DDoS by pengxuebo

Recent Trends in DoS Attacks

• Network-based flood attacks
  – as vulnerable software is patched, it is harder to find susceptible hosts
• Local subnet spoofing
  – ingress / egress filtering is becoming more popular
• Infrastructure attacks
  – targeting upstream routers and links
• Hit-and-run
  – pulsing / short-lived floods
  – cyclic use of multiple zombie armies
• Internet-scale
  – widely-distributed, large-scale zombie “armies”
Emerging DoS Threats

• Obfuscation of network audit trail
  – redirection features of certain application protocols – recursive DNS
    queries, gnutella, etc.
• Mutation of attack signatures
  – address, protocol, port randomization
• Routing infrastructure attacks
  – BGP route hijacking for attack launch
• Automated conscription of zombie armies
  – recent Internet worms and viruses
  – Microsoft Outlook, IE, IIS, SMB
Sequence of a DDoS attack

A.   A large set of machines is compromised
B.   Attacker identifies exploitable hosts with scanners or other techniques
C.   Attacker accesses the system with automated remote exploits, sniffers,
     password cracking, worms, trojans
D.   Attacker installs attack tools
E.   Attacker remotely instructs the compromised machines to attack the target
Mitigation Options

  [Figure, four slides: mitigation options are selected by the Customer through the
   Customer Portal or by the Operator; the rest of the diagram is not recoverable]
  Version 5 - Flow Format

  Usage
    • Packet Count
    • Byte Count
  Time of Day
    • Start sysUpTime
    • End sysUpTime
  Port Utilization
    • Input ifIndex
    • Output ifIndex
  QoS
    • Type of Service
    • TCP Flags
    • Protocol
  From/To
    • Source IP Address
    • Destination IP Address
  Application
    • Source TCP/UDP Port
    • Destination TCP/UDP Port
  Routing and Peering
    • Next Hop Address
    • Source AS Number
    • Dest. AS Number
    • Source Prefix Mask
    • Dest. Prefix Mask
Misuse Anomalies

• Detected against /32 hosts
• Misuse anomalies cover the following types of traffic:
  – ICMP Anomaly
  – TCP NULL Flag Anomaly
  – TCP SYN Flag Anomaly
  – TCP RST Flag Anomaly
  – IP NULL (Proto 0) Anomaly
  – IP Fragmentation Anomaly
  – IP Private Address Space Anomaly
  – Total Traffic bps
  – Total Traffic pps
• Deployed against common attacks targeted at individual network hosts.
How Peakflow SP IS works
Three types of anomalies are reported by Peakflow SP IS:

• Profiled Anomalies – deviations from normal traffic levels on the network

• Misuse Anomalies – Traffic towards specific hosts that should not normally be
  seen on a network

• Fingerprint Anomalies – Traffic that fits a user specified signature
Fingerprint Anomalies

• User can define a detection 'fingerprint' using tcpdump syntax
  or a GUI wizard:

               (dst port 445 or dst port 9996) and proto tcp

• Triggered by the detection of traffic matching the specified
  signature
   – User can specify pps / bps trigger and severity thresholds per
     fingerprint.
• Used effectively for tracking traffic on known attack vectors,
  e.g. spam, worms etc.
• Fingerprint syntax can be used to 'share' anomaly information
  between carriers.
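As an added example (not code from the deck or from Peakflow), the fingerprint mechanism above can be modelled with a small evaluator for the tcpdump-style subset the slide uses (`dst/src port N`, `dst/src host A.B.C.D`, `proto NAME`, `and`, `or`, parentheses, with `and` binding tighter than `or` as in tcpdump), plus per-fingerprint pps/bps thresholds that map onto a severity. The flow records, the 60-second window and the threshold values are constructed; the expression under test is the one shown on the slide.

```python
import re

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}


class Fingerprint:
    """A detection fingerprint: a tcpdump-style filter plus pps/bps trigger
    thresholds per severity. Flows are dicts with src, dst, src_port, dst_port,
    proto, packets and bytes."""

    def __init__(self, name, expression, thresholds):
        self.name, self.expression, self.thresholds = name, expression, thresholds
        self._tokens = re.findall(r"\(|\)|[^\s()]+", expression)
        self._pos = 0
        self._ast = self._parse_or()
        if self._pos != len(self._tokens):
            raise ValueError(f"trailing tokens in fingerprint: {self._tokens[self._pos:]}")

    # --- recursive-descent parser producing a small tuple AST ---
    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self._pos += 1
        return tok

    def _parse_or(self):                       # expr := term ('or' term)*
        node = self._parse_and()
        while self._peek() == "or":
            self._take("or")
            node = ("or", node, self._parse_and())
        return node

    def _parse_and(self):                      # term := primary ('and' primary)*
        node = self._parse_primary()
        while self._peek() == "and":
            self._take("and")
            node = ("and", node, self._parse_primary())
        return node

    def _parse_primary(self):                  # '(' expr ')' | proto X | src/dst port|host X
        tok = self._take()
        if tok == "(":
            node = self._parse_or()
            self._take(")")
            return node
        if tok == "proto":
            name = self._take()
            return ("proto", PROTO_NAMES[name] if name in PROTO_NAMES else int(name))
        if tok in ("src", "dst"):
            kind = self._take()
            if kind == "port":
                return (f"{tok}_port", int(self._take()))
            if kind == "host":
                return (tok, self._take())
        raise ValueError(f"unsupported primitive near {tok!r}")

    @staticmethod
    def _eval(node, flow):
        if node[0] == "and":
            return Fingerprint._eval(node[1], flow) and Fingerprint._eval(node[2], flow)
        if node[0] == "or":
            return Fingerprint._eval(node[1], flow) or Fingerprint._eval(node[2], flow)
        return flow[node[0]] == node[1]       # leaf: field name, expected value

    def matches(self, flow):
        return self._eval(self._ast, flow)

    def evaluate(self, flows, window_s):
        """Sum matching traffic over the window and return (severity, pps, bps); the
        severity is the highest one whose pps *or* bps threshold is met, else None."""
        matched = [f for f in flows if self.matches(f)]
        pps = sum(f["packets"] for f in matched) / window_s
        bps = sum(f["bytes"] for f in matched) * 8 / window_s
        for severity in ("high", "medium", "low"):
            t = self.thresholds.get(severity)
            if t and (pps >= t.get("pps", float("inf")) or bps >= t.get("bps", float("inf"))):
                return severity, round(pps), round(bps)
        return None, round(pps), round(bps)


# Constructed flows observed during one 60-second window (not a real capture).
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "203.0.113.20", "proto": 6, "src_port": 51000,
     "dst_port": 445, "packets": 90000, "bytes": 5_400_000},
    {"src": "198.51.100.6", "dst": "203.0.113.21", "proto": 6, "src_port": 51001,
     "dst_port": 9996, "packets": 30000, "bytes": 1_800_000},
    {"src": "198.51.100.7", "dst": "203.0.113.22", "proto": 17, "src_port": 53,
     "dst_port": 445, "packets": 5000, "bytes": 400_000},         # UDP: fails 'proto tcp'
    {"src": "198.51.100.8", "dst": "203.0.113.23", "proto": 6, "src_port": 51002,
     "dst_port": 80, "packets": 200000, "bytes": 240_000_000},    # web traffic, not matched
]

# The slide's fingerprint with constructed thresholds: 'low' at 1000 pps, 'high' at 5000 pps.
WORM_FP = Fingerprint("smb-worm-scan", "(dst port 445 or dst port 9996) and proto tcp",
                      {"high": {"pps": 5000}, "low": {"pps": 1000}})

if __name__ == "__main__":
    print(WORM_FP.name, WORM_FP.evaluate(SAMPLE_FLOWS, 60))
```

Because the fingerprint is just a string plus thresholds, it is exactly the kind of object that can be handed to another carrier to apply on their side, which is the sharing use the slide mentions; the evaluator rejects malformed expressions at construction time rather than silently matching nothing.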
Mitigation Strategies
• Unicast Reverse Path Forwarding (uRPF)
• Rate Limiting
• ACL
  – Filter traffic targeted at a destination
• Blackhole / Sinkhole / Shunt
  – Off-ramping for filtering, scrubbing and forensics
• Integrated Filtering
  – Uses a combination of BGP sinkhole and network 'cleaning' appliances.
• Fingerprint Sharing
  – Mitigation closer to the source
IF Filtering Levels: Standard & Integrated

• Standard integration
  – Peakflow has recommended filtering options
     » ACLs, rate limiting, BGP blackholing, off-ramping/sinkholing and flexible
       scripting
  – Peakflow can detect and then initiate scrubbing


• Integrated Filtering API
  – Tightly coupled API, remain mitigation agnostic (dedicated or shared
    mitigation)
     » Cisco/Riverhead Guard
Intelligent Filtering
• Integration with dedicated mitigation devices
  – Cisco Guard
• Peakflow triggers devices to use BGP to off-ramp attack traffic
  through themselves
• Process data at gigabit per second speeds and do deep packet
  inspection
• Apply advanced heuristics to traffic to filter bad while preserving
  good
  – TCP SYN authentication
  – Zombie army detection
  – Enforce traffic baselines
• Provide Feedback to Peakflow system on what is filtered/passed
Dealing with DDoS attacks: Remediation

• Three key steps:
  – Detection
    » Determine attack methodology and what resources are affected
  – Traceback
    » Determine the source and transit path
  – Mitigation
    » Determine what traffic to block, and where best to block it
What is a DoS Attack?

• Malicious attempt by a group of people to cripple an online service

• Flood the victim (server) with packets
  – Overload packet processing capacity
  – Saturate network bandwidth


• Two Types of DoS Attacks
  – Resource Exhaustion Attacks
  – Bandwidth Consumption Attacks
Attack Architecture – Direct Attacks

  [Figure: the Attacker directs traffic towards the victim through Zombie 1, Zombie 2
   and Zombie 3; the “zombies” send streams of spoofed traffic to the Victim
   (Src: random, Dst: victim)]
Example – SYN Flooding

• Establishment of TCP connection using three-way handshake

  [Figure, left: normal handshake between a TCP Client (client ports) and a TCP Server
   (service ports 80, 1 – 1023)]
    1. SYN
    2. SYN / ACK
    3. ACK

  [Figure, right: a Malicious client sends a SYN packet with a spoofed IP address to the
   Victim server; the server's SYN / ACK (2) is answered to the spoofed address and the
   final ACK (3) is shown as "?"]

      Attacker makes connection requests aimed at the victim server with packets from
      spoofed source addresses
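The SYN flooding slide above and the "TCP SYN authentication" item on the Intelligent Filtering slide describe the problem and one countermeasure; the following added example (not code from the deck, from Cisco or from Peakflow) models both in memory, without any network traffic. A classic listener keeps one half-open entry per SYN until the third packet arrives, so SYNs from spoofed addresses that can never answer exhaust the backlog and a real client is refused. A stateless SYN authenticator in the style of SYN cookies encodes a keyed hash of the 4-tuple and a time slot into the SYN/ACK sequence number and stores nothing until a client proves it received that SYN/ACK. Backlog size, addresses and the secret are constructed.

```python
import hashlib
import hmac


class HalfOpenTable:
    """Classic stateful listener: every SYN reserves a backlog slot until the
    handshake's ACK arrives or the entry times out."""

    def __init__(self, backlog, timeout_s=60):
        self.backlog, self.timeout_s = backlog, timeout_s
        self.pending = {}                     # (src, sport) -> SYN arrival time

    def on_syn(self, src, sport, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout_s}
        if len(self.pending) >= self.backlog:
            return False                      # backlog full: SYN dropped, no SYN/ACK sent
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        return self.pending.pop((src, sport), None) is not None


class SynAuthenticator:
    """Stateless SYN authentication: the SYN/ACK's sequence number is an HMAC of the
    4-tuple and the current time slot, so a client that echoes it back (ack = seq + 1)
    proves it really received the SYN/ACK at the address it claimed."""

    def __init__(self, secret, slot_s=60):
        self.secret, self.slot_s = secret, slot_s
        self.verified = set()                 # sources that completed authentication

    def _cookie(self, src, sport, dst, dport, slot):
        msg = f"{src}:{sport}->{dst}:{dport}@{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, dst, dport, now):
        # Returns the ISN to place in the SYN/ACK; no per-connection state is kept.
        return self._cookie(src, sport, dst, dport, int(now // self.slot_s))

    def on_ack(self, src, sport, dst, dport, ack_num, now):
        slot = int(now // self.slot_s)
        for s in (slot, slot - 1):            # tolerate a slot boundary during the handshake
            if ack_num - 1 == self._cookie(src, sport, dst, dport, s):
                self.verified.add(src)
                return True
        return False


def simulate(spoofed_syns, backlog=128):
    """Constructed scenario: `spoofed_syns` SYNs whose sources never answer, then one
    real client. Reports whether the real client gets through under each design."""
    now = 0.0
    table = HalfOpenTable(backlog)
    auth = SynAuthenticator(b"demo-secret-not-for-production")
    for i in range(spoofed_syns):
        src = f"198.51.100.{i % 250 + 1}"
        table.on_syn(src, 1024 + i, now)                      # consumes a backlog slot
        auth.on_syn(src, 1024 + i, "203.0.113.10", 80, now)   # reply computed, nothing stored
    stateful_ok = table.on_syn("192.0.2.50", 40000, now) and table.on_ack("192.0.2.50", 40000)
    isn = auth.on_syn("192.0.2.50", 40000, "203.0.113.10", 80, now)
    stateless_ok = auth.on_ack("192.0.2.50", 40000, "203.0.113.10", 80, isn + 1, now + 0.05)
    return {"stateful_accepts_client": bool(stateful_ok),
            "stateless_accepts_client": stateless_ok,
            "half_open_entries": len(table.pending),
            "state_kept_by_authenticator": len(auth.verified)}


if __name__ == "__main__":
    print(simulate(200))   # 200 spoofed SYNs against a backlog of 128
    print(simulate(10))
```

With 200 spoofed SYNs the stateful table fills at 128 entries and refuses the real client, while the authenticator admits it and holds exactly one entry, for the source that completed the exchange. This is the property a filtering device relies on when it authenticates SYNs in front of the target: state is only created for sources that can actually receive packets.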
Technical Delivery Model

  [Figure: Primary Security Operations Center (Irving, TX) and Hot Site Security
   Operations Center (Baltimore, MD), each with a Storage Area Network, Remedy 1 / Remedy 2
   and Arcsight 1 / Arcsight 2 servers, joined by OC3 links with Data Synchronization
   between sites. Both reach the Public Internet; Encrypted Tunnels terminate on the
   Verizon Security Agent (VSA) appliance at the customer location, which sits with a
   Firewall, an IDP Appliance and Bay Networks equipment in front of the Enterprise
   Customer Network. The VSA provides Event Collection and Consolidation (common event
   format), Secure Shell Console Connectivity, Nessus Agent, Nagios (Health and Status
   Monitoring), TFTP Server, Out of Band PSTN Connectivity and Remote Power Management;
   Consolidated IDP Alert Data flows to the IDP Management Server Database.]
Cisco DDoS Mitigation Solution

  [Figure: the DDoS Detector watches traffic to the Target and the non-targeted servers;
   the DDoS Protection Device issues a BGP announcement to divert only the target's
   traffic]
    1. Detect
    2. Activate: Auto/Manual
    3. Divert only target's traffic

Cisco DDoS Mitigation Solution

  [Figure: traffic destined to the target is steered through the DDoS Protection Device,
   which returns only the legitimate traffic to the target]
    4. Identify and filter the malicious
    5. Forward the legitimate
    6. Non-targeted traffic flows freely
Peakflow SP Anomaly Reporting

• Profiled Anomalies – deviations from normal traffic levels on the
  network


• Misuse Anomalies – Traffic towards specific hosts that exceed
  what should normally be seen on a network


• Fingerprint/Worm Anomalies – Traffic that fits a user specified
  signature
Detect Attack - Profiled Anomalies

• Detects network-wide anomalies such as DDoS attacks and worm
  outbreaks using non-intrusive data collection methods.
• A baseline of normal behavior is built from the flow data
  exported by the routers deployed on the network.
• In real time, the system compares traffic against the
  baseline.
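How a profiled baseline is built and compared against in real time, as an added example that is not part of the deck and is not Peakflow's algorithm: per-hour-of-day bit-rate samples accumulated from flow data are summarised as a mean and standard deviation, and a live sample is a profiled anomaly when it exceeds the mean by a configurable number of standard deviations and also by a minimum ratio (the ratio floor stops a very flat baseline from alerting on a few megabits of noise). The seven-day history, the business-hours plateau, the sigma multiplier and the ratio floor are all constructed.

```python
import statistics

BUSINESS_HOURS = range(9, 17)


def synthetic_history(days=7):
    """Constructed per-hour bps samples for one interface: a higher business-hours
    plateau plus a small deterministic wobble. Stands in for the flow data a
    collector would have accumulated from the routers."""
    history = []
    for day in range(days):
        for hour in range(24):
            base = 300e6 if hour in BUSINESS_HOURS else 200e6
            wobble = ((day * 7 + hour) % 5 - 2) * 5e6
            history.append((hour, base + wobble))
    return history


def build_baseline(history):
    """Learn (mean, stddev) of bps per hour of day: the 'normal' profile."""
    by_hour = {}
    for hour, bps in history:
        by_hour.setdefault(hour, []).append(bps)
    return {h: (statistics.fmean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def check_sample(baseline, hour, bps, sigmas=3.0, min_ratio=1.2):
    """Compare one live sample with the profile for its hour. Anomalous when the
    sample exceeds mean + sigmas*stddev AND at least min_ratio times the mean."""
    mean, std = baseline[hour]
    threshold = max(mean + sigmas * std, mean * min_ratio)
    return {"anomalous": bps > threshold, "threshold_bps": round(threshold),
            "ratio_to_mean": round(bps / mean, 2)}


def stream_check(baseline, samples):
    """Real-time loop over (hour, bps) samples; returns those that deviate."""
    return [(h, b) for h, b in samples if check_sample(baseline, h, b)["anomalous"]]


if __name__ == "__main__":
    base = build_baseline(synthetic_history())
    live = [(14, 320e6), (14, 900e6), (3, 250e6), (3, 205e6)]   # constructed live samples
    for hour, bps in live:
        print(f"{hour:02d}:00  {bps / 1e6:6.0f} Mbps -> {check_sample(base, hour, bps)}")
```

Note that 250 Mbps is flagged at 03:00 but 320 Mbps is normal at 14:00: the profile is keyed by time of day, so the same absolute rate can be an anomaly at night and unremarkable during business hours.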
Detection Classes: Misuse

• Detected independently from the established baselines,
  on a set of known attack signatures.
• Traffic of specific types exceeding what should be
  normal for a network.
• Misuse anomalies cover the following types of traffic:
  – ICMP Anomaly
  – TCP NULL Flag Anomaly
  – TCP SYN Flag Anomaly
  – TCP RST Flag Anomaly
  – IP NULL (Proto 0) Anomaly
  – IP Fragmentation Anomaly
  – IP Private Address Space Anomaly

Misuse Anomalies - Dark IP

  [Slide figure not recoverable]

Fingerprint/Worm Anomalies (1)

  [Slide figure not recoverable]

Tracing Anomalies

• Automatically trace the source and destination IP/port and TCP flags
  of abnormal traffic.
• Show the distribution of attack traffic by source and destination IP/port.
• Trace the network devices that the abnormal traffic passes through.
Prevent/Mitigate Network-wide Anomalies

• The system can recommend appropriate measures to mitigate
  anomalies such as DoS attacks and worm outbreaks:
  – Generate recommended ACLs or rate-limit commands
  – Blackhole routing
  – Sinkhole routing
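The tracing slide and the mitigation slide above are served by one added example (not code from the deck or from Peakflow): given anomaly flows that a collector has already attributed to an exporting router and input ifIndex, it computes the distribution of attack packets by source, destination and port, lists the devices the traffic passed through, and then recommends either a targeted ACL and rate limiter (when one protocol/port carries most of the packets) or a /32 blackhole route. The flows, router names, ifIndex values and thresholds are constructed; the command strings use Cisco IOS `access-list`, `rate-limit` (CAR) and `ip route ... Null0` syntax, and the interface to apply them on is reported by router and ifIndex because the example has no ifIndex-to-name mapping.

```python
from collections import Counter

PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed anomaly flows: which router exported the record and on which input
# ifIndex the traffic arrived (not a real capture).
ANOMALY_FLOWS = [
    {"router": "edge1", "in_if": 5, "src": "198.51.100.11", "dst": "203.0.113.10",
     "proto": 6, "dst_port": 445, "packets": 40000},
    {"router": "edge1", "in_if": 5, "src": "198.51.100.12", "dst": "203.0.113.10",
     "proto": 6, "dst_port": 445, "packets": 35000},
    {"router": "edge2", "in_if": 9, "src": "198.51.100.13", "dst": "203.0.113.10",
     "proto": 6, "dst_port": 445, "packets": 20000},
    {"router": "edge2", "in_if": 9, "src": "198.51.100.14", "dst": "203.0.113.10",
     "proto": 6, "dst_port": 80, "packets": 5000},
]


def distribution(flows, key):
    """Share of attack packets per value of `key` ('src', 'dst', 'dst_port', ...), largest first."""
    counts = Counter()
    for f in flows:
        counts[f[key]] += f["packets"]
    total = sum(counts.values())
    return [(value, round(n / total, 3)) for value, n in counts.most_common()]


def transit_path(flows):
    """Exporting routers and input interfaces the abnormal traffic passed through."""
    return sorted({(f["router"], f["in_if"]) for f in flows})


def recommend(flows, acl_number=150, dominance=0.8, rate_limit_bps=1_000_000):
    """Recommend IOS-style mitigation for the most-hit /32. If one (proto, dst_port)
    carries at least `dominance` of its packets, a targeted filter ACL and a CAR rate
    limiter are enough; otherwise the attack is diffuse and a Null0 blackhole is advised."""
    target, _ = distribution(flows, "dst")[0]
    vector = Counter()
    for f in flows:
        if f["dst"] == target:
            vector[(f["proto"], f["dst_port"])] += f["packets"]
    (proto, port), top = vector.most_common(1)[0]
    share = top / sum(vector.values())
    apply_on = [f"{r} ifIndex {i}" for r, i in transit_path(flows)]
    if share < dominance:
        return {"action": "blackhole", "target": target, "apply_on": apply_on,
                "commands": [f"ip route {target} 255.255.255.255 Null0"]}
    name = PROTO_NAME.get(proto, str(proto))
    port_clause = f" eq {port}" if proto in (6, 17) else ""       # ICMP has no ports
    burst_normal, burst_max = rate_limit_bps // 8, rate_limit_bps // 4   # bytes
    return {
        "action": "acl+rate-limit", "target": target, "vector_share": round(share, 3),
        "apply_on": apply_on,
        "filter_acl": [f"access-list {acl_number} deny {name} any host {target}{port_clause}",
                       f"access-list {acl_number} permit ip any any"],
        "rate_limit": [f"access-list {acl_number + 1} permit {name} any host {target}{port_clause}",
                       f"rate-limit input access-group {acl_number + 1} {rate_limit_bps} "
                       f"{burst_normal} {burst_max} conform-action transmit exceed-action drop"],
    }


if __name__ == "__main__":
    print("by source:", distribution(ANOMALY_FLOWS, "src"))
    print("by dst port:", distribution(ANOMALY_FLOWS, "dst_port"))
    print("transit:", transit_path(ANOMALY_FLOWS))
    print(recommend(ANOMALY_FLOWS))
```

The filter ACL and the rate-limit ACL are kept separate on purpose: a CAR `rate-limit ... access-group` matches packets the ACL permits, so the ACL that feeds it must permit the attack vector, whereas an ACL applied with `ip access-group` to drop the vector must deny it.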
Alert

• BGP
  – BGP Instability
  – BGP Route Hijacking

• Data Source
  – BGP Down
  – Flow Down
  – SNMP Down

• DoS Alert
• Interface Usage: traffic exceeded configured baseline
Use e-mail, SNMP traps, syslog, etc. to notify network
administrators.

								