DDoS Mitigation Strategies



Similar documents
DDoS Mitigation Techniques

DDoS Attacks. An open-source recipe to improve fast detection and automate mitigation techniques

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Approaches for DDoS an ISP Perspective.

F5 Silverline DDoS Protection Onboarding: Technical Note

The Value of Flow Data for Peering Decisions

Hunting down a DDOS attack

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

DNS Best Practices. Mike Jager Network Startup Resource Center

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Security Toolsets for ISP Defense

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

Automated Mitigation of the Largest and Smartest DDoS Attacks

DDoS attacks in CESNET2

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Cisco IOS Flexible NetFlow Technology

Service Description DDoS Mitigation Service

Firewall on Demand Multidomain

Cisco Network Foundation Protection Overview

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Network provider filter lab

Analysis of a DDoS Attack

SolarWinds Log & Event Manager

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Practical Advice for Small and Medium Environment DDoS Survival

MANAGED SECURITY SERVICES : IP AGNOSTIC DDOS AN IP AGNOSTIC APPROACH TO DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION

A10 Thunder TPS Hybrid DDoS Protection Deployment with Verisign OpenHybrid

Exterior Gateway Protocols (BGP)

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

BT Assure DoS Mitigation UK

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Routing Protocols (RIP, OSPF, BGP)

How To Set Up Foglight Nms For A Proof Of Concept

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

BGP as an IGP for Carrier/Enterprise Networks

TDC s perspective on DDoS threats

Cheap and efficient anti-ddos solution

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Technical White Paper

DDoS Overview and Incident Response Guide. July 2014

and reporting Slavko Gajin

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Automated Mitigation of the Largest and Smartest DDoS Attacks

ΕΠΛ 674: Εργαστήριο 5 Firewalls

DEFENSE NETWORK FAQS DATA SHEET

Reducing the impact of DoS attacks with MikroTik RouterOS

Report of Independent Auditors

/ Staminus Communications

Testing Network Security Using OPNET

Question 1. [7 points] Consider the following scenario and assume host H s routing table is the one given below:

Community tools to fight against DDoS

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Protection Solution. Strategic White Paper

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Mitigating DDoS Attacks at Layer 7

IDG Connect DDoS Survey

media network & internet access

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DDoS Mitigation Solutions

Restorable Logical Topology using Cross-Layer Optimization

Outline. Outline. Outline

Internet Traffic Trends A View from 67 ISPs

Security and Access Control Lists (ACLs)

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

DDoS detection & mitigation

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

FIREWALL AND NAT Lecture 7a

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Network Performance Monitoring at Minimal Capex

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

State of Texas. TEX-AN Next Generation. NNI Plan

BB2798 How Playtech uses predictive analytics to prevent business outages

1. Firewall Configuration

Firewalls Netasq. Security Management by NETASQ

Chapter 11 Cloud Application Development

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

Implementing Secure Converged Wide Area Networks (ISCW)

SolarWinds Certified Professional. Exam Preparation Guide

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Traffic Monitoring : Experience

GregSowell.com. Mikrotik Security

Chapter 4 Restricting Access From Your Network

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

21.4 Network Address Translation (NAT) NAT concept

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Transcription:

DDoS Mitigation Strategies Internet2 Security Working Group 23 Feb 2016 Mark Beadles Information Security Officer mbeadles@oar.net Kevin Nastase Network Security Engineer knastase@oar.net www.oar.net Slide 1

About OARnet Created in 1987 by Ohio Board of Regents A division of Ohio Department of Higher Education Serves Ohio s education, research, health care, public broadcasting and government communities 100Gb network backbone 2200+ miles of fiber in 6 rings 90 higher education clients 700 K-12 districts via 32 technology centers 750+ State government locations Slide 2

