End-to-End Mitigation

DDoS Attacks:
End-to-End Mitigation
Nicolas Fevrier, Technical Leader Engineering, @CiscoIOSXR
James Weathersby, Director Technical Marketing

Introduction
• Audience: Service Providers and Enterprises
• Out of the scope of this session:
• Hardening servers against DDoS attacks
• How do we define a DDoS ?
• Distributed:
• Many sources
• Denial of Service:
• Makes the resource unreachable
or out-of-service
• Many tools presented here,
no “one-fit-all” solution
3

Agenda
• Introduction, DDoS Attacks Landscape
• Deployment Models
• Mitigation of
• Amplification Attacks and other L3 Stateless Attacks
• HTTP and SSL Volumetric Attacks
• Attacks on Application and Resources
• End-to-End Mitigation, Cisco Solutions
• Conclusion
4

Introduction
DDoS Attacks Landscape
5

Introduction
• Do we still need to explain the risk in 2016 ?
• Distributed Denial of Service (DDoS) is a very
lucrative activity for attackers
• Victims:
• ISP, Hosting Services
• Governments, Education
• Enterprises
• Individuals
Everyone is at risk.
• Just scratching the surface, attacks complexity
is increasing
• DDoS Mitigation is about business
continuity
http://www.pcworld.com/article/3002356/protonmailrecovers-from-ddos-punch-after-being-extorted.html
6

Where are they coming from ?
• Compromised sources / botnets (zombies)
• Unpatched CMS (Content Management Systems)
• IAD (Home Routers) w/ old versions
• Unpatched internet services (DNS/NTP…)
• Cloud (booters or legitimate services)
• Sooner or later 4G/5G Mobiles handsets
• IoT (“Botnets of Things”)
• …
7

Largest DDOS Attack in History
8

DDoS Failure Points Within the Network
• Internet Pipe became the #1 failure point in 2014
• Extra-large attacks are seen on daily basis
• Attacks are targeting all types of organizations
• Enabled by “better” technology via reflective attacks,
at attacker’s disposal

ATLAS Initiative: Attack Sizes
"Last year, we highlighted that 20 percent of respondents reported attacks over 50 Gbps …
This year nearly one-quarter of respondents report peak attack sizes over 100 Gbps."
10

DDoS Mitigation
Black Holing is NOT DDoS Mitigation
• RTBH
• BGP dummy route advertised
• Route to null or route to a forensic probe
• Based on source or destination address
• Better granularity with FlowSpec
• All traffic (good and bad) dropped
• Limits collateral damages but attackers’
main objective attained
Victim
Victim
11

DDoS Mitigation
Mitigation implies business continuity
• Sink Holing to scrubbing device(s)
• Differentiation of legitimate and malicious
traffic
• Victim’s services maintained
• Collateral damages avoided
Victim
But some types of traffic can only be malicious…
Victim
12

Different Business, Different Targets
Enterprise or Service Provider ?
DataCenter
Web
Server
Web
Cache
The Internet
Peering
Transit
Edge
Core
DC
Firewall
Database
Enterprise
Agg
PE
Fw
IPS/IDS
DNS, Mail,
ERP, SAN, …
Residential
LB/SSL
DPI
13

Different Business, Different Targets
DataCenter and Hosting
The Internet
Peering
Transit
Edge
Core
!
DC
!
!
Firewall
DataCenter
Web
Server
!
Database
Web
Cache
! !
• Volumetric attacks can saturate DC
router link
• Sessions flood can overcome stateful
firewall capacity
• HTTP attacks can exhaust web server
and cache
• Queries attacks can exceed database
capacity
• Slow pace attacks can consume
resources in servers (stack, etc)
14

Different Business, Different Targets
Enterprise
The Internet
Peering
Transit
Edge
Core
• Volumetric attacks PE router link
• Sessions flood can overcome stateful
firewall or IDS capacity
• Slow pace attacks can consume
resources in servers (TCP stack,
Applications, etc)
Enterprise
!
PE
!
Fw IPS/IDS
! !
LB/SSL
DNS, Mail,
ERP, SAN, …
!
DPI
15

Different Business, Different Targets
Residential Service Provider
The Internet
Peering
Transit
!
Edge
Agg
Core
• Volumetric attacks on DSL/Cable
subscriber
• Can saturate access and aggregation
device
• Attack against an individual can
impact all subscribers served by the
same access device
!
Residential
! ! ! ! ! !
! ! ! ! ! !
! ! ! ! ! !
! ! ! ! ! !
16

