Hack lu cisco ddos


Published on October 7, 2007

Author: Pravez

Source: authorstream.com

Content

Detecting and Mitigating DoS Attack in a Network
Cisco Systems

Agenda
- DDoS Reality Check
- Detecting
- Tracing
- Mitigation
- Protecting the Infrastructure

DDoS Vulnerabilities: Multiple Threats & Targets
(diagram: peering point, POP, ISP backbone, access line, attacked server)
- Attack zombies: use valid protocols; spoof source IP; massively distributed; variety of attacks
- Entire data center: servers, security devices, routers; e-commerce, web, DNS, email, ...
- Provider infrastructure: DNS, routers and links

Evolution (table with columns: distribution / management / # attackers (bandwidth) / type of attack / protection)
- Row 1: manually (hack to servers) / manually / X0-X00 attackers (X0 Mbps) / non-critical protocols (e.g. ICMP), spoofed SYN / enterprise-level firewall, ACL on access routers
- Row 2: email attachment, download from questionable site, via "chat" (ICQ, AIM, IRC), worms / manually / ~X00-X,000 attackers (X00 Mbps) / all types of applications (HTTP, DNS, SMTP), spoofed SYN / ISP/IDC blackhole, ACL, DDoS solutions
- Row 3: email attachment, via "chat" (ICQ, AIM, IRC, ...) / via botnets / ~X00,000 attackers (X-X0 Gbps) / legitimate requests, infrastructure elements (DNS, SMTP, HTTP, ...) / blackhole (?), ACL (?), DDoS solutions, anycast (?)
Security Challenges: The Cost of Threats
(chart: dollar amount of loss by type of attack, CSI/FBI 2004 Survey)

ISP Security Incident Response
An ISP operations team's response to a security incident can typically be broken down into six phases:
1. Preparation
2. Identification
3. Classification
4. Traceback
5. Reaction
6. Post mortem

Sink Hole Routers (for ISP mainly)
- Use unallocated addresses; there are a lot of them on the Internet: 10.0.0.0/8, 96.0.0.0/4, ...
- The sink hole router locally advertises these addresses
- Infected hosts will seek to contact them
- The log will provide a list of locally infected hosts
- Will be useful for other tricks

Sink Hole (aka Network Honey Pot) Set-Up
(diagram: infected system XYZ, sink hole router)

Sink Hole In Action: Worm Detection
(diagram: infected system XYZ, sink hole router, IDS sensor)
- The very same set-up will be used for other games
- Could be used for enterprise as well

Agenda: Detecting

Identification Tools
- Customer/user phone call
- CPU load on router
- SNMP: watching the baseline and tracking variations/surges
- Netflow/IPFIX: traffic anomaly detection tools
- Sink holes: look for backscatter

Netflow: Statistics per TCP/UDP Flows. DoS == Unusual Behavior
(real data deleted in this presentation)
Potential DoS attack (33 flows) on router1
Estimated: 660 pkt/s, 0.2112 Mbps
ASxxx is: ...
ASddd is: ...

src_ip           dst_ip          in_int  out_int  src_port  dst_port  pkts  bytes  prot  src_as  dst_as
192.xx.xxx.69    194.yyy.yyy.2   29      49       1308      77        1     40     6     xxx     ddd
192.xx.xxx.222   194.yyy.yyy.2   29      49       1774      1243      1     40     6     xxx     ddd
192.xx.xxx.108   194.yyy.yyy.2   29      49       1869      1076      1     40     6     xxx     ddd
192.xx.xxx.159   194.yyy.yyy.2   29      49       1050      903       1     40     6     xxx     ddd
192.xx.xxx.54    194.yyy.yyy.2   29      49       2018      730       1     40     6     xxx     ddd
192.xx.xxx.136   194.yyy.yyy.2   29      49       1821      559       1     40     6     xxx     ddd
192.xx.xxx.216   194.yyy.yyy.2   29      49       1516      383       1     40     6     xxx     ddd
192.xx.xxx.111   194.yyy.yyy.2   29      49       1894      45        1     40     6     xxx     ddd
192.xx.xxx.29    194.yyy.yyy.2   29      49       1600      1209      1     40     6     xxx     ddd
192.xx.xxx.24    194.yyy.yyy.2   29      49       1120      1034      1     40     6     xxx     ddd
192.xx.xxx.39    194.yyy.yyy.2   29      49       1459      868       1     40     6     xxx     ddd
192.xx.xxx.249   194.yyy.yyy.2   29      49       1967      692       1     40     6     xxx     ddd
192.xx.xxx.57    194.yyy.yyy.2   29      49       1044      521       1     40     6     xxx     ddd
...              ...             ...     ...      ...       ...       ...   ...    ...   ...     ...

Sink Hole Router Backscatter Analysis
- Under DDoS the victim replies to random (spoofed) destinations -> some of that backscatter reaches the sink hole router, where it can be analysed

Backscatter Analysis
(diagram: target, ingress routers, other ISPs, random sources, sink hole router)

Agenda: Tracing

Tracing DoS Attacks
- If the source prefix is not spoofed: -> routing table -> Internet Routing Registry (IRR) -> direct site contact
- If the source prefix is spoofed: -> trace the packet flow through the network (ACL, NetFlow, IP source tracker) -> find the upstream ISP -> the upstream needs to continue tracing
- Nowadays, 1000's of sources, not spoofed -> not always meaningful to trace back...
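The following is an added example, not part of the Cisco slides, of the Netflow-based detection the table illustrates: it parses records in the slide's column layout, flags a destination that receives many SYN-sized flows from many distinct sources, reports the estimate in the same shape as the slide's "Potential DoS attack (33 flows)" line, and breaks the attacking sources down by origin AS as the starting point of the non-spoofed tracing path (routing table -> IRR -> site contact). The flow records, the TEST-NET addresses, the private AS numbers, the one-second export interval and the detection thresholds are all constructed assumptions.

```python
"""NetFlow-style DoS detection: many tiny flows from many sources to one host."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One exported flow record, fields in the slide's column order."""
    src_ip: str
    dst_ip: str
    in_int: int
    out_int: int
    src_port: int
    dst_port: int
    pkts: int
    bytes: int
    prot: int
    src_as: int
    dst_as: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 11:
            raise ValueError(f"malformed record: {line!r}")
        flows.append(Flow(fields[0], fields[1], *map(int, fields[2:])))
    return flows


def _build_sample_export() -> str:
    """Constructed export: 33 sources each send 20 x 40-byte TCP packets to one
    web server (a SYN-flood signature) next to two ordinary flows."""
    lines = ["# src_ip dst_ip in_int out_int src_port dst_port pkts bytes prot src_as dst_as"]
    for i in range(33):
        lines.append(f"192.0.2.{i + 1} 198.51.100.2 29 49 {1024 + i} 80 20 800 6 "
                     f"{64500 + i % 3} 64501")
    lines.append("203.0.113.10 198.51.100.2 29 49 51515 80 1450 2054000 6 64510 64501")
    lines.append("203.0.113.11 198.51.100.5 29 49 40012 53 1 70 17 64510 64501")
    return "\n".join(lines)


SAMPLE_EXPORT = _build_sample_export()
EXPORT_INTERVAL_S = 1.0  # assumed length of the collection window


@dataclass
class Alert:
    dst_ip: str
    flows: int
    sources: int
    pkt_per_s: float
    mbps: float
    src_as_counts: Dict[int, int]


def detect_dos(flows: List[Flow], interval_s: float = EXPORT_INTERVAL_S,
               min_sources: int = 10, max_bytes_per_pkt: int = 60) -> List[Alert]:
    """Flag a destination when at least min_sources distinct sources send it
    flows whose average packet is SYN-sized: the 'unusual behavior' that a
    baseline of normal web traffic never shows."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst_ip].append(f)
    alerts = []
    for dst, group in by_dst.items():
        small = [f for f in group if f.bytes / f.pkts <= max_bytes_per_pkt]
        sources = {f.src_ip for f in small}
        if len(sources) < min_sources:
            continue
        pkts = sum(f.pkts for f in small)
        octets = sum(f.bytes for f in small)
        alerts.append(Alert(
            dst_ip=dst, flows=len(small), sources=len(sources),
            pkt_per_s=pkts / interval_s, mbps=octets * 8 / interval_s / 1e6,
            # busiest origin AS first: who to look up in the routing table / IRR
            src_as_counts=dict(Counter(f.src_as for f in small).most_common())))
    return alerts


def summarize(alert: Alert) -> str:
    """Same shape as the slide's 'Potential DoS attack (33 flows) ...' line."""
    return (f"Potential DoS attack ({alert.flows} flows) on {alert.dst_ip}: "
            f"estimated {alert.pkt_per_s:.0f} pkt/s, {alert.mbps:.4f} Mbps "
            f"from {alert.sources} sources; origin AS: {alert.src_as_counts}")


if __name__ == "__main__":
    for a in detect_dos(parse_flows(SAMPLE_EXPORT)):
        print(summarize(a))
```

The bytes-per-packet threshold, not the flow count alone, is what separates the flood from the large legitimate download to the same server; a real collector would compare against a per-destination baseline rather than a fixed number.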
Trace-Back in One Step: ICMP Backscatter
- Border routers: allow ICMP (rate limited); on packet drop, an ICMP unreachable will be sent to the source
- Use ACL or routing tricks (routing to the Null interface)
- All ingress routers drop traffic to <victim> and send ICMP unreachables to the spoofed source!!
- The sink hole router logs the ICMPs!

Trace-Back Made Easy: ICMP Backscatter, Step 1: no drop
(diagram: target, ingress routers, other ISPs, random sources, sink hole router)

Trace-Back Made Easy: ICMP Backscatter, Step 2: drop packets
(diagram: target, ingress routers, other ISPs, sink hole router with logging, ICMP unreachables)

Agenda: Mitigation

At the Edge / Firewalls: ACL/QoS to Drop/Throttle DDoS Traffic
(diagram: Server1, Target, Server2 behind routers R1-R5; link labels 1000, 1000, FE peering 100)
- Easy to choke
- Point of failure
- Not scalable
- Consumer tuned
- Too late

At the Routers in the Network: ACL/QoS to Drop/Throttle DDoS Traffic
(same diagram, with Target labelled Victim)
- Random spoofing?
- Throws the good out with the bad
- ~X0,000 ACLs?
- ACLs: upper bound on traffic

Black Holing the DoS Traffic: Re-Directing Traffic to the Victim
(diagram: target, ingress routers, other ISPs, sink hole router)
- The sink hole router announces the route "target/32"; logging!!
- Keeps the line to the customer clear, but cuts the target host off completely
- Discuss with customer!!!
- Just for analysis normally
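An added example, not part of the deck, that ties together three of the sink hole uses above: listing locally infected hosts from their connection attempts to dark space, counting backscatter replies from a victim whose attackers spoofed sinkholed addresses, and, once ingress routers drop traffic to the victim and answer with ICMP unreachables, attributing those unreachables to the ingress routers that sent them (the one-step trace-back). The log line format, the customer prefix 203.0.113.0/24 and every address in the sample log are constructed; the two sinkholed ranges are the ones the slide names.

```python
"""Classify sink hole router log lines into infected hosts, backscatter and
ICMP-unreachable trace-back evidence."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Dark address space the sink hole router advertises internally (the two ranges
# the slide names). Whether a range is still unallocated has to be checked
# against current registry data before it is ever sinkholed.
SINKHOLE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("96.0.0.0/4")]
# Assumed: the provider's own customer space (constructed, TEST-NET-3).
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed log format: "<ts> <proto> <src>[:<port>] -> <dst>[:<port>] <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s+(?P<info>.*)$")

# Constructed sample: two scanning customer hosts, a victim's replies to spoofed
# sources, ICMP unreachables from two ingress routers, and one unrelated line.
SAMPLE_LOG = """\
2007-10-07T10:00:01 TCP 203.0.113.25:3312 -> 96.12.3.4:445 SYN
2007-10-07T10:00:01 TCP 203.0.113.25:3313 -> 96.12.3.5:445 SYN
2007-10-07T10:00:02 TCP 203.0.113.77:1025 -> 10.44.1.9:135 SYN
2007-10-07T10:00:02 TCP 198.51.100.2:80 -> 96.200.1.1:2211 SYN,ACK
2007-10-07T10:00:02 TCP 198.51.100.2:80 -> 10.9.9.9:4100 SYN,ACK
2007-10-07T10:00:03 TCP 198.51.100.2:80 -> 96.8.8.8:6001 RST,ACK
2007-10-07T10:00:04 ICMP 192.0.2.1 -> 96.31.0.7 unreachable orig_dst=198.51.100.2
2007-10-07T10:00:04 ICMP 192.0.2.1 -> 10.200.3.3 unreachable orig_dst=198.51.100.2
2007-10-07T10:00:04 ICMP 192.0.2.2 -> 96.77.1.2 unreachable orig_dst=198.51.100.2
2007-10-07T10:00:05 UDP 203.0.113.40:5353 -> 10.0.0.251:5353 mdns
2007-10-07T10:00:06 TCP 198.51.100.9:22 -> 203.0.113.5:4444 SYN,ACK
"""


@dataclass
class SinkholeReport:
    infected_hosts: Counter = field(default_factory=Counter)       # local src -> hits
    backscatter_victims: Counter = field(default_factory=Counter)  # victim -> replies seen
    ingress_routers: Dict[str, Counter] = field(                   # victim -> router -> drops
        default_factory=lambda: defaultdict(Counter))
    other: List[str] = field(default_factory=list)


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def analyse(log_text: str) -> SinkholeReport:
    rep = SinkholeReport()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not in_any(m["dst"], SINKHOLE_PREFIXES):
            rep.other.append(line)  # unparsable, or not addressed to dark space
            continue
        proto, src, info = m["proto"], m["src"], m["info"]
        if proto == "ICMP" and info.startswith("unreachable"):
            # The ICMP source is the border router that dropped the packet and
            # the quoted original destination is the victim; counting per router
            # shows where the attack traffic enters the network.
            kv = dict(p.split("=", 1) for p in info.split()[1:] if "=" in p)
            rep.ingress_routers[kv.get("orig_dst", "?")][src] += 1
        elif in_any(src, LOCAL_PREFIXES):
            rep.infected_hosts[src] += 1  # our own host talking to dark space
        elif proto == "TCP" and ({"ACK", "RST"} & set(info.split(","))):
            rep.backscatter_victims[src] += 1  # reply to a spoofed source
        else:
            rep.other.append(line)
    return rep


def attack_entry_points(rep: SinkholeReport, victim: str) -> List[Tuple[str, int]]:
    """Ingress routers that dropped traffic destined to victim, busiest first."""
    return rep.ingress_routers[victim].most_common()


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("infected:", dict(r.infected_hosts))
    print("backscatter victims:", dict(r.backscatter_victims))
    print("entry points for 198.51.100.2:", attack_entry_points(r, "198.51.100.2"))
```

The ordering of the checks matters: ICMP unreachables are attributed first, then anything our own customers send into dark space counts as a scanner regardless of protocol, and only reply segments (ACK or RST set) from outside are counted as backscatter, so a bare SYN from an external address is left in the unclassified bucket for manual review.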
Identifying and Dropping only DDoS Traffic (slides 1-7 build up one picture step by step)
Protected zone 1: Web; protected zone 2: Name Servers; protected zone 3: E-Commerce Application
Cisco Traffic Anomaly Detector Module (or Cisco IDS or a third-party system) and Cisco Anomaly Guard Module
1. Detect target
2. Activate: auto/manual
3. Divert only the target's traffic (route update: RHI internal, or BGP/other external)
4. Identify and filter malicious traffic
   (traffic destined to the target; legitimate traffic to the target)
5. Forward legitimate traffic
6. Non-targeted traffic flows freely

Multi-Verification Process (MVP): Integrated Defenses in the Guard XT
Stages: Active Verification -> Statistical Analysis -> Layer 7 Analysis -> Rate Limiting -> Dynamic & Static Filters
- Legitimate + attack traffic to the target enters the Guard
- Detect anomalous behavior and identify precise attack flows and sources
- Apply anti-spoofing to block malicious flows
- Dynamically insert specific filters to block attack flows and sources; apply rate limits
- Only legitimate traffic leaves

Anti-Spoofing Example: HTTP/TCP
(diagram between Source IP, Guard and Victim; c# and s# are the client and server sequence numbers, primes mark the Guard's own values)
- Source -> Guard: Syn(c#)
- Guard -> Source: Synack(c#', s#'), where s#' = Hash-function(SrcIP, port, t)
- Source -> Guard: ack(c#, s#); the Guard checks it against the hash and adds SrcIP, port# to its verified connections
- Only then does the Guard open the connection to the Victim: Syn(c#'), synack(c#, s#), Redirect(c#, s#), request(c#', s#') (labels as on the slide)
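Added example (not the Guard's code) of the anti-spoofing handshake the slide sketches: the Guard answers each SYN with a sequence number derived from a keyed hash of (SrcIP, port, t) and stores nothing, so a spoofed source, which never receives the SYN/ACK, cannot produce the matching ACK, while a real client's ACK is recognised and its (SrcIP, port) pair lands in the verified connections. The HMAC key, the 64-second time bucket and the acceptance of the previous bucket are assumptions.

```python
"""SYN-cookie style anti-spoofing as in the Guard's handshake sketch."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Set, Tuple

SECRET = b"constructed-demo-key, rotate it in a real deployment"  # assumed per-Guard key
BUCKET_SECONDS = 64   # assumed granularity of t in Hash-function(SrcIP, port, t)
MASK32 = 0xFFFFFFFF


def time_bucket(now: float) -> int:
    return int(now) // BUCKET_SECONDS


def make_cookie(src_ip: str, src_port: int, dst_port: int, bucket: int) -> int:
    """s#' = keyed hash of (SrcIP, port, t), truncated to a 32-bit sequence number."""
    msg = ipaddress.ip_address(src_ip).packed + struct.pack("!HHq", src_port, dst_port, bucket)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class Guard:
    """Stateless SYN handling: nothing is stored until a valid ACK proves the source is real."""

    def __init__(self) -> None:
        self.verified: Set[Tuple[str, int]] = set()

    def on_syn(self, src_ip: str, src_port: int, dst_port: int, now: float) -> int:
        """Answer Syn(c#) with Synack(c#', s#'); returns the s#' to send back."""
        return make_cookie(src_ip, src_port, dst_port, time_bucket(now))

    def on_ack(self, src_ip: str, src_port: int, dst_port: int, ack_num: int, now: float) -> bool:
        """Accept ack(c#, s#) only if it acknowledges a cookie this Guard could have
        issued in the current or previous bucket; the source is then verified."""
        got = struct.pack("!I", ack_num & MASK32)
        b = time_bucket(now)
        for cand in (b, b - 1):
            want = struct.pack("!I", (make_cookie(src_ip, src_port, dst_port, cand) + 1) & MASK32)
            if hmac.compare_digest(want, got):
                self.verified.add((src_ip, src_port))
                return True
        return False


def legitimate_client(guard: Guard, src_ip: str, src_port: int, now: float) -> bool:
    """A real host receives the Synack and echoes s#'+1: it gets verified."""
    s = guard.on_syn(src_ip, src_port, 80, now)
    return guard.on_ack(src_ip, src_port, 80, (s + 1) & MASK32, now)


def guessed_ack(guard: Guard, src_ip: str, src_port: int, now: float) -> bool:
    """An ACK that does not echo the cookie (what a source that never saw the
    Synack would have to send) is rejected and leaves no state behind."""
    s = guard.on_syn(src_ip, src_port, 80, now)
    return guard.on_ack(src_ip, src_port, 80, (s + 2) & MASK32, now)


def delayed_ack(guard: Guard, src_ip: str, src_port: int, now: float, delay_s: float) -> bool:
    """A correct ACK arriving delay_s later is accepted only while its bucket is
    still the current or the previous one."""
    s = guard.on_syn(src_ip, src_port, 80, now)
    return guard.on_ack(src_ip, src_port, 80, (s + 1) & MASK32, now + delay_s)


if __name__ == "__main__":
    g = Guard()
    print("real client verified:", legitimate_client(g, "198.51.100.10", 5555, 1_000_000.0))
    print("guessed ACK accepted:", guessed_ack(g, "203.0.113.9", 4000, 1_000_000.0))
    print("verified set:", g.verified)
```

Because the cookie is recomputed from the packet fields and the key, the Guard needs no per-SYN memory, which is exactly why a flood of spoofed SYNs does not exhaust it; the time bucket bounds how long an old Synack stays usable.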
Measured Response
- Detection: passive copy of traffic monitoring
- Analysis: diversion for more granular in-line analysis; flex filters, static filters and bypass in operation; all flows forwarded but analyzed for anomalies
- Basic Protection: basic anti-spoofing applied; analysis for continuing anomalies
- Strong Protection: strong anti-spoofing (proxy) if appropriate; dynamic filters deployed for zombie sources
- Learning: periodic observation of patterns to update baseline profiles
- Transitions between the states: attack detected -> anomaly identified -> anomaly verified

Agenda: Protecting the Infrastructure

Three Planes, Definition
A device typically consists of:
- Data/forwarding plane: the useful traffic
- Control plane: routing protocols, ARP, ...
- Management plane: SSH, SNMP, ...
In these slides "Control Plane" refers to all the control/management plane traffic destined to the device (diagram: hardware / software).

Control Plane Overrun
- Loss of protocol keep-alives: lines go down, route flaps, major network transitions
- Loss of routing protocol updates: route flaps, major network transitions
- Near 100% CPU utilization can prevent other high-priority tasks

Need for Control Plane Policing
- Classify all control plane traffic into multiple classes
- Each class is capped to a certain amount
- Fair share for each class, or for each source within a class -> one class cannot overflow the others -> even an ICMP flood to the router won't affect routing

Q and A
