Boaz Elgar, Product Manager, November 2002
Confidential, © Riverhead Networks, Inc., 2002 2
Agenda
Some known DDoS attacks
Types of DDoS attacks
Current measures for blocking DDoS
Riverhead Solution overview
Riverhead Profile
Solution: Secure internet availability against crippling DDoS cyber-attacks
Customers: Large enterprises, new media companies, service providers and government organizations
Investors:
HQ: Cupertino, California
Products: Riverhead Guard and Detector - infrastructure security devices
Overview of DDoS attacks
DDoS Incidents Around The Globe
Global: World Economic Forum, CERT
Europe: Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, British Telecom, Cloud9
US: Amazon, Yahoo, CNN, e-Bay, e-Trade, Microsoft, White House, NY Times, NASA, OZ.Net
ROW: 200 small corporations, 30 educational organizations and 20 government systems (Korea), St George Bank (Australia)
Distributed Denial of Service: An Upstream Issue
(diagram: zombies on innocent computers send traffic toward the victim's site)
Server-level DDoS attacks
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks
Server-level DDoS attacks
Layer 4 attacks: exhaust TCP state (SYN received, established, FIN_WAIT_1)
(diagram: packet fields DST, SRC, protocol, CRC, port, SYN/FIN flags; SSL, GET URL and CGI requests to www.victim.com)
Application layer attacks: 404 File Not Found flood, SSL, CGI, DNS bogus request attacks
TCP Level DDoS attacks
TCP SYN flood
(diagram: normal handshake, the client sends a SYN request and the server answers SYN ACK)
(diagram: zombies send spoofed SYN requests to the victim; the victim's SYN ACKs go to the spoofed sources, and the victim's waiting buffer of half-open connections overflows)
• One of the first CERT DDoS advisories issued – 9/1996
• http://www.cert.org/advisories/CA-1996-21.html
TCP SYN Flood
Firenet MD Mr Castle also stated: "The list of attacks were Syn Flood attacks, Ip Spoofing the Lan interfaces, and Total Denial of service attacks. We had taken down the servers for 4 nights in a row, from 11 o'clock till 6.00 am daily and worked all through the night with BT fighting this hacker or hackers, and had stopped the problems on Wednesday night Thursday morning".
News, February 3, 2002: Firenet ISP Suffers DoS Attack
Naptha: TCP connections
By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources and fill the server's TCP connection table.
Leaves many connections in FIN_WAIT_1 state on the server: http://people.internet2.edu/~shalunov/netkill
(diagram: clients send a SYN request, the server answers SYN ACK, the clients send ACK and an HTTP request, then FIN, and never finish the close)
Half open connections
Repeatedly establish a connection and send an unfinished request (for example "GE" instead of a complete "GET"); the server waits for the end of the request, and the application layer saturates.
(diagram: clients send a SYN request, the server answers SYN ACK, then the partial request follows)
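The "waiting buffer overflows" mechanism of the SYN flood slide, as an added example that is not part of the Riverhead deck: a toy server keeps a fixed number of half-open entries, spoofed SYNs never complete the handshake, and a real client is refused until the entries time out. The backlog size, the timeout and all addresses are constructed assumptions; real stacks retransmit the SYN ACK several times before giving up, which only lengthens the hold time, and a real attacker keeps sending so the buffer never drains.

```python
"""Added example, not from the Riverhead deck: a toy model of a server's
half-open connection buffer under a spoofed SYN flood.  Assumptions (mine):
a fixed backlog of half-open entries and a single syn_timeout after which an
unanswered SYN ACK is given up."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int = 128              # half-open entries the server will hold
    syn_timeout: float = 75.0       # seconds before a half-open entry expires
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry
    refused: int = 0                # SYNs dropped because the buffer was full

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def syn(self, now, src_ip, src_port):
        """SYN arrives.  True if a SYN ACK was sent (entry allocated),
        False if the waiting buffer is full and the SYN is dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[(src_ip, src_port)] = now + self.syn_timeout
        return True

    def ack(self, now, src_ip, src_port):
        """Third handshake packet: the entry becomes a full connection and
        leaves the buffer.  Spoofed sources never send this."""
        self._expire(now)
        return self.half_open.pop((src_ip, src_port), None) is not None


def simulate_flood(n_spoofed=200, backlog=128, timeout=75.0):
    """Flood with n_spoofed SYNs from spoofed sources at t=0, then see whether
    a real client can connect during the flood and again after the timeout."""
    srv = Listener(backlog=backlog, syn_timeout=timeout)
    for i in range(n_spoofed):                        # constructed spoofed sources
        srv.syn(0.0, f"10.0.{i // 256}.{i % 256}", 40000 + i)
    held = len(srv.half_open)
    spoofed_dropped = srv.refused
    # a legitimate client (constructed address) while the buffer is full
    legit_during = srv.syn(1.0, "192.0.2.10", 51000) and srv.ack(1.0, "192.0.2.10", 51000)
    # after the timeout the spoofed entries expire and room is freed
    legit_after = (srv.syn(timeout + 1.0, "192.0.2.10", 51001)
                   and srv.ack(timeout + 1.0, "192.0.2.10", 51001))
    return {"held_at_peak": held, "spoofed_dropped": spoofed_dropped,
            "legit_during_flood": legit_during, "legit_after_timeout": legit_after,
            "total_refused": srv.refused}


if __name__ == "__main__":
    print(simulate_flood())
```

The same shape applies to the Naptha and half-open request attacks above: there the entry being held is a full connection or an application worker waiting for the rest of a request, so it is freed by an application timeout rather than a SYN timeout, and the flood needs far fewer packets per second because each one is held for longer.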
HTTP attack tool
First came out in January 1999!
(screenshot: tool fields for the target www.victim.com and the proxy www.proxyserver.com, a "Click to get latest victim" button, "Where to attack", and a control for how fast to attack)
Client attack
URL attacks: repeated request, repeated REFRESH, random URL
• Random URLs avoid the proxy cache, make the server work hard, and bloat the log file
• Expensive targets: CGI, long forms, heavy search requests
http://all.net/journal/netsec/9512.html
Client attack on Lufthansa
“Wednesday morning, in a planned attack, demonstrators began accessing Lufthansa's Web site. Although demonstrators claim they knocked the site off-line for about 10 minutes, Lufthansa said the claim was untrue.”
“Lufthansa's servers got 67,004 hits per second at one point in the two-hour Web attack”
“The attack was planned to protest Lufthansa's contract with the German government to fly people who are denied asylum in Germany out of the country.”
Computerworld 6/21/01
Client attack on WTO
DNS attack
DNS request spoofing, random requests, reflectors
DNS recursive requests, amplification
(diagram: a zombie sends UDP spoofed traffic with bogus names such as www.bogus.com, www.!@$$.com, www.bla-bla.com and www.*&^.com to a DNS server; the replies to the recursive queries go to the spoofed source)
Bandwidth-level DDoS attacks
ICMP echo, ICMP unreachable, UDP flood, reflectors, Smurf flood
Reflectors
(diagram: a zombie works through a list of reflectors (Reflector-1, Reflector-2, Reflector-3, Reflector-4 …), sending each a packet with the victim's address as source; the reflectors, proxies, web servers, DNS servers, SOCKS proxies and routers, answer to the victim)
(diagram: the same with many zombies, each using the same reflector list)
Reflectors -> Bandwidth attack
A reflector is any host that returns a packet when one is sent to it: web servers, DNS servers and routers
• Returns SYN ACK or RST in response to a SYN or other TCP packets with ACK
• ICMP Time Exceeded or Host Unreachable in response to particular IP packets
• Amplification when the attacker knows the sequence number (FTP, streaming…)
• DNS replies
http://grc.com/dos/drdos.htm http://www.aciri.org/vern/papers/reflectors.CCR.01.pdf
Smurf Amplification
(diagram: the zombie sends 1 ping request with src = victim and dst = amp.255, the directed broadcast address of the amp/255.255.255.0 network; each of the ~500 hosts on that segment replies, so the victim receives 500 echo replies for every request sent)
• Jan 1998
• http://www.cert.org/advisories/CA-1998-01.html
Smurf Tool
Came out in March 1999!
Set packet size from 10 to 1300 octets
Smurf attack: "Internet attack slows Web to a crawl; Assault on Oz.net affects entire area", Tuesday, January 18, 2000
"The Seattle attack was most likely launched by a single person…"
"… an ISP serving 7,000 subscribers, is known to have been targeted in the so-called smurf attack in Seattle, the assault affected many, perhaps even most, of the Internet users in the Seattle area, said experts."
"… all the corporate or academic networks the smurf attacker used in the assault -- as many as 2,000 nationwide"
Cisco – stopping Smurf
no ip directed-broadcast
Translation of directed broadcasts to physical MAC broadcasts is disabled on the interface; as of IOS 12.0 this is the default.
Infrastructure-level DDoS attacks
BGP / OSPF / … attacks; SYN flood against TCP 179 (BGP) and SSH; ICMP attacks; DNS attacks
Attacks directly on routers
Attacks directed at routers can have broader impact than attacks directed at hosts
Packets directed at a router may be more CPU-consuming (slow path) than packets transiting a router (fast path)
October 2002: Massive attack on 13 DNS root servers
(diagram: ICMP floods from AS x, AS y and AS 56 converge on the DNS root servers)
ICMP floods, 150K PPS (primitive attack); took down 7 root servers (two hours)
Attacks & Attack Tools examples
TFN: spoofed SYN flood, non-spoofed SYN flood, UDP flood, FIN and SYN ACK flood (spoofed and non-spoofed), ping flood, Smurf flood, combined UDP/TCP/ICMP
Targa3 attack
Fragmentation attacks: IP/UDP (jolt2), IP/ICMP (trash and fawx), IP/TCP
HTTP connection flood (client attack), HTTP errors (404 etc.), HTTP half connections
DNS attacks, BGP attacks on routers
Partial list of covered tools: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naptha, Trash…
How are DDoS handled?
Router Filtering (ACLs, CARs)
Built-in and distributed but…
• Blocks good with bad
• Ineffective against random spoofing and application level attacks
• Potential performance degradation
• Manually intensive process
(diagram: Victim, Server1 and Server2 behind routers R1–R5, with 1000 Mb core links, a 100 Mb FE link and a peering link; the filters sit on the routers)
Cisco ACLs - 1
Use an ACL to determine which interface is being attacked and the characteristics of the attack. Initial ACL to determine what type of attack (every entry permits, so the list classifies and counts without blocking anything; it goes on outbound on the interface toward the victim and is removed after a few seconds because counting and logging cost router CPU):
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit ip any any
interface serial 1/1
ip access-group 101 out
! Wait 10 seconds
no ip access-group 101 out
Cisco ACLs - 2
sh access-l 101
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
• Indications are that there is some sort of ICMP attack (an echo-reply flood, the signature of Smurf)
• Need to place the ACL on each successive router in the upstream path
Cisco ACLs - 3
Next use 'log-input' to determine from where – via 'sho logging':
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
Serial 1/1 is our prime suspect! (the ingress interface in parentheses, not the spoofable source address, is what to trace upstream)
Link: http://www.cisco.com/warp/public/707/22.html
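The three ACL slides above are one procedure: classify the flood from the counters, then find the ingress interface from the 'log-input' records, then repeat on the next router upstream. The following is an added example, not from the deck or from Cisco, that does the first two steps over constructed samples in the same shape as the slides' 'sh access-l' and 'sho logging' output (the extra TCP line in the sample, with ports and a MAC address, is my addition to show the other %SEC-6-IPACCESSLOG* variants parse too):

```python
"""Added example, not from the Riverhead deck: parse Cisco classification-ACL
counters and %SEC-6-IPACCESSLOG* syslog lines to name the attack type and
the ingress interface.  Sample text below is constructed."""
import re
from collections import Counter

# Constructed sample in the shape of the deck's 'sh access-l 101' output
SHOW_ACL = """\
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
"""

# Constructed sample in the shape of the deck's 'sho logging' output; the
# last line (ports, log-input MAC) is added to exercise the other variants.
SYSLOG = """\
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permit tcp 192.168.9.9(1025) (FastEthernet1/0/0 0000.0c12.3456) -> 128.139.6.1(80), 1 packet
"""

ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<match>.+?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\(\d+\))? \((?P<iface>[^\s)]+)[^)]*\) -> (?P<dst>[\d.]+)"
    r".*?, (?P<count>\d+) packets?"
)


def parse_show_access_list(text):
    """Step 1: turn 'show access-list' output into (action, proto, match, hits)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append({"action": m["action"], "proto": m["proto"],
                         "match": m["match"], "matches": int(m["matches"] or 0)})
    return aces


def dominant_ace(text):
    """The entry with the most hits characterises the flood."""
    aces = parse_show_access_list(text)
    return max(aces, key=lambda a: a["matches"]) if aces else None


def parse_log(text):
    """Step 2: parse the %SEC-6-IPACCESSLOG* lines produced by 'log-input'."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            hits.append(rec)
    return hits


def interface_counts(text, proto=None):
    """Packets per ingress interface, optionally for one protocol only.
    Sources are counted nowhere: under random spoofing they mean nothing."""
    c = Counter()
    for h in parse_log(text):
        if proto is None or h["proto"] == proto:
            c[h["iface"]] += h["count"]
    return c


def suspect_interface(text, proto=None):
    """The interface the flood enters on: the next hop of the upstream trace."""
    c = interface_counts(text, proto)
    return c.most_common(1)[0][0] if c else None


def triage(show_text, log_text):
    d = dominant_ace(show_text)
    proto = d["proto"] if d else None
    return {"attack": d, "ingress": suspect_interface(log_text, proto),
            "per_interface": dict(interface_counts(log_text, proto))}


if __name__ == "__main__":
    print(triage(SHOW_ACL, SYSLOG))
```

Filtering the log by the dominant protocol matters: the one FastEthernet entry in the sample is a legitimate TCP hit, and counting it would not change the answer here but can on a busy router.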
Cisco CAR
CAR – Committed Access Rate
interface ATM1/1/0.21 point-to-point
rate-limit input access-group 180 96000 24000 32000 conform-action continue exceed-action drop
rate-limit input access-group 190 128000 30000 30000 conform-action transmit exceed-action drop
!
access-list 180 deny icmp 128.139.252.0 0.0.0.255 any
access-list 180 permit icmp any any
access-list 190 deny tcp any any established
access-list 190 permit tcp any any
The three numbers are b/w (bits per second), normal burst (in bytes) and max burst (in bytes). Traffic the access list permits is subject to the limit; traffic it denies falls through to the next rate-limit statement. Here ICMP (except from 128.139.252.0/24) is held to 96 kbps, and TCP packets that are not part of an established connection (the SYNs) to 128 kbps.
No one really understands "burst" – best to read: http://www.nanog.org/mtg-9811/ppt/witt/index.htm
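To make "normal burst" concrete, here is an added example, not from the deck or from Cisco: a token-bucket model of the 96000 / 24000 line above. It assumes the rate is in bits per second, the normal burst in bytes is the bucket depth, the bucket starts full and refills continuously; Cisco's extended burst (the third number, 32000) uses a compounded-debt scheme that is deliberately not modelled, so anything that does not fit in the normal burst counts as exceed. The traffic patterns are constructed.

```python
"""Added example, not from the Riverhead deck or Cisco: a token-bucket model
of CAR's normal burst.  Extended burst is not modelled."""


class TokenBucket:
    def __init__(self, rate_bps, normal_burst_bytes):
        self.rate = rate_bps / 8.0            # bytes per second of credit
        self.depth = float(normal_burst_bytes)
        self.tokens = self.depth              # starts full
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def offer(self, now, size):
        """'conform' or 'exceed' for a packet of `size` bytes arriving at `now` (s)."""
        self._refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return "conform"
        return "exceed"


def classify(packets, rate_bps=96000, normal_burst=24000):
    """packets: iterable of (time_s, size_bytes) in arrival order."""
    tb = TokenBucket(rate_bps, normal_burst)
    return [tb.offer(t, s) for t, s in packets]


def burst_then_pause():
    """Constructed traffic: 30 x 1000-byte ICMP packets at t=0, then 15 more
    after a one-second pause, against the 96 kbps / 24000-byte line."""
    decisions = classify([(0.0, 1000)] * 30 + [(1.0, 1000)] * 15)
    return {"burst_conform": decisions[:30].count("conform"),
            "burst_exceed": decisions[:30].count("exceed"),
            "after_pause_conform": decisions[30:].count("conform"),
            "after_pause_exceed": decisions[30:].count("exceed")}


def steady_stream(pps, size, seconds, rate_bps=96000, normal_burst=24000):
    """Constructed steady stream of `pps` packets/s of `size` bytes; returns
    (conform, exceed).  At or below the rate everything conforms; above it,
    once the burst credit is spent only the committed share gets through."""
    packets = [(k / pps, size) for k in range(pps * seconds)]
    d = classify(packets, rate_bps, normal_burst)
    return d.count("conform"), d.count("exceed")


if __name__ == "__main__":
    print(burst_then_pause())
    print(steady_stream(4, 3000, 10), steady_stream(8, 3000, 10))
```

The second call shows the "also limits good traffic" caveat from the capabilities slide: at twice the committed rate the bucket only protects the first 15 packets, after which every other packet is dropped regardless of whether it was attack or legitimate.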
Cisco uRPF
(flowchart: a packet with source address S arrives at Router A from Router B; check S in the routing table; does routing back to the source go through the same interface the packet came in on? Path back on this line: accept the packet. Path via a different interface: reject the packet.)
Cisco uRPF - 1
Unicast Reverse Path Forwarding requires CEF. Available starting in 11.1(17)CC and 12.0; not available in 11.2 or 11.3 images.
Cisco interface command: ip verify unicast rpf
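The flowchart above as an added example, not from the deck or from Cisco: the uRPF decision written as a longest-prefix-match check against a routing table. The table, interface names and addresses are constructed; the allow_default switch mirrors the IOS allow-default keyword (without it, a default route does not satisfy the check), and the loose mode at the end is a generalisation the deck does not cover. The example also shows the caveat behind the capabilities slide's "limited attacks protection": strict uRPF rejects legitimate packets whenever the path back to the source is asymmetric.

```python
"""Added example, not from the Riverhead deck or Cisco: strict and loose uRPF
as a longest-prefix-match check.  Routing table and addresses are constructed."""
import ipaddress

ROUTES = [                                   # (prefix, interface it is reached through)
    ("0.0.0.0/0",       "Serial1/1"),        # default route toward the upstream
    ("192.168.0.0/16",  "FastEthernet0/0"),  # customer side
    ("192.168.5.0/24",  "Serial1/2"),        # one customer subnet on a second link
    ("198.51.100.0/24", "Null0"),            # a blackholed prefix
]


class Rib:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr, allow_default=False):
        """Longest-prefix match on `addr`; returns the egress interface or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best is None or (best[0].prefixlen == 0 and not allow_default):
            return None
        return best[1]

    def strict_urpf(self, src, ingress, allow_default=False):
        """The deck's flowchart: accept only if the route back to the source
        leaves through the interface the packet arrived on."""
        via = self.lookup(src, allow_default)
        if via is None:
            return ("reject", "no route back to source")
        if via == "Null0":
            return ("reject", "source is routed to Null0")
        if via == ingress:
            return ("accept", "route back via " + via)
        return ("reject", "route back via %s, packet arrived on %s" % (via, ingress))

    def loose_urpf(self, src, allow_default=False):
        """Loose mode: accept if any real route to the source exists at all."""
        via = self.lookup(src, allow_default)
        ok = via not in (None, "Null0")
        return ("accept" if ok else "reject", "route via %s" % via)


def filter_ingress(rib, packets, ingress, allow_default=False):
    """Apply strict uRPF to (src, dst) packets arriving on one interface;
    returns (accepted, rejected)."""
    accepted = rejected = 0
    for src, _dst in packets:
        if rib.strict_urpf(src, ingress, allow_default)[0] == "accept":
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


# Constructed flood arriving from the upstream: 50 packets whose sources are
# forged out of the customer's own 192.168.0.0/16 space, plus 10 packets
# from real outside addresses that only the default route covers.
FLOOD = [("192.168.%d.%d" % (i % 200, i % 250 + 1), "192.168.1.10") for i in range(50)] \
      + [("203.0.113.%d" % (i + 1), "192.168.1.10") for i in range(10)]

if __name__ == "__main__":
    rib = Rib(ROUTES)
    print(filter_ingress(rib, FLOOD, "Serial1/1"))
    print(filter_ingress(rib, FLOOD, "Serial1/1", allow_default=True))
```

On the upstream-facing interface the spoofed customer-space sources are rejected either way, but without allow_default the real outside sources are rejected too, because the only route back to them is the default; that is why strict uRPF is usually placed on customer-facing interfaces, where the source space is known, and why it stops only spoofing, not a flood from real addresses.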
Blackholing
(diagram: Victim, Server1 and Server2 behind routers R1–R5 with 1000 Mb core links, a 100 Mb FE link and a peering link; the victim's traffic is dropped at the routers)
= Disconnecting the customer
Null0 routing
Works only on destination addresses
Simple blackhole: ip route 191.1.1.1 255.255.255.255 null0
Caveat: routers can forward faster than they can drop packets (configure no ip unreachables on Null0 so the router does not spend CPU generating an ICMP unreachable for every dropped packet)
Blackholes good packets with bad packets
Router Capabilities
ACLs: manual process; performance impact on some routers; blocks good along with the bad
CAR: performance impact on some routers; also limits good traffic
uRPF: not enforced; limited attack protection
Issue:
• Too coarse – affects good as well as bad traffic
• Router CPU/ASIC limitations – impacts performance
• Ineffective on several different attacks
In-line Mitigation: Edge Device
Low cost and simple deployment, but…
• Upstream ingress still choked
• Device itself becomes point of failure
• Doesn't scale – requires many
• Easy to overwhelm a FW
(diagram: Victim, Server1 and Server2 behind routers R1–R5 with 1000 Mb core links, a 100 Mb FE link and a peering link; the in-line device sits at the edge in front of the servers)
Diversion and Precise Filtering
Protects all resources
• No point of failure or latency on critical path
• No router impact
• Scales via sharing
• Dynamic and precise filtering
(diagram: the Guard hangs off R4, beside the path; Victim, Server1 and Server2 behind routers R1–R5 with 1000 Mb core links and a 100 Mb link)
Solution Overview
(diagram: Victim and non-victimized servers behind the edge; DDoS Detection = Riverhead Detector, DDoS Protection = Riverhead Guard, placed upstream = not on the critical path)
Solution Overview
1. Detect: Riverhead Detector, or an IDS system, firewall or health checks
2. Activate: auto/manual
3. Divert only the victim's traffic (BGP announcement from the Riverhead Guard)
(diagram: Riverhead Guard, Victim, non-victimized servers)
Solution Overview
(diagram: Riverhead Guard, Victim, non-victimized servers)
Traffic destined to the victim is hijacked to the Guard; only the legitimate traffic to the victim is injected back.
Hijack traffic = BGP (the Guard announces a more-specific route for the victim)
Inject = GRE, VRF, VLAN, FBF, PBR… (a return path that is not itself subject to the diversion)
"No dynamic configuration" on the routers
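The Null0 blackhole slide and the diversion slides above describe two uses of the same routing primitive, a /32 that wins longest-prefix match. As an added example, not from the deck and not Riverhead's code, the following models both on one constructed forwarding table and shows what each does to the victim's legitimate traffic, to the attack traffic and to a neighbouring server. Addresses, next-hop names and the 'legit' flag (a stand-in for the Guard's own filtering, which the deck does not detail) are assumptions.

```python
"""Added example, not from the Riverhead deck: Null0 blackhole versus Guard
diversion, modelled as longest-prefix-match forwarding.  All names are constructed."""
import ipaddress

VICTIM = "192.0.2.10"     # assumed address of the attacked server
OTHER = "192.0.2.20"      # assumed non-victim server in the same /24

NORMAL = {"192.0.2.0/24": "datacenter"}   # constructed table of the diversion router


def lpm(table, dst):
    """Longest-prefix match: prefix -> next hop, or None if no route."""
    a = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if a in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def blackhole(table, victim):
    """The deck's 'ip route <victim> 255.255.255.255 null0'."""
    t = dict(table)
    t[victim + "/32"] = "Null0"
    return t


def divert(table, victim):
    """The Guard's BGP announcement of the victim /32: the more specific
    route wins, so only the victim's traffic leaves the normal path."""
    t = dict(table)
    t[victim + "/32"] = "Guard"
    return t


def deliver(table, pkt, inject_table):
    """Forward one packet {'dst', 'legit'}.  Traffic that lands on the Guard is
    filtered; what survives is injected toward the victim through a separate
    path (GRE tunnel / VRF in the deck) whose table must not carry the /32."""
    nh = lpm(table, pkt["dst"])
    if nh is None:
        return "dropped(no route)"
    if nh == "Null0":
        return "dropped(Null0)"
    if nh == "Guard":
        if not pkt["legit"]:          # stand-in for the Guard's filtering
            return "dropped(Guard)"
        return "delivered via Guard -> " + str(lpm(inject_table, pkt["dst"]))
    return "delivered via " + nh


def injection_loops(main_table, inject_table, victim):
    """True if injected traffic would be diverted to the Guard again, which is
    what happens if the return path uses the same table as the hijack."""
    return lpm(inject_table, victim) == "Guard"


def compare():
    """Three constructed packets under the three router states."""
    pkts = {"legit->victim": {"dst": VICTIM, "legit": True},
            "attack->victim": {"dst": VICTIM, "legit": False},
            "legit->other": {"dst": OTHER, "legit": True}}
    states = {"normal": NORMAL,
              "blackhole": blackhole(NORMAL, VICTIM),
              "diversion": divert(NORMAL, VICTIM)}
    return {state: {name: deliver(table, p, NORMAL) for name, p in pkts.items()}
            for state, table in states.items()}


if __name__ == "__main__":
    for state, result in compare().items():
        print(state, result)
```

The injection table is the one without the /32; passing the diverted table as the return path makes injection_loops() report the loop that a GRE tunnel or separate VRF exists to avoid.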
Adaptive and Dynamic Filtering
Static & dynamic filters: 1 to 100s of dynamic filters by flow, protocol, …
Anti-spoofing
Statistical analysis
Rate-limiting & DDoS traffic shaping: per-flow queues and aggregate rates
Layer 7: http, smtp
ISP Perimeter Protection
ISP Edge Protection
IDC Enterprise Protection
Actual Production Network
(diagram: ISP 1 and ISP 2 feed GSR 12000 routers (Cisco, Juniper, Foundry, etc.) and Catalyst 8500 switches (Cisco, Foundry); a firewall fronts the internal network; the Riverhead Guard attaches over Gigabit Ethernet; Catalyst IDS and other IDS sensors (Riverhead or other detectors) raise the alert; the customers' servers sit behind the switches)
Live Data Center Test
(diagram: attackers at Mercury Interactive; victim & Guard at an actual hosting center, Netax, Philadelphia; user experience measured from client machines)
Real World Results
Detailed Effect: Victim vs Non-victim
(plot: latency in usec on a log scale from 100 to 10000 against time, through the normal, attack and attack + diversion phases; latency to victim vs latency to non-victim)