GÉANT Perspective on DDoS - DDoS Mitigation in the NREN Environment Workshop
GÉANT Information & Infrastructure Security Team, Evangelos Spatharas
DDoS Mitigation Workshop, Vienna, November 10th 2015
INDEX
- DDoS Statistics
- How to Prevent: Understand your Network; Network Architecture - Zones; Modular Firewall
- How to Detect: NetFlow Monitoring and Alerting; NetFlow Alternatives; Log Monitoring
- How to Mitigate: ACLs; RTBH; BGP Flowspec
- The Future of BGP Flowspec: Firewall on Demand; NSHaRP Full Integration
- Q & A
Timeline (figure): NSHaRP, Log Monitoring, Patch Scanning Systems, RTBH, Chain Firewall Architecture and FoD, introduced between February 2010 and November 2015.
D(D)oS - Not Just in Fiction Movies
GÉANT DDoS Attacks, events seen per month, April 2015 - October 2015 (chart: Apr-15 to Oct-15, monthly values shown 4,862; 1,877; 81; 183; 641; 509; 143). DNS, NTP, SMTP and other amplification attacks.
How to Protect Against DDoS? (diagram: Interconnect, NREN, Level3)
Defending GÉANT
Preventative Controls - Zones (diagram: GÉANT / GÉANT Ltd INTERNAL, Protected External, Internet EXTERNAL)
Preventative Controls - Deep Defence (modular firewall)
- Internet, NREN, IX etc.: Basic Filtering
- VLAN 100: Transport protocol(s)/port(s) filtering
- Protected-External: IP prefix, protocol & port(s), spoof, smurf etc. filtering
Preventative Controls - Patch Scanning and Management
- Asset management
- Monthly scans: Number of Vulnerable Systems by OS; Top 15 Vulnerable Systems for the current month, by criticality
- Areas of attention: prioritize and remediate the weakest ones first
Detection
Detective Controls - NetFlow Monitoring
Detective Controls - NetFlow E-mail Alerts
Detective Controls - Login Rate Monitoring + Iptables
1. Log search: index=nix_hosts_apache "Login failed for user*" | stats count(src_ipv4) as count by host | search count > 1000
2. iptables -I INPUT 5 -m limit --limit 10000/min -j LOG --log-prefix "Possible DDoS: " --log-level 7
3. Nagios plugins?
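The failed-login check from the search above, as an added example that is not part of the slides: it counts failed logins per host over a sliding one-minute window on constructed log lines and flags hosts over the 1000 threshold, also reporting how many distinct sources were involved. The line layout, host names and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style line layout (an assumption, not the slides' format):
#   <ISO timestamp> <host> apache: Login failed for user <user> from <src_ipv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) apache: Login failed for user "
    r"(?P<user>\S+) from (?P<src_ipv4>\d{1,3}(?:\.\d{1,3}){3})$"
)

def make_sample_log():
    """Constructed sample data: 1,200 failures against web1 within 30 s from
    four source addresses, plus three stray failures on web2 over an hour."""
    t0 = datetime(2015, 11, 10, 9, 0, 0)
    lines = []
    for i in range(1200):
        ts = (t0 + timedelta(milliseconds=25 * i)).isoformat()
        lines.append(f"{ts} web1 apache: Login failed for user admin "
                     f"from 198.51.100.{1 + i % 4}")
    for i in range(3):
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} web2 apache: Login failed for user bob from 203.0.113.9")
    return lines

def parse(lines):
    """Yield (host, timestamp, src_ipv4) for matching lines; others are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["host"], datetime.fromisoformat(m["ts"]), m["src_ipv4"]

def peak_rate_by_host(lines, window=timedelta(minutes=1)):
    """Per host: most failed logins in any sliding window, and the number of
    distinct sources overall (one noisy client vs. a distributed attack)."""
    recent, peak, sources = defaultdict(deque), defaultdict(int), defaultdict(set)
    for host, ts, src in sorted(parse(lines), key=lambda e: e[1]):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        peak[host] = max(peak[host], len(q))
        sources[host].add(src)
    return {h: (peak[h], len(sources[h])) for h in peak}

def alert_hosts(lines, threshold=1000, window=timedelta(minutes=1)):
    """Hosts over the slide's threshold (count > 1000 failed logins)."""
    return sorted(h for h, (n, _) in peak_rate_by_host(lines, window).items()
                  if n > threshold)
```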
Mitigation
Mitigation Controls - ACLs + RTBH + BGP Flowspec
- ACLs: Doesn't scale; Time consuming; Granular; Less coarse; Service filtering
- RTBH (2004): Scalable; Fast implementation; No granularity; Too coarse; Wide support
- BGP Flowspec (2009): Scalable; Fast implementation; Granular; Less coarse; No support from older OSs
ACLs - Chain Architecture: Head, Middle, Tail (Auditing, Troubleshooting, Deployment)
RTBH Statistics: 6 RTBH-ed destinations; 2+ billion packets blocked; counters reset every month
BGP Flowspec - FoD fod.geant.net Developed and designed by
FoD WEB GUI
FoD - How Does it Work? (diagram: IX A, IX B, Internet, GÉANT, NREN A, Flowspec, FoD, NSHaRP)
FoD - How Do we Envision it to Work? (diagram: IX A, IX B, Internet, GÉANT, NREN A, Flowspec, FoD, NSHaRP)
FoD Demo Time!
What do YOU think?
Q & A
Thank you - GÉANT Information & Infrastructure Security Team, Evangelos.Spatharas@geant.org