building 100g ddos mitigation device with fpga technology · protector looks for exceeding traffic...
Post on 22-May-2020
4 Views
Preview:
TRANSCRIPT
BUILDING 100G DDOS MITIGATION DEVICE
WITH FPGA TECHNOLOGY
Martin Žádník CESNET
2018
Brno
MOTIVATION
DDoS attacks
DDoS attacks as a service
DDoS-for-hire industry
Booters/Stresser service
Mirai
STATS
AKAMAI ■ Several hundreds DDoS per year
■ Largest more than 1 Tbps
CESNET ■ Order of magnitude lower volume
■ Similar amount
■ Testing playground
DDOS MITIGATION
RTBH and Rate limiting at routers ■ Too coarse grain
■ Legitimate traffic is rate-limited together with attack
What’s needed ■ More fine grained
■ Order of magnitude cheaper
■ Customizable
■ Own solution
GOAL
To protect infrastructure (connectivity)
To reduce extensive amount of traffic targeting victim organization
under the limit which can be actually processed by the organization
HW ACCELERATION
CESNET experience with network flow probes
Paket Paket Paket
tmin
40 Gb/s 12 ns ~ 45 CPU clock cycles
100 Gb/s 5 ns ~ 18 CPU clock cycles
400 Gb/s 1.25 ns ~ 6 CPU clock cycles
3.6 GHz CPU
John Lockwood, Stanford University
HW ACCELERATION
CESNET experience with network flow probes
Platform ■ Network card with programmable FPGA
■ Own firmware into FPGA
■ Decent server with threaded software
DEPLOYMENT
10x 10Gbps
1x 100 Gbps
ARCHITECTURE
Software
Detection Control
Selection Blocking
Firmware
Net Traffic
Stats
Legitimate traffic
LESSONS LEARNED
Deal with how to deploy ■ Support of VLAN translation
■ Support of routing
■ Support of ARP, ND
■ Dead-man's vigilance device
Utilize what is already available ■ BIRD, Suricata (to be utilized)
Practical and straight-forward approach usually works well ■ Single-direction only
■ Heuristics to deal with various types of attacks
ATTACKS OF INTEREST
Large reflection attacks ■ DNS
■ NTP
■ LDAP
■ SSDP
■ SNMP
■ CharGEN
TCP SYN flood
DETECTION REFLECTION
Protector looks for exceeding traffic thresholds per IP prefixes
Time window is configurable (default 1 s)
Simple static rules se by administrator
„VUT UDP“ dst net 147.229.0.0/16 protocol 17 src port 53
threshold 1 Gbps limit 100 Mbps
If matching traffic
exceeds 1+ Gbps
then lreduce it to
100 Mbps
MITIGATION
Drop matching traffic from IP addresses that contributed the most to
exceeding the threshold
To this end ■ Keep contribution of each IP address
■ If threshold is exceeded choose such a number of IP address to reduce the traffic
below limit
EXAMPLE
0
2
4
6
8
10
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Optimal
Limit
Time
Gb
ps
Gb
ps
EXAMPLE
0
20
40
60
80
100
120
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33
Gb
ps
Unordered IP addresses
EXAMPLE
0
20
40
60
80
100
120
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29
Limit
Unordered IP addresses
Mbps
TCP SYN FLOOD I.
SYN drop heuristic
TCP SYN FLOOD II.
RST cookies – Alternative to SYN drop
Protector generates non-valid SYN-ACK packet
If a client sends RST then whitelisted
FEATURES
Wire speed throughput 100Gbps
Extremely low latency (microseconds)
Support IPv6
TCP flags
Fragments
Configuration: Linux CLI + database rules
Stats: SNMP, logs
PLANS
Extended blocking capacity
Support various heuristics
Build less proprietary interface ■ BGP FlowSpec
■ Cisco-like CLI
Release ■ Polish it till anyone can use it
■ Offer to others
CONCLUSION
Straightforward extensible and customizable solution
Deployed in productional CESNET backbone
Interest of other entities
THANK YOU FOR YOUR ATTENTION
TRAFFIC REDIRECTION
Forward suspicious traffic to Protector
Return cleansed traffic to target destination
DETAILED REDIRECTION
top related