Presentation is loading. Please wait.

Presentation is loading. Please wait.

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

Published byReynard Taylor Modified over 8 years ago

Similar presentations

Presentation on theme: "© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key."— Presentation transcript:

1 © A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key

2 2 © A10 Networks, Inc. DoS Background What is a Denial of Service attack? An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity Effects the availability and utility of computing and network resources Attacks can be distributed for even more significant effect L7 attacks can be time consuming and involve high levels of manual process to ensure live users remain enabled The collateral damage caused by an attack can be as bad, if not worse, than the attack itself Attacks can be sustained for months

3 3 © A10 Networks, Inc.  The main point: DoS is an Outage!  Slow starvation or volumetric (simple attacks are still hitting the headlines) What is Denial of Service?

4 4 © A10 Networks, Inc.  One system is sending the traffic vs many systems are sending the traffic  Does it really matter?  …in what cases? DoS vs. DDoS?

5 5 © A10 Networks, Inc. Youtube

6 6 © A10 Networks, Inc. Botnets & C&C Servers  Botnet – (Zombie Army) A collection of internet connected programs to perform certain tasks. The can be used to send spam or launch Ddos attacks.  C&C Servers - A botnet's originator (known as a bot herder or bot master) can control all these compromise programs to basically send bad traffic to a destination machine. x2000 compromised hosts Control signal

7 7 © A10 Networks, Inc. Key Considerations For DDoS Protection  Scalability - How many resources may be brought to bear? –Different levels of scale depending on positioning  Flexibility - What types of attacks may be mitigated & what techniques may be used?  Specialized Resources, Expertise & Focus - Who or what is analyzing the attacks, what resources are available, and who has the responsibility to coordinate the defense?  What is the full breadth of tools at your disposal?  Cost, not just monetary, but collateral damage (Brand damage)  Insurance or Loss?

8 8 © A10 Networks, Inc. Contributing factors (what can you influence?)  Not patched Content Management Systems (CMSes)  Available reflectors (DNS, NTP, SSDP)  …with ability to amplify  More bandwidth available  Unpatched embedded devices – version control awareness  Misconfigured nodes  Vulnerable network elements i.e. CPEs  Weak security

9 9 © A10 Networks, Inc. Reflective attacks  Attacks where the an unwilling intermediary is used to deliver the attack traffic  The attacker would normally send a packet with a forged/spoofed source IP address to the intermediary. The forged address is going to be the one of the target. The intermediary will deliver a response which will go to the target instead of the attacker  Note to audience: think what protocols we can use for that?

10 10 © A10 Networks, Inc. Reflector types  The ones that are of interest and provide reflections are:  DNS  NTP  SNMP  SSDP  Other UDP???

11 11 © A10 Networks, Inc. What is DNS resolution?  The process of mapping: www.a10networks. com => 191.236.103.221 …if the answer was cached

12 12 © A10 Networks, Inc. What is DNS reflection?  What happens if an attacker forges the victim address as its source? …the reflected traffic goes to the target server  … and what if hundreds of misconfigured open DNS resolvers are used?

13 13 © A10 Networks, Inc. What is an amplification attack?  Asymmetric attack where the response is much larger than the original query

14 14 © A10 Networks, Inc. Amplification types  The ones that are of interest and provide reflections are:  DNS  NTP  SNMP  SSDP  What else?

15 15 © A10 Networks, Inc. Reflection and Amplification

16 16 © A10 Networks, Inc. What is a subdomain attack?  Direct or Reflection attack where the intermediary and victim spend cycles on nonsense S: 191.236.103.221 D: 3.3.3.3 What is the IP for Xyz1234.www.cisco.com? S: 3.3.3.3 1 D: 91.236.103.221 NXDOMAIN Response to legitimate protocol query

17 17 © A10 Networks, Inc. NTP servers  Stratum servers  NTP queries  MONLIST command –provides a list of clients that have time readings  What’s next?

18 18 © A10 Networks, Inc.  DNS “Any” Request Filtering –DNS “Any” requests can be used for a DDoS attack, since they occupy DNS server resources as the target server sends its many records to the requesters.  DNS Request Rate Limiting—by FQDN –IP address – Limits the rate of queries from a given source. –Requested domain name – Limits the rate of requests for the same domain name, from any sender, i.e. DNS Birthday attack –Scope for FQDN rate limiting– Specify how many labels of the FQDN to consider together when applying the rate limit –Maximum label length – Specify the maximum length for a given label within the FQDN, either at any suffix position or beginning at a specific suffix position.  DNS Request Rate Limiting—by Record Type  NXDomain Inspection and Rate Limiting Solution?

19 19 © A10 Networks, Inc.  Label Inspection and Label Length Limiting –Limit the label length of the FQDN after a number of suffixes  Anything greater than suffix x will be limited Ddos template dns tp-dns fqdn-label-length 15 suffix 2 fqdn-label-length 10 suffix 3 www.googlegooglegoogle.com test.www.google.com randominvalidstring.google.comDoes not pass label length 15 after suffix 2 check alongstring.www.google.comPasses label length 15 after suffix 2 check, but does not pass label length 10 after suffix 3 check Solution?

20 20 © A10 Networks, Inc. Backscatter  What is backscatter and why do I care?  Traffic that is a by-product of the attack  Why is that interesting? –It is important to distinguish between the actual attack traffic and unintended traffic sent by the victim –Classify the attacker and victim differently

21 21 © A10 Networks, Inc. Metrics –Bandwidth (Kbps, Gbps) –PPS –QPS –Storage –CPU –Application specific – usually latency –Bad actors –Victims –Geo-temporal

22 Good Internet citizenship

23 23 © A10 Networks, Inc. Mitigations (Assumption – preaching to the converted)  Defend yourself –Anycast –Some form of IPS/DDoS mitigation gear – inline or asymmetric (service dependent or independent?) –Overall network architecture  Defend the Internet –Rate-limiting –BCP38/140 (outbound filtering) source address validation –Securely configured DNS, NTP and SNMP servers –No open resolvers  Talk to other security professionals like yourself  Talk to vendors like A10 Networks

24 24 © A10 Networks, Inc. Are you noticing the imbalance? Defend yourself/your consumers Defend the Internet –Anycast (DNS) –Some form of IPS/DDoS mitigation gear –Rate-limiting –BCP38/140 (outbound filtering) source address validation –Securely configured authoritative DNS servers –No open resolvers Lots of money Effective, scalable, faster to rollout Somewhat cheap More touch points, slower to rollout

25 25 © A10 Networks, Inc. What’s the point I’m trying to make?  It’s not feasible to mitigate those attacks single handedly all of the time  Companies need to start including “defending the Internet from themselves” as a part of their budget – not only “defending themselves from the Internet”  We need cooperation amongst Service Providers and Security Vendors –More can always be done, the war continues –Shared intelligence is key

26 26 © A10 Networks, Inc.  Evaluate the quick wins in your own network –RFC 2827/BCP 38 –If possible filter all outgoing traffic and use proxy –BCP 140: “Preventing Use of Recursive Nameservers in Reflector Attacks”  Collaborate with your peers to raise the bar collectively  Use high-scale, high performance mitigation infrastructure that defends your network and gives your consumers and peers levels of protection that keep pace and exceed the pace of change  Use dedicated DDoS platforms that understand the in-the-wild attacks –Don’t exacerbate the situation, reduce the backscatter  Share the key metrics, KPIs and mitigation techniques (public forum?) In Summary (Assumption – this is part of your strategy already)

27 THANK YOU www.a10networks.com

Download ppt "© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.

© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.

Similar presentations

Ads by Google