Deployment Models
17

Deployment Models
In-the-Cloud / On-Premises Services
• In the Cloud services
• DNS-Based DDoS Protection
• BGP “inter-AS” based DDoS Protection
• ISP DDoS Mitigation
• On-Premises services
• Centralized
• Distributed
• Mixed
• In-line
18

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
DNS
The Internet
Local
DNS
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
DNS
Local
DNS
Where is
mysite.com ?
The Internet
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
Where is
mysite.com ?
DNS
Local
DNS
Where is
mysite.com ?
The Internet
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
Local
DNS
Where is
mysite.com ?
Where is
mysite.com ?
mysite.com
Is 1.2.3.4
DNS
The Internet
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
Local
DNS
Where is
mysite.com ?
Where is
mysite.com ?
mysite.com
Is 1.2.3.4
DNS
The Internet
mysite.com
Is 1.2.3.4
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
DNS
The Internet
Local
DNS
Traffic to
mysite.com
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Free service offered by various
companies in the internet
• Based on DNS only
DDoS Mitigation Service
Scrubbing
device
DNS
Attack traffic to
mysite.com
The Internet
Local
DNS
Traffic to
mysite.com
mysite.com
1.2.3.4
1

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
DDoS Mitigation Service
proxy
Scrubbing
device
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
DNS
The Internet
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
mysite.com
is now 5.6.7.8
DDoS Mitigation Service
proxy
Scrubbing
device
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
DNS
The Internet
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
mysite.com
is now 5.6.7.8
DDoS Mitigation Service
proxy
Scrubbing
device
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
Where is
mysite.com ?
DNS
The Internet
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
mysite.com
is now 5.6.7.8
DDoS Mitigation Service
proxy
Scrubbing
device
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
Where is
mysite.com ?
Where is
mysite.com ?
DNS
The Internet
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
Where is
mysite.com ?
Where is
mysite.com ?
mysite.com
is now 5.6.7.8
mysite.com
Is 5.6.7.8
DDoS Mitigation Service
DNS
proxy
The Internet
Scrubbing
device
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
mysite.com
Is 5.6.7.8
Where is
mysite.com ?
Where is
mysite.com ?
mysite.com
is now 5.6.7.8
mysite.com
Is 5.6.7.8
DDoS Mitigation Service
DNS
proxy
The Internet
Scrubbing
device
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
DDoS Mitigation Service
proxy
Scrubbing
device
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
DNS
The Internet
Traffic to
mysite.com
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
DDoS Mitigation Service
DNS
Traffic to
mysite.com
proxy
The Internet
Attack traffic to
mysite.com
Scrubbing
device
mysite.com
1.2.3.4
2

In-the-Cloud Services
DNS-based DDoS Protection
• Traffic is diverted by announcing
a new DNS record
• Good traffic is send using
the IP address
• Limits:
Easy to bypass this
protection when
knowing the victim
IP address
Local
DNS
DDoS Mitigation Service
DNS
Traffic to
mysite.com
proxy
The Internet
Attack traffic to
mysite.com
Scrubbing
device
Traffic to
1.2.3.4
mysite.com
1.2.3.4
2

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
• Traffic to the victim is steered-up
into the DDoS protection service
by advertising a /24 prefix owned
by the victim
• Similar as BGP hijacking
• Good traffic is filtered and
transmitted through a tunnel
to the victim
DDoS Mitigation Service
Scrubbing
device
The Internet
mysite.com
1.2.3.4
3

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
• Traffic to the victim is steered-up
into the DDoS protection service
by advertising a /24 prefix owned
by the victim
• Similar as BGP hijacking
• Good traffic is filtered and
transmitted through a tunnel
to the victim
DDoS Mitigation Service
Scrubbing
device
The Internet
1.2.0.0/16
BGP
mysite.com
1.2.3.4
3

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
• Traffic to the victim is steered-up
into the DDoS protection service
by advertising a /24 prefix owned
by the victim
• Similar as BGP hijacking
• Good traffic is filtered and
transmitted through a tunnel
to the victim
DDoS Mitigation Service
Scrubbing
device
The Internet
Traffic to
1.2.3.4
mysite.com
1.2.3.4
3

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
• Traffic to the victim is steered-up
into the DDoS protection service
by advertising a /24 prefix owned
by the victim
• Similar as BGP hijacking
• Good traffic is filtered and
transmitted through a tunnel
to the victim
DDoS Mitigation Service
Scrubbing
device
Attack traffic to
1.2.3.4
The Internet
Traffic to
1.2.3.4
mysite.com
1.2.3.4
3

