V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Transcription

1 Enabling Precise Defense against New DDoS Attacks

2 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against these types of DDoS attacks. Executive Summary: The fast growing prosperity of cloud computing is accompanied by a surge in the provision of Internet as well as DDoS attacks and their variants. DDoS attacks are more prone to targeting the application layer especially WEB and DNS services, launched mainly out of malicious competition. Profitable online services are allegedly undergoing more and longer attacks, according to Huawei Cloud Security Center. Currently, various functional evasion techniques are used on botnets to keep them alive longer. Typical techniques used are the domain generation algorithm (DGA) and Fast-flux techniques, which quickly replace C&C server IP address. The common defensive measure of shutting down the C&C server (source of attacks) does not work effectively when dealing with DDoS attacks launched using botnets. Since traditional attack detection and defensive measures fail to defend against new types of DDoS attacks, there is rapidly growing demand for new defensive measures which provide accurate detection and correct identification of attacks.

3 Trend of DDoS Attacks 1. Application services are suffering more DDoS attacks with light traffic and low speed. Carrier networks and their basic architecture and infrastructure have historically been the target of DDoS attacks. In more recent times, internet applications and services, such as enterprise website, online shopping, streaming services, online gaming, DNS, and have increasingly become prime targets of DDoS attacks. Web-targeted DDoS attacks have accounted for over 87.11% DDoS attacks, according to the latest security report released by Huawei. Hackers have been seen to prefer more elusive attacks requiring lower bandwidth and lighter traffic because they can achieve their attack goals while maintaining low costs. By exploiting vulnerabilities of commonly-used flow detection techniques, applicationtargeted attacks that have light traffic and low bandwidth are prevailing. Packets have to be verified one by one to detect DDoS attacks at the application layer. 2. DDoS attacks are becoming increasingly complex. More simulated Http attacks: Before launching attacks, hackers usually select WEB servers and perform tests to discover their vulnerabilities. They proceed to exploit these vulnerabilities by repurposing ghost servers and resources to exhaust the system's computing resources. In the meantime of achieving attack effects, they hide the attack sources by instructing botnet computers to send normal-like requests to the WEB servers over proxy servers. Such attacks have a relatively low access rate but a sufficiently large volume of access requests will exhaust the server s computing resources, and consequently result in a denial of service. 2 Trends: 1) Application services are suffering more DDoS attacks with light traffic and low speed. 2) DoS attacks are becoming increasingly complex. Traditional defenses technologies such as source detection and proxies cannot effectively counter such attacks while a source reputation assessment system does, which is capable of handling such attacks with high efficiency and precision. Minnow-for-whale DNS Cache Miss attack: Second to WEB-targeted DDoS attacks in terms of popularity, DNS-targeted DDoS attacks are launched by sending a large volume of non-existing domain names to be queried to the DNS server aimed at increasing its workload. This prevents legitimate queries to the DNS Server from querying the cache preventing them from resolving domain names. DNS-targeted attacks are intended to hit authoritative DNS servers that are used by online services. Such attacks lead to online service failures and also bring down other Internet services that depend on domain name resolution. This form of attack encompasses the largest scope of impact, severely affecting services and infrastructure down to the most basic architecture of Internet. The Kmplayer event in 2009 is an example of typical of a DNS Cache Miss attack. To effectively defend against DNS-targeted attacks, both proactive and responsive countermeasures shall be taken such as attack detection and analysis based on source reputation, session reputation, and behavior analysis.

4 3 Insufficiency of traditional defenses technical: 1) Maintaining a good user experience while eliminating terminal misjudgment makes defense against Http attacks extremely difficult. 2) Identification of spoofing sources is hard for DNS Cache Miss attack defense. 2) Insufficient session techniques hardly detect light-traffic attacks. Insufficiency of traditional defenses against new DDoS attacks 1. Maintaining a good user experience while eliminating terminal misjudgment makes defense against Http attacks extremely difficult. Defending against Http attacks aimed at e-commerce websites must avoid terminal misjudgment while eliminating all impacts on user experience. Presently, techniques such as URL redirection and code verification are commonly used to defend against Http attacks. However, the web page displayed during verification cannot carry any information, which impacts user experience. Most importantly, many users access e-commerce systems using their smartphones as a result of their high mobility and availability. Smartphones, however, do not completely implement the HTTP application protocol stack and in most cases do not support redirection. This means that such a common defensive measure may interrupt or completely prevent the access of mobile terminal users. Being aware of such a prominent vulnerability, hackers may launch attacks by disguising themselves as mobile smart terminals with full knowledge that it would be harder to defend the DDoS attacks that target mobile web applications. To accurately identify Http attacks while maintaining a good user experience, other countermeasures like smart terminal identification, application-layer IP reputation, and session analysis must be implemented. 2. Identification of spoofing sources is hard for DNS Cache Miss attack defense. DNS querying is based on UDP protocol which is connectionless, thus presents a challenge in defending against DNS Cache Miss attacks. A common countermeasure taken to prevent DNS Cache Miss Attacks is to change UDP requests into TCP requests to verify the sources. However, as seen on live networks, most DNS clients do not support TCP, preventing this countermeasure from being physically applicable. If a hacker launches a Cache Miss attack at the DNS authorization server by simulating or using a

