Scalable DDoS mitigation. Peter Filo Senior Systems Engineer ALEF Distribution SK

Transcription

1 Scalable DDoS mitigation Peter Filo Senior Systems Engineer ALEF Distribution SK

2 Agenda Traditional DDoS Mitigation Remote Triggered Blackhole Filtering Scalable DDoS Mitigation BGP FlowSpec Cloud DDoS Protection F5 Silverline

3 DDoS Overview Distributed denial-of service (DDoS) attacks target network infrastructures or computer services by sending overwhelming number of service requests to the server from many sources. Server resources are used up in serving the fake requests resulting in denial or degradation of legitimate service requests to be served Addressing DDoS attacks Detection Detect incoming fake requests Mitigation Diversion Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets Return Send back the clean traffic to the server

4 DDoS Detection NetFlow / IPFIX / sflow How many flows/sec can your routers meter, and how fast is your collector/analyzer? What are you going to look at? SNMP Are you looking at all the right values? Are you polling your devices every second, every minute, every hour? SYSLOG Need to set up proper rules to filter out the events you want to see RADIUS/TACACS+ logging Watch those authentication failures and changes to the nodes Packet capturing Do you use TAPs/Splitters?

5 Goals of DDoS Mitigation Stop the attack Drop only the DDoS traffic Application aware filtering, redirection, mirroring Dynamic and adaptive technology Simple to configure Easy to disseminate

6 Remote Triggered Black-Hole Filtering (RTBH) Once the attack has been detected, traffic related to the DDoS should be discarded on the edge of the service provider network BGP router (trigger) signals over BGP to the edge routers that traffic causing DDoS should be discarded (forwarded to null interface) Destination-based RTBH Traffic going to the IP addresses of the customer is discarded on the edge Source-based RTBH Traffic coming from the IP addresses of the attacker is discarded on the edge Uses strict urpf with BGP signalling

7 Destination-based RTBH PE1 router ip route Null0 interface Null0 no ip unreachables PE2 SP AS PE1 Gi0/0 Customer /24 Signalling router Signalling router router bgp redistribute static route-map static-to-bgp. route-map static-to-bgp permit 10 match tag 66 set ip next-hop set local-preference 200 set community no-export set origin igp route-map static-to-bgp permit 20 Attacker /24 Signalling router / adding a static route when under attack ip route Null0 Tag 66

8 Source-based RTBH PE1 router ip route Null0 interface Null0 no ip unreachables interface GigabitEthernet0/0/0 ip verify unicast source reachable-via rx PE2 SP AS PE1 Gi0/0/0 Customer /24 Signalling router Signalling router router bgp redistribute static route-map static-to-bgp. route-map static-to-bgp permit 10 match tag 66 set ip next-hop set local-preference 200 set community no-export set origin igp route-map static-to-bgp permit 20 Attacker /24 Signalling router / adding a static route when under attack ip route Null0 Tag 66

9 RTBH as a Service Ask your uplink providers for blackhole BGP community Provide blackhole BGP community to your customers web server /24 DDoS Traffic F0/0 BGP: /24 SP AS Internet CE BGP: /32 Com: 65535:666 PE2 PE /32 Discard CE router router bgp network mask redistribute static route-map static-to-bgp route-map static-to-bgp permit 5 match tag 666 set community additive 65535:666 ip route FastEthernet0/0 tag 666 PE2 router router bgp neighbor cust route-map from-customer in ip community-list standard BH permit 65535:666 route-map from-customer permit 10 match community BH set ip next-hop set local-preference 200 set community no-export route-map rm-community-in permit 20

10 Remote Triggered Black-Hole Filtering (RTBH) No more DDoS traffic on my web server But no more traffic at all on my webserver IP based solution only Is this the solution you were looking for?

11 Policy Based Routing? Identification of DDoS traffic based around conditions regarding MATCH statements Source/Destination address Protocol Packet Size Port Number Etc... Actions upon DDoS traffic Discard Rate Limiting Redirection Etc...No more DDoS traffic on my web server Does not this sound as a great solution?

