No description available.
Detecting and Mitigating DoS Attack in a Network : Detecting and Mitigating DoS Attack in a Network Cisco SystemsAgenda: Agenda DDoS Reality Check Detecting Tracing Mitigation Protecting the Infrastructure DDoS Vulnerabilities Multiple Threats & Targets: DDoS Vulnerabilities Multiple Threats & Targets Peering Point POP ISP Backbone Attacked server Attack ombies: Use valid protocols Spoof source IP Massively distributed Variety of attacks Entire data center: Servers, security devices, routers E-commerce, web, DNS, email,… Provider infrastructure: DNS, routers and links Access lineEvolution : Evolution Manually (hack to servers) Non critical Protocols (eg ICMP) Distribution Management # Attackers (Bandwidth) Type of attack Protection Spoofed SYN Enterprise level Firewall/ ACL access routers X0-X00 attackers (X0 Mbps) Email attach Download from questionable site via “chat” ICQ, AIM, IRC Worms ~X00-X,000 Attackers (X00 Mbps) Via botnets ISP/IDC Blackhole ACL DDoS solutions All type of applicatios (HTTP, DNS, SMTP) Spoofed SYN Manually Manually Email attach via “chat” ICQ, AIM, IRC… ~X00,000 attackers (X-X0 Gbps) Legitimate requests Infrastructure elements (DNS, SMTP, HTTP…) Blackhole (?) ACL (?) DDoS solutions Anycast (?) Security Challenges The Cost of Threats: Security Challenges The Cost of Threats Dollar Amount of Loss By Type of Attack - CSI/FBI 2004 SurveyISP Security Incident Response: ISP Security Incident Response ISP’s Operations Team response to a security incident can typically be broken down into six phases: Preparation Identification Classification Traceback Reaction Post MortemSink Hole Routers (for ISP mainly): Sink Hole Routers (for ISP mainly) Use unallocated addresses A lot of them on the Internet… 10.0.0.0/8, 96.0.0.0/4, … Sink hole Router locally advertises these addresses Infected hosts will seek to contact them Log will provide list of locally infected hosts Will be useful for other tricksSink Hole (aka Network Honey Pot) Set-Up: Sink Hole (aka Network Honey Pot) Set-Up Sink Hole Router Infected System XYZSink Hole In Action Worm Detection: Sink Hole In Action Worm Detection Infected System XYZ Sink Hole Router IDS Sensor The very same set-up will be used for other games Could be used for enterprise as wellAgenda: Agenda DDoS Reality Check Detecting Tracing Mitigation Protecting the Infrastructure Identification Tools: Identification Tools Customer/User Phone call CPU Load on Router SNMP – Watching the baseline and tracking variations/surges. Netflow/IPFIX – Traffic Anomaly Detection Tools. Sink Holes – Look for BackscatterNetflow: Statistics per TCP/UDP Flows DoS == Unusual Behavior: Netflow: Statistics per TCP/UDP Flows DoS == Unusual Behavior Real data deleted in this presentation Real data deleted in this presentation Real data deleted in this presentation Potential DoS attack (33 flows) on router1 Estimated: 660 pkt/s 0.2112 Mbps ASxxx is: … ASddd is: … src_ip dst_ip in out src dest pkts bytes prot src_as dst_as int int port port 192.xx.xxx.69 194.yyy.yyy.2 29 49 1308 77 1 40 6 xxx ddd 192.xx.xxx.222 194.yyy.yyy.2 29 49 1774 1243 1 40 6 xxx ddd 192.xx.xxx.108 194.yyy.yyy.2 29 49 1869 1076 1 40 6 xxx ddd 192.xx.xxx.159 194.yyy.yyy.2 29 49 1050 903 1 40 6 xxx ddd 192.xx.xxx.54 194.yyy.yyy.2 29 49 2018 730 1 40 6 xxx ddd 192.xx.xxx.136 194.yyy.yyy.2 29 49 1821 559 1 40 6 xxx ddd 192.xx.xxx.216 194.yyy.yyy.2 29 49 1516 383 1 40 6 xxx ddd 192.xx.xxx.111 194.yyy.yyy.2 29 49 1894 45 1 40 6 xxx ddd 192.xx.xxx.29 194.yyy.yyy.2 29 49 1600 1209 1 40 6 xxx ddd 192.xx.xxx.24 194.yyy.yyy.2 29 49 1120 1034 1 40 6 xxx ddd 192.xx.xxx.39 194.yyy.yyy.2 29 49 1459 868 1 40 6 xxx ddd 192.xx.xxx.249 