DDoS - IT Strategic Template Document Solutions


DDoS
Recent Trends in DoS Attacks
• Network-based flood attacks
– as vulnerable software is patched, it becomes harder to find susceptible hosts
• Local Subnet spoofing
– ingress / egress filtering becoming more popular
• Infrastructure attacks
– targeting upstream routers and links
• Hit-and-run
– pulsing / short-lived floods
– Cyclic use of multiple zombie armies
• Internet-scale
– widely-distributed, large-scale zombie “armies”
Emerging DoS Threats
• Obfuscation of network audit trail
– redirection features of certain application protocols (recursive DNS queries, Gnutella, etc.)
• Mutation of attack signatures
– address, protocol, port randomization
• Routing infrastructure attacks
– BGP route hijacking for attack launch
• Automated conscription of zombie armies
– recent Internet worms and viruses
– Microsoft Outlook, IE, IIS, SMB
Sequence of a DDoS attack
A. A large set of machines are compromised
B. Attacker identifies exploitable hosts with scanners, or other techniques
C. Attacker accesses the system with automated remote exploits, sniffers, password cracking, worms, trojans
D. Attacker installs attack tools
E. Attacker remotely instructs compromised machines to attack target
Mitigation Options
(diagram, repeated on four slides: mitigation can be initiated by the customer, through the customer portal, or by the operator)
Version 5 - Flow Format
• Usage
– Packet Count
– Byte Count
• From/To
– Source IP Address
– Destination IP Address
• Time of Day
– Start sysUpTime
– End sysUpTime
• Application
– Source TCP/UDP Port
– Destination TCP/UDP Port
• Port Utilization
– Input ifIndex
– Output ifIndex
• QoS
– Type of Service
– TCP Flags
– Protocol
• Routing and Peering
– Next Hop Address
– Source AS Number
– Dest. AS Number
– Source Prefix Mask
– Dest. Prefix Mask
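The record layout above is what a collector actually has to decode before any of the later anomaly checks can run. The following parser is an added example written for this page, not code from the deck or from any NetFlow collector. It packs a constructed two-record datagram with the same 24-byte header and 48-byte record layout so it runs offline; the addresses, interface indices, AS numbers and counters in the sample are made up, and the pps/bps helper derives rates from the sysUpTime span the record carries.

```python
"""NetFlow v5 datagram parser: 24-byte header followed by up to 30 48-byte records."""
import ipaddress
import struct
from dataclasses import dataclass

# Header: version, count, sysUpTime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling (2 mode bits + 14 interval bits)
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30


@dataclass(frozen=True)
class FlowRecord:
    src_addr: str
    dst_addr: str
    next_hop: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    first: int       # sysUpTime in ms when the flow started
    last: int        # sysUpTime in ms of the last packet
    src_port: int
    dst_port: int
    tcp_flags: int   # cumulative OR of all TCP flags seen in the flow
    protocol: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_v5(datagram: bytes):
    """Return (header dict, [FlowRecord, ...]); raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Check the length on the wire against the count field before indexing records.
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {
        "sys_uptime": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(
            src_addr=str(ipaddress.IPv4Address(f[0])),
            dst_addr=str(ipaddress.IPv4Address(f[1])),
            next_hop=str(ipaddress.IPv4Address(f[2])),
            input_if=f[3], output_if=f[4], packets=f[5], octets=f[6],
            first=f[7], last=f[8], src_port=f[9], dst_port=f[10],
            tcp_flags=f[12], protocol=f[13], tos=f[14],                    # f[11] is pad1
            src_as=f[15], dst_as=f[16], src_mask=f[17], dst_mask=f[18],  # f[19] is pad2
        ))
    return header, records


def pack_v5(records, sys_uptime=120_000, unix_secs=1_700_000_000, flow_sequence=0):
    """Inverse of parse_v5; used here only to build the constructed sample datagram."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    body = b"".join(struct.pack(
        RECORD_FMT,
        int(ipaddress.IPv4Address(r.src_addr)), int(ipaddress.IPv4Address(r.dst_addr)),
        int(ipaddress.IPv4Address(r.next_hop)), r.input_if, r.output_if, r.packets,
        r.octets, r.first, r.last, r.src_port, r.dst_port, 0, r.tcp_flags,
        r.protocol, r.tos, r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0)
        for r in records)
    return header + body


def flow_rates(rec: FlowRecord):
    """(pps, bps) for one record, from its packet/byte counts and sysUpTime span."""
    seconds = max(rec.last - rec.first, 1) / 1000.0   # a single-packet flow has first == last
    return rec.packets / seconds, rec.octets * 8 / seconds


# Constructed sample: a SYN-only flow hammering port 80 and an ordinary DNS reply flow.
SAMPLE_RECORDS = [
    FlowRecord("198.51.100.7", "192.0.2.10", "192.0.2.1", 3, 5, 5000, 200_000,
               100_000, 101_000, 40000, 80, 0x02, 6, 0, 64501, 64496, 24, 32),
    FlowRecord("198.51.100.53", "192.0.2.20", "192.0.2.1", 3, 5, 12, 1_800,
               100_500, 102_500, 53, 33211, 0x00, 17, 0, 64501, 64496, 24, 32),
]
SAMPLE_DATAGRAM = pack_v5(SAMPLE_RECORDS)
```

The length check matters on a collector: the count field is attacker-influenced input arriving over UDP, and indexing records by it without checking the datagram length is how a parser reads past its buffer. Note also that the TCP flags field is the OR of every flag seen, so a flow whose value is exactly 0x02 (SYN alone) is the signal a SYN-flood check keys on.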
Misuse Anomalies
• Detected against /32 hosts
• Misuse anomalies cover the following types of traffic:
– ICMP Anomaly
– TCP NULL Flag Anomaly
– TCP SYN Flag Anomaly
– TCP RST Flag Anomaly
– IP NULL (Proto 0) Anomaly
– IP Fragmentation Anomaly
– IP Private Address Space Anomaly
– Total Traffic bps
– Total Traffic pps
• Deployed against common attacks targeted at individual network hosts.
How Peakflow SP IS works
Three types of anomalies are reported by Peakflow SP IS:
• Profiled Anomalies – deviations from normal traffic levels on the network
• Misuse Anomalies – Traffic towards specific hosts that should not normally be
seen on a network
• Fingerprint Anomalies – Traffic that fits a user specified signature
Fingerprint Anomalies
• User can define detection ‘fingerprint’ using TCP Dump syntax
or GUI wizard:
(dst port 445 or dst port 9996) and proto tcp
• Triggered by the detection of traffic matching the specified
signature
– User can specify pps / bps trigger and severity thresholds per
Fingerprint.
• Used effectively for tracking traffic on known attack vectors, e.g. spam, worms, etc.
• Fingerprint syntax can be used to ‘share’ anomaly information
between carriers.
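The misuse classes listed above and the fingerprint described here differ in scope: misuse checks are fixed signatures evaluated per target /32, while a fingerprint is user-defined and evaluated network-wide against its own pps/bps triggers and severity thresholds. The block below is an added example illustrating both over one window of flow records; it is not Arbor's code. Records are plain dicts, the trigger values are illustrative rather than vendor defaults, the deck's tcpdump fingerprint is written as an equivalent Python predicate instead of being parsed, and the sixty-second sample window is constructed.

```python
"""Misuse and fingerprint checks over one window of flow records.
Records are plain dicts; thresholds and sample traffic are constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ICMP, TCP, UDP = 1, 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = 60  # seconds of flow data per evaluation (assumed reporting interval)


def syn_only(f):
    return f["proto"] == TCP and bool(f["tcp_flags"] & SYN) and not f["tcp_flags"] & ACK


# Misuse classes from the deck: a match on one record and a pps trigger, applied per target /32.
# Trigger values are illustrative, not vendor defaults.
MISUSE = {
    "ICMP Anomaly":              (lambda f: f["proto"] == ICMP, 500),
    "TCP NULL Flag Anomaly":     (lambda f: f["proto"] == TCP and f["tcp_flags"] == 0, 100),
    "TCP SYN Flag Anomaly":      (syn_only, 1000),
    "TCP RST Flag Anomaly":      (lambda f: f["proto"] == TCP and bool(f["tcp_flags"] & RST), 1000),
    "IP NULL (Proto 0) Anomaly": (lambda f: f["proto"] == 0, 10),
    # NetFlow v5 carries no fragment bit; assume the collector sets "fragment" from another source.
    "IP Fragmentation Anomaly":  (lambda f: f.get("fragment", False), 500),
    "IP Private Address Space Anomaly":
        (lambda f: any(ip_address(f["src"]) in n for n in PRIVATE), 10),
}


def misuse_anomalies(flows, window=WINDOW):
    """Return {(class, target /32): pps} for every class whose trigger is exceeded."""
    pkts = defaultdict(int)
    for f in flows:
        for name, (match, _) in MISUSE.items():
            if match(f):
                pkts[(name, f["dst"])] += f["pkts"]
    return {key: n / window for key, n in pkts.items() if n / window > MISUSE[key[0]][1]}


# A fingerprint is user-defined and evaluated network-wide, not per target. The deck writes
# it in tcpdump syntax; here the same expression is a Python predicate.
FINGERPRINTS = [{
    "name": "smb-worm",   # (dst port 445 or dst port 9996) and proto tcp
    "match": lambda f: f["proto"] == TCP and f["dst_port"] in (445, 9996),
    "pps": 2000, "bps": 1_000_000,                      # either trigger fires the anomaly
    "severity": [(2000, "medium"), (20000, "high")],    # pps thresholds, ascending
}]


def fingerprint_anomalies(flows, fingerprints=FINGERPRINTS, window=WINDOW):
    alerts = []
    for fp in fingerprints:
        hits = [f for f in flows if fp["match"](f)]
        pps = sum(f["pkts"] for f in hits) / window
        bps = sum(f["bytes"] for f in hits) * 8 / window
        if pps <= fp["pps"] and bps <= fp["bps"]:
            continue
        severity = "low"
        for threshold, level in fp["severity"]:
            if pps >= threshold:
                severity = level
        alerts.append({"name": fp["name"], "pps": pps, "bps": bps, "severity": severity,
                       "sources": sorted({f["src"] for f in hits})})
    return alerts


def flow(src, dst, proto, dst_port, pkts, nbytes, tcp_flags=0, **extra):
    return {"src": src, "dst": dst, "proto": proto, "dst_port": dst_port,
            "pkts": pkts, "bytes": nbytes, "tcp_flags": tcp_flags, **extra}


# Constructed 60-second window of flow records.
SAMPLE_FLOWS = (
    # 100 spoofed sources, SYN only, 1000 packets each at one host: 1667 pps toward 192.0.2.10
    [flow(f"198.51.100.{i}", "192.0.2.10", TCP, 80, 1000, 40_000, SYN) for i in range(1, 101)]
    # a normal web session: SYN, ACK, PSH and FIN all seen, so not SYN-only
    + [flow("203.0.113.5", "192.0.2.10", TCP, 80, 30, 20_000, SYN | ACK | PSH | FIN)]
    # fragmented UDP at the same host: 1000 pps
    + [flow("203.0.113.40", "192.0.2.10", UDP, 53, 60_000, 60_000_000, fragment=True)]
    # RFC 1918 source arriving from outside: should never be seen, even at low rate
    + [flow("10.1.2.3", "192.0.2.20", UDP, 123, 5000, 400_000)]
    # protocol 0 at 1.7 pps: below the trigger, so not reported
    + [flow("203.0.113.9", "192.0.2.20", 0, 0, 100, 4_000)]
    # three scanners at 445/tcp across different targets: each below the per-/32 SYN trigger,
    # together above the network-wide fingerprint trigger
    + [flow(f"203.0.113.{20 + i}", f"192.0.2.{30 + i}", TCP, 445, 50_000, 2_000_000, SYN)
       for i in range(1, 4)]
)
```

The scanner flows are the point of the sample: spread across three targets, none of them trips the per-/32 SYN misuse trigger, but the fingerprint, summed network-wide, does. That is why a shared fingerprint is useful to carriers watching for the same worm, and why a detector needs both scopes.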
Mitigation Strategies
• Unicast Reverse Path Forwarding (uRPF)
• Rate Limiting
• ACL
– Filter traffic targeted at a destination
• Blackhole / Sinkhole / Shunt
– Off-ramping for filtering, scrubbing and forensics
• Integrated Filtering
– Uses a combination of BGP sinkhole and network ‘cleaning’ appliances.
• Fingerprint Sharing
– Mitigation closer to the source
IF Filtering Levels: Standard & Integrated
• Standard integration
– Peakflow has recommended filtering options
» ACLs, rate limiting, BGP blackholing, off-ramping/sinkholing and flexible
scripting
– Peakflow can detect and then initiate scrubbing
• Integrated Filtering API
– Tightly coupled API, remain mitigation agnostic (dedicated or shared
mitigation)
» Cisco/Riverhead Guard
Intelligent Filtering
• Integration with dedicated mitigation devices
– Cisco Guard
• Peakflow triggers devices to use BGP to off-ramp attack traffic
through themselves
• Process data at gigabit per second speeds and do deep packet
inspection
• Apply advanced heuristics to traffic to filter bad while preserving
good
– TCP SYN authentication
– Zombie army detection
– Enforce traffic baselines
• Provide Feedback to Peakflow system on what is filtered/passed
Dealing with DDoS attacks: Remediation
• Three key steps:
– Detection
» Determine attack methodology and what resources are affected
– Traceback
» Determine the source and transit path
– Mitigation
» Determine what traffic to block, and where best to block it
What is a DoS Attack ?
• Malicious attempt by one or more attackers to cripple an online service
• Flood the victim (server) with packets
– Overload packet processing capacity
– Saturate network bandwidth
• Two Types of DoS Attacks
– Resource Exhaustion Attacks
– Bandwidth Consumption Attacks
Attack Architecture – Direct Attacks
(diagram: the attacker directs traffic towards the victim through Zombie 1, Zombie 2 and Zombie 3; the "zombies" send streams of spoofed traffic to the victim with Src: random, Dst: victim)
Example – SYN Flooding
• Establishment of TCP connection using three-way handshake (diagram: TCP client using client ports, TCP server using service ports 1 – 1023, here port 80)
1. SYN
2. SYN / ACK
3. ACK
• SYN flood (diagram): the malicious TCP client sends SYN packets with a spoofed IP address to the victim TCP server; the SYN / ACK goes to the spoofed address and the final ACK never arrives ("?")
Attacker makes connection requests aimed at the victim server with packets from spoofed source addresses
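The half-open connection each spoofed SYN leaves behind is the resource being exhausted, and "TCP SYN authentication" in the filtering section later on is the countermeasure family: make the server prove a source is real before spending state on it. The following added example (written for this page, not from the deck or any vendor) models both sides with a toy handshake rather than real packets: a stateful server with a small backlog, and a SYN-cookie server that encodes an HMAC of the 4-tuple and a coarse epoch in its ISN and keeps nothing until a valid ACK returns. The backlog size, addresses and the simplified cookie layout (no MSS encoding, per-process secret) are assumptions.

```python
"""SYN flood against a backlog-limited server, with and without SYN cookies.
Toy model of the handshake state, not a packet generator; addresses are constructed."""
import hashlib
import hmac
import os
import time

BACKLOG = 4      # half-open slots; tiny so exhaustion is visible
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic handshake: every SYN allocates a half-open slot until the ACK (or a timeout)."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}       # (src, sport) -> server ISN sent in the SYN/ACK
        self.established = set()
        self.dropped = 0

    def syn(self, src, sport):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1     # backlog full: the SYN is silently discarded
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport)] = isn
        return isn                # SYN/ACK carries isn; a spoofed source never answers it

    def ack(self, src, sport, ack_num):
        isn = self.half_open.get((src, sport))
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


class SynCookieServer:
    """SYN cookies: the ISN is an HMAC over the 4-tuple and a 64-second epoch, so nothing is
    stored until an ACK proves the peer really received the SYN/ACK at its claimed address.
    (Simplified: real cookies also encode the MSS; the secret here is per-process.)"""

    def __init__(self, secret=None, clock=time.time, dst="192.0.2.10", dport=80):
        self.secret = secret or os.urandom(32)
        self.clock, self.dst, self.dport = clock, dst, dport
        self.established = set()

    def _cookie(self, src, sport, epoch):
        msg = f"{src}:{sport}>{self.dst}:{self.dport}@{epoch}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:3], "big")            # 24-bit tag

    def syn(self, src, sport):
        epoch = int(self.clock()) >> 6
        return ((epoch & 0xFF) << 24) | self._cookie(src, sport, epoch)   # no state kept

    def ack(self, src, sport, ack_num):
        isn = (ack_num - 1) & MASK32
        now = int(self.clock()) >> 6
        for epoch in (now, now - 1):                     # accept the current or previous epoch
            if (epoch & 0xFF) == isn >> 24 and self._cookie(src, sport, epoch) == isn & 0xFFFFFF:
                self.established.add((src, sport))
                return True
        return False


def simulate(server, spoofed_syns=10):
    """Flood with spoofed SYNs, then try a legitimate handshake. Returns whether it succeeded."""
    for i in range(spoofed_syns):
        server.syn(f"198.51.100.{i + 1}", 40000 + i)      # SYN/ACKs go to hosts that never reply
    isn = server.syn("203.0.113.5", 51515)
    if isn is None:
        return False                                      # legitimate SYN dropped: denial of service
    return server.ack("203.0.113.5", 51515, (isn + 1) & MASK32)
```

With ten spoofed SYNs against a backlog of four, the stateful server drops the legitimate client; the cookie server completes the handshake because it spent nothing on the flood. The cost is that a cookie server cannot remember options from the SYN, which is why real implementations only switch cookies on once the backlog fills, and why a SYN-authenticating appliance in the path (as in the Cisco Guard description later on) can do the same proof-of-reachability on the server's behalf.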
Technical Delivery Model
(diagram of the managed security service delivery architecture; components as labelled)
• Primary Security Operations Center (Irving, TX): event collection and consolidation (common event format); Secure Shell console connectivity, Nessus agent, Nagios (health and status monitoring), TFTP server; consolidated IDP alert data; IDP management server database; Remedy 1 and Remedy 2; ArcSight 1 and ArcSight 2; storage area network; remote power management; out-of-band PSTN connectivity; OC3 link to the public Internet
• Hot Site Security Operations Center (Baltimore, MD): Remedy 1, ArcSight 1, storage area network, OC3 link; data synchronization with the primary SOC
• Enterprise customer network: IDP appliance and firewall behind a Verizon Security Agent (VSA) appliance at the customer location; IDP alert data carried over encrypted tunnels across the public Internet, terminating on the VSA
• Bay Networks (equipment label in the diagram)
Cisco DDoS Mitigation Solution
(two diagrams: a DDoS Detector and a DDoS Protection Device in front of the target and the non-targeted servers)
1. Detect (DDoS Detector)
2. Activate: auto/manual
3. Divert only the target's traffic (BGP announcement from the DDoS Protection Device)
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely to the non-targeted servers
Peakflow SP Anomaly Reporting
• Profiled Anomalies – deviations from normal traffic levels on the
network
• Misuse Anomalies – Traffic towards specific hosts that exceed
what should normally be seen on a network
• Fingerprint/Worm Anomalies – Traffic that fits a user specified
signature
Detect Attack - Profiled Anomalies
• Detects network-wide anomalies such as DDoS attacks and worm outbreaks using non-intrusive data collection.
• A baseline of normal behavior is built from the flow data already available from the routers deployed on the network.
• In real time, the system compares traffic against the baseline.
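The detail the slide leaves out is what "baseline" means in practice: a level that depends on the hour (the flow format's "Time of Day" grouping is there for this), and a rule for when a deviation counts. The block below is an added example for this page, not Arbor's algorithm: a per-hour mean and standard deviation from the previous days' samples, a deviation test with a k-sigma limit and a floor, and a history update that refuses to learn from flagged samples. The seven-day history and the bps figures are constructed.

```python
"""Profiled detection for one interface or prefix: a time-of-day baseline built from past
flow data, compared against live samples. All traffic figures here are constructed."""
import statistics

# Constructed history: bps seen at the same hour on each of the previous 7 days.
SAMPLE_HISTORY = {
    3:  [2.0e6, 2.2e6, 1.9e6, 2.1e6, 2.0e6, 2.3e6, 1.8e6],    # 03:00, quiet
    14: [48e6, 52e6, 50e6, 49e6, 51e6, 50e6, 47e6],           # 14:00, business hours
}


def build_baseline(history):
    """{hour: [bps samples]} -> {hour: (mean, population stdev)}"""
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in history.items()}


def profiled_anomaly(baseline, hour, observed_bps, k=3.0, floor_bps=1_000_000):
    """Report a deviation when the sample exceeds mean + k*stdev for that hour.
    The floor keeps near-idle hours from alerting on a handful of packets."""
    mean, sd = baseline[hour]
    limit = max(mean + k * sd, floor_bps)
    if observed_bps <= limit:
        return None
    return {"hour": hour, "observed_bps": observed_bps, "expected_bps": mean,
            "limit_bps": limit, "ratio": observed_bps / mean if mean else float("inf")}


def update_history(history, baseline, hour, observed_bps, keep=7):
    """Roll a sample into the history for its hour only if it was not flagged, so a
    sustained attack cannot train itself into the baseline. Returns the new history."""
    if profiled_anomaly(baseline, hour, observed_bps) is None:
        history = dict(history)
        history[hour] = (history[hour] + [observed_bps])[-keep:]
    return history
```

The same 20 Mbit/s that is unremarkable at 14:00 is a tenfold deviation at 03:00, which is the kind of night-time worm outbreak a flat threshold would miss. The update rule is the caveat practitioners care about: if flagged samples feed the baseline, a slow-ramping attack becomes "normal" within days.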
Detection Classes: Misuse
• Detected independently from the established baselines, on a set of known attack signatures.
• Traffic of specific types exceeding what should be normal for a network.
• Misuse anomalies cover the following types of traffic:
– ICMP Anomaly
– TCP NULL Flag Anomaly
– TCP SYN Flag Anomaly
– TCP RST Flag Anomaly
– IP NULL (Proto 0) Anomaly
– IP Fragmentation Anomaly
– IP Private Address Space Anomaly
Misuse Anomalies - Dark IP
Fingerprint/Worm Anomalies(1)
Tracing Anomalies
• Automatically trace the source and destination IP/port and TCP flags of abnormal traffic.
• Distribution of attack traffic by source and destination IP/port.
• Trace the network devices that the abnormal traffic passes through.
Prevent/Mitigate Network-wide Anomalies
• System can recommend appropriate mitigation measures
to mitigate anomalies such as DoS attack and worm
outbreaks.
– Generate recommended ACLs or rate limit commands.
– Blackhole routing
– Sinkhole routing
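The "Mitigation Strategies" list earlier (uRPF, rate limiting, ACL, blackhole/sinkhole) and the recommended-command generation described here are two views of the same step: once an anomaly names a target /32, a protocol and a port, each option is a short piece of router configuration, and the choice between them is a trade-off. The block below is an added example for this page, not the product's generator. It emits Cisco IOS-style commands; the interface name, ACL number, allowed rate, burst sizing and the sinkhole next-hop address are assumptions, and the selection rule in recommend() is one reasonable policy, not a vendor default.

```python
"""Turn a detected anomaly into candidate mitigation commands (ACL, CAR rate limit,
Null0 blackhole, sinkhole next hop, uRPF). Output is Cisco IOS-style text; interface
names, ACL numbers, rates and the sinkhole address are assumptions for the example."""
from dataclasses import dataclass, field
from typing import Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
EDGE_IF = "GigabitEthernet0/0"      # assumed upstream-facing interface
SINKHOLE_NEXT_HOP = "192.0.2.254"   # assumed address of the sinkhole/scrubbing router


@dataclass
class Anomaly:
    dst: str                    # attacked host (/32)
    proto: int                  # IP protocol number
    dst_port: Optional[int]     # service port, None for ICMP or unknown
    bps: float                  # observed attack rate toward dst
    sources: list = field(default_factory=list)   # top talkers, if the traceback found any


def _match(a):
    proto = PROTO_NAMES.get(a.proto, str(a.proto))
    port = f" eq {a.dst_port}" if a.proto in (6, 17) and a.dst_port is not None else ""
    return f"{proto} any host {a.dst}{port}"


def acl_commands(a, name="DDOS-MITIGATE"):
    """Drop the attack traffic class at the edge; everything else still passes."""
    return [f"ip access-list extended {name}", f" deny {_match(a)}", " permit ip any any",
            f"interface {EDGE_IF}", f" ip access-group {name} in"]


def rate_limit_commands(a, acl=150, allowed_bps=1_000_000):
    """CAR: keep the service reachable but cap the offending class (bps must be a multiple of 8000)."""
    burst = allowed_bps // 8 // 2          # burst sizes are in bytes; roughly half a second
    return [f"access-list {acl} permit {_match(a)}", f"interface {EDGE_IF}",
            f" rate-limit input access-group {acl} {allowed_bps} {burst} {burst * 2}"
            " conform-action transmit exceed-action drop"]


def blackhole_commands(a):
    """Discard everything for the /32. Completes the DoS for that host but saves the link;
    redistributed into BGP (with a tag/community) this is remote-triggered blackholing."""
    return [f"ip route {a.dst} 255.255.255.255 Null0"]


def sinkhole_commands(a):
    """Off-ramp the /32 to a sinkhole or scrubbing device for filtering and forensics."""
    return [f"ip route {a.dst} 255.255.255.255 {SINKHOLE_NEXT_HOP}"]


def urpf_commands(strict=True):
    """Drop spoofed sources at the edge. Strict mode needs symmetric routing; otherwise use loose ('any')."""
    mode = "rx" if strict else "any"
    return [f"interface {EDGE_IF}", f" ip verify unicast source reachable-via {mode}"]


def recommend(a, link_bps):
    """Pick the least destructive option that still protects the network."""
    if a.bps >= link_bps:                         # link saturated: blackhole (or sinkhole) upstream
        return {"strategy": "blackhole", "commands": blackhole_commands(a)}
    if a.proto == 6 and a.dst_port is not None:   # TCP to a live service: an ACL would finish the DoS
        return {"strategy": "rate-limit", "commands": rate_limit_commands(a)}
    return {"strategy": "acl", "commands": acl_commands(a)}
```

Two caveats the generator encodes: a blackhole route is itself a denial of service for the victim and is only the right answer once the attack exceeds what the link or upstream can carry, and an ACL that denies TCP to the attacked service port blocks legitimate clients along with the flood, which is why a rate limit (or off-ramping to a scrubbing device that does SYN authentication) is preferred for attacks on a live service.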
Alert
• BGP
– BGP Instability
– BGP Route Hijacking
• Data Source
– BGP Down
– Flow Down
– SNMP Down
• DoS Alert
• Interface Usage: traffic exceeded configured baseline
Use e-mail, SNMP traps, syslog, etc. to notify network administrators.