Denial of Service Protection “Standardize Defense or Loose the War”
advertisement
Denial of Service Protection “Standardize Defense or Loose the War” ETSI Future Security Workshop: the threats, risk and opportunities 16th and 17th January 2006 Sophia-Antipolis, France By: Emir@cw.net Arslanagic Head of Security Engineering Cable and Wireless Future Security Workshop January 2006 1 Vulnerability Lifecycle Risk is ity bil ra d. lne ce al een Vu noun ritic ve b tect an me c s ha pro So tem d or sys tche pa anic tors p nd nistra Admi l systems a al patch FW and e Chang ing rules rk netwo Vulnerability has been discovered Intr u abo ders a r ut v ulne e learn rabi ing lity Admins did not have enough resources to patch everything. Intruders have GUI tools, and self propagating malicious code Time Presented by Emir Arslanagic @ INFORMATION SOCIETY – CONNECTING EUROPE, Ljubjana 2002 Future Security Workshop January 2006 2 08 November 2005 03:36 Subject: 6GB-20GB DDOS attack heading near you!!! ¾ 5pps DNS TXT queries size of 48 bytes are sent to a series of 100K+ DNS servers… ¾ Response packets are between 4059 and 4162 bytes in size ¾ POBLEM: miss configured DNS ¾ SOLUTION: stop allowing open recursive lookups from external sources US-CERT is working on a product for public release that will hopefully raise awareness on the dangers of DNS servers that permit open recursion… This is NOT new. There where a long running dns-smurf attacks in 2000!!! Future Security Workshop January 2006 3 What We Need??? “No matter how many times you save the Internet it always manages to get back in to jeopardy again” Future Security Workshop January 2006 4 Agenda What is dos Standardizations efforts to protect from dos Security and dos protection ¾ Dos tracking ¾ Black-holing ¾ Anti-spoofing Real DDoS protection ¾ How does it work ¾ DOS protection powered by ISP and ASP Where to go from here Future Security Workshop January 2006 5 What Is Denial of Service DoS is an incident in which a system is deprived of the resources it would normally have DoS is usually a target of choice risk, and very often related to extortion or racketeering DoS usually targets publicly available services that make money (extortion) , or other opinioned portals (political violence) Distributed DoS sometimes involves more then hundred thousands boots It’s estimate that close to 10 million networked computers are a potential source of DoS Future Security Workshop January 2006 6 Standardization Efforts IETF ¾ RFCs (denial of service has become serious consideration) • 3704 ingress filtering for Multihomed networks • 3882 configuring BGP to block denial-of-service attacks ¾ Drafts • Internet denial of service considerations (M. Handley, E. Rescorla ) • Protecting internet routing infrastructure from outsider dos attacks (Zinin) ITU ¾ Recognise spam as a threat to the internet ¾ No work has been done on DOS prevention and protection USA ¾ Government policy for cyber security relies on voluntary and cooperative action by the private sector and has, until now, explicitly rejected the use of mandate or regulation. (By James Andrew Lewis CSIS, Oct. 2005) ¾ Many informal information exchange means are established to facilitate cooperation ETSI ¾ Improving regulation related to NGN Future Security Workshop January 2006 7 Extraordinarily Complex Security •Security is currently where networking was 15 years ago •Multiple, complex components •Lack of expertise in the industry •No common GUIs •Lack of standards •Attacks are growing •Customers require security for business •Vulnerability Management is time consuming Source: Dr. Bill Hancock, Cable & Wireless Future Security Workshop January 2006 8 DDoS Protection History of DOS protection ¾ DOS tracker ¾ Black-holing ¾ Sinking Customer is impacted Inline protection is not sufficient Only solution is to stop attacks as close as possible to source ¾ uRPF ¾ Sound security practices Traffic cleaning Future Security Workshop January 2006 9 Current Issues Multiple groups are involved in extortion From 300 to 1mil.+ devices involved Sophisticated full spectrum attacks ¾ ¾ ¾ ¾ ¾ ¾ ¾ TCP connection attack; syn attack URL attack UDP flood ICMP flood TCP flood Malformed packets It is not getting better Future Security Workshop January 2006 10 DDoS Traffic Black-holing or Sinking When DOS is detected /32 routes is assign to BGP community that routes to null (black-holing) or to local server (sinking). Benefit: ¾ Remote ISPs that are paying high price for link to the upstream provider. Downside: ¾ Attacker has succeeded in their intent, victim IP is unreachable. Future Security Workshop January 2006 11 DDoS Traffic Black-holing or Sinking Attack Network Service Provider Attacker Network Switch Victim Network Attacker Network IP Network User Network NOC Attack Network Enterprise Future Security Workshop Network January 2006 12 DDoS Traffic Black-holing or Sinking Zombie Peers Zombie Switch 141.1.1.1/32 Community 1273:100 Victim Network Zombie 141.1.1.1 IP Network Peers NOC Customers Future Security WorkshopCustomers January 2006 13 DDOS-tracker DCU Approach When DDOS is detected /32 routes is assign to BGP community with instruction to count packets. Using SNMP or Syslog counts are presented to NOC. On interfaces with highest number of packets ACLs are manually applied to protect victim IP. Future Security Workshop January 2006 14 DDOS-tracker DCU Approach Zombie Peers Zombie Switch Victim Network Zombie IP Network Peers NOC Customers Future Security Workshop Customers January 2006 15 DDOS-tracker DCU Approach Zombie Peers Zombie Switch 141.1.1.1/32 Community 1273:31 Victim Network Zombie 141.1.1.1 IP Network Peers NOC Customers Future Security WorkshopCustomers January 2006 16 DDOS-tracker Screen Shot Future Security Workshop January 2006 17 Ingress Filtering Strict Reverse Path Forwarding ¾ Only symmetrical routing Feasible Path Reverse Path Forwarding ¾ alternative paths have been added and they are valid for consideration Loose Reverse Path Forwarding ¾ route presence check Why this does not work? ¾ Prevent only spoofed packets ¾ Not all ISPs are implementing it Future Security Workshop January 2006 18 Real DOS Protection Must be scalable Must be available to all customers Must protect backbone infrastructure Must let good packets trough Must detect bad sites Must NOT impact operation Must NOT add additional point of failure in the network Must be implemented globally Future Security Workshop January 2006 19 Real DOS Protection Zombie Peers Zombie Switch Victim Network Zombie IP Network Peers NOC Customers Future Customers Security Workshop January 2006 20 Real DOS Protection Zombie Peers Zombie Switch Victim Network Zombie IP Network Peers NOC Customers Future Customers Security Workshop January 2006 21 Things to Consider Does internet users have a right to expect only benign packets to be send to them??? Road and car analogy ¾ At the beginning was primary goal to increase road coverage and car speed. Passenger safety has not been consider seriously until seventies Moor’s law is working for us ¾ Or Is there another killer application that will eat all available bandwidth? Cleaning function in every switch ¾ Standardization will come when technology is ready Future Security Workshop January 2006 22 Real DOS Protection Where Is the Value? Education and Education If one customer in data center is target all customers are victims Bandwidth that we need for normal operation is not in any relation with bandwidth that we need for protection Targeted are usually content provider, enterprises and opinionated organizations Victims are all of us if there is no protection Insurance model is the closest, how much insurance you can afford Future Security Workshop January 2006 23 NGN VoIP Interconnects SBCs are becoming de-facto standards Should we demand packet inspection and cleaning? Is it to early? Can we be to late? Future Security Workshop January 2006 24 Questions emir@cw.net Future Security Workshop January 2006 25
