????? ??????? ??? TA4

1
????? ??????? ??? TA4

• ???? 3
• ???? RSA ?? ??????? ????????? p7, q13 ?-
  e5.
• ??? ?? d ??? n.
• ???? ?? ?????? "COMMUNICATION". ????? ????????
  ?????? ?????? ASCII. ???? A ??? 65, B ??? 66 ???'
  ?? Z ???? 90. ???? ?? ??? ?????? ?????. (????
  ?????? ??? ??? ??? ?????? ????????, ?? ?? ????
  ?????? ?? ???????? ??????.)

2
Protection On-Demand Ensuring Resource
Availability

3
Agenda

• The Growing DDoS Challenge
• Existing Solutions
• Our Approach
• Technical Overview

4
How do DDoS Attacks Start ?
DNS
Email
5
The Effects of DDoS Attacks

• Attack Zombies
• Massively distributed
• Spoof Source IP
• Use valid protocols

Server-level DDoS attacks
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks
DNS
Email
6
Attacks - examples

• SYN attack
• Huge number of crafted spoofed TCP SYN packets
• Fills up the connection queue
• Denial of TCP service
• HTTP attacks
• Attackers send a lot of legitimate HTTP
  requests

7
A few of the Latest High Profile Attacks

• Payment Gateways extortion (on the news)
• Authorize.net, PSIGateway, Worldpay, 2checkout
• Online Brokerage firms (confidential)
• Commercial banks (confidential)
• Mydoom Worm Microsoft, SCO, Yahoo, Lycos,
  Google
• Doubleclick DNS servers
• Akamai - DNS servers
• On line gambling sites extortion
• Many others, but most companies will not want the
  world to know that they were attacked

8
Case Study A Merchant Bank

• Customer uses two of the leading IXCs as upstream
  providers
• Customer was under attack for a week (third week
  of April)
• Both carriers failed to provide a stable solution
• The case was escalated by the banks CEO to
  vendors C level
• After a week, one of the carriers installed a
  Guard and stopped the attack in 10 minutes
• The other carrier deployed Guard for the bank the
  following day
• Attack statistics
• 1.1 Gbps malicious traffic
• 0.008 Gbps (8 Mbps) legitimate traffic

9
Distributed Denial of Service Attacks

• DDoS is often driven by financial motivation
• DoS for hire ?
• Economically-driven
• Politically driven
• Cyber terrorism
• DDoS cannot be ignored, modern business depends
  on effective handling of attacks

10
Extortion Process

• Target enterprise gets an attack to prove
  attackers capabilities
• Typically followed by a demand to transfer about
  10,000 at a time to a European bank account
• Extorter can withdraw the money using an ATM
  machine without showing his face in the bank
• Attackers use over 100K PCs
• Latest attacks were 2 3 Gbps
• The attackers can change the attack type very
  quickly (Change protocol, change target etc.)

11
Zombies

• ?????? ?? 150 ????? ?????? (25 ?????????)
  ??????
• ??????? ????? ???? ??????, ????? ???? ?????

Zombie machines emails
Conficker 10,000,000 10 billion/day
Kraken 495,000 9 billion/day
Srizbi 450,000 60 billion/day
Bobax 185,000 9 billion/day
Rustock 150,000 30 billion/day
Cutwail 125,000 16 billion/day
Storm 85,000 3 billion/day
Donbot 80,000 500 million/day
Grum 50,000 2 billion/day
Onewordsub 40,000  ?
Mega-D 35,000 10 billion/day
Nucrypt 20,000 5 billion/day
Wopla 20,000 600 million/day
Spamthru 12,000 350 million/day
Attack Team 10,000 250 million/day
12
Attack types
Bandwidth Consumption Attacks
Resource Starvation Attacks

