Solutions For Denial of Service (DoS) Minimization
Ian Quinn
APRICOT 2001, Kuala Lumpur, Malaysia
Juniper Networks, Inc. Copyright © 2000 - Proprietary & Confidential

Agenda
- The Impact Of Denial of Service (DoS)
- Detecting And Minimising DoS
  - SMURF Attacks
  - SYN Attacks
- Infrastructure Requirements
- Proactive Measures

Popular Points Of Attack And Pressure
[Figure: network diagram with labels Data Center, Peering Points, Service Providers & Regional/National Backbones, Customers On Access Circuits, Core Infrastructure]
- Actual targets
  - Customers
  - Datacenters
  - ISP servers
  - Infrastructure (eg routers)
- Additional pressure points
  - Access circuits
  - Peering points
  - Low bandwidth core links

What Are The Threats To A Service Provider
- Disruption of customer networks
  - Desirable to be able to assist customer
- Consumption of bandwidth
  - Lower bandwidth links susceptible
  - Often a big problem in Asia Pacific
- Network stability
  - Frequently a problem for older platforms
  - Related to additional workload, and performance headroom
- All affect service delivered

Emergence Of Distributed Denial Of Service (DDoS)
- Targeted largely at servers
- Harnessed networks of compromised machines

Specific Impact Of DoS In Asia Pacific
[Figure: DoS attack traffic from Tier 1 providers in the United States crossing Service Provider 1 to reach Service Providers 2 and 3 in Australia and New Zealand]

Impacts Of Security Incidents
- Customer service levels
  - Internet access, web farms, ecommerce
  - Especially if impact is repeated
- Support overhead
  - Especially in isolating and blocking Denial of Service (DoS) attacks
- Service provider reputation
- Service Level Agreement (SLA) breaches
  - SLA increasingly being offered
  - Multi-service networks change the game
- STRESS!!!
Generic Approach To DoS Attacks
- Use statistics to detect attack in progress
- Use sampling or logging to capture traffic for analysis
- Isolate attack
  - Attack type
  - Source (often difficult or impractical)
  - Destination
- Block or traceback the attack using filters
  - Filter on destination and protocols
  - Drop traffic or rate limit

Detecting Attacks
- Sudden changes in traffic profiles
  - Average packet size changes
  - Link utilisation increases
  - Traffic by destination address (source address normally forged or distributed)
- Generate alarms in response to changes
  - Alarm for closer human inspection
  - Overview easily available for NOC staff
  - Migrate to some level of automated response

Complicating Factors With DoS
- Distinguishing DoS traffic from normal usage
- Forged source address
  - More difficult to isolate and track attack
- Distributed attacks
  - Attack could enter from multiple points
  - Difficult to track back and shut down
- Blocking attacks that match valid traffic
  - Disruption of normal service

SMURF Attacks
[Figure: the attacker's workstation sends a broadcast ping to intermediary hosts (several on the same subnet); their replies are directed at the data server]
- The attacker sends a broadcast ping to an intermediary subnet using a forged source address
- The forged source address belongs to the target of the attack
- The result is an over-burdened CPU on the target server and overutilized access trunks
Dealing With SMURF Attacks
- Detection is achieved by using the count action within firewall filters
- The filtering is achieved by changing the accept to a discard
- The log action assists in the tracing

    term a {
        from {
            destination-address {
                10.1.1.0/24;
            }
            protocol icmp;
        }
        then {
            count icmp-counter;
            log;
            accept;
        }
    }
    term b {
        then accept;
    }

Dealing With SMURF Attacks
- Once the filter is applied to the interface, you can view the firewall counters
- If the ICMP counter increments quickly, an attack is underway

    unit 0 {
        family inet {
            filter {
                output count-icmp;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark> show firewall
    Filter/Counter       Packet count    Byte count
    count-icmp
    icmp-counter         78516           5025000

Dealing With SMURF Attacks
- Stopping the attack is a matter of changing the accept action to a discard
- Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient approach
  - Bandwidth resources are still wasted
- Also apply this filter at AS boundaries where the targeted host resides

Where Did That SMURF Come From?
- Finding the bad guy is not easy
- View show firewall log to see source addresses of ICMP traffic; however, this step identifies only the intermediary, not the attacker
- Contact the owner of the intermediary and ask him to
  - Disable broadcast pings
  - Track back the pings to the attacker
SYN Attacks
[Figure: the attacker sends a stream of SYNs toward the data server]
- The attacker sends a stream of SYNs to the server under attack using a forged source address
- The forged source address is unused by anyone
- The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks

SYN Attacks
- Correct three-way handshake:

    Client                      Server
      SYN ---------------------->
      <---------------------- SYN-ACK
      ACK ---------------------->

- During a SYN attack, the SYN-ACK never reaches the client
- Sockets remain open on the server
- The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks

Dealing With SYN Attacks
- Detection is achieved by configuring a firewall filter to count TCP versus SYN traffic
- Tracing is achieved by leveraging the sampling capability to derive the incoming interface

    term a {
        from {
            protocol tcp;
            tcp-flags syn;
        }
        then {
            count syn-packets;
            accept;
        }
    }
    term b {
        from {
            protocol tcp;
        }
        then {
            count tcp-packets;
            accept;
        }
    }

Details Of The Detection Process
- Once the filter is applied to the interface, you can view the counters
- If the ratio of SYN to TCP is high (> 1:5), a SYN attack is underway

    unit 0 {
        family inet {
            filter {
                output detect-syn-attack;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark# run show firewall
    Filter/Counter       Packet count    Byte count
    detect-syn-attack
    tcp-packets          289144          86743200
    syn-packets          56388           16916640

Dealing With SYN Attacks
- Stopping the attack is usually not an option
- If the attack is not distributed, you can change the accept action to discard and apply it to the ingress of all AS boundary routers
- If the attack is distributed, filtering SYNs also effectively shuts down the server
- Tracing the attack requires co-operation with peers of the network under attack
  - Examining the sampled output reveals the incoming interface
  - Repeat this process until the source is found

Infrastructure Requirements
- Sufficient forwarding capacity in times of stress
  - Large numbers of small packets
- Filtering to detect and block attacks
  - Filter on significant ICMP/IP/TCP/UDP fields
  - Implement consistently on all interface types, including logical interfaces (eg VLAN)
  - Sufficient performance to permit NOC to enable
- Rate limiting
  - Rate limit based on significant ICMP/IP/TCP/UDP fields
  - Sufficient performance to permit NOC to enable
- Sampling and logging for additional insight

Pro-active Approaches
[Figure: attack traffic entering the network, passing a switch, toward a host]
- More reliable and secure network
- Policy at AS boundaries to detect and minimize the effects of DoS attacks
- Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack

Proactive Planning
- Establish procedures for detecting security events
- Pre-plan response
  - Techniques for isolating the problem and tracking it through the network to a source
  - Standard responses to alleviate impact to service
- Train staff and practice
- Document and update a security policy
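The detection slides give the NOC two indicators, an icmp-counter that increments quickly and a SYN:TCP counter ratio above 1:5, and the proactive slides ask for scripts that warn the NOC when thresholds are exceeded. The script below is an added example, not from the original deck or from Juniper: it parses two `show firewall` snapshots in the layout the slides show (the second snapshot's values are constructed) and returns alarm lines. The thresholds, the 60 s polling interval and the snapshot values are assumptions; because term a accepts SYN packets before term b runs, tcp-packets counts only non-SYN TCP traffic, so the ratio is SYN to other TCP.

```python
import re

# Constructed sample: two `show firewall` snapshots 60 s apart, in the layout the
# slides show. Filter and counter names come from the slides; T1 values are made up.
SNAPSHOT_T0 = """\
Filter/Counter       Packet count    Byte count
count-icmp
icmp-counter         78516           5025000
detect-syn-attack
tcp-packets          289144          86743200
syn-packets          56388           16916640
"""
SNAPSHOT_T1 = """\
Filter/Counter       Packet count    Byte count
count-icmp
icmp-counter         120516          7713000
detect-syn-attack
tcp-packets          300144          90043200
syn-packets          70388           21116640
"""
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_show_firewall(text):
    """Return {filter_name: {counter_name: packet_count}} from the CLI output."""
    filters, current = {}, None
    for line in text.splitlines()[1:]:          # first line is the column header
        m = COUNTER_RE.match(line)
        if m and current is not None:
            filters[current][m.group(1)] = int(m.group(2))
        elif line.strip():                      # a line without numbers names a filter
            current = line.strip()
            filters[current] = {}
    return filters

def icmp_pps(before, after, interval_s):
    """ICMP packets/second seen by icmp-counter between two snapshots (SMURF check)."""
    delta = after["count-icmp"]["icmp-counter"] - before["count-icmp"]["icmp-counter"]
    return delta / interval_s

def syn_ratio(snap):
    """SYN packets per other TCP packet (term a accepts SYNs before term b counts)."""
    f = snap["detect-syn-attack"]
    return f["syn-packets"] / max(f["tcp-packets"], 1)

def alarms(before, after, interval_s, icmp_pps_max=100, syn_ratio_max=0.2):
    """Alarm lines for closer human inspection; thresholds are assumed, tune per link."""
    out = []
    rate = icmp_pps(before, after, interval_s)
    if rate > icmp_pps_max:
        out.append(f"icmp-counter at {rate:.0f} pps: possible SMURF in progress")
    ratio = syn_ratio(after)
    if ratio > syn_ratio_max:
        out.append(f"SYN:TCP ratio {ratio:.2f} exceeds 1:5: possible SYN attack")
    return out
```

Run from cron against successive `show firewall` captures; a non-empty result is what the NOC alarm should carry.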
Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
- Available from http://www.juniper.net/techcenter

Thank You
[email protected]
http://www.juniper.net

Proactive Measures
[Figure: network diagram with labels Data Center, Peering Points, Service Providers & Regional/National Backbones, Customers On Access Circuits, Core Infrastructure]
- Areas requiring attention
  - Core routers (protect)
  - Customers' access links (protect, and protect from)
  - Datacenters & ISP servers (protect)
  - Peering (protect, and protect from)

Securing The Core Routers
[Figure: core infrastructure with labels Performance, Authenticated protocols, Services, Secure mgmt access]
- Performance headroom
  - What happens when the going gets tough!
  - Protect the route processing capability
- Authenticated protocols
- Secure mgmt access
  - Authentication
  - Private access
  - Multi-level access authorisation

Protecting Data Center And Hosts
[Figure: data center hosts attached to the core]
- Permit only relevant traffic
  - Prevent traffic overwhelming server capacity
  - For example, http, https, icmp echo request
  - Drop traffic before it hits the server
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop

Securing Customer Access Links
[Figure: access layer (ATM/FR, T1, E1, DS1, OC-3, STM-1c, OC-3/12 ATM, ChDS3, ChOC-12) reaching the IP core over TDM backhaul infrastructure and the optical core]
- Limit traffic coming into the network from customers
  - Legitimate IP source addresses
  - Legitimate route announcements
  - Maybe rate limit ICMP
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop