Defending the Network: Mitigating Attacks

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Defending the Network: Mitigating Attacks"

Transcription

1 Defending the Network: Mitigating Attacks Roland Dobbins Solutions Architect BKK mobile SIN mobile Arbor Public

2 Agenda Six Phases of Incident Response Reacting with the Data Plane Reacting with the Control Plane Using Dedicated Security Devices Page 2 - Arbor Public

3 Agenda Six Phases of Incident Response Reacting with the Data Plane Reacting with the Control Plane Using Dedicated Security Devices Page 3 - Arbor Public

4 Six Phases of Incident Response Page 4 - Arbor Public

5 Six Phases of Incident Response Post Mortem What was done? Can anything be done to prevent it? How can it be less painful in the future? Preparation Prep the Network Create Tools Test Tools Prep Procedures Train Team Practice Identification How do you know about the attack? What tools can you use? What s your process for communication? Reaction What options do you have to remedy? Which option is the best under the circumstances? Traceback Where is the attack coming from? Where and how is it affecting the network? What other current network problems are related? Classification What kind of attack is it? Page 5 - Arbor Public

6 Preparation Preparation Develop and Deploy a Solid Security Foundation Includes technical and non-technical components Encompasses best practices The hardest yet most important phase Without adequate preparation, you are destined to fail The midst of a large attack is not the time to be implementing foundational best practices and processes Page 6 - Arbor Public

7 Preparation Know the enemy Understand what drives the miscreants Understand their techniques Create the security team and plan Who handles security during an event; is it the security folks; the networking folks A good operational security professional needs to be a cross between the two: silos are useless Harden the devices Prepare the tools Network telemetry Reaction tools Page 7 - Arbor Public

8 Preparation Establish upstream/downstream contacts Understand their capabilities Establish a relationship and contact procedures An attack is no time to figure out how to contact an upstream or understand how they could potentially assist you Infrastructure security All of the techniques talked about today also assume that the infrastructure is available to route and forward packets! Page 8 - Arbor Public

9 Are You Pushing the Envelope? Know Your Equipment and Infrastructure: Know the performance envelope of all your equipment (routers, switches, workstation, etc.). You need to know what your equipment is really capable of doing. Know the capabilities of your network. If possible, test it. Surprises are not kind during a security incident. PPS vs. BPS and how enabling features impacts them Page 9 - Arbor Public

10 Are You Pushing the Envelope? Get Real! Operator, I tried to push my aircraft to 70,000 ft and it stalled. Vendor, But the aircraft was only designed for a 50,000 ft ceiling. Operator, I need it to go to 70,000 ft, so you should make that happen. Vendor, But that is not going to happen; 50,000 ft is the only thing it can do. You knew that when you bought it. Operator, Your equipment sucks if you cannot exceed you design specs. Page 10 - Arbor Public

11 Identification, Classification, and Traceback All of this assumes you can detect and understand the attack Reacting to attacks depends, in a lot of ways, on how you detect the attacks Time of reaction is often a critical factor Once stateful devices fail, the restoration path is usually a hard reboot Page 11 - Arbor Public

12 Reaction Many varying reaction mechanisms No one tool or technique is applicable in all circumstances Think toolkit Automate where possible Don t forget about the operational costs It is critical to identify and classify an attack so you can choose the most appropriate mitigation tool Every problem does not call for a hammer solution, simplicity is key Some solutions actually make the problem worse! Page 12 - Arbor Public

13 Attack Vectors Infrastructure attacks Attacks against vulnerability or protocol weakness (D)DoS attacks directed at infrastructure Downstream customer attacks Attack that only impacts target IP Attack that impacts downstream customer Attack where collateral damage impacts multiple customers Downstream customer sourced attacks Attacks that originate from your customers Page 13 - Arbor Public

14 Attack Vectors Infrastructure attacks Attacks against vulnerability or protocol weakness (D)DoS attacks directed at infrastructure Downstream customer attacks Attack that only impacts target IP Attack that impacts downstream customer Attack where collateral damage impacts multiple customers Downstream customer sourced attacks Attacks that originate from your customers Page 14 - Arbor Public

15 Post Mortem Post Mortem Analyzing What Just Happened. What Can Be Done to Build Resistance to the Attack Happening Again The step everyone forgets or doesn t make time to conduct What can you do to make it faster, easier, less painful in the future? Complete the loop Page 15 - Arbor Public

16 Agenda Six Phases of Incident Response Reacting with the Data Plane Reacting with the Control Plane Using Dedicated Security Devices Page 16 - Arbor Public

17 Reacting with the Data Plane Page 17 - Arbor Public

18 RFC3704/BCP84 Ingress Packet Filtering Packets should be sourced from valid, allocated address space, consistent with the topology and space allocation Our goal here is to bind the problem and reduce the requirements for implementing security No BCP84 means that: Devices can (wittingly or unwittingly) send traffic with spoofed and/or randomly changing source addresses out to the network Complicates trace back immensely Sending bogus traffic is not free! Attacks can be much more devious with spoofing Page 18 - Arbor Public

19 BCP 84 Packet Filtering Principles Filter as close to the edge as possible Filter as precisely as possible Filter both source and destination where possible Can be implemented in various ways Infrastructure ACLs (iacls) Unicast reverse path forwarding (urpf) Cable source verify DHCP IP source TMS/DHCP snooping Page 19 - Arbor Public

20 Where to React? Upstream A IXP-W Sinkhole Network Peer A Peer B Upstream A IXP-E Upstream B Upstream B Target POP NOC Page 20 - Arbor Public

21 Where to React? Upstream B IXP-W Sinkhole Network Peer A Peer B Upstream A IXP-E The Proper Reaction is the Easiest, Fastest, and Simplest One That Can Minimize the Collateral Damage Upstream B Target POP NOC Page 21 - Arbor Public

22 Reacting with the Data Plane: Access Control List (ACL) Page 22 - Arbor Public

23 Reacting to an Attack with ACLs Traditional method for stopping attacks Scaling issues encountered: Operational difficulties Changes on the fly Multiple ACLs per interface Performance concerns Page 23 - Arbor Public

24 ACLs: Deployment Considerations How does the ACL load into the router? Does it interrupt packet flow? How many ACEs can be supported in hardware? In software? How does ACL depth impact performance? How do multiple concurrent features affect performance? Page 24 - Arbor Public

25 Working the PPS Engineering 10,000,000 PPS Performance Envelope Packets per Second (pps) 1,000, ,000 10,000 1,000 1 Gbps 100 Mbps 10 Mbps CPU Limit 100 Performance Envelope w/features Packet Size (bytes) Page 25 - Arbor Public Basic Performance Envelope

26 ACL Update and Reaction Speed Internet speeds above the OC-12/48 range require specialized forwarding/feature ASICs to provide services at line rate ACLs loaded into these ASICs require special processing: Example: 100Kb file for 5,000-Line ACL 1. Load ACL into router from mgmt app or ftp server (transfer time for big ACLs) 2. Commit ACL to active 3. Pre-process (compile) ACL 4. Push to Line Card(s) (if distributed architecture) 5. Process for loading into Line Card ASIC 6. Load into Line Card ASIC and activate access speed- and memory carddependent, can be slow e.g., minutes small Can be lengthy: 10 s of seconds to min s msecs small Platform-dependent: usecs to mins Modular design, simplicity, and amplification effect principles apply to ACL design Page 26 - Arbor Public

27 Filtering Fragments Fragments can be explicitly denied Fragment handling is enabled via fragments keyword Default permit behavior permit fragments that match ACE L3 entries Denies fragments and classifies fragment by protocol: access-list 110 deny tcp any any fragments access-list 110 deny udp any any fragments access-list 110 deny icmp any any fragments Page 27 - Arbor Public

