DDoS Mitigation Tools and Techniques
•
12 likes•2,248 views
This document discusses techniques for mitigating distributed denial of service (DDoS) attacks, including remotely triggered black hole filtering (RTBH) and BGP FlowSpec. It provides an overview of DDoS attack trends, types, and impacts. It also introduces the open-source FastNetMon tool for DDoS detection using network telemetry and introducing mitigation actions like flow blocking through integration with tools like ExaBGP.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (8)
Similar to DDoS Mitigation Tools and Techniques
Similar to DDoS Mitigation Tools and Techniques (20)
Recently uploaded
Recently uploaded (9)
DDoS Mitigation Tools and Techniques
- 1. DDoS Mitigation Tools and Techniques Babak Farrokhi MENOG 16
- 2. Introduction
- 3. What is a DDoS Attack? • A distributed attack that makes your online infrastructure totally inaccessible • Performed by a large number of infected hosts (zombies) • Complicated to defend Upstream Provider Your Infrastructure Your Connection Bots Bots Users
- 4. Attack Types Network Layer Attacks Exhausting your uplink Application Layer Attacks Overloading your servers Upstream Provider Your Infrastructure Your Connection Upstream Provider L7 Requests Your Infrastructure Your Connection
- 5. But I am not affected… ATTACKED MORE THAN ONCE 75% ATTACKED ON A WEEKLY BASIS 10% ATTACKED IN PAST 12 MONTHS 91% ORGANIZATIONS ATTACKED 45% Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
- 6. DDoS Attack Trends • 2014 vs. 2013 : Number of Attacked Doubled • Average DDoS Attack Size in 2014: 15Gbps • Average Damage of DDoS Attack: $40,000 /hour • Largest Application Layer Attack: ~180,000 RPS Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
- 7. Where are we going? • DDoS attacks may last for days or weeks • Attacks usually reappear • Network layer attacks are getting bigger (so, your defense should scale proportionally) • Operators should be equipped with appropriate equipment (and knowledge)
- 8. How it affects operators • Your customers cannot defend themselves (once attack hits a customer’s firewall, its too late) • Attack on one customer may affect the other customers, or the whole infrastructure • Loss of revenue • Loss of reputation • Legal Issues • Service Level degradation, missing SLA targets
- 9. Dealing with DDoS • Detection • Tools and Techniques • Mitigation • Best Practices
- 10. Mitigation
- 11. Mitigation Best Practices • S/RTBH [2] , D/RTBH [3] • FlowSpec [4] • Co-operative DDoS Mitigation [5] (IETF dots WG draft) • PBR
- 12. RTBH • Remotely Triggered Blackhole • D/RTBH: Based on destination address • S/RTBH: Based on source address • Widely in use by operators • Injecting routes to edge routers using iBGP to discard or redirect traffic to a sinkhole/scrubber • Blackholes all incoming traffic for a given host/network
- 13. D/RTBH • Victim’s (destination) address will be totally unreachable during attack • Makes victim unreachable to protect rest of the infrastructure / customers
- 14. S/RTBH • Uses uRPF (loose mode) to filter out traffic based on source address • Victim will be still reachable • Only effective in case of DoS or DDoS with limited number of source addresses
- 15. RTBH Upstream A Upstream B IXP A IXP B Customer Network Target Trigger Router NOC
- 16. RTBH Upstream A Upstream B IXP A IXP B Customer Network Target Trigger Router NOC
- 17. RTBH Upstream A Upstream B IXP A IXP B Customer Network Target Trigger Router NOC iBGP Advertise Blackhole Prefixes
- 18. Where should attack traffic go? • Discard • null0 on edge routers • Sinkhole • For further analysis / forensics • Scrubber • Clean malicious traffic
- 19. RTBH Problems • Discarding will keep target visible for local networks, but will be unavailable for others • Isn’t this what attackers wanted? • Scrubbing as an alternative to black-holing • It is usually done manually
