FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering.

Slides:

Advertisements

Similar presentations

NETFLOW & NETWORK-BASED APPLICATION RECOGNITION

Advertisements

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

A Broadband Network Management Practice: KT Internet

All rights reserved © 2006, Alcatel Grid Standardization & ETSI (May 2006) B. Berde, Alcatel R & I.

MPLS-based traffic shunt Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept

Experience in fighting DDoS attacks Nicolas FISCHBACH Senior Manager - Network Engineering/Security SwiNOG-9.

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Secure Network Infrastructure.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point DDoS Protector June 2012.

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.

CanSecWest/core07 NGN – Next Generation Nightmare ? What telco 2.0 really means Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom.

Firewalls and Intrusion Detection Systems

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

15-441: Computer Networking Lecture 26: Networking Future.

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )

Version 3.0 DEFCON 10 August 2002 Anatomy of Denial of Service Mitigation Testing.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Arbor Multi-Layer Cloud DDoS Protection

Broadband Network By Lav Gupta, BSNL Introduction  Operators need long-term revenue streams  Must have convergent networks to offer voice, data, and.

DDoS Protection, An Inside Look The 3 main types of attacks Will I be victim ? Why Us ? The Top 3 Misconceptions Fact vs Fiction A Realistic Defense.

Putting the Tools to Work – DDOS Attack 111. DDOS = SLA Violation! ISPCPETarget Hacker What do you tell the Boss? SP’s Operations Teams have found that.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Anomaly Detection and Mitigation. Outline DoS and DDoS Anomaly Detection and Mitigation Systems Cisco DDoS Anomaly Detection and Mitigation Solutions.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

ISSA Nashville Chapter, May 17 th 2013 Alexander Karstens Senior Systems Engineer IXIA Communications Preparing your organization for DDoS.

TUNDRA The Ultimate Netflow Data Realtime Analysis Jeffrey Papen Yahoo! Inc.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

FIREWALL Mạng máy tính nâng cao-V1.

Connect. Communicate. Collaborate A Network Security Service for GÉANT2 (and beyond….) Maurizio Molina, DANTE TNC 08, Brugges, 20 th May 2008.

Applications of MPLS in GEANT Agnès Pouélé Applications of MPLS in GÉANT MPLS WORLD CONGRESS 2002 Paris 7th February 2002 Agnes.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Distributed Denial of Service Attacks Dennis Galinsky, Brandon Mikelaitis, Michael Stanley Brandon Williams, Ryan Williams.

Connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina.

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.

Hack.LU 2006 In SPace Nobody Can Hear You Scream Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom -

Denial of Service Bryan Oemler Web Enhanced Information Management March 22 nd, 2011.

Happy Network Administrators  Happy Packets  Happy Users WIRED Position Statement Aman Shaikh AT&T Labs – Research October 16,

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 DDoS, Worms and.

Using Measurement Data to Construct a Network-Wide View Jennifer Rexford AT&T Labs—Research Florham Park, NJ

--Harish Reddy Vemula Distributed Denial of Service.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

INDIANAUNIVERSITYINDIANAUNIVERSITY 23rd APAN Meeting Manila, Philippines January REN-ISAC and Peakflow SP John Hicks Indiana University TransPAC2.

DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.

MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

© 2004 AARNet Pty Ltd Measurement in aarnet3 4 July 2004.

Distributed Denial of Service Attacks

Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.

Design and implementation of SIP-aware DDoS attack detection system By: Arif Iqbal.

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Internet Security Trends LACNOG 2011 Julio Arruda LATAM Engineering Manager.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon

Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS Joint Techs Winter 2006 Albuquerque Doug Pearson.

IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.

Juniper Networks Mobile Security Solution Nosipho Masilela COSC 356.

Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.

Application Protocol - Network Link Utilization Capability: Identify network usage by aggregating application protocol traffic as collected by a traffic.

Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.