5 real DNS buffer server, defending against such an attack will be extremely difficult. An effective source reputation mechanism is required such that source reputation is analyzed for an ongoing session to distinguish between unauthorized and authorized accesses. 3. Insufficient session techniques hardly detect light-traffic attacks. Among botnet based DDoS attacks, light-traffic attacks are the hardest to defend against. They usually carry genuine IP addresses and exploit application access vulnerabilities (after three handshakes with the application server). Such attacks can only be detected through ongoing session monitoring and user behavior analysis. Detecting and eliminating such attacks requires more precise defenses and better performance on security devices than common attacks. At this moment, no vendor provides sufficient session monitoring techniques capable of detecting and defending against light-traffic attacks. Huawei V-ISA Reputation Mechanism, a Powerful Technique to Defend Against New DDoS Attacks 4 Based on professional software and hardware platforms with traditional competitive edges, Huawei anti-ddos solution introduces the first V-ISA reputation security system in the industry and unique anti-ddos product featuring advanced detection mechanisms all while delivering over 100 Gbit/s of performance on a single device. This solution provides a powerful tool for carriers, enterprises, and data centers to accurately defend against new DDoS attacks. 1. Working mechanism of the V-ISA In most cases, the system learns the characteristics of Layer-3, Layer-4, and Layer-7 traffic and sets up service access models of the protected IP addresses, including service access models of sources. Then the system compares traffic statistics with the service models to detect anomalies. To prevent any impact on customer experiences, the system gives top N traffic with good reputations bonus points during traffic model learning. When a security event occurs, the solution ensures that access from users with a good reputation is permitted and reputation authentication, behavior analysis, and session reputation are implemented to identify suspicious sources that exceed the source access baseline. Identifiable attacks include the botnet attacks with forged or real sources and the lowrate attacks simulating access from legitimate users. With the V-ISA reputation security mechanism, no legitimate access is blocked and no attacks are permitted. Huawei V-ISA Reputation Mechanism: 1) Multi-tenant-based anti-ddos and operation. 2) IP reputation-based defense against DDoS launched by botnets. 3) Defense against Session reputation-based low-rate attacks. 4) Defense against Behavior reputationbased application attacks.

