29 May 2017 1
DeiC DDoS Prevention System - DDPS
Niels Thomas Haugård, DeiC
Consultant since 1995 in the security and network field
See https://www.linkedin.com/in/uninth
and https://www.deic.dk
> About DeiC
> Danish NREN
> DeiC – Danish e-Infrastructure Cooperation has the stated aim of supporting the
development of Denmark as an eScience nation through the delivery of e-infrastructure
(computing, data warehousing, network connections and auxiliary services), guidance, and
initiatives at national level. DeiC is a virtual unit under the Danish Ministry of Higher
Education and Science and the result of an agreement concluded between the eight Danish
universities and the Danish Agency for Science and Higher Education. For details, see
www.deic.dk
> Why present it
> Benefit for others
> Exchange of ideas never made anything worse
> Open source and on GitHub: https://github.com/deic-dk/DDPS-documentation
> The next 42 minutes
> Why we made DDPS - A short description of DDoS attacks
> How we designed it and why
> What it looks like, how to handle failures etc.
> Lessons learned
> Current Status
> Who made DDPS
> Questions ?
> Why do it - 20 years of DDoS history
> Akamai's State of the Internet / Security, Q2 2017 (chart: 2017, Q1)
> State of Forskningsnet
> Early warnings only
> One small incident in the summer of 2016
> Attack on student dormitories in Ålborg (World of Warcraft) and Ålborg University
> Not visible on traffic graphs
> Our infrastructure attacked
> Hosting Itslearning AS with national tests
> Regularly attacked
> DDoS characteristics
> Stateless connections (UDP, TCP SYN, GRE, ICMP echo request)
> Amplification attacks with spoofed source addresses
> Attacks on the kernel and network layer (Ping of Death, Teardrop etc.)
> Application layer attacks (Slowloris, R-U-Dead-Yet etc.)
> Massive numbers of legitimate connections
(ISP focus area)
> DDoS mitigation challenges for ISPs
> Volumetric only: ISPs will not / cannot take responsibility for application layer attacks
> The attacker has more bandwidth than the target
> Manual blocking is slow, labour intensive and error prone
> Blocking usually takes place too late
> DDoS mitigation at the ISP: customer expectations
> Very short response time
> Mitigation must be implemented at uplinks and peers (as close to the source as possible)
> ISPs should cooperate
> Mitigation methods
> BGP based blackhole routing: sacrifice the attacked addresses (first RFC 3882 from 2004)
> Predefined route communities (all, ISP, ...)
> Described in RFC 5635 and RFC 7999
> BGP flowspec (RFC 5575 from 2009): match/action firewall rules in edge routers
> Attacked addresses are not sacrificed: filtering on 12 packet-header components
> Implemented around 2013 in Juniper routers, Cisco around 2014
> See Nokia/Alcatel, Cisco, Huawei and Juniper: BGP Flow Specification: Multi Vendor and Inter AS Interoperability, January 2, 2017 (https://www.nextlayer.at/flowspec-paper.pdf) - a sad and long story, but the most general option
> Other methods
> Load sharing
> Cloudflare and others
> Rewrite your application and hand over your SSL keys - not an option for all
> Assumes the service provider has more bandwidth than the attacker (usually they do)
> Anycast
> Multiple hosts, one IP address - service configured as a cluster
> Our MX960s must filter differently on traffic from NORDUnet and Forskningsnet
> Assumes attacks come only through NORDUnet - wrong assumption
> No matter the solution
> Your investment in DDoS protection is worth nothing while you are not under attack
> Defending is more expensive than attacking
> Attacks never get less severe over time
> You cannot predict what kind of attack will be used next time
> IPv6 not really supported, see https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-03 (2012)
> Existing solutions
> On-site: Arbor Networks, F5 and others
> Expensive, proprietary, and will they fit our infrastructure and customers?
> Cloud: Cloudflare, Incapsula and others
> Expensive cloud-based load sharing, requires your SSL keys
> Open source alternatives
> FastNetMon
> Firewall on Demand (GRNET / GÉANT)
> Firewall on Demand (GRNET / GÉANT)
> No longer maintained at the time we started the project
> Configuration based on NETCONF - not used here
> Requires Shibboleth for authentication, while we would use WAYF (the Danish identity federation, "the digital recycling centre")
> Lack of automatic detection
> A good source of inspiration
> Mitigation opportunities
> Do not change existing customer infrastructure nor sacrifice hosts for the network
> blackhole
> BGP flowspec
> load sharing
> anycast
> Price, performance (and maintainable code)
> Commercial
> Open source
> Home grown
> What we would like ...
> Existing services should not be changed to match a solution
> BGP flowspec benefits:
> May be implemented in existing (i.e. no new) network equipment
> No changes to services needed (unlike e.g. load sharing)
> Builds on top of existing BGP peering
> Requires
> Manual changes implemented ahead of the attack
> Automatic detection and mitigation
> BGP flowspec as a security tool
> eBGP: announce which networks you would like to receive traffic for from a given peer
> only as long as the BGP session (TCP) is active
> BGP flowspec: add discrimination to your eBGP announcement
> We will receive traffic for our network
> except traffic matching some criteria
> Think of BGP flowspec as a transport protocol for firewall rules
> Rules are implemented in the edge routers
> Rules: closest match wins (cleanup not really required)
> DDPS adds a start and end time on top
> Simple static filtering - not opt-in (ExaBGP syntax, one rule per line)
announce flow route default-discard-udp-fragments { match { protocol udp; fragment [ is-fragment first-fragment last-fragment ]; } then { discard; } }
announce flow route default-discard-ntp-amplification { match { protocol udp; source-port =123; packet-length =468; } then { discard; } }
announce flow route default-discard-dns-amplification { match { protocol udp; source-port =53; packet-length =512; } then { discard; } }
announce flow route default-discard-chargen { match { protocol udp; source-port =19; } then { discard; } }
announce flow route default-discard-chargen { match { protocol tcp; source-port =19; } then { discard; } }
announce flow route default-discard-QOTD { match { protocol udp; source-port =17; } then { discard; } }
announce flow route default-discard-QOTD { match { protocol tcp; source-port =17; } then { discard; } }
announce flow route default-discard-gre { match { protocol =47; } then { discard; } }
announce flow route default-ratelimit-SSDP { match { protocol udp; source-port =1900; } then { rate-limit 9600; } }
announce flow route default-ratelimit-snmp { match { protocol udp; source-port =161 =162; } then { rate-limit 9600; } }
> A better solution
> Prefer BGP flowspec: integrates seamlessly with existing infrastructure and services
> Opt-in: use an on-site probe (FastNetMon)
> Use WAYF for Web-UI authentication
> Non-commercial version of FastNetMon, home grown Web-UI, daemon etc.
> GUI and decentralised probes inject rules into a central database
> No direct database access, no fancy interface: use sftp and file upload
> Access only granted through OpenVPN, with few exceptions (protecting the GUI)
> Short-lived blocking only: not a first-line firewall with permanent rules
> Design principles
> Precautionary principle: opt-in
> Both self-service and automatic mitigation
> Least privilege / least authority: restrict rule creation to specific network(s)
> Fail safe: do nothing on e.g. data failure
> Automatically remove access for administrators who are no longer employed
> Automatic mitigation
> Time critical: mitigation start time/end time, logging and status
> Modular building blocks: software components should be replaceable
> Limit hardware requirements
> Install on-site: on-site is 10 Gbit/s, the core is 100 Gbit/s
> 2 x interfaces: one for monitoring (mirror port), one for uplink (assume behind NAT)
> Design
> Redundancy where technically and economically feasible
> Redundant functionality or a fast recovery procedure elsewhere
> Decentralised probes based on FastNetMon
> Central rule database with Web-UI etc.
> ExaBGP hosts, firewalls, routers etc.
> Components
> FastNetMon host
> Debian 8, ixgbe and igb drivers
> 2 connections: mirror port and uplink (out of band: ADSL/LTE/3G ... - behind NAT)
> FastNetMon, influxdb, notify_script, OpenVPN, ssh, configuration
> Two-way connections: VPN required for access to influxdb
> DDPS host
> OS: Ubuntu 16.04
> PostgreSQL, daemon
> Web-UI, CLI tools
> Tool to create ISO images for unattended installation (Debian and Ubuntu)
> ExaBGP, routers etc.
> FastNetMon
> Hardware: Supermicro X10SLL-F with Intel 82599 NIC
> Debian 8, looking at Ubuntu 16.04 / FreeBSD 11.1 / Debian 9
> Pktgen-DPDK
> The latest version is located on dpdk.org at http://dpdk.org/download
> Traffic generator powered by Intel's DPDK: 10 Gbit wire-rate traffic with 64-byte frames
> pkt-gen -i eth1 -z -f tx -n 500111222 -l 60 -d a.b.c.d:123
> (this is netmap's pkt-gen command line: transmit 500111222 60-byte frames to a.b.c.d port 123 with randomised source addresses; the Pktgen-DPDK binary is called pktgen)
> Handles up to 14 million 64-byte UDP packets per second (10 Gbit/s wire rate)
> Tested with the FastNetMon host and the packet generator host back-to-back on Debian 8
> FastNetMon
> Commercial: all the nice options, but the license requires a routable (IANA-assigned) IP address
> Community edition: a Perl install script, which executes git, cmake etc.
> A new version each time someone changes something on git
> Looking at FreeBSD: it is in ports together with the netmap drivers
> We use OpenBSD, Ubuntu and Debian (and GAiA and SPLAT)
> Working towards compile once, use everywhere on similar OS
> static linking and cmake (not funny)
> statifier fails (kernel unable to load an executable whose program headers take more than PAGE_SIZE)
> More work here
> FastNetMon on Debian 9
> echo 'deb http://ftp.de.debian.org/debian sid main' > /etc/apt/sources.list.d/fastnetmon.list
> apt-get -y update; apt-get -y upgrade; apt-get -y dist-upgrade
> apt-get -y install fastnetmon
> (Caveat: with sid in sources.list, upgrade/dist-upgrade pulls every installed package to unstable, not just fastnetmon; pin sid to a low priority in /etc/apt/preferences, or skip the upgrades and run only apt-get -t sid install fastnetmon)
> but for now the ixgbe and igb drivers must be compiled from source each time the kernel is upgraded
> Currently lack hardware to test a comparison of performance and options:
           Debian 9   Native Intel   Pavel Odintsov's patched
  igb      ?          ?              ?
  ixgbe    ?          ?              ?
> Connections
> FastNetMon mirror port
> FastNetMon alerts to database
> FastNetMon default gateway may be behind NAT / a cellular uplink may have download limitations
> Keep influxdb data with FastNetMon
> Web-UI to influxdb: LAN VPN required
> Automatic mitigation walk-through
> FastNetMon connected to the mirror port detects an abnormality
> FastNetMon runs the alert script
> The alert script reads the tcpdump output from STDIN, creates a rule file and uploads it to the database host with sftp through the OpenVPN tunnel
> The daemon on the DDPS host reads the rule file and reduces it to one rule, which is inserted in the database
> The daemon on the DDPS host reads the database, activates new rules and deactivates expired rules
> ExaBGP announces the rule changes to the infrastructure
> Automatic mitigation walk through - drawing
> Implementation and security
> Limit the attack surface
> Do not expose the Web-UI unrestricted to the public
> Place it behind the VPN to limit the attack surface
> Limit access to FastNetMon: no console / customer access
> All (relevant) parameters available to the customer through the Web-UI
> Security and data validation
> Hierarchy of customers, their administrator rights and networks
> FastNetMon:
> Only upload valid data (rule files based on tcpdump output)
> Web-UI: select from predefined choices
> validate data in the Web-UI
> CLI:
> Requires SSH access, implements full flowspec, minimal sanity check
> DDPS daemon
> Validate data before inserting into the database
> Validate data from the database before sending to ExaBGP
> Last check: destination addresses must be ours
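The validation chain above (customer hierarchy, syntax checks on every flowspec field, "destination addresses must be ours") written out as an added example. This is not DDPS code: the customer names, the prefixes, the value grammars, the blocktime limit and the ExaBGP announce/withdraw text are assumptions made for the example; check the ExaBGP wording against the version in use.

```python
"""Validate a mitigation rule against customer authority and our own prefixes,
then render it as ExaBGP flowspec text. Added example, not DDPS project code."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Constructed data standing in for the customer hierarchy in the database: the
# prefixes the NREN announces at all, and the subset each customer may create
# rules for. Names and prefixes are made up.
OUR_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
CUSTOMER_NETWORKS = {
    "aau": [ip_network("203.0.113.0/25")],
    "itslearning": [ip_network("198.51.100.0/26")],
}
ALLOWED_ACTIONS = {"accept", "discard", "rate-limit 9600"}
MAX_BLOCKTIME_MIN = 24 * 60        # short-lived blocking only, never permanent rules

# Value grammars in ExaBGP flowspec syntax: "=80 =443", ">=300&<=302", "[syn ack]".
_NUM = r"(?:=|<=?|>=?)\d+(?:&(?:=|<=?|>=?)\d+)*"
NUMERIC = re.compile(rf"^{_NUM}(?:\s+{_NUM})*$")
FIELD_CHECKS = {
    "protocol": re.compile(r"^(?:tcp|udp|icmp|=\d{1,3})$"),
    "source-port": NUMERIC, "destination-port": NUMERIC, "packet-length": NUMERIC,
    "icmp-type": NUMERIC, "icmp-code": NUMERIC, "dscp": NUMERIC,
    "tcp-flags": re.compile(r"^\[(?:\s*(?:fin|syn|rst|push|ack|urgent))+\s*\]$"),
    "fragment": re.compile(r"^\[(?:\s*(?:not-a-fragment|dont-fragment|is-fragment"
                           r"|first-fragment|last-fragment))+\s*\]$"),
}
MATCH_ORDER = ("destination", "source", "protocol", "source-port", "destination-port",
               "packet-length", "icmp-type", "icmp-code", "tcp-flags", "fragment", "dscp")

# A request as the Web-UI or CLI would hand it to the daemon (constructed).
REQUEST = {"destination": "203.0.113.5/32", "protocol": "udp", "source-port": "=123",
           "packet-length": "=468", "action": "rate-limit 9600", "blocktime": 30}


class RuleError(ValueError):
    """Anything that must never reach the database or ExaBGP."""


def _within(net, allowed):
    return any(n.version == net.version and net.subnet_of(n) for n in allowed)


def validate(customer, rule):
    """Return a normalised copy of *rule*, or raise RuleError (fail safe: no rule at all)."""
    if customer not in CUSTOMER_NETWORKS:
        raise RuleError(f"unknown customer {customer!r}")
    try:
        dst = ip_network(rule["destination"], strict=True)
    except (KeyError, ValueError) as exc:
        raise RuleError(f"bad destination: {exc}") from exc
    # Least authority: a customer may only create rules for its own networks ...
    if not _within(dst, CUSTOMER_NETWORKS[customer]):
        raise RuleError(f"{dst} is outside the networks of {customer!r}")
    # ... and the last check before ExaBGP: the destination must be ours.
    if not _within(dst, OUR_NETWORKS):
        raise RuleError(f"{dst} is not one of our prefixes")
    out = {"destination": str(dst)}
    if "source" in rule:
        try:
            out["source"] = str(ip_network(rule["source"], strict=True))
        except ValueError as exc:
            raise RuleError(f"bad source: {exc}") from exc
    for field, grammar in FIELD_CHECKS.items():
        if field in rule:
            if not isinstance(rule[field], str) or not grammar.match(rule[field]):
                raise RuleError(f"bad {field}: {rule[field]!r}")
            out[field] = rule[field]
    if rule.get("action") not in ALLOWED_ACTIONS:
        raise RuleError(f"action must be one of {sorted(ALLOWED_ACTIONS)}")
    blocktime = rule.get("blocktime")
    if not isinstance(blocktime, int) or not 1 <= blocktime <= MAX_BLOCKTIME_MIN:
        raise RuleError(f"blocktime must be 1..{MAX_BLOCKTIME_MIN} minutes")
    out["action"], out["blocktime"] = rule["action"], blocktime
    return out


def rejection(customer, rule):
    """Reason the rule would be refused, or None if it validates."""
    try:
        validate(customer, rule)
    except RuleError as exc:
        return str(exc)
    return None


def render(rule, name, now=None):
    """ExaBGP API lines to announce and later withdraw a validated rule, plus the
    expiry time the daemon stores so it can withdraw the rule on schedule."""
    now = now or datetime.now(timezone.utc)
    match = " ".join(f"{key} {rule[key]};" for key in MATCH_ORDER if key in rule)
    body = f"flow route {name} {{ match {{ {match} }} then {{ {rule['action']}; }} }}"
    return f"announce {body}", f"withdraw {body}", now + timedelta(minutes=rule["blocktime"])


if __name__ == "__main__":
    ok = validate("aau", REQUEST)
    announce, withdraw, expires = render(ok, "ntp-amp-aau")
    print(announce)
    print("withdraw at", expires.isoformat())
    print("rejected:", rejection("itslearning", REQUEST))   # prefix is not theirs
```

The two prefix checks are deliberately separate: the customer check enforces least authority, the "is it ours" check is the backstop that still holds if the customer table is ever misconfigured. Every field value is matched against a grammar before it is interpolated into ExaBGP text, so a value like "=123; discard" never becomes part of an announcement.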
> Rule file format
> Originally based on tcpdump output from FastNetMon
> Upload with sftp
> Read literally or optimised before insert into the database
> Format:
> Header
> Lines ...
> last-line
> Rule optimization
> Optimize the output from FastNetMon (tcpdump): reduce to one rule
> One stream, one rule file
> Find the closest match for all non-null fields:
> Don't match on stateless, spoofed sources
> Do match on stateful sources (e.g. established TCP connections)
> Source and destination ports or port ranges
> Packet lengths: the same or in a range
> Match on fragment?
> Match on TCP flags
> Etc.
> Rule optimization cont.
Attack type              Mitigation                    Match on
syn_flood                rate-limit (tcp option syn)   protocol, destination port, TCP flags, size (TTL would be nice but is still in draft), source any
udp_flood                rate-limit                    protocol and destination, size, host and port
icmp_flood               discard                       protocol and destination
ip_fragmentation_flood   rate-limit                    protocol, size, and destination
DNS amplification        rate-limit                    protocol, size, port and destination
NTP amplification        rate-limit                    protocol, size, port and destination
SSDP amplification       discard                       protocol, size, port 1900, source any
SNMP amplification       discard                       protocol, size, port, destination
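The walk-through (alert script reads the packet dump, daemon reduces it to one rule) and the optimization rules above, put into code as an added example. This is not DDPS code: the tcpdump-style sample lines, the single-source and ephemeral-port heuristics and the action table are assumptions made for the example, and the rule values are written in ExaBGP flowspec syntax.

```python
"""Reduce a packet dump of one attack stream to a single flowspec rule.
Added example, not DDPS code; the dump format and heuristics are assumptions."""
import re

# Constructed tcpdump-style samples standing in for what the notify script reads on
# stdin. The trailing "length" is taken as the total IPv4 length, which is what the
# flowspec packet-length component compares; plain tcpdump prints the UDP/TCP payload
# length there, so add the IP and transport header sizes (28 bytes for IPv4+UDP)
# before feeding it real output.
SAMPLE_NTP = """\
10:00:00.000001 IP 198.51.100.10.123 > 203.0.113.5.54321: UDP, length 468
10:00:00.000002 IP 198.51.100.11.123 > 203.0.113.5.54321: UDP, length 468
10:00:00.000003 IP 198.51.100.12.123 > 203.0.113.5.54321: UDP, length 468
10:00:00.000004 IP 198.51.100.13.123 > 203.0.113.5.54321: UDP, length 440
"""
SAMPLE_SYN = """\
10:01:00.000001 IP 192.0.2.1.40001 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 40
10:01:00.000002 IP 192.0.2.2.40002 > 203.0.113.9.80: Flags [S], seq 2, win 512, length 40
10:01:00.000003 IP 192.0.2.3.40003 > 203.0.113.9.80: Flags [S], seq 3, win 512, length 40
10:01:00.000004 IP 192.0.2.4.40004 > 203.0.113.9.443: Flags [S], seq 4, win 512, length 40
"""
SAMPLE_ONE_SOURCE = """\
10:02:00.000001 IP 192.0.2.77.51000 > 203.0.113.9.443: Flags [P.], seq 1:1201, ack 1, win 512, length 1240
10:02:00.000002 IP 192.0.2.77.51000 > 203.0.113.9.443: Flags [P.], seq 1201:2401, ack 1, win 512, length 1240
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*), length (?P<len>\d+)$")
TCP_FLAGS = re.compile(r"Flags \[([^\]]*)\]")
FLAG_NAMES = {"S": "syn", "F": "fin", "R": "rst", "P": "push", ".": "ack", "U": "urgent"}


def parse_line(line):
    """One dump line -> dict of the fields a rule may match on, or None."""
    m = LINE.search(line)
    if not m:
        return None
    info = m.group("info")
    if info.startswith("UDP"):
        proto, flags = "udp", ()
    elif info.startswith("ICMP"):
        proto, flags = "icmp", ()
    elif info.startswith("Flags"):
        proto = "tcp"
        flags = tuple(FLAG_NAMES[c] for c in TCP_FLAGS.search(info).group(1) if c in FLAG_NAMES)
    else:
        return None
    port = lambda g: None if g is None else int(g)
    return {"src": m.group("src"), "dst": m.group("dst"), "proto": proto, "flags": flags,
            "sport": port(m.group("sport")), "dport": port(m.group("dport")),
            "len": int(m.group("len"))}


def choose_action(proto, source_port):
    """Per the table above: ICMP floods and SSDP/SNMP reflection are discarded,
    everything else is rate-limited (ExaBGP expresses the limit in bytes/second)."""
    reflected = {"=1900", "=161", "=162"}
    if proto == "icmp" or reflected & set(source_port.split()):
        return "discard"
    return "rate-limit 9600"


def reduce_to_rule(dump_text):
    """Collapse all packets of one stream into one rule (match values in ExaBGP syntax)."""
    pkts = [p for p in map(parse_line, dump_text.splitlines()) if p]
    if not pkts:
        raise ValueError("no parsable packets in dump")
    dsts, protos = {p["dst"] for p in pkts}, {p["proto"] for p in pkts}
    if len(dsts) != 1 or len(protos) != 1:
        raise ValueError("one stream, one rule file: mixed destinations or protocols")
    proto = protos.pop()
    rule = {"destination": f"{dsts.pop()}/32", "protocol": proto}
    # Stateless floods come from many, usually spoofed, sources: matching on them is
    # useless. Pin the source only when the whole stream comes from a single host.
    srcs = {p["src"] for p in pkts}
    if len(srcs) == 1:
        rule["source"] = f"{srcs.pop()}/32"
    for key, field in (("sport", "source-port"), ("dport", "destination-port")):
        ports = sorted({p[key] for p in pkts if p[key] is not None})
        # A port seen at most once per two packets is ephemeral: leave it out.
        if ports and (len(ports) == 1 or len(ports) * 2 <= len(pkts)):
            rule[field] = " ".join(f"={n}" for n in ports)
    lo, hi = min(p["len"] for p in pkts), max(p["len"] for p in pkts)
    rule["packet-length"] = f"={lo}" if lo == hi else f">={lo}&<={hi}"
    if proto == "tcp":
        flagsets = {p["flags"] for p in pkts}
        if len(flagsets) == 1:
            rule["tcp-flags"] = "[" + " ".join(flagsets.pop()) + "]"
    rule["action"] = choose_action(proto, rule.get("source-port", ""))
    return rule


if __name__ == "__main__":
    for name, dump in (("ntp", SAMPLE_NTP), ("syn", SAMPLE_SYN), ("one-source", SAMPLE_ONE_SOURCE)):
        print(name, reduce_to_rule(dump))
```

For the NTP sample this yields a rule on protocol, source port 123, the victim's port and a length range but no source prefix; for the SYN flood it yields protocol, the two attacked ports, the SYN flag and the fixed length, again with no source; only the single-host stream gets a source /32. A dump mixing two victims or two protocols is refused rather than merged, matching "one stream, one rule file".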
> How to handle failures and errors
> Phone
> Panic button: restart both ExaBGP instances (2 x ExaBGP)
> Add a more specific accept rule (CLI only)
> Expire rule(s) now (CLI only)
> ddpsrules (CLI)
  /opt/db2dps/bin/ddpsrules [-v] add [-h] ... | del ... | active | log
  active:
      Print active rules with rule ids from the database
  del:
      Set expire time to now for the rule(s) matching a (list of) rule id(s)
  add:
      --blocktime|b   minutes
      --dst|D         destination: one CIDR only (database type limitation)
      --src|S         source: one CIDR only (database type limitation)
      --protocol|P    protocol
      --dport|d       destination port
      --sport|s       source port
      --icmp_type|t   ICMP type
      --icmp_code|c   ICMP code
      --tcpflags|T    TCP flags
      --length|l      packet length
      --dscp|C        DSCP flags
      --frag|f        fragments
      --action|a      action: accept, discard or 'rate-limit 9600'
  Flowspec syntax (ExaBGP) is accepted for all parameters but IP addresses, e.g.
  Specify HTTP and HTTPS only (destination port):
      -d '=80 =443'
  Specify length: three specific lengths, or anything from 300 to 302 inclusive:
      -l '=205 =206 =207 >=300&<=302'
  Specify fragments and TCP flags:
      -f '[not-a-fragment dont-fragment is-fragment first-fragment last-fragment]'
      -T '[fin syn rst push ack urgent]'
> Web-UI
> All Rules view: rules, connections etc. (screenshot)
> Web-UI, see https://github.com/deic-dk/gossamer
> Dashboard with the most relevant network information
> Firewalls and VPN
> OpenBSD cluster and OpenVPN in the cluster
> OpenVPN:
> HMAC on the first UDP packet (OpenVPN tls-auth: control packets without a valid HMAC are dropped before any TLS handshake)
> Re-establish a client session after a disconnection
> OpenVPN clients (FastNetMon): served DNS, info, internal authoritative domain
> OpenVPN users: no DNS, split VPN
> Unbound & nsd: recursive and caching, and authoritative DNS
> pf: force DNS and NTP to predefined servers (localhost) without the clients' knowledge
> Same time on all system components
> ExaBGP, routers etc.
> Part of our network infrastructure
> Configuration is in memory only: deliberately designed not to survive a restart
> Deployment and development
> GitHub
> Unattended installation from ISO
> FastNetMon, 10Gb drivers etc., customer-specific OpenVPN configurations
> DDPS database server, Web-UI and tools
> Tool to modify ISO images
> Status
> Rough documentation, and not everything is on GitHub
> No code review yet: probably full of errors
> GUI has missing parts
> Web-UI / web server and database not yet cluster aware
> (Probably something else I've forgotten)
> FastNetMon detection limitations
> Only certain volumetric attacks
> Not attacks masked as legitimate traffic
> Not attacks on the application layer (expensive API calls, Slowloris-based attacks that send partial requests to fill the web server's maximum concurrent connection pool): one source, many requests, a small amount of data
> Who made DDPS
> Anders Mundt Due
> Ashokaditya Mohanty
> Kasper Sort
> Nicolai Ernst
> Niels Thomas Haugård
> Tangui Coulouarn
> Who made DDPS possible
> Pavel Odintsov (FastNetMon), and the long list of people who made PostgreSQL, the languages, drivers and operating systems
> Questions

Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 

DeiC DDoS Prevention System - DDPS

  • 9. DDoS mitigation challenges for ISPs
    > Volumetric only - will not / cannot take responsibility for application layer attacks
    > Attacker has more bandwidth than the target
    > Manual blocking is slow, labor intensive and error prone
    > The blocking usually takes place too late
  • 10. DDoS mitigation: ISP - customer expectations
    > Very short response time
    > Mitigation must be implemented in uplink and peers (as close as possible to the source)
    > ISPs should cooperate
  • 11. Mitigation methods
    > BGP based blackhole routing: sacrifice attacked addresses (first RFC 3882 from 2004)
    > Predefined route communities (all, ISP, ...)
    > Described in RFC 5635 and RFC 7999
    > BGP flowspec (RFC 5575 from 2009): match/action firewall rules in edge routers
    > Attacked addresses not sacrificed: filtering on 12 network parameters
    > Implemented ca. 2013 in Juniper routers, Cisco ca. 2014
    > See Nokia/Alcatel, Cisco, Huawei and Juniper: BGP Flow Specification: Multi Vendor and Inter AS Interoperability, January 2, 2017 (https://www.nextlayer.at/flowspec-paper.pdf) - a sad and long story, but the most general option
  • 12. Other methods
    > Load share
    > Cloudflare and others
    > Rewrite your application and hand over your SSL keys - not an option for all
    > Assumes the service provider has more bandwidth than the attacker (usually they do)
    > Anycast
    > Multiple hosts, one IP address - service configured as a cluster
    > Our MX960s must filter differently on traffic from NORDUnet and Forskningsnet
    > Assumes attacks come only through NORDUnet - wrong assumption
  • 13. No matter the solution
    > Your investment in DDoS protection is worth nothing while you are not under attack
    > Defending is more expensive than attacking
    > Attacks never get less severe over time
    > You cannot predict what kind of attack will be used next time
    > IPv6 not really supported, see https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-03 (2012)
  • 14. Existing solutions
    > On-site: Arbor Networks, F5 and others:
    > Expensive, proprietary, and will they fit our infrastructure and customers?
    > Cloud: Cloudflare, Incapsula and others
    > Expensive cloud based load share, requires your SSL keys
    > Open source alternatives
    > FastNetMon
    > Firewall on Demand (GRNET / GÉANT)
  • 15. Firewall on Demand (GRNET / GÉANT)
    > No longer maintained at the time we started the project
    > Configuration based on NETCONF - not used here
    > Requires Shibboleth for authentication, while we would use WAYF — the digital recycling centre
    > Lack of automatic detection
    > A good source of inspiration
  • 16. Mitigation opportunities
    > Do not change existing customer infrastructure nor sacrifice hosts for the network
    > Black hole
    > BGP flowspec
    > Load share
    > Multicast
    > Price, performance (and maintainable code)
    > Commercial
    > Open source
    > Home grown
  • 17. What we would like ...
    > Existing services should not be changed to match a solution
    > BGP flowspec benefits:
    > May be implemented in existing (i.e. not new) network equipment
    > No changes to services needed (unlike e.g. load share)
    > Builds on top of existing BGP peering
    > Requires
    > Manual changes implemented ahead of the attack
    > Automatic detection and mitigation
  • 18. BGP flowspec as a security tool
    > eBGP: announce which networks you would like to receive traffic for from a given peer
    > only as long as the BGP session is active (TCP)
    > BGP flowspec: add discrimination to your eBGP announcement
    > Will receive traffic for our network
    > except traffic matching some criteria
    > Think of BGP flowspec as a transport protocol for firewall rules
    > Rules are implemented in the edge routers
    > Rules: closest match wins (cleanup not really required)
    > Add start and end time on top
  • 19. Simple static filtering - not opt-in

        announce flow route default-discard-udp-fragments {
            match { protocol udp; fragment [ is-fragment first-fragment last-fragment ]; }
            then { discard; }
        }
        announce flow route default-discard-ntp-amplification {
            match { protocol udp; source-port =123; packet-length =468; }
            then { discard; }
        }
        announce flow route default-discard-dns-amplification {
            match { protocol udp; source-port =53; packet-length =512; }
            then { discard; }
        }
        announce flow route default-discard-chargen-udp {
            match { protocol udp; source-port =19; }
            then { discard; }
        }
        announce flow route default-discard-chargen-tcp {
            match { protocol tcp; source-port =19; }
            then { discard; }
        }
        announce flow route default-discard-QOTD-udp {
            match { protocol udp; source-port =17; }
            then { discard; }
        }
        announce flow route default-discard-QOTD-tcp {
            match { protocol tcp; source-port =17; }
            then { discard; }
        }
        # GRE (protocol 47) carries no port numbers, so only the protocol is matched
        announce flow route default-discard-gre {
            match { protocol =47; }
            then { discard; }
        }
        announce flow route default-ratelimit-SSDP {
            match { protocol udp; source-port =1900; }
            then { rate-limit 9600; }
        }
        # space-separated values are alternatives (161 or 162); & would require both at once
        announce flow route default-ratelimit-snmp {
            match { protocol udp; source-port =161 =162; }
            then { rate-limit 9600; }
        }
  • 20. A better solution
    > Prefer BGP flowspec: integrates seamlessly with existing infrastructure and services
    > Opt-in: use on-site probe (FastNetMon)
    > Use WAYF for Web-UI authorization
    > Non-commercial version of FastNetMon, home grown Web-UI, daemon etc.
    > GUI and decentralized probes inject rules into a central database
    > No direct database access, no fancy interface: use sftp and file upload
    > Access only granted through OpenVPN - with few exceptions (protecting the GUI)
    > Short-lived blocking only: not a first line firewall with permanent rules
  • 21. Design principles
    > Precautionary principle: opt-in
    > Both self-service and automatic mitigation
    > Least privilege / least authority: restrict rule creation to specific network(s)
    > Fail safe: do nothing on e.g. data failure
    > Automatically remove access for administrators who are no longer employed
    > Automatic mitigation
    > Time critical: mitigation start time/end time, logging and status
    > Modular building blocks: software components should be replaceable
    > Limit hardware requirements
    > Install on-site: on-site is 10Gb, core is 100Gb
    > 2 x interfaces: one for monitoring (mirror port), one for uplink (assume behind NAT)
  • 22. Design
    > Redundancy where technically and economically feasible
    > Redundant functionality or fast recovery procedure elsewhere
    > Decentral probes based on FastNetMon
    > Central rule database with Web-UI etc.
    > ExaBGP hosts, firewalls, routers etc.
  • 23. Components
    > FastNetMon host
    > Debian 8, ixgbe and igb drivers
    > 2 connections: mirror port and uplink (out of band: ADSL/LTE/3G ... - behind NAT)
    > FastNetMon, influxdb, notify_script, OpenVPN, ssh, configuration
    > Two-way connections: VPN required for access to influxdb
    > DDPS host
    > OS: Ubuntu 16.04
    > PostgreSQL database, daemon
    > Web-UI, CLI tools
    > Tool to create ISO images for unattended installation (Debian and Ubuntu)
    > ExaBGP, routers etc.
  • 24. FastNetMon
    > Hardware: Supermicro X10SLL-F with Intel NIC 82599
    > Debian 8, looking at Ubuntu 16.04 / FreeBSD 11.1 / Debian 9
    > Pktgen-DPDK
    > The latest version is located on dpdk.org at http://dpdk.org/download
    > Traffic generator powered by Intel's DPDK: 10Gbit wire rate traffic with 64 byte frames
    > pkt-gen -i eth1 -z -f tx -n 500111222 -l 60 -d a.b.c.d:123
    > Handles up to 14 million 64 bit UDP packets
    > Tested with FastNetMon / packet generator host back-to-back on Debian 8
  • 25. FastNetMon
    > Commercial: all the nice options, but the license requires a routable IANA address
    > Community edition: Perl script which executes git, cmake etc.
    > A new version each time someone changes something on git
    > Looking at FreeBSD - is in ports together with netmap drivers
    > We use OpenBSD, Ubuntu and Debian (and GAiA and SPLAT)
    > Working towards compile once - use everywhere on similar OS
    > Static linking and cmake (not funny)
    > statifier fails (Kernel unable to load executable where phrs took more than PAGE_SIZE)
    > More work here
  • 26. FastNetMon on Debian 9

        echo 'deb http://ftp.de.debian.org/debian sid main' > /etc/apt/sources.list.d/fastnetmon.list
        apt-get -y update; apt-get -y upgrade; apt-get -y dist-upgrade
        apt-get -y install fastnetmon

    > but for now the ixgbe and igb drivers must be compiled from source each time the kernel is upgraded
    > Currently lack hardware to test: comparison of performance and options

        Driver   Debian 9   Native Intel   Pavel Odintsov's patched
        igb      ?          ?              ?
        ixgbe    ?          ?              ?
  • 27. Connections
    > FastNetMon mirror port
    > FastNetMon alerts to database
    > FastNetMon default gateway may be behind NAT / cellular uplink may have download limitations
    > Keep influxdb data with FastNetMon
    > Web-UI to influxdb
    > LAN VPN required
  • 28. Automatic mitigation walk through
    > FastNetMon connected to the mirror port detects an abnormality
    > FastNetMon runs the alert script
    > Alert script reads the tcpdump output from STDIN, creates a rule file and uploads it to the database host with sftp through the OpenVPN tunnel
    > Daemon on the DDPS host reads the rule file and reduces it to one rule, which is inserted in the database
    > Daemon on DDPS reads the database, activates new rules and deactivates expired rules
    > ExaBGP announces rule changes to the infrastructure
  • 29. Automatic mitigation walk through - drawing
  • 30. Implementation and security
    > Limit attack surface
    > Do not expose the Web-UI unrestricted to the public
    > Place behind VPN to limit attack surface
    > Limit access to FastNetMon: no console / customer access
    > All (relevant) parameters available to the customer through the Web-UI
  • 31. Security and data validation
    > Hierarchy of customers, their administrator rights and networks
    > FastNetMon:
    > Only upload valid data (rule files based on tcpdump output)
    > Web-UI: select from predefined choices
    > Validate data in the Web-UI
    > CLI:
    > Requires SSH access, implements full flowspec, minimal sanity check
    > DDPS daemon:
    > Validate data before inserting in the database
    > Validate data from the database before sending to ExaBGP
    > Last check: destination addresses must be ours
  • 32. Rule file format
    > Originally based on tcpdump output from FastNetMon
    > Upload with sftp
    > Read literally or optimize before insert in database
    > Format:
    > Header:
    > Lines ..
    > last-line
  • 33. Rule optimization
    > Optimize output from FastNetMon (tcpdump): reduce to one rule
    > One stream, one rule file
    > Find closest match for all non-null fields:
    > Don't match on stateless spoofed sources
    > Do match on stateful sources (e.g. established TCP connections)
    > Source and destination ports or port ranges
    > Packet lengths: same or in a range
    > Match on fragment?
    > Match on TCP flags
    > Etc.
  • 34. Rule optimization cont.

        Attack type              Mitigation   Match on
        syn_flood                rate-limit   tcp option (syn): protocol, destination port, tcp flags, size (ttl would be nice but is still in draft), and source any
        udp_flood                rate-limit   protocol and destination, size, host and port
        icmp flood               discard      protocol and destination
        ip_fragmentation_flood   rate-limit   protocol, size, and destination
        DNS amplification        rate-limit   protocol, size, port and destination
        NTP amplification        rate-limit   protocol, size, port and destination
        SSDP amplification       discard      protocol, size, port 1900, source any
        SNMP amplification       discard      protocol, size, port, destination
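The walk-through on slide 28, the last-check validation on slide 31 and the optimization rules on slides 33 and 34 fit together as one small pipeline. The following Python is an added example, not DDPS project code: it assumes a simplified tcpdump-like dump layout ("src:port > dst:port proto length", constructed here, not FastNetMon's exact output), a spoof heuristic based on the share of distinct sources (spoof_ratio), a constructed OUR_NETWORKS list and an ACTIONS mapping taken from the slide 34 table; the line it produces uses the announce flow route syntax from slide 19.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an assumed, simplified tcpdump-like layout
# ("src:port > dst:port proto length"), not FastNetMon's exact format:
# an NTP-style UDP flood from many sources against one host.
# The last line is deliberately malformed; the parser must skip it.
SAMPLE_DUMP = """\
198.51.100.7:123 > 192.0.2.10:40001 udp 468
198.51.100.9:123 > 192.0.2.10:40001 udp 468
203.0.113.44:123 > 192.0.2.10:40001 udp 468
203.0.113.80:123 > 192.0.2.10:40001 udp 472
198.51.100.200:123 > 192.0.2.10:40001 udp 468
this line is not a packet
"""

# Networks this DDPS instance may create rules for (constructed).
OUR_NETWORKS = ["192.0.2.0/24"]

# Action per protocol following the table on slide 34: UDP and TCP floods
# are rate-limited (ExaBGP rate-limit, bytes per second), ICMP is discarded.
ACTIONS = {"udp": "rate-limit 9600", "tcp": "rate-limit 9600", "icmp": "discard"}

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[a-z]+) (?P<length>\d+)$"
)


def parse_dump(text):
    """Parse dump lines; anything not matching the layout is skipped (fail safe)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("sport", "dport", "length"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def reduce_to_rule(rows, spoof_ratio=0.5):
    """One stream -> one rule (slide 33): closest match on the non-null fields,
    no source match when the sources look spoofed. The spoof test is an
    assumed heuristic: distinct sources / packets >= spoof_ratio."""
    if not rows:
        return None
    dsts = {r["dst"] for r in rows}
    protos = {r["proto"] for r in rows}
    if len(dsts) != 1 or len(protos) != 1 or next(iter(protos)) not in ACTIONS:
        return None  # mixed or unknown stream: do nothing rather than guess
    proto = next(iter(protos))
    srcs = Counter(r["src"] for r in rows)
    spoofed = len(srcs) / len(rows) >= spoof_ratio
    sports = sorted({r["sport"] for r in rows})
    dports = sorted({r["dport"] for r in rows})
    lengths = sorted({r["length"] for r in rows})
    return {
        "destination": next(iter(dsts)) + "/32",
        "protocol": proto,
        # stateful stream from one dominant source: match it; spoofed: any source
        "source": None if spoofed else srcs.most_common(1)[0][0] + "/32",
        "source-port": sports if len(sports) <= 4 else None,
        "destination-port": dports if len(dports) <= 4 else None,
        # packet length: a few exact values, otherwise the observed range
        "packet-length": lengths if len(lengths) <= 3 else (lengths[0], lengths[-1]),
        "action": ACTIONS[proto],
    }


def destination_is_ours(rule, our_networks=OUR_NETWORKS):
    """Last check before ExaBGP (slide 31): destination must lie inside our networks."""
    dst = ipaddress.ip_network(rule["destination"])
    return any(dst.subnet_of(ipaddress.ip_network(n)) for n in our_networks)


def to_exabgp(rule, name):
    """Render the rule as one ExaBGP 'announce flow route' line (slide 19 syntax)."""
    match = [f"destination {rule['destination']};", f"protocol {rule['protocol']};"]
    if rule["source"]:
        match.append(f"source {rule['source']};")
    for key in ("source-port", "destination-port"):
        if rule[key]:
            match.append(f"{key} {' '.join('=%d' % p for p in rule[key])};")
    length = rule["packet-length"]
    if isinstance(length, tuple):
        match.append(f"packet-length >={length[0]}&<={length[1]};")
    else:
        match.append(f"packet-length {' '.join('=%d' % v for v in length)};")
    return f"announce flow route {name} {{ match {{ {' '.join(match)} }} then {{ {rule['action']}; }} }}"


def process_dump(text, name="auto-rule"):
    """Parse, reduce and validate; None means 'announce nothing' (fail safe)."""
    rule = reduce_to_rule(parse_dump(text))
    if rule is None or not destination_is_ours(rule):
        return None
    return to_exabgp(rule, name)


if __name__ == "__main__":
    print(process_dump(SAMPLE_DUMP))
```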
  • 35. How to handle failures and errors
    > Phone
    > Panic button: restart 2 x ExaBGP
    > Add more specific accept rule (CLI only)
    > Expire rule(s) now (CLI only)
  • 36. ddpsrules (CLI)

        /opt/db2dps/bin/ddpsrules [-v] add [-h] ... | del ... | active | log

        active: Print active rules with rule id's from database
        del:    Set expire time to now for rule matching (list of) rule id(s)
        add:
            --blocktime|b minutes
            --dst|D destination: one cidr only (database type limitation)
            --src|S source: one cidr only (database type limitation)
            --protocol|P protocol
            --dport|d destination port
            --sport|s source port
            --icmp_type|t icmp type
            --icmp_code|c icmp code
            --tcpflags|T TCP tcpflags
            --length|l package length
            --dscp|C DSCP flags
            --frag|f fragments
            --action|a action: accept, discard or 'rate-limit 9600'

        flowspec syntax (exabgp) is accepted for all parameters but IP addresses, e.g.

        Specify http and https only
            -P '=80 =443'
        Specify length: 3 specific, all more than 300 or less than 302
            -l '=205 =206 =207 >=300&<=302'
        Specify fragments and TCP tcpflags
            -f '[not-a-fragment dont-fragment is-fragment first-fragment last-fragment]'
            -T '[fin syn rst push ack urgent]'
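The CLI on slide 36 accepts ExaBGP flowspec syntax for every numeric parameter and applies only a minimal sanity check. The following Python is an added example, not the ddpsrules code: it parses that operator syntax (space-separated items are alternatives, & joins conditions that must all hold, as in the RFC 5575 numeric operators), enforces a value range per option and tests a value against a specification; the BOUNDS table and the keyword sets are assumptions drawn from the slide's examples.

```python
import re

# Numeric operators of the flowspec syntax accepted by the CLI (ExaBGP form).
TERM_RE = re.compile(r"^(>=|<=|!=|=|>|<)(\d+)$")
OPS = {
    "=": lambda v, n: v == n,
    "!=": lambda v, n: v != n,
    ">": lambda v, n: v > n,
    "<": lambda v, n: v < n,
    ">=": lambda v, n: v >= n,
    "<=": lambda v, n: v <= n,
}

# Assumed value ranges per ddpsrules 'add' option: protocol and ICMP fields
# are 8 bit, ports and packet length 16 bit, DSCP 6 bit.
BOUNDS = {
    "protocol": (0, 255), "dport": (0, 65535), "sport": (0, 65535),
    "icmp_type": (0, 255), "icmp_code": (0, 255),
    "length": (0, 65535), "dscp": (0, 63),
}
# Keyword lists for the bracketed parameters shown on the slide.
TCP_FLAGS = {"fin", "syn", "rst", "push", "ack", "urgent"}
FRAGMENTS = {"not-a-fragment", "dont-fragment", "is-fragment",
             "first-fragment", "last-fragment"}


def parse_numeric(spec, lo=0, hi=65535):
    """Return a list of AND-groups, each a list of (operator, value).
    Raises ValueError for syntax outside the accepted form or an out-of-range value."""
    groups = []
    for item in spec.split():
        conds = []
        for term in item.split("&"):
            m = TERM_RE.match(term)
            if not m:
                raise ValueError(f"bad term {term!r} in {spec!r}")
            op, num = m.group(1), int(m.group(2))
            if not lo <= num <= hi:
                raise ValueError(f"{num} outside {lo}-{hi} in {spec!r}")
            conds.append((op, num))
        groups.append(conds)
    if not groups:
        raise ValueError("empty specification")
    return groups


def matches(spec, value, lo=0, hi=65535):
    """True if value satisfies any item of spec (every condition of that item)."""
    return any(all(OPS[op](value, n) for op, n in g) for g in parse_numeric(spec, lo, hi))


def parse_keywords(spec, allowed):
    """Parse '[kw kw ...]' and reject keywords the routers would not understand."""
    s = spec.strip()
    if not (s.startswith("[") and s.endswith("]")):
        raise ValueError(f"expected a bracketed list, got {spec!r}")
    words = s[1:-1].split()
    unknown = sorted(set(words) - allowed)
    if not words or unknown:
        raise ValueError(f"unknown keywords {unknown} in {spec!r}")
    return words


def sanity_check(option, spec):
    """Minimal check for one 'add' option; returns the parsed form or raises."""
    if option == "tcpflags":
        return parse_keywords(spec, TCP_FLAGS)
    if option == "frag":
        return parse_keywords(spec, FRAGMENTS)
    if option in BOUNDS:
        return parse_numeric(spec, *BOUNDS[option])
    raise ValueError(f"unknown option {option!r}")


def check_add_args(args):
    """Check a dict of option -> spec; returns the sorted list of offending options."""
    bad = []
    for option, spec in args.items():
        try:
            sanity_check(option, spec)
        except ValueError:
            bad.append(option)
    return sorted(bad)
```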
  • 37. Web-UI
    > All rules
    > Web-UI - connections etc.
  • 38. Web-UI — see https://github.com/deic-dk/gossamer
    > Dashboard with the most relevant network information
  • 39. Firewalls and VPN
    > OpenBSD cluster and OpenVPN in cluster
    > OpenVPN:
    > HMAC in first UDP packet
    > Re-establish a client session after a disconnection
    > OpenVPN clients (FastNetMon) served DNS, info, internal authoritative domain
    > OpenVPN users: no DNS, split VPN
    > Unbound & nsd - recursive and caching, and authoritative DNS
    > pf: force DNS and NTP to predefined servers (localhost), without the clients' knowledge
    > Same time for all system components
  • 40. ExaBGP, routers etc.
    > Part of our network infrastructure
    > Configuration is memory only: deliberately designed not to survive restart
  • 41. Deployment and development
    > GitHub
    > Unattended installation from ISO
    > FastNetMon, 10Gb drivers etc., customer specific OpenVPN configurations
    > DDPS database server, Web-UI and tools
    > Tool to modify ISO images
  • 42. Status
    > Rough documentation and not everything on GitHub
    > No code review yet: probably full of errors
    > GUI has missing parts
    > Web-UI / web server and database not yet cluster aware
    > (Probably something else I've forgotten)
  • 43. FastNetMon detection limitations
    > Only certain volumetric attacks
    > Not attacks masked as legitimate traffic
    > Not attacks on the application layer (expensive API calls, Slowloris based attacks (sending a partial request, filling the web server's maximum concurrent connection pool) - one source, many requests, small amount of data)
  • 44. Who made DDPS
    > Anders Mundt Due
    > Ashokaditya Mohanty
    > Kasper Sort
    > Nicolai Ernst
    > Niels Thomas Haugård
    > Tangui Coulouarn
    > Who made DDPS possible
    > Pavel Odintsov - FastNetMon - and a long list of the people who made PostgreSQL, languages, drivers and operating systems
  • 45. Questions

Editor's Notes

  1. Hello and welcome. My name is Thomas, I'm from DeiC and I'm here to tell you about a system we are working on to mitigate DDoS attacks
  2. DeiC is the Danish NREN housed at DTU (other locations as well)
  3. Why present it here: DDoS prevention requires cooperation
  4. This is what I'll talk about for the rest of the presentation
  5. Graph from Arbor Networks. Attacks never get less severe over time: general increases in bandwidth and better connected and controlled botnets enable larger DDoS attacks. Can't find a graph showing the average bandwidth growth for the same timespan
  6. Not the most sophisticated attack, but stateless attacks do not require thoughtful preparation. From https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q1-2017-state-of-the-internet-security-report.pdf page 4. Looks like stateless attack strategies are preferred; small difference between Q1 and Q2. CLDAP (Connection-less Lightweight Directory Access Protocol) is most commonly encountered on Microsoft Active Directory networks where clients use it to retrieve server information. This particular operation is described in MS documentation as an "AD ping" but is perhaps more formally described as a RootDSE query for the Netlogon attribute. Port 389, see https://www.bleepingcomputer.com/news/security/cldap-protocol-allows-ddos-attacks-with-70x-amplification-factor/
  7. 40 min left. Early warnings: we are puzzled about the lack of massive attacks
  8. Either go for an L7 attack or flood with stateless packets. L7 in general requires more knowledge of the target, while flooding can be conducted successfully if you have more bandwidth than the target. You may patch your application/kernel/... but there is no defence against flooding with stateless packets. You won the popularity contest
  9. The rest focuses on ISP mitigation areas: paralysis of infrastructure, not just one or more servers; the attacked equipment is not necessarily the one most affected. No local solutions: an attack on one institution may affect others as well
  10. Customers correctly expect the ISP to fix what they cannot handle themselves
  11. Our existing equipment ca. 2016 could not do flowspec, only blackhole routing, see https://www.nextlayer.at/flowspec-paper.pdf. Flowspec introduced in Cisco IOS XR Software Release 5.2.0 for Cisco ASR 9000 Series Routers. Please hand over your SSL keys ...
  12. Please hand over your SSL keys - trust the vendor - anycast: wrong assumptions, see https://blog.cloudflare.com/a-brief-anycast-primer/. The Maginot Line in WW1 - wrong assumption ...
  13. 35 min left. In opposition to most other IT investments. Cloudflare protects DDoS-as-a-service services (sic). Software available on github (sic). No hassle: Google stresser booter and select your service provider (sic), or be self-hosted if preferred. Attack method may be changed on-the-fly: try this, try that etc. https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/ Flowspec and IPv6: IPv6 is not supported well enough - see https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6-03 (2012)
  14. Would like a general solution. Existing services should not be changed to match a solution. BGP flowspec benefits: may be implemented in existing (i.e. not new) network equipment; no changes to services needed (unlike e.g. load share); builds on top of existing BGP peering. Requires manual changes implemented ahead of the attack, and automatic detection and mitigation. And on black-hole - Hugge has some interesting solutions based on distance and reputation: don't announce our networks further than xxx km and/or not to AS / ISPs with poor reputations (no attacks from e.g. Google, Apple or Facebook)
  15. No changes to customer services. No assumptions on attack
  16. Transport mechanism for rules
  17. 30 min left. Drop the opt-in clause: how far can we get with static filtering and BGP flowspec? Pretty far, I think. Does not work with our Cisco equipment at the time. Refer to the script, which we don't use, but others have adopted the idea
  18. Most suitable choices
  19. Don't mess with other people's networks. Think in large replaceable building blocks. Leave current position: automatically lose access rights as it is based on WAYF
  20. 2 is one and 1 is none - redundant functionality and ease of restore
  21. Uplink unknown: may have data limitations, so keep influxdb time series data locally until needed by the GUI. Not necessarily the internet connection, could be DMZ
  22. Acid test: handle 10Gb traffic with 64bit packets - roughly 14 million packets a minute
  23. Select FastNetMon version ... We started when the community version was the only option. May change in the future. Prefer the same version everywhere rather than different versions for each installation. Commercial and community edition not comparable, like a version 2 and version 1
  24. Pretty easy to install, just need to test the driver and performance
  25. 25 minutes left. Administrator: must have OpenVPN credentials to access the network and WAYF credentials to access the system. KEY DISTRIBUTION cumbersome, looking at the GÉANT project for that. FastNetMon: unique OpenVPN and SSH keys, any network will do, listens on mirror port. Internal systems: all virtual, shielded from both internal and external access. WAYF credentials not shown
  26. Detection -> Trigger script: check parameters (OpenVPN) -> sftp -> daemon -> database -> in / out -> ExaBGP -> routers
  27. 20 min left
  28. Customers are created with one dbadmin, which can create other admins, split assigned networks and create rules. Currently cumbersome and labour-intensive to create admins and customers.
  29. Different formats: either do optimize when creating the rule based on the info, or don’t optimize but take the rule file literally. Different versions: prepare for the misfortune of working with different versions of the format. For now: only FNM (FastNetMon), do optimize and don’t optimize. CERT is working on a project using Cisco NetFlow data for mitigation.
  30. One FastNetMon stream => one rule. Random source = spoofed source. Rule files which should be optimized - how to do that?
  31. The table may not be entirely correct, as FastNetMon may not always provide enough data. SSDP - Simple Service Discovery Protocol (see draft-cai-ssdp-v1-03) does not belong on a WAN anyway? It is used for UPnP discovery. The same goes for TCP / UDP ports 1 - 19. SNMP does, to my best understanding, not pass the boundaries of a company network, not even protocol version 3. And sacrificing monitoring data for the sake of the network is fine with me. Sometimes FastNetMon does not provide enough data; then don’t match on the missing information (e.g. ICMP code and type). With e.g. ICMP flooding, use the fact that ICMP is not a critical protocol like e.g. HTTP or TCP SYN.
  32. 15 min left. Phone - no longer the customer’s problem but ours. Panic button, specific pass rule, expire rule. Requires CLI access to the database server.
  33. What does it look like? With a wonderful syntax like:
      port =0 =21 =23 =25 =26 =27 >=30&<=32 >=33&<=35 >=37&<=39 =65535 or port=0-19
      protocol =0 =1 =3 =5 =6 =7 >=10&<=12 >=13&<=15 >=17&<=19 =255
      icmp-type =0 =1 =3 =5 =6 =7 >=10&<=12 >=13&<=15 >=17&<=19 =255
      icmp-code =0 =10 =21 =23 =25 =26 =27 >=30&<=32 >=33&<=35 >=37&<=39 =255
      tcp-flags [fin syn rst push ack urgent]
      packet-length =0 =40 =46 =201 =203 =205 =206 =207 >=300&<=302 >=303&<=305 >=307&<=309 =65535
      dscp =0 =1 =3 =5 =6 =7 >=10&<=12 >=13&<=15 >=17&<=19 =48 =63
      fragment [ not-a-fragment dont-fragment is-fragment first-fragment last-fragment ]
      NOC only
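The following is an added example, not code from the DDPS repository or from FastNetMon, tying slides 30 and 31 to the match syntax on slide 33: it builds a rule from a FastNetMon-style detection summary while leaving out every field the detector did not report (so the rule never matches on missing ICMP type/code information), ignores the source because a random source is a spoofed one, and then parses the resulting text to check packets against it. Assumptions: the detection field names (`protocol`, `dst_port`, `packet_length`, ...) are constructed and are not FastNetMon's real output format; terms on one attribute line are read as alternatives and parts joined with `&` as a conjunction, which is my reading of the slide's syntax; the `=0-19` range shorthand follows the `port=0-19` form the slide shows.

```python
"""Build and evaluate DDPS-style match rules (added example; constructed formats)."""
import re
from typing import Callable, Dict, List

# IANA protocol numbers for the protocols the slides mention.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

# Attributes written as a [ keyword ... ] list instead of numeric comparisons.
KEYWORD_ATTRS = {"tcp-flags", "fragment"}

# One numeric comparison: '=21', '>=30', '<=32', or the '=0-19' range shorthand.
_NUM_RE = re.compile(r"^(>=|<=|=|>|<)(\d+)(?:-(\d+))?$")

Predicate = Callable[[object], bool]


def _parse_numeric_term(term: str) -> Predicate:
    """A whitespace-separated term; parts joined by '&' must all hold (AND)."""
    checks: List[Predicate] = []
    for part in term.split("&"):
        m = _NUM_RE.match(part)
        if not m:
            raise ValueError(f"bad numeric term: {term!r}")
        op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        if hi is not None:
            if op != "=":
                raise ValueError(f"range shorthand only valid with '=': {part!r}")
            checks.append(lambda x, a=lo, b=int(hi): a <= x <= b)
        elif op == "=":
            checks.append(lambda x, v=lo: x == v)
        elif op == ">=":
            checks.append(lambda x, v=lo: x >= v)
        elif op == "<=":
            checks.append(lambda x, v=lo: x <= v)
        elif op == ">":
            checks.append(lambda x, v=lo: x > v)
        else:
            checks.append(lambda x, v=lo: x < v)
    return lambda x: all(c(x) for c in checks)


def parse_rule(text: str) -> Dict[str, Predicate]:
    """Map each attribute to a predicate; the terms on one line are alternatives (OR)."""
    rule: Dict[str, Predicate] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        attr, terms = tokens[0], tokens[1:]
        if not terms:
            raise ValueError(f"attribute {attr!r} has no value")
        if attr in KEYWORD_ATTRS:
            body = " ".join(terms)
            if not (body.startswith("[") and body.endswith("]")):
                raise ValueError(f"{attr} needs a [ keyword ... ] list")
            wanted = set(body[1:-1].split())
            # The packet supplies its own keyword set; any listed keyword matches.
            rule[attr] = lambda flags, w=wanted: bool(set(flags) & w)
        else:
            preds = [_parse_numeric_term(t) for t in terms]
            rule[attr] = lambda value, p=preds: any(f(value) for f in p)
    return rule


def packet_matches(rule: Dict[str, Predicate], pkt: Dict[str, object]) -> bool:
    """A packet matches only if every attribute the rule names is present and passes."""
    return all(attr in pkt and pred(pkt[attr]) for attr, pred in rule.items())


def rule_from_detection(det: Dict[str, object]) -> str:
    """Turn a FastNetMon-style summary (constructed field names) into rule text.

    Fields the detector did not report are None and are left out, so the rule
    never matches on information it does not have. The source address is never
    used: a random source is a spoofed source and useless as a match key.
    """
    lines: List[str] = []
    proto = det.get("protocol")
    if proto is not None:
        lines.append(f"protocol ={PROTO_NUM[proto]}")
    if det.get("dst_port") is not None:
        lines.append(f"port ={det['dst_port']}")
    if proto == "icmp" and det.get("icmp_type") is not None:
        lines.append(f"icmp-type ={det['icmp_type']}")
    if proto == "tcp" and det.get("tcp_flags"):
        lines.append("tcp-flags [ " + " ".join(det["tcp_flags"]) + " ]")
    if det.get("packet_length") is not None:
        lo, hi = det["packet_length"]
        lines.append(f"packet-length >={lo}&<={hi}")
    if not lines:
        raise ValueError("detection carries nothing a rule could match on")
    return "\n".join(lines) + "\n"


# Constructed sample: an SSDP (UDP/1900) amplification flood with spoofed
# sources; no ICMP or TCP details were reported, as expected for UDP.
SSDP_DETECTION = {"protocol": "udp", "dst_port": 1900, "packet_length": (300, 400),
                  "icmp_type": None, "tcp_flags": None, "random_source": True}

# Constructed sample in the slide's syntax, exercising the range and keyword forms.
SAMPLE_RULE = "port =0 =21 =23 >=30&<=32 =65535\nprotocol =6\ntcp-flags [ syn ]\n"

if __name__ == "__main__":
    text = rule_from_detection(SSDP_DETECTION)
    print(text, end="")
    print(packet_matches(parse_rule(text), {"protocol": 17, "port": 1900, "packet-length": 350}))
```

The generated rule for the constructed SSDP detection contains only `protocol`, `port` and `packet-length` lines; a packet lacking an attribute the rule names is treated as a non-match rather than a wildcard, which is the safe default for a rule that ends up in a router via ExaBGP.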
  34. View rules: automatic and manual.
  35. Dashboard: current state (data from influx db)
  36. Accessing and protecting the system: CARP. Not on git yet - but should be straightforward to implement.
  37. No boot CD images, as they are created using Ansible, but it should also be straightforward to install.
  38. GitHub: same version. Boot CD image: no configuration management system required.
  39. Won the popularity contest - not attacked. Rate limiting doesn’t help here. Other methods of mitigation: blackhole based on router distance or AS reputation. Next version of DDPS: an API for adding rules based on honeypots etc.
  40. 10