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
The Internet
Scrubbing
device
mysite.com
1.2.3.4
4

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
The Internet
Scrubbing
device
1.2.0.0/16
BGP
mysite.com
1.2.3.4
4

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
1.2.3.0/24
The Internet
Scrubbing
device
1.2.0.0/16
BGP
mysite.com
1.2.3.4
4

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
1.2.3.0/24
The Internet
1.2.3.0/24
Scrubbing
device
1.2.0.0/16
Traffic to
1.2.3.4
BGP
mysite.com
1.2.3.4
4

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
1.2.3.0/24
The Internet
1.2.3.0/24
Attack traffic
to 1.2.3.4
Scrubbing
device
1.2.0.0/16
Traffic to
1.2.3.4
BGP
mysite.com
1.2.3.4
4

In-the-Cloud Services
BGP-based “inter-AS” DDoS Protection
Limits
• Most specific prefix advertised
in the internet: /24
attracts all traffic for
the prefix, not only the victim
• Similar as BGP hijacking
• future adoption of BGP Origin
Validation could make this
approach challenging
DDoS Mitigation Service
1.2.3.0/24
The Internet
1.2.3.0/24
Attack traffic
to 1.2.3.4
Scrubbing
device
1.2.0.0/16
Traffic to
1.2.3.4
BGP
mysite.com
1.2.3.4
4

In-the-Cloud Services
DDoS Mitigation as a Service
• Final customers can buy services from their ISP and manage themselves their
DDoS mitigation
Fw
Enterprise
IPS/IDS
DNS, Mail,
ERP, SAN, …
Edge
The Internet
DPI
Scrubbing
device
Help!
45

In-the-Cloud Services
DDoS Mitigation as a Service
• Final customers can buy services from their ISP and manage themselves their
DDoS mitigation
Fw
Enterprise
IPS/IDS
DNS, Mail,
ERP, SAN, …
Edge
The Internet
DPI
Scrubbing
device
46

On-Premises: Centralized vs Distributed
• The Centralized approach: we have a dedicated part of the network for
mitigation, the scrubbing center
Peering
Scrubbing Center
Victim
Transit
Core
47

On-Premises: Centralized vs Distributed
• The Centralized approach: we divert the traffic targeted to the victim via the
scrubbing center
Peering
Scrubbing Center
Victim
Transit
Core
48

On-Premises: Centralized vs Distributed
• The Distributed approach: we install scrubbers at the edge of the backbone
Peering
Victim
Transit
Core
49

On-Premises: Centralized vs Distributed
• Mixed model: both distributed for the main scrubbing work and the scrubbing
center to handle the extra load is necessary
Peering
Scrubbing Center
Victim
Transit
Core
50

Attack Detection: Sampling
• One approach consists in sampling packets and send statistics to a Netflow
collector
Peering
Attack
detected
Collector
NetFlow
NetFlow
NetFlow
Victim
Transit
Core
Problem: can not detect low speed attacks
51

Attack Detection: In-line Inspection
• The other approach consists in inspecting all packets, in both direction
• Can not be done in the core at several times 100Gbps
• Needs to be closer to the service platforms
• Can correlated traffic from both directions
DC
DataCenter
Web
Server
Web
Cache
! !
FP9300
!
Database
52

Infrastructure Protection
53

Protecting your Infrastructure
Infrastructure ACL / Rate-limiters
• This common practice
• Some protocols have no reason to cross your network boundaries
• Identify them, then filter or rate-limit them
• Examples (be careful, all networks are different):
• SSDP UDP 1900
• NetBIOS UDP 138
• NTP 123
• Chargen UDP 19
• Large TCP SYN packets (what is the maximum acceptable size for a SYN packet is a big debate)
• Fragments
• Know exactly what you do (controversial)
54

Protecting your Infrastructure
MicroFlow Policer or User-based Rate-Limiter
• UBRL is a feature available in:
• Catalyst 6500,
• Catalyst 4500
• ASR 9000
• Used in Enterprise environments, but also in hosting environments
• Extends the QoS concepts to final users
• Instead of matching and rate-limiting a class of traffic per interface
• Allows policers per class of traffic per user
• Example:
• Rate-limit DNS for each user to 500Mbps
• Rate-limit NTP for each user in a particular range to 1Mbps
• Even more controversial, use only with perfect understanding of your traffic patterns
55

Introducing
BGP FlowSpec
56

Concept: BGP FlowSpec
• A powerful tool in the SP Security toolbox
• A controller programs remotely forwarding decision
in routers (clients)
• BGP is used to program remotely a rule made of:
• A traffic description
• An action to apply on this traffic
• Three elements:
• Controller
• Client
• Route-reflector (Optional)
BGP
BGP
BGP FS
controller
57

