POSTED ON: 8/8/2011
DDoS

Recent Trends in DoS Attacks
• Network-based flood attacks – vulnerable software is being patched, so it is harder to find susceptible hosts
• Local subnet spoofing – ingress / egress filtering is becoming more popular
• Infrastructure attacks – targeting upstream routers and links
• Hit-and-run – pulsing / short-lived floods
  – Cyclic use of multiple zombie armies
• Internet-scale – widely distributed, large-scale zombie "armies"

Emerging DoS Threats
• Obfuscation of the network audit trail
  – redirection features of certain application protocols: recursive DNS queries, Gnutella, etc.
• Mutation of attack signatures – address, protocol and port randomization
• Routing infrastructure attacks – BGP route hijacking used to launch attacks
• Automated conscription of zombie armies
  – recent Internet worms and viruses targeting Microsoft Outlook, IE, IIS and SMB

Sequence of a DDoS Attack
A. A large set of machines is compromised
B. Attacker identifies exploitable hosts with scanners or other techniques
C. Attacker accesses the systems with automated remote exploits, sniffers, password cracking, worms and trojans
D. Attacker installs attack tools
E. Attacker remotely instructs the compromised machines to attack the target

Mitigation Options
[Diagram: mitigation can be requested by the Customer, through the Customer Portal, or by the Operator]

Version 5 – Flow Format
NetFlow v5 record fields, grouped by the usage the slide pairs them with:
• Source IP Address, Destination IP Address – IP address from/to
• Start sysUpTime, End sysUpTime – time of day
• Source TCP/UDP Port, Destination TCP/UDP Port – application port
• Packet Count, Byte Count, Input ifIndex, Output ifIndex – utilization
• Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask – routing and peering
• Type of Service, TCP Flags, Protocol – QoS

Misuse Anomalies Detected Against /32 Hosts
Deployed against common attacks targeted at individual network hosts. Misuse anomalies cover the following types of traffic:
• ICMP Anomaly
• TCP NULL Flag Anomaly
• TCP SYN Flag Anomaly
• TCP RST Flag Anomaly
• IP NULL (Proto 0) Anomaly
• IP Fragmentation Anomaly
• IP Private Address Space Anomaly
• Total Traffic bps
• Total Traffic pps

How Peakflow SP IS Works
Three types of anomalies are reported by Peakflow SP IS:
• Profiled Anomalies – deviations from normal traffic levels on the network
• Misuse Anomalies – traffic towards specific hosts that should not normally be seen on a network
• Fingerprint Anomalies – traffic that fits a user-specified signature

Fingerprint Anomalies
• The user can define a detection "fingerprint" using tcpdump syntax or a GUI wizard, e.g.: (dst port 445 or dst port 9996) and proto tcp
• Triggered by the detection of traffic matching the specified signature
  – The user can specify pps / bps trigger and severity thresholds per fingerprint
• Used effectively for tracking traffic on known attack vectors, e.g. spam, worms, etc.
• Fingerprint syntax can be used to "share" anomaly information between carriers

Mitigation Strategies
• Unicast Reverse Path Forwarding (uRPF)
• Rate limiting
• ACL – filter traffic targeted at a destination
• Blackhole / Sinkhole / Shunt – off-ramping for filtering, scrubbing and forensics
• Integrated Filtering – uses a combination of BGP sinkhole and network "cleaning" appliances
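The NetFlow v5 record layout, the misuse classes and the tcpdump-style fingerprint above can all be exercised on one export datagram. The following is an added example written for this page, not Peakflow, Arbor or Cisco code: it unpacks a constructed v5 export (24-byte header, 48-byte records, the public format), tags each flow with the misuse classes from the list above, and evaluates the page's fingerprint "(dst port 445 or dst port 9996) and proto tcp" as a predicate with a pps trigger. The fragment heuristic (TCP/UDP flows whose ports are both 0, because v5 has no fragment bit), the fingerprint name "smb-worm", the ifIndex and AS values and every address in the sample are this example's assumptions.

```python
"""NetFlow v5 parsing plus misuse-anomaly and fingerprint classification.

Added example, not Peakflow or Cisco code. Record layout is the public
NetFlow v5 format; anomaly class names follow the page; the sample export
datagram at the bottom is constructed, not captured traffic.
"""
import ipaddress
import struct

# Header: version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
# dst_mask, pad2 (48 bytes).
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first",
          "last", "sport", "dport", "_pad1", "tcp_flags", "proto", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")
SYN, RST = 0x02, 0x04
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_v5(data):
    """Unpack one export datagram into flow dicts, refusing to read past it."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("declared record count exceeds datagram length")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        f = dict(zip(FIELDS, raw))
        f["src"] = str(ipaddress.IPv4Address(f["src"]))
        f["dst"] = str(ipaddress.IPv4Address(f["dst"]))
        flows.append(f)
    return flows


def misuse_classes(f):
    """Misuse-anomaly classes (the page's list) that one flow record matches."""
    tcp, flags, src = f["proto"] == 6, f["tcp_flags"], ipaddress.IPv4Address(f["src"])
    checks = [
        ("ICMP", f["proto"] == 1),
        ("TCP NULL Flag", tcp and flags == 0),
        ("TCP SYN Flag", tcp and flags == SYN),          # SYN without ACK: half-open
        ("TCP RST Flag", tcp and flags & RST),
        ("IP NULL (Proto 0)", f["proto"] == 0),
        # Assumed heuristic: exporters report L4 ports as 0 for non-first fragments.
        ("IP Fragmentation", f["proto"] in (6, 17) and f["sport"] == 0 and f["dport"] == 0),
        ("IP Private Address Space", any(src in n for n in RFC1918)),
    ]
    return [name for name, hit in checks if hit]


def flow_pps(f):
    """Packets per second over the flow's own First..Last window (sysUptime ms)."""
    return f["pkts"] / max((f["last"] - f["first"]) / 1000.0, 0.001)


# The page's fingerprint as a predicate; a real deployment compiles the BPF text.
FINGERPRINTS = {"smb-worm": lambda f: f["proto"] == 6 and f["dport"] in (445, 9996)}


def analyse(data, fp_pps_threshold=0.0):
    """Return ({misuse class: [source IPs]}, {fingerprint: aggregate pps})."""
    flows = parse_v5(data)
    misuse, hits = {}, {}
    for f in flows:
        for name in misuse_classes(f):
            misuse.setdefault(name, []).append(f["src"])
    for name, match in FINGERPRINTS.items():
        pps = sum(flow_pps(f) for f in flows if match(f))
        if pps > fp_pps_threshold:
            hits[name] = pps
    return misuse, hits


def rec(src, dst, proto, sport, dport, flags, pkts, octets):
    """Pack one constructed record: 1 s duration, ifIndex 1->2, AS 64500->64501."""
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                          0, 1, 2, pkts, octets, 50000, 51000, sport, dport, 0,
                          flags, proto, 0, 64500, 64501, 24, 24, 0)


RECORDS = [  # constructed sample flows towards one victim
    rec("203.0.113.7", "198.51.100.10", 6, 40000, 80, 0x18, 12, 9000),   # normal PSH|ACK
    rec("203.0.113.88", "198.51.100.10", 6, 51234, 80, SYN, 1, 40),     # SYN only
    rec("203.0.113.89", "198.51.100.10", 6, 51235, 80, 0, 1, 40),       # NULL flags
    rec("10.1.2.3", "198.51.100.10", 17, 53, 53, 0, 3, 300),            # RFC 1918 source
    rec("203.0.113.90", "198.51.100.10", 0, 0, 0, 0, 50, 5000),         # protocol 0
    rec("203.0.113.91", "198.51.100.10", 17, 0, 0, 0, 8, 12000),        # fragments
    rec("203.0.113.92", "198.51.100.10", 6, 3333, 445, SYN, 1, 40),     # fingerprint + SYN
    rec("203.0.113.93", "198.51.100.10", 1, 0, 0, 0, 200, 12000),       # ICMP
]
SAMPLE = V5_HEADER.pack(5, len(RECORDS), 60000, 1312800000, 0, 0, 0, 0, 0) + b"".join(RECORDS)
```

The length check in parse_v5 matters in practice: the export is unauthenticated UDP, so a collector that trusts the header's record count can be made to read beyond the datagram by anyone who can reach its port.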
• Fingerprint Sharing – mitigation closer to the source

IF Filtering Levels: Standard & Integrated
• Standard integration
  – Peakflow has recommended filtering options
    » ACLs, rate limiting, BGP blackholing, off-ramping/sinkholing and flexible scripting
  – Peakflow can detect and then initiate scrubbing
• Integrated Filtering API
  – Tightly coupled API that remains mitigation-agnostic (dedicated or shared mitigation)
    » Cisco/Riverhead Guard

Intelligent Filtering
• Integration with dedicated mitigation devices – Cisco Guard
• Peakflow triggers the devices to use BGP to off-ramp attack traffic through themselves
• They process data at gigabit-per-second speeds and do deep packet inspection
• They apply advanced heuristics to filter bad traffic while preserving good traffic
  – TCP SYN authentication
  – Zombie army detection
  – Enforcing traffic baselines
• They provide feedback to the Peakflow system on what was filtered and what was passed

Dealing with DDoS Attacks: Remediation
• Three key steps:
  – Detection
    » Determine the attack methodology and what resources are affected
  – Traceback
    » Determine the source and transit path
  – Mitigation
    » Determine what traffic to block, and where best to block it

What is a DoS Attack?
• A malicious attempt by a group of people to cripple an online service
• Flood the victim (server) with packets
  – Overload packet processing capacity
  – Saturate network bandwidth
• Two types of DoS attacks
  – Resource exhaustion attacks
  – Bandwidth consumption attacks

Attack Architecture – Direct Attacks
[Diagram: the attacker directs traffic towards the victim; Zombie 1, Zombie 2 and Zombie 3 send streams of spoofed traffic to the victim (Src: random, Dst: victim)]

Example – SYN Flooding
• A TCP connection is established with the three-way handshake: (1) the client sends SYN from a client port to a service port (1–1023, e.g. 80), (2) the server replies SYN/ACK, (3) the client sends ACK.
• In the attack, the malicious client sends SYN packets with spoofed source IP addresses; the victim replies SYN/ACK to the spoofed address and the ACK that would complete the handshake never arrives (shown as "?" in the diagram).
• The attacker makes connection requests aimed at the victim server with packets from spoofed source addresses

Technical Delivery Model
[Diagram: event collection and consolidation (common event format); secure shell console connectivity, Nessus agent, Nagios (health and status monitoring) and a TFTP server; consolidated IDP alert data, with out-of-band PSTN connectivity; a Verizon Security Agent (VSA) enterprise customer appliance at the customer network location, behind the customer's IDP appliance and firewall; encrypted tunnels over the public Internet terminating on the VSA; OC3 links into the Primary Security Operations Center (Irving, TX) hosting IDP management, Remedy 1, ArcSight 1, IDP alert data storage and remote power management; data synchronization to the Hot Site Security Operations Center (Baltimore, MD) hosting Remedy 2, ArcSight 2 and storage]

Cisco DDoS Mitigation Solution
1. Detect – the DDoS Detector identifies the attack on the target
2. Activate the DDoS Protection Device (auto or manual)
3. Divert only the target's traffic to the protection device via a BGP announcement
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Traffic to the non-targeted servers flows freely

Peakflow SP Anomaly Reporting
• Profiled Anomalies – deviations from normal traffic levels on the network
• Misuse Anomalies – traffic towards specific hosts that exceeds what should normally be seen on a network
• Fingerprint/Worm Anomalies – traffic that fits a user-specified signature

Detect Attack – Profiled Anomalies
• Detects network-wide anomalies such as DDoS attacks and worm outbreaks using non-intrusive data collection methods.
• A baseline of normal behavior is built from the flow data exported by the routers deployed on the network.
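The profiled-anomaly idea above (learn a baseline from flow data, then compare live traffic against it) is shown here as an added example written for this page, not Peakflow's own algorithm. It takes per-destination byte totals as a collector would aggregate them from NetFlow over 5-minute intervals, learns a mean and standard deviation per destination, and flags an interval that exceeds mean + k·stddev. The absolute floor is this example's addition: without it a quiet host that goes from 2 kbps to 4 kbps is a "300% deviation" and pages someone. The interval length, k, the floor and all sample numbers are assumptions.

```python
"""Profiled-anomaly detection: per-destination traffic baseline from flow history.

Added example, not Peakflow code. Input is a constructed series of per-interval
byte totals per destination; the rule (mean + k * stddev with an absolute
floor, increases only) is this example's own choice.
"""
from statistics import mean, pstdev

INTERVAL_SECONDS = 300  # assumed: one baseline bin = one 5-minute aggregation window


def bps(octets):
    """Average bit rate of one interval's byte total."""
    return octets * 8 / INTERVAL_SECONDS


def baseline(history_octets):
    """Mean and population stddev (both in bps) over the learning window."""
    rates = [bps(o) for o in history_octets]
    return mean(rates), pstdev(rates)


def profiled_anomaly(history_octets, current_octets, k=3.0, floor_bps=1_000_000):
    """Return (is_anomaly, current_bps, threshold_bps).

    Only increases are flagged, only beyond k standard deviations above the
    learned mean, and never below floor_bps so small hosts do not alert on noise.
    """
    mu, sigma = baseline(history_octets)
    threshold = max(mu + k * sigma, floor_bps)
    current = bps(current_octets)
    return current > threshold, current, threshold


def scan(history, current, **kw):
    """history: {dst: [octets per past interval]}; current: {dst: octets now}."""
    return {dst: profiled_anomaly(past, current.get(dst, 0), **kw)
            for dst, past in history.items()}


# Constructed sample: 12 past intervals per destination, then the live interval.
SAMPLE_HISTORY = {
    # busy web host, ~1 Mbps with normal jitter
    "198.51.100.10": [36_000_000, 38_000_000, 37_000_000, 39_000_000, 35_000_000,
                      38_000_000, 37_000_000, 36_000_000, 40_000_000, 37_000_000,
                      38_000_000, 39_000_000],
    # quiet management host, a flat 2 kbps
    "198.51.100.20": [75_000] * 12,
}
SAMPLE_CURRENT = {
    "198.51.100.10": 600_000_000,   # 16 Mbps: sixteen times its baseline
    "198.51.100.20": 150_000,       # 4 kbps: doubled, but far below the floor
}
```

Usage: scan(SAMPLE_HISTORY, SAMPLE_CURRENT) flags 198.51.100.10 (16 Mbps against a threshold of roughly 1.11 Mbps) and stays silent on 198.51.100.20. In production the history would be keyed by time of day as well, since a baseline learned at 03:00 is wrong at 14:00.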
• In real time, the system compares traffic against the baseline.

Detection Classes: Misuse
• Detected independently of the established baselines, against a set of known attack signatures.
• Traffic of specific types exceeding what should be normal for a network.
• Misuse anomalies cover the following types of traffic:
  – ICMP Anomaly
  – TCP NULL Flag Anomaly
  – TCP SYN Flag Anomaly
  – TCP RST Flag Anomaly
  – IP NULL (Proto 0) Anomaly
  – IP Fragmentation Anomaly
  – IP Private Address Space Anomaly

Misuse Anomalies – Dark IP

Fingerprint/Worm Anomalies (1)

Tracing Anomalies
• Automatically trace the source and destination IP/port and the TCP flags of abnormal traffic.
• Distribution of attack traffic by source and destination IP/port.
• Trace the network devices that the abnormal traffic passes through.

Prevent/Mitigate Network-wide Anomalies
• The system can recommend appropriate measures to mitigate anomalies such as DoS attacks and worm outbreaks:
  – Generate recommended ACLs or rate-limit commands
  – Blackhole routing
  – Sinkhole routing

Alert
• BGP
  – BGP instability
  – BGP route hijacking
• Data source
  – BGP down
  – Flow down
  – SNMP down
• DoS alert
• Interface usage: traffic exceeded the configured baseline
• Use e-mail, SNMP traps, syslog, etc. to notify network administrators.
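The "Prevent/Mitigate" step above (recommend ACLs, rate-limit commands or blackhole routing for a detected anomaly) and the earlier Mitigation Strategies list are illustrated by the following added example, which is not Peakflow output. It turns an anomaly record into Cisco IOS commands, choosing destination-based blackholing when the attack is near link capacity, an ACL when the attacked port is not one the service needs, and MQC policing when the attack lands on the service port itself; for spoofed sources it adds strict uRPF on the customer-facing interface (ingress filtering). The decision thresholds, ACL number 150, tag 666, the interface names and the class-map/policy-map names are this example's assumptions, and the RTBH line presumes edge routers are already provisioned to map that tag to a Null0 next hop.

```python
"""Turn a detected anomaly into recommended mitigation commands.

Added example, not Peakflow output. Decision rules, ACL number, RTBH tag,
interface and policy names are assumptions; command syntax is Cisco IOS.
"""
EDGE_INTERFACE = "GigabitEthernet0/1"      # assumed upstream-facing interface
CUSTOMER_INTERFACE = "GigabitEthernet0/2"  # assumed customer-facing interface
ACL = 150                                  # assumed free extended-ACL number
RTBH_TAG = 666                             # assumed tag edge routers map to Null0
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def match_line(anom, action):
    """One extended-ACL entry for the anomaly's protocol/port towards the target."""
    proto = PROTO_NAMES.get(anom["proto"], "ip")
    port = ""
    if anom.get("dport") and proto in ("tcp", "udp"):
        port = " eq %d" % anom["dport"]
    return "access-list %d %s %s any host %s%s" % (ACL, action, proto, anom["target"], port)


def recommend(anom, link_bps, protected_ports=(80, 443)):
    """Return (mode, [commands]) for anom = {target, proto, dport, bps, spoofed}."""
    cmds = []
    if anom["bps"] >= 0.8 * link_bps:
        # Link is saturating: sacrifice the /32 to keep everything else up.
        # This completes the DoS against the target, so it is the last resort.
        mode = "blackhole"
        cmds.append("ip route %s 255.255.255.255 Null0 tag %d" % (anom["target"], RTBH_TAG))
    elif anom.get("dport") and anom["dport"] not in protected_ports:
        # Attack rides a port the service does not need: drop it at the edge.
        mode = "acl"
        cmds += [match_line(anom, "deny"),
                 "access-list %d permit ip any any" % ACL,
                 "interface %s" % EDGE_INTERFACE,
                 " ip access-group %d in" % ACL]
    else:
        # Attack hits the service port (or has no port): police, do not block.
        mode = "rate-limit"
        cir = anom["bps"] // 10    # assumed: admit a tenth of the observed attack rate
        cmds += [match_line(anom, "permit"),
                 "class-map match-all DDOS-TARGET",
                 " match access-group %d" % ACL,
                 "policy-map DDOS-POLICE",
                 " class DDOS-TARGET",
                 "  police cir %d conform-action transmit exceed-action drop" % cir,
                 "interface %s" % EDGE_INTERFACE,
                 " service-policy input DDOS-POLICE"]
    if anom.get("spoofed"):
        # Randomised sources: strict uRPF on the customer edge stops this network's
        # own hosts from sourcing spoofed floods (ingress filtering).
        cmds += ["interface %s" % CUSTOMER_INTERFACE,
                 " ip verify unicast source reachable-via rx"]
    return mode, cmds


# Constructed anomalies against one target on an assumed 1 Gbps upstream link.
LINK_BPS = 1_000_000_000
SYN_445 = {"target": "198.51.100.10", "proto": 6, "dport": 445, "bps": 2_000_000, "spoofed": True}
UDP_FLOOD = {"target": "198.51.100.10", "proto": 17, "dport": 53, "bps": 950_000_000, "spoofed": True}
HTTP_FLOOD = {"target": "198.51.100.10", "proto": 6, "dport": 80, "bps": 40_000_000, "spoofed": False}
ICMP_FLOOD = {"target": "198.51.100.10", "proto": 1, "bps": 5_000_000, "spoofed": False}
```

Usage: recommend(SYN_445, LINK_BPS) yields an ACL denying tcp/445 to the host; recommend(UDP_FLOOD, LINK_BPS) yields the RTBH static route; recommend(HTTP_FLOOD, LINK_BPS) polices port 80 rather than blocking it. Any of these is a recommendation for an operator to review, matching the slide's wording; none should be pushed to routers automatically without a rollback path.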