© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Guard Seminar. Hakan Tağmaç, Consulting System Engineer.


1 Guard Seminar. Hakan Tağmaç, htagmac@cisco.com, Consulting System Engineer

2 Agenda
- The DDoS problem
- Product introduction: "Guard" and "Detector"
- Diverting and stopping the attack
- Deployment models
- Managing the "Guard"
- Connecting the "Guard" to the network
- Filters and policies
- Packet types and traffic characteristics
- User filters and the "antispoofing" mechanism
- Operation modes
- Summary

3 The DDoS Problem

4 Distributed Denial of Service (DDoS): Multiple Threats and Targets
Diagram: peering point, POP, ISP backbone, access line, attacked server.
Attack zombies:
- Use valid protocols
- Spoof the source IP
- Massively distributed
- Variety of attacks
Targets:
- Entire data center: servers, security devices, routers; e-commerce, Web, DNS, e-mail...
- Provider infrastructure: DNS, routers, and links

5 DDoS Attacks Are Here To Stay
Symantec Internet Security Report, June '05:
- DoS attacks grew from 119 to 927 per day, an increase of 679%
- A large percentage of DDoS attacks are motivated by extortion demands
- 75 million computers are estimated to be infested with bot software
- Attack size is in the 2-7 Gig range
- The DoS problem is not a 100-year flood anymore!
'Zombie' ring allegedly hit 1.5 million computers (http://www.msnbc.msn.com/id/9763824/). Dutch Internet provider XS4ALL identified the zombie network: "only a drop in the ocean."

6 Why Traditional Mechanisms Are Not Enough (Firewalls, IDS)
- Optimized for signature-based, application-layer detection, while the most sophisticated DDoS attacks are characterized by anomalous behavior in layers 3 and 4
- Cannot easily detect DDoS attacks that use valid packets; require extensive manual tuning
- Firewalls are based on static policy enforcement; most DDoS attacks today use "approved" traffic that bypasses the firewall
- Lack of "anomaly detection"
- Lack of anti-spoofing capabilities to separate good traffic from bad

7 DDoS Solution Completes Security in Depth
Layers: Authenticated Access, Data Integrity, AVAILABILITY.
- Addresses "secure availability" of the infrastructure
- A "network behavior-based solution" is required to stop DDoS
- Does not use attack signatures; catches day-zero attacks
- Complements and strengthens the overall security solution: firewall, IPS, SSL, and antivirus, as well as content switching
- Efficient sequential elimination of different levels of threats

8 Cisco Guard and Detector Product Overview

9 Value Proposition
- Detects and mitigates the broadest range of Distributed Denial of Service (DDoS) attacks
- Behavioral anomaly recognition engine provides the granularity and accuracy to ensure availability and business continuity while dropping attack traffic
- High-performance, multi-gigabit architecture protects both enterprises and service providers from large attacks
- Leading-edge innovation with protection for DNS and SIP infrastructure
- Several enterprise and service provider wins and deployments

10 Cisco DDoS Solution: Appliances and Service Modules
DDoS Appliances: Cisco Guard XT 5650, Cisco Traffic Anomaly Detector XT 5600
- IBM x345/x346 server platform
- 2 GE fiber interfaces
- 10/100/GE copper management port
- 2U rack mount, single/dual power supply
- Dual RAID hard drive
- 2 GB DDRAM
- 1 Broadcom SiByte network processor
DDoS Service Modules: Cisco Anomaly Guard Module, Cisco Traffic Anomaly Detector Module
- Single-slot service module
- No external interfaces; uses line card or supervisor interfaces
- Cat6k IOS support: 12.2(18)SXD3 or later
- 7600 IOS support: 12.2(18)SXE or later
- 3 Broadcom SiByte network processors
- Multiple AGMs per chassis

11 Cisco DDoS Protection: Value Proposition ("DDoS Protection with Surgical Precision")
Anomaly Recognition: observe traffic behavior (TCP, UDP, HTTP, DNS, SIP): packet rates (e.g. SYNs in PPS), packet ratios (SYN:FIN), number of open and half-open TCP connections; for destination and source: by destination host IP, by destination subnet, by source host IP. (Firewall: no; IPS: no; Load balancer: no)
Spoofed Attack Protection: TCP anti-spoofing (SYN cookie, HTTP redirect, TCP anti-spoofing methods #2 and #3, strong anti-spoofing in proxy mode); UDP anti-spoofing (DNS anti-spoofing protection, SIP anti-spoofing protection). (Firewall: SYN cookie only; IPS: no; Load balancer: SYN cookie only)
Dynamic Filtering: per-source dynamic filtering blocks only the attack sources; 150K filters in real time; up to 3 Gbps protection / 3.5 Mpps; 10 Gbps performance with 4 modules in a chassis; <1 ms latency. (Firewall: no; IPS: no; Load balancer: no)
Botnet Protection: protection from botnet attacks with a unique anti-zombie mechanism; can stop up to 1M hosts; covers low-rate botnet attacks. (Firewall: no; IPS: no; Load balancer: no)

12 Anomaly Recognition: Behavior-Based Intelligent Mitigation
Metrics: packet rates (PPS), packet ratios, number of open connections.
- Learning: periodic observation of patterns to update the baseline profiles (traffic profile during peacetime)
- Detection: passive monitoring of a copy of the traffic; anomaly-based detection
- Analysis: diversion for more granular in-line analysis; flex filters, static filters and bypass filters in operation; all flows forwarded but analyzed for anomalies
- Basic Protection: basic anti-spoofing applied; analysis for continuing anomalies
- Strong Protection: strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources
Transitions between the stages: Attack Detected, Anomaly Identified, Anomaly Verified.
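As an added illustration of the learn / detect / filter cycle described on slides 11, 12 and 14 (this is example code written for this page, not Cisco's Guard implementation), the script below learns a peacetime SYN rate and SYN:FIN ratio per protected zone from constructed packet records, flags a zone whose metrics exceed an assumed 3x multiple of the baseline, and emits per-source dynamic filters for sources that leave connections half-open. The IP addresses, the 3x factor and the half-open threshold are assumptions; only the 150K filter budget comes from the slides.

```python
from collections import Counter, defaultdict

# Constructed sample records: (src, dst, tcp_flag). Peacetime: 20 clients each
# complete a handshake (one SYN, one FIN) to the web zone 192.0.2.10 in a 10 s window.
PEACETIME = [(f"10.0.0.{i}", "192.0.2.10", f) for i in range(1, 21) for f in ("SYN", "FIN")]
# Attack window: the same legitimate traffic plus 60 (assumed) zombie sources sending
# 3 SYNs each and never completing the handshake, i.e. the half-open pattern of a SYN flood.
ATTACK = PEACETIME + [(f"198.51.100.{i}", "192.0.2.10", "SYN") for i in range(1, 61) for _ in range(3)]
WINDOW_S = 10.0

def profile(packets, window_s=WINDOW_S):
    """Per-destination SYN rate (pps) and SYN:FIN ratio, the metrics named on slide 11."""
    syn, fin = Counter(), Counter()
    for _, dst, flag in packets:
        (syn if flag == "SYN" else fin)[dst] += 1
    return {dst: {"syn_pps": syn[dst] / window_s,
                  "syn_fin": syn[dst] / max(fin[dst], 1)} for dst in syn}

def detect(packets, baseline, factor=3.0):
    """Detection stage: return zones whose current SYN rate or SYN:FIN ratio exceeds
    `factor` (assumed 3x) times the learned peacetime baseline."""
    now = profile(packets)
    return sorted(dst for dst, cur in now.items()
                  if dst in baseline and (cur["syn_pps"] > factor * baseline[dst]["syn_pps"]
                                          or cur["syn_fin"] > factor * baseline[dst]["syn_fin"]))

def zombie_filters(packets, dst, max_half_open=2, max_filters=150_000):
    """Strong-protection stage: one per-source filter for every source that leaves more
    than `max_half_open` (assumed) connections half-open toward `dst`, capped at the
    150K dynamic-filter budget quoted on slide 14. Legitimate clients net out to zero."""
    half_open = defaultdict(int)
    for src, d, flag in packets:
        if d == dst:
            half_open[src] += 1 if flag == "SYN" else -1
    zombies = sorted(src for src, n in half_open.items() if n > max_half_open)
    return [("deny", src, dst) for src in zombies[:max_filters]]

if __name__ == "__main__":
    base = profile(PEACETIME)
    print("anomalous zones:", detect(ATTACK, base))
    print("dynamic filters:", len(zombie_filters(ATTACK, "192.0.2.10")))
```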

13 Cisco Guard: Broadest Attack Protection
Bandwidth consumption attacks:
1. Spoofed and non-spoofed flood attacks: TCP flag (SYN, SYN-ACK, ACK, FIN), ICMP, UDP; examples: SYN flood, Smurf, LAND, UDP flood
2. Zombie/botnet attacks: each zombie or bot source opens multiple TCP connections, or opens multiple TCP sessions and issues repetitive HTTP requests
3. DNS attacks: DNS request flood
Resource starvation attacks:
1. Packet size attacks: fragmented packets, large packets; examples: Teardrop, Ping-of-Death
2. Low-rate zombie/botnet attacks: similar to bandwidth consumption attacks, except that each attack source sends multiple requests at a low rate
3. DNS attacks: DNS recursive lookup
SIP protection: SIP anti-spoofing

14 High Performance and Capacity
- 1 Mpps+ for most attacks, good and bad traffic, typical features
- 150K dynamic filters for zombie attacks
- Clustering of up to 8 Guards for a single protected host
- Capacity: 30 concurrently protected zones (90 for the Detector) and 500 total
- 1.5 million concurrent connections
- Latency or jitter: < 1 msec
- 3 Gig Guard Module: Q1 CY07

15 Diversion, Mitigation Architecture

16-22 Dynamic Diversion and Mitigation At Work (one build-up across seven slides)
Setup: Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application; Cisco Traffic Anomaly Detector Module (or Cisco IDS or a third-party system); Cisco Anomaly Guard Module.
1. Detect the target
2. Activate: auto/manual
3. Divert only the target's traffic (route update: RHI internally, or BGP/other externally)
4. Identify and filter malicious traffic destined to the target
5. Forward legitimate traffic to the target
6. Non-targeted traffic flows freely

23 Enterprise Deployment Scenario

24 Enterprise or Hosting Data Center with Service Modules in "Integrated Mode"

25 Managed DDoS Service

26 DDoS Service Providers
- The largest carriers offer "clean pipes" services to F500 enterprises
- Both dedicated and shared protection models
- Pricing based on multiples of a gigabit of cleaning capacity
- Various detection options (manual, Detector, Peakflow SP)
- Attack activation together with the customer
- Standard or customized policies
- Service and attack reporting
Service providers: PrevenTier DDoS Mitigation Service, SureArmour DDoS Protection service. Hosting providers.

27 MDM Summary

28 DDoS MultiDevice Manager 1.0
- The DDoS MultiDevice Manager 1.0 (MDM) is a software product that enables monitoring, management and reporting of several Cisco Guards and Detectors in a customer network
- The MDM provides a coherent and consolidated view of attack information, both in real time and as detailed reports
- MDM 1.0 runs on a Linux server and needs to be installed on a server owned and operated by the customer
- MDM 1.0 requires R5.1(5) on the Guard and Detector devices

29 DDoS MultiDevice Manager 1.0 (cont.)
- The MDM GUI is based on the web-based management GUI currently available on the Guard and Detector devices
- Attack information such as size, type and other characteristics is aggregated across devices and displayed on a single screen through a web-based interface
- The MDM also supports distributing basic zone-level configuration from a master device to a set of other devices (Guards, Detectors) on the network
- Consolidation is done on counters, rates, graphs, attack reports, event logs and zone status across all devices

30 Consolidated Information
- The MDM gives the user the ability to monitor all DDoS detection and mitigation actions in the network from a web GUI: all zones under detection, all zones under attack, all mitigation actions
- When a zone is protected by several Guards, all information regarding the zone is consolidated into one view
- Consolidated information includes:
  - Aggregate zone state across all devices (e.g. whether all Guards or only a subset detected the attack)
  - All dynamic filters across all devices aggregated into one list
  - All log events from all devices aggregated into one log file sorted by time, at device level and at zone level
  - Aggregated counters and rates (e.g. malicious and legitimate traffic across all Guards; counter aggregation does not include Detectors)
  - Attack reports that consolidate information from all Guards

31 Summary
- Fighting DDoS attacks is an ongoing war, and Cisco has more experience and the most successful track record of any vendor
- The Guard and the Detector dominate the DDoS managed service market:
  - Major IXCs and web hosting players worldwide use the products for managed services
  - Many successful deployments in the largest enterprises
  - The most scalable and reliable solution
  - Mitigating attacks every day, providing ongoing feedback for product improvements