28 Packet Filtering Viewed Horizontally Spoofed Source Addresses Targeting the Infrastructure Packet Shield # 1 Application Filters Policy Enforcement Targeting the Customer Packet Shield # 2 Packet Shield # 3 Packet Shield # 4 Customer Traffic The best ACL may actually be multiple ACLs at possibly different locations Page 28 - Arbor Public

29 ACL Construction Most common problems: Poorly-constructed ACLs Ordering matters! Understand platform specifics (i.e., 6500/7600 LOUs, masks)! Scaling and maintainability issues with ACLs are commonplace Make your ACLs as modular and simple as possible Page 29 - Arbor Public

30 ACL Categories: Hybrid Philosophy Hybrid Permit/Deny Anti-spoofing Anti-bogon (source) Infrastructure Explicit deny specific L3 Explicit deny specific L4 Incident reaction Explicit permit L3 (good traffic) Explicit permit L4 (good traffic) Explicit deny everything else Page 30 - Arbor Public

31 Layered/Modular ACLs Hybrid Permit/Deny Anti-spoofing Anti-bogon (source) Infrastructure Explicit deny specific L3 Explicit deny specific L4 Incident reaction Explicit permit L3 (good traffic) Explicit permit L4 (good traffic) Explicit deny everything else Rarely Changes Rarely Changes Rarely Changes Sometimes Changes Sometimes Changes Changes Every Day Sometimes Changes Sometimes Changes Rarely Changes Page 31 - Arbor Public

32 Operational Cost Impact Hybrid Permit/Deny Anti-spoofing Anti-bogon (source) Infrastructure Explicit deny specific L3 Explicit deny specific L4 Incident reaction Explicit permit L3 (good traffic) Explicit permit L4 (good traffic) Explicit deny everything else More Static $ Rarely Changes Rarely Changes $$ Rarely Changes Sometimes Very Changes $$$$$$ Dynamic Sometimes Changes Changes Every Day $$ Sometimes Changes Sometimes Changes More Static $ Rarely Changes Page 32 - Arbor Public

33 ACL Summary ACLs are widely deployed as a primary containment tool Prerequisites: identification and classification need to know what to filter Apply as specific an ACL as possible ACLs are good for static attacks, not as effective for rapidly changing attack profiles Understand ACL performance limitations before an attack occurs Operational efficiencies are important scripted Page 33 - Arbor Public

34 The Pros and Cons of ACLs ACLs - key strengths: Detailed packet filtering (ports, protocols, ranges, fragments, etc.) Relatively static filtering environment Clear filtering policy ACLs can have issues when faced with: Dynamic attack profiles (different sources, different entry points, etc.) Frequent changes Quick, simultaneous deployment on a multitude of devices Operationally hard to remove Page 34 - Arbor Public

35 Reacting with the Data Plane: Committed Access Rate (CAR) Page 35 - Arbor Public

36 Reacting to an Attack with CAR The Internet Customers Layer-3 CAR Filter Layer-3 input and output rate limits specifically input rate limits Security filters use the input rate limit to drop packets before they are forwarded through the network Aggregate and granular limits Port, MAC address, IP address, application, precedence, QOS_ID Excess burst policies Page 36 - Arbor Public

37 A CAR Example: SMURF access-list 199 permit icmp any <target> echo-reply access-list 199 deny ip any any interface POS2/0 rate-limit output access-group conform-action transmit exceed-action drop Page 37 - Arbor Public

38 A Bad CAR Example: Syn-Flood access-list 199 permit tcp any <target> eq www syn access-list 199 deny ip any any interface POS2/0 rate-limit output access-group conform-action transmit exceed-action drop Syn-floods are generally high volume If attack is 99% of traffic, legitimate traffic has a small chance of making it through the rate-limit Are we really achieving anything? Page 38 - Arbor Public

39 Agenda Six Phases of Incident Response Reacting with the Data Plane Reacting with the Control Plane Using Dedicated Security Devices Page 39 - Arbor Public

40 Reacting with the Control Plane Page 40 - Arbor Public

41 Routers Drop Data, Often Scans, Backscatter, Other Garbage AS 100 AS C D G A 10.1/16 F /19 AS B /19 E H /19 An AS collects all the garbage (backscatter, scans, etc.) destined for /19, /19, and /17 addresses Routers that source those aggregates drop the data to unreachable parts of the networks, and are required to process data, send ICMP unreachables, etc. Page 41 - Arbor Public

42 Reacting with the Control Plane: Destination-Based Black Hole Filtering Page 42 - Arbor Public

43 Black Hole Filtering Black hole filtering or black hole routing forwards a packet to a router s bit-bucket Also known as route to Null0 Works only on destination addresses, since it is really part of the forwarding logic Forwarding ASICs are designed to work with routes to Null0 dropping the packet with minimal to no performance impact Used for years as a means to blackhole unwanted packets Page 43 - Arbor Public

44 Remotely Triggered Black Hole Filtering We will use BGP to trigger a network-wide response to an attack A simple static route and BGP will enable a network-wide destination address black hole as fast as ibgp can update the network (msecs) This provides a tool that can be used to respond to security-related events and forms a foundation for other remotely triggered uses Often referred to as RTBH Page 44 - Arbor Public

45 Remotely Triggered Black Hole (RTBH) Configure all edge routers with static route to Null0 (must use some reserved network) Configure trigger router Part of ibgp mesh Dedicated router recommended Activate black hole Redistribute host route for victim into BGP with next-hop set to Route is propagated using BGP to all BGP speakers and installed on routers with route All traffic to victim now sent to Null0 Page 45 - Arbor Public

46 Step 1: Prepare All the Routers with Trigger Select a small block that will not be used for anything other than black hole filtering; Test-Net ( /24) is optimal since it should not be in use Put a static route with Test-Net /24 to Null0 on every edge router on the network ip route Null0 Page 46 - Arbor Public

47 Step 1: Prepare All the Routers with Trigger Edge Router with Test-Net to Null0 IXP-W Peer A Edge Router with Test-Net to Null0 Peer B IXP-E Upstream A Sinkhole Network Upstream A Upstream B Upstream B /24 Target POP Edge Router with Test-Net to Null0 G NOC Page 47 - Arbor Public

48 Step 2: Prepare the Trigger Router The Trigger Router Is the Device that Will Inject the ibgp Announcement into the ISP s Network Should be part of the ibgp mesh but does not have to accept routes Can be a separate router (recommended) Can be a production router Can be a workstation with Zebra/Quagga (interface with Perl scripts and other tools) Can be Arbor Peakflow SP GUI interface, integrated with detection, cleanup timer, etc. Page 48 - Arbor Public

49 Trigger Router s Config Redistribute Static with a Route-Map Match Static Route Tag router bgp redistribute static route-map static-to-bgp! route-map static-to-bgp permit 10 match tag 66 set ip next-hop set local-preference 200 set community no-export set origin igp! route-map static-to-bgp permit 20 Set Next- Hop to the Trigger Set Local-Pref Page 49 - Arbor Public

50 Step 3: Activate the Black Hole Add a static route to the destination to be black holed; the static is added with the tag 66 to keep it separate from other statics on the router ip route null0 tag 66 BGP advertisement goes out to all BGP-speaking routers Routers receive BGP update and glue it to the existing static route; due to recursion, the next-hop is now Null0 Page 50 - Arbor Public

