PLNOG14: Can you live without a DDoS protection system - Marek Janik
Transcript of PLNOG14: Can you live without a DDoS protection system - Marek Janik
Agenda
• Attack types vs. types of potential victims
• Defense without hardware
– As a service
– Routing policy
– Mechanisms in the "infrastructure"
• What to detect with?
• How to defend, i.e. "product placement"
• Where is Huawei equipment used?
• Or maybe ....?
Attack type and "victim" type
• Attack
– Volumetric
– "Infrastructural"
– Application-layer
• "Victim"
– Company/DC
– Operator
– Operator with users
Defense as a service
"On demand"
• Very expensive
Fixed subscription
• Expensive
• Performed by specialized companies
• Experienced team of people
• Good equipment, though its scalability varies
• A service intended for "companies"
Blackholing
• Redirecting traffic to /dev/null
• A simple and effective way of getting rid of unwanted packets
• Who is it actually good for?
– A company?
– An alternative ISP?
– A Tier-1 ISP?
A different BGP/IP feed, or a lot of bandwidth
• Several BGP sessions to IXPs and ISPs
• "no-export" community
• BGP changes - only for "companies"
• Few can have an arbitrary amount of bandwidth
BGP Flowspec
• What we can cut
– Source / Destination Prefix
– IP Protocol (UDP, TCP, ICMP, etc.)
– Source and/or Destination Port
– ICMP Type and Code
– TCP Flags
– Packet Length
– DSCP (Diffserv Code Point)
– Fragment (DF, IsF, FF, LF)
• Actions
– 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
– 0x8007: traffic-action (sample)
– 0x8008: redirect to VRF
– 0x8009: traffic-marking (DSCP value)
• Who is it good for?
• How to feed flowspec?
• What does it defend against?
How to detect DDoS - NetFlow
Diagram (NetFlow/sFlow detection topology): Customer 1, Customer 2 and Customer 3 networks export NetFlow/sFlow packets across the regional network and the backbone network to Collectors; a management channel connects the Collectors to the Controller (HA). Note: Controller supports up to 30 Collectors.
We protect the DC/server/application
Diagram (Anti-DDoS System protecting a data center: split/mirroring with diversion and re-injection). Elements: Internet, Customer Network, Management Center, Detecting Center and Cleaning Center; the Internet link is mirrored to the Detecting Center over a detecting link, and the Cleaning Center is attached over a divert & re-inject link. Labelled steps in the diagram (numbered 1-8 in the original): mirroring traffic for detection; send attack alerts to Management Center; send command to clean device to divert traffic; send BGP host route to divert traffic to cleaning system; DDoS attack traffic is diverted to the cleaning center; send back the good traffic after cleaning; detecting & cleaning reports.
We protect the ISP/MAN/user network
Diagram (Anti-DDoS System protecting an ISP/MAN network). Elements: Internet, Customer Network, Protected Internal Network, Management Center, DDoS Detecting (Netflow Analyzer) and DDoS Cleaning. Labelled steps in the diagram (numbered 1-8 in the original): Netflow information of the service traffic; Netflow analyzer sends attack alerts to Management Center; send command to clean device to divert traffic; send BGP host route to divert traffic to cleaning system; DDoS attack traffic is diverted to the cleaning center; send back the good traffic after cleaning; cleaning reports.
Comparison of the two methods
Data Center: Per Packet Detect & Accurate Clean. MAN/ISP: Netflow Detect & Accurate Clean.

Detection method   | Per-packet detection                        | Flow sample and statistics detection
Detection ability  | Bandwidth flood & application layer attacks | Bandwidth flood attacks
Detection time     | 2~3 seconds                                 | 2~3 minutes
Suitable scenario  | Data Center                                 | Internet Gateway
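The comparison above contrasts per-packet detection with flow sampling and statistics, which is where the gap in detection time comes from: sampled flows have to be accumulated over a statistics interval before a rate can be estimated at all. The following Python is an added example, not code from the talk or from any Huawei product. It takes constructed sampled-flow records (a 1:1000 sampling rate and a 60-second interval are this example's assumptions), scales the sampled SYN-only packet counts back up to an estimated packets-per-second rate per destination, and flags destinations that exceed a threshold.

```python
from collections import defaultdict

TCP_SYN = 0x02
TCP_ACK = 0x10
SAMPLING_RATE = 1000     # assumed 1:1000 packet sampling on the exporting router
WINDOW_SECONDS = 60      # assumed statistics interval; detection cannot complete sooner

# Constructed sampled-flow records:
# (export_time_s, src, dst, ip_proto, tcp_flags, sampled_packets)
SAMPLE_FLOWS = [
    # first interval: ordinary traffic towards 203.0.113.10
    (5,  "198.51.100.7",  "203.0.113.10", 6,  TCP_SYN,           2),
    (17, "198.51.100.9",  "203.0.113.10", 6,  TCP_SYN | TCP_ACK, 4),  # handshake reply, not SYN-only
    (40, "198.51.100.21", "203.0.113.10", 6,  TCP_SYN,           1),
    (55, "198.51.100.8",  "203.0.113.10", 17, 0,                 9),  # UDP, not a SYN
    # second interval: a little SYN traffic to another host
    (70, "198.51.100.3",  "203.0.113.20", 6,  TCP_SYN,           1),
    (80, "198.51.100.4",  "203.0.113.20", 6,  TCP_SYN,           1),
] + [
    # second interval: many single-packet SYN-only samples from distinct sources to one host
    (60 + i, f"192.0.2.{i + 1}", "203.0.113.10", 6, TCP_SYN, 1) for i in range(36)
]


def is_syn_only(ip_proto, tcp_flags):
    """SYN set and ACK clear: the first packet of a handshake (or a flood of them)."""
    return ip_proto == 6 and bool(tcp_flags & TCP_SYN) and not (tcp_flags & TCP_ACK)


def syn_pps_by_window(flows, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Estimated SYN-only packets per second, keyed by (window_start, destination).

    Each sampled packet stands for `sampling_rate` real packets, so the sampled
    count is multiplied back up and then divided by the interval length.
    """
    sampled = defaultdict(int)
    for ts, _src, dst, proto, flags, pkts in flows:
        if is_syn_only(proto, flags):
            sampled[(ts // window * window, dst)] += pkts
    return {key: count * sampling_rate / window for key, count in sampled.items()}


def detect_syn_floods(flows, threshold_pps, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Return (window_start, destination, estimated_pps) for every interval over threshold."""
    rates = syn_pps_by_window(flows, sampling_rate, window)
    return sorted((w, dst, pps) for (w, dst), pps in rates.items() if pps > threshold_pps)


if __name__ == "__main__":
    for start, dst, pps in detect_syn_floods(SAMPLE_FLOWS, threshold_pps=500):
        print(f"t={start}s {dst}: ~{pps:.0f} SYN pps (sampled estimate) exceeds threshold")
```

Two things the numbers make visible: the interval length is a floor on detection time (here a full minute must pass before the second window can be judged, which is why the table quotes minutes for flow-based detection and seconds for per-packet), and a handful of samples gives a noisy estimate (three sampled packets become 50 pps), so thresholds for sampled detection are set well above the sampling noise rather than at the true rate you would like to catch.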
In-line vs. traffic redirection
• Defense that works in In-Line mode or requires bidirectional traffic redirection
– ACK flood, FIN/RST flood,
– TCP connection exhaustion,
– DNS reply flood
– DNS cache poisoning
Cooperation with any DDoS attack detection system
• <189>2013-07-18 15:51:56 128.18.74.109 %%01SEC/5/ATCKDF(l): Anomaly ID:222; Creation Time: Mon Nov 7 15:30:20 2014; Update Time: Mon Nov 7 15:35:21 2014; Type: Traffic Anomaly; Sub-type: TCP SYN Flood; Severity: Red; Status: ongoing; Direction: Incoming; Resource: Zone; Resource ID: 666; Importance: High; Current: 678; Threshold:500; Unit: pps; DIP1:18.112.32.88; DIP2: ; DIP3: ; DPort1:23; DPort2: ; SIP1: ; SIP2: ; SIP3: ; SPort1: ; SPort2:; Protocol:6; URL to Link the Report:www.huawei.com
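The ATCKDF record above is the kind of alert a detection system hands to whatever performs the mitigation, and the flowspec slide earlier lists the match fields and actions such a rule can carry. The following Python is an added example, not code from the talk or from any Huawei software: it parses that exact syslog line (field names as printed on the slide) and derives a flowspec-style rule description from it. The rule dictionary layout, the "ongoing and over threshold" policy, the Red-means-discard mapping and the narrowing of a SYN flood to SYN-flagged packets are this example's own assumptions, not a vendor API.

```python
import ipaddress
import json
import re

# The alert line shown on the slide, used here as constructed sample input.
SAMPLE_ALERT = (
    "<189>2013-07-18 15:51:56 128.18.74.109 %%01SEC/5/ATCKDF(l): Anomaly ID:222; "
    "Creation Time: Mon Nov 7 15:30:20 2014; Update Time: Mon Nov 7 15:35:21 2014; "
    "Type: Traffic Anomaly; Sub-type: TCP SYN Flood; Severity: Red; Status: ongoing; "
    "Direction: Incoming; Resource: Zone; Resource ID: 666; Importance: High; "
    "Current: 678; Threshold:500; Unit: pps; DIP1:18.112.32.88; DIP2: ; DIP3: ; "
    "DPort1:23; DPort2: ; SIP1: ; SIP2: ; SIP3: ; SPort1: ; SPort2:; Protocol:6; "
    "URL to Link the Report:www.huawei.com"
)

# Syslog header as it appears in the record: <PRI>timestamp host tag: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+): (?P<body>.*)$"
)


def parse_atckdf_alert(line):
    """Split one ATCKDF record into header values and its 'Key: value' fields.

    Fields are separated by ';' and split at their first ':' only, because values
    such as 'Creation Time: Mon Nov 7 15:30:20 2014' contain colons themselves.
    Empty values (e.g. 'DIP2: ') become None.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an ATCKDF syslog record")
    pri = int(m.group("pri"))
    fields = {}
    for part in m.group("body").split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip() or None
    return {
        "facility": pri // 8,   # 189 -> 23 (local7)
        "severity": pri % 8,    # 189 -> 5 (notice)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": fields,
    }


def flowspec_rules(alert):
    """Derive flowspec-style rules (one per attacked destination) from a parsed alert.

    Assumed policy (this example's, not the vendor's): only ongoing, incoming
    anomalies whose Current exceeds Threshold get a rule; Severity Red means
    discard (traffic-rate 0x8006 with rate 0), anything else is only sampled (0x8007).
    """
    f = alert["fields"]
    if f.get("Status") != "ongoing" or f.get("Direction") != "Incoming":
        return []
    if int(f["Current"]) <= int(f["Threshold"]):
        return []

    match = {}
    proto = int(f["Protocol"]) if f.get("Protocol") else None
    if proto is not None:
        match["ip-protocol"] = proto
    dports = [int(f[k]) for k in ("DPort1", "DPort2") if f.get(k)]
    if dports:
        match["destination-port"] = dports
    sources = [str(ipaddress.ip_network(f[k])) for k in ("SIP1", "SIP2", "SIP3") if f.get(k)]
    if sources:
        match["source-prefix"] = sources
    # Simplification: a TCP SYN flood is narrowed to SYN-flagged packets.
    if proto == 6 and "SYN" in (f.get("Sub-type") or ""):
        match["tcp-flags"] = "SYN"

    if f.get("Severity") == "Red":
        action = {"type": "traffic-rate", "code": "0x8006", "rate": 0}   # rate 0 = discard
    else:
        action = {"type": "traffic-action", "code": "0x8007", "sample": True}

    rules = []
    for key in ("DIP1", "DIP2", "DIP3"):
        if f.get(key):
            host_prefix = str(ipaddress.ip_network(f[key]))   # /32 or /128 host route
            rules.append({
                "anomaly-id": f.get("Anomaly ID"),
                "match": dict(match, **{"destination-prefix": host_prefix}),
                "action": action,
            })
    return rules


if __name__ == "__main__":
    parsed = parse_atckdf_alert(SAMPLE_ALERT)
    print(json.dumps(flowspec_rules(parsed), indent=2))
```

The parser keeps the header separate from the fields so the same function can feed a SIEM (host, facility, severity) and a mitigation step (the fields); the rule is kept as plain data so it can be rendered into whichever router or controller syntax actually injects the flowspec route, and so that a rule for a destination that is not yours can be rejected before anything is announced.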
Huawei Anti-DDoS solution
Diagram (solution components): ATIC Management Center (device management, service configuration, reports); Detecting Center (dedicated device for analyzing abnormal traffic); Cleaning Center (dedicated device for cleaning abnormal traffic).
Per Packet Detect and Clean Products (Anti-DDoS8000 Series)

Chassis        | Anti-DDoS8160 | Anti-DDoS8080 | Anti-DDoS8030
Throughput     | 200Gbps       | 100Gbps       | 40Gbps
Port capacity  | 240Gbps       | 120Gbps       | 40Gbps
Slots number   | 16            | 8             | 3
Height         | 32U           | 14U           | 4U

Boards & sub-cards:
SPUA02 Boards: Detect Board (20Gbps throughput), Clean Board (20Gbps throughput)
SPUA01 Boards: Detect Board (10Gbps throughput), Clean Board (10Gbps throughput)
LPU Mother Boards: LPUF-40 motherboard (40Gbps throughput), LPUF-21 motherboard (20Gbps throughput)
LPU Sub-cards: 2*10GE, 20*GE optical, 1*10GE, 12*GE optical, 12*GE electrical, 1*10G POS
Types of defense against attacks
Comprehensive Attack Defense
Flood attacks:
• SYN flood
• ACK flood
• SYN-ACK flood
• FIN/RST flood
• TCP fragment flood
• UDP flood
• UDP fragment flood
• ICMP flood
Protocol vulnerability:
• IP Spoofing attack
• Land attack
• Fraggle attack
• WinNuke
• Ping of Death
• Tear Drop
• Smurf
• IP option
• Large ICMP
• DNS vulnerabilities
Application attacks:
• DNS query flood
• DNS reply flood
• DNS cache poisoning
• DNS reflection
• TCP connection flood
• TCP low-rate connection
• Sockstress
• HTTP flood
• HTTP retransmission
• HTTP slow headers
• HTTP slow post
• SIP flood
• HTTPS flood
• SSL DoS/DDoS
• Web application threat
Bots and worms:
• Fast-Flux
• LOIC
• HOIC
• Slowloris
• Pyloris
• HttpDosTool
• Slowhttptest
• Thc-ssl-dos
• ….
• Over 200 kinds of bots, worms and Trojans detected.
Scanning and sniffing:
• Port scanning
• IP scanning
• Tracert
• IP source routing packet control
• IP routing record packet control
Also listed: ICMP flood, SYN flood, TCP flood, UDP flood, ACK flood
A faster cleaner – the application switch
Diagram (S12700 application switch with ENP: flow table, microcode, POF). SDN controller with a northbound interface programming environment (Python, Java, REST, C) and the 3rd-party SDN API set of the SDN controller; upper-layer services: performance monitoring, basic forwarding, security monitoring, management protocol, policy control, tools, path control, routing protocol, server, event monitoring, resource status, system management.
POF config tool: Option 1: GUI; Option 2: editor command.
Users can create new packet types, tables, entries, etc. via the POF configure tool. Users can create any new protocol/packet types at will.
POF uses multiple flow tables for packet processing. Each flow table can realize one or more functions.
POF describes each field through its offset and length, and does not depend on the protocol format or the standard RFC. So users can freely modify the code, enhance it with new features, and try out new ideas.
Deploy new services or protocols easily
Up to 10Gpps
AntiDDoS V5R1
Full-Scale Reputation System
• Global botnet IP reputation: reputation database with 5 million IP addresses with dynamic updates on a daily basis.
• Local real-time session reputation: tens of millions of sessions guarantee authorized users' service access.
Fingerprint Protection
• Proactive botnet defense feature library: active zombie, Trojan horse, and worm control packet feature library and C&C domains library.
• Dynamic fingerprint learning: over 20,000 dynamic fingerprint features with real-time updates to find out attacks.
• Static fingerprints: dynamically updated signature database of global active zombie tools.
• Fingerprint + intelligent filtering based on session effectively defends against DDoS attacks from mobile terminals.
60+ Traffic Models
• 5 dimensions: qps, pps, bps, cps, and ratio
• 8 protocol families: IP, TCP, UDP, ICMP, HTTP, DNS, HTTPS, and SIP
• 38 protocol statuses: TCP Flags, TCP connections, TCP window size, UDP fragment, HTTP connections, HTTP URI, HTTP Host, SSL Renegotiating, DNS query, and DNS domain...
• 60+ traffic models: TCP SYN pps, UDP packet bps, DNS pps, HTTP get QPS, SIP pps, ICMP pps, TCP FIN pps, and TCP ACK pps...
T-grade Defense Performance
• 120G/240G LPU, 160G SPU
• 1.44Tbps defense performance
• Attack response time: <2s
• Latency: 80us
Alibaba - i.e. where did we apply it??
Challenge
• Frequent DDoS attacks of 10 Gbit/s to 100 Gbit/s
• Diversified attacks: frequent application-layer attacks
• Defense against DDoS attacks for thousands of tenants (small and medium-sized enterprises) and growth in return on investment
Solution
• Deploy Huawei Security gateways in bypass mode on the outgoing gateway server to protect carriers against more than 100 types of DDoS attacks.
• Offer operation features, such as fine-grained multi-tenancy configurations and self-services.
"Huawei's Anti-DDoS solution protects Alibaba from more than 40,000 DDoS attacks every year and more than 100 DDoS attacks per day. The largest attack traffic volume was 100 Gbps, which the solution handled without any issues. The solution is stable, accurate, and user-friendly."
---Wei Xingguo, department director of the Information Security Center
Or maybe together?
Who could build a joint "Scrubbing Center"?
• Alternative ISPs
• "Portals"
• Financial institutions
• Government institutions
Summing up
• It can be done, but it depends on many factors
• You can avoid "investing" in hardware/services
• The higher the cost of downtime, the more "investing" pays off
• It is worth thinking about cooperation – statistically an attack will hit only one or a few of the members