Solutions For Denial of Service (DoS) Minimization. Ian Quinn, APRICOT 2001, Kuala Lumpur, Malaysia

Juniper Networks Customer Presentation


Page 1: Juniper Networks Customer Presentation

Solutions For Denial of Service (DoS) Minimization

Ian Quinn, APRICOT 2001

Kuala Lumpur, Malaysia

Page 2: Juniper Networks Customer Presentation

Agenda

- The Impact Of Denial of Service (DoS)
- Detecting And Minimising DoS
  - SMURF Attacks
  - SYN Attacks
- Infrastructure Requirements
- Proactive Measures

Page 3: Juniper Networks Customer Presentation

Juniper Networks, Inc. Copyright © 2000 - Proprietary & Confidential 3

Popular Points Of Attack And Pressure

[Diagram labels: Service Providers & Regional/National Backbones, Customers On Access Circuits, Data Center, Peering Points, Core Infrastructure]

Actual Targets
- Customers
- Datacenters
- ISP servers
- Infrastructure (eg routers)

Additional Pressure Points
- Access circuits
- Peering points
- Low bandwidth core links

Page 4: Juniper Networks Customer Presentation


What Are The Threats To A Service Provider?

- Disruption of customer networks: desirable to be able to assist the customer
- Consumption of bandwidth: lower bandwidth links are susceptible; often a big problem in Asia Pacific
- Network stability: frequently a problem for older platforms; related to additional workload and performance headroom

All affect the service delivered

Page 5: Juniper Networks Customer Presentation


Emergence Of Distributed Denial Of Service (DDoS)

- Targeted largely at servers
- Harnessed networks of compromised machines

Page 6: Juniper Networks Customer Presentation


Specific Impact Of DoS In Asia Pacific

[Diagram labels: Service Provider 1, Service Provider 2, Service Provider 3, Tier 1 Provider (three instances), Australia, New Zealand, United States, DoS Attack (two instances)]

Page 7: Juniper Networks Customer Presentation


Impacts Of Security Incidents

- Customer service levels: Internet access, web farms, ecommerce; especially if the impact is repeated
- Support overhead: especially in isolating and blocking Denial of Service (DoS) attacks
- Service provider reputation
- Service Level Agreement (SLA) breaches: SLAs increasingly being offered; multi-service networks change the game

STRESS!!!


Page 9: Juniper Networks Customer Presentation


Generic Approach To DoS Attacks

- Use statistics to detect an attack in progress
- Use sampling or logging to capture traffic for analysis
- Isolate the attack: attack type; source (often difficult or impractical); destination
- Block or trace back the attack using filters: filter on destination and protocols; drop traffic or rate limit

Page 10: Juniper Networks Customer Presentation


Detecting Attacks

- Sudden changes in traffic profiles: average packet size changes; link utilisation increases; traffic by destination address
- Source address normally forged or distributed
- Generate alarms in response to changes: alarm for closer human inspection; overview easily available for NOC staff; migrate to some level of automated response

Page 11: Juniper Networks Customer Presentation


Complicating Factors With DoS

- Distinguishing DoS traffic from normal usage
- Forged source address: more difficult to isolate and track the attack
- Distributed attacks: the attack could enter from multiple points; difficult to track back and shut down
- Blocking attacks that match valid traffic: disruption of normal service


Page 13: Juniper Networks Customer Presentation


SMURF Attacks

The attacker sends a broadcast ping to an intermediary subnet using a forged source address

The forged source address belongs to the target of the attack

The result is an over-burdened CPU on the target server and over-utilized access trunks

[Diagram labels: Attacker's Work Station, Intermediary Hosts (Several on Same Subnet), Data Server]

Page 14: Juniper Networks Customer Presentation


Dealing With SMURF Attacks

- Detection is achieved by using the count action within firewall filters
- The filtering is achieved by changing the accept to a discard
- The log action assists in the tracing

    /* filter name as referenced by the interface configuration on the next slide */
    filter count-icmp {
        term a {
            from {
                destination-address {
                    10.1.1.0/24;
                }
                protocol icmp;
            }
            then {
                count icmp-counter;
                log;
                accept;
            }
        }
        term b {
            then accept;
        }
    }

Page 15: Juniper Networks Customer Presentation


Dealing With SMURF Attacks

- Once the filter is applied to the interface, you can view the firewall counters
- If the ICMP counter increments quickly, an attack is underway

    unit 0 {
        family inet {
            filter {
                output count-icmp;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark> show firewall
    Filter/Counter       Packet count   Byte count
    count-icmp
      icmp-counter       78516          5025000

Page 16: Juniper Networks Customer Presentation


Dealing With SMURF Attacks

- Stopping the attack is a matter of changing the accept action to a discard
- Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient: bandwidth resources are still wasted
- Also apply this filter at the AS boundaries where the targeted host resides

Page 17: Juniper Networks Customer Presentation


Where Did That SMURF Come From?

- Finding the bad guy is not easy
- View show firewall log to see source addresses of ICMP traffic; however, this step identifies only the intermediary, not the attacker
- Contact the owner of the intermediary and ask him to: disable broadcast pings; track back the pings to the attacker


Page 19: Juniper Networks Customer Presentation


SYN Attacks

The attacker sends a stream of SYNs to the server under attack using a forged source address

The forged source address is unused by anyone

The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks

[Diagram labels: Attacker, Data Server]

Page 20: Juniper Networks Customer Presentation


SYN Attacks

- During a SYN attack, the SYN-ACK never reaches the client
- Sockets remain open on the server
- The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks

Correct Three-way Handshake

    Client                            Server
      SYN      -------------------->
               <--------------------  SYN-ACK
      ACK      -------------------->

Page 21: Juniper Networks Customer Presentation


Dealing With SYN Attacks

- Detection is achieved by configuring a firewall filter to count TCP versus SYN traffic
- Tracing is achieved by leveraging the sampling capability to derive the incoming interface

    /* filter name as referenced by the interface configuration on the next slide;
       the tcp-flags keyword is lowercase in Junos, so "syn" rather than "SYN" */
    filter detect-syn-attack {
        term a {
            from {
                protocol tcp;
                tcp-flags syn;
            }
            then {
                count syn-packets;
                accept;
            }
        }
        term b {
            from {
                protocol tcp;
            }
            then {
                count tcp-packets;
                accept;
            }
        }
    }

Page 22: Juniper Networks Customer Presentation


Details Of The Detection Process

- Once the filter is applied to the interface, you can view the counters
- If the ratio of SYN to TCP is high (> 1:5), a SYN attack is underway

    unit 0 {
        family inet {
            filter {
                output detect-syn-attack;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark# run show firewall
    Filter/Counter       Packet count   Byte count
    detect-syn-attack
      tcp-packets        289144         86743200
      syn-packets        56388          16916640
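Both heuristics in this section, the quickly incrementing icmp-counter on the SMURF slides and the SYN-to-TCP ratio here, come down to comparing two counter snapshots. The script below is an added example, not from the deck or from Juniper: it parses show firewall output in the layout shown on these slides (a constructed sample; the first snapshot reuses the slide's figures, the second is invented), diffs the counters over the polling interval, and raises an alarm when the ICMP packet rate or the SYN share of TCP exceeds assumed thresholds (10,000 pps and 0.2). Because term a accepts SYN packets before term b runs, tcp-packets counts only non-SYN TCP, which the share calculation accounts for.

```python
import re
# Constructed sample "show firewall" output in the slides' layout. T0 reuses the
# deck's figures; T1 is an invented second snapshot taken 10 seconds later.
SNAPSHOT_T0 = """\
Filter/Counter       Packet count   Byte count
count-icmp
  icmp-counter       78516          5025000
detect-syn-attack
  tcp-packets        289144         86743200
  syn-packets        56388          16916640
"""
SNAPSHOT_T1 = """\
Filter/Counter       Packet count   Byte count
count-icmp
  icmp-counter       328516         21025000
detect-syn-attack
  tcp-packets        299144         89743200
  syn-packets        96388          28916640
"""
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
def parse_show_firewall(text):
    """Return {filter: {counter: (packets, bytes)}}."""
    filters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Filter/Counter"):
            continue
        m = ROW.match(line)
        if m and current is not None:
            filters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        else:                       # a bare name starts a new filter section
            current, filters[line] = line, {}
    return filters
def packet_delta(before, after, filt, counter):
    # counters are cumulative since the last clear, so diff two snapshots
    return after[filt][counter][0] - before[filt][counter][0]
def assess(before, after, seconds, icmp_pps_limit=10000, syn_share_limit=0.2):
    """Apply both slide heuristics to one polling interval; return alarms."""
    alarms = []
    icmp_pps = packet_delta(before, after, "count-icmp", "icmp-counter") / seconds
    if icmp_pps > icmp_pps_limit:
        alarms.append(f"SMURF? icmp-counter rising at {icmp_pps:.0f} pps")
    syn = packet_delta(before, after, "detect-syn-attack", "syn-packets")
    other = packet_delta(before, after, "detect-syn-attack", "tcp-packets")
    # term a accepts SYNs before term b runs, so tcp-packets is non-SYN TCP only
    share = syn / (syn + other) if syn + other else 0.0
    if share > syn_share_limit:
        alarms.append(f"SYN flood? SYN share {share:.2f} of TCP over {seconds}s")
    return alarms
```

Working on deltas rather than the cumulative totals matters: a flood that starts after hours of normal traffic barely moves the lifetime ratio, but dominates the last interval.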

 

Page 23: Juniper Networks Customer Presentation


Dealing With SYN Attacks

- Stopping the attack is usually not an option. If the attack is not distributed, you can change the accept action to discard and apply it to the ingress of all AS boundary routers
- If the attack is distributed, filtering SYNs also effectively shuts down the server
- Tracing the attack requires co-operation with peers of the network under attack: examining the sampled output reveals the incoming interface; repeat this process until the source is found


Page 25: Juniper Networks Customer Presentation


Infrastructure Requirements

- Sufficient forwarding capacity in times of stress: large numbers of small packets
- Filtering to detect and block attacks: filter on significant ICMP/IP/TCP/UDP fields; implement consistently on all interface types, including logical interfaces (eg VLAN); sufficient performance to permit the NOC to enable it
- Rate limiting: rate limit based on significant ICMP/IP/TCP/UDP fields; sufficient performance to permit the NOC to enable it
- Sampling and logging for additional insight


Page 27: Juniper Networks Customer Presentation


Pro-active Approaches

- More reliable and secure network
- Policy at AS boundaries to detect and minimize the effects of DoS attacks
- Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack

[Diagram labels: Switch, Host, Attack]

Page 28: Juniper Networks Customer Presentation


Proactive Planning

- Establish procedures for detecting security events
- Pre-plan the response: techniques for isolating the problem and tracking it through the network to a source; standard responses to alleviate impact to service
- Train staff and practice
- Document and update a security policy

Page 29: Juniper Networks Customer Presentation


Further References

Juniper Networks Whitepapers:
- Rate-limiting and Traffic-policing Features
- Fortifying the Core
- Visibility into Network Operations
- Minimizing the Effects of DoS Attacks

Available from http://www.juniper.net/techcenter

Page 30: Juniper Networks Customer Presentation

Thank You

[email protected]
http://www.juniper.net

Page 31: Juniper Networks Customer Presentation


Proactive Measures

[Diagram labels: Service Providers & Regional/National Backbones, Customers On Access Circuits, Data Center, Peering Points, Core Infrastructure]

Areas requiring attention:
- Core routers (protect)
- Customer access links (protect, and protect from)
- Datacenters & ISP servers (protect)
- Peering (protect, and protect from)

Page 32: Juniper Networks Customer Presentation


Securing The Core Routers

- Performance headroom: what happens when the going gets tough!
- Protect the route processing capability: performance; authenticated protocols; services
- Secure management access: authentication; private access; multi-level access authorisation

[Diagram label: Core Infrastructure]

Page 33: Juniper Networks Customer Presentation


Protecting Data Center And Hosts

- Permit only relevant traffic: for example, http, https, icmp echo request
- Prevent traffic overwhelming server capacity: drop traffic before it hits the server
- Reactive filtering to limit the impact of DoS: detect, isolate and drop

[Diagram labels: Core, Core]

Page 34: Juniper Networks Customer Presentation


Securing Customer Access Links

- Limit traffic coming into the network from customers: legitimate IP source addresses; legitimate route announcements; maybe rate limit ICMP
- Reactive filtering to limit the impact of DoS: detect, isolate and drop

[Diagram labels: Optical Core, IP Core, Access Layer, TDM Backhaul Infrastructure, ATM/FR, T1, E1, DS1, OC-3, STM-1c, OC-3/12 ATM, ChDS3, ChOC-12]