Boaz Elgar, Product Manager, November 2002

Confidential, © Riverhead Networks, Inc., 2002

Agenda

Some known DDoS attacks

Types of DDoS attacks

Current measures for blocking DDoS

Riverhead Solution overview


Riverhead Profile

Solution: Secure internet availability against crippling DDoS cyber-attacks

Customers: Large enterprises, new media companies, service providers and government organizations

Investors:

HQ: Cupertino, California

Products: Riverhead Guard and Detector - infrastructure security devices


Overview of DDoS attacks


DDoS Incidents Around The Globe

Global: World Economic Forum, CERT

Europe: Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, British Telecom, Cloud9

US: Amazon, Yahoo, CNN, e-Bay, e-Trade, Microsoft, White House, NY Times, NASA, OZ.Net

Rest of world: 200 small corporations, 30 educational organizations and 20 government systems (Korea); St George Bank (Australia)

Distributed Denial of Service: An Upstream Issue

Zombies on innocent computers

Server-level DDoS attacks

Infrastructure-level DDoS attacks

Bandwidth-level DDoS attacks

Server-level DDoS attacks

Layer 4 attacks: leave connections stuck in a TCP state (SYN received, established, FIN_WAIT_1) until the server's connection table is full

Application layer attacks: 404 File Not Found flood, SSL, CGI, DNS bogus requests

[Figure: the packet fields an attacker chooses - DST, SRC, protocol, CRC, port, SYN/FIN flags, SSL, GET URL, CGI, www.victim.com]


TCP Level DDoS attacks

TCP SYN flood

• One of the first CERT DDoS advisories issued – 9/1996

• http://www.cert.org/advisories/CA-1996-21.html

[Figure: normal handshake - the client sends a SYN request and the server answers SYN-ACK. Attack - zombies send SYN requests with spoofed source addresses; the victim answers SYN-ACK to addresses that never complete the handshake, and its buffer of waiting (half-open) connections overflows]


TCP SYN Flood

News - February 3, 2002: Firenet ISP Suffers DoS Attack

Firenet MD Mr Castle also stated: "The list of attacks were Syn Flood attacks, IP Spoofing the LAN interfaces, and Total Denial of Service attacks. We had taken down the servers for 4 nights in a row, from 11 o'clock till 6.00 am daily and worked all through the night with BT fighting this hacker or hackers, and had stopped the problems on Wednesday night / Thursday morning".

NAPHTA: TCP connections

By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources and fill up the TCP connection buffer.

The client completes the handshake, sends an HTTP request and then stops responding; the server's reply and FIN are never acknowledged, so the connection sits in FIN_WAIT_1. Many such connections pile up on the server (netkill: http://people.internet2.edu/~shalunov/netkill).

[Figure: clients send SYN request, the server replies SYN-ACK, the clients ACK, send an HTTP request and then the FIN exchange is left hanging]

Half open connections

Repeatedly establish a connection and send an unfinished request ("GE" instead of a complete "GET ..."). The server waits for the end of the request, so the attack saturates the application layer rather than the TCP stack.

[Figure: clients send SYN request, the server replies SYN-ACK, then the partial request is sent and never completed]
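How the three server-level patterns above show up in a socket table, as an added example (not code from the Riverhead deck): it parses a constructed snapshot laid out like Linux `ss -tan` output and applies the tests a responder would run. The sample addresses, the thresholds and the `parse_ss`/`classify` names are assumptions for illustration.

```python
"""Classify server-level TCP DDoS patterns from a socket-state snapshot.

Added example, not code from the Riverhead deck. It reads a constructed
snapshot laid out like the output of `ss -tan` on Linux (State, Recv-Q,
Send-Q, local and peer address) and applies the three patterns the
slides describe: SYN flood, NAPHTA-style FIN_WAIT_1 exhaustion and
half-open application requests. Thresholds are illustrative.
"""
from collections import Counter, defaultdict

# Constructed sample snapshot of a web server at 10.0.0.5:80 under attack.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV   0      0      10.0.0.5:80        203.0.113.10:4431
SYN-RECV   0      0      10.0.0.5:80        198.51.100.77:1025
SYN-RECV   0      0      10.0.0.5:80        192.0.2.200:33000
SYN-RECV   0      0      10.0.0.5:80        203.0.113.99:51000
FIN-WAIT-1 0      8192   10.0.0.5:80        192.0.2.44:40001
FIN-WAIT-1 0      8192   10.0.0.5:80        192.0.2.44:40002
FIN-WAIT-1 0      8192   10.0.0.5:80        192.0.2.44:40003
ESTAB      0      0      10.0.0.5:80        192.0.2.45:50001
ESTAB      0      0      10.0.0.5:80        192.0.2.45:50002
ESTAB      0      0      10.0.0.5:80        192.0.2.46:50003
"""

def parse_ss(text):
    """Turn the snapshot into dicts; the peer port is dropped, only the IP matters."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        state, recvq, sendq, local, peer = line.split()
        rows.append({"state": state, "recvq": int(recvq), "sendq": int(sendq),
                     "local": local, "peer_ip": peer.rsplit(":", 1)[0]})
    return rows

def classify(rows, syn_threshold=3, fin_threshold=2, estab_threshold=2):
    """Return a dict of findings; a value is None when the pattern is absent."""
    by_state = defaultdict(list)
    for r in rows:
        by_state[r["state"]].append(r)

    findings = {"syn_flood": None, "naphta": None, "half_open_http": None}

    # SYN flood: many half-open handshakes. When nearly every SYN-RECV has a
    # different peer, the sources are probably spoofed: each fake address
    # appears once and never completes the handshake.
    syn = by_state["SYN-RECV"]
    if len(syn) >= syn_threshold:
        peers = {r["peer_ip"] for r in syn}
        findings["syn_flood"] = {"count": len(syn),
                                 "distinct_peers": len(peers),
                                 "spoof_suspected": len(peers) == len(syn)}

    # NAPHTA / netkill: the server has sent its reply and FIN but the peer
    # never ACKs, so Send-Q stays non-zero and the socket sits in FIN-WAIT-1.
    fin = [r for r in by_state["FIN-WAIT-1"] if r["sendq"] > 0]
    per_peer = Counter(r["peer_ip"] for r in fin)
    offenders = {ip: n for ip, n in per_peer.items() if n >= fin_threshold}
    if offenders:
        findings["naphta"] = {"count": len(fin), "per_peer": offenders}

    # Half-open HTTP requests look like ordinary idle ESTAB sockets here: the
    # socket table cannot see the unfinished "GE" line. What it can show is a
    # pile of established connections from few peers, which is the cue to
    # check the web server's request-timeout counters.
    estab = Counter(r["peer_ip"] for r in by_state["ESTAB"])
    crowded = {ip: n for ip, n in estab.items() if n >= estab_threshold}
    if crowded:
        findings["half_open_http"] = {"per_peer": crowded}
    return findings

if __name__ == "__main__":
    for name, detail in classify(parse_ss(SAMPLE_SS)).items():
        print(f"{name:15s} {detail}")
```

The spoofing heuristic is the useful part: a real client retries its SYN from the same address, so a SYN-RECV population with no repeated peers is the signature of random spoofing, which is also why source-based filtering fails against it later in the deck.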

HTTP attack tool

First came out in January 1999!

[Figure: attack tool screenshot - fields for www.victim.com and www.proxyserver.com, "Click to get latest victim", "Where to attack", "Control how fast to attack"]

Client attack

URL attacks: repeated request, repeated REFRESH, random URL

• Avoids proxy caches (a random URL is never cached)

• Makes the server work hard: cgi, long forms, heavy search requests

• Large log file

http://all.net/journal/netsec/9512.html

[Figure: many clients hammering the victim]


Client attack on Lufthansa

“Wednesday morning, in a planned attack, demonstrators began accessing Lufthansa's Web site. Although demonstrators claim they knocked the site off-line for about 10 minutes, Lufthansa said the claim was untrue.”

“Lufthansa's servers got 67,004 hits per second at one point in the two-hour Web attack”

“The attack was planned to protest Lufthansa's contract with the German government to fly people who are denied asylum in Germany out of the country.”

Computerworld 6/21/01


Client attack on WTO

DNS attack

DNS request spoofing, random requests, reflectors

DNS recursive requests, amplification

[Figure: UDP traffic with a spoofed source address carries recursive queries for random names (www.bogus.com, www.bla-bla.com, www.!@$$.com, www.*&^.com) to a DNS server; the server's reply to each recursive query goes to the spoofed source, the victim]

Bandwidth-level DDoS attacks

ICMP echo, unreachable

UDP flood

Reflectors

Smurf flood

Reflectors

[Figure: the zombie works from a list of reflectors (Reflector-1, Reflector-2, Reflector-3, Reflector-4 …): proxies, web servers, DNS servers, SOCKS proxies, routers. Packets carrying the victim's source address are sent to each reflector, and the replies converge on the victim. Many zombies can use the same set of reflectors]

Reflectors -> Bandwidth attack

Reflector = any host that returns a packet when one is sent to it: web servers, DNS servers and routers. Because the request carries the victim's address as its source, the reflector's answer goes to the victim.

• Returns SYN-ACK or RST in response to a SYN or other TCP packets with ACK

• ICMP Time Exceeded or Host Unreachable in response to particular IP packets

• Amplification if the sequence number is known (FTP, streaming…)

• DNS replies

http://grc.com/dos/drdos.htm

http://www.aciri.org/vern/papers/reflectors.CCR.01.pdf
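The amplification that the DNS attack slide and the reflector slide describe, measured at the DNS layer. This is an added example, not code from the Riverhead deck: it builds a wire-format query with Python's struct module, constructs a reply with four A records (constructed data, no resolver is contacted) and compares the sizes. The domain names, addresses and function names are assumptions for illustration.

```python
"""Measure how much a DNS reflector amplifies a spoofed query.

Added example, not from the Riverhead deck. It builds a wire-format DNS
query (RFC 1035 header + question) and a constructed response, then
compares sizes and reads the response flags. No packets are sent: the
point is that the reflector returns more bytes than the zombie spent,
all addressed to whatever source the zombie wrote into the IP header.
"""
import struct

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1

def encode_name(name):
    """'www.bogus.com' -> length-prefixed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    flags = 0x0100 if recursion_desired else 0x0000    # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def build_response(query, answers):
    """Constructed reply: echoes the question and adds one A record per
    address. Each answer names the owner with a compression pointer
    (0xC00C = offset 12, where the question name starts)."""
    txid, _, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180                       # QR=1, RD=1, RA=1: a recursive reply
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(answers), 0, 0)
    body = query[12:]
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + body

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def amplification(query, response):
    """Bytes returned per byte sent, at the DNS layer (IP/UDP headers excluded)."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("www.bogus.com", QTYPE_A)
    r = build_response(q, ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])
    h = parse_header(r)
    print(f"query {len(q)} bytes, reply {len(r)} bytes, "
          f"x{amplification(q, r):.2f}, RA={h['ra']}, answers={h['ancount']}")
```

A 31-byte question that draws a 95-byte answer is already a 3x gain; a server that answers ANY queries or supports large EDNS0 UDP payloads returns far more, and the `ra` flag in the reply is the quick test for whether a server will recurse for strangers.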

Smurf Amplification

[Figure: the zombie sends one ICMP echo request with source = victim and destination = the directed broadcast address of the amplifier network (amp.255 on a 255.255.255.0 network). Every host on that network answers, so one packet in becomes 500 echo replies to the victim]

• Jan 1998

• http://www.cert.org/advisories/CA-1998-01.html


Smurf Tool

Came out in March 1999!

Set packet size from 10 to 1300 octets

Smurf attack

"Internet attack slows Web to a crawl: Assault on Oz.net affects entire area" - Tuesday, January 18, 2000

"The Seattle attack was most likely launched by a single person…"

"… an ISP serving 7,000 subscribers, is known to have been targeted in the so-called smurf attack in Seattle, the assault affected many, perhaps even most, of the Internet users in the Seattle area, said experts."

"… all the corporate or academic networks the smurf attacker used in the assault -- as many as 2,000 nationwide"

Cisco – stopping Smurf

no ip directed-broadcast

Translation of a directed broadcast into a physical MAC broadcast is disabled on that interface, so the network can no longer serve as an amplifier. As of IOS 12.0 this is the default. It is an interface command: it stops your network being used against someone else's victim; it does nothing for a victim receiving the replies.

Infrastructure-level DDoS attacks

BGP / OSPF / … attacks

SYN flood on TCP 179 (BGP), SSH

ICMP attack

DNS attacks

Attacks directly on routers

Attacks directed at routers can have a broader impact than attacks directed at hosts.

Packets addressed to a router itself may be more CPU-consuming (slow path) than packets transiting the router, which are forwarded in the fast path.

October 2002: Massive attack on 13 DNS root servers

[Figure: ICMP floods from several ASes (AS x, AS y, AS 56) converge on the DNS root servers]

ICMP floods, 150K PPS (primitive attack). Took down 7 root servers (two hours).

Attacks & Attack Tools examples

TFN

Spoofed SYN flood, non-spoofed SYN flood, UDP flood, FIN and SYN-ACK flood (spoofed and non-spoofed), ping flood, Smurf flood, combined UDP/TCP/ICMP

Targa3 attack

Fragmentation attack: IP/UDP (jolt2), IP/ICMP (trash, and fawx), IP/TCP

HTTP connection flood (client attack), HTTP errors (404 etc.), HTTP half connections

DNS attacks, BGP attacks on routers

Partial list of covered tools: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naphta, Trash…

How are DDoS handled?

Router Filtering

Built-in and distributed but…

• Blocks good with bad

• Ineffective against random spoofing and application level attacks

• Potential performance degradation

• Manually intensive process

[Figure: ACLs and CARs applied on routers R1–R5 between the peering links (1000) and the servers Server1, Victim, Server2 behind FE (100) links]

Cisco ACLs - 1

Use an ACL to determine which interface is being attacked and the characteristics of the attack. Initial ACL to determine what type of attack:

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit ip any any

interface serial 1/1
 ip access-group 101 out
! Wait 10 seconds
 no ip access-group 101 out

Every entry permits, so the ACL changes nothing except to count matches. It is removed after a short sample because log-input costs router CPU for every matching packet, which during a flood is exactly what you cannot spare.

Cisco ACLs - 2

sh access-l 101

Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)

• Indications are that there is some sort of ICMP attack (an echo-reply flood)

• Need to place the ACL on each successive router in the upstream path

Cisco ACLs - 3

Next use 'log-input' to determine from where – via 'sho logging':

%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet

Three of the four logged packets entered on Serial 1/1, so Serial 1/1 is our prime suspect! The source addresses are not to be trusted (they may be spoofed); the ingress interface is what tells you which upstream router to repeat the exercise on.

Link: http://www.cisco.com/warp/public/707/22.html
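The three ACL slides above are a manual procedure: count per protocol, then read the log to find the ingress interface. As an added example (not from the Riverhead deck or from Cisco), the following parses constructed copies of the two outputs, a `show access-list` listing and `%SEC-6-IPACCESSLOGDP` lines in the shape `log-input` produces, and ranks protocols, ingress interfaces and sources. Sample data, regular expressions and function names are assumptions for illustration.

```python
"""Characterize a flood from the two Cisco outputs the slides use.

Added example, not from the Riverhead deck or Cisco. It parses a
constructed `show access-list` listing to rank protocols by match count,
and constructed %SEC-6-IPACCESSLOGDP lines (the format `log-input`
produces) to rank ingress interfaces and sources, which is how the next
upstream hop to repeat the exercise on is chosen.
"""
import re
from collections import Counter

# Constructed samples modelled on the slide output.
SHOW_ACL = """\
Extended IP access list 101
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply log-input (21374 matches)
    permit udp any any (18 matches)
    permit tcp any any (123 matches)
    permit ip any any (5 matches)
"""

SYSLOG = """\
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1 (Serial1/1) -> 128.139.19.5 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 172.17.3.34 (Serial1/1) -> 128.139.11.2 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.2.15 (FastEthernet1/0/0) -> 128.139.6.1 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.3.4 (Serial1/1) -> 128.139.6.1 (0/0), 1 packet
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)\s*\((\d+) matches?\)")
# Source/destination may carry a port in parentheses (TCP/UDP) and the
# ingress field may also hold a MAC address; both are tolerated.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (\S+) (\S+) (\S+) "
    r"(\d+(?:\.\d+){3})(?:\((\d+)\))? \(([^)]*)\) -> "
    r"(\d+(?:\.\d+){3})(?:\((\d+)\))? \(([^)]*)\), (\d+) packets?")

def ace_matches(text):
    """{'icmp any any echo-reply log-input': 21374, ...} from `show access-list`."""
    out = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            out[f"{m.group(2)} {m.group(3)}"] = int(m.group(4))
    return out

def dominant_protocol(matches):
    """(protocol, share of all matches) for the busiest protocol."""
    totals = Counter()
    for ace, n in matches.items():
        totals[ace.split()[0]] += n
    if not totals:
        return None, 0.0
    proto, n = totals.most_common(1)[0]
    return proto, n / sum(totals.values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rows.append({"list": m.group(1), "proto": m.group(3), "src": m.group(4),
                         "in_if": m.group(6).split()[0], "dst": m.group(7),
                         "packets": int(m.group(10))})
    return rows

def ingress_ranking(rows):
    """Packets per ingress interface, busiest first: the router on the far end
    of the top interface is the next place to install the same ACL."""
    c = Counter()
    for r in rows:
        c[r["in_if"]] += r["packets"]
    return c.most_common()

def source_ranking(rows):
    """Packets per source address; only meaningful if the sources are not spoofed."""
    c = Counter()
    for r in rows:
        c[r["src"]] += r["packets"]
    return c.most_common()

if __name__ == "__main__":
    print("dominant protocol:", dominant_protocol(ace_matches(SHOW_ACL)))
    print("ingress ranking:", ingress_ranking(parse_log(SYSLOG)))
```

Run over a real `sho logging` capture the ingress ranking is the only trustworthy field: it comes from the router, while the source column is whatever the attacker wrote.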

Cisco CAR

CAR – Committed Access Rate

interface ATM1/1/0.21 point-to-point
 rate-limit input access-group 180 96000 24000 32000 conform-action continue exceed-action drop
 rate-limit input access-group 190 128000 30000 30000 conform-action transmit exceed-action drop
!
access-list 180 deny icmp 128.139.252.0 0.0.0.255 any
access-list 180 permit icmp any any
access-list 190 deny tcp any any established
access-list 190 permit tcp any any

The three numbers after the access-group are the bandwidth (bits/s), the normal burst (bytes) and the maximum burst (bytes).

In a rate-limit access list, deny does not drop: it excludes the traffic from the limiter. Here ICMP from 128.139.252.0/24 and already-established TCP are left unlimited.

No one really understands "burst" – best to read: http://www.nanog.org/mtg-9811/ppt/witt/index.htm
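What the bandwidth and normal-burst numbers do, as an added example rather than anything from the Riverhead deck or Cisco IOS: a plain token bucket fed with the slide's first limiter (96000 bit/s, 24000-byte normal burst, which is two seconds of credit). IOS's extended burst is a probabilistic extra stage that is deliberately not modelled. Packet sizes and timings are constructed.

```python
"""Token-bucket reading of the CAR line `rate-limit ... 96000 24000 32000`.

Added example, not from the Riverhead deck or Cisco IOS. A bucket holds at
most normal_burst bytes and is refilled at rate_bps; a packet conforms when
the bucket holds at least its size, otherwise it exceeds (and is dropped,
as `exceed-action drop` does). IOS's extended burst (the third number)
adds a probabilistic "compounded debt" stage that is NOT modelled here;
this is the plain token bucket. Timings below are constructed.
"""

class TokenBucket:
    def __init__(self, rate_bps, normal_burst_bytes):
        self.refill = rate_bps / 8.0          # bytes of credit per second
        self.depth = float(normal_burst_bytes)
        self.tokens = self.depth              # a quiet link starts with a full bucket
        self.last = 0.0

    def offer(self, t, size):
        """Conform (True) or exceed (False) for a size-byte packet at time t seconds."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.refill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def burst_at_once(rate_bps, normal_burst, sizes):
    """How a back-to-back burst at t=0 splits: only normal_burst bytes conform."""
    tb = TokenBucket(rate_bps, normal_burst)
    return [tb.offer(0.0, s) for s in sizes]

def steady_stream(rate_bps, normal_burst, packet_size, pps, seconds):
    """Offer packet_size-byte packets at pps for `seconds` seconds; return
    (conforming, exceeding, conforming bit rate)."""
    tb = TokenBucket(rate_bps, normal_burst)
    n = int(pps * seconds)
    conform = sum(tb.offer(i / pps, packet_size) for i in range(n))
    return conform, n - conform, conform * packet_size * 8 / seconds

if __name__ == "__main__":
    # 20 x 1500-byte packets arriving together: 16 fit in the 24000-byte burst.
    print(burst_at_once(96000, 24000, [1500] * 20).count(True), "of 20 burst packets conform")
    # A 100-byte ICMP flood at 1000 pps (800 kbit/s) is cut to ~96 kbit/s
    # plus the stored burst spread over the run.
    print(steady_stream(96000, 24000, 100, 1000, 10))
    # 50 pps (40 kbit/s) is under the rate: nothing exceeds.
    print(steady_stream(96000, 24000, 100, 50, 10))
```

The same model shows why CAR "also limits good traffic": the bucket has no idea which 100-byte ICMP packets are the flood, so once the credit is gone legitimate echo replies exceed at the same ratio as the attack.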

Cisco uRPF

[Figure: Router A and Router B. A packet with a given source comes in; the router looks the source up in its routing table and asks whether routing back to the source goes through the same interface. Path back on this line: accept the packet. Path via a different interface: reject the packet]

Cisco uRPF - 1

Unicast Reverse Path Forwarding

Requires CEF

Available starting in 11.1(17)CC and 12.0

• Not available in 11.2 or 11.3 images

Cisco interface command: ip verify unicast reverse-path (strict mode; later releases express it as ip verify unicast source reachable-via rx, with reachable-via any for the loose check)
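The decision the uRPF figure describes, written out over a small routing table. This is an added example, not code from the Riverhead deck or from Cisco IOS: the table, interface names and packets are constructed, and the function names are assumptions. It covers both the strict check on the slide and the loose variant, and the second packet in the test shows the strict-mode caveat that legitimate traffic on an asymmetric path is dropped.

```python
"""Unicast RPF decision, strict and loose, over a small routing table.

Added example, not from the Riverhead deck or Cisco IOS. The table,
interfaces and packets are constructed. Strict mode accepts a packet only
if the longest-prefix route back to its source points out the interface
it arrived on; loose mode only requires that some non-blackhole route to
the source exist.
"""
import ipaddress

# Constructed FIB of Router A: prefix -> outgoing interface ("Null0" = blackhole).
RIB = {
    "10.0.0.0/8":      "Serial1/1",          # customer behind the serial link
    "10.1.0.0/16":     "FastEthernet0/0",    # more specific: a directly connected LAN
    "192.0.2.0/24":    "Serial1/1",
    "198.51.100.0/24": "Serial2/0",
    "203.0.113.0/24":  "Null0",              # blackholed prefix
    "0.0.0.0/0":       "Serial2/0",          # default route toward the upstream
}
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in RIB.items()]

def lookup(src):
    """Longest-prefix match; returns (network, outgoing interface) or (None, None)."""
    addr = ipaddress.ip_address(src)
    candidates = [(n, ifc) for n, ifc in ROUTES if addr in n]
    if not candidates:
        return None, None
    return max(candidates, key=lambda e: e[0].prefixlen)

def urpf(src, in_if, mode="strict", allow_default=False):
    """True = accept, False = drop. A match on the default route only counts
    when allow_default is set (the `allow-default` option on IOS)."""
    net, out_if = lookup(src)
    if net is None or out_if == "Null0":
        return False                    # unroutable or blackholed source
    if net.prefixlen == 0 and not allow_default:
        return False                    # only the default route knows this source
    if mode == "loose":
        return True                     # some real route exists: good enough
    return out_if == in_if              # strict: must come back the same way

if __name__ == "__main__":
    packets = [("10.1.5.7", "FastEthernet0/0"),   # LAN host on its own interface
               ("10.1.5.7", "Serial1/1"),         # LAN address arriving from the WAN: spoofed
               ("203.0.113.9", "Serial2/0"),      # blackholed prefix
               ("198.51.100.5", "Serial1/1")]     # asymmetric path: strict drops it
    for src, ifc in packets:
        print(f"{src:14s} in {ifc:16s} strict={urpf(src, ifc)} loose={urpf(src, ifc, 'loose')}")
```

Strict uRPF is what the slide draws; the last packet is why operators run it only at edges with a single path (customer and stub links) and use loose mode, or none, on multi-homed peering links.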

Blackholing

[Figure: the same topology as the router filtering slide; blackholing the victim's address at the routers = disconnecting the customer]

Null0 routing

Works only on destination addresses

Simple blackhole:

ip route 191.1.1.1 255.255.255.255 null0

Caveat: routers can forward faster than they can drop packets. On platforms that generate ICMP unreachables for packets sent to Null0, add no ip unreachables on interface Null0 so the drop itself does not load the CPU.

Blackholes good packets along with bad packets: the victim's address is unreachable for everyone until the route is removed.

Router Capabilities

ACLs: manual process; performance impact on some routers

CAR: performance impact on some routers; also limits good traffic

uRPF: not universally enforced; limited attack protection

Issue:
• Too coarse – affects good as well as bad traffic
• Router CPU/ASIC limitations – impacts performance
• Ineffective on several different attacks

Blocks good along with the bad

In-line Mitigation: Edge Device

Low cost and simple deployment, but…

• Upstream ingress still choked

• Device itself becomes point of failure

• Doesn't scale – requires many

• Easy to overwhelm a FW

[Figure: the same topology with the mitigation device in-line in front of Server1, Victim and Server2]

Diversion and Precise Filtering

Protects all resources

• No point of failure or latency on critical path

• No router impact

• Scales via sharing

• Dynamic and precise filtering

[Figure: the same topology with the Guard attached to R4 off the critical path; only the victim's traffic is diverted through the Guard and returned]

Solution Overview

DDoS Detection = Riverhead Detector

DDoS Protection = Riverhead Guard

Upstream = Not on the Critical Path

[Figure: Victim and non-victimized servers; the Guard sits upstream, off the path the servers' normal traffic takes]

Solution Overview

1. Detect: Riverhead Detector, or an IDS system, firewall or health checks

2. Activate: Auto/Manual

3. Divert only the victim's traffic: the Riverhead Guard makes a BGP announcement for the victim's address

[Figure: the Detector activates the Guard; the Guard's BGP announcement pulls the victim's traffic to it while non-victimized servers are untouched]

Solution Overview

[Figure: all traffic destined to the victim is drawn to the Riverhead Guard; only the legitimate traffic to the victim is forwarded on; non-victimized servers keep their normal path]

"No dynamic configuration"

Hijack traffic = BGP (a more-specific announcement for the victim's address)

Inject the cleaned traffic back = GRE, VRF, VLAN, FBF, PBR… (a path that bypasses the diversion route, otherwise the cleaned traffic would be pulled back to the Guard)
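The hijack-and-inject mechanics of the two overview slides, as an added example that is not code from the Riverhead deck: one router's forwarding table with constructed prefixes and next hops. Activation adds a /32 for the victim with the Guard as next hop, which wins longest-prefix match, so the rest of the customer's /24 keeps its path; the "VRF" injection option is modelled as a second table without the diversion route. Names such as `Fib`, `activate` and `forward_path` are assumptions for illustration.

```python
"""Diverting only the victim's traffic with a more-specific route.

Added example, not code from the Riverhead deck. It models one router's
forwarding table (constructed prefixes and next hops). Activation adds a
/32 for the victim pointing at the Guard, which wins longest-prefix match,
so the rest of the customer's /24 keeps its normal path. Returning cleaned
traffic cannot use the same table, or it would match the /32 and loop back
to the Guard; the "VRF" injection option is modelled as a second table
that does not carry the diversion route.
"""
import ipaddress

class Fib:
    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def add(self, prefix, nexthop):
        self.routes[ipaddress.ip_network(prefix)] = nexthop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        """Longest-prefix match, or None when nothing covers dst."""
        addr = ipaddress.ip_address(dst)
        cands = [(n, nh) for n, nh in self.routes.items() if addr in n]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

# Constructed: the customer's /24 is reached via its edge router, everything
# else goes to the peering router.
BASE = {"198.51.100.0/24": "R-customer", "0.0.0.0/0": "R-peering"}
VICTIM = "198.51.100.10"

def activate(global_fib):
    """The Guard announces victim/32 via BGP; the diversion router installs it."""
    global_fib.add(VICTIM + "/32", "Guard")

def deactivate(global_fib):
    """Withdrawing the /32 restores the normal path; nothing else changes."""
    global_fib.withdraw(VICTIM + "/32")

def forward_path(global_fib, inject_fib, dst, max_hops=4):
    """Trace next hops for a packet to dst. After the Guard, cleaned packets
    are forwarded using inject_fib (the VRF) when one is given, otherwise
    they re-enter the global table, which is the loop the slide warns about."""
    hops, fib = [], global_fib
    for _ in range(max_hops):
        nh = fib.next_hop(dst)
        hops.append(nh)
        if nh == "Guard":
            fib = inject_fib if inject_fib is not None else global_fib
            continue
        break
    return hops

if __name__ == "__main__":
    global_fib, vrf = Fib(BASE), Fib(BASE)
    activate(global_fib)
    print("victim     :", forward_path(global_fib, vrf, VICTIM))
    print("neighbour  :", forward_path(global_fib, vrf, "198.51.100.11"))
    print("no injection:", forward_path(global_fib, None, VICTIM))
```

The neighbour at 198.51.100.11 never touches the Guard, which is the "divert only the victim's traffic" property; the no-injection trace is the loop that GRE, VRF or PBR injection exists to break.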

Adaptive and Dynamic Filtering

Static & dynamic filters

Anti spoofing

Statistical analysis

Rate-limiting & DDoS traffic shaping

Layer 7: http, smtp

1 to 100s of dynamic filters by flow, protocol

Per flow queues and aggregate rates

[Comment on the slide: How about "Multistage Adaptive Filtering"?]
ISP Perimeter Protection

ISP Edge Protection

IDC Enterprise Protection

Actual Production Network

[Figure: ISP 1 and ISP 2 peering routers (Cisco GSR 12000, Juniper, Foundry) feed Catalyst 8500 switches (Cisco, Foundry); the Riverhead Guard attaches on Gigabit Ethernet; behind the switches sit a firewall, the internal network and the customers' servers; Catalyst IDS / IDS sensors (Riverhead or other detectors) raise the alert]

Live Data Center Test

Victim & Guard: actual hosting center (Netax, Philadelphia)

Attackers: Mercury Interactive

User experience measured at the clients

[Figure: attackers (A) and clients (C) reaching the hosting center]

Real World Results

Detailed Effect: Victim vs Non-victim

[Figure: latency (usec, log scale 100–10000) over time for the victim and a non-victim, across three phases: normal, attack, attack + diversion]


Thank you!

Comments:

[email protected]