Denial of Service Mitigation
Russell Lahti, Director of Technology & Systems, Comlink

Who I Am
- Russell Lahti, Director of Technology & Systems, Great Lakes Comnet / Comlink
- CISSP
- Research and development on new platforms and technologies
- *nix and Windows systems administration
- Develops in Perl, PHP, Python, JS, others
- VoIP: Hosted PBX, SIP, MGCP, SBC, Proxy
- Network: Cisco, Juniper, Force10, others. T1-DWDM
- Figuring things out
What is a DoS (Denial of Service) Attack?
- One basic purpose: make something or someone go offline
- Covers a wide variety of attack vectors, but most focus on two approaches:
  1. Use all available bandwidth
  2. Use all of the processing power or memory

Common Attack Targets
- Users of IRC (Internet Relay Chat): probably still the most common
- Online message forums and their users
- Anyone hosting or distributing objectionable content, ranging from a picture someone doesn't like to copyright-infringing material

Less Common Attack Targets (the ones you actually hear about)
- Operation Payback: Anonymous and Wikileaks; DDoS attacks against PayPal, the Swiss bank PostFinance and the Swedish Prosecution Authority
- MasterCard and Visa websites taken down
- Sony PlayStation Network DoS
Why Should You Care?
- Who needs Internet? Can you still operate without it?
- Many components now rely on Internet connectivity, including BYOB / collapsed-network VoIP, ticket handling, credit card processing, medical records, and even desktop access.

DoS: Incredibly Easy
- Point-and-click tools for common DoS attacks, more available daily
- DoS attacks for hire: rent a botnet
- Little barrier to entry for someone looking to be destructive
- A single computer can quickly launch a sustained 10Gbps+ DDoS attack

Service Providers
- We commonly see several Gbps of DoS traffic at a time, several times a day
- Most networks try to police the users
- Follow the money: who pays? DoS attacks are expensive
- Even DoS attacks are billable usage
- Common solution: get rid of the problem users
PPS: By The Numbers
- 1Gbps / (84 * 8) = 1,488,095 PPS (64-byte frame + 20 bytes of preamble and inter-frame gap)
- 1Gbps / (1538 * 8) = 81,275 PPS (1518-byte frame + 20 bytes of preamble and inter-frame gap)
- Note: 100GBASE-LR4 single CFP optic, down in price to $100K each (10 km)

PPS: Routers
- While 1.44M PPS may seem like a lot for a 1Gbps interface, most routers cannot sustain even half that load
- Check your router data sheets
- Other devices: switches, firewalls, in-line IDS, load balancers
- Test your performance with ACLs applied
- Don't forget to test endpoints!
Large Packet
- Fill the pipes
- Difficult to defend against without support from your ISP(s)
- DDoS: even harder
- Larger packets are easier to deal with (processing)

Layer-7 DoS
- Eats all available resources, renders content unavailable
- Many tools available; minimal resources used in the attack
- Emulates real connections, takes advantage of default timeouts and partial connections

Apache: Options
- Start by setting config files correctly: tweak StartServers, MinSpareServers, MaxSpareServers, MaxClients, ServerLimit, MaxRequestsPerChild to meet your platform specs
- mod_security offers many great options if configured correctly
DNS Amplification Attacks
- Still HUGE
- Spoofed UDP queries flood the victim
- Becoming easier to find and attack with
- Please, don't run an open recursive DNS!

Start With Your Network!
- Know what uRPF (Unicast Reverse Path Forwarding) is, and implement it where appropriate
- Please, don't run an open recursive DNS!
- mod_security is your friend (once you get to know him)
- Actively monitor bandwidth, PPS, CPU, MEM, flows: all easily done
- The obvious: patch, upgrade, and patch again; it never ends
- Don't let a system on your network be a member of the next botnet or DDoS attack
Mitigating PPS Attacks
- Check your router spec sheet for PPS; make sure it can handle at least the capacity of your connectivity
- If conditions are right, null route the target IP both locally and in coordination with your upstream provider(s)
- Otherwise, wait for it to end

Mitigating Large Packet DoS
- Similar to PPS attacks, but your router will likely still be responsive
- Remote Triggered Blackhole Filtering with uRPF can work very well against these attacks as long as all bandwidth is not consumed
- Coordination with your service provider is critical; some have options available
Custom Development
- Monitors packets on a SPAN/mirror port
- Calculates PPS for all traffic at regular intervals
- When the set interval is reached, the targeted IP is automatically null-routed locally and at all upstream network edges, and alerts are sent
- No DoS traffic hits the uplink; no other customers are impacted
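An added example, not the author's tool: a minimal Python version of the detector described on this slide, which also carries the line-rate PPS arithmetic from the "PPS: By The Numbers" slide. It assumes a constructed packet sample in place of the SPAN feed, a Linux blackhole route for the local null route, and a placeholder for the upstream provider's blackhole community.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed stand-in for a SPAN/mirror feed: (timestamp in seconds, destination IP).
# 5,000 packets in one second hit 203.0.113.10; 50 hit 203.0.113.20; one falls outside the window.
SAMPLE_PACKETS = (
    [(i / 5000, "203.0.113.10") for i in range(5000)]
    + [(i / 50, "203.0.113.20") for i in range(50)]
    + [(1.5, "203.0.113.30")]
)

def line_rate_pps(link_bps, frame_bytes):
    """Maximum packets per second at line rate: each frame costs frame_bytes + 20 bytes
    (preamble and inter-frame gap) at 8 bits per byte; 1 Gbps at 64 bytes gives 1,488,095."""
    return link_bps // ((frame_bytes + 20) * 8)

def pps_per_destination(packets, window_start, window_len):
    """Packets per second seen for each destination IP inside one measurement interval."""
    counts = Counter()
    for ts, dst in packets:
        if window_start <= ts < window_start + window_len:
            counts[dst] += 1
    return {dst: n / window_len for dst, n in counts.items()}

def targets_over_threshold(pps_by_dst, threshold_pps):
    """Destination IPs whose inbound PPS reached the configured threshold (sorted for stable output)."""
    return sorted(dst for dst, pps in pps_by_dst.items() if pps >= threshold_pps)

def blackhole_actions(targets, upstream_community="PROVIDER_BLACKHOLE_COMMUNITY"):
    """Local null route (assumed Linux 'ip route add blackhole') plus the /32 to announce to each
    upstream edge with the provider's RTBH community; the community value is a placeholder."""
    actions = []
    for dst in targets:
        ip_address(dst)  # reject anything that is not a valid address before it reaches a router
        actions.append({
            "target": dst,
            "local": f"ip route add blackhole {dst}/32",
            "upstream": f"{dst}/32 community {upstream_community}",
            "alert": f"PPS threshold exceeded for {dst}; null route installed",
        })
    return actions

def run_interval(packets, window_start, window_len, threshold_pps):
    """One detector pass: measure, compare against the threshold, emit null-route actions."""
    return blackhole_actions(targets_over_threshold(
        pps_per_destination(packets, window_start, window_len), threshold_pps))

if __name__ == "__main__":
    # Threshold (constructed choice): 0.1% of the 64-byte line rate of a 1 Gbps uplink, i.e. 1,488 PPS.
    for action in run_interval(SAMPLE_PACKETS, 0.0, 1.0, line_rate_pps(10**9, 64) // 1000):
        print(action)
```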
Future Development
- Monitoring of passive NetFlow/sFlow data
- Higher data rates and port speeds
- Threshold setting: PPS and signature attacks
- Merge uRPF and BGP null-route functions
- Web configuration, control, and reporting interface for easier management

Questions?
Russell Lahti, Director of Technology & Systems, Comlink