194.yyy.yyy.2 29 49 1967 692 1 40 6 xxx ddd 192.xx.xxx.57 194.yyy.yyy.2 29 49 1044 521 1 40 6 xxx ddd … … … … … … … … … … … Sink Hole Router Backscatter Analysis: Sink Hole Router Backscatter Analysis Under DDoS victim replies to random destinations -> Some backscatter goes to sink hole router, where it can be analysedBackscatter Analysis: Backscatter Analysis Target Ingress Routers Other ISPs random sources random sources Sink Hole RouterAgenda: Agenda DDoS Reality Check Detecting Tracing Mitigation Protecting the Infrastructure Tracing DoS Attacks: Tracing DoS Attacks If source prefix is not spoofed: -> Routing table -> Internet Routing Registry (IRR) -> direct site contact If source prefix is spoofed: -> Trace packet flow through the network ACL, NetFlow, IP source tracker -> Find upstream ISP -> Upstream needs to continue tracing Nowadays, 1000’s of sources not spoofed -> not always meaningful to trace back…Trace-Back in One Step: ICMP Backscatter: Trace-Back in One Step: ICMP Backscatter Border routers: Allow ICMP (rate limited) On packet drop, ICMP unreachable will be sent to the source Use ACL or routing tricks (routing to NULL interface) All ingress router drop traffic to <victim> And send ICMP unreachables to spoofed source!! Sink hole router logs the ICMPs!Trace-Back Made Easy: ICMP Backscatter Step 1: no drop: Trace-Back Made Easy: ICMP Backscatter Step 1: no drop Target Ingress Routers Other ISPs random sources random sources Sink hole RouterTrace-Back Made Easy: ICMP Backscatter Step 2: Drop Packets: Trace-Back Made Easy: ICMP Backscatter Step 2: Drop Packets Target Ingress Routers Other ISPs Sink hole Router with logging ICMP unreachablesAgenda: Agenda DDoS Reality Check Detecting Tracing Mitigation Protecting the Infrastructure At the Edge / Firewalls ACL/QoS to Drop/Throttle DDoS Traffic : At the Edge / Firewalls ACL/QoS to Drop/Throttle DDoS Traffic Server1 Target Server2 R3 R1 R2 R5 R4 R R R 1000 1000 FE peering 100 Easy to choke Point of failure Not scalable Consumer tuned Too lateAt the Routers in the Network ACL/QoS to Drop/Throttle DDoS Traffic : At the Routers in the Network ACL/QoS to Drop/Throttle DDoS Traffic Server1 Victim Server2 R3 R1 R2 R5 R4 R R R 1000 1000 FE peering 100 Rand. Spoofing? Throws good with bad ~X0,000 ACLs? ACLs, Upper bound on traffic Black Holing the DoS Traffic Re-Directing Traffic to the Victim: Black Holing the DoS Traffic Re-Directing Traffic to the Victim Target Ingress Routers Other ISPs Sink hole Router: Announces route “target/32” Logging!! Keeps line to customer clear But cuts target host off completely Discuss with customer!!! Just for analysis normallyIdentifying and Dropping only DDoS Traffic/1: Identifying and Dropping only DDoS Traffic/1 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module (or Cisco IDS or third- party system) Cisco Anomaly Guard ModuleIdentifying and Dropping only DDoS Traffic/2: Identifying and Dropping only DDoS Traffic/2 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect TargetIdentifying and Dropping only DDoS Traffic/3: Identifying and Dropping only DDoS Traffic/3 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect Target 2. Activate: Auto/ManualIdentifying and Dropping only DDoS Traffic/4: Identifying and Dropping only DDoS Traffic/4 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect Target 2. Activate: Auto/Manual 3. Divert only target’s traffic Route update: RHI internal, or BGP/other external Identifying and Dropping only DDoS Traffic/5: Identifying and Dropping only DDoS Traffic/5 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect Target 2. Activate: Auto/Manual 3. Divert only target’s traffic 4. Identify and filter malicious