cisco ddos mitigation service provider solutions...cisco ddos mitigation service provider solutions...
Post on 04-Feb-2020
3 Views
Preview:
TRANSCRIPT
1© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
CISCO DDoS MITIGATIONSERVICE PROVIDER SOLUTIONSFebruary 15, 2005
222© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Executive Summary
• Detects AND MITIGATES the broadest rangeof distributed denial of service (DDoS) attacks
• With the granularity and accuracy to ENSUREBUSINESS CONTINUITY by forwarding legitimatetransactions
• Delivering the performance and architecturesuitable for the LARGEST ENTERPRISES ANDPROVIDERS
• Addresses DDoS attacks today, and its network-based behavioral anomaly capability will beextended to additional threats
333© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
THE DDoS PROBLEM
444© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Attack Evolution
• Nonessentialprotocols(e.g., ICMP)
• 100s of sources• 10K packets/second
Scal
e of
Atta
cks
Sophistication of Attacks
Two scaling dimensions:• Millions of
packets/second• 100Ks zombies
• Essential protocols• Spoofed• 10K zombies• 100K packets/second• Compound and
morphing
Past Present Emerging
Potentiallyrandom
Targetedeconomic
Publicitydriven
Mainstreamcorporations
High-profiletargets
Niche targets
Stronger and More Widespread
555© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
“Much larger attack network than anything before. Thishorsepower could take down thousands of big sites…atthe same time, and keep them down for quite a while.”
555© 2004 Cisco Systems, Inc. All rights reserved.Presentation_ID
“MyDoom Taste of Viruses to Come, Says Security Analyst,” Reuters,February 3, 2004
666© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Security ChallengesDollar Amount of Loss by Type of Attack (CSI/FBI 2004 Survey)
SabotageSystem Penetration
Web Site DefacementMisuse of Public Web Application
Telecom FraudUnauthorized Access
Laptop TheftFinancial Fraud
Abuse of Wireless NetworkInsider Net Abuse
Theft of Proprietary Info
0
$871,000$901,500$958,100
$2,747,000
$3,997,500$4,278,205
$6,734,500
$7,670,500
$10,159,250
$10,601,055
$11,460,000 $26,064,050
5M 10M 20M 25M 30M
Denial of Service
2004 CSI/FBI Computer Crime and Security SurveySource: Computer Security Institute Total Losses for 2004—$141,496,560
2004: 269 Respondents
Dollar Amount of Loss by Type of Attack (CSI/FBI 2004 Survey)
The Cost of Threats
777© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
“E-biz Sites Hit With Targeted Attacks”
“16% of the attacks against e-commerce sites wereidentified as targeted. Last year, only 4% wereaimed at specific sites.”
• ComputerWorld, September 27, 2004
“Extortion schemes that use attacks like the oneagainst Authorize.Net are becoming more common. . . definitely targeted, ransom-type attacks, andthere's going to be a lot more of them.”
• John Pescatore, Gartner Inc.ComputerWorld, September 27, 2004
888© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
DDoS Is a Business IssueImpacts Revenue and Customer Retention
Not justdowntime:• Lost customers• Damaged
reputations• Contractual
liabilities
Online payment system badly disrupted for three days by maliciousDDoS attack. Worldpay’s rivals attempted to poach online retailcustomers during the attack by offering “emergency services”
999© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
SOLUTION OVERVIEW
101010© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
DDoS ProtectionCisco Service Modules FCS 1QCY05
Attack DETECTIONto support on-demand,shared scrubbingMonitors COPY OF TRAFFIC
Cisco Anomaly Guard Module
Cisco Traffic Anomaly Detector Module
Attack ANALYSIS ANDMITIGATION
Diverts traffic flows for ON-DEMAND SCRUBBING
111111© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Cisco DDoS Product Family
Cisco Guard XT 5650
Cisco Traffic Anomaly Detector XT 5600
DDoS Mitigation Cisco Anomaly Guard Module
DDoS DetectionCisco Traffic Anomaly
Detector Module
Maximum deployment flexibility.Similar functionality and performance.Interoperable for mixed deployments.
121212© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
DDoS ProtectionCisco Service Modules (cont.)
