DDoS Threats Landscape : Countering Large-scale DDoS attacks
Post on 16-Jan-2017
Transcript
DDoS Threat Landscape: Countering Large-scale DDoS Attacks
CF Chui, Arbor Networks
Who is Arbor Networks?
• 90%: Percentage of world’s Tier 1 service providers who are Arbor customers
• 107: Number of countries with Arbor products deployed
• #1: Arbor market position in DDoS Mitigation Equipment in Carrier, Enterprise and Mobile markets [Infonetics Research, Dec. 2014]
• 14: Number of years Arbor has been delivering innovative security and network visibility technologies & products
• $19B: 2013 GAAP revenues [USD] of Danaher, Arbor’s parent company providing deep financial backing
• 120+ Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative!
We See Things Others Can’t
ATLAS Global Threat Analysis System
Attack Landscape seen by ATLAS
ATLAS Demographics
• ATLAS provides invaluable data to Arbor customers and the broader operational security community
• 330+ participating customers
– 32% Europe
– 24% North America
– 17% Asia
– 9% South America
– 9% Global
• Tracking a peak of over 120Tbps
DDoS Attack Types
[Chart: attack types as a percentage of respondents, 2014 vs 2015]
• Two-thirds of attacks are volumetric, up slightly
– No surprise given reflection storm
• 90% of respondents report seeing application-layer attacks
– 4% fall in proportion of application-layer attacks
Substantial Growth in Largest Attacks
• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
• Some saw multiple events above 100Gbps but only reported largest
Worldwide DDoS attacks trend

Period    Average attack size (bps)   Change (Q/Q)   Peak attack size (bps)   Change (Q/Q)
2014 Q1   1.12Gbps                    -              325.06Gbps               -
2014 Q2   759.83Mbps                  -32.2%         154.69Gbps               -52.4%
2014 Q3   858.98Mbps                  +13.05%        264.61Gbps               +71.1%
2014 Q4   830.37Mbps                  -3.3%          267.21Gbps               +1%
2015 Q1   804.12Mbps                  -3.1%          334.22Gbps               +25%
2015 Q2   1.04Gbps                    +29.4%         196.35Gbps               -41%
[Chart: World 2015 Q1 size break-out, bps (buckets: <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps)]
[Chart: World 2015 Q2 size break-out, bps (same buckets)]
Attack Size Analysis – Worldwide
§ Percentage of attacks over 1Gbps is growing strongly
§ 16% in 2014, 17.7% in Q1 ‘15, 20.8% in Q2.
§ Most growth in the 2 – 10Gbps range
§ Attack PPS rates also on the rise
§ 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
§ Percentage of attacks over 10Gbps resumes growth.
§ 1.26% in 2014, 0.9% in Q1 ’15, 1.41% in Q2 ’15.
§ Big jump in 50-100Gbps attacks in June.
[Chart: 2014/2015 event size break-out month-by-month; number of events >10Gbps, >20Gbps, >50Gbps and >100Gbps per month]
Reflection/Amplification attacks – Worldwide
§ Looking at attacks with source-ports of services used for reflection.
§ Q2 2015 shows number of SSDP attacks starting to fall back.
§ 84K in Q2, 126K in Q1 2015, 83K in Q4 ’14
§ 50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)
§ Average attack sizes increase for all vectors except SNMP.
§ Average duration of reflection attack 20 mins in Q2 (19 mins in Q1).
Protocol   UDP source port   Max size Q2 ‘15   Average size Q2 ‘15
SNMP       161               10.95bps          1.06Gbps
Chargen    19                44.9Gbps          2.2Gbps
DNS        53                120.3Gbps         2.78Gbps
SSDP       1900              144.91Gbps        2.42Gbps
NTP        123               185.94Gbps        2.75Gbps
[Chart: reflection mechanism as % of overall attacks, 2014 Q1 to 2015 Q2, by vector: SSDP, NTP, DNS, Chargen, MSSQL, SNMP]
APAC DDoS attacks trend

Period    Average attack size (bps)   Change (Q/Q)   Average attack duration   Change (Q/Q)
2014 Q1   579.99Mbps                  -              28m 58s                   -
2014 Q2   530.51Mbps                  -8.5%          29m                       +0%
2014 Q3   588.74Mbps                  +11%           31m 8s                    +7.3%
2014 Q4   500.68Mbps                  -15%           41m 10s                   +32%
2015 Q1   483.65Mbps                  -4.4%          46m 11s                   +12%
2015 Q2   800.01Mbps                  +65.4%         39m 53s                   -14%

[Chart: Attack traffic size – APAC Q2 2015 (buckets: <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps)]
[Chart: Attack duration – APAC Q2 2015 (buckets: <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]
Large DDoS attacks seen in 2015 – APAC
[Chart: peak attack growth trend in Gbps, Jan 2014 to Jun 2015, with quarterly peaks Q1 14 to Q2 15]
Annotated attacks:
• 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec
• 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min
• 99Gbps/26Mpps to India, NTP reflection attack, 31 min
• 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec
• 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec
• 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec
Large Attacks Analysis
§ Number of attacks > 10Gbps increases significantly in Q2 2015.
§ Number of attacks > 50Gbps jump from 12 in Q1 2015 to 80 in Q2 2015
Large DDoS attacks analysis – APAC
[Chart: number of events with attack sizes > 10Gbps per month, Jan 2014 to Jun 2015]
§ 99% of the attacks < 1Gbps
§ 95% of attacks last less than 1 hour
DDoS attacks targeting Malaysia, H1 2015

Period   Peak attack size                              Avg attack size          Avg duration
Q1 15    94.13 Gbps/18.73 Mpps, UDP flooding attack    80.94 Mbps/17.93 Kpps    42 min 32 sec
Q2 15    27.90 Gbps/2.41 Mpps, UDP flooding attack     72.71 Mbps/11.99 Kpps    30 min 3 sec
[Chart: Attack traffic size – MY Q2 2015 (buckets: <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps)]
[Chart: Attack duration – MY Q2 2015 (buckets: <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]
[Chart: Average attack sizes – Malaysia; average attack traffic size (Mbps) per quarter, Q1 2013 to Q2 2015]
[Chart: Peak attack sizes – Malaysia; peak attack traffic size (Gbps) per quarter, Q1 2013 to Q2 2015]
[Chart: Number of attacks – Malaysia; number of attacks per quarter, Q1 2013 to Q2 2015]
[Chart: Average attack duration – Malaysia; average attack duration (sec) per quarter, Q1 2013 to Q2 2015]
Reflection/Amplification attacks
[Diagram: attacker-reflector leg and attacker-victim leg]
SOURCE: Data sourced from tenth Annual Worldwide Infrastructure Security Report and ATLAS data
Anatomy of an NTP Reflection Attack (Source: ATLAS Data)
[Diagram: Attacker, Victim, and unsecured NTP servers (http://openntpproject.org) used to reflect and amplify]
• NTP Monlist Request (small): Src IP: Spoofed (Victim’s IP), Dest IP: Unsecured NTP Server, Src Port: 80, Dest Port: 123
• NTP Monlist Request (large): Src IP: Unsecured NTP Server, Dest IP: Victim, Src Port: 123, Dest Port: 80
NTP reflection attack was responsible for the largest monitored attack by ATLAS in 2014: 325Gbps
89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps
Industry Best Current Practices (BCPs)
• BCPs are industry best practices for locking down a network
• Deploy these as policy to limit the exposure of your network
Network Infrastructure BCPs
• Separation of control plane from data plane
• Interface ACLs (iACLs)
• Source based remote triggered blackhole S/RTBH
• Destination based remote triggered blackhole D/RTBH
• Flowspec
• uRPF
Host Based BCPs
• OS Hardening
• Access control
• Antivirus
• Patching/Version Control
• Application Tuning
Mitigation Architecture – Options available
• tACLs – block all unnecessary protocols/ports at network ingress – protect critical resources
• Flowspec – BGP-based injection of ACLs or routing policy to filter or divert traffic
• S/RTBH – Source based remote triggered blackhole can be used to block known bad sources
• D/RTBH – Destination based remote triggered blackhole can be used as a method of last resort to protect the network
• IDMS – Intelligent DDoS mitigation to protect everything else
How Can ISPs Defend Against These Attacks?
• Deploy antispoofing at all network edges.
– uRPF Loose-Mode at the peering edge
– uRPF Strict Mode at customer aggregation edge
– ACLs at the customer aggregation edge
– uRPF Strict-Mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
– DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
– PACLs & VACLs at the IDC LAN access edge
– Cable IP Source Verify, etc. at the CMTS
– Other DOCSIS & DSL mechanisms
[Diagram: Customer 1, Customer 2, Downstream ISP, Regional Broadband, Service Provider Data Center 1 and Data Center 2, Internet]
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
– Arbor Peakflow SP, which provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
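The reflection source-port analysis in the worldwide section and the flow-telemetry detection described in this bullet can be combined into a small classifier. The following is an added example, not Arbor’s or the presenter’s code; it runs over constructed NetFlow-style records, and the function name reflection_alerts, the sample addresses, the 60-second window and the 1 Mbps threshold are assumptions.

```python
"""Flag reflection/amplification traffic in UDP flow telemetry (constructed sample records).

Reflectors answer from a well-known UDP service port, so flows whose *source*
port is one of those services, aggregated per destination, give a cheap
classifier plus the reflector list needed for traceback.
"""
from collections import defaultdict

# UDP service ports abused for reflection (from the vector table on this page;
# MSSQL/1434 is an assumption, the chart names MSSQL but gives no port)
REFLECTION_PORTS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP", 1434: "MSSQL"}

# Constructed flow records for one 60-second export window:
# (src_ip, src_port, dst_ip, dst_port, ip_proto, packets, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.1", 123, "198.51.100.7", 80, 17, 200_000, 96_000_000),   # NTP reflector -> victim
    ("10.0.0.2", 123, "198.51.100.7", 80, 17, 100_000, 48_000_000),   # NTP reflector -> victim
    ("10.0.0.3", 1900, "198.51.100.7", 80, 17, 50_000, 15_000_000),   # SSDP reflector -> victim
    ("10.0.0.9", 53, "198.51.100.20", 33120, 17, 10, 2_000),          # ordinary DNS reply
    ("10.0.0.4", 443, "198.51.100.7", 55000, 6, 500, 400_000),        # TCP, not a reflection vector
]

def reflection_alerts(flows, window_s, bps_threshold):
    """Aggregate UDP flows from reflection ports per destination; return those at or above bps_threshold."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "vectors": set(), "reflectors": set()})
    for src_ip, sport, dst_ip, _dport, proto, pkts, nbytes in flows:
        if proto != 17 or sport not in REFLECTION_PORTS:
            continue
        agg = per_dst[dst_ip]
        agg["bytes"] += nbytes
        agg["packets"] += pkts
        agg["vectors"].add(REFLECTION_PORTS[sport])
        agg["reflectors"].add(src_ip)
    alerts = {}
    for dst, agg in per_dst.items():
        bps = agg["bytes"] * 8 / window_s
        if bps >= bps_threshold:
            alerts[dst] = {
                "bps": bps,
                "pps": agg["packets"] / window_s,
                "vectors": sorted(agg["vectors"]),
                "reflectors": sorted(agg["reflectors"]),  # candidates for traceback / S/RTBH
            }
    return alerts

if __name__ == "__main__":
    for dst, info in reflection_alerts(SAMPLE_FLOWS, 60, 1_000_000).items():
        print(f"{dst}: {info['bps'] / 1e6:.1f} Mbps, {info['pps']:.0f} pps, "
              f"vectors {info['vectors']}, {len(info['reflectors'])} reflectors")
```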
Pervasive Detection – The Attack Surface
Mitigation – IDMS
[Diagram: IDMS and edge routers towards Peer A, Peer B, upstreams, IXP-W and IXP-E]
Mitigation High Availability
• Network-Based Redundancy
– Regional redundancy using BGP anycast to mitigate traffic at the nearest location
– Appliances or blades in a router
• Scrubbing Center Redundancy
– Multiple TMS appliances in a single scrubbing center
– Use of Equal Cost Multipath (ECMP) between appliances
• Link Redundancy in Datacenter
– Deploy APS appliances in redundant datacenter paths
– Manually fail over to backup path if system fails into bypass
BGP Anycast Mitigation Redundancy
[Diagram: two scrubbing centers (Peakflow SP TMS at Scrubbing Center 1 POP and Scrubbing Center 2) attached to the IP core, with customer aggregation, customer CPE, peers and transit]
Mitigation Center Redundancy - CEF/ECMP
CEF/ECMP load balancing between TMS appliances in a mitigation center
[Diagram: attack traffic from the IDC diverted to a regional mitigation center with a TMS mitigation cluster of Arbor TMS IDMSes]
On-Premise APS Link Redundancy
Since each APS port-pair can also offer hardware bypass, single box failures do not require re-convergence.
[Diagram: Pravail 1 and Pravail 2 on redundant paths towards the Internet]
Scaling Mitigation Capacity
• Currently-shipping largest-capacity Intelligent DDoS Mitigation System (IDMS) – 40gb/sec
• 16-IDMS (CEF/ECMP limit) = 640gb/sec per cluster
• Multiple clusters can be anycasted
• Largest number of IDMSes per deployment currently 100 = 4tb/sec of mitigation capacity per deployment, 10x more than largest DDoS to date.
• Deploy IDMSes in mitigation centers at edges - in/out of edge devices.
• Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!
• S/RTBH & flowspec leverage router/switch hardware, hundreds of mpps, gb/sec. Leveraging network infrastructure is required due to ratio of attack volumes to peering and core link capacities!
DDoS Mitigation – BGP Flowspec
• The Flow specification can match on the following criteria:
– Source / Destination Prefix
– IP Protocol (UDP, TCP, ICMP, etc.)
– Source and/or Destination Port
– ICMP Type and Code
– TCP Flags
– Packet Length
– DSCP (Diffserv Code Point)
– Fragment (DF, IsF, FF, LF)
• Actions are defined using Extended Communities:
– 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
– 0x8007: traffic-action (sample)
– 0x8008: redirect to VRF
– 0x8009: traffic-marking (DSCP value)
Why Use BGP For ACLs?
• ACLs are still the most widely used tool to mitigate DDoS attacks
– But… ACLs are demanding in configuration & maintenance.
• BGP Flowspec leverages the BGP Control Plane to simplify the distribution of ACLs, greatly improving operations:
– Inject new filter rules to all routers simultaneously without changing configuration.
– Reuse existing BGP operational knowledge and best practices.
• Improve response time to mitigate DDoS attacks!
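To make the match criteria and the 0x8006 traffic-rate action listed above concrete, here is an added example (not the presenter’s code and not any vendor’s implementation) that encodes an RFC 5575 Flowspec NLRI and a traffic-rate extended community as a mitigation tool would hand them to a BGP speaker. The function names, the documentation prefix 192.0.2.0/24 and the /32 victim address are assumptions.

```python
"""Encode a BGP Flowspec NLRI (RFC 5575) plus a traffic-rate action (rate 0 = discard)."""
import ipaddress
import struct

# Flowspec component types (RFC 5575 section 4); components must appear in ascending type order
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6

def _prefix_component(ctype, cidr):
    """<type><prefix-length><prefix octets, trailing zero octets omitted>"""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def _numeric_component(ctype, values):
    """Match any of `values`: each item uses the 'eq' operator; the last sets the end-of-list bit."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        end = 0x80 if i == len(values) - 1 else 0x00
        if v < 256:
            out += bytes([end | 0x01, v])                       # len=1 byte, eq
        else:
            out += bytes([end | 0x11]) + struct.pack("!H", v)  # len=2 bytes, eq
    return bytes(out)

def flowspec_nlri(dst=None, src=None, proto=None, dst_ports=(), src_ports=()):
    """Build the NLRI: 1-byte length below 240 octets, else 2 bytes with 0xF0 marker."""
    body = b""
    if dst:
        body += _prefix_component(DEST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        body += _numeric_component(IP_PROTO, [proto])
    if dst_ports:
        body += _numeric_component(DEST_PORT, list(dst_ports))
    if src_ports:
        body += _numeric_component(SRC_PORT, list(src_ports))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate(bytes_per_sec, asn=0):
    """0x8006 traffic-rate extended community: type 0x80, subtype 0x06, 2-byte AS, 4-byte IEEE float."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

# Example rule: discard UDP traffic from source port 123 (NTP) towards the victim host (assumed address)
DROP_NTP_TO_VICTIM = flowspec_nlri(dst="192.0.2.10/32", proto=17, src_ports=[123])
DROP_ACTION = traffic_rate(0)
```

Only the destination prefix and the layer-4 classifier are carried in the NLRI; the action travels separately as an extended community on the same route, which is why a rate of 0 maps onto the "discard" behaviour the slide mentions.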
BGP Flowspec Mitigation
[Diagram: Botnet and legitimate users on the Internet; Service Provider Network with an edge router; Enterprise or IDC with router, firewall, IPS/IDS and victim; good traffic, attack traffic and BGP announcement flows]
• SP Portal initiates BGP update with ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it).
• Flowspec filter applied on the external interfaces; only traffic matching that flow is discarded.
• Edge routers configured with BGP flowspec sessions, and flowspec filtering enabled on external peering interfaces.
• BGP Flowspec route validation performed for eBGP sessions only.
BGP Flowspec Traffic Redirection
[Diagram: Internet; Scrubbing Center with “Dirty” VRF, DDoS Scrubber and Detection & Control; Enterprise or IDC with router, firewall, IPS/IDS and victim; good traffic, attack traffic, BGP Flowspec diversion and traffic reinjection]
• BGP Flowspec filter to redirect only the specified traffic that matches the rule
• Diverted traffic is a subset of all traffic destined to the victim
• Traffic reinjection after scrubbing
BGP Flowspec – Vendors
• Router vendors supporting BGP Flowspec:
– Cisco IOS XR 5.2.0 & XE 3.14
– Alcatel-Lucent 7750 SROS 9.0R1
– Juniper JunOS 7.3
• DDoS mitigation vendors:
– Arbor Peakflow SP >5.8
• BGP Tools:
– ExaBGP Injector
Mitigation – S/RTBH or Flowspec
[Diagram: edge routers towards Peer A, Peer B, upstreams, IXP-W and IXP-E]
• Peakflow SP advertises list of blackholed prefixes based on source or destination addresses, or layer-4 flowspec classifier
• Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec)
SDN Illustrated
[Diagram: logical view (controller with northbound REST API, southbound API, WB API and policy) and physical view (controller driving OpenFlow switches)]
NFV Illustrated
[Diagram: logical view (Internet, router, Arbor APS, FW, IPS, LB, web servers) and physical view (vRouter, vAPS, vFW, vIPS, vLB, web VMs)]
Where SDN Could be Ideal
• Meter traffic conditions, application and user behavior
• Match those conditions against a set of pre-defined criteria (policy)
• Act on the match according to a policy (control behavior)
[Diagram: controller with northbound REST API, southbound API (OpenFlow) and WB API]
TMS Blacklist Offload via OpenFlow
[Diagram: Provider A and Provider B feeding a data center TMS; bad traffic dropped (X) at OpenFlow switches, good traffic passes]
• Offloads traffic filtering from TMS to the network fabric via SDN protocol for greater scale and performance
• Integrates 3rd party SDN controller ‘speaking’ OpenFlow
• Similar/extensible to other policy-based protocols: BGP, FlowSpec, NETCONF, etc.
Mitigation – OpenFlow
[Diagram: TMS and edge routers towards Peer A, Peer B, upstreams, IXP-W and IXP-E]
Summary – Detection/Classification/Traceback/Mitigation
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Many open-source tools available as well
• Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches.
• Ensure recursive DNS servers are not queryable from the public Internet – only from your customers/users.
• Ensure SNMP is disabled/blocked on public-facing infrastructure/servers.
• Disallow level-6/-7 NTP queries from the public Internet.
• Disable all unnecessary services such as chargen.
• Regularly audit network infrastructure and servers/services.
Arbor Networks’ Product Portfolio
Thank You