Internet Attack Mitigation at Spring ISD. CTO Clinic Presentation June 17-18, 2014

Timeline of Events - DDoS Attacks (calendar slide covering the weekdays of February and March 2014)

Timeline of Events - continued (calendar slide covering the weekdays of April and May 2014)

Spring ISD Internet Providers - 3 connections to the Internet:
- Cogent - 600 Mbps
- ICTX - 500 Mbps
- AT&T - 100 Mbps

Email communication to administrators

The purpose of this communication is to inform you about the recent Internet outages that the school district has experienced. Starting on February 18th, we have been the target of deliberate, malicious acts to overload our Internet bandwidth. The Technology Department has been working to deflect the attacks. We have learned that similar attacks have occurred with other school districts in Texas. We have also received information from one of our education vendors that they were also targeted. We are working with our Internet Service Providers (ISPs) to detect and prevent the attacks. The attacks are a form of distributed denial of service attack (DDoS), an attempt by hackers to disrupt our access to the Internet by overloading our Internet bandwidth. We have been able to limit the outages to short durations of time by making adjustments to drop the malicious incoming traffic. We want to assure you that at no time has our system been breached. District data remains safe and secure. We are continuing to work with our ISPs and other school districts to address the situation.

Understanding Denial of Service

What - What is a Denial of Service attack? A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Source: www.cert.org

Why - Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization.

How - 3 basic modes of attack:
- Consumption of scarce, limited, or non-renewable resources
  - Network connectivity
  - Using your own resources against you
  - Bandwidth consumption
  - Consumption of other resources
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components

Types of DoS and DDoS attacks:
- Protocol Attack
- Volumetric Attack
- Amplification Attack
- Reflection Attack
- Spoofed Attack
- Nuke
- Zero Day DDoS
- Chargen Attack
- Teardrop Attack
- UDP Flood
- SYN Flood
- Ping of Death (POD)
- Slowloris
- Application Level Attack

Identification of an attack:
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Purpose built appliance
- Firewall - Palo Alto Networks 5050

Mitigation of DDoS attack - 3 main types:
- DNS redirect
- Internet service provider
- Scrubbing center

Our solution:
- Purpose built appliance for attack traffic identification and local mitigation - Radware DefensePro
- Scrubbing center - Radware DefensePipe

Radware DefensePro An on-premise attack mitigation system, effectively detects and blocks all varieties of DDoS attacks.

DefensePro Security Dashboard

DefensePro Traffic Monitoring

DefensePro Traffic Monitoring - UDP

DefensePro Geo Map

Mitigating Volumetric DDoS attacks - What happens when an attack is based upon traffic volume?
- Internet pipe saturation can occur
- Rejecting this traffic at your border is not sufficient
- The intended effect of the attack - denial of service - is accomplished

DDoS Volumetric Attack

How do you mitigate such an attack?
- Typically not enough to ask your ISP to block source IP or port ranges - attackers will adapt (distributed botnets, source IP spoofing)
- You must rely upon resources further upstream with enough capacity to absorb the attack

ISP-provided scrubbing service - Your service provider scrubs traffic in-line, and only passes clean-pipe traffic to your border.

Benefits:
- Transparent process - typically requires no re-routing of traffic to a 3rd party
- Time needed to implement the protection service may be shorter

Challenges:
- Likely need to purchase this service per ISP
- If they offer multiple-ISP protection, they are likely just reselling a scrubbing center service like Radware's solution
- Many smaller ISPs, or ISPs focused on low cost, will not provide this service - the only way to protect these connections is through a 3rd party service.

DefensePipe - 3rd-party scrubbing - Ingress traffic is re-routed through a scrubbing center that can absorb the attack, filtering attack traffic and only passing clean-pipe traffic to your border.

Benefits:
- Can protect all of your ISP connections through a single service and contract - may be more cost effective
- Will provide DDoS protection, even when an ISP cannot
- Independent from your ISPs, avoiding ISP contract concerns (E-Rate, pricing leverage)

Challenges:
- Diversion mechanism relies upon BGP - must set this up
- Traffic returning from the scrubbing center makes use of a GRE tunnel - must set this up

BGP Pre-requisites:
- Apply for an Autonomous System Number (ASN) through ARIN - American Registry for Internet Numbers
- Purchase BGP capable border router(s)
- Your public IPv4 blocks must be /24 or larger for BGP route advertisement
- IP block can be provider-assigned, but will need approval from the ISP for diversion.

Considerations and Lessons Learned:
- If you want the option of ISP-provided DDoS protection, include this as a factor in RFPs
- If you want the option of 3rd party scrubbing, implement BGP in advance
- If implementing BGP, load balancing mechanisms and quantity / size of public IP allocations are key considerations
- New solutions are arising, making use of SDN mechanisms like BGP Flowspec

Mitigating Volumetric DDoS attacks Questions? Link to presentation: http://goo.gl/3brplz

Appendix: BGP Diversion Methods - Diversion Option 1 - Smaller prefix
- Advertise a /23 or larger prefix
- During attack, DefensePipe will advertise your IP block using smaller prefixes (example: 2x /24 networks)
- For route selection, more specific advertisements win, so traffic will follow.
- This option requires that you own or are allocated a contiguous /23 public IP block

Appendix: BGP Diversion Methods - Diversion Option 2 - AS-path Prepend
- Route selection for traffic on the Internet is based upon the shortest path through Autonomous Systems (AS-Path).
- Your BGP router can advertise a route with your ASN prepended multiple times to the AS-path, making the AS-path appear longer.
- During attack, DefensePipe will advertise a route to your IP block without any prepending, giving their advertisement a shorter AS-path than yours.
- A route with a shorter AS-path wins, so traffic will follow.

Appendix: BGP Diversion Methods - Diversion Option 3 - Advertisement / Withdrawal
- Only recommended if other methods are not possible.
- You must manually withdraw BGP advertisements.
- Requires action on your part in order to activate protection.
- DefensePipe will advertise a route to your IP block, and traffic will follow.

Appendix: Return traffic - GRE tunnel
- Must set aside a public IP that is not a part of the diverted IP block
- This IP will serve as an endpoint for a GRE tunnel.
- All scrubbed traffic is passed back to your border through this tunnel
- GRE encapsulation has an effect on MTU
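The three diversion options and the GRE return path above all hinge on how a remote network picks one route among competing advertisements. The following added example (not from the presentation, and not Radware's or Spring ISD's code) models that decision for each option and the MTU consequence of the GRE tunnel. It uses a deliberately simplified BGP decision process (longest prefix match, then shortest AS-path; real BGP also considers local preference, origin, MED and more), constructed placeholder ASNs 65001 (district) and 65002 (scrubbing center), and the constructed prefix 192.0.2.0/23. The scrubbing center's advertisement is assumed to carry the path (scrubber ASN, district ASN) as seen from the Internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders; a real deployment uses the ASN assigned by ARIN
# and the district's own public block.
DISTRICT_ASN = 65001
SCRUBBER_ASN = 65002
DISTRICT_BLOCK = ipaddress.ip_network("192.0.2.0/23")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]   # AS-path as seen by a remote network
    origin: str                # "district" or "scrubber": who advertised it


def best_route(rib: List[Route], dst: str) -> Optional[Route]:
    """Simplified BGP decision: longest matching prefix, then shortest AS-path."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def where_traffic_goes(rib: List[Route], dst: str = "192.0.2.10") -> str:
    r = best_route(rib, dst)
    return r.origin if r else "unreachable"


def option1_smaller_prefix(under_attack: bool) -> List[Route]:
    """Option 1: district advertises the /23; scrubber advertises two /24s under attack."""
    rib = [Route(DISTRICT_BLOCK, (DISTRICT_ASN,), "district")]
    if under_attack:
        for sub in DISTRICT_BLOCK.subnets(new_prefix=24):
            rib.append(Route(sub, (SCRUBBER_ASN, DISTRICT_ASN), "scrubber"))
    return rib


def option2_as_path_prepend(under_attack: bool, prepend: int = 3) -> List[Route]:
    """Option 2: district prepends its own ASN; scrubber advertises without prepending."""
    rib = [Route(DISTRICT_BLOCK, (DISTRICT_ASN,) * prepend, "district")]
    if under_attack:
        rib.append(Route(DISTRICT_BLOCK, (SCRUBBER_ASN, DISTRICT_ASN), "scrubber"))
    return rib


def option3_withdrawal(under_attack: bool) -> List[Route]:
    """Option 3: district manually withdraws its route; only the scrubber's remains."""
    if under_attack:
        return [Route(DISTRICT_BLOCK, (SCRUBBER_ASN, DISTRICT_ASN), "scrubber")]
    return [Route(DISTRICT_BLOCK, (DISTRICT_ASN,), "district")]


def valid_gre_endpoint(ip: str, diverted: ipaddress.IPv4Network = DISTRICT_BLOCK) -> bool:
    """The tunnel endpoint must sit outside the diverted block, or the
    scrubber's own return traffic would be diverted back to the scrubber."""
    return ipaddress.ip_address(ip) not in diverted


def gre_tunnel_mtu(link_mtu: int = 1500) -> int:
    """GRE over IPv4 adds a 20-byte outer IP header plus a 4-byte GRE header."""
    return link_mtu - 20 - 4


def tcp_mss_for_tunnel(tunnel_mtu: int) -> int:
    """Largest TCP payload that fits in one tunnel packet (20-byte IP + 20-byte TCP)."""
    return tunnel_mtu - 20 - 20


if __name__ == "__main__":
    for name, fn in [("smaller prefix", option1_smaller_prefix),
                     ("AS-path prepend", option2_as_path_prepend),
                     ("withdrawal", option3_withdrawal)]:
        print(f"{name:16} normal -> {where_traffic_goes(fn(False))}, "
              f"attack -> {where_traffic_goes(fn(True))}")
    mtu = gre_tunnel_mtu()
    print(f"GRE tunnel MTU {mtu}, TCP MSS to clamp {tcp_mss_for_tunnel(mtu)}")
```

Running the script shows that every option sends traffic to the district under normal conditions and to the scrubber during an attack, and that a 1500-byte link leaves a 1476-byte tunnel MTU, which is why the border router should clamp TCP MSS (to 1436 here) on the tunnel interface so return traffic is not fragmented or black-holed.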