traffic Traffic Destined to the TargetIdentifying and Dropping only DDoS Traffic/6: Identifying and Dropping only DDoS Traffic/6 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect Target 2. Activate: Auto/Manual 3. Divert only target’s traffic 4. Identify and filter malicious traffic Traffic Destined to the Target Legitimate Traffic to Target 5. Forward legitimate trafficIdentifying and Dropping only DDoS Traffic/7: Identifying and Dropping only DDoS Traffic/7 Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module 1. Detect Target 2. Activate: Auto/Manual 3. Divert only target’s traffic 4. Identify and filter malicious traffic Traffic Destined to the Target Legitimate Traffic to Target 5. Forward legitimate traffic 6. Non-targeted traffic flows freelySlide31: Active Verification Statistical Analysis Layer 7 Analysis Rate Limiting Multi-Verification Process (MVP) Integrated Defenses in the Guard XT Legitimate + attack traffic to target Dynamic & Static Filters Detect anomalous behavior & identify precise attack flows and sourcesSlide32: Active Verification Statistical Analysis Layer 7 Analysis Rate Limiting Legitimate + attack traffic to target Dynamic & Static Filters Apply anti-spoofing to block malicious flows Multi-Verification Process (MVP) Integrated Defenses in the Guard XTAnti-Spoofing Example – http/TCP : Anti-Spoofing Example – http/TCP SrcIP, Source IP Guard Syn(c#) Synack(c#’,s#’) Hash-function(SrcIP,port,t) ack(c#,s#) SrcIP,port# = Redirect(c#,s#) Syn(c#’) request(c#’,s#’) Victim Verified connections synack(c#,s#)Slide34: Active Verification Statistical Analysis Layer 7 Analysis Rate Limiting Dynamic & Static Filters Legitimate traffic Multi-Verification Process (MVP) Integrated Defenses in the Guard XT Dynamically insert specific filters to block attack flows & sources Apply rate limitsMeasured Response: Measured Response Detection Passive copy of traffic monitoring Analysis Diversion for more granular in-line analysis Flex filters, static filters and bypass in operation All flows forwarded but analyzed for anomalies Basic Protection Basic anti-spoofing applied Analysis for continuing anomalies Strong Protection Strong anti-spoofing (proxy) if appropriate Dynamic filters deployed for zombie sources Anomaly Verified Learning Periodic observation of patterns to update baseline profiles Attack Detected Anomaly IdentifiedAgenda: Agenda DDoS Reality Check Detecting Tracing Mitigation Protecting the Infrastructure Three Planes, Definition: Three Planes, Definition A device typically consists of Data/forwarding Plane: the useful traffic Control Plane: routing protocols, ARP, … Management Plane: SSH, SNMP, … In these slides Control Plane refers to all the Control/Management plane traffic destined to the device. Hardware SoftwareControl Plane Overrun: Control Plane Overrun Loss of protocol keep-alives: line go down route flaps major network transitions. Loss of routing protocol updates: route flaps major network transitions. Near 100% CPU utilization Can prevent other high priority tasksNeed for Control Plane Policing: Need for Control Plane Policing Classify all Control Plane traffic in multiple classes Each class is capped to a certain amount Fair share for each classes or each source in each classes one class cannot overflow the others even an ICMP flood to the router won’t affect routingSlide40: Q and A 40 40 40Slide41: 41 41 41
2007 9 DDOS
By: JJMiller
Cisco Network..
By: dhgardin
The Anti-Hack..
By: ThundaKl..
07 2006 Cisco..
By: Jeremiah
buc Tranh - H..
By: vnlib
06 Enhancing ..
By: Massimo
news cisco
By: Heather
Sol &Lu FOR E..
By: aSGuest1..
hack
By: kakarot3
Tranh Jia Lu
By: MyHanh
logging in or signing up