• Guard/Detector MVP-OS Release 4.0• Single-slot modules for Cisco Catalyst® 6500
Switch and 7600 Router• Interfaces via backplane—no external ports• Gigabit performance—future licensed upgrade to
multigigabit supported• Native Cisco IOS® 12.2(18)SXD3• Multiple Guards and Detectors per chassis and
single-destination IP/zone• CLI, Web GUI, and SNMP management
131313© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Integrated Services Benefits
High-Performance
IntelligentNetwork
High-Performance
IntelligentNetwork
DeploymentFlexibility
DeploymentFlexibility
Lower Cost ofOperations
Lower Cost ofOperations
ScalabilityScalability
Infrastructure andServices IntegrationInfrastructure and
Services Integration
Reliability andHigh AvailabilityReliability and
High Availability
141414© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Layer 4–7 Services Modules Family
IDSM-2 Module
CSM Module
NAM-1 and NAM-2Module
Firewall Module
VPN Module SSL Module
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
151515© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Flexible Deployment Options
Integrated system:
• Fits existing switch/routinginfrastructure with other services
• Utilizes available slots—no interfaceports or rack space
• Ideal for data center deploymentsof 1–3 modules
• Intrachassis diversion
Guard ModuleDetector Module
161616© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Flexible Deployment Options (cont.)
Dedicated system:
• New chassis dedicatedto DDoS
• Supports large range offlexible I/O
• Ideal for high-capacitydeployments (4+ modules)with supervisor for loadleveling
• External diversion viaCisco IOS® supervisor routing
Anomaly Guard Modules
171717© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Key Features
DIVERSION ARCHITECTURE
MULTISTAGE VERIFICATION PROCESS
181818© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
DIVERSION ARCHITECTURE
191919© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module (or Cisco IDSor third- party system)
Cisco AnomalyGuard Module
202020© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
212121© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
2. Activate: Auto/Manual
222222© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
2. Activate: Auto/Manual
3. Divert onlytarget’s traffic
Route update:RHI internal, or BGP/other external
232323© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
2. Activate: Auto/Manual
3. Divert onlytarget’s traffic
4. Identify and filtermalicious traffic
Traffic Destinedto the Target
242424© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
2. Activate: Auto/Manual
3. Divert onlytarget’s traffic
4. Identify and filtermalicious traffic
Traffic Destinedto the Target
LegitimateTraffic to
Target
5. Forward legitimatetraffic
O 192.168.3.0/24 [110/2] via 10.0.0.3, 2d11h, GigabitEthernet2B 192.168.3.128/32 [20/0] via 10.0.0.2, 00:00:01
192.168.3.128 = zone 10.0.0.2 = Guard
252525© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Dynamic Diversion At Work
ProtectedZone 1: Web Protected
Zone 2: NameServers
Protected Zone 3:E-Commerce Application
Cisco Traffic AnomalyDetector Module
Cisco AnomalyGuard Module
1. Detect
Target
2. Activate: Auto/Manual
3. Divert onlytarget’s traffic
4. Identify and filtermalicious traffic
Traffic Destinedto the Target
LegitimateTraffic to
Target
5. Forward legitimatetraffic
6. Non-targetedtrafficflowsfreely
262626© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Cisco Catalyst Service Module
SwitchFabric
Supervisor Engine 2 or 720
Line Card Module
Line Card Module
Anomaly GuardModule
Traffic AnomalyDetector Module
Cat6K/7600
Firewall ServiceModule
InternalNetwork
• Solution Overview
Alert
Dynamic routediversion
272727© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Cisco Catalyst Service Module (cont.)
• Maintains “on-demand”scrubbing model
Internal to chassis fromSupervisor to GuardUses Route HealthInjection protocol
• Supports dedicated“appliance” mode
Suitable for clusterSupervisor redistributesroute update
• Cisco Catalyst® 6K/7600Router benefits:
IOS routing: extensiveprotocol and tunnelingsupport and familiar CLI
Extensive interfacesincluding fiber OC/STM
Control Plane Policing forDDoS hardening
282828© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Anomaly Guard Module Packet FlowSupervisor 2/SFM or Supervisor 720
RoutingTable
RoutingTable
Master FIB Table
Master FIB Table
Supervisor 2 or Supervisor 720Supervisor 2 or Supervisor 720R(x)000 CPUR(x)000 CPU
Cisco Catalyst® 6000 32 Gbps BUSCisco Catalyst® 6000 32 Gbps BUS
OutputLine Card
Med
usa
Med
usa
AnomalyGuardModule
Si SiSi
SiSi
1 23
InputLine Card 4 5
CrossbarFabric
CrossbarFabric
CrossbarFabric
CrossbarFabric
Si
292929© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
MULTISTAGE VERIFICATIONPROCESS
303030© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Multiverification Process (MVP)Integrated Defenses in the Guard
