DDoS Attacks: an End-to-End Mitigation
Nicolas Fevrier, Technical Leader Engineering, @CiscoIOSXR
Eric Kostlan, Technical Marketing Engineer
Agenda
• Introduction, DDoS Attacks Landscape
• Deployment Models
• Mitigation of
  • Amplification Attacks and other L3 Stateless Attacks
  • HTTP and SSL Volumetric Attacks
  • Attacks on Application and Resources
• End-to-End Mitigation, Cisco Solutions
• Conclusion
Introduction
• Audience: Service Providers and Enterprises
• Out of the scope of this session: hardening servers against DDoS attacks
• How do we define a DDoS?
  • Distributed: many sources
  • Denial of Service: makes the resource unreachable or out of service
• Many tools are presented here; there is no "one-size-fits-all" solution
Introduction: DDoS Attacks Landscape
Introduction
• Do we still need to explain the risk in 2016?
• Distributed Denial of Service (DDoS) is a very lucrative activity for attackers
• Victims:
  • ISPs, hosting services
  • Governments, education
  • Enterprises
  • Individuals
  Everyone is at risk.
• We are just scratching the surface: attack complexity is increasing
• DDoS mitigation is about business continuity
http://www.pcworld.com/article/3002356/protonmail-recovers-from-ddos-punch-after-being-extorted.html
Where are they coming from?
• Compromised sources / botnets (zombies)
  • Unpatched CMS (Content Management Systems)
  • IADs (home routers) running old firmware
  • Unpatched internet services (DNS/NTP…)
• Cloud (booters, or legitimate services being abused)
• Sooner or later, 4G/5G mobile handsets
• IoT ("Botnets of Things")
Largest DDoS Attack in History (chart)
DDoS Failure Points Within the Network
Internet pipe became the #1 failure point in 2014
• Extra-large attacks are seen on a daily basis
• Attacks are targeting all types of organisations
• Enabled by "better" technology at the attacker's disposal: reflective (amplification) attacks
ATLAS Initiative: Attack Sizes
"Last year, we highlighted that 20 percent of respondents reported attacks over 50 Gbps … This year nearly one-quarter of respondents report peak attack sizes over 100 Gbps."
DDoS Mitigation
Black Holing is NOT DDoS Mitigation
• RTBH (Remotely Triggered Black Hole)
  • A dummy BGP route is advertised
  • Route to null, or route to a forensic probe
  • Based on source or destination address
  • Better granularity with BGP FlowSpec
• All traffic to the victim (good and bad) is dropped
• Limits collateral damage, but the attacker's main objective is attained: the victim is unreachable
DDoS Mitigation
Mitigation implies business continuity
• Sink holing: traffic to the victim is diverted to one or more scrubbing devices
• Differentiation of legitimate and malicious traffic
• The victim's services are maintained
• Collateral damage is avoided
But some types of traffic can only be malicious…
Different Business, Different Targets: Enterprise or Service Provider?
(Diagram: the Internet connects through peering/transit to the SP core; behind the core sit the data centre (DC edge, firewall, web server, web cache, database), the enterprise (PE, edge firewall, IPS/IDS, DPI, LB/SSL, and the DNS, mail, ERP, SAN servers) and the residential aggregation)
Different Business, Different Targets: Data Centre and Hosting
(Diagram: Internet → peering/transit → core → DC edge → firewall → web server, web cache, database; attack markers on each stage)
• Volumetric attacks can saturate the DC router link
• Session floods can overwhelm stateful firewall capacity
• HTTP attacks can exhaust the web server and the cache
• Query floods can exceed database capacity
• Slow-pace attacks can consume server resources (TCP stack, etc.)
Different Business, Different Targets: Enterprise
(Diagram: Internet → peering/transit → core → PE → enterprise edge with firewall, IPS/IDS, DPI, LB/SSL, and the DNS, mail, ERP, SAN servers behind them)
• Volumetric attacks can saturate the PE router link
• Session floods can overwhelm stateful firewall or IDS capacity
• Slow-pace attacks can consume server resources (TCP stack, applications, etc.)
Different Business, Different Targets: Residential Service Provider
(Diagram: Internet → peering/transit → core → aggregation → residential subscribers sharing the same access device)
• Volumetric attacks on a DSL/cable subscriber
• Can saturate the access and aggregation devices
• An attack against an individual can impact all subscribers served by the same access device
Deployment Models
Deployment Models: In-the-Cloud / On-Premises Services
• In-the-Cloud services
  • DNS-based DDoS protection
  • BGP "inter-AS" based DDoS protection
  • ISP DDoS mitigation
• On-Premises services
  • Centralised
  • Distributed
  • Mixed
  • In-line
In-the-Cloud Services: DNS-based DDoS Protection
(Diagram, before diversion: the local DNS answers "mysite.com is 1.2.3.4"; both legitimate traffic and attack traffic to mysite.com reach 1.2.3.4 directly; the DDoS mitigation service and its scrubbing device are not in the path)
• Free service offered by various companies on the internet
• Based on DNS only
In-the-Cloud Services: DNS-based DDoS Protection
(Diagram, after diversion: the DNS record is changed so that "mysite.com is now 5.6.7.8", the address of the scrubbing proxy; traffic to mysite.com reaches the proxy, which forwards the good traffic to 1.2.3.4)
• Traffic is diverted by publishing a new DNS record
• Good traffic is sent by the proxy to the real IP address
• Limit: easy to bypass this protection when the attacker knows the victim's real IP address (unless the origin only accepts traffic coming from the proxy, the attack simply targets 1.2.3.4 directly)
In-the-Cloud Services: BGP-based "inter-AS" DDoS Protection
(Diagram, before diversion: the victim's network announces 1.2.0.0/16 in BGP; legitimate traffic and attack traffic to 1.2.3.4 go straight to the victim)
• Traffic to the victim is steered into the DDoS protection service by advertising, from the mitigation service's AS, a /24 prefix owned by the victim
• Similar to BGP hijacking (with the victim's consent)
• Good traffic is filtered and transmitted through a tunnel to the victim
In-the-Cloud Services: BGP-based "inter-AS" DDoS Protection
Limits
(Diagram, during diversion: the mitigation service announces 1.2.3.0/24, more specific than the victim's 1.2.0.0/16, so legitimate traffic and attack traffic to 1.2.3.4 arrive at the scrubbing device first)
• The most specific prefix generally accepted on the internet is a /24: it attracts all traffic for the prefix, not only the victim's
• Similar to BGP hijacking
• Future adoption of BGP Origin Validation (RPKI) could make this approach challenging: the victim needs a ROA authorising the mitigation provider's AS to originate the /24, otherwise the announcement is Invalid and may be dropped by validating networks
In-the-Cloud Services: DDoS Mitigation as a Service
• Final customers can buy services from their ISP and manage their DDoS mitigation themselves
(Diagram: the enterprise edge, behind its firewall, IPS/IDS and DPI, calls the ISP for help; the ISP diverts the enterprise's traffic through its scrubbing device)
On-Premises: Centralised vs Distributed
• The Centralised approach: a dedicated part of the network is reserved for mitigation, the scrubbing centre
• Traffic targeted to the victim is diverted via the scrubbing centre, then re-injected towards the victim
• The Distributed approach: scrubbers are installed at the edge of the backbone, on the transit and peering routers
• Mixed model: the distributed scrubbers do the main scrubbing work, and the scrubbing centre handles the extra load when necessary
(Diagrams: transit and peering routers → core → victim, with the scrubbing centre attached to the core in the centralised and mixed models, and scrubbers on the edge routers in the distributed and mixed models)
Attack Detection: Sampling
• One approach consists in sampling packets and sending the statistics to a NetFlow collector, which raises an "attack detected" alert when a destination exceeds its expected rate
(Diagram: transit and peering routers export NetFlow to the collector; the collector flags the attack on the victim)
• Problem: cannot detect low-speed attacks, since at typical sampling rates (one packet in several thousand) a low-rate attack produces too few samples to stand out from the background
Attack Detection: In-line Inspection
• The other approach consists in inspecting all packets, in both directions
• Cannot be done in the core at several times 100Gbps
• Needs to be closer to the service platforms
• Can correlate traffic from both directions (and therefore see incomplete handshakes, slow sessions and application behaviour)
(Diagram: FP9300 in-line in front of the data centre's web server, web cache and database)
Infrastructure Protection
Protecting your Infrastructure: Infrastructure ACL / Rate-limiters
• This is common practice
• Some protocols have no reason to cross your network boundaries
• Identify them, then filter or rate-limit them
• Examples (be careful, all networks are different):
  • SSDP, UDP 1900
  • NetBIOS, UDP 138
  • NTP, UDP 123
  • Chargen, UDP 19
  • Large TCP SYN packets (what the maximum acceptable size of a SYN packet is remains a big debate)
  • Fragments
• Know exactly what you are doing (controversial): a blanket filter on NTP or on fragments also breaks legitimate users of those protocols
Protecting your Infrastructure: MicroFlow Policer or User-based Rate-Limiter (UBRL)
• UBRL is a feature available in:
  • Catalyst 6500
  • Catalyst 4500
  • ASR 9000
• Used in Enterprise environments, but also in
• Extends the QoS concepts to final users
  • Instead of matching and rate-limiting a class of traffic per interface
  • Allows policers per class of traffic per user
• Example:
  • Rate-limit DNS for each user to 500Mbps
  • Rate-limit NTP for each user in a particular range to 1Mbps
• Even more controversial: use only with a perfect understanding of your traffic patterns
Introducing BGP FlowSpec
Concept: BGP FlowSpec
• A powerful tool in the SP security toolbox
• A controller remotely programs forwarding decisions in routers (the clients)
• BGP is used to remotely program a rule made of:
  • A traffic description
  • An action to apply to this traffic
• Three elements:
  • Controller
  • Client
  • Route-reflector (optional)
(Diagram: the BGP FlowSpec controller peers over BGP with the clients, directly or through a route-reflector)
BGP FlowSpec Matching Criteria and Action
• Traffic is described with L3 and L4 information
  • Address (source or destination prefix)
  • Port
  • ICMP type and code
  • TCP flags
  • Packet length
  • Fragmentation flags
• Actions can be a mix of
  • Rate-limit / Drop (a rate-limit to 0 is a drop)
  • DSCP remarking
  • Next-hop modification (diversion)
  • VRF leaking
More details? BRKSPG-3012: Leveraging BGP FlowSpec to protect your infrastructure
(Diagram: the BGP FlowSpec controller's control plane pushes the rules through a BGP FlowSpec route-reflector to the clients, whose control plane installs them into their data plane)
Mitigation Strategies
Amplification Attacks
• Specific stateless attacks based on spoofed source addresses
• No full handshake: the attacker sends a small request with the victim's address as source, and the reflector sends a much larger answer to the victim
• Abuse vulnerable protocols on high-bandwidth servers
(Diagram: small UDP request with spoofed source 2.1.1.1 → reflector → much larger reply to the victim 2.1.1.1)
Amplification Attacks
• DNS
• NTP
• SSDP
• SNMP
• CharGen
• QOTD
And some more protocols discovered in 2015:
• RIPv1
• Port Mapper (UDP 111)
Frequently seen with fragmented packets (the amplified replies exceed the MTU).
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Mitigating Amplification Attacks: Service Provider Perspective
• No need to send it to a "smart" scrubbing system for mitigation: a router will do the same job with much higher performance
• Identified by precisely matching the traffic pattern and filtered at the edge router, as close as possible to the internet, via ACL or BGP FlowSpec
• Example rule pushed by the BGP FlowSpec controller for an NTP amplification against 2.1.1.1:
  Match: dest-IP 2.1.1.1 + src-port 123 + size < 1000B
  Action: rate-limit 0bps
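The detection step that precedes this rule is the sampled NetFlow approach from the "Attack Detection: Sampling" slide: aggregate sampled bytes per victim and reflector source port, scale by the sampling rate, and emit the match above when the estimate crosses a threshold. The following Python is an added example written for this page, not Cisco or Arbor code. The flow records, the 1:1000 sampling rate, the 60 s window and the 1 Gbps threshold are constructed for the demonstration; it also shows the sampling blind spot the earlier slide warns about, a low-rate reflection flood that leaves only a handful of samples.

```python
"""Detect amplification floods in sampled flow records and derive the
matching rule the slide shows (dst IP + reflector source port + small
packets, rate-limit to 0).  Added example for this page, not Cisco or Arbor
code.  Flow records, the sampling rate and the thresholds are constructed."""
from collections import defaultdict

# UDP source ports of the reflector services listed on the slides
AMP_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "CharGen",
             17: "QOTD", 520: "RIPv1", 111: "Port Mapper"}


def flow(src, dst, sport, nbytes, npkts, proto=17):
    """One sampled flow record (NetFlow-style: the counters are the sampled
    bytes/packets, not the real ones)."""
    return {"src": src, "dst": dst, "proto": proto, "src_port": sport,
            "dst_port": 40000, "bytes": nbytes, "packets": npkts}


def aggregate(records, sampling_rate, window_sec):
    """Sum sampled bytes per (victim, reflector port), scale by the sampling
    rate (1:N) and express the estimate in bits per second over the window."""
    est_bps = defaultdict(float)
    pkt_sizes = defaultdict(list)
    for r in records:
        if r["proto"] != 17 or r["src_port"] not in AMP_PORTS:
            continue
        key = (r["dst"], r["src_port"])
        est_bps[key] += r["bytes"] * sampling_rate * 8 / window_sec
        pkt_sizes[key].append(r["bytes"] / r["packets"])
    return {k: (bps, sum(pkt_sizes[k]) / len(pkt_sizes[k]))
            for k, bps in est_bps.items()}


def detect(records, sampling_rate=1000, window_sec=60, threshold_bps=1e9):
    """Return one FlowSpec-style rule per (victim, reflector port) whose
    estimated rate crosses the threshold.  The rule mirrors the slide:
    match dst IP + src-port + packet length below a cap, rate-limit 0bps."""
    rules = []
    for (dst, sport), (bps, mean_len) in aggregate(records, sampling_rate,
                                                   window_sec).items():
        if bps >= threshold_bps:
            rules.append({"dst": dst, "src_port": sport, "service": AMP_PORTS[sport],
                          "max_len": 1000, "mean_len": round(mean_len),
                          "est_gbps": round(bps / 1e9, 2),
                          "action": "rate-limit 0bps"})
    return rules


# Constructed 1:1000 sampled export over a 60 s window.
# Flood: 2000 sampled records of 10 x 480 B NTP replies towards 2.1.1.1
# -> 9.6 MB sampled -> 9.6 GB real -> 1.28 Gbps estimated.
FLOOD = [flow(f"198.51.100.{i % 250 + 1}", "2.1.1.1", 123, 4800, 10)
         for i in range(2000)]
# Low-rate attack: only 3 samples of NTP replies towards 2.1.1.2, i.e. an
# estimated 192 kbps.  Enough to hurt a small link, invisible at a 1 Gbps bar.
LOW_RATE = [flow("198.51.100.7", "2.1.1.2", 123, 480, 1) for _ in range(3)]
# Background: normal DNS answers and an HTTPS flow, never matched.
LEGIT = [flow("203.0.113.53", "2.1.1.5", 53, 300, 2) for _ in range(40)]
LEGIT.append(flow("203.0.113.9", "2.1.1.5", 443, 1500, 1, proto=6))

if __name__ == "__main__":
    for rule in detect(FLOOD + LEGIT):
        print(rule)
    print("low-rate attack rules:", detect(LOW_RATE + LEGIT))
```

Lowering the threshold to catch the 192 kbps case makes the detector fire on three sampled packets, which is also what a burst of legitimate NTP answers produces; that trade-off, not the threshold value, is why the slides hand low-rate and slow-pace attacks to an in-line device instead.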
Mitigating Amplification Attacks: Enterprise Perspective
• From a final customer or enterprise perspective, no local mitigation is possible
• Too late: the PE router pipes are already saturated by the time the traffic reaches the enterprise
• The problem needs to be addressed earlier in the path
  • Request assistance from the Service Provider (portal, phone call, …)
  • If possible, use BGP FlowSpec to signal a rule filtering the attack in the SP
  • Use in-the-cloud mitigation services
(Diagram: the amplified replies saturate the PE link in front of the enterprise firewall, IPS/IDS and DPI)
Mitigating L3 / L4 Stateless Volumetric Attacks: Service Provider Perspective
• Generic family covering
  • UDP fragments (could be the consequence of an amplification attack)
  • ICMP floods
• Ideally, must be filtered at the edge router via ACL or BGP FlowSpec
• Example with a fragmentation attack and BGP FlowSpec:
  Match: dest-IP 2.1.1.1 + fragment flag set
  Action: rate-limit 0bps
Mitigating L3 / L4 Stateless Volumetric Attacks: Enterprise Perspective
• If the amount of attack traffic exceeds the PE link capacity, same situation as for amplification attacks: too late, it needs to be addressed earlier in the path
• Request assistance from the SP, if possible use BGP FlowSpec, or hire an in-the-cloud service
(Diagram: the flood saturates the PE link in front of the enterprise firewall, IPS/IDS and DPI)
Mitigating L3 / L4 Stateless Volumetric Attacks: Enterprise Perspective
If the amount of attack traffic does NOT exceed the PE link capacity
• An in-line mitigation solution can be used
• Several security services can be collapsed into the FirePower 9300, including NGFW and DDoS mitigation
(Diagram: PE → FirePower 9300 → DPI → DNS, mail, ERP, SAN servers)
TCP SYN, HTTP, SSL and SIP Volumetric Attacks
• More advanced attacks using botnets, or even real users (LOIC), need to be addressed differently, by a specific scrubbing device. Examples:
  • SYN floods: usually spoofed sources
  • HTTP: bots mimicking the behaviour of a real web browser
  • SSL
  • SIP
(Diagram: many requests towards 2.1.1.1 and the replies from the victim)
Mitigating SYN Floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective
• Stateful attacks that need to be challenged by advanced countermeasures
• Traffic targeted to the victim needs to be diverted to a scrubbing device
  • Locally, for a distributed architecture
  • Remotely, for a centralised architecture (traffic re-injection is a topic by itself)
• Example diversion rule pushed by the BGP FlowSpec controller:
  Match: dest-IP 2.1.1.1 + dest-port 80
  Action: next-hop set to the TMS (scrubber)
Mitigating SYN Floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective
(Diagrams, before and after: Internet → peering/transit → core → DC edge → firewall → web server, web cache, database; the attack markers on the firewall and the servers disappear once the traffic is diverted through the scrubber at the edge)
Mitigating SYN Floods, HTTP, SSL and SIP Attacks: SP/Datacentre Perspective
• The closer to the internet, the better
• Diversion can be done in many different ways, and the choice has a direct influence on the re-injection strategy too
  • BGP FlowSpec
  • More specific route injection
  • VRF leaking (VRF Clean / VRF Dirty)
• Use the Arbor TMS software in the ASR9000 VSM card
  • Rich set of countermeasures
  • High performance, boosted by the Dynamic Black-List Offload feature
Mitigating SYN Floods, HTTP, SSL and SIP Attacks: Enterprise Perspective
• If the PE capacity (in bandwidth and PPS) is not exceeded, the firewall is the first stage of the security infrastructure hit by TCP SYN flood attacks (its state table fills up)
• Server resources can be impacted by SYN floods too
(Diagram: PE → firewall, IPS/IDS → DPI → DNS, mail, ERP, SAN servers; attack markers on the firewall and the servers)
Mitigating SYN Floods, HTTP and SSL: Enterprise Perspective
• If replacing the on-site security infrastructure is not possible
  • Request assistance from the SP or hire an in-the-cloud service
• Otherwise an in-line mitigation solution should be used
  • The Radware DefencePro solution running in the FirePower 9300 can be used to protect the firewall
(Diagram: PE → FirePower 9300 → DPI → DNS, mail, ERP, SAN servers)
Particular Case of Residential Subscriber: Service Provider Perspective
(Diagram: Internet → peering/transit → core → aggregation → residential subscribers; attack marker on one subscriber)
• Volumetric attacks on a DSL/cable subscriber create a lot of collateral damage
• Victims can be easily identified based on their IP address blocks
• Attacks are detected instantly: a 25Mbps DSL subscriber cannot receive multiple Gbps
• Auto-mitigation presents no false-positive risk in this case
Particular Case of Residential Subscriber: Service Provider Perspective
(Diagram: traffic for the attacked subscriber is diverted at the edge to the scrubbing system before it reaches the aggregation)
• Auto-mitigation is triggered and traffic for this host is diverted to the local or centralised scrubbing system
• Service for the subscriber is restored
• But more importantly, the collateral damage is no longer present
Slow Pace Attacks
• Attacks against server resources
• Cannot be detected by traffic sampling; require in-line system(s)
  • Low and Slow attacks: Slowloris
  • HTTP floods
  • SSL floods
  • SQL injection
  • XSS, CSRF
  • Brute force
  • Application misuse
(Diagram: PE → firewall, IPS/IDS → DPI → LB/SSL → DNS, mail, ERP, SAN servers; attack marker on the servers)
Slow Pace Attacks: DC and Enterprise Perspective
(Diagrams: the enterprise and the data centre behind the SP core, with the FP9300 in-line in front of the servers)
• The Service Provider doesn't have any visibility on these attacks
• They can only be detected
  • On the victim
  • With a device in-line (FP9300 in front of the web server, web cache and database)
Cisco Partnerships
Partnership
• Cisco has established partnerships with two major actors in this industry
  • Arbor Networks
  • Radware
• Different products for different positions / roles
  • SP edge / scrubbing centre, based on traffic diversion
  • DC and enterprise in-line analysis
• Arbor products are used in the ASR9000
• Radware products are used in the FirePower 9300
Cisco Partnerships: Arbor Networks
Arbor Peakflow SP Solution: Portfolio
Arbor Networks offers a variety of products to address DDoS attack detection and mitigation
• Peakflow SP (formerly known as Collector Platform, CP)
  • Collects flow records
  • Detects abnormal network behaviour and triggers alerts
  • Can influence the routing by injecting BGP routes in the network
  • Supports BGP FlowSpec as a controller
  • Sets up and monitors the TMS remotely
  • Software can run in a virtual machine
  • Orderable from the Cisco price list
Arbor Peakflow SP Solution: Portfolio
Arbor Networks offers a variety of products to address DDoS attack detection and mitigation
• Peakflow SP Threat Management System (TMS)
  • Configured by the SP, receives the diverted traffic and proceeds to in-depth packet analysis
  • Discards the attack packets and transmits the legitimate ones
  • Provides real-time monitoring information to operators
  • Software running in the ASR9000 VSM line card
Arbor Peakflow SP Solution: Integration in the ASR9000 Virtual Service Module Line Card
• Supported with
  • RSP440 onwards (not RSP2)
  • All ASR 9000 chassis except the 9001
• Multi-purpose service card
  • CGN
  • DDoS mitigation
• KVM virtualised environment based on the Wind River distribution
• 40Gbps of mitigation, pay-as-you-grow model with 10G/20G/40G licences
Arbor Peakflow SP Solution: Dynamic Black-List Offload Feature
• A countermeasure is activated and detects an offender
• The TMS instructs the ASR9000, via OpenFlow, to program an ACL on the source address, or on the source+destination pair, for one minute
  Match: src-IP 2.1.1.1
  Action: drop
• After 1 min the ACL is removed. If the offender is seen by the countermeasure again, the ACL is programmed for 5 min, and then for 5 min again, and so on
• The offender's packets are then dropped by the line card instead of consuming TMS capacity
(Diagram: steps 1 to 3, offender → victim, with the blacklisted source/destination pair programmed on the router)
Arbor Peakflow SP Solution: Deployment and Use-cases
• Used in internet border routers in the distributed architecture
• Used in scrubbing centres in the centralised architecture
• Traffic is diverted with route injection or VRF route leaking
• BGP FlowSpec is used to program the border routers
Arbor Peakflow SP Solution: Features (for reference)
• Mitigation in 4 seconds, auto-mitigation
• Flood attacks
  • TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP, SQL RS, Chargen amplification, DNS amplification, Microsoft SQL Resolution Service amplification, NTP amplification, SNMP amplification, SSDP amplification
• Fragmentation attacks
  • Teardrop, Targa3, Jolt2, Nestea
• TCP stack attacks (SYN, FIN, RST, SYN ACK, URG-PSH, TCP flags), application attacks (HTTP GET floods, SIP INVITE floods, DNS attacks, HTTPS protocol attacks), DNS cache poisoning, vulnerability attacks, resource exhaustion attacks (Slowloris, Pyloris, LOIC, etc.)
• Flash crowd protection. IPv4 and IPv6 attacks hidden in SSL-encrypted packets
Demo
Arbor Peakflow SP Solution: Recorded Demo
Cisco Partnerships: Radware DefencePro
Radware DefencePro
• Provides protection against application-layer attacks and state-table exhaustion attacks
• Primarily deployed to protect the firewall itself and the application servers behind it
• In phase 1, the FirePower 9300 supports the following modules:
  • Behavioural protections
  • Challenge response
  • Signature protection
(Table: DefencePro protection modules per tier, available vs. service. Network: Behavioural DoS, SYN Protection, Black/White Lists, Out-of-State, Connection PPS Limit, Connection Limit, Signature Protection, Anti-Scan. Server: Server Cracking, DNS Protection. Application: Behavioural HTTP Flood Protection)
Understanding the 9300 Radware DDoS Solution Components
• The Cisco FirePower 9300 is a scalable, carrier- and enterprise-grade, multi-service security appliance featuring:
  • Cisco ASA firewall
  • Radware DDoS mitigation (OEM)
• What is required?
  • 9300 chassis
  • DDoS licence (vDP)
  • Vision management software
  • Optional: DefencePipe cloud protection
(Diagram: DDoS, FW and NGIPS services on the same chassis)
Introducing the FirePower 9300
Security Modules
• Embedded packet/flow classifier and crypto hardware
• Cisco (ASA, NGFW) and third-party (DDoS, load-balancer) applications
• Standalone, or clustered within and across chassis
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/NGFW
Network Modules
• 10GE/40GE and, in the future, 100GE
• Hardware bypass for NGIPS
Security Services Architecture on Firepower 9300
(Diagram: the Supervisor with its on-board 8x10GE interfaces (Ethernet 1/1-8, Ethernet 1/7 used for management), an 8x10GE network module in slot 1 (Ethernet 2/1-8) and a 4x40GE network module in slot 2 (Ethernet 3/1-4) bundled into PortChannel1; three Security Modules each running an ASA cluster member as the primary application, with the DDoS "decorator" application in front of it in the packet flow; application image storage and an external data connector)
Mitigation on FP 9300 with Radware vDP
Behavioural DoS: Network Baselining and Response
Behavioural DoS
• Detects and prevents zero-day DoS/DDoS flood attacks
  • Establishes a baseline
  • Automatically detects traffic anomalies
  • Adapts the footprint to the new traffic pattern
• No manual tuning
• Low false-positive rate
• Passes legitimate traffic while under attack
• Protects against all kinds of flooding attacks
BDoS Detection and Mitigation of a DNS Attack
(Diagram: the attacker controls DoS bots (infected hosts) through an IRC command-and-control server; the bots flood the public DNS servers across the internet)
• Behavioural pattern detection (1): detect the rate increase of DNS requests
• Behavioural pattern detection (2): identify the abnormal ratio of DNS requests to other protocols
• Real-time signature: block the DNS requests matching specific packet parameters (e.g. DNS query name, …)
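The three steps above (rate anomaly, protocol-ratio anomaly, real-time signature) can be reduced to a few dozen lines. The following Python is an added example written for this page; it sketches the idea and is not Radware's algorithm or code. The learning windows, the attack window and the query lists are constructed, and the z-score threshold standing in for the "strictness" setting is an assumption. It also shows why the two detectors are combined: a flash crowd raises the DNS rate but keeps the DNS share of the traffic mix, so it is passed.

```python
"""Behavioural DoS in miniature, following the three steps on the slide:
learn a baseline of the DNS request rate and of the DNS share of all
packets, flag a window that deviates on both (a flash crowd moves the rate
but not the ratio), then derive a real-time signature from the query
parameter that dominates the anomalous traffic.  Added example written for
this page; a sketch of the idea, not Radware's algorithm.  The traffic
windows and queries are constructed."""
import statistics
from collections import Counter


def baseline(windows):
    """windows: [{"dns": packets, "total": packets}, ...] from the learning
    period.  Returns mean/std-dev of the DNS rate and of the DNS:total ratio."""
    rates = [w["dns"] for w in windows]
    ratios = [w["dns"] / w["total"] for w in windows]
    return {"rate_mu": statistics.mean(rates), "rate_sd": statistics.pstdev(rates),
            "ratio_mu": statistics.mean(ratios), "ratio_sd": statistics.pstdev(ratios)}


def is_anomalous(window, base, strictness=3.0):
    """Both detectors must fire: rate increase (1) AND abnormal protocol
    ratio (2).  'strictness' is the z-score threshold (assumed stand-in for
    the low/medium/high setting)."""
    rate_z = (window["dns"] - base["rate_mu"]) / max(base["rate_sd"], 1.0)
    ratio = window["dns"] / window["total"]
    ratio_z = (ratio - base["ratio_mu"]) / max(base["ratio_sd"], 1e-3)
    return rate_z > strictness and ratio_z > strictness


def realtime_signature(queries, min_share=0.5):
    """queries: [(qname, qtype), ...] seen in the anomalous window.  If one
    (qname, qtype) pair carries at least min_share of the requests, return a
    blocking signature on it; otherwise None (fall back to challenge / rate
    limit, as in the escalation ladder)."""
    (qname, qtype), count = Counter(queries).most_common(1)[0]
    share = count / len(queries)
    if share < min_share:
        return None
    return {"qname": qname, "qtype": qtype, "share": round(share, 2), "action": "block"}


def respond(window, queries, base):
    """Decision for one window: pass, block on a signature, or rate-limit."""
    if not is_anomalous(window, base):
        return {"action": "pass"}
    sig = realtime_signature(queries)
    return sig if sig else {"action": "rate-limit DNS per query type"}


# Constructed learning period: 24 windows, about 1000 DNS packets out of 20000.
LEARNING = [{"dns": 1000 + (i % 5) * 20, "total": 20000 + (i % 7) * 100}
            for i in range(24)]
BASE = baseline(LEARNING)
# Attack window: DNS jumps to 30000 packets and dominates the mix;
# 80% of the queries are ANY lookups of one name.
ATTACK = {"dns": 30000, "total": 49000}
ATTACK_QUERIES = ([("victim.example", "ANY")] * 8000
                  + [(f"host{i}.example", "A") for i in range(2000)])
# Flash crowd: everything grows four-fold, the DNS share stays at 5%.
FLASH = {"dns": 4000, "total": 80000}
FLASH_QUERIES = [(f"host{i}.example", "A") for i in range(4000)]

if __name__ == "__main__":
    print(respond(ATTACK, ATTACK_QUERIES, BASE))
    print(respond(FLASH, FLASH_QUERIES, BASE))
```

The signature is deliberately narrow (one name, one type) so that resolver traffic for everything else is untouched; when no single parameter dominates, the example falls through to the per-query-type rate limit, which is the next rung of the escalation ladder on the following slides.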
Configuration
• Define global options
  • Learning: day, week, month
  • Strictness: low, medium, high
• Create a profile
  • Name
  • Protection options
  • Bandwidth and traffic quotas
• Add the profile to a policy and update the policies
BDoS Profile: three main tabs
• Flood Protection Settings
• Bandwidth Settings
• Quota Settings
DNS Protection Escalates
• DNS flood attacks
  ‒ Detects when an attack has started
• Advantages
  ‒ Implements mitigation in escalating order
  ‒ When enabled, protects at the first sign of attack
• Disadvantages
  ‒ Escalation period before mitigation succeeds
  ‒ May drop legitimate traffic
• More severe mitigation limits DNS queries
DNS Mitigation Attack Escalation
(Diagram: escalation ladder, from attack detection upwards)
1. Attack detection
2. Behavioural real-time signature technology: a real-time signature is created; RT signature scope protection per query type
3. DNS query challenge (per query type)
4. Query rate limit (per query type)
5. Botnet identified (suspicious traffic is detected per query type): collective scope protection per query type
6. Collective query challenge
7. Collective query rate limit
SYN Flood Protection is Adaptive
Uses SYN cookies
• SYN flood attacks
  ‒ Aimed at specific servers
  ‒ Intend to consume server resources
  ‒ A type of DoS attack used to overflow the server session table
  ‒ A large volume of SYN packets is generated
• Typical SYN attacks:
  ‒ Incomplete TCP 3-way handshakes
  ‒ Untraceable packets (random source addresses)
  ‒ Fully-open connections
  ‒ Large volume of victimised participants (bot or zombie systems)
SYN Cookies
• TCP SYN Cookie
  • Inserts a hash of date/time into the ISN
  • No connection state maintained until the client is validated
  • Only in symmetric environments
• TCP Challenge
  • At a high volume of SYNs, DefencePro issues a Safe-Reset
  • The Safe-Reset has an invalid ACK number
  • The client sends a RESET (RST) packet, then sends its SYN again
  • DefencePro places the client in the Safe-sender list
  • No need for SYN cookies or delayed binding for this operation
  • Works in asymmetric environments
• Web Cookie Redirect (HTTP Redirect)
  • Issues a 302 to the client with a cookie
  • If the client doesn't return the correct cookie, the session is dropped
• JavaScript Redirect
  • Issues a cookie in the JavaScript
  • If the client doesn't return the correct cookie, the session is dropped
(Diagrams: SYN cookie exchange, SYN → SYN-ACK <cookie> → ACK <cookie>; Safe-Reset exchange, SYN → SYN-ACK <bad> → RST → SYN)
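The SYN cookie exchange above works because the server's initial sequence number is itself the proof of work: it is recomputable from the packet headers, a time counter and a secret, so no state is allocated per SYN and only an ACK carrying the right number creates a connection. The following Python is an added example written for this page, not DefencePro code: a stateless listener model with cookie generation and verification, a simplified encoding (no MSS index as in the kernel implementations), and a constructed secret. It shows the symmetric-path requirement too, since validation needs to see the client's ACK.

```python
"""SYN cookies as a stateless defence against SYN floods: the server's
initial sequence number carries a time slot and a keyed hash of the
connection, so no state is stored until the client's ACK proves that it
really receives packets at its source address.  Added example for this
page, not DefencePro code: simplified encoding (no MSS index), constructed
secret and addresses."""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-example-secret"   # assumption; rotate in real use
SLOT_SECONDS = 64                         # granularity of the time counter
MAX_SLOT_AGE = 1                          # accept current slot and one older


def _slot(now):
    return int(now) // SLOT_SECONDS


def _mac(src, dst, sport, dport, client_isn, slot):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the slot."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, client_isn, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, now):
    """Server ISN = (slot low 8 bits) << 24 | 24-bit MAC."""
    slot = _slot(now)
    return ((slot & 0xFF) << 24) | _mac(src, dst, sport, dport, client_isn, slot)


def check_cookie(src, dst, sport, dport, seq, ack, now):
    """Validate the final ACK of the handshake: seq = client_isn + 1,
    ack = server_isn + 1.  Recompute for each slot still accepted so a
    cookie cannot be replayed indefinitely."""
    server_isn = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    for age in range(MAX_SLOT_AGE + 1):
        slot = _slot(now) - age
        if server_isn >> 24 != slot & 0xFF:
            continue
        expected = _mac(src, dst, sport, dport, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (server_isn & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


class SynCookieListener:
    """Minimal model of the protected side: SYNs never allocate state."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.connections = {}      # only fully validated 4-tuples end up here

    def on_syn(self, src, sport, client_isn, now):
        """Answer every SYN statelessly with SYN-ACK <cookie>."""
        return {"flags": "SYN-ACK",
                "seq": make_cookie(src, self.ip, sport, self.port, client_isn, now),
                "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, sport, seq, ack, now):
        """Create connection state only when the cookie verifies."""
        if not check_cookie(src, self.ip, sport, self.port, seq, ack, now):
            return False
        self.connections[(src, sport)] = {"irs": seq, "iss": ack}
        return True
```

A spoofed source never sees the SYN-ACK, so it cannot produce the ACK and nothing is stored for it; a real client completes the handshake as usual. The device computing the cookie must also see the returning ACK, which is the "symmetric environments only" caveat on the slide and the reason the Safe-Reset challenge, which validates the client through its RST instead, is used on asymmetric paths.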
Demo
Conclusion
Cisco DDoS Offerings
Arbor TMS on ASR9k
• DDoS target is bandwidth
• Volumetric attacks
• Part of the SP Clean Pipes solution
• Traffic diverted to the scrubber within the router backplane
• Clean traffic re-injected locally
• Additional Arbor products can protect enterprise assets
Radware vDP on FP9300
• DDoS target is the firewall and the devices behind it, NOT bandwidth
• vDP sits in-line and sees all traffic going to the firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks
End-to-End Mitigation Summary
(Diagram: Internet → peering/transit → core → DC edge → firewall, IPS/IDS, DPI → FP9300 → data centre)
• Amplification Attacks: handled at the edge router level with BGP FlowSpec
  • NTP, DNS, SSDP, CharGen, SNMP, RIPv1, Port Mapper, …
• Stateless Attacks: handled at the edge router level with BGP FlowSpec
  • ICMP floods, UDP fragments, etc.
• Stateful Attacks: traffic is diverted to a scrubbing device, local or centralised
  • SYN floods, HTTP-based, SSL, SIP, …
• Application Misuse: low and slow attacks are handled in-line in the FP9300
  • Slowloris, brute force, SQL injection, XSS, …
End-to-End Mitigation
• Cisco offers products covering security, routing and switching
• The router and the switch can be leveraged as the first layer of defence
• Partnerships have been established with two major actors of DDoS mitigation
• Not a one-size-fits-all solution, but a case-by-case approach
• Different attacks should be handled by different products at different places
Q & A
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Thank you
VSM Internal Architecture
(Diagram: the Service Infra Module (SIM) carries two Typhoon NPUs and two fabric ASICs towards the backplane, with 48 10GE ports (Niantic controllers) over XAUI to the Application Processor Module (APM); the APM carries four Ivy Bridge CPUs, each with 32GB DDR3 and a Crypto/DPI assist engine over PCIe, plus a quad PHY with four SFP+ front ports)
Enterprise Perimeter Protection Use Case
(Diagram: Internet perimeter with an ADC and the FirePower 9300 in front of the data centre: web portals, CRM, BI, unified communications)
DDoS protection solution highlights:
• Network and application DDoS attack protection
• Most accurate detection & mitigation
• Shortest time to mitigate
FirePower 9300 solution highlights:
• Integrated multi-service security platform
• Closes security and visibility gaps
• High performance and scalability
Enterprise Use Case with Cloud Mitigation
(Diagram: Internet perimeter with an ADC and the FirePower 9300 in front of the data centre (web portals, CRM, BI, unified communications), with Defence Messaging towards the cloud mitigation in front of the perimeter)
DDoS protection solution highlights:
• Network and application DDoS attack protection
• Most accurate detection & mitigation
• Shortest time to mitigate
Defence Messaging:
• Volumetric attack mitigation in the cloud
• No protection gap
Service Provider: Service Centre DC Protection
(Diagram: Internet perimeter with an ADC and the FirePower 9300 in front of the service centre LAN: web, CDN, DNS, AAA, hosted customers 1 and 2)
DDoS protection solution highlights:
• Network and application DDoS attack protection
• Most accurate detection & mitigation
• Shortest time to mitigate
FirePower 9300 solution highlights:
• Integrated multi-service security platform
• Closes security and visibility gaps
• High performance and scalability
• Elasticity: add mitigation capacity on demand
Service Provider: Service Centre with Cloud Mitigation
(Diagram: Internet perimeter with an ADC and the FirePower 9300 in front of the service centre LAN (web, CDN, DNS, AAA, hosted customers 1 and 2), with Defence Messaging towards the cloud mitigation in front of the perimeter)
Defence Messaging:
• Volumetric attack mitigation in the cloud
• No protection gap
DDoS protection solution highlights:
• Network and application DDoS attack protection
• Most accurate detection & mitigation
• Shortest time to mitigate