DDoS Attacks: End-to-End Mitigation
BRKSEC-3009
Nicolas Fevrier, Technical Leader Engineering, @CiscoIOSXR
James Weathersby, Director Technical Marketing
Introduction
• Audience: Service Providers and Enterprises
• Out of the scope of this session: hardening servers against DDoS attacks
• How do we define a DDoS?
  • Distributed: many sources
  • Denial of Service: makes the resource unreachable or out of service
• Many tools are presented here; there is no "one-size-fits-all" solution
Agenda
• Introduction, DDoS Attacks Landscape
• Deployment Models
• Mitigation of
  • Amplification Attacks and other L3 Stateless Attacks
  • HTTP and SSL Volumetric Attacks
  • Attacks on Application and Resources
• End-to-End Mitigation, Cisco Solutions
• Conclusion
Introduction: DDoS Attacks Landscape
Introduction
• Do we still need to explain the risk in 2016?
• Distributed Denial of Service (DDoS) is a very lucrative activity for attackers
• Victims: ISPs and hosting services, governments and education, enterprises, individuals. Everyone is at risk.
• We are just scratching the surface: attack complexity keeps increasing
• DDoS mitigation is about business continuity
Reference: http://www.pcworld.com/article/3002356/protonmail-recovers-from-ddos-punch-after-being-extorted.html
Where are they coming from?
• Compromised sources / botnets (zombies)
• Unpatched CMS (Content Management Systems)
• IADs (home routers) running old software versions
• Unpatched internet services (DNS, NTP, …)
• Cloud (booters, or abused legitimate services)
• Sooner or later, 4G/5G mobile handsets
• IoT ("Botnets of Things")
• …
Largest DDoS Attack in History (figure)
DDoS Failure Points Within the Network
• The Internet pipe became the #1 failure point in 2014
• Extra-large attacks are seen on a daily basis
• Attacks target all types of organizations
• Enabled by "better" technology at the attacker's disposal, via reflective attacks

ATLAS Initiative: Attack Sizes
"Last year, we highlighted that 20 percent of respondents reported attacks over 50 Gbps … This year nearly one-quarter of respondents report peak attack sizes over 100 Gbps."
DDoS Mitigation
Black Holing is NOT DDoS Mitigation
• RTBH (Remotely Triggered Black Hole)
  • A BGP "dummy" route is advertised for the victim
  • Routed to null, or routed to a forensic probe
  • Based on destination address, or on source address (source-based RTBH relies on loose-mode uRPF on the edge routers)
  • Better granularity with BGP FlowSpec
• All traffic (good and bad) to the victim is dropped
• Limits the collateral damage, but the attacker's main objective is attained: the victim is offline
DDoS Mitigation
Mitigation implies business continuity
• Sink holing to scrubbing device(s)
• Differentiation of legitimate and malicious traffic
• The victim's services are maintained
• Collateral damage is avoided
But some types of traffic can only be malicious…
Different Business, Different Targets
Enterprise or Service Provider?
(Diagram: the Internet reaches the Peering/Transit, Edge and Core routers; from the Core, a DC router fronts a DataCenter with Firewall, Web Server, Web Cache and Database; a PE router fronts an Enterprise with Fw, IPS/IDS, DPI, LB/SSL and DNS, Mail, ERP, SAN, …; an Agg router fronts Residential subscribers.)
Different Business, Different Targets
DataCenter and Hosting
(Diagram: Internet → Peering/Transit → Edge → Core → DC router → Firewall → Web Server / Web Cache → Database; the "!" markers show where each attack type hits.)
• Volumetric attacks can saturate the DC router link
• Session floods can overwhelm the stateful firewall capacity
• HTTP attacks can exhaust the web server and cache
• Query attacks can exceed database capacity
• Slow-pace attacks can consume server resources (stack, etc.)
Different Business, Different Targets
Enterprise
(Diagram: Internet → Peering/Transit → Edge → Core → PE router → Enterprise Fw, IPS/IDS, DPI, LB/SSL → DNS, Mail, ERP, SAN, …)
• Volumetric attacks saturate the PE router link
• Session floods can overwhelm the stateful firewall or IDS capacity
• Slow-pace attacks can consume server resources (TCP stack, applications, etc.)
Different Business, Different Targets
Residential Service Provider
(Diagram: Internet → Peering/Transit → Edge → Core → Agg → Residential subscribers)
• Volumetric attacks on a DSL/Cable subscriber
• Can saturate the access and aggregation device
• An attack against an individual can impact all subscribers served by the same access device
Deployment Models
Deployment Models
In-the-Cloud / On-Premises Services
• In-the-Cloud services
  • DNS-based DDoS Protection
  • BGP "inter-AS" based DDoS Protection
  • ISP DDoS Mitigation
• On-Premises services
  • Centralized
  • Distributed
  • Mixed
  • In-line
In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various companies on the internet
• Based on DNS only
• Without protection: the client's local DNS asks the authoritative DNS "Where is mysite.com?", gets "mysite.com is 1.2.3.4", and both legitimate traffic and attack traffic go straight to 1.2.3.4
• Traffic is diverted by announcing a new DNS record: "mysite.com is now 5.6.7.8", the address of the mitigation service's proxy
• Attack traffic to mysite.com now reaches the scrubbing device; good traffic is sent by the proxy to the real IP address 1.2.3.4
• Limits: easy to bypass this protection when the attacker knows the victim's real IP address (DNS history and other records such as MX often reveal it), so the origin should accept traffic only from the provider's proxy ranges
In-the-Cloud Services
BGP-based "inter-AS" DDoS Protection
• Traffic to the victim is steered into the DDoS protection service by advertising a /24 prefix owned by the victim (in the diagram 1.2.3.0/24, more specific than the victim's own 1.2.0.0/16 announcement)
• Similar to a BGP hijack, except that it is done with the prefix owner's consent
• Both legitimate and attack traffic to 1.2.3.4 now land on the scrubbing device; good traffic is filtered and transmitted through a tunnel to the victim

In-the-Cloud Services
BGP-based "inter-AS" DDoS Protection: Limits
• The most specific prefix generally accepted in the internet is a /24: the announcement attracts all traffic for the whole prefix, not only the victim's
• Similar to a BGP hijack: intermediate networks cannot tell the difference
• Future adoption of BGP Origin Validation (RPKI) could make this approach challenging: the /24 must be covered by a ROA that authorises the mitigation provider's origin AS, otherwise the announcement is Invalid and may be dropped by validating networks
In-the-Cloud Services
DDoS Mitigation as a Service
• End customers can buy the service from their ISP and manage their DDoS mitigation themselves
(Diagram: the Enterprise (Fw, IPS/IDS, DPI, DNS, Mail, ERP, SAN, …) behind the ISP Edge calls for help, and the ISP diverts its traffic through a scrubbing device.)
On-Premises: Centralized vs Distributed
• The Centralized approach: a dedicated part of the network, the scrubbing center, handles mitigation; traffic targeted to the victim is diverted from Peering/Transit through the Core to the scrubbing center, then back to the victim
• The Distributed approach: scrubbers are installed at the edge of the backbone (on the Peering/Transit routers), so attack traffic is cleaned where it enters
• Mixed model: distributed scrubbers do the main scrubbing work, and the scrubbing center absorbs the extra load when necessary
Attack Detection: Sampling
• One approach consists in sampling packets on the Peering/Transit/Core routers and exporting statistics (NetFlow) to a collector, which raises an "attack detected" alert for the victim
• Problem: cannot detect low-speed attacks (with 1:N sampling, an attack of a few packets per second is statistically invisible)
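The two sides of sampled detection, as an added example that is not part of the BRKSEC-3009 deck or any Cisco or Arbor product: a collector-style estimator scales 1:N sampled bytes back up per destination and alerts on a volumetric flood, while a Slowloris-style attack with 300 held-open connections leaves at most one sampled packet and is invisible. All packets, addresses, the 1:1000 sampling rate and the 100 Mbit/s threshold are constructed for the illustration.

```python
"""Detecting a volumetric attack from 1:N sampled flow data, and the
blind spot for slow attacks.

Added example, not from the BRKSEC-3009 deck. All packets, addresses,
the 1:1000 sampling rate and the 100 Mbit/s threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int  # bytes on the wire


def sample_1_in_n(packets, n):
    """Deterministic 1:N packet sampling. A router samples (pseudo-)randomly;
    the fixed stride keeps this example reproducible."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def estimate_bps_per_dst(sampled, n, window_s):
    """Scale the sampled byte counts back up by the sampling rate to get an
    estimated bit rate per destination, as a flow collector does."""
    bytes_per_dst = defaultdict(int)
    for p in sampled:
        bytes_per_dst[p.dst] += p.length
    return {dst: b * n * 8 / window_s for dst, b in bytes_per_dst.items()}


def detect_volumetric(packets, n, window_s, threshold_bps):
    """Return {victim: estimated bps} for destinations above the threshold."""
    rates = estimate_bps_per_dst(sample_1_in_n(packets, n), n, window_s)
    return {dst: int(r) for dst, r in rates.items() if r >= threshold_bps}


def sources_seen(packets, dst):
    """Number of distinct sources talking to dst in the given packet list."""
    return len({p.src for p in packets if p.dst == dst})


def build_traffic():
    """One second of constructed traffic on a transit link."""
    pkts = []
    # Normal web traffic to 2.1.1.2: 2,000 packets of 600 bytes (9.6 Mbit/s).
    for i in range(2000):
        pkts.append(Packet(f"192.0.2.{i % 50}", "2.1.1.2", "tcp", 40000 + i % 1000, 443, 600))
    # NTP amplification flood to 2.1.1.1: 50,000 packets of 1400 bytes from
    # 200 reflectors (source port 123), i.e. 560 Mbit/s on this link.
    for i in range(50000):
        pkts.append(Packet(f"203.0.113.{i % 200}", "2.1.1.1", "udp", 123, 12345, 1400))
    # Slowloris-style attack on 2.1.1.3: 300 sources, one 80-byte partial
    # HTTP header each (192 kbit/s in total, but 300 held-open connections).
    for i in range(300):
        pkts.append(Packet(f"10.9.{i // 256}.{i % 256}", "2.1.1.3", "tcp", 50000 + i, 80, 80))
    return pkts


TRAFFIC = build_traffic()

if __name__ == "__main__":
    n, window = 1000, 1.0
    print("alerts:", detect_volumetric(TRAFFIC, n, window, 100_000_000))
    print("sources really attacking 2.1.1.3:", sources_seen(TRAFFIC, "2.1.1.3"))
    print("sources visible after sampling:", sources_seen(sample_1_in_n(TRAFFIC, n), "2.1.1.3"))
```

The flood is reported at its true 560 Mbit/s because its 50 sampled packets scale back cleanly; the 300-connection slow attack contributes a single sampled packet, so neither its rate nor its source count stands out, which is why the deck moves such attacks to an in-line device.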
Attack Detection: In-line Inspection
• The other approach consists in inspecting all packets, in both directions
• Cannot be done in the core at multiples of 100 Gbps
• Needs to be closer to the service platforms (in the diagram, an FP9300 in front of the DataCenter web servers, web cache and database)
• Can correlate traffic from both directions
Infrastructure Protection
Protecting your Infrastructure
Infrastructure ACL / Rate-limiters
• This is common practice
• Some protocols have no reason to cross your network boundaries
• Identify them, then filter or rate-limit them
• Examples (be careful, all networks are different):
  • SSDP UDP 1900
  • NetBIOS UDP 138
  • NTP UDP 123
  • Chargen UDP 19
  • Large TCP SYN packets (what the maximum acceptable size for a SYN packet is remains a big debate)
  • Fragments
• Know exactly what you are doing (controversial): a blanket filter on UDP 123 or 53 also drops the legitimate replies your own NTP clients and resolvers expect
Protecting your Infrastructure
MicroFlow Policer or User-Based Rate-Limiter (UBRL)
• UBRL is a feature available on: Catalyst 6500, Catalyst 4500, ASR 9000
• Used in Enterprise environments, but also in hosting environments
• Extends the QoS concepts to end users
  • Instead of matching and rate-limiting a class of traffic per interface
  • Allows policers per class of traffic per user
• Example:
  • Rate-limit DNS for each user to 500 Mbps
  • Rate-limit NTP for each user in a particular address range to 1 Mbps
• Even more controversial: use only with a perfect understanding of your traffic patterns
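What "a policer per class of traffic per user" means in practice, as an added example that is not Cisco's UBRL implementation: a single-rate token bucket is created lazily per (user, class), where a class is a (protocol, source port) match optionally restricted to a range of user addresses, and traffic for users with no matching class is left alone. The classes reproduce the two rates from the slide; the 10.0.0.0/24 range, the burst sizes and the simulated traffic are constructed.

```python
"""Per-user, per-class policing (the UBRL / microflow-policer idea).

Added example, not Cisco code: a single-rate token-bucket policer keyed
on (user, traffic class). The classes, rates, the 10.0.0.0/24 range and
the simulated traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    proto: str
    sport: int                 # source port of traffic flowing towards the user
    rate_bps: float            # committed rate per user
    burst_bytes: int           # bucket depth per user
    users: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")


# The slide's example: DNS limited to 500 Mbit/s per user, NTP limited to
# 1 Mbit/s per user for users in one particular range (constructed range).
RULES = [
    Rule("dns", "udp", 53, 500_000_000, 625_000),
    Rule("ntp", "udp", 123, 1_000_000, 12_500, ipaddress.ip_network("10.0.0.0/24")),
]


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conform(self, now, length):
        """Refill for the elapsed time, then spend tokens if the packet fits."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes_s)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


class UserPolicer:
    """One bucket per (user, rule); users without a matching rule are unpoliced."""

    def __init__(self, rules):
        self.rules = rules
        self.buckets = {}

    def match(self, user, proto, sport):
        addr = ipaddress.ip_address(user)
        for r in self.rules:
            if r.proto == proto and r.sport == sport and addr in r.users:
                return r
        return None

    def accept(self, now, user, proto, sport, length):
        rule = self.match(user, proto, sport)
        if rule is None:
            return True
        key = (user, rule.name)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(rule.rate_bps, rule.burst_bytes)
        return self.buckets[key].conform(now, length)


def offered_fraction_passed(policer, user, proto, sport, bps, seconds, pkt_len=1400):
    """Offer `bps` of evenly spaced packets to one user; return the fraction passed."""
    count = int(bps * seconds / 8 / pkt_len)
    passed = sum(
        policer.accept(i * seconds / count, user, proto, sport, pkt_len)
        for i in range(count)
    )
    return passed / count


if __name__ == "__main__":
    p = UserPolicer(RULES)
    print("1 Gbit/s DNS to 10.0.0.5:", offered_fraction_passed(p, "10.0.0.5", "udp", 53, 1e9, 0.1))
    print("50 Mbit/s DNS to 10.0.0.6:", offered_fraction_passed(p, "10.0.0.6", "udp", 53, 50e6, 0.1))
    print("10 Mbit/s NTP to 10.0.0.7:", offered_fraction_passed(p, "10.0.0.7", "udp", 123, 10e6, 0.1))
    print("10 Mbit/s NTP to 10.0.1.7:", offered_fraction_passed(p, "10.0.1.7", "udp", 123, 10e6, 0.1))
```

A user receiving 1 Gbit/s of DNS replies is cut to roughly half (the 500 Mbit/s committed rate plus the initial burst), a user receiving 50 Mbit/s of DNS is untouched, and the NTP limit only bites for users inside the configured range. The controversy the slide mentions is visible in the numbers: the burst size and the rate decide how much legitimate traffic a busy user loses, so both must come from measured traffic patterns.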
Introducing BGP FlowSpec

Concept: BGP FlowSpec
• A powerful tool in the SP Security toolbox
• A controller remotely programs forwarding decisions in routers (clients)
• BGP is used to remotely program a rule made of:
  • A traffic description
  • An action to apply to this traffic
• Three elements:
  • Controller
  • Client
  • Route-reflector (optional)
BGP FlowSpec Matching Criteria and Actions
• Traffic is described with L3 and L4 information:
  • Address
  • Port
  • ICMP type and code
  • TCP flags
  • Packet length
  • Fragmentation flags
• Actions can be a mix of:
  • Rate-limit / Drop
  • DSCP remarking
  • Next-hop modification (diversion)
  • VRF leaking
(Diagram: the BGP FS controller (control plane only) peers with the BGP FS clients, optionally via a BGP FS route reflector; each client installs the rule from its control plane (CP) into its data plane (DP).)
More details? BRKSPG-3012: Leveraging BGP FlowSpec to protect your infrastructure
Mitigation Strategies
Amplification Attacks
• Specific stateless attacks based on spoofed source addresses
• No handshake is involved (UDP), so a small request with a spoofed source produces a much larger reply, which is sent to the victim's address (2.1.1.1 in the diagram)
• Use vulnerable protocols on high-bandwidth servers

Amplification Attacks
• DNS
• NTP
• SSDP
• SNMP
• CharGen
• QOTD
And some more protocols discovered in 2015:
• RIPv1
• Port Mapper (UDP 111)
Frequently seen with fragmented packets
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Mitigating Amplification Attacks
Service Provider Perspective
• No need to send it to a "smart" scrubbing system for mitigation: a router will do the same job with much higher performance
• Identified by precisely matching the traffic pattern and filtered at the edge router, as close as possible to the internet, via ACL or BGP FlowSpec
• Example for an NTP amplification towards 2.1.1.1:
  Match: dest-IP: 2.1.1.1 + src-port: 123 + size
Mitigating Amplification Attacks
Enterprise Perspective
• From an end customer or enterprise perspective, no mitigation is possible on site
• Too late: the PE router pipes are already saturated by the much larger replies
• The problem needs to be addressed earlier in the path:
  • Request assistance from the Service Provider (portal, phone call, …)
  • If possible, use BGP FlowSpec to signal a rule filtering the attack in the SP network
  • Use in-the-cloud mitigation services
Mitigating L3 / L4 Stateless Volumetric Attacks
Service Provider Perspective
• Generic family covering:
  • UDP fragments (could be the consequence of an amplification attack)
  • ICMP floods
• Ideally, must be filtered at the edge router via ACL or BGP FlowSpec
• Example with a fragmentation attack and BGP FlowSpec: the BGP FS controller pushes to the edge routers
  Match: dest-IP: 2.1.1.1 + fragment field set
  Action: rate-limit 0 bps
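The two edge-router rules above (amplification: destination + reflector source port + packet size; fragment flood: destination + fragment flag, rate-limit 0) expressed as FlowSpec match components, as an added example that is not code from the deck, from Cisco or from the ExaBGP project. It renders the rule in ExaBGP-style "flow" configuration text written from memory, so check the exact keywords against the ExaBGP version you run; the victim address, the 468-byte length threshold and the "never wider than a /24" scope guard are constructed assumptions, the latter an operational safeguard rather than part of the protocol.

```python
"""Building BGP FlowSpec rules (RFC 5575 match components) for the two
edge-router cases on the slides: a reflection/amplification flood and a
fragment flood towards a victim, rendered as ExaBGP-style flow config.

Added example, not from the deck, Cisco or ExaBGP. Addresses, the
packet-length threshold and the /24 scope guard are constructed; the
rendered syntax is from memory and must be verified against your ExaBGP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reply source ports of the reflector services listed in the deck.
AMPLIFIER_PORTS = {
    "dns": 53, "ntp": 123, "ssdp": 1900, "snmp": 161,
    "chargen": 19, "qotd": 17, "ripv1": 520, "portmapper": 111,
}

MAX_SCOPE_PREFIXLEN = 24   # assumed policy: one rule never covers more than a /24


def in_scope(prefix):
    """True if a rule on this destination prefix passes the assumed scope guard."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen >= MAX_SCOPE_PREFIXLEN


@dataclass
class FlowRule:
    destination: str                      # victim prefix, e.g. "2.1.1.1/32"
    protocol: str = "udp"
    source_port: Optional[int] = None
    min_packet_length: Optional[int] = None
    is_fragment: bool = False
    rate_limit_bps: int = 0               # 0 == drop, as on the slide

    def __post_init__(self):
        # A rule without a tight destination would drop traffic for everyone.
        if not in_scope(self.destination):
            raise ValueError(f"{self.destination} is wider than /{MAX_SCOPE_PREFIXLEN}")
        self.destination = str(ipaddress.ip_network(self.destination, strict=True))

    def match_components(self):
        """Ordered (component, value) pairs in RFC 5575 terms."""
        comps = [("destination", self.destination), ("protocol", self.protocol)]
        if self.source_port is not None:
            comps.append(("source-port", f"={self.source_port}"))
        if self.min_packet_length is not None:
            comps.append(("packet-length", f">={self.min_packet_length}"))
        if self.is_fragment:
            comps.append(("fragment", "[ is-fragment ]"))
        return comps

    def to_exabgp(self):
        """ExaBGP-style flow route text (syntax from memory; verify before use)."""
        lines = ["flow {", "  route {", "    match {"]
        lines += [f"      {k} {v};" for k, v in self.match_components()]
        lines += ["    }", "    then {", f"      rate-limit {self.rate_limit_bps};",
                  "    }", "  }", "}"]
        return "\n".join(lines)


def amplification_rule(victim, service, min_packet_length=468):
    """Rule for reflected replies: victim + reflector service port + large packets."""
    return FlowRule(destination=f"{victim}/32", protocol="udp",
                    source_port=AMPLIFIER_PORTS[service],
                    min_packet_length=min_packet_length)


def fragment_rule(victim):
    """Rule for the fragment flood on the slide: victim + fragment flag, rate-limit 0."""
    return FlowRule(destination=f"{victim}/32", protocol="udp", is_fragment=True)


if __name__ == "__main__":
    print(amplification_rule("2.1.1.1", "ntp").to_exabgp())
    print(fragment_rule("2.1.1.1").to_exabgp())
```

The packet-length component is what keeps the amplification rule from killing the victim's own small NTP or DNS replies: a reflected flood is made of large answers, so matching only on source port 123 would be too wide. The scope guard rejects a rule such as "2.1.0.0/16", which would otherwise be a self-inflicted black hole pushed to every edge router.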
Mitigating L3 / L4 Stateless Volumetric Attacks
Enterprise Perspective
• If the amount of attack traffic exceeds the PE link capacity, it is the same situation as with amplification attacks: too late, it needs to be addressed earlier in the path
  • Request assistance from the SP, if possible use BGP FlowSpec, or hire an in-the-cloud service
Mitigating L3 / L4 Stateless Volumetric Attacks
Enterprise Perspective
If the amount of attack traffic does NOT exceed the PE link capacity:
• An inline mitigation solution can be used
• Several security services can be collapsed into a FirePower 9300, including NGFW and DDoS mitigation
TCP SYN, HTTP, SSL and SIP Volumetric Attacks
• More advanced attacks using botnets, or even real users (LOIC), need to be addressed differently, by a specific scrubbing device. Examples:
  • SYN floods: usually spoofed sources
  • HTTP: bots mimicking the behavior of a real web browser
  • SSL
  • SIP
(Diagram: requests from many sources converge on 2.1.1.1, which has to reply to each of them.)
Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
• Stateful attacks that need to be challenged by advanced countermeasures
• Traffic targeted to the victim needs to be diverted to a scrubbing device
  • Locally, for a distributed architecture
  • Remotely, for a centralized architecture (traffic re-injection is a topic by itself: the cleaned traffic must reach the victim without matching the diversion rule again, or it loops)
• Example with BGP FlowSpec:
  Match: dest-IP: 2.1.1.1 + dest-port: 80
  Action: NH @TMS (next-hop set to the scrubbing device)
Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
(Diagram: two views of Internet → Peering/Transit → Edge → Core → DC → Firewall → Web Server / Web Cache → Database; in the first the "!" markers sit on the firewall, web tier and database, in the second, after diversion, they are gone.)
Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
• The closer to the internet, the better
• Diversion can be done in many different ways, and the choice has a direct influence on the re-injection strategy too:
  • BGP FlowSpec
  • More-specific route injection
  • VRF leaking (VRF Clean / VRF Dirty)
• Use Arbor TMS software in the ASR 9000 VSM card
  • Rich set of countermeasures
  • High performance, boosted by the Dynamic Black-List Offload feature
Mitigating SYN floods, HTTP, SSL and SIP Attacks
Enterprise Perspective
• If the PE capacity (in bandwidth and PPS) is not exceeded, the firewall is the first stage of the security infrastructure hit by TCP SYN flood attacks
• Server resources can be impacted by SYN floods too
Mitigating SYN floods, HTTP and SSL Attacks
Enterprise Perspective
• If replacing the on-site security infrastructure is not possible: request assistance from the SP or hire an in-the-cloud service
• Otherwise, an inline mitigation solution should be used
• The Radware DefensePro solution running in the FirePower 9300 can be used to protect the firewall
Particular Case of Residential Subscribers
Service Provider Perspective
• Volumetric attacks on a DSL/Cable subscriber create a lot of collateral damage
• Victims can be easily identified based on their IP address blocks
• Attacks are detected instantly: a 25 Mbps DSL subscriber cannot receive multiple Gbps
• Auto-mitigation presents no false-positive risk in this case, since the detection threshold sits far above the subscriber's line rate
Particular Case of Residential Subscribers
Service Provider Perspective
• Auto-mitigation is triggered and traffic for this host is diverted to the local or centralized scrubbing system
• Service for the subscriber is restored
• More importantly, the collateral damage is no longer present
Slow Pace Attacks
• Attacks against server resources
• Cannot be detected by traffic sampling; require inline system(s)
• Low and Slow attacks: Slowloris
• HTTP floods
• SSL floods
• SQL injection
• XSS, CSRF
• Brute force
• Application misuse
(Diagram: the attack passes the PE, FW, DPI, IPS/IDS and LB/SSL and lands on the servers: DNS, Mail, ERP, SAN, …)
Slow Pace Attacks
DC and Enterprise Perspective
• The Service Provider doesn't have any visibility on these attacks
• They can only be detected
  • On the victim
  • With a device in-line
[Diagram: The Internet, Peering, Transit, Edge, Core; a DataCenter with an FP9300 in front of Web Server, Web Cache and Database; an Enterprise behind a PE with an FP9300 in front of DNS, Mail, ERP, SAN, …]
Cisco Partnerships
Partnership
• Cisco established partnerships with two major actors in this industry
  • Arbor Networks
  • Radware
• Different products for different positions / roles
  • SP edge / scrubbing center based on traffic diversion
  • DC and enterprise in-line analysis
• Arbor products are used in ASR9000
• Radware products are used in FirePower 9300
Cisco Partnerships
Arbor Networks
Arbor SP solution
Portfolio
Arbor Networks offers a variety of products to address DDoS attack detection and mitigation
• Arbor SP (formerly known as Peakflow SP / Collector Platform CP)
  • Collects Flow records
  • Detects abnormal network behavior and triggers alerts
  • Can influence the routing, injecting BGP routes in the network
  • Supports BGP FlowSpec as a Controller
  • Sets up and monitors the TMS remotely
  • Software can run in a virtual machine
  • Orderable in the Cisco Price List
• Arbor TMS (Threat Management System)
  • Configured by the SP, receives diverted traffic and proceeds to in-depth packet analysis
  • Discards the attack packets and transmits the legitimate ones
  • Provides real-time monitoring info to operators
  • Software running in the ASR9000 VSM line card
Arbor SP solution: Cisco vDDoS Protection Solution
Integration in ASR9000 Virtual Service Module Line Card
• Supported with
  • RSP440 onwards (not RSP2)
  • All 9000 chassis except 9001
• Multi-purpose service card
  • CGN
  • Mobile GW
  • DDoS Mitigation
• KVM virtualized environment based on Wind River distribution
• 40Gbps of mitigation, PAYG model with 10G/20G/40G licenses
Arbor SP solution
Dynamic Black-list Offload Feature
1. A countermeasure is activated and detects an offender
2. TMS instructs the ASR9000 via OpenFlow to program an ACL for the offender (src-@ or the pair src-@ + dst-@) for one minute
3. After 1 min, the ACL is removed. If the offender is seen by the countermeasure again, the ACL will be programmed for 5 min, and then 5 min again, and so on
[Diagram: offender src-@ sending to the victim dst-@ through the ASR9000; the ACL entry reads "Match: src-IP: 2.1.1.1, Action: drop"]
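The offload feature above is easy to get subtly wrong (re-arming the timer on every report would turn a one-minute hold into a permanent one). The following is an added example, not Arbor or Cisco code, that models the escalation the slide describes: first report, drop ACL for 60 seconds; after that entry has expired, a repeat report programs 300 seconds, and every later repeat is 300 seconds again. The "router" is a plain dict standing in for the OpenFlow-programmed ACL; the timestamps, the victim label and the `match_pair` option for keying on src+dst are constructed for the example.

```python
"""Escalating black-list offload controller (added example, not Arbor/Cisco code).

A countermeasure reports offenders; the controller decides what drop ACL the
router should hold and for how long. Hold times follow the slide: 60 s on the
first offence, 300 s on every re-offence seen after the previous entry expired.
"""
FIRST_OFFENCE_SECONDS = 60
REPEAT_OFFENCE_SECONDS = 300


class OffloadController:
    def __init__(self, match_pair=False):
        self.match_pair = match_pair   # key on (src, dst) instead of src only
        self.acl = {}                  # key -> expiry timestamp: the "router" ACL
        self.history = {}              # key -> number of times it was offloaded

    def _key(self, src, dst):
        return (src, dst) if self.match_pair else src

    def report_offender(self, src, dst, now):
        """Countermeasure saw `src` attacking `dst` at time `now` (seconds)."""
        key = self._key(src, dst)
        self.expire(now)
        if key in self.acl:
            return None                # already dropped in hardware; do not re-arm
        strikes = self.history.get(key, 0)
        hold = FIRST_OFFENCE_SECONDS if strikes == 0 else REPEAT_OFFENCE_SECONDS
        self.acl[key] = now + hold
        self.history[key] = strikes + 1
        return {"match": key, "action": "drop", "seconds": hold}

    def expire(self, now):
        """Remove entries whose hold time has elapsed; returns the removed keys."""
        gone = [k for k, t in self.acl.items() if t <= now]
        for k in gone:
            del self.acl[k]
        return gone

    def active(self, now):
        """Current ACL content after expiring stale entries."""
        self.expire(now)
        return dict(self.acl)


def demo():
    """Walk one offender (the slide's 2.1.1.1) through the escalation."""
    ctl = OffloadController()
    log = []
    log.append(ctl.report_offender("2.1.1.1", "victim", now=0))     # first hit: 60 s
    log.append(ctl.report_offender("2.1.1.1", "victim", now=30))    # still active: None
    log.append(ctl.active(now=61))                                  # expired: {}
    log.append(ctl.report_offender("2.1.1.1", "victim", now=70))    # re-offence: 300 s
    log.append(ctl.report_offender("2.1.1.1", "victim", now=400))   # again: 300 s
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points matter for a defender: the ACL is never extended while it is active, so a report that arrives during the hold cannot keep the entry alive indefinitely, and the escalation is driven by the countermeasure seeing the source again after release, which is what distinguishes a persistent attacker from a one-off burst.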
Arbor SP solution
Deployment and Use-cases
• Used in internet border routers in a distributed architecture
• Used in scrubbing centers in a centralized architecture
• Traffic is diverted with route injection or VRF route leaking
• BGP FlowSpec is used to program border routers
Arbor SP solution
Features
For Reference
• Mitigation in 4 seconds, Auto-mitigation
• Flood Attacks (TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP, SQL RS, Chargen Amplification, DNS Amplification, Microsoft SQL Resolution Service Amplification, NTP Amplification, SNMP Amplification, SSDP Amplification)
• Fragmentation Attacks (Teardrop, Targa3, Jolt2, Nestea), TCP Stack Attacks (SYN, FIN, RST, SYN ACK, URG-PSH, TCP Flags), Application Attacks (HTTP GET floods, SIP Invite floods, DNS attacks, HTTPS protocol attacks), DNS Cache Poisoning, Vulnerability attacks, Resource exhaustion attacks (Slowloris, Pyloris, LOIC, etc.)
• Flash crowd protection. IPv4 and IPv6 attacks hidden in SSL encrypted packets
Demo
Arbor Peakflow SP Solution
Recorded Demo
Cisco Partnerships
Radware DefensePro
Radware DefensePro
• Provides protection against application layer attacks and state-table exhaustion attacks
• Primarily deployed to protect the firewall itself and the application servers behind it
In phase 1, FirePower 9300 supports the following modules
• Behavioral protections
• Challenge response
• Signature Protection
[Diagram: protection modules arranged by layer (Application, Server, Network) with an "Available Service" marker: Behavioral HTTP Flood Protection, DNS Protection, Behavioral DoS, Server Cracking, Anti-Scan, Connection Limit, SYN Protection, Out-Of-State, Signature Protection, Connection PPS Limit, BL/WL]
Understand 9300 Radware DDoS Solution Components
• Cisco FirePower 9300 is a scalable, carrier & enterprise-grade, multi-service security appliance featuring:
  • Cisco ASA firewall
  • Radware DDoS Mitigation (OEM)
• What is required?
  • 9300 Chassis
  • DDoS License (vDP)
  • Vision Management Software
  • Optional: DefensePipe Cloud Protection
[Diagram: chassis hosting DDoS, FW and NGIPS]
Introducing the FirePower 9300
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/NGFW
Network Modules
• 10GE/40GE
Security Modules
• Embedded packet/flow classifier and crypto hardware
• Cisco (ASA, NGFW) and third-party (DDoS, load-balancer) applications
• Standalone or clustered within and across chassis
Security Services Architecture on Firepower 9300
[Diagram: Security Modules 1, 2 and 3, each running ASA as the Primary Application and DDoS as the Decorator Application, forming an ASA Cluster; an External Connector to the Supervisor; the Supervisor with Ethernet1/7 (Management), on-board 8x10GE interfaces (Ethernet 1/1-8), an 8x10GE NM in Slot 1 (Ethernet 2/1-8), a 4x40GE NM in Slot 2 (Ethernet 3/1-4), the Data PortChannel1, Application Image Storage and the Packet Flow path]
Additional Information
• BRKSEC-3010 Firepower 9300 Deep Dive
  • Weds 16:30-18:00
• BRKSEC-3032 ASA Clustering Deep Dive
  • Fri 9:00-11:00
Demo
Mitigation on FP 9300 with Radware vDP
Behavioral DOS – Network baselining and response
• Detects and prevents zero-day DoS/DDoS flood attacks
• Automatically detects traffic anomalies
• Adapts footprint to new traffic pattern
• No manual tuning
• Low false positive rate
• Passes legitimate traffic while under attack
• Protects against all kinds of flooding attacks
BDOS Detection and Mitigation of a DNS Attack
[Diagram: an Attacker issues a BOT Command through an IRC Server to several DoS Bots (infected hosts), which send DNS requests across the Internet towards the Public DNS Servers]
• Behavioral Pattern Detection (1): detect rate increase of DNS requests
• Behavioral Pattern Detection (2): identify abnormal ratio of DNS requests to other protocols
• Real Time Signature: block DNS requests matching specific packet parameters (e.g., DNS query name, …)
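The "Network baselining and response" slide and the DNS attack walkthrough above describe three steps: learn what normal looks like, raise an anomaly when the DNS request rate or the DNS-to-other-traffic ratio leaves that baseline, then narrow the block to the packet parameters the anomalous queries share. The following is an added example, not Radware code, that implements those three steps in a simplified form over constructed per-second counters and a constructed window of queries. The `STRICTNESS_SIGMA` mapping from the Strictness option to a number of standard deviations is a hypothetical stand-in, and the learned baseline here is static rather than continuously adapting as the slide's footprint does.

```python
"""Behavioral detection of a DNS flood with a learned baseline (added example).

Not Radware code. Shows the two behavioral checks named on the slides (DNS rate
increase, abnormal DNS-to-total ratio) and the real-time signature step that
narrows blocking to parameters shared by the anomalous queries.
"""
from collections import Counter
from statistics import mean, pstdev

# Hypothetical mapping of the Strictness option to a detection threshold (in sigmas)
STRICTNESS_SIGMA = {"low": 6.0, "medium": 4.0, "high": 2.5}

# Constructed learning data: 30 seconds of (dns_pps, total_pps) during normal operation
BASELINE_SAMPLES = [(200 + (i % 5) * 10, 5000 + (i % 3) * 100) for i in range(30)]

# Constructed queries observed during the anomalous window (7 flood, 3 legitimate)
ATTACK_WINDOW_QUERIES = (
    [{"src": f"192.0.2.{i}", "qname": "target.example.", "qtype": "ANY"} for i in range(7)]
    + [{"src": "198.51.100.5", "qname": "www.example.", "qtype": "A"},
       {"src": "198.51.100.6", "qname": "mail.example.", "qtype": "MX"},
       {"src": "198.51.100.7", "qname": "target.example.", "qtype": "A"}]
)


def learn_baseline(samples):
    """samples: list of (dns_pps, total_pps). Returns mean/std of rate and ratio."""
    rates = [d for d, _ in samples]
    ratios = [d / t for d, t in samples]
    return {"rate_mean": mean(rates), "rate_std": pstdev(rates),
            "ratio_mean": mean(ratios), "ratio_std": pstdev(ratios)}


def detect(baseline, dns_pps, total_pps, strictness="medium"):
    """Return the list of behavioral checks triggered by one observed second."""
    k = STRICTNESS_SIGMA[strictness]
    triggered = []
    # Check 1: DNS request rate well above what was learned (floor the std at 1 pps)
    if dns_pps > baseline["rate_mean"] + k * max(baseline["rate_std"], 1.0):
        triggered.append("dns-rate-increase")
    # Check 2: DNS share of all traffic abnormal (floor the std at 1 percentage point)
    ratio = dns_pps / total_pps if total_pps else 0.0
    if ratio > baseline["ratio_mean"] + k * max(baseline["ratio_std"], 0.01):
        triggered.append("dns-ratio-anomaly")
    return triggered


def build_rt_signature(queries, min_share=0.5):
    """Pick the packet parameters shared by most queries in the anomalous window.

    A parameter is included only if one value accounts for at least `min_share`
    of the queries, so the filter describes the flood, not the background traffic.
    """
    signature = {}
    for field in ("qname", "qtype"):
        value, count = Counter(q[field] for q in queries).most_common(1)[0]
        if count / len(queries) >= min_share:
            signature[field] = value
    return signature


def matches(signature, query):
    """True when a query hits every parameter of the real-time signature."""
    return all(query.get(f) == v for f, v in signature.items())


if __name__ == "__main__":
    base = learn_baseline(BASELINE_SAMPLES)
    print("quiet second:", detect(base, 230, 5100))
    print("attack second:", detect(base, 9000, 14000))
    sig = build_rt_signature(ATTACK_WINDOW_QUERIES)
    print("signature:", sig, "blocked:", sum(matches(sig, q) for q in ATTACK_WINDOW_QUERIES))
```

On the constructed data a quiet second (230 DNS pps out of 5100) triggers nothing, an attack second (9000 out of 14000) triggers both checks, and the resulting signature combines query name and type, so the one legitimate "A" query for the same name is not blocked even though the name alone would have matched it.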
Configuration
Define Global Options
• Learning (Day, Week, Month)
• Strictness (Low, Medium, High)
• Footprint Bypass
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and Update Policies
BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
DNS Protection escalates –
• DNS-Flood Attacks
  • Detects when an attack has started
• Advantages
  • Implements mitigation in escalating order
  • When enabled, protects at first sign of attack
• Disadvantages
  • Escalation period to mitigate successfully
  • May drop legitimate traffic
  • More-severe mitigation limits DNS queries
DNS Mitigation Attack Escalation
• Attack Detection: the botnet is identified (suspicious traffic is detected per query type)
• Behavioral RT signature technology: a Real-Time signature is created
• RT signature scope protection per query type, escalating while the attack continues:
  1. DNS query challenge
  2. Query rate limit
• Collective scope protection per query type:
  3. Collective query challenge
  4. Collective query rate limit
[Diagram: each escalation step is shown with the queries it challenges (?) and the queries it drops (X)]
SYN Flood Protection is adaptive
Uses SYN cookies
SYN Flood Attacks
‒ Aimed at specific servers
  • Intends to consume server resources
‒ A type of DoS attack used to overflow the server session table
Large volume of SYN packets (cookies) generated
Typical SYN Attacks:
‒ Incomplete TCP 3-way handshakes
‒ Untraceable packets
  • random source addresses
‒ Fully-open connections
‒ Large volume of victimized participants
  • bot or zombie systems
SYN Cookies
• TCP SYN Cookie
  • Inserts a hash of date/time for the ISN
  • No connection maintained until the client is validated
  • Only in symmetric environments
• TCP Challenge
  • At high SYN volume, DefensePro issues a Safe-Reset
  • The Safe-Reset has an invalid ACK packet
  • The client sends a RESET (RST) packet, then sends a SYN packet
  • DefensePro places the client in the Safe-sender list
  • No need for SYN cookies or delayed bind for this operation
  • Works in asymmetric environments
• Web Cookie Redirect (HTTP Redirect)
  • Issues a 302 to the client with a cookie
  • If the client doesn't return the correct cookie, the session is dropped
• JavaScript Redirect
  • Issues a cookie in the JavaScript
  • If the client doesn't return the correct cookie, the session is dropped
[Diagram: SYN cookie handshake SYN, SYN-ACK, ACK; TCP challenge sequence SYN, SYN-ACK with invalid ACK, RST, then a fresh SYN]
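The "TCP SYN Cookie" bullets above say the server inserts a hash of date/time into the ISN and keeps no connection until the client is validated. The following is an added example, not DefensePro or Cisco code, of that mechanism: the ISN sent in the SYN-ACK encodes a 5-bit time counter, a 3-bit index into an MSS table and a 24-bit keyed hash of the 4-tuple, and a connection-table entry is created only when an ACK comes back that decodes correctly. The secret key, the packet dicts, the MSS table and the `StatelessListener`/`simulate_spoofed_flood` helpers are constructed for the example; the layout is the classic SYN-cookie split, but real stacks differ in details.

```python
"""Stateless SYN cookie issue/verify (added example, not DefensePro or Cisco code).

The cookie is the ISN of the SYN-ACK. Because it can be recomputed from the
packet plus a secret, the server keeps no half-open state: a spoofed SYN costs
it nothing, and only a client returning ACK = ISN + 1 gets a table entry.
"""
import hashlib
import hmac

SECRET = b"constructed-secret-key-rotate-me"   # assumption: per-server secret, rotated
MSS_TABLE = [536, 1220, 1440, 1460]            # MSS values encodable in 3 bits (4 used)
COOKIE_MAX_AGE = 2                             # counter ticks accepted (~2 minutes at 64 s/tick)
MASK32 = 0xFFFFFFFF


def _hash24(src, dst, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, counter):
    """ISN for the SYN-ACK. `counter` is coarse time, e.g. time.time() // 64."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    t = counter & 0x1F
    # 5 bits time counter | 3 bits MSS index | 24 bits keyed hash
    return (t << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack_num, counter):
    """Validate the handshake ACK. Returns the MSS to use, or None if invalid."""
    cookie = (ack_num - 1) & MASK32
    t = cookie >> 27
    if ((counter - t) & 0x1F) > COOKIE_MAX_AGE:
        return None                          # stale, or a forged timestamp field
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, t):
        return None                          # not a SYN-ACK we issued for this 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class StatelessListener:
    """Server side: nothing is stored on SYN, an entry appears only on a valid ACK."""

    def __init__(self):
        self.established = {}

    def on_syn(self, pkt, counter):
        seq = make_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                          pkt["mss"], counter)
        return {"flags": "SYN-ACK", "seq": seq}     # reply, no state kept

    def on_ack(self, pkt, counter):
        mss = check_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                           pkt["ack"], counter)
        if mss is None:
            return False
        self.established[(pkt["src"], pkt["sport"])] = {"mss": mss}
        return True


def simulate_spoofed_flood(listener, count, counter):
    """Send `count` SYNs from spoofed sources that never complete the handshake.

    Returns the number of connection-table entries the flood created (0).
    """
    before = len(listener.established)
    for i in range(count):
        listener.on_syn({"src": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                         "dst": "203.0.113.10", "sport": 1024 + (i % 60000),
                         "dport": 443, "mss": 1460}, counter)
    return len(listener.established) - before


if __name__ == "__main__":
    srv = StatelessListener()
    syn = {"src": "198.51.100.7", "dst": "203.0.113.10", "sport": 40000, "dport": 443, "mss": 1460}
    synack = srv.on_syn(syn, counter=10)
    print("accepted:", srv.on_ack(dict(syn, ack=(synack["seq"] + 1) & MASK32), counter=11))
    print("entries added by 10000 spoofed SYNs:", simulate_spoofed_flood(srv, 10000, counter=10))
```

The check order matters: the age test rejects stale or random ACKs before any hash is computed, and a cookie older than `COOKIE_MAX_AGE` ticks is refused even if its hash is right, which bounds how long a captured SYN-ACK stays usable. The "only in symmetric environments" bullet follows from the design: the device issuing the cookie must also see the returning ACK.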
Conclusion
Cisco DDOS Offerings
Arbor TMS on ASR9k
• DDOS target is bandwidth
• Volumetric attacks
• Part of SP Clean Pipes solution
• Traffic diverted to the scrubber within the router backplane
• Clean traffic re-injected locally
• Additional Arbor products can protect enterprise assets
Radware vDP on FP9300
• DDOS target is the firewall and devices behind it, NOT bandwidth
• vDP sits inline and sees all traffic going to the firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks
End-to-End Mitigation Summary
[Diagram: The Internet, Peering, Transit, Edge, Core, DC; the DataCenter with DPI, Fw, IPS/IDS and FP9300]
• Amplification Attacks
  • NTP, DNS, SSDP, CharGen, SNMP, RIPv1, Port Mapper, …
  • Handled at the Edge router level with BGP FlowSpec
• Stateless Protocols Attacks
  • ICMP floods, UDP Frag, etc.
  • Handled at the Edge router level with BGP FlowSpec
• Stateful Protocols Attacks
  • SYN Flood, HTTP based, SSL, SIP, …
  • Traffic is diverted to a scrubbing device, local or centralized
• Application and Slow Pace Attacks (Application Misuse)
  • Slowloris, Brute Force, SQL injections, XSS, …
  • Low and Slow attacks are handled in-line in FP9300
End-to-End Mitigation
• Cisco offers products covering security, routing and switching
• The Router and the Switch can be leveraged as the first layer of defense
• Partnerships have been established with two major actors of DDoS mitigation
• Not a one-fit-all solution, but a case-by-case approach
• Different attacks should be handled by different products at different places
Call to Action
• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics
  • Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Thank you
VSM Internal Architecture
[Diagram: block diagram of the VSM, split into the Service Infra Module (SIM) and the Application Processor Module (APM). Components shown: four SFP+ ports behind a Quad PHY, 48 ports 10GE, two Typhoon NPUs, Fabric ASIC 0 and Fabric ASIC 1 towards the backplane, Niantic 10GE controllers (seven shown), four Ivy Bridge processors each with 32GB DDR3, four Crypto/DPI Assist engines, with XAUI and PCIe interconnects]
Enterprise Perimeter Protection Use Case
FirePower 9300 Solution highlights:
• Integrated multi-service security platform
• Closes security and visibility gaps
• High performance and scalability
Solution highlights
• Network and Application DDoS attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
[Diagram: Internet, Perimeter with FirePower 9300, Data Center with ADC, Unified communications, CRM, BI, Web Portals, Mail]
Enterprise Use Case with Cloud Mitigation
• Volumetric attacks mitigation in the cloud
• No protection gap
Solution highlights
• Network and Application DDoS attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
[Diagram: Internet with cloud mitigation exchanging Defense Messaging with the FirePower 9300 at the Perimeter; Data Center with ADC, Unified communications, CRM, BI, Web Portals, Mail]
Service Provider: Service Center DC Protection
FirePower 9300 Solution highlights:
• Integrated multi-service security platform
• Closes security and visibility gaps
• High performance and scalability
• Elasticity – add mitigation capacity on demand
DDoS Protection solution highlights:
• Network and Application DDoS attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
[Diagram: Internet, Perimeter with FirePower 9300, LAN with ADC, Web, CDN, DNS, AAA, Hosted Customer 1 and Hosted Customer 2]
Service Provider: Service Center with Cloud Mitigation
• Volumetric attacks mitigation in the cloud
• No protection gap
Solution highlights
• Network and Application DDoS attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
[Diagram: Internet with cloud mitigation exchanging Defense Messaging with the FirePower 9300 at the Perimeter; LAN with ADC, Web, CDN, DNS, AAA, Hosted Customer 1 and Hosted Customer 2]