© 2004 Cisco Systems, Inc. All rights reserved. Infrastructure Security, 3/04
Protection On-Demand: Ensuring Resource Availability
Dan Touitou
Agenda
The Growing DDoS Challenge
Existing Solutions
Our Approach
Technical Overview
How do DDoS Attacks Start?
Innocent PCs & Servers turn into ‘Zombies’
(Diagram: PCs and DNS/Email servers labelled as ‘Zombies’)
The Effects of DDoS Attacks
– Server-level DDoS attacks
– Bandwidth-level DDoS attacks
– Infrastructure-level DDoS attacks
(Diagram: DNS and Email servers shown as targets)
Attack Zombies: massively distributed, spoof source IP, use valid protocols
Attacks – examples
• SYN attack
– Huge number of crafted spoofed TCP SYN packets
– Fills up the “connection queue”
– Denial of TCP service
• HTTP attacks
– Attackers send a lot of “legitimate” HTTP requests
A few of the Latest High Profile Attacks
• Payment Gateways – extortion (on the news)- Authorize.net, PSIGateway, Worldpay, 2checkout
• Online Brokerage firms (confidential)
• Commercial banks (confidential)
• Mydoom Worm – Microsoft, SCO, Yahoo, Lycos, Google
• Doubleclick – DNS servers
• Akamai - DNS servers
• Online gambling sites – extortion
• Many others, but most companies will not want the world to know that they were attacked
Distributed Denial of Service Attacks
• DDoS is often driven by financial motivation
– DoS for hire
– Economically-driven
– Politically driven
– Cyber terrorism
• DDoS cannot be ignored: modern business depends on effective handling of attacks
Extortion Process
• Target enterprise gets an attack to prove the attackers’ capabilities
• Typically followed by a demand to transfer about $10,000 at a time to a European bank account
– Extorter can withdraw the money using an ATM machine without showing his face in the bank
• Attackers use over 100K PCs
• Latest attacks were 2 – 3 Gbps
• The attackers can change the attack type very quickly (Change protocol, change target etc.)
Attack Evolution: Stronger and More Widespread
Two scaling dimensions: scale of attacks and sophistication of attacks
– Past: non-essential protocols (e.g. ICMP), 100s of sources, 10Ks packets/sec
– Present: essential protocols, spoofed, 10Ks of zombies, 100Ks packets/sec
– Emerging: compound and morphing, 100Ks of zombies, million+ packets/sec
Existing Solutions
SYN Cookies – how it works
Source → Guard: syn(isn#)
Guard → Source: synack(cky#, isn#+1) WS=0   [stateless part: state is created only for authenticated connections]
Source → Guard: ack(cky#+1)
Guard → Target: syn(isn#)
Target → Guard: synack(isn’#, isn#+1)
Guard → Target: ack(isn’#+1)
Guard → Source: ack(isn#+1) WS<>0
Sequence # adaptation on the established connection
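The stateless phase and the sequence-number adaptation above, as an added Python example (not Riverhead/Cisco code): `syn_cookie`, `verify_ack` and `SeqAdapter` are hypothetical names, the cookie is an HMAC over the 4-tuple and a coarse time counter, and any addresses used with it are constructed test values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

MOD = 1 << 32   # TCP sequence numbers are 32-bit

def syn_cookie(secret, src, sport, dst, dport, t):
    """Stateless cookie the guard uses as its ISN in synack(cky#, isn#+1).

    No per-connection state exists yet; the cookie is recomputable from the
    4-tuple, a secret and a coarse time counter t, whose low 8 bits are
    stored in the cookie so the verifier can bound its age.
    """
    msg = f"{src}:{sport}->{dst}:{dport}|{t}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    h = struct.unpack(">I", mac[:4])[0]
    return ((h & ~0xFF) | (t & 0xFF)) % MOD

def verify_ack(secret, src, sport, dst, dport, ack, now, max_age=2):
    """True only if ack == cky#+1 for a cookie minted within max_age ticks.
    Only then does the guard create state and open the connection to the target."""
    t_low = (ack - 1) & 0xFF
    for age in range(max_age + 1):
        t = now - age
        if (t & 0xFF) == t_low and (
                syn_cookie(secret, src, sport, dst, dport, t) + 1) % MOD == ack % MOD:
            return True
    return False

@dataclass
class SeqAdapter:
    """Sequence-number adaptation after the guard's own handshake with the
    target returned synack(isn'#, isn#+1): the source believes the server ISN
    is cky#, the target uses isn'#, so the guard shifts server-side sequence
    numbers by the difference on every later segment."""
    cky: int
    isn_target: int

    def to_source(self, seq_from_target):
        return (seq_from_target - self.isn_target + self.cky) % MOD

    def to_target(self, ack_from_source):
        return (ack_from_source - self.cky + self.isn_target) % MOD
```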
Blackholing
(Diagram: Server1, Victim and Server2 behind routers R1–R5, 1000 and 100 Mbps links, FE peering)
= Disconnecting the customer
At the Edge / Firewall/IPS
(Diagram: same topology as the blackholing slide, mitigation placed at the edge)
• Easy to choke
• Point of failure
• Not scalable
At the Backbone
(Diagram: same topology as the blackholing slide, mitigation placed in the backbone)
• Throughput
• Point of failure
• Not scalable
Cisco Solution
Dynamic Diversion Architecture
1. Detect (Detector XT, or Cisco IDS, Arbor Peakflow)
2. Activate: Auto/Manual
3. Divert only the target’s traffic (Guard XT BGP announcement)
(Diagram: Target, non-targeted servers, Guard XT, Detector XT)
Dynamic Diversion Architecture
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely
(Diagram: Guard XT, Target, non-targeted servers, Detector XT or Cisco IDS, Arbor Peakflow)
Technical overview
• Diversion/Injection
• Anti Spoofing
• Anomaly Detection
• Performance Issues
Diversion
How to “steal” traffic without creating loops?
Diversion – one example: L3 next hop
BGP diversion: announce a longer prefix from the guard, with the no-export and no-advertise communities
Injection: send directly to the next L3 device
Diversion – L3 next hop application
(Diagram: ISP 1 and ISP 2, Router, Switch, Firewall, Internal network with DNS servers and Web, Chat, E-mail, etc.; Guard XT attached over Gigabit Ethernet; Riverhead Detector XT watching the Target and raising an Alert; Web console)
Diversion – one example: injecting with tunnels
BGP diversion: announce a longer prefix from the guard, with the no-export and no-advertise communities
Injection: send directly to the next L3 device
Diversion – one example: long distance diversion
(Diagram: target 61.1.1.1)
Filtering bad traffic
• Anti Spoofing
• Anomaly detection
• Performance
Guard Architecture – high level
(Diagram components)
Data Plane: Rate Limiter, Sampler, Flex Filter, Bypass Filter, Classifier (Static & Dynamic Filters), Anti-Spoofing Modules (Basic, Strong), Drop Packets, AS Replies
Control & Analysis Plane: Analysis, Anomaly Recognition Engine, Connections & Authenticated Clients, Policy Database, Insert filters, Management
Anti-spoofing
Unidirectional…
Anti-Spoofing Defense – one example: HTTP
Anti-spoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
Source → Guard: Syn(isn#)
Guard → Source: synack(cky#, isn#+1)   1. SYN cookie alg.
Source → Guard: ack(isn#+1, cky#)
Source → Guard: GET uri
Guard → Source: Redirect to same URI   2. Redirect rqst
fin / fin                              3. Close connection
Client authenticated
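An added Python model of the three steps above (not the Guard's own implementation): `HttpAntiSpoof` is a hypothetical name, and the guard is assumed to have terminated the first connection itself via SYN cookies, so the redirect is what lets a genuine client come back on a fresh connection that can be forwarded to the target.

```python
from dataclasses import dataclass, field


@dataclass
class HttpAntiSpoof:
    """Guard-side state for the 'redirect to the same URI' check.

    under_attack: the guard only authenticates sources while the target is
    being attacked; otherwise every request is forwarded untouched.
    authenticated: source IPs that completed the full exchange once.
    """
    under_attack: bool = True
    authenticated: set = field(default_factory=set)

    def on_request(self, src_ip, request_line, host):
        """Return (action, bytes_to_send) for the first request line seen on a
        connection that the guard terminated itself via SYN cookies (step 1).

        'forward'  - hand the request to the protected target
        'redirect' - answer 302 to the same URI and close (steps 2 and 3)
        'drop'     - not an HTTP request line at all
        """
        if not self.under_attack or src_ip in self.authenticated:
            return "forward", b""
        parts = request_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            return "drop", b""
        _method, uri, version = parts
        # Reaching this point already proves src_ip is not spoofed (the SYN
        # cookie ACK came back); record it so the retried request is forwarded.
        self.authenticated.add(src_ip)
        response = (f"{version} 302 Found\r\n"
                    f"Location: http://{host}{uri}\r\n"
                    "Content-Length: 0\r\n"
                    "Connection: close\r\n\r\n")   # step 3: close the connection
        return "redirect", response.encode()
```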
RST cookies – how it works
Source → Guard: syn(isn#)
Guard → Source: ack(,cky#)
Source → Guard: rst(cky)
Client authenticated
Source → Target (via Guard): syn(isn#)
Anti-Spoofing Defense – one example: DNS client-resolver (over UDP)
Anti-spoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified
Client → Guard: Ab.com rqst UDP/53
Guard → Client: Ab.com reply TC=1
Client → Guard: syn; Guard → Client: synack; Client → Guard: ack
Client → Target (via Guard): Ab.com rqst TCP/53
Target → Client: Reply
Authenticated IP
Repeated IP – UDP: Ab.com rqst UDP/53, Reply
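An added Python example of the TC=1 exchange above (not the Guard's own code): `build_query` constructs the sample query, `truncated_reply` builds the TC=1 answer from the client's own question, and `DnsAntiSpoof` tracks which source IPs have completed the TCP retry; all names are hypothetical.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits

def build_query(ident, name, qtype=1):
    """Constructed client query (one question, RD set) used as sample input."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!6H", ident, RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_section(query):
    """Return the first question (QNAME + QTYPE + QCLASS) of a DNS message."""
    pos = 12
    while pos < len(query) and query[pos] != 0:
        if query[pos] & 0xC0:
            raise ValueError("compression pointer in question")
        pos += 1 + query[pos]
    if pos + 5 > len(query):
        raise ValueError("truncated question")
    return query[12:pos + 5]

def truncated_reply(query):
    """Echo the question with QR=1 and TC=1 and no answers: a genuine resolver
    retries the same question over TCP/53, which a spoofed source cannot do."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    ident, flags = struct.unpack("!HH", query[:4])
    flags = (flags | QR | TC) & ~0x000F          # keep opcode/RD, RCODE = 0
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + question_section(query)

class DnsAntiSpoof:
    """Per-source authentication state the guard keeps while under attack."""
    def __init__(self):
        self.authenticated = set()

    def on_query(self, src_ip, transport, query):
        """Return ('forward', None), ('reply', bytes) or ('drop', None)."""
        if transport == "tcp":
            self.authenticated.add(src_ip)    # the TCP handshake proved src_ip is real
            return "forward", None
        if src_ip in self.authenticated:
            return "forward", None            # repeated IP: UDP now passes
        try:
            return "reply", truncated_reply(query)
        except ValueError:
            return "drop", None
```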
Anomaly Detection Against Non-Spoofed Attacks
• Extensive profiling
– Hundreds of anomaly sensors per victim
– For global, proxies, discovered top sources, typical source, …
• Auto discovery and profiling of services
– Automatically detects HTTP proxies and maintains specific profiles
– Learns individual profiles for top sources, separate from the composite profile
• Depth of profiles
– PPS rates
– Ratios, e.g. SYNs to FINs
– Connection counts by status
– Protocol validity, e.g. DNS queries
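An added Python sketch of per-sensor profiling (not the Anomaly Recognition Engine itself): `AnomalyEngine` learns a PPS and SYN:FIN baseline for the composite profile and for each source, then flags a window that exceeds mean plus k standard deviations; the names, the threshold rule and the traffic produced by `sample_window` are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

COMPOSITE = "*"   # victim-wide sensor; top sources additionally get their own

def window_counts(packets):
    """packets: (src_ip, tcp_flag) pairs seen in one one-second window.
    Returns {sensor: (pps, syn_to_fin_ratio)} for the composite and each source."""
    pps, syn, fin = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, flag in packets:
        for key in (COMPOSITE, src):
            pps[key] += 1
            syn[key] += flag == "S"
            fin[key] += flag == "F"
    return {k: (pps[k], syn[k] / max(fin[k], 1)) for k in pps}

class AnomalyEngine:
    """Learns a per-sensor baseline, then flags windows outside mean + k*stdev."""

    def __init__(self, k=3.0):
        self.k = k
        self.history = defaultdict(lambda: ([], []))   # sensor -> (pps[], ratio[])

    def learn(self, windows):
        for packets in windows:
            for sensor, (pps, ratio) in window_counts(packets).items():
                self.history[sensor][0].append(pps)
                self.history[sensor][1].append(ratio)

    def _limit(self, values):
        return mean(values) + self.k * pstdev(values) + 1.0   # +1 keeps slack on a flat baseline

    def check(self, packets):
        """Return {sensor: reasons} for sensors outside their learned profile.
        A source never seen during learning is judged against the composite."""
        alerts = {}
        for sensor, (pps, ratio) in window_counts(packets).items():
            base = self.history.get(sensor) or self.history[COMPOSITE]
            reasons = [name for name, value, hist in
                       (("pps", pps, base[0]), ("syn:fin", ratio, base[1]))
                       if value > self._limit(hist)]
            if reasons:
                alerts[sensor] = reasons
        return alerts

def sample_window(srcs, extra=()):
    """Constructed traffic: each src completes five connections (SYN, ACK, ACK, FIN)."""
    return [(s, f) for s in srcs for _ in range(5) for f in "SAAF"] + list(extra)
```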
Performance
• Wire speed requirement …
• GigE = 1.48 million pps…
– Avoid copying
– Avoid interrupt/system call
– Limit number of memory accesses
• PCI bottleneck → DDoS NIC Accelerator
Cosmo board
Replaces the NIC
Handles the data path
Based on the Broadcom BCM1250 integrated processor
BCM1250
Budget: ~500 cycles per packet (memory access 90 cycles)
More performance – clustering
(Diagram: ISP upstreams → Load-leveling router → Riverhead Guards mitigation cluster → Customer switches)
Managed DDoS Services – Cisco Powered Providers
Largest carriers offering “clean pipes” services to F500 enterprises:
– AT&T Internet Protect: DDoS Defense Option for Internet Protect
– IP Defender
– IP Guardian
– and many others
• Full managed services offered:
– Service agreement and multiyear contract typical
– Gigabit+ dedicated capacity with shared overage
– Customized policies
• Part of a managed security services portfolio
Managed DDoS Services – Cisco Powered Providers
Managed hosting providers are offering DDoS protected services:
– PrevenTier DDoS Mitigation Service
– SureArmour DDoS Protection service
– and many others
• Protection offered with hosting:
– A la carte option, bundled with premium services or included with hosting
– Capacity matched to hosting
– Standardized or customized policies
– Service and attack reporting
Comments: [email protected]
THANK YOU!