51 Step 3: Activate the Black Hole FIB Glues s Next-Hop to Null0, Triggering the Black Hole Filtering FIB FIB Best Path Selection (Unless Multipath) nexthop = BGP Best Path Selection BGP RIB AS s Routes AS s Routes AS s Routes OSPF/ISIS RIB nexthop = with no-export /32 = Null0 Static and Connected Routes /32 = Null0 Page 51 - Arbor Public

52 Step 3: Activate the Black Hole BGP Sent Next-Hop = Static Route in Edge Router = Null = = Null0 Next-Hop of Is Now Equal to Null0 Page 52 - Arbor Public

53 Step 3: Activate the Black Hole IXP-W Peer A A Peer B IXP-E Upstream A B Upstream A C D Upstream B Target E Upstream B ibgp Advertises List of Black Holed Prefixes F POP G NOC Page 53 - Arbor Public

54 Customer Is DOSed (After) Packet Drops Pushed to the Edge IXP-W Peer A A Peer B IXP-E Upstream A B Upstream A C D Upstream B E Upstream B Target ibgp Advertises List of Blackholed Prefixes F POP G NOC Page 54 - Arbor Public

55 Trigger Router Config Can use multiple tags One tag to redirect attack to sinkhole Another tag to redirect attack to anycast sinkhole Multiple tags to black hole for different reasons Tag #1 is for ongoing (d)dos attack Tag #2 is for black holing botnet command and control Tag #3 is for phishing site Tag #4 is for SPAM Makes tracking easier. Can usually figure out which group to contact about black hole (i.e. NOC, abuse, security, etc.) just by looking at trigger router configuration. Page 55 - Arbor Public

56 An Alternative: Community-Based Trigger BGP community-based triggering allows for more fine-tuned control over where you drop the packets Three parts to the trigger: Static routes to Null0 on all the routers Trigger router sets the community Reaction router (on the edge) matches community and sets the next-hop to the static route to Null0 Page 56 - Arbor Public

57 Why Community-Based Triggering? Allows for More Control on the Attack Reaction Trigger community #1 can be for all routers in the network Trigger community #2 can be for all peering routers; no customer routers allows for customers to talk to the DOSed customer within your AS Trigger community #3 can be for all customers; used to push a inter- AS traceback to the edge of your network Trigger communities per ISP peer can be used to only black hole on one ISP peer s connection; allows for the DOSed customer to have partial service Trigger communities per geographic region can be used Page 57 - Arbor Public

58 Trigger Router Config (Community-Based Approach) Redistribute Static with a Route-Map Match Static Route Tag router bgp redistribute static route-map static-to-bgp! route-map static-to-bgp permit 10 match tag 123 set community 65535:123 set local-preference 200 set community no-export set origin igp! route-map static-to-bgp permit 20 match tag 124 set community 65535:124 set local-preference 200 set community no-export set origin igp Set Community Set Local-Pref Page 58 - Arbor Public

59 Drop Router Config (Community-Based Approach) This Router Drops Community 123 router bgp neighbor <ibgp peer> route-map ibgp-peers in!my Region ip community-list 1 permit 65535:123!Other region ip community-list 2 permit 65535:124! route-map ibgp-peers permit 10 match community 1 set ip next-hop set local-preference 200 set community no-export set origin igp! route-map static-to-bgp deny 20 match community 2! route-map static-to-bgp permit 30 Set Next-Hop to trigger This router does not drop community 124 Page 59 - Arbor Public

60 Two RTBH Approaches Tag-based approach: Concentrates configuration complexity on one trigger router Edge devices require simple static route to Null0 Monitoring (OpEx) Prefixes which are being dropped (and why) best viewed on trigger router (e.g., show run include tag ) Community-based approach: Configuration complexity spread equally to all devices Allows greater flexibility for drop control (e.g., regional) Monitoring (OpEx) Prefixes which are being dropped on a particular device (and why) can be determined by reviewing the output of sh ip bgp community on that device Page 60 - Arbor Public

61 Reacting with the Control Plane: Service Provider Support for Customer Initiated Destination- Based Black Hole Filtering Page 61 - Arbor Public

62 Customer-Initiated RTBH Many service providers offer their customers a customer triggered version of RTBH We ll accept /32s with community <AS>:666 and we ll black hole them in our network for you It s critical to understand which of your upstream/ peers support this How many prefixes will they accept? What community triggers it? Are you going to support it for your customers? Page 62 - Arbor Public

63 Customer-Initiated RTBH Config router bgp neighbor <customer> route-map customer-rtbh in neighbor <customer> prefix-list customera-filter in! ip community-list 1 permit 65535:666! route-map customer-rtbh permit 10 match community 1 set ip next-hop set local-preference 200 set community no-export set origin igp! route-map customer-rtbh deny 20!Deny BOGONs! route-map customer-rtbh permit 20 Page 63 - Arbor Public

64 Customer-Initiated RTBH Issues: Must ensure prefix-list-based filtering We wouldn t want your customers to be able to black hole some important website, now would we? Restrict the black hole to the PE router only with no-advertise, restrict to network only with noexport, or pass along to peers and upstreams? Use the same ebgp session to customers or build a dedicated ebgp session If using the same session, be careful with maxprefix Page 64 - Arbor Public

65 Reacting with the Control Plane: Source- and Destination-Based Black Hole Filtering Page 65 - Arbor Public

66 S/RTBH: Triggered Source Drops Dropping on destination is very important Dropping on source is often what we really need Reacting using source address provides some interesting options: Stop the attack without taking the destination offline Filter command and control servers Filter (contain) infected end stations Must be rapid and scalable Leverage pervasive BGP signaling again! Page 66 - Arbor Public

67 Strict urpf Check (Unicast Reverse Path Forwarding) router(config-if)# ip verify unicast source reachable-via rx i/f 1 S D Data i/f 2 i/f 3 i/f 1 S D Data i/f 2 i/f 3 FIB:... S -> i/f x... FIB:... S -> i/f 2... Same i/f: Forward Other i/f: Drop Page 67 - Arbor Public

68 Loose urpf Check (Unicast Reverse Path Forwarding) router(config-if)# ip verify unicast source reachable-via any i/f 1 S D Data i/f 2 i/f 3 i/f 1 S D Data i/f 2 i/f 3 Any i/f: Forward FIB:... S -> i/f x... FIB:....?..... Not in FIB or Route Null0: Drop Page 68 - Arbor Public

69 Source-Based Remotely-Triggered Black Hole Filtering (S/RTBH) Uses the same architecture as destination-based filtering and Unicast RPF Edge routers must have static in place They also require Unicast RPF BGP trigger sets next-hop in this case the victim is the source we want to drop Page 69 - Arbor Public

70 Source-Based Remotely Triggered Black Hole Filtering What do we have? Black Hole Filtering if the destination address equals Null0, we drop the packet Remotely Triggered trigger a prefix to equal Null0 on routers across the network at ibgp speeds urpf Loose Check if the source address equals Null0, we drop the packet Put them together and we have a tool to trigger a drop for any packet coming into the network whose source or destination equals Null0 Page 70 - Arbor Public

71 Customer Is DOSed (After) Packet Drops Pushed to the Edge Edge Routers Drop Incoming Packets Based A on Their Source Address IXP-W Peer A Peer B Edge Routers Drop Incoming Packets Based on Their Source Address IXP-E Upstream A Upstream A Upstream B Upstream B Target F POP NOC ibgp Advertises List of Black Holed Prefixes Based on Source Addresses Page 71 - Arbor Public

72 Source-Dropping Caution Caution: you will drop all packets with that source and/or destination Remember spoofing! Don t let the attacker spoof the true target and trick you into black holing it for them Whitelist important sites which should never be blocked (i.e., root & TLD nameservers, etc.) via prefix-lists Page 72 - Arbor Public

