
Protection On-Demand: Ensuring Resource Availability (presentation transcript)


1/43 Protection On-Demand: Ensuring Resource Availability

2/43 Agenda
- The Growing DDoS Challenge
- Existing Solutions
- Our Approach
- Technical Overview

3/43 How do DDoS Attacks Start?
(Diagram: DNS, Email) Innocent PCs and servers turn into 'Zombies'.

4/43 The Effects of DDoS Attacks
- Server-level DDoS attacks
- Bandwidth-level DDoS attacks
- Infrastructure-level DDoS attacks (DNS, Email)
Attack zombies:
- Massively distributed
- Spoof source IP
- Use valid protocols

5/43 Attacks - examples
SYN attack:
- Huge number of crafted, spoofed TCP SYN packets
- Fills up the "connection queue"
- Denial of TCP service
HTTP attacks:
- Attackers send a lot of "legitimate" HTTP requests

6/43 A few of the Latest High Profile Attacks
- Payment gateways - extortion (on the news): Authorize.net, PSIGateway, Worldpay, 2checkout
- Online brokerage firms (confidential)
- Commercial banks (confidential)
- Mydoom worm - Microsoft, SCO, Yahoo, Lycos, Google
- Doubleclick - DNS servers
- Akamai - DNS servers
- Online gambling sites - extortion
- Many others, but most companies will not want the world to know that they were attacked

7/43 Case Study - A Merchant Bank
- Customer uses two of the leading IXCs as upstream providers
- Customer was under attack for a week (third week of April)
- Both carriers failed to provide a stable solution
- The case was escalated by the bank's CEO to the vendors' "C" level
- After a week, one of the carriers installed a Guard and stopped the attack in 10 minutes
- The other carrier deployed a Guard for the bank the following day
- Attack statistics:
  - 1.1 Gbps malicious traffic
  - 0.008 Gbps (8 Mbps) legitimate traffic

8/43 Distributed Denial of Service Attacks
DDoS is often driven by financial motivation:
- DoS for hire
- Economically driven
- Politically driven
- Cyber terrorism
DDoS cannot be ignored; modern business depends on effective handling of attacks.

9/43 Extortion Process
- The target enterprise gets an attack to prove the attackers' capabilities
- Typically followed by a demand to transfer about $10,000 at a time to a European bank account
  - The extorter can withdraw the money using an ATM machine without showing his face in the bank
- Attackers use over 100K PCs
- The latest attacks were 2-3 Gbps
- The attackers can change the attack type very quickly (change protocol, change target, etc.)

10/43 Zombies
Estimates: up to 150 million computers (25% of the Internet) are infected. Development is progressing very fast, with ever-increasing sophistication.

Zombie        #machines     #emails
Conficker     10,000,000    10 billion/day
Kraken        495,000       9 billion/day
Srizbi        450,000       60 billion/day
Bobax         185,000       9 billion/day
Rustock       150,000       30 billion/day
Cutwail       125,000       16 billion/day
Storm         85,000        3 billion/day
Donbot        80,000        500 million/day
Grum          50,000        2 billion/day
Onewordsub    40,000        ?
Mega-D        35,000        10 billion/day
Nucrypt       20,000        5 billion/day
Wopla         20,000        600 million/day
Spamthru      12,000        350 million/day
Attack Team   10,000        250 million/day

11/43 Attack types
Bandwidth consumption attacks:
1. Spoofed and non-spoofed flood attacks: TCP flag (SYN, SYN-ACK, ACK, FIN), ICMP, UDP. Examples: SYN Flood, Smurf, LAND, UDP Flood
2. Zombie/botnet attacks: each zombie or bot source opens multiple TCP connections; each zombie or bot source opens multiple TCP sessions and issues repetitive HTTP requests
3. DNS attacks: DNS request flood
Resource starvation attacks:
Malformed packet checks
1. Packet size attacks: fragmented packets, large packets. Examples: Teardrop, Ping-of-Death
2. Low-rate zombie/botnet attacks: similar to bandwidth consumption attacks except that each attack source sends multiple requests at a low rate
3. DNS attacks: DNS recursive lookup
4. SIP protection: SIP anti-spoofing

12/43 Scope of the threat
                                 2005   2006   2007   2008   2009
Bots / zombies in organization     -      -     21%    20%    23%
DoS                               32%    25%     -     21%    29%
* CSI/FBI 2009 survey

13/43 DDoS Attack Size (chart only)

14/43 Nation-level attacks
Event | Targets \ outcomes | Details
2008 Georgia | Government sites, banks, Internet infrastructure \ collapse (days) | DDoS attack + penetration of the communications infrastructure. Carried out by civilian actors, with equipment, coordination and support from government entities
2009 South Korea \ USA | Government sites, banks \ collapse (days) | DDoS attack. Carried out by government entities, 20-50 thousand zombies (existing)
2007 Israel (Cast Lead) | Government sites \ collapse (minutes) | DDoS attack. Carried out by terror entities, up to 500 thousand machines

15/43 Attack scenarios \ possible courses of action
DDoS is a significant attack vector in the possible courses of action.
Course of action | Objective | Probability
Attack on government websites | Mainly perception/awareness | 100%
Attack on Internet infrastructure (bottlenecks, DNS), banks | Economic, perception | High
Attack on national infrastructures | Economic, operational | Is it DDoS?
Attack on military \ critical networks | Operational | ???

16/43 Attack Evolution - Stronger and More Widespread
Two scaling dimensions: scale of attacks and sophistication of attacks.
Past:
- Non-essential protocols (e.g. ICMP)
- 100s of sources
- 10Ks packets/sec
Present:
- Essential protocols
- Spoofed
- 10Ks of zombies
- 100Ks packets/sec
Emerging:
- Million+ packets/sec
- 100Ks of zombies
- Compound and morphing

17/43 Existing Solutions

18/43 SYN Cookies - how it works
Stateless part (Source <-> Guard):
1. Source -> Guard: syn(isn#)
2. Guard -> Source: synack(cky#, isn#+1), WS=0
3. Source -> Guard: ack(cky#+1)
State created only for authenticated connections (Guard <-> Target):
4. Guard -> Target: syn(isn#)
5. Target -> Guard: synack(isn'#, isn#+1), WS<>0
6. Guard -> Target: ack(isn'#+1)
Sequence # adaptation: from here on the Guard translates between cky# and isn'# for the rest of the connection.
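The exchange on slide 18, as an added Python simulation that is not part of the original deck or of the Guard product: the cookie is an HMAC over the 4-tuple, the client's ISN and a minute counter, state is created only after a valid ACK, and the Guard then rewrites sequence numbers by the delta between the cookie and the target's real ISN'. The `SECRET`, the `Target` stand-in and the flow values are constructed for the example.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-guard-secret"   # constructed; a real Guard would rotate its secret
MASK = 0xFFFFFFFF

def make_cookie(flow, isn, minute):
    """Stateless cookie: an HMAC over the 4-tuple, the client's ISN and a coarse
    time counter; it is returned as the Guard's ISN, so nothing is stored yet."""
    msg = "|".join(map(str, (*flow, isn, minute))).encode()
    return struct.unpack("!I", hmac.new(SECRET, msg, hashlib.sha256).digest()[:4])[0]

class Target:
    """Stand-in for the protected server: picks its own ISN' for each connection."""
    def __init__(self, isn_prime):
        self.isn_prime = isn_prime
    def synack(self, client_isn):
        return self.isn_prime, (client_isn + 1) & MASK

class Guard:
    def __init__(self, target):
        self.target = target
        self.delta = {}   # flow -> sequence delta; created only for authenticated flows

    def on_syn(self, flow, isn, minute):
        # SYN/ACK with the cookie as ISN and WS=0, so the client cannot push data
        # before it is authenticated; still no per-connection state.
        return ("synack", make_cookie(flow, isn, minute), (isn + 1) & MASK)

    def on_ack(self, flow, ack, isn, minute):
        # Accept the cookie from this or the previous minute; anything else is a
        # spoofed or stale ACK and is dropped without creating state.
        if not any((make_cookie(flow, isn, m) + 1) & MASK == ack for m in (minute, minute - 1)):
            return None
        isn_prime, ack_to_target = self.target.synack(isn)   # real handshake, WS<>0
        self.delta[flow] = (isn_prime - (ack - 1)) & MASK    # isn' - cky
        return ("established", isn_prime, ack_to_target)

    def to_target(self, flow, ack_field):
        """Client -> Target: rewrite the ACK number from cookie space to ISN' space."""
        return (ack_field + self.delta[flow]) & MASK

    def to_client(self, flow, seq_field):
        """Target -> Client: rewrite the sequence number from ISN' space to cookie space."""
        return (seq_field - self.delta[flow]) & MASK
```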

19/43 Blackholing
(Diagram: Server1, Victim, Server2 behind routers R1-R5; 1000 FE peering; 100.)
Blackholing = disconnecting the customer

20/43 At the Edge / Firewall/IPS
(Same diagram.)
- Easy to choke
- Point of failure
- Not scalable

21/43 At the Backbone
(Same diagram.)
- Throughput
- Point of failure
- Not scalable

22/43 Cisco Solution

23/43 Dynamic Diversion Architecture
1. Detect (Detector XT, or Cisco IDS, Arbor Peakflow)
2. Activate: auto/manual
3. Divert only the target's traffic (Guard XT sends a BGP announcement); non-targeted servers are left alone

24/43 Dynamic Diversion Architecture (continued)
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely

25/43 Technical overview
- Diversion/Injection
- Anti-Spoofing
- Anomaly Detection
- Performance Issues

26/43 Diversion
How to "steal" traffic without creating loops?

27/43 Diversion, one example: L3 next hop
BGP diversion: announce a longer prefix from the guard, with the no-export and no-advertise communities.
Injection: send directly to the next L3 device.

28/43 Diversion: L3 next hop application
(Diagram: ISP 1 and ISP 2 -> Router -> Switch -> Firewall -> Internal network with DNS servers, Web, Chat, E-mail, etc.; Guard XT attached to the switch over GEthernet; Riverhead Detector XT watching the Target and raising an Alert; Web console.)

29/43 Diversion, one example: injecting with tunnels
BGP diversion: announce a longer prefix from the guard, with the no-export and no-advertise communities.
Injection: send directly to the next L3 device.
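Slides 26-29 ask how to divert only the target's traffic without creating a loop. As an added Python simulation (not from the deck or the Guard product): the ISP edge router learns a /32 for the target from the Guard, longest-prefix match sends only that address to the Guard, the no-export/no-advertise communities keep the /32 from being re-advertised, and the Guard must inject clean traffic past the router that diverted it, otherwise the packet loops. The topology, node names and 61.1.1.x addresses are constructed.

```python
import ipaddress

NO_EXPORT, NO_ADVERTISE = "no-export", "no-advertise"   # well-known BGP communities

class Node:
    """A host: next_hop() returning None means the packet has arrived."""
    def __init__(self, name): self.name = name
    def next_hop(self, dst): return None

class Router(Node):
    def __init__(self, name):
        super().__init__(name); self.fib = []     # (network, next hop, communities)
    def add_route(self, prefix, nh, communities=()):
        self.fib.append((ipaddress.ip_network(prefix), nh, set(communities)))
    def next_hop(self, dst):
        # Longest-prefix match: the Guard's /32 wins over the customer's /24.
        ip = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh, _ in self.fib if ip in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
    def advertised_to(self, external_peer):
        # no-advertise: tell no peer at all; no-export: tell no peer outside the AS.
        return [str(n) for n, _, c in self.fib
                if NO_ADVERTISE not in c and not (external_peer and NO_EXPORT in c)]

class Guard(Node):
    """Scrubs the diverted traffic, then injects the clean part toward inject_to."""
    def __init__(self, name, inject_to): super().__init__(name); self.inject_to = inject_to
    def next_hop(self, dst): return self.inject_to

def trace(src, dst, max_hops=6):
    """Follow next hops; a node seen twice means the diversion created a loop."""
    path, hop = [src.name], src
    while True:
        nxt = hop.next_hop(dst)
        if nxt is None:
            return path
        if nxt.name in path or len(path) >= max_hops:
            return path + [nxt.name, "LOOP"]
        path.append(nxt.name)
        hop = nxt

def build(inject_past_divert_point):
    # Constructed topology: ISP edge R1 -> customer router R2 -> hosts in 61.1.1.0/24.
    r2 = Router("R2")
    r2.add_route("61.1.1.1/32", Node("target"))
    r2.add_route("61.1.1.2/32", Node("other-host"))
    r1 = Router("R1")
    r1.add_route("61.1.1.0/24", r2)
    guard = Guard("Guard", r2 if inject_past_divert_point else r1)
    r1.add_route("61.1.1.1/32", guard, (NO_EXPORT, NO_ADVERTISE))  # the diversion announcement
    return r1
```

`build(True)` models injection to the next L3 device (or through a tunnel to it); `build(False)` models a Guard that simply routes the cleaned packet back to the diverting router.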

30/43 Diversion, one example: long distance diversion
(Diagram; target 61.1.1.1.)

31/43 Filtering bad traffic
- Anti-Spoofing
- Anomaly detection
- Performance

32/43 Guard Architecture - high level
Data plane: Rate Limiter, Sampler, Flex Filter, Bypass Filter, Classifier (static & dynamic filters), Anti-Spoofing Modules, Analysis (Basic, Strong), Drop Packets, AS Replies.
Control & Analysis plane: Anomaly Recognition Engine, Connections & Authenticated Clients, Policy Database, Insert filters, Management.

33/43 Anti-spoofing
Unidirectional...

34/43 Anti-Spoofing Defense - one example: HTTP
Antispoofing only when under attack; authenticate source on initial query; subsequent queries verified.
1. SYN cookie alg.: Source -> Guard syn(isn#); Guard -> Source synack(cky#, isn#+1); Source -> Guard ack(isn#+1, cky#)
2. Redirect rqst: Source -> Guard GET uri; Guard -> Source redirect to same URI
3. Close connection: fin
Client authenticated.

35/43 RST cookies - how it works
1. Source -> Guard: syn(isn#)
2. Guard -> Source: ack(, cky#) (an ACK whose number is a cookie, not a valid reply to the SYN)
3. Source -> Guard: rst(cky) (a genuine TCP stack answers the unexpected ACK with a RST carrying the cookie; a spoofed source never sees the ACK)
4. Source -> Target: syn(isn#), now forwarded to the Target
Client authenticated.

36/43 Anti-Spoofing Defense - one example: DNS client-resolver (over UDP)
Antispoofing only when under attack; authenticate source on initial query; subsequent queries verified.
1. Client -> Guard: ab.com rqst UDP/53
2. Guard -> Client: ab.com reply with TC=1 (truncated, so the resolver retries over TCP)
3. Client -> Guard: ab.com rqst TCP/53 (syn, synack, ack, request, reply); IP authenticated
4. Client -> Target: repeated ab.com rqst UDP/53, forwarded for the authenticated IP
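The TC=1 check on slide 36, as an added Python example (not from the original deck or the Guard code): a minimal guard that answers unauthenticated UDP queries with a truncated copy of the question, marks a source as authenticated once its retry arrives over TCP/53, and forwards later UDP queries from that source. The query builder, the IPs and the `DnsGuard` class are constructed for the example.

```python
import struct

def build_query(txid, name, qtype=1):
    """Constructed DNS query: 12-byte header (RD set) plus one question, class IN."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def truncated_reply(query):
    """Echo the question back with QR=1, TC=1 and no answers: a real resolver
    retries the same query over TCP/53; a spoofed source never sees this reply."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | 0x0200 | (flags & 0x0100)      # QR, TC, keep RD
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]

def is_truncated(pkt):
    flags = struct.unpack("!H", pkt[2:4])[0]
    return bool(flags & 0x8000) and bool(flags & 0x0200)

class DnsGuard:
    """Anti-spoofing for client-resolver DNS over UDP, active only under attack."""
    def __init__(self, under_attack=True):
        self.under_attack = under_attack
        self.authenticated = set()     # source IPs that completed a TCP retry

    def handle(self, src_ip, proto, query):
        if proto == "tcp":
            # The TCP handshake already proves the source address is genuine.
            self.authenticated.add(src_ip)
            return ("forward", query)
        if not self.under_attack or src_ip in self.authenticated:
            return ("forward", query)             # subsequent UDP queries pass
        return ("reply", truncated_reply(query))  # first contact: force a TCP retry
```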

37/43 Anomaly Detection Against Non-Spoofed Attacks
Extensive profiling:
- Hundreds of anomaly sensors per victim
- For global, proxies, discovered top sources, typical source, ...
Auto discovery and profiling of services:
- Automatically detects HTTP proxies and maintains specific profiles
- Learns individual profiles for top sources, separate from the composite profile
Depth of profiles:
- PPS rates
- Ratios, e.g. SYNs to FINs
- Connection counts by status
- Protocol validity, e.g. DNS queries
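The sensors listed on slide 37, as an added Python sketch that is not from the deck or the Guard product: a composite per-service profile (packets per second and the SYN:FIN ratio) is learned from a baseline window and compared against a live window with a fixed tolerance, and the heaviest sources are discovered for their own profiles. The flow records, the tolerance and the threshold rule are constructed assumptions, not the Guard's actual algorithm.

```python
from collections import Counter

# Constructed flow records: (second, source IP, destination port, TCP flag).
# Baseline: 10 pps to the web service, one SYN for every FIN.
BASELINE = [(s, f"10.0.0.{1 + (s + i) % 5}", 80, "S" if i % 2 == 0 else "F")
            for s in range(60) for i in range(10)]
# Attack window: the same legitimate load plus 200 SYN/s from 20 sources, no FINs.
ATTACK = BASELINE + [(s, f"203.0.113.{i % 20}", 80, "S")
                     for s in range(60) for i in range(200)]

def profile(records, seconds):
    """Per-service sensors: packets per second and the SYN:FIN ratio."""
    pps, syn, fin = Counter(), Counter(), Counter()
    for _, _, port, flag in records:
        pps[port] += 1
        syn[port] += flag == "S"
        fin[port] += flag == "F"
    return {p: {"pps": pps[p] / seconds, "syn_fin": syn[p] / max(fin[p], 1)} for p in pps}

def detect(baseline, window, seconds, tolerance=3.0):
    """Flag each sensor whose live value exceeds tolerance x the learned value."""
    learned, live = profile(baseline, seconds), profile(window, seconds)
    anomalies = []
    for port, sensors in live.items():
        for name, value in sensors.items():
            ref = learned.get(port, {}).get(name, 0.0)
            if value > tolerance * max(ref, 1.0):
                anomalies.append((port, name, round(value, 2), round(ref, 2)))
    return anomalies

def top_sources(records, n=3):
    """Auto-discover the heaviest sources, which would get their own profiles."""
    return Counter(src for _, src, _, _ in records).most_common(n)
```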

38/43 Performance
- Wire speed requirement: GigE = 1.48 million pps
- Avoid copying
- Avoid interrupts/system calls
- Limit the number of memory accesses
- PCI bottleneck
- DDoS NIC accelerator

39/43 Cosmo board
- Replaces the NIC
- Handles the data path
- Based on the Broadcom BCM1250 integrated processor

40/43 BCM1250
Budget: ~500 cycles per packet (a memory access costs 90 cycles)

41/43 More performance - clustering
(Diagram: ISP upstream -> load-leveling router -> Riverhead Guards mitigation cluster -> customer switches.)

42/43 Managed DDoS Services - Cisco Powered Providers
Largest carriers offering "clean pipes" services to F500 enterprises: AT&T Internet Protect (DDoS Defense Option for Internet Protect), IP Defender, IP Guardian and many others.
Fully managed services offered:
- Service agreement and multiyear contract typical
- Gigabit+ dedicated capacity with shared overage
- Customized policies
- Part of a managed security services portfolio

43/43 Managed DDoS Services - Cisco Powered Providers
Managed hosting providers are offering DDoS-protected services: PrevenTier DDoS Mitigation Service, SureArmour DDoS Protection service and many others.
Protection offered with hosting:
- A la carte option, bundled with premium services or included with hosting
- Capacity matched to hosting
- Standardized or customized policies
- Service and attack reporting

