Diversion & Sieving Techniques to Defeat DDoS
Yehuda Afek, Tel-Aviv University / WANWall Ltd.
Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou, WANWall Ltd.
DDoS protection, Where & How?
[Diagram: Server1, Victim and Server2 behind routers R1 to R5; FE access links marked 100, peering links marked 1000]
At the Routers
[Diagram: same topology as the previous slide, with filtering applied at the routers]
ACLs, CARs, null route
• Random spoofing
• Throws good with bad
• Router degradation
At the Edge
[Diagram: same topology as the previous slides, with protection placed at the edge in front of the victim]
• Choked
• Point of failure
• Not scalable
At the Back Bone
[Diagram: same topology as the previous slides, with protection placed in the backbone at the peering links]
• Throughput
• Point of failure
• All suffer
Diversion
[Diagram: same topology as the previous slides, with the victim's traffic diverted to a guard that sits off the critical path]
• Not on critical path
• Routers route
• Upstream
• Sharing
• Dynamic
Basic Concepts
1. Divert victim's traffic
2. Sieve
3. Legitimate traffic continues on its route
[Diagram: router R diverts the victim's traffic to the guard and its database; clean traffic continues to the victim; malicious packets are dropped]
Sieving Malicious traffic
Stages:
• Packet filtering
• Anti-spoofing
• Learning & statistical analysis
• HTTP analysis & authentication
• Output
Sieving techniques
• Filters: IPs, ports, flags, etc.
• Anti-spoofing: TCP, other
• Recognition: statistical analysis, layers 3-7
• High-level protocols: HTTP specific (recognize anomalous behavior), other
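The sieve stages listed above, as an added toy model (this is not WANWall's code or the deck's own material): a static filter on IPs, ports and protocol, a TCP anti-spoofing stage that admits a source only after it answers a cookie challenge, and a per-source statistical rate check. The victim address, allowed ports, rate limit, the HMAC cookie scheme and the constructed packet trace are all assumptions made for the demo.

```python
"""Toy model of the sieve stages the deck lists: static filters, TCP
anti-spoofing, and per-source statistical analysis.  Added example, not
WANWall code; packets, addresses and thresholds are constructed."""
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-demo-secret"   # guard-side secret for the challenge cookie
VICTIM = "192.0.2.10"                  # documentation address (constructed)
ALLOWED_PORTS = {80, 443}              # the victim offers only web service
RATE_LIMIT = 5                         # packets per source per window (demo value)


def cookie(src, sport):
    """Challenge value the guard would carry in its SYN-ACK sequence number."""
    msg = f"{src}:{sport}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]


def stage_filter(pkt):
    """Stage 1: static filters on IPs, ports and protocol."""
    if pkt["dst"] != VICTIM:
        return False          # not victim traffic, should not have been diverted
    if pkt["proto"] != "tcp":
        return False          # victim serves TCP only; UDP/ICMP floods are dropped
    return pkt["dport"] in ALLOWED_PORTS


def stage_antispoof(pkt, authenticated):
    """Stage 2: TCP anti-spoofing.  A bare SYN is answered with a challenge
    and not forwarded; only a source that returns the cookie is admitted."""
    src = pkt["src"]
    if src in authenticated:
        return True
    if pkt["flags"] == "S":
        return False          # challenge sent (not modelled); SYN not forwarded
    if pkt["flags"] == "A" and pkt.get("cookie") == cookie(src, pkt["sport"]):
        authenticated.add(src)
        return False          # this ACK completed the handshake with the guard
    return False              # spoofed sources never reach this point with a cookie


def stage_stats(passed):
    """Stage 3: per-source rate check over the window."""
    per_src = Counter(p["src"] for p in passed)
    noisy = {s for s, n in per_src.items() if n > RATE_LIMIT}
    return [p for p in passed if p["src"] not in noisy], noisy


def sieve(packets):
    """Run the three stages in order and report what each one let through."""
    authenticated = set()
    after_filter = [p for p in packets if stage_filter(p)]
    after_auth = [p for p in after_filter if stage_antispoof(p, authenticated)]
    clean, noisy = stage_stats(after_auth)
    return {
        "in": len(packets),
        "after_filter": len(after_filter),
        "after_antispoof": len(after_auth),
        "clean": len(clean),
        "rate_limited": sorted(noisy),
        "authenticated": sorted(authenticated),
    }


def tcp(src, sport, flags, dport=80, **extra):
    """Constructed TCP packet toward the victim."""
    return {"src": src, "sport": sport, "dst": VICTIM, "dport": dport,
            "proto": "tcp", "flags": flags, **extra}


def demo_traffic():
    """Constructed window of diverted traffic: one good client, a spoofed
    SYN flood, one real host that floods after authenticating, and junk."""
    good, bot = "198.51.100.7", "198.51.100.99"
    pkts = [tcp(good, 40000, "S"),
            tcp(good, 40000, "A", cookie=cookie(good, 40000))]
    pkts += [tcp(good, 40000, "PA") for _ in range(3)]
    pkts += [tcp(f"203.0.113.{i}", 1000 + i, "S") for i in range(1, 21)]
    pkts += [tcp(bot, 50000, "S"),
             tcp(bot, 50000, "A", cookie=cookie(bot, 50000))]
    pkts += [tcp(bot, 50000, "PA") for _ in range(10)]
    pkts.append({"src": "203.0.113.200", "sport": 53, "dst": VICTIM, "dport": 80,
                 "proto": "udp", "flags": ""})
    pkts.append(tcp(good, 40001, "S", dport=22))
    return pkts


if __name__ == "__main__":
    print(sieve(demo_traffic()))
```

Each stage sees only what the previous one passed, which is the point of the layered design: the cheap filter removes whole protocol classes, the challenge removes every spoofed source without any per-packet state for them, and only the small authenticated remainder is worth the cost of statistical analysis.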
Diversion
1. Divert
2. Return good traffic, without looping!
[Diagram: router R, guard with database; victim traffic, clean traffic and malicious packets]
Diversion: BGP + next L3
1. Divert: BGP
   announce a /32 from the box, with the no_export and no_advertise communities
2. Return: next layer 3 device
[Diagram: guard attached to router R through an L2 device; clean traffic returned to the next L3 device behind R]
Diversion: BGP + GRE
1. Divert: BGP
2. Return: GRE
GRE de-cap increases VIP load < 20% [Wessels & Hardie, NANOG19, Albuquerque]
[Diagram: BGP announcement from the guard to router R; clean traffic returned over a GRE tunnel]
Diversion test
[Diagram: test setup with nodes labelled A, A, C, R, X, V, I and W over Gig and 100BT links; victim and non-victim hosts]
Phase 1: Normal traffic
Phase 2: Attack + Normal traffic
Phase 3: Attack + Normal traffic + Diversion
Diversion effect
[Plot: latency (usec, ticks 100, 1000, 10000) over time for three conditions: normal, Attack, Attack + diversion; two series: Latency to Victim, Latency to Non-Victim]
Diversion: WCCP v2
Web Cache Coordination Protocol v2 [IETF internet draft draft-wilson-wrec-wccp-v2-00.txt]
• Remote diversion
• Protocol, no dynamic config.
Current status:
• Available on 6500, 7200, 7500, 7600SR, from IOS 12.0(3)T and 12.0(11)S with dCEF
• Other vendors?
[Diagram: router R diverts to the guard via WCCP; clean traffic returned]
Diversion: PBR / FBF
1. Divert: Policy Based Routing / Filter Based Forwarding
2. Return: normal route table
[Diagram: router R applies PBR toward the guard; clean traffic returned via the normal route table]
Diversion: BGP + PBR
1. Divert: BGP
2. Return: PBR on the guard's interface card
[Diagram: BGP announcement from the guard to router R; return path via PBR]
PBR
• Dynamic configuration: adding an access list on demand
• CPU load: VIP or RSP CPU load
• Juniper FBF: dedicated processor, Internet Processor II (from JunOS 4.4)
[Diagram: router R with PBR toward the guard]
PBR Warts
• 12.1(8a)E4, 12.0(18)S and 12.2(2)T with "distributed cef" will not PBR properly! BUG ID: cscdp78100
  all packets are diverted, rather than only what is matched; "ip cef" works properly
• Tested on 7513 on FE as well as GE (GEIP+)
Configuration used (victim-ip, victim-mask and Guard-guard-IP are placeholders):
  ip access-list extended WW33
   permit ip any victim-ip victim-mask
  route-map WWMap permit 33
   match ip address WW33
   set ip next-hop Guard-guard-IP
  interface GigabitEthernet0/0/0
   ip policy route-map WWMap
  end
Diversion: Double Addressing
1. Divert: BGP
2. Return: double addressing
   victim with a private IP address, routed only internally
[Diagram: BGP announcement from the guard to router R; clean traffic returned to the victim's private address]
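The "without looping" requirement behind the return-path options on the BGP + next L3, BGP + GRE and Double Addressing slides, as an added routing model (not WANWall code or part of the deck): a diverting router R holds the guard's /32, so a clean packet handed straight back to R is diverted again, while returning it to the next L3 device, over a GRE tunnel terminated behind R, or to an internal-only private address all escape the /32. Node names, addresses and the forwarding tables are assumptions constructed for the demo.

```python
"""Routing model of the diversion return paths the deck compares: handing
clean traffic straight back to the diverting router loops, while returning
it to the next L3 device, over GRE, or to a private (double) address does
not.  Added example, not WANWall code; addresses and node names constructed."""
import ipaddress

VICTIM = "192.0.2.10"          # public victim address (constructed)
VICTIM_PRIVATE = "10.1.0.10"   # internal-only address for double addressing
INNER_TUNNEL_END = "10.0.0.2"  # GRE endpoint on the L3 device behind R


class Router:
    """Longest-prefix-match forwarding table of (prefix, next hop)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if addr in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def build(diverted):
    """R is the diverting router; R_inner is the next L3 device toward the victim."""
    r = Router([("0.0.0.0/0", "upstream"), ("192.0.2.0/24", "R_inner"),
                ("10.0.0.0/24", "R_inner"), ("10.1.0.0/24", "R_inner")])
    if diverted:
        # the /32 the guard announces over BGP wins every lookup for the victim
        r.routes.append((ipaddress.ip_network(VICTIM + "/32"), "guard"))
    r_inner = Router([("192.0.2.0/24", "victim_lan"), ("10.1.0.0/24", "victim_lan"),
                      ("0.0.0.0/0", "R")])
    return r, r_inner


def forward(mode, diverted=True, max_hops=10):
    """Walk one clean packet from R; return (hops, delivered)."""
    r, r_inner = build(diverted)
    pkt = {"dst": VICTIM, "outer": None}
    node, hops = "R", ["R"]
    seen = {("R", None, VICTIM)}
    for _ in range(max_hops):
        if node == "R":
            node = r.lookup(pkt["outer"] or pkt["dst"])
        elif node == "guard":            # sieve omitted; choose the return path
            if mode == "plain":          # hand it back to R unchanged
                node = "R"
            elif mode == "gre":          # encapsulate toward the inner router
                pkt["outer"] = INNER_TUNNEL_END
                node = "R"
            elif mode == "next_l3":      # direct link to the L3 device behind R
                node = "R_inner"
            elif mode == "double_addr":  # rewrite to the internal-only address
                pkt["dst"] = VICTIM_PRIVATE
                node = "R"
            else:
                raise ValueError(mode)
        elif node == "R_inner":
            if pkt["outer"] == INNER_TUNNEL_END:
                pkt["outer"] = None      # GRE de-cap, then route the inner header
            node = r_inner.lookup(pkt["dst"])
        else:
            return hops, True            # reached a LAN or the upstream: delivered
        hops.append(node)
        state = (node, pkt["outer"], pkt["dst"])
        if state in seen:
            return hops, False           # same node, same headers: a loop
        seen.add(state)
    return hops, False


if __name__ == "__main__":
    for mode in ("plain", "next_l3", "gre", "double_addr"):
        print(mode, *forward(mode))
```

The loop check keys on the node together with the outer and inner destination, which is exactly what each return method changes: GRE changes the outer header, double addressing changes the inner destination, and next L3 changes the node, so none of them revisits R with the headers that matched the /32.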
Diversion for DDoS: Summary
• Maximize goodput to victim
• Leave data path free
• Let routers route
• Protect any device
• Sharing a large resource on demand
• Upstream (à la push back)