12 Policy Based Routing? Good solution for Done with hardware acceleration for carrier grade routers Can provide very good precision of match statements and actions to impose But... Customer need to call its Service Provider Service Provider has to accept and run this filter on each of their peering routers Customers need to call the Service Provider and remove the rule after Not scalable...

13 Solution: BGP FlowSpec Makes static PBR a dynamic solution Allows to propagate PBR rules Existing control plane communication channel is used Uses your existing MP-BGP infrastructure

14 RFC5575 Dissemination of Flow Specification Rules Published in August 2009 New Flow Specification NLRI type encoded using MP_REACH_NLRI/MP_UNREACH_NLRI Inter-domain support Point-to-multipoint with Route-Reflectors Networking engineers and architects understand perfectly BGP Capability to send via a BGP address Family Match criteria (NLRI) Action criteria (Extended communities) Three elements Controller Client Route-reflector (optional)

15 BGP FlowSpec Components Controller Injects rules remotely in the clients Needs to implement at the minimum the Control Path Examples of BGP FS Controllers: Router (ASR9K, CRS, NCS6000, XR12000) Server (ExaBGP, Arbor PeakFlow SP Collector Platform) Virtual router (XRv) Client Receives rules from Controller(s) and programs the match/action in hw Needs to implement both Control Plane and Data Plane Examples of BGP FS Clients: Router (ASR9K, ASR1K) Route-Reflector (optional) Receives rules from Controller(s) and distributes them to Clients Examples of BGP FS Route-Reflectors: ASR9K; CRS; NCS6000 or XRv

16 RFC5575 Dissemination of Flow Specification Rules New NLRI defined (AFI=1, SAFI=133) to describe the traffic of interest 1. Destination IP Address (1 component) 2. Source IP Address (1 component) 3. IP Protocol (+1 component) 4. Port (+1 component) 5. Destination port (+1 component) 6. Source port (+1 component) 7. ICMP Type 8. ICMP code 9. TCP Flags 10. Packet length 11. DSCP 12.Fragment Address Family Identifier (2 octets) Subsequent Address Family Identifier (1 octet) Length of Next Hop Network Address (1 octet) Network Address of Next Hop (variable) Reserved (1 octet) Network Layer Reachability Information (variable) The MP_REACH_NLRI RFC 4760 Notice from the RFC: Flow specification components must follow strict type ordering. A given component type may or may not be present in the specification, but if present, it MUST precede any component of higher numeric type value.

17 RFC5575 Dissemination of Flow Specification Rules Traffic Action is defined in extended communities (RFC4360) Type high Type low(*) Value Type Description Encoding 0x8006 Traffic-rate 2bytes ASN; 4 bytes as float 0x8007 Traffic-action Bitmask 0x8008 Redirect 6 bytes RT (Route Target) 0x8009 Traffic-marking DSCP value

18 Cisco IOS XR Routers BGP FS Implementation Platform Hardware Control Plane Support Data Plane Support ASR9K Typhoon LC ASR9K Thor LC ASR ASR9K Tomahawk Target 5.3.x Target 5.3.x CRS Taiko LC CRS Topaz LC Target XRv N/A C12K Not planned NCS6000 Target 5.2.3/5.2.4 Target 5.2.3/5.2.4 In Cisco IOS 15.5(S) release, BGP flow specification is supported only on a route reflector. IOS XE software supports BGP flow specification client function and does not support BGP flow specification controller function. Mixing of address family matches and actions is not supported in flow spec rules. For example, IPv4 matches cannot be combined with IPv6 actions and vice versa.