- 20. BGP FlowSpec • Defined in RFC 5575 (IPv4) • Largely a work in progress - many extensions are proposed as IETF drafts • IPv6 support is still in draft state [6] (IETF idr WG) • Fairly new, not widely in use • JunOS 7.3 • IOS 15.5 , XE 3.14 • Defines a new BGP NLRI (Network Layer Reachability Information) format • Granular traffic flow matching based on L3/L4 information
- 21. FlowSpec use cases • Traffic Filter List / ACL distribution • Filtering harmful traffic based on Traffic Flow information • Replacement for classic S/RTBH and D/RTBH for DDoS mitigation
- 22. Flow Specification criteria • L3 Source / Destination Prefix • L4 Protocol (e.g. TCP, UDP, etc) • L4 Source / Destination Port • ICMP Types and Codes • TCP Flags • Packet Length • DSCP • Fragment
- 23. Traffic Filtering Actions • Defined as extended community attributes: • 0x8006 - traffic-rate (Rate Limiting or Discarding) • 0x8007 - traffic-action (Sampling) • 0x8008 - redirect (Redirecting to a VRF) • 0x8009 - traffic-marking (DSCP Tagging) • Additional actions are proposed [7]: • 0x8108 - redirect to IPv4 • 0x8208 - redirect to AS
- 24. ExaBGP • Open Source BGP Swiss Army Knife [8] • Supports many extensions, including IPv6, ASN4, MPLS, BMP and FlowSpec • Easy to use and extend (Show your Python / BASH mastery!) • Easily integrates with your existing tools/scripts (e.g. FastNetMon) to automate route/policy injection
- 25. Detection
- 26. DDoS Detection • Network Telemetry • Passive traffic flow information collection • NetFlow • sFLOW • IPFIX • Real-time analysis • Baselining • Pattern Matching
- 27. Detection Toolbox • Commercial (Arbor, Juniper, F5, RadWare, Checkpoint, etc) • OpenSource: FastNetMon [9]
- 28. FastNetMon • Flow Data Analysis • NetFlow (v5, v9) • sFlow (v4, v5) • IPFIX • High Performance Traffic Capture • PF_RING • netmap • SnabbSwitch
- 29. • Watches hosts for traffic anomalies • High bits/second • High packets/second • High flows/second • Runs External Trigger (e.g. custom script)
- 30. • Integration with ExaBGP (FlowSpec injection) • Integration with GoBGP (Unicast announces) • Custom thresholds • L2TP Decapsulation • MPLS untagging and VLAN processing • Supports major network attack types (TCP SYN, UDP, ICMP and IP Fragmentation floods) • Write your own plugin!
- 31. Sample Configuration ## action in case of attack enable_ban = on ban_time = 3600 ## Different approaches to attack detection ban_for_pps = on ban_for_bandwidth = on ban_for_flows = off ## Limits for Dos/DDoS attacks threshold_pps = 20000 threshold_mbps = 1000 threshold_flows = 3500
- 32. Sample Configuration ## traffic capture method mirror = off mirror_netmap = off pcap = off netflow = on sflow = on netflow_port = 2055 netflow_host = 0.0.0.0 sflow_port = 6343 sflow_host = 0.0.0.0
- 33. Sample Configuration ## action !!! notify_script_path = /usr/local/bin/ban.sh # ExaBGP could announce blocked IPs with BGP exabgp = on exabgp_command_pipe = /var/run/exabgp/exabgp.cmd exabgp_community = 65001:666 exabgp_next_hop = 10.0.3.114 exabgp_announce_whole_subnet = no
- 34. Upstream A Upstream B IXP A IXP B Customer Network Target NOCExaBGP FastNetMon NetFlow/sFlow Incoming DDoS
- 35. Upstream A Upstream B IXP A IXP B Customer Network Target NOC iBGP Advertise Blackhole Prefixes ExaBGP FastNetMon Block
- 37. Questions?
- 38. References
- 39. • [1] http://lp.incapsula.com/ddos-report-2015.html • [2] RFC 3882 - Configuring BGP to Block Denial-of-Service Attacks • [3] RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF) • [4] RFC 5575 - Dissemination of Flow Specification Rules • [5] draft-reddy-dots-transport-00 - Co-operative DDoS Mitigation • [6] draft-ietf-idr-flow-spec-v6 - Dissemination of Flow Specification Rules for IPv6
- 40. • [7] RFC 7674 - Clarification of the Flowspec Redirect Extended Community • [8] https://github.com/Exa-Networks/exabgp • [9] https://github.com/pavel-odintsov/fastnetmon