Recent DDoS attack trends

Network-wide solutions for high-volume DDoS attacks
Guo Qing (郭庆)
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Agenda
• Recent DDoS attack trends
• Key points for deploying network-wide DDoS mitigation
• Equipment selection
• Other
Recent DDoS attack trends
Recent DDoS attack trends

Analysis of the main attacks
– Previously the dominant attacks were TCP SYN-based DDoS; recently they have shifted to very-high-volume attacks based on ICMP flooding, UDP flooding and fragments (in recent attacks on IDCs, a single IP has received over 10G of attack traffic).

Scope of impact
– The earlier TCP SYN attacks carried relatively little traffic and mainly affected the user's own hosts or network. Today's very-high-volume attacks already affect the basic architecture of the metropolitan area network (MAN): trunks from the national backbone to the MAN go down, line cards forward abnormally, and trunks inside the MAN become congested. Those affected are not only the targeted user but also a considerable number of other users.
– Broadband users on the MAN are hit hard, mainly IDCs and internet cafés; recently attacks have even appeared against ordinary dial-up broadband users.
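As an added illustration (not from the deck), the detection logic below takes constructed NetFlow-style flow records and flags, per destination, the attack classes this slide names: UDP flood, ICMP flood, fragment flood and SYN flood. Volumetric classes are judged by bit rate and SYN floods by packet rate, reflecting the slide's point that SYN floods carry comparatively little traffic; the record layout, addresses, window and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed, simplified NetFlow-style records (not from the deck). Fields:
# (dst_ip, ip_proto, dst_port, tcp_flags, is_fragment, packets, bytes)
# ip_proto: 1 = ICMP, 6 = TCP, 17 = UDP; tcp_flags 0x02 = SYN only.
WINDOW_SEC = 60  # assumed export window the counters cover
FLOWS = [
    ("10.0.0.5", 17, 80, 0x00, False, 1_000_000, 900_000_000),  # UDP/80 flood
    ("10.0.0.5", 17, 80, 0x00, False, 1_000_000, 800_000_000),
    ("10.0.0.5", 1, 0, 0x00, False, 1_000_000, 900_000_000),    # ICMP flood, same victim
    ("10.0.0.7", 6, 443, 0x02, False, 3_000_000, 120_000_000),  # SYN-only: many small packets
    ("10.0.0.9", 17, 53, 0x00, True, 500_000, 700_000_000),     # fragment flood
    ("10.0.0.9", 17, 53, 0x00, True, 500_000, 700_000_000),
    ("10.0.0.20", 6, 443, 0x18, False, 10_000, 5_000_000),      # ordinary PSH/ACK traffic
]

def classify(ip_proto, tcp_flags, is_fragment):
    """Map one flow record to the attack classes the deck names."""
    if is_fragment:
        return "fragment"
    if ip_proto == 1:
        return "icmp"
    if ip_proto == 17:
        return "udp"
    if ip_proto == 6 and tcp_flags == 0x02:
        return "syn"
    return "other"

def rates_per_victim(flows, window_sec=WINDOW_SEC):
    """Return {dst_ip: {class: (mbps, kpps)}} summed over the window."""
    pkts, octets = defaultdict(int), defaultdict(int)
    for dst, proto, _port, flags, frag, n_pkts, n_bytes in flows:
        key = (dst, classify(proto, flags, frag))
        pkts[key] += n_pkts
        octets[key] += n_bytes
    out = defaultdict(dict)
    for (dst, cls), n_bytes in octets.items():
        out[dst][cls] = (n_bytes * 8 / window_sec / 1e6, pkts[(dst, cls)] / window_sec / 1e3)
    return out

def alerts(flows, volume_mbps=100.0, syn_kpps=20.0):
    """Volumetric classes are judged by bit rate, SYN floods by packet rate."""
    found = []
    for dst, classes in rates_per_victim(flows).items():
        for cls, (mbps, kpps) in classes.items():
            volumetric = cls in ("udp", "icmp", "fragment") and mbps >= volume_mbps
            if volumetric or (cls == "syn" and kpps >= syn_kpps):
                found.append((dst, cls, round(mbps, 1), round(kpps, 1)))
    return sorted(found)
```

Each alert tuple is (victim, class, Mbps, kpps), which is the per-customer view a scrubbing centre would need to decide whose traffic to divert.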
On-site view of a DDoS attack dominated by UDP port 80
On-site view of a DDoS attack dominated by fragments
On-site view of a mixed ICMP flood + SYN flood attack
Key points for deploying network-wide DDoS mitigation
DDoS flood-release principle – the upstream protects the safety of the downstream dykes
• Early-warning capability (Bornet, SuperWarm)
• Ability to treat customers differently by service tier
• Post-incident analysis reports to raise customer satisfaction
Key points for deploying network-wide DDoS scrubbing centres
(Diagram: backbone and ISP with ASBR inter-network routers and Guard scrubbing centres; MAN egress scrubbing centre; CE routers; Detectors; VIP customers; internet cafés and other broadband users; DDN; IDC with its own IDC scrubbing centre.)
– Inter-network deployment: controls the cost of abnormal inter-network traffic
– Backbone deployment: relieves pressure on MAN egress
– MAN deployment: protects bandwidth resources for VIP customers, internet cafés, leased-line users and IDC egress
– IDC deployment: keeps the services on hosted servers running continuously
– DDoS detection deployment: NetFlow on the WAN, Detectors deployed at the MSS/IDC
– All of these can provide dedicated protection for DNS, RADIUS and SIP servers
High-volume DDoS handling process
Equipment selection
Standalone appliance
• Dual Xeon 3G processor
• Dedicated DDoS processing board and chips
Cat6K / 7600 line-card notes
• Sup720 recommended; Sup32 not supported; Sup2 supported but not recommended
• Cat6k IOS support: 12.2(18)SXD3 or later
• 7600 IOS support: 12.2(18)SXE or later
• The faceplate has a Reset button; after a reboot, run sh mod and wait until the software version is displayed before you session into the slot
Mainly recommended module – dedicated DDoS processor
(Diagram: Simpson daughter card mounted on a Komodo plus base board.)
Module logical connection diagram
(Diagram labels: Komodo+/Simpson Card; Complex #0, Complex #1, Complex #2; eth 0, eth 1, eth 2; Data Path: GI<slot#>/1, GI<slot#>/2; Management Path: GI<slot#>/3, Sup2 / 3, PC, 127.0.0.<slot#>1.)
Anomaly Guard Module Packet Flow
(Diagram labels: Supervisor 2/SFM or Supervisor 720 with Routing Table, Master FIB Table and R(x)000 CPU; Medusa; Crossbar Fabric; Input Line Card; Output Line Card; Anomaly Guard Module; Cisco Catalyst® 6000 32 Gbps BUS; packet-flow steps numbered 1 to 5 from the input line card across the fabric to the Anomaly Guard Module and on to the output line card.)
Other
Measured 64-byte DDoS line-rate report for the devices
Clean Pipe case review
No. | Customer | Deployment summary | Implementation time
1 | Bank of China | Two Guard / Detector sets, protecting online banking |
2 | Hebei Netcom | Two Guard / Detector sets, protecting the MAN and IDC services |
3 | Liaoning Netcom | Two Cisco7609/AGM modules, protecting MAN security |
4 | Shenzhen Telecom / Shenzhen Netcom | 1 Guard, inline DDoS protection for key bank customers |
5 | Zhanjiang Telecom | 1 Guard protecting IDC web sites |
6 | Beijing Telecom / Beijing Netcom | 1 Guard protecting IDC web sites |
7 | Guangdong Telecom | 2 AGMs and 6 Detectors, protecting the MAN backbone |
8 | Yunnan Telecom | 1 AGM and Detector, protecting the MAN backbone |
9 | Heilongjiang Netcom | 2 AGMs and Detectors, protecting Harbin IDC services |
10 | Jiangxi Mobile | 1 Guard / Detector set protecting the BOSS and DCN networks |
11 | Fujian Telecom | Cisco7609 / AGM modules, protecting DNS, authentication and other important services |
12 | Jilin Netcom | Cisco7609 / AGM modules, protecting the MAN against DDoS attacks |
13 | Henan Mobile | Two Guard XT / Detector sets protecting against DCN / BOSS attacks |
14 | Dalian Netcom | 4 Guard XT / 2 Detectors protecting against MAN / IDC attacks |
15 | Chongqing Telecom | 1 Guard XT / 2 Detectors deployed on the backbone to protect internet cafés |
16 | Tencent QQ | 1 Guard XT / 2 Detectors protecting against DNS / chat attacks |
Managed DDoS Service Providers
Provider | Service | Deployment | Detection
 | DDoS defense option for Internet Protect managed services | Managed Network DDoS Protection Service | NetFlow + Arbor Peakflow SP + Guard
 | IP Defender managed service | Managed Network DDoS Protection Service | Detector + Guard
 | DDoS Attack Mitigation Service | Managed Network DDoS Protection Service | Detector + Guard
 | DDoS Peering Point Protection | Peering Edge DDoS Protection Service | NetFlow + Arbor Peakflow SP + Guard
 | PrevenTier DDoS Mitigation service | Managed Hosting DDoS Protection Service |
 | SureArmour DDoS protection service | Managed Hosting DDoS Protection Service |
Further detection cells in the table (row alignment not recoverable): Arbor Peakflow SP + NetFlow; Detector + Guard; Detector + Guard
• AT&T, Sprint, Verizon, BT, Savvis, Broadwing, Qwest
AT&T - Internet Protect
Sprint – IP Defender
Cable&Wireless – Secure Internet Gateway
MCI – DDoS Defense Detection & Mitigation
Savvis – Network based DDoS Mitigation Service
NTT – DDOS Attack Protection Service
IIJ – DDoS Protect System
URL
• ATT : Internet Protect w / DDoS Mitigation:
  http://www.business.att.com/service_fam_overview.jsp?repoid=ProductSubCategory&repoitem=eb_internet_protect&serv_port=eb_security&serv_fam=eb_internet_protect&
• Sprint : Sprint IP Defender:
  http://www.sprint.com/business/products/products/ipDefender_tabC.html
• MCI : WAN Defense
  http://global.mci.com/us/enterprise/security/managed/wan/
• Savvis: DDoS mitigation
  http://www4.savvis.net/NR/rdonlyres/FE2C21FF-9D3E-4233-9DEB16A952FE5A17/9908/DDOSMitigation.pdf
• NTT COM - Verio
  http://www.ntt.net/products/ddos/index.html
• IIJ:
  http://www.iij.ad.jp/solution/sec-sol/ddos.html
Guards and Detector in Telstra's