PLNOG15: DDoS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
TRANSCRIPT
DDOS Attacks & Collateral Damage
Can we avoid it ?
Asraf Ali
Head – Security & Network Engineering
Tata Communications
Agenda
○ DDoS attacks – What? How? Who?
○ The Impact – Direct & indirect victims
○ The Collateral Damage Problem
○ Global Industry Best Practices
○ How can Tata Communications help?
○ Q & A
DDoS Attacks – What? How?
• Attempt to consume FINITE resources, exploit WEAKNESS in design, or lack of infra CAPACITY.
• Affects service AVAILABILITY, thereby denying service to legitimate user traffic.
• Sourced from BOTNETs but triggered by C&C servers, and almost always DISTRIBUTED for significant effect.
• Broadly classified as:
  − TCP State Exhaustion attacks – TCP SYN floods
  − Volumetric attacks – UDP packet floods on well-known ports
  − Reflective Amplification attacks – based on DNS, NTP, SSDP…
  − Application layer attacks – HTTP, SIP etc., caused by LOIC, HOIC tools
DDoS Attacks – Classified
• TCP State exhaustion attacks
  − Exploits the stateful behaviour of the TCP protocol
  − Exhausts resources in servers, reverse proxies, firewalls
  − System runs out of memory/sockets
  − SYN, FIN, RST floods
• Volumetric attacks
  − Exploits the stateless behaviour of the UDP protocol
  − UDP-based floods from spoofed IPs generate heavy bps/pps traffic volume
  − Takes out infra capacity – routers, switches, servers
[Diagram: SYN flood – the client sends SYN, the server answers SYN/ACK and holds state; repeated endlessly until the resources exhaust...]
DDoS Attacks – Classified
• Reflective Amplification attacks
  − Exploits the amplification behaviour of NTP, DNS, SSDP, SNMP protocols
  − Reflection and amplification make it easy to execute
  − Impacts more than just the target
  − DNS, NTP, SSDP are commonly used
• Application layer attacks
  − Low and slow in nature; targets application instances and NOT infra
  − Exploits scale and functionality of specific applications
  − HTTP GET/POST floods
  − LOIC, HOIC, Slowloris, etc. are easily available attack tools
[Diagram: botnet sends REQ (spoofed) to open DNS/NTP/SNMP/SSDP services; RES (amplified) lands on the target victim]
DDoS Attacks – The Impact
• InfoSec systems are built with the goal of maintaining Confidentiality, Integrity and Availability (CIA).
• Confidentiality and Integrity are mostly addressed using encryption in data security solutions.
• Availability is typically associated with eliminating points of failure in the design.
• DDoS attacks are targeted and directly affect ‘Availability’.
Service Availability – Business Continuity
Maintaining availability in the face of an attack proves the success of an InfoSec program.
An industry survey shows most organizations:
• Do not have DDoS mitigation plans
• Never stress-test their service stack to find shortcomings
Evolution of DDoS attacks
Source: Arbor Networks WISR
• DDoS attacks have evolved over two decades now
• Peak attacks have grown 400% over the last couple of years
• All of those largest observed attacks were caused by Reflective Amplification
Reflective Amplification attacks – A Closer look
• Due to their high magnitude (scaling up to 300+ Gbps), affecting millions of users, these attacks are often reported in the press.
• Requires the ability to spoof the IP address of the target host/network.
• Most volumetric attacks generate high throughput (pps), but for reflective amplification attacks bandwidth (bps) is the key: it fills the pipes in transit, saturating network operator infra.
• Two main characteristics:
  − Reflection – Spoofed requests (carrying the actual attack target as source) from a botnet of hosts are sent towards open abusable services on the Internet; the amplified response is reflected back onto the attack target.
  − Amplification – A relatively small request that generates a significantly larger response.
[Diagram: botnet → open DNS/NTP/SSDP servers → The Internet → original victim (content or e-commerce provider)]
DDoS Attacks – Victims
Direct Victims:
1. Content owner/provider
[Diagram: botnet sends REQ with the target spoofed as SRC IP to open DNS/NTP/SSDP servers; the amplified response targeting the victim crosses the Internet to the DC or Cloud SP hosting the original victim (content or e-commerce provider)]
DDoS Attacks – Victims
Victims:
1. Service Providers
2. DC/Cloud Service provider
3. Content owner/provider
[Diagram: the same flow, now showing the amplified response traversing the Tier-1 ISP, regional ISPs and local ISPs before reaching the DC or Cloud SP and the original victim]
Collateral Damage Problem
• Converged Network Infrastructure
• Supporting ISP, DC and Mobile broadband services
[Diagram: converged operator network with peers (Peer-1, Peer-2, Peer-3), IXP-A, IXP-B, a DC facility (DC & Cloud services) and a 4G RAN (mobile broadband services)]
Collateral Damage Problem
• Attack targeting a service hosted in the DC facility
• Impacts bystanders, other businesses
[Diagram: the same converged network, with attack traffic entering via the peers and IXPs towards the DC facility]
Reflective Amplification Protocols used as attack vectors
• Many protocols can be leveraged by attackers
• DNS, NTP, SSDP, CHARGEN, SNMP are commonly observed
• Amplification factors make it lethal:
Protocol   Port        Amplification factor
NTP        UDP/123     600x
DNS        UDP/53      160x
SSDP       UDP/1900    30x
CHARGEN    UDP/19      18x
SNMP       UDP/161     800x
What makes it possible?
• Failure to deploy network ingress filtering at the very edge – BCP 38, anti-spoofing using ACLs, uRPF or IP Source Verify.
• Abusable services in the open Internet running on servers, home CPE devices, routers, and other IoT devices.
• Low difficulty of execution of such attacks; readily available attack tools.
• Network operators not utilizing the best practices:
  − Not utilizing flow telemetry collection and analysis to detect attacks
  − Failure to proactively scan and remediate abusable services
  − Failure to deploy DDoS attack detection, response and mitigation tools:
    • Source- or destination-based RTBH, flowspec for mitigation
    • Subscribing to an SP cloud-based DDoS attack detection and mitigation service
Best Practices for Network Operators – Don’t be a part of the problem
• Deploy anti-spoofing at network edges
  − uRPF loose and strict modes at peering and customer aggregation
  − DHCP Snooping and IP Source Verify at the DC LAN access edge
  − Suitable mechanisms for Cable/DOCSIS subscriber edges
• Don’t be a spoofing-friendly network; you will soon be blocked!
• Proactively scan for and remediate abusable services, and block them if necessary to take them offline.
• Check www.openntpproject.org and its equivalents to see if abusable services have been identified on your network, and take suitable action.
• Do not give in to collateral damage; have a suitable process and system in place.
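As an added illustration of the anti-spoofing bullet above (example code written for this transcript, not the deck's or Tata Communications' own), the following Python simulates the uRPF decision a router makes in strict and loose mode against a constructed FIB. It shows why strict mode fits customer aggregation edges while loose mode is what can be tolerated at peering, where routing is asymmetric; the prefixes, interface names and sample packets are assumptions.

```python
import ipaddress

# Constructed FIB: (prefix, next-hop interface). Only the default route points to peer1.
FIB = [
    ("0.0.0.0/0", "peer1"),          # default route
    ("198.51.100.0/24", "cust-a"),   # customer A aggregation
    ("203.0.113.0/24", "cust-b"),    # customer B aggregation
    ("192.0.2.0/24", "peer2"),       # learned via peer2; return path may differ
]

def lookup(src):
    """Longest-prefix match of src against FIB; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src, ingress, mode):
    """True if a packet with source src arriving on ingress passes uRPF.
    strict: the best route back to src must exit via the ingress interface.
    loose : any route other than the default is enough (BCP 38 at peering edges,
            where asymmetric routing makes strict mode impractical)."""
    match = lookup(src)
    if match is None or match[0].prefixlen == 0:   # unrouted or default-only source
        return False
    net, iface = match
    return iface == ingress if mode == "strict" else True

def audit(packets, mode):
    """Apply urpf_check to (src, ingress) pairs; return the sources that get dropped."""
    return [src for src, ingress in packets if not urpf_check(src, ingress, mode)]

# Constructed sample: one spoofed packet (customer B's address arriving from customer A),
# one legitimate customer packet, one asymmetric peering packet and one unroutable source.
SAMPLE = [
    ("203.0.113.5", "cust-a"),   # spoofed: src belongs to cust-b but arrives on cust-a
    ("198.51.100.7", "cust-a"),  # legitimate customer A traffic
    ("192.0.2.9", "peer1"),      # route points to peer2, packet arrives via peer1
    ("10.0.0.1", "peer1"),       # only the default route matches: unroutable source
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", audit(SAMPLE, mode))
```

Strict mode drops the spoofed customer packet and the asymmetric peering packet; loose mode keeps both and only drops the unroutable source, which is the trade-off behind "strict at customer aggregation, loose at peering".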
Building a DDoS attack defense system – Detection/Classification
• Visibility is key for detection – you can only protect what you can see
• Utilize flow telemetry exported from all network edges for attack detection and classification
• Deploy a suitable anomaly-based DDoS attack detection solution
• Monitor links across transit, peering, aggregation, service edge and DC access
• Deploy in-line or SPAN-based monitoring in front of critical services for fine-grained, application-aware visibility and detection
• No CAPEX budget? Subscribe to carrier DDoS protection services.
Building a DDoS attack defense system – Mitigation Infra: Options
• Flowspec – Utilize BGP to inject ACLs or routing policy to filter or divert traffic.
• Remote Triggered Blackholing (RTBH)
  − S/RTBH to block known bad sources
  − D/RTBH to blackhole the destination under attack, as a last resort
• Deploy a commercial mitigation system to protect from any attacks
• Build minimum capacity within and subscribe to carrier-based cloud mitigation services
• Planning mitigation capacity – Bandwidth
  − Ideal mitigation capacity = total ingress network bandwidth
  − Minimum mitigation capacity = max attack size in the region, if the network transport has room to carry it
  − You can only mitigate what you can carry on your network
• Planning mitigation capacity – Throughput
  − Volumetric attacks generate a high rate of packets; consider the hardware architecture
  − Ensure 1 million pps of capacity for every Gbps of mitigation capacity
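To make the flow-telemetry detection slide and the mitigation options above concrete, here is an added Python example (written for this transcript, not the deck's or Tata Communications' code) that aggregates constructed NetFlow-style records per destination over one export window, classifies them into the deck's attack categories by their flow signatures (reflector source ports from the amplification table, UDP share of bytes, SYN-only packet rate) and maps each to the matching mitigation option. Record field names, the window length and the alert thresholds are assumptions.

```python
from collections import defaultdict

WINDOW_SEC = 60                    # assumed flow export window
BPS_ALERT = 1_000_000_000          # assumed: 1 Gbps towards one destination is abnormal
SYN_PPS_ALERT = 50_000             # assumed: 50k SYN-only packets/s towards one host
# Reflector source ports and protocols from the amplification table in this deck.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN", 161: "SNMP"}

def classify(flows):
    """Aggregate flows per destination; return (dst, attack_type, detail, mitigation) tuples.
    Each flow is a dict: src, dst, proto, sport, dport, bytes, packets, tcp_flags."""
    per_dst = defaultdict(lambda: {"bytes": 0, "udp_bytes": 0, "syn_pkts": 0,
                                   "reflect": defaultdict(int)})
    for f in flows:
        agg = per_dst[f["dst"]]
        agg["bytes"] += f["bytes"]
        if f["proto"] == "udp":
            agg["udp_bytes"] += f["bytes"]
            if f["sport"] in REFLECTOR_PORTS:                 # answer from an abusable service
                agg["reflect"][REFLECTOR_PORTS[f["sport"]]] += f["bytes"]
        elif f["proto"] == "tcp" and f["tcp_flags"] == "S":   # SYN without ACK: half-open state
            agg["syn_pkts"] += f["packets"]
    alerts = []
    for dst, agg in per_dst.items():
        bps = agg["bytes"] * 8 / WINDOW_SEC
        reflect_bps = sum(agg["reflect"].values()) * 8 / WINDOW_SEC
        syn_pps = agg["syn_pkts"] / WINDOW_SEC
        if reflect_bps >= BPS_ALERT:
            vectors = sorted(agg["reflect"], key=agg["reflect"].get, reverse=True)
            alerts.append((dst, "reflective_amplification", ",".join(vectors),
                           "flowspec: drop UDP from reflector source ports; S/RTBH; SP cloud mitigation"))
        elif bps >= BPS_ALERT and agg["udp_bytes"] * 2 > agg["bytes"]:
            alerts.append((dst, "volumetric", f"{bps / 1e9:.1f} Gbps",
                           "SP cloud mitigation; D/RTBH only as a last resort"))
        elif syn_pps >= SYN_PPS_ALERT:
            alerts.append((dst, "tcp_state_exhaustion", f"{syn_pps:.0f} SYN/s",
                           "on-premise CPE mitigation; SP cloud mitigation if detected"))
    return alerts

def flow(dst, proto, sport, nbytes, packets, flags=""):
    """Build one constructed flow record (source address is arbitrary here)."""
    return {"src": "192.0.2.1", "dst": dst, "proto": proto, "sport": sport,
            "dport": 4321, "bytes": nbytes, "packets": packets, "tcp_flags": flags}

# Constructed sample window: an NTP+DNS reflection victim, a SYN flood victim,
# a plain UDP flood victim, and a host receiving ordinary DNS answers (must not alert).
SAMPLE_FLOWS = [
    flow("203.0.113.10", "udp", 123, 8_000_000_000, 16_000_000),
    flow("203.0.113.10", "udp", 53, 1_000_000_000, 300_000),
    flow("203.0.113.20", "tcp", 40000, 360_000_000, 6_000_000, "S"),
    flow("203.0.113.40", "udp", 40000, 9_000_000_000, 6_000_000),
    flow("203.0.113.30", "udp", 53, 20_000, 100),
]

if __name__ == "__main__":
    for alert in classify(SAMPLE_FLOWS):
        print(*alert, sep=" | ")
```

Reflection is tested before the generic volumetric rule because it is the case where a source-port flowspec filter or S/RTBH can stop the traffic without blackholing the victim.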
Building a DDoS attack defense system – Mitigation Infra: Planning and Scale-up
• Build distributed mitigation systems.
• Stop attack traffic closer to the source; do not allow it to converge.
• Leverage botnet heat-maps for planning your mitigation capacity globally.
• Utilize anycast routing to scrubbing farms for effective mitigation.
• If you are a regional or local network operator:
  − Utilize carrier DDoS protection services
  − Build minimal mitigation capacity for offering services to the local enterprise market
What works well?
Attack type: TCP State exhaustion
  Impact on Network / DC Service Provider: Limited or nil
  Impact on content owner: High – impacts all stateful devices in transit
  Effective mitigation technique:
    • Arrested by SP cloud mitigation, if detected
    • On-premise CPE solutions are proactive
Attack type: Volumetric
  Impact on Network / DC Service Provider:
    • Tier-1 operator – nil or limited impact on rare occasions
    • Other DC and Tier-2/3 operators – causes bandwidth choke-points based on capacity, leading to collateral damage
  Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
  Effective mitigation technique: SP cloud mitigation
Attack type: Application layer
  Impact on Network / DC Service Provider:
    • Tier-1/2/3 operator – limited or nil impact
    • DC service provider services such as IaaS are impacted; the design should include protection against noisy neighbours (tenants)
  Impact on content owner: High – the weakest node breaks down
  Effective mitigation technique:
    • On-premise CPE solutions are effective
    • Basic attacks are defended by SP cloud mitigation techniques
Attack type: Reflective Amplification
  Impact on Network / DC Service Provider:
    • Tier-1 operator – nil or limited impact on rare occasions
    • Other DC and Tier-2/3 operators – causes bandwidth choke-points based on capacity, leading to collateral damage
  Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
  Effective mitigation technique: SP cloud mitigation
HOW CAN TATA COMMUNICATIONS HELP?
WE CAN HELP PROTECT YOUR NETWORKS & YOUR CUSTOMERS AGAINST DDOS ATTACKS
SECURITY SERVICES AT TATA COMM
Multi-Platform Support | Security Operations Centers | Technology & Automation
Build and maintain a secure network | Protect sensitive data | Maintain a vulnerability management program | Implement strong access control measures | Regularly monitor and test networks | Maintain an information security policy
• DDoS Detection & Mitigation
• Bluecoat Managed Proxy
• Professional Security Services
• Managed & Monitored Firewall-UTM
• Managed & Monitored IDS/IPS
• Log/Security Event Monitoring
• Managed Strong Authentication
• Network Based vUTM
• Zscaler web security/virtual Proxy
• Qualys Vulnerability Management
• Email Security & Postini Anti-Spam
Telephony Magazine 2014 – Leader for Network Services Strength: strong range of network security services
Scalable & Multi-tenant
India – Singapore: ISO 27001 Certified; SAS-70 Type I/II audited; Cisco MSCP Firewall - IDS - VPN
“Most Innovative Service Award”
Gartner Magic Quadrant
In 100+ countries
INTEGRATED MDDOS D&M SERVICES POWERED BY TATA COMMUNICATIONS’ TIER 1 IP NETWORK
- 24% of the world’s Internet routes are on our network
- Only Tier 1 Provider to feature in the Top 5 in 5 continents
- 99.7% of the world’s GDP can be reached using the Tata Communications’ Global Network
DDOS SCRUBBING FARM – GLOBAL DEPLOYMENT FOOTPRINT
[Map: DDoS scrubbing farms deployed in Americas, EMEA & APAC; further scrubbing farms proposed]
ON-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 from within the TATA network
Mitigation
• SSOC analyst confirms the attack and contacts the customer POC
• Customer authorizes mitigation
• TATA activates the BGP session
• Multi-Gb attack traffic routes through TATA mitigation centers, and scrubbed traffic is returned to the destination over dedicated TATA IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, the original route is re-established & the ticket is closed
[Diagram: DDoS attack from the public Internet arrives at the TATA edge, where a flow sensor feeds the TATA SSOC; traffic is diverted to TATA regional scrubbing farms and clean traffic is injected via GRE to the customer data center CE over the TATA IP transit port]
OFF-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 (assumes a flow sensor, router, IPS, etc. at the customer)
Mitigation
• SSOC analyst confirms the attack and contacts the customer POC
• Customer authorizes mitigation and withdraws the existing route for the /24
• TATA activates the BGP session and announces the new route; the customer sends the /24
• Multi-Gb attack traffic routes through TATA mitigation centers, with scrubbed traffic returned to the destination over 3rd-party IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, the original route is re-established & the ticket is closed
[Diagram: DDoS attack from the public Internet towards the customer data center CE behind a 3rd-party IP edge; the flow sensor feeds the TATA SSOC, traffic is diverted to TATA regional scrubbing farms and clean traffic is injected via GRE]
DDoS attack Protection Services for Carriers
Tata Communications offers detection of DDoS attacks on-net and off-net. It detects DDoS attack traffic proactively and directs it to the nearest scrubbing farm. Scrubbing farms are deployed across the globe, with high-capacity nodes in regions with heavy botnet activity, to mitigate attacks closer to the source and prevent an avalanche of attack traffic.
Clean traffic can be delivered on a secure on-net tunnel to the carrier network edge *.
[Diagram: global Internet → TCL network DDoS defense (attack traffic dropped in the cloud) → clean traffic delivered to customers behind regional ISPs/IXPs and the regional carrier network]
* - recommended option
Thank You
Have questions? Ask now or talk to our local representatives:
Marcin Raczkiewicz [email protected]
Director, Global Carrier Services, Tata Communications - Poland
Konrad Czubak [email protected]
Sr. Solutions Architect, Tata Communications - Poland