• Spoofed and Non-Spoofed Flood Attacks
• TCP Flag (SYN, SYN-ACK, ACK, FIN)
• ICMP
• UDP
• Examples SYN Flood, Smurf, LAND, UDP Flood
• Zombie/Botnet Attacks
• Each zombie or bot source opens multiple TCP
  connections
• Each zombie or bot source opens multiple TCP
  sessions and issue repetitive HTTP requests
• DNS Attacks
• DNS Request Flood
• Malformed packet checks

• Packet Size Attacks
• - Fragmented Packets
• - Large Packets
• Examples Teardrop, Ping-of-Death
• Low Rate Zombie/Botnet Attacks
• Similar to Bandwidth consumption attacks except
  that each attack source sends multiple requests
  at low rate
• DNS Attacks
• DNS Recursive Lookup
• SIP Protection
• SIP Anti-Spoofing

13
???? ?????
2005 2006 2007 2008 2009
Bots / zombies in organization 21 20 23
DOS 32 25 25 21 29
CSI/FBI 2009 survey
14
DDOS Attack Size
15
?????? ???? ??????
????? ????? \ ?????? ?????
????? DDOS ????? ?????? ??????? ????? ?????? ??????? ??? ????, ????? ?????? ?? ????? ???? ???? ????, ?????, ????? ???????? \ ????? (????) 2008 ????????
????? DDOS ????? ????? ????, 20-50 ??? ?????? (??????) ???? ????, ????? \ ????? (????) 2009 ?. ?????? \ ???"?
????? DDOS ????? ????? ????, ?? 500 ??? ?????? ???? ???? \ ????? (????) 2007 ????? (????? ?????)
16
?????? ????? \ ??"???

• DDOS ??? ????? ????? ???????
• ????"?

??????? ???? ??"?
100 ???? ??????? ????? ???? ??????? ????????
????? ??????, ??????? ????? ?????? ???????? (?????? ?????, DNS), ?????
??? DDOS? ??????, ?????? ????? ?????? ???????
??? ?????? ????? ????? ?????? \ ???????
17
Attack EvolutionStronger and More Widespread

• Essential protocols
• Spoofed
• 10Ks of zombies
• 100Ks packets/sec
• Compound and morphing

• Non-essential protocols (eg ICMP)
• 100s sources
• 10Ks packets/sec

Scale of Attacks

• Two Scaling Dimensions
• Million packets/sec
• 100Ks of zombies

Past
Present
Emerging
Sophistication of Attacks
18
Existing Solutions
19
SYN Cookies how it works

syn(isn)
stateless part
State created only for authenticated
connections
synack(cky,isn1) WS0
ack(cky1)
syn(isn)
synack(isn,isn1)
ack(isn1) WSltgt0
ack(isn1)
Sequence adaptation
Source
Guard
Target
20
Blackholing
R5
R4
Disconnecting the customer
peering
R2
R3
1000
1000
R1
100
R
R
R
FE
Server1
Victim
Server2
21
At the Edge / Firewall/IPS
R5
R4
peering

• Easy to choke
• Point of failure
• Not scalable

R2
R3
1000
1000
R1
100
R
R
R
FE
Server1
Victim
Server2
22
At the Backbone
R5
R4
peering
R2
R3

• Throughput
• Point of failure
• Not Scalable

1000
1000
R1
100
R
R
R
FE
Server1
Victim
Server2
23
Cisco Solution
24
Dynamic Diversion Architecture
Guard XT
3. Divert only targets traffic
2. Activate Auto/Manual
Detector XT or Cisco IDS, Arbor Peakflow
Non-targeted servers
25
Dynamic Diversion Architecture
Guard XT
4. Identify and filter the malicious
Detector XT or Cisco IDS, Arbor Peakflow
Non-targeted servers
26
Technical overview

• Diversion/Injection
• Anti Spoofing
• Anomaly Detection
• Performance Issues

27
Diversion

• How to steal traffic without creating loops?