73 Source-Based RTBH - S/RTBH Advantages: No ACL update No change to the router s configuration Drops happen in the forwarding path Frequent changes when attacks are dynamic (for multiple attacks on multiple customers) Limitations: Source detection and enumeration Attack termination detection (reporting) Resource utilization: finite resources Effects all traffic, on all triggered interfaces, regardless of actual intent Peakflow SP can serve as the GUI-based trigger for S/RTBH supports communities, timers, etc. Makes triggering/blocking easy! Page 73 - Arbor Public

74 Agenda Six Phases of Incident Response Reacting with the Data Plane Reacting with the Control Plane Using Dedicated Security Devices Page 74 - Arbor Public

75 Using Dedicated Security Devices Page 75 - Arbor Public

76 Given Everything Said, What Remains? We have discussed techniques that are very effective at limiting the collateral damage Raise the bar; stop only bad traffic In asymmetric environments, especially across peers, packet spoofing is still problematic Detection of exactly who is attacking is problematic Doing all this in the core requires specialized hardware, which has scaling and availability problems Page 76 - Arbor Public

77 Network IDS/ IPS Terminology False positives: system mistakenly reports certain benign activity as malicious; also called false alarms False negatives: system does not detect and report actual malicious activity False positives, performance, need for traffic symmetry, and increased risk of DDoS due to capacity/state are the banes of IDS technology! Additionally, you require a signature in order to stop the attack what if this is a new attack? Page 77 - Arbor Public

78 Modern Stateful Firewalls: The Inadequate Security Default What It Is Sometimes called a hybrid Combines features of other firewall approaches such as: Access control lists Application-specific proxies/inspections Stateful inspection Plus features of other devices: Web (HTTP) cache Specialized servers SSH, SOCKS, NTP Most include VPN, some include IDS/ IPS Pros and Cons Pro: Maintains most of the speed advantage of a simple stateful firewall Pro: Application layer gateway services provide application security while resolving the NAT issue Con: Does not provide complete session termination, as would a full proxy Con: Actively tracks the state of incoming connections a DoS issue Con: Performance a DoS issue Con: Inspectors are an attack surface Page 78 - Arbor Public

79 Formal Requirements for a Core Security Device Need to avoid state Constant state tracking leaves us vulnerable to DDoS attacks Doesn t rely on signatures If I get an attack with no signature, I cannot block it Possibly can use signature-like filters, however, after the fact Doesn t have to be in-line when it isn t needed Scales easily Doesn t require traffic symmetry The Internet is a very asymmetrical place! Page 79 - Arbor Public

80 Firewalls and IDS/ IPS don t help! It s time to put the firewall and IDS/ IPS myth to rest! Firewalls are policy-enforcement devices they can t help with DDoS, and in most cases, the policies applied to the firewalls have been devised with no visibility into network traffic, so the firewall rules bear little relation to what should actually be permitted and denied. IDS/ IPS are by definition always behind the attackers in order to have a signature for something, you must have seen it before. IDS/ IPS have proven to be totally ineffective at dealing with application-layer compromises, which is how most hosts are botted and used for DDoS, spam, corporate espionage, identity theft, theft of intellectual property, etc. Firewalls & IDS/ IPS output reams of syslog which lacks context, and which nobody analyzes. It is almost impossible to relate this syslog output to network behaviors. End-customers subscribe to traditional managed security services based on firewalls and IDS/ IPS, and still get compromised! Firewall & IDS/ IPS deployments cause performance & usability problems, and don t scale, shouldn t be deployed in front of servers! Page 80 - Arbor Public

81 Core Design Philosophies Scale by using traffic shunting Core packet cleaning requirements 1) Validate incoming traffic to make sure it comes from the source IPs that are in the SRC IP field of the packet 2) Evaluate these validated sources against a baseline and then recommend either further processing or dropping for sources that misbehave Don t need to stop every bad packet instead, focus on not stopping any good packets Pad thresholds to reduce likelihood of false positives Have very high defaults so in a non-profiled environment you won t block good traffic Page 81 - Arbor Public

82 Packet Cleaning Issues Shunting the Packets Cleaning the Packets Page 82 - Arbor Public

83 Traffic Shunts Intercept and shunt traffic to the mitigation device the scrubber Return good traffic back to the customer Need to avoid forwarding loops means some sort of tunneling Page 83 - Arbor Public

84 Arbor DDoS Solution: Diversion/Offramping Arbor TMS NetFlow to Arbor Peakflow SP Protected Zone 1: Web Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 84 - Arbor Public

85 Arbor DDoS Solution: Diversion/Offramping Arbor TMS NetFlow to Arbor Peakflow SP 1. Detect Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 85 - Arbor Public

86 Arbor DDoS Solution: Diversion/Offramping Arbor TMS 2. Activate: Auto/Manual NetFlow to Arbor Peakflow SP 1. Detect Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 86 - Arbor Public

87 Arbor DDoS Solution: Diversion/Offramping BGP Announcement 3. Divert Only Target s Traffic Arbor TMS 2. Activate: Auto/Manual NetFlow to Arbor Peakflow SP 1. Detect Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 87 - Arbor Public

88 Arbor DDoS Solution: Diversion/Offramping BGP Announcement Traffic Destined to the Target 4. Identify and Filter the Malicious 3. Divert Only Target s Traffic Arbor TMS 2. Activate: Auto/Manual NetFlow to Arbor Peakflow SP 1. Detect Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 88 - Arbor Public

89 Arbor DDoS Solution: Diversion/Offramping BGP Announcement Traffic Destined to the Target Legitimate Traffic to Target 4. Identify and Filter the Malicious 2. Activate: Auto/Manual 1. Detect 3. Divert Only Target s Traffic Arbor TMS NetFlow to Arbor Peakflow SP Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 89 - Arbor Public 5. Forward the Legitimate

90 Arbor DDoS Solution: Diversion/Offramping 6. Non- Targeted Traffic Flows Freely BGP Announcement Traffic Destined to the Target Legitimate Traffic to Target 4. Identify and Filter the Malicious 3. Divert Only Target s Traffic Arbor TMS 2. Activate: Auto/Manual NetFlow to Arbor Peakflow SP 1. Detect Protected Zone 1: Web Target Protected Zone 2: Name Servers Protected Zone 3: E-Commerce Application Page 90 - Arbor Public 5. Forward the Legitimate

91 Design Considerations Network chokepoints Back haul attack traffic across potential costly or congested links. SLA s being offered Availability Guaranteed mitigation capacity Provisioning and Operation Simpler is better Existing Networking technology Often limited by what capabilities exist in the network today Number of mitigation devices and capacity Redundancy What happens in a failure scenario? Page 91 - Arbor Public

92 Deployment strategies Distributed mitigation Regional deployment strategy Per PoP or per Peering center location Internet PEERING PEERING P1 P2 P1 P2 Peakflow SP TMS Peakflow SP TMS L3 Switch S1 S2 S1 S2 POP A POP B CORE CORE C1 C2 C1 C2 Core Customer CPE Page 92 - Arbor Public

93 Distributed Mitigation Benefits Keeps attack traffic at edge Limited backhauling of attack traffic Limits exposure of Internal infrastructure Easier Capacity planning Not as worried about how much attack traffic would have to be backhauled Good shared mitigation capability Geographical redundancy Drawbacks Power and Space Requirements Scalability - How much mitigation capacity can you add at each location Harder to dedicate mitigation capacity per-customer Potentially more equipment to purchase upfront Potential to backhaul Customer to Customer attack traffic Multiple scrubbers involved in every single mitigation Page 93 - Arbor Public

