GÉANT Perspective on DDoS DDoS Mitigation in the NREN Environment Workshop

Size: px

Start display at page:

Download "GÉANT Perspective on DDoS DDoS Mitigation in the NREN Environment Workshop"

Dorcas Lindsey
9 years ago
Views:

1 GÉANT Perspective on DDoS DDoS Mitigation in the NREN Environment Workshop GEANT Information & Infrastructure Security Team Evangelos Spatharas DDoS Mitigation Workshop Vienna, November 10 th 2015

Infrastructure Security Team Evangelos Spatharas

2 INDEX DDoS Statistics How to Prevent Understand your Network Network Architecture - Zones Modular Firewall How to Detect NetFlow Monitoring and Alerting NetFlow Alternatives Log Monitoring How to Mitigate ACLs RTBH BGP Flowspec The Future of BGP Flowspec Firewall on Demand NSHaRP Fully Integration Q & A November 2015 June 2015 October 2014 May 2014 FoD Chain Firewall Architecture RTBH Patch Scanning System s Log Monitoring NSHaRP September 2010 February 2010

The Future of BGP Flowspec Firewall on Demand NSHaRP Fully Integration Q & A November 2015 June 2015 October 2014

3 Events seen per Month D(D)oS Not Just in Fiction Movies GÉANT DDoS Attacks ,862 1, Apr-15 May-15 Jun-15 Jul-15 Aug-15 Sep-15 Oct-15 April October 2015 DNS, NTP, SMPT and other amplification attacks..

641 509 143 Apr-15 May-15 Jun-15 Jul-15 Aug-15 Sep-15 Oct-15

4 How to Protect Against DDoS? Interconnect NREN Level3 4

5 Defending GÉANT 5

6 Defending GÉANT 6

7 Preventative Controls - Zones GÉANT GÉANT Ltd INTERNAL Protected External Internet EXTERNAL 7

8 Preventative Controls Deep Defence Protected-External IP prefix, protocol & port(s), spoof, smurf etc. filtering VLAN 100 Transport protocol(s)/port(s) filtering Basic Filtering Internet,NREN,IX etc. 8

9 Preventative Controls Patch Scanning and Management Number of Vulnerable System by OS Asset management Areas of attention Monthly scans Top 15 Vulnerable Systems for the current month By criticality Prioritize and remediate weakest ones first Monthly scans 9

Monthly scans Top 15 Vulnerable Systems for the current month By

10 Detection 10

11 Detective Controls NetFlow Monitoring 11

12 Detective Controls NetFlow Alerts 12

13 Detective Controls Login Rate Monitorin + Iptables + 1. index=nix_hosts_apache "Login failed for user*" stats count(src_ipv4) by host search count> iptables -I INPUT 5 -m limit --limit 10000/min -j LOG --log-prefix Possible DDoS: " --log-level 7 3. Nagios plugins? 13

count(src_ipv4) by host search count> 1000 2.

14 Mitigation 14

15 Mitigation Controls ACLs + RTBH + BGP Flowspec ACLs RTBH BGP Flowspec Doesn t scale Time consuming Granular Less coarse Service filtering Scalable Fast implementation No granularity Too coarse Wide support Scalable Fast implementation Granular Less coarse No support from older OSs 15

2009 Scalable Fast implementation No granularity Too coarse Wide support

16 ACLs Chain Architecture Chain architecture Head Middle Tail Auditing Troubleshooting Deployment 16

17 RTBH Statistics 6 RTBH-ed destinations 2+ billions of packets blocked Counters reset every month 17

18 BGP Flowspec - FoD fod.geant.net Developed and designed by

19 FoD WEB GUI 19

20 FoD WEB GUI 20

21 FoD How Does it Work? IX A Internet GÈANT NREN A Flowspe c FoD IX B NSHaRP 21

22 FoD How Do we Envision it to Work IX A Internet GÈANT NREN A Flowspe c FoD IX B NSHaRP 22

23 Demo Time! FoD Demo Time 23

24 What do YOU think? What do YOU think? 24

25 Q & A 25

26 Thank you GEANT Information & Infrastructure Security Team 26

Firewall on Demand Multidomain

Firewall on Demand Multidomain S E C U R I T Y V I A B G P F L O W S P E C & A W E B P L A T F O R M Leonidas Poulopoulos GRNET NOC Wayne Routly DANTE Jeffrey Haas JUNIPER Firewall on Demand Multidomain