Real-time DDoS Defense: A collaborative Approach at Internet Scale

University of Bonn


Page 1

Real-time DDoS Defense: A collaborative Approach at Internet Scale

Page 2

Agenda

3rd July 2015 Jessica Steinberger: Real-time DDoS Defense: A collaborative Approach at Internet Scale

• Problem & Goal
• Overview
• Challenges
• Implementation
• Evaluation
• Conclusion
• Insight
• Discussion

Page 3

Problem & Goal

Page 4

Problem

Source: https://www.youtube.com/watch?v=kBBIqKeVdDo

Page 5

Problem: network traffic

Page 6

Problem: mitigation and reaction

Page 7

Goal

Source: https://www.gallaudet.edu/rsia/world_deaf_information_resource.html

Page 8

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Source: http://www.mitnatur.com/wp-content/uploads//2013/11/Kochen.jpg

Page 9

Insight

RQ1: Is real-time and automatic mitigation at ISP level performed and, if yes, how?

Page 10

Insight

Two online surveys: November – December 2012 and May – July 2014

[Figure: survey overview; values as extracted: 52 4256 47]

Source: http://www.pieuvre.ca/v2/wp-content/uploads/2010/01/survey.jpg

Page 11

Real-time and automatic mitigation

Origin of respondents: Europe 93%, Asia 5%, North America 2%

[Bar chart: Market segment and frequency; y-axis 0% to 35%; per-segment values not recoverable from the extraction]

16. February 2015 Jessica Steinberger: Give and Take - Mitigation and Response: A collaborative approach

Page 12

Real-time and automatic mitigation

• Process and involved third-parties
• ISPs and CSIRTs
• to aid NOC
• by email or telephone

Page 13

Real-time and automatic mitigation

Page 14

Real-time and automatic mitigation

Page 15

Real-time and automatic mitigation

Use of automatic mitigation and response tools: Yes 37%, No 60%, Unsure 3%

Plan of use of automatic mitigation and response tools: the 60% "No" slice is split into 6%, 31%, 17% and 6% (values as extracted; legend: Yes, we are planning to do it; We are looking into it; No, we will not make use of it; I am not aware of it)

Further chart values as extracted: Agree 43%, Disagree 17% (chart label not recoverable)

Page 16

Real-time and automatic mitigation

[Bar chart: Automatic actions of mitigation and response tools; series "Actions already performed" and "Actions would like to use"; y-axis 0 to 16; categories: Rerouting traffic; Change blocking/filter capabilities; Notification; Rate limiting at ingress; Exchange data with trusted partners; Quarantine machines; Changing the target's IP address; Other. Bar values not recoverable from the extraction]

Page 17

Real-time and automatic mitigation

IP traffic filtering: Yes 48%, No 52%

IP traffic filtering: Blacklists 53%, Whitelists 29%, Greylists 18%

Page 18

Real-time and automatic mitigation

[Bar chart: Network configuration protocols; y-axis 0 to 25; categories Netconf, SNMP, OpenFlow, Other; values as extracted, in order: 6, 21, 2, 2]

Current technical ability to use OpenFlow: Yes 29%, No 71%

Plan to make use of OpenFlow in 3 years: the 71% "No" slice is split into 9%, 39%, 13% and 10% (values as extracted; legend: Yes, we are planning to do it; We are looking into it; No, we will not make use of it; I am not aware of it)

Page 19

Real-time and automatic mitigation

[Bar chart: Sharing threat indicators or security events / incidents; series "Threat indicators" and "Security events/incidents"; y-axis 0 to 18; categories: None; Various CERTs or CSIRTs; Law enforcement or governmental entities; Industry peers; Only receive data. Bar values as extracted, in order: 10, 13, 6, 0, 4, 6, 17, 7, 7, 3]

Page 20

Real-time and automatic mitigation

Collaboration improves mitigation and response capabilities: Strongly agree 53%, Agree 43%, Disagree 4%

[Bar chart: Exchange protocols / formats; SCAP, IDXP, IDMEF, IODEF, x-arf; categories "Do or did use", "Know", "Heard of", "Unknown"; y-axis 0 to 30; bar values not recoverable from the extraction]

Page 21

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Page 22

Terminology: Format vs. Protocol

Source: http://www.mifus.de/out/pictures/master/product/1/8000796013248_simba_sechs_sandformen.jpg
Source: http://www.bluesource.at/2013/11/bluesource-enewsletter-november-2013/

Page 23

Terminology

Page 24

Terminology: Security Event/Incident

• Incident
• Alert/Event
• Alarm/Warning

Page 25

Terminology: Incident vs. Event (illustrated with a Monopoly Chance Card)

Source: http://www.hasbro.com/monopoly/de_DE/
Source: http://www.bitstorm.org/journaal/2005-6/grolsch.jpg

Page 26

Application Domain

Source: http://makingsecuritymeasurable.mitre.org/about/index.html

Page 27

Who is involved?

• US government's Defense Advanced Research Projects Agency (DARPA)
• TERENA
• IETF Incident Handling
• Stuttgart University's CERT
• IETF IDWG
• MITRE
• IETF MARF
• Eco – Association of the German Internet Industry

Source: http://m.crosstalkonline.org/media/cache/54/c8/54c83f7398d4ee4bece7c84e899c8a64.jpg

Page 28

Timeline

• 1997: CISL (DARPA)
• 2001: IODEF (TERENA)
• 2002: IODEF (IETF INCH)
• 2002: CAIF (University Stuttgart CERT)
• 2003: FINE (IETF INCH)
• 2003: IODEF (IETF INCH)
• 2003: IDMEF (IETF IDWG)
• 2005: ARF (MAAWG)
• 2007: ARF (IETF MARF)
• 2009: CEE (MITRE)
• 2012: x-arf (Eco – Association of the German Internet Industry)
• 2013: x-xarf (Kohlrausch & Übelacker)
• 2013: Project DMTF Cloud Audit or Project Lumberjack

Page 29

Exchange formats

Format          Language        Content                           Producer   Consumer
CISL            S-expressions   Events, Attacks, Responses        Machine    Machine
IODEF           XML             Events, Incidents                 Human      Human
CAIF            XML             Problem, Vulnerability, Exposure  Human      Human
IDMEF           XML             Alerts, Alive messages            Machine    Machine
CEE             XML, JSON       Events                            Machine    Human
ARF             MIME            Spam                              Machine    Machine/Human
x-arf/x-xarf    MIME            Incidents, Attacks                Machine    Machine/Human
syslog          Text/XML        Events                            Machine    Machine/Human

Page 30

IODEF vs. IDMEF

Page 31

ARF vs. x-xarf

Page 32

Exchange formats and protocols

Protocol            OSI layer     Format              Security
CIDF                Transport     CISL message        Symmetric cryptography
RID                 Application   IODEF               TLS
XEP-0268            Application   IODEF               TLS
IDXP                Application   IDMEF               TLS
CLT                 Transport     CEE                 Provided by syslog (RFC 5425)
SMTP                Application   CAIF, ARF, x-arf    None, S/MIME, Multipart/Signed, Multipart/Encrypted
Syslog (RFC 3164)   Transport     Syslog (RFC 3164)   None
Syslog (RFC 5425)   Transport     Syslog (RFC 5424)   TLS

Page 33

Evaluation results

[Figure: evaluation results; labels XML and MIME; values not recoverable from the extraction]

Page 34

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Page 35

Challenges

• "rogue ISPs"
• Quantifying cost/benefit
• FP
• Risk

Source: http://www.lowcarb-ernaehrung.info/
Source: http://whiteboard-ratgeber.de/wp-content/uploads/2013/04/digitales-whiteboard-vs-tafel.jpg

Page 36

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Page 37

Framework

Page 38

Mitigation and Response System

[Architecture diagram. Components and edge labels as extracted: Event producer (sends); Inference Engine (PHREAK) with Production Memory (rules), Working Memory (facts), Pattern Matcher and Agenda (consumes); Mitigation and Response System (publishes, delivers); Incident consumer (subscribes)]

Page 39

Mitigation and Response System: Pattern Matcher

Event Processing → Response Selection → Reaction Execution, backed by a Knowledge Base

Page 40

Mitigation and Response System: Event Processing

• Normalization
• Aggregation / Correlation: event pattern, frequency of event in a time window, geolocation, IP filtering lists, confidence

Page 41

Mitigation and Response System: Response Selection

• Comparison
• Prioritization: previous reactions, potential damage, benefit, risk, CVSS, event profiles

Page 42

Mitigation and Response System: Reaction Execution

• Notification: Email, Pub/Sub Consumer
• Configuration
• Exchange formats
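The three stages shown on pages 40 to 42 (event processing, response selection, reaction execution) as one small pipeline, written here as an added Python example; it is not code from the presentation and not the FLEX or PHREAK-based framework itself. Everything in it is constructed for illustration: the two producer schemas that get normalized, the IP filtering lists, the time window and frequency threshold, the confidence weighting, and the benefit/risk scores attached to the candidate reactions (the reaction names are taken from the survey slide on page 16). The point it makes is that a defensive action is chosen by admissibility (enough confidence) and then by benefit minus risk, so a high-benefit but high-risk action such as rerouting is not picked just because the confidence is high.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60      # constructed: fixed aggregation window (page 40, "time window")
FREQ_THRESHOLD = 5       # constructed: events per window that count as full confidence
BLACKLIST = {"198.51.100.7"}   # constructed IP filtering lists (page 40)
WHITELIST = {"203.0.113.9"}


@dataclass(frozen=True)
class Event:
    ts: int      # epoch seconds
    src: str
    dst: str
    kind: str    # constructed classification label, e.g. "syn_flood"


def normalize(raw: dict) -> Event:
    """Normalization: map two constructed producer schemas onto one Event."""
    if "flow" in raw:                      # constructed flow-exporter style record
        f = raw["flow"]
        return Event(int(f["start"]), f["sa"], f["da"], raw["label"])
    # constructed IDMEF-like record
    return Event(int(raw["CreateTime"]), raw["Source"], raw["Target"], raw["Classification"])


def confidence(count: int, sources: set) -> float:
    """Frequency in the window drives confidence; a blacklisted source adds to it."""
    c = min(count / FREQ_THRESHOLD, 1.0) * 0.8
    if sources & BLACKLIST:
        c += 0.2
    return round(min(c, 1.0), 2)


def aggregate(events, window=WINDOW_SECONDS):
    """Aggregation / correlation: group by (target, kind) inside fixed time buckets.
    Whitelisted sources are dropped before counting."""
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for e in events:
        if e.src in WHITELIST:
            continue
        g = groups[(e.dst, e.kind, e.ts // window)]
        g["count"] += 1
        g["sources"].add(e.src)
    for g in groups.values():
        g["confidence"] = confidence(g["count"], g["sources"])
    return dict(groups)


# Candidate reactions: (name, minimum confidence, benefit, risk). Scores are constructed.
REACTIONS = [
    ("notification", 0.2, 0.3, 0.0),
    ("rate_limiting_at_ingress", 0.6, 0.7, 0.2),
    ("rerouting_traffic", 0.8, 0.9, 0.5),
    ("quarantine_machines", 0.9, 0.8, 0.6),
]


def select_response(confidence_value: float):
    """Response selection: among admissible reactions pick the best benefit minus risk."""
    admissible = [r for r in REACTIONS if confidence_value >= r[1]]
    if not admissible:
        return None
    return max(admissible, key=lambda r: r[2] - r[3])[0]


def execute(group_key, group):
    """Reaction execution: build the notification record a consumer would receive."""
    dst, kind, bucket = group_key
    reaction = select_response(group["confidence"])
    if reaction is None:
        return None
    return {"target": dst, "kind": kind, "window_start": bucket * WINDOW_SECONDS,
            "events": group["count"], "sources": len(group["sources"]),
            "confidence": group["confidence"], "reaction": reaction}


def run_pipeline(raw_events):
    """Full pipeline: normalize, aggregate, select a response, emit notifications."""
    events = [normalize(r) for r in raw_events]
    notifications = []
    for key, group in sorted(aggregate(events).items()):
        note = execute(key, group)
        if note is not None:
            notifications.append(note)
    return notifications


# Constructed sample input: six flow-style records plus four IDMEF-like records.
SAMPLE_EVENTS = [
    {"flow": {"start": 960 + i, "sa": f"198.51.100.{i + 1}", "da": "192.0.2.10"}, "label": "syn_flood"}
    for i in range(6)
] + [
    {"CreateTime": 1010, "Source": "198.51.100.7", "Target": "192.0.2.10", "Classification": "syn_flood"},
    {"CreateTime": 1015, "Source": "203.0.113.9", "Target": "192.0.2.10", "Classification": "syn_flood"},
    {"CreateTime": 1000, "Source": "198.51.100.50", "Target": "192.0.2.11", "Classification": "dns_amp"},
    {"CreateTime": 1005, "Source": "198.51.100.51", "Target": "192.0.2.11", "Classification": "dns_amp"},
]

if __name__ == "__main__":
    for n in run_pipeline(SAMPLE_EVENTS):
        print(n)
```

Run as-is, the first target ends up with seven events from seven sources (one blacklisted, one whitelisted source dropped) and full confidence, for which rate limiting at ingress wins over rerouting because of rerouting's higher risk score; the second target only reaches notification. Changing the window, the threshold or the risk weights is the natural place to experiment with the "FP" and "Risk" challenges from page 35.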

Page 43

Flow-based Event Exchange Format (FLEX)

Page 44

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Page 45

Evaluation Methodology

Source: http://www.microgen.com/uk-en/products/microgen-aptitude/v4/microgen-aptitude-business-it-collaboration

Page 46

Ingredients: Insight, Overview, Challenges, Implementation, Evaluation

Page 47

Conclusion

• insight into processes, structures and capabilities
• a hands-on for network operators

Page 48

Conclusion

• FLEX
• framework

Page 49

Discussion

Source: http://www.prosperitycometh.com/wp-content/uploads/2012/11/business_conference_1600_clr_3835.png