94 Distributed Mitigation Bottom line This can be a workable strategy for Tier-Two, -Three, and MSOs Strategically-consolidated Internet access points. Backbone capacity is already focused on these locations. Customer-to-customer attacks are likely to be small in size. Not many large-bandwidth customers. Backbone capacity and infrastructure likely to be vulnerable to large scale attacks. Better ROI to keep attack traffic off of backbone. Fewer business customers likely to pay for dedicated mitigation capacity. Page 94 - Arbor Public

95 Deployment Strategies Centralized mitigation AKA Cleaning Center Peers Transit P1 P2 IP Core Data D1 D2 C2 C2 S1 S2 Cleaning Center POP B Customer Aggregation A1 S1 A2 S2 Peakflow SP TMS Customer CPE Page 95 - Arbor Public

96 Centralized Mitigation Benefits Can start small 2 TMS devices for redundancy Can be located where power and space allow easy growth Possibly fits in more with other hosted service offerings Easier to troubleshoot You know where traffic should go to and from Drawbacks Back haul attack traffic Potential for backbone infrastructure to be impacted by attack traffic Must plan for capacity How much attack traffic potentially could customers pull to Cleaning Center Limited topological/ geographical diversity regional Cleaning Centers are the answer Page 96 - Arbor Public

97 Centralized Mitigation Bottom Line This is a good strategy for most deployments Very distributed Peering locations and limited or no purchased Transit. Customer-to-customer attacks can be quite large. Think of a MSO-based zombie attacking large Bank. Many large-bandwidth customers. Backbone and Internet Data Center capacity readily available. More business customers likely to pay for dedicated mitigation capacity because they have higher-bandwidth demands. Easy to scale capacity more TMSes per cluster, multiple clusters Page 97 - Arbor Public

98 Offramping/Diversion Goal Get attack traffic to correct TMS and Port BGP Next-hop Anycast Get attack traffic to closest TMS Load balance distributed attacks geographically Built-in redundancy by leveraging routing protocols ECMP (Equal Cost Multi-Path) Multiple equal routes pointing to same advertised TMS BGP next-hop IP to achieve multi-gigabit performance CEF-based load-leveling is Cisco terminology SLA-based Next-hops or Communities Provide dedicated mitigation ports and capacity to meet customer SLA Page 98 - Arbor Public

99 BGP Next-hop Anycast 1.TMS advertises off ramp (victim) prefix w/ next hop of TMS L0 (virtual IP) Internet 2. P1 and P2 do a recursive lookup on TMS L0 which matches static route to directly connected interface/s PEERING S1 P1 P2 P1 P2 S2 POP A 3. Since victim prefix and nexthop is learned in both PoP-A and PoP-B Attack traffic is sent to closest TMS POP B S1 S2 PEERING Peakflow SP TMS CORE CORE C1 C2 C1 C2 Other option: Use same Off-ramp Pt2Pt for all TMS off-ramp ports announce bgp next-hop to be TMS Pt2Pt. Eliminates static routes IP Core Customer CPE Note: Allow Victim Prefix to be propagated and redistribute Static or Pt2Pts in IGP for failover Page 99 - Arbor Public

100 ECMP (Equal Cost Multi-Path) PEERING 1.TMS advertises off ramp (victim) prefix w/ next hop of Equal static routes to (BGP Nexthop) load balances off ramp across two or more ports Peakflow SP TMS POP B CORE Note: You can also use port bonding (logical ports) to treat multiple ports as one. Customer CPE BGP announce Direct Off-Ramp Direct On-Ramp Page Arbor Public

101 SLA-based Dedicated Mitigation Capacity 2. Router s BGP policy takes customer specific community and changes nexthop to dedicated PEERING pt 2 pt interface or recursive lookup match ECMP routes to multiple ports POP B CORE Note: You can just different next-hops but communities allow you to set up shared mitigation, dedicated mitigation, and overflow of dedicated to shared Customer CPE Peakflow SP TMS 1.TMS advertises offramp prefix w/ next hop of and customer specific off-ramp community BGP announce Direct Off-Ramp Direct On-Ramp Page Arbor Public

102 Off-ramping/Diversion Bottom Line Use lessons learned from Sinkhole and Blackhole usage. Keep it simple with next-hop changes or add granularity by utilizing BGP communities, multiple next-hops and ECMP routes to next-hops. To achieve multi-gigabit mitigation capability, traffic must transit multiple TMS ports. Think about where routes are being heard and how. Then run through failure scenarios. Is attack traffic still going to make it to a TMS or will it go to customer dirty? Page Arbor Public

103 On-Ramping/Re-injection Goal Avoid Routing loops GRE/mGRE Tunnels Routing loop avoided by forwarding decision being performed on tunnel endpoint VRF VPN Avoid routing loop by utilizing non-global route table L2 Forwarding Routing loops avoided by selective route advertisement and distribution control. Requires hierarchical logical network design. Page Arbor Public

104 Tunnel GRE (Generic Route Encapsulation) TMS advertises victim prefix which is propagated throughout network. One to one mapping of off-ramp port to on-ramp port Peakflow SP TMS POP B L3 Switch CORE Customer CPE processes GRE packet on Tunnel interface and forwards original packet to victim IP Customer CPE To avoid routing loop, TMS encapsulates packet in GRE packet with tunnel Source and Destination IP BGP announce Direct Off-Ramp Direct On-Ramp Clean Traffic Page Arbor Public

105 On-Ramping/Re-injection via GRE/mGRE Benefits Easy to avoid routing loops Redundant tunnels can be configured Proven On-Ramping method Drawbacks per-customer mitigation prefix configuration (not dynamic) Provisioning Engineers / Systems must touch Peakflow system Per-TMS tunnel configuration (more work for distributed model) Page Arbor Public

106 VRF - VPN TMS advertises victim prefix which is propagated throughout network. VRF VRF One to one mapping of off-ramp port to on-ramp port Peakflow SP TMS MPLS/IP Core Customer Aggregation VRF VRF Routing loop is avoided because traffic is being forwarded inside VPN/ Label switched BGP announce Static route to customer s protected CIDR is preconfigured and redistributed into VPN Customer CPE Direct Off-Ramp Direct On-Ramp Clean Traffic Page Arbor Public

107 On-Ramping/Re-injection via VRF-VPN Benefits Easy to avoid routing loops Leverages built in network redundancy Simple static route required for each protected customer prefix. Most provisioners know how to do this. Drawbacks Per-customer mitigation prefix configuration MPLS must be used throughout network Multiple technologies in use could cause operational issues. Page Arbor Public

108 Direct L2 Onramping/Re-injection TMS advertises victim prefix which is propagated throughout network. Off-ramp and On-ramp routers must be different L3 devices Peakflow SP TMS POP B L3 Switch CORE Customer CPE processes GRE packet on Tunnel interface and forwards original packet to victim IP Customer CPE To avoid routing loop, you restrict the more specific victim prefix to only specific routers BGP announce Direct Off-Ramp Direct On-Ramp Clean Traffic Page Arbor Public

109 On-Ramping/Re-Injection via Direct L2 Benefits Leverages built in network redundancy No special router configurations New protected customer prefixes can be dynamically on-ramped. No new configuration required. Drawbacks Harder to avoid routing loops. Special care of BGP announcements and route distribution is required. Difficult to mitigate customer to customer attacks especially if both customers are on same router. Static in nature, not easily re-configured/scaled Page Arbor Public

110 Shunts in the Data Center All devices on the same subnet Either TMS-driven or configured in router May use remotely-triggered shunt trick All traffic in core to target goes to the TMS Optionally, you can use VLANs to avoid loops Bypassing the modified router is trivial with VLANS and.1q trunking Page Arbor Public

