Strategies to Protect Against Distributed Denial of Service (DD



Similar documents
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

co Characterizing and Tracing Packet Floods Using Cisco R

Firewalls and Intrusion Detection

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Implementing Secure Converged Wide Area Networks (ISCW)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Gaurav Gupta CMSC 681

Unicast Reverse Path Forwarding

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Denial Of Service. Types of attacks

Denial of Service. Tom Chen SMU

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Cisco Configuring Commonly Used IP ACLs

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Distributed Denial of Service (DDoS)

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Acquia Cloud Edge Protect Powered by CloudFlare

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

CloudFlare advanced DDoS protection

SECURING APACHE : DOS & DDOS ATTACKS - II

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

DDoS Overview and Incident Response Guide. July 2014

Abstract. Introduction. Section I. What is Denial of Service Attack?

Yahoo Attack. Is DDoS a Real Problem?

Denial of Service (DoS) Technical Primer

Firewall Firewall August, 2003

Secure Software Programming and Vulnerability Analysis

SECURING APACHE : DOS & DDOS ATTACKS - I

Denial of Service (DoS)

Security Technology White Paper

Distributed Denial of Service Attack Tools

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Queuing Algorithms Performance against Buffer Size and Attack Intensities

DDoS Protection Technology White Paper

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

How Cisco IT Protects Against Distributed Denial of Service Attacks

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

Modern Denial of Service Protection

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Denial of Service Attacks, What They are and How to Combat Them

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Frequent Denial of Service Attacks

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Chapter 7 Protecting Against Denial of Service Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

A S B

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Network Security - DDoS

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman

Cisco Configuring Basic MPLS Using OSPF

Security vulnerabilities in the Internet and possible solutions

Understanding the Various Types of Denial of Service Attack By Raja Azrina Raja Othman

Network/Internet Forensic and Intrusion Log Analysis

How To Block A Ddos Attack On A Network With A Firewall

DDoS attacks in CESNET2

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Announcements. No question session this week

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Safeguards Against Denial of Service Attacks for IP Phones

Bleeding Edge DDoS Mitigation Techniques for ISPs

Lab Characterizing Network Applications

LAB II: Securing The Data Path and Routing Infrastructure

How to launch and defend against a DDoS

Content Distribution Networks (CDN)

DNS amplification attacks

A Practical Method to Counteract Denial of Service Attacks

Security and Access Control Lists (ACLs)

CMPT 471 Networking II

Chapter 28 Denial of Service (DoS) Attack Prevention

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Firewalls. Chapter 3

Depth-in-Defense Approach against DDoS

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Overview. Firewall Security. Perimeter Security Devices. Routers

Denial of Service Attacks: Classification and Response

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Introduction of Intrusion Detection Systems

Seminar Computer Security

Firewalls. Network Security. Firewalls Defined. Firewalls

Architecture Overview

Configuring Denial of Service Protection

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

8 steps to protect your Cisco router

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Network Monitoring and Management NetFlow Overview

How To Protect A Dns Authority Server From A Flood Attack

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

NetFlow Subinterface Support

Transcription:

Strategies to Protect Against Distributed Denial of Service (DD

Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics of DDoS Attacks...1 Characteristics of Common Programs Used to Facilitate Attacks...2 Prevention...3 Capturing Evidence and Contacting Law Enforcement...5 Related Information...5 i

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate Attacks Prevention Capturing Evidence and Contacting Law Enforcement Related Information Introduction This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security. Understanding the Basics of DDoS Attacks Refer to the following illustration: Behind a Client is a person that orchestrate an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that is running a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim. Attackers have been known to use the following 4 programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht. In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. The process can be divided into the following steps, in which the attackers:

1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability. 2. Compromise the vulnerable hosts to gain access. 3. Install the tool on each host. 4. Use the compromised hosts for further scanning and compromises. Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour. Characteristics of Common Programs Used to Facilitate Attacks The following are common programs that hackers use to facilitate distributed denial of services attacks: Trinoo Communication between clients, handlers and agents use the following ports: 1524 tcp 27665 tcp 27444 udp 31335 udp Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed. TFN Communication between clients, handlers and agents use ICMP ECHO and ICMP ECHO REPLY packets. Stacheldraht Communication between clients, handlers and agents use the following ports: 16660 tcp 65000 tcp ICMP ECHO ICMP ECHO REPLY Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed. TFN2K Communication between clients, handlers and agents does not use any specific port (it may be supplied on run time or it will be chosen randomly by a program) but is a combination of UDP, ICMP and TCP packets. For a detailed analysis of DDoS programs, read the following articles. Note: The following links point to external web sites not maintained by Cisco Systems The DoS Project's "trinoo" distributed denial of service attack tool The "Tribe Flood Network" distributed denial of service attack tool