ActiveVerification
StatisticalAnalysis
Layer 7Analysis
Rate LimitingDynamic and Static Filters
Detect anomalousbehavior and identifyprecise attack flows
and sources
Legitimate + Attack Traffic to Target
313131© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Multiverification Process (MVP)Integrated Defenses in the Guard
ActiveVerification
StatisticalAnalysis
Layer 7Analysis
Rate LimitingDynamic and Static Filters
Apply antispoofingto block malicious
flows
Legitimate + Attack Traffic to Target
323232© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Multiverification Process (MVP)Integrated Defenses in the Guard
ActiveVerification
StatisticalAnalysis
Layer 7Analysis
Rate LimitingDynamic and Static Filters
Legitimate Traffic
Dynamically insertspecific filters to block
attack flows and sourcesApply rate limits
333333© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Intelligent Countermeasures
DETECTION• Passive copy of traffic monitoring
ANALYSIS• Diversion for more granular inline analysis
• Flex filters, static filters, and bypass in operation• All flows forwarded but analyzed for anomalies
BASIC PROTECTION• Basic antispoofing applied
• Analysis for continuing anomalies
STRONG PROTECTION• Strong antispoofing (proxy) if needed• Dynamic filtering of zombie sources
AnomalyVerified
LEARNING• Periodic observation of patterns to automatically update baseline profiles
AttackDetected
AnomalySourcesIdentified
Benefits:• Accuracy• Maximized
performance• Maximum
transparency• Automated
response
343434© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
High Performance and Capacity
• 1 MPPS+ most attacks, good and bad traffic, typicalfeatures
• 150 K DYNAMIC FILTERS for zombie attacks
• CLUSTERING TO 8 GUARDS for single protected host• Capacity
30 CONCURRENTLY PROTECTED ZONES(90 for the Detector) and 500 total1.5 million concurrentconnections1.5 million concurrent connections
• Latency or jitter: < 1 MSEC
353535© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Anomaly Recognition and ActiveVerification Features (cont.)
Anomaly Recognition:• Extensive profiling of individual flows
From individual src-IPs and src-nets to dst-IPs/ports byprotocol
• Depth of profilesPackets, syns and requests, fragments as well as ratiosConnections by status, authenication status and protocolspecific data…
• Default normal baselines with auto-learning on siteBaselines for typical as well as top sources and proxies
363636© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Anomaly Recognition and ActiveVerification Features (cont.)
Active Verification/Antispoofing:• Broad application support
TCP and UDP applications, including HTTP, HTTPS, SMTP, IRC,DNS and commercial and custom applications
• AuthenticatesSYNs, SYNACKs, FINs, regular TCP packets, DNS requests andreplies and more…
373737© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Antispoofing DefensesExample: Basic Level for HTTP Protocol
Source Guard
Syn(c#)
Hash-function(SrcIP,port,t)
ack(c#,s#)SrcIP, port#
=
Redirect(c#,s#)
Synack(c#’,s#’)
Syn(c#’)
request(c#’,s#’)
Target
Verified connections
synack(c#,s#)
• Antispoofingonly whenunder attack
• Authenticatesource oninitial query
• State kept onlyfor legitimatesources
• Subsequentqueriesverified
• Antispoofingonly whenunder attack
• Authenticatesource oninitial query
• State kept onlyfor legitimatesources
• Subsequentqueriesverified
383838© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Broadest Attack Protection
• Random spoofed attacks (e.g., SYN)Removes spoofed flows that evade statistical identification
• Focused spoofed of good source (e.g., AOL proxy)Distinguishes good vs. bad flows with same src-IP forselective blocking
• Nonspoofed distributed attackCapacity for blocking high-volume, massive and morphingbotnets of attackers that:
Penetrate SYN response defenses
Thwart any manual responses
393939© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Broadest Attack Protection (cont.)
• Nonspoofed client attack (e.g., http half-open)Identifies low-volume, protocol anomaly attacks that evadesampled flow data
404040© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Management Features
• Console or SSH CLI• Embedded device manager
GUI• DDoS SNMP MIB and traps• Extensive syslogging• Interactive
recommendations• Extensive reporting: GUI,
CLI, and XML export byzone
• Packet capture and export• TACACS+ for AAA• Future CVDM for Cisco
Cisco Catalyst® 6K support
414141© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
DEPLOYMENT SCENARIOS
424242© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Hosting or Service Provider Data Centerwith Service Modules in “Integrated Mode”
I
S
C ta ys5 0
P r p y S S P w p
tr c s r
RI
C S T S
C S S
Sup720 orSup2 w MSFC
Catalyst®
6K or 7600
GEnet
Catalyst Switch
Guard/DetectorDevice Manager
Anomaly GuardModule
Traffic AnomalyDetector Module
AttackAlert
ISP 1 ISP 2
DNS ServersWeb, Chat, E-mail, etc.