19 Cisco IOS XR Routers BGP FS Implementation NLRI type Match fields Value input method Type 1 IPv4 Destination address XR PI ASR9K CRS NCS6000 Prefix length Type 2 IPv4 Source address Prefix length Type 3 IPv4 protocol Multi value range Type 4 Type 5 IPv4 source or destination port IPv4 destination port Multi value range Multi value range Type 6 IPv4 source port Multi value range Type 7 IPv4 ICMP type Multi value range Type 8 IPv4 ICMP code Multi value range Type 9 IPv4 TCP flags Bit mask Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Type 10 IPv4 packet length Multi value range Type 11 IPv4 DSCP Multi value range Type 12 IPv4 fragmentation bits Bit mask Only indication of fragment

20 Cisco IOS XR Routers BGP FS Implementation NLRI type Match fields Value input method XR PI ASR9K CRS NCS6000 Type 1 IPv6 Destination address Prefix length Type 2 IPv6 Source address Prefix length Type 3 IPv6 Next header Multi value range Type 4 Type 5 IPv6 source or destination port IPv6 destination port Multi value range Multi value range Type 6 IPv6 source port Multi value range Type 7 IPv6 ICMP type Multi value range Type 8 IPv6 ICMP code Multi value range Type 9 IPv6 TCP flags Bit mask Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Type 10 IPv6 packet length Multi value range Type 11 IPv6 Traffic class Multi value range Type 12 Reserved N/A N/A N/A N/A N/A Type 13 IPv6 Flow Based Multi value range x x x x

21 Configuring BGP FlowSpec on IOS XR Routers Signalisation: Use of a new Address-family flowspec Controller Client router bgp1 bgprouter-id address-family ipv4 flowspec neighbor-group ibgp-flowspec remote-as 1 update-source loopbook0 address-family ipv4 flowspec neighbor use neighbor-group ibgp-flowspec neighbor use neighbor-group ibgp-flowspec flowspec address-family ipv4 service-policy type pbr FS router bgp1 bgprouter-id address-family ipv4 flowspec neighbor-group ibgp-flowspec remote-as 1 update-source loopback0 address-family ipv4 flowspec neighbor use neighbor-group ibgp-flowspec flowspec local-install interface-all Advertise policy FS Install all rules on all interfaces

22 Configuring BGP FlowSpec on IOS XR Routers Verifying the Session Establishment (on Client) RP/0/RP0/CPU0:Client#sh bgp ipv4 flowspec summary BGP router identifier , local AS number 1 BGP generic scan interval 60 secs Non-stop routing is enabled BGP table state: Active Table ID: 0x0 RD version: 7072 BGP main routing table version 7072 BGP NSR Initial initsyncversion 0 (Reached) BGP NSR/ISSU Sync-Group versions 7072/0 BGP scan interval 60 secs BGP is operating in STANDALONE mode. Process RcvTblVer brib/rib LabelVer ImportVer SendTblVer StandbyVer Speaker Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd w1d 1001 RP/0/RP0/CPU0:Client#

23 Configuring BGP FlowSpec on IOS XR Routers Configuring Rules on the Controller In many aspects, the rules configuration on the controller is similar to the MQC (Modular QoS Configuration) Rules are defined in Cisco Common Classification Policy Language (C3PL) format: Traffic Matching is defined in class-map Action is defined in a policy-map and refers a class-map This policy-map is advertised by the service-policy type pbr

24 Configuring BGP FlowSpec on IOS XR Routers Configuring Rules on the Controller class-map type traffic match-all match-udp53 match destination-port 53 match protocol udp end-class-map class-map type traffic match-all match-src-ipv4-addr match destination-address ipv end-class-map policy-map type pbr FS class type traffic match-src-ipv4-addr police rate bps class type traffic match-udp53 redirect next class type traffic class-default end-policy-map flowspec address-family ipv4 service-policy type pbr FS

25 Configuring BGP FlowSpec on IOS XR Routers Configuring Rules on the Controller class-map type traffic match-all MATCH-UDP123 match destination-port 123 match protocol udp end-class-map class-map type traffic match-all MATCH-SRCv4 match destination-address ipv /24 end-class-map policy-map type pbr FS1 class type traffic MATCH-SRCv4 police rate bps end-policy-map policy-map type pbr FS2 class type traffic MATCH-UDP123 redirect nexthop end-policy-map flowspec address-family ipv4 service-policy type pbr FS1 service-policy type pbr FS2 class-map type traffic match-all MATCH-UDP123 match destination-port 123 match protocol udp end-class-map class-map type traffic match-all MATCH-SRCv4 match destination-address ipv /24 end-class-map policy-map type pbr FS class type traffic MATCH-SRCv4 police rate bps class type traffic MATCH-UDP123 redirect nexthop end-policy-map flowspec address-family ipv4 service-policy type pbr FS

