Boaz Elgar, Product Manager, November 2002
Confidential, © Riverhead Networks, Inc., 2002 2
Agenda
Some known DDoS attacks
Types of DDoS attacks
Current measures for blocking DDoS
Riverhead Solution overview
Riverhead Profile
Solution: Secure internet availability against crippling DDoS cyber-attacks
Customers: Large enterprises, new media companies, service providers and government organizations
Investors:
HQ: Cupertino, California
Products: Riverhead Guard and Detector - infrastructure security devices
Overview of DDoS attacks
DDoS Incidents Around The Globe
Global: World Economic Forum, CERT
Europe: Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, British Telecom, Cloud9
US: Amazon, Yahoo, CNN, e-Bay, e-Trade, Microsoft, White House, NY Times, NASA, OZ.Net
Rest of world: 200 small corporations, 30 educational organizations and 20 government systems (Korea), St George Bank (Australia)
Distributed Denial of Service: An Upstream Issue
Zombies on innocent computers
Server-level DDoS attacks
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks
Server-level DDoS attacks
Layer 4 attacks: TCP connection states SYN receive, Established, FIN_WAIT_1
Application layer attacks: 404 File Not Found flood, SSL, CGI, DNS bogus requests attack
TCP Level DDoS attacks
TCP SYN flood
Normal handshake: the client sends a SYN request and the server answers with SYN ACK.
Attack: zombies send spoofed SYN requests to the victim; the victim answers each with a SYN ACK and its waiting buffer overflows.
• One of the first CERT DDoS advisories issued – 9/1996
• http://www.cert.org/advisories/CA-1996-21.html
TCP SYN Flood
Firenet MD Mr Castle also stated: "The list of attacks were SYN flood attacks, IP spoofing the LAN interfaces, and total denial of service attacks. We had taken down the servers for 4 nights in a row, from 11 o'clock till 6.00 am daily and worked all through the night with BT fighting this hacker or hackers, and had stopped the problems on Wednesday night/Thursday morning."
News - February 3, 2002: Firenet ISP Suffers DoS Attack
NAPHTA: TCP connections
By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources and fill up the server's TCP connection buffer.
Leaves multiple connections in the FIN_WAIT_1 state on the server: http://people.internet2.edu/~shalunov/netkill
Sequence per connection: client SYN RQST, server SYN ACK, client ACK, HTTP request, server FIN (the server then sits in FIN_WAIT_1 waiting for an ACK that never comes).
Half open Connections
Repeatedly establishing a connection (SYN RQST, SYN ACK from the server) and then sending an unfinished request such as "GE" (the start of "GET"); the server waits for the end of the request. Result: application layer saturation.
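The three server-level patterns on the preceding slides (spoofed SYN flood, NAPHTA connections stuck in FIN_WAIT_1, and half-open HTTP requests) can all be spotted from the connection state the server is left in. The tracker below is an added example written for this page; it is not Riverhead Detector code. It replays a constructed packet trace (documentation addresses, a made-up victim socket `192.0.2.10:80`) through a simplified server-side TCP state machine and raises one alert per pattern; the thresholds are illustrative.

```python
from collections import Counter

# Constructed victim socket standing in for the slides' www.victim.com.
SERVER = ("192.0.2.10", 80)


def server_side_state(events):
    """Replay packets seen in front of the server and return, per client socket
    (ip, port), the state the server is left in plus what the client sent.

    Each event is (src_ip, src_port, dst_ip, dst_port, flags, payload) with
    flags as a string of TCP flag letters ("S", "SA", "A", "PA", "FA").
    The TCP close states are collapsed into CLOSED once the client answers.
    """
    conns = {}
    for src, sport, dst, dport, flags, payload in events:
        if (dst, dport) == SERVER:
            key, from_client = (src, sport), True
        elif (src, sport) == SERVER:
            key, from_client = (dst, dport), False
        else:
            continue  # not this server's traffic
        c = conns.setdefault(key, {"state": "NONE", "req": b""})
        if from_client:
            if "S" in flags:
                c["state"] = "SYN_RECV"        # server queues a half-open entry
            elif c["state"] == "SYN_RECV" and "A" in flags:
                c["state"] = "ESTABLISHED"     # third packet of the handshake
            c["req"] += payload                # accumulate the client's request bytes
            if "F" in flags or (c["state"] == "FIN_WAIT_1" and "A" in flags):
                c["state"] = "CLOSED"          # teardown completed
        elif "F" in flags:
            c["state"] = "FIN_WAIT_1"          # server sent FIN, now waits for the ACK
    return conns


def summarize(conns):
    """Count connections per state and, per client IP, the two stuck patterns
    the slides describe: unfinished HTTP requests and unacknowledged FINs."""
    per_state, stalled, fin_wait = Counter(), Counter(), Counter()
    for (ip, _port), c in conns.items():
        per_state[c["state"]] += 1
        if c["state"] == "ESTABLISHED" and c["req"] and b"\r\n\r\n" not in c["req"]:
            stalled[ip] += 1               # e.g. "GE" sent, header never completed
        if c["state"] == "FIN_WAIT_1":
            fin_wait[ip] += 1
    return per_state, stalled, fin_wait


def alerts(conns, syn_backlog=3, per_source=3):
    """Thresholds are illustrative; a real detector baselines them per service."""
    per_state, stalled, fin_wait = summarize(conns)
    out = []
    if per_state["SYN_RECV"] >= syn_backlog:      # spoofed sources differ, so count per victim
        out.append(("syn-flood", SERVER[0], per_state["SYN_RECV"]))
    out += [("half-open-requests", ip, n) for ip, n in stalled.items() if n >= per_source]
    out += [("naphta-fin-wait", ip, n) for ip, n in fin_wait.items() if n >= per_source]
    return sorted(out)


def constructed_sample():
    """Constructed packet trace (documentation addresses), not captured data."""
    s = SERVER
    ev = []
    # 1. A normal client: full request, answer, server closes, client ACKs the FIN.
    ev += [("10.0.0.5", 40000, *s, "S", b""), (*s, "10.0.0.5", 40000, "SA", b""),
           ("10.0.0.5", 40000, *s, "A", b""),
           ("10.0.0.5", 40000, *s, "PA", b"GET / HTTP/1.0\r\n\r\n"),
           (*s, "10.0.0.5", 40000, "PA", b"HTTP/1.0 200 OK\r\n\r\n"),
           (*s, "10.0.0.5", 40000, "FA", b""), ("10.0.0.5", 40000, *s, "A", b"")]
    # 2. Spoofed SYN flood: four SYNs from different sources, SYN ACKs never answered.
    for i in range(4):
        ip = f"198.51.100.{i + 1}"
        ev += [(ip, 1024 + i, *s, "S", b""), (*s, ip, 1024 + i, "SA", b"")]
    # 3. Half-open HTTP requests: one client opens three connections, sends only "GE".
    for p in (50001, 50002, 50003):
        ev += [("203.0.113.9", p, *s, "S", b""), (*s, "203.0.113.9", p, "SA", b""),
               ("203.0.113.9", p, *s, "A", b""), ("203.0.113.9", p, *s, "PA", b"GE")]
    # 4. NAPHTA: three completed requests whose client never ACKs the server's FIN.
    for p in (60001, 60002, 60003):
        ev += [("203.0.113.77", p, *s, "S", b""), (*s, "203.0.113.77", p, "SA", b""),
               ("203.0.113.77", p, *s, "A", b""),
               ("203.0.113.77", p, *s, "PA", b"GET /x HTTP/1.0\r\n\r\n"),
               (*s, "203.0.113.77", p, "PA", b"HTTP/1.0 200 OK\r\n\r\n"),
               (*s, "203.0.113.77", p, "FA", b"")]
    return ev


if __name__ == "__main__":
    for a in alerts(server_side_state(constructed_sample())):
        print(a)
```

Note the difference in what is counted: the SYN flood is counted per victim because the spoofed sources never repeat, whereas the half-open request and NAPHTA patterns are counted per source, since those need a real, non-spoofed client that completes the handshake.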
HTTP attack tool
First came out in January 1999!
(Screenshot of the tool's interface: fields for the target site and a proxy server, a button to fetch the latest target, and a rate control.)
Client attack
URL attacks: repeated request, repeated REFRESH, random URL
• Avoids proxy • Makes the server work hard • Large log file
Expensive requests: CGI, long forms, heavy search requests
http://all.net/journal/netsec/9512.html
Client attack on Lufthansa
“Wednesday morning, in a planned attack, demonstrators began accessing Lufthansa's Web site. Although demonstrators claim they knocked the site off-line for about 10 minutes, Lufthansa said the claim was untrue.”
“Lufthansa's servers got 67,004 hits per second at one point in the two-hour Web attack”
“The attack was planned to protest Lufthansa's contract with the German government to fly people who are denied asylum in Germany out of the country.”
Computerworld 6/21/01
Client attack on WTO
DNS attack
DNS request spoofing, random requests, reflectors
DNS recursive requests, amplification
Diagram: zombies send UDP traffic with a spoofed source to a DNS server, querying random names (www.bogus.com, www.bla-bla.com, www.*&^.com, www.!@$$.com); the replies to the recursive queries go to the spoofed source, the victim.
Bandwidth-level DDoS attacks
ICMP echo, ICMP unreachable, UDP flood, reflectors, Smurf flood
Reflectors
Diagram: a zombie holds a list of reflectors (Reflector-1, Reflector-2, Reflector-3, Reflector-4, …): proxies, web servers, DNS servers, SOCKS proxies, routers. It sends packets to them with the victim's address as source, and their replies hit the victim.
Reflectors -> Bandwidth attack
Reflectors = hosts that return a packet if one is sent to them: web servers, DNS servers and routers
• Return SYN ACK or RST in response to a SYN or other TCP packets with ACK
• ICMP Time Exceeded or Host Unreachable in response to particular IP packets
• Amplification if the sequence number is known (FTP, streaming…)
• DNS replies
http://grc.com/dos/drdos.htm
http://www.aciri.org/vern/papers/reflectors.CCR.01.pdf
Smurf Amplification
Diagram: the zombie sends 1 ping request with src = victim and dst = amp.255, the directed broadcast address of the amp/255.255.255.0 network; all 500 hosts on that network reply to the victim (500 echo replies for 1 request).
• Jan 1998
• http://www.cert.org/advisories/CA-1998-01.html
Smurf Tool
Came out in March 1999!
Set packet size from 10 to 1300 octets
Smurf attack: "Internet attack slows Web to a crawl; Assault on Oz.net affects entire area"
Tuesday, January 18, 2000
“The Seattle attack was most likely launched by a single person…”
an ISP serving 7,000 subscribers, is known to have been targeted in the so-called smurf attack in Seattle, the assault affected many, perhaps even most, of the Internet users in the Seattle area, said experts.
“… all the corporate or academic networks the smurf attacker used in the assault -- as many as 2,000 nationwide”
Cisco – stopping Smurf
```
no ip directed-broadcast
```
Translation of directed broadcast to physical MAC broadcasts is disabled. As of 12.0 this is the default.
Infrastructure-level DDoS attacks
BGP / OSPF / … attacks; SYN flood against TCP 179 (BGP) and SSH; ICMP attack; DNS attacks
Attacks directly on routers
Attacks directed at routers can have a broader impact than attacks directed at hosts.
Packets directed at a router may consume more CPU (slow path) than packets transiting the router.
October 2002: Massive attack on 13 DNS root servers
ICMP floods at 150K PPS (a primitive attack) took down 7 root servers for two hours
Attacks & Attack Tools examples
• Spoofed SYN flood, non-spoofed SYN flood
• UDP flood
• FIN, SYN ACK flood (spoofed and non-spoofed)
• Ping flood, Smurf flood, combined UDP/TCP/ICMP
• Targa3 attack
• Fragmentation attack: IP/UDP (jolt2), IP/ICMP (trash and fawx), IP/TCP
• HTTP connection flood (client attack): HTTP errors (404 etc.), HTTP half connections
• DNS attacks, BGP attacks on routers
Partial list of covered tools: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naphta, Trash…
How is DDoS handled?
Router Filtering
Built-in and distributed, but…
• Blocks good with bad
• Ineffective against random spoofing and application level attacks
• Potential performance degradation
• Manually intensive process
Diagram: ISP routers R1 to R5 with peering links and a Fast Ethernet segment to Server1, the Victim and Server2; ACLs and CARs are applied on the routers.
Cisco ACLs - 1
Use an ACL to determine which interface is being attacked and the characteristics of the attack. Initial ACL to determine the type of attack:
```
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit ip any any
interface serial 1/1
ip access-group 101 out
! Wait 10 seconds
no ip access-group 101 out
```
Cisco ACLs - 2
```
sh access-l 101
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
```
• Indications are that there is some sort of ICMP attack
• Need to place the ACL on each successive router in the upstream path
Cisco ACLs - 3
Next use 'log-input' to determine from where, via 'sho logging':
```
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
```
Serial 1/1 is our prime suspect!
Link: http://www.cisco.com/warp/public/707/22.html
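The two-step trace on the ACL slides (read the match counters to find the attack protocol, then read the `log-input` lines to find the ingress interface) is easy to automate when a router is logging thousands of lines. The script below is an added example for this page, not a Cisco or Riverhead tool. It parses the `sh access-l 101` output and the `%SEC-6-IPACCESSLOGDP` lines exactly as they appear on the slides; the only constructed addition is a fifth log line (source `10.9.8.7`, 37 packets) to show that per-line packet counts are summed rather than counted.

```python
import re
from collections import Counter

# Constructed input: the five ACE lines from the 'sh access-l 101' slide and the
# four IPACCESSLOGDP lines from the 'sho logging' slide, plus one extra log line
# (10.9.8.7, 37 packets) made up here to show that packet counts are summed.
SAMPLE_ACL = """\
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
"""

SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 10.9.8.7 (Serial1/1) -> 128.139.6.1 (0/0), 37 packets
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)\s*\((\d+) matches?\)")

# Written for the ICMP (...LOGDP) form shown on the slide; the optional "(port)"
# groups also accept the TCP/UDP (...LOGP) form "src(port) (iface) -> dst(port)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\(\d+\))? \((?P<iface>[^)]+)\) -> "
    r"(?P<dst>[\d.]+)(?:\(\d+\))?(?: \([^)]*\))?, (?P<count>\d+) packets?"
)


def matches_by_entry(show_output):
    """Map each ACE ('permit icmp any any echo-reply') to its match counter."""
    out = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, proto, rest, n = m.groups()
            out[f"{action} {proto} {rest}"] = int(n)
    return out


def dominant_protocol(show_output):
    """Protocol whose ACEs account for the most matches (ICMP on the slide)."""
    by_proto = Counter()
    for entry, n in matches_by_entry(show_output).items():
        by_proto[entry.split()[1]] += n
    return by_proto.most_common(1)[0][0] if by_proto else None


def parse_acl_log(text):
    """Parse log-input lines into dicts with acl, action, proto, src, iface, dst, count."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            r = m.groupdict()
            # With log-input on LAN interfaces IOS appends the source MAC after
            # the interface name; keep only the interface.
            r["iface"] = r["iface"].split()[0]
            r["count"] = int(r["count"])
            records.append(r)
    return records


def packets_by_interface(records):
    c = Counter()
    for r in records:
        c[r["iface"]] += r["count"]
    return c


def prime_suspect(records):
    """Ingress interface carrying most logged packets: the hop to follow upstream."""
    c = packets_by_interface(records)
    return c.most_common(1)[0][0] if c else None


if __name__ == "__main__":
    print("attack protocol:", dominant_protocol(SAMPLE_ACL))
    recs = parse_acl_log(SAMPLE_LOG)
    print("packets by interface:", dict(packets_by_interface(recs)))
    print("prime suspect:", prime_suspect(recs))
```

Run against the slide's data this reports ICMP as the protocol and Serial1/1 as the prime suspect; the same two functions are then applied to the next router upstream, which is the manual loop the slide describes.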
Cisco CAR
CAR – Committed Access Rate
```
interface ATM1/1/0.21 point-to-point
rate-limit input access-group 180 96000 24000 32000 conform-action continue exceed-action drop
rate-limit input access-group 190 128000 30000 30000 conform-action transmit exceed-action drop
!
access-list 180 deny icmp 128.139.252.0 0.0.0.255 any
access-list 180 permit icmp any any
access-list 190 deny tcp any any established
access-list 190 permit tcp any any
```
The three numbers after the access-group are the bandwidth (b/w), the normal burst in bytes and the max burst in bytes.
No one really understands "burst" – best to read: http://www.nanog.org/mtg-9811/ppt/witt/index.htm
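What the "burst" numbers do is clearer from a simulation than from the command syntax. The model below is an added example for this page, not Cisco's CAR implementation: it is a plain token bucket whose refill rate is the committed rate (96000 bps from the slide's ICMP line) and whose depth is the normal burst (24000 bytes). The extended burst (the third number, 32000) adds a probabilistic drop zone on top of this that is deliberately left out, so the model slightly undercounts what the router would let through. The flood sizes and rates are constructed.

```python
from collections import Counter


class CarBucket:
    """Single token bucket: the committed rate refills it, the normal burst is
    its depth. This is the conform/exceed core of CAR; Cisco's extended burst
    (the third number, 32000 on the slide) adds a probabilistic drop zone on
    top of it that is deliberately not modelled here."""

    def __init__(self, rate_bps, normal_burst_bytes):
        self.rate_bps = rate_bps
        self.depth = normal_burst_bytes
        self.tokens = normal_burst_bytes   # bucket starts full
        self.last_ms = 0

    def offer(self, size_bytes, now_ms):
        """Return "conform" or "exceed" for a packet of size_bytes arriving at now_ms."""
        elapsed_ms = now_ms - self.last_ms
        # Integer refill: rate_bps/8 bytes per second = rate_bps/8000 bytes per ms
        # (fractional bytes per ms are dropped, so odd rates refill slightly low).
        self.tokens = min(self.depth, self.tokens + elapsed_ms * self.rate_bps // 8000)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def run(bucket, packets):
    """packets: iterable of (size_bytes, arrival_ms); returns a Counter of verdicts."""
    verdicts = Counter()
    for size, t in packets:
        verdicts[bucket.offer(size, t)] += 1
    return verdicts


def constant_stream(pps, seconds, size_bytes):
    """Constructed load: evenly spaced packets, e.g. an ICMP flood of 64-byte echoes."""
    return [(size_bytes, i * 1000 // pps) for i in range(pps * seconds)]


def icmp_verdicts(pps, seconds=1, size_bytes=64):
    """Apply the slide's ICMP limit (access-group 180: 96000 bps, 24000-byte burst)."""
    return run(CarBucket(96000, 24000), constant_stream(pps, seconds, size_bytes))


if __name__ == "__main__":
    # 100 pps of echo requests fits in the committed rate; 1000 pps does not.
    print("normal ping traffic:", dict(icmp_verdicts(100)))
    print("1000 pps ICMP flood:", dict(icmp_verdicts(1000)))
```

At 1000 pps of 64-byte packets the first second lets through the full 24000-byte burst plus 12000 bytes of refill, i.e. 562 packets, and drops the remaining 438; at 100 pps everything conforms. That is the trade-off the next slides call "also limits good traffic": once the bucket is drained by the flood, a legitimate ping competes for the same 12 bytes per millisecond.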
Cisco uRPF
Diagram (Router A, Router B): a packet with a given source comes in; check the source in the routing table. Does routing back to the source go through the same interface? If the path back is on this line, accept the packet; if the path is via a different interface, reject the packet.
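The decision on the uRPF slide reduces to a longest-prefix lookup on the source address compared with the ingress interface. The code below is an added example for this page, not Cisco's implementation: it runs strict-mode uRPF over a constructed forwarding table (the interface names reuse those of the ACL log slide, the prefixes are made up) and shows which of four constructed packets a router with `ip verify unicast rpf` would accept. Packets whose source has no route at all are rejected as well; the table intentionally carries no default route.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface); the interface names
# reuse the ones from the ACL log slide, the prefixes are made up for the example.
ROUTES = [
    (ipaddress.ip_network("128.139.0.0/16"), "FastEthernet1/0/0"),   # customer block
    (ipaddress.ip_network("128.139.6.0/24"), "FastEthernet1/0/1"),   # more specific
    (ipaddress.ip_network("10.0.0.0/8"), "Serial1/1"),               # reached upstream
    (ipaddress.ip_network("172.16.0.0/12"), "Serial1/1"),
]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match for addr; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src, in_iface, routes=ROUTES):
    """Strict uRPF: accept only if the route back to the source leaves via the
    interface the packet arrived on. An unroutable source (no entry; the
    default route is intentionally absent from the table) is rejected too."""
    return best_route(src, routes) == in_iface


def filter_packets(packets, routes=ROUTES):
    """packets: (src, dst, ingress_iface) tuples. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for pkt in packets:
        src, _dst, in_iface = pkt
        (accepted if urpf_strict(src, in_iface, routes) else rejected).append(pkt)
    return accepted, rejected


# Constructed packets, as a router running 'ip verify unicast rpf' would see them.
SAMPLE_PACKETS = [
    ("128.139.19.5", "10.1.1.1", "FastEthernet1/0/0"),   # genuine customer source
    ("128.139.6.1", "10.1.1.1", "FastEthernet1/0/0"),    # that /24 lives on 1/0/1: spoofed
    ("192.168.1.1", "128.139.19.5", "Serial1/1"),        # no route back at all: spoofed
    ("10.1.2.3", "128.139.19.5", "Serial1/1"),           # genuine upstream source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check only works where routing is symmetric, which is why the next slide lists it as an interface command for edges (customer and single-homed links) rather than for peering links, where the path back to a source may legitimately leave through another interface.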
Cisco uRPF - 1
Unicast Reverse Path Forwarding. Requires CEF. Available starting in 11.1(17)CC and 12.0
• Not available in 11.2 or 11.3 images
Cisco interface command: ip verify unicast rpf
Blackholing
Diagram: the same ISP network as for router filtering (R1 to R5, peering links, Server1, the Victim and Server2); blackholing the victim on the routers = disconnecting the customer.
Null0 routing
Works only on destination addresses
Simple blackhole:
```
ip route 191.1.1.1 255.255.255.255 null0
```
Caveat: routers can forward faster than they can drop packets
Blackholes good packets with the bad packets
Router Capabilities

| Capability | Limitations |
| --- | --- |
| ACLs | Manual process; performance impact on some routers |
| CAR | Performance impact on some routers; also limits good traffic |
| uRPF | Not enforced; limited attack protection |

Issue: • Too coarse – affects good as well as bad traffic • Router CPU/ASIC limitations – impacts performance • Ineffective on several different attacks
Blocks good along with the bad
In-line Mitigation: Edge Device
Low cost and simple deployment, but…
• Upstream ingress still choked
• Device itself becomes point of failure
• Doesn't scale – requires many
• Easy to overwhelm a FW
Diagram: the same ISP network, with the mitigation device placed in-line at the edge in front of Server1, the Victim and Server2.
Diversion and Precise Filtering
Protects all resources
• No point of failure or latency on critical path
• No router impact
• Scales via sharing
• Dynamic and precise filtering
Diagram: the same ISP network, with Guard devices attached to the routers off the critical path (next to R4 and R5) so that only the victim's traffic is diverted to them.
Solution Overview
Diagram: Victim and non-victimized servers behind the ISP.
DDoS Detection = Riverhead Detector
DDoS Protection = Riverhead Guard
Upstream = not on the critical path
Solution Overview
1. Detect: Riverhead Detector, or an IDS system, firewall or health checks
2. Activate: auto/manual
3. Divert only the victim's traffic: the Riverhead Guard issues a BGP announcement for the victim; non-victimized servers are unaffected
Solution Overview
Traffic destined to the victim is hijacked to the Riverhead Guard via BGP; only the legitimate traffic to the victim is injected back toward the victim. Non-victimized servers are untouched.
"No dynamic configuration"
Hijack traffic = BGP
Inject = GRE, VRF, VLAN, FBF, PBR…
Adaptive and Dynamic Filtering
Static & dynamic filters
Anti-spoofing
Statistical analysis
Rate-limiting & DDoS traffic shaping (per flow queues and aggregate rates)
Layer 7: HTTP, SMTP
1 to 100s of dynamic filters by flow, protocol, …
ISP Perimeter Protection
ISP Edge Protection
IDC Enterprise Protection
Actual Production Network
Diagram: Cisco Catalyst 8500 and GSR 12000 at the core, links to ISP 1 and ISP 2, a firewall in front of the internal network, the Riverhead Guard attached on Gigabit Ethernet, a Catalyst with IDS, and the customers' servers. Routers: Cisco, Juniper, Foundry, etc. Detection: Riverhead or other detectors raise the alert.
Live Data Center Test
Diagram: user experience measured end to end. Victim & Guard: actual hosting center (Netax, Philadelphia). Attackers: Mercury Interactive.
Real World Results
Detailed Effect: Victim vs Non-victim
Chart: latency (usec, log scale from 100 to 10000) over time for "Latency to Victim" and "Latency to Non-Victim", across three phases: normal, attack, attack + diversion.