6 2. Components of the V-ISA reputation security system In Huawei V-ISA reputation detection system V, short for Virtual, indicates that Huawei anti- DDoS system can implement security protection and operation in cloud computing multi-tenant scenario; I, short for IP, indicates that the system provides IP reputationbased botnet defense; S, short for Session, indicates that the system provides session reputation-based low-rate attack defense; A, short for Application, indicates that the system provides behavior reputation-based application attack defense. Multi-tenant-based anti-ddos and operation: The Zone concept of Huawei anti- DDoS system echoes with the tenant concept of cloud computing. The system provides customized defense policies, defense thresholds, and reports, supports the regular sending of customized reports, and provides a report self-service portal. IP reputation-based defense against DDoS launched by botnets: Based on botnet detecting technologies and anti-ddos blacklists, the system generates a "zombie" IP address database. From the active time of IP addresses, the system can tell zombie activation time. Then the system adds the active IP addresses to the address list to filter malicious traffic. This technology filters out malicious traffic without source authentication to prevent authentication impacts on legitimate services. In addition, the direct filtering technology provides a vantage point from which it is possible to defend against mobile botnets since the traditional authentication scheme is in adequate. To prevent detrimental impacts on customer experience, Huawei anti- DDoS system employs a customer reputation mechanism. Before attacks are launched, the system adds the IP addresses of customers with large volumes of traffic and legitimate behaviors to an IP reputation list to ensure that traffic generated by these customers is rapidly forwarded. If used for mobile application and e-commerce website protection in case of mobile terminal access, this technology not only improves the defense efficiency but also lowers the number of false positives to the lowest extent possible today. Defense against Session reputation-based low-rate attacks: Low-rate attacks target at TCP applications. This type of attacks are launched by a massive number of zombies, each equipped with small volume of traffic, resulting in low traffic rates which are uneasy to detected. Typical representatives include SSL-DoS/DDoS, HTTP slow headers/post attack, HTTP retransmission, and Sockstress attacks. Huawei anti-ddos system sets up a session table for all suspicious sources that pass source authentication and are excluded from forged sources, records session indicators for these sources, analyzes abnormal behavior statistics, and proceeds to block packets from these sources if their anomaly counts exceed the predefined limit. This anti-ddos system features accurate differentiation between infected traffic and legitimate traffic without returning any false positives or false negatives, unlikely to be detected by competing vendors. Huawei is one of the few vendors that provide a complete session defense mechanism capable of detecting can detect anomalies in ongoing sessions. Defense against Behavior reputation-based application attacks: This behavior-based defense technology works by analyzing and comparing patterns generated by user and zombie behaviors. The resources accessed by legitimate users have no specific order and the access frequency is random. However, zombie behaviors are designed, ordered and have specific targets. Therefore, the accessed resources and access frequency are fixed. Although the rate of a single source may be low, the QPS is high. Whitelist & blacklist First packet drop Source authentication Portion statistics Session reputation Whitelist Blacklist No match Operation by list Client AntiDDoS Client AntiDDoS 1 st SYN SYN SYN ACK 2 nd SYN wrong SEQ RST No reply Client AntiDDoS SYN/ACK/RST N link Data transfer N link Normal = N data Over high N data Client AntiDDoS TCP handshake Data transfer Session record List out of session reputation and source authentication results Drops the first SYN packet and records simple info Cookie bounce, verifying the source Statistics on the portion of packets for session to packets data trams mission Whitelist generated for Top N sessions Off previously identified attack packets Off 80% fake source attack packets Off 10% repeated fake source attack packets Off 10% true source attack packets Session credits generated High performance Avoiding full traffic bounce authentication, saving bandwidth Behavior analysis + session reputation, complete and effective

7 As long as the model is correct, the behavior analysis technology does not have any adverse impact user experience. In most cases, behavior analysis is used with session reputation and source authentication to enhance defense accuracy. For example, behavior analysis can detect attack sources that pass the transport-layer source authentication but have abnormal TCP packet rates. To protect the HTTP server on a fixed network, source behavior analysis can be configured to redirect the packets that exceed the source access baseline. Similarly, in the DNS defense scenario, behavior analysis can be configured to detect DNS servers under attack and function with source authentication on the suspicious sources to minimize impact on legitimate user accesses. In conclusion, a complete behavior analysis involves multi-dimensional analysis and usually needs to function with source authentication. Consequently, this has high requirements on device performance. Due to high costs of development and limited security capabilities, most security vendors are unable to produce anti-ddos products capable of conducting fine-tuned behavior analysis, preventing them from conducting a world class defense against attacks. Huawei anti-ddos devices, employs the industry-leading distributed multi-core architecture, integrate four high-performance CPUs on each SPU to deliver 10 Gbit/s application-layer behavior analysis capabilities, which set it in a class of its own, delivering a world class, complete anti-ddos defense suite. Conclusion Empowered by the V-ISA reputation detection system, Huawei anti-ddos solution provides powerful and intelligent defense mechanisms with seven protection layers specific to each of the seven OSI layers for a complete anti-ddos defense: deformed packet filtering, by-feature packet filtering, application-layer source authentication, source authentication, session analysis, behavior analysis, and smart rate limiting. Deformed packet filtering: filters non-standard packets. By-feature packet filtering: identifies attack traffic (by analyzing for its unique fingerprint using Huawei-proprietary fingerprint learning and comparing algorithm), and filters packets by customized attributes such as IP addresses and ports. Application-layer source authentication and source authentication: verify the source IP address and the intention of access. Session analysis and behavior analysis: check for features of DDoS attacks targeting TCP connections and applications. DDoS attacks usually have a light traffic, constant access frequency, and same destination resource. The analysis techniques effectively defend against botnet DDoS attacks that are usually undercovered by means of evasion. Smart rate limiting: limits and controls access to heavy traffic to ensure availability of servers. 5 In all, Huawei anti-ddos solution provides complete DDoS defense by cleansing traffic layer by layer while maintaining consistent quality of user access. References: 2013 Botnets and DDoS Attacks Report.pdf Huawei AntiDDoS Solution

8 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. HUAWEI TECHNOLOGIES CO., LTD. Huawei Industrial Base Bantian Longgang Shenzhen , P.R. China Tel: Version No.: M C-1.0