Target Internal Network
RHI RouteUpdate
FirewallServiceModule
434343© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Service ProviderDistributed or Edge Protection
• Distributed, dedicated Guards• Detector CPE for monitoring
and optionally activation
PeeringPoint
PeeringPoint
Core Router
Core Router
POP
POP
Enterprise A
Enterprise C
Cisco AnomalyGuard Module(s)
Enterprise BTargeted
Cisco TrafficAnomaly DetectorModule or Appliance
Optional CPE:
444444© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Managed DDoS ServiceCentralized Protection
PeeringPoint
PeeringPoint
Core Router
Core Router
POP
POPEnterprise A
Enterprise C
Enterprise BTargeted
Cisco Traffic Anomaly Detector Module
Cisco Anomaly Guard Modules
NetFlow-based Backbone Monitoring
NetFlow-based Backbone Monitoring
NOC
Activation fromBackbone or CPEDetector
Catalyst 6500/7600 Series Router
454545© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Clustering Topology
CustomerSwitches
ISPUpstream
ISPUpstream
Load-LevelingRouter
MitigationCluster
B 200.1.1.99 [20/0] via 192.168.1.3, 00:04:08 [20/0] via 192.168.1.4, 00:04:08 [20/0] via 192.168.1.5, 00:04:08 [20/0] via 192.168.1.1, 00:04:08 [20/0] via 192.168.1.2, 00:04:08200.1.1.99 = zone 192.168.1.1-5 = Guards
Cisco Anomaly GuardModules
Cat 6k/7600
464646© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Clustering Topology (cont.)
Equal cost multipath routing• Load levels traffic to a single destination IP• Across up to 8 Guards per router• CEF Layer 3 hash delivers consistent assignment
per src-dst pair• NO SPECIAL LOAD BALANCING SOLUTION
REQUIRED• Additional router provides functional partitioning
474747© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
PROVIDER FEATURESAND BENEFITS
484848© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Solution Supports CriticalManaged Service Requirements
• Significant value-addMitigation, not just detectionBroadest types of attacksAccuracy and transparencyAutomation for fast response
• Proven competitive advantage => customerretention and acquisitionWithin hours of attacks that primary provider could nothandle, enterprises shifted traffic to backup providers withCisco DDoSAnd when subsequently contracting for managed DDoSservices, dropped providers that didn’t offerCommerical enterprises readily shift hosting providers basedon DDoS capabilityDDoS protection also on new vendor selection criteria
494949© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Solution Supports CriticalManaged Service Requirements (cont.)
• Cost-effective operationDefaults and templates for efficient provisioningAutomated learning for policy tuningAutomation for efficient attack responseProvider network deploymentOn-demand scrubbing
505050© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Solution Supports CriticalManaged Service Requirements (cont.)
• Provider deployment architectureSupports distributed and centralized deployment
Dynamic diversion for ease of installation andhigh reliability
High performance plus N+X clustering for redundancy,incremental scaling, and maintenance
SNMP, XML, TACACS+, CLI, syslog for management
Activation from and data export to third-party systems
• Shared resources and virtualization supportedOn-demand scrubbing
Zone concept
515151© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Managed Services Momentum
DDoS Defense Option forInternet Protect managed services
Almost all available DDoS managed services are basedon the Cisco Guard for mitigation:
and many others
IP Defender managed service
PrevenTier DDoS Mitigation service
SureArmour DDoS protection service
525252© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Positive Industry Response
“We are taking a very positive stance on AT&T’sDDoS Defense option for its Internet Protectservice….”Current Analysis, June 2004
“This announcement is most important to Sprintcustomers. The service is attractive to customersthat want to increase network uptime and avoidDoS attacks.”
Gartner, October 2004
535353© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
Provider Service Advantages
Protects last-mile bandwidth andall enterprise infrastructure
Provider can protect against largestattacks
Provision and pay only forbandwidth for legitimate traffic
Upstream protection can covermultiple data centers
DDoS protection can be efficientlyoffered as managed service
Leverage focused securityoperations team
Last-mile bandwidth and edge routernot protected
Can only defend against attacks thatdon’t exceed last-mile bandwidth
Must overprovision for largest potentialattacks and/or pay burst charges
Must replicate protection at all datacenters
CPE infrastructure only protects locallyand cannot be shared
Difficult to maintain staff skill on DDoSattacks
Managed Service at Provider Enterprise Deployment at Data Center
545454© 2005 Cisco Systems, Inc. All rights reserved.Cisco DDoS MitigationService Provider Solutions
top related