26 Configuring BGP FlowSpec on IOS XR Routers Configuring Type 1 match Destination IP RP/0/0/CPU0:Ctrl(config)#class-map type traffic match-all MATCHING-RULE RP/0/0/CPU0:Ctrl(config-cmap)#match destination-address ipv /24 RP/0/0/CPU0:Ctrl(config-cmap)# RP/0/RP0/CPU0:Client#sh flowspec ipv4 detail AFI: IPv4 Flow :Dest: /24 Actions :Traffic-rate: bps (bgp.1) Statistics (packets/bytes) Matched : 0/0 Transmitted : 0/0 Dropped : 0/0 RP/0/RP0/CPU0:Client#sh flowspec ipv4 nlri AFI: IPv4 NLRI (Hex dump) : 0x011851fdc1 Actions :Traffic-rate: bps (bgp.1) RP/0/RP0/CPU0:Client# Type Prefix length Prefix 1 byte 1 byte Variable 1 / x01 0x18 0x51 fd c1 0x011851fdc1

27 Cisco IOS XR Routers BGP FS Implementation NLRI type Match fields Value input method Type 1 IPv4 Destination address XR PI ASR9K CRS NCS6000 Prefix length Type 2 IPv4 Source address Prefix length Type 3 IPv4 protocol Multi value range Type 4 Type 5 IPv4 source or destination port IPv4 destination port Multi value range Multi value range Type 6 IPv4 source port Multi value range Type 7 IPv4 ICMP type Multi value range Type 8 IPv4 ICMP code Multi value range Type 9 IPv4 TCP flags Bit mask Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Only lower Byte reserved and NS bit not supported Type 10 IPv4 packet length Multi value range Type 11 IPv4 DSCP Multi value range Type 12 IPv4 fragmentation bits Bit mask Only indication of fragment

28 Configuring BGP FlowSpec on IOS XR Routers Mixing several matching statements class-map type traffic match-all MATCHING-RULE1 match source-port match protocol udp match dscp ef match packet length match destination-port 80 match destination-address ipv end-class-map RP/0/RSP0/CPU0:Client#sh flowspec afi-all detail AFI: IPv4 Flow :Dest: /24,Proto:=17,DPort:=80,SPort:=10 =20 >=30&<=40 >=50&<=52 >=60&<=70,Length:>=10&<=100 >= 102&<=200 >=202&<=400 >=402&<=1500,DSCP:=46 Actions :Traffic-rate: bps (bgp.1) Statistics (packets/bytes) Matched : 0/0 Dropped : 0/0 RP/0/RSP0/CPU0:Client#sh flowspec afi-all nlri AFI: IPv4 NLRI (Hex dump) : 0x01180bc a e cc5460a030a c803ca d505dc0b812e Actions :Traffic-rate: bps (bgp.1) RP/0/RSP0/CPU0:Client#

29 Configuring BGP FlowSpec on IOS XR Routers We can mix several Actions: Rate-limit + Redirect VRF/IP Rate-limit + DSCP Marking Redirect VRF/IP + DSCP Marking Rate-limit + Redirect VRF/IP + DSCP Marking It s not possible to mix: Redirect VRF + Redirect NH IP Redirect NH IP@A + Redirect NH IP@B Rate limit DSCP marking Redirect RP/0/RP0/CPU0:Client#sh flowspec ipv4 detail AFI: IPv4 Flow :Dest: /32,Proto:=17,Length:>=500&<=1550 Actions :Traffic-rate: bps DSCP: ef Nexthop: (bgp.1) Statistics (packets/bytes) Matched : / Dropped : / RP/0/RP0/CPU0:Client#