111 I C S T S t y s S S R I t r c s r C S S S Hosting/SP Data Center Backbone Cisco IOS Router Backbone P r p y P w p C a 5 0 Arbor TMS Cisco Catalyst Switch GEnet Arbor TMS Alert Arbor Peakflow SP Firewalls Switches Target Internal Network Web, Chat, , etc. DNS Servers Page Arbor Public

112 Shunts in the Data Center Arbor Peakflow SP IDC Edge ISP A IDC Edge ISP B Arbor TMSs (Cleaning Server Center) Farms Access Aggregation Core Edge BGP Peering for Diversion Dirty Traffic Clean Traffic NetFlow Page Arbor Public

113 Shunts in the IP Core: GRE Injection Core routes target IP to the TMS Either TMS-driven or configured in router May use remotely triggered shunt trick All traffic in core to target goes to the TMS Injection into GRE tunnel Bypassing the modified core routing GRE starts on TMS-attached router, terminates on CPE, which has clean routing to target Page Arbor Public

114 Shunts in the IP Core: GRE Injection Attack 1. BGP: I m next-hop for Rerouting to Redistribution into Core TMS ( ) 4. Injection to Target GRE (Preconfigured) Target ( ) Page Arbor Public

115 Shunts with MPLS VPNs Easy to deploy: Core remains untouched, injection VPN preconfigured VPN invisible to core No performance impact No need to touch CPE But: MPLS VPN required on core Page Arbor Public

116 MPLS VPN Shunt Attack 1. BGP: I m next-hop for Rerouting to Redistribution into Core TMS ( ) VPN 4. Injection to VPN MPLS VPN (Preconfigured) VPN Target ( ) Page Arbor Public

117 Packet Cleaning Issues Shunting the Packets Cleaning the Packets Page Arbor Public

118 Packet Cleaning in the Core: The Cleaning Center Arbor TMS (Customer A) Arbor TMS (Customer B) Cleaning Center NOC SP Core Core ASBR Peering SP1 Core Core Arbor Peakflow SP PE Peering SP2 NetFlow PE Dirty Traffic Clean Traffic CE Customer A Out-of-Band WAN Connection CE Customer B Page Arbor Public

119 Scaling a Cleaning Center: Clustering Topology with ECMP/CEF Load-leveling Attack Load-Leveling Router up to 16 TMSes, 160gb/sec w/n7k TMS TMS TMS TMS Mitigation Cluster TMS TMS Target host TMS Arbor TMS IDMSes Multiple Cleaning Centers via Anycast Page Arbor Public

120 Backbone Option: Cleaning Centers Question is: how many? Most national providers have decided to start with two Geographic redundancy Adequate incoming bandwidth in key locations Limit the backhaul of traffic across expensive links Once you decide on where, then the hard part! Page Arbor Public

121 Packet Spoofing What can be spoofed? IP Any field in a packet header (well, almost) Spoofing most often happens in combinations with several fields being spoofed Spoofing is used to: Hide the source so the attacker or resource is not revealed Bypass security masquerading as valid packets Spoofing the real target getting others to take out the target TCP HTTP DST SRC Prtcl CRC Port Port SYN FIN SSL GET URL CGI Page Arbor Public

122 TMS Mitigation Processing DDoS attacks consist of undesirable traffic mixed in with some amount of desirable traffic Undesirable traffic may come in large quantities or it could come shaped in a way designed to disrupt normal processing The TMS allows desirable traffic through while lowering the impact of undesirable traffic The TMS uses various countermeasures defense mechanisms to target and remove the most egregious attack traffic to allow the network to continue operating Different countermeasures are designed to stop different types of attack traffic The countermeasures as a whole provide defense in depth mitigation Page Arbor Public

123 DDoS Attacks DDoS attacks can consist of just about anything Large quantities of raw traffic designed to overwhelm a resource or infrastructure Application specific traffic designed to overwhelm a particular service sometimes stealthy in nature Traffic formatted in such a way to disrupt a host from normal processing Traffic reflected and/or amplified through legitimate hosts Traffic from compromised sources or from spoofed IP addresses Pulsed attacks start/stop attacks DDoS attacks can be broken out by category Page Arbor Public

124 TCP Stack Flood Attacks Description Flood a certain aspect of the TCP connection process to keep the host from being able to respond to legitimate connections May be spoofed or non spoofed Peakflow SP Detection Capabilities Misuse TCP SYN, RST, Total Traffic detection Peakflow TMS Mitigation Countermeasures TCP SYN authentication, zombie army, white list/ black list Common names TCP SYN, TCP FIN, TCP RST, TCP Flags Page Arbor Public

125 Generic Flood Attacks Description Flood of traffic for one or more protocols or ports Designed to look like normal traffic Reflection attacks May be spoofed or non spoofed Peakflow SP Detection Capabilities Misuse UDP, ICMP, Total Traffic detection Profiled anomaly detection for managed object Peakflow TMS Mitigation Countermeasures White list/blacklist, zombie army, baseline enforcement, rate limiting, payload filtering Common names Ping Attack, Smurf Attack, reflection attacks, UDP flood, Stream, dc++, blackenergy Page Arbor Public

126 Fragmentation Attacks Description A flood of TCP or UDP fragments are sent to a victim overwhelming the victim s ability to re-assemble the streams and severely reducing performance Fragments may also be malformed in some way May be a result of a network mis-configuration Peakflow SP Detection Capabilities Misuse IP Fragment detection Peakflow TMS Mitigation Capabilities White list/blacklist, zombie army Common names Teardrop, Targa3, Jolt2, Nestea Page Arbor Public

127 Application Attacks Description Attacks designed to overwhelm components of specific applications Commonly seen against HTTP, DNS and SIP in particular May be stealthy by mixing with a much higher traffic volume on the same protocol/port Peakflow SP Detection Capabilities Requires TMS systems deployed in span mode doing appid and feeding SP systems with application level managed objects defined. Peakflow TMS Mitigation Countermeasures HTTP malformed, HTTP rate limiting, HTTP payload filtering, SIP malformed, SIP request rate limiting, DNS authentication, DNS malformed, Payload regex filtering, Regex filtering Common names HTTP GET floods, SIP Invite floods, DNS amplification attacks, Page Arbor Public

128 Connection Attacks Description Attacks that maintain a large number of either ½ open TCP connections or fully open idle connections with the victim impeding new connections from forming Peakflow SP Detection Capabilities Limited Peakflow TMS Mitigation Capabilities TCP syn authentication, TCP Idle Reset Common names TCP Idle attack Page Arbor Public

129 Vulnerability Exploit Attacks Description Attacks designed to exploit a vulnerability in the victim s operating system Some are single packet or very low level attacks Many of these are obsolete in modern operating systems Peakflow SP Detection Capabilities Limited: ATF based fingerprint detection Peakflow TMS Mitigation Capabilities Limited: Malformed HTTP, SIP, DNS, White list/blacklist The most effective method of stopping these attacks is to patch hosts on your network Common names Most Worms and Trojans, Land, Xmas Tree, Ping of Death, Targa3, Kiss of Death, Nuke Page Arbor Public

130 Putting All This Together to Stop DDoS The Core Functional Components of an Anti-DDoS Packet Scrubber: Destination detection Source verification (via anti-spoofing) Source detection (via anomalies) Source/attack blocking/filtering Attack termination detection Page Arbor Public