The "stacheldraht" distributed denial of service attack tool Additional information regarding DDoS tools and their variants can be found at the Packet Storm web site's Index of Distributed Attack Tools. Prevention The following are suggested methods to prevent distributed denial of service attacks. 1. Use the ip verify unicast reverse path interface command on the input interface on the router at the upstream end of the connection. This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet. The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (lease and dial up). This protects your network and customers, as well as the rest of the Internet. To use unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input side function that enabled on an interface or sub interface and operates on packets received by the router. It is very important for CEF to be turned on in the router. RPF will not work without CEF. Unicast RPF is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, including the AS5800. Hence, unicast RFP can be configured on the PSTN/ISDN dial up interfaces on the AS5800. 2. Filter all RFC1918 address space using access control lists. 3. interface xy ip access group 101 in access list 101 deny ip 10.0.0.0 0.255.255.255 any access list 101 deny ip 192.168.0.0 0.0.255.255 any access list 101 deny ip 172.16.0.0 0.15.255.255 any access list 101 permit ip any any Apply ingress and egress filtering (see RFC 2267) using ACL. { ISP Core } ISP Edge Router Customer Edge Router { Customer network } The ISP edge router should only accept traffic with source addresses belonging to the customer network. The customer network should only accept traffic with source addresses other than the customer network block. The following is a sample ACL for an ISP edge router: access list 190 permit ip {customer network} {customer network mask} any access list 190 deny ip any any [log] interface {ingress interface} {interface #} ip access group 190 in

4. The following is a sample ACL for a customer edge router: access list 187 deny ip {customer network} {customer network mask} any access list 187 permit ip any any access list 188 permit ip {customer network} {customer network mask} any access list 188 deny ip any any interface {egress interface} {interface #} ip access group 187 in ip access group 188 out If you are able to turn on Cisco Express Forwarding (CEF), the length on the ACLs can be substantially reduced and thus increase performance by enabling unicast reverse path forwarding. In order to support unicast reverse path forwarding, you only need to be able to enable CEF on the router as a whole; the interface on which the feature is enabled does not need to be a CEF switched interface. Use CAR to rate limit ICMP packets. interface xy rate limit output access group 2020 3000000 512000 786000 conform action transmit exceed action drop access list 2020 permit icmp any any echo reply For more information, refer to IOS Essential Features. 5. Configure rate limiting for SYN packets. interface {int} rate limit output access group 153 45000000 100000 100000 conform action transmit exceed action drop rate limit output access group 152 1000000 100000 100000 conform action transmit exceed action drop access list 152 permit tcp any host eq www access list 153 permit tcp any host eq www established In the above example, replace: 45000000 with the maximum link bandwidth 1000000 with a value that is between 50% and 30% of the SYN flood rate burst normal and burst max rates with accurate values Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate limit command to display the conformed and exceeded rates for the interface. Your objective is to rate limit the SYNs as little as necessary to get things working again. Warning: It is recommended that you first measure amount of SYN packets during normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.

If an SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter. Refer to IP Filter Examples for implementation details. Capturing Evidence and Contacting Law Enforcement If possible, capture packet sample for analysis. It is recommended that you use a SUN workstation or a Linux box on a fast Pentium machine to capture the packet sample. For capturing, use the tcp dump program (Linux or SUN) or snoop (SUN only). The command syntax is: tcpdump i interface s 1500 w capture_file snoop d interface o capture_file s 1500 The MTU size in this example is 1500; change this parameter if the MTU is greater than 1500. Preserve these logs as evidence for law enforcement. If you want to involve law enforcement and you are within the United States, contact your local FBI field office. More information is available at the National Infrastructure Protection Center web site. If you are located in Europe, no single point of contact exists. Contact your local law enforcement agency and ask for assistance. CISCO CANNOT CONTACT LAW ENFORCEMENT AGENCIES ON YOUR BEHALF. The Cisco PSIRT team can work with law enforcement once you have made the initial contacts. For general host security material, read information provided at the CERT/CC web page. Related Information Characterizing and Tracing Packet Floods Using Cisco Routers Improving Security on Cisco Routers Cisco Product Security Incident Response Technical Support Cisco Systems All contents are Copyright 1992 2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information