BGP FlowSpec Matching Criteria and Action
• Traffic is described with L3 and L4 information
• Address
• Port
• ICMP type and code
• TCP flag
• Packet length
• Fragmentation flags
• Actions can be a mix of
• Rate-limit / Drop
• DSCP remarking
• NH modification (diversion)
• VRF leaking
CP
DP
BGP FS
client
BGP FS
client
CP
BGP FS
controller
More details? BRKSPG-3012: Leveraging BGP FlowSpec to protect your infrastructure
CP
DP
CP
DP
BGP FS
client
BGP FS
RR
CP
58

Mitigation Strategies
59

Amplification Attacks
• Specific stateless attacks based on spoofed source addresses
• not using a full handshake, large answer is sent to the victim address
• Use vulnerable protocols on high bandwidth servers
Much larger reply
2.1.1.1
Small request
Spoofed source
UDP traffic
60

Amplification Attacks
• DNS
• NTP
• SSDP
• SNMP
• CharGen
• QOTD
And some more protocols discovered in 2015
• RIPv1
• Port Mapper (UDP 111)
Frequently seen with fragmented packets
http://blog.level3.com/security/a-new-ddos-reflection-attackportmapper-an-early-warning-to-the-industry/
61

Mitigating Amplification Attacks
Service Provider Perspective
• No need to send it to a “smart” scrubbing system for mitigation
A router will do the same job with much higher performance
• Identified by precisely matching traffic pattern and filtered at the edge router
level, as close as possible from the internet via ACL or BGP FlowSpec
Much larger reply
2.1.1.1
2.1.1.1
Small request
Match: dest-IP: 2.1.1.1
+ src-port: 123
+ size

Mitigating Amplification Attacks
Enterprise Perspective
• From a final customer or enterprise perspective, no mitigation possible
• Too late, PE router pipes are saturated
• Problem needs to be addressed earlier in the path
• Request assistance to the Service Provider (Portal, phone call, …)
• If possible, use BGP FlowSpec to signal a rule filtering the attack in the SP
• Use in-the-cloud mitigation services
Much larger reply
PE
!
!
Fw
DPI
Enterprise
IPS/IDS
DNS, Mail,
ERP, SAN, …
63
Small request

Mitigating L3 / L4 Stateless Volumetric Attacks
Service Provider Perspective
• Generic family covering
• UDP Frag (could be the consequence an amp attack)
• ICMP Flood
• Ideally, must be filtered at the edge router via ACL or BGP FS
• Example with a fragmentation attack and BGP FlowSpec
2.1.1.1
2.1.1.1
Match: dest-IP: 2.1.1.1
+ frag field set
Action: rate-limit 0bps
BGP FS
controller

Mitigating L3 / L4 Stateless Volumetric Attacks
Enterprise Perspective
• If the amount of attack traffic exceeds the PE links capacity, same situation than
amplification attacks:
Too late, needs to be addressed earlier in the path
• Similar situation than amplification attacks:
• Request assistance from SP, if possible use BGP FlowSpec or hire in-the-cloud service
Enterprise
PE
!
Fw
IPS/IDS
DNS, Mail,
ERP, SAN, …
!
DPI
65

Mitigating L3 / L4 Stateless Volumetric Attacks
Enterprise Perspective
If the amount of attack traffic does NOT exceed the PE links capacity
• Inline mitigation solution can be used
• Several security services can be collapsed in FirePower 9300, including NGFW
and DDoS mitigation
PE
Enterprise
DNS, Mail,
ERP, SAN, …
DPI
66

TCP SYN, HTTP, SSL and SIP Volumetric Attacks
• More advanced attacks using Botnets or even real users (LOIC) needs to be
addressed differently by a specific scrubbing device. Examples:
• SYN floods: usually spoofed sources
• HTTP: bots mimicking the behavior of a real web browser
• SSL
• SIP
Requests
2.1.1.1
Replies
67

Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
• Stateful attacks requiring to be challenged by advanced countermeasures
• Traffic targeted to the victim needs to be diverted to a scrubbing device
• Locally for distributed architecture
• Remotely for centralized architecture (traffic re-injection is a topic by itself)
2.1.1.1
Match: dest-IP: 2.1.1.1
+ dest-port: 80
Action: NH @TMS
68

Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
The Internet
Peering
Transit
Edge
Core
DC
DataCenter
!
Firewall
Web
Server
!
Database
Web
Cache
! !
DataCenter
Web
Server
Web
Cache
The Internet
Peering
Transit
Edge
Core
DC
Firewall
Database
69