Slide 3

Denial of Service Background Statistics 3.6 events per day, 25.3 events per week, 110 events per average month event here is an anomalous UDP flow 79 Unique clients have seen events Targeted vs 267 different IP s Average event size: 2.454 Gb (1.686 Gb UDP, 0.761 Gb TCP) Largest event size: 17.867 Gb (17.653 Gb UDP,.213 Gb TCP) Data collected 3/15-2/16 Slide 4

Denial of Service Characteristics 1900/ssdp 41% 123/ntp 27% 53/dns 15% 520/rip 2% 161/snmp 1% 19/chargen 1% 80 36% 4444 8% 53 3% 443 1% 3074 1% (also src prt 0) Slide 5

Denial of Service Measures Monitoring Alerting Visualization Escalation Proactive DNS Targeted policing Reactive RTBH Hybrid DDoS Mitigation Slide 6

Denial of Service Measures: Alerting Sample Alert Suspected UDP (D)DoS Attack - Client: <redacted> Service: INTERNET, Router: <redacted> - xe-1/0/0.395, ifindex: 504 UDP: 16.15 Gbps, TCP: 424.44 Mbps, Total: 16.57 Gbps UDP Src Port: 0 53, UDP Dest Port: 0 4444, Destination IP: 64.247.117.58 Statseeker Utilization Graph: <link> Netflow Reports: Top IP Protocols - <link> Top UDP Source Ports- <link> Top UDP Destination Ports - <link> Slide 7

Denial of Service Measures: Visualization Slide 8

Slide 9

Denial of Service Measures: Escalation Plan your incident response and escalation paths ahead of time Both technical and business DDoS is service affecting! Know who the right contacts are Practice & overcommunicate client NOC (24x7) Tier2 Engineering (on call) Security (on call) Slide 10

Denial of Service Measures: DNS DNS is both a target and a source of DDoS activity OARnet DNS 8 servers, 2 different OS s (secure64 + FreeBSD) ½ recursive, ½ authoritative Blind-master setup Slide 11

Denial of Service Measures: Targeted Policing Large proportion of DDoS activity has a profile that lends itself to straightforward policing UDP traffic in particular E.g.: why does 1900/udp need to be sent over the Internet? Considerations: Mission to deliver all the bits, fast Potential to disrupt applications ( 80/udp & Google) Manageability of multiple custom policers Slide 12

Denial of Service Measures: RTBH (aka BGP Null Route) Mechanism: Remotely triggered black hole Client sends specific host /32 route to OARnet tagged with appropriate BGP community value nnn:nn for Internet mmmm:mm for Internet2 OARnet backbone router sets next hop to discard Once BGP policy is configured, client can send prefixes without escalating to OARnet Slide 13

Denial of Service Measures: RTBH (aka BGP Null Route) Considerations: Target IP will not be able to communicate with Internet. (Yes, this may have been the intent...) However, this may allow the rest of your network to stay up during the attack! Strongly encouraging clients to set up RTBH for use when needed mab@yyyyy-r0a> show configuration policy-options policy-statement MMM-ASnnnnn-IN term CANDIDATE-NULL { from { community AS600-NULL; route-filter 64.113.176.0/20 prefix-length-range /32-/32; route-filter 208.108.232.0/23 prefix-length-range /32-/32; } then { next-hop discard; accept; } } Slide 14

Denial of Service Measures: Hybrid Mitigation Deployed for K12 networks in Ohio 28 locations serving 700 districts Vendor-based Hybrid architecture: CPE device to filter, detect anomalies, trigger alert Cloud scrubbing service for larger events Manual intervention to approve BGP swing to cloud OARnet provided addresses outside allocated IP space for GRE tunnel termination & management Slide 15

Concluding thoughts Many DDoS events aren t volumetric pipe-filling attacks but instead target weak points @CPE, in particular firewalls Education and communication with clients cannot be overemphasized Consider different solutions to protect different resources: e.g. protect a web site by outsourcing to a CDN Slide 16

Thank you www.oar.net Slide 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information