Date post: 04-Oct-2020
Transcript
Page 1:

SDN DDoS

([email protected])

© 2008 Cisco Systems, Inc. All rights reserved. 1

Cisco Systems Korea

Page 2:

Cisco SDN 3.0 DDoS

DDoS

Cisco DDoS

Real Demo

Page 3:

Cisco SDN 3.0 DDoS

Page 4:

Cisco SDN (Self Defending Network)

Integrated, Adaptive, Collaborative

Cisco Self Defending Network

Page 5:

Cisco SDN 3.0 DDoS

Network Security

DDoS

Cisco Guard&Detector

Page 6:

DDoS

Page 7:

DDoS 1

Changed

Page 8:

DDoS 2

,

, / IT

[Chart: UDP Traffic and TCP Connection by half-year: 2006 2H, 2007 1H, 2007 2H, 2008 1H]

IT

./ TCP

(TCP/UDP/ICMP/IGMP)

Page 9:

DDoS

Page 10:

DDoS

Page 11:

DDoS ?

DDoS

Router & Switch Access-List

Router & Switch Blackhole Routing

Firewall & IPS Foundation Security

L7 Switch & Web Syn Cookie Proxy

Protection

Page 12:

/

ACL

(UDP,ICMP)

Manual ACL work

access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80

Affects the entire subnet

Null Routing …

Page 13:

Black hole & Sink hole routing

/

Routing

Blackhole Routing

ISP / IDC

.

Traffic .

Major .

Blackhole Trigger

Page 14:

Firewall / IPS

/

/IPS .

.

(DDoS + IPS)

DDoS .

H.W / S.W

(High CPU : 90 ~99%)

Page 15:

L7 Switch / Web

/

DNS

Proxy IP

Core Router

TCP Syn

Backbone

L7Switch

Server S.W

Web

UDP / TCP Outgoing .

DDoS .

.

Page 16:

Cisco Guard&Detector DDoS

[Diagram: Internet, Guard, Core Router, Backbone Switch, Detector and Network; labels MVP and Host IP; numbered steps 1 to 6]

Page 17:

Cisco Guard/Detector

Guard / Detector

Out Of Path

– 16G

- Active/Active .

TCP/UDP/ICMP/DNS/SIP << Cisco Guard/Detector >>

Page 18:

Cisco Guard/Detector DDoS .

Flood Attacks (TCP, UDP, ICMP): SYN Flood; UDP Flood; FIN, SYNACK Flood; Ping Flood; Smurf Flood; Combined UDP/TCP/ICMP

Fragmentation Attacks: IP/UDP, IP/ICMP, IP/TCP

HTTP Attacks: Connection Flood (Client attack); http errors 404 etc.; http half connections

BGP Attacks

DNS Attacks

SIP Attack

Page 19:

Cisco Guard/Detector TCP

Client (Source), Guard (Scrubber), Zone (Destination)

IP 192.2.3.4 Authenticated? NO

Generate Unique Cookie for IP 192.2.3.4

Check whether the cookie is valid, authenticate IP 192.2.3.4

IP 192.2.3.4 Authenticated? YES

Page 20:

Cisco Guard/Detector

ADM AGM

Type

Service Module Service Module

Type

Physical Port 7600/6500 Channel 7600/6500 Channel

10

Static(RHI)

10

Static(RHI)

Performance 2Gbps 3Gbps

Clustering 16Gbps

Zone 500 Zone 500 Zone

50 Zone

Zombie X 10

X 1ms

Page 21:

Real Case #1

Game item trading sites thrown into turmoil by a 'DDoS attack tool'

The server outages at major game item trading websites, which had been unable to provide normal service since last month because of DDoS attacks on their servers, turned out to be caused by an unidentified 'DDoS attack tool'.

Chosun Ilbo, 2007.10.15

The top two game item trading sites adopted the Cisco Guard/Detector solution

2007.12 to present: UDP/TCP DDoS attacks blocked

Game item trading sites resumed normal service !!!

Page 22:

Real Case #2

Pay up if you want to keep your service running

According to the industry on the 14th, DDoS attacks originating from China and aimed at small and mid-sized domestic sites are rampant. The attackers reportedly launch DDoS attacks against these sites to paralyze their service, then e-mail the administrators threatening to shut the service down altogether unless money, from several million to tens of millions of won, is deposited.

Money Today, 2007.02.11

A large domestic file-sharing site applied the Cisco Guard/Detector solution

Blocked TCP port 80 based connection-oriented attacks and various other attacks

File-sharing service resumed normally !!!

Page 23:

Real Case #3

[Diagram: Internet, Guard, Core Router, Backbone Switch, Firewall, Detector, Server Farm Switch; labels: Hijacking, Injection, Passive Monitoring, automatic notification when an attack occurs]

Page 24:

Real Case #4 IDC Mgmd SVC –

[Diagram: Internet, Core Backbone, Dist S.W, Clean Zone, Guard & Detector Cluster, subscriber networks]

Page 25:

Real Case #4 IDC Mgmd SVC –

[Diagram: Internet, Core Backbone, Dist S.W, subscriber networks, Clean Pipe System, ACE, Guard Cluster, Detector Cluster]

Page 26:

Real Case #7 ISP Mgmd SVC

[Diagram: international G.W, other ISPs, Peer Routers, Guard Cluster, Core Router, POP Router, subscriber, Detector, enterprise line, Premium enterprise line]

Page 27:

Why Cisco Guard&Detector…

DDoS

16G

( )

TCP, UDP

DNS, SIP

Active/Active

Out of Path

Routing

( ) DNS, SIP

DDoS

DDoS ….

Page 28:

DDoS

Page 29:

Demo Topology

[Diagram: Internet with botnet zombie PCs, Guard, Core Router, Backbone Switch, Firewall, Detector, Server Farm Switch, www.ciscofashion.com shopping mall; labels: Hijacking, Injection, Passive Monitoring, automatic notification when an attack occurs]

Page 30:

Cisco Guard & Detector DDoS