Mitigating SYN floods, HTTP, SSL and SIP Attacks
SP/Datacenter Perspective
• The closer to the internet, the better
• Diversion can be done in many different ways, and it will have a direct influence
on the re-injection strategy too
• BGP FlowSpec
• More specific route injection
• VRF leaking (VRF Clear / VRF Dirty)
• Use Arbor TMS Software in ASR9000 VSM card
• Rich set of countermeasures
• High performance boosted by the Dynamic
Black-List Offload feature
70

Mitigating SYN floods, HTTP, SSL and SIP Attacks
Enterprise Perspective
• If the PE capacity (in bandwidth and PPS) is not exceeded, the Firewall is the
first stage of the security infrastructure hit by TCP SYN floods attacks
• Servers resources can be impacted by SYN Floods too
Enterprise
PE
Fw
!
IPS/IDS
DNS, Mail,
ERP, SAN, …
!
DPI
71

Mitigating SYN floods, HTTP and SSL
Enterprise Perspective
• If replacing the in-site security infrastructure is not possible
• Request assistance from SP or hire in-the-cloud service
• Inline mitigation solution should be used
• Radware DefensePro solution used in FirePower 9300 can be used to protect
the firewall
PE
Enterprise
DNS, Mail,
ERP, SAN, …
DPI
72

Particular Case of Residential Subscriber
Service Provider Perspective
The Internet
Peering
Transit
Edge
Agg
Residential
Core
• Volumetric attacks on DSL/Cable
subscriber create a lot of collateral
damages
• Victims can be easily identified based
on their IP address blocks
• Attacks are detected instantly
• A 25Mbps DSL subscriber can not receive
multiple Gbps
• Auto-mitigation presents no faultpositive
risk in this case
!
73

Particular Case of Residential Subscribers
Service Provider Perspective
The Internet
Peering
Transit
Edge
Agg
Core
• Auto-mitigation is triggered and traffic
for this host is diverted to the local or
centralized scrubbing system
• Service for the subscriber is restored
• But more important, collateral
damages are no longer present
Residential
74

Slow Pace Attacks
• Attacks against servers resources
• Can not be detected by traffic sampling, requires inline system(s)
• Low and Slow attacks: Slowloris
• HTTP Floods
• SSL Floods
• SQL Injections
• XSS, CSRF
• Brute Force
• App Misuse
PE
FW
DPI
IPS/IDS
LB/SSL
DNS, Mail,
ERP, SAN, …
!
75

Slow Pace Attacks
DC and Enterprise Perspective
DataCenter
Web
Server
Web
Cache
The Internet
Peering
Transit
Edge
Core
DC
FP9300
Database
Enterprise
Service Provider doesn’t
have any visibility on these attacks
Can only be detected
• On the victim
• With a device in-line
PE
FP9300
DNS, Mail,
ERP, SAN, …
76

Cisco Partnerships
77

Partnership
• Cisco established partnership with two major actors in this industry
• Arbor Networks
• Radware
• Different products for different positions / roles
• SP edge / scrubbing center based on traffic diversion
• DC and enterprise in-line analysis
• Arbor products are used in ASR9000
• Radware products are used in FirePower 9300
78

Cisco Partnerships
Arbor Networks
79

Arbor SP solution
Portfolio
Arbor Networks offers a variety of products to address DDoS attacks detection
and mitigation
• Arbor SP (formerly known as Peakflow SP / Collector Platform CP)
• Collects Flow records
• Detects abnormal network behavior and trigger alerts
• Can influence the routing, injecting BGP routes in the network
• Supports BGP FlowSpec as a Controller
• Sets up and monitors the TMS remotely
• Software can run in a virtual machine
• Orderable in Cisco Price List
80

Arbor SP solution
Portfolio
Arbor Networks offers a variety of products to address DDoS attacks detection
and mitigation
• Arbor TMS (Threat Management System)
• Configured by SP, receives diverted traffic and proceeds to in-depth packet analysis
• Discards the attack packets and transmits the legit ones
• Provides real-time monitoring info to operators
• Software running in ASR9000 VSM line card
81

Arbor SP solution: Cisco vDDoS Protection Solution
Integration in ASR9000 Virtual Service Module Line Card
• Supported with
• RSP440 onwards (not RSP2)
• All 9000 chassis except 9001
• Multi-purpose service card
• CGN
• Mobile GW
• DDoS Mitigation
• KVM virtualized environment based
on Wind River distribution
• 40Gbps of mitigation, PAYG model
with 10G/20G/40G licenses
82

