIC accelerator.

Slide 29: Cosmo board
- Replaces the NIC
- Handles the data path
- Based on the Broadcom BCM1250 integrated processor

Slide 30: BCM1250 budget
About 500 cycles per packet, and a memory access costs about 90 cycles, so roughly five cache misses exhaust the per-packet budget.

Slide 31: More performance: clustering
Diagram: ISP upstream -> load-leveling router -> mitigation cluster of Riverhead Guards -> customer switches.

Slide 32: Comments? Thank you!