Date posted: 16-Mar-2019
Page 1: DDoS Attacks - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKSEC-2766.pdf · • Distributed Denial of Service (DDoS) is a very lucrative activity for

DDoS Attacks: an End-to-End Mitigation

Nicolas Fevrier, Technical Leader Engineering, @CiscoIOSXR
Eric Kostlan, Technical Marketing Engineer

Agenda

• Introduction, DDoS Attacks Landscape

• Deployment Models

• Mitigation of
  • Amplification Attacks and other L3 Stateless Attacks
  • HTTP and SSL Volumetric Attacks
  • Attacks on Application and Resources

• End-to-End Mitigation, Cisco Solutions

• Conclusion

Introduction

• Audience: Service Providers and Enterprises

• Out of the scope of this session:
  • hardening servers against DDoS attacks

• How do we define a DDoS?
  • Distributed: many sources
  • Denial of Service: makes the resource unreachable or out-of-service

• Many tools presented here, no “one-fit-all” solution

Introduction: DDoS Attacks Landscape

Introduction

• Do we still need to explain the risk in 2016?

• Distributed Denial of Service (DDoS) is a very lucrative activity for attackers

• Victims:
  • ISP, Hosting Services
  • Governments, Education
  • Enterprises
  • Individuals

Everyone is at risk.

• Just scratching the surface: attack complexity is increasing

• DDoS Mitigation is about business continuity

http://www.pcworld.com/article/3002356/protonmail-recovers-from-ddos-punch-after-being-extorted.html

Where are they coming from?

• Compromised sources / botnets (zombies)
  • Unpatched CMS (Content Management Systems)
  • IAD (home routers) running old software versions
  • Unpatched internet services (DNS/NTP…)

• Cloud (booters or legitimate services)

• Sooner or later, 4G/5G mobile handsets

• IoT (“Botnets of Things”)

Largest DDoS Attack in History

DDoS Failure Points Within the Network

The Internet pipe became the #1 failure point in 2014

• Extra-large attacks are seen on a daily basis

• Attacks are targeting all types of organisations

• Enabled by “better” technology at the attacker’s disposal, via reflective attacks

ATLAS Initiative: Attack Sizes

"Last year, we highlighted that 20 percent of respondents reported attacks over 50 Gbps … This year nearly one-quarter of respondents report peak attack sizes over 100 Gbps."

DDoS Mitigation

Black Holing is NOT DDoS Mitigation

• RTBH
  • BGP dummy route advertised
  • Route to null or route to a forensic probe
  • Based on source or destination address
  • Better granularity with FlowSpec

• All traffic (good and bad) is dropped

• Limits collateral damage, but the attackers’ main objective is attained

DDoS Mitigation

Mitigation implies business continuity

• Sink Holing to scrubbing device(s)
  • Differentiation of legitimate and malicious traffic
  • Victim’s services maintained
  • Collateral damage avoided

But some types of traffic can only be malicious…

Different Business, Different Targets: Enterprise or Service Provider?

[Diagram: reference topology used in the following slides. The Internet connects through Peering/Transit to the SP Core, which serves a Data Centre (Firewall, Web Server, Web Cache, Database), an Enterprise behind a PE router (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI, LB/SSL) and a Residential edge via Aggregation.]

Different Business, Different Targets: Data Centre and Hosting

[Diagram: Data Centre (Firewall, Web Server, Web Cache, Database) behind the DC edge, Core and Peering/Transit; attack points marked on the DC link, the firewall, the servers and the database.]

• Volumetric attacks can saturate the DC router link

• Session floods can overwhelm stateful firewall capacity

• HTTP attacks can exhaust the web server and cache

• Query attacks can exceed database capacity

• Slow-pace attacks can consume server resources (stack, etc.)

Different Business, Different Targets: Enterprise

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI, LB/SSL) behind a PE router, Core and Peering/Transit; attack points marked on the PE link, the firewall/IDS and the servers.]

• Volumetric attacks can saturate the PE router link

• Session floods can overwhelm stateful firewall or IDS capacity

• Slow-pace attacks can consume server resources (TCP stack, applications, etc.)

Different Business, Different Targets: Residential Service Provider

[Diagram: Residential subscribers behind an Aggregation device, Edge, Core and Peering/Transit; attack points marked on the access and aggregation devices and on the subscribers.]

• Volumetric attacks on DSL/Cable subscribers
  • Can saturate the access and aggregation devices
  • An attack against an individual can impact all subscribers served by the same access device


Deployment Models

Deployment Models: In-the-Cloud / On-Premises Services

• In-the-Cloud services
  • DNS-based DDoS Protection
  • BGP “inter-AS” based DDoS Protection
  • ISP DDoS Mitigation

• On-Premises services
  • Centralised
  • Distributed
  • Mixed
  • In-line

In-the-Cloud Services: DNS-based DDoS Protection

[Diagram, before diversion: the local DNS asks “Where is mysite.com?” and is answered “mysite.com is 1.2.3.4”; both legitimate traffic and attack traffic to mysite.com reach 1.2.3.4 directly, and the DDoS Mitigation Service’s scrubbing device is not in the path.]

• Free service offered by various companies on the internet

• Based on DNS only

In-the-Cloud Services: DNS-based DDoS Protection

[Diagram, after diversion: the DNS record now answers “mysite.com is 5.6.7.8”, the mitigation service’s proxy; traffic and attack traffic to mysite.com pass through the scrubbing device, while traffic sent directly to 1.2.3.4 still reaches the server.]

• Traffic is diverted by announcing a new DNS record

• Good traffic is sent on to the original IP address

• Limits: easy to bypass this protection when the victim’s IP address is known

In-the-Cloud Services: BGP-based “inter-AS” DDoS Protection

• Traffic to the victim is steered into the DDoS protection service by advertising a /24 prefix owned by the victim

• Similar to BGP hijacking

• Good traffic is filtered and transmitted through a tunnel to the victim

[Diagram, before diversion: mysite.com is 1.2.3.4, inside the victim’s 1.2.0.0/16 BGP announcement; traffic and attack traffic to 1.2.3.4 flow directly to it.]

In-the-Cloud Services: BGP-based “inter-AS” DDoS Protection

Limits

• Most specific prefix advertised in the internet: a /24 attracts all traffic for the prefix, not only the victim’s

• Similar to BGP hijacking

• Future adoption of BGP Origin Validation could make this approach challenging

[Diagram, after diversion: the DDoS Mitigation Service announces the more specific 1.2.3.0/24 alongside the victim’s 1.2.0.0/16; traffic and attack traffic to 1.2.3.4 now reach the scrubbing device first.]

In-the-Cloud Services: DDoS Mitigation as a Service

• End customers can buy the service from their ISP and manage their DDoS mitigation themselves

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI) behind its Edge; the ISP’s scrubbing device sits between the Enterprise and the Internet; the Enterprise calls for help.]


On-Premises: Centralised vs Distributed

• The Centralised approach: a dedicated part of the network, the scrubbing centre, is used for mitigation

• The Centralised approach: traffic targeted at the victim is diverted via the scrubbing centre

• The Distributed approach: scrubbers are installed at the edge of the backbone

• Mixed model: distributed scrubbers do the main scrubbing work, and the scrubbing centre handles the extra load when necessary

[Diagrams: Transit and Peering routers feeding the Core toward the Victim, with a Scrubbing Centre attached to the Core (centralised and mixed models) or scrubbers placed at the Transit/Peering edge (distributed model).]

Attack Detection: Sampling

• One approach consists of sampling packets and sending statistics to a NetFlow collector

[Diagram: Transit, Peering and Core routers export NetFlow to a Collector, which reports “Attack detected” for the Victim.]

Problem: cannot detect low-speed attacks

Attack Detection: In-line Inspection

• The other approach consists of inspecting all packets, in both directions
  • Cannot be done in the core at several times 100 Gbps
  • Needs to be closer to the service platforms
  • Can correlate traffic from both directions

[Diagram: FP9300 in-line in front of the Data Centre’s Web Server, Web Cache and Database, where the attack points are marked.]


Infrastructure Protection

Protecting your Infrastructure: Infrastructure ACL / Rate-limiters

• This is common practice

• Some protocols have no reason to cross your network boundaries
  • Identify them, then filter or rate-limit them

• Examples (be careful, all networks are different):
  • SSDP UDP 1900
  • NetBIOS UDP 138
  • NTP 123
  • Chargen UDP 19
  • Large TCP SYN packets (what the maximum acceptable size for a SYN packet is remains a big debate)
  • Fragments

• Know exactly what you do (controversial)

Protecting your Infrastructure: MicroFlow Policer or User-based Rate-Limiter

• UBRL is a feature available in:
  • Catalyst 6500
  • Catalyst 4500
  • ASR 9000

• Used in enterprise environments, but also in

• Extends the QoS concepts to end users
  • Instead of matching and rate-limiting a class of traffic per interface
  • Allows policers per class of traffic per user

• Example:
  • Rate-limit DNS for each user to 500Mbps
  • Rate-limit NTP for each user in a particular range to 1Mbps

• Even more controversial: use only with a perfect understanding of your traffic patterns

Introducing BGP FlowSpec

Concept: BGP FlowSpec

• A powerful tool in the SP Security toolbox

• A controller remotely programs forwarding decisions in routers (the clients)

• BGP is used to remotely program a rule made of:
  • A traffic description
  • An action to apply to this traffic

• Three elements:
  • Controller
  • Client
  • Route-reflector (optional)

[Diagram: BGP FS controller with BGP sessions to the clients.]

BGP FlowSpec Matching Criteria and Action

• Traffic is described with L3 and L4 information
  • Address
  • Port
  • ICMP type and code
  • TCP flag
  • Packet length
  • Fragmentation flags

• Actions can be a mix of
  • Rate-limit / Drop
  • DSCP remarking
  • NH modification (diversion)
  • VRF leaking

More details? BRKSPG-3012: Leveraging BGP FlowSpec to protect your infrastructure

[Diagram: the BGP FS controller (control plane only) distributes rules through a BGP FS route-reflector to the BGP FS clients, each of which installs them from its control plane (CP) into its data plane (DP).]


Mitigation Strategies

Amplification Attacks

• Specific stateless attacks based on spoofed source addresses
  • No full handshake is used, so the large answer is sent to the victim’s address
  • Use vulnerable protocols on high-bandwidth servers

[Diagram: a small UDP request with spoofed source 2.1.1.1 goes to the reflecting server; a much larger reply goes to 2.1.1.1.]

Amplification Attacks

• DNS
• NTP
• SSDP
• SNMP
• CharGen
• QOTD

And some more protocols discovered in 2015

• RIPv1
• Port Mapper (UDP 111)

Frequently seen with fragmented packets: http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

Mitigating Amplification Attacks: Service Provider Perspective

• No need to send it to a “smart” scrubbing system for mitigation: a router will do the same job with much higher performance

• Identified by precisely matching the traffic pattern and filtered at the edge router, as close as possible to the internet, via ACL or BGP FlowSpec

[Diagram: small request / much larger reply toward victim 2.1.1.1; the BGP FS controller pushes the rule below to the edge router.]

Match: dest-IP: 2.1.1.1 + src-port: 123 + size <1000B
Action: rate-limit 0bps

Mitigating Amplification Attacks: Enterprise Perspective

• From an end-customer or enterprise perspective, no mitigation is possible
  • Too late: the PE router pipes are saturated
  • The problem needs to be addressed earlier in the path

• Request assistance from the Service Provider (portal, phone call, …)
  • If possible, use BGP FlowSpec to signal a rule filtering the attack in the SP

• Use in-the-cloud mitigation services

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI) behind its PE; the much larger replies saturate the PE link.]

Mitigating L3 / L4 Stateless Volumetric Attacks: Service Provider Perspective

• Generic family covering
  • UDP fragments (could be the consequence of an amplification attack)
  • ICMP floods

• Ideally, must be filtered at the edge router via ACL or BGP FS

• Example with a fragmentation attack and BGP FlowSpec:

Match: dest-IP: 2.1.1.1 + frag field set
Action: rate-limit 0bps

[Diagram: the BGP FS controller pushes the rule to the edge routers in front of victim 2.1.1.1.]
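The two rules the slides push from the controller (dest-IP 2.1.1.1 + src-port 123 + size <1000B, and dest-IP 2.1.1.1 + fragment field set, both rate-limited to 0) as a BGP FlowSpec controller would encode them on the wire. This is an added example written for this page, not code from the deck or from any Cisco product; it follows the RFC 5575 NLRI and traffic-rate layout, and the AS number placed in the traffic-rate community is a constructed placeholder.

```python
"""Encode the two FlowSpec rules from the slides as RFC 5575 NLRI, then
decode them again so the bytes a controller sends can be inspected."""
import ipaddress
import struct

# RFC 5575 component types used by the two rules
DST_PREFIX, SRC_PORT, PKT_LEN, FRAGMENT = 1, 6, 10, 12
# Fragment bitmask values (type 12): DF, IsF, FF, LF
FRAG_DF, FRAG_ISF, FRAG_FF, FRAG_LF = 0x01, 0x02, 0x04, 0x08
TRAFFIC_RATE = 0x8006  # extended community type: traffic-rate, in bytes/s
_NUM_LEN = {0: (1, ">B"), 1: (2, ">H"), 2: (4, ">I"), 3: (8, ">Q")}
_NAMES = {SRC_PORT: "src-port", PKT_LEN: "size"}
_FLAGS = ((FRAG_DF, "DF"), (FRAG_ISF, "IsF"), (FRAG_FF, "FF"), (FRAG_LF, "LF"))


def numeric_op(value, lt=False, gt=False, eq=False, end=True):
    """Operator/value pair for a numeric component (port, packet length).
    Operator byte layout: e a len len 0 lt gt eq; `end` flags the last pair."""
    ln = 0 if value < 0x100 else 1 if value < 0x10000 else 2
    op = (end << 7) | (ln << 4) | (lt << 2) | (gt << 1) | int(eq)
    return bytes([op]) + struct.pack(_NUM_LEN[ln][1], value)


def bitmask_op(value, match=False, invert=False, end=True):
    """Operator/value pair for a bitmask component (fragment, TCP flags).
    With the m bit clear, any listed flag set in the packet matches; for a
    single flag that is identical to an exact match."""
    op = (end << 7) | (invert << 1) | int(match)
    return bytes([op, value])


def dst_prefix(cidr):
    """Type 1 component: prefix length followed by the significant bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([DST_PREFIX, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_nlri(components):
    """FlowSpec NLRI: a one-byte length (valid below 240 bytes) then the components."""
    body = b"".join(components)
    return bytes([len(body)]) + body


def traffic_rate(bytes_per_sec, asn=0):
    """Traffic-rate extended community; a rate of 0 means discard. asn=0 is a placeholder."""
    return struct.pack(">HHf", TRAFFIC_RATE, asn, bytes_per_sec)


def amplification_rule():
    """Slide 40: dest-IP 2.1.1.1 + src-port 123 + size < 1000 B -> rate-limit 0."""
    nlri = encode_nlri([
        dst_prefix("2.1.1.1/32"),
        bytes([SRC_PORT]) + numeric_op(123, eq=True),
        bytes([PKT_LEN]) + numeric_op(1000, lt=True),
    ])
    return nlri, traffic_rate(0)


def fragment_rule():
    """Slide 42: dest-IP 2.1.1.1 + fragment field set -> rate-limit 0."""
    nlri = encode_nlri([dst_prefix("2.1.1.1/32"), bytes([FRAGMENT]) + bitmask_op(FRAG_ISF)])
    return nlri, traffic_rate(0)


def decode_nlri(nlri):
    """Render an NLRI made of the components above as the slides' Match line."""
    data, pos, terms = nlri[1:1 + nlri[0]], 0, []
    while pos < len(data):
        ctype, pos = data[pos], pos + 1
        if ctype == DST_PREFIX:
            plen, nbytes = data[pos], (data[pos] + 7) // 8
            addr = ipaddress.IPv4Address(data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"))
            pos += 1 + nbytes
            terms.append(f"dest-IP: {addr}/{plen}")
            continue
        while True:  # operator/value pairs until the e (end-of-list) bit is set
            op, pos = data[pos], pos + 1
            if ctype == FRAGMENT:
                flags = "|".join(name for bit, name in _FLAGS if data[pos] & bit)
                pos += 1
                terms.append(f"frag {'not ' if op & 2 else ''}{'match' if op & 1 else 'any'} {flags}")
            else:
                nbytes, fmt = _NUM_LEN[(op >> 4) & 3]
                (val,) = struct.unpack(fmt, data[pos:pos + nbytes])
                pos += nbytes
                cmp_ = "".join(c for bit, c in ((4, "<"), (2, ">"), (1, "=")) if op & bit)
                terms.append(f"{_NAMES[ctype]} {cmp_}{val}")
            if op & 0x80:
                break
    return " + ".join(terms)


def decode_action(ext_community):
    """Render the traffic-rate community as the slides' Action line."""
    ctype, _asn, rate = struct.unpack(">HHf", ext_community)
    if ctype != TRAFFIC_RATE:
        raise ValueError("not a traffic-rate extended community")
    return "rate-limit 0bps (drop)" if rate == 0 else f"rate-limit {rate:.0f} bytes/s"
```

`amplification_rule()` yields the 14-byte NLRI `0d01200201010106817b0a9403e8` plus the 8-byte community `8006000000000000`; decoding them gives back the Match and Action lines of the slide.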

Mitigating L3 / L4 Stateless Volumetric Attacks: Enterprise Perspective

• If the amount of attack traffic exceeds the PE link capacity, it is the same situation as with amplification attacks: too late, it needs to be addressed earlier in the path
  • Request assistance from the SP, if possible use BGP FlowSpec, or hire an in-the-cloud service

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI) behind its PE, attack points marked on the PE link and the firewall.]

Mitigating L3 / L4 Stateless Volumetric Attacks: Enterprise Perspective

If the amount of attack traffic does NOT exceed the PE link capacity:

• An inline mitigation solution can be used

• Several security services can be collapsed into FirePower 9300, including NGFW and DDoS mitigation

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; DPI) behind its PE, with the in-line mitigation device in the path.]

TCP SYN, HTTP, SSL and SIP Volumetric Attacks

• More advanced attacks using botnets or even real users (LOIC) need to be addressed differently, by a specific scrubbing device. Examples:
  • SYN floods: usually spoofed sources
  • HTTP: bots mimicking the behaviour of a real web browser
  • SSL
  • SIP

[Diagram: many sources send requests to victim 2.1.1.1, which replies to each of them.]

Mitigating SYN floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective

• Stateful attacks that need to be challenged by advanced countermeasures

• Traffic targeted at the victim needs to be diverted to a scrubbing device
  • Locally for a distributed architecture
  • Remotely for a centralised architecture (traffic re-injection is a topic by itself)

[Diagram: the BGP FS controller pushes a diversion rule for victim 2.1.1.1 to the edge router.]

Match: dest-IP: 2.1.1.1 + dest-port: 80
Action: NH @TMS

Mitigating SYN Floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective

[Diagram, two views of the Data Centre topology (Peering/Transit, Edge, Core, Firewall, Web Server, Web Cache, Database): before mitigation, with attack points marked on the link, the firewall and the servers, and after mitigation, with the marks gone.]

Mitigating SYN floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective

• The closer to the internet, the better

• Diversion can be done in many different ways, and it will have a direct influence on the re-injection strategy too
  • BGP FlowSpec
  • More specific route injection
  • VRF leaking (VRF Clear / VRF Dirty)

• Use Arbor TMS Software in the ASR9000 VSM card
  • Rich set of countermeasures
  • High performance boosted by the Dynamic Black-List Offload feature

Mitigating SYN floods, HTTP, SSL and SIP Attacks: Enterprise Perspective

• If the PE capacity (in bandwidth and PPS) is not exceeded, the firewall is the first stage of the security infrastructure hit by TCP SYN flood attacks

• Server resources can be impacted by SYN floods too

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; Fw, IPS/IDS, DPI) behind its PE, attack points marked on the firewall and the servers.]

Mitigating SYN Floods, HTTP and SSL: Enterprise Perspective

• If replacing the on-site security infrastructure is not possible
  • Request assistance from the SP or hire an in-the-cloud service

• An inline mitigation solution should be used
  • The Radware DefencePro solution running in FirePower 9300 can be used to protect the firewall

[Diagram: Enterprise (DNS, Mail, ERP, SAN, …; DPI) behind its PE, with the in-line mitigation device in front of the servers.]

Particular Case of Residential Subscriber: Service Provider Perspective

[Diagram: Residential subscribers behind Aggregation, Edge, Core and Peering/Transit; the attack point is marked on one subscriber.]

• Volumetric attacks on DSL/Cable subscribers create a lot of collateral damage

• Victims can be easily identified based on their IP address blocks

• Attacks are detected instantly
  • A 25Mbps DSL subscriber cannot receive multiple Gbps

• Auto-mitigation presents no false-positive risk in this case

Particular Case of Residential Subscriber: Service Provider Perspective

[Diagram: same Residential topology, with the traffic for the targeted host diverted and the attack marks gone.]

• Auto-mitigation is triggered and traffic for this host is diverted to the local or centralised scrubbing system

• Service for the subscriber is restored

• More importantly, the collateral damage is no longer present
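The sampling-based detection of the "Attack Detection: Sampling" slide applied to the residential case of the last two slides, as an added example written for this page (not code from the deck, nor from any Cisco or Arbor product). It assumes 1:1000 packet sampling and a 60-second export window; the subscriber block, reflector addresses and flow records are constructed for the demonstration.

```python
"""Estimate per-destination traffic from sampled flow records and flag a
volumetric attack on a residential subscriber the way the slides' auto-
mitigation would. Added example; flows and addresses are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLING_RATE = 1000            # router samples 1 packet in N (assumed)
WINDOW_SECONDS = 60             # flow export window (assumed)
RESIDENTIAL = ip_network("198.51.100.0/24")  # constructed subscriber block
ACCESS_LINE_BPS = 25_000_000    # slide 51: a 25 Mbps DSL subscriber

# Constructed sampled flow records: "bytes" is what the sampler saw, not the total
FLOWS = (
    # 50 NTP reflectors (src-port 123) all answering to one subscriber
    [{"src": f"203.0.113.{i}", "dst": "198.51.100.7", "src_port": 123, "bytes": 450_000}
     for i in range(1, 51)]
    # a subscriber browsing normally
    + [{"src": "192.0.2.10", "dst": "198.51.100.20", "src_port": 443, "bytes": 30_000}]
    # a low-speed attack on another subscriber: 2 Mbps looks like normal usage,
    # which is the sampling slide's point that low-speed attacks go undetected
    + [{"src": "192.0.2.99", "dst": "198.51.100.30", "src_port": 80, "bytes": 15_000}]
)


def estimate_bps(flows, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Scale sampled byte counts back up and return estimated bit/s per destination."""
    sampled = defaultdict(int)
    for rec in flows:
        sampled[rec["dst"]] += rec["bytes"]
    return {dst: b * sampling_rate * 8 / window for dst, b in sampled.items()}


def detect_subscriber_attacks(flows, line_bps=ACCESS_LINE_BPS, factor=4):
    """Flag residential destinations whose estimated inbound rate is far above
    what their access line can deliver: that traffic is dropped at the access
    device anyway, so diverting it carries no false-positive risk."""
    alerts = []
    for dst, bps in estimate_bps(flows).items():
        if ip_address(dst) in RESIDENTIAL and bps > factor * line_bps:
            alerts.append((dst, round(bps / 1e9, 2)))  # (victim, estimated Gbps)
    return sorted(alerts)


def mitigation_rules(alerts):
    """Divert only the victim's /32 to the scrubbing system, so the other
    subscribers on the same access device stop suffering the collateral damage."""
    return [{"match": f"dest-IP: {dst}/32", "action": "NH @scrubber"} for dst, _ in alerts]
```

With the constructed records, 198.51.100.7 is estimated at 3.0 Gbps and flagged, while the 4 Mbps and 2 Mbps destinations stay below any plausible threshold, which is exactly why slow attacks need in-line inspection instead.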

Slow Pace Attacks

• Attacks against server resources

• Cannot be detected by traffic sampling; requires inline system(s)
  • Low and Slow attacks: Slowloris
  • HTTP Floods
  • SSL Floods
  • SQL Injections
  • XSS, CSRF
  • Brute Force
  • App Misuse

[Diagram: Enterprise servers (DNS, Mail, ERP, SAN, …) behind PE, FW, IPS/IDS, DPI and LB/SSL, with the attack point marked on the servers.]

Slow Pace Attacks: DC and Enterprise Perspective

[Diagram: Enterprise behind its PE, and Data Centre (Web Server, Web Cache, Database) behind the Core, Edge and Peering/Transit; FP9300 in-line at both sites, attack points marked on the servers.]

The Service Provider doesn’t have any visibility into these attacks

Can only be detected
  • On the victim
  • With a device in-line

Cisco Partnerships

Partnership

• Cisco has established partnerships with two major actors in this industry

• Arbor Networks

• Radware

• Different products for different positions / roles

• SP edge / scrubbing centre based on traffic diversion

• DC and enterprise in-line analysis

• Arbor products are used in ASR9000

• Radware products are used in FirePower 9300

Cisco Partnerships: Arbor Networks

Arbor Peakflow SP Solution: Portfolio

Arbor Networks offers a variety of products to address DDoS attack detection and mitigation

• Peakflow SP (formerly known as Collector Platform, CP)
  • Collects flow records
  • Detects abnormal network behaviour and triggers alerts
  • Can influence the routing by injecting BGP routes into the network
  • Supports BGP FlowSpec as a Controller
  • Sets up and monitors the TMS remotely
  • Software can run in a virtual machine
  • Orderable from the Cisco price list

Arbor Peakflow SP Solution: Portfolio

• Peakflow SP Threat Management System (TMS)
  • Configured by the SP, receives diverted traffic and performs in-depth packet analysis
  • Discards the attack packets and transmits the legitimate ones
  • Provides real-time monitoring info to operators
  • Software running in the ASR9000 VSM line card

Arbor Peakflow SP Solution: Integration in ASR9000 Virtual Service Module Line Card

• Supported with
  • RSP440 onwards (not RSP2)
  • All 9000 chassis except 9001

• Multi-purpose service card
  • CGN
  • DDoS Mitigation

• KVM virtualised environment based on Wind River distribution

• 40Gbps of mitigation, PAYG model with 10G/20G/40G licenses

Arbor Peakflow SP Solution: Dynamic Black-list Offload Feature

• A countermeasure is activated and detects an offender

• TMS instructs the ASR9000 via OpenFlow to program an ACL for the src-@, or for the src-@ + dst-@ pair, for one minute

• After 1 min the ACL is removed. If the offender is seen by the countermeasure again, the ACL is programmed for 5 min, and then 5 min again, and so on

Match: src-IP: 2.1.1.1
Action: drop

[Diagram: offender (src-@) and victim (dst-@) flows, with the three steps above numbered 1, 2, 3.]

Arbor Peakflow SP Solution: Deployment and Use-cases

• Used in internet border routers in a distributed architecture

• Used in scrubbing centres in a centralised architecture

• Traffic is diverted with route injection or VRF route leaking

• BGP FlowSpec used to program border routers

Arbor Peakflow SP Solution: Features (For Reference)

• Mitigation in 4 seconds, Auto-mitigation

• Flood Attacks (TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP, SQL RS, Chargen Amplification, DNS Amplification, Microsoft SQL Resolution Service Amplification, NTP Amplification, SNMP Amplification, SSDP Amplification)

• Fragmentation Attacks (Teardrop, Targa3, Jolt2, Nestea), TCP Stack Attacks (SYN, FIN, RST, SYN ACK, URG-PSH, TCP Flags), Application Attacks (HTTP GET floods, SIP Invite floods, DNS attacks, HTTPS protocol attacks), DNS Cache Poisoning, Vulnerability attacks, Resource exhaustion attacks (Slowloris, Pyloris, LOIC, etc.)

• Flash crowd protection. IPv4 and IPv6 attacks hidden in SSL encrypted packets

Demo

Arbor Peakflow SP Solution: Recorded Demo

Cisco Partnerships: Radware DefencePro

Page 67

Radware DefencePro

• Provides protection against application layer attacks and state-table exhaustion attacks

• Primarily deployed to protect the firewall itself and the application servers behind it

• In phase 1, FirePower 9300 supports the following modules:

‒ Behavioural protections

‒ Challenge response

‒ Signature Protection

[Figure: DefencePro protection modules arranged by service layer (Network, Server, Application) and availability: SYN Protection, Connection PPS Limit, Connection Limit, BL/WL, Out-Of-State, Signature Protection, Server Cracking, Anti-Scan, Behavioural DoS, DNS Protection, Behavioural HTTP Flood Protection]

Page 68

Understand 9300 Radware DDoS Solution Components

• Cisco FirePower 9300 is a scalable, carrier & enterprise-grade, multi-service security appliance featuring:

‒ Cisco ASA firewall

‒ Radware DDoS Mitigation (OEM)

• What is required?

‒ 9300 Chassis

‒ DDoS License (vDP)

‒ Vision Management Software

‒ Optional: DefencePipe Cloud Protection

[Figure: FirePower 9300 chassis hosting DDoS, FW and NGIPS services]

Page 69

Introducing the FirePower 9300

Security Modules

• Embedded packet/flow classifier and crypto hardware

• Cisco (ASA, NGFW) and third-party (DDoS, load-balancer) applications

• Standalone or clustered within and across chassis

Supervisor

• Application deployment and orchestration

• Network attachment and traffic distribution

• Clustering base layer for ASA/NGFW

Network Modules

• 10GE/40GE and future 100GE

• Hardware bypass for NGIPS

Page 70

Security Services Architecture on Firepower 9300

[Figure: Supervisor with on-board 8x10GE interfaces (Ethernet 1/1-8), 8x10GE NM in Slot 1 (Ethernet 2/1-8), 4x40GE NM in Slot 2 (Ethernet 3/1-4), PortChannel1 and Ethernet1/7 (Management); Security Modules 1, 2 and 3 each running ASA (Primary Application, forming the ASA Cluster) and DDoS (Decorator Application); Application Image Storage; External Connector; Data and Packet Flow]

Page 71

Mitigation on FP 9300 with Radware vDP

Page 72

Behavioural DoS – Network Baselining and Response

Behavioural DoS

• Detects and prevents zero-day DoS/DDoS flood attacks

• Establishes a baseline

• Automatically detects traffic anomalies

• Adapts footprint to new traffic pattern

• No manual tuning

• Low false positive rate

• Passes legitimate traffic while under attack

• Protects against all kinds of flooding attacks

Page 73

BDOS Detection and Mitigation of a DNS Attack

[Figure: Attacker sends BOT commands through an IRC Server to DoS Bots (infected hosts), which flood Public DNS Servers across the Internet]

Behavioural Pattern Detection (1): detect rate increase of DNS requests

Behavioural Pattern Detection (2): identify abnormal ratio of DNS requests to other protocols

Real Time Signature: block DNS requests matching specific packet parameters (e.g., DNS query name, ...)
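The two behavioural detection stages and the real-time signature on this slide, as an added Python example (not Radware's or Cisco's code): it learns a baseline from constructed traffic, flags a DNS rate increase and an abnormal DNS-to-other-protocols ratio, derives the dominating query name as the blocking signature, and shows that legitimate traffic still passes. The thresholds (strictness of 3 standard deviations, ratio factor 2) and the traffic mix are assumptions.

```python
"""Toy behavioural DoS (BDoS) detector for a DNS flood, following the two
detection stages and the real-time signature on the slide.
Added example, not Radware/Cisco code; thresholds and traffic are assumed."""
from collections import Counter
from statistics import mean, pstdev

NORMAL_NAMES = ["mail.example", "www.example", "cdn.example", "api.example"]

def make_traffic():
    """Constructed packets as (second, protocol, dns_query_name_or_None):
    10 s of baseline (20 DNS + 80 other per second), then a flood in second 10."""
    recs = []
    for sec in range(11):
        recs += [(sec, "dns", NORMAL_NAMES[i % 4]) for i in range(20)]
        recs += [(sec, "tcp", None)] * 80
    recs += [(10, "dns", "victim.example")] * 500   # the flood: one query name
    return recs

def baseline(records, learn_seconds):
    """Learning phase: per-second DNS rate and DNS share of all traffic."""
    dns = [0] * learn_seconds
    total = [0] * learn_seconds
    for sec, proto, _ in records:
        if sec < learn_seconds:
            total[sec] += 1
            dns[sec] += 1 if proto == "dns" else 0
    return {"rate_mean": mean(dns), "rate_std": pstdev(dns),
            "ratio": sum(dns) / max(sum(total), 1)}

def detect(records, model, second, strictness=3.0, ratio_factor=2.0):
    """Stage 1: DNS request rate increase. Stage 2: abnormal ratio of DNS
    requests to other protocols. Returns (rate_anomaly, ratio_anomaly)."""
    window = [r for r in records if r[0] == second]
    dns_count = sum(1 for r in window if r[1] == "dns")
    rate_anomaly = dns_count > model["rate_mean"] + strictness * max(model["rate_std"], 1.0)
    ratio_anomaly = dns_count / max(len(window), 1) > ratio_factor * model["ratio"]
    return rate_anomaly, ratio_anomaly

def real_time_signature(records, second, min_share=0.5):
    """Derive the blocking signature: the query name dominating the anomalous window."""
    names = Counter(r[2] for r in records if r[0] == second and r[1] == "dns")
    if not names:
        return None
    name, count = names.most_common(1)[0]
    return name if count / sum(names.values()) >= min_share else None

def apply_signature(records, second, qname):
    """Enforce the signature: drop only DNS packets matching it. Returns (passed, dropped)."""
    window = [r for r in records if r[0] == second]
    dropped = sum(1 for r in window if r[1] == "dns" and r[2] == qname)
    return len(window) - dropped, dropped
```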

Page 74

Configuration

Define Global Options

• Learning (Day, Week, Month)

• Strictness (Low, Medium, High)

Create Profile

• Name

• Protection Options

• Bandwidth and Traffic Quotas

Add Profile to Policy and Update Policies

Page 75

BDOS Profile: three main tabs

• Flood Protection Settings

• Bandwidth Settings

• Quota Settings

Page 76

DNS Protection escalates

• DNS-Flood Attacks

‒ Detects when an attack has started

• More-severe mitigation limits DNS queries

Advantages

‒ Implements mitigation in escalating order

‒ When enabled, protects at first sign of attack

Disadvantages

‒ Escalation period to mitigate successfully

‒ May drop legitimate traffic

Page 77

DNS Mitigation Attack Escalation

[Figure: escalation flow starting at Attack Detection. Per query type scope: Behavioural RT signature technology creates a Real-Time signature (RT signature scope protection per query type), escalating to a DNS query challenge and then a Query rate limit. Once the botnet is identified (suspicious traffic is detected per query type), the Collective scope protection per query type applies a Collective query challenge and then a Collective query rate limit. Each stage is followed by a check of whether the attack is mitigated before escalating further.]

Page 78

SYN Flood Protection is Adaptive

Uses SYN cookies

SYN Flood Attacks

‒ Aimed at specific servers

• Intends to consume server resources

‒ A type of DoS attack used to overflow server session table

Large volume SYN packets (cookies) generated

Typical SYN Attacks:

‒ Incomplete TCP 3-way handshakes

‒ Untraceable packets

• random source addresses

‒ Fully-open connections

‒ Large volume of victimised participants

• bot or zombie systems

Page 79

SYN Cookies

• TCP SYN Cookie

‒ Inserts hash of date/time for ISN

‒ No connection maintained until client is validated

‒ Only in symmetric environments

• TCP Challenge

‒ At high volume SYN, DefencePro issues Safe-Reset

‒ Safe-reset has invalid ACK packet

‒ Client sends RESET (RST) packet; then sends SYN packet

‒ DefencePro places client in Safe-sender list

‒ No need for SYN cookies or delayed bind for this operation

‒ Works in asymmetric environments

• Web Cookie Redirect (HTTP Redirect)

‒ Issues 302 to client with a cookie

‒ If client doesn't return correct cookie, session is dropped

• JavaScript Redirect

‒ Issues a cookie in the JavaScript

‒ If client doesn't return correct cookie, session is dropped

[Figure: SYN cookie exchange: SYN → SYN-ACK <cookie> → ACK <cookie>. TCP Challenge (Safe-Reset) exchange: SYN → SYN-ACK <Bad> → RST → SYN]
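The TCP SYN cookie mechanism described above (ISN derived from a hash that includes the time, no connection state kept until the client is validated), as an added Python example rather than DefencePro's implementation; the secret key, the 64-second time slot and the cookie layout are assumptions. It also makes the symmetric-path requirement concrete: validation only works because the server sees the client's ACK.

```python
"""Stateless TCP SYN cookie, as on the slide: the server's ISN is a keyed hash of
the connection 4-tuple and a coarse timestamp, so no connection state is kept
until the client's ACK proves it saw the SYN-ACK. Added example, not DefencePro
code; the key, slot size and cookie layout are assumptions."""
import hashlib
import hmac
import struct

SECRET = b"constructed-example-key"  # assumed; a real server rotates this
SLOT_SECONDS = 64                   # assumed coarse time unit carried in the ISN


def _mac24(src, dst, sport, dport, slot):
    """24-bit keyed hash over the 4-tuple and time slot (src/dst are 4-byte IPv4)."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, now):
    """ISN for the SYN-ACK: top 8 bits = time slot, low 24 bits = MAC.
    Nothing is stored per connection, so a SYN flood cannot fill a table."""
    slot = (int(now) // SLOT_SECONDS) & 0xFF
    return ((slot << 24) | _mac24(src, dst, sport, dport, slot)) & 0xFFFFFFFF


def check_ack(src, dst, sport, dport, ack, now, max_age_slots=1):
    """Validate the client's ACK (= cookie + 1) without any stored state.
    Rejects stale cookies and any ACK whose MAC does not match the 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    age = (((int(now) // SLOT_SECONDS) & 0xFF) - slot) & 0xFF
    if age > max_age_slots:
        return False
    # Compare as bytes so compare_digest gives a constant-time comparison.
    expected = _mac24(src, dst, sport, dport, slot).to_bytes(3, "big")
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))
```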

Page 80

Demo

Page 81

Conclusion

Page 82

Cisco DDOS Offerings

Arbor TMS on ASR9k

• DDOS target is bandwidth

• Volumetric attacks

• Part of SP Clean Pipes solution

• Traffic diverted to scrubber within router backplane

• Clean traffic re-injected locally

• Additional Arbor products can protect enterprise assets

Radware vDP on FP9300

• DDOS target is firewall and devices behind it, NOT bandwidth

• vDP sits inline and sees all traffic going to firewall

• Other Radware capabilities in the cloud can help with bandwidth-based attacks

Page 83

End-to-End Mitigation Summary

[Figure: The Internet → Peering/Transit → Core → DC Edge → Data Centre (Fw, IPS/IDS, DPI, FP9300)]

Amplification Attacks: handled at the Edge router level with BGP FlowSpec

• Amplification Attacks

• NTP, DNS, SSDP, CharGen, SNMP, RIPv1, Port Mapper, …

Page 84

End-to-End Mitigation Summary

[Figure: The Internet → Peering/Transit → Core → DC Edge → Data Centre (Fw, IPS/IDS, DPI, FP9300)]

Stateless Attacks: handled at the Edge router level with BGP FlowSpec

• Stateless Protocols Attacks

• ICMP floods, UDP Frag, etc.

Page 85

End-to-End Mitigation Summary

[Figure: The Internet → Peering/Transit → Core → DC Edge → Data Centre (Fw, IPS/IDS, DPI, FP9300)]

Stateful Attacks: traffic is diverted to a scrubbing device, local or centralised

• Stateful Protocols Attacks

• SYN Flood, HTTP based, SSL, SIP, …

Page 86

End-to-End Mitigation Summary

[Figure: The Internet → Peering/Transit → Core → DC Edge → Data Centre (IPS/IDS, FP9300)]

Application Misuse: Low and Slow attacks are handled in-line in FP9300

• Application and Slow Pace Attacks

• Slowloris, Brute Force, SQL injections, XSS, …

Page 87

End-to-End Mitigation

• Cisco offers products covering security, routing and switching

• The Router and the Switch can be leveraged as the first layer of defence

• Partnerships have been established with two major actors of DDoS mitigation

• Not a one-fit-all solution, but a case-by-case approach

• Different attacks should be handled by different products at different places

Page 88

Q & A

Page 89

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.

– Directly from your mobile device on the Cisco Live Mobile App

– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March at Registration

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Page 90

Thank you

Page 91

Page 92

VSM Internal Architecture

[Figure: Service Infra Module (SIM): Typhoon NPUs and Fabric ASIC 0 / ASIC 1 connected to the backplane, Niantic controllers driving 48 10GE ports through Quad PHY and SFP+ over XAUI. Application Processor Module (APM): Ivy Bridge CPUs with 32GB DDR3 and Crypto/DPI Assist, attached over PCIe.]

Page 93

Page 94

Enterprise Perimeter Protection Use Case

[Figure: Internet Perimeter with ADC and FirePower 9300 in front of a Data Centre hosting Web Portals, Mail, CRM, BI and Unified communications]

DDoS Protection solution highlights:

• Network and Application DDoS attacks protection

• Most accurate detection & mitigation

• Shortest time to mitigate

FirePower 9300 Solution highlights:

• Integrated multi-service security platform

• Closes security and visibility gaps

• High performance and scalability

Page 95

Enterprise Use Case with Cloud Mitigation

[Figure: Internet Perimeter with ADC and FirePower 9300 in front of a Data Centre hosting Web Portals, Mail, CRM, BI and Unified communications, with Defence Messaging to the cloud]

DDoS Protection solution highlights:

• Network and Application DDoS attacks protection

• Most accurate detection & mitigation

• Shortest time to mitigate

Defence Messaging

• Volumetric attacks mitigation in the cloud

• No protection gap

Page 96

Service Provider: Service Centre DC Protection

[Figure: Internet Perimeter with ADC and FirePower 9300 in front of the service centre LAN hosting Web, CDN, DNS and AAA services and Hosted Customers 1 and 2]

DDoS Protection solution highlights:

• Network and Application DDoS attacks protection

• Most accurate detection & mitigation

• Shortest time to mitigate

FirePower 9300 Solution highlights:

• Integrated multi-service security platform

• Closes security and visibility gaps

• High performance and scalability

• Elasticity – add mitigation capacity on demand

Page 97

Service Provider: Service Centre with Cloud Mitigation

[Figure: Internet Perimeter with ADC and FirePower 9300 in front of the service centre LAN hosting Web, CDN, DNS and AAA services and Hosted Customers 1 and 2, with Defence Messaging to the cloud]

DDoS Protection solution highlights:

• Network and Application DDoS attacks protection

• Most accurate detection & mitigation

• Shortest time to mitigate

Defence Messaging

• Volumetric attacks mitigation in the cloud

• No protection gap

Page 98

Recommended