DDOS Attacks & Collateral Damage
Can we avoid it ?
Asraf Ali
Head – Security & Network Engineering
asraf.ali@tatacommunications.com
Tata Communications
Agenda
○ DDOS attacks – What? How? Who?
○ The Impact – Direct & indirect victims
○ The Collateral Damage Problem
○ Global Industry Best Practices
○ How can Tata Communications help?
○ Q & A
DDOS Attacks – What ? How ?
• Attempt to consume FINITE resources, exploit WEAKNESS in design, or lack of infra CAPACITY.
• Affects service AVAILABILITY, thereby denying service to legitimate user traffic.
• Sourced from BOTNETs but triggered by C&C servers, and almost always DISTRIBUTED for significant effect.
• Broadly classified as:
 − TCP state exhaustion attacks – TCP SYN floods
 − Volumetric attacks – UDP packet floods on well-known ports
 − Reflective amplification attacks – based on DNS, NTP, SSDP…
 − Application layer attacks – HTTP, SIP etc., caused by tools such as LOIC and HOIC
DDOS Attacks – Classified
• TCP state exhaustion attacks
 − Exploits the stateful behavior of the TCP protocol
 − Exhausts resources in servers, reverse proxies, firewalls
 − System runs out of memory/sockets
 − SYN, FIN, RST floods
• Volumetric attacks
 − Exploits the stateless behavior of the UDP protocol
 − UDP-based floods from spoofed IPs generate heavy bps/pps traffic volume
 − Takes out infra capacity – routers, switches, servers
[Diagram: Client sends SYN after SYN to Server; Server answers each with SYN/ACK; repeated endlessly until the resources exhaust…]
DDOS Attacks – Classified
• Reflective amplification attacks
 − Exploits the amplification behavior of the NTP, DNS, SSDP, SNMP protocols
 − Reflection and amplification make it easy to execute
 − Impacts more than just the target
 − DNS, NTP, SSDP are commonly used
• Application layer attacks
 − Low and slow in nature; targets application instances and NOT infra
 