DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT



Similar documents
How Cisco IT Protects Against Distributed Denial of Service Attacks

How To Block A Ddos Attack On A Network With A Firewall

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Cisco Network Foundation Protection Overview

Service Description DDoS Mitigation Service

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Service Provider Solutions. DDoS Protection Solution. Enabling Clean Pipes Capabilities

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Distributed Denial of Service protection

Acquia Cloud Edge Protect Powered by CloudFlare

TDC s perspective on DDoS threats

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

DEFENSE NETWORK FAQS DATA SHEET

Complete Protection against Evolving DDoS Threats

Cheap and efficient anti-ddos solution

Defeating DDoS Attacks

CloudFlare advanced DDoS protection

Automated Mitigation of the Largest and Smartest DDoS Attacks

MANAGED SECURITY SERVICES : IP AGNOSTIC DDOS AN IP AGNOSTIC APPROACH TO DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION

Strategies to Protect Against Distributed Denial of Service (DD

CS 356 Lecture 16 Denial of Service. Spring 2013

FortiDDos Size isn t everything

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

DDoS attacks in CESNET2

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January Cristian Velciov. (+40)

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

A Layperson s Guide To DoS Attacks

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

DDoS Overview and Incident Response Guide. July 2014

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Stop DDoS Attacks in Minutes

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

The Expanding Role of Service Providers in DDoS Mitigation

Modern Denial of Service Protection

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Automated Mitigation of the Largest and Smartest DDoS Attacks

Distributed Denial of Service (DDoS)

Putting the Tools to Work DDOS Attack

Hunting down a DDOS attack

Security Toolsets for ISP Defense

Radware s Attack Mitigation Solution On-line Business Protection

Arbor s Solution for ISP

Denial of Service Attacks

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

CISCO DDOS PROTECTION SOLUTION DELIVERING CLEAN PIPES CAPABILITIES FOR SERVICE PROVIDERS AND THEIR CUSTOMERS

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

Chapter 11 Cloud Application Development

Mitigating DDoS Attacks at Layer 7

/ Staminus Communications

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Secure Pipes with Network Security Technology Showcase

LoadMaster Application Delivery Controller Security Overview

Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks.

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

Stop DDoS Attacks in Minutes

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

DDoS Mitigation via Regional Cleaning Centers

Distributed Denial of Service Attack Tools

Quality Certificate for Kaspersky DDoS Prevention Software

Introducing FortiDDoS. Mar, 2013

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

Campus LAN at NKN Member Institutions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Approaches for DDoS an ISP Perspective.

DDoS Mitigation Techniques

SECURING APACHE : DOS & DDOS ATTACKS - I

Take the NetFlow Challenge!

Securing Your Business with DNS Servers That Protect Themselves

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Voice Over IP (VoIP) Denial of Service (DoS)

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Application DDoS Mitigation

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

NSFOCUS Anti-DDoS System White Paper

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

TLP WHITE. Denial of service attacks: what you need to know

Glasnost or Tyranny? You Can Have Secure and Open Networks!

Transcription:

DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1

Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad range of spoofed addresses Solution: Deploy Cisco Guard at Cisco s Internet points of presence (POPs) and in the Internet cloud Results Successfully mitigate DDoS and other attacks Next Steps Work with service providers to offer Clean Pipes solution Cisco Guard at the service provider location to other enterprise customers 2

Challenge: Prevent DDoS Attacks Cisco IT uses multiple techniques to prevent network attacks Access control lists (ACLs) at network edge also called black holes coarsely filter traffic from servers spoofing Cisco addresses, or traffic to Windows control ports More granular ACLs protect Cisco Connection Online 3

Challenge: Prevent DDoS Attacks Cisco IT needed new techniques to prevent a new type of threat: low-bandwidth DoS attacks coming from a broad range of spoofed addresses ACLs would block legitimate traffic as well as malicious traffic With ACLs, IT would need to constantly shift the block as the apparent origin of the attack shifted ACLs lack the sophistication to deal with DoS attacks from sites using network address translation (NAT) 4

Challenge: Prevent DDoS Attacks Attack zombies: Use valid protocols Spoof source IP Are massively distributed Execute variety of attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks Data center DDoS and worm attacks 5

Solution: Cisco Guard Provides an added layer of protection for missioncritical servers, including e-commerce Deployed in Cisco s major ISP points of presence (POPs) around the world, as well as in the Internet cloud Sits on traffic path During ordinary operations, traffic follows its usual path through the network 6

Solution: Cisco Guard Process But when an attack begins Cisco IT learns of potential attacks in numerous ways, including notification by Arbor PeakFlow DoS system which analyzes Cisco NetFlow data Cisco IT decides which DDoS mitigation method to use: For small attacks from few IP addresses: black hole technology or shutting down specific devices For large attacks from many IP addresses: Cisco Guard or other methods 7

Solution: Cisco Guard Process Cisco Guard uses dynamic routing to divert traffic headed for protected properties It differentiates normal from malicious traffic by comparing it to normal traffic profile for the server Good traffic passed through Bad traffic dropped 8

Solution: Cisco Guard (steps 1-3) BGP announcement Cisco Guard 3. Divert only target s traffic 2. Activate: Automatic or manual Target 1. Detect Cisco Guard Detector, Cisco IDS, Cisco NetFlow system Non-targeted servers 9

Solution: Cisco Guard (steps 4-6) Traffic destined to the target Legitimate traffic to target Cisco Guard 4. Identify and filter the malicious 5. Forward the legitimate traffic 6. Nontargeted traffic flows freely Non-targeted servers Target Cisco Guard Detector, Cisco IDS, Cisco NetFlow system 10

Solution: Cisco Guard at ISP Cisco Guard is also deployed at Cisco ISPs around the world Cisco Guard in Cisco POPs Cisco Guard in Internet Cloud Protects Cisco servers from DDoS attacks originating from computers connected to Cisco network Protects Cisco servers and upstream bandwidth from large-scale DDoS attacks originating from locations outside the Cisco network 11

Results: Effective Mitigation of DDoS Attacks Using Cisco Guard, Cisco IT has successfully mitigated: Large-scale DDoS attacks SYN flood attacks ICMP attacks Other successes with Cisco Guard include: Ruling out a SYN flood attack Providing insurance that a potential attack could not disrupt quarter-end activities Preventing spamming of a customer Web site Preventing a DNS attack 12

Next Steps: Clean Pipes Solution for ISPs Cisco is working with service providers to offer Cisco Guard solution to other enterprise customers Goal: to contain DDoS attacks at the ISP site so that the attacks do not affect the target company s Internet connection 13

To read the entire case study, or for additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT www.cisco.com/go/ciscoit 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information