Global One Communications

Presentation transcript:

FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom -

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20062 > ~4 months anomalies detected 5302 High (“displayed”) Medium 1147 Low > Per day ~40 anomalies make it to the “Security” screen in the NMC/NOC Some are duplicates for the same attack, some are false positives, etc. Overall 20 “real attacks” a day… A third of them are probably “business affecting” from the customer's point of view Some DDoS statistics : 1 year ago

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20063 > Sep/28: Eat this kPPS of TCP SYNs Really distributed… 80/TCP > Sep/6: Nearly 1MPPS Some DDoS statistics : 1 year ago

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20064 > Aug/13: Eat this... Nearly 3Gb/s of traffic Mainly from America/AP 0/UDP Some DDoS statistics : 1 year ago

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20065 > Jul/10: Let’s try over different peering points Some DDoS statistics : 1 year ago

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20066 > Why care ? > I'm or even better, I provide capacity to large NRENs > I'm running a 10Gb/s core, so [censored] should I bother... > Well... Some DDoS statistics : today

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20067 > Largest DDoS attacks: 14M and 22MPPS Confirmed: 9MPPS seen by one Tier1 transit Towards hosting/customer, not infrastructure (except when collateral damage) > Most attacks in the 1-4Gb/s range (17Gb/s seen) > Good old TCP SYN, ICMP and UDP floods > Good old targets: IRC, adult, gam(bl)ing, etc. > Target : customer access link and DNS servers (at the same time) Some DDoS statistics : today Source: Danny McPherson/Arbor, H2'05 survey

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20068 > Most botnets pretty small (in the hundreds or thousands) > Some really large (100K+, xM+) > Most common C&C is still IRC > But some experiments with alternative methods seen (web-based, P2P, some form of encryption and obfuscation) > Pretty well organized > Quite some firepower : but DDoS is only for “fun”, the real activities are for “profit” Trends in botnets

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20069 > Arbor Peakflow DoS + Riverhead-now-Cisco Guard deployed since 2002 > Edge (peering/transit) sourced Netflow (1/100) > MPLS-based traffic diversion to regional Guards > Dedicated Guards in NYC to protect US/int'l links > Part of a global security project MPLS core hiding WRED/Engine QoS CoPP t/i/rACLs OneTACACS, OneSyslog, etc > 24x7 or on-demand protection DDoS detection and mitigation

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC > Security features across HW and SW platforms > IP routing moving closer to the CPEs (IP DSLAMs, MSPs) > Netflow accounting and CAPEX-scalability for access layer > Botnet detection vs telco license requirements (and EU regulations – 13+ countries) > How to enforce the AUP > Customers Who think DDoS protection == “hacker” protection Who aren't willing to understand that there's no magic solution > EU Data Retention Act > How to protect the VoIP infrastructure Challenges

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC > Detection Most common : customer call ;-) Hop-by-hop traceback is so “old school” SNMP polling too (and not very effective either) Netflow DDoS detection and mitigation

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC DDoS detection : Netflow Edge Access Router “types” NOC tr ccr ar tr ppr ixpr (Sampled) Netflow Aggregated Netflow Flows (SNMP) Alerts collector controller

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC Netflow vs DPI internet host ircd/p2p malware (ddos agent/ zombie) dns attack peering edge Deep Packet Inspection Sampled Netflow access layer core

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC > Mitigation Most common : BGP-based destination blackhole ACLs Not a fan Quite some Tier1 use it Depends heavily on your network structure and HW/SW capabilities BGP-based source blackhole Diversion for scrubbing DDoS detection and mitigation

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC > Regional deployment, linked via GE to the Core and BGP sessions to Edge routers IP anycast-like engineering Traffic diversion using MPLS LSPs (the scrubber doesn’t have to speak MPLS) LSP from Edge to DCR (Directly Connected Router) DCR doesn’t perform a routing lookup and “sends” the IP packet to the scrubber (penultimate hop) DDoS mitigation : traffic diversion

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC DDoS mitigation : traffic diversion Edge Access Router “types” “Attack” traffic “Good” traffic Flows “Bad” traffic cr tr ccr cr ar cr tr ppr ixpr ar inspection server Core

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC > Do you need a baseline ? Helps to build a filter template > Inter-city spare capacity (STM-4/GE+) ? > No old engine cards on the divert path ? > No software based systems on the path ? > As complex to configure/fine tune than a NIDS (on a per attack basis) ! > UDP traffic (especially DNS) > VoIP traffic > Reporting and customer “experience” DDoS mitigation : traffic diversion

Network Response to DDoS attacks – Nicolas FISCHBACH - TNC Exceed with COLT