Introduction about DDoS. Security Functional Requirements

Transcription

1 S W G IT P Security Functional Requirements for Anti-DDoS Products Jun Woo Park (junusee@tta.or.kr) TTA, Korea Global Leader of ICT Standardization & Certification

2 Ⅰ Introduction about DDoS Ⅱ Security Functional Requirements

3 I. Introduction about DDoS 01 Introduction about DDoS 02 DDoS Attack Process 03 Methods of DDoS Attack 04 Operating Environment

4 01. Introduction about DDoS DDoS(Distributed Denial of Service) Multiple systems flood the bandwidth or resources of a target system Multiple systems(computers) attempt to access a particular server a lot at the same time The attack depletes resources of a target server or floods the network bandwidth Symptoms Unusually slow network performance Opening files or accessing web sites Unavailability of particular web site 4

5 02. DDoS Attack Process 5

6 03. Methods of DDoS Attack The attacks are generally classified into flood and application level. Flood Method Single Mixture - TCP Syn Flood - TCP Ack Flood - ICMP Flood - TCP Multi-connection DDoS Attack - TCP Syn-Ack Flood - TCP Fin Flood - UDP Flood - ICMP+UDP Flood - ICMP+TCP Flood - UDP+TCP Flood - ICMP+UDP+TCP Flood 6

7 03. Methods of DDoS Attack Method DDoS Attack Flood Single - TCP Syn Flood - TCP Ack Flood - ICMP Flood - TCP Multi-connection -TCP Syn-Ack Flood - TCP Fin Flood - UDP Flood - ICMP+UDP Flood Mixture - UDP+TCP Flood - ICMP+UDP+TCP Flood - ICMP+TCP Flood Application Level Single Mixture - Valid HTTP GET Flood - Invalid HTTP GET Flood - CC(Cache Control) - DNS Query Flood - Low bandwidth HTTP DoS - CC+TCP Flood 7

8 04. Operating Environment Inline(In-Path) Configuration Inline appliances are Generally deployed near the network firewall and in the direct flow of network traffic. And also have the beneficial property of viewing all inbound traffic perspective. 8

9 04. Operating Environment Out-of-Path Configuration Anti-DDoS is not in the direct path of the network traffic. A network traffic redirection technique is used to forward traffic to the appliance. Consist of mirroring device, detection sense, and blocking device 9

10 II. Security Functional Requirements 01 Security Functional Requirements 02 Testing Anti-DDoS Products 03 Certified Products

11 01. Security Functional Requirements Security Functions against DDoS attack Security Functions Detection/Block Trace Identification & Authentication Security Management Contents - Countermeasure against the DDoS attacks such as Flood, Fragmentation, Application Level - Audit generation of the detected and blocked traffic - Alarm - Traffic monitoring - Identification and authentication for an administrator - Policy setting and audit view 11

12 02. Testing Anti-DDoS Products The throughput capacity should be considered unlike other network security products. DDoS attack has properties of flooding network bandwidth and depleting resources of a target system. The throughput capacity of the products has to be verified. Security functions are affected by the throughput. And also, security functions(detecting and Blocking) have to be tested. 12

13 02. Testing Anti-DDoS Products Testing traffic for throughput capacity of the product Method Target Traffic Load Normal Traffic Sever Fragmented UDP 100% of the throughput capacity Testing traffic for security functions(detecting & Blocking) Method Target Traffic Load Attack Traffic Victim Checking Victim All methods of DDoS attack 90% of the throughput capacity Victim HTTP 1 tps Normal Traffic Server HTTP 5~10% of the throughput capacity 13

14 02. Testing Anti-DDoS Products Test cases Test Test Items Verification of throughput - Throughput - Packet Latency - Max Connection - Packet Loss Detection / Block - Detection time of attack packet - Blocking time of attack packet - Blocking rate of attack packet - Success rate of normal packet - Connection with victim server - Audit generation of detection & blocking 14

15 03. Certified Products Certified Products (Domestic) Company Product EAL Secui.com SECUI NXG D V1.0 EAL4 Nowcom COMTRUE Technologies SNIPER DDX V5.0.xg SNIPER DDX V5.1 DDoSCop-v2.0 EAL3 EAL4 EAL2 15

16 Global Leader of ICT Standardization & Certification Thank You