131 Packet Cleaning via Shunts Advantages: Not on critical path during normal operation Anomaly-based detection with baselining Optimized for high-performance blocking Is resistant to state limitations of most other devices Limitations: Not designed to stop single-packet exploits, but regexp countermeasure can be used if the exploit packet signature is known Inherent assumption of a destination to be protected i.e., a server Resource utilization: finite resources in the scrubber complex (160gb/sec max per cluster with Cisco CEF-based load-leveling of 16 paths w/n7k multiple clusters via IPv4 anycast addressing) Requires up-front network engineering to implement Page Arbor Public

132 Q&A Page Arbor Public

133 Thank You Roland Dobbins Solutions Architect BKK mobile SIN mobile

Hunting down a DDOS attack

Hunting down a DDOS attack 2006-10-23 1 Hunting down a DDOS attack By Lars Axeland +46 70 5291530 lars.axeland@teliasonera.com 2006-10-23 What we have seen so far What can an operator do to achieve core security What solution can

More information

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Distributed Denial of Service (DDoS) Attacks DDoS attack traffic consumes

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

Putting the Tools to Work DDOS Attack

Putting the Tools to Work DDOS Attack Putting the Tools to Work DDOS Attack 1 DDOS = SLA Violation! Hacker ISP CPE Target What do you tell the Boss? SP s Operations Teams have found that they can express DDOS issues as SLA violations, which

More information

Approaches for DDoS an ISP Perspective. barry@null0.net ognian.mitev@viawest.com

Approaches for DDoS an ISP Perspective. barry@null0.net ognian.mitev@viawest.com Approaches for DDoS an ISP Perspective barry@null0.net ognian.mitev@viawest.com Home School How everyone starts It s all up to you It s inexpensive (compared to other forms of education) Quality may not

More information

Sink Holes. A Swiss Army Knife ISP Security Tool. Version 1.5. Barry Raveendran Greene -- bgreene@cisco.com Danny McPherson -- danny@arbor.

Sink Holes. A Swiss Army Knife ISP Security Tool. Version 1.5. Barry Raveendran Greene -- bgreene@cisco.com Danny McPherson -- danny@arbor. Sink Holes A Swiss Army Knife ISP Security Tool Version 1.5 Barry Raveendran Greene -- bgreene@cisco.com Danny McPherson -- danny@arbor.net Context ISP Security Real World Techniques endeavor to share

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

DDoS Mitigation Techniques

DDoS Mitigation Techniques DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet

More information

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1. Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1. Task 20.2: Configure an access-list to block all networks addresses that is commonly used to hack SP networks. Task 20.3:

More information

Arbor s Solution for ISP

Arbor s Solution for ISP Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard

More information

Securing a Core Network

Securing a Core Network Securing a Core Network Manchester, 21 Sep 2004 Michael Behringer Christian Panigl Session Number Presentation_ID 325_mbehring 2001, 2003 Cisco Systems, Inc. All

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

Cisco Network Foundation Protection Overview

Cisco Network Foundation Protection Overview Cisco Network Foundation Protection Overview June 2005 1 Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and

More information

Campus LAN at NKN Member Institutions

Campus LAN at NKN Member Institutions Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding Unicast Reverse Path Forwarding This feature module describes the Unicast Reverse Path Forwarding (RPF) feature, which helps to mitigate problems caused by malformed or forged IP source addresses passing

More information

DDoS Mitigation via Regional Cleaning Centers

DDoS Mitigation via Regional Cleaning Centers SPRINT ATL RESEARCH REPORT RR04-ATL-013177 - JANUARY 2004 1 DDoS Mitigation via Regional Cleaning Centers Sharad Agarwal Travis Dawson Christos Tryfonas University of California, Berkeley Sprint ATL Kazeon

More information

2. Are explicit proxy connections also affected by the ARM config?

2. Are explicit proxy connections also affected by the ARM config? Achieving rapid success with WCCP and Web Security Gateway October 2011 Webinar Q/A 1. What if you are already using WCCP for Cisco waas on the same routers that you need to use WCCP for websense? Using

More information

LAB II: Securing The Data Path and Routing Infrastructure

LAB II: Securing The Data Path and Routing Infrastructure LAB II: Securing The Data Path and Routing Infrastructure 8. Create Packet Filters a. Create a packet filter which will deny packets that have obviously bogus IP source addresses but permit everything

More information

FortiDDos Size isn t everything

FortiDDos Size isn t everything FortiDDos Size isn t everything Martijn Duijm Director Sales Engineering April - 2015 Copyright Fortinet Inc. All rights reserved. Agenda 1. DDoS In The News 2. Drawing the Demarcation Line - Does One

More information

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS Threat Report Insights on Finding, Fighting, and Living with DDoS Attacks v1.1 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News - 2014 DDoS Trends

More information

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia Tutorial: Options for Blackhole and Discard Routing Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia Caveats and Assumptions The views presented here are those of the authors and they do not

More information

Strategies to Protect Against Distributed Denial of Service (DD

Strategies to Protect Against Distributed Denial of Service (DD Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

NetFlow/IPFIX Various Thoughts

NetFlow/IPFIX Various Thoughts NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1 B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

DDoS attacks in CESNET2

DDoS attacks in CESNET2 DDoS attacks in CESNET2 Ondřej Caletka 15th March 2016 Ondřej Caletka (CESNET) DDoS attacks in CESNET2 15th March 2016 1 / 22 About CESNET association of legal entities, est. 1996 public and state universities

More information

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER Sarita Sharma 1, Davender Saini 2 1 Student M. Tech. ECE (2013-2015) Gurgaon Institute of Technology Management (M.D.U)

More information

Advanced BGP Policy. Advanced Topics

Advanced BGP Policy. Advanced Topics Advanced BGP Policy George Wu TCOM690 Advanced Topics Route redundancy Load balancing Routing Symmetry 1 Route Optimization Issues Redundancy provide multiple alternate paths usually multiple connections

More information

Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet.

Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet. Securing BusinessCritical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet.com Agenda Security Market and Solutions Overview New NetworkBased Security

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Brocade NetIron Denial of Service Prevention

Brocade NetIron Denial of Service Prevention White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms. Table of Contents Brocade NetIron

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

IINS Implementing Cisco Network Security 3.0 (IINS)

IINS Implementing Cisco Network Security 3.0 (IINS) IINS Implementing Cisco Network Security 3.0 (IINS) COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Netflow Overview. PacNOG 6 Nadi, Fiji

Netflow Overview. PacNOG 6 Nadi, Fiji Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

Understanding Virtual Router and Virtual Systems

Understanding Virtual Router and Virtual Systems Understanding Virtual Router and Virtual Systems PAN- OS 6.0 Humair Ali Professional Services Content Table of Contents VIRTUAL ROUTER... 5 CONNECTED... 8 STATIC ROUTING... 9 OSPF... 11 BGP... 17 IMPORT

More information

Introducing FortiDDoS. Mar, 2013

Introducing FortiDDoS. Mar, 2013 Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Securing Networks with Mikrotik Router OS Speaker: Tom Smyth, CTO Wireless Connect Ltd. Location: Dubai Date:

Securing Networks with Mikrotik Router OS Speaker: Tom Smyth, CTO Wireless Connect Ltd. Location: Dubai Date: 1 Securing Networks with Mikrotik Router OS Speaker: Tom Smyth, CTO Wireless Connect Ltd. Location: Dubai Date: 28-08-2012 2 Wireless Connect Ltd. Irish Company Incorporated in 2006 Operate an ISP in the

More information

In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing

In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing protection) How the different Inter-AS and Carrier s Carrier

More information

Yahoo Attack. Is DDoS a Real Problem?