Arbor SP solution
Dynamic Black-list Offload Feature
1• A countermeasure is activated
and detects an offender
2• TMS instructs the ASR9000 via
OpenFlow program an ACL for the offender
src-@ or the pair src-@+dst-@
For one minute
3• After 1min, the ACL is removed.
src-@
If the offender is seen by the
countermeasure again, ACL will be
programmed for 5min, and then 5
min, again and again 3
Match: src-IP: 2.1.1.1
Action: drop
2
1
victim
dst-@
83

Arbor SP solution
Deployment and Use-cases
• Used in internet border routers in distributed architecture
• Used in scrubbing centers in centralized architecture
• Traffic is diverted with route injection or VRF route leaking
• BGP FlowSpec used to program border routers
84

Arbor SP solution
Features
For Reference
• Mitigation in 4 seconds, Auto-mitigation
• Flood Attacks
• (TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP, SQL RS, Chargen Amplification, DNS
Amplification, Microsoft SQL Resolution Service Amplification, NTP Amplification, SNMP
Amplification, SSDP Amplification)
• Fragmentation Attacks
• (Teardrop, Targa3, Jolt2, Nestea), TCP Stack Attacks (SYN, FIN, RST, SYN ACK,
URG-PSH, TCP Flags), Application Attacks (HTTP GET floods, SIP Invite floods, DNS
attacks, HTTPS protocol attacks), DNS Cache Poisoning, Vulnerability attacks,
Resource exhaustion attacks (Slowloris, Pyloris, LOIC, etc.).
• Flash crowd protection. IPv4 and IPv6 attacks hidden in SSL encrypted packets
85

Demo
86

Arbor Peakflow SP Solution
Recorded Demo
87

Cisco Partnerships
Radware DefensePro
88

Radware DefensePro
• Provides protection against application layer attacks and state-table exhaustion attacks
• Primarily deployed to protect the firewall itself and the application servers behind it
In phase 1, FirePower 9300 supports the following modules
• Behavioral protections
• Challenge response
• Signature Protection
Application
Server
Network
Behavioral HTTP Flood
Protection
DNS Protection
Behavioral DoS
Available
Service
Server Cracking
Anti-Scan
Connection Limit
SYN Protection
Out-Of-State
Signature Protection
Connection PPS Limit
BL/WL
89

Understand 9300 Radware DDoS Solution Components
• Cisco FirePower 9300 is a scalable,
carrier & enterprise-grade,
multi-service security appliance featuring:
• Cisco ASA firewall
• Radware DDoS Mitigation (OEM)
• What is required?
• 9300 Chassis
• DDoS License (vDP)
• Vision Management Software
• Optional: DefensePipe Cloud Protection
DDoS FW NGIPS
90

Introducing the FirePower 9300
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/NGFW
Network Modules
• 10GE/40GE
Security Modules
• Embedded packet/flow classifier and crypto hardware
• Cisco (ASA, NGFW) and third-party (DDoS, load-balancer) applications
• Standalone or clustered within and across chassis
91

Security Services Architecture on Firepower 9300
Security Module 1
ASA Cluster
Security Module 2 Security Module 3
ASA ASA ASA
DDoS DDoS DDoS
Primary
Application
Decorator
Application
External
Connector
Supervisor
Ethernet1/7
(Management)
On-board 8x10GE
interfaces
8x10GE NM
Slot 1
Data
PortChannel1
4x40GE NM
Slot 2
Application
Image Storage
Packet
Flow
Ethernet 1/1-8 Ethernet 2/1-8
Ethernet 3/1-4
92

Additional Information
• BRKSEC-3010 Firepower 9300 Deep Dive
• Weds 16:30-18:00
• BRKSEC-3032 ASA Clustering Deep Dive
• Fri 9:00-11:00
93

Demo
94

Mitigation on FP 9300
with Radware vDP
95

Behavioral DOS – Network baselining and response
• Detects and prevents zero-day DoS/DDoS
flood attacks
• Automatically detects traffic anomalies
• Adapts footprint to new traffic pattern
• No manual tuning
• Low false positive rate
• Passes legitimate traffic
• While under attack
• Protects against all kinds of flooding attacks
96

BDOS Detection and Mitigation of a DNS Attack
IRC Server
DoS Bot
(Infected host)
BOT
Command
Public DNS Servers
DoS Bot
(Infected host)
Internet
Attacker
DoS Bot
(Infected host)
DoS Bot
(Infected host)
1

