PLNOG14: Can you live without a DDoS protection system? - Marek Janik

Transcript of PLNOG14: Can you live without a DDoS protection system? - Marek Janik

Can you live without a DDoS protection system?

Marek Janik

[email protected]

Agenda

• Attack types versus the types of potential victims

• Defence without hardware
  – As a service
  – Routing policy
  – Mechanisms in the "infrastructure"

• What to detect with?

• How to defend, i.e. "product placement"

• Where is Huawei equipment used?

• And what if we ...?

Attack type and "victim" type

• Attack
  – Volumetric
  – "Infrastructural"
  – Application-layer

• "Victim"
  – Company/DC
  – Operator
  – Operator with subscribers

Defence as a service

"On demand"

• Very expensive

Fixed subscription

• Expensive

• Delivered by specialised companies

• Experienced team of people

• Good equipment, although its scalability varies

• A service aimed at "companies"

Blackholing

• Redirecting traffic to /dev/null

• A simple and effective way to get rid of unwanted packets

• Who is it actually good for?
  – A company?
  – An alternative ISP?
  – A Tier-1 ISP?

Diverse BGP/IP feeds, or a lot of bandwidth

• Several BGP sessions to IXPs and ISPs

• The "no-export" community

• BGP changes - only for "companies"

• Hardly anyone can have an arbitrary amount of bandwidth

BGP Flowspec

• What we can cut
  – Source / Destination Prefix
  – IP Protocol (UDP, TCP, ICMP, etc.)
  – Source and/or Destination Port
  – ICMP Type and Code
  – TCP Flags
  – Packet Length
  – DSCP (Diffserv Code Point)
  – Fragment (DF, IsF, FF, LF)

• Actions
  – 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
  – 0x8007: traffic-action (sample)
  – 0x8008: redirect to VRF
  – 0x8009: traffic-marking (DSCP value)

• Who is it good for?

• How to feed flowspec?

• What does it defend against?
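As an added example (not from the slides and not Huawei's or any vendor's code), the Python below encodes one of the match/action combinations listed above into the wire format of RFC 5575: a destination-prefix, IP-protocol and source-port NLRI together with the traffic-rate and traffic-marking extended communities. The prefix 192.0.2.0/24, the UDP source port 123 and the DSCP value are constructed sample values.

```python
import ipaddress
import struct

# Flowspec component types (RFC 5575); components must appear in increasing type order
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Two of the extended-community actions named on the slide
TRAFFIC_RATE, TRAFFIC_MARKING = 0x8006, 0x8009


def prefix_component(ctype, cidr):
    """<type><prefix length in bits><prefix in ceil(len/8) bytes>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_eq_component(ctype, values):
    """One component matching any of the values (eq bit set, AND bit clear).
    Operator byte layout: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01)."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        width = 1 if v < 256 else 2          # len field: 00 = 1 byte, 01 = 2 bytes
        op = 0x01 | (0x10 if width == 2 else 0x00)
        if i == len(values) - 1:
            op |= 0x80                       # end-of-list flag on the last operator
        out.append(op)
        out += v.to_bytes(width, "big")
    return bytes(out)


def flowspec_nlri(dst_prefix, ip_proto=None, src_ports=()):
    """NLRI = one length byte (only the < 240 form is handled) + ordered components."""
    body = prefix_component(DEST_PREFIX, dst_prefix)
    if ip_proto is not None:
        body += numeric_eq_component(IP_PROTO, [ip_proto])
    if src_ports:
        body += numeric_eq_component(SRC_PORT, list(src_ports))
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length not handled in this example")
    return bytes([len(body)]) + body


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """0x8006: informational 2-byte AS + IEEE-754 float rate; 0.0 discards the flow."""
    return struct.pack(">HHf", TRAFFIC_RATE, asn, float(rate_bytes_per_sec))


def traffic_marking_community(dscp):
    """0x8009: five reserved zero bytes, then DSCP in the low 6 bits of the last byte."""
    return struct.pack(">H5xB", TRAFFIC_MARKING, dscp & 0x3F)


if __name__ == "__main__":
    # Constructed rule: discard UDP packets from source port 123 (NTP) towards 192.0.2.0/24
    print(flowspec_nlri("192.0.2.0/24", ip_proto=17, src_ports=[123]).hex())
    print(traffic_rate_community(0).hex())
```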

How to detect DDoS - NetFlow

Figure: NetFlow/sFlow collection architecture. NetFlow/sFlow packets from Customer 1, Customer 2 and Customer 3 cross the regional and backbone networks to Collectors; a management channel connects the Collectors to a Controller (HA). Note: Controller supports up to 30 Collectors.

How to detect DDoS – A specialised device

Figure: Anti-DDoS System at a Data Center with a Management Center, a Detecting Center and a Cleaning Center; traffic from the Internet to the customer network is split/mirrored onto a detecting link, and a divert-and-re-inject link carries the diversion-reinjection. Steps labelled in the figure: mirroring traffic for detection; the Detecting Center sends attack alerts to the Management Center; the Management Center sends a command to the cleaning device to divert traffic; a BGP host route is sent to divert traffic to the cleaning system; DDoS attack traffic is diverted to the cleaning center; the good traffic is sent back after cleaning; detecting and cleaning reports.

Protecting a DC/server/application

Figure: Anti-DDoS System protecting an internal network, with DDoS Detecting (Netflow Analyzer), DDoS Cleaning, a Management Center and the customer network behind the Internet edge. Steps labelled in the figure: NetFlow information of the service traffic; the Netflow analyzer sends attack alerts to the Management Center; the Management Center sends a command to the cleaning device to divert traffic; a BGP host route is sent to divert traffic to the cleaning system; DDoS attack traffic is diverted to the cleaning center; the good traffic is sent back after cleaning; cleaning reports.

Protecting an ISP/MAN/subscriber network

Comparison of the two methods

                       Data Center:                                 MAN/ISP:
                       Per Packet Detect & Accurate Clean           Netflow Detect & Accurate Clean
Detection method       Per-packet detection                         Flow sample and statistics detection
Detection ability      Bandwidth flood & application-layer attacks  Bandwidth flood attacks
Detection time         2~3 seconds                                  2~3 minutes
Suitable scenario      Data Center                                  Internet Gateway

In-line versus traffic diversion

• Defences that work in in-line mode or require bidirectional traffic diversion
  – ACK flood, FIN/RST flood,
  – TCP connection exhaustion,
  – DNS reply flood
  – DNS cache poisoning

Works with any DDoS detection system

• <189>2013-07-18 15:51:56 128.18.74.109 %%01SEC/5/ATCKDF(l): Anomaly ID:222; Creation Time: Mon Nov 7 15:30:20 2014; Update Time: Mon Nov 7 15:35:21 2014; Type: Traffic Anomaly; Sub-type: TCP SYN Flood; Severity: Red; Status: ongoing; Direction: Incoming; Resource: Zone; Resource ID: 666; Importance: High; Current: 678; Threshold:500; Unit: pps; DIP1:18.112.32.88; DIP2: ; DIP3: ; DPort1:23; DPort2: ; SIP1: ; SIP2: ; SIP3: ; SPort1: ; SPort2:; Protocol:6; URL to Link the Report:www.huawei.com
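As an added example that is not part of the slides or of any vendor's software, the Python below parses an ATCKDF alert in the format shown above into the fields a SOC or a mitigation controller would key on, and decides whether it describes an ongoing incoming anomaly above its threshold. The sample line is a constructed copy of the slide's alert, and the 1.2 trigger margin is an assumed value.

```python
import re

# Constructed copy of the ATCKDF alert format shown on the slide (addresses and times as on the slide)
SAMPLE_ALERT = (
    "<189>2013-07-18 15:51:56 128.18.74.109 %%01SEC/5/ATCKDF(l): Anomaly ID:222; "
    "Creation Time: Mon Nov 7 15:30:20 2014; Update Time: Mon Nov 7 15:35:21 2014; "
    "Type: Traffic Anomaly; Sub-type: TCP SYN Flood; Severity: Red; Status: ongoing; "
    "Direction: Incoming; Resource: Zone; Resource ID: 666; Importance: High; "
    "Current: 678; Threshold:500; Unit: pps; DIP1:18.112.32.88; DIP2: ; DIP3: ; "
    "DPort1:23; DPort2: ; SIP1: ; SIP2: ; SIP3: ; SPort1: ; SPort2:; Protocol:6; "
    "URL to Link the Report:www.huawei.com"
)

# syslog PRI, timestamp, reporting device, module/severity/mnemonic, then the "key: value;" body
HEADER = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+ \S+) (?P<host>\S+) (?P<mod>%%\S+?): (?P<body>.*)$")


def parse_atckdf(line):
    """Return the fields a responder needs as a dict, or None if the line is not an ATCKDF alert."""
    m = HEADER.match(line)
    if not m or "ATCKDF" not in m.group("mod"):
        return None
    fields = {}
    for part in m.group("body").split(";"):
        if ":" in part:                      # timestamps contain ':' too, so split on the first only
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    rec = {
        "host": m.group("host"),
        "anomaly_id": int(fields["Anomaly ID"]),
        "subtype": fields["Sub-type"],
        "severity": fields["Severity"],
        "status": fields["Status"],
        "direction": fields["Direction"],
        "current": int(fields["Current"]),
        "threshold": int(fields["Threshold"]),
        "unit": fields["Unit"],
        "protocol": int(fields["Protocol"]),
        # empty slots such as "DIP2: " are dropped
        "targets": [fields[k] for k in ("DIP1", "DIP2", "DIP3") if fields.get(k)],
        "dports": [int(fields[k]) for k in ("DPort1", "DPort2") if fields.get(k)],
    }
    rec["ratio"] = rec["current"] / rec["threshold"]
    return rec


def needs_mitigation(rec, min_ratio=1.2):
    """Divert-to-cleaning candidate: ongoing, incoming, red, and above threshold by an assumed margin."""
    return (rec is not None and rec["status"] == "ongoing" and rec["direction"] == "Incoming"
            and rec["severity"] == "Red" and rec["ratio"] >= min_ratio)
```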

The Huawei Anti-DDoS solution

Figure: ATIC Management Center (device management, service configuration, reports) connected to a Detecting Center (dedicated device for analyzing abnormal traffic) and a Cleaning Center (dedicated device for cleaning abnormal traffic).

Per Packet Detect and Clean Products (Anti-DDoS8000 Series)

Chassis          Anti-DDoS8160   Anti-DDoS8080   Anti-DDoS8030
Throughput       200Gbps         100Gbps         40Gbps
Port capacity    240Gbps         120Gbps         40Gbps
Slots number     16              8               3
Height           32U             14U             4U

Boards & sub-cards

SPUA02 Boards: Detect Board (20Gbps throughput), Clean Board (20Gbps throughput)

SPUA01 Boards: Detect Board (10Gbps throughput), Clean Board (10Gbps throughput)

LPU Mother Boards: LPUF-40 motherboard (40Gbps throughput), LPUF-21 motherboard (20Gbps throughput)

LPU Sub-cards: 2*10GE, 20*GE optical, 1*10GE, 12*GE optical, 12*GE electrical, 1*10G POS

Types of attack defence

Comprehensive Attack Defense

Flood Attacks

• SYN flood

• ACK flood

• SYN-ACK flood

• FIN/RST flood

• TCP fragment flood

• UDP flood

• UDP fragment flood

• ICMP flood

Protocol Vulnerability

• IP Spoofing attack

• Land attack

• Fraggle attack

• WinNuke

• Ping of Death

• Tear Drop

• Smurf

• IP option

• Large ICMP

• DNS vulnerabilities

Scanning And Sniffing

• Port scanning

• IP scanning

• Tracert

• IP source routing packet control

• IP routing record packet control

Application Attacks

• DNS query flood

• DNS reply flood

• DNS cache poisoning

• DNS reflection

• TCP connection flood

• TCP low-rate connection

• Sockstress

• HTTP flood

• HTTP retransmission

• HTTP slow headers

• HTTP slow post

• SIP flood

• HTTPS flood

• SSL DoS/DDoS

• Web application threat

Bots And worms

• Fast-Flux

• LOIC

• HOIC

• Slowloris

• Pyloris

• HttpDosTool

• Slowhttptest

• Thc-ssl-dos

• ….

• Over 200 kinds of bots, worms and Trojans detected

Also listed:

• ICMP flood

• SYN flood

• TCP flood

• UDP flood

• ACK flood

A faster cleaner – an application switch

Figure: SDN controller architecture. Northbound interface programming environment (Python, Java, REST, C) and the 3rd-party SDN API set of the SDN Controller; upper-layer services: performance monitoring, basic forwarding, security monitoring, management protocol, policy control, tools, path control, routing protocol; server-side event monitoring, resource status and system management; an S12700 switch with ENP, flow table and microcode; a POF config tool driving POF on the switch (Option 1: GUI, Option 2: editor command).

Users can create new packet types, tables, entries, etc. via the POF configuration tool. Users can create any new protocol/packet types at will.

POF uses multiple flow tables for packet processing. Each flow table can realize one or more functions.

POF describes each field through an offset and a length and does not depend on the protocol format or on a standard RFC, so users can freely modify the code, enhance it with new features, and try out new ideas.

Deploy new services or protocols easily.

Up to 10 Gpps.

AntiDDoS V5R1

Full-Scale Reputation System

• Global botnet IP reputation: reputation database with 5 million IP addresses, dynamically updated on a daily basis.

• Local real-time session reputation: tens of millions of sessions guarantee authorized users' service access.

• Proactive botnet defense feature library: active zombie, Trojan horse and worm control-packet feature library and C&C domain library.

Fingerprint Protection

• Dynamic fingerprint learning: over 20,000 dynamic fingerprint features with real-time updates to find attacks.

• Static fingerprints: dynamically updated signature database of globally active zombie tools.

• Fingerprint plus intelligent session-based filtering effectively defends against DDoS attacks from mobile terminals.

60+ Traffic Models

• 5 dimensions: qps, pps, bps, cps, and ratio

• 8 protocol families: IP, TCP, UDP, ICMP, HTTP, DNS, HTTPS, and SIP

• 38 protocol statuses: TCP flags, TCP connections, TCP window size, UDP fragment, HTTP connections, HTTP URI, HTTP Host, SSL renegotiation, DNS query, DNS domain...

• 60+ traffic models: TCP SYN pps, UDP packet bps, DNS pps, HTTP GET QPS, SIP pps, ICMP pps, TCP FIN pps, TCP ACK pps...

T-grade Defense Performance

• 120G/240G LPU, 160G SPU

• 1.44Tbps defense performance

• Attack response time: <2s

• Latency: 80us

Alibaba - so where have we applied this?

Challenge

• Frequent DDoS attacks of 10 Gbit/s to 100 Gbit/s

• Diversified attacks; frequent application-layer attacks

• Defense against DDoS attacks for thousands of tenants (small and medium-sized enterprises) and growth in return on investment

Solution

• Deploy Huawei security gateways in bypass mode on the outgoing gateway server to protect carriers against more than 100 types of DDoS attacks.

• Offer operation features, such as fine-grained multi-tenancy configurations and self-services.

"Huawei's Anti-DDoS solution protects Alibaba from more than 40,000 DDoS attacks every year and more than 100 DDoS attacks per day. The largest attack traffic volume was 100 Gbps, which the solution handled without any issues. The solution is stable, accurate, and user-friendly."

--- Wei Xingguo, department director of the Information Security Center

The Movie – "commercial break"

How about doing it together?

Who could build a shared "Scrubbing Center"?

• Alternative ISPs

• "Portals"

• Financial institutions

• Government institutions

Summing up

• It can be done, but it depends on many factors

• You can choose not to "invest" in hardware/services

• The higher the cost of downtime, the more it pays to "invest"

• Cooperation is worth considering – statistically an attack will hit only one or a few of the members

Marek Janik

[email protected]