IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure

Similar documents
Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

VALIDATING DDoS THREAT PROTECTION

TDC s perspective on DDoS threats

Firewall Defaults and Some Basic Rules

Denial Of Service. Types of attacks

Brocade NetIron Denial of Service Prevention

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

IxLoad-Attack: Network Security Testing

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Safeguards Against Denial of Service Attacks for IP Phones

Firewalls and Intrusion Detection

Firewall Firewall August, 2003

How To Block A Ddos Attack On A Network With A Firewall

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

No Cloud Allowed. Denying Service to DDOS Protection Services

DDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna

Attack and Defense Techniques

Introduction of Intrusion Detection Systems

Vanguard Applications Ware IP and LAN Feature Protocols. Firewall

First Line of Defense

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Chapter 8 Security Pt 2

Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

DDoS Overview and Incident Response Guide. July 2014

allow all such packets? While outgoing communications request information from a

Denial of Service Attacks

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Deployment Guide DDoS Protection for Web and DNS Servers

Security Technology White Paper

Wireless Networks: Network Protocols/Mobile IP

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

McAfee Network Security Platform [formerly IntruShield] Denial-of-Service [DoS] Prevention Techniques Revision C Revised on: 18-December-2013

Development of a Network Intrusion Detection System

CS5008: Internet Computing

Analysis of a DDoS Attack

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

How To Understand A Network Attack

The Transport Layer and Implica4ons for Network Monitoring. CS 410/510 Spring 2014

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

NetFlow/IPFIX Various Thoughts

CaptIO Policy-Based Security Device

Managing Latency in IPS Networks

Automated Mitigation of the Largest and Smartest DDoS Attacks

Abstract. Introduction. Section I. What is Denial of Service Attack?

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

IP Filter/Firewall Setup

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Cheap and efficient anti-ddos solution

Application DDoS Mitigation

A S B

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Introduction about DDoS. Security Functional Requirements

Chapter 28 Denial of Service (DoS) Attack Prevention

About Firewall Protection

IPFIX IE Extensions for DDoS Attack Detection draft-fu-dots-ipfix-extension-01

A Layperson s Guide To DoS Attacks

Distributed Denial of Service (DDoS)

1. Firewall Configuration

FortiDDos Size isn t everything

Introducing FortiDDoS. Mar, 2013

CS 356 Lecture 16 Denial of Service. Spring 2013

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Scalable DDoS mitigation using BGP Flowspec

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Distributed Denial of Service protection

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

First Line of Defense

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

co Characterizing and Tracing Packet Floods Using Cisco R

IDS / IPS. James E. Thiel S.W.A.T.

Arbor s Solution for ISP

BIG-IP Systems: DoS Protection and Protocol Firewall Implementations. Version 12.0

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

DDoS Mitigation Techniques

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Transport Layer Protocols

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Deployment of Snort IDS in SIP based VoIP environments

DDoS Protection Technology White Paper

Firewalls Netasq. Security Management by NETASQ

Vulnerabili3es and A7acks

Surviving DNS DDoS Attacks. Introducing self-protecting servers

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

AntiDDoS1000 DDoS Protection Systems

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Transcription:

IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure Glen Turner Consul,ng Systems Engineer IPv6 Migra,on Technologies A10 Networks gturner@a10networks.com

DDoS A<ack Trends and Effects Q3 2010 Q4 2012 Q1 2013 Q1 2013 Q1 2014 PayPal Discloses cost of afack 3.5M (~$5.8 million) Bank of the West $900k stolen, DDoS as a distrac,on al Qassam Cyber Fighters 10-40 Gbps afacks target 9 major banks Credit Union Regulators Recommend DDoS protec,on to all members CloudFlare 400 Gbps NTP amplifica,on afack Q4 2013 Q4 2013 Q4 2013 Q4 2013 60 Gbps afacks regularly seen,100 Gbps not uncommon 26% YoY afack increase (17% L7, 28% L3-4) PPS reaches 35 million 6.8 million mobile devices are poten,al afackers High- bandwidth DDoS a<acks are becoming the new norm and will con0nue wreaking havoc on unprepared enterprises. Gartner Press Release, Gartner Says 25 Percent of Distributed Denial of Services A<acks in 2013 Will Be ApplicaDon- Based, February 21, 2013. h<p://www.gartner.com/newsroom/id/2344217

