Juniper Networks Customer Presentation


  • Solutions For Denial of Service (DoS) Minimization
    Ian Quinn, APRICOT 2001, Kuala Lumpur, Malaysia

    Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential

  • Agenda
    - The Impact Of Denial of Service (DoS)
    - Detecting And Minimising DoS
    - SMURF Attacks
    - SYN Attacks
    - Infrastructure Requirements
    - Proactive Measures

  • Popular Points Of Attack And Pressure
    - Actual targets: customers, datacenters, ISP servers, infrastructure (eg routers)
    - Additional pressure points: access circuits, peering points, low bandwidth core links

    [Diagram: service providers and regional/national backbones, showing customers on access circuits, a data center, peering points and the core infrastructure]

  • What Are The Threats To A Service Provider
    - Disruption of customer networks: desirable to be able to assist the customer
    - Consumption of bandwidth: lower bandwidth links are susceptible; often a big problem in Asia Pacific
    - Network stability: frequently a problem for older platforms; related to additional workload and performance headroom
    - All affect the service delivered

  • Emergence Of Distributed Denial Of Service (DDoS)
    - Targeted largely at servers
    - Harnesses networks of compromised machines

  • Specific Impact Of DoS In Asia Pacific

    [Diagram: DoS attacks against Service Provider 1, 2 and 3 transiting Tier 1 providers in Australia, New Zealand and the United States]

  • Impacts Of Security Incidents
    - Customer service levels: Internet access, web farms, ecommerce; especially if the impact is repeated
    - Support overhead: especially in isolating and blocking Denial of Service (DoS) attacks
    - Service provider reputation
    - Service Level Agreement (SLA) breaches: SLAs are increasingly being offered; multi-service networks change the game
    - STRESS!!!

  • Generic Approach To DoS Attacks
    - Use statistics to detect an attack in progress
    - Use sampling or logging to capture traffic for analysis
    - Isolate the attack: attack type, source (often difficult or impractical), destination
    - Block or trace back the attack using filters: filter on destination and protocols; drop traffic or rate limit

  • Detecting Attacks
    - Sudden changes in traffic profiles: average packet size changes, link utilisation increases, traffic by destination address (the source address is normally forged or distributed)
    - Generate alarms in response to changes: alarm for closer human inspection; overview easily available for NOC staff
    - Migrate to some level of automated response

  • Complicating Factors With DoS
    - Distinguishing DoS traffic from normal usage
    - Forged source address: more difficult to isolate and track the attack
    - Distributed attacks: the attack could enter from multiple points; difficult to track back and shut down
    - Blocking attacks that match valid traffic: disruption of normal service

  • SMURF Attacks
    - The attacker sends a broadcast ping to an intermediary subnet using a forged source address
    - The forged source address belongs to the target of the attack
    - The result is an over-burdened CPU on the target server and over-utilized access trunks

    [Diagram: attacker's workstation, intermediary hosts (several on the same subnet), data server]

  • Dealing With SMURF Attacks
    - Detection is achieved by using the count action within firewall filters
    - The filtering is achieved by changing the accept to a discard
    - The log action assists in the tracing

    term a {
        from {
            destination-address {
                10.1.1.0/24;
            }
            protocol icmp;
        }
        then {
            count icmp-counter;
            log;
            accept;
        }
    }
    term b {
        then accept;
    }

  • Dealing With SMURF Attacks
    - Once the filter is applied to the interface, you can view the firewall counters
    - If the ICMP counter increments quickly, an attack is underway

  • Dealing With SMURF Attacks
    - Stopping the attack is a matter of changing the accept action to a discard
    - Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient: bandwidth resources are still wasted
    - Also apply this filter at the AS boundaries where the targeted host resides

  • Where Did That SMURF Come From?
    - Finding the bad guy is not easy
    - View show firewall log to see the source addresses of the ICMP traffic; however, this step identifies only the intermediary, not the attacker
    - Contact the owner of the intermediary and ask them to disable broadcast pings and track back the pings to the attacker

  • SYN Attacks
    - The attacker sends a stream of SYNs to the server under attack using a forged source address
    - The forged source address is unused by anyone
    - The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks

    [Diagram: attacker, data server]

  • SYN Attacks
    - During a SYN attack, the SYN-ACK never reaches the client
    - Sockets remain open on the server
    - The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks

    [Diagram: correct three-way handshake between client and server, beginning with the client's SYN]

  • Dealing With SYN Attacks
    - Detection is achieved by configuring a firewall filter to count TCP versus SYN traffic
    - Tracing is achieved by leveraging the sampling capability to derive the incoming interface

  • Details of the Detection Process
    - Once the filter is applied to the interface, you can view the counters
    - If the ratio of SYN to TCP is high (> 1:5), a SYN attack is underway

    unit 0 {
        family inet {
            filter {
                output detect-syn-attack;
            }
            address 10.10.10.1/24;
        }
    }

    <hostname># run show firewall
    Filter/Counter        Packet count    Byte count
    detect-syn-attack
      tcp-packets         289144          86743200
      syn-packets         56388           16916640
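
The two counter checks the deck describes (an ICMP counter that increments quickly on the SMURF filter, and a SYN:TCP ratio above 1:5 on detect-syn-attack) as a NOC-side poll, written as an added example and not taken from the deck or from Juniper. It assumes the counter layout shown on the slide, a constructed second poll and a detect-smurf filter holding the SMURF slide's icmp-counter, and an assumed ICMP packets-per-second threshold:

```python
import re

# Two 'show firewall' polls constructed to follow the slide's layout; the first
# detect-syn-attack numbers are the slide's own, the rest is invented.
POLL_T0 = """\
Filter/Counter                 Packet count    Byte count
detect-syn-attack
tcp-packets                          289144      86743200
syn-packets                           56388      16916640
detect-smurf
icmp-counter                           1200        120000
"""
POLL_T1 = """\
Filter/Counter                 Packet count    Byte count
detect-syn-attack
tcp-packets                          290144      87043200
syn-packets                           56988      17096640
detect-smurf
icmp-counter                         601200      60120000
"""
COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")  # name packets bytes

def parse_show_firewall(text):
    """Return {filter_name: {counter_name: packet_count}}."""
    counters, current = {}, None
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            counters.setdefault(current, {})[m.group(1)] = int(m.group(2))
        elif line.strip() and not line.startswith("Filter/Counter"):
            current = line.strip()  # a bare filter name starts a new block
    return counters
def counter_delta(before, after):
    """Growth of every counter between two polls, keyed like the polls."""
    return {f: {c: after[f][c] - before[f][c] for c in after[f]} for f in after}
def syn_ratio(c, filt="detect-syn-attack"):
    """SYN packets as a fraction of all TCP packets (0.0 when no TCP seen)."""
    tcp = c[filt]["tcp-packets"]
    return c[filt]["syn-packets"] / tcp if tcp else 0.0

def assess(before_text, after_text, interval_s, syn_threshold=1 / 5,
           icmp_pps_threshold=10000.0):
    """Apply the slide's thresholds (SYN:TCP above 1:5, ICMP counter climbing
    fast) to the growth between polls; the ICMP pps threshold is assumed."""
    delta = counter_delta(parse_show_firewall(before_text),
                          parse_show_firewall(after_text))
    icmp_pps = delta["detect-smurf"]["icmp-counter"] / interval_s
    return {"interval_syn_ratio": syn_ratio(delta),
            "syn_alarm": syn_ratio(delta) > syn_threshold,
            "icmp_pps": icmp_pps,
            "smurf_alarm": icmp_pps >= icmp_pps_threshold}
```

Taking the ratio on the growth between polls rather than on the cumulative totals matters: the slide's own totals give 56388/289144, just under 1:5, and would stay under it for a long time after a burst starts.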

  • Dealing With SYN Attacks
    - Stopping the attack is usually not an option
    - If the attack is not distributed, you can change the accept action to discard and apply it to the ingress of all AS boundary routers
    - If the attack is distributed, filtering SYNs also effectively shuts down the server
    - Tracing the attack requires co-operation with peers of the network under attack: examining the sampled output reveals the incoming interface; repeat this process until the source is found

  • Infrastructure Requirements
    - Sufficient forwarding capacity in times of stress: large numbers of small packets
    - Filtering to detect and block attacks: filter on significant ICMP/IP/TCP/UDP fields; implement consistently on all interface types, including logical interfaces (eg VLAN); sufficient performance to permit the NOC to enable it
    - Rate limiting: rate limit based on significant ICMP/IP/TCP/UDP fields; sufficient performance to permit the NOC to enable it
    - Sampling and logging for additional insight

  • Pro-active Approaches
    - More reliable and secure network
    - Policy at AS boundaries to detect and minimize the effects of DoS attacks
    - Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack

    [Diagram: attack traffic passing through a switch to a host]

  • Proactive Planning
    - Establish procedures for detecting security events
    - Pre-plan the response: techniques for isolating the problem and tracking it through the network to a source; standard responses to alleviate the impact to service
    - Train staff and practice
    - Document and update a security poli
