TRANSCRIPT
![Page 1: BUILDING 100G DDOS MITIGATION DEVICE WITH FPGA TECHNOLOGY · Protector looks for exceeding traffic thresholds per IP prefixes Time window is configurable (default 1 s) Simple static](https://reader034.vdocument.in/reader034/viewer/2022042222/5ec8f339383a8725897caf20/html5/thumbnails/1.jpg)
BUILDING 100G DDOS MITIGATION DEVICE
WITH FPGA TECHNOLOGY
Martin Žádník CESNET
2018
Brno
MOTIVATION
DDoS attacks
DDoS attacks as a service
DDoS-for-hire industry
Booters/Stresser service
Mirai
STATS
AKAMAI ■ Several hundred DDoS attacks per year
■ Largest more than 1 Tbps
CESNET ■ An order of magnitude lower volume
■ Similar number of attacks
■ Testing playground
DDOS MITIGATION
RTBH and rate limiting at routers ■ Too coarse-grained
■ Legitimate traffic is rate-limited together with the attack
What's needed ■ More fine-grained
■ An order of magnitude cheaper
■ Customizable
■ Own solution
GOAL
To protect the infrastructure (connectivity)
To reduce the excessive amount of traffic targeting the victim organization
below the limit the organization can actually process
HW ACCELERATION
CESNET experience with network flow probes
Time budget per packet: t_min is the minimum time between consecutive packets on the link, compared with the CPU clock cycles available in that time on a 3.6 GHz CPU
 40 Gb/s    12 ns    ~ 45 CPU clock cycles
100 Gb/s     5 ns    ~ 18 CPU clock cycles
400 Gb/s  1.25 ns    ~  6 CPU clock cycles
Source: John Lockwood, Stanford University
HW ACCELERATION
CESNET experience with network flow probes
Platform ■ Network card with programmable FPGA
■ Own firmware into FPGA
■ Decent server with threaded software
DEPLOYMENT
10× 10 Gbps
1× 100 Gbps
ARCHITECTURE
Software: Detection, Selection, Control, Blocking
Firmware: Net Traffic in, Stats up to the software, Legitimate traffic out
LESSONS LEARNED
Deal with how to deploy ■ Support for VLAN translation
■ Support for routing
■ Support for ARP and ND
■ Dead man's vigilance device
Utilize what is already available ■ BIRD, Suricata (to be utilized)
A practical and straightforward approach usually works well ■ Single direction only
■ Heuristics to deal with various types of attacks
ATTACKS OF INTEREST
Large reflection attacks ■ DNS
■ NTP
■ LDAP
■ SSDP
■ SNMP
■ CharGEN
TCP SYN flood
DETECTION: REFLECTION
The Protector looks for traffic exceeding thresholds per IP prefix
The time window is configurable (default 1 s)
Simple static rules set by the administrator, for example:
„VUT UDP“ dst net 147.229.0.0/16 protocol 17 src port 53 threshold 1 Gbps limit 100 Mbps
If matching traffic (UDP from source port 53 towards 147.229.0.0/16) exceeds 1 Gbps, reduce it to 100 Mbps
MITIGATION
Drop matching traffic from the IP addresses that contributed the most to exceeding the threshold
To this end ■ Keep the contribution of each IP address
■ If the threshold is exceeded, choose enough IP addresses to bring the traffic below the limit
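The detection rule and the top-contributor selection from the two slides above, as an added example (not CESNET's Protector code). It parses the slide's rule notation, applies it to a constructed one-second window of per-source counters (the kind of statistics the firmware exports to the software), and greedily drops the largest contributors until the remaining matching traffic fits under the limit. The rule grammar, the counter record layout, the sample addresses and the greedy selection are this example's assumptions.

```python
"""Per-prefix threshold detection and top-contributor blocking.

Added example, not CESNET Protector code. Takes the slide's rule
  "VUT UDP" dst net 147.229.0.0/16 protocol 17 src port 53 threshold 1 Gbps limit 100 Mbps
plus a constructed one-second window of per-source counters and decides
which sources to drop. Rule grammar, record layout and greedy selection
are assumptions made for illustration.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNITS = {"bps": 1, "Kbps": 1e3, "Mbps": 1e6, "Gbps": 1e9}


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: object        # ipaddress network the rule protects
    protocol: int          # 17 = UDP
    src_port: int          # reflector service port (53 = DNS)
    threshold_bps: float   # start mitigating above this rate
    limit_bps: float       # bring matching traffic down to this rate


def parse_rule(text):
    """Parse one static rule written in the slide's notation."""
    tokens = shlex.split(text.replace("„", '"').replace("“", '"'))
    name, rest = tokens[0], tokens[1:]
    fields, i = {}, 0
    while i < len(rest):
        if rest[i] in ("dst", "src"):              # "dst net X" / "src port N"
            fields[f"{rest[i]}_{rest[i + 1]}"] = rest[i + 2]
            i += 3
        elif rest[i] in ("threshold", "limit"):    # "<value> <unit>"
            fields[rest[i]] = float(rest[i + 1]) * UNITS[rest[i + 2]]
            i += 3
        else:                                      # "protocol N"
            fields[rest[i]] = rest[i + 1]
            i += 2
    return Rule(name, ip_network(fields["dst_net"]), int(fields["protocol"]),
                int(fields["src_port"]), fields["threshold"], fields["limit"])


@dataclass(frozen=True)
class Counter:
    """Bytes seen from one source in the current window (constructed sample)."""
    src: str
    dst: str
    protocol: int
    src_port: int
    byte_count: int


def matches(rule, rec):
    return (rec.protocol == rule.protocol and rec.src_port == rule.src_port
            and ip_address(rec.dst) in rule.dst_net)


def contributions(rule, counters, window_s=1.0):
    """Per-source rate (bps) of traffic matching the rule, and the total."""
    per_src = defaultdict(float)
    for rec in counters:
        if matches(rule, rec):
            per_src[rec.src] += rec.byte_count * 8 / window_s
    return dict(per_src), sum(per_src.values())


def select_blocks(per_src, total_bps, limit_bps):
    """Greedy: drop the largest contributors until the remainder fits the limit.
    Sources below the cut, e.g. a busy but legitimate resolver, keep flowing."""
    blocked, remaining = [], total_bps
    for src, bps in sorted(per_src.items(), key=lambda kv: kv[1], reverse=True):
        if remaining <= limit_bps:
            break
        blocked.append(src)
        remaining -= bps
    return blocked


def evaluate(rule, counters, window_s=1.0):
    """One window: return (total matching bps, list of sources to block)."""
    per_src, total = contributions(rule, counters, window_s)
    if total <= rule.threshold_bps:
        return total, []                           # under threshold: no action
    return total, select_blocks(per_src, total, rule.limit_bps)


RULE = parse_rule('„VUT UDP“ dst net 147.229.0.0/16 protocol 17 src port 53 '
                  'threshold 1 Gbps limit 100 Mbps')

# Constructed window: three amplifying DNS reflectors, one legitimate resolver,
# and two records that must not match (wrong source port, destination outside the prefix).
SAMPLE_WINDOW = [
    Counter("203.0.113.10", "147.229.1.1", 17, 53, 80_000_000),    # 640 Mbps
    Counter("203.0.113.11", "147.229.1.1", 17, 53, 50_000_000),    # 400 Mbps
    Counter("203.0.113.12", "147.229.1.1", 17, 53, 20_000_000),    # 160 Mbps
    Counter("198.51.100.5", "147.229.1.1", 17, 53, 2_000_000),     # 16 Mbps, legitimate
    Counter("198.51.100.6", "147.229.1.1", 17, 123, 100_000_000),  # NTP, rule does not match
    Counter("203.0.113.13", "192.0.2.1", 17, 53, 100_000_000),     # other prefix, no match
]

if __name__ == "__main__":
    total, blocked = evaluate(RULE, SAMPLE_WINDOW)
    print(f"{RULE.name}: {total / 1e6:.0f} Mbps matching, block {blocked}")
```

The window totals 1,216 Mbps of matching traffic, above the 1 Gbps threshold; the three reflectors are dropped in order of contribution, which leaves 16 Mbps under the 100 Mbps limit while the legitimate resolver is untouched. The selection is recomputed every window, so a source that stops contributing is unblocked on the next evaluation.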
EXAMPLE
[Chart: traffic in Gbps over time (0 to 23), with Optimal and Limit lines]
EXAMPLE
[Chart: traffic in Gbps per unordered IP address (1 to 33)]
EXAMPLE
[Chart: traffic in Mbps per unordered IP address (1 to 29), with the Limit line]
TCP SYN FLOOD I.
SYN drop heuristic
TCP SYN FLOOD II.
RST cookies: an alternative to SYN drop
The Protector answers the SYN with a deliberately invalid SYN-ACK
If the client responds with an RST, its address is whitelisted (a spoofed source never responds)
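The two SYN-flood heuristics named on these slides, as an added simulation that is not Protector's firmware. The SYN-drop class discards the first SYN of each connection attempt and accepts its retransmission, which a real TCP stack sends and a spoofed flood source does not. The RST-cookie class answers an unknown client's SYN with a SYN-ACK whose acknowledgement number is a keyed hash instead of the expected ISN+1; a real stack in SYN-SENT answers an unacceptable ACK with an RST whose sequence number equals that bogus ACK (RFC 793), which proves the source is reachable and whitelists it. The segment model, the retransmission window, the keyed-hash cookie construction and the addresses are this example's assumptions.

```python
"""SYN-drop and RST-cookie source validation, simulated.

Added example, not CESNET Protector code. The slides name both heuristics;
the segment model, timeouts, cookie construction and addresses are assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """Minimal TCP segment model (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class SynDrop:
    """Drop the first SYN of a connection attempt, accept its retransmission.
    A real TCP stack retransmits an unanswered SYN after roughly a second;
    a flood source sending spoofed SYNs never does."""

    def __init__(self, retransmit_window_s=4.0):
        self.window = retransmit_window_s
        self.first_syn = {}  # (src, sport, dst, dport, seq) -> time first seen

    def filter(self, seg, now):
        if seg.flags != "S":
            return "pass"                      # only SYNs are challenged
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        first = self.first_syn.get(key)
        if first is not None and now - first <= self.window:
            del self.first_syn[key]            # retransmission seen: real client
            return "pass"
        self.first_syn[key] = now              # (re)start the challenge
        return "drop"


class RstCookie:
    """Answer an unknown source's SYN with a SYN-ACK carrying a bogus ACK number
    (the cookie). The cookie is a keyed hash of the 4-tuple, so no per-SYN state
    is kept. A genuine client replies RST with SEQ equal to the bogus ACK, which
    whitelists its address; spoofed sources never answer."""

    def __init__(self, secret):
        self.secret = secret
        self.whitelist = set()

    def cookie(self, seg):
        key = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}".encode()
        digest = hashlib.blake2b(key, key=self.secret, digest_size=4).digest()
        # With probability 2^-32 this equals the client's ISN+1; the client then
        # ACKs instead of RSTing, is not whitelisted, and simply retries later.
        return int.from_bytes(digest, "big")

    def handle(self, seg):
        """Return (action, challenge) with action in {"pass", "drop", "whitelist"}."""
        if seg.src in self.whitelist:
            return "pass", None
        if seg.flags == "S":
            challenge = Seg(src=seg.dst, dst=seg.src, sport=seg.dport, dport=seg.sport,
                            seq=0, ack=self.cookie(seg), flags="SA")
            return "drop", challenge           # SYN is absorbed, challenge sent back
        if seg.flags == "R" and seg.seq == self.cookie(seg):
            self.whitelist.add(seg.src)        # proof that the source is reachable
            return "whitelist", None
        return "drop", None


def client_answer(synack, client_isn):
    """What a real TCP stack in SYN-SENT does with the SYN-ACK it receives."""
    if synack.ack != (client_isn + 1) & 0xFFFFFFFF:
        # Unacceptable ACK: <SEQ=SEG.ACK><CTL=RST> (RFC 793, section 3.9)
        return Seg(src=synack.dst, dst=synack.src, sport=synack.dport, dport=synack.sport,
                   seq=synack.ack, ack=0, flags="R")
    return Seg(src=synack.dst, dst=synack.src, sport=synack.dport, dport=synack.sport,
               seq=client_isn + 1, ack=synack.seq + 1, flags="A")


def demo():
    """Run a real client and a spoofed flood source through both heuristics."""
    results = {}
    syn = Seg("198.51.100.7", "147.229.1.1", 40000, 80, 1000, 0, "S")

    sd = SynDrop()
    results["syn_drop_first"] = sd.filter(syn, now=0.0)       # dropped
    results["syn_drop_retransmit"] = sd.filter(syn, now=1.0)  # retransmission passes

    rc = RstCookie(secret=b"example-secret")                  # assumed secret
    action, challenge = rc.handle(syn)
    results["rst_first_syn"] = action
    rst = client_answer(challenge, client_isn=1000)           # real stack resets
    results["rst_reply_flags"] = rst.flags
    results["rst_validate"] = rc.handle(rst)[0]               # whitelisted
    results["rst_second_syn"] = rc.handle(syn)[0]             # now passes

    spoofed = Seg("203.0.113.99", "147.229.1.1", 1234, 80, 5, 0, "S")
    rc.handle(spoofed)                        # challenge goes to a host that never sent it
    forged = Seg("203.0.113.99", "147.229.1.1", 1234, 80,
                 (rc.cookie(spoofed) + 1) & 0xFFFFFFFF, 0, "R")  # wrong guess at the cookie
    results["forged_rst"] = rc.handle(forged)[0]
    results["spoofed_retry"] = rc.handle(spoofed)[0]          # still dropped
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

Both heuristics cost a legitimate client one round trip (or one SYN retransmission timeout) on its first connection and nothing afterwards, while a source that cannot receive replies never gets through. The whitelist and the SYN-drop table need an expiry policy in a real deployment; the simulation leaves them unbounded.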
FEATURES
Wire-speed throughput of 100 Gbps
Extremely low latency (microseconds)
Support for IPv6, TCP flags and fragments
Configuration: Linux CLI + database of rules
Stats: SNMP, logs
PLANS
Extended blocking capacity
Support for various heuristics
Build a less proprietary interface ■ BGP FlowSpec
■ Cisco-like CLI
Release ■ Polish it until anyone can use it
■ Offer it to others
CONCLUSION
A straightforward, extensible and customizable solution
Deployed in the production CESNET backbone
Interest from other entities
THANK YOU FOR YOUR ATTENTION
TRAFFIC REDIRECTION
Forward suspicious traffic to the Protector
Return the cleansed traffic to the target destination
DETAILED REDIRECTION