1 Boaz Elgar, Product Manager, November 2002

2 Agenda
Some known DDoS attacks
Types of DDoS attacks
Current measures for blocking DDoS
Riverhead Solution overview
Confidential, © Riverhead Networks, Inc., 2002

3 Riverhead Profile
Solution: Secure internet availability against crippling DDoS cyber-attacks
Customers: Large enterprises, new media companies, service providers and government organizations
Investors:
HQ: Cupertino, California
Products: Riverhead Guard and Detector - infrastructure security devices

4 Overview of DDoS attacks

5 DDoS Incidents Around The Globe
Global: World Economic Forum, CERT
Europe: Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, British Telecom, Cloud9
US: Amazon, Yahoo, CNN, eBay, E-Trade, Microsoft, White House, NY Times, NASA, OZ.Net
ROW: small corporations, 30 educational organizations and 20 government systems (Korea), St George Bank (Australia)

6 Distributed Denial of Service: An Upstream Issue
Zombies on innocent computers
Infrastructure-level DDoS attacks
Server-level DDoS attacks
Bandwidth-level DDoS attacks

7 Server-level DDoS attacks
(Figure: packet header fields DST, SRC, prtcl, CRC, Port, SYN, FIN, SSL, GET, URL, CGI)
Application layer attacks: 404 File Not Found flood, SSL, CGI, DNS bogus-requests attack
Layer 4 attacks: SYN receive, Establish, FIN_WAIT_1 (TCP connection states)

8 TCP Level DDoS attacks

9 TCP SYN flood
(Figure: a client sends SYN RQST and the server replies SYN ACK; zombies send spoofed SYN RQSTs to the victim, whose SYN ACKs are never answered)
Waiting buffer overflows
One of the first CERT DDoS advisories issued - 9/1996

10 TCP SYN Flood News - February 3, 2002: Firenet ISP Suffers DoS Attack
Firenet MD Mr Castle also stated: "The list of attacks were Syn Flood attacks, IP Spoofing the LAN interfaces, and Total Denial of service attacks. We had taken down the servers for 4 nights in a row, from 11 o'clock till 6.00 am daily and worked all through the night with BT fighting this hacker or hackers, and had stopped the problems on Wednesday night Thursday morning".

11 NAPHTA: TCP connections
(Figure: clients send SYN RQST, the server replies SYN ACK, clients send ACK, then an HTTP request, then FIN)
By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources.
Fills up the TCP connections buffer.
Leaves multiple connections in FIN_WAIT_1 state on the server.

12 Half open connections
(Figure: clients send syn rqst, the server replies synack)
Repeatedly establishing a connection
Sending an unfinished request: "GE" instead of "GET"
Server waits for the end of the request
Application layer saturation
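Slides 9 to 12 describe two ways a client can hold server resources without finishing: a spoofed SYN that is never followed by the client's ACK (the listen backlog slot stays in SYN_RECEIVED), and a completed handshake whose HTTP request stops after "GE". The following Python is an added detection example written for this transcript, not code from the presentation or from Riverhead; the segments, timeouts and addresses are constructed for illustration.

```python
from collections import defaultdict

SYN_TIMEOUT = 3.0      # seconds a SYN may wait for the client's ACK before we count it as abandoned
REQUEST_TIMEOUT = 5.0  # seconds an established connection may wait for a complete request

# Constructed sample of client-to-server TCP segments towards one web server:
# (timestamp in seconds, client address, TCP flags, payload). Not real capture data.
SAMPLE_SEGMENTS = [
    # legitimate client: SYN, ACK completing the handshake, then a full request
    (0.0, "203.0.113.5", "S", b""),
    (0.1, "203.0.113.5", "A", b""),
    (0.2, "203.0.113.5", "PA", b"GET / HTTP/1.0\r\n\r\n"),
    # spoofed SYN flood (slide 9): sources that never answer the server's SYN ACK
    (0.5, "10.9.8.1", "S", b""),
    (0.5, "10.9.8.2", "S", b""),
    (0.6, "10.9.8.3", "S", b""),
    # application-layer half-open connection (slide 12): handshake completes, request stops at "GE"
    (1.0, "198.51.100.9", "S", b""),
    (1.1, "198.51.100.9", "A", b""),
    (1.2, "198.51.100.9", "PA", b"GE"),
]


def audit_connections(segments, now):
    """Replay time-ordered client-side segments and report which clients still hold server
    resources at time `now` without completing the TCP handshake or the HTTP request."""
    syn_at = {}          # client -> time of a SYN still waiting for that client's ACK (SYN_RECEIVED)
    established_at = {}  # client -> time the handshake completed, request not yet complete
    request_buf = defaultdict(bytes)
    for ts, client, flags, payload in segments:
        if ts > now:
            break
        if "S" in flags and "A" not in flags:
            syn_at[client] = ts                  # a backlog slot is now taken
        elif "R" in flags:                       # a reset frees whatever the client was holding
            syn_at.pop(client, None)
            established_at.pop(client, None)
            request_buf.pop(client, None)
        elif "A" in flags:
            if client in syn_at:                 # third packet of the handshake
                del syn_at[client]
                established_at[client] = ts
            if client in established_at and payload:
                request_buf[client] += payload
                if b"\r\n\r\n" in request_buf[client]:   # request complete: the server can answer
                    del established_at[client]
                    del request_buf[client]
    return {
        "half_open_tcp": sorted(c for c, t in syn_at.items() if now - t > SYN_TIMEOUT),
        "half_open_http": sorted(c for c, t in established_at.items() if now - t > REQUEST_TIMEOUT),
    }


def backlog_pressure(report, backlog_size):
    """Fraction of the listen backlog consumed by abandoned handshakes; 1.0 means new SYNs are refused."""
    return min(1.0, len(report["half_open_tcp"]) / backlog_size)


if __name__ == "__main__":
    report = audit_connections(SAMPLE_SEGMENTS, now=10.0)
    print(report)
    print("backlog used:", backlog_pressure(report, backlog_size=128))
```

The two lists separate the layer-4 problem (the kernel's backlog filling with SYN_RECEIVED entries) from the layer-7 one (worker processes blocked on incomplete requests), which matters because the mitigations differ: the first is bounded by the backlog size and SYN timeout, the second by the application's request timeout and worker count.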

13 HTTP attack tool
(Screenshot of the tool's interface: "Click to get latest victim", "Where to attack", "Control how fast to attack")
First came out in January 1999!

14 Client attack
URL attacks: repeated request, repeated REFRESH, random URL
Avoids proxy
Makes the victim work hard: cgi, long forms, heavy search requests
Large log file

15 Client attack on Lufthansa
Computerworld 6/21/01:
"Wednesday morning, in a planned attack, demonstrators began accessing Lufthansa's Web site. Although demonstrators claim they knocked the site off-line for about 10 minutes, Lufthansa said the claim was untrue."
"Lufthansa's servers got 67,004 hits per second at one point in the two-hour Web attack"
"The attack was planned to protest Lufthansa's contract with the German government to fly people who are denied asylum in Germany out of the country."

16 Client attack on WTO

17 DNS attack
DNS request spoofing, random requests
DNS recursive requests through reflectors: amplification
(Figure: UDP spoofed traffic sent to a DNS server, whose reply to the recursive request goes to the victim)

18 Bandwidth-level DDoS attacks
ICMP echo, unreachable
UDP Flood
Reflectors
Smurf Flood

19 Reflectors
(Figure: a zombie behind a sock proxy works through a proxy list of Reflector-1, Reflector-2, Reflector-3, Reflector-4, ...; web server, router and DNS server reflectors answer towards the victim)

20 Reflectors
(Figure: several zombies behind a sock proxy; web server, router and DNS server reflectors answer towards the victim)

21 Reflectors -> Bandwidth attack
Reflectors = anything that returns a packet when one is sent: web servers, DNS servers and routers
Returns SYNACK or RST in response to a SYN or other TCP packets with ACK
ICMP Time Exceeded or Host Unreachable in response to particular IP packets
Amplification if the sequence number is known (FTP, streaming...)
DNS replies. The second form of DNS reflection concerns DNS servers that in turn recursively query other servers to resolve a request. If the victim is a name server for a particular zone, then the attacker can issue a stream of queries to a large number of name servers that will in turn cause those name servers to bombard the victim server with recursive queries. The queries needn't even be spoofed, which would enable the attacker to launch them in the presence of anti-spoof filtering, though this would reveal the slaves' locations to any monitoring or logging done at the reflectors. But if the queries are spoofed, then the attacker could even use the victim's address as the purported source, such that when the reflector DNS server supplies a reply of some form, that too goes to the victim (a form of amplification, though one that can be filtered out).

22 Smurf amplification: direct broadcast address
(Figure: a zombie sends 1 ping.rqst with src = victim and dst = amp.255, the direct broadcast address of the amplifier network; the amplifier networks return hundreds of replies (500 each in the figure) to the victim)
Jan 1998

23 Smurf Tool
(Screenshot: the tool lets the packet size be set from 10 to 1300 octets)
Came out in March 1999!

24 Smurf attack
"Internet attack slows Web to a crawl: Assault on Oz.net affects entire area" - Tuesday, January 18, 2000
An ISP serving 7,000 subscribers is known to have been targeted in the so-called smurf attack in Seattle; the assault affected many, perhaps even most, of the Internet users in the Seattle area, said experts.
"... all the corporate or academic networks the smurf attacker used in the assault -- as many as 2,000 nationwide"
"The Seattle attack was most likely launched by a single person..."

25 Cisco - stopping Smurf: no ip directed-broadcast
Translation of directed broadcast to physical MAC broadcasts is disabled
As of IOS 12.0 this is the default
In order to prevent your site from being used as the intermediary network in these attacks, it is only necessary to block the broadcast echo requests before they are converted to hardware level broadcasts. The interface command "no ip directed-broadcast" prevents a router from performing this conversion. It is especially important that this configuration command be implemented on routers that provide routing to large broadcast networks. In addition, if a router is positioned such that it may forward broadcast requests to other routers on the protected network, the router should be configured to prevent this forwarding from occurring. This is accomplished by specifically blocking ICMP echo request traffic destined for broadcast addresses. For more information concerning how to block these attacks using packet filtering devices, see the document "Minimizing the Effects of 'Smurfing' Denial of Service Attacks" published by Cisco. This document (and several others regarding DoS attacks) may be found at
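To make the two rules on this slide concrete (do not translate a directed broadcast into a MAC broadcast, and drop ICMP echo requests addressed to broadcast addresses), here is an added Python model of that forwarding decision for slides 22 to 25. It is an example written for this transcript, not Cisco's or Riverhead's code; the interface addressing is assumed, and the helper returns the worst-case reply count a single echo request could trigger if the broadcast were delivered.

```python
import ipaddress

# Constructed router interface addressing (assumed; the slides name no networks).
INTERFACES = {
    "Ethernet0": ipaddress.ip_interface("192.0.2.1/24"),     # large LAN: an amplifier if broadcasts are forwarded
    "Serial1/1": ipaddress.ip_interface("198.51.100.1/30"),  # point-to-point uplink
}


def directed_broadcast_addresses(interfaces):
    """Broadcast address of every attached subnet: the destinations that 'ip directed-broadcast'
    would translate into a link-layer broadcast on that interface."""
    return {name: intf.network.broadcast_address for name, intf in interfaces.items()}


def forward_decision(src, dst, proto, icmp_type, interfaces):
    """Model of 'no ip directed-broadcast' plus the explicit echo-request filter the slide
    recommends. Returns (action, reason)."""
    dst_addr = ipaddress.ip_address(dst)
    for name, bcast in directed_broadcast_addresses(interfaces).items():
        if dst_addr != bcast:
            continue
        if proto == "icmp" and icmp_type == 8:   # ICMP type 8 = echo request
            return ("drop", f"echo request to directed broadcast {bcast} on {name}; "
                            f"source {src} would receive the replies (smurf)")
        return ("drop", f"directed broadcast to {bcast} on {name} not translated to a MAC broadcast")
    return ("forward", "unicast destination")


def amplification_bound(name, interfaces):
    """Upper bound on replies one echo request to this subnet's broadcast address could trigger
    if the router did translate it and every host address answered."""
    return max(0, interfaces[name].network.num_addresses - 2)


if __name__ == "__main__":
    print(forward_decision("203.0.113.9", "192.0.2.255", "icmp", 8, INTERFACES))
    print(forward_decision("203.0.113.9", "192.0.2.55", "icmp", 8, INTERFACES))
    print("worst case replies per request on Ethernet0:", amplification_bound("Ethernet0", INTERFACES))
```

The amplification bound is why the slide stresses routers "that provide routing to large broadcast networks": the damage a site can do as an intermediary scales with its subnet size, not with the attacker's bandwidth.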

26 Infrastructure-level DDoS attacks
BGP / OSPF / ... attacks
SYN flood against TCP 179 (BGP) and SSH
ICMP attack
DNS attacks

27 Attacks directly on routers
Attacks directed at routers can have broader impact than attacks directed at hosts
Packets directed at a router may be more CPU (slow path) consuming than packets transiting a router

28 October 2002: Massive attack on 13 DNS root servers
ICMP floods, 150K PPS (primitive attack)
Took down 7 root servers (two hours)
(Figure: flood traffic from AS x and AS y converging through AS 56 on the DNS root servers)

30 Attacks & Attack Tools examples
TFN
Spoofed SYN Flood
Non-spoofed SYN Flood
UDP Flood
FIN, SYNACK Flood (spoofed and non-spoofed)
Ping Flood
Smurf Flood
Combined UDP/TCP/ICMP
Targa3 Attack
Fragmentation Attack: IP/UDP (jolt2), IP/ICMP (trash and fawx), IP/TCP
HTTP Connection Flood (client attack): http errors 404 etc., http half connections
DNS attacks
BGP attacks on routers
Partial list of covered tools: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naphta, Trash...

31 How are DDoS handled?

32 Router Filtering: ACLs, CARs
Built-in and distributed, but...
Blocks good with bad
Ineffective against random spoofing and application level attacks
Potential performance degradation
Manually intensive process
(Figure: peering routers R4 and R5 feed core routers R2 and R3 and edge router R1; links labelled 1000, 1000 and 100 lead through access routers to an FE segment with Server1 (the victim) and Server2)

33 Cisco ACLs - 1
Use an ACL to determine which interface is being attacked and the characteristics of the attack
Initial ACL to determine what type of attack:
  access-list 101 permit icmp any any echo
  access-list 101 permit icmp any any echo-reply log-input
  access-list 101 permit udp any any
  access-list 101 permit tcp any any
  access-list 101 permit ip any any
  interface serial 1/1
   ip access-group 101 out
  ! Wait 10 seconds
  no ip access-group 101 out

34 Cisco ACLs - 2
  sh access-l 101
  Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
Indications are that there is some sort of ICMP attack
Need to place the ACL on each successive router in the upstream path

35 Cisco ACLs - 3
Next use 'log-input' to determine from where - via 'sho logging':
  %SEC-6-IPACCESSLOGDP: list 101 permit icmp (Serial1/1) -> (0/0), 1 packet
  %SEC-6-IPACCESSLOGDP: list 101 permit icmp (Serial1/1) -> (0/0), 1 packet
  %SEC-6-IPACCESSLOGDP: list 101 permit icmp (FastEthernet1/0/0) -> (0/0), 1 packet
  %SEC-6-IPACCESSLOGDP: list 101 permit icmp (Serial1/1) -> (0/0), 1 packet
Serial 1/1 is our prime suspect!
Link:
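Slides 33 to 35 are a manual procedure: read the per-entry match counters to classify the attack, then read the 'log-input' lines to find the ingress interface, and repeat one router upstream. The Python below is an added example for this transcript (not Riverhead's or Cisco's code) that automates those two reads. The 'sh access-list' text reuses the slide's counters; the syslog lines follow the slide's %SEC-6-IPACCESSLOGDP format, but since the slide elides the addresses, the source and destination addresses here are constructed.

```python
import re
from collections import Counter

# Constructed 'sh access-list 101' output in the format of slide 34 (counts copied from the slide).
SHOW_ACCESS_LIST = """\
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
"""

# Constructed 'sho logging' lines in the %SEC-6-IPACCESSLOGDP format of slide 35; the addresses
# (documentation ranges) are made up because the slide does not show them.
SHOW_LOGGING = """\
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 203.0.113.7 (Serial1/1) -> 192.0.2.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 203.0.113.8 (Serial1/1) -> 192.0.2.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.0.2.44 (FastEthernet1/0/0) -> 192.0.2.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 203.0.113.9 (Serial1/1) -> 192.0.2.10 (0/0), 1 packet
"""

ACL_LINE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)\s*\((\d+) match(?:es)?\)\s*$")
# The ingress interface is the first token inside the parentheses after the source; log-input may
# also print a MAC address there, which the [^)]* part skips.
LOG_LINE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (\S+) (permit|deny) (\w+) (\S+) \(([^\s)]+)[^)]*\) -> (\S+) \([^)]*\), (\d+) packets?"
)


def parse_acl_counters(show_output):
    """(action, protocol, qualifier, matches) for each ACE in 'sh access-list' output."""
    entries = []
    for line in show_output.splitlines():
        m = ACL_LINE.match(line)
        if m:
            action, proto, qualifier, matches = m.groups()
            entries.append((action, proto, qualifier, int(matches)))
    return entries


def dominant_entry(entries):
    """The ACE with the most hits and its share of all counted packets: the attack type."""
    total = sum(e[3] for e in entries)
    _action, proto, qualifier, matches = max(entries, key=lambda e: e[3])
    return (proto, qualifier, matches, round(matches / total, 3))


def parse_log_input(logging_output):
    """(acl, action, protocol, src, ingress interface, dst, packets) per log-input line."""
    rows = []
    for line in logging_output.splitlines():
        m = LOG_LINE.search(line)
        if m:
            acl, action, proto, src, iface, dst, pkts = m.groups()
            rows.append((acl, action, proto, src, iface, dst, int(pkts)))
    return rows


def suspect_interfaces(logging_output, acl="101", proto="icmp"):
    """Ingress interfaces ranked by logged packets of one protocol; the top entry is the link
    on which to repeat the ACL check one router further upstream."""
    hits = Counter()
    for row_acl, _action, row_proto, _src, iface, _dst, pkts in parse_log_input(logging_output):
        if row_acl == acl and row_proto == proto:
            hits[iface] += pkts
    return hits.most_common()


if __name__ == "__main__":
    proto, qualifier, matches, share = dominant_entry(parse_acl_counters(SHOW_ACCESS_LIST))
    print(f"dominant traffic: {proto} {qualifier} ({matches} matches, {share:.1%})")
    print("ingress interfaces:", suspect_interfaces(SHOW_LOGGING, proto=proto))
```

Because 'log-input' logs a sample of matching packets and each line costs router CPU, the slide's advice to leave the ACL in place for only about ten seconds still applies; the parser only removes the manual reading, not the per-router iteration.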

36 Cisco CAR - Committed Access Rate
(Figure labels: Normal Burst in bytes, Max Burst in bytes, b/w)
  interface ATM1/1/0.21 point-to-point
   rate-limit input access-group conform-action continue exceed-action drop
   rate-limit input access-group conform-action transmit exceed-action drop
  !
  access-list 180 deny icmp any
  access-list 180 permit icmp any any
  access-list 190 deny tcp any any established
  access-list 190 permit tcp any any
No one really understands "burst" - best to read:
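The slide leaves "burst" unexplained and elides the rates and burst sizes. The Python below is an added token-bucket model of the two chained rate-limit statements, written for this transcript rather than taken from the presentation or Cisco. Assumptions: access-list 180 selects ICMP and access-list 190 selects TCP segments that are not 'established' (connection attempts); the rates and normal bursts are invented; CAR's extended (max) burst, which drops probabilistically between the normal and max burst, is not modelled, so each statement uses only its normal burst.

```python
from collections import Counter


class TokenBucket:
    """One CAR statement's normal burst: tokens (bytes) refill at the committed rate and the
    bucket never holds more than the normal burst, so a long burst above rate is 'exceed'."""

    def __init__(self, rate_bps, normal_burst_bytes):
        self.rate = rate_bps / 8.0                  # committed rate in bytes per second
        self.capacity = float(normal_burst_bytes)   # normal burst: maximum tokens held
        self.tokens = self.capacity
        self.last = 0.0

    def conforms(self, size, now):
        """Refill for the elapsed time, then spend `size` tokens if they are available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


# Stand-ins for the rate-limit access lists (assumed content: the slide elides part of 180).
def acl_180(pkt):
    return pkt["proto"] == "icmp"


def acl_190(pkt):
    return pkt["proto"] == "tcp" and not pkt["established"]   # SYNs, not established flows


class RateLimitChain:
    """Ordered 'rate-limit input' statements: 'continue' hands a conforming packet to the next
    statement, 'transmit' and 'drop' end evaluation, and a packet matching no statement is sent."""

    def __init__(self, statements):
        self.statements = statements  # list of (match, bucket, conform_action, exceed_action)

    def classify(self, pkt, now):
        for match, bucket, conform_action, exceed_action in self.statements:
            if not match(pkt):
                continue
            action = conform_action if bucket.conforms(pkt["size"], now) else exceed_action
            if action != "continue":
                return action
        return "transmit"


def build_chain(icmp_bps=8000, icmp_burst=1500, syn_bps=8000, syn_burst=120):
    """The slide's two statements with assumed rates: ICMP capped then passed on, SYNs capped."""
    return RateLimitChain([
        (acl_180, TokenBucket(icmp_bps, icmp_burst), "continue", "drop"),
        (acl_190, TokenBucket(syn_bps, syn_burst), "transmit", "drop"),
    ])


def simulate(chain, packets):
    """Count the final action for each (time, packet) in time order."""
    outcome = Counter()
    for now, pkt in packets:
        outcome[chain.classify(pkt, now)] += 1
    return dict(outcome)


# Constructed packet stream: a 4-packet ICMP burst and 3 SYNs at t=0 (beyond both normal bursts),
# one established TCP segment, then two more ICMP packets after one second of refill.
SAMPLE_PACKETS = (
    [(0.0, {"proto": "icmp", "size": 500, "established": False})] * 4
    + [(0.0, {"proto": "tcp", "size": 60, "established": False})] * 3
    + [(0.0, {"proto": "tcp", "size": 1500, "established": True})]
    + [(1.0, {"proto": "icmp", "size": 500, "established": False})] * 2
)

if __name__ == "__main__":
    print(simulate(build_chain(), SAMPLE_PACKETS))  # {'transmit': 8, 'drop': 2}
```

The model shows what the slide's "blocks good with bad" means for CAR: the buckets count bytes, not intent, so the fourth ICMP packet and the third SYN are dropped whether or not they were legitimate, while the established segment bypasses both statements.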

37 Cisco uRPF
Does routing back to the source go through the same interface?
(Figure: a packet with some source address arrives at Router A; the source is checked in the routing table: if the path back is on the same line, accept the packet; if the path is via a different interface, reject it)

38 Cisco uRPF - 1: Unicast Reverse Path Forwarding
Requires CEF
Available starting in 11.1(17)CC and 12.0
Not available in 11.2 or 11.3 images
Cisco interface command: ip verify unicast rpf
uRPF would not help to stop Code Red attacks
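The check on slides 37 and 38 is a longest-prefix lookup on the source address followed by an interface comparison. The Python below is an added example for this transcript, not Cisco's or Riverhead's code; the forwarding table and sample packets are assumed. It also shows the two limits the deck later lists under "limited attack protection": on an interface covered by a default route every source passes, and a non-spoofed source (the Code Red case) passes everywhere.

```python
import ipaddress

# Constructed forwarding table for a customer-edge router: (prefix, outgoing interface).
FIB = [
    ("192.0.2.0/24", "FastEthernet0"),   # the customer's server LAN
    ("10.1.0.0/16", "Serial1/1"),        # another site reached over the serial link
    ("0.0.0.0/0", "Serial1/1"),          # default route towards the upstream / peering router
]


def lookup(fib, address):
    """Longest-prefix match: (network, interface) or None if no route covers the address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress):
    """'ip verify unicast rpf' (strict mode): accept a packet only if the route back to its
    source leaves through the interface the packet arrived on."""
    route = lookup(fib, src)
    if route is None:
        return ("reject", f"no route back to {src}")
    net, iface = route
    if iface == ingress:
        return ("accept", f"{src} is reachable via {iface} ({net})")
    return ("reject", f"{src} is reachable via {iface} ({net}) but arrived on {ingress}")


def filter_batch(fib, packets):
    """Apply the check to (src, ingress) pairs and count the outcomes."""
    counts = {"accept": 0, "reject": 0}
    for src, ingress in packets:
        counts[urpf_strict(fib, src, ingress)[0]] += 1
    return counts


# Constructed sample: the customer LAN emits its own address and two spoofed ones, and one
# packet arrives from upstream with a source covered only by the default route.
SAMPLE = [
    ("192.0.2.10", "FastEthernet0"),   # genuine customer host: accepted
    ("10.1.2.3", "FastEthernet0"),     # spoofed: that block lives behind Serial1/1
    ("203.0.113.9", "FastEthernet0"),  # spoofed: only the default route covers it
    ("203.0.113.9", "Serial1/1"),      # from upstream: default route points back out Serial1/1
]

if __name__ == "__main__":
    for src, ingress in SAMPLE:
        print(src, ingress, "->", urpf_strict(FIB, src, ingress))
    print(filter_batch(FIB, SAMPLE))  # {'accept': 2, 'reject': 2}
```

The last sample packet is the practical lesson: strict uRPF is effective on customer-facing interfaces, where the routing table says exactly which sources belong, and does little on an upstream interface behind a default route. It also rejects legitimate traffic wherever routing is asymmetric, which is the "blocks good along with the bad" caveat on slide 41.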

39 Blackholing = Disconnecting the customer
(Figure: same topology as slide 32; traffic for the victim Server1 is dropped upstream)

40 Null0 routing
Works only on destination addresses
Simple blackhole: ip route null0
Caveat: routers can forward faster than they can drop packets
Blackholes good packets with bad packets

41 Router Capabilities
ACLs: manual process; performance impact on some routers
CAR: also limits good traffic
uRPF: not enforced, limited attack protection
Blocks good along with the bad
Issues:
Too coarse - affects good as well as bad traffic
Router CPU/ASIC limitations - impacts performance
Ineffective on several different attacks

42 In-line Mitigation: Edge Device
Low cost and simple deployment, but...
Upstream ingress still choked
Device itself becomes a point of failure
Doesn't scale - requires many
Easy to overwhelm a FW
(Figure: same topology as slide 32, with an in-line device in front of the victim)

43 Diversion and Precise Filtering
Protects all resources
No point of failure or latency on the critical path
No router impact
Scales via sharing
Dynamic and precise filtering
(Figure: Guards attached to R2 and R3; the victim's traffic is diverted through a Guard and returned to Server1)

44 Solution Overview: Upstream = Not on the Critical Path
DDoS Protection = Riverhead Guard
DDoS Detection = Riverhead Detector
(Figure: Guard and Detector upstream of the victim and the non-victimized servers)

45 Solution Overview
1. Detect: Riverhead Detector, or an IDS system, firewall or health checks
2. Activate: auto/manual
3. Divert only the victim's traffic: the Riverhead Guard issues a BGP announcement
(Figure: victim and non-victimized servers behind the Guard)

46 Solution Overview: Hijack traffic = BGP
Traffic destined to the victim is drawn to the Riverhead Guard
Legitimate traffic to the victim is injected back via GRE, VRF, VLAN, FBF, PBR...
"No dynamic configuration"
(Figure: victim and non-victimized servers)

47 Adaptive and Dynamic Filtering
Per-flow queues and aggregate rates
1 to 100s of dynamic filters by flow, protocol, ...
Rate-limiting & DDoS traffic shaping
Static & dynamic filters
Anti-spoofing
Statistical analysis
Layer 7: http, smtp

48 ISP Perimeter Protection

49 ISP Perimeter Protection

50 ISP Edge Protection

51 IDC Enterprise Protection

52 Stop Attacks on Provider Infrastructure: Routers, Root DNS, Cache Proxies
(Figure: as slide 28, with a Riverhead Guard placed in AS 56 in front of the DNS root servers)

53 Actual Production Network
(Figure: links from ISP 1 and ISP 2 into Juniper, Foundry and Cisco routers (GSR 12000); Riverhead Guard and other detectors attached; Catalyst switches and GEthernet to a firewall, IDS and alerting, then the internal network and customers' servers)

54 Live Data Center Test
Victim & Guard: actual hosting center (Netax, Philadelphia)
Attackers: Mercury Interactive; user experience measured

55 Real World Results

56 Detailed Effect: Victim vs Non-victim
(Chart: response time in usec under normal conditions, during the attack, and during attack + diversion)

57 Thank you! Comments: boaz@riverhead.com

