Protection On-Demand: Ensuring Resource Availability
Dan Touitou
Infrastructure Security, 3/04
© 2004 Cisco Systems, Inc. All rights reserved.
Slide 1: Protection On-Demand: Ensuring Resource Availability. Dan Touitou, dtouitou@cisco.com

Slide 2: Agenda
- The Growing DDoS Challenge
- Existing Solutions
- Our Approach
- Technical Overview

Slide 3: How do DDoS Attacks Start?
[Diagram: DNS and email servers alongside 'Zombies']
- Innocent PCs and servers are turned into 'zombies'

Slide 4: The Effects of DDoS Attacks
[Diagram: server-level, bandwidth-level and infrastructure-level DDoS attacks against DNS and email]
Attack zombies:
- Massively distributed
- Spoof source IP
- Use valid protocols

Slide 5: Attacks - examples
SYN attack:
- Huge number of crafted, spoofed TCP SYN packets
- Fills up the "connection queue"
- Denial of TCP service
HTTP attacks:
- Attackers send a lot of "legitimate" HTTP requests

Slide 6: Attack Evolution - Stronger and More Widespread
Two scaling dimensions: scale of attacks and sophistication of attacks
Past:
- Non-essential protocols (e.g. ICMP)
- 100s of sources
- 10Ks packets/sec
Present:
- Spoofed
- 10Ks of zombies
- 100Ks packets/sec
Emerging:
- Essential protocols
- 100Ks of zombies
- Million+ packets/sec
- Compound and morphing

Slide 7: Existing Solutions

Slide 8: SYN Cookies - how it works
[Diagram: message sequence between Source, Guard and Target, read off the slide]
Source -> Guard: syn(isn#)
Guard -> Source: synack(cky#, isn#+1), WS=0   (stateless part: the guard keeps no state yet)
Source -> Guard: ack(cky#+1)   (state created only for authenticated connections)
Guard -> Target: syn(isn#)
Target -> Guard: synack(isn'#, isn#+1)
Guard -> Target: ack(isn'#+1)
Guard -> Source: WS<>0 (window reopened once the target connection is up)
Sequence # adaptation: for the rest of the connection the guard translates between cky# on the client side and isn'# on the target side.
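The stateless part and the sequence-number adaptation on this slide, as an added example that is not Cisco's or Riverhead's code: a SYN-cookie front end in the role of the Guard. The function names, the cookie layout (5-bit time slot, 2-bit MSS index, 25-bit HMAC), the secret and the addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Added example (not Cisco/Riverhead code): a stateless SYN-cookie front end in the
# role of the slide's Guard, plus the sequence-number adaptation it needs once the
# target connection exists. Function names, the cookie layout (5-bit time slot,
# 2-bit MSS index, 25-bit MAC) and the secret are assumptions for this illustration.

SECRET = b"constructed-guard-secret"       # constructed; a real guard rotates this periodically
MSS_TABLE = [536, 1220, 1440, 1460]        # MSS values representable in the 2-bit index (constructed)
SLOT_BITS, MSS_BITS, MAC_BITS = 5, 2, 25   # 5 + 2 + 25 = 32 bits, so one cookie is one ISN


def _slot(now):
    """64-second time slot, wrapped to SLOT_BITS so it fits in the cookie."""
    return (int(now) >> 6) & ((1 << SLOT_BITS) - 1)


def _mac(src, sport, dst, dport, client_isn, slot, mss_idx):
    msg = struct.pack("!4sH4sHIIB", src, sport, dst, dport, client_isn, slot, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(src, sport, dst, dport, client_isn, now, mss):
    """cky# for synack(cky#, isn#+1): derived from the 4-tuple, the client ISN and the
    time slot, so nothing has to be stored for a SYN that is never acknowledged."""
    slot = _slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src, sport, dst, dport, client_isn, slot, mss_idx)
    return (slot << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac


def verify_ack(src, sport, dst, dport, seq, ack, now):
    """Check the client's ack(cky#+1). Returns the negotiated MSS on success, None otherwise.
    seq is the ACK's sequence number (isn#+1), so the client ISN is recoverable from it."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    cur = _slot(now)
    # accept the current slot and the one before it; anything older is a stale replay
    if slot not in (cur, (cur - 1) & ((1 << SLOT_BITS) - 1)):
        return None
    expected = _mac(src, sport, dst, dport, client_isn, slot, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


class AdaptedConnection:
    """State created only after verify_ack succeeded. The client believes the server ISN
    is cky#, the target actually used isn'#, so the guard shifts every target->client
    sequence number by delta = cky# - isn'# and every client->target acknowledgment back."""

    def __init__(self, cookie, target_isn):
        self.delta = (cookie - target_isn) & 0xFFFFFFFF

    def to_client_seq(self, seq):
        return (seq + self.delta) & 0xFFFFFFFF

    def to_target_ack(self, ack):
        return (ack - self.delta) & 0xFFFFFFFF


if __name__ == "__main__":
    src, dst = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])   # constructed addresses
    c = make_cookie(src, 40000, dst, 80, 1000, 1_700_000_000, 1460)
    print("cookie", hex(c), "mss", verify_ack(src, 40000, dst, 80, 1001, (c + 1) & 0xFFFFFFFF, 1_700_000_000))
```

Because the cookie is recomputed from the returning ACK, a flood of SYNs from spoofed sources costs the guard one HMAC per packet and no memory; only a source that actually received the synack can produce an ACK that verifies, and only then is the per-connection delta allocated.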

Slide 9: Blackholing
[Diagram: Server1, Victim and Server2 behind routers R1 to R5; link labels 1000, FE, peering, 100]
- Blackholing the victim = disconnecting the customer

Slide 10: At the Edge / Firewall/IPS
[Diagram: same topology as the blackholing slide, with the firewall/IPS at the customer edge]
- Easy to choke
- Point of failure
- Not scalable

Slide 11: At the Backbone
[Diagram: same topology, with the filtering device in the backbone]
- Throughput
- Point of failure
- Not scalable

Slide 12: Cisco Solution

Slide 13: Dynamic Diversion Architecture
[Diagram: Guard XT, a Detector XT (or Cisco IDS, Arbor Peakflow), the Target and non-targeted servers]
1. Detect (Detector XT or Cisco IDS, Arbor Peakflow)
2. Activate: auto/manual
3. Divert only the target's traffic (Guard XT issues a BGP announcement)

Slide 14: Dynamic Diversion Architecture (continued)
[Diagram: traffic destined to the target passes through the Guard XT; legitimate traffic continues to the target; non-targeted servers are unaffected]
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely

Slide 15: Technical overview
- Diversion/Injection
- Anti-Spoofing
- Anomaly Detection
- Performance Issues

Slide 16: Diversion
How to "steal" traffic without creating loops?

Slide 17: Diversion, one example: L3 next hop
- BGP diversion: announce a longer (more specific) prefix for the target from the guard, tagged with the no-export and no-advertise communities
- Injection: send the cleaned traffic directly to the next L3 device

Slide 18: Diversion, L3 next hop application
[Diagram: ISP 1 and ISP 2 feeding a router, a switch and a firewall in front of the internal network; a Guard XT attached over GEthernet to the switch; a Riverhead Detector XT alongside the DNS servers and the web, chat, e-mail and other servers; a web console; the Detector XT raises an alert for the Target]

Slide 19: Diversion, one example: injecting with tunnels
- BGP diversion: announce a longer prefix from the guard, tagged with the no-export and no-advertise communities
- Injection: send the traffic directly to the next L3 device, here over a tunnel

Slide 20: Diversion, one example: long-distance diversion
[Diagram: topology with the diverted address 61.1.1.1]

Slide 21: Filtering bad traffic
- Anti-Spoofing
- Anomaly detection
- Performance

Slide 22: Guard Architecture - high level
Data plane:
- Rate Limiter
- Sampler
- Flex Filter
- Bypass Filter
- Classifier: static and dynamic filters
- Anti-Spoofing Modules (send AS replies, drop packets)
Control and analysis plane:
- Analysis: basic and strong
- Anomaly Recognition Engine (inserts filters into the classifier)
- Connections and Authenticated Clients
- Policy Database
- Management

Slide 23: Anti spoofing
- Unidirectional... (only traffic destined to the target is diverted, so the guard never sees the return direction)

Slide 24: Anti-Spoofing Defense - one example: HTTP
[Diagram: message sequence between Source, Guard and Target]
Source -> Guard: syn(isn#)
Guard -> Source: synack(cky#, isn#+1)
Source -> Guard: ack(isn#+1, cky#)
Source -> Guard: GET uri
Guard -> Source: redirect to the same URI
Guard -> Source: fin
1. SYN cookie algorithm
2. Redirect the request
3. Close the connection
Client authenticated
- Anti-spoofing only when under attack
- Authenticate the source on its initial query
- Subsequent queries are verified

Slide 25: RST cookies - how it works
[Diagram: message sequence between Source, Guard and Target]
Source -> Guard: syn(isn#)
Guard -> Source: ack(ack=cky#)   (no SYN flag; the acknowledgment number is the cookie)
Source -> Guard: rst(cky#)      (a real TCP stack resets the connection it did not open, using the cookie as its sequence number)
Client authenticated
Source -> Target: syn(isn#)     (the retransmitted SYN is passed through)

Slide 26: Anti-Spoofing Defense - one example: DNS Client-Resolver (over UDP)
[Diagram: message sequence between Client, Guard and Target]
Client -> Guard: Ab.com rqst UDP/53
Guard -> Client: Ab.com reply TC=1
Client -> Guard: syn / Guard -> Client: synack / Client -> Guard: ack
Client -> Guard -> Target: Ab.com rqst TCP/53
Target -> Guard -> Client: reply
Authenticated IP
Client -> Guard -> Target: repeated Ab.com rqst UDP/53 (passed through from the authenticated IP)
Target -> Client: reply
- Anti-spoofing only when under attack
- Authenticate the source on its initial query
- Subsequent queries are verified
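The two challenges on slides 25 and 26 share one idea: a source proves it can receive packets sent to its address, and from then on its traffic is passed through until the entry expires. Here is an added example (not Cisco's or Riverhead's code) of a per-source authentication table in the role of the Guard, with an RST-cookie challenge for TCP sources and a TC=1 reply for UDP resolvers; the class and method names, the return-value strings, the cookie derivation, AUTH_TTL, the slot length and the secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Added example (not Cisco/Riverhead code): one per-source authentication table in the
# role of the Guard, fed by the two challenges on slides 25 and 26: an RST cookie for
# TCP sources and a TC=1 reply that makes DNS resolvers retry over TCP. A spoofed
# source never receives the challenge, so it can never answer it. Class, method and
# return-value names, the cookie derivation, AUTH_TTL, SLOT and the secret are assumptions.

SECRET = b"constructed-guard-secret"   # constructed
AUTH_TTL = 600                           # seconds a proven source stays in the table (assumed)
SLOT = 64                                # cookie time-slot length in seconds (assumed)


class AntiSpoofGuard:
    def __init__(self, under_attack=False):
        self.under_attack = under_attack     # challenges are issued only while under attack
        self.authenticated = {}              # src_ip (4 bytes) -> expiry time

    def _cookie(self, src, sport, dport, slot):
        msg = struct.pack("!4sHHI", src, sport, dport, slot)
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def _is_authenticated(self, src, now):
        expiry = self.authenticated.get(src)
        if expiry is None:
            return False
        if expiry < now:
            del self.authenticated[src]      # entry aged out; the source must prove itself again
            return False
        return True

    def _authenticate(self, src, now):
        self.authenticated[src] = now + AUTH_TTL

    # --- RST cookies (TCP) ---
    def on_tcp_syn(self, src, sport, dport, now):
        """SYN from an unproven source while under attack: answer with a bare ACK whose
        acknowledgment number is the cookie. Returns (action, challenge_to_send)."""
        if not self.under_attack or self._is_authenticated(src, now):
            return ("forward", None)
        cky = self._cookie(src, sport, dport, int(now) // SLOT)
        return ("challenge", {"flags": "ACK", "ack": cky})

    def on_tcp_rst(self, src, sport, dport, seq, now):
        """A real stack answers an unexpected ACK with rst(seq = the ack number it saw).
        Cookies from the current and the previous slot are accepted."""
        for slot in (int(now) // SLOT, int(now) // SLOT - 1):
            expected = self._cookie(src, sport, dport, slot)
            if hmac.compare_digest(seq.to_bytes(4, "big"), expected.to_bytes(4, "big")):
                self._authenticate(src, now)
                return "authenticated"
        return "drop"

    # --- TC=1 truncation (DNS over UDP) ---
    def on_dns_udp_query(self, src, now):
        """Unproven resolver while under attack: hand the query back with TC=1 instead of
        forwarding it, so a genuine resolver retries over TCP/53."""
        if not self.under_attack or self._is_authenticated(src, now):
            return "forward"
        return "reply_tc1"

    def on_dns_tcp_query(self, src, now):
        """Query arriving on a TCP/53 connection the guard completed with the source: the
        three-way handshake already proved the address, so record it and forward."""
        self._authenticate(src, now)
        return "forward"
```

When the zone is not under attack every method forwards immediately, matching "anti-spoofing only when under attack"; the TCP/53 handshake itself can be protected with the SYN-cookie method from slide 8, which is why on_dns_tcp_query needs no further challenge.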

Slide 27: Anomaly Detection Against Non-Spoofed Attacks
Extensive profiling:
- Hundreds of anomaly sensors per victim
- For global, proxies, discovered top sources, typical source, ...
Auto discovery and profiling of services:
- Automatically detects HTTP proxies and maintains specific profiles
- Learns individual profiles for top sources, separate from the composite profile
Depth of profiles:
- PPS rates
- Ratios, e.g. SYNs to FINs
- Connection counts by status
- Protocol validity, e.g. DNS queries
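A miniature of the profiling this slide lists, as an added example that is not Cisco's or Riverhead's code: one window of packet records is reduced to packets per second by protocol, the SYN:FIN ratio and half-open connection counts per source, then compared with a learned baseline, and each sensor outside its envelope yields the dynamic filter the anomaly engine would hand to the classifier. The record format, the baseline numbers, the tolerance factor and the filter strings are constructed for the illustration.

```python
from collections import Counter, defaultdict

# Added example (not Cisco/Riverhead code): a small anomaly engine over one window of
# per-packet records, using three of the sensors the slide names: pps by protocol, the
# SYN:FIN ratio and connection counts by status (here half-open per source). The record
# format, BASELINE, the tolerance factor and the filter strings are constructed.

BASELINE = {
    "pps": {"tcp": 40.0, "udp": 20.0},   # learned composite profile for one protected server
    "syn_fin_ratio": 1.0,               # a healthy server closes about as many connections as it opens
    "half_open_per_src": 10,            # per-source limit on connections opened but never closed
    "tolerance": 3.0,                   # observed value may exceed the learned one by this factor
}


def profile(records, window_s):
    """Reduce one window of records ({'src', 'proto', 'flags'}) to sensor values."""
    per_proto = Counter()
    syn = fin = 0
    half_open = defaultdict(int)
    for r in records:
        per_proto[r["proto"]] += 1
        if r["proto"] != "tcp":
            continue
        flags = r["flags"]
        if "S" in flags and "A" not in flags:     # bare SYN: a connection attempt
            syn += 1
            half_open[r["src"]] += 1
        if "F" in flags:                          # FIN: an orderly close
            fin += 1
            half_open[r["src"]] -= 1
    return {
        "pps": {p: n / window_s for p, n in per_proto.items()},
        "syn_fin_ratio": syn / max(fin, 1),
        "half_open_by_src": {s: n for s, n in half_open.items() if n > 0},
    }


def detect(stats, baseline=BASELINE):
    """Return one anomaly per sensor outside its learned envelope, each carrying the
    dynamic filter the anomaly engine would insert into the classifier."""
    tol = baseline["tolerance"]
    anomalies = []
    for proto, rate in stats["pps"].items():
        limit = baseline["pps"].get(proto, 0.0) * tol    # a protocol the profile never saw gets limit 0
        if rate > limit:
            anomalies.append({"sensor": f"pps:{proto}", "observed": rate, "limit": limit,
                              "filter": f"rate-limit proto {proto} to {limit:.0f} pps"})
    limit = baseline["syn_fin_ratio"] * tol
    if stats["syn_fin_ratio"] > limit:
        anomalies.append({"sensor": "syn_fin_ratio", "observed": stats["syn_fin_ratio"],
                          "limit": limit,
                          "filter": "escalate to strong analysis (per-source accounting)"})
    for src, n in stats["half_open_by_src"].items():
        if n > baseline["half_open_per_src"]:
            anomalies.append({"sensor": f"half_open_src:{src}", "observed": n,
                              "limit": baseline["half_open_per_src"],
                              "filter": f"rate-limit src {src}"})
    return anomalies


def sample_window():
    """Constructed one-second window: ten well-behaved clients that each open and close a
    connection, a little UDP, and one real (non-spoofed) host opening 120 connections."""
    recs = []
    for i in range(10):
        src = f"10.0.{i}.1"
        recs += [{"src": src, "proto": "tcp", "flags": "S"},
                 {"src": src, "proto": "tcp", "flags": "A"},
                 {"src": src, "proto": "tcp", "flags": "FA"}]
    recs += [{"src": "10.0.0.1", "proto": "udp", "flags": ""} for _ in range(5)]
    recs += [{"src": "203.0.113.77", "proto": "tcp", "flags": "S"} for _ in range(120)]
    return recs


if __name__ == "__main__":
    for anomaly in detect(profile(sample_window(), 1.0)):
        print(anomaly)
```

The per-source sensor is what separates a non-spoofed attacker from the composite profile: the global pps and SYN:FIN sensors only say that something is wrong, while the half-open count names the one source whose traffic the dynamic filter should limit, leaving the ten well-behaved clients untouched.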

Slide 28: Performance
- Wire speed requirement ... GigE = 1.48 million pps (minimum-size packets)
- Avoid copying
- Avoid interrupts/system calls
- Limit the number of memory accesses
- PCI bottleneck
- DDoS NIC accelerator

Slide 29: Cosmo board
- Replaces the NIC
- Handles the data path
- Based on the Broadcom BCM1250 integrated processor

Slide 30: BCM1250
- Budget: ~500 cycles per packet (a memory access costs about 90 cycles)

Slide 31: More performance - clustering
[Diagram: customer switches, ISP upstream, a load-leveling router in front of several Riverhead Guards forming a mitigation cluster]

Slide 32: Comments: dtouitou@cisco.com
THANK YOU!