Detecting and Mitigating Denial of Service Attacks BRKSEC-214 Peter Provart BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public HOUSEKEEPING  We value your feedback, don’t forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Friday  Visit the World of Solutions on Level -01!  Please remember this is a ‘No Smoking’ venue!  Please switch off your mobile phones!  Please remember to wear your badge at all times including the Party!  Do you have a question? Feel free to ask them during the Q&A section or write your question on the Question form given to you and hand it to the Room Monitor when you see them holding up the Q&A sign BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Objectives and Assumptions  How to detect and mitigate Denial of Services Attacks in a network  Explaining what kind of threats which we need to defend against  Explaining the various detection mechanisms which are available  Explaining the different mitigation techniques, how they are used and the possible consequences of implementing them  The audience is assumed to consist of network architects, security officers and project managers from SP and Large Enterprise customers  Assumtion : The audience has a basic knowledge of routing protocols and a good and broad understanding of various security techniques and tools used in large networks today  This session is related to sessions: Network Core Infrastructure Protection: Best Practices (BRKSEC-2013) Detecting Router Abuse (BRKSEC-2015) Network-based Solutions for Broadband Residential Security (BRKSEC-2016) The Techtorial Mitigating DoS Attacks (TECSEC-2003) also cover all those techniques, so, if you attended the techtorial, there is no need to attend this break-out session BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Agenda  Introduction : Threat Landscape  Six Phases of Incident Reaction process Planning, Detection, Classification, Traceback, Reaction, Post Mortem  Advanced Reaction Techniques BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Introduction Motivation and Trends BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public DDoS Attacks Are Here To Stay  DoS attacks grow from 119 to 1500 per day in 2005- an increase of 1200%  Jan06-Jun06 : Avg 6110 Dos Attacks per day an increase of 600% *Symantec Sept2006  Large % of DDoS attacks are motivated by extortion demands  50K Average Active Bots  Attack size is in the 2-7 Gig range Symantec Internet Security Report – March ‘06  The DoS problem is not a 100 year flood anymore! ‘Zombie' ring allegedly hit 1.5 million computers http://www.msnbc.msn.com/id/9763824/ Dutch Internet provider XS4ALL identified the zombie network – “only a drop in the ocean." BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Threat Economy: In the Past Writers Asset End Value Tool and Toolkit Writers Compromise Individual Host or Application Fame Malware Writers Worms Compromise Environment Viruses Theft Espionage (Corporate/ Government) Trojans BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Threat Economy: Today Writers First Stage Abusers Tool and Toolkit Writers Hacker/Direct Attack Middle Men Second Stage Abusers Fame Compromised Host and Application Theft Malware Writers Worms Machine Harvesting Bot-Net Creation End Value Extortionist/ DDoS-for-Hire Espionage (Corporate/ Government) Extorted Pay-Offs Viruses Bot-Net Management: Trojans For Rent, for Lease, for Sale Spyware Information Harvesting Personal Information Spammer Commercial Sales Phisher Pharmer/DNS Poisoning Information Brokerage Identity Theft Internal Theft: Abuse of Privilege Fraudulent Sales Click-Through Revenue Financial Fraud Electronic IP Leakage $$$ Flow of Money $$$ BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Denial of Service Trends  Multipath Truly distributed DNS servers, large botnets Reflective  Multivector SYN AND UDP AND—  Use of non-TCP/UDP/ICMP protocols Get past ACLs Increased awareness in community  Target ISP Infrastructure  Target Applications SMTP reflective, VoIP BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public Incident Response How you handle a DDOS attack? BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 10 Shunts with MPLS VPNs  Easy to deploy: Core remains untouched, injection VPN preconfigured VPN invisible to core  No performance impact  No need to touch CPE  But: MPLS VPN required on core BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 106 MPLS VPN Shunt Attack BGP: I’m next-hop for 1.1.1.1 Rerouting to 1.1.1.1 Redistribution into Core VPN Guard (2.2.2.2) Injection to VPN VPN MPLS VPN (Preconfigured) Target (1.1.1.1) BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 107 Cisco DDoS Protection Service Provider Distributed/Edge Protection POP Peering Point Enterprise A Core Router Core Router Peering Point Cisco Anomaly Detector XT • Distributed, potentially dedicated Guards • Detector CPE for monitoring and potentially activation • Potentially Detector at SP for monitoring, or NetFlow BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Guard XT Cisco Public Options: Cisco Anomaly Detector XT POP Enterprise B Targeted Enterprise C 108 Cisco DDoS Protection Via Provider Edge Co-Location ISP Traffic from Internet Co-Lo Rack Guard XT  Enterprise located detector activates the guard via separate management circuit Switch GRE Tunnel for Traffic Injection Alert Traffic Anomaly Detector XT SPAN Port for Monitoring BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved  Enterprise controlled, but upstream mitigation protects link and enterprise edge router 7x00 Edge Router Core Switch Cisco Public  Additional router isolates routing updates  GRE Tunnel is configured from guard to enterprise edge router for traffic injection 109 Signature Extraction Guard Ver 5.1  Some DDoS attacks carry a relatively fixed payload pattern (e.g “Get error.html”)  Signature Extraction can find prominent patterns in the payload of captured packets  This is done by the user saving the appropriate capture, where a significant portion of the packets includes malicious payload, and the algorithm analyzing these packets to extract a signature  The resulting signature can then be entered into the Guard as a content-filter (see below) BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 110 Signature Extraction – screen capture BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 111 Threat Information Distribution Protocol (TIDP)  Framework to distribute threat information to network devices  Distributed from TIDP Mitigation Service (TMS) controller  Messages authenticated, encrypted, and have replay protection  Uses TCP port 7548  Receiving devices configured with unique rule sets  Uses Threat Information Message (TIM) to ID suspect traffic  TIM created in threat definition file using XML  Associates enforcement actions (Block or Redirect) with suspect traffic  Available in 12.4(6)T http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00 805ec975.html BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 112 TIDP Architecture  TIDP/TMS distributes device independent Threat Information TIMs through networks  Each devices uses local device rules to convert TIMs into dynamic device specific enforcement actions  TIDP/TMS are not network configuration protocols NMS/Syslog Server for Logging Control of TIM Generation, Distribution and Management BRKSEC-2014 TIM TIDP/TMS Controller © 2006 Cisco Systems, Inc All rights reserved Cisco Public Threat Information Distribution Protocol Responses Rules Engine Local to Each Device Intelligence Resides in Endpoint Devices 113 Summary BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 114 Summary  Six Phases of Incident Response to DDOS attacks  Preparation and Post-Mortem often forgotten  Netflow is your friend  Advanced Mechanisms to react Anomaly Detection Packet Scrubbing Automatic Signature generation BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 115 Meet the Experts Security  Andres Gasson Consulting Systems Engineer  Christophe Paggen Technical Marketing Engineer  Eric Vyncke Distinguished Consulting Engineer  Erik Lenten Technical Marketing Engineer  Fredéric Detienne CA Technical Leader  Luc Billot Consulting Engineer BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 116 Meet the Experts Security  Michael Behringer Distinguished System Engineer  Olivier Dupont Corporate Dev Consulting Engineer  Peter Matthews Technical Marketing Engineer  Scott Wainner Distinguished System Engineer  Steinthor Bjarnason Consulting Engineer BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 117 Recommended Reading BRKSEC - 2013  Self-Defending Networks: The Next Generation of Network Security  Network Security Principles and Practices Available in the Cisco Company Store BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 118 Q and A BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 119 BRKSEC-2014 © 2006 Cisco Systems, Inc All rights reserved Cisco Public 120