Internet Attack Mitigation at Spring ISD. CTO Clinic Presentation June 17-18, 2014

Transcription

1 Internet Attack Mitigation at Spring ISD CTO Clinic Presentation June 17-18, 2014

2 Timeline of Events - DDoS Attacks February March

3 Timeline of Events - continued April May

4 Spring ISD Internet Providers 3 Connections to the Internet Cogent mbps ICTX mbps AT&T mbps

5 communication to administrators The purpose of this communication is to inform you about the recent Internet outages that the school district has experienced. Starting on February 18th, we have been the target of deliberate, malicious acts to overload our Internet bandwidth. The Technology Department has been working to deflect the attacks. We have learned that similar attacks have occurred with other school districts in Texas. We have also received information from one of our education vendors that they were also targeted. We are working with our Internet Services Providers (ISPs) to detect and prevent the attacks. The attacks are a form of distributed denial of service attacks (DDoS), an attempt by hackers to disrupt our access to the Internet by overloading our Internet bandwidth. We have been able to limit the outages to short durations of time by making adjustments to drop the malicious incoming traffic. We want to assure you that at no time has our system been breached. District data remains safe and secure. We are continuing to work with our ISPs and other school districts to address the situation.

6 Understanding Denial of Service

7 What What is a Denial of Service attack? A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service Source

8 Why Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization.

9 How 3 basic modes of attack: consumption of scarce, limited, or non-renewable resources destruction or alteration of configuration information physical destruction or alteration of network components

10 How 3 basic modes of attack: consumption of scarce, limited, or non-renewable resources destruction or alteration of configuration information physical destruction or alteration of network components Network connectivity Using your own resources against you Bandwidth consumption Consumption of other resources

11 Types of DoS and DDoS attacks Protocol Attack Volumetric Attack Amplification Attack Reflection Attack Spoofed Attack Nuke Zero Day DDoS Chargen Attack Teardrop Attack UDP Flood SYN Flood Ping of Death (POD) Slowloris Application Level Attack

12 Types of DoS and DDoS attacks Protocol Attack Volumetric Attack Amplification Attack Reflection Attack Spoofed Attack Nuke Zero Day DDoS Chargen Attack Teardrop Attack UDP Flood SYN Flood Ping of Death (POD) Slowloris Application Level Attack

13 Identify an attack Intrusion Detection System aka IDS Intrusion Prevention System aka IPS Purpose built appliance Firewall

14 Identification of attack Intrusion Detection System aka IDS Intrusion Prevention System aka IPS Purpose built appliance **Firewall** Palo Alto Networks 5050

15 Mitigation of DDoS attack 3 main types: DNS redirect Internet service provider Scrubbing center

16 Our solution Purpose built appliance for attack traffic identification and local mitigation Scrubbing center

17 Our solution Purpose built appliance for attack traffic identification and local mitigation Radware DefensePro Scrubbing center Radware Defense Pipe

18 Radware DefensePro An on-premise attack mitigation system, effectively detects and blocks all varieties of DDoS attacks.

19 DefensePro Security Dashboard

20 DefensePro Traffic Monitoring

21 DefensePro Traffic Monitoring - UDP

22 DefensePro Geo Map

23 Mitigating Volumetric DDoS attacks

24 Mitigating Volumetric DDoS attacks What happens when an attack is based upon traffic volume? Internet pipe saturation can occur Rejecting this traffic at your border is not sufficient The intended effect of the attack - denial of service - is accomplished

25 DDoS Volumetric Attack

26 How do you mitigate such an attack? Typically not enough to ask your ISP to block source IP or port ranges - attackers will adapt - distributed botnets / source IP spoofing You must rely upon resources further upstream with enough capacity to absorb the attack

27 ISP-provided scrubbing service Your service provider scrubs traffic in-line, and only passes clean pipe traffic to your border.

28 Benefits Transparent process - typically requires no re-routing of traffic to a 3rd party Time needed to implement protection service may be shorter

29 Challenges Likely need to purchase this service per ISP If they offer multiple-isp protection, likely just reselling a scrubbing center service like Radware s solution Many smaller ISPs, or ISPs focused on low cost, will not provide this service - the only way to protect these connections is through a 3rd party service.

30 DefensePipe - 3rd-party scrubbing Ingress traffic is re-routed through a scrubbing center that can absorb the attack, filtering attack traffic, and only passing clean pipe traffic to your border

31 Mitigating Volumetric DDoS attacks

32 Mitigating Volumetric DDoS attacks

33 Mitigating Volumetric DDoS attacks

34 Mitigating Volumetric DDoS attacks

35 Mitigating Volumetric DDoS attacks

36 Benefits Can protect all of your ISP connections through a single service and contract - may be more cost effective Will provide DDoS protection, even when an ISP cannot Independent from your ISPs, avoiding ISP contract concerns (E-Rate, pricing leverage)

37 Challenges Diversion mechanism relies upon BGP - must set this up Traffic returning from scrubbing center makes use of a GRE tunnel - must set this up

38 BGP Pre-requisites Apply for an Autonomous System Number (ASN) through ARIN - American Registry for Internet Numbers Purchase BGP capable border router(s) Your public IPv4 blocks must be /24 or larger for BGP route advertisement IP block can be provider-assigned, but will need approval from ISP for diversion.

39 Considerations and Lessons Learned If you want the option of ISP-provided DDoS protection, include this as a factor in RFPs If you want the option of 3rd party scrubbing, implement BGP in advance If implementing BGP, load balancing mechanisms and quantity / size of public ip allocations are key considerations New solutions are arising, making use of SDN mechanisms like BGP Flowspec

40 Mitigating Volumetric DDoS attacks Questions? Link to presentation:

41 Appendix: BGP Diversion Methods Diversion Option 1 - Smaller prefix Advertise a /23 or larger prefix During attack, DefensePipe will advertise your IP block using smaller prefixes (example, 2x /24 networks) For route selection, more specific advertisements win, so traffic will follow. This option requires that you own or are allocated a contiguous /23 public IP block

42 Appendix: BGP Diversion Methods Diversion Option 2 - AS-path Prepend Route selection for traffic on the Internet is based upon shortest path through Autonomous Systems (AS-Path). Your BGP router can advertise a route with your ASN prepended multiple times to the AS-path, making the AS-path appear longer. During attack, DefensePipe will advertise a route to your IP block without any prepending, giving their advertisement a shorter AS-path than yours. A route with a shorter AS-path wins, so traffic will follow.

43 Appendix: BGP Diversion Methods Diversion Option 3 - Advertisement / Withdrawal Only recommended if other methods are not possible. You must manually withdraw BGP advertisements. Requires action on your part in order to activate protection. DefensePipe will advertise a route to your IP block, and traffic will follow.

44 Appendix: Return traffic - GRE tunnel Must set aside public IP that is not a part of the diverted IP block This IP will serve as an endpoint for a GRE tunnel. All scrubbed traffic is passed back to your border through this tunnel GRE encapsulation has an effect on MTU