DDoS: Distributed Denial of Service
Andrea Negroni, Cisco Systems
Vimercate, 17 May 2005
© 2003 Cisco Systems, Inc. All rights reserved.


Agenda

PREFACE

EXAMPLE: TCP SYN

EXAMPLE: DDoS

CISCO’S DDoS SOLUTION COMPONENTS

MODES OF PROTECTION DETAILS


Distributed Denial of Service: PREFACE


What are DDoS Attacks ?

Name: DISTRIBUTED DENIAL OF SERVICE

What: DDoS attacks block legitimate users from accessing network resources

How: DDoS attacks block network resources (Infrastructure, DNS, Mail, Web and more…)

Where: DDoS attacks enter the network from all directions

When: DDoS attacks happen everyday and all over the Internet


[Chart: Dollar Amount of Losses by Type]


Denial of Service Background

TWO VARIANTS
• LOGICAL: software-related vulnerability (e.g. SMBNUKE)
• FLOODING: exhausts CPU, bandwidth or memory (e.g. SYN FLOOD)


Denial of Service: EXAMPLE: TCP SYN


Normal TCP/IP Connection Initiation

TCP Client ---- SYN -------> TCP Server
TCP Client <--- SYN / ACK -- TCP Server
TCP Client ---- ACK -------> TCP Server


TCP SYN

The TCP server will hold the SYN in SYN_RCVD state until timeout.
Multiple SYNs open multiple SYN_RCVD entries waiting.
This continues until the full memory area allocated for maintaining TCP state is exhausted.
Once the memory area is exhausted, the waiting SYN_RCVD entries are FIFOed out of the table.

TCP Queue (MEMORY):  FREE FREE FREE FREE FREE FREE FREE FREE FREE FREE | SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD

A TCP SYN requires the server to allocate memory, so the total amount of available memory becomes a finite resource which can be DoSed.


SYN+ACK RTT

TCP Client ---- SYN -------> TCP Server
TCP Client <--- SYN / ACK -- TCP Server   (Time 0)
TCP Client ---- ACK ??? ---> TCP Server

SYN+ACK RTT is the time it takes between the SYN+ACK and the ACK.
SYN Round Trip Time (RTT) is the interval between the sending of SYN+ACK and reception of the corresponding ACK from the other host.


TCP SYN-Flood – SYN_RCVD gets pushed

Attacker ---- SYN SYN SYN SYN SYN SYN SYN SYN SYN ----> TCP Server
Server table: SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD SYN_RCVD ... (full) -> oldest entries drop

Valid User ---- SYN -------> TCP Server
Valid User <--- SYN / ACK -- TCP Server
Valid User ---- ACK, Data -> TCP Server   ?? SYN_RCVD
Valid User <--- Silence ---- TCP Server

The valid user gets to the ACK, but the server does not set up the connection: there is no SYN_RCVD waiting when the ACK gets back.
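The failure mode on the two slides above, as an added example that is not part of the original presentation: a toy model of a server whose half-open table has finite capacity and FIFO eviction, exactly as described. The capacity, the `TcpServer` class and its method names, and the client and attacker addresses are constructed for illustration.

```python
"""Finite SYN_RCVD table under a SYN flood (added example, not from the slides).

Models the queue on the slides above: every SYN costs an entry, the table has
finite capacity, and when it is full the oldest SYN_RCVD entry is FIFOed out.
Capacity, the TcpServer class and the constructed addresses are assumptions.
"""
from collections import OrderedDict


class TcpServer:
    """Holds at most `capacity` half-open connections keyed by (src_ip, src_port)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = OrderedDict()  # insertion order == arrival order, so FIFO eviction
        self.established = set()
        self.evicted = 0

    def on_syn(self, src_ip, src_port):
        key = (src_ip, src_port)
        if len(self.half_open) >= self.capacity:
            self.half_open.popitem(last=False)  # table full: oldest SYN_RCVD pushed out
            self.evicted += 1
        self.half_open[key] = "SYN_RCVD"        # memory spent on an unverified peer
        return "SYN/ACK"

    def on_ack(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.half_open:
            return "silence"                    # no SYN_RCVD waiting when the ACK gets back
        del self.half_open[key]
        self.established.add(key)
        return "ESTABLISHED"


def run_flood(capacity=8, flood_syns=20):
    """Valid user's SYN arrives, spoofed SYNs arrive within one RTT, then the user's ACK."""
    server = TcpServer(capacity)
    user = ("198.51.100.7", 40000)              # constructed legitimate client
    server.on_syn(*user)
    for i in range(flood_syns):                 # spoofed sources never answer the SYN/ACK
        server.on_syn(f"203.0.113.{i % 250}", 1000 + i)
    outcome = server.on_ack(*user)              # the user's ACK arrives one RTT later
    return outcome, server.evicted, len(server.half_open)


if __name__ == "__main__":
    print(run_flood())                          # ('silence', 13, 8)
    print(run_flood(flood_syns=0))              # ('ESTABLISHED', 0, 0)
```

With 20 spoofed SYNs against an 8-entry table the user's entry is the first one evicted, so the user's perfectly valid ACK meets silence; with no flood the same exchange completes normally.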


Distributed Denial of Service: EXAMPLE: DDoS


How do DDoS Attacks Start ?

Innocent PCs & Servers (DNS, Email, …) turn into 'Zombies'


Types and Influence of DDoS Attacks

Server-level DDoS attacks (DNS, Email)

Attack Zombies:
• Use valid protocols
• Spoof source IP
• Massively distributed


DDoS Mitigation: CISCO'S DDoS SOLUTION COMPONENTS


DDoS Defense In Action (1)

Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Applications
Cisco Detector XT watches the zones; Cisco Guard XT sits off the traffic path.

1. Detect (the Detector identifies the Target)
2. Activate: Auto/Manual
3. Divert Only Target's Traffic (BGP Announcement from the Guard)


DDoS Defense In Action (2)

Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Applications
Cisco Detector XT; Cisco Guard XT; Target

4. Identify and Filter the Malicious
5. Forward the Legitimate (legitimate traffic to the zone)
6. Non-Targeted Traffic Flows Freely
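Steps 3 to 6 above, as an added example that is not part of the original presentation: the Guard's announcement of a more-specific route for the target is modelled as a longest-prefix-match lookup, inspection happens only on the diverted path, and every other destination keeps its normal next hop. The prefixes, next-hop names, packet samples and the `spoofed` flag standing in for whatever the Guard's checks flag are all constructed for illustration.

```python
"""Diverting only the target's traffic with a more-specific route (added example).

Not from the slides: models step 3 (the Guard's BGP announcement) as a
longest-prefix-match lookup, steps 4 and 5 as a filter applied only on the
diverted path, and step 6 as everything else keeping its normal next hop.
Prefixes, next-hop names, the packet samples and the malicious-packet rule
are constructed for illustration.
"""
import ipaddress


def build_rib(normal_routes, targets, guard_next_hop):
    """normal_routes: {prefix: next_hop}. Each target gets a /32 pointing at the Guard."""
    rib = {ipaddress.ip_network(p): nh for p, nh in normal_routes.items()}
    for host in targets:
        rib[ipaddress.ip_network(f"{host}/32")] = guard_next_hop  # more specific than the zone's /24
    return rib


def next_hop(rib, dst):
    """Longest-prefix match, as the edge router does after the announcement."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]


def route_packets(rib, packets, guard_next_hop, is_malicious):
    """Returns (dst, next_hop, verdict) per packet; only Guard-bound packets are inspected."""
    log = []
    for pkt in packets:
        nh = next_hop(rib, pkt["dst"])
        if nh == guard_next_hop and is_malicious(pkt):
            log.append((pkt["dst"], nh, "dropped"))       # step 4: identify and filter the malicious
        elif nh == guard_next_hop:
            log.append((pkt["dst"], nh, "forwarded"))     # step 5: scrubbed, then on to the zone
        else:
            log.append((pkt["dst"], nh, "forwarded"))     # step 6: non-targeted traffic flows freely
    return log


def demo():
    rib = build_rib({"192.0.2.0/24": "zone-router", "0.0.0.0/0": "upstream"},
                    targets=["192.0.2.10"], guard_next_hop="guard")
    packets = [  # constructed sample; 'spoofed' stands in for whatever the Guard's checks flag
        {"dst": "192.0.2.10", "spoofed": True},
        {"dst": "192.0.2.10", "spoofed": False},
        {"dst": "192.0.2.11", "spoofed": True},   # same /24 but not the target: never diverted
        {"dst": "198.51.100.5", "spoofed": False},
    ]
    return route_packets(rib, packets, "guard", is_malicious=lambda p: p["spoofed"])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point a practitioner should take from the third packet: a host in the same /24 as the target is never inspected, because the /32 only catches the target. That is what keeps the Guard off the critical path for everything that is not under attack.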


Cisco DDoS Solution Appliances and Service Modules

DDoS Mitigation:
• Cisco Guard XT 5650 (appliance)
• Cisco Anomaly Guard Module (service module)
  Attack ANALYSIS AND MITIGATION
  Diverts traffic flows for ON-DEMAND SCRUBBING

DDoS Detection:
• Cisco Traffic Anomaly Detector XT 5600 (appliance)
• Cisco Traffic Anomaly Detector Module (service module)
  Attack DETECTION to support on-demand, shared scrubbing
  CPE LEARNING for managed service
  Monitors COPY OF TRAFFIC

Maximum deployment flexibility. Similar functionality and performance. Interoperable for mixed deployments.


Key Solution Benefits

• Detects and Mitigates DDoS attacks
  Dynamically identifies and blocks malicious attack traffic
  Ensures infrastructure stability and business continuity
  Ensures legitimate users get access to network resources
• Not on the critical path or inline
  Has minimal impact on routers, switches and infrastructure
• High Scalability and Performance
  Multi-Gigabit performance
  Optional clustering


High Performance and Capacity

• 1 MPPS+ for most attacks, good and bad traffic, typical features
• CLUSTERING TO 8 GUARDS for a single protected host
• Capacity: 30 CONCURRENTLY PROTECTED ZONES (90 for the Detector)
• Latency or jitter: < 1 MSEC


DDoS Mitigation: MODES OF PROTECTION DETAILS


Measured Response: Modes of Protection

CISCO DETECTOR
• Learning: periodic observation of patterns to update baseline profiles
• Detection: passive copy-of-traffic monitoring
  -> Attack Detected

CISCO GUARD
• Analysis: diversion for more granular in-line analysis
  Flex filters, static and bypass filters in operation
  All flows forwarded but analyzed for anomalies
  -> Anomaly Identified
• Basic Protection: basic anti-spoofing applied
  Analysis for continuing anomalies
  -> Anomaly Verified
• Strong Protection: strong anti-spoofing (proxy) if appropriate
  Dynamic filters deployed for zombie sources


Multi-Verification Process (MVP): Integrated Defenses in the Guard XT

Legitimate + attack traffic to target
  -> Dynamic & Static Filters
  -> Active Verification: apply anti-spoofing to block malicious flows
  -> Statistical Analysis: detect anomalous behavior & identify precise attack flows and sources
  -> Layer 7 Analysis: dynamically insert specific filters to block attack flows & sources
  -> Rate Limiting: apply rate limits
  -> Legitimate traffic


From Analysis to Basic

[Diagram: Statistical Inspection of the flows from SRC_IP 12.10.8.5; a to-user filter moves that source from analysis to basic protection. In basic mode a rate limit is applied to the source: legitimate traffic is passed, spoofed traffic is dropped.]


Basic/Redirect for HTTP Services

Client (Source, IP 201.2.3.4)            Guard                                                  Zone (Destination, www.cisco.com)

SYN (SrcIP=201.2.3.4; seq=x)       ->    Is Source IP 201.2.3.4 Authenticated? NO
                                         Generate unique cookie for IP 201.2.3.4
                                   <-    SYN ACK (seq=cookie; ack=x+1)
ACK (seq=x+1; ack=cookie+1)        ->    If cookie is valid, authenticate IP 201.2.3.4
GET (http://www.cisco.com)         ->
                                   <-    REDIRECT: tells client to refresh the session and the HTTP request
FIN                                ->
SYN (SrcIP=201.2.3.4; seq=y)       ->    Is Source IP 201.2.3.4 Authenticated? YES        ->   SYN (seq=y)
                                   <-                                                     <-   SYN ACK (seq=z; ack=y+1)
ACK (seq=y+1; ack=z+1)             ->                                                     ->   ACK (seq=y+1; ack=z+1)
GET (http://www.cisco.com)         ->                                                     ->   GET (http://www.cisco.com)
                                   <-                                                     <-   DATA


Spoofed SYN Attack example

Attacker (Source, IP 201.2.3.10)          Guard                                               Zone (Destination)

SYN (SrcIP=7.0.0.1; seq=x; Port=80)   ->  Is Source IP 7.0.0.1 Authenticated? NO
                                          Generate unique cookie for IP 7.0.0.1
                                      <-  SYN ACK (seq=cookie; ack=x+1)
SYN (SrcIP=7.0.0.2; seq=y; Port=80)   ->  Is Source IP 7.0.0.2 Authenticated? NO
                                          Generate unique cookie for IP 7.0.0.2
                                      <-  SYN ACK (seq=cookie; ack=y+1)
SYN (SrcIP=10.0.0.1; seq=z; Port=80)  ->  Is Source IP 10.0.0.1 Authenticated? NO
                                          Generate unique cookie for IP 10.0.0.1
                                      <-  SYN ACK (seq=cookie; ack=z+1)
SYN (SrcIP=10.0.0.3; seq=a; Port=80)  ->  Is Source IP 10.0.0.3 Authenticated? NO
                                          Generate unique cookie for IP 10.0.0.3
                                      <-  SYN ACK (seq=cookie; ack=a+1)
SYN (SrcIP=7.7.7.7; seq=b; Port=80)   ->  Is Source IP 7.7.7.7 Authenticated? NO
                                          Generate unique cookie for IP 7.7.7.7
                                      <-  SYN ACK (seq=cookie; ack=b+1)

The SYN ACKs go to the spoofed addresses, not to the attacker, so no valid ACK ever comes back: no source is authenticated and nothing is forwarded to the Zone.
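The two exchanges above (Basic/Redirect and the spoofed SYN attack), as an added example that is not Cisco's code or part of the original presentation. It shows why a cookie-based challenge costs the Guard no memory per SYN: the cookie is an HMAC over the source IP, destination port, a coarse time slot and a secret, truncated to 32 bits, and only a source that actually receives the SYN ACK can return it. That construction is a common SYN-cookie style assumed here; the Guard's real cookie algorithm is not described on the page. The `Guard` class, the slot length and the helper functions are constructed for illustration; the addresses are the slides' own.

```python
"""Basic-mode source authentication with SYN cookies (added example).

Not code from Cisco or the original slides: a model of the Basic/Redirect and
spoofed-SYN exchanges above. The cookie construction (HMAC over source IP,
destination port, a coarse timestamp and a secret, truncated to 32 bits) is a
common SYN-cookie style assumed here; the Guard's real algorithm is not on the
page. Addresses and sequence numbers are the slides' or constructed.
"""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-in-production"
SLOT_SECONDS = 64  # a cookie is accepted for the slot it was issued in and the next one


def make_cookie(src_ip, dst_port, now):
    """32-bit cookie used as the Guard's SYN/ACK sequence number; no state is kept."""
    slot = int(now) // SLOT_SECONDS
    msg = f"{src_ip}|{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def cookie_valid(src_ip, dst_port, cookie, now):
    if not 0 <= cookie <= 0xFFFFFFFF:
        return False
    got = cookie.to_bytes(4, "big")
    for slot_back in (0, 1):  # current slot, then the previous one (SYN/ACK sent just before a boundary)
        want = make_cookie(src_ip, dst_port, now - slot_back * SLOT_SECONDS).to_bytes(4, "big")
        if hmac.compare_digest(got, want):
            return True
    return False


class Guard:
    """Answers SYNs from unknown sources with a cookie and forwards only authenticated sources."""

    def __init__(self, port=80):
        self.port = port
        self.authenticated = set()  # source IPs that returned a valid cookie
        self.forwarded = []         # (src_ip, seq) SYNs passed through to the zone

    def on_syn(self, src_ip, seq, now):
        if src_ip in self.authenticated:
            self.forwarded.append((src_ip, seq))
            return "forward", None
        cookie = make_cookie(src_ip, self.port, now)
        return "SYN/ACK", {"seq": cookie, "ack": seq + 1}   # stateless reply

    def on_ack(self, src_ip, ack, now):
        if cookie_valid(src_ip, self.port, ack - 1, now):
            self.authenticated.add(src_ip)  # a real host answers at this IP; for HTTP the
            return "authenticated"          # Guard then REDIRECTs so the client reconnects
        return "ignored"


def spoofed_flood(guard, count, now):
    """Spoofed sources never see the SYN/ACK, so no ACK ever comes back."""
    for i in range(count):
        guard.on_syn(f"7.0.0.{i % 250 + 1}", seq=1000 + i, now=now)
    return len(guard.authenticated), len(guard.forwarded)


def legit_client(guard, src_ip, now):
    """Client completes the cookie handshake, then its next SYN is forwarded to the zone."""
    action, synack = guard.on_syn(src_ip, seq=5, now=now)
    if action != "SYN/ACK":
        return action, None
    result = guard.on_ack(src_ip, ack=synack["seq"] + 1, now=now)
    action2, _ = guard.on_syn(src_ip, seq=9, now=now)
    return result, action2


if __name__ == "__main__":
    g = Guard()
    print(spoofed_flood(g, 100, now=1_000_000))         # (0, 0): no state, nothing forwarded
    print(legit_client(g, "201.2.3.4", now=1_000_000))  # ('authenticated', 'forward')
```

Two details matter in practice: the cookie is compared with `hmac.compare_digest` so a guessing attacker gets no timing signal, and the previous time slot is accepted so a client whose SYN ACK crossed a slot boundary during the RTT is not rejected. Rotating `SECRET` would be the real deployment's job; the constant here is only so the example runs.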


From Basic to Strong

[Diagram: SRC_IP 12.10.8.5 is moved from basic to strong protection; the strong filter separates legitimate traffic from spoofed traffic.]


Strong Mode for TCP Services

Client (Source, IP 201.2.3.4)            Guard                                                  Zone (Destination)

SYN (SrcIP=201.2.3.4; seq=x)       ->    Is IP 201.2.3.4 Authenticated? NO
                                         Generate unique cookie for IP 201.2.3.4
                                   <-    SYN ACK + Window=0 (seq=cookie; ack=x+1)
ACK (seq=x+1; ack=cookie+1)        ->    If cookie is valid, authenticate IP 201.2.3.4
                                                                                           ->   SYN (SrcIP=Guard Proxy IP)
                                                                                           <-   SYN ACK
                                                                                           ->   ACK (SrcIP=Guard Proxy IP)
                                   <-    Window Update
DATA (SrcIP=201.2.3.4)             ->                                                      ->   DATA (SrcIP=Guard Proxy IP)
                                   <-                                                      <-   DATA (DstIP=Guard Proxy IP)
DATA (DstIP=201.2.3.4)             <-
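The strong-mode exchange above, as an added example that is not the Guard's code or part of the original presentation: a small TCP proxy that completes the client's handshake itself, opens its own connection to the protected server only afterwards, and relays from its own address, so the server never sees a half-open connection and never sees the client's IP as the source. Python sockets cannot advertise a zero window on demand, so instead of Window=0 the proxy simply does not read from the client until the upstream connection exists; the kernel buffers the client's data in the meantime, which is the same effect. The echo backend, the event log, and the ports (all ephemeral on 127.0.0.1) are constructed for illustration.

```python
"""Strong mode as a TCP proxy (added example, not the Guard's code).

In strong mode the Guard completes the client's handshake itself, holds the
client's data (Window=0 on the slide) until it has its own connection to the
zone, and then relays from its proxy address. Python sockets cannot advertise
a zero window on demand, so this proxy simply does not read from the client
until the backend connection is up; the kernel buffers the client's data in
the meantime. The echo backend, the event log and the ports (all 127.0.0.1,
ephemeral) are constructed for illustration.
"""
import socket
import threading


def start_echo_backend():
    """The protected server: accepts one connection, records its peer, echoes one message."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    peers = []

    def serve():
        conn, peer = srv.accept()
        peers.append(peer)                       # who the zone actually talked to
        with conn:
            conn.sendall(b"echo:" + conn.recv(4096))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], peers


def start_guard_proxy(backend_port):
    """Accept the client (kernel finishes the 3-way handshake), only then connect to the zone."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    events = []

    def serve():
        client, _ = lsock.accept()
        events.append("client_handshake_done")   # a spoofed source would never get here
        with client:
            upstream = socket.create_connection(("127.0.0.1", backend_port))  # SrcIP = proxy IP
            events.append("backend_connected")
            with upstream:
                payload = client.recv(4096)      # the held client data is consumed only now
                events.append("client_data_read")
                upstream.sendall(payload)
                client.sendall(upstream.recv(4096))
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1], events


def run_demo(message=b"GET / HTTP/1.0\r\n\r\n"):
    """Client -> Guard proxy -> zone; returns reply, proxy event order, zone's peers, client port."""
    backend_port, peers = start_echo_backend()
    proxy_port, events = start_guard_proxy(backend_port)
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        client_port = c.getsockname()[1]
        c.sendall(message)                        # sent before the proxy has even accepted
        reply = c.recv(4096)
    return reply, events, peers, client_port


if __name__ == "__main__":
    reply, events, peers, client_port = run_demo()
    print(reply, events, "zone saw the proxy, not the client:", peers[0][1] != client_port)
```

The event order is the security property: `backend_connected` can only come after `client_handshake_done`, so a flood of SYNs from spoofed sources is absorbed by the proxy's listening socket and never produces a single upstream connection. On loopback the zone's peer differs from the client only by port; on a real deployment it would be the Guard's proxy IP, as on the slide.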


From Strong to Drop

[Diagram: SRC_IP 12.10.8.5 is moved from strong protection to drop; all traffic from that source is discarded.]
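The measured-response ladder of the preceding slides (Learning, Detection, then per-source Analysis, Basic, Strong and Drop), as an added example that is not Cisco's code or part of the original presentation. The Detector learns a baseline from observed SYN rates, and the Guard escalates each anomalous source one step per observation window: a spoofed source fails basic anti-spoofing and never gets further, a real zombie host passes anti-spoofing, is proxied in strong mode, and finally receives a dynamic drop filter. The baseline rule (mean plus k standard deviations), the use of one zone threshold per source, the window layout and the traffic samples are all assumptions made for illustration; the real Detector and Guard thresholds are not on the page.

```python
"""Measured response: learning, detection and per-source escalation (added example).

Not from the slides or Cisco: a toy version of the Learning -> Detection ->
Analysis -> Basic -> Strong -> Drop ladder shown above. The baseline rule
(mean + k * standard deviation of learned SYN rates), the use of one zone
threshold per source, and the constructed traffic windows are assumptions;
the real Detector and Guard thresholds are not on the page.
"""
from statistics import mean, pstdev

MODES = ["analysis", "basic", "strong", "drop"]


class Baseline:
    """Learning: periodic observation of the zone's SYN rate to update the profile."""

    def __init__(self, k=3.0):
        self.samples = []
        self.k = k

    def learn(self, syn_pps):
        self.samples.append(syn_pps)

    def threshold(self):
        return mean(self.samples) + self.k * pstdev(self.samples)


class Guard:
    """Tracks the protection mode of every source and the dynamic filters it has inserted."""

    def __init__(self):
        self.mode = {}               # src_ip -> current mode (absent == analysis)
        self.dynamic_filters = set()

    def escalate(self, src):
        cur = self.mode.get(src, "analysis")
        nxt = MODES[min(MODES.index(cur) + 1, len(MODES) - 1)]
        self.mode[src] = nxt
        if nxt == "drop":
            self.dynamic_filters.add(src)   # zombie source: insert a dynamic filter
        return nxt


def process_window(guard, threshold, window):
    """window: iterable of (src_ip, syn_pps, answers_challenge). Returns src_ip -> verdict."""
    verdicts = {}
    for src, pps, answers in window:
        mode = guard.mode.get(src, "analysis")
        if mode == "drop":
            verdicts[src] = "dropped-by-dynamic-filter"
        elif pps <= threshold:
            verdicts[src] = "forwarded"                 # within the learned profile
        elif mode == "analysis":
            guard.escalate(src)                         # anomaly identified -> basic
            verdicts[src] = "forwarded-under-analysis"  # all flows still forwarded
        elif mode == "basic":
            if not answers:                             # spoofed source fails anti-spoofing
                verdicts[src] = "dropped-by-anti-spoofing"
            else:
                guard.escalate(src)                     # verified but still anomalous -> strong
                verdicts[src] = "forwarded-via-proxy"
        else:  # strong
            guard.escalate(src)                         # attack persists through the proxy -> drop
            verdicts[src] = "dropped-by-dynamic-filter"
    return verdicts


def simulate():
    """Four traffic windows: a legitimate user, a spoofed flood and a real zombie host."""
    base = Baseline()
    for pps in (100, 120, 110, 90, 105):                # constructed learning samples
        base.learn(pps)
    threshold = base.threshold()                        # 135.0
    guard = Guard()
    window = [("198.51.100.7", 20, True),               # legitimate client
              ("7.0.0.1", 5000, False),                 # spoofed source from the slides
              ("12.10.8.5", 3000, True)]                # zombie with a real address
    history = [process_window(guard, threshold, window) for _ in range(4)]
    return threshold, history, guard


if __name__ == "__main__":
    threshold, history, guard = simulate()
    for i, verdicts in enumerate(history, 1):
        print(i, verdicts)
    print(guard.mode, guard.dynamic_filters)
```

Note what never happens: the legitimate client is forwarded in every window without ever being challenged, because its rate stays inside the learned profile, and the spoofed source is stopped at basic mode without ever consuming a proxy connection. Only the real zombie, which can pass anti-spoofing, costs the Guard strong-mode resources before it is filtered.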


Management Features

• Web GUI, CLI and SNMP

• At-a-glance operations management

• Detailed attack data

• Per-customer summary reports


[Diagram: deployment topology. The Hosting & Data Center / Enterprise internal network is connected to two upstream providers, ISP A and ISP B, each a BGP Neighbor of the edge router.]


Enterprise or Hosting Data Center with Service Modules in "Integrated Mode"

[Diagram: a Catalyst 6K or 7600 with Sup720 or Sup2 w/ MSFC hosts the Anomaly Guard Module, the Traffic Anomaly Detector Module and a Firewall Service Module; a GEnet link leads to a Catalyst Switch in front of the DNS Servers and the Web, Chat, E-mail, etc. servers (the Target Internal Network); upstream links to ISP 1 and ISP 2; the Detector raises an Attack Alert to the Guard/Detector Device Manager, and the Guard diverts the target's traffic with an RHI Route Update.]
