© 2003 Cisco Systems, Inc. All rights reserved.
DDoS
Andrea Negroni
Andrea [email protected]
Distributed Denial of Service
Vimercate, 17 May 2005
Agenda
PREFACE
EXAMPLE: TCP SYN
EXAMPLE: DDoS
CISCO’S DDoS SOLUTION COMPONENTS
MODES OF PROTECTION DETAILS
Distributed Denial of Service: PREFACE
What are DDoS Attacks?
Name: DISTRIBUTED DENIAL OF SERVICE
What: DDoS attacks block legitimate users from accessing network resources
How: DDoS attacks block network resources (Infrastructure, DNS, Mail, Web and more…)
Where: DDoS attacks enter the network from all directions
When: DDoS attacks happen every day and all over the Internet
Denial of Service Background
TWO VARIANTS:
LOGICAL: software-related vulnerability (e.g. SMBNUKE)
FLOODING: exhaustion of CPU, bandwidth or memory (e.g. SYN FLOOD)
Normal TCP/IP Connection Initiation
TCP Client -> TCP Server: SYN
TCP Server -> TCP Client: SYN / ACK
TCP Client -> TCP Server: ACK
TCP SYN
The TCP server will hold the SYN in SYN_RCVD state until timeout.
Multiple SYNs open multiple SYN_RCVD entries waiting.
This continues until the full memory area allocated for maintaining TCP state is exhausted.
Once the memory area is exhausted, the waiting SYN_RCVDs are FIFOed out of the table.
[Figure: TCP Queue (MEMORY), a fixed table of slots, some FREE and some occupied by SYN_RCVD entries]
A TCP SYN requires the server to allocate memory, so the total amount of available memory becomes a finite resource which can be DoSed.
SYN+ACK RTT
TCP Client -> TCP Server: SYN (Time 0)
TCP Server -> TCP Client: SYN / ACK
TCP Client -> TCP Server: ACK ???
SYN+ACK RTT is the time it takes between the SYN+ACK and the ACK.
SYN Round Trip Time (RTT) is the interval between the sending of SYN+ACK and reception of the corresponding ACK from the other host.
TCP SYN-Flood – SYN_RCVD gets pushed
Attacker -> TCP Server: SYN SYN SYN SYN SYN SYN SYN SYN SYN ... (flood)
TCP Server: the table fills with SYN_RCVD entries; the oldest ones are dropped.
Valid User -> TCP Server: SYN
TCP Server -> Valid User: SYN / ACK
Valid User -> TCP Server: ACK, Data
Valid user gets to the ACK, but the server does not set up the connection: silence.
?? SYN_RCVD: no SYN_RCVD waiting when the ACK gets back.
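The two slides above (the finite SYN_RCVD table and the valid user whose ACK finds nothing waiting) can be replayed with a small model. This is an added illustration written for this transcript, not code from the Cisco deck; the table size, the timeout, the addresses and the timings are assumptions.

```python
"""Toy model of a TCP listen backlog under a SYN flood.

Added illustration written for this transcript; it is not code from the
Cisco deck. It models what the slides describe: every SYN allocates a
half-open (SYN_RCVD) entry, the table is a finite memory area, and when
the table is full the oldest entry is FIFOed out. Table size, timeout,
addresses and timings below are assumptions.
"""
from collections import OrderedDict


class SynBacklog:
    def __init__(self, size, syn_timeout=60.0):
        self.size = size                  # assumed SYN_RCVD table capacity
        self.syn_timeout = syn_timeout    # assumed expiry of a half-open entry
        self.half_open = OrderedDict()    # (src_ip, src_port) -> expiry time
        self.established = 0
        self.evicted = 0
        self.orphan_acks = 0

    def _expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def recv_syn(self, src, now):
        """Server side of the first handshake step: allocate SYN_RCVD state."""
        self._expire(now)
        if len(self.half_open) >= self.size:
            self.half_open.popitem(last=False)   # FIFO: oldest SYN_RCVD pushed out
            self.evicted += 1
        self.half_open[src] = now + self.syn_timeout
        return "SYN/ACK"

    def recv_ack(self, src, now):
        """Third handshake step: only succeeds if SYN_RCVD state still exists."""
        self._expire(now)
        if self.half_open.pop(src, None) is not None:
            self.established += 1
            return "ESTABLISHED"
        self.orphan_acks += 1
        return "RST"   # nothing is waiting for this ACK; the server answers with a reset


def valid_user_handshake(flood_syns, backlog_size=8, rtt=0.05):
    """Replay the slide: a valid user's SYN, then a spoofed flood during its RTT.

    Returns the outcome of the valid user's ACK plus counters.
    """
    srv = SynBacklog(backlog_size)
    valid = ("198.51.100.7", 40001)              # constructed legitimate client
    srv.recv_syn(valid, now=0.0)                 # valid user's SYN at time 0
    for i in range(flood_syns):
        # Constructed spoofed sources: they never see the SYN/ACK, so they
        # never ACK, and only the timeout or eviction frees their entries.
        src = (f"203.0.113.{i % 250}", 10000 + i)
        srv.recv_syn(src, now=0.0001 * (i + 1))  # all arrive well inside the RTT
    outcome = srv.recv_ack(valid, now=rtt)       # one SYN+ACK RTT later, the real ACK
    return {
        "outcome": outcome,
        "evicted": srv.evicted,
        "half_open": len(srv.half_open),
        "established": srv.established,
    }


if __name__ == "__main__":
    print("no flood :", valid_user_handshake(flood_syns=0))
    print("flood    :", valid_user_handshake(flood_syns=100))
```

With no flood the valid user's ACK finds its SYN_RCVD entry and the connection is established; with 100 spoofed SYNs arriving inside one RTT the 8-slot table is overwritten 93 times, the valid entry is among those pushed out, and the ACK that arrives after the RTT is answered with a reset.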
Distributed Denial of Service: EXAMPLE: DDoS
How do DDoS Attacks Start?
[Figure: an attacker compromises innocent PCs and servers (DNS, Email) across the Internet]
Innocent PCs & Servers turn into ‘Zombies’
Types and Influence of DDoS Attacks
Server-level DDoS attacks (DNS, Email)
Attack zombies:
• Use valid protocols
• Spoof source IP
• Massively distributed
DDoS Mitigation: CISCO’S DDoS SOLUTION COMPONENTS
DDoS Defense In Action
Cisco Detector XT monitors Protected Zone 1: Web, Protected Zone 2: Name Servers, Protected Zone 3: E-Commerce Applications
1. Detect the attack on the Target
2. Activate the Cisco Guard XT: Auto/Manual
3. Divert Only the Target’s Traffic to the Guard via a BGP Announcement
DDoS Defense In Action
Cisco Detector XT, Cisco Guard XT, Protected Zone 1: Web, Protected Zone 2: Name Servers, Protected Zone 3: E-Commerce Applications
4. Identify and Filter the Malicious traffic
5. Forward the Legitimate traffic to the zone
6. Non-Targeted Traffic Flows Freely
Cisco DDoS Solution Appliances and Service Modules
DDoS Mitigation: Cisco Guard XT 5650, Cisco Anomaly Guard Module
Attack ANALYSIS AND MITIGATION
Diverts traffic flows for ON-DEMAND SCRUBBING
DDoS Detection: Cisco Traffic Anomaly Detector XT 5600, Cisco Traffic Anomaly Detector Module
Attack DETECTION to support on-demand, shared scrubbing
CPE LEARNING for managed service
Monitors COPY OF TRAFFIC
Maximum deployment flexibility. Similar functionality and performance. Interoperable for mixed deployments.
Key Solution Benefits
• Detects and Mitigates DDoS attacks
Dynamically identifies and blocks malicious attack traffic
Ensures infrastructure stability and business continuity
Ensures legitimate users get access to network resources
• Not on the critical path or inline
Has minimal impact on routers, switches and infrastructure
• High Scalability and Performance
Multi-Gigabit performance
Optional clustering
High Performance and Capacity
• 1 MPPS+ for most attacks, good and bad traffic, typical features
• CLUSTERING TO 8 GUARDS for a single protected host
• Capacity: 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector)
• Latency or jitter: < 1 MSEC
DDoS Mitigation: MODES OF PROTECTION DETAILS
Measured Response: Modes of Protection
Learning (CISCO DETECTOR): periodic observation of patterns to update baseline profiles
Detection (CISCO DETECTOR): passive copy-of-traffic monitoring -> Attack Detected
Analysis (CISCO GUARD): diversion for more granular in-line analysis; flex filters, static and bypass filters in operation; all flows forwarded but analyzed for anomalies -> Anomaly Identified
Basic Protection (CISCO GUARD): basic anti-spoofing applied; analysis for continuing anomalies -> Anomaly Verified
Strong Protection (CISCO GUARD): strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources
Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Legitimate + attack traffic to target ->
Dynamic & Static Filters: dynamically insert specific filters to block attack flows & sources
Active Verification: apply anti-spoofing to block malicious flows
Statistical Analysis: detect anomalous behavior & identify precise attack flows and sources
Layer 7 Analysis
Rate Limiting: apply rate limits
-> Legitimate traffic
From Analysis to Basic
[Figure: Statistical Inspection; a to-user filter moves SRC_IP 12.10.8.5 from analysis to basic]
From Analysis to Basic
[Figure: Statistical Inspection; the basic-mode rate limit is applied to SRC_IP 12.10.8.5, separating legitimate traffic from spoofed traffic]
Basic/Redirect for HTTP Services
Client (Source, IP 201.2.3.4), Guard, Zone (Destination, www.cisco.com)
1. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x)
2. Guard: Is Source IP 201.2.3.4 Authenticated? NO. Generate unique cookie for IP 201.2.3.4
3. Guard -> Client: SYN ACK (seq=cookie; ack=x+1)
4. Client -> Guard: ACK (seq=x+1; ack=cookie+1), GET (http://www.cisco.com)
5. Guard: If cookie is valid, authenticate IP 201.2.3.4
6. Guard -> Client: REDIRECT, FIN (tells client to refresh the session and the HTTP request)
7. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=y)
8. Guard: Is Source IP 201.2.3.4 Authenticated? YES
9. Guard -> Zone: SYN (seq=y)
10. Zone -> Client: SYN ACK (seq=z; ack=y+1)
11. Client -> Zone: ACK (seq=y+1; ack=z+1), GET (http://www.cisco.com)
12. Zone -> Client: DATA
Spoofed SYN Attack example
Client (Source, IP 201.2.3.10), Guard, Zone (Destination)
Client -> Guard: SYN (SrcIP=7.0.0.1; seq=x; Port=80)
Guard: Is Source IP 7.0.0.1 Authenticated? NO. Generate unique cookie for IP 7.0.0.1
Guard -> 7.0.0.1: SYN ACK (seq=cookie; ack=x+1)
Client -> Guard: SYN (SrcIP=7.0.0.2; seq=y; Port=80)
Guard: Is Source IP 7.0.0.2 Authenticated? NO. Generate unique cookie for IP 7.0.0.2
Guard -> 7.0.0.2: SYN ACK (seq=cookie; ack=y+1)
Client -> Guard: SYN (SrcIP=10.0.0.1; seq=z; Port=80)
Guard: Is Source IP 10.0.0.1 Authenticated? NO. Generate unique cookie for IP 10.0.0.1
Guard -> 10.0.0.1: SYN ACK (seq=cookie; ack=z+1)
Client -> Guard: SYN (SrcIP=7.7.7.7; seq=b; Port=80)
Guard: Is Source IP 7.7.7.7 Authenticated? NO. Generate unique cookie for IP 7.7.7.7
Guard -> 7.7.7.7: SYN ACK (seq=cookie; ack=b+1)
Client -> Guard: SYN (SrcIP=10.0.0.3; seq=a; Port=80)
Guard: Is Source IP 10.0.0.3 Authenticated? NO. Generate unique cookie for IP 10.0.0.3
Guard -> 10.0.0.3: SYN ACK (seq=cookie; ack=a+1)
The SYN ACKs go to the spoofed addresses, not to 201.2.3.10, so no valid ACK ever returns, no source is authenticated, and nothing is forwarded to the Zone.
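The Basic/Redirect handshake and the spoofed-SYN slide above both rest on one mechanism: a cookie that only the real owner of the source address can echo. The following is an added illustration of that mechanism written for this transcript; it is not the Guard's implementation. The cookie construction (an HMAC over the connection 4-tuple and a coarse time counter, truncated to a 32-bit initial sequence number), the secret key, the validity window and the port numbers are assumptions; the IP addresses are the ones on the slides.

```python
"""SYN-cookie source authentication, in the style of the Guard's Basic
(anti-spoofing) mode shown on the preceding two slides.

Added illustration written for this transcript; it is not the Guard's
implementation. The cookie construction (an HMAC over the connection
4-tuple and a coarse time counter, truncated to a 32-bit initial sequence
number), the secret key and the validity window are assumptions.
"""
import hashlib
import hmac
import struct


class SynCookieGuard:
    def __init__(self, secret: bytes, window_s: int = 64):
        self.secret = secret
        self.window_s = window_s
        self.authenticated = set()   # source IPs that completed a cookie handshake
        self.forwarded = []          # SYNs passed through to the protected zone

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, counter):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]    # 32-bit ISN the client must echo + 1

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, seq, now):
        if src_ip in self.authenticated:
            self.forwarded.append((src_ip, src_port, dst_ip, dst_port, seq))
            return ("FORWARD", seq)                 # "Authenticated? YES": pass to zone
        counter = int(now) // self.window_s
        cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, counter)
        # No per-source state is stored: answering a spoofed SYN costs one packet.
        return ("SYN/ACK", {"seq": cookie, "ack": (seq + 1) & 0xFFFFFFFF})

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack, now):
        counter = int(now) // self.window_s
        for c in (counter, counter - 1):         # tolerate a window boundary
            expected = (self._cookie(src_ip, src_port, dst_ip, dst_port, c) + 1) & 0xFFFFFFFF
            if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", ack)):
                self.authenticated.add(src_ip)   # "If cookie is valid, authenticate IP"
                return "AUTHENTICATED"
        return "DROP"                             # handshake never completes


def run_scenario():
    """Legitimate client 201.2.3.4 versus attacker 201.2.3.10 spoofing five sources."""
    guard = SynCookieGuard(secret=b"constructed-demo-key")   # constructed key
    zone = ("www.cisco.com", 80)
    now = 1000.0

    # Legitimate client: first SYN is challenged, its ACK echoes the cookie.
    kind, synack = guard.on_syn("201.2.3.4", 5000, *zone, seq=0x1000, now=now)
    assert kind == "SYN/ACK"
    first = guard.on_ack("201.2.3.4", 5000, *zone,
                         ack=(synack["seq"] + 1) & 0xFFFFFFFF, now=now)
    # After the REDIRECT the client reconnects; this SYN is forwarded.
    second, _ = guard.on_syn("201.2.3.4", 5001, *zone, seq=0x2000, now=now + 1)

    # Attacker: SYNs with spoofed sources. The SYN/ACKs go to the spoofed
    # addresses, so the attacker never learns the cookie and no ACK comes back.
    challenges = {}
    for i, ip in enumerate(["7.0.0.1", "7.0.0.2", "10.0.0.1", "7.7.7.7", "10.0.0.3"]):
        kind, challenges[ip] = guard.on_syn(ip, 40000 + i, *zone, seq=i, now=now)
        assert kind == "SYN/ACK"
    # A blind guess stands in for the best the attacker can do; a wrong value is used.
    wrong_ack = (challenges["7.0.0.1"]["seq"] + 2) & 0xFFFFFFFF
    guessed = guard.on_ack("7.0.0.1", 40000, *zone, ack=wrong_ack, now=now)

    return {
        "first": first,
        "second": second,
        "guessed": guessed,
        "authenticated": sorted(guard.authenticated),
        "forwarded": len(guard.forwarded),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the run is what the Guard does not do: it keeps no SYN_RCVD state per challenge, so the five spoofed SYNs cost it five SYN/ACKs and nothing else, while the one source that can answer is authenticated and its next SYN is forwarded.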
From Basic to Strong
[Figure: SRC_IP 12.10.8.5 moves from the basic filter to the strong filter]
From Basic to Strong
[Figure: SRC_IP 12.10.8.5 under the strong filter; legitimate traffic and spoofed traffic shown separately]
Strong Mode for TCP Services
Client (Source, IP 201.2.3.4), Guard (with a Guard Proxy IP), Zone (Destination)
1. Client -> Guard: SYN (SrcIP=201.2.3.4; seq=x)
2. Guard: Is IP 201.2.3.4 Authenticated? NO. Generate unique cookie for IP 201.2.3.4
3. Guard -> Client: SYN ACK + Window=0 (seq=cookie; ack=x+1)
4. Client -> Guard: ACK (seq=x+1; ack=cookie+1)
5. Guard: If cookie is valid, authenticate IP 201.2.3.4
6. Guard -> Zone: SYN (SrcIP=Guard Proxy IP)
7. Zone -> Guard: SYN ACK
8. Guard -> Zone: ACK (SrcIP=Guard Proxy IP)
9. Guard -> Client: Window Update
10. Client -> Guard: DATA (SrcIP=201.2.3.4)
11. Guard -> Zone: DATA (SrcIP=Guard Proxy IP)
12. Zone -> Guard: DATA (DstIP=Guard Proxy IP)
13. Guard -> Client: DATA (DstIP=201.2.3.4)
From Strong to Drop
[Figure: SRC_IP 12.10.8.5 moves from the strong filter to drop]
From Strong to Drop
[Figure: SRC_IP 12.10.8.5 under the drop filter]
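The Modes of Protection slide and the three "From Analysis to Basic / Basic to Strong / Strong to Drop" slides describe one escalation ladder for a source that keeps behaving anomalously. The controller below is an added illustration of that ladder written for this transcript; it is not the Guard's own logic. The zone profile (mean plus k standard deviations of rates seen during learning), the per-source limit and the sample rates are assumptions; the source 12.10.8.5 is the one on the slides.

```python
"""Escalation ladder for one source, following the slides' sequence
Analysis -> Basic -> Strong -> Drop shown for SRC_IP 12.10.8.5.

Added illustration written for this transcript; it is not the Guard's
own logic. The zone profile (mean + k standard deviations of rates seen
during learning), the per-source limit and the sample rates are assumptions.
"""
from statistics import mean, pstdev


class EscalationController:
    def __init__(self, learned_pps, k=3.0, per_source_limit=100):
        # Learning: baseline profile for the zone from rates seen during learning.
        self.zone_threshold = mean(learned_pps) + k * pstdev(learned_pps)
        self.per_source_limit = per_source_limit   # assumed per-source rate limit
        self.zone_mode = "detection"               # Detector watches a copy of traffic
        self.source_mode = {}                      # src_ip -> rung of the ladder
        self.dynamic_filters = set()               # sources with a drop filter installed

    def observe_zone(self, zone_pps):
        """Detection: a zone rate above the profile diverts the zone to the Guard."""
        if zone_pps > self.zone_threshold:
            self.zone_mode = "analysis"
        return self.zone_mode

    def observe_source(self, src_ip, pps, authenticated):
        """Analysis onward: escalate a source only while its flow stays anomalous.

        `authenticated` is whether the source completed the anti-spoofing
        handshake since the last observation (spoofed sources never do).
        """
        if self.zone_mode != "analysis":
            return "not diverted"
        mode = self.source_mode.get(src_ip, "analysis")
        anomalous = pps > self.per_source_limit
        if mode == "analysis" and anomalous:
            mode = "basic"      # basic anti-spoofing: challenge the source
        elif mode == "basic" and anomalous and authenticated:
            mode = "strong"     # real host, still anomalous: proxy and rate limit
        elif mode == "strong" and anomalous:
            mode = "drop"       # zombie: deploy a dynamic filter for this source
            self.dynamic_filters.add(src_ip)
        self.source_mode[src_ip] = mode
        return mode


def run_ladder():
    """Replay the slides' source 12.10.8.5 next to a constructed legitimate source."""
    ctl = EscalationController(learned_pps=[50, 55, 48, 60, 52])   # constructed profile
    before = ctl.observe_source("12.10.8.5", 500, authenticated=False)
    zone = ctl.observe_zone(800)                                     # attack detected
    rungs = [
        ctl.observe_source("12.10.8.5", 500, authenticated=False),   # -> basic
        ctl.observe_source("12.10.8.5", 500, authenticated=True),    # -> strong
        ctl.observe_source("12.10.8.5", 500, authenticated=True),    # -> drop
    ]
    legit = ctl.observe_source("10.0.0.9", 20, authenticated=True)   # stays in analysis
    return {"before": before, "zone": zone, "rungs": rungs, "legit": legit,
            "filters": sorted(ctl.dynamic_filters)}


if __name__ == "__main__":
    print(run_ladder())
```

Nothing happens to any source until the zone itself trips the learned profile and is diverted; only then does a source climb the ladder, and it climbs one rung per observation in which it is still anomalous, so a host that passes the cookie challenge and drops back under the limit stays in basic and is never proxied or dropped.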
Management Features
• Web GUI, CLI and SNMP
• At-a-glance operations management
• Detailed attack data
• Per-customer summary reports
[Figure: deployment topology; the Hosting & Data Center / Enterprise Internal Network connects to ISP A and ISP B as BGP Neighbors]
Enterprise or Hosting Data Center with Service Modules in “Integrated Mode”
[Figure: Catalyst® 6K or 7600 Catalyst Switch (Sup720 or Sup2 w MSFC) hosting the Anomaly Guard Module, the Traffic Anomaly Detector Module and the Firewall Service Module; Guard/Detector Device Manager attached over GEnet; uplinks to ISP 1 and ISP 2; Target Internal Network with DNS Servers, Web, Chat, E-mail, etc.; labels: Attack Alert, RHI Route Update]