Posted: 12-Jan-2016
Matt Sheely
Devrin Lewis
UC IT DDoS Prevention Research Project
Overview
• History
• Problem Statement
• Hardware/Software Requirements
• Design Protocol
• Demo
• Testing
• Risk Management
• Budget
• Conclusion
History
• UC IT Attack
  – Distributed Denial of Service (DDoS)
  – Crippled UC network
  – Problem compounded: Blackboard services
• Outcome
  – DDoS prevention architecture: NetZentry
• NetZentry no longer supported
  – Outdated definition files in use
Problem Statement
Currently, the UC IT department is looking for a new, non-service-based DDoS prevention architecture, either a hardware or a software implementation, that performs to or exceeds the existing DDoS prevention architecture, NetZentry.
Hardware/Software Requirements
• Vendor Supplied DDoS hardware
  – IntruGuard IG2000 (fiber)
  – Radware DefensePro x20
  – Radware Absolute Insite ManagePro
• Cisco Catalyst 6500 Router
• Cisco 3750G PoE switch
• Radware Raptor Attack Tool
• Windows Server 2003 Machine (Management Console)
• Test Laptops
Design Protocol
[Network diagram of the test setup. Nodes shown: Internet; UC Production Network; Isolated UC Attack Test Lab; Cisco Catalyst 6500 Router; VLAN 36; Cisco 3750G; Radware DefensePro; Radware Insite ManagePro; IntruGuard IG2000; Management Console; DDoS Attack Host. Links listed in the diagram key: UC Production Traffic; Tx Mirrored Traffic; Rx Mirrored Traffic; Rx Mirrored Traffic and Mirrored Attack Traffic; Radware Filtered Rx Traffic; Attack Traffic; Management Link Between Radware DefensePro and Insite ManagePro; IntruGuard Management Link; Radware Management Link.]
Demo
Testing
Weighted Value Chart

| Test Stage | Multiplier Value | Description of Multiplier Value |
|---|---|---|
| Configuration Testing | 1.667 | Configuration testing was deemed lowest importance and will be used in case of a tie between vendor hardware. |
| Baseline Testing | 5.000 | Baseline testing was deemed highest importance in order to maintain legitimate network connectivity. |
| Attack Testing | 3.333 | Attack testing was deemed the second highest importance in order to maintain legitimate network connectivity. |
Configuration Results
Rating scale: Poor (1), Average (2), Excellent (3); x marks the rating given.

Radware

| Parameter | Rating |
|---|---|
| Difficulty of Vendor Supplied Documentation | x |
| User Interfaces for Management | x |
| Vendor Availability | x |
| Overall configuration | x |

IntruGuard

| Parameter | Rating |
|---|---|
| Difficulty of Vendor Supplied Documentation | x |
| User Interfaces for Management | x |
| Vendor Availability | x |
| Overall configuration | x |
Baseline Results
Rating scale: Vendor blocks legitimate traffic (0); Fairly certain blocks legitimate traffic (1); Equally likely to be blocking as not blocking legitimate traffic (2); Fairly certain does not block legitimate traffic (3); Does not block legitimate traffic (6). x marks the rating given.

| Parameter | Vendor | Rating |
|---|---|---|
| Certainty of legitimate traffic not being blocked | Radware | x |
| Certainty of legitimate traffic not being blocked | IntruGuard | x |
Attack Results
Scoring: Pass (1), Failed (0)

| Attack Type (date/time of test) | Radware | IntruGuard |
|---|---|---|
| Single Source, Non-spoofed TCP SYN Attack (21/04/09 14:36/12:18) | 1 | 1 |
| Single Source, Non-spoofed TCP RST Attack (21/04/09 14:46/12:27) | 1 | 1 |
| Multi-source, Spoofed TCP SYN attack (22/04/09 1:14) | 0 (1) | 1 |
| Multi-source, Spoofed TCP RST attack (22/04/09 1:37) | 1 | 1 |
| Single source, Non-spoofed UDP data flood (22/04/09 1:48) | 1 | 1 |
| Single source, Non-spoofed UDP RTP flood (22/04/09 2:00) (ICMP 8) | 1 | 1 |
| Multi-source, Spoofed UDP Data flood (22/04/09 2:14) | 1 | 1 |
| Multi-source, Spoofed UDP RTP flood (22/04/09 2:24) (ICMP 8) | 1 | 1 |
| Single source Non-spoofed ICMP echo request (27/04/09 1:20) (ICMP 8) | 1 | 1 |
| Single source Non-spoofed ICMP timestamp flood (27/04/09 1:20) (ICMP 8) | 1 | 1 |
| Multi-source Spoofed ICMP echo request (27/04 2:00) (ICMP 8) | 1 | 1 |
| Multi-source Spoofed ICMP timestamp flood (27/04 1:20) (ICMP 8) | 1 | 1 |
| Total attack testing score | 11 | 12 |
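The attack matrix above is organised along two axes: the protocol or packet type (TCP SYN, TCP RST, UDP, ICMP echo request, ICMP timestamp) and the source cardinality (single-source vs multi-source). The following is an added example, not code from the UC IT project or from either vendor, of how a monitoring point on the mirrored-traffic link could label observed floods along those same two axes. The window size, rate threshold, multi-source cutoff and the sample packet records are constructed assumptions; note that spoofing itself cannot be determined from the records, only the spread of source addresses.

```python
# Added example, not part of the UC IT DDoS project: a small flood
# classifier that labels suspect traffic along the two axes of the
# attack results table (protocol/type and single- vs multi-source).
# Thresholds, window size and the sample records are constructed
# assumptions, not values from the project.
from collections import defaultdict

WINDOW_S = 1.0          # assumed analysis window in seconds
RATE_THRESHOLD = 50     # assumed packets/second per destination and category before flagging
MULTI_SOURCE_MIN = 10   # assumed distinct-source count separating multi-source from single-source


def categorize(proto, detail):
    """Map one packet to an attack-matrix category, or None if it is not of interest.

    detail is the TCP flag string ("S" for a bare SYN, "R" for RST), the
    ICMP type number (8 = echo request, 13 = timestamp request), or None for UDP.
    """
    if proto == "tcp":
        return {"S": "TCP SYN", "R": "TCP RST"}.get(detail)
    if proto == "udp":
        return "UDP data"
    if proto == "icmp":
        return {8: "ICMP echo request", 13: "ICMP timestamp"}.get(detail)
    return None


def classify_floods(packets, window_s=WINDOW_S,
                    rate_threshold=RATE_THRESHOLD, multi_source_min=MULTI_SOURCE_MIN):
    """Return {(dst_ip, category): finding} for every window that exceeds the rate threshold.

    packets are tuples (timestamp_s, src_ip, dst_ip, proto, detail).
    A finding records the peak packet rate seen, the number of distinct
    sources behind it, and the single-/multi-source label.
    """
    buckets = defaultdict(list)
    for ts, src, dst, proto, detail in packets:
        cat = categorize(proto, detail)
        if cat is None:
            continue
        buckets[(int(ts // window_s), dst, cat)].append(src)

    findings = {}
    for (_win, dst, cat), srcs in buckets.items():
        rate = len(srcs) / window_s
        if rate < rate_threshold:
            continue
        distinct = len(set(srcs))
        origin = "Multi-source" if distinct >= multi_source_min else "Single source"
        key = (dst, cat)
        # keep the worst window per (destination, category)
        if key not in findings or rate > findings[key]["rate"]:
            findings[key] = {"origin": origin, "rate": rate,
                             "distinct_sources": distinct,
                             "label": f"{origin} {cat} flood"}
    return findings


def constructed_sample():
    """Constructed packet summaries that exercise three rows of the matrix."""
    victim = "10.0.0.5"
    packets = []
    # one host sending 80 bare SYNs inside a single one-second window
    packets += [(i * 0.01, "192.0.2.10", victim, "tcp", "S") for i in range(80)]
    # 120 echo requests spread over 40 source addresses, same window
    packets += [(i * 0.005, f"198.51.100.{i % 40}", victim, "icmp", 8) for i in range(120)]
    # ordinary UDP traffic from one client, well under the threshold
    packets += [(i * 0.1, "203.0.113.7", victim, "udp", None) for i in range(10)]
    # an established-connection ACK, which the classifier ignores
    packets.append((0.5, "203.0.113.8", victim, "tcp", "A"))
    return packets


if __name__ == "__main__":
    for (dst, cat), f in sorted(classify_floods(constructed_sample()).items()):
        print(f"{dst} {f['label']}: {f['rate']:.0f} pps from {f['distinct_sources']} source(s)")
```

Run as a script it reports a single-source TCP SYN flood and a multi-source ICMP echo request flood against the constructed victim, and nothing for the low-rate UDP client. In a real deployment the thresholds would be set from the baseline testing stage, since a rate limit chosen too low reproduces exactly the "blocks legitimate traffic" outcome the baseline scoring penalises.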
Risk Management

| Risk | Risk Level | Mitigation |
|---|---|---|
| Vendor hardware delay and/or hardware failure | High | Maintain contact with vendors in order to anticipate hardware delay, and then have alternative procedures in order to maintain the test schedule |
| Vendor decision to withdraw from project | High | Retain project with updated scope to compare two vendor hardware setups instead of three |
| Test lab configuration | Moderate | Run preliminary DDoS test on test network before beginning trial tests of hardware |
| Test lab software | Moderate | Back-up plans for test software, including vendor supplied testing software |
| Lab hardware failure | Moderate | Spare parts on hand to replace faulty hardware components |
| Over-extending timeline | Moderate | Develop multiple plans based on 3 or 4 week testing |
Budget

| Product | Retail Cost | Our Cost | Provider |
|---|---|---|---|
| Lab Resources | | | |
| Two Laptop Computers | $2100 + (2*$900) = $3900 | $2,100 | UC Lab/Personal |
| Radware Raptor Attack Tool | 0 | 0 | Vendor |
| Cisco 3750G PoE Switch | $5,049.00 | 0 | UC Network Operations |
| Cabling | $1.04 x 250ft = $260 | 0 | UC Lab |
| Vendor Hardware | ~$20,000 | 0 | Vendor |
| Visio | $559.95 | 0 | MSDN |
| Office 2007 | $164.94 | $10 | Student Book Store |
| Windows Server 2K3 Machine | $500.00 | 0 | UC Network Operations |
| Labor ($40 per hour) | | | |
| Research hours | 30h x 2 = 60h | 0 | |
| Hardware installation | 5h x 3 x 2 = 30h | 0 | |
| Initial Lab setup | 10h x 2 = 20h | 0 | |
| DDoS Testing | 5h x 3 x 2 = 30h | 0 | |
| Recommendation report | 10h x 2 = 20h | 0 | |
| Total hours | 160h | 0 | |
| Labor costs | 160h x $40 = $6400 | 0 | |
| Total cost | ~$36,833.89 | $2,110 | |
Conclusion

| Test | Radware/IntruGuard | Multiplier | Weighted Total |
|---|---|---|---|
| Configuration | 9/9 | 1.667 | 15.003/15.003 |
| Baseline | 3/12 | 5 | 15/36 |
| Attack | 11/12 | 3.333 | 36.63/39.96 |
| Complete Total | | | 66.633/90.963 |
The IntruGuard IG2000 receives the recommendation to UCit based on the results of the test parameters, as well as the fact that the Radware DefensePro's requirement of downgrading to Java Runtime Environment 5.5 could be prohibitive to UCit.
Questions?
Configuration Screens
User Profile
• Network Administrator
  – Advanced network and security knowledge
  – Extensive knowledge of current UC network
  – Strong troubleshooting skills
Deliverables
• Installation and configuration process
• Documentation of configuration
• Analysis and performance report
• Recommendation report
For Vendor Responses, refer to the appropriate attached Word documents:
Radware_Response
IntruGuard_Response