BDOS Detection and Mitigation of a DNS Attack
IRC Server
DoS Bot
(Infected host)
Behavioral Pattern Detection (1)
Detect rate increase of DNS requests
BOT
Command
Public DNS Servers
DoS Bot
(Infected host)
Internet
Attacker
DoS Bot
(Infected host)
DoS Bot
(Infected host)
1

BDOS Detection and Mitigation of a DNS Attack
IRC Server
DoS Bot
(Infected host)
Behavioral Pattern Detection (1)
Detect rate increase of DNS requests
BOT
Command
Public DNS Servers
DoS Bot
(Infected host)
Internet
Attacker
DoS Bot
(Infected host)
DoS Bot
(Infected host)
Behavioral Pattern Detection (2)
Identify abnormal ratio of DNS request to other
protocols 1

BDOS Detection and Mitigation of a DNS Attack
IRC Server
DoS Bot
(Infected host)
BOT
Command
DoS Bot
(Infected host)
Real Time Signature:
Block DNS requests
matching specific packet
parameters Internet (e.g., DNS query
name,...)
Public DNS Servers
Attacker
DoS Bot
(Infected host)
DoS Bot
(Infected host)
1

Configuration
Define Global Options
• Learning
• Strictness
• Footprint Bypass
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and
Update Policies
2

Configuration
Define Global Options
• Learning
• Strictness
• Footprint Bypass
Day, Week, Month
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and
Update Policies
2

Configuration
Define Global Options
• Learning
• Strictness
• Footprint Bypass
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and
Update Policies
2

Configuration
Define Global Options
• Learning
• Strictness
• Footprint Bypass
Low, Medium, High
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and
Update Policies
2

Configuration
Define Global Options
• Learning
• Strictness
• Footprint Bypass
Create Profile
• Name
• Protection Options
• Bandwidth and Traffic Quotas
Add Profile to Policy and
Update Policies
2

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

BDOS Profile
Three main tabs –
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
3

DNS Protection escalates –
• DNS-Flood Attacks
• Detects when an attack has started
• Advantages
• Implements mitigation in escalating order
• When enabled, protects at first sign of attack
• Disadvantages
• Escalation period to mitigate successfully
• May drop legitimate traffic
• More-severe mitigation limits DNS queries
113

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
DNS query
challenge
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
DNS query
challenge
?
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
DNS query
challenge
Query rate
limit
? ?
X
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
DNS query
challenge
Query rate
limit
Collective query
challenge
?
?
?
X
X
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

DNS Mitigation Attack Escalation
Botnet is identified
(suspicious traffic is
detected per query type)
Attack
Detection
Real-Time
signature created
DNS query
challenge
Query rate
limit
Collective query
challenge
Collective query
rate limit
?
?
?
X
X
X
Behavioral RT
signature technology
RT signature scope protection
per query type
Collective scope protection
per query Type
1

SYN Flood Protection is adaptive
Uses SYN cookies
SYN Flood Attacks
‒ Aimed as specific servers
• Intends to consume server resources
‒ A type of DoS attack used to overflow server session table
Large volume SYN packets (cookies) generated
Typical SYN Attacks:
‒ Incomplete TCP 3-way handshakes
‒ Untraceable packets
• random source addresses
‒ Fully-open connections
‒ Large volume of victimized participants
• bot or zombie systems
120

SYN Cookies
• TCP SYN Cookie
• Inserts hash of date/time for ISN
• No connection maintained until client is validated
• Only in symmetric environments
• TCP Challenge
• At high volume SYN, DefensePro issues Safe-Reset
• Safe-reset has invalid ACK packet
• Client sends RESET (RST) packet; then sends SYN packet
• DefensePro places client in Safe-sender list
• No need for SYN cookies or delayed bind for this operation.
• Works in asymmetric environments
• Web Cookie Redirect (HTTP Redirect)
• Issues 302 to client with a cookie
• If client doesn’t return correct cookie -- session is dropped
• JavaScript Redirect
• Issues a cookie in the JavaScript
• If clients doesn’t return correct cookie – session is dropped
SYN
SYN-ACK
ACK
SYN
SYN-ACK
RST
SYN
121

Conclusion
122

Cisco DDOS Offerings
Arbor TMS on ASR9k
• DDOS target is bandwidth
• Volumetric attacks
• Part of SP Clean Pipes solution
• Traffic diverted to scrubber
within router backplane
• Clean traffic re-injected locally
• Additional Arbor products can
protect enterprise assets
Radware vDP on FP9300
• DDOS target is firewall and
devices behind it, NOT
bandwidth
• vDP sits inline and sees all
traffic going to firewall
• Other Radware capabilities in
the cloud can help with
bandwidth-based attacks
123

