Solutions For Denial of Service (DoS) Minimization
Ian Quinn
APRICOT 2001, Kuala Lumpur, Malaysia
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential
Agenda
- The Impact Of Denial of Service (DoS)
- Detecting And Minimising DoS
- SMURF Attacks
- SYN Attacks
- Infrastructure Requirements
- Proactive Measures
Popular Points Of Attack And Pressure
Actual targets:
- Customers
- Datacenters
- ISP servers
- Infrastructure (eg routers)
Additional pressure points:
- Access circuits
- Peering points
- Low bandwidth core links
[Diagram: service providers and regional/national backbones, with customers on access circuits, the data center, peering points and core infrastructure marked as the points of attack and pressure]
What Are The Threats To A Service Provider
- Disruption of customer networks
  - Desirable to be able to assist customer
- Consumption of bandwidth
  - Lower bandwidth links susceptible
  - Often a big problem in Asia Pacific
- Network stability
  - Frequently a problem for older platforms
  - Related to additional workload, and performance headroom
- All affect service delivered
Emergence Of Distributed Denial Of Service (DDoS)
- Targeted largely at servers
- Harnessed networks of compromised machines
Specific Impact Of DoS In Asia Pacific
[Diagram: DoS attacks crossing Tier 1 providers in the United States and reaching Service Provider 1, Service Provider 2 and Service Provider 3 in Australia and New Zealand]
Impacts Of Security Incidents
- Customer service levels
  - Internet access, web farms, ecommerce
  - Especially if impact is repeated
- Support overhead
  - Especially in isolating and blocking Denial of Service (DoS) attacks
- Service provider reputation
- Service Level Agreement (SLA) breaches
  - SLA increasingly being offered
  - Multi-service networks change the game
- STRESS!!!
Generic Approach To DoS Attacks
- Use statistics to detect attack in progress
- Use sampling or logging to capture traffic for analysis
- Isolate attack
  - Attack type
  - Source (often difficult or impractical)
  - Destination
- Block or traceback the attack using filters
  - Filter on destination and protocols
  - Drop traffic or rate limit
Detecting Attacks
- Sudden changes in traffic profiles
  - Average packet size changes
  - Link utilisation increases
  - Traffic by destination address (source address normally forged or distributed)
- Generate alarms in response to changes
  - Alarm for closer human inspection
  - Overview easily available for NOC staff
  - Migrate to some level of automated response
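The two slides above describe the generic method: capture sampled traffic, compare its profile against a baseline (average packet size, packet rate, concentration on one destination address) and raise an alarm for NOC staff. The script below is an added example, not part of the original presentation or of any Juniper tool: it runs that comparison over a constructed set of sampled packet records (interface names, addresses and sizes are all made up for the example) and, because the source addresses are assumed forged, it groups the suspect traffic by ingress interface instead of by source, which is the information the trace-back step later in the deck relies on.

```python
from collections import Counter

# Constructed sampled-packet records: (ingress_interface, src, dst, proto, bytes).
# Both windows are assumed to cover 10 seconds of sampled traffic.
BASELINE = [
    ("so-0/0/0", "192.0.2.10", "10.10.10.5", "tcp", 1400),
    ("so-0/0/0", "192.0.2.11", "10.10.10.7", "tcp", 600),
    ("so-0/0/1", "198.51.100.4", "10.10.10.5", "udp", 300),
    ("so-0/0/0", "192.0.2.12", "10.10.10.9", "tcp", 1200),
    ("so-0/0/1", "198.51.100.9", "10.10.10.7", "tcp", 800),
    ("so-0/0/0", "192.0.2.13", "10.10.10.5", "tcp", 500),
]

CURRENT = [
    ("so-0/0/0", "192.0.2.10", "10.10.10.5", "tcp", 1400),
    ("so-0/0/0", "192.0.2.11", "10.10.10.7", "tcp", 600),
    ("so-0/0/1", "198.51.100.4", "10.10.10.9", "udp", 300),
    ("so-0/0/0", "192.0.2.12", "10.10.10.7", "tcp", 1100),
] + [
    # 16 minimum-size TCP packets from scattered (constructed, presumably
    # forged) sources, all entering on so-0/0/1 and all aimed at 10.10.10.5.
    ("so-0/0/1", "203.0.113.%d" % (i + 1), "10.10.10.5", "tcp", 60)
    for i in range(16)
]


def profile(records, window_s):
    """Summarise one window: packet rate, average size, per-destination counts."""
    packets = len(records)
    total_bytes = sum(r[4] for r in records)
    return {
        "packets": packets,
        "pps": packets / window_s,
        "avg_size": total_bytes / packets if packets else 0.0,
        "by_dst": Counter(r[2] for r in records),
    }


def compare(baseline, current, window_s, size_drop=0.5, rate_rise=2.0, dst_share=0.6):
    """Flag the profile changes the slide lists and say where the traffic enters.

    Thresholds are assumed values: alarm when average packet size falls below
    half the baseline, packet rate more than doubles, or one destination
    receives more than 60% of sampled packets.
    """
    b, c = profile(baseline, window_s), profile(current, window_s)
    findings = []
    if c["avg_size"] < b["avg_size"] * size_drop:
        findings.append("average packet size fell from %.0f to %.0f bytes"
                        % (b["avg_size"], c["avg_size"]))
    if c["pps"] > b["pps"] * rate_rise:
        findings.append("packet rate rose from %.2f to %.2f pps" % (b["pps"], c["pps"]))
    top_dst, top_n = c["by_dst"].most_common(1)[0]
    share = top_n / c["packets"]
    if share > dst_share:
        findings.append("%.0f%% of packets target %s" % (share * 100, top_dst))
    # Source addresses are assumed forged, so isolate by ingress interface:
    # this is what tells the NOC which upstream to contact next.
    ingress = Counter(r[0] for r in current if r[2] == top_dst)
    return {
        "alarm": bool(findings),
        "findings": findings,
        "top_dst": top_dst,
        "dst_share": share,
        "ingress_for_top_dst": dict(ingress),
    }


if __name__ == "__main__":
    result = compare(BASELINE, CURRENT, window_s=10)
    print("ALARM" if result["alarm"] else "ok")
    for line in result["findings"]:
        print(" -", line)
    print("ingress interfaces carrying traffic to", result["top_dst"],
          result["ingress_for_top_dst"])
```

Thresholds in practice come from each site's own baseline; the point of the example is the shape of the check (compare against a baseline, then isolate by destination and ingress rather than by source), not the specific numbers.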
Complicating Factors With DoS
- Distinguishing DoS traffic from normal usage
- Forged source address
  - More difficult to isolate and track attack
- Distributed attacks
  - Attack could enter from multiple points
  - Difficult to track back and shut down
- Blocking attacks that match valid traffic
  - Disruption of normal service
SMURF Attacks
- The attacker sends a broadcast ping to an intermediary subnet using a forged source address
- The forged source address belongs to the target of the attack
- The result is an over-burdened CPU on the target server and over-utilized access trunks
[Diagram: attacker's workstation, intermediary hosts (several on the same subnet), and the data server that receives the replies]
Dealing With SMURF Attacks
- Detection is achieved by using the count action within firewall filters
- The filtering is achieved by changing the accept to a discard
- The log action assists in the tracing
term a {
    from {
        destination-address {
            10.1.1.0/24;
        }
        protocol icmp;
    }
    then {
        count icmp-counter;
        log;
        accept;
    }
}
term b {
    then accept;
}
Dealing With SMURF Attacks
- Once the filter is applied to the interface, you can view the firewall counters
- If the ICMP counter increments quickly, an attack is underway
Dealing With SMURF Attacks
- Stopping the attack is a matter of changing the accept action to a discard
- Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient approach
  - Bandwidth resources are still wasted
- Also apply this filter at AS boundaries where the targeted host resides
Where Did That SMURF Come From?
- Finding the bad guy is not easy
- View show firewall log to see source addresses of ICMP traffic; however, this step identifies only the intermediary, not the attacker
- Contact the owner of the intermediary and ask him to
  - Disable broadcast pings
  - Track back the pings to the attacker
SYN Attacks
- The attacker sends a stream of SYNs to the server under attack using a forged source address
- The forged source address is unused by anyone
- The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks
[Diagram: attacker sending SYNs to the data server]
SYN Attacks
- During a SYN attack, the SYN-ACK never reaches the client
- Sockets remain open on the server
- The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks
[Diagram: correct three-way handshake; Client --SYN--> Server, Client <--SYN-ACK-- Server, Client --ACK--> Server]
Dealing With SYN Attacks
- Detection is achieved by configuring a firewall filter to count TCP versus SYN traffic
- Tracing is achieved by leveraging the sampling capability to derive the incoming interface
Details Of The Detection Process
- Once the filter is applied to the interface, you can view the counters
- If the ratio of SYN to TCP is high (> 1:5), a SYN attack is underway

unit 0 {
    family inet {
        filter {
            output detect-syn-attack;
        }
        address 10.10.10.1/24;
    }
}

user@host# run show firewall
Filter/Counter        Packet count    Byte count
detect-syn-attack
tcp-packets           289144          86743200
syn-packets           56388           16916640
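The SMURF and SYN detection slides both boil down to reading firewall counters: alarm when a counter "increments quickly", or when the SYN-to-TCP packet ratio exceeds 1:5. The script below is an added example, not part of the presentation or of any Juniper product: it parses two snapshots of `show firewall` output of the shape shown above (the first snapshot repeats the slide's numbers; the second, and the 60-second interval between them, are constructed), computes the cumulative ratio the slide reads, the ratio over just the interval, and the SYN packet rate, and tolerates a counter having been cleared between readings. The per-second rate threshold is an assumed value, and the same delta logic applies to the SMURF slide's icmp-counter. The definition of the detect-syn-attack filter itself is not on the page and is not assumed here.

```python
import re

# Constructed sample output, modelled on the slide's `show firewall` display.
# The second snapshot is assumed to be taken 60 s after the first; its values
# are made up to show a burst of SYNs toward the server.
SNAPSHOT_T0 = """\
Filter/Counter        Packet count    Byte count
detect-syn-attack
tcp-packets           289144          86743200
syn-packets           56388           16916640
"""

SNAPSHOT_T1 = """\
Filter/Counter        Packet count    Byte count
detect-syn-attack
tcp-packets           349144          104743200
syn-packets           101388          30416640
"""

SYN_RATIO_THRESHOLD = 1 / 5      # slide: SYN:TCP above 1:5 indicates a SYN attack
SYN_RATE_THRESHOLD_PPS = 500.0   # assumed site-specific value for "increments quickly"

_COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_firewall(text):
    """Parse `show firewall` output into {filter: {counter: (packets, bytes)}}.

    A line ending in two integers is a counter row; any other non-header line
    is taken as the name of the filter owning the rows beneath it.
    """
    filters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Filter/Counter"):
            continue
        m = _COUNTER_LINE.match(line)
        if m and current is not None:
            filters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        else:
            current = line
            filters.setdefault(current, {})
    return filters


def counter_delta(before, after):
    """Packets seen between two readings, tolerating a counter clear in between."""
    return after - before if after >= before else after


def syn_ratio(counters):
    """Cumulative SYN-to-TCP ratio, as the slide reads it straight off the counters."""
    tcp = counters["tcp-packets"][0]
    return counters["syn-packets"][0] / tcp if tcp else 0.0


def assess(before_text, after_text, filter_name, interval_s):
    """Compare two snapshots and decide whether the NOC should be alarmed.

    The interval ratio catches a fresh burst that a long-lived cumulative
    counter would dilute; the packet rate is the "increments quickly" test.
    """
    before = parse_show_firewall(before_text)[filter_name]
    after = parse_show_firewall(after_text)[filter_name]
    d_tcp = counter_delta(before["tcp-packets"][0], after["tcp-packets"][0])
    d_syn = counter_delta(before["syn-packets"][0], after["syn-packets"][0])
    interval_ratio = d_syn / d_tcp if d_tcp else 0.0
    syn_pps = d_syn / interval_s
    reasons = []
    if interval_ratio > SYN_RATIO_THRESHOLD:
        reasons.append("SYN:TCP ratio %.2f over the interval exceeds 1:5" % interval_ratio)
    if syn_pps > SYN_RATE_THRESHOLD_PPS:
        reasons.append("SYN rate %.0f pps exceeds %.0f pps" % (syn_pps, SYN_RATE_THRESHOLD_PPS))
    return {
        "cumulative_ratio": syn_ratio(after),
        "interval_ratio": interval_ratio,
        "syn_pps": syn_pps,
        "alarm": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = assess(SNAPSHOT_T0, SNAPSHOT_T1, "detect-syn-attack", interval_s=60)
    print("ALARM" if result["alarm"] else "ok")
    for line in result["reasons"]:
        print(" -", line)
```

Note that the slide's own numbers give a cumulative ratio just under 1:5 (56388 / 289144 is about 0.195), which is why the interval-based reading is worth having: a server that has been up for days accumulates enough legitimate TCP packets to hide a fresh flood inside the cumulative ratio.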
Dealing With SYN Attacks
- Stopping the attack is usually not an option
  - If the attack is not distributed, you can change the accept action to discard and apply it to the ingress of all AS boundary routers
  - If the attack is distributed, filtering SYNs also effectively shuts down the server
- Tracing the attack requires co-operation with peers of the network under attack
  - Examining the sampled output reveals the incoming interface
  - Repeat this process until the source is found
Infrastructure Requirements
- Sufficient forwarding capacity in times of stress
  - Large numbers of small packets
- Filtering to detect and block attacks
  - Filter on significant ICMP/IP/TCP/UDP fields
  - Implement consistently on all interface types, including logical interfaces (eg VLAN)
  - Sufficient performance to permit NOC to enable
- Rate limiting
  - Rate limit based on significant ICMP/IP/TCP/UDP fields
  - Sufficient performance to permit NOC to enable
- Sampling and logging for additional insight
Pro-active Approaches
- More reliable and secure network
- Policy at AS boundaries to detect and minimize the effects of DoS attacks
- Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack
[Diagram: attack traffic arriving through a switch toward a host]
Proactive Planning
- Establish procedures for detecting security events
- Pre-plan response
  - Techniques for isolating problem, tracking it through the network to a source
  - Standard responses to alleviate impact to service
- Train staff and practice
- Document and update a security poli