Slide 1: Protection On-Demand: Ensuring Resource Availability
Dan Touitou, dtouitou@cisco.com
© 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04
Slide 2: Agenda
- The Growing DDoS Challenge
- Existing Solutions
- Our Approach
- Technical Overview
Slide 3: How do DDoS Attacks Start?
(Diagram: DNS and e-mail servers alongside compromised hosts labelled 'Zombies'.)
- Innocent PCs and servers turn into 'Zombies'
Slide 4: The Effects of DDoS Attacks
- Server-level DDoS attacks
- Bandwidth-level DDoS attacks
- Infrastructure-level DDoS attacks (DNS, e-mail)
Attack zombies:
- Massively distributed
- Spoof source IP
- Use valid protocols
Slide 5: Attacks - examples
SYN attack:
- Huge number of crafted, spoofed TCP SYN packets
- Fills up the "connection queue"
- Denial of TCP service
HTTP attacks:
- Attackers send a lot of "legitimate" HTTP requests
Slide 6: A few of the Latest High Profile Attacks
- Payment gateways – extortion (on the news): Authorize.net, PSIGateway, Worldpay, 2checkout
- Online brokerage firms (confidential)
- Commercial banks (confidential)
- Mydoom worm – Microsoft, SCO, Yahoo, Lycos, Google
- Doubleclick – DNS servers
- Akamai – DNS servers
- Online gambling sites – extortion
- Many others, but most companies will not want the world to know that they were attacked
Slide 7: Case Study – A Merchant Bank
- Customer uses two of the leading IXCs as upstream providers
- Customer was under attack for a week (third week of April)
- Both carriers failed to provide a stable solution
- The case was escalated by the bank's CEO to the vendors' "C" level
- After a week, one of the carriers installed a Guard and stopped the attack in 10 minutes
- The other carrier deployed a Guard for the bank the following day
- Attack statistics:
  – 1.1 Gbps malicious traffic
  – 0.008 Gbps (8 Mbps) legitimate traffic
Slide 8: Distributed Denial of Service Attacks
- DDoS is often driven by financial motivation
  – DoS for hire
  – Economically driven
  – Politically driven
  – Cyber terrorism
- DDoS cannot be ignored; modern business depends on effective handling of attacks
Slide 9: Extortion Process
- Target enterprise gets an attack to prove the attackers' capabilities
- Typically followed by a demand to transfer about $10,000 at a time to a European bank account
  – Extorter can withdraw the money using an ATM machine without showing his face in the bank
- Attackers use over 100K PCs
- Latest attacks were 2 – 3 Gbps
- The attackers can change the attack type very quickly (change protocol, change target, etc.)
Slide 10: Attack Evolution – Stronger and More Widespread
(Diagram: two scaling dimensions, scale of attacks and sophistication of attacks, plotted for Past, Present and Emerging.)
Past:
- Non-essential protocols (e.g. ICMP)
- 100s of sources
- 10Ks packets/sec
Present:
- Essential protocols
- Spoofed
- 10Ks of zombies
- 100Ks packets/sec
Emerging:
- Million+ packets/sec
- 100Ks of zombies
- Compound and morphing
Slide 11: Existing Solutions
Slide 12: SYN Cookies – how it works
(Sequence diagram between Source, Guard and Target.)
Stateless part:
- Source -> Guard: syn(isn#)
- Guard -> Source: synack(cky#, isn#+1), WS=0
- Source -> Guard: ack(cky#+1)
State created only for authenticated connections:
- Guard -> Target: syn(isn#)
- Target -> Guard: synack(isn'#, isn#+1)
- Guard -> Target: ack(isn'#+1)
- Guard -> Source: ack(isn#+1), WS<>0
Sequence # adaptation between cky# and isn'# for the rest of the connection
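Added example (not code from the presentation or from the Guard product): a Python model of the slide's SYN-cookie proxy, with the stateless cookie phase, the guard's own handshake to the target once the cookie validates, and the sequence-number adaptation that follows. The cookie construction (a truncated HMAC over the 4-tuple, the client ISN and a one-minute time slot) and the target's ISN are constructed for the demo.

```python
import hashlib
import hmac
import time

def make_cookie(secret, src, sport, dst, dport, client_isn, slot):
    """Stateless cookie: 32 bits of an HMAC over the 4-tuple, the client's ISN and
    a coarse time slot. Constructed scheme, standing in for the guard's own."""
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}:{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

class SynCookieGuard:
    def __init__(self, secret, target_isn):
        self.secret = secret
        self.target_isn = target_isn   # ISN the (simulated) target picks: isn'#
        self.delta = {}                # 4-tuple -> cky# - isn'#, the adaptation offset

    @staticmethod
    def slot(offset=0):
        return int(time.time()) // 60 - offset

    def on_syn(self, src, sport, dst, dport, isn):
        """Stateless part: answer synack(cky#, isn#+1) with window 0 so the client
        cannot push data before the guard holds a real connection to the target."""
        cky = make_cookie(self.secret, src, sport, dst, dport, isn, self.slot())
        return {"type": "synack", "seq": cky, "ack": isn + 1, "win": 0}

    def on_ack(self, src, sport, dst, dport, isn, ack):
        """Validate the cookie; only then open a connection to the target and keep state."""
        valid = any(make_cookie(self.secret, src, sport, dst, dport, isn, self.slot(d)) + 1 == ack
                    for d in (0, 1))          # current slot, or the previous one
        if not valid:
            return None                       # a spoofed source never gets here: no state
        cky = ack - 1
        # Guard -> Target syn(isn#); Target -> Guard synack(isn'#, isn#+1); Guard -> Target ack(isn'#+1)
        self.delta[(src, sport, dst, dport)] = (cky - self.target_isn) & 0xFFFFFFFF
        # Open the client's window: ack(isn#+1) with WS<>0
        return {"type": "ack", "seq": cky + 1, "ack": isn + 1, "win": 65535}

    def seq_to_client(self, key, seq):
        """Target-side sequence number rewritten into the cookie-based space the client saw."""
        return (seq + self.delta[key]) & 0xFFFFFFFF

    def ack_to_target(self, key, ack):
        """Client's acknowledgement rewritten into the target's real sequence space."""
        return (ack - self.delta[key]) & 0xFFFFFFFF
```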
Slide 13: Blackholing
(Diagram: Server1, Victim and Server2 behind routers R1 to R5; links labelled 1000, FE, peering and 100.)
= Disconnecting the customer
Slide 14: At the Edge / Firewall/IPS
(Same network diagram as slide 13, with the protection placed at the edge.)
- Easy to choke
- Point of failure
- Not scalable
Slide 15: At the Backbone
(Same network diagram as slide 13, with the protection placed in the backbone.)
- Throughput
- Point of failure
- Not scalable
Slide 16: Cisco Solution
Slide 17: Dynamic Diversion Architecture
(Diagram: Guard XT, Detector XT (or Cisco IDS, Arbor Peakflow), the target and non-targeted servers.)
1. Detect
2. Activate: auto/manual
3. Divert only the target's traffic (BGP announcement from the Guard XT)
Slide 18: Dynamic Diversion Architecture (continued)
(Diagram: traffic destined to the target passes through the Guard XT; non-targeted servers are not diverted.)
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely
Slide 19: Technical overview
- Diversion/Injection
- Anti-Spoofing
- Anomaly Detection
- Performance Issues
Slide 20: Diversion
How to "steal" traffic without creating loops?
Slide 21: Diversion, one example: L3 next hop
- BGP diversion: announce a longer prefix from the guard, tagged with the no-export and no-advertise communities
- Injection: send directly to the next L3 device
Slide 22: Diversion – L3 next hop application
(Diagram: ISP 1 and ISP 2 feeding a router, switch and firewall in front of the internal network; a Guard XT attached by Gigabit Ethernet to the switch; a Riverhead Detector XT watching the DNS servers and the web, chat and e-mail servers; the Detector XT raises an alert for the target on the web console.)
Slide 23: Diversion, one example – Injecting with tunnels
- BGP diversion: announce a longer prefix from the guard, tagged with the no-export and no-advertise communities
- Injection: send directly to the next L3 device
Slide 24: Diversion, one example: long distance diversion
(Diagram, labelled with the address 61.1.1.1.)
Slide 25: Filtering bad traffic
- Anti-Spoofing
- Anomaly detection
- Performance
Slide 26: Guard Architecture – high level
(Block diagram.)
Data plane: Rate Limiter, Sampler, Flex Filter, Bypass Filter, Classifier (static & dynamic filters), Anti-Spoofing modules (basic and strong), Drop Packets, AS Replies
Control & Analysis plane: Analysis, Anomaly Recognition Engine, Connections & Authenticated Clients, Policy Database, Insert filters
Management
Slide 27: Anti spoofing
Unidirectional.....
Slide 28: Anti-Spoofing Defense - One example: HTTP
(Sequence diagram between Source, Guard and Target.)
- Source -> Guard: syn(isn#)
- Guard -> Source: synack(cky#, isn#+1)
- Source -> Guard: ack(isn#+1, cky#)
- Source -> Guard: GET uri
- Guard -> Source: Redirect to same URI
- Guard -> Source: fin
Steps: 1. SYN cookie algorithm; 2. Redirect request; 3. Close connection. Client authenticated.
- Antispoofing only when under attack
- Authenticate source on initial query
- Subsequent queries verified
Slide 29: RST cookies – how it works
(Sequence diagram between Source, Guard and Target.)
- Source -> Guard: syn(isn#)
- Guard -> Source: ack(, cky#)
- Source -> Guard: rst(cky)
- Client authenticated
- Source retransmits syn(isn#)
Slide 30: Anti-Spoofing Defense - One example: DNS Client-Resolver (over UDP)
(Sequence diagram between Client, Guard and Target.)
- Client -> Guard: ab.com rqst UDP/53
- Guard -> Client: ab.com reply, TC=1
- Client -> Guard: syn; Guard -> Client: synack; Client -> Guard: ack
- Client -> Guard: ab.com rqst TCP/53
- Reply; IP authenticated
- Repeated IP: ab.com rqst UDP/53 from the authenticated IP is forwarded and answered
- Antispoofing only when under attack
- Authenticate source on initial query
- Subsequent queries verified
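Added example (not code from the presentation or from the Guard product): a Python model of the slide's DNS anti-spoofing exchange. The guard answers an unverified UDP query with the question echoed back and TC=1, a genuine resolver retries over TCP/53, and completing that handshake authenticates the source IP for its later UDP queries. The query builder and the per-IP state table are constructed for the demo.

```python
import struct

def build_query(qid, name, qtype=1):
    """Constructed minimal DNS query: 12-byte header with RD set plus one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(pkt):
    """Return (id, qr, tc) from a DNS header."""
    qid, flags = struct.unpack("!HH", pkt[:4])
    return qid, bool(flags & 0x8000), bool(flags & 0x0200)

def truncated_reply(query):
    """The guard's answer to an unverified UDP query: the question echoed back with
    QR=1 and TC=1 and no answer records. A real resolver retries over TCP/53; a
    spoofed source never sees the reply and never completes a TCP handshake."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | 0x0200 | (flags & 0x0100)       # QR | TC | keep RD as sent
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0) + query[12:]

class DnsAntiSpoof:
    """Per-source authentication state, following the exchange on slide 30."""
    def __init__(self):
        self.authenticated = set()

    def on_udp_query(self, src_ip, query):
        if src_ip in self.authenticated:
            return "forward", query           # repeated IP: UDP passes straight to the target
        return "reply", truncated_reply(query)

    def on_tcp_query(self, src_ip, query):
        # Reaching here means src_ip completed the three-way handshake, so it is not spoofed.
        self.authenticated.add(src_ip)
        return "forward", query
```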
Slide 31: Anomaly Detection Against Non-Spoofed Attacks
- Extensive profiling
  – Hundreds of anomaly sensors per victim
  – For global, proxies, discovered top sources, typical source, ...
- Auto discovery and profiling of services
  – Automatically detects HTTP proxies and maintains specific profiles
  – Learns individual profiles for top sources, separate from the composite profile
- Depth of profiles
  – PPS rates
  – Ratios, e.g. SYNs to FINs
  – Connection counts by status
  – Protocol validity, e.g. DNS queries
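Added example (not the Guard's own algorithm): two of the sensors named on the slide, packet rate and the SYN:FIN ratio, learned from clean windows and then checked against a flash crowd and a SYN flood. The fixed threshold multiple and the sampled flag sequences are constructed for the demo; the point is that a volume increase with well-formed sessions does not trip the ratio sensor, while a SYN flood trips both.

```python
from collections import Counter

def window_stats(flags, seconds):
    """Per-window sensors: packet rate and the SYN:FIN ratio.
    `flags` holds one TCP flag letter per sampled packet ('S', 'F', 'A', ...)."""
    c = Counter(flags)
    return {"pps": len(flags) / seconds, "syn_fin": c["S"] / max(c["F"], 1)}

class Profile:
    """Learns a per-sensor baseline from clean windows, then flags windows that
    exceed it by `factor`. Thresholding by a fixed multiple is a constructed
    simplification of the product's profiling."""
    def __init__(self, factor=3.0):
        self.factor = factor
        self.baseline = {}

    def learn(self, windows):
        for stats in windows:
            for sensor, value in stats.items():
                self.baseline[sensor] = max(self.baseline.get(sensor, 0.0), value)

    def anomalies(self, stats):
        return sorted(s for s, v in stats.items() if v > self.baseline[s] * self.factor)

# Constructed samples: 10-second windows of sampled TCP flags for one victim.
NORMAL = ["S"] * 100 + ["F"] * 95 + ["A"] * 800
FLASH_CROWD = ["S"] * 250 + ["F"] * 245 + ["A"] * 2000   # busier, but sessions still complete
SYN_FLOOD = ["S"] * 5000 + ["F"] * 50 + ["A"] * 500     # SYNs with almost no matching FINs

def demo():
    p = Profile()
    p.learn([window_stats(NORMAL, 10)] * 3)
    return {
        "flash_crowd": p.anomalies(window_stats(FLASH_CROWD, 10)),
        "syn_flood": p.anomalies(window_stats(SYN_FLOOD, 10)),
    }
```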
Slide 32: Performance
- Wire speed requirement ... GigE = 1.48 million pps
- Avoid copying
- Avoid interrupts/system calls
- Limit the number of memory accesses
- PCI bottleneck
- DDoS NIC accelerator
Slide 33: Cosmo board
- Replaces the NIC
- Handles the data path
- Based on the Broadcom BCM1250 integrated processor
Slide 34: BCM1250
- Budget: ~500 cycles per packet (a memory access costs 90 cycles)
Slide 35: More performance – clustering
(Diagram: ISP upstream, a load-leveling router, a mitigation cluster of Riverhead Guards, and the customer switches.)
Slide 36: Managed DDoS Services – Cisco Powered Providers
Largest carriers offering "clean pipes" services to F500 enterprises:
- AT&T Internet Protect – DDoS Defense Option for Internet Protect
- IP Defender
- IP Guardian
- and many others
Full managed services offered:
- Service agreement and multiyear contract typical
- Gigabit+ dedicated capacity with shared overage
- Customized policies
- Part of a managed security services portfolio
Slide 37: Managed DDoS Services – Cisco Powered Providers
Managed hosting providers are offering DDoS protected services:
- PrevenTier DDoS Mitigation Service
- SureArmour DDoS Protection service
- and many others
Protection offered with hosting:
- A la carte option, bundled with premium services or included with hosting
- Capacity matched to hosting
- Standardized or customized policies
- Service and attack reporting
Slide 38: Comments: dtouitou@cisco.com
THANK YOU!