PLNOG15: DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali (Head – Security & Network Engineering, Tata Communications, [email protected])

Posted 20-Feb-2017

TRANSCRIPT

Page 1: PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali

DDOS Attacks & Collateral Damage

Can we avoid it ?

Asraf Ali

Head – Security & Network Engineering

[email protected]

Tata Communications

Page 2: Agenda

○ DDOS attacks – What? How? Who?
○ The Impact – Direct & indirect victims
○ The Collateral Damage Problem
○ Global Industry Best Practices
○ How can Tata Communications help?
○ Q & A

Page 3: DDOS Attacks – What? How?

Attempt to consume FINITE resources, exploit WEAKNESS in design, lack of Infra CAPACITY.

Affects service AVAILABILITY, thereby denying service to legitimate user traffic.

Sourced from BOTNETs but triggered by C&C Servers and almost always DISTRIBUTED for significant effect.

Broadly classified as:
• TCP State Exhaustion attacks – TCP SYN Floods
• Volumetric attacks – UDP packet floods on well known ports
• Reflective Amplification attacks – Based on DNS, NTP, SSDP…
• Application layer attacks – HTTP, SIP etc. caused by LOIC, HOIC tools

Page 4: DDOS Attacks – Classified

• TCP State exhaustion attacks
− Exploits stateful behavior of TCP protocol
− Exhausts resources in servers, reverse proxies, firewalls
− System runs out of memory/sockets
− SYN, FIN, RST Floods

• Volumetric attacks
− Exploits stateless behavior of UDP protocol
− UDP based floods from spoofed IPs generate heavy bps/pps traffic volume
− Takes out Infra capacity – routers, switches, servers

[Diagram: Client sends SYN, Server answers SYN/ACK; repeated endlessly until the resources exhaust...]

Page 5: DDOS Attacks – Classified (continued)

• Reflective Amplification attacks
− Exploits amplification behavior of NTP, DNS, SSDP, SNMP protocols
− Reflection and Amplification makes it easy to execute
− Impacts more than just the target
− DNS, NTP, SSDP are commonly used

• Application layer attacks
− Low and Slow in nature, targets application instances and NOT Infra
− Exploits scale and functionality of specific applications
− HTTP GET/POST floods...
− LOIC, HOIC, Slowloris, etc. easily available attack tools

[Diagram: Botnet sends REQ (spoofed) to open DNS/NTP/SNMP/SSDP services; RES (amplified) is reflected onto the target victim]

Page 6: DDOS Attacks – The Impact

• InfoSec systems are built with a goal of maintaining Confidentiality, Integrity and Availability (CIA).
• Confidentiality and Integrity are mostly addressed using Encryption in data security solutions.
• Availability is typically associated with eliminating points of failure in the design.
• DDoS attacks are targeted and directly affect ‘Availability’.

[Diagram labels: Service Availability, Business Continuity]

Maintaining availability in the face of an attack proves the success of an Infosec program.

An industry survey shows most organizations:
• Do not have DDOS mitigation plans
• Never stress-test their service stack to find shortcomings

Page 7: Evolution of DDOS attacks

Source: Arbor Networks WISR

• DDoS attacks have evolved over two decades now
• Peak attacks have grown 400% over the last couple of years
• All of those largest observed attacks were caused by Reflective Amplification

Page 8: Reflective Amplification attacks – A Closer look

• Due to its high magnitude (scaling up to 300+ Gbps), affecting millions of users, these attacks were reported often in the press.
• Requires ability to spoof the IP address of the target host/network
• Most Volumetric attacks generate high throughput (pps) but for Reflective amplification attacks bandwidth (bps) is the key to fill the pipes in transit, saturating network operator infra.
• Two main characteristics:
− Reflection – Spoofed requests (with actual attack target) from a botnet of hosts sent towards open abusable services in the Internet; an amplified response is reflected back on the attack target.
− Amplification – A relatively small request that generates a significantly large response.

Page 9: DDOS Attacks – Victims

Direct Victims:
1. Content owner/provider

[Diagram: Botnet sends REQ with target spoofed as SRC IP to open DNS/NTP/SSDP servers across the Internet; the amplified response targets the original victim (Content or Ecom Provider)]

Page 10: DDOS Attacks – Victims (continued)

Victims:
1. Service Providers
2. DC/Cloud Service provider
3. Content owner/provider

[Diagram: same flow as Page 9; the amplified response crosses Tier-I ISP, Regional ISPs, Local ISPs and the DC or Cloud SP on its way to the original victim (Content or Ecom Provider)]

Page 11: Collateral Damage Problem

• Converged Network Infrastructure
• Supporting ISP, DC and Mobile broadband services

[Diagram: converged operator network with Peer-1, Peer-2, Peer-3, IXP-A, IXP-B, a DC Facility (DC & Cloud Services) and a 4G RAN (Mobile Broadband Services)]

Page 12: Collateral Damage Problem (continued)

• Attack targeting a service hosted in DC facility
• Impacts bystanders, other business

[Diagram: same converged topology as Page 11 (Peer-1/2/3, IXP-A/B, DC Facility, 4G RAN)]

Page 13: Reflective Amplification Protocols used as attack vectors

• Many protocols can be leveraged by attackers
• DNS, NTP, SSDP, CHARGEN, SNMP are commonly observed.
• Amplification factors make it lethal:

Protocol   Ports        Amplification factor
NTP        UDP / 123    600x
DNS        UDP / 53     160x
SSDP       UDP / 1900   30x
CHARGEN    UDP / 19     18x
SNMP       UDP / 161    800x

Page 14: What makes it possible?

• Failure to deploy network ingress filtering at the very edge – BCP 38, for anti-spoofing using ACLs or uRPF or IP Source verify.
• Abusable services in the open Internet running on servers, home CPE devices, routers, and other IoT devices.
• Low difficulty of execution of such attacks; readily available attack tools
• Network operators not utilizing the best practices
− Not utilizing flow telemetry for collection and analysis to detect attacks
− Failure to proactively scan and remediate abusable services
− Failure to deploy DDOS attack detection, response and mitigation tools
− Source or Destination based RTBH, flowspec for mitigation
− Subscribe to SP Cloud based DDOS attack detection and mitigation service

Page 15: Best Practices for Network Operators – Don’t be a part of the problem

• Deploy anti-spoofing at network edges
− uRPF loose and strict modes at peering and customer aggregation
− DHCP Snooping and IP Source Verify at DC LAN access edge
− Suitable mechanisms for Cable, DOCSIS subscriber edges
• Don’t be a spoofing-friendly network, you will soon be blocked!
• Proactively scan for and remediate abusable services and block them if necessary to take them offline.
• Check www.openntpproject.org and its equivalents to see if abusable services have been identified on your network and take suitable action.
• Do not give in to collateral damage; have a suitable process and system in place.
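The uRPF modes on this slide decide, per packet, whether a source address is plausible for the port it arrived on. The Python model below is an added example, not part of the PLNOG15 deck: it shows strict mode dropping spoofed sources at a customer aggregation port, loose mode forwarding anything that has a route (so it cannot catch a spoofed but routed prefix at peering), and the default route being excluded from the check unless explicitly allowed. The FIB, interface names and packet list are constructed.

```python
"""uRPF / BCP 38 ingress-filter decision simulator (added example, not from the PLNOG15 slides).
The FIB, interface names and packet list below are constructed for illustration."""
import ipaddress

# Constructed FIB: destination prefix -> interface the prefix is reached through
FIB = {
    "0.0.0.0/0":       "peer-1",       # default route towards the upstream peer
    "192.0.2.0/24":    "cust-agg-1",   # customer A, aggregation port 1
    "198.51.100.0/24": "cust-agg-2",   # customer B, aggregation port 2
    "203.0.113.0/24":  "dc-facility",  # DC facility hosting the content provider
}

def lookup(src):
    """Longest-prefix match of a source address; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf(src, ingress_iface, mode, allow_default=False):
    """Return 'forward' or 'drop' for a packet with source src arriving on ingress_iface.
    strict: the source must route back out the ingress interface (customer/aggregation edges).
    loose : the source only needs some route in the FIB, tolerating asymmetric peering paths.
    Assumption: the default route does not satisfy the check unless allow_default is set."""
    match = lookup(src)
    if match is None or (match[0].prefixlen == 0 and not allow_default):
        return "drop"                      # unroutable or default-only source: spoofed/bogon
    net, iface = match
    if mode == "loose":
        return "forward"
    return "forward" if iface == ingress_iface else "drop"

def filter_batch(packets, mode, allow_default=False):
    """packets: iterable of (src, ingress_iface). Returns (forwarded, dropped) counts."""
    verdicts = [urpf(src, iface, mode, allow_default) for src, iface in packets]
    return verdicts.count("forward"), verdicts.count("drop")

# Constructed traffic seen on customer A's aggregation port: its own addresses, plus packets
# whose source is spoofed as the DC victim (203.0.113.10), another customer, and an unrouted prefix
CUST_A_INGRESS = [
    ("192.0.2.7", "cust-agg-1"), ("192.0.2.9", "cust-agg-1"),
    ("203.0.113.10", "cust-agg-1"), ("198.51.100.3", "cust-agg-1"), ("10.1.1.1", "cust-agg-1"),
]
```

Strict mode on the customer port drops all three spoofed packets, while loose mode only drops the unrouted one; that gap is why strict belongs at customer aggregation and loose is the compromise at peering.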

Page 16: Building a DDoS attack defense system – Detection/Classification

• Visibility is key for detection – You can only protect what you can see
• Utilize flow telemetry exported from all network edges for attack detection and classification
• Deploy a suitable anomaly-based DDoS attack detection solution
• Monitor links across transit, peering, aggregation, service edge and DC access
• Deploy in-line or SPAN-based monitoring in front of critical services for fine-grained application-aware visibility and detection
• Don’t have CAPEX budget? Subscribe to Carrier DDOS Protection services.
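Flow telemetry alone is enough to separate the three infrastructure-level attack types from Pages 4 and 5 (SYN floods, UDP floods, and reflected replies from the service ports listed on Page 13); application-layer attacks are left unclassified because they need the in-line/SPAN visibility this slide calls for. The classifier below is an added example, not the deck's or any vendor's detection logic; the record layout, thresholds and sample flows are constructed.

```python
"""Flow-telemetry DDoS classifier (added example, not from the PLNOG15 slides).
Record layout, thresholds and the sample flows are constructed assumptions."""
from collections import defaultdict

REFLECTOR_PORTS = {123, 53, 1900, 19, 161}   # NTP, DNS, SSDP, CHARGEN, SNMP (Page 13)
SYN, ACK = 0x02, 0x10                         # TCP flag bits

def classify_flows(flows, window_s=60):
    """Aggregate flow records per destination and label the dominant attack pattern.
    flow: dict with src, dst, proto ('tcp'|'udp'), sport, dport, pkts, bytes, flags (TCP only)."""
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "udp_bytes": 0, "reflector_bytes": 0,
                                   "tcp_flows": 0, "syn_only": 0, "srcs": set()})
    for f in flows:
        d = per_dst[f["dst"]]
        d["pkts"] += f["pkts"]; d["bytes"] += f["bytes"]; d["srcs"].add(f["src"])
        if f["proto"] == "tcp":
            d["tcp_flows"] += 1
            flags = f.get("flags", 0)
            if flags & SYN and not flags & ACK and f["pkts"] == 1:   # half-open handshake attempt
                d["syn_only"] += 1
        elif f["proto"] == "udp":
            d["udp_bytes"] += f["bytes"]
            if f["sport"] in REFLECTOR_PORTS:                         # reply from an abusable service
                d["reflector_bytes"] += f["bytes"]
    verdicts = {}
    for dst, d in per_dst.items():
        if d["bytes"] and d["reflector_bytes"] / d["bytes"] > 0.5:
            label = "reflective_amplification"   # bps-heavy replies from reflector source ports
        elif d["tcp_flows"] and d["syn_only"] / d["tcp_flows"] > 0.8:
            label = "tcp_state_exhaustion"       # SYN flood: almost every TCP flow is half-open
        elif d["bytes"] and d["udp_bytes"] / d["bytes"] > 0.5:
            label = "volumetric_udp"             # generic UDP flood, typically spoofed sources
        else:
            label = "unclassified"               # e.g. application layer: needs in-line/SPAN visibility
        verdicts[dst] = {"label": label, "bps": d["bytes"] * 8 / window_s,
                         "pps": d["pkts"] / window_s, "sources": len(d["srcs"])}
    return verdicts

# Constructed 60 s sample towards two DC hosts: 20 reflectors answering from NTP/123 with large
# replies, then 200 single-packet SYNs and one legitimate session to a web server
SAMPLE = (
    [{"src": f"198.51.100.{i}", "dst": "203.0.113.10", "proto": "udp", "sport": 123,
      "dport": 40000 + i, "pkts": 5000, "bytes": 5000 * 468} for i in range(1, 21)]
  + [{"src": f"192.0.2.{i}", "dst": "203.0.113.20", "proto": "tcp", "sport": 1024 + i,
      "dport": 443, "pkts": 1, "bytes": 60, "flags": SYN} for i in range(1, 201)]
  + [{"src": "192.0.2.250", "dst": "203.0.113.20", "proto": "tcp", "sport": 5555,
      "dport": 443, "pkts": 40, "bytes": 30000, "flags": SYN | ACK}]
)
```

The bps and pps figures returned per destination are the inputs the mitigation planning on Page 17 needs (bandwidth for reflection, packet rate for SYN floods).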

Page 17: Building a DDoS attack defense system – Mitigation Infra – Options

• Flowspec – Utilize BGP to inject ACLs or routing policy to filter or divert traffic.
• Remote Triggered Blackholing – RTBH
− S/RTBH to block known bad sources
− D/RTBH to blackhole the destination under attack as a last resort
• Deploy a commercial mitigation system to protect from any attacks
• Build minimum capacity within and subscribe to Carrier-based cloud mitigation services
• Planning mitigation capacity – Bandwidth
− Ideal Mitigation capacity = Total Ingress network bandwidth
− Minimum mitigation capacity = max attack size in the region, if the network transport has room to carry
− You can only Mitigate what you can carry on your network
• Planning mitigation capacity – Throughput
− Volumetric attacks generate high rate of packets; consider hardware architecture
− Ensure 1 Million PPS capacity for every Gbps of mitigation capacity
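The capacity rules on this slide and the converged-network choke points of Pages 11 and 12 can be checked together. The Python below is an added example, not from the deck; the link names, capacities, the 300 Gbps ingress figure and the attack sizes are constructed assumptions.

```python
"""Mitigation capacity planning and collateral-damage choke-point check (added example, not from
the PLNOG15 slides). Link names, capacities and traffic figures are constructed assumptions."""

MPPS_PER_GBPS = 1.0   # slide rule of thumb: 1 Million PPS for every Gbps of mitigation capacity

def packets_per_second(gbps, avg_packet_bytes):
    """Packet rate implied by a bit rate; small packets (e.g. 64-byte SYNs) exceed the 1 Mpps/Gbps floor."""
    return gbps * 1e9 / (8 * avg_packet_bytes)

def plan_mitigation(total_ingress_gbps, max_regional_attack_gbps, transport_headroom_gbps):
    """Ideal capacity = total ingress bandwidth; minimum = largest attack seen in the region,
    capped by what the transport can actually carry (you can only mitigate what you can carry)."""
    minimum = min(max_regional_attack_gbps, transport_headroom_gbps)
    return {
        "ideal_gbps": total_ingress_gbps,
        "minimum_gbps": minimum,
        "minimum_mpps": minimum * MPPS_PER_GBPS,
        "covers_regional_max": minimum >= max_regional_attack_gbps,   # False = transport is the bottleneck
    }

def choke_points(path, attack_gbps, background_gbps=0.0):
    """path: ordered (link, capacity_gbps, services_sharing_link) from the peering edge to the target.
    Returns every link that saturates together with the bystander services riding on it."""
    load = attack_gbps + background_gbps
    return [
        {"link": link, "overload_gbps": round(load - capacity, 1),
         "bystanders": sorted(set(services) - {"target"})}
        for link, capacity, services in path if load > capacity
    ]

# Constructed converged path into the DC facility, mirroring the slide's Peer / IXP / DC labels
PATH = [
    ("peer-1 transit", 200.0, ["target", "isp-customers"]),
    ("ixp-a uplink",   100.0, ["target", "isp-customers", "mobile-broadband"]),
    ("dc-facility",     40.0, ["target", "dc-cloud-tenants"]),
]

def report(attack_gbps, background_gbps=10.0):
    """Combine both checks for one attack size: where it chokes, and whether the minimum
    mitigation capacity the dc-facility link can carry would have absorbed it."""
    plan = plan_mitigation(total_ingress_gbps=300.0, max_regional_attack_gbps=attack_gbps,
                           transport_headroom_gbps=PATH[-1][1] - background_gbps)
    return {"choke_points": choke_points(PATH, attack_gbps, background_gbps), "plan": plan}
```

For a constructed 80 Gbps attack the dc-facility link saturates before the peering edge does, so the tenants sharing it take the collateral damage and the capacity that transport can carry falls short of the attack, which is the case for scrubbing upstream that Page 18 makes.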

Page 18: Building a DDoS attack defense system – Mitigation Infra – Planning and Scale-up

• Build distributed mitigation systems.
• Stop attack traffic closer to source, do not allow them to converge.
• Leverage botnet heat-maps for planning your mitigation capacity globally.
• Utilize anycast routing to scrubbing farms for an effective mitigation
• If you are a regional or a local Network operator:
− Utilize carrier DDOS protection services
− Build minimal mitigation capacity for offering services for local enterprise market

Page 19: What works well?

Attack type: TCP State exhaustion
• Impact on Network / DC Service Provider: Limited or Nil
• Impact on content owner: High – Impacts all stateful devices in transit
• Effective Mitigation technique: Arrested by SP Cloud Mitigation, if detected; On-premise CPE solutions are proactive

Attack type: Volumetric
• Impact on Network / DC Service Provider: Tier-1 operator – Nil or limited impact on rare occasions; Other DC and Tier-2/3 operators – Causes bandwidth choke-points based on capacity, leading to collateral damage
• Impact on content owner: High – Impact at the network edge to server edge – weakest link fails
• Effective Mitigation technique: SP Cloud mitigation

Attack type: Application layer
• Impact on Network / DC Service Provider: Tier-1/2/3 operator – Limited or Nil impact; DC Service provider services such as IaaS are impacted; design should adapt protection against noisy-neighbors (tenants)
• Impact on content owner: High – weakest node breaks down
• Effective Mitigation technique: On-premise CPE solutions are effective; Basic attacks are defended by SP Cloud mitigation techniques

Attack type: Reflective Amplification
• Impact on Network / DC Service Provider: Tier-1 operator – Nil or limited impact on rare occasions; Other DC and Tier-2/3 operators – Causes bandwidth choke-points based on capacity, leading to collateral damage
• Impact on content owner: High – Impact at the network edge to server edge – weakest link fails
• Effective Mitigation technique: SP Cloud mitigation

Page 20: HOW CAN TATA COMMUNICATIONS HELP?

WE CAN HELP PROTECT YOUR NETWORKS & YOUR CUSTOMERS AGAINST DDOS ATTACKS

Page 21: SECURITY SERVICES AT TATA COMM

Multi-Platform Support
Security Operations Centers
Technology & Automation

Build and maintain a secure network
Protect Sensitive Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

• DDoS Detection & Mitigation
• Bluecoat Managed Proxy
• Professional Security Services
• Managed & Monitored Firewall-UTM
• Managed & Monitored IDS/IPS
• Log/Security Event Monitoring
• Managed Strong Authentication
• Network Based vUTM
• Zscaler web security/virtual Proxy
• Qualys Vulnerability Management
• Email Security & Postini Anti-Spam

Telephony Magazine
2014 – Leader for Network Services Strength
Strong range of network security services
Scalable & Multi-tenant
India – Singapore ISO 27001 Certified; SAS-70 Type I/II audited; Cisco MSCP Firewall - IDS - VPN
“Most Innovative Service Award”
Gartner Magic Quadrant
In +100 countries

Page 22: INTEGRATED MDDOS D&M SERVICES POWERED BY TATA COMMUNICATIONS’ TIER 1 IP NETWORK

- 24% of the world’s Internet routes are on our network
- Only Tier 1 Provider to feature in the Top 5 in 5 continents
- 99.7% of the world’s GDP can be reached using the Tata Communications’ Global Network

Page 23: DDOS SCRUBBING FARM – GLOBAL DEPLOYMENT FOOTPRINT

[Map: DDoS scrubbing farms in Americas, EMEA & APAC, plus a DDoS scrubbing farm marked (Proposed)]

Page 24: ON-NET SERVICE

Detection
• TATA SSOC collecting/monitoring flow data 24/7 from within TATA network

Mitigation
• SSOC analyst confirms attack, contacts customer POC
• Customer authorizes mitigation
• TATA activates BGP session
• Multi-Gb attack traffic routes through TATA mitigation centers and scrubbed traffic is returned to destination over dedicated TATA IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, original route is re-established & ticket closed

[Diagram: DDoS Attack from the Public Internet arrives at the TATA IP Transit Port; a Flow Sensor at the Edge feeds the TATA SSOC; traffic is diverted to TATA Regional Scrubbing Farms and Clean Traffic is injected via GRE to the customer CE / Customer Data Center]

Page 25: OFF-NET SERVICE

Detection
• TATA SSOC collecting/monitoring flow data 24/7 (Assumes Flow Sensor, router, IPS, etc…)

Mitigation
• SSOC analyst confirms attack, contacts customer POC
• Customer authorizes mitigation, withdraws existing route for /24
• TATA activates BGP session, announces new route; customer sends /24
• Multi-Gb attack traffic routes through TATA mitigation centers with scrubbed traffic returned to destination over 3rd party IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, original route is re-established & ticket is closed

[Diagram: DDoS Attack from the Public Internet arrives over 3rd Party IP; a Flow Sensor at the Edge feeds the TATA SSOC; traffic is diverted to TATA Regional Scrubbing Farms and Clean Traffic is injected via GRE to the customer CE / Customer Data Center]

Page 26: DDoS attack Protection Services for Carriers

Tata Communications offers detection of DDoS attacks On-net and Off-net. Detects DDoS attack traffic proactively and directs it to the nearest scrubbing farm. Scrubbing farms are deployed across the globe with high capacity nodes in regions with heavy botnet activity, to mitigate attacks closer to source, preventing an avalanche of attack traffic.

Clean traffic can be delivered on a secure on-net tunnel to carrier network edge *.

[Diagram: Global Internet → TCL Network with DDOS defense (attack traffic dropped in the cloud) → Regional ISP/IXP and Regional Carrier network → customers; clean traffic delivered]

* - recommended option

Page 27: Thank You

Have Questions? Ask Now or Talk to our local representatives:

Marcin Raczkiewicz, [email protected], Director, Global Carrier Services, Tata Communications - Poland

Konrad Czubak, [email protected], Sr. Solutions Architect, Tata Communications - Poland