Presentation is loading. Please wait.

Presentation is loading. Please wait.

FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering.

Published byDeirdre Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering."— Presentation transcript:

1 FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom nico@colt.net - http://www.securite.org/nico/

2 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20062 > ~4 months 21962 anomalies detected 5302 High (“displayed”) 15513 Medium 1147 Low > Per day ~40 anomalies make it to the “Security” screen in the NMC/NOC Some are duplicates for the same attack, some are false positives, etc. Overall 20 “real attacks” a day… A third of them are probably “business affecting” from the customer's point of view Some DDoS statistics : 1 year ago

3 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20063 > Sep/28: Eat this... 200kPPS of TCP SYNs Really distributed… 80/TCP > Sep/6: Nearly 1MPPS Some DDoS statistics : 1 year ago

4 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20064 > Aug/13: Eat this... Nearly 3Gb/s of traffic Mainly from America/AP 0/UDP Some DDoS statistics : 1 year ago

5 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20065 > Jul/10: Let’s try over different peering points Some DDoS statistics : 1 year ago

6 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20066 > Why care ? > I'm or even better, I provide capacity to large NRENs > I'm running a 10Gb/s core, so [censored] should I bother... > Well... Some DDoS statistics : today

7 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20067 > Largest DDoS attacks: 14M and 22MPPS Confirmed: 9MPPS seen by one Tier1 transit Towards hosting/customer, not infrastructure (except when collateral damage) > Most attacks in the 1-4Gb/s range (17Gb/s seen) > Good old TCP SYN, ICMP and UDP floods > Good old targets: IRC, adult, gam(bl)ing, etc. > Target : customer access link and DNS servers (at the same time) Some DDoS statistics : today Source: Danny McPherson/Arbor, H2'05 survey

8 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20068 > Most botnets pretty small (in the hundreds or thousands) > Some really large (100K+, xM+) > Most common C&C is still IRC > But some experiments with alternative methods seen (web-based, P2P, some form of encryption and obfuscation) > Pretty well organized > Quite some firepower : but DDoS is only for “fun”, the real activities are for “profit” Trends in botnets

9 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC20069 > Arbor Peakflow DoS + Riverhead-now-Cisco Guard deployed since 2002 > Edge (peering/transit) sourced Netflow (1/100) > MPLS-based traffic diversion to regional Guards > Dedicated Guards in NYC to protect US/int'l links > Part of a global security project MPLS core hiding WRED/Engine QoS CoPP t/i/rACLs OneTACACS, OneSyslog, etc > 24x7 or on-demand protection DDoS detection and mitigation

10 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200610 > Security features across HW and SW platforms > IP routing moving closer to the CPEs (IP DSLAMs, MSPs) > Netflow accounting and CAPEX-scalability for access layer > Botnet detection vs telco license requirements (and EU regulations – 13+ countries) > How to enforce the AUP > Customers Who think DDoS protection == “hacker” protection Who aren't willing to understand that there's no magic solution > EU Data Retention Act > How to protect the VoIP infrastructure Challenges

11 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200611 > Detection Most common : customer call ;-) Hop-by-hop traceback is so “old school” SNMP polling too (and not very effective either) Netflow DDoS detection and mitigation

12 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200612 DDoS detection : Netflow Edge Access Router “types” NOC tr ccr ar tr ppr ixpr (Sampled) Netflow Aggregated Netflow Flows (SNMP) Alerts collector controller

13 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200613 Netflow vs DPI internet host ircd/p2p malware (ddos agent/ zombie) dns attack peering edge Deep Packet Inspection Sampled Netflow access layer core

14 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200614 > Mitigation Most common : BGP-based destination blackhole ACLs Not a fan Quite some Tier1 use it Depends heavily on your network structure and HW/SW capabilities BGP-based source blackhole Diversion for scrubbing DDoS detection and mitigation

15 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200615 > Regional deployment, linked via GE to the Core and BGP sessions to Edge routers IP anycast-like engineering Traffic diversion using MPLS LSPs (the scrubber doesn’t have to speak MPLS) LSP from Edge to DCR (Directly Connected Router) DCR doesn’t perform a routing lookup and “sends” the IP packet to the scrubber (penultimate hop) DDoS mitigation : traffic diversion

16 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200616 DDoS mitigation : traffic diversion Edge Access Router “types” “Attack” traffic “Good” traffic Flows “Bad” traffic cr tr ccr cr ar cr tr ppr ixpr ar inspection server Core

17 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200617 > Do you need a baseline ? Helps to build a filter template > Inter-city spare capacity (STM-4/GE+) ? > No old engine cards on the divert path ? > No software based systems on the path ? > As complex to configure/fine tune than a NIDS (on a per attack basis) ! > UDP traffic (especially DNS) > VoIP traffic > Reporting and customer “experience” DDoS mitigation : traffic diversion

18 Network Response to DDoS attacks – Nicolas FISCHBACH - TNC200618 Exceed with COLT

Download ppt "FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering."

Similar presentations

NETFLOW & NETWORK-BASED APPLICATION RECOGNITION

NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
A Broadband Network Management Practice: KT Internet

A Broadband Network Management Practice: KT Internet
All rights reserved © 2006, Alcatel Grid Standardization & ETSI (May 2006) B. Berde, Alcatel R & I.

All rights reserved © 2006, Alcatel Grid Standardization & ETSI (May 2006) B. Berde, Alcatel R & I.
MPLS-based traffic shunt Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept. 2003.

MPLS-based traffic shunt Nicolas FISCHBACH Senior Manager - IP Engineering/Security RIPE46 - Sept
Experience in fighting DDoS attacks Nicolas FISCHBACH Senior Manager - Network Engineering/Security SwiNOG-9.

Experience in fighting DDoS attacks Nicolas FISCHBACH Senior Manager - Network Engineering/Security SwiNOG-9.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Secure Network Infrastructure.

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Secure Network Infrastructure.
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point DDoS Protector June 2012.

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point DDoS Protector June 2012.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Cisco DoS Detecting and Mitigating DoS Attack in a Network Cisco Systems.
CanSecWest/core07 NGN – Next Generation Nightmare ? What telco 2.0 really means Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom.

CanSecWest/core07 NGN – Next Generation Nightmare ? What telco 2.0 really means Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Version 3.0 DEFCON 10 August 2002 Anatomy of Denial of Service Mitigation Testing.

Version 3.0 DEFCON 10 August 2002 Anatomy of Denial of Service Mitigation Testing.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.

Similar presentations

Ads by Google