Transcript: Recent DDoS attack trends
Slide 1: Network-wide solution for large-volume DDoS attacks
Presenter: 郭庆 (Guo Qing)
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 2: Agenda
– Recent DDoS attack trends
– Key points for deploying a network-wide DDoS mitigation solution
– Device selection
– Other

Slide 3: Recent DDoS attack trends (section divider)

Slide 4: Recent DDoS attack trends
Analysis of the main attacks
– Previously the dominant DDoS was TCP SYN based; recently it has shifted to very large-volume attacks built on ICMP flooding, UDP flooding and IP fragments (in recent attacks on IDCs, a single IP has received more than 10 Gbit/s of attack traffic).
Scope of impact
– The earlier TCP SYN attacks carried relatively little traffic and mainly affected the user's own host or network. Today's very large-volume attacks affect the basic infrastructure of the metropolitan area network (MAN) itself: trunk links from the national backbone to the MAN are cut, line cards forward abnormally, and trunks inside the MAN become congested. The victims are not only the targeted users but a considerable number of other users as well.
– MAN broadband users are heavily attacked, mainly IDCs and internet cafes; recently attacks have even appeared against ordinary broadband dial-up users.

Slide 5: Scene of a DDoS attack dominated by UDP port 80 (figure)

Slide 6: Scene of a DDoS attack dominated by fragments (figure)

Slide 7: Scene of a mixed ICMP flood + SYN flood attack (figure)

Slide 8: Key points for deploying a network-wide DDoS mitigation solution (section divider)

Slide 9: The "flood discharge" principle of DDoS mitigation: the upstream does its utmost to keep the downstream levees safe
• Early-warning capability (Bornet, SuperWarm)
• Ability to classify customer services into tiers and treat them differently
• Ability to produce after-the-fact analysis reports, raising customer satisfaction

Slide 10: Key points for deploying network-wide DDoS scrubbing centres (figure)
Diagram elements: backbone network; ISP ASBR (inter-network router); Guard scrubbing centres; MAN egress scrubbing centre; CE; Detector; VIP major customers; DNS, Radius and SIP servers; internet cafes and other broadband users; MAN; DDN; IDC scrubbing centre; IDC.
– Inter-network deployment: controls the cost of abnormal inter-network traffic
– Backbone deployment: relieves pressure on the MAN egress
– MAN deployment: protects VIP customers, internet cafes, leased-line users and the bandwidth at the IDC egress
– IDC deployment: protects the continuous operation of hosted servers' services
– DDoS detection deployment: NetFlow on the wide-area network; Detector deployed at the MSS/IDC
– All of the above can provide dedicated protection for DNS, Radius and SIP servers

Slide 11: Handling flow for large-volume DDoS (figure)

Slide 12: Device selection (section divider)
Slide 13: Standalone appliance
– Dual Xeon 3 GHz CPUs plus a dedicated DDoS processing board and chips (Dual Xeon 3G Processor, Alone DDOS Chips)
Notes on Cat6K / 7600 line cards
– Sup720 recommended; Sup32 not supported; Sup2 supported but not recommended
– Cat6k IOS support: 12.2(18)SXD3 or later
– 7600 IOS support: 12.2(18)SXE or later
– The front panel has a Reset button. After a reboot, run "sh mod" and wait until the software version is displayed before you session into the slot.

Slide 14: Flagship module: dedicated DDoS processor (figure)
Diagram elements: Simpson daughter card; Komodo plus base board.

Slide 15: Module logical connection diagram (figure)
Diagram elements: Komodo+/Simpson card with Complex #0, Complex #1 and Complex #2; card ports eth 0, eth 1 and eth 2; Sup2 / 3; data path over GI<slot#>/1 and GI<slot#>/2; management path over GI<slot#>/3 (PC); internal address 127.0.0.<slot#>1.

Slide 16: Anomaly Guard Module packet flow (figure)
Diagram elements: Supervisor 2/SFM or Supervisor 720 with routing table, master FIB table and R(x)000 CPU; crossbar fabric; Medusa; input line card; output line card; Anomaly Guard Module; Cisco Catalyst 6000 32 Gbps bus; flow steps numbered 1 to 5.

Slide 17: Other (section divider)

Slide 18: Measured line-rate report of the device with 64-byte DDoS packets (figure)
Slide 19: Clean Pipe case studies
(The "Implementation date" column of this table is empty in the transcript.)

#   Customer                                          Deployment summary
1   中国银行 (Bank of China)                          Two sets of Guard / Detector, protecting online banking
2   河北网通 (Hebei Netcom)                           Two sets of Guard / Detector, protecting MAN and IDC services
3   辽宁网通 (Liaoning Netcom)                        Two sets of Cisco 7609 / AGM modules, protecting MAN security
4   深圳电信/深圳网通 (Shenzhen Telecom / Netcom)     1 Guard, inline DDoS protection for key banking customers
5   湛江电信 (Zhanjiang Telecom)                      1 Guard, protecting IDC websites
6   北京电信/北京网通 (Beijing Telecom / Netcom)      1 Guard, protecting IDC websites
7   广东电信 (Guangdong Telecom)                      2 AGM and 6 Detector, protecting the MAN backbone
8   云南电信 (Yunnan Telecom)                         1 AGM and Detector, protecting the MAN backbone
9   黑龙江网通 (Heilongjiang Netcom)                  2 AGM and Detector, protecting Harbin IDC services
10  江西移动 (Jiangxi Mobile)                         1 Guard / Detector, protecting the BOSS and DCN networks
11  福建电信 (Fujian Telecom)                         Cisco 7609 / AGM module, protecting DNS, authentication and other key services
12  吉林网通 (Jilin Netcom)                           Cisco 7609 / AGM module, protecting the MAN against DDoS attacks
13  河南移动 (Henan Mobile)                           Two sets of Guard XT / Detector, protecting DCN / BOSS against attacks
14  大连网通 (Dalian Netcom)                          4 Guard XT / 2 Detector, protecting MAN / IDC against attacks
15  重庆电信 (Chongqing Telecom)                      1 Guard XT / 2 Detector, backbone deployment protecting internet cafes
16  腾讯QQ (Tencent QQ)                               1 Guard XT / 2 Detector, protecting DNS / chat against attacks

Slide 20: Managed DDoS Service Providers
Table columns: Provider; Service; Deployment; Detection / DDoS defense option.
(The row alignment is not recoverable from the transcript; the cell contents are listed per column in the order they appear.)
Providers: AT&T, Sprint, Verizon, BT, Savvis, Broadwing, Qwest
Services: Internet Protect managed services; IP Defender managed service; DDoS Attack Mitigation Service; DDoS Peering Point Protection; PrevenTier DDoS Mitigation service; SureArmour DDoS protection service
Deployments: Managed Network DDoS Protection Service (four entries); Peering Edge DDoS Protection Service; Managed Hosting DDoS Protection Service (two entries)
Detection / defense options: NetFlow + Arbor Peakflow SP + Guard; Detector + Guard; Detector + Guard; NetFlow + Arbor Peakflow SP + Guard; Arbor Peakflow SP + NetFlow; Detector + Guard; Detector + Guard

Slide 21: AT&T - Internet Protect (figure)

Slide 22: Sprint – IP Defender (figure)

Slide 23: Cable&Wireless – Secure Internet Gateway (figure)
Slide 24: MCI – DDoS Defense Detection & Mitigation (figure)

Slide 25: SAVVIS – Network based DDoS Mitigation Service (figure)

Slide 26: NTT – DDoS Attack Protection Service (figure)

Slide 27: IIJ – DDoS Protect System (figure)

Slide 28: URLs
– AT&T: Internet Protect w/ DDoS Mitigation: http://www.business.att.com/service_fam_overview.jsp?repoid=ProductSubCategory&repoitem=eb_internet_protect&serv_port=eb_security&serv_fam=eb_internet_protect&
– Sprint: Sprint IP Defender: http://www.sprint.com/business/products/products/ipDefender_tabC.html
– MCI: WAN Defense: http://global.mci.com/us/enterprise/security/managed/wan/
– SAVVIS: DDoS mitigation: http://www4.savvis.net/NR/rdonlyres/FE2C21FF-9D3E-4233-9DEB16A952FE5A17/9908/DDOSMitigation.pdf
– NTT COM - Verio: http://www.ntt.net/products/ddos/index.html
– IIJ: http://www.iij.ad.jp/solution/sec-sol/ddos.html

Slide 29: Guards and Detector in Telstra's (figure)

Slide 30: (blank)
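The deck describes the detection stage (NetFlow on the wide-area network, Detector at the MSS/IDC), the attack vectors that now dominate (ICMP flood, UDP flood, fragments, with TCP SYN in the mix) and the need to treat customer tiers differently before diverting a victim to a Guard scrubbing centre. The following is an added illustration of that decision logic, not Cisco code and not the Detector's algorithm: it aggregates constructed NetFlow-style records per destination over a one-minute window, names the dominant vector by byte share, and applies a lower trigger to VIP customers. The record layout, the thresholds, the tier map and the sample flows are all assumptions; the fragment flag assumes an exporter template that reports the fragment offset.

```python
"""Per-destination volumetric DDoS flagging over NetFlow-style records.

Added illustration, not Cisco code. It models the detection stage of the
deck with the vector families from slide 4 (TCP SYN, ICMP, UDP, fragments)
and the customer tiering from slide 9. Record layout, thresholds and sample
flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60            # aggregation window (assumption)
TIER_MBPS = {"vip": 200.0,     # VIP customers trigger at a lower rate (assumption)
             "standard": 1000.0}
TCP_SYN, TCP_ACK = 0x02, 0x10  # TCP flag bits as carried in NetFlow v5 tcp_flags


@dataclass
class Flow:
    src: str
    dst: str
    proto: int              # 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int
    packets: int
    nbytes: int
    tcp_flags: int = 0      # cumulative OR of the TCP flags seen in the flow
    fragment: bool = False  # exporter reported a non-zero fragment offset (assumption)


@dataclass
class Verdict:
    dst: str
    tier: str
    mbps: float
    pps: float
    vector: str     # dominant vector by byte share
    shares: dict    # vector -> fraction of bytes in the window
    action: str


def classify(flow: Flow) -> str:
    """Map one flow record to the vector families named on slide 4."""
    if flow.fragment:
        return "fragment"
    if flow.proto == 1:
        return "icmp"
    if flow.proto == 17:
        return "udp"
    if flow.proto == 6:
        syn_only = bool(flow.tcp_flags & TCP_SYN) and not flow.tcp_flags & TCP_ACK
        return "tcp_syn" if syn_only else "tcp_other"
    return "other"


def evaluate(flows, tiers, window=WINDOW_SECONDS):
    """Aggregate flows per destination and decide whether to divert to a Guard."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "vec": defaultdict(int)})
    for f in flows:
        agg = per_dst[f.dst]
        agg["bytes"] += f.nbytes
        agg["packets"] += f.packets
        agg["vec"][classify(f)] += f.nbytes
    verdicts = {}
    for dst, agg in per_dst.items():
        tier = tiers.get(dst, "standard")
        mbps = agg["bytes"] * 8 / window / 1e6
        pps = agg["packets"] / window
        shares = {v: b / agg["bytes"] for v, b in agg["vec"].items()}
        vector = max(shares, key=shares.get)
        # Diversion is the "flood discharge" step: the upstream Guard scrubs the
        # victim /32 so the downstream MAN and IDC trunks stay below capacity.
        action = (f"divert {dst}/32 to Guard scrubbing centre"
                  if mbps >= TIER_MBPS[tier] else "none")
        verdicts[dst] = Verdict(dst, tier, round(mbps, 1), round(pps, 1),
                                vector, shares, action)
    return verdicts


def build_sample_flows():
    """Constructed one-minute sample: a UDP/80 flood with fragments on an IDC
    host, an ICMP flood on a VIP host, and ordinary web traffic on a third."""
    flows = []
    # 500 spoofed sources hitting 203.0.113.10 on UDP/80; 150 of them fragmented
    for i in range(500):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "203.0.113.10", 17, 80,
                          packets=20_000, nbytes=20_000 * 1000, fragment=i < 150))
    # 150 sources sending ICMP at the VIP host 198.51.100.5
    for i in range(150):
        flows.append(Flow(f"198.19.0.{i}", "198.51.100.5", 1, 0,
                          packets=15_000, nbytes=15_000 * 1000))
    # ordinary completed TCP sessions to 192.0.2.7 (FIN|SYN|PSH|ACK seen)
    for i in range(10):
        flows.append(Flow(f"192.0.2.{100 + i}", "192.0.2.7", 6, 443,
                          packets=100, nbytes=100 * 800, tcp_flags=0x1B))
    return flows


def demo():
    tiers = {"198.51.100.5": "vip"}   # constructed VIP major customer
    return evaluate(build_sample_flows(), tiers)


if __name__ == "__main__":
    for v in demo().values():
        print(f"{v.dst:14} {v.tier:8} {v.mbps:8.1f} Mbit/s {v.pps:10.1f} pps "
              f"vector={v.vector:9} action={v.action}")
```

The tier map is what changes the outcome for the ICMP target: at 300 Mbit/s it is well under the standard trigger and would be left alone, but as a VIP customer it is diverted. The byte-share breakdown (here 70% plain UDP, 30% fragments on the IDC host) is the kind of per-vector view the after-the-fact report on slide 9 would carry.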