DDoS Threat Pyramid Applica0on Exploit A<acks Applica0on Resource A<acks Network Protocol A<acks Network Volumetric A<acks Exploit vulnerabili,es in the applica,on e.g., AFack amplifica,on (for NTP/DNS, etc.), buffer overflows, etc. Exhaust applica,on resources using traffic that seems legi,mate e.g., Slowloris, Slow READ, R.U.D.Y, Slow POST, HTTP GET afacks, etc. Targeted protocol afacks to exhaust specific resources e.g., TCP SYN Flood, Ping of Death, LAND afack, Fragmenta,on, etc. Consume targets bandwidth e.g., Large- scale network protocol afacks, including DNS/NTP Reflec,on afacks, UDP Flood, ICMP Flood, etc.

DDoS A<ack Types Observed 19.9% HTTP GET Flood Source: Prolexic Q4 2013 16% Others 17.1% UDP Fragment 14.5% SYN Flood 9.7% DNS 9.7% ICMP 13.1% UDP Flood The largest afacks increase 33% 300 Gbps (Q2 2013) 400 Gbps (Q1 2014) 60 Gbps regularly seen, 100 Gbps not uncommon Average afack packets- per- second 35 million PPS

CGN Device Targeted DDoS A<acks Impact of A<acks Against NAT Infrastructure Source: Arbor Infrastructure Security Report CGN A<ack Vectors Volumetric State Exhaust 81% of total DDoS afacks Vulnerable to both internal and external afacks Internal afacks more difficult to mi,gate CGN Vulnerabili0es UDP/TCP State Exhaust Volumetric AFacks against NAT Pool Resources Excessive Client Port Alloca,on Requests Client session setup rate EIM/EIF session crea,on EIM/EIF session setup rate Indirectly affects logging infrastructure

Mi0ga0ng CGN Device DDoS A<acks Fundamental requirements for effec,ve mi,ga,on Packet Anomaly Check Network level packet sanity Ini,al scrubbing for common AFack signatures Session Setup Rate EIM/EIF Client Sessions Dynamic Blacklis,ng of NAT Pool Resources Network level high speed inspec,on and control External Interac,on Policy awareness Auto black- holing compromised resources Telemetry Traffic Rate Control Network and applica,on monitoring to rate limit traffic

CGN Security IP Anomaly Filter Detects and drops packets containing common afack signatures for all incoming ports Ensures properly formafed packets and adherence to standards and state machines Protects against afacks based upon known packet signatures Disrupts network reconnaissance afempts in which afackers may use protocol vulnerabili,es to gain target informa,on such as opera,ng system type and version ICMP Rate Limi0ng Mi,gates ICMP volumetric afacks Supports both IPv4 and IPv6 Provide watermarks for ICMP drop per second and lockup,me Lockup events logged

CGN Security IP Anomaly Filter Detects and drops packets containing common a<ack signatures for all incoming ports LAND AFack Bad IP Checksum TCP Fragmented Header Empty Fragment ICMP Ping of Death TCP Bad Checksum Micro Fragment TCP Bad Urgent Offset UDP Short Header IPv4_Op,ons TCP Short Header UDP Bad Length IP Fragment TCP Bad IP Length UDP Kerberos Frag Bad IP Header Length TCP Null Flags UDP Port Loopback Bad IP Flags TCP Null Scan UDP Bad Checksum Bad IP TTL TCP Syn & Fin Runt IP Header No IP Payload TCP XMAS Flags Runt TCP/UDP Header Oversize IP Payload TCP XMAS Scan IP Tunnel Mismatch Bad IP Payload Length TCP Syn Fragment Bad IP Fragment

CGN Device Targeted DDoS A<acks Target Compromised Enforcement of connec,ons setup rate for mi,ga,on of flood based afacks (e.g., TCP SYN, UDP, and ICMP flooding) Rate limits per source IP address Limits connec,on rate from both inside and outside origina,ng flows Applicable for EIF Sessions Maximum absolute inside/outside connec,ons capped by session- quota Maximum absolute inside connec,ons capped by user quota If CPS limit is exceeded, sessions are no longer created for the source IP address CPS limit will inhibit new session crea,on even if user/session quotas are not exceeded Policy aware traffic policing Support for hair- pinned sessions