End-to-End Mitigation Summary
• Amplification Attacks
• NTP, DNS, SSDP, CharGen, SNMP, RIPv1, Port Mapper, …
DataCenter
The Internet
Edge
DC
DPI
Fw
IPS/IDS
Peering
Transit
Core
FP9300
Amplification Attacks
Handled at the Edge router
level with BGP FlowSpec
124

End-to-End Mitigation Summary
• Stateless Protocols Attacks
• ICMP floods, UDP Frag, etc
DataCenter
The Internet
Edge
DC
DPI
Fw
IPS/IDS
Peering
Transit
Core
FP9300
Stateless Attacks
Handled at the Edge router
level with BGP FlowSpec
125

End-to-End Mitigation Summary
• Stateful Protocols Attacks
• SYN Flood, HTTP based, SSL, SIP, …
DataCenter
The Internet
Edge
DC
DPI
Fw
IPS/IDS
Peering
Transit
Core
FP9300
Stateful Attacks
Traffic is diverted to a scrubbing
device, local or centralized
126

End-to-End Mitigation Summary
• Application and Slow Pace Attacks
• Slowloris, Brute Force, SQL injections, XSS, …
DataCenter
The Internet
Edge
DC
DPI
Fw
IPS/IDS
Peering
Transit
Core
FP9300
Application Misuse
Low and Slow attacks are
handled in-line in FP9300
127

End-to-End Mitigation
• Cisco offers products covering security, routing and switching
• The Router and the Switch can be leveraged as the first layer of defense
• Partnership has been established with two major actors of the DDoS mitigation
• Not a one-fit-all solution, but a case-by-case approach
• Different attacks should be handled by different products at different places
128

Call to Action
• Visit the World of Solutions for
• Cisco Campus
• Walk in Labs
• Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
129

Complete Your Online Session Evaluation
• Please complete your online session
evaluations after each session.
Complete 4 session evaluations
& the Overall Conference Evaluation
(available from Thursday)
to receive your Cisco Live T-shirt.
• All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
130

Thank you
131

VSM Internal Architecture
SFP+
SFP+
SFP+
SFP+
Quad
PHY
32GB
DDR3
32GB
DDR3
32GB
DDR3
32GB
DDR3
Crypto/DPI
Assist
Ivy
Bridge
Ivy
Bridge
Crypto/DPI
Assist
Crypto/DPI
Assist
Ivy
Bridge
Ivy
Bridge
Niantic
Niantic
Niantic
Niantic
Niantic
Niantic
Niantic
48
ports
10GE
Typhoon
NPU
Typhoon
NPU
XAUI
PCIe
Fabric
ASIC 0
Fabric
ASIC 1
B
A
C
K
P
L
A
N
E
Crypto/DPI
Assist
Application Processor Module (APM)
Service Infra Module (SIM)
133

134

Enterprise Perimeter Protection Use Case
Internet
FirePower 9300 Solution highlights:
• Integrated multi-service security
platform
• Closes security and visibility gaps
• High performance and scalability
Perimeter
Solution highlights
• Network and Application DDoS
attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
Data Center
Unified
communi
cations
CRM
BI
FirePower 9300
ADC
Web
Portals
Mail
135
135

Enterprise Use Case with Cloud Mitigation
Internet
• Volumetric attacks
mitigation in the cloud
• No protection gap
Defense Messaging
Perimeter
FirePower 9300
Solution highlights
• Network and Application DDoS
attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
Data Center
ADC
Unified
communi
cations
CRM
BI
Web
Portals
Mail
136
136

Service Provider: Service Center DC Protection
Internet
FirePower 9300 Solution highlights:
• Integrated multi-service security platform
• Closes security and visibility gaps
• High performance and scalability
• Elasticity – add mitigation capacity on
demand
Perimeter
DDoS Protection solution highlights:
• Network and Application DDoS
attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
LAN
Web
CDN
DNS
AAA
Hosted
Customer
1
FirePower 9300
ADC
Hosted
Customer
2
137
137

Service Provider: Service Center with Cloud
Mitigation
Internet Perimeter LAN
• Volumetric attacks
mitigation in the cloud
• No protection gap
Defense Messaging
FirePower 9300
Solution highlights
• Network and Application DDoS
attacks protection
• Most accurate detection & mitigation
• Shortest time to mitigate
ADC
Web
CDN
DNS
AAA
Hosted
Customer
1
Hosted
Customer
2
138
138