Solutions For Denial of Service (DoS) Minimization Ian Quinn APRICOT 2001 Kuala Lumpur, Malaysia



Agenda

The Impact Of Denial of Service (DoS)
Detecting And Minimising DoS
SMURF Attacks
SYN Attacks
Infrastructure Requirements
Proactive Measures

Juniper Networks, Inc. Copyright © 2000 - Proprietary & Confidential 3

Popular Points Of Attack And Pressure

[Diagram: service providers and regional/national backbones, customers on access circuits, data center, peering points, core infrastructure]

Actual targets
  - Customers
  - Datacenters
  - ISP servers
  - Infrastructure (eg routers)

Additional pressure points
  - Access circuits
  - Peering points
  - Low bandwidth core links


What Are The Threats To A Service Provider

Disruption of customer networks
  - Desirable to be able to assist the customer

Consumption of bandwidth
  - Lower bandwidth links are susceptible
  - Often a big problem in Asia Pacific

Network stability
  - Frequently a problem for older platforms
  - Related to the additional workload, and to performance headroom

All affect the service delivered


Emergence Of Distributed Denial Of Service (DDoS)

Targeted largely at servers
Harnesses networks of compromised machines


Specific Impact Of DoS In Asia Pacific

[Diagram: DoS attacks originating in the United States pass through Tier 1 providers to reach Service Provider 1, Service Provider 2 and Service Provider 3 in Australia and New Zealand]


Impacts Of Security Incidents

Customer service levels
  - Internet access, web farms, ecommerce
  - Especially if the impact is repeated

Support overhead
  - Especially in isolating and blocking Denial of Service (DoS) attacks

Service provider reputation

Service Level Agreement (SLA) breaches
  - SLAs increasingly being offered
  - Multi-service networks change the game

STRESS!!!


Generic Approach To DoS Attacks

Use statistics to detect an attack in progress
Use sampling or logging to capture traffic for analysis
Isolate the attack
  - Attack type
  - Source (often difficult or impractical, since the source address is usually forged)
  - Destination
Block or trace back the attack using filters
  - Filter on destination and protocol
  - Drop traffic or rate limit


Detecting Attacks

Sudden changes in traffic profiles
  - Average packet size changes
  - Link utilisation increases
  - Traffic by destination address
  - Source address is normally forged or distributed, so it is a poor key for detection

Generate alarms in response to changes
  - Alarm for closer human inspection
  - Overview easily available for NOC staff
  - Migrate to some level of automated response


Complicating Factors With DoS

Distinguishing DoS traffic from normal usage
Forged source addresses
  - More difficult to isolate and track the attack
Distributed attacks
  - Attack can enter from multiple points
  - Difficult to track back and shut down
Blocking attacks that match valid traffic
  - Disruption of normal service


SMURF Attacks

The attacker sends a ping to the broadcast address of an intermediary subnet, using a forged source address
The forged source address belongs to the target of the attack
Every host on the intermediary subnet answers with an echo reply to the target, so the attacker's traffic is amplified by the number of intermediary hosts
The result is an over-burdened CPU on the target server and over-utilized access trunks

[Diagram: attacker's workstation, intermediary hosts (several on the same subnet), data server]


Dealing With SMURF Attacks

Detection is achieved by using the count action within firewall filters
The filtering is achieved by changing the accept to a discard
The log action assists in the tracing

Filter terms (the filter is applied to the interface under the name count-icmp):

    term a {
        from {
            destination-address {
                10.1.1.0/24;
            }
            protocol icmp;
        }
        then {
            count icmp-counter;
            log;
            accept;
        }
    }
    term b {
        then accept;
    }

Note that term a counts every ICMP packet towards the prefix. The reflected traffic in a SMURF arrives as ICMP echo replies, so adding icmp-type echo-reply to the match narrows the counter, and later the discard, to the attack traffic without also dropping the target's own pings and error messages.


Dealing With SMURF Attacks

Once the filter is applied to the interface, you can view the firewall counters
If the ICMP counter increments quickly, an attack is underway

    unit 0 {
        family inet {
            filter {
                output count-icmp;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark> show firewall

    Filter/Counter            Packet count    Byte count
    count-icmp
      icmp-counter            78516           5025000

A single reading only shows the total since the counter was last cleared; read it twice a known interval apart and compare the difference with the normal ICMP rate for that host.


Dealing With SMURF Attacks

Stopping the attack is a matter of changing the accept action to a discard
Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient place
  - Bandwidth on the access circuit and the core links is still wasted
Also apply this filter at the AS boundaries of the network where the targeted host resides, so that the traffic is dropped as it enters


Where Did that SMURF Come From?

Finding the bad guy is not easy
Use show firewall log to see the source addresses of the ICMP traffic; however, this identifies only the intermediary (the subnet whose hosts replied), not the attacker
Contact the owner of the intermediary and ask them to
  - Disable broadcast pings (directed broadcasts) on their routers
  - Track the pings back to the attacker


SYN Attacks

The attacker sends a stream of SYNs to the server under attack using forged source addresses
The forged source address is one that nobody is using, so nothing ever answers the server's SYN-ACK (a live host would reply with a RST and free the half-open connection)
The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks

[Diagram: attacker, data server]


SYN Attacks

During a SYN attack, the SYN-ACK never reaches the client
Half-open sockets remain on the server until they time out
The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks

Correct three-way handshake:

    Client                          Server
      SYN -------------------------->
      <------------------------- SYN-ACK
      ACK -------------------------->


Dealing With SYN Attacks

Detection is achieved by configuring a firewall filter to count SYN packets separately from the rest of the TCP traffic
Tracing is achieved by leveraging the sampling capability to derive the incoming interface

    term a {
        from {
            protocol tcp;
            tcp-flags syn;
        }
        then {
            count syn-packets;
            accept;
        }
    }
    term b {
        from {
            protocol tcp;
        }
        then {
            count tcp-packets;
            accept;
        }
    }

Because term a accepts the SYNs before term b is evaluated, tcp-packets counts only the non-SYN TCP traffic of established connections. tcp-flags syn also matches SYN-ACKs; on an output filter towards the server that is harmless, but on a filter that also sees the server's replies use tcp-flags "syn & !ack" (or tcp-initial) so that only connection attempts are counted.


Details Of The Detection Process

Once the filter is applied to the interface, you can view the counters
If the ratio of SYN packets to other TCP packets is high (> 1:5), a SYN attack is underway

    unit 0 {
        family inet {
            filter {
                output detect-syn-attack;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark# run show firewall

    Filter/Counter            Packet count    Byte count
    detect-syn-attack
      tcp-packets             289144          86743200
      syn-packets             56388           16916640

Here 56388 to 289144 is just under 1:5 over the lifetime of the counters. As with the ICMP counter, compare two readings taken a known interval apart, so that the ratio reflects current traffic rather than the history since the counters were last cleared.
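The two counter checks on these slides (the ICMP counter rate for SMURF, the SYN-to-TCP ratio for SYN floods) are easy to script against show firewall output. The following Python is an added example, not code from the original presentation or from Juniper: it parses two constructed snapshots in the Filter/Counter layout shown above, taken a known interval apart, turns the differences into packet rates and applies both rules. The 1000 pps ICMP threshold is an assumption for illustration; the 1:5 SYN ratio is the slides' own rule, and the counter names follow the slides.

```python
# Added example (not from the APRICOT 2001 slides): scripted evaluation of the
# two counter checks the slides describe, run over two constructed snapshots of
# `show firewall` output in the Filter/Counter layout the slides show.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Counters = Dict[Tuple[str, str], Tuple[int, int]]   # (filter, counter) -> (packets, bytes)

# Constructed snapshot: the values on the slides, as if read at t = 0
SNAPSHOT_T0 = """\
Filter/Counter            Packet count    Byte count
count-icmp
  icmp-counter            78516           5025000
detect-syn-attack
  tcp-packets             289144          86743200
  syn-packets             56388           16916640
"""

# Constructed snapshot: the same counters read 10 seconds later
SNAPSHOT_T1 = """\
Filter/Counter            Packet count    Byte count
count-icmp
  icmp-counter            93516           5985000
detect-syn-attack
  tcp-packets             309144          92743200
  syn-packets             64388           17396640
"""

_COUNTER_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")   # counter name, packets, bytes
_FILTER_RE = re.compile(r"^(\S+)\s*$")                          # bare filter name


def parse_show_firewall(text: str) -> Counters:
    """Parse the Filter/Counter table into {(filter, counter): (packets, bytes)}."""
    counters: Counters = {}
    current_filter = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Filter/Counter"):
            continue    # blank line or column header
        m = _COUNTER_RE.match(line)
        if m and current_filter is not None:
            counters[(current_filter, m.group(1))] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _FILTER_RE.match(line)
        if m:
            current_filter = m.group(1)
    return counters


@dataclass
class Rate:
    pps: float
    avg_bytes: float   # average packet size, one of the profile changes the slides watch for


def counter_rates(before: Counters, after: Counters, interval_s: float) -> Dict[Tuple[str, str], Rate]:
    """Turn two snapshots a known interval apart into per-counter packet rates."""
    rates: Dict[Tuple[str, str], Rate] = {}
    for key, (pkts1, bytes1) in after.items():
        pkts0, bytes0 = before.get(key, (0, 0))
        dp, db = pkts1 - pkts0, bytes1 - bytes0
        if dp < 0:
            continue    # counter cleared between readings; no usable rate
        rates[key] = Rate(pps=dp / interval_s, avg_bytes=(db / dp) if dp else 0.0)
    return rates


ICMP_PPS_THRESHOLD = 1000.0   # assumed NOC threshold for this host, not from the slides
SYN_RATIO_THRESHOLD = 0.2     # the slides' rule: SYN to other TCP above 1:5 is an attack


def detect(rates: Dict[Tuple[str, str], Rate]) -> List[str]:
    """Apply the SMURF and SYN-flood rules; returns one alarm string per rule that fires."""
    alarms: List[str] = []
    icmp = rates.get(("count-icmp", "icmp-counter"))
    if icmp is not None and icmp.pps > ICMP_PPS_THRESHOLD:
        alarms.append(f"SMURF? icmp-counter at {icmp.pps:.0f} pps, avg {icmp.avg_bytes:.0f} B")
    syn = rates.get(("detect-syn-attack", "syn-packets"))
    tcp = rates.get(("detect-syn-attack", "tcp-packets"))
    if syn is not None and tcp is not None and (syn.pps or tcp.pps):
        # term a accepts SYNs first, so tcp-packets holds only non-SYN TCP;
        # a burst of SYNs with no established traffic at all gives an infinite ratio
        ratio = syn.pps / tcp.pps if tcp.pps else float("inf")
        if ratio > SYN_RATIO_THRESHOLD:
            alarms.append(f"SYN flood? SYN:TCP ratio {ratio:.2f} at {syn.pps:.0f} SYN pps")
    return alarms


def check_snapshots(t0: str, t1: str, interval_s: float) -> List[str]:
    return detect(counter_rates(parse_show_firewall(t0), parse_show_firewall(t1), interval_s))


if __name__ == "__main__":
    for alarm in check_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, 10.0) or ["no alarms"]:
        print(alarm)
```

Run against the two constructed snapshots, the ICMP counter advances at 1500 pps and the SYN counter at 800 pps against 2000 pps of other TCP (a ratio of 0.4), so both rules fire; two identical readings produce no alarm. Working from differences rather than absolute counts is what makes the check usable from a NOC script, since the counters on a busy router are never near zero.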

 


Dealing With SYN Attacks

Stopping the attack is usually not an option
  - If the attack is not distributed, you can change the accept action to discard for the offending source or ingress point and apply the filter to the ingress of all AS boundary routers
  - If the attack is distributed, filtering SYNs also effectively shuts down the server, because legitimate connection attempts look the same as the attack
Tracing the attack requires co-operation with the peers of the network under attack
  - Examining the sampled output reveals the incoming interface
  - Repeat this process one hop upstream at a time until the source is found


Infrastructure Requirements

Sufficient forwarding capacity in times of stress
  - Large numbers of small packets
Filtering to detect and block attacks
  - Filter on significant ICMP/IP/TCP/UDP fields
  - Implement consistently on all interface types, including logical interfaces (eg VLAN)
  - Sufficient performance to permit the NOC to enable it during an attack
Rate limiting
  - Rate limit based on significant ICMP/IP/TCP/UDP fields
  - Sufficient performance to permit the NOC to enable it during an attack
Sampling and logging for additional insight


Pro-active Approaches

More reliable and secure network
Policy at AS boundaries to detect and minimize the effects of DoS attacks
Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack

[Diagram: attack arriving through a switch at a host]


Proactive Planning

Establish procedures for detecting security events
Pre-plan the response
  - Techniques for isolating the problem and tracking it through the network to a source
  - Standard responses to alleviate the impact to service
  - Train staff and practise
Document and update a security policy


Further References

Juniper Networks whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
Available from http://www.juniper.net/techcenter

Thank You

[email protected]
http://www.juniper.net


Proactive Measures

[Diagram: service providers and regional/national backbones, customers on access circuits, data center, peering points, core infrastructure]

Areas requiring attention
  - Core routers (protect)
  - Customer access links (protect, and protect from)
  - Datacenters & ISP servers (protect)
  - Peering (protect, and protect from)


Securing The Core Routers

Performance headroom
  - What happens when the going gets tough!
Protect the route processing capability
  - Performance
  - Authenticated protocols
  - Services
Secure management access
  - Authentication
  - Private access
  - Multi-level access authorisation


Protecting Data Center And Hosts

Permit only relevant traffic
  - For example, http, https, icmp echo request
Prevent traffic overwhelming server capacity
  - Drop traffic before it hits the server
Reactive filtering to limit the impact of DoS
  - Detect, isolate and drop


Securing Customer Access Links

Limit traffic coming into the network from customers
  - Legitimate IP source addresses only (drop packets whose source is outside the prefixes assigned to that customer)
  - Legitimate route announcements only
  - Maybe rate limit ICMP
Reactive filtering to limit the impact of DoS
  - Detect, isolate and drop

[Diagram: optical core, IP core, access layer and TDM backhaul infrastructure, with ATM/FR, T1/E1, DS1, OC-3/STM-1c, OC-3/12 ATM, channelised DS3 and channelised OC-12 access circuits]
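The three ingress controls on the Securing Customer Access Links slide can be modelled together to see how they interact on one link. The following Python is an added example, not from the presentation or from any Juniper code: it checks packet sources against the prefixes assigned to a customer (the ingress filtering written up as BCP 38), checks that a route announcement falls within those prefixes, and polices ICMP with a token bucket. The customer prefix, the policer rate and burst, and the packet trace are all constructed for illustration.

```python
# Added example (not from the APRICOT 2001 slides): models the per-customer
# ingress policy the slide lists. CUSTOMER_PREFIXES, the policer parameters
# and SAMPLE_TRACE are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assumed address assignment for one customer (TEST-NET-3, a documentation range).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


class TokenBucket:
    """Single-rate policer: refills at `rate_bps`, holds at most `burst_bytes`."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)    # start full
        self.last = 0.0

    def allow(self, now: float, size: int) -> bool:
        # Credit the bucket for the time elapsed, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False    # out of profile: the policer's discard action


@dataclass
class Packet:
    ts: float     # seconds since start of trace
    src: str
    dst: str
    proto: str    # "icmp", "tcp" or "udp"
    size: int     # bytes


def source_is_legitimate(src: str, prefixes: Sequence[ipaddress.IPv4Network]) -> bool:
    """Ingress source check: the customer may only send from its assigned prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def announcement_is_legitimate(prefix: str, prefixes: Sequence[ipaddress.IPv4Network]) -> bool:
    """Route filter: the customer may only announce its assigned prefixes or subnets of them."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(assigned) for assigned in prefixes)


def ingress_policy(trace: Sequence[Packet], prefixes: Sequence[ipaddress.IPv4Network],
                   icmp_policer: TokenBucket) -> List[Tuple[Packet, str]]:
    """Apply the source check first, then the ICMP policer; trace is assumed in time order."""
    decisions: List[Tuple[Packet, str]] = []
    for p in trace:
        if not source_is_legitimate(p.src, prefixes):
            decisions.append((p, "discard: spoofed source"))
        elif p.proto == "icmp" and not icmp_policer.allow(p.ts, p.size):
            decisions.append((p, "discard: icmp over rate"))
        else:
            decisions.append((p, "accept"))
    return decisions


def summarize(decisions: Sequence[Tuple[Packet, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, verdict in decisions:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed trace of packets arriving on the customer's access link.
SAMPLE_TRACE = [
    Packet(0.0, "203.0.113.10", "198.51.100.1", "tcp", 60),     # normal customer traffic
    Packet(0.0, "10.1.1.1", "198.51.100.1", "icmp", 64),        # forged source: not the customer's
    Packet(0.1, "203.0.113.10", "198.51.100.1", "icmp", 1000),  # within the ICMP burst
    Packet(0.2, "203.0.113.11", "198.51.100.1", "icmp", 1000),  # bucket not yet refilled
    Packet(1.5, "203.0.113.11", "198.51.100.1", "icmp", 1000),  # refilled after 1.3 s
    Packet(1.5, "192.0.2.7", "198.51.100.1", "icmp", 64),       # forged source again
]


def run_sample() -> Dict[str, int]:
    # Assumed policer: 8 kbit/s (1000 B/s) with a 1500-byte burst for ICMP from this customer.
    return summarize(ingress_policy(SAMPLE_TRACE, CUSTOMER_PREFIXES, TokenBucket(8000, 1500)))


if __name__ == "__main__":
    for verdict, n in run_sample().items():
        print(f"{n:3d}  {verdict}")
```

On the constructed trace, two packets are dropped for forged sources before the policer ever sees them, one ICMP packet is dropped because the bucket has not refilled, and three are accepted. The ordering matters: dropping spoofed sources first means a customer host used as a SMURF or SYN source with forged addresses cannot consume the ICMP allowance that legitimate hosts on the same link depend on.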