Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques.

Similar presentations


Presentation on theme: "1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques."— Presentation transcript:

1 1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques to Defeat DDoS

2 2 DDoS protection, Where & How? Server1VictimServer R3 R1 R2 R5R4 R R R 1000 FE peering 100

3 3 At the Routers Server1VictimServer R3 R1 R2 R5R4 R R R 1000 FE peering 100 Rand. Spoofing Throws good with bad Router degradation ACLs, CARs, null/rt. 1

4 4 At the Edge Server1VictimServer R3 R1 R2 R5R4 R R R 1000 FE peering 100 Chocked Point of failure Not scalable

5 5 At the Back Bone Server1VictimServer R3 R1 R2 R5R4 R R R 1000 FE peering Throughput Point of failure All suffer

6 6 Diversion Server1VictimServer R3 R1 R2 R5R4 R R R 1000 FE peering Not on critical path Router route Upstream Sharing Dynamic

7 7 Basic Scheme ISP Backbone AS 56 Victim AS 24 PR

8 8 Basic Concepts 1.Divert victim’s traffic 2.Sieve 3.Legitimate traffic continues on its route Database Victim traffic Victim clean traffic Malicious packets R

9 9 Operational process Victim AS x N O C 1 2

10 10 Sieving Malicious traffic Packet filtering Anti spoofing Learning & Statistical analysis Output HTTP Analysis & Authentication

11 11 Sieving techniques Filters: IP's, ports, flags, etc. Anti-spoofing: l TCP l Other Recognition: l Statistical Analysis l Layers 3-7 High-level Protocols: l HTTP specific (recognize anomalous behavior) l Other

12 12 Diversion 1. Divert 2. Return good traffic Without looping ! Victim traffic Victim clean traffic Malicious packets Database R

13 13 Diversion: BGP + next L3 1. Divert: BGP announce a /32 from the box no_export and no_advertise community 2. Return: Next layer 3 device Victim traffic Victim clean traffic Malicious packets L2 device L3 R

14 14 1. Divert: BGP 2. Return: GRE GRE de-cap increases VIP load < 20% [Wessels & Hardie, NANOG19, Albuquerque] R Victim traffic Victim clean traffic Malicious packets BGP GRE Diversion: BGP + GRE R

15 15 Diversion test A A C R X V I Gig 100BT W Phase 1: Normal traffic victimNon-victim R X Phase 2: Attack + Normal traffic Phase 2: Attack + Normal traffic Phase 3: Attack + Normal traffic + Diversion Gig

16 16 Diversion effect normal Attack Attack + diversion usec

17 17 Diversion WCCP v2 Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt] l remote diversion l Protocol, no dynamic config. Current Status Available on 6500, 7200, 7500, 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF Other vendors? Victim traffic Victim clean traffic Malicious packets R WCCP

18 18 Diversion PBR / FBF 1. Divert: Policy Based Routing Filter Based Forwarding 2. Return: Normal Route Table Victim traffic Victim clean traffic Malicious packets R PBR

19 19 Diversion: BGP + PBR 1. Divert: BGP 2. Return: PBR guard’s Interface card Victim traffic Victim clean traffic Malicious packets R PBR BGP

20 20 PBR Dynamic configuration l adding access list on demand CPU load: l VIP or RSP CPU load l Juniper FBF dedicated processor, Internet proc II (from JunOS 4.4) Victim traffic Victim clean traffic Malicious packets R PBR

21 21 PBR Warts 12.1(8a)E4 and 12.0(18)S and 12.2(2)T with “distributed cef” will not PBR properly! BUG ID: cscdp78100 l all packets diverted - rather than what is matched l but “ip cef” works properly l tested on 7513 on FE as well as GE (GEIP+) ip access-list extended WW33 permit ip any victim-ip victim-mask route-map WWMap permit 33 match ip address WW33 set ip next-hop Guard-guard-IP end interface GigabitEthernet0/0/0 ip policy route-map WWMap

22 22 Diversion Double Addressing 1. Divert: BGP 2. Return: Double addressing victim with private IP address, routed only internally Victim traffic Victim clean traffic Malicious packets R BGP

23 23 Double Addressing Data Center Victim AS PR NAT

24 24 Reverse Protection AS y AS x Victim

25 25 Flash Crowd Reverse Proxy AS x [Wessels & Hardie; Surrogate NANOG19]

26 26 Diversion for DDoS Summary l Maximize goodput to victim l Leave data path free l Let routers route l Protect any device l Sharing a large resouce on demand l Upstream (ala push back)

27 27 Comments:


Download ppt "1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques."

Similar presentations


Ads by Google