Cisco SDN 3.0 DDoS
DDoS
Cisco DDoS
Real Demo
© 2008 Cisco Systems, Inc. All rights reserved. 2
Cisco SDN 3.0 DDoS
Cisco SDN (Self Defending Network): Integrated, Adaptive, Collaborative
Cisco SDN 3.0 DDoS
Network Security
DDoS
Cisco Guard&Detector
DDoS
DDoS 1
Changed
……
DDoS 2
[Chart: attack traffic by half-year (2006 2H, 2007 1H, 2007 2H, 2008 1H), showing the shift from UDP traffic floods toward TCP connection attacks]
TCP (TCP/UDP/ICMP/IGMP) DDoS
DDoS
DDoS defense options?
- Router & Switch: Access-List
- Router & Switch: Blackhole Routing
- Firewall & IPS: Foundation Security
- L7 Switch & Web: SYN Cookie Proxy
- DDoS Protection
Pros / cons:
- ACL filtering (UDP, ICMP)
- ACLs are manual work, for example:
  access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
- A block affects the entire subnet
- ...
Null Routing ...
Black hole & sink hole routing
Pros / cons:
- Blackhole routing
- ISP / IDC ...
- Traffic ...
- Major ...
- Blackhole trigger
Firewall / IPS
Pros / cons:
- Firewall / IPS ...
- (DDoS + IPS) ...
- DDoS ...
- H.W / S.W ... (High CPU: 90~99%)
L7 Switch / Web
Pros / cons:
[Diagram: Core Router / Backbone -> L7 Switch acting as TCP SYN proxy (Proxy IP, DNS) -> Web server S.W]
- UDP / TCP outgoing ...
- DDoS ...
Cisco Guard & Detector DDoS
[Diagram: Internet -> Core Router -> Backbone Switch -> Network; Detector attached to the backbone switch (steps 1, 2), target Host IP (3), Guard attached to the core router (4), MVP (5), return of clean traffic (6)]
Cisco Guard/Detector
Guard / Detector:
- Out of path
- 16G
- Active/Active
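The Detector side of the workflow shown above is, at its core, a per-destination rate baseline with a threshold that triggers diversion of the victim host to the Guard. The following is an added example written for this page, not Cisco Detector code: it learns a packet-rate baseline per (destination, protocol) from a quiet window, flags seconds that exceed mean + k * stddev, and returns the /32 routes a Detector would hand to the Guard. The flow records, the learning window length and the threshold parameters are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (second, destination IP, protocol, packets).
# Not Detector output. Seconds 0-9 are the quiet learning window; from second
# 10 a UDP flood hits 10.0.0.5 while its TCP traffic and the neighbour
# 10.0.0.7 stay at their normal rates.
FLOWS = []
for t in range(10):
    FLOWS += [
        (t, "10.0.0.5", "tcp", 120 + (t % 3) * 5),
        (t, "10.0.0.5", "udp", 30 + (t % 2) * 4),
        (t, "10.0.0.7", "tcp", 80 + (t % 4) * 3),
    ]
for t in range(10, 13):
    FLOWS += [
        (t, "10.0.0.5", "tcp", 125),
        (t, "10.0.0.5", "udp", 9000),   # the flood
        (t, "10.0.0.7", "tcp", 82),
    ]


def per_second_rates(flows):
    """Aggregate flows into (dst, proto) -> {second: packets}."""
    rates = defaultdict(lambda: defaultdict(int))
    for t, dst, proto, pkts in flows:
        rates[(dst, proto)][t] += pkts
    return rates


def learn_baseline(rates, learn_seconds, k=3.0, min_pps=50):
    """Threshold per (dst, proto): mean + k*stddev over the learning window,
    floored at min_pps so an almost constant baseline does not alert on noise."""
    thresholds = {}
    for key, series in rates.items():
        sample = [series.get(t, 0) for t in range(learn_seconds)]
        thresholds[key] = max(mean(sample) + k * pstdev(sample), min_pps)
    return thresholds


def detect(flows, learn_seconds=10, k=3.0):
    """Return anomalies as (second, dst, proto, pps, threshold) for every
    second after the learning window whose rate exceeds its threshold."""
    rates = per_second_rates(flows)
    thresholds = learn_baseline(rates, learn_seconds, k)
    anomalies = []
    for (dst, proto), series in rates.items():
        for t in sorted(series):
            if t >= learn_seconds and series[t] > thresholds[(dst, proto)]:
                anomalies.append((t, dst, proto, series[t], thresholds[(dst, proto)]))
    return sorted(anomalies)


def divert_targets(anomalies):
    """The host routes a Detector would hand to the Guard for diversion."""
    return {f"{dst}/32" for _, dst, _, _, _ in anomalies}


if __name__ == "__main__":
    found = detect(FLOWS)
    for sec, dst, proto, pps, thr in found:
        print(f"t={sec}s {dst} {proto}: {pps} pps > threshold {thr:.0f}")
    print("divert:", divert_targets(found))
```

Only the flooded (destination, protocol) pair trips the threshold; the victim's own TCP traffic and the neighbouring host stay under their baselines, so only 10.0.0.5/32 would be diverted and the rest of the subnet keeps its normal path, which is the difference from the subnet-wide ACL and blackhole approaches.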
<< Cisco Guard/Detector >> TCP/UDP/ICMP/DNS/SIP
Cisco Guard/Detector blocks the following DDoS attacks:
- Flood attacks (TCP, UDP, ICMP): SYN flood, UDP flood, FIN / SYNACK flood, Ping flood, Smurf flood, combined UDP/TCP/ICMP
- Fragmentation attacks: IP/UDP, IP/ICMP, IP/TCP
- HTTP attacks: connection flood (client attack), HTTP errors (404 etc.), HTTP half connections
- BGP attacks, DNS attacks, SIP attacks
Cisco Guard/Detector TCP source authentication
Roles: Client (Source) -> Guard (Scrubber) -> Zone (Destination)
1. Client IP 192.2.3.4 sends a SYN. Guard: IP 192.2.3.4 authenticated? NO. The Guard generates a unique cookie for IP 192.2.3.4 and returns it.
2. The Guard checks whether the cookie the client sends back is valid and, if so, authenticates IP 192.2.3.4.
3. IP 192.2.3.4 authenticated? YES: the client's traffic is passed on to the zone.
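The exchange above is a SYN-cookie style source check: the Guard answers an unknown source with a value only the true owner of that address can echo back, and keeps no per-SYN state until the echo arrives. The following is an added example written for this page, not Cisco Guard code. It models that flow with an HMAC-derived cookie as the initial sequence number and a time slot so stale cookies expire; the class name, the zone address 192.2.3.10, the secret, the fake clock and the attacker addresses are assumptions, while 192.2.3.4 is the client address from the slide.

```python
import hashlib
import hmac
import struct

# Added example (not Cisco Guard code): a SYN-cookie style source
# authenticator modelling the Guard anti-spoofing flow. The first SYN from
# an unknown source gets a SYN-ACK whose initial sequence number is a keyed
# cookie; nothing is stored per SYN. Only a source that really receives the
# SYN-ACK can answer with ACK = cookie + 1, so spoofed sources never become
# authenticated and their traffic never reaches the zone.


class SourceAuthenticator:
    def __init__(self, secret: bytes, window_seconds: int = 60, clock=None):
        self.secret = secret
        self.window = window_seconds
        self.clock = clock or (lambda: 0)   # injectable clock (assumption)
        self.authenticated = set()          # source IPs that completed a handshake

    def _slot(self):
        return int(self.clock()) // self.window

    def _cookie(self, src, dst, sport, dport, slot):
        # HMAC over the 4-tuple and the time slot, truncated to a 32-bit ISN.
        msg = f"{src}:{sport}>{dst}:{dport}".encode() + struct.pack("!Q", slot)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0]

    def on_syn(self, src, dst, sport, dport):
        """('forward', None) for an authenticated source, else
        ('synack', isn): reply with isn as the cookie and keep no state."""
        if src in self.authenticated:
            return ("forward", None)
        return ("synack", self._cookie(src, dst, sport, dport, self._slot()))

    def on_ack(self, src, dst, sport, dport, ack):
        """Accept ACK = cookie + 1 for the current or previous slot;
        success authenticates src for its later connections."""
        if src in self.authenticated:
            return True
        slot = self._slot()
        for s in (slot, slot - 1):
            if (self._cookie(src, dst, sport, dport, s) + 1) & 0xFFFFFFFF == ack:
                self.authenticated.add(src)
                return True
        return False


def simulate():
    """Legitimate client vs. spoofing attacker against the same zone."""
    now = [1000]                            # mutable fake clock, in seconds
    guard = SourceAuthenticator(b"zone-secret", window_seconds=60, clock=lambda: now[0])
    zone, port = "192.2.3.10", 80           # assumed zone address

    # 1. Unknown legitimate client: the SYN is answered with a cookie, not forwarded.
    legit_first, isn = guard.on_syn("192.2.3.4", zone, 40000, port)
    # 2. The real owner of 192.2.3.4 receives the SYN-ACK and echoes cookie + 1.
    legit_auth = guard.on_ack("192.2.3.4", zone, 40000, port, (isn + 1) & 0xFFFFFFFF)
    # 3. Now authenticated: the next SYN goes straight through to the zone.
    legit_second, _ = guard.on_syn("192.2.3.4", zone, 40001, port)

    # Spoofed SYN flood: SYN-ACKs go to the spoofed address, the attacker never
    # sees the cookie, and a guessed ACK number authenticates nothing.
    spoof_action, _ = guard.on_syn("203.0.113.9", zone, 1234, port)
    spoof_auth = guard.on_ack("203.0.113.9", zone, 1234, port, 0x12345678)

    # Stale cookie: an ACK replayed two windows later is rejected.
    _, old_isn = guard.on_syn("198.51.100.7", zone, 5555, port)
    now[0] += 2 * 60
    stale_auth = guard.on_ack("198.51.100.7", zone, 5555, port, (old_isn + 1) & 0xFFFFFFFF)

    return {
        "legit_first": legit_first, "legit_auth": legit_auth, "legit_second": legit_second,
        "spoof_action": spoof_action, "spoof_auth": spoof_auth, "stale_auth": stale_auth,
        "authenticated": sorted(guard.authenticated),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two points of the design carry over to any scrubber: the cookie is keyed and bound to the 4-tuple and a time slot, so an attacker who observes one cookie cannot reuse it for other flows or later; and the authenticated set is keyed by source IP only after a completed exchange, so a spoofed flood costs the scrubber no memory.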
Cisco Guard/Detector service modules: ADM (Anomaly Detector Module) / AGM (Anomaly Guard Module)
- Type: Service Module (both)
- Physical port: 7600/6500 channel (both)
- 10 / Static (RHI) (both)
- Performance: 2Gbps / 3Gbps; clustering 16Gbps
- Zones: 500 / 50
- Zombie x 10
- x 1ms
Real Case #1
Game-item trading sites at the mercy of a 'DDoS attack tool'
"It has been revealed that the server outages at major game-item trading websites, which have been unable to provide normal service since last month because of DDoS attacks on their servers, were caused by an unidentified 'DDoS attack tool'."
Chosun Ilbo, 2007.10.15
The top two game-item trading sites adopted the Cisco Guard/Detector solution
UDP/TCP DDoS attacks blocked from 2007.12 to the present
Game-item trading sites resumed normal service!!!
Real Case #2
"Pay up if you want to keep your service running"
"According to industry sources on the 14th, DDoS attacks originating in China and aimed at small and medium-sized domestic sites are surging. The attackers reportedly launch DDoS attacks to paralyze these sites' services, then e-mail the administrators threatening to shut the service down entirely unless a sum ranging from a few million to tens of millions of won is deposited."
Money Today, 2007.02.11
A major domestic file-sharing site deployed the Cisco Guard/Detector solution
Blocked TCP port 80 connection-oriented attacks and a variety of other attacks
File-sharing service resumed normal operation!!!
Real Case #3
[Diagram: Internet -> Core Router -> Backbone Switch -> Firewall -> Server Farm Switch; Guard attached at the Core Router (hijacking by route injection); Detector attached at the server farm switch (passive monitoring, automatic notification when an attack occurs)]
Real Case #4: IDC Managed Service
[Diagram: Internet -> Core Backbone -> Dist S.W -> subscriber networks; Guard & Detector cluster in a Clean Zone]
Real Case #4: IDC Managed Service (Clean Pipe)
[Diagram: Internet -> Core Backbone -> Dist S.W -> subscriber networks; Clean Pipe System built from ACE, a Guard cluster and a Detector cluster]
Real Case #7: ISP Managed Service
[Diagram: international gateway and other ISPs -> Peer Routers -> Core Router -> POP Router -> subscribers; Guard cluster at the core, Detector on the subscriber side; enterprise lines and premium enterprise lines]
Why Cisco Guard & Detector...
- DDoS ...
- 16G
- TCP, UDP, DNS, SIP
- Active/Active
- Out of path routing
DDoS ….
DDoS
Demo Topology
[Diagram: Internet / botnet zombie PCs -> Core Router -> Backbone Switch -> Firewall -> Server Farm Switch; Guard attached at the Core Router (hijacking by route injection); Detector attached at the server farm switch (passive monitoring, automatic notification when an attack occurs)]
www.ciscofashion.com shopping mall, protected by Cisco Guard & Detector (DDoS)
…