ftnt minixte13 -at fortiddos

Upload: luis-cannobbio

Post on 09-Feb-2018


  • 7/22/2019 Ftnt Minixte13 -At Fortiddos

1/119

Mini Xtreme Team 2013

7th and 8th August 2013, Montevideo, Uruguay.

March 31, 2014 (Fortinet PowerPoint Template, First Quarter 2012)

2/119

Mini Xtreme Team 2013: FortiDDoS

3/119

Agenda

1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs

4/119

Remembering the OSI Model....

The Open Systems Interconnection (OSI) model is a conceptual model that characterizes and standardizes the internal functions of a communications system by partitioning it into abstraction layers.

5/119

What is a DoS Attack?

An attack designed to take a resource, application or service and deny access to legitimate users.

Terminology:

DoS: Denial-of-Service
DDoS: Distributed Denial-of-Service
LDoS: Low-Rate Denial-of-Service
PDoS: Permanent Denial-of-Service
PPS: Packets Per Second

6/119

Types of DoS

Denial of Service: a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users.

DDoS, Distributed Denial of Service: occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.

LDoS, Low-Rate Denial of Service: an LDoS attack exploits TCP's slow-time-scale dynamics of retransmission time-out (RTO) mechanisms to reduce TCP throughput.

PDoS, Permanent Denial of Service: a PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. A PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware.

7/119

Example of attack (chart): traffic against a web server scaled from x1 to x10000, plotted against CPU/MEM load from 1 to 100.

8/119

Application Targeted DDoS (L7)

Targets well known and required services: Email/SMTP, DNS, Web/HTTP, SQL, SSH.

Requires sophisticated tools able to update and adapt; these exist today.

Deliberately avoids high bandwidth usage to keep low (and slow). Application-based DDoS is on the increase, accounting for a quarter of all attacks.

Continuously evolving to evade detection of the attack and protect the identity of the attacker.

9/119

Type of Attack

Volumetric Attack: designed to consume available Internet bandwidth or overload server resources. Typical examples: SYN Flood, UDP Flood, ICMP Flood, SMURF attacks.

Application Layer Attacks: more sophisticated, attractive to the attacker since they require less resource to carry out (botnet costs). Target vulnerabilities in applications to evade flood detection strategies.

Cloud Infrastructure Attacks: cloud solutions can turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail and web servers). Mitigation can be complex and any attack can impact multiple customers.

Attack sources:

Spoofed Attacks: fewer machines, limited power
Non-Spoofed Bot Clients: more machines, higher power
Bot Servers: more power, more bandwidth
Socially Engineered: more with less

10/119

Who's likely to be interested in a DDoS solution?

Companies that are or have been targets of Denial of Service attacks
Hosting or Cloud provider services
Ecommerce
Online Gaming and Gambling
Medium and larger Enterprises with an internet presence
Any company that has recently been or is actively being attacked

11/119

Some Traditional Attacks

SYN Flood: targets connection table resources. Layer 3 attack. Target flooded with TCP SYN packets.

UDP Flood: targets CPU and network traffic resources. Layer 3 attack. Floods the server with random UDP connections.

12/119

Some Traditional Attacks

ICMP Flood (SMURF, Ping Flood)

SMURF: packets sent with the source being a false IP. Layer 3 attack. Turns the server into an attacker and consumes resources.

13/119

Some Traditional Attacks

Ping Flood: echo requests sent without waiting for a reply. Layer 3 attack. Consumes bandwidth.

One common method of combating a ping flood attack is to block ICMP traffic.

14/119

The Slowloris Attack

Targets HTTP from a single client machine. Not new, dates from 2009.
Opens a connection to a web server. Not all servers are vulnerable.
Sends legitimate, but partial, never ending requests; sends something to prevent a timeout.
Sockets held open: no more sockets, no more service.
Request methods and header seen: GET, HEAD, POST, X-a

15/119

Myths about DDoS attacks

It happens to others
Software fixes can solve DDoS attack issues
IPTABLES can stop DDoS attacks
Webhost will take care of DDoS attacks
ISPs of the world co-operate
ACLs on switches/routers can stop DDoS attacks
Pipes will fill anyway, what's the point
Law enforcement is easy to approach in case of DDoS attacks

16/119

DoS Protection Options

Scrubbing Service from Internet or Cloud Service Providers
Model: managed service subscription model. Usually separate detection and mitigation.
Pros: easy sign up and deployment.
Cons: expensive, inflexible, costs can rise during an attack.

Firewall / IPS
Model: integrated device for FW/IPS and DDoS prevention.
Pros: single device, simplified architecture, fewer units to manage.
Cons: not designed to detect/block sophisticated DDoS attacks; typically requires an update license.

Dedicated Device
Model: inline detection, mitigation and reporting. Auto detection of a wide range of DDoS attacks.
Pros: cost effective, no unpredictable or hidden charges. Multi-layer, accurate, fast, scalable and easy to deploy.
Cons: additional network element.

17/119

What about botnets....

In its most basic form, a botnet is a group of computers that have been infected with malware that allows its controller (or master) to take some measure of control over the infected machine.

It is used by its master to perform a range of unsavory activities without the knowledge of the victim. Once infected with botnet malware, the computer becomes a mindless zombie ready to do the bidding of its master.

18/119

Cybercriminals use botnets to generate revenue in many different ways:

DDoS attacks
Spamming
Financial Fraud
Search Engine Optimization (SEO) poisoning
Pay-per-Click (PPC) fraud
Bitcoin mining
Corporate and Industrial Espionage

19/119

How could I be infected with a botnet?

Drive-by download: simply visiting a malicious site with a PC that hasn't been kept current with security patches and antivirus can download and execute malware on the user's PC, thus adding to that botnet's ranks.

Email: a more traditional yet still popular method of botnet infection is through a user opening email with malicious content, often sent by someone the user knows and trusts (whose system is likely infected with a botnet).

Pirated software: malware developers often hide malicious code inside a software download, which then installs itself on a victim's machine when the user opens the executable.

20/119

How to determine that an infection has occurred

System running slower than usual
Hard drive LED is flashing wildly even though it's in idle mode
Files and folders have suddenly disappeared or have been changed in some fashion
A friend or colleague has informed the user that they have received a spam email from their email account
A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet
A launch icon from a program downloaded from the Internet suddenly disappears
More error messages than usual are popping up
An online bank is suddenly asking for personal information it's never required before

21/119

Agenda

1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs

22/119

Anti DDoS appliances..

Carrier DDoS mitigation solutions
Useful for global networks, carriers and ISPs.
Based on IP flow-based and deep packet inspection technologies protecting the entire network.
Solutions too expensive for individual IDCs (Internet Data Centers), webhosts or web properties.
Solutions designed around early 2000; cannot mitigate the new generation of DDoS attacks which involve botnets that mimic legitimate clients.

23/119

Anti DDoS appliances

Custom logic (FPGA or ASIC) based Internet data center (IDC), web hosting and web property DDoS mitigation solutions
They work to protect one or several Internet links.
The behavioral solutions are implemented in custom hardware logic and provide line rate performance for large attacks.
These solutions are cost-effective and effective for IDCs, webhosts and web properties.

24/119

Anti DDoS appliances

Software based web property DDoS mitigation solutions
These solutions are useful for smaller web properties with very minimal traffic.
The behavioral solutions are implemented on off-the-shelf CPUs and have issues keeping up at large attack traffic volumes.
Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software and suffer from the same issues.

25/119

Hardening from a DDoS point of view in the enterprise

Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are not enough.

Upcoming techniques

SYN Proxy: a mechanism, usually implemented by intermediate appliances that sit before the actual server and proxy the responses. Until the spoofed or un-spoofed IPs respond with the ACK, the connection requests are not forwarded.

26/119

More techniques

Connection limiting: too many connections can cause a server to be overloaded. By limiting the number of new connection requests, you can temporarily give the server respite.

27/119

Just one more......

Aggressive Aging: some botnet attacks involve opening a legitimate connection and not doing anything at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging such idle connections, you can provide some relief to them.
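The three techniques on slides 25 to 27 (SYN proxy, connection limiting, aggressive aging) can be seen working together in the following toy connection guard. This is an added illustration written for this page, not FortiDDoS code or Fortinet's implementation; the packet tuples, timings and limits are constructed sample values, and the class and function names (GuardConfig, ConnGuard, run_scenario) are assumptions of the example.

```python
"""Toy in-path connection guard illustrating SYN proxy, connection limiting and
aggressive aging (added example; not FortiDDoS code). Packets are modelled as
(time, source IP, source port, flags, payload bytes); all values are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class GuardConfig:
    new_conn_per_sec: int = 3        # connection limiting: new connections forwarded per second
    syn_proxy_timeout: float = 3.0   # seconds a half-open (SYN seen, no ACK) entry is kept
    idle_timeout: float = 10.0       # aggressive aging: idle established entries are expired
    max_half_open: int = 100         # size of the proxy's own half-open table


@dataclass
class ConnGuard:
    cfg: GuardConfig = field(default_factory=GuardConfig)
    half_open: dict = field(default_factory=dict)      # (src, port) -> time the SYN arrived
    established: dict = field(default_factory=dict)    # (src, port) -> last data activity
    recent_new: deque = field(default_factory=deque)   # timestamps of connections forwarded
    forwarded_to_server: list = field(default_factory=list)
    dropped: list = field(default_factory=list)        # (reason, (src, port))

    def _expire(self, now):
        # SYN proxy: a SYN whose ACK never arrived (typically a spoofed source) is
        # discarded here; the protected server never learned about it.
        for key, t in list(self.half_open.items()):
            if now - t > self.cfg.syn_proxy_timeout:
                del self.half_open[key]
                self.dropped.append(("half-open-timeout", key))
        # Aggressive aging: idle established connections are expired early so that
        # they stop occupying the connection table.
        for key, t in list(self.established.items()):
            if now - t > self.cfg.idle_timeout:
                del self.established[key]
                self.dropped.append(("idle-aged", key))
        # Slide the one-second window used for connection limiting.
        while self.recent_new and now - self.recent_new[0] >= 1.0:
            self.recent_new.popleft()

    def packet(self, now, src, port, flags, payload=0):
        """Process one packet and return the guard's verdict for it."""
        self._expire(now)
        key = (src, port)
        if flags == "SYN":
            if len(self.half_open) >= self.cfg.max_half_open:
                self.dropped.append(("syn-table-full", key))
                return "drop"
            self.half_open[key] = now          # the guard answers with SYN/ACK itself
            return "syn-ack-from-proxy"
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]            # handshake completed: source is reachable
            if len(self.recent_new) >= self.cfg.new_conn_per_sec:
                self.dropped.append(("conn-limit", key))
                return "drop"
            self.recent_new.append(now)
            self.established[key] = now
            self.forwarded_to_server.append(key)   # only now does the server see it
            return "forwarded"
        if key in self.established:
            if payload > 0:
                self.established[key] = now    # real data keeps the connection young
            return "pass"
        self.dropped.append(("no-state", key))
        return "drop"


def run_scenario():
    """Constructed scenario: three spoofed SYNs that never complete, three real
    clients of which the third exceeds the per-second budget, one client idling."""
    g = ConnGuard(GuardConfig(new_conn_per_sec=2, syn_proxy_timeout=2.0, idle_timeout=5.0))
    for i in range(1, 4):                                   # spoofed sources, no ACK ever
        g.packet(0.0, f"10.0.0.{i}", 40000 + i, "SYN")
    g.packet(0.5, "198.51.100.7", 5000, "SYN")
    g.packet(0.6, "198.51.100.7", 5000, "ACK")
    g.packet(0.7, "198.51.100.8", 5001, "SYN")
    g.packet(0.8, "198.51.100.8", 5001, "ACK")
    g.packet(0.9, "198.51.100.9", 5002, "SYN")
    limited = g.packet(1.0, "198.51.100.9", 5002, "ACK")    # third new connection in one second
    g.packet(3.0, "198.51.100.7", 5000, "PSH", payload=100)  # spoofed half-open entries expire here
    g.packet(7.0, "198.51.100.7", 5000, "PSH", payload=100)  # .8 has been idle since t=0.8
    return g, limited


if __name__ == "__main__":
    guard, verdict = run_scenario()
    print("limited verdict:", verdict)
    print("forwarded:", guard.forwarded_to_server)
    print("dropped:", guard.dropped)
```

In the scenario the server only ever sees the two clients that completed the handshake; the spoofed SYNs are absorbed by the proxy's half-open table, the third client of the same second is held back by the connection limit, and the client that stops sending data is aged out before the real idle timeout of a server would fire.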

28/119

Attack Tools

Many and varied: configurable Perl scripts, executables, JavaScript; Windows, OSX, Android.
Distributed as: stress tester utilities, development toolkits, malware.
Used to create: individual attacks, voluntary hacktivist attacks, botnet driven attacks, booster scripts.

29/119

Most popular tool: LOIC (Low Orbit Ion Cannon)

Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.

30/119

Software packet generators

Nemesis, Hping, T50, Rude and Crude, Scapy, D-ITG, Pktgen, Packet Generator, Packet Excalibur, Packgen, and much more on this site: http://www.protocog.com/trgen.html

31/119

Type of testing attacks

Over the Internet, one can launch Layer 3, 4 or 7 attacks.
Examples of Layer 3 attacks are protocol floods such as ICMP floods, TCP floods, fragment floods.
Examples of Layer 4 floods are port floods (TCP or UDP).
Examples of Layer 7 floods are URL floods. In this attack, a single URL is continuously attacked from multiple sources.

32/119

Agenda

1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs

33/119

Finally! Let's talk about FortiDDoS!!

34/119

FortiDDoS Hands On! Value Proposition

Continuous and Adaptive Learning

35/119

Device information

Root access is not available for end-users and partners; SEs can get the password in specific use cases. The password is stored based on the serial number.
Limited CLI available through Console or SSH.
Default user account/password: fortiddos/rootpasswd

36/119

Behavioral Analysis and Rate Based System

No signatures!

Because FortiDDoS uses behavior and rate-based analysis, it provides a positive security model for protection against attacks the hackers haven't even thought up yet. No administrative intervention is required, and the Intrusion Gateway is on guard 24/7, automatically protecting your network systems and bandwidth.

37/119

Overall System Architecture FDD100A (diagram: management path, data paths, PCI bus)

38/119

Overall System Architecture FortiDDoS-300A (diagram: management path and data paths)

39/119

FortiDDoS-100A: 2U appliance, provides dual link protection

Specification
LAN: 2 x 1G (copper and optical)
WAN: 2 x 1G (copper and optical)
FortiASIC: 2 x FortiASIC-TP1
RAM: 4G
Storage: 1TB HDD
Management: 1 x RJ45 10/100/1000
Power: Single AC
Protection: 1Gbps full duplex

40/119

FortiDDoS-200A: 3U appliance, provides protection for up to 4 links

Specification
LAN: 4 x 1G (copper and optical)
WAN: 4 x 1G (copper and optical)
FortiASIC: 4 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 2Gbps full duplex

41/119

FortiDDoS-300A: 4U appliance, provides protection for up to 6 links

Specification
LAN: 6 x 1G (copper and optical)
WAN: 6 x 1G (copper and optical)
FortiASIC: 6 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 3Gbps full duplex

42/119

FortiDDoS = Continuous Protection, 24x7, 365 days

43/119

Deployment Scenarios

44/119

Traffic Bypass and FortiBridge

45/119

Virtual Partitions (VID) = multiple Protection Profiles

46/119

Deployment Scenarios (Contd.)

47/119

Internal vs. External Pairing

Network External Pairing
Requires that the external device is configured with a mirrored port.
Load for copying packets is handled by the external device.

Internal Pairing
No external configuration required.
Load for copying packets is handled by FortiDDoS.
Some bandwidth is taken out in order to copy packets: a 1.4 Gbps channel is the new limit; if traffic exceeds about 700 Mbps (full duplex) it will be dropped.

48/119

Setting up an Asymmetric Pair (diagram: Internet, Network)

49/119

Asymmetric Pair

50/119

Baseline Building

51/119

How Does It Work?

FortiASIC Traffic Processor (TP) rate parameters:

Packets/Source/Second
SYN Packets/Second
Connection Establishments/Second
SYN Packets/Source/Second
Connections/Second
Concurrent Connections/Source
Concurrent Connections/Destination
Packets/Port/Second
Fragmented packets/Second
Protocol packets/Second
Same URL/Second
Same User-Agent/Host/Referer/Cookie/Second
Same User-Agent, Host, Cookie, Referer/Second
Anti-Spoofing checks
Associated URLs heuristics

Too many hoops to cross before a set of malicious packets can go through.
Prevents rate, policy and state violations, stealth, slow and fast attacks.
Quick blocking (< 15s), unblocking and re-evaluation (every packet) to avoid false positives.
Can reset server connections upon overload.
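The per-source rate parameters and the "quick blocking, unblocking and re-evaluation" behaviour on this slide can be illustrated with a small rate-based source tracker run over sample flow records. This is an added example, not FortiDDoS code: the log format, the threshold values and the function names (per_second_counters, evaluate, make_records) are assumptions of the example, and the records are constructed.

```python
"""Rate-based source tracking over constructed flow records (added example; not
FortiDDoS code). Counters per source per second are compared against thresholds;
a source over threshold is blocked immediately and re-evaluated every second so
that it is unblocked as soon as it behaves again."""
import re
from collections import defaultdict

# Illustrative thresholds for the example, not the appliance's defaults.
THRESHOLDS = {"packets_per_src_per_sec": 5, "syn_per_src_per_sec": 3}

RECORD = re.compile(r"t=(?P<t>\d+(?:\.\d+)?) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) flags=(?P<flags>\w+)")


def parse_records(lines):
    """Yield (time, src, dport, flags) from lines in the constructed log format."""
    for line in lines:
        m = RECORD.search(line)
        if m:
            yield float(m["t"]), m["src"], int(m["dport"]), m["flags"]


def per_second_counters(lines):
    """{second: {src: {"packets": n, "syn": n}}} in arrival order."""
    table = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "syn": 0}))
    for t, src, _dport, flags in parse_records(lines):
        c = table[int(t)][src]
        c["packets"] += 1
        if flags == "SYN":
            c["syn"] += 1
    return table


def evaluate(lines, thresholds=THRESHOLDS):
    """Return (sources blocked at the end, chronological block/unblock log)."""
    blocked, log = set(), []
    table = per_second_counters(lines)
    for sec in sorted(table):
        for src, c in table[sec].items():
            over = (c["packets"] > thresholds["packets_per_src_per_sec"]
                    or c["syn"] > thresholds["syn_per_src_per_sec"])
            if over and src not in blocked:
                blocked.add(src)
                log.append((sec, "block", src))
            elif not over and src in blocked:
                blocked.discard(src)   # rate back under threshold: unblock, no lasting false positive
                log.append((sec, "unblock", src))
    return sorted(blocked), log


def make_records(t0, src, n_syn, n_ack):
    """Constructed records: n_syn SYNs then n_ack ACKs from src inside second t0."""
    out = [f"t={t0 + i * 0.05:.2f} src={src} dport=80 flags=SYN" for i in range(n_syn)]
    out += [f"t={t0 + 0.5 + i * 0.05:.2f} src={src} dport=80 flags=ACK" for i in range(n_ack)]
    return out


SAMPLE_LOG = (make_records(0.0, "203.0.113.5", 4, 2)     # burst: 6 packets, 4 SYN -> over both limits
              + make_records(0.0, "198.51.100.7", 1, 1)  # ordinary client
              + make_records(1.0, "203.0.113.5", 1, 1)   # same source calms down -> unblocked
              + make_records(2.0, "192.0.2.9", 4, 0))    # SYN-only source -> over the SYN limit


if __name__ == "__main__":
    still_blocked, events = evaluate(SAMPLE_LOG)
    for e in events:
        print(e)
    print("blocked at end:", still_blocked)
```

The block decision is taken within the same one-second bucket in which the threshold is crossed, and the unblock decision in the first bucket where the source is back under threshold; that is the property the slide describes as quick blocking with continuous re-evaluation, and it is what keeps a single burst from a legitimate source from becoming a permanent false positive.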

52/119

FortiASIC Traffic Processor (TP)

Virtualization: decision multiplexer. Inbound and outbound packets in; allowed packets out; dropped packets.
Outputs: SNMP Traps/MIBs, Syslog, Event Notifications.

Processing stages:
Network, Transport, Application Layer Rate Anomaly Prevention
Dark Address, Geo-location, IP Reputation
Network, Transport, Application Layer Access Control Lists
Anti-spoofing
Network, Transport, Application Layer Header Anomaly Prevention
State Anomaly Prevention
Application Layer Heuristics
Source Tracking

Control and Statistics:
Event/Traffic Statistics, Graphs
Threshold Wizard, Continuous Adaptive Threshold Estimation
Policy Configuration, Archive, Restore

No CPU in the path of the packets. No fast or slow path. No IP/MAC address in the path of the packets.

53/119

Agenda

1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs

54/119

LAB: FortiDDoS cookbook installation guide

The objective of this lab is to be like a cookbook: a first FortiDDoS installation.
We know not all partners have an ITF FortiDDoS, so we want to help in a possible first implementation or PoC.

Lab components:
1 x FortiDDoS 200, firmware version 3.2.1.108
1 x Ubuntu web server (target)
1 x BackTrack host (hacker)
1 x Windows (management host)

55/119

Lab Diagram (diagram labels: Web Server, 10.1.1.0/24, 200.1.1.0/24, .30, WAN 1, LAN 1)

56/119

Steps:

Required information before start!
IP Management workstation address: 192.168.1.xx/24 connected in the management port.

57/119

GUI - Password Recovery Procedure

Connect to Console and login using the default user (fortiddos) and its correct password (new password if changed from default).
fortiddos is the OS user; new admins are considered GUI users.
Issue CLI command: resetguipasswords

58/119

Connecting to the FortiDDoS GUI Management

Access DEFAULTS ONLY via dedicated Management Port
IP: 192.168.1.1 (Factory Default)
Access: HTTPS (443), (NO HTTP option)
Username: fddroot
Password: rootpasswd
https://192.168.1.1
59/119

Update the appliance with the last available version in the support FTP

60/119

Upgrading device......

Click on Manage -> Upgrade System
Search for the .img file downloaded from the support FTP

61/119

Execute a full factory reset in the appliance

Take care with time, this step could take up to 2.5 hours!! This step will not be required if it's a new box.
Manage -> Global -> Factory Defaults
Click on Manage -> Global -> Factory Reset
Select what you want to reset. Look at the warning notification!

62/119

Graphical User Interface (GUI)

Configure: all changes to security settings are there.
Manage: first time setup / IP addresses, time, users etc.
Show: all reports can be found here.
Manage: event information is found here, not used a lot.
Also shown: current logged user, S/N and license status, time period, select a VID.
Fewer options than in a FortiGate.

63/119

GUI - CONFIGURE

The Configuration menu is split in two sections: CURRENT VID and GLOBAL.
When configuring the VID section make sure to select the correct VID.
Each section is split up into the different protection features, allowing for granular application at Layer 3, 4 and 7.
Configure -> Current VID
Configure -> Global

64/119

System date

Manage -> Global -> Device Configuration -> System Date

65/119

Management IP Address

Manage -> Global -> Device Configuration -> IP Address

66/119

Creating roles: Administrator

Manage -> Configuration -> Roles

67/119

Creating roles: Operator

BEST PRACTICE: create operator users for each VID administrator

68/119

Creating roles: Super_user

69/119

Creating users

How it looks to create a user

70/119

Checking physical ports!

In case the FortiDDoS is a 200 or 300, we must set fiber or copper. By default it's copper.
Important: WAN1 and LAN1 must be the same type (both on fiber or copper); it is not possible to protect the same link with two types in the FortiDDoS.
Configure -> Interface Settings
Always the same type of interface in the same pair.

71/119

Management Path Failure

72/119

Emergency Bypass

73/119

Important to know!!!

Block dark addresses by default.
But what does dark addresses mean? All unreachable network hosts on the Internet.
Configure -> Current VID -> Dark Address
1 means enable, 0 means disable.

74/119

Check the operation mode.

It must be in detection mode the first time (unchecked on all VIDs).
Set up the configuration mode in learning mode for at least 2 days; an ideal period could be 15 days with normal traffic (the longer the better!!).
Keep monitoring during this period!
Clicking in the checkbox automatically enables the prevention mode.

75/119

My Lists

The My Lists feature helps users to define a list of the most common ports (TCP / UDP) or protocols.
Default sets are available.
Setting the My Lists based on immediate past traffic is the easiest way to begin. FortiDDoS provides you with an easy wizard.
Configure > Current VID > My Lists > Auto Configure

76/119

Configuring Virtual Identifiers (Protection Profiles)

Enable this option: depending on the threshold, the FortiDDoS could change the VID.
Defining the subnet per VID.

77/119

Starting the wizard! Baseline report

You need to have a traffic report in place to start the wizard.
Show > Current VID > Reports > Traffic Statistics
The configured lists are utilized in two places in the user interface: while configuring thresholds, and while showing traffic graphs.
Max of 512 objects per list.
Show -> Current VID -> Reports -> Traffic History
After the baseline report (evaluation time) the FortiDDoS has parameters to autoconfigure the thresholds.

78/119

Adaptive Learning and My Lists

While FortiDDoS continuously collects traffic statistics for each and every TCP and UDP port and ICMP type/code, it also limits the number of ports for the adaptive threshold estimations to 512 each (per VID).
The 512-port limit for the periodic estimated thresholds that the FortiDDoS device computes is restricted to the TCP/UDP ports listed within the My Lists.
Minimum thresholds for TCP/UDP ports not listed in the My Lists are not adjusted by the Adaptive Learning Engine.

79/119

Blocking by suspicious countries!

Blocking by geo-location
Configure -> Global -> Access Control List -> Layer 3 -> Geo-Location

80/119

Deny/Allow sources

If we know a suspicious IP address, it could be a best practice to block it from the beginning.
Configure -> Access Control List -> Layer 3 -> Deny/Allow Sources
If you have IPs blocked in the firewall because of strange behavior in the past, you could put them here!

81/119

IP Reputation

It is possible to enable a web reputation service based on the FortiGuard lists.
Configure -> GLOBAL -> Access Control List -> Layer 3 -> IP Reputation
This service is optional and needs to be licensed separately. SKU: FC-10-01H00-140-02-DD
Enable IP reputation for all VIDs.

82/119

Proxy IPs

Configure -> Access Control List -> Proxy ID
Allows detection of proxy servers and prevents access altogether by blocking that source.

83/119

IPv6 Inspection

Configure -> Global -> Operating Mode
IPv6 ready! Enables dual stack.

84/119

Best practices!: Advanced Options.

Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 4 -> TCP State Machine

Session feature controls:
Foreign Packet Validation: prevents spoofed packets.
Aggressive Aging Feature Control:
Slow data transfer TCP: helps to prevent Slowloris and similar attacks.
Age old TCP Connections Inbound: the FortiDDoS will age out the idle connections, protecting memory resources of the internal target.

85/119

Best Practices: Advanced Options (2)

Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 7 -> Sequential Access

Sequential Access: relates to the feature which ensures that no single IP address retrieves the same URL back to back without accessing any other URLs. This is a normal scripted access behavior and shows anomalous behavior. It helps identifying bots.
URLs Per Source: relates to the feature which ensures that no single IP address retrieves more URLs per observation period than defined under the HTTP Advanced menu.
Mandatory HTTP Headers: relates to the feature which ensures that certain HTTP headers are always present in a GET access to the URL. These headers are further defined in the HTTP Advanced menu.
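The three Layer 7 checks on this slide (Sequential Access, URLs Per Source, Mandatory HTTP Headers) are easy to misread until they are run over actual requests, so here they are applied to a constructed request log. This is an added example, not FortiDDoS code: the limits, the mandatory header list and the function name layer7_violations are assumptions of the example (the appliance keeps its own settings under the HTTP Advanced menu), and the requests are constructed.

```python
"""Layer 7 heuristics over a constructed request log (added example; not FortiDDoS
code): sequential access (same URL back to back from one IP without any other URL
in between), URLs per source per observation period, and mandatory HTTP headers on
GET requests. Limits and header names are assumptions for this example."""
from collections import defaultdict

MANDATORY_GET_HEADERS = ("Host", "User-Agent")  # assumed policy (the appliance lists its own under HTTP Advanced)
MAX_URLS_PER_SOURCE = 5          # assumed per-observation-period limit
SAME_URL_REPEATS = 2             # a streak of 2 repeats = the same URL three times in a row


def layer7_violations(requests):
    """requests: iterable of (src, method, url, headers) for one observation period.
    Returns {src: sorted list of violation tags}; sources without findings are absent."""
    findings = defaultdict(set)
    last_url, streak, urls_seen = {}, defaultdict(int), defaultdict(set)
    for src, method, url, headers in requests:
        if method == "GET":
            missing = [h for h in MANDATORY_GET_HEADERS if h not in headers]
            if missing:
                findings[src].add("mandatory-header-missing:" + ",".join(missing))
        if last_url.get(src) == url:
            streak[src] += 1
            if streak[src] >= SAME_URL_REPEATS:
                findings[src].add("sequential-access:" + url)
        else:
            streak[src] = 0         # any other URL in between resets the streak
        last_url[src] = url
        urls_seen[src].add(url)
        if len(urls_seen[src]) > MAX_URLS_PER_SOURCE:
            findings[src].add("urls-per-source")
    return {src: sorted(tags) for src, tags in findings.items()}


_BROWSER_HEADERS = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}

# Constructed sample: a browser alternating between two resources, a script hitting
# the login page repeatedly without a Host header, and a crawler touching many URLs.
SAMPLE_REQUESTS = (
    [("198.51.100.7", "GET", url, _BROWSER_HEADERS) for url in ("/", "/style.css", "/", "/style.css")]
    + [("203.0.113.5", "GET", "/login", {"User-Agent": "curl/8.0"})] * 3
    + [("192.0.2.9", "GET", f"/product/{i}", _BROWSER_HEADERS) for i in range(6)]
)


if __name__ == "__main__":
    for src, tags in layer7_violations(SAMPLE_REQUESTS).items():
        print(src, tags)
```

The browser that alternates between "/" and "/style.css" is never flagged, because each repeat of "/" has another URL in between; that is the distinction the slide draws between ordinary browsing and back-to-back scripted retrieval of one URL.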

86/119

Enabling prevention mode - blocking!

Once the learning period is over and you are satisfied with the threshold settings, set the system to Prevention mode.
From the main menu, select Configure > Global > Operating Mode.

87/119

One click adjustment

FortiDDoS has 4 possible options to adjust and configure all the parameters:
Factory defaults
Adjust minimum
Easy setup
System recommended
Let's understand the 4 options!

88/119

One click adjustment

Configure -> CURRENT VID -> Blocking Threshold -> Layer 7 -> One Click Adjustment

Factory defaults: this option allows you to set the thresholds in a VID to factory defaults, which is the line rate value.
Adjust Minimum thresholds: you can adjust the minimum thresholds up or down by a certain percentage.
Easy Setup: this option is useful when the appliance has to be deployed in an unknown environment without much time left for training the appliance.
System Recommended Thresholds: this is the most common and recommended way to set the appliance threshold. The system recommended values are based on the Traffic Statistics Report generated as part of the base-lining process.
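The one-click options on this slide and the My Lists rule from slides 77 and 78 (only listed ports, at most 512 per list, get an estimated threshold; unlisted ports are never adjusted) fit together in a short model of threshold estimation from a baseline report. This is an added example, not FortiDDoS code: the appliance's actual estimation formula is not on the page, so "peak observed rate plus 25 percent headroom" is an assumption, as are the line-rate constant, the constructed baseline numbers and the function names (build_my_list, system_recommended, adjust_minimum, factory_defaults, effective_threshold). Easy Setup is not modelled because the slides say nothing about how it computes its values.

```python
"""Threshold estimation from a baseline traffic report (added example; not FortiDDoS
code). Only ports in My Lists (at most 512 objects) get an estimated threshold;
every other port keeps the factory (line-rate) value. The line-rate constant and
the 25 percent headroom are assumptions for this example."""

MAX_LIST_OBJECTS = 512
# Assumption: factory default = 1 Gbps line rate expressed in 64-byte packets/second.
LINE_RATE_PPS = 1_000_000_000 // ((64 + 20) * 8)   # 1_488_095


def build_my_list(ports):
    """Validate a My Lists port set against the 512-object limit."""
    ports = sorted(set(ports))
    if len(ports) > MAX_LIST_OBJECTS:
        raise ValueError(f"My Lists holds at most {MAX_LIST_OBJECTS} objects, got {len(ports)}")
    return ports


def factory_defaults(my_list):
    """One-click 'Factory defaults': every listed port back to the line-rate value."""
    return {port: LINE_RATE_PPS for port in my_list}


def system_recommended(baseline, my_list, headroom=0.25):
    """One-click 'System recommended': peak observed pps per listed port plus headroom.
    baseline: {port: [pps samples from the traffic statistics report]}."""
    out = {}
    for port in my_list:
        samples = baseline.get(port)
        # A listed port with no traffic during learning has nothing to estimate from.
        out[port] = LINE_RATE_PPS if not samples else int(max(samples) * (1 + headroom))
    return out


def adjust_minimum(thresholds, percent):
    """One-click 'Adjust minimum': move every threshold up (or down) by a percentage."""
    return {port: int(v * (1 + percent / 100)) for port, v in thresholds.items()}


def effective_threshold(port, thresholds):
    """Ports outside My Lists are never adjusted by the learning engine."""
    return thresholds.get(port, LINE_RATE_PPS)


# Constructed baseline: peak packets/second per port over three learning intervals.
BASELINE = {80: [1200, 3400, 2800], 443: [900, 1500, 1100], 22: [10, 12, 9], 8080: []}
MY_LIST = build_my_list([80, 443, 8080])

if __name__ == "__main__":
    rec = system_recommended(BASELINE, MY_LIST)
    print("recommended:", rec)
    print("after +10%:", adjust_minimum(rec, 10))
    print("port 22 (not listed):", effective_threshold(22, rec))
```

Port 22 carries traffic in the baseline but is not in My Lists, so it stays at the line-rate value whatever the report says; port 8080 is listed but saw no traffic, so there is nothing to estimate and it also stays at line rate. Both cases are worth checking after running the wizard, because a port left at line rate is effectively unprotected by the rate thresholds.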

    One click adjustment

  • 7/22/2019 Ftnt Minixte13 -At Fortiddos

    89/119

    Mitigating attacks in

    just one click

    Prevention/Detection Mode


    Passive Detection and Active Prevention


    Operating Mode


    Deploy the unit.


Best practice: keep running in Detection mode while monitoring the thresholds.

If the system selects legitimate packets to drop, raise the thresholds or check the ACLs and feature controls. If the system reports passing packets that should have been dropped, lower the thresholds or check the ACLs and feature controls.

That's it with the configuration!


Now let FortiDDoS keep learning while we look at more Fortinet best practices!

    Baseline Monitor Period


Learning should be done on typical traffic for at least one week (7 days).

Note: FortiDDoS never stops learning traffic patterns; it continuously adjusts the traffic profiles using an Adaptive Learning Engine. The initial learning period should be attack-free and long enough to be representative of normal network activity, covering both high- and low-activity periods. Seven days will often provide a reasonable profile of normal traffic.

Adaptive Threshold Estimation: Set it and Forget It


[Chart: Port 80 traffic in Mbps, monthly from Jan-03 to Jul-11, 0-600 Mbps. Plotted series: Traffic Observation, Forecast, Threshold. Threshold lines marked: Fixed Minimum Threshold, Adaptive Threshold, Uppermost Threshold, Fixed Threshold. Annotations: "Typical Attack"; "Not an attack, due to a gradual increase in traffic due to a trend!!"; "24x7x365 days". Slide footer: IntruGuard Devices confidential and proprietary.]

    Adaptive Thresholds


Adaptive Thresholds fine-tune (automatically adjust) the configured minimum thresholds over time by predicting traffic flows from current and past statistics.

The Adaptive Threshold Limit restricts the threshold adjustments to a set maximum percentage (default 150%) above the configured minimum threshold value, so a slow upward drift of "normal" can never raise the threshold without bound.

    Where should the Threshold be to detect floods?


[Chart: Port 80 traffic in Mbps, monthly from Apr-01 to Aug-13, 0-450 Mbps, with three candidate threshold positions annotated "Here", "Here", "Or Here?".]

    Flood Threshold Detection Needs


Determine a trend over time. E.g. a gradual increase in web traffic over a two-month period due to an increase in subscribers.

Determine a seasonal trend or cycle. E.g. web traffic increases in the morning hours, peaks in the afternoon and declines late at night.

Determine seasonal variability. E.g. web traffic fluctuates more during peak hours but hardly varies at all during the night.

Determine aberrant behaviour. E.g. web traffic deviates too far from its normal and forecast level.

    Types of Forecasting Models


Types and methods of forecasting:

Qualitative: naive methods (eye-balling the numbers), based on experience and judgment.

Quantitative: based on data and statistics. Formal methods systematically reduce forecasting errors: time-series models (e.g. exponential smoothing) and causal models (e.g. regression).

Focus here on time-series models.

Assumptions of time-series models: there is information about the past, and the pattern of the past will continue into the future.

[Chart: the same Port 80 traffic in Mbps series, monthly from Apr-01 to Aug-13, 0-450 Mbps.]

    Complicating Factors with Simple Smoothing


Simple exponential smoothing on its own does not allow you to predict the future accurately:

It must be adapted for data series which exhibit a definite trend.

It must be further adapted for data series which exhibit seasonal patterns.
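The adaptive-threshold idea from the Adaptive Thresholds slide, together with the trend and seasonal adaptations this slide calls for, as an added worked example in Python (illustrative code, not FortiDDoS's engine). It fits an additive Holt-Winters model (level, trend, seasonal) to constructed hourly port-80 traffic, forecasts the next sample, and derives a threshold as forecast times a margin, floored at the configured minimum threshold and capped at 150% of it (the Adaptive Threshold Limit, read here as 1.5 x the minimum). The traffic series, the 1.5 margin, the smoothing constants, the 10% headroom used for the fixed threshold and the 900 Mbps flood sample are all assumptions made for the demo.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HoltWinters:
    """Additive Holt-Winters smoother: level + trend + seasonal component.

    Simple exponential smoothing alone lags a trend and ignores seasonality;
    the trend and seasonal terms are the two adaptations the slide asks for.
    """
    season_len: int          # samples per season (24 for hourly data with a daily cycle)
    alpha: float = 0.3       # level smoothing (assumed constant)
    beta: float = 0.05       # trend smoothing (assumed constant)
    gamma: float = 0.2       # seasonal smoothing (assumed constant)
    level: float = 0.0
    trend: float = 0.0
    seasonal: List[float] = field(default_factory=list)
    n: int = 0               # samples consumed so far

    def fit(self, history: List[float]) -> "HoltWinters":
        """Initialise from the first two seasons, then smooth through all history."""
        m = self.season_len
        if len(history) < 2 * m:
            raise ValueError("need at least two full seasons of history")
        s1, s2 = history[:m], history[m:2 * m]
        mean1, mean2 = sum(s1) / m, sum(s2) / m
        self.level = mean1
        self.trend = (mean2 - mean1) / m                     # per-sample slope
        self.seasonal = [((s1[i] - mean1) + (s2[i] - mean2)) / 2 for i in range(m)]
        self.n = 0
        for y in history:
            self.update(y)
        return self

    def update(self, y: float) -> None:
        idx = self.n % self.season_len
        s_old, l_old = self.seasonal[idx], self.level
        self.level = self.alpha * (y - s_old) + (1 - self.alpha) * (l_old + self.trend)
        self.trend = self.beta * (self.level - l_old) + (1 - self.beta) * self.trend
        self.seasonal[idx] = self.gamma * (y - self.level) + (1 - self.gamma) * s_old
        self.n += 1

    def forecast(self, h: int = 1) -> float:
        """Forecast h samples ahead of the last consumed sample."""
        return self.level + h * self.trend + self.seasonal[(self.n + h - 1) % self.season_len]


def adaptive_threshold(forecast_mbps: float, min_threshold: float,
                       margin: float = 1.5, limit: float = 1.5) -> float:
    """forecast * margin, never below the configured minimum threshold and never
    above min_threshold * limit (the Adaptive Threshold Limit, default 150%)."""
    return min(max(min_threshold, forecast_mbps * margin), min_threshold * limit)


def synthetic_port80_mbps(days: int, growth_per_day: float = 4.0) -> List[float]:
    """Constructed hourly Mbps samples: a diurnal cycle (trough 02:00, peak 14:00),
    slow subscriber growth, and small deterministic jitter. Not real traffic."""
    out = []
    for i in range(days * 24):
        diurnal = 100 + 80 * (1 - math.cos(2 * math.pi * ((i % 24) - 2) / 24)) / 2
        jitter = (i * 37) % 11 - 5
        out.append(diurnal + growth_per_day * (i / 24) + jitter)
    return out


def run_demo() -> Dict[str, object]:
    """Compare a fixed threshold with an adaptive one on the day-29 afternoon peak."""
    series = synthetic_port80_mbps(days=30)
    cut = 28 * 24 + 14                            # 14:00 on day 29 (0-based day 28)
    history, observed_trend = series[:cut], series[cut]
    model = HoltWinters(season_len=24).fit(history)
    fc = model.forecast(1)
    min_threshold = 1.1 * max(series[:7 * 24])    # fixed: week-one peak + 10% headroom
    thr = adaptive_threshold(fc, min_threshold)
    flood_sample = 900.0                          # constructed flood, several times normal
    return {
        "min_threshold": round(min_threshold, 1),
        "forecast": round(fc, 1),
        "adaptive_threshold": round(thr, 1),
        "trend_sample": round(observed_trend, 1),
        "fixed_fires_on_trend": observed_trend > min_threshold,   # a false positive
        "adaptive_fires_on_trend": observed_trend > thr,
        "adaptive_fires_on_flood": flood_sample > thr,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>24}: {v}")
```

After four weeks of 4 Mbps/day growth the afternoon peak sits above the fixed week-one threshold (the "not an attack" case on the chart), while the adaptive threshold has followed the forecast up to its 150% cap and stays above the peak; the 900 Mbps flood is still far above the cap and is flagged. The cap is the safety valve: without it a slow ramp, attacker-driven or not, could carry the threshold away with it.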

    SYN FLOOD PREVENTION - 1


SYN flood thresholds are bi-directional and apply per VID as well as per destination (corresponding to the most active destination). You can control these individually.

FortiDDoS stores non-spoofed IP addresses that have completed a three-way handshake successfully in a large table called the Legitimate IP (LIP) address table. Entries retire every 5 minutes, so the table holds the IP addresses that have recently connected successfully. In a SYN flood situation, i.e. when the SYN flood threshold is crossed, the LIP table is used to validate new connections: if a new connection request comes from an address in the table it is allowed; otherwise it is denied. A spoofed source can never complete the handshake, so it never earns a LIP entry.

    Foreign Packet Validation


When enabled, the TCP state machine ensures that foreign TCP packets, i.e. packets without an existing TCP connection entry, are dropped. This is disabled by default to prevent issues when the box is first deployed: wait for an hour after deployment before enabling it, so the connection table has been populated.

Some reasons you will see high foreign-packet counts:

Detection mode: the box thinks it dropped packets and therefore removed the session, so the following legitimate packets look foreign.

Timeout differences between the servers and the FortiDDoS (IG) appliance: the TCP timeout on the DDoS appliance is mostly lower than the one configured on the servers. Most of the time the dropped packets are just resets, so they can be ignored.

HTTP browser behaviour: people surfing from one site to another do not close the session to the server (only after closing the browser).

Because the number is high, source IP information is not stored for these drops!
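A stateful model of the SYN-flood/LIP behaviour from the previous slide and of the foreign-packet validation described here, as an added Python example (not FortiDDoS code). Sources that complete a three-way handshake go into a LIP table whose entries retire after 5 minutes; once the SYN rate crosses the threshold, new SYNs are admitted only from LIP entries; with foreign-packet validation on, non-SYN segments that match no tracked connection are dropped. The one-second SYN observation window, the threshold of 5 SYN/s, the class and function names, the client and spoofed addresses and the timings are constructed for the demo; 200.1.1.2 is the lab target reused from the hping3 commands later in the deck.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

LIP_TTL = 300.0     # seconds; the slides say LIP entries retire every 5 minutes
SYN_WINDOW = 1.0    # seconds; SYN-rate observation window (assumed for this model)

Conn = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "FA"


class SynFloodGuard:
    def __init__(self, syn_threshold: int, foreign_validation: bool = False) -> None:
        self.syn_threshold = syn_threshold          # SYNs per SYN_WINDOW before flood mode
        self.foreign_validation = foreign_validation
        self.lip: Dict[str, float] = {}             # source ip -> time of last completed handshake
        self.conns: Dict[Conn, str] = {}            # tracked connections -> state
        self.syn_times: Deque[float] = deque()
        self.drops: Dict[str, int] = {}

    def _expire_lip(self, now: float) -> None:
        for ip in [ip for ip, t in self.lip.items() if now - t > LIP_TTL]:
            del self.lip[ip]

    def _syn_rate(self, now: float) -> int:
        while self.syn_times and now - self.syn_times[0] > SYN_WINDOW:
            self.syn_times.popleft()
        return len(self.syn_times)

    def _lookup(self, seg: Segment) -> Tuple[Optional[Conn], bool]:
        """Return (connection key, from_client) for a tracked connection, else (None, False)."""
        fwd: Conn = (seg.src, seg.sport, seg.dst, seg.dport)
        if fwd in self.conns:
            return fwd, True
        rev: Conn = (seg.dst, seg.dport, seg.src, seg.sport)
        if rev in self.conns:
            return rev, False
        return None, False

    def _drop(self, reason: str) -> str:
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return "drop:" + reason

    def handle(self, seg: Segment) -> str:
        """Return 'pass' or 'drop:<reason>' for one TCP segment."""
        self._expire_lip(seg.ts)
        if seg.flags == "S":
            self.syn_times.append(seg.ts)
            flooding = self._syn_rate(seg.ts) > self.syn_threshold
            if flooding and seg.src not in self.lip:          # LIP validation under flood
                return self._drop("syn_flood_not_in_lip")
            self.conns[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
            return "pass"

        key, from_client = self._lookup(seg)
        if key is None:                                        # no connection entry: 'foreign'
            return self._drop("foreign_packet") if self.foreign_validation else "pass"

        state = self.conns[key]
        if seg.flags == "SA" and not from_client and state == "SYN_SENT":
            self.conns[key] = "SYN_RECEIVED"
        elif from_client and state == "SYN_RECEIVED" and "A" in seg.flags:
            self.conns[key] = "ESTABLISHED"
            self.lip[seg.src] = seg.ts          # handshake completed: source is non-spoofed
        if "R" in seg.flags or "F" in seg.flags:   # simplified teardown on first RST/FIN
            del self.conns[key]
        return "pass"


SERVER = ("200.1.1.2", 80)   # the lab target used with hping3 in this deck


def run_demo() -> Dict[str, object]:
    g = SynFloodGuard(syn_threshold=5, foreign_validation=True)
    client = "10.0.0.1"
    # 1. A real client completes a handshake and lands in the LIP table.
    g.handle(Segment(0.0, client, 40000, *SERVER, "S"))
    g.handle(Segment(0.1, SERVER[0], SERVER[1], client, 40000, "SA"))
    g.handle(Segment(0.2, client, 40000, *SERVER, "A"))
    in_lip_after_handshake = client in g.lip
    # 2. Constructed SYN flood: 50 SYNs from spoofed sources within one second.
    flood = [g.handle(Segment(100.0 + i * 0.01, f"198.51.100.{i}", 1024 + i, *SERVER, "S"))
             for i in range(50)]
    # 3. The known-good client opens a new connection while the flood is on.
    lip_client_during_flood = g.handle(Segment(100.5, client, 40001, *SERVER, "S"))
    # 4. A stray ACK that matches no tracked connection.
    foreign_ack = g.handle(Segment(100.6, "203.0.113.9", 5555, *SERVER, "A"))
    # 5. 400 s later the LIP entry has retired; under a new flood the client is no longer exempt.
    for i in range(50):
        g.handle(Segment(500.0 + i * 0.01, f"198.51.100.{i}", 2048 + i, *SERVER, "S"))
    lip_client_after_expiry = g.handle(Segment(500.5, client, 40002, *SERVER, "S"))
    return {
        "in_lip_after_handshake": in_lip_after_handshake,
        "flood_passed": flood.count("pass"),
        "flood_dropped": flood.count("drop:syn_flood_not_in_lip"),
        "lip_client_during_flood": lip_client_during_flood,
        "foreign_ack": foreign_ack,
        "lip_client_after_expiry": lip_client_after_expiry,
        "drop_counters": dict(g.drops),
    }


if __name__ == "__main__":
    print(run_demo())
```

The first five SYNs of each burst pass because the rate has not yet crossed the threshold; everything after that is validated against the LIP table, which is why the client that handshook at t=0.2 s gets through the first flood but not the one 400 s later. The foreign ACK is the kind of packet that inflates the counter on this slide when validation is switched on too early.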

    Analyzing Attacks


The first indication that an attack has been detected will be the event monitor. If email event notifications are enabled, you can receive a summary of events on your PC, workstation, PDA or even your cell phone. The event notice summarizes the type of attack and the number of dropped packets, giving an indication of the attack size/scope.

Attacks lasting 5 minutes or more will be represented as spikes in the graphical reports within the GUI.

Examples:

Show > Aggregate Drops lists packets dropped at each layer, allowing you to refine your search to Layer 3, Layer 4 or Layer 7.

Show > Reports > All lists a dashboard-like summary of all top attack types.

    Aggregate Drop Traffic


This graph shows the aggregate dropped traffic and gives you visibility into the excess traffic that is getting filtered by the appliance. Packets are dropped for multiple reasons, shown in different colours; these are drilled down further in the graphs on the following pages.

Summary over 1 month (packets dropped per 3 hours):

Legend type   Maximum      Minimum  Average     Total packets dropped
Layer 2       0            0        0           0
Layer 3       71,796,072   0        21,262,421  5,273,080,458
Layer 4       375,005,802  300      5,899,631   1,463,108,503
Layer 7       303          0        1           304

    Packets Dropped at Layer 3


This graph shows the dropped traffic due to certain Layer 3 reasons, which are listed in the table below.

Summary over 1 month (packets dropped per 3 hours):

Legend type              Maximum     Minimum  Average     Total packets dropped
Protocols                8,225,652   0        637,875     158,193,111
TOS                      0           0        0           0
IPv4 Options             0           0        0           0
Fragmented Packets       1,157       0        7           1,873
L3 Anomalies             11,870,534  0        79,834      19,798,847
Source Flood             57,013,194  0        20,532,304  5,092,011,434
Misc. Source Flood       289,674     0        1,168       289,675
Destination Flood        2,441,260   0        11,231      2,785,518
Misc. Destination Flood  0           0        0           0
Dark Address Scan        0           0        0           0
Network Scan             0           0        0           0

    Packets Dropped at Layer 4


Summary over 1 month (packets dropped per 3 hours):

Legend type                                      Maximum      Minimum  Average    Total packets dropped
TCP Options                                      0            0        0          0
SYN Packets                                      278,119,806  0        5,034,862  1,248,645,939
L4 Anomalies                                     12,549,983   300      54,866     13,606,809
TCP Ports                                        7,194,921    0        165,534    41,052,592
UDP Ports                                        27,297       0        908        225,429
ICMP Types/Codes                                 0            0        0          0
Port Scan                                        0            0        0          0
Misc. Drops for Port Scan                        0            0        0          0
Packets Per Connection                           0            0        0          0
Misc. Connection Flood                           71,585       0        6,992      1,734,081
Zombie Flood                                     13,368,886   0        93,770     23,254,968
SYN Packets Per Source                           36,527,319   0        234,548    58,168,070
Excessive Concurrent Connections Per Source      109          0        0          110
Excessive Concurrent Connections Per Destination 0            0        0          0
TCP Packets Per Destination                      0            0        0          0

This graph shows the dropped traffic due to certain Layer 4 reasons, which are listed in the table above. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped because a few specific IPs were sending too many SYN packets per second.

    Packets Dropped at Layer 7


Summary over 1 month (packets dropped per 3 hours):

Legend type     Maximum  Minimum  Average  Total packets dropped
Opcode Flood    303      0        1        304
HTTP Anomalies  0        0        0        0
URL Flood       0        0        0        0

This graph shows the dropped traffic due to certain Layer 7 reasons, which are listed in the table above. The appliance monitors HTTP opcodes, URLs and anomalies and can pinpoint excesses in any one of these dimensions.

Top Attacks and Top Attacker Reports


FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month and 1 year. (The IPs shown in the screenshot are obfuscated.)

    Overall View Over a Month


These two graphs depict the daily traffic over a month in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (negative) is inbound traffic. You can see two peaks which correspond to two large inbound attacks.

The purpose of the appliance is to maintain the normal traffic and only pass what is legitimate. That is what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What is being allowed is the blue area.

    View of another link


This graph shows the second link on the same device. This link has larger and continuous attacks over the month. As you can see, the appliance maintains the normal behaviour and drops the excessive packets.

The maroon line shows what is incoming, and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioural analysis. The white envelope is the attack that is getting dropped.

    Count of Unique Sources


This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

    Number of Established TCP Connections


This graph shows the number of established TCP connections. Since there is no obvious peak here, while the previous graph of the count of unique sources had a large peak, the attackers were primarily spoofed IPs: they sent SYNs but never completed a handshake.

    Application Targeted DDoS


This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a threshold based on past behaviour.

Let's play!


Hping commands!

UDP flood (bandwidth), 1400-byte payload to port 80:

    hping3 --flood --udp -p 80 -d 1400 200.1.1.2

SYN flood (TCP 80):

    hping3 --flood -S -p 80 200.1.1.2

More commands (quiet, numeric output, SYN with a 64-byte window, randomised source addresses; --flood may be replaced by --fast or --faster for a paced rate; target is the same lab host):

    hping3 -q -n -S -w 64 -p 80 --flood --rand-source 200.1.1.2

Note that --rand-source spoofs the source address, so the replies never return to the attacking host and the flood behaves exactly like the spoofed-source attacks in the earlier graphs.

Useful link! http://wiki.hping.org/94

Sending the attack

    Another attack


    THANKS!!!!!