WHITE PAPER

CISCO DDoS PROTECTION SOLUTION
DELIVERING CLEAN PIPES CAPABILITIES FOR SERVICE PROVIDERS AND THEIR CUSTOMERS

It is important for service providers and enterprises to understand how distributed denial-of-service (DDoS) attacks operate and to have the right technology in place to mitigate them. A failure to do so can be costly and can result in an irretrievable loss of data. This document addresses the most important questions related to DDoS attacks and the best practices offered through the Cisco DDoS Protection solution.

INTRODUCTION TO DDoS ATTACKS

A DDoS attack is an attack on an end host system or on the network infrastructure that disrupts service to the user. The disruption can take many forms, including:
- Limiting the ability to access certain resources, such as servers
- Slowing down network traffic
- In the worst case, choking the uplink to the Internet, denying all external access

These disruptions can happen any time, any day, and without warning. DDoS attacks are rapidly moving from being merely random events to carefully planned criminal operations. Typically, the network resource under attack is overloaded with far more traffic than it can manage. It may not take much to overwhelm a network resource: to bring down a T3 uplink (roughly 45 Mbps) to the Internet, attackers only need to generate traffic at 50 or 60 Mbps, which is fairly easy to do.

Identifying, isolating, and mitigating a DDoS attack is a challenging task. Although traditional security mechanisms can perform some basic detection or mitigation, they are not sufficient for comprehensive protection against DDoS attacks, especially large-bandwidth attacks.

Creation of DDoS Attacks

A DDoS attack is typically created by a botnet, a network of compromised machines, or bots, that is remotely controlled by an attacker. Because of their immense size (tens of thousands of systems have been known to be linked together), botnets pose a severe threat to the Internet-connected community.
Before launching the DDoS attack, the attacker first compromises a number of hosts and installs a daemon on them. At a later time, the attacker instructs each daemon to begin flooding a target host with various types of packets. The ensuing massive stream of data overwhelms the target's hosts or routers, rendering them unable to provide service. Even a relatively small network of 1000 bots can cause a great deal of damage. These bots may have a combined bandwidth greater than that of most corporate systems. (Consider that 1000 home PCs with an average upstream bandwidth of 128 kbps can offer more than 100 Mbps.) The IP distribution of the bots makes it difficult to construct, maintain, and deploy ingress filters. Botnets can also avoid detection by sending small data streams from each compromised end host that add up to a sizable attack. In addition, incident response is hampered by the large number of separate organizations potentially involved in a distributed botnet.

Some DoS attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an asymmetric attack. For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

All contents are Copyright 1992-2005. All rights reserved. Important Notices and Privacy Statement. Page 1 of 16
DDoS Attack Trends

DDoS attacks on businesses are growing at a troubling pace. The earliest DDoS attacks were random events created by hackers for simple notoriety. They have since evolved into serious criminal operations that threaten to attack businesses for ransom just before major events or launches with significant financial stakes. Network security has become a critical part of business success. A secure infrastructure forms the foundation for service delivery for all businesses, big and small. For network service providers and carriers, network security has always been important, but today it influences network design considerations and technology purchasing decisions more than ever. Enterprises increasingly want their service providers to protect their network assets from large DDoS attacks.

Industry experts have documented many cases of these attacks. The following are some examples:

"The explosion of botnets is a huge problem. You read what these guys post on their underground boards and they're claiming that all you need is 500 to 1000 machines in a botnet, and you can take out the average corporate network with a denial-of-service attack." Ken Dunham of iDefense, a security intelligence firm, in the TechWeb article "More than One Million Bots on the Attack," March 16, 2005.

"In the past year, the proliferation of e-mail-borne viruses and auto-downloading Trojans has dramatically increased the number and size of botnets, which now have economic value as spam engines and tools in DDoS blackmail schemes. Compromised zombie machines were recently found on the networks of the U.S. Defense Department and Senate." From "A Huge DDoS Attack Botnet of 10,000 Machines R.I.P.," Addict3d, Sept. 19, 2004. Full article: http://addict3d.org/index.php?page=viewarticle&type=news&id=3031.

"The important thing to realize about DDoS attacks is that they are not going to go away, and there is no way of preventing them. They have been around for a very long time, and they are getting easier to carry out. That is because there are increasing numbers of poorly secured home PCs with always-on Internet connections just waiting to be discovered and taken over by hackers." From "Distribute this Denial of Service Checklist," EnterpriseITPlanet.com, Aug. 27, 2004. Full article: http://www.enterpriseitplanet.com/security/features/article.php/3400861.

Enterprises are willing to spend more money to protect their networks from attacks. They realize that it is far less expensive to be prepared than to be attacked and only then worry about protection. A recent Gartner study showed that network security breaches became the number-one concern among businesses in 2004, displacing operating costs.

Impact of DDoS Attacks

As more core business functions are conducted over the Internet and IP networks, a well-planned DDoS attack can bring any business to a halt. Today, most medium to large enterprises carry out a significant part of their transactions over the Internet. As voice over IP technology matures, they will migrate to IP communication, and video over IP will add to the trend. These factors are leading to converged IP networks that will become a major part of all businesses. Any attack that results in downtime will have a negative effect on profits. Even if the direct impact of the attack on the network is insignificant, the perception that the network is vulnerable can have financial repercussions that are significant indeed. For example, consider a large financial organization that does most of its business online. A few minutes of downtime can cost millions of dollars in transactions, not to mention the expense of managing the negative press.
DDoS attacks can degrade a business's network in several ways:
- By flooding a network, thereby preventing or delaying legitimate network traffic
- By disrupting connections between two routers or servers, thereby preventing access to a service
- By preventing a particular end host from accessing a service
- By disrupting service to a specific system or person

Victims of DDoS Attacks

DDoS attacks on large enterprises are the ones that make the news, but many medium-sized and small businesses are targets too. While online businesses were the first targets, the financial, retail, media and entertainment, manufacturing, services, and government sectors are now all potential victims. Even consumers are starting to be attacked. Broadband service providers must start paying closer attention to the mechanisms they have in place to protect their own and their customers' networks. Any business that uses its Website as a main channel for business transactions is a target, especially during major events such as new product launches or quarterly earnings conference calls. Attackers use these as opportunities to extort vulnerable businesses, which cannot afford to lose their credibility during these important events. A recent study found that 25 percent of senior IT security personnel at large U.K. companies consider DDoS attacks the single largest risk to their business (http://www.theregister.co.uk/2004/10/27/netsec_security_survey/). It seems that the Internet has changed from a place of implicit trust to one of pervasive distrust.

DDoS attacks can target various elements of the network infrastructure:
- Application: Application DDoS attacks use the behavior of protocols such as TCP and HTTP to tie up computational resources. These attacks may not consume the shared resources entirely; thus other applications may still be available.
- Host/Servers: Attacks may aim to overload or crash a host machine. An example is a TCP SYN attack. These attacks can be minimized if the protocol stacks running on the host are properly patched.
- Bandwidth: Attacks can saturate the incoming bandwidth of a target network by sending attack packets whose destination addresses are part of the target network's address space. Targeted routers, servers, and firewalls, all of which have limited processing resources, can be rendered unable to process valid transactions and can fail under the load. The most common form of bandwidth attack is a packet-flooding attack, in which a large number of seemingly legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed at a specific destination. To make detection even more difficult, these attacks might also spoof the source address, misrepresenting the IP address that supposedly generated the request.
- Infrastructure: Attacks may target network resources, such as DNS servers, VoIP softswitches, core routers, and bottleneck links, that are crucial to the operation of a particular network service or of the entire network infrastructure.
- Collateral damage: Collateral damage occurs in network elements that are not directly attacked but are affected by the attack. For example, a DDoS attack may be targeted at a host in a multihomed customer network with a primary and a backup link. When the attack is large enough to saturate the primary link, the BGP session over that link drops, so the DDoS traffic shifts to reach the host over the backup link. Now the backup link saturates, its BGP session drops, and the DDoS traffic returns to the primary link. This route flap is collateral damage from the DDoS attack targeted at the host.

Given the impact DDoS attacks can have, it is mandatory to have protection mechanisms in place to avoid being caught off guard. The total cost of ownership of these mechanisms can be much less than the cost of the damage they prevent.
CISCO DDoS PROTECTION SOLUTION OVERVIEW

The Cisco DDoS Protection solution delivers clean pipes capabilities that enable service providers to offer DDoS protection services to their customers and also to protect their own networks. Cisco Systems defines clean pipes capabilities as a well-architected and system-validated solution set that protects from security threats the data pipe that delivers connectivity and services. The data pipe means different things depending on the customer type:
- Enterprise: Last-mile data connection
- Federal: Critical data connections
- Service provider: All data connections that may be attacked (peering points, peering edges, data center)

The most damaging types of security threats that could affect the data pipe include DDoS, worms, and viruses. The fundamental goal of the solution set providing clean pipes capabilities is to remove the malicious traffic from the data pipe and deliver only the legitimate traffic, before the link is saturated.

Protection Mechanism of the Solution

What makes DDoS attacks so difficult to prevent is that illegitimate packets are often indistinguishable from legitimate packets, making detection difficult. Network devices and traditional perimeter security technologies do not by themselves provide comprehensive DDoS protection. Many of these attacks also use spoofed source IP addresses, thereby eluding source identification by anomaly-based monitoring tools that look for unusually high volumes of traffic coming from specific origins. Defending against DDoS attacks requires a purpose-built architecture that includes the ability to specifically detect and defeat increasingly sophisticated, complex, and deceptive attacks. Unlike other DDoS defense techniques, the Cisco DDoS Protection solution can accurately distinguish good traffic from bad traffic destined for a mission-critical host or application.
It not only detects the presence of an attack but also filters out only the bad traffic, allowing good traffic to pass through and enabling business and service continuity. The solution offers three major functions that work together to protect a network from DDoS attacks:
- Detection: The fundamental premise of detecting attacks is to look for anomalies in traffic patterns compared with a baseline of normal traffic. Any difference in traffic patterns that exceeds a threshold triggers an alarm. The Cisco Traffic Anomaly Detector XT, the Cisco Traffic Anomaly Detector Services Module for Cisco 7600 Series routers and Cisco Catalyst 6500 Series switches, and Arbor Networks Peakflow SP are the product options available for anomaly detection in the solution.
- Mitigation: Mitigation is the process in which attack traffic is scrubbed, that is, checked for spoofing, passed through anomaly recognition and packet inspection, and cleaned so that bad traffic is dropped and legitimate traffic is allowed through to its destination. The Cisco Guard XT and the Cisco Anomaly Guard Services Module for Cisco 7600 Series routers and Cisco Catalyst 6500 Series switches are the product options available for mitigation in the solution.
- Traffic diversion and injection: Traffic diversion is the mechanism by which an upstream router in the core network is instructed to send suspect traffic (SYN floods, spoofed packets, and so on) to the Cisco Guard XT. After scrubbing off anomalous packets, the Cisco Guard XT performs traffic injection to insert the cleaned traffic back into the network.

Solution Design Approach

The Cisco DDoS Protection solution is not simply a collection of security point products but a tightly integrated system for defending against today's most damaging DDoS attacks. Figure 1 depicts the architecture of this solution.
Figure 1 The Cisco DDoS Protection Solution Architecture

While encompassing an array of DDoS detection and mitigation products, the solution goes well beyond simply connecting these devices to routers. The solution is a robust, comprehensive architecture with the following advantages:
- It provides solution design practices for seamless integration into a service provider's network with Cisco platforms such as the Cisco 12000 and 7600 Series routers and Cisco Catalyst 6500 Series switches. Based on lab tests and validation, Cisco recommends the combinations of platform components that can scale to withstand the growing size of DDoS attacks.
- It provides proactive security best practices to harden the network for rapid response and maximum protection against different network threat types.
- It provides network management systems for reporting attacks to customers and to network operations.
- It provides three specific service deployment models, along with design guidelines tailored for DDoS protection of different parts of the service provider infrastructure and customer networks:
  - Managed Network DDoS Protection: Provides enterprise customers effective protection against DDoS attacks on their last-mile connections to service providers and on their internal infrastructures, by subscribing to the Cisco DDoS Protection solution offered by service providers.
  - Managed Hosting DDoS Protection: Enables hosting providers to protect their hosting services from DDoS attacks.
  - Peering Edge DDoS Protection: Enables service providers to prevent bandwidth saturation by DDoS attacks against their peering points.
Deploying Network Infrastructure Security with Network Foundation Protection

The Cisco DDoS Protection solution provides a comprehensive solution for delivering clean pipes capabilities, but service providers are strongly recommended to also implement the set of security techniques known as Network Foundation Protection (NFP). NFP hardens the data plane, control plane, management plane, and service plane against various security threats. The advantages of deploying NFP include the following:
- It protects network devices not only from DDoS attacks but also from threat vectors such as reconnaissance, network device break-ins, and theft of service.
- It minimizes the vulnerability of critical network services, such as DNS, e-mail, Web, and VoIP, to network attacks, thus helping to maximize their availability to customers.
- It makes use of network telemetry, such as NetFlow, to study traffic patterns in real time, create traffic baselines, detect anomalies and miscues, and characterize affected interfaces, severity, and so on. Anomalies are then compared across the network to provide traceback and determine the point of ingress of an attack.
- It complements the Cisco DDoS Protection solution. NFP mitigates primitive DDoS attack types, thus freeing up the capacity of the Cisco Guard XT to fight more sophisticated anomaly attacks.

The following is a sample list of NFP features commonly implemented by service providers:
- Infrastructure ACL (iACL): Applied at the edge of the service provider network, including the peering edge and provider edge, to deny externally sourced packets addressed to the infrastructure address space and so protect the control and management planes of the routers.
- Receive ACL (rACL): Specifies which packets are permitted to reach the router CPU, based on source IP address, destination IP address, protocol, or port number.
- Anycast: An IP addressing technique based on advertising the same (nonunique) IP addresses from multiple points of origin and then using dynamic routing to deliver anycast traffic to the nearest instance of the service, from a reachability perspective, in the network topology.
- Unicast Reverse Path Forwarding (uRPF): Mitigates problems due to spoofed IP source addresses by discarding packets whose source IP address cannot be verified against the routing table. Strict mode requires the best route back to the source to point at the ingress interface; loose mode requires only that a route to the source exist.
- Remote Triggered Blackhole (RTBH): A filtering method for dropping malicious traffic at the edge of the network. A trigger router announces through iBGP a route for the victim prefix (or, in combination with loose-mode uRPF, for the attacking source prefixes) whose next hop is an address statically routed to the Null0 discard interface on every edge router, so the traffic is dropped in the forwarding path.
- Quality-of-Service Policy Propagation with BGP (QPPB)/Remote Triggered Rate Limiting (RTRL): QPPB, also known as RTRL, classifies malicious packets based on access lists, BGP community lists, and BGP autonomous system (AS) paths sent by a triggering device, so that the classified traffic can be rate limited rather than dropped outright.
- Control Plane Policing (CoPP): Allows users to classify packets directed to the CPU and to rate limit the classified traffic. This protects the control plane of equipment running Cisco IOS Software against reconnaissance and DDoS attacks.

For more information about NFP, visit: http://www.cisco.com/warp/public/732/tech/security/infrastructure/.

CISCO DDoS PROTECTION SOLUTION OPERATION

The Cisco DDoS Protection solution encompasses multiple security components, including the Cisco Guard XT, Cisco Traffic Anomaly Detector XT, and Arbor Networks Peakflow SP. Figure 2 summarizes the actions taken by the various components over time.
Figure 2 Timeline for DDoS Protection Solution in Action

The following steps describe, in chronological order, how the Cisco DDoS Protection solution protects a zone, or portion of a network, against DDoS attacks: from the time before a DDoS attack occurs, through the attack itself, to the time when the attack has terminated. Note that the Cisco Traffic Anomaly Detector XT and Peakflow SP, as anomaly detection devices, are not mutually exclusive. However, some deployment models work better with certain detection methods. These deployment options are described later in this paper.

Step 1 Baseline Learning. When no DDoS attack is in progress, the components of the Cisco DDoS Protection solution build a traffic baseline database of normal traffic patterns for a zone, so that they can identify anomalous traffic patterns when a DDoS attack takes place. In the scenario where Peakflow SP and the Cisco Guard XT are deployed, the devices learn traffic patterns independently. Peakflow SP models normal traffic patterns from the NetFlow statistics it receives, and the Cisco Guard XT learns the normal traffic patterns of a zone by diverting traffic from upstream and creating policies for the traffic flows of the different services to the zone (traffic diversion is explained in Step 3). If an attack occurs during the learning process, the Cisco Guard XT stops learning and switches to protection mode, so that attack traffic is not absorbed into the baseline.

In the scenario where the Cisco Traffic Anomaly Detector XT and Cisco Guard XT are deployed, the Cisco Traffic Anomaly Detector XT creates the zone configuration and learns the normal traffic patterns. These configurations may be uploaded to the Cisco Guard XT, so the Cisco Guard XT does not need to use traffic diversion for learning in this case. The upload can be repeated every 24 hours to ensure that both devices have the latest traffic baseline. If an attack occurs during the learning process, the Cisco Traffic Anomaly Detector XT switches to protection mode.
Step 2 Detection. Upon completing the learning process for a zone, the Cisco Traffic Anomaly Detector XT and Peakflow SP monitor ongoing traffic, raising an alert or activating the Cisco Guard XT when an anomaly is detected.

The Cisco Traffic Anomaly Detector XT continuously monitors mirrored traffic from the wire. If it senses abnormal or malicious traffic, it dynamically configures a set of filters (dynamic filters) to record the event and triggers an alarm to network staff. If the staff find that the anomaly is genuine, they can manually activate the Cisco Guard XT to put the attacked zone into protection mode. Alternatively, the Cisco Traffic Anomaly Detector XT, upon detection of a DDoS attack, can be set up to automatically establish a Secure Shell (SSH) Protocol connection to activate a remote Cisco Guard (Figure 3).

The Arbor Peakflow SP collector device receives NetFlow statistics from various routers in the service provider network. When the collector identifies an abnormal traffic pattern, it alerts the Peakflow SP Leader device by sending it the fingerprint of the abnormality for further analysis. The Leader device then continues to monitor the alert. If it exceeds a user-defined threshold, the Peakflow SP Leader classifies it as a high-importance red alert. At this point, network staff can respond to the attack by choosing a preconfigured mitigation device, the Cisco Guard XT or Cisco Anomaly Guard Services Module, to filter out the malicious traffic. Peakflow SP then establishes an SSH connection to that device and instructs it to put the zone under attack into protection mode.

Figure 3 DDoS-Attacked Zone Detected by Cisco Traffic Anomaly Detector XT/Arbor Peakflow SP

Step 3 Diversion. After receiving the request to put the attacked zone into protection mode, the Cisco Guard XT sends a BGP announcement to an upstream router for the zone's addresses, with the next-hop address set to that of the Cisco Guard XT. A network operator may also order this diversion manually. In either case, the upstream router installs this route in its routing table and forwards dirty traffic as well as clean traffic for the zone to the Cisco Guard XT. Traffic flows to other destinations remain on their normal data paths and are not diverted. See Figure 4.

Step 4 Scrubbing. The Cisco Guard XT analyzes the diverted zone traffic in search of anomalies. It identifies an anomaly when a flow violates the policy threshold. At that point, the Cisco Guard analyzes the results and creates a set of dynamic filters that continuously adapt to the zone traffic and the type of attack.
The initial dynamic filter directs the traffic to the user filters until the Cisco Guard finishes analyzing the flow and creating more dynamic filters to handle the anomaly. The dynamic filters and the user filters feed their results into a comparator, which chooses the most severe protection measure suggested and then directs the traffic to the relevant protection module for authentication. The module drops unauthenticated traffic; the Cisco Guard XT then passes the remaining traffic to the rate limiter, which drops traffic that exceeds the defined rate.

Step 5 Injection. The cleaned traffic from the Cisco Guard XT is injected back toward the zone. Multiple injection methods are available, depending on whether the core network topology is Layer 2 or Layer 3. Each ensures that the injected traffic is not looped back to the Cisco Guard XT by the diversion route. Examples include Policy Based Routing (PBR), Virtual Routing/Forwarding (VRF), generic routing encapsulation (GRE), and Multiprotocol Label Switching (MPLS) VPN.

Figure 4 DDoS Attack Against Zone Mitigated by Cisco Guard XT

Step 6 Completion of Traffic Scrubbing. Dynamic filters on the Cisco Guard XT have a limited lifespan and are erased after the DDoS attack has terminated. By default, the Cisco Guard XT remains in protection mode until the user deactivates it, but it can be set to deactivate protection if no dynamic filters are in use and no new dynamic filter has been added over a predefined period of time. On deactivation, the Cisco Guard XT retracts the previous BGP announcement, and traffic resumes on the regular data path. If Peakflow SP or a trigger router is used for traffic diversion, the BGP announcement for the traffic diversion must be removed manually.

CISCO DDoS PROTECTION SOLUTION COMPONENTS

Cisco Guard XT Appliance and Cisco Anomaly Guard Services Module

The Cisco Guard XT 5650 DDoS mitigation appliance and the Cisco Anomaly Guard Services Module deliver a powerful and extensive DDoS protection system. For more information about the Cisco Guard XT, visit: http://www.cisco.com/en/us/products/ps5888/index.html.
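Two of the routing mechanisms this paper relies on, the uRPF and RTBH checks from the Network Foundation Protection list and the diversion, injection and release sequence of Steps 3, 5 and 6, both reduce to longest-prefix matching against a forwarding table. The following Python is an added example written for this edition, not Cisco or Arbor code; the prefixes, interface names and the "Guard" and "Null0" next-hop labels are constructed for illustration, and a real router would carry these routes in BGP and its FIB rather than in a dictionary.

```python
"""Added model (not Cisco or Arbor code) of uRPF source checks with a
source-based RTBH trigger, and of BGP-style diversion to the Guard,
VRF-based re-injection and release (Steps 3, 5 and 6). All prefixes,
interface names and next-hop labels are constructed for illustration."""
import ipaddress

NULL0 = "Null0"   # discard interface that an RTBH trigger route resolves to
GUARD = "Guard"   # next hop the Guard advertises to pull a zone's traffic


class Fib:
    """Minimal forwarding table: prefix -> next hop (interface or device label)."""

    def __init__(self, routes=None):
        self.routes = {}
        for prefix, via in (routes or {}).items():
            self.add(prefix, via)

    def add(self, prefix, via):
        self.routes[ipaddress.ip_network(prefix)] = via

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Longest-prefix match; returns the next hop, or None if unrouted."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, via in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, via)
        return None if best is None else best[1]


def urpf_permits(fib, src, ingress, mode="strict"):
    """True if a packet from src arriving on ingress passes the uRPF check.

    strict: the best route back to src must leave via the ingress interface.
    loose:  any route to src suffices, except one resolving to Null0; that is
            how a source-based RTBH announcement makes loose uRPF drop an attacker.
    Not modelled: a default route. Cisco IOS excludes it from the check unless
    'allow-default' is configured, which would make loose mode pass every source."""
    via = fib.lookup(src)
    if via is None or via == NULL0:
        return False
    return True if mode == "loose" else via == ingress


def build_edge_fib():
    """Constructed FIB of a provider edge router (RFC 5737 documentation space)."""
    return Fib({
        "203.0.113.0/24": "Gi0/0-peer",        # remote network behind the peering link
        "198.51.100.0/24": "Gi0/1-customer-A",
        "192.0.2.0/24": "Gi0/2-customer-B",    # the protected zone
    })


def blackhole_source(fib, attacker):
    """Source-based RTBH: the trigger router announces attacker/32 -> Null0."""
    fib.add(f"{attacker}/32", NULL0)


def divert(fib, host):
    """Step 3: the Guard announces host/32 with itself as next hop; longest-prefix
    match sends only that host's traffic to the Guard, the rest of the /24 is untouched."""
    fib.add(f"{host}/32", GUARD)


def release(fib, host):
    """Step 6: the Guard withdraws the /32 and the regular data path resumes."""
    fib.withdraw(f"{host}/32")


def injection_vrf(fib):
    """Step 5: the VRF facing the Guard's injection interface carries the customer
    routes but never the diversion /32, so cleaned traffic cannot loop back."""
    return Fib({str(net): via for net, via in fib.routes.items() if via != GUARD})


def demo():
    """Run the scenario and return every forwarding decision for inspection."""
    fib = build_edge_fib()
    r = {}
    # A customer-A source address arriving from the peering link is spoofed.
    r["spoof_strict"] = urpf_permits(fib, "198.51.100.5", "Gi0/0-peer")
    r["spoof_loose"] = urpf_permits(fib, "198.51.100.5", "Gi0/0-peer", "loose")
    r["genuine_strict"] = urpf_permits(fib, "198.51.100.5", "Gi0/1-customer-A")
    r["unrouted_loose"] = urpf_permits(fib, "10.9.9.9", "Gi0/0-peer", "loose")
    blackhole_source(fib, "203.0.113.77")
    r["rtbh_attacker"] = urpf_permits(fib, "203.0.113.77", "Gi0/0-peer", "loose")
    r["rtbh_neighbour"] = urpf_permits(fib, "203.0.113.78", "Gi0/0-peer", "loose")
    # One host in the zone comes under attack and is diverted, then released.
    divert(fib, "192.0.2.10")
    r["victim_path"] = fib.lookup("192.0.2.10")
    r["neighbour_path"] = fib.lookup("192.0.2.20")
    r["injected_path"] = injection_vrf(fib).lookup("192.0.2.10")
    release(fib, "192.0.2.10")
    r["after_release"] = fib.lookup("192.0.2.10")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

The run shows why the paper pairs the two mechanisms: strict uRPF drops the spoofed packet at the peering edge, loose uRPF alone lets it through but becomes a source-based drop as soon as the attacker's /32 is blackholed, and the diversion /32 pulls only the victim toward the Guard while its neighbour in the same /24 stays on the normal path, with the injection VRF guaranteeing the cleaned traffic does not re-match that /32.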
The Cisco Guard XT, featuring two Gigabit Ethernet interfaces, can process attack traffic at line rates as high as a full gigabit per second (1 Gbps). The Cisco Anomaly Guard Services Module is an integrated services module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers that can receive up to 1 Gbps of Ethernet traffic. Multiple devices can work together to scale incrementally to multigigabit rates, forming a cluster called a cleaning center. Thus Cisco can deliver an extensible solution that adapts to large and growing service provider and enterprise environments.

The Cisco Guard XT platform that incorporates these devices is one part of a complete detection and mitigation solution that protects enterprises, hosting centers, government agencies, and service provider environments from DDoS attacks. Combined with the anomaly detection devices that detect attacks, the Cisco Guard XT performs the detailed attack analysis, identification, and mitigation required to block attack traffic and prevent it from disrupting network operations. For more information about the Cisco Anomaly Guard Services Module, visit: http://www.cisco.com/en/us/products/ps6235/index.html.

In general, both the Cisco Guard XT and Cisco Anomaly Guard Services Module should be placed as far upstream from the protected zones, and as close to the source of the attack traffic, as possible. This allows the device to protect the greatest number of downstream resources from DDoS attack traffic. The Cisco Anomaly Guard Services Module must also be placed upstream of any firewall, so that it processes traffic before Network Address Translation (NAT) occurs and so that it protects the firewall itself from becoming a victim of a DDoS attack.

Cisco Traffic Anomaly Detector XT and Cisco Traffic Anomaly Detector Services Module

The Cisco Traffic Anomaly Detector XT 5600 is a high-performance, standalone DoS detection device.
It receives a copy of the traffic to a protected zone either through a switch port-mirroring feature, such as Switched Port Analyzer (SPAN), or through a network tap (splitter). The Cisco Traffic Anomaly Detector Services Module is an integrated services module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. It receives a copy of the traffic to a zone by using the SPAN or VLAN Access Control List (VACL) capture feature. Based on the patented multiverification process (MVP) architecture, both platforms use behavioral analysis and attack recognition technology to proactively detect and identify a wide range of attacks. By constantly monitoring traffic destined for a protected device, such as a Web or e-commerce application server, the Cisco Traffic Anomaly Detector XT compiles detailed profiles of how individual devices behave under normal operating conditions. When it detects a deviation from the profile, the detector responds according to user preference: by sending an operator alert to initiate a manual response, by triggering an existing management system, or by launching the Cisco Guard XT or Cisco Anomaly Guard Services Module to begin mitigation immediately and remove malicious attack flows, helping to deliver robust protection to networks and business-critical traffic. The Cisco Traffic Anomaly Detector XT uses a Web-based GUI that displays information in a simple, intuitive manner to simplify configuration, operation, and attack identification and analysis.

Both the Cisco Traffic Anomaly Detector XT and Cisco Traffic Anomaly Detector Services Module are placed logically downstream from the Cisco Guard XT and Cisco Anomaly Guard Services Module, but upstream of any firewall. During peacetime periods, the detector devices see all inbound and outbound traffic for the protected zone. During an attack, when the guard devices have diverted the targeted zone's traffic for mitigation, the detector sees only the cleaned traffic leaving the guard device for the zone.

For more information about the Cisco Traffic Anomaly Detector XT, visit: http://www.cisco.com/en/us/products/ps5887/index.html. For more information about the Cisco Traffic Anomaly Detector Services Module, visit: http://www.cisco.com/en/us/products/ps6236/index.html.
Cisco NetFlow

NetFlow is the most widely deployed DDoS identification and network traffic flow analysis technology for IP networks. NetFlow is supported by almost all service provider routers running Cisco IOS Software, by some high-end switching platforms running Cisco Catalyst OS, and lately even in hardware through ASICs. It provides valuable information about traffic characteristics, link usage, and traffic profiling on the network. NetFlow classifies packets into flows. Each flow is defined by its unique seven-key characteristics:
- Ingress interface
- IP protocol type
- Type-of-service (ToS) byte
- Source IP address
- Destination IP address
- Source port number
- Destination port number

This level of flow granularity allows a NetFlow collector to handle large-scale traffic monitoring efficiently, and the classification yields enough data for baseline profiling and for determining the specifics of network traffic. A network traffic anomaly is an event or condition characterized by a statistical abnormality compared with typical traffic patterns. NetFlow allows users to identify anomalies by producing a detailed accounting of traffic flows; deviations can be an early sign of an attack. NetFlow is usually deployed across the edge of a service provider's network to monitor inbound traffic on edge and peering interfaces, as these are the typical ingress points for most attacks. The router maintains a live NetFlow cache in Cisco IOS Software to track the current flows. IP flow information can be exported from the NetFlow cache to an external collector for further analysis. Flow data from multiple collectors can be correlated to identify the network nodes under DDoS attack and to determine the attack characteristics.
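The seven-key classification above, followed by per-destination aggregation against a learned baseline, is the core of flow-based detection. The following Python is an added example written for this edition, not Cisco or Arbor code: it builds a NetFlow-style cache from constructed packet records, aggregates the cache by destination, and compares one export window with a constructed peacetime baseline. It also reports the busiest single source, to show the point made earlier that a botnet can keep every bot's share small while the aggregate is anomalous. All addresses (RFC 5737 documentation ranges), ports, counts and the baseline figures are constructed.

```python
"""Added example (not Cisco or Arbor code): NetFlow-style seven-key flow cache,
per-destination aggregation and baseline comparison. All packet records, the
baseline and the thresholds are constructed for illustration."""
from collections import defaultdict
from typing import NamedTuple

TCP = 6


class FlowKey(NamedTuple):
    """The seven NetFlow key fields listed above."""
    ingress_if: str
    proto: int
    tos: int
    src: str
    dst: str
    sport: int
    dport: int


def build_flows(packets):
    """Collapse packet records into a flow cache: key -> [packets, bytes]."""
    cache = defaultdict(lambda: [0, 0])
    for p in packets:
        key = FlowKey(p["ingress_if"], p["proto"], p["tos"],
                      p["src"], p["dst"], p["sport"], p["dport"])
        cache[key][0] += 1
        cache[key][1] += p["length"]
    return cache


def per_destination(cache):
    """Aggregate the cache by destination: flow count, packets, packets per source."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "per_source": defaultdict(int)})
    for key, (pkts, _) in cache.items():
        s = stats[key.dst]
        s["flows"] += 1
        s["packets"] += pkts
        s["per_source"][key.src] += pkts
    return stats


def detect(packets, baseline, factor=5.0):
    """Compare one export window against the peacetime baseline.

    baseline maps a destination to its normal flow and packet counts per window.
    A destination is flagged when either count exceeds factor times its baseline.
    The report keeps the busiest single source so the reader can see that a
    per-source threshold would not have caught the flood."""
    alerts = {}
    for dst, s in per_destination(build_flows(packets)).items():
        base = baseline.get(dst)
        if base is None:
            continue  # not a learned zone; a real detector would keep learning it
        flow_ratio = s["flows"] / base["flows"]
        pkt_ratio = s["packets"] / base["packets"]
        if flow_ratio >= factor or pkt_ratio >= factor:
            alerts[dst] = {
                "flow_ratio": round(flow_ratio, 1),
                "packet_ratio": round(pkt_ratio, 1),
                "sources": len(s["per_source"]),
                "max_packets_from_one_source": max(s["per_source"].values()),
            }
    return alerts


def pkt(src, dst, sport, dport, proto=TCP, length=60, ingress_if="Gi0/0-peer", tos=0):
    """One constructed packet record as a collector would see it after export."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "length": length, "ingress_if": ingress_if, "tos": tos}


# Constructed peacetime baseline for two hosts in the zone (per export window).
BASELINE = {"192.0.2.10": {"flows": 5, "packets": 100},
            "192.0.2.20": {"flows": 4, "packets": 40}}


def sample_window(bots=200, packets_per_bot=3):
    """Constructed window: three normal clients plus a distributed SYN flood in
    which each bot sends only a few packets at 192.0.2.10:80."""
    window = []
    for i, client in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        window += [pkt(client, "192.0.2.10", 50000 + i, 80)] * 20
        window += [pkt(client, "192.0.2.20", 51000 + i, 443)] * 10
    for i in range(1, bots + 1):
        window += [pkt(f"203.0.113.{i}", "192.0.2.10", 40000 + i, 80)] * packets_per_bot
    return window


if __name__ == "__main__":
    for dst, report in detect(sample_window(), BASELINE).items():
        print(dst, report)
```

For the constructed window, only 192.0.2.10 is flagged: its flow count is about 40 times the baseline and its packet count about 6.6 times, spread over 203 sources, while the busiest single source is a legitimate client sending 20 packets. The neighbouring host 192.0.2.20 stays within its baseline. Flagging on the flow-count ratio as well as the packet-count ratio matters here, because a flood of many tiny flows inflates the former long before it inflates the latter.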
An example of such a collector application is the Arbor Networks Peakflow SP, a GUI-based tool that can enforce DDoS protection techniques such as ingress access control lists (ACLs), Network-Based Application Recognition (NBAR), Unicast Reverse Path Forwarding (uRPF), and activation of the Cisco Guard XT.

For more information about NetFlow, visit: http://www.cisco.com/warp/public/732/tech/nmp/netflow/.

Arbor Networks Peakflow SP

Arbor Networks Peakflow SP consists of three elements: Managed Services, Infrastructure Security, and Traffic and Routing. The Managed Services features enable service providers to offer their enterprise customers scalable DDoS protection and traffic management tools. Its Infrastructure Security features provide network operators with the ability to proactively detect and mitigate networkwide anomalies, such as DDoS attacks and worms. The Traffic and Routing features model traffic on the network, enabling operators to make informed business decisions about routing, transit, partners, and customers.

For the Cisco DDoS Protection solution, Peakflow SP offers a streamlined approach to DDoS attack detection, traceback, and mitigation. It first builds a model of normal behavior based on flow data available from the network routers. In contrast to inline data collection methods, Peakflow SP collects NetFlow statistics out-of-band from Cisco routers, so it does not impose a performance or reliability penalty on the network. In real time, the system compares traffic against this baseline, flagging and characterizing anomalies. Anomalies are then compared across the network to provide traceback and determine the point of ingress. Finally, based on the anomaly's specific characteristics, Peakflow SP recommends the appropriate mitigation measure to maintain service. When working in conjunction with the Cisco Guard XT for DDoS protection, upon receiving an anomaly fingerprint for a zone from a collector, Peakflow SP establishes an SSH connection to activate the Cisco Guard XT to put the zone under attack in protection mode.

Peakflow SP identifies attacks using the two most effective methods available: signature analysis and dynamic profiling. Signature analysis, or misuse detection, looks for predefined deviations that are telltale signs of a DDoS attack, such as a very large number of ICMP requests in a short period of time. Dynamic profiling is based on Peakflow SP's dynamic, networkwide profiles of normal behavior against which current traffic can be compared. These profiles incorporate both temporal and topological components to produce sophisticated models of network behavior. Then the Peakflow SP system applies custom real-time algorithms to distinguish legitimate normal traffic from DDoS attacks.

For more information about the Arbor Networks Peakflow SP, visit: http://arbor.net/products_sp.php.

CISCO DDoS PROTECTION SOLUTION DEPLOYMENT MODELS

The goal of the Cisco DDoS Protection solution is to take its capabilities, integrate them with network infrastructure products and infrastructure security best practices, and come up with system-tested design guidelines for the deployment models that service providers can provide as a service to their enterprise customers. Many of the techniques discussed in this section can also be used by service providers to protect their own networks from attack.

Managed Network DDoS Protection

This service model allows service providers to mitigate DDoS attacks from the Internet to business customers' networks. These attacks not only affect the host machines and their applications but also, more harmfully, saturate the bandwidth of the link between the service provider and the customer network. For financial and e-commerce customers, this kind of attack can result in loss of customers, damage to reputation, and other liabilities.
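The NetFlow section above (classification of packets into flows by the seven key fields, a router-side flow cache, and a baseline built from exported flow statistics) and the two Peakflow SP detection methods (signature analysis for a telltale pattern such as a burst of ICMP, and dynamic profiling against a learned baseline) can be shown together on flow data. The following Python is an added example written for this page; it is not Cisco or Arbor code and does not use their export formats or algorithms. The flow records, the documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the interval numbering and the thresholds icmp_threshold, k and floor are all constructed assumptions.

```python
"""Flow-level DDoS anomaly checks over constructed NetFlow-style records.

Added example for this page, not Cisco or Arbor code. All records, addresses
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# The seven NetFlow key fields named in the paper, in a fixed order.
FLOW_KEYS = ("ingress_if", "proto", "tos", "src", "dst", "sport", "dport")
ICMP, TCP = 1, 6


def flow_key(rec):
    """Classify a record into its flow by the seven NetFlow key fields."""
    return tuple(rec[k] for k in FLOW_KEYS)


def build_cache(records):
    """Emulate a router's NetFlow cache: merge records into flows, per interval.

    Returns {interval: {flow_key: {"packets": n, "bytes": n}}}.
    """
    cache = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0}))
    for rec in records:
        entry = cache[rec["interval"]][flow_key(rec)]
        entry["packets"] += rec["packets"]
        entry["bytes"] += rec["bytes"]
    return cache


def per_destination(interval_flows):
    """Collapse one interval's flows to per-destination counters (the zone view)."""
    stats = defaultdict(lambda: {"packets": 0, "icmp_packets": 0, "sources": set()})
    for key, entry in interval_flows.items():
        proto, src, dst = key[1], key[3], key[4]
        stats[dst]["packets"] += entry["packets"]
        if proto == ICMP:
            stats[dst]["icmp_packets"] += entry["packets"]
        stats[dst]["sources"].add(src)
    return stats


def signature_findings(stats, icmp_threshold=5000):
    """Misuse detection: a predefined pattern (many ICMP packets to one host)."""
    return [(dst, "icmp-flood") for dst, s in stats.items()
            if s["icmp_packets"] > icmp_threshold]


def learn_profile(cache, baseline_intervals):
    """Dynamic profiling: per-destination mean and std of packets per interval."""
    samples = defaultdict(list)
    for i in baseline_intervals:
        for dst, s in per_destination(cache[i]).items():
            samples[dst].append(s["packets"])
    return {dst: (mean(v), pstdev(v)) for dst, v in samples.items()}


def profile_findings(stats, profile, k=3.0, floor=1000):
    """Flag destinations whose packet count exceeds mean + k*std (and a floor).

    The floor keeps a quiet host with near-zero variance from being flagged by
    ordinary growth. Destinations with no baseline are skipped here.
    """
    out = []
    for dst, s in stats.items():
        if dst not in profile:
            continue
        mu, sigma = profile[dst]
        if s["packets"] > max(floor, mu + k * sigma):
            out.append((dst, "baseline-deviation"))
    return out


def constructed_records():
    """Constructed flow records: five normal intervals, then an ICMP flood."""
    recs = []
    for i in range(5):  # eight web clients talking to the zone host
        for n in range(8):
            recs.append({"interval": i, "ingress_if": "Gi0/1", "proto": TCP, "tos": 0,
                         "src": f"203.0.113.{10 + n}", "dst": "198.51.100.10",
                         "sport": 40000 + n, "dport": 80,
                         "packets": 100 + 10 * ((n + i) % 3), "bytes": 60000})
    for n in range(8):  # the same normal traffic continues in interval 5
        recs.append({"interval": 5, "ingress_if": "Gi0/1", "proto": TCP, "tos": 0,
                     "src": f"203.0.113.{10 + n}", "dst": "198.51.100.10",
                     "sport": 40000 + n, "dport": 80, "packets": 100, "bytes": 60000})
    for n in range(200):  # 200 distinct sources each sending 300 ICMP packets
        recs.append({"interval": 5, "ingress_if": "Gi0/1", "proto": ICMP, "tos": 0,
                     "src": f"192.0.2.{n + 1}", "dst": "198.51.100.10",
                     "sport": 0, "dport": 0, "packets": 300, "bytes": 25200})
    return recs


def detect(cache, interval, profile):
    """Run both checks on one interval and report the attack characteristics."""
    stats = per_destination(cache[interval])
    return {
        "signature": signature_findings(stats),
        "profile": profile_findings(stats, profile),
        "sources": {dst: len(s["sources"]) for dst, s in stats.items()},
    }


if __name__ == "__main__":
    cache = build_cache(constructed_records())
    profile = learn_profile(cache, range(5))
    for i in (4, 5):
        print(i, detect(cache, i, profile))
```

The per-flow export is what makes the second half of the job possible: once a destination is flagged, the flow keys say which protocol, which ingress interface and how many distinct sources are involved, which is the kind of characterization the paper describes as the basis for choosing a mitigation measure rather than merely noticing a byte-count spike.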
DDoS attacks can be mitigated most effectively if they are detected at the earliest time and stopped as far upstream in the network as possible. In general, the service provider can offer DDoS protection to business customers as shown in Figure 5, using the Cisco DDoS Protection solution, at two service levels:

• Dedicated service: This premium service is suitable for customers whose online services are crucial to the sustainability of their businesses. The service provides committed traffic-cleaning capacity, policy learning and customization, and optional DDoS detection and cleaning activation capabilities on customer premises equipment (CPE).

• Shared service: This service is offered to other business customers whose needs are not as demanding. It provides best-effort traffic-cleaning capacity, shared with other customers using the service, up to a limit; a standard policy for DDoS detection; and no CPE-based DDoS detection and cleaning activation capabilities.
Figure 5. Managed Network DDoS Protection Service

The architectural design for the dedicated service has Cisco Guard XT appliances or Cisco Anomaly Guard Services Modules, each dedicated to a single customer, in the cleaning center in the service provider network. The number of these devices depends on the size of the largest DDoS attack that the customer wishes to be protected from. The service provider may have more than one cleaning center, depending on how many peering points the service provider connects to other parts of the Internet and how far they are separated. The design goal is to mitigate attack traffic as far upstream as possible, whichever peering point the attack comes from.

For DDoS detection, the dedicated service can deploy the Cisco Traffic Anomaly Detector XT at the customer premises, Peakflow SP in the service provider network to receive NetFlow statistics from the core routers, or both. Installing the Cisco Traffic Anomaly Detector XT gives customers the flexibility to customize their policies on the device.

In the design for the shared service, the cleaning center contains Cisco Guard XT appliances or Cisco Anomaly Guard Services Modules shared by multiple customers. Because the service offers only best-effort DDoS scrubbing, the service provider cannot accept additional DDoS mitigation requests when all the appliances are at full capacity mitigating existing attacks.
Deploying Peakflow SP alone is the preferred approach for DDoS detection in the shared service. Peakflow SP is a scalable detection option because it concurrently collects NetFlow statistics from multiple routers to identify anomalies. It is an economical option because customers do not need to purchase on-premises detection devices if they do not require granular DDoS detection.

For both levels of service, the Cisco Guard XT can be activated, either manually or automatically, for zone protection upon detection of a DDoS attack. Manual activation allows the service provider or customer to validate an attack before activating zone protection on behalf of the customer.

Managed Hosting DDoS Protection

This service model allows hosting providers to provide DDoS protection for customers using their managed Web hosting and application models. The service is offered as a value-added enhancement to the provider's existing hosting services (Figure 6). It is a best-effort DDoS protection offering with default policy templates for detection and mitigation, similar to the shared service in the managed network DDoS protection service described previously.

Figure 6. Managed Hosting DDoS Protection Service

The architectural design includes either the Cisco Traffic Anomaly Detector XT or Peakflow SP, but not both, for DDoS detection. For DDoS mitigation, shared Cisco Guard XT appliances or Cisco Anomaly Guard Services Modules are placed in a cleaning center close to the peering point of the hosting provider network to prevent attack traffic from saturating its core network bandwidth.
Peering Point DDoS Protection

This service model prevents bandwidth saturation by DDoS attacks at service providers' peering points or network access points (Figure 7). Without the Cisco DDoS Protection solution, a DDoS attack can disrupt traffic between peering points. This service can be offered either as a managed DDoS protection service or as an effective system for DDoS protection of the service provider's own infrastructure. As a managed service, for instance, it could include protection of links to downstream ISPs. A service provider could use it internally to protect links between two areas in a hierarchical network, transoceanic links between autonomous systems, or links connecting two disparate autonomous systems owned by the same service provider.

Figure 7. Peering Point DDoS Protection Service for Transoceanic Links

In this design, Peakflow SP provides a scalable DDoS detection approach, acting as a centralized platform to aggregate NetFlow statistics from routers at different peering points. For DDoS mitigation, the cleaning center should be placed near the source peering point so that DDoS attack packets can be filtered out before they can saturate the connection to the destination peering point. If DDoS protection is required for traffic in both directions across the link between two peering points, separate cleaning centers are installed on each side of the network.
Catalyst, Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R) DM/LW8609 06/05 Printed in USA