DDoS Mitigation for ISP subscribers Rajaram Pejaver November 23, 2010 De-DDoS

DDoS Mitigation for ISP subscribers

Rajaram Pejaver

November 23, 2010

De-DDoS


November 23, 2010 © Rajaram Pejaver 2

Agenda
• An introduction to DDoS
• Solution Architecture
• Operation
  – Configuration and Provisioning
  – Mitigation Operation
  – Tear down
• Simple Questions™
• Product positioning
• Conclusions


Introduction to DDoS

History & Motivation

DDoS attack structure


Architecture - 1

[Diagram: "Before Mitigation". Elements: Attacking Hosts, Legitimate Host, ISP Peering points, ISP Infrastructure Routers, Last hop router, Attacked Site. Traffic legend: Attack traffic, Good traffic, Unrelated traffic.]


Architecture - 2

[Diagram: "During Mitigation". Elements: Attacking Hosts, Legitimate Host, Mitigation Service, Tunnel, GRE De-encapsulation, Attacked Site. Traffic legend: Attack traffic, Diverted Attack traffic, Good traffic, Good traffic inside Tunnel, Unrelated traffic.]


Configuration & Provisioning

[Flowchart, boxes in the order they appear on the slide: START; DDoS Attack Observed; Engage Mitigation Service; Contract Terms; Configure Mitigation Service; Setup GRE Tunnel; Update Routing tables; Mitigation Service Started. An additional label reads "Alternate".]

Configuration data:
- IP address
- Service ports
- Welcome banner
- Initial WhiteList
- SSL certs


Mitigation Operation - 1
• What happens at the Mitigation Service?
• Mega service accepts ALL incoming connections. Consists of a cluster of powerful servers, load balanced.
• Responds to every HTTP request with a query. Humans can easily recognize and answer the query. Computer programs can’t.
• IP addresses of correct responders are White Listed. White Listed traffic is forwarded to subscriber via tunnel.
• Statistical sharing of Mitigation Service.
• Only a few subscribers will be under attack at any one time. Service needs to handle only a few simultaneous attacks. Capital costs are spread over entire subscriber base.


Mitigation Operation - 2

[Flowchart: handling of inbound packets]

Decisions (each with Yes/No branches):
• Source IP in WhiteList?
• Already in Connection table?
• New Connection request?
• Correct response?

Actions:
• Forward good packet to Tunnel
• Add to connection table
• Send connection response
• Discard packet
• Send HTTP Redirect
• Add IP address to WhiteList
• Remove from connection table
• Disconnect

Processing State Machine:
1: Accept Connection
2: Setup SSL (if required)
3: Accept HTTP GET
4: Respond with query
5: Receive query response
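The inbound-packet decisions on the two Mitigation Operation slides, as an added Python example (not code from the presentation). The Yes/No branch wiring is inferred from the slide labels, the SSL step is left out, and the simplified packet model and the names `Packet`, `MitigationService`, `SAMPLE` and `replay` are assumptions made for illustration.

```python
# Added illustration of the "Mitigation Operation" slides; wiring and names are assumptions.
from dataclasses import dataclass, field
QUESTIONS = [("Which letter follows D in the alphabet?", "E"),  # from the
             ("How much is five plus two?", "7")]   # "Simple Questions" slide

@dataclass
class Packet:                      # constructed, simplified packet model
    src_ip: str
    src_port: int
    kind: str                      # "SYN", "GET", "ANSWER" or "DATA"
    body: str = ""

@dataclass
class MitigationService:
    whitelist: set = field(default_factory=set)
    conns: dict = field(default_factory=dict)  # (ip, port) -> expected answer
    asked: int = 0

    def handle(self, p: Packet) -> str:
        key = (p.src_ip, p.src_port)
        if p.src_ip in self.whitelist:          # Source IP in WhiteList?
            return "FORWARD_TO_TUNNEL"
        if key not in self.conns:               # Already in connection table?
            if p.kind != "SYN":                 # New connection request?
                return "DISCARD"
            self.conns[key] = None              # accepted, no query sent yet
            return "CONNECTION_RESPONSE"
        expected = self.conns[key]
        if p.kind == "GET" and expected is None:
            question, answer = QUESTIONS[self.asked % len(QUESTIONS)]
            self.asked += 1
            self.conns[key] = answer            # remember the expected reply
            return "QUERY: " + question
        del self.conns[key]                     # all other paths end the connection
        if p.kind == "ANSWER" and p.body.strip().upper() == expected:
            self.whitelist.add(p.src_ip)        # correct responder is whitelisted
            return "REDIRECT"
        return "DISCONNECT"                     # wrong answer or out of sequence

SAMPLE = [  # constructed traffic, documentation-range addresses
    Packet("198.51.100.7", 40000, "SYN"), Packet("198.51.100.7", 40000, "GET"),
    Packet("198.51.100.7", 40000, "ANSWER", "e"), Packet("198.51.100.7", 40001, "DATA"),
    Packet("203.0.113.9", 5555, "DATA"), Packet("203.0.113.9", 5556, "SYN"),
    Packet("203.0.113.9", 5556, "GET"), Packet("203.0.113.9", 5556, "ANSWER", "42"),
]

def replay(packets):
    svc = MitigationService()
    return [svc.handle(p) for p in packets], svc
```

`replay(SAMPLE)` returns the per-packet decisions and the final service state: the first host answers correctly and its later traffic is forwarded, while the second host's unsolicited packet is discarded and its wrong answer ends in a disconnect.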


Tear Down
• Ending Mitigation Service is easy.
• Just restore normal routing to the subscriber’s IP address.
• GRE tunnel can be left up for a bit (useful if attack resumes).
• Final billing and usage statistics can include:
  – Mitigation duration, start & end times.
  – Connections permitted through & blocked.
  – Total packets (& bytes) permitted through & blocked.
  – Traffic rates to subscriber, before and during mitigation.
  – Final White List (useful if attack resumes).
  – Geographic distribution of blocked IP addresses.


Simple Questions
• Represents an improvement over CAPTCHA.
  “Which letter follows D in the alphabet?” E
  “How much is five plus two?” 7
• CAPTCHA needs:
  – Character recognition.
• Simple Questions needs:
  – Character recognition.
  – Sentence parsing.
  – Semantic understanding.
  – Common sense for response.
• Video nuCAPTCHA increases Bot work load.


Product Placement
• Current products for DDoS infected subscribers:
  – Constant Guard: List based infection notification.
  – AUPM: Acceptable use traffic monitoring.
  Both limit damage done by infected subscribers.
• Proposal protects uninfected subscribers from attacks from everywhere around the world.
• Premium service – for a fee.
• Subscription or on-demand models.
• Product differentiator from other ISPs.
• Can be advertised as a “must have” for businesses.


Conclusions
• A new & unique method of DDoS Mitigation.
• Distinguishes between Attack & Valid traffic. Acceptable to human users. Very reliable; very low false positive rates.
• Revenue Generator.
• Product Differentiator.
• A “must have” for today.
• Possible patentable idea.
• Questions?