CGN Security- NAT Pool Resource Protec0on Provides device protec,on from volumetric afacks targe,ng NAT pool resources by dropping packets early in data path prior to reaching L4- L7 processes Target Denied Allowed Operator defined threshold can be set for IP, TCP, UDP If thresholds are violated, 2- tuple entry for NAT IP/ Port wrifen into soqware/hardware tables Packets that match table entries exceeding thresholds are dropped Entries age out within 10secs aqer falling below threshold

CGN Security- Telemetry and Analy0cs Global Sta0s0cs TCP Received TCP Out of Order Timer Expired TCP Out of Order TCP RetransmiFed FIN TCP RetransmiFed PSH TCP RetransmiFed RST TCP Retransmission TCP RST TCP SYN Received TCP SYNs per second TCP established HTTP too many headers HTTP Header name too long HTTP 1.0 HTTP 1.1 HTTP Get HTTP Head HTTP Post HTTP Trace HTTP Op,ons HTTP Connec,on HTTP Delete HTTP Unknown HTTP request line too long HTTP request length too long HTTP par,al header HTTP Slow Post HTTP Bad Chunk HTTP Chunk < 512 HTTP Chunk < 1k HTTP Chunk < 2k HTTP Chunk < 4k HTTP chunk > 4k HTTP response chunk HTTP parse request failure HTTP request HTTP Client RST HTTP Request retransmit HTTP request out of order HTTP invalid header HTTP payload too small HTTP des,na,on request rate exceeded HTTP source request rate exceeded HTTP packets processed HTTP out of order queue exceeded 73567367 367367 373 54737 4645 3456345 2356 34563 534563 345634563 345634 34563456 66565 54564 34735 367567 43676 467567 675676 345645 45643 34565 456454 4574 47454 4767 45645 47457 675675 47457 457457 45745 67567 457457 454 67457 47567 6756 457454 235 4574 4574 457474 457454 457454 sflow using mul,ple extensions IPFix Common Event Format Logging On box packet captures xflow Collec0on Infrastructure Per IP Sta0s0cs 131.107.4.2 131.107.2.4 131.17.17.8 TCP packets 343452345 23452345 526256 UDP packets 262346 646 457 ICMP packets 5 5775 4574 IPv6 packets 775 6456456 34665 IPSec packets 575 3564574574 34644 IGMP packets 575 477754 5575 "Other IP Protocols" 678 4776 55453 TCP SYN 678 7676 343 TCP SYN/Ack 9777 25 1222 TCP Fin 679 35645 232 TCP RST 69 4574 780 TCP URG 568 45353 568586 Total Packets 5666 45745 45345 concurrent HTTP connec,ons 56856 6865 566 New HTTP connec,ons 566776 675 56856 Avg between request and response 56765 5866 5665 total ingress/egress bandwidth 5676 568568 56865 Number of occurrence of each method 5676 3434 34643 blocked packets due to countermeasures 56756 677 34646 US conns 346345 343 343 FR conns 345 53454 34545 CN conns 3453 345 223

CGN Security- Implementa0on Guidelines Access Control Lists for device- wide permissions and OAM access Configure the CGN device to drop all subscriber packets from source IP addresses not explicitly defined. Add 0.0.0.0/0 to the client policy list and explicitly drop this traffic Disabling inbound- refresh can provide protec,on against malicious applica,ons and DDoS afacks Implement a TCP SYN defense method Op,mize subscriber port alloca,ons (aka user- quota) Disable ICMP Ping response for NAT pool addresses Disable unused ALG and secure ALG in use

CGN Security- Implementa0on Guidelines Limit EIM/EIF afack vectors Operators should set session quotas to limit fullcone NAT sessions Set STUN,mers in accordance with network applica,on requirements Use connec,on rate limi,ng to limit full- cone session crea,on, configure per- protocol full- cone behavior, and limit full cone sessions per port Expedite log correla,on by explicitly configuring logging (syslog/traffic logging) to include subscriber informa,on such as client source IP address and other user afributes provided through custom Radius afributes (e.g., MSISDN/IMSI, user name) DDoS afacks could exceed trigger thresholds for mul,ple mi,ga,on techniques. Understand your CGN device s architecture to determine the most efficient mi,ga,on strategy that op,mizes opera,onal behavior

Ques0ons? Glen Turner gturner@a10networks.com

Thank You Glen Turner gturner@a10networks.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information