111 © 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04 Protection On-Demand: Ensuring Resource Availability Dan Touitou


Slide 1: Protection On-Demand: Ensuring Resource Availability. Dan Touitou, dtouitou@cisco.com

Slide 2: Agenda
– The Growing DDoS Challenge
– Existing Solutions
– Our Approach
– Technical Overview

Slide 3: How do DDoS Attacks Start?
Diagram labels: DNS, Email, 'Zombies'
– Innocent PCs and servers turn into 'Zombies'

Slide 4: The Effects of DDoS Attacks
– Server-level DDoS attacks
– Bandwidth-level DDoS attacks
– Infrastructure-level DDoS attacks (DNS, Email)
– Attack zombies: massively distributed, spoof source IP, use valid protocols

Slide 5: Attacks, examples
– SYN attack: a huge number of crafted, spoofed TCP SYN packets fills up the "connection queue"; denial of TCP service
– HTTP attacks: attackers send a lot of "legitimate" HTTP requests

Slide 6: A few of the Latest High Profile Attacks
– Payment gateways, extortion (on the news): Authorize.net, PSIGateway, Worldpay, 2checkout
– Online brokerage firms (confidential)
– Commercial banks (confidential)
– Mydoom worm: Microsoft, SCO, Yahoo, Lycos, Google
– Doubleclick: DNS servers
– Akamai: DNS servers
– Online gambling sites: extortion
– Many others, but most companies will not want the world to know that they were attacked

Slide 7: Case Study, A Merchant Bank
– Customer uses two of the leading IXCs as upstream providers
– Customer was under attack for a week (third week of April)
– Both carriers failed to provide a stable solution
– The case was escalated by the bank's CEO to the vendors' "C" level
– After a week, one of the carriers installed a Guard and stopped the attack in 10 minutes
– The other carrier deployed a Guard for the bank the following day
– Attack statistics: 1.1 Gbps malicious traffic; 0.008 Gbps (8 Mbps) legitimate traffic

Slide 8: Distributed Denial of Service Attacks
– DDoS is often driven by financial motivation: DoS for hire, economically driven, politically driven, cyber terrorism
– DDoS cannot be ignored; modern business depends on effective handling of attacks

Slide 9: Extortion Process
– Target enterprise gets an attack to prove the attackers' capabilities
– Typically followed by a demand to transfer about $10,000 at a time to a European bank account; the extorter can withdraw the money at an ATM without showing his face in the bank
– Attackers use over 100K PCs
– Latest attacks were 2–3 Gbps
– The attackers can change the attack type very quickly (change protocol, change target, etc.)

Slide 10: Attack Evolution: Stronger and More Widespread
Two scaling dimensions: scale of attacks and sophistication of attacks
– Past: non-essential protocols (e.g. ICMP), 100s of sources, 10Ks packets/sec
– Present: spoofed, 10Ks of zombies, 100Ks packets/sec
– Emerging: essential protocols, 100Ks of zombies, million+ packets/sec, compound and morphing

Slide 11: Existing Solutions

Slide 12: SYN Cookies, how it works
Message flow between Source, Guard and Target:
– Source to Guard: syn(isn#)
– Guard to Source: synack(cky#, isn#+1), WS=0 (stateless part)
– Source to Guard: ack(cky#+1)
– Guard to Target: syn(isn#)
– Target to Guard: synack(isn'#, isn#+1)
– Guard to Target: ack(isn'#+1), WS<>0
– State created only for authenticated connections
– Sequence # adaptation for the rest of the connection
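Added illustration, not code from the presentation: a Python model of the slide's flow. The cookie is computed as an HMAC over the 4-tuple, a time tick and a constructed secret (the Guard's real cookie function is not given on the slide), and the sequence-number adaptation is the delta the Guard must apply once it has opened its own connection to the target.

```python
import hmac, hashlib

MASK = 0xFFFFFFFF
SECRET = b"constructed-guard-secret"   # constructed; a real Guard would rotate its secret

def syn_cookie(src, sport, dst, dport, tick):
    """Stateless cookie: a 32-bit ISN derived from the 4-tuple, a time tick and a secret."""
    msg = f"{src}:{sport}>{dst}:{dport}@{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class SynCookieGuard:
    """Proxies the handshake; keeps per-connection state only after the cookie comes back."""
    def __init__(self):
        self.delta = {}   # 4-tuple -> (target ISN' - cky), used for sequence adaptation

    def on_syn(self, src, sport, dst, dport, isn, tick):
        cky = syn_cookie(src, sport, dst, dport, tick)
        # The SYN-ACK is derived from the cookie alone: nothing is stored for a spoofed SYN.
        return {"seq": cky, "ack": (isn + 1) & MASK, "ws": 0}

    def on_ack(self, src, sport, dst, dport, ack, tick):
        """Return the cookie if the ACK proves the source saw our SYN-ACK, else None."""
        for t in (tick, tick - 1):                 # tolerate one tick of clock drift
            cky = syn_cookie(src, sport, dst, dport, t)
            if ack == ((cky + 1) & MASK):
                return cky
        return None

    def on_target_synack(self, key, cky, target_isn):
        # The Guard finished its own handshake with the target; remember the ISN gap.
        self.delta[key] = (target_isn - cky) & MASK

    def seq_to_source(self, key, seq):           # target -> source direction
        return (seq - self.delta[key]) & MASK

    def ack_to_target(self, key, ack):           # source -> target direction
        return (ack + self.delta[key]) & MASK

def demo():
    """Constructed exchange: a genuine client completes, a wrong cookie is rejected."""
    g = SynCookieGuard()
    key = ("198.51.100.7", 40000, "203.0.113.10", 80)
    synack = g.on_syn(*key, isn=1000, tick=5)
    cky = g.on_ack(*key, ack=(synack["seq"] + 1) & MASK, tick=5)    # genuine client
    g.on_target_synack(key, cky, target_isn=777000)                 # target's real ISN'
    bogus = g.on_ack(*key, ack=(synack["seq"] + 2) & MASK, tick=5)  # never saw the SYN-ACK
    return {"cookie_ok": cky == synack["seq"], "bogus_rejected": bogus is None,
            "state_entries": len(g.delta),
            "first_data_seq_seen_by_source": g.seq_to_source(key, 777001)}
```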

Slide 13: Blackholing
Diagram labels: Server1, Victim, Server2, routers R1 to R5, 1000, FE peering, 100
– = Disconnecting the customer

Slide 14: At the Edge / Firewall/IPS
Diagram labels as on slide 13
– Easy to choke
– Point of failure
– Not scalable

Slide 15: At the Backbone
Diagram labels as on slide 13
– Throughput
– Point of failure
– Not scalable

Slide 16: Cisco Solution

Slide 17: Dynamic Diversion Architecture
– 1. Detect (Detector XT, or Cisco IDS, Arbor Peakflow)
– 2. Activate: auto/manual
– 3. Divert only the target's traffic (Guard XT, BGP announcement); non-targeted servers are not diverted

Slide 18: Dynamic Diversion Architecture (continued)
– 4. Identify and filter the malicious traffic destined to the target
– 5. Forward the legitimate traffic to the target
– 6. Non-targeted traffic flows freely

Slide 19: Technical overview
– Diversion/Injection
– Anti-Spoofing
– Anomaly Detection
– Performance Issues

Slide 20: Diversion
How to "steal" traffic without creating loops?

Slide 21: Diversion, one example: L3 next hop
– BGP diversion: announce a longer prefix from the Guard, with the no-export and no-advertise communities
– Injection: send directly to the next L3 device

Slide 22: Diversion, L3 next hop application
Diagram labels: Router, Switch, Firewall, Internal network, ISP 1, ISP 2, GEthernet, Guard XT, Switch, DNS Servers, Web, Chat, E-mail, etc., Web console, Riverhead Detector XT, Target, Alert

Slide 23: Diversion, one example: injecting with tunnels
– BGP diversion: announce a longer prefix from the Guard, with the no-export and no-advertise communities
– Injection: send directly to the next L3 device
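Added illustration, not from the presentation: a small longest-prefix-match simulation of slides 20 to 23, with constructed router names, addresses and routes. It shows why the Guard's more specific announcement pulls only the victim's traffic, and why cleaned traffic must be injected straight to the next L3 device instead of being routed normally.

```python
import ipaddress

class Fib:
    """Longest-prefix-match forwarding table of one router (constructed example)."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]

def forward(start, fibs, dst, injection=None, max_hops=8):
    """Walk a packet hop by hop; return the path, or "LOOP" if it never reaches the servers."""
    path = [start]
    while path[-1] != "servers":
        node = path[-1]
        if node == "guard" and injection:
            nh = injection        # injection: skip the FIB, hand straight to the next L3 device
        else:
            nh = fibs[node].next_hop(dst)
        path.append(nh)
        if len(path) > max_hops:
            return "LOOP"
    return path

# Normal state: the edge router sends the whole customer /24 to the customer's L3 device.
NORMAL = {"edge": Fib([("203.0.113.0/24", "R_cust")]),
          "R_cust": Fib([("203.0.113.0/24", "servers")])}

# Under diversion the Guard announces the victim's /32 to the edge router over BGP
# (tagged no-export/no-advertise, so the more specific route stays on that router).
# The Guard's own table holds only a default route back to the edge router.
DIVERTED = {"edge": Fib([("203.0.113.0/24", "R_cust"), ("203.0.113.5/32", "guard")]),
            "guard": Fib([("0.0.0.0/0", "edge")]),
            "R_cust": Fib([("203.0.113.0/24", "servers")])}

def path_normal():
    return forward("edge", NORMAL, "203.0.113.5")

def path_diverted_no_injection():
    # Cleaned traffic follows the Guard's default route back to the edge router, which
    # matches the /32 again and returns it to the Guard: the loop slide 20 asks about.
    return forward("edge", DIVERTED, "203.0.113.5")

def path_diverted_with_injection():
    # Injection: the Guard delivers directly to the next L3 device (static route or tunnel).
    return forward("edge", DIVERTED, "203.0.113.5", injection="R_cust")

def path_non_target():
    # A neighbouring host in the same /24 is never diverted; only the victim's /32 is.
    return forward("edge", DIVERTED, "203.0.113.9")
```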

Slide 24: Diversion, one example: long distance diversion
Diagram label: 61.1.1.1

Slide 25: Filtering bad traffic
– Anti-Spoofing
– Anomaly detection
– Performance

Slide 26: Guard Architecture, high level
Blocks shown across the data plane and the control and analysis plane: Rate Limiter, Sampler, Flex Filter, Bypass Filter, Classifier (static and dynamic filters), Anti-Spoofing Modules, Analysis (Basic, Strong), Anomaly Recognition Engine, Connections and Authenticated Clients, Policy Database, Insert filters, Drop Packets, AS Replies, Management

Slide 27: Anti-spoofing
Unidirectional...

Slide 28: Anti-Spoofing Defense, one example: HTTP
– Antispoofing only when under attack
– Authenticate source on initial query
– Subsequent queries verified
Message flow between Source, Guard and Target:
– 1. SYN cookie algorithm: Source syn(isn#); Guard synack(cky#, isn#+1); Source ack(isn#+1, cky#)
– 2. Redirect request: Source GET uri; Guard redirects to the same URI
– 3. Close connection: fin
– Client authenticated

Slide 29: RST cookies, how it works
Message flow between Source, Guard and Target:
– Source to Guard: syn(isn#)
– Guard to Source: ack(, cky#)
– Source to Guard: rst(cky)
– Client authenticated; the next syn(isn#) from the Source goes to the Target
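Added illustration, not from the presentation: a Python model of the RST cookie exchange. The cookie function, secret and addresses are constructed; the client's behaviour is the RFC 793 rule for a host in SYN-SENT that receives an unacceptable ACK, and the spoofed-source scenario assumes no RST comes back from the forged address.

```python
import hmac, hashlib

SECRET = b"constructed-guard-secret"   # constructed; a real Guard would rotate its secret

def rst_cookie(src, sport, dst, dport, tick):
    """32-bit cookie bound to the 4-tuple, a time tick and the secret (no state kept)."""
    msg = f"{src}:{sport}>{dst}:{dport}@{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class RstCookieGuard:
    """Authenticates a source IP by the RST a real TCP stack returns to an unexpected ACK."""
    def __init__(self):
        self.authenticated = set()

    def on_syn(self, src, sport, dst, dport, isn, tick):
        if src in self.authenticated:
            return ("pass_to_target", isn)       # retransmitted SYN flows to the target
        # Answer the SYN with a bare ACK whose acknowledgement number is the cookie.
        # RFC 793: a host in SYN-SENT that gets an unacceptable ACK sends <SEQ=SEG.ACK><CTL=RST>,
        # so only the host that really owns this address can send back rst(cky).
        return ("ack", rst_cookie(src, sport, dst, dport, tick))

    def on_rst(self, src, sport, dst, dport, seq, tick):
        for t in (tick, tick - 1):               # tolerate one tick of drift
            if seq == rst_cookie(src, sport, dst, dport, t):
                self.authenticated.add(src)
                return True
        return False                             # not our cookie: ignore it

def real_host_reaction(sent_syn, ack_segment):
    """Constructed model of a real stack in SYN-SENT: unacceptable ACK -> RST with seq = that ack."""
    return ("rst", ack_segment[1]) if sent_syn else None

def demo():
    g = RstCookieGuard()
    key = ("198.51.100.7", 40000, "203.0.113.10", 80)
    challenge = g.on_syn(*key, isn=1000, tick=5)           # ("ack", cky)
    rst = real_host_reaction(True, challenge)               # the client really sent the SYN
    verified = g.on_rst(*key, seq=rst[1], tick=5)
    retry = g.on_syn(*key, isn=1000, tick=6)                # the client's SYN retransmission
    spoofed = ("192.0.2.44", 1234, "203.0.113.10", 80)
    g.on_syn(*spoofed, isn=77, tick=5)                      # challenge goes to the forged address
    forged = g.on_rst(*spoofed, seq=12345, tick=5)          # a guessed RST without the cookie
    again = g.on_syn(*spoofed, isn=77, tick=6)              # still challenged, never passed
    return {"verified": verified, "retry": retry[0], "forged_accepted": forged,
            "spoofed_retry": again[0], "authenticated": sorted(g.authenticated)}
```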

Slide 30: Anti-Spoofing Defense, one example: DNS Client-Resolver (over UDP)
– Antispoofing only when under attack
– Authenticate source on initial query
– Subsequent queries verified
Message flow between Client, Guard and Target:
– Client to Guard: Ab.com rqst UDP/53
– Guard to Client: Ab.com reply TC=1
– Client to Guard: syn; Guard to Client: synack; Client to Guard: ack
– Client to Guard: Ab.com rqst TCP/53; Reply
– Authenticated IP: Ab.com rqst UDP/53; Reply (repeated IP, UDP)
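Added illustration, not from the presentation, covering both slide 28 (HTTP redirect to the same URI) and slide 30 (DNS reply with TC=1): one authenticated-source table shared by the two protocol handlers, with constructed addresses, URIs and names. The TCP handshake itself is assumed to be protected by SYN cookies already, so a spoofed source never reaches the HTTP step and never completes the TCP retry for DNS.

```python
class AntiSpoofGuard:
    """Per-source authentication, applied only while the target is under attack."""
    def __init__(self, under_attack=True):
        self.under_attack = under_attack
        self.authenticated = set()   # source IPs that proved they really receive our replies
        self.pending = {}            # source IP -> challenge we expect it to answer

    # HTTP: redirect the first request to the same URI and close; forward once it comes back.
    def http(self, src, uri):
        if not self.under_attack or src in self.authenticated:
            return ("forward", uri)
        if self.pending.get(src) == ("http", uri):     # the client followed our redirect
            self.authenticated.add(src)
            self.pending.pop(src)
            return ("forward", uri)
        self.pending[src] = ("http", uri)
        return ("302", uri)          # Location: the same URI; the Guard then sends FIN

    # DNS: answer the first UDP query with TC=1 so the resolver retries over TCP.
    def dns(self, src, transport, qname):
        if not self.under_attack or src in self.authenticated:
            return ("forward", qname)
        if transport == "tcp":
            # A completed TCP handshake (SYN cookie) already proves the source is real.
            self.authenticated.add(src)
            self.pending.pop(src, None)
            return ("forward", qname)
        self.pending[src] = ("dns", qname)
        return ("reply TC=1", qname)

def demo():
    """Constructed exchange: a browser, a resolver and a spoofed source under attack."""
    g = AntiSpoofGuard()
    client, spoofed, resolver = "198.51.100.7", "192.0.2.44", "198.51.100.53"
    http_trace = [g.http(client, "/index.html"),   # challenge: 302 to the same URI
                  g.http(client, "/index.html"),   # browser follows it: forwarded
                  g.http(client, "/cart"),         # already authenticated
                  g.http(spoofed, "/index.html")]  # spoofed source never sees the 302
    dns_trace = [g.dns(resolver, "udp", "ab.com"),  # TC=1 forces a retry over TCP
                 g.dns(resolver, "tcp", "ab.com"),  # TCP completed: forward, remember the IP
                 g.dns(resolver, "udp", "ab.com"),  # later UDP queries pass (repeated IP)
                 g.dns(spoofed, "udp", "ab.com")]   # spoofed UDP source stays unverified
    return {"http": http_trace, "dns": dns_trace, "authenticated": sorted(g.authenticated)}
```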

Slide 31: Anomaly Detection Against Non-Spoofed Attacks
– Extensive profiling: hundreds of anomaly sensors per victim, for global, proxies, discovered top sources, typical source, ...
– Auto discovery and profiling of services
– Automatically detects HTTP proxies and maintains specific profiles
– Learns individual profiles for top sources, separate from the composite profile
– Depth of profiles: PPS rates; ratios, e.g. SYNs to FINs; connection counts by status; protocol validity, e.g. DNS queries
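Added illustration, not from the presentation: a minimal version of three of the sensor kinds listed on the slide (PPS rate, SYN-to-FIN ratio, DNS query validity), learned from a constructed peacetime profile and run over constructed per-second counters. The factor-of-three threshold is an assumption, not the Guard's rule.

```python
class Profile:
    """Peacetime baseline for one victim (the composite profile) or one top source."""
    def __init__(self):
        self.pps, self.syn_fin = [], []

    def learn(self, c):
        """c: counters for one second, e.g. {"pps": 900, "syn": 40, "fin": 38}."""
        self.pps.append(c["pps"])
        self.syn_fin.append(c["syn"] / max(c["fin"], 1))

    def thresholds(self, factor=3.0):
        # Constructed rule: fire when a value exceeds the learned maximum by a factor.
        return {"pps": factor * max(self.pps), "syn_fin": factor * max(self.syn_fin)}

def sensors(profile, c):
    """Names of the sensors that fire for one second of counters against a profile."""
    t = profile.thresholds()
    fired = []
    if c["pps"] > t["pps"]:
        fired.append("pps")
    if c["syn"] / max(c["fin"], 1) > t["syn_fin"]:
        fired.append("syn_to_fin")
    return fired

def dns_query_valid(pkt):
    """Protocol-validity sensor: a DNS query needs a header, QR=0, opcode 0, one question."""
    if len(pkt) < 12:
        return False
    flags = int.from_bytes(pkt[2:4], "big")
    qdcount = int.from_bytes(pkt[4:6], "big")
    return (flags >> 15) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount == 1

def demo():
    """Constructed counters: three quiet seconds to learn, then three seconds to classify."""
    victim = Profile()
    for c in ({"pps": 900, "syn": 40, "fin": 38}, {"pps": 1200, "syn": 55, "fin": 50},
              {"pps": 1000, "syn": 48, "fin": 47}):
        victim.learn(c)
    quiet = sensors(victim, {"pps": 1100, "syn": 50, "fin": 49})
    syn_flood = sensors(victim, {"pps": 200000, "syn": 150000, "fin": 60})  # SYNs never closed
    http_flood = sensors(victim, {"pps": 6000, "syn": 300, "fin": 290})     # ratio normal, rate not
    good_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x02ab\x03com\x00\x00\x01\x00\x01")                 # ab.com, type A, class IN
    bad_query = b"\x12\x34\x81\x80\x00\x00\x00\x00\x00\x00\x00\x00"     # response flags, no question
    return {"quiet": quiet, "syn_flood": syn_flood, "http_flood": http_flood,
            "good_dns": dns_query_valid(good_query), "bad_dns": dns_query_valid(bad_query)}
```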

Slide 32: Performance
– Wire speed requirement: GigE = 1.48 million pps
– Avoid copying
– Avoid interrupts/system calls
– Limit the number of memory accesses
– PCI bottleneck
– DDoS NIC accelerator

Slide 33: Cosmo board
– Replaces the NIC
– Handles the data path
– Based on the Broadcom BCM1250 integrated processor

Slide 34: BCM1250
– Budget: ~500 cycles per packet (memory access 90 cycles)
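Added worked derivation (not on the slides) of the wire-speed figure on slide 32 and what the per-packet budget on slide 34 implies; the processor clock is not stated on the slides and is derived here, not quoted.

Smallest Ethernet frame as it occupies the wire (64 byte frame, 8 byte preamble and SFD, 12 byte inter-frame gap):

$$84\ \text{B} \times 8 = 672\ \text{bit}$$

$$R_{\max} = \frac{10^{9}\ \text{bit/s}}{672\ \text{bit}} \approx 1.488 \times 10^{6}\ \text{pps}, \qquad t_{\text{pkt}} = \frac{1}{R_{\max}} = 672\ \text{ns}$$

A budget of 500 cycles per packet at that rate requires

$$500\ \frac{\text{cycles}}{\text{pkt}} \times 1.488 \times 10^{6}\ \frac{\text{pkt}}{\text{s}} \approx 7.44 \times 10^{8}\ \text{cycles/s},$$

i.e. about 744 MHz of cycles on the packet path, and with 90 cycles per memory access

$$\left\lfloor \frac{500}{90} \right\rfloor = 5$$

cache-missing memory accesses per packet already exhaust the budget, which is why the slide insists on limiting memory accesses and avoiding copies.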

Slide 35: More performance: clustering
Diagram labels: ISP upstream, load-leveling router, Riverhead Guards forming a mitigation cluster, customer switches

Slide 36: Managed DDoS Services, Cisco Powered Providers
Largest carriers offering "clean pipes" services to F500 enterprises: AT&T Internet Protect (DDoS Defense Option for Internet Protect), IP Defender, IP Guardian and many others
Full managed services offered:
– Service agreement and multiyear contract typical
– Gigabit+ dedicated capacity with shared overage
– Customized policies
– Part of a managed security services portfolio

Slide 37: Managed DDoS Services, Cisco Powered Providers (continued)
Managed hosting providers are offering DDoS protected services: PrevenTier DDoS Mitigation Service, SureArmour DDoS Protection service and many others
Protection offered with hosting:
– A la carte option, bundled with premium services or included with hosting
– Capacity matched to hosting
– Standardized or customized policies
– Service and attack reporting

Slide 38: Comments: dtouitou@cisco.com. THANK YOU!

