Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques.

Published byRaul Mock Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques."— Presentation transcript:

1 1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques to Defeat DDoS

2 2 DDoS protection, Where & How? Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 100

3 3 At the Routers Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 100 Rand. Spoofing Throws good with bad Router degradation ACLs, CARs, null/rt. 1

4 4 At the Edge Server1VictimServer2 2........ R3 R1 R2 R5R4 R R R 1000 FE peering 100 Chocked Point of failure Not scalable

5 5 At the Back Bone Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 3 100 Throughput Point of failure All suffer

6 6 Diversion Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 4 4 100 Not on critical path Router route Upstream Sharing Dynamic

7 7 Basic Scheme ISP Backbone AS 56 Victim AS 24 PR

8 8 Basic Concepts 1.Divert victim’s traffic 2.Sieve 3.Legitimate traffic continues on its route Database Victim traffic Victim clean traffic Malicious packets R

9 9 Operational process Victim AS x N O C 1 2

10 10 Sieving Malicious traffic Packet filtering Anti spoofing Learning & Statistical analysis Output HTTP Analysis & Authentication

11 11 Sieving techniques Filters: IP's, ports, flags, etc. Anti-spoofing: l TCP l Other Recognition: l Statistical Analysis l Layers 3-7 High-level Protocols: l HTTP specific (recognize anomalous behavior) l Other

12 12 Diversion 1. Divert 2. Return good traffic Without looping ! Victim traffic Victim clean traffic Malicious packets Database R

13 13 Diversion: BGP + next L3 1. Divert: BGP announce a /32 from the box no_export and no_advertise community 2. Return: Next layer 3 device Victim traffic Victim clean traffic Malicious packets L2 device L3 R

14 14 1. Divert: BGP 2. Return: GRE GRE de-cap increases VIP load < 20% [Wessels & Hardie, NANOG19, Albuquerque] R Victim traffic Victim clean traffic Malicious packets BGP GRE Diversion: BGP + GRE R

15 15 Diversion test A A C R X V I Gig 100BT W Phase 1: Normal traffic victimNon-victim R X Phase 2: Attack + Normal traffic Phase 2: Attack + Normal traffic Phase 3: Attack + Normal traffic + Diversion Gig

16 16 Diversion effect normal Attack Attack + diversion usec

17 17 Diversion WCCP v2 Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt] l remote diversion l Protocol, no dynamic config. Current Status Available on 6500, 7200, 7500, 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF Other vendors? Victim traffic Victim clean traffic Malicious packets R WCCP

18 18 Diversion PBR / FBF 1. Divert: Policy Based Routing Filter Based Forwarding 2. Return: Normal Route Table Victim traffic Victim clean traffic Malicious packets R PBR

19 19 Diversion: BGP + PBR 1. Divert: BGP 2. Return: PBR guard’s Interface card Victim traffic Victim clean traffic Malicious packets R PBR BGP

20 20 PBR Dynamic configuration l adding access list on demand CPU load: l VIP or RSP CPU load l Juniper FBF dedicated processor, Internet proc II (from JunOS 4.4) Victim traffic Victim clean traffic Malicious packets R PBR

21 21 PBR Warts 12.1(8a)E4 and 12.0(18)S and 12.2(2)T with “distributed cef” will not PBR properly! BUG ID: cscdp78100 l all packets diverted - rather than what is matched l but “ip cef” works properly l tested on 7513 on FE as well as GE (GEIP+) ip access-list extended WW33 permit ip any victim-ip victim-mask route-map WWMap permit 33 match ip address WW33 set ip next-hop Guard-guard-IP end interface GigabitEthernet0/0/0 ip policy route-map WWMap

22 22 Diversion Double Addressing 1. Divert: BGP 2. Return: Double addressing victim with private IP address, routed only internally Victim traffic Victim clean traffic Malicious packets R BGP

23 23 Double Addressing Data Center Victim AS PR NAT

24 24 Reverse Protection AS y AS x Victim

25 25 Flash Crowd Reverse Proxy AS x [Wessels & Hardie; Surrogate NANOG19]

26 26 Diversion for DDoS Summary l Maximize goodput to victim l Leave data path free l Let routers route l Protect any device l Sharing a large resouce on demand l Upstream (ala push back)

27 27 Comments: {afek,anat,alon,hank,dan}@wanwall.com

Download ppt "1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques."

Similar presentations

Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Route Optimisation RD-CSY3021.

Route Optimisation RD-CSY3021.
MPLS-based traffic shunt Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept. 2003.

MPLS-based traffic shunt Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 4: Routing Concepts Routing Protocols.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 4: Routing Concepts Routing Protocols.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
Restoration by Path Concatenation: Fast Recovery of MPLS Paths Anat Bremler-Barr Yehuda Afek Haim Kaplan Tel-Aviv University Edith Cohen Michael Merritt.

Restoration by Path Concatenation: Fast Recovery of MPLS Paths Anat Bremler-Barr Yehuda Afek Haim Kaplan Tel-Aviv University Edith Cohen Michael Merritt.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.
Transparent Caching The art of caching network traffic without requiring user / browser side configuration.

Transparent Caching The art of caching network traffic without requiring user / browser side configuration.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.
111 © 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04 Protection On-Demand: Ensuring Resource Availability Dan Touitou

111 © 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04 Protection On-Demand: Ensuring Resource Availability Dan Touitou
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932

Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

Similar presentations

Ads by Google