PLNOG15: DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
1. DDOS Attacks & Collateral Damage
Can we avoid it?
Asraf Ali
Head – Security & Network Engineering
asraf.ali@tatacommunications.com
Tata Communications
2. Agenda
○ DDOS attacks – What? How? Who?
○ The Impact – Direct & indirect victims
○ The Collateral Damage Problem
○ Global Industry Best Practices
○ How can Tata Communications help?
○ Q & A
3. DDOS Attacks – What? How?
Attempt to consume FINITE resources, exploit WEAKNESS in design and lack of Infra CAPACITY.
Affects service AVAILABILITY, thereby denying service to legitimate user traffic.
Sourced from BOTNETs, triggered by C&C servers, and almost always DISTRIBUTED for significant effect.
Broadly classified as:
TCP State Exhaustion attacks – TCP SYN floods
Volumetric attacks – UDP packet floods on well-known ports
Reflective Amplification attacks – Based on DNS, NTP, SSDP…
Application layer attacks – HTTP, SIP etc., caused by tools such as LOIC and HOIC
4. DDOS Attacks – Classified
• TCP State exhaustion attacks
− Exploits the stateful behavior of the TCP protocol
− Exhausts resources in servers, reverse proxies, firewalls
− System runs out of memory/sockets
− SYN, FIN, RST floods
• Volumetric attacks
− Exploits the stateless behavior of the UDP protocol
− UDP-based floods from spoofed IPs generate heavy bps/pps traffic volume
− Takes out Infra capacity – routers, switches, servers
[Diagram: Client sends SYN, server answers SYN/ACK; repeated endlessly until the resources exhaust...]
5. DDOS Attacks – Classified
• Reflective Amplification attacks
− Exploits the amplification behavior of the NTP, DNS, SSDP, SNMP protocols
− Reflection and amplification make it easy to execute
− Impacts more than just the target
− DNS, NTP, SSDP are commonly used
• Application layer attacks
− Low and slow in nature; targets application instances and NOT Infra
− Exploits scale and functionality of specific applications
− HTTP GET/POST floods
− LOIC, HOIC, Slowloris, etc. are easily available attack tools
[Diagram: Botnet sends spoofed REQ to open DNS/NTP/SNMP/SSDP services; the amplified RES is reflected to the target victim]
6. DDOS Attacks – The Impact
• InfoSec systems are built with the goal of maintaining Confidentiality, Integrity and Availability (CIA).
• Confidentiality and Integrity are mostly addressed using encryption in data security solutions.
• Availability is typically associated with eliminating points of failure in the design.
• DDoS attacks are targeted and directly affect ‘Availability’.
[Diagram: Service Availability → Business Continuity]
Maintaining availability in the face of an attack proves the success of an InfoSec program.
An industry survey shows most organizations:
• Do not have DDOS mitigation plans
• Never stress-test their service stack to find shortcomings
7. Evolution of DDOS attacks
Source: Arbor Networks WISR
• DDoS attacks have evolved over two decades now
• Peak attacks have grown 400% over the last couple of years
• All of those largest observed attacks were caused by Reflective Amplification
8. Reflective Amplification attacks
A closer look
• Due to their high magnitude (scaling up to 300+ Gbps), affecting millions of users, these attacks are often reported in the press.
• Requires the ability to spoof the IP address of the target host/network
• Most volumetric attacks generate high throughput (pps), but for Reflective Amplification attacks bandwidth (bps) is the key to fill the pipes in transit, saturating network operator infra.
• Two main characteristics:
• Reflection – Spoofed requests (carrying the actual attack target as source) from a botnet of hosts are sent towards open abusable services on the Internet; the amplified response is reflected back to the attack target.
• Amplification – A relatively small request that generates a significantly larger response.
9. DDOS Attacks – Victims
[Diagram: Botnet sends REQ with target spoofed as SRC IP to open DNS/NTP/SSDP servers on the Internet; the amplified response targets the original victim (content or e-com provider)]
Direct Victims:
1. Content owner/provider
10. DDOS Attacks – Victims
[Diagram: Botnet sends REQ with target spoofed as SRC IP to open DNS/NTP/SSDP servers on the Internet; the amplified response passes through the SP and the DC or Cloud provider before reaching the original victim (content or e-com provider)]
Victims:
1. Service Providers
2. DC/Cloud Service provider
3. Content owner/provider
13. Reflective Amplification
Protocols used as attack vectors
• Many protocols can be leveraged by attackers
• DNS, NTP, SSDP, CHARGEN, SNMP are commonly observed.
• Amplification factors make it lethal:
Protocol   Ports      Amplification factor
NTP        UDP/123    600x
DNS        UDP/53     160x
SSDP       UDP/1900   30x
CHARGEN    UDP/19     18x
SNMP       UDP/161    800x
14. What makes it possible?
• Failure to deploy network ingress filtering at the very edge – BCP 38, for anti-spoofing using ACLs, uRPF or IP Source Verify.
• Abusable services in the open Internet running on servers, home CPE devices, routers, and other IoT devices.
• Low difficulty of execution of such attacks; readily available attack tools
• Network operators not utilizing the best practices:
− Not utilizing flow telemetry for collection and analysis to detect attacks
− Failure to proactively scan and remediate abusable services
− Failure to deploy DDOS attack detection, response and mitigation tools
− Not using source- or destination-based RTBH and flowspec for mitigation
− Not subscribing to an SP cloud-based DDOS attack detection and mitigation service
15. Best Practices for Network Operators
Don’t be a part of the problem
• Deploy anti-spoofing at network edges
− uRPF loose and strict modes at peering and customer aggregation
− DHCP Snooping and IP Source Verify at DC LAN access edge
− Suitable mechanisms for Cable/DOCSIS subscriber edges
− Don’t be a spoofing-friendly network; you will soon be blocked!
• Proactively scan for and remediate abusable services, and block them if necessary to take them offline.
• Check www.openntpproject.org and its equivalents to see if abusable services have been identified on your network, and take suitable action.
• Do not give in to collateral damage; have a suitable process and system in place.
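The uRPF loose and strict modes recommended above, as an added illustration written for this page (not Tata Communications' code): a small emulation of the reverse-path check a router applies per ingress port. The FIB, interface names and sample packets are constructed.

```python
import ipaddress

# Constructed FIB for the demo (interface names are hypothetical): prefix ->
# interface through which that prefix is reached. No default route is
# installed, so loose mode can still reject unrouted (bogon) sources.
FIB = [(ipaddress.ip_network(p), i) for p, i in {
    "203.0.113.0/24": "cust-1",    # customer aggregation port
    "198.51.100.0/24": "cust-2",
    "192.0.2.0/24": "peer-ixp",    # learned over peering
    "10.0.0.0/8": "core",
    "10.10.0.0/16": "cust-3",      # more specific than 10/8
}.items()]

def best_route(src):
    """Longest-prefix match of src against FIB; returns egress interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_permit(src, ingress_if, mode):
    """Emulate the uRPF check on a packet's source address. strict: the best
    route back to src must exit via the ingress interface (fits single-homed
    customer ports, breaks with asymmetric routing). loose: any route to src
    suffices; still drops unrouted/bogon sources, safe on peering ports."""
    egress = best_route(src)
    if egress is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == ingress_if
    raise ValueError(f"unknown uRPF mode: {mode}")

def drop_spoofed(packets, mode):
    """Return the (src, ingress_if) pairs the check would discard."""
    return [(src, iif) for src, iif in packets if not urpf_permit(src, iif, mode)]

# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("203.0.113.7", "cust-1"),   # customer's own space: permitted in both modes
    ("192.0.2.5", "cust-1"),     # peer's space arriving from a customer: spoofed
    ("100.64.0.1", "peer-ixp"),  # no route at all: dropped even in loose mode
    ("192.0.2.5", "peer-ixp"),   # peer's space on the peering port: permitted
]
if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", drop_spoofed(PACKETS, mode))
```

Strict mode on the customer port catches the spoofed packet; loose mode on the peering port still rejects the unrouted source without breaking asymmetric paths.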
16. Building a DDoS attack defense system
Detection/Classification
• Visibility is key for detection – you can only protect what you can see
• Utilize flow telemetry exported from all network edges for attack detection and classification
• Deploy a suitable anomaly-based DDoS attack detection solution
− Monitor links across transit, peering, aggregation, service edge and DC access
• Deploy in-line or SPAN-based monitoring in front of critical services for fine-grained, application-aware visibility and detection
• If you don’t have the CapEx budget, subscribe to Carrier DDOS Protection services.
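The flow-telemetry detection point above and the amplification-factor table on slide 13, as an added example that is not part of the original deck: a per-destination aggregation over constructed NetFlow-style records that flags reflective amplification by amplifier source port and uses the table's factors to estimate the spoofed request rate the botnet needed. Addresses, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Amplification vectors from the deck's table: UDP source port -> (protocol, factor).
AMP_VECTORS = {123: ("NTP", 600), 53: ("DNS", 160), 1900: ("SSDP", 30),
               19: ("CHARGEN", 18), 161: ("SNMP", 800)}

# Constructed NetFlow-style records for one 5-second export window (not real
# telemetry): (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
WINDOW_SECONDS = 5
FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40001, 17, 60_000_000, 130_000),
    ("198.51.100.11", 123, "203.0.113.5", 40002, 17, 55_000_000, 120_000),
    ("198.51.100.12", 123, "203.0.113.5", 40003, 17, 58_000_000, 125_000),
    ("192.0.2.20",     53, "203.0.113.5", 40004, 17,  9_000_000,   8_000),
    ("192.0.2.30",    443, "203.0.113.9", 51000,  6,  2_000_000,   3_000),  # normal HTTPS
    ("192.0.2.31",    123, "203.0.113.9",   123, 17,      9_000,     100),  # legitimate NTP
]

def detect_amplification(flows, window=WINDOW_SECONDS,
                         bps_threshold=100_000_000, min_reflectors=3):
    """Flag destinations receiving UDP from amplifier service ports above
    bps_threshold from at least min_reflectors distinct sources. Thresholds
    are constructed for the sample; tune them to your own edge link sizes."""
    per_dst = defaultdict(lambda: {"bytes": 0, "req_bytes": 0.0,
                                   "reflectors": set(), "by_vector": defaultdict(int)})
    for src, sport, dst, _dport, proto, nbytes, _pkts in flows:
        if proto != 17 or sport not in AMP_VECTORS:
            continue  # only UDP answered from known reflector ports matters here
        name, factor = AMP_VECTORS[sport]
        agg = per_dst[dst]
        agg["bytes"] += nbytes
        agg["req_bytes"] += nbytes / factor  # spoofed request volume implied by the factor
        agg["reflectors"].add(src)
        agg["by_vector"][name] += nbytes
    alerts = {}
    for dst, agg in per_dst.items():
        bps = agg["bytes"] * 8 / window
        if bps >= bps_threshold and len(agg["reflectors"]) >= min_reflectors:
            vector = max(agg["by_vector"], key=agg["by_vector"].get)
            alerts[dst] = {"bps": bps, "vector": vector,
                           "reflectors": len(agg["reflectors"]),
                           "est_request_bps": agg["req_bytes"] * 8 / window}
    return alerts

if __name__ == "__main__":
    for dst, a in detect_amplification(FLOWS).items():
        print(f"{dst}: {a['bps']/1e6:.0f} Mbps via {a['vector']} from {a['reflectors']} "
              f"reflectors (botnet sent ~{a['est_request_bps']/1e3:.0f} kbps of requests)")
```

The single legitimate NTP exchange and the HTTPS flow are not flagged, while the 291 Mbps reflected at 203.0.113.5 traces back to roughly 551 kbps of spoofed requests, which is why a small botnet suffices and why a flagged prefix is a candidate for RTBH or flowspec diversion.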
17. Building a DDoS attack defense system
Mitigation Infra – Options
• Flowspec – Utilize BGP to inject ACLs or routing policy to filter or divert traffic.
• Remote Triggered Blackholing – RTBH
− S/RTBH to block known bad sources
− D/RTBH to blackhole the destination under attack as a last resort
• Deploy a commercial mitigation system to protect from any attacks
• Build minimum capacity within and subscribe to carrier-based cloud mitigation services
• Planning mitigation capacity – Bandwidth
− Ideal mitigation capacity = Total ingress network bandwidth
− Minimum mitigation capacity = max attack size in the region, if the network transport has room to carry it
− You can only mitigate what you can carry on your network
• Planning mitigation capacity – Throughput
− Volumetric attacks generate a high rate of packets; consider hardware architecture
− Ensure 1 Million PPS capacity for every Gbps of mitigation capacity
18. Building a DDoS attack defense system
Mitigation Infra – Planning and Scale-up
• Build a distributed mitigation system.
− Stop attack traffic closer to the source; do not allow it to converge.
− Leverage botnet heat-maps for planning your mitigation capacity globally.
• Utilize anycast routing to scrubbing farms for effective mitigation
• If you are a regional or local network operator:
− Utilize carrier DDOS protection services
− Build minimal mitigation capacity for offering services to the local enterprise market
19. What works well?
Table columns: Attack type | Impact on Network / DC Service Provider | Impact on content owner | Effective mitigation technique

TCP State exhaustion
• Impact on Network / DC SP: Limited or nil
• Impact on content owner: High – impacts all stateful devices in transit
• Effective mitigation: Arrested by SP cloud mitigation, if detected; on-premise CPE solutions are proactive

Volumetric
• Impact on Network / DC SP: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – causes bandwidth choke-points based on capacity, leading to collateral damage
• Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
• Effective mitigation: SP cloud mitigation

Application layer
• Impact on Network / DC SP: Tier-1/2/3 operator – limited or nil impact; DC service provider services such as IaaS are impacted, so the design should adopt protection against noisy neighbors (tenants)
• Impact on content owner: High – the weakest node breaks down
• Effective mitigation: On-premise CPE solutions are effective; basic attacks are defended by SP cloud mitigation techniques

Reflective Amplification
• Impact on Network / DC SP: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – causes bandwidth choke-points based on capacity, leading to collateral damage
• Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
• Effective mitigation: SP cloud mitigation
21. SECURITY SERVICES AT TATA COMM
Multi-Platform Support
Security Operations Centers
Technology & Automation
Build and maintain a secure network
Protect Sensitive Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
• DDoS Detection & Mitigation
• Bluecoat Managed Proxy
• Professional Security Services
• Managed & Monitored Firewall-UTM
• Managed & Monitored IDS/IPS
• Log/Security Event Monitoring
• Managed Strong Authentication
• Network Based vUTM
• Zscaler web security/virtual Proxy
• Qualys Vulnerability Management
• Email Security & Postini Anti-Spam
Telephony Magazine 2014 – Leader for Network Services
Strength: Strong range of network security services
Scalable & Multi-tenant
India – Singapore
ISO 27001 Certified
SAS-70 Type I/II audited
Cisco MSCP Firewall - IDS - VPN
“Most Innovative Service Award”
Gartner Magic Quadrant
In 100+ countries
22. INTEGRATED MDDOS D&M SERVICES
POWERED BY TATA COMMUNICATIONS’ TIER 1 IP NETWORK
- 24% of the world’s Internet routes are on our network
- Only Tier 1 provider to feature in the Top 5 on 5 continents
- 99.7% of the world’s GDP can be reached using the Tata Communications’ Global Network
24. ON-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 from within the TATA network
Mitigation
• SSOC analyst confirms attack, contacts customer POC
• Customer authorizes mitigation
• TATA activates BGP session
• Multi-Gb attack traffic routes through TATA mitigation centers and scrubbed traffic is returned to the destination over dedicated TATA IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, original route is re-established & ticket closed
[Diagram: DDoS attack enters from the Public Internet at the TATA IP transit port; a flow sensor at the edge feeds the TATA SSOC; traffic is diverted to TATA regional scrubbing farms and clean traffic is injected via GRE to the CE at the customer data center]
25. OFF-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 (assumes Flow Sensor, router, IPS, etc…)
Mitigation
• SSOC analyst confirms attack, contacts customer POC
• Customer authorizes mitigation, withdraws existing route for /24
• TATA activates BGP session, announces new route; customer sends /24
• Multi-Gb attack traffic routes through TATA mitigation centers with scrubbed traffic returned to the destination over 3rd party IP egress via GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, original route is re-established & ticket is closed
[Diagram: TATA announces the customer /24 so the DDoS attack from the Public Internet is routed to TATA regional scrubbing farms; a flow sensor at the edge feeds the TATA SSOC; clean traffic is injected via GRE over 3rd party IP to the CE at the customer data center]
26. DDoS attack Protection Services for Carriers
Tata Communications offers detection of DDoS attacks on-net and off-net.
Detects DDoS attack traffic proactively and directs it to the nearest scrubbing farm.
Scrubbing farms are deployed across the globe, with high-capacity nodes in regions with heavy botnet activity, to mitigate attacks closer to the source and prevent an avalanche of attack traffic.
Clean traffic can be delivered over a secure on-net tunnel to the carrier network edge *.
[Diagram: Global Internet and regional ISPs/IXPs feed the TCL network, where DDOS defense drops attack traffic in the cloud; clean traffic is delivered to the regional carrier network and its customers]
* - recommended option
27. Thank You
Have questions? Ask now or talk to our local representatives
Marcin Raczkiewicz – Marcin.Raczkiewicz@tatacommunications.com
Director, Global Carrier Services, Tata Communications - Poland
Konrad Czubak – Konrad.Czubak@tatacommunications.com
Sr. Solutions Architect, Tata Communications - Poland