29
DDOS MITIGATION
DDOS MITIGATION
I. DDoS Report
II. DDoS Mitigation techinques
III. Recommendations
Agenda
DDoS Reportsource:Worldwide DDoS Attacks & Protection Report - Neustar
DDoS Report
DDoS Report
DDoS Report
Mirai botnet: 608,083 unique IPs across 196 countries
Source:http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS ReportSource:http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS ReportSource:http://blog.netlab.360.com/a-quick-stats-on-the-608-083-mirai-ips-that-hit-our-honeypots-in-the-past-2-5-months/
DDoS Mitigation Techniques
Common types of DDoS attacks
Volumetric attacks Protocol attacks Application layer attacks
DDoS Mitigation Techniques
DDoS protection options Cloud service DDoS mitigation
CDN/DNS-based DDoS mitigation
In-house DDoS mitigation
Outsourced specialist DDoS protection
DDoS Mitigation Techniques
DDoS Mitigation
Monitor/Detection
Mitigation
DDoS Mitigation Techniques
DDoS Detection
Passive traffic flow infomation collection
Netflow, sFlow, IPFIX
Real-time analysis (faster)
Inline Appliance, Port mirroring, Network TAP
DDoS Mitigation Techniques
Detection Detects bandwidth-related traffic anomalies
Distributed Denial of Service (DDoS) attacks
Volumetric DoS attacks
NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks
DDoS Mitigation Techniques
Mitigation Discard (Blackhole/shinkhole)
Filtering (Scrubber)
DDoS Mitigation Techniques
Remotely Triggered Black Hole
D/RTBH: Blackhole basd on destination address
S/RTBH: Blackhole based on source address
DDoS Mitigation Techniques
S/RTBH
Use Unicast Reverse Path Forwarding (uRPF) filter
uRPF:loosing mode
DDoS Mitigation Techniques
Flowspec (RFC5575)Basic idea: Use BGP to distribute flow specification filters and dynamically filter on routers.
DDoS Mitigation Techniques
BGP Flowspec can include the following information:Type 1 - Destination PrefixType 2 - Source PrefixType 3 - IP ProtocolType 4 – Source or Destination PortType 5 – Destination PortType 6 - Source PortType 7 – ICMP TypeType 8 – ICMP CodeType 9 - TCP flagsType 10 - Packet lengthType 11 – DSCPType 12 - Fragment Encoding
Actions are defined using BGP Extended Communities:0x8006 – traffic-rate (set to 0 to drop all traffic)0x8007 – traffic-action (sampling)0x8008 – redirect to VRF (route target)0x8009 – traffic-marking (DSCP value)
BGP Flow Specification
DDoS Mitigation Techniques
DDoS Detection Vendors: Arbor Peakflow SP 3.5
Juniper DDoS Secure 5.14.2-0
Router Vendors: Alcatel-Lucent SR OS 9.0R1
Juniper JUNOS 7.3
Cisco 5.2.0 for ASR and CRS [6]
DDoS Mitigation Techniques
Filtering (Scrubber)
Software base fitler: netfilter
Hardware base filter (Appliance)
FPGA card (40-100Gbps)
NICs (10Gbps)
DDoS Mitigation Techniques
AntiDDoS
D/RTBH, S/RTBH
BGP off/on ramping
Nic Filtering
DDoS Mitigation Techniques
Collect data Flow
Impact hardware perfomance
Network Tap Tap insertion loss
Port Mirroring Limit session
Port mirroring and Tap
DDoS Mitigation Techniques
Network Tap
Split ratio Lost signal
DDoS Mitigation Techniques
Hardware Performance
Capture Backend PF_RING_ZC Netmap
Turning OS, Software
DDoS Mitigation Techniques
Hardware Performance Reduce Sampling rate
DDoS Mitigation Techniques
Network Policy and Action
International Upstream Services (Blackhole, Filter)
Domestic Upstream services: not widely support auto Blackhole/Filter
DDoS Mitigation Techniques
Domestic Attack
Delay to detect attack source to stop (DoS)
Not yet mechanisms to coordination between ISPs with each other and role of VNIX
Recommendations
DDoS is not only the concern of service provider but also of national security
ISPs need to more attention to issues and investment DDoS systems to prevent attacks
There should be closer coordination between ISP about preventing DDoS attacks