28
Diversionone example L3 next hop
Diversion announce a longer prefix from the
guard no-export and no-advertise community
BGP
Injection Send directly to the next L3 device
29
Diversion L3 next hop application
ISP 1
ISP 2
Web console
Router
S
P
r

p
y




S
S
P
w

p

C
t
a
y
s
5
0
R
I
I
t
r
c
s
r
Guard XT
Switch
GEthernet
Guard XT
C
S
S
C
S
T
S
Firewall
Switch
Target
Detector XT
Internal network
Riverhead Detector XT
Web, Chat, E-mail, etc.
DNS Servers
30
Diversionone example Injecting with tunnels
Diversion announce a longer prefix from the
guard no-export and no-advertise community
BGP
Injection Send directly to the next L3 device
31
Diversionone example long distance diversion
61.1.1.1
32
Filtering bad traffic

• Anti Spoofing
• Anomaly detection
• Performance

33
Guard Architecture high level
Control Analysis Plane
Policy Database
Management
Anomaly Recognition Engine
Insert filters
Data Plane
AS Replies
Anti-Spoofing Modules
Classifier Static Dynamic Filters
Bypass Filter
Sampler
Rate Limiter
Strong
Basic
Flex Filter
Analysis
Connections Authenticated Clients
Drop Packets
34
Anti spoofing

• Unidirectional..

35
Anti-Spoofing Defense- One example HTTP
Syn(isn)

• Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified

synack(cky,isn1)
1. SYN cookie alg.
ack(isn1,cky)
GET uri
2. Redirect rqst
Redirect to same URI
fin
fin
3. Close connection
Client authenticated
Source
Guard
Target
36
RST cookies how it works

syn(isn)
ack(,cky)
rst(cky)
Client authenticated
syn(isn)
Source
Guard
Target
37
Anti-Spoofing Defense- One example DNS
Client-Resolver (over UDP)

• Antispoofing only when under attack
• Authenticate source on initial query
• Subsequent queries verified

Ab.com rqst UDP/53
Ab.com reply TC1
syn
synack
ack
Ab.com rqst UDP/53
Ab.com rqst TCP/53
Reply
Authenticated IP
Reply
Repeated IP - UDP
Target
Guard
Client
38
Anomaly DetectionAgainst Non-Spoofed Attacks

• Extensive profiling
• Hundreds of anomaly sensors/victim
• For global, proxies, discovered top sources,
  typical source,
• Auto discovery and profiling of services
• Automatically detects HTTP proxies and maintains
  specific profiles
• Learns individual profiles for top sources,
  separate from composite profile
• Depth of profiles
• PPS rates
• Ratios eg SYNs to FINs
• Connection counts by status
• Protocol validity eg DNS queries

39
Performance

• Wire Speed - requirement
• GigE 1.48 Millions pps
• Avoid copying
• Avoid interrupt/system call
• Limit number of memory access
• PCI bottleneck
• DDoS NIC Accelerator

40
Cosmo board
Replaces the NIC
Handles the data path
Based on Broadcom BCM1250 integrated processor
41
BCM1250
Budget - 500 cycles per packet (memory access
90 cycles)
42
More performance - clustering
Load Leveling Router
Mitigation Cluster
Customer Switches
Riverhead Guards
43
Managed DDoS ServicesCisco Powered Providers
Largest carriers offering clean pipes services
to F500 enterprises

• Full managed services offered
• Service agreement and multiyear contract typical
• Gigabit dedicated capacity with shared overage
• Customized policies
• Part of a managed security services portfolio
• ATT Internet protect

DDoS Defense Option for Internet Protect
IP Guardian
IP Defender
and many others
44
Managed DDoS ServicesCisco Powered Providers
Managed hosting providers are offering DDoS
protected services

• Protection offered with hosting
• A la carte option, bundled with premium services
  or included with hosting
• Capacity matched to hosting
• Standardized or customized policies
• Service and attack reporting

SureArmour DDoS Protection service
PrevenTier DDoS Mitigation Service
and many others