30 Benefits of DDoS Mitigation with BGP FS Single point of control to program rules in many clients Allows a very precise description/matching of the attack traffic Can be used for both mitigation and diversion of the attack traffic, without impact the course of the rest of the traffic targeted to the victim Filtering stateless attacks on the edge route permits mitigation of millions of PPS of dirty traffic while liberating precious CPU cycle on the scrubbing device for more advanced mitigation needs The Cisco ASR9000 supports Arbor Peakflow SP TMS software on the VSM service card XRv can be used as a controller Free to test with CCO account

31 DDoS Mitigation on ASR9K Virtualised Service Module Cisco/Arbor Partnership Peakflow SP TMS embedded on VSM Supported with RSP440 onwards (not RSP2) All 9000 chassis except 9001 Multi-purpose service card CGN IPSec Mobile GW DPI ASAv DDoS Mitigation Service chaining KVM virtualised environment

32 F5 Silverline DDOS protection - Global Coverage SOC 24/7 Support F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes - Seattle, WA US Global Coverage Fully redundant and globally distributed data centers world wide in each geographic region - San Jose, CA US - Ashburn, VA US - Frankfurt, DE - Singapore, SG Industry-Leading Bandwidth Scrubbing capacity of over 2.0 Tbps Guaranteed bandwidth with Tier 1 carriers

33 F5 Silverline DDOS protection Service Options Always on Primary protection as the first line of defense The Always On service stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic through your website. Always available Primary protection available on-demand The Always Available service runs on stand-by and can be initiated when under a DDoS attack. F5 Silverline will being mitigation as soon as your traffic is sent to us.

34 F5 Silverline DDOS protection Two Ways to Direct Traffic to Silverline Scrubbing Centers Multiple Ways to Return Clean Traffic GRE TUNNELS BGP (BORDER GATEWAY PROTOCOL) ROUTED MODE L2VPN / VIRTUAL ETHERNET SERVICE IP REFLECTION EQUINIX CLOUD EXCHANGE DNS PROXY MODE PROXY

35 Routed Configuration BGP Route Advertisement: F5 route for /24 becomes preferred TCP Connection: SYN-ACK SRC: :80 DST: :27182 Data Center TCP Connection: SYN SRC: :27182 DST: :80 F5 Router F5 Silverline DDoS Protection F5 Router Internet GRE Tunnel ISP Router Customer Router TCP Connection: SRC: :4243 DST: :80 Clean traffic is returned via GRE Tunnel to customer s data center BGP Configuration Change: withdraw advertisement for /24 Customer Admin

36 Proxy Configuration DNS Configuration Change # Customer Admin DNS Query: DNS Query: DNS Query: Data Center DNS Response: Local DNS DNS Response: TCP Connection: SRC: :27182 DST: :80 TCP Connection: SRC: :4243 DST: :80 Public DNS Servers F5 Silverline DDoS Protection Proxy DNS Response: NAT Pool /24 TCP Connection: SRC: :31415 DST: :80 ISP Router Customer Router Authoritative DNS TCP Connection: SRC: :4242 DST: :80 ISP Router ACL permit: / /32 deny: any /32

37 DDoS Architecture Scrubbing Center Inspection Tools provide input on attacks for Traffic Actioner & SOC Traffic Actioner injects blackhole routes and steers traffic Flow collection aggregates attack data from all sources Portal provides realtime reporting and configuration Scrubbing Center Inspection Plane Cloud Inspection Toolsets Traffic Actioner Route Management Flow Collection Visibility Portal Signaling Management Cloud Scrubbing Service Copied traffic for inspection BGP signaling Netflow Data Plane Netflow GRE Tunnel Proxy IP Reflection Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Switching Routing/ACL Network Mitigation Proxy Mitigation Routing (Customer VRF) X-Connect Customer Switching mirrors traffic to Inspection Toolsets and Routing layer Ingress Router applies ACLs and blackholes traffic Network Mitigation removes advanced L4 attacks Proxy Mitigation removes L7 Application attacks Egress Routing returns good traffic back to customer

38 Summary Traditional DDoS Mitigation Remote Triggered Blackhole Filtering Scalable DDoS Mitigation BGP FlowSpec Cloud DDoS Protection F5 Silverline

39 Thank you