8/2/2019 Cisco Guard Packet Analysis
1/29
2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
DDoS: Anatomy of an Attack
A Packet Flow Perspective
Objective
This example follows an attack through the Cisco Guard DDoS Mitigation Appliance process to explain and simplify the following:
- Understand the different modes, policies, and filters that are used and created.
- Understand the different show reports that could be used to explain how the flow of traffic ties in with the protection cycle that is at play in the guard module.
Assumption
This example runs through a few simple attack vectors so that a minimal number of policies are triggered, making it easier to explain from a packet flow perspective.
The Cisco Guard DDoS Mitigation Appliance is in protect mode to begin with. (This example does not include explanations of all the different mechanisms available with the guard.)
Denial-of-Service Attacks: DoS and DDoS
[Figure: attacker and zombie hosts sending traffic toward two Web Servers]
Denial-of-service (DoS) attacks are meant to deny access to authorized users and consume enterprise resources:
- Bandwidth
- CPU
- Memory blocks
The hacker can use compromised PCs and servers that become zombies or bots to launch the attack (distributed DoS [DDoS]).
TCP SYN Flood Attack Vector
With the TCP SYN flood attack, the attacker is hoping to:
- Fill and overflow the TCP server queue (memory) so that the oldest SYN_RCVD entries are flushed.
- Fill the TCP queue faster than the typical SYN + ACK round-trip time (RTT) so that valid customer SYN_RCVD entries are crowded out.
TCP SYN Flood Attack (Spoofed)
[Figure: demo lab setup used to generate the attack vectors]
TCP SYN Flood: Pushing Out the Old Entries
[Figure: Attacker sends a continuous stream of SYNs to the TCP Server; the server's SYN_RCVD table fills up and the oldest entries are dropped]
- Server TCP table filling faster than it can execute FIFO
- New SYN messages push out oldest SYN_RCVD entries
TCP SYN Flood: SYN_RCVD Gets Pushed
[Figure: the Attacker's SYN stream keeps the TCP Server's SYN_RCVD table full; a Valid User sends SYN, receives SYN/ACK and sends ACK, but by then the entry is gone ("ACK ?", "Data?", "Silence")]
- No SYN_RCVD waiting when the ACK gets back
- Valid user gets to the ACK, but the server does not set up
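The two diagrams above boil down to a race between the flood and the client's round trip. The following model, added here as an illustration and not taken from the Cisco deck, treats the server's SYN_RCVD table as a fixed-size FIFO: when it is full, each new SYN pushes out the oldest half-open entry, so a legitimate client's entry survives only if its ACK returns before the flood has cycled through the whole table. Table sizes, flood rates and RTTs are constructed sample values.

```python
"""Model of a TCP server's SYN_RCVD table under a spoofed SYN flood.

Added illustration, not part of the Cisco deck: the table is a FIFO of
fixed size, so once it is full each new SYN pushes out the oldest
half-open entry. A legitimate client's entry therefore survives only if
its ACK returns (one RTT after its SYN) before the flood has cycled the
whole table. All sizes and rates below are constructed sample values.
"""
from collections import deque


def simulate_backlog(backlog_size, flood_rate_pps, rtt_ms):
    """Run one legitimate handshake while the flood is in progress.

    backlog_size   -- SYN_RCVD entries the server table can hold
    flood_rate_pps -- spoofed SYNs per second arriving from the attacker
    rtt_ms         -- SYN/ACK -> ACK round-trip time for the valid client

    Returns (ack_finds_entry, spoofed_during_rtt).
    """
    # deque(maxlen=n) drops the oldest element when a new one is appended
    # to a full deque, which is exactly the FIFO eviction on the slide.
    table = deque(maxlen=backlog_size)
    for i in range(backlog_size):          # steady state: table full of junk
        table.append(("spoofed", -1 - i))

    valid = ("valid", 0)
    table.append(valid)                    # valid SYN -> SYN_RCVD entry created

    # Spoofed SYNs that land between the valid SYN and the valid ACK.
    spoofed_during_rtt = flood_rate_pps * rtt_ms // 1000
    for k in range(spoofed_during_rtt):
        table.append(("spoofed", k + 1))   # each one evicts the oldest entry

    # The ACK arrives: does the server still hold the SYN_RCVD entry?
    return (valid in table, spoofed_during_rtt)


def required_backlog(flood_rate_pps, rtt_ms):
    """Smallest table that keeps a valid entry alive for one RTT."""
    return flood_rate_pps * rtt_ms // 1000 + 1


if __name__ == "__main__":
    for rate in (5_000, 10_230, 10_240, 20_000):
        ok, n = simulate_backlog(1024, rate, 100)
        print(f"{rate:>6} SYN/s: {n:>5} spoofed SYNs per RTT -> "
              f"{'handshake completes' if ok else 'SYN_RCVD entry pushed out'}")
    print("backlog needed at 20000 SYN/s, 100 ms RTT:",
          required_backlog(20_000, 100))
```

The point the model makes is the one on the slide: the attacker does not need to exhaust bandwidth, only to deliver more SYNs per RTT than the table holds, which is why the guard's per-destination SYN thresholds (seen later in the `show policies` output) are set far below any link capacity.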
Understanding Policy Types
The Cisco Guard DDoS Mitigation Appliance has policy templates that can be used to construct the policy. Policies can even be constructed based on onsite learning.
There are several policy templates, including:
- Tcp_services (for non-HTTP TCP services)
- Udp_services (User Datagram Protocol [UDP] services)
- http (HTTP that flows through port 80)
- Dns_tcp (DNS-TCP protocol traffic)
- Tcp_connections (connection characteristics)
- Tcp_ratio (ratios between different types, such as SYN vs. FIN/RST)
- ...
- Other protocols (those not covered or learned explicitly by the guard)
TFN Attack Tool
[Screenshot: configuration for the zone. The default zone template dictates the choice (proxy or no proxy) and type of protection. Other valid choices are: GUARD_TCP_NO_PROXY, GUARD_VOIP]
[Screenshot: the policy templates that are continuously monitored, based on traffic protocol type]
[Screenshot: screen for select TCP services; click to see details]
[Screenshot: details list the parameters used to analyze the flow, such as dst_ip, src_ip, etc.]
se@GUARD-conf-zone-Demo>show policies | include tcp_services/any/analysis
Policy                                   State IStatus Threshold Proxy List Action          Timeout
tcp_services/any/analysis/pkts/dst_ip    act   a-accpt 100.00    -     0    to-user-filters 600
tcp_services/any/analysis/pkts/dst_port  act   a-accpt 400.00    -     0    to-user-filters 600
tcp_services/any/analysis/pkts/global    act   a-accpt 150.00    -     0    to-user-filters 600
tcp_services/any/analysis/pkts/src_ip    act   a-accpt 200.00    -     0    to-user-filters 600
tcp_services/any/analysis/reqs/dst_ip    act   a-accpt 100.00    -     0    to-user-filters 600
tcp_services/any/analysis/reqs/dst_port  act   a-accpt 250.00    -     0    to-user-filters 600
tcp_services/any/analysis/reqs/global    act   a-accpt 150.00    -     0    to-user-filters 600
tcp_services/any/analysis/reqs/src_ip    act   a-accpt 150.00    -     0    to-user-filters 600
tcp_services/any/analysis/syns/dst_ip    act   a-accpt 50.00     -     0    to-user-filters 600
tcp_services/any/analysis/syns/dst_port  act   a-accpt 150.00    -     0    to-user-filters 600
tcp_services/any/analysis/syns/global    act   a-accpt 100.00    -     0    to-user-filters 600
tcp_services/any/analysis/syns/src_ip    act   a-accpt 150.00    -     0    to-user-filters 600
The same set of services when viewed through the CLI commands on the Cisco Guard DDoS Mitigation Appliance; multiple elements of the same packet are analyzed (packets, registrations, SYN messages, etc.) along with dst_ip and src_ip.
All these services listed selectively apply to the traffic flows during the analysis mode; that is the first mode the Cisco Guard DDoS Mitigation Appliance starts in.
It is important to understand the action to-user-filters, which specifies traffic to be directed to the user filters before going on to the basic mode. The filter will live 600 sec (10 min) as long as there is no more activity.
[Screenshot: traffic could get directed to the USER FILTERS as it goes between the analysis and basic modes]
[Screenshot: show counters before the attack]
TFN Attack Tool
[Screenshot: launch the spoofed TCP SYN attack]
Two Dynamic Filters Are Added
The two flows under analysis mode are triggered with this attack.
Action is to-user-filters, keying off protocol (6) and destination port (80).
Because it is higher than the thresholds (50 and 150 as seen), the action is to forward it off to the user filters.
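To make the link between the `show policies` table and the two dynamic filters concrete, here is an added example (not Cisco code) that parses the twelve policy rows exactly as printed above and evaluates a constructed set of measured rates against them. The rates, the flow key (protocol 6, destination port 80) and the rule "an active policy whose measured rate exceeds its threshold fires its action" are assumptions for the illustration; how the real guard samples each key is not modelled. The spoofed flood shows up as a high SYN rate per destination IP and per destination port while the per-source rate stays tiny, which is why the syns/dst_ip (threshold 50) and syns/dst_port (threshold 150) policies fire and syns/src_ip does not.

```python
"""Parse the guard's `show policies` output and work out which analysis
policies a measured flow would trip.

Added illustration, not Cisco code: the 12 policy rows are those shown on
the slide; the per-policy rates in OBSERVED are constructed sample values
for a spoofed SYN flood to TCP port 80. How the real guard measures each
key is not modelled; here a rate above the threshold on an active policy
simply triggers the row's action with the row's timeout.
"""
from dataclasses import dataclass

SHOW_POLICIES = """\
Policy State IStatus Threshold Proxy List Action Timeout
tcp_services/any/analysis/pkts/dst_ip act a-accpt 100.00 - 0 to-user-filters 600
tcp_services/any/analysis/pkts/dst_port act a-accpt 400.00 - 0 to-user-filters 600
tcp_services/any/analysis/pkts/global act a-accpt 150.00 - 0 to-user-filters 600
tcp_services/any/analysis/pkts/src_ip act a-accpt 200.00 - 0 to-user-filters 600
tcp_services/any/analysis/reqs/dst_ip act a-accpt 100.00 - 0 to-user-filters 600
tcp_services/any/analysis/reqs/dst_port act a-accpt 250.00 - 0 to-user-filters 600
tcp_services/any/analysis/reqs/global act a-accpt 150.00 - 0 to-user-filters 600
tcp_services/any/analysis/reqs/src_ip act a-accpt 150.00 - 0 to-user-filters 600
tcp_services/any/analysis/syns/dst_ip act a-accpt 50.00 - 0 to-user-filters 600
tcp_services/any/analysis/syns/dst_port act a-accpt 150.00 - 0 to-user-filters 600
tcp_services/any/analysis/syns/global act a-accpt 100.00 - 0 to-user-filters 600
tcp_services/any/analysis/syns/src_ip act a-accpt 150.00 - 0 to-user-filters 600
"""


@dataclass
class Policy:
    name: str
    state: str
    istatus: str
    threshold: float
    proxy: str
    list_id: int
    action: str
    timeout_s: int


def parse_show_policies(text):
    """Turn the CLI table into Policy objects; header and odd lines are skipped."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Policy":
            continue
        name, state, istatus, thr, proxy, list_id, action, timeout = fields
        policies.append(Policy(name, state, istatus, float(thr), proxy,
                               int(list_id), action, int(timeout)))
    return policies


# Constructed sample: the flood keys on protocol 6 / destination port 80.
FLOW = {"protocol": 6, "dst_port": 80}
OBSERVED = {
    # every spoofed SYN hits the same target, so per-destination rates soar
    "tcp_services/any/analysis/syns/dst_ip": 2400.0,
    "tcp_services/any/analysis/syns/dst_port": 2400.0,
    # each forged source address sends only a couple of SYNs (under 150)
    "tcp_services/any/analysis/syns/src_ip": 2.0,
}


def evaluate(policies, observed, flow):
    """Return the dynamic filters an over-threshold active policy would create."""
    filters = []
    for p in policies:
        rate = observed.get(p.name)
        if rate is None or p.state != "act":
            continue
        if rate > p.threshold:
            filters.append({
                "policy": p.name,
                "rate": rate,
                "threshold": p.threshold,
                "action": p.action,           # to-user-filters on this slide
                "match": dict(flow),          # protocol 6, dst port 80
                "timeout_s": p.timeout_s,     # filter idles out after 600 s
            })
    return filters


if __name__ == "__main__":
    for f in evaluate(parse_show_policies(SHOW_POLICIES), OBSERVED, FLOW):
        print(f"{f['policy']}: {f['rate']} > {f['threshold']} -> "
              f"{f['action']} match={f['match']} timeout={f['timeout_s']}s")
```

When reviewing a guard's counters after an event, this is the check worth repeating by hand: which rows are active, which measured keys exceeded them, and therefore which user filters to expect in the next `show` report and for how long (the 600 second timeout) they will persist without further matching traffic.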
Because there is no legitimate traffic, all the malicious spoofed traffic is caught by the user filters.
Almost all the traffic is caught by the user filter.
[Screenshot: graphical view of malicious traffic]
Packet Flow Through the Defense Modules
Detection: passive copy of traffic monitoring
  -> Attack Detected
Analysis: diversion for more granular inline analysis; flex filters, static filters, and bypass in operation; all flows forwarded but analyzed for anomalies
  -> Anomaly Verified
Basic Protection: basic antispoofing applied; analysis for continuing anomalies
  -> Anomaly Sources Identified
Strong Protection: strong antispoofing (proxy) if needed; dynamic filtering of zombie sources
Learning: periodic observation of patterns to automatically update baseline profiles
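The "strong antispoofing (proxy)" stage is what finally decouples the server from the flood shown in the earlier SYN_RCVD diagrams. The following added example (not Cisco code, and not a description of the Cisco Guard's internal implementation) models the idea in its simplest form: the proxy answers every SYN itself with a SYN/ACK whose cookie is an HMAC over the source address, stores nothing, and replays the handshake to the real server only for a source that returns the matching ACK. The addresses, the key and the server model are constructed sample values.

```python
"""Strong antispoofing (TCP proxy) modelled in a few lines.

Added illustration, not Cisco code: the guard answers every SYN itself
with a SYN/ACK carrying an HMAC-derived cookie, keeps no per-SYN state,
and only forwards a source to the server after that source returns the
matching ACK. Spoofed sources never ACK, so the server's SYN_RCVD table
never sees them. Addresses and the key are constructed sample values.
"""
import hashlib
import hmac
from collections import deque


class TcpServer:
    """Minimal server: a bounded SYN_RCVD table and an established list."""

    def __init__(self, backlog_size):
        self.syn_rcvd = deque(maxlen=backlog_size)   # oldest entry evicted when full
        self.established = []

    def on_syn(self, src):
        self.syn_rcvd.append(src)

    def on_ack(self, src):
        if src in self.syn_rcvd:
            self.syn_rcvd.remove(src)
            self.established.append(src)
            return True
        return False                                  # no SYN_RCVD entry: ACK ignored


class GuardProxy:
    """Stateless SYN proxy in front of the server."""

    def __init__(self, server, key):
        self.server = server
        self.key = key
        self.forwarded = []                           # sources proven reachable

    def _cookie(self, src):
        # Cookie is recomputable from the source address, so no table is needed
        return hmac.new(self.key, src.encode(), hashlib.sha256).digest()[:4]

    def on_syn(self, src):
        """Answer on the server's behalf; nothing is stored, nothing forwarded."""
        return ("SYN/ACK", self._cookie(src))

    def on_ack(self, src, cookie):
        if not hmac.compare_digest(cookie, self._cookie(src)):
            return False                              # forged or stale ACK
        # The source can receive packets, so it is not spoofed: replay the
        # handshake toward the real server and let it allocate state now.
        self.server.on_syn(src)
        self.server.on_ack(src)
        self.forwarded.append(src)
        return True


def run_scenario(spoofed_count=5000, backlog_size=1024):
    """Flood the proxy with spoofed SYNs while three real clients connect."""
    server = TcpServer(backlog_size)
    guard = GuardProxy(server, key=b"constructed-demo-key")
    # Constructed spoofed sources: one SYN each, no ACK ever comes back
    for i in range(spoofed_count):
        guard.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
    # Constructed legitimate clients complete the three-way handshake
    legit = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for src in legit:
        _, cookie = guard.on_syn(src)
        guard.on_ack(src, cookie)
    # An ACK with a made-up cookie must not reach the server
    forged = guard.on_ack("192.0.2.99", b"\x00\x00\x00\x00")
    return {
        "server_syn_rcvd": len(server.syn_rcvd),
        "server_established": len(server.established),
        "forwarded": list(guard.forwarded),
        "forged_ack_accepted": forged,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The result to notice is that the server's SYN_RCVD table is empty after five thousand spoofed SYNs, whereas without the proxy the FIFO model earlier on this page would have evicted every legitimate entry within one RTT; the cost is that the proxy must be in the path of all target traffic, which is exactly why the guard diverts only the target's prefix via BGP in the solution diagram that follows.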
Cisco DDoS Solution
[Figure, built up over several slides: a Cisco Detector XT and a Cisco Guard XT in front of three protected zones: Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application. The steps below are added one per slide against the Target.]
1. Detect (Cisco Detector XT)
2. Activate: Auto/Manual
3. Divert Only Target Traffic (BGP Announcement; traffic destined to the target is drawn to the Cisco Guard XT)
4. Identify and Filter the Malicious Traffic
5. Forward the Legitimate Traffic (legitimate traffic to the target)
6. Non-Targeted Traffic Flows Freely