2. Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
3. DoS attack: definition
• A Denial of Service (DoS) attack is an explicit attempt by attackers to prevent legitimate users from using a service. Examples include:
– Attempts to flood a network, thereby preventing legitimate network traffic
– Attempts to use all available processing power on the end system to prevent regular users from accessing it
– Attempts to disrupt connections between two machines, preventing access to a service
– Attempts to prevent a particular individual from accessing a service
– Attempts to disrupt service to a specific system or person
4. What is a Distributed Denial of Service Attack? (1/2)
• A DDoS attack is the most prominent form of DoS attack
– The attacker scans millions of computers on the Internet to identify unsecured hosts to be used as launch pads
– Then secretly installs software on a master computer and a collection of compromised zombie computers
– The attacker hides their true identity and location by using these zombie machines to launch the attacks
– The attack results in denial of service to legitimate users because their infrastructure is overwhelmed with illegitimate requests, thereby choking off the site's available bandwidth
5. What is a Distributed Denial of Service Attack? (2/2)
Areas vulnerable to attack include:
• Routers
• Firewalls
• Web servers
• DNS servers
• Mail Servers
• VoIP gateways
Indirect victims: elements that share the victims’ network (for example, other servers in a server farm)
[Figure: zombies on innocent computers sending traffic through the ISP backbone towards an enterprise; the diagram marks three attack levels: infrastructure level attacks, bandwidth level attacks and server level attacks]
6. Real world proposals …
• Someone offers a DDoS service
-----Original Message-----
From: Martyn Clapham [mailto:DDoS1033er@caulf.freeserve.co.uk]
Sent: Friday, 16 May 2003 2:45 PM
To: ********************
Subject: Offer from irc.mad.pp.ru 2787!
Do you want to get rid of your competitors? Or blackmail your boss because he didn't pay you? We can help! Ddos
attack on any internet server. We pay admins of irc.icq.com for hosting so our bandwidth is huge and our knowledge of
such attacks allows us to fulfill any requirement. If you are in need of Ddos attacks, or simply looking for specific content
for your web site (like child porn or anything weird) - tell us and will give you what you need!
Our contacts are: irc.mad.pp.ru 2787
• Someone else offers protection you can’t refuse (if you don’t pay, you will be attacked)
• So-called “cyber mafia” mainly based in Russia and Eastern Europe
7. Typical Targets of a DDoS Attack
• Typical targets of DDoS attacks are:
– eCommerce
– Online banking
– Online trading
– iGaming
– iGambling
– Content providers
– Governmental organizations
– ISPs
In general, all companies whose business is providing online/Internet services
8. Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
9. Colt Proposition: IP Guardian
• Proposal
– Colt will protect the customer bandwidth by detecting attacks whilst they are still within the Colt network
– Customer traffic is diverted only when an attack is detected, so there is no impact on customers during normal operations
• How?
– By expanding the existing state-of-the-art platform built using Arbor Peakflow monitors and Arbor TMS (Threat Management System) and locating them throughout Colt’s Tier 1 pan-European network
10. Service Variants
• Continuous
– Automatic redirection/mitigation if an anomaly is detected
– Reports via customer portal
• On-Demand
– Customer control via portal
– Alerts via email/SMS
– Customer reviews the anomaly on the Colt portal
– Customer triggers mitigation if it is deemed to be an attack
• Emergency Implementation
– Set up a temporary IPG service in the midst of an attack
– No baselining; default profile
– Can migrate to full service (Continuous or On-Demand)
11. Benefits of the IP Guardian Service
• “In the cloud” DDoS protection
– DDoS protection on site can be useless: attacks can flood the pipe however good the mitigation devices are. IP Guardian stops the attack before it can reach you
• Anomaly monitoring
– Constant monitoring of NetFlow telemetry data to ensure rapid detection of any abnormal activity
• Resiliency
– Protection deployed at multiple strategic locations throughout Colt’s global network to ensure near-continuous uptime of the IP Guardian service and the best possible round trip time (RTT) in case traffic needs to be diverted
• Productivity
– Avoid downtime: you can carry on working as normal if the attack is successfully mitigated
• Flexibility
– New ‘On Demand’ variant provides more customer control to avoid false positives
12. IP Guardian: how it works (1/3)
– IP Guardian is a dedicated service in which the customer traffic is continuously monitored, ensuring that the customer is continually prepared to react against DDoS attacks
– The traffic to the customer is constantly monitored while it follows its path in the network. The Arbor Peakflow SP Collectors gather traffic statistics (network telemetry data) from all peering and transit routers, which it constantly analyzes to construct a network-wide view of possible traffic and network anomalies
[Figure: Public Internet, Colt Backbone hosting Arbor Peakflow SP and Arbor TMS, Customer Network; caption: “Arbor SP constantly monitors traffic destined to the customer”]
13. IP Guardian: how it works (2/3)
– An alert is generated if the behaviour is found to be abnormal.
– When an attack is detected by Arbor Peakflow SP, traffic is automatically diverted to Arbor TMS, which mitigates the attack based on traffic patterns learnt by Arbor Peakflow SP
[Figure: Public Internet, Colt Backbone hosting Arbor Peakflow SP and Arbor TMS (“TMS is triggered”), a BGP Announcement diverting traffic to the TMS, Customer Network; legend: Malicious Traffic, Cleaned Traffic; caption: “Arbor SP constantly monitors traffic destined to the customer”]
14. IP Guardian: how it works (3/3)
– The customer never feels the full impact of an attack as their circuit is being continually monitored and protection triggered automatically by the platform
– Only the cleaned traffic flows toward the customer, which will be provided with high levels of protection
[Figure: Public Internet, Colt Backbone hosting Arbor Peakflow SP and Arbor TMS, Customer Network; legend: Malicious Traffic, Cleaned Traffic; caption: “Whenever an attack occurs, traffic is redirected to Arbor TMS, the attack mitigated and cleaned traffic only flows to the customer”]
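The monitor, detect, divert and clean loop described across the three “how it works” slides, reduced to a runnable model. This is an added example, not Colt’s or Arbor’s code: the flow-record layout, the 10-second buckets, the mean-plus-k-sigma rule with a 2 Mbps floor, the customer prefix 203.0.113.0/24 and all sample telemetry are assumptions constructed here, and the BGP announcement that steers traffic to the TMS is represented only by a logged decision.

```python
"""Added example, not Colt's or Arbor's code: a minimal model of the
monitor -> detect -> divert -> clean loop on the "how it works" slides.
Flow records (constructed below) from peering and transit routers are
aggregated per customer prefix, a baseline is learnt from a quiet window,
and a bucket whose incoming rate exceeds the learnt threshold raises an
alert plus a diversion decision standing in for the BGP announcement that
steers traffic through the TMS. Record layout, bucket size, the k-sigma
rule and the 2 Mbps floor are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

BUCKET_SECONDS = 10
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")  # documentation range standing in for a customer


@dataclass(frozen=True)
class FlowRecord:
    ts: int        # export timestamp in seconds
    src: str
    dst: str
    nbytes: int


def bucket_rates(records, prefix, bucket=BUCKET_SECONDS):
    """Sum bytes of flows destined to `prefix` per time bucket; return bits/s per bucket."""
    totals = {}
    for r in records:
        if ip_address(r.dst) in prefix:          # traffic to other destinations is ignored
            key = r.ts - r.ts % bucket
            totals[key] = totals.get(key, 0) + r.nbytes
    return {k: totals[k] * 8 / bucket for k in sorted(totals)}


def learn_baseline(rates):
    """Mean and population standard deviation of the per-bucket rate over a quiet window."""
    vals = list(rates.values())
    return mean(vals), pstdev(vals)


def run_controller(rates, base_mean, base_std, k=3.0, floor_bps=2_000_000):
    """Walk the buckets in time order and return (threshold, transitions).

    threshold = max(mean + k*std, floor_bps): the floor keeps a very flat
    baseline from alerting on harmless jitter. 'attack_detected' corresponds
    to the first alert e-mail and the diversion, 'attack_mitigated' to the
    end-of-attack e-mail and the withdrawal of the diversion."""
    threshold = max(base_mean + k * base_std, floor_bps)
    transitions, diverted = [], False
    for t, bps in rates.items():
        if bps > threshold and not diverted:
            transitions.append((t, "attack_detected: divert prefix to TMS (BGP announcement)"))
            diverted = True
        elif bps <= threshold and diverted:
            transitions.append((t, "attack_mitigated: withdraw diversion, normal path restored"))
            diverted = False
    return threshold, transitions


def build_sample_flows():
    """Constructed telemetry, not real data: 60 s quiet, 40 s flood, 20 s quiet."""
    legit_src, victim = "198.51.100.7", "203.0.113.10"
    quiet_bytes = [1_250_000, 1_300_000, 1_200_000, 1_280_000, 1_240_000, 1_260_000]  # ~1 Mbps
    flows = [FlowRecord(i * BUCKET_SECONDS, legit_src, victim, b) for i, b in enumerate(quiet_bytes)]
    # a large flow to a host outside the customer prefix must not influence the decision
    flows.append(FlowRecord(30, "192.0.2.99", "198.51.100.50", 999_999_999))
    # flood: three sources each sending 20 MB per bucket while legitimate traffic continues
    for t in range(60, 100, BUCKET_SECONDS):
        flows.append(FlowRecord(t, legit_src, victim, 1_250_000))
        for src in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
            flows.append(FlowRecord(t, src, victim, 20_000_000))
    flows += [FlowRecord(t, legit_src, victim, 1_250_000) for t in (100, 110)]
    return flows


def simulate():
    """Learn the baseline from the quiet window, then run the controller over everything."""
    flows = build_sample_flows()
    quiet = [f for f in flows if f.ts < 60]
    base_mean, base_std = learn_baseline(bucket_rates(quiet, CUSTOMER_PREFIX))
    return run_controller(bucket_rates(flows, CUSTOMER_PREFIX), base_mean, base_std)


if __name__ == "__main__":
    threshold, transitions = simulate()
    print(f"threshold {threshold / 1e6:.2f} Mbps")
    for t, what in transitions:
        print(f"t={t:>4}s  {what}")
```

With the constructed data the learnt threshold is the 2 Mbps floor (the quiet window sits around 1 Mbps), the flood is flagged in the first bucket it appears in, and the diversion is withdrawn in the first bucket that returns to baseline. A production controller would additionally measure the post-diversion rate at the TMS rather than on the original path, and would baseline per protocol as the slides’ “Type: (Bandwidth, Protocol)” field implies.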
15. IP Guardian: Proactive eMail Alerting
• In case an attack is detected, an email is sent to the customer
• Another email is sent once the attack is mitigated
• The structure of such emails is provided below as an example.
– From: "Peakflow SP" traffic@peakflow.oss.colt.net
– Date: date/time
– To: Customer’s Address (this address shall be reachable in case of attacks)
– Subject: [Peakflow SP] Bandwidth attack #[Attack ID] Incoming to [Customer] Done
– Type: (Bandwidth, Protocol)
– ID: a number identifying the attack
– Resource: Customer’s name
– Severity: high
– Started: date/time (UTC) of the attack beginning
– Ended: date/time (UTC) of the attack mitigation
– Link rate: traffic (in Mbps) related to the attack
– Router: Colt peering router and interfaces involved
– Input If: Input Interface
– Output If: Output Interface
– URL: www.colt.net
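A parser for the alert e-mail whose structure the list above gives, so that the “detected” and “mitigated” mails can be turned into structured events for a ticketing or SIEM pipeline. This is an added example, not Colt’s or Arbor’s code: only the field names and the From address come from the slide; the sample mails, the timestamp layout (YYYY-MM-DD HH:MM:SS UTC), the attack ID, customer name, router and interface names and the link rate are constructed assumptions.

```python
"""Added example, not Colt's or Arbor's code: parse the IP Guardian alert
e-mail listed on the slide into a structured event. Sample mails, the
timestamp format and every value in them are constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

EXPECTED_SENDER = "traffic@peakflow.oss.colt.net"   # From address given on the slide
SUBJECT_RE = re.compile(
    r"^\[Peakflow SP\] (?P<kind>\w+) attack #(?P<attack_id>\d+) "
    r"Incoming to (?P<customer>.+?)(?P<done> Done)?$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # assumed layout of the Started/Ended lines


@dataclass
class AlertEvent:
    attack_id: int
    kind: str                  # Bandwidth or Protocol, taken from the subject
    customer: str
    phase: str                 # "detected" (first mail) or "mitigated" (subject ends in "Done")
    severity: str
    started: Optional[datetime]
    ended: Optional[datetime]  # absent in the first mail
    link_rate_mbps: float
    router: str
    sender_ok: bool            # False when the From address is not the expected Peakflow sender


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc) if value else None


def parse_alert(raw: str) -> AlertEvent:
    msg = message_from_string(raw)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if not m:
        raise ValueError("not a Peakflow SP attack notification")
    attack_id = int(m["attack_id"])
    fields = {}
    for line in msg.get_payload().splitlines():   # body is "Key: value" lines
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if "ID" in fields and int(fields["ID"]) != attack_id:
        raise ValueError("subject and body attack IDs disagree")
    rate = re.search(r"([\d.]+)\s*Mbps", fields.get("Link rate", ""))
    return AlertEvent(
        attack_id=attack_id,
        kind=m["kind"],
        customer=m["customer"],
        phase="mitigated" if m["done"] else "detected",
        severity=fields.get("Severity", "unknown"),
        started=_parse_time(fields.get("Started")),
        ended=_parse_time(fields.get("Ended")),
        link_rate_mbps=float(rate.group(1)) if rate else 0.0,
        router=fields.get("Router", ""),
        sender_ok=parseaddr(msg.get("From", ""))[1].lower() == EXPECTED_SENDER,
    )


def duration_seconds(event: AlertEvent):
    """Attack duration for a 'mitigated' event, None while the attack is ongoing."""
    return (event.ended - event.started).total_seconds() if event.ended and event.started else None


# Constructed sample mails following the field list on the slide (not real alerts).
DETECTED_MAIL = """\
From: "Peakflow SP" <traffic@peakflow.oss.colt.net>
To: noc@example.com
Subject: [Peakflow SP] Bandwidth attack #4711 Incoming to ExampleCorp

Type: Bandwidth
ID: 4711
Resource: ExampleCorp
Severity: high
Started: 2008-05-16 09:41:00 UTC
Link rate: 870 Mbps
Router: peer-rtr-1 Gi3/0/1
Input If: Gi3/0/1
Output If: Gi2/0/0
URL: www.colt.net
"""

MITIGATED_MAIL = DETECTED_MAIL.replace(
    "Incoming to ExampleCorp", "Incoming to ExampleCorp Done").replace(
    "Link rate:", "Ended: 2008-05-16 10:03:00 UTC\nLink rate:")

# Same content but from a look-alike domain: the sender check must flag it.
SPOOFED_MAIL = DETECTED_MAIL.replace("peakflow.oss.colt.net", "peakflow-alerts.example.net")


if __name__ == "__main__":
    for raw in (DETECTED_MAIL, MITIGATED_MAIL, SPOOFED_MAIL):
        ev = parse_alert(raw)
        print(ev.phase, ev.attack_id, ev.customer, ev.link_rate_mbps, "Mbps",
              "duration", duration_seconds(ev), "sender_ok", ev.sender_ok)
```

The subject line carries the attack ID and the customer name, so the parser cross-checks the body’s ID against it and refuses a mail where they disagree; the sender check is a cheap first filter only, and a mail alert that can trigger operational action should in practice also be authenticated (for example by verifying DKIM on the receiving side) before anyone acts on it.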
17. Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
18. IP Guardian: Platform Deployment
[Map: IP Guardian platform deployment across Colt’s network. Legend: Controller, Collector (8x), TMS. Sites shown: CPH, STO, BHX, DUB, AMS, CGN, DUS, HAM, LON, HAJ, BRU, PAR, FRK, STR, BER, BAS, NYC, ZUR, GEN, TUR, MIL, LIS, MAD, BCN, VIE, MUN, ROM]
19. Technicalities
• The service is available to customers with a service bandwidth of at least 10Mbps and 30/40% of spare bandwidth (recommended)
• Traffic content is not monitored or stored: IP Guardian is not what is known as “Deep Packet Inspection”
• The maximum number of packets that can be dealt with is 1 Million packets per second
• Maximum bandwidth up to 2Gbps per TMS – this means a maximum of 2Gbps in case of a DoS attack managed by one TMS or Nx2Gbps DDoS attack through multiple entry points (N=6, the number of TMS installed)
• Simultaneous TCP connections during a SYN attack per device: 100,000
• Source and destination HTTP host pairs per device: 1 Million
• Zombies per device: 20,000