Yahoo Attack. Is DDoS a Real Problem? Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Reacting to Security Incidents

Reacting to Security Incidents C H A P T E R 5 Reacting to Security Incidents Reacting to security incidents can be an overwhelming and difficult task if you are not prepared. This chapter covers several best practices, techniques,

More information

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001 The leading edge in networking information White Paper Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM March 30, 2001 Abstract: The purpose of this white paper is to present discussion

More information

BGP DDoS Mitigation. Gunter Van de Velde. Sr Technical Leader NOSTG, Cisco Systems. May 2013. 2012 Cisco and/or its affiliates. All rights reserved.

BGP DDoS Mitigation. Gunter Van de Velde. Sr Technical Leader NOSTG, Cisco Systems. May 2013. 2012 Cisco and/or its affiliates. All rights reserved. BGP DDoS Mitigation Gunter Van de Velde Sr Technical Leader NOSTG, Cisco Systems May 2013 2012 Cisco and/or its affiliates. All rights reserved. 1 A simple DDoS mitigation mechanism explained Bertrand

More information

Service Provider Solutions. DDoS Protection Solution. Enabling Clean Pipes Capabilities

Service Provider Solutions. DDoS Protection Solution. Enabling Clean Pipes Capabilities Service Provider Solutions Enabling Clean Pipes Capabilities June 2005 1 Service Provider Security Highlights Security is the heart of internetworking s future A secure infrastructure forms the foundation

More information

Denial of Service Mitigation. Russell Lahti Director of Technology & Systems, Comlink

Denial of Service Mitigation. Russell Lahti Director of Technology & Systems, Comlink Denial of Service Mitigation Russell Lahti Director of Technology & Systems, Comlink Who I Am Russell Lahti Director of Technology & Systems Great Lakes Comnet / Comlink CISSP rlahti@comlink.net Research

More information

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap Outline Network Virtualization and Data Center Networks 263-3825-00 DC Virtualization Basics Part 2 Qin Yin Fall Semester 2013 More words about VLAN Virtual Routing and Forwarding (VRF) The use of load

More information

Implementing Cisco IOS Network Security

Implementing Cisco IOS Network Security Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles

More information

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Mitigating DDoS Attacks at Layer 7

Mitigating DDoS Attacks at Layer 7 Mitigating DDoS Attacks at Layer 7 Detect, Localize and Mitigate using DNS GSLB Allan Jude ScaleEngine Inc. Introductions Allan Jude 12 Years as FreeBSD Server Admin Architect of the ScaleEngine CDN (HTTP

More information

Introducing Basic MPLS Concepts

Introducing Basic MPLS Concepts Module 1-1 Introducing Basic MPLS Concepts 2004 Cisco Systems, Inc. All rights reserved. 1-1 Drawbacks of Traditional IP Routing Routing protocols are used to distribute Layer 3 routing information. Forwarding

More information

APNIC elearning: BGP Basics. Contact: training@apnic.net. erou03_v1.0

APNIC elearning: BGP Basics. Contact: training@apnic.net. erou03_v1.0 erou03_v1.0 APNIC elearning: BGP Basics Contact: training@apnic.net Overview What is BGP? BGP Features Path Vector Routing Protocol Peering and Transit BGP General Operation BGP Terminology BGP Attributes

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Reducing the impact of DoS attacks with MikroTik RouterOS

Reducing the impact of DoS attacks with MikroTik RouterOS Reducing the impact of DoS attacks with MikroTik RouterOS Alfredo Giordano Matthew Ciantar WWW.TIKTRAIN.COM 1 About Us Alfredo Giordano MikroTik Certified Trainer and Consultant Support deployment of WISP

More information

Course Contents CCNP (CISco certified network professional)

Course Contents CCNP (CISco certified network professional) Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,

More information

Firewalls P+S Linux Router & Firewall 2013

Firewalls P+S Linux Router & Firewall 2013 Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network

More information

A1.1.1.11.1.1.2 1.1.1.3S B

A1.1.1.11.1.1.2 1.1.1.3S B CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Introduction to Firewalls

Introduction to Firewalls Introduction to Firewalls Today s Topics: Types of firewalls Packet Filtering Firewalls Application Level Firewalls Firewall Hardware/Software IPChains/IPFilter/Cisco Router ACLs Firewall Security Enumeration

More information

anti IP spoofing technique

anti IP spoofing technique anti IP spoofing technique MATSUZAKI maz Yoshinobu Copyright (C) 2006 Internet Initiative Japan Inc. 1 ip spoofing creation of IP packets with source addresses other than those assigned

More information

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

MPLS-based Layer 3 VPNs

MPLS-based Layer 3 VPNs MPLS-based Layer 3 VPNs Overall objective The purpose of this lab is to study Layer 3 Virtual Private Networks (L3VPNs) created using MPLS and BGP. A VPN is an extension of a private network that uses

More information

Configuring Denial of Service Protection

Configuring Denial of Service Protection 24 CHAPTER This chapter contains information on how to protect your system against Denial of Service (DoS) attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches,

More information

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre The feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity between networks that are connected by IP-only networks. This

More information

BGP Support for IP Prefix Import from Global Table into a VRF Table

BGP Support for IP Prefix Import from Global Table into a VRF Table BGP Support for IP Prefix Import from Global Table into a VRF Table The BGP Support for IP Prefix Import from Global Table into a VRF Table feature introduces the capability to import IPv4 unicast prefixes

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE)

IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE) IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE) COURSE OVERVIEW: Implementing Cisco IP Routing (ROUTE) v2.0 is an instructor-led five day training course developed to help students prepare for Cisco CCNP _

More information

Why Is MPLS VPN Security Important?

Why Is MPLS VPN Security Important? MPLS VPN Security An Overview Monique Morrow Michael Behringer May 2 2007 Future-Net Conference New York Futurenet - MPLS Security 1 Why Is MPLS VPN Security Important? Customer buys Internet Service :

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

Enterprise Data Center Topology

Enterprise Data Center Topology CHAPTER 2 This chapter provides a detailed description on how to harden and modify enterprise data center topologies for data center security. It includes the following sections: Overview Network Design

More information

IPv6 Security Best Practices. Eric Vyncke evyncke@cisco.com Distinguished System Engineer

IPv6 Security Best Practices. Eric Vyncke evyncke@cisco.com Distinguished System Engineer IPv6 Best Practices Eric Vyncke evyncke@cisco.com Distinguished System Engineer security 2007 Cisco Systems, Inc. All rights reserved. Cisco CPub 1 Agenda Shared Issues by IPv4 and IPv6 Specific Issues

More information

UNICAST REVERSE PATH FORWARDING ENHANCEMENTS FOR THE INTERNET SERVICE PROVIDER INTERNET SERVICE PROVIDER NETWORK EDGE

UNICAST REVERSE PATH FORWARDING ENHANCEMENTS FOR THE INTERNET SERVICE PROVIDER INTERNET SERVICE PROVIDER NETWORK EDGE WHITE PAPER UNICAST REVERSE PATH FORWARDING ENHANCEMENTS FOR THE INTERNET SERVICE PROVIDER INTERNET SERVICE PROVIDER NETWORK EDGE HIGHLIGHTS New additions to Unicast Reverse Path Forwarding (urpf) that

More information

State of Danger: Eliminating Excessive State in Network, Application, & Services Architectures as a DDoS Defense Strategy

State of Danger: Eliminating Excessive State in Network, Application, & Services Architectures as a DDoS Defense Strategy State of Danger: Eliminating Excessive State in Network, Application, & Services Architectures as a DDoS Defense Strategy Roland Dobbins Solutions Architect +66-83-266-6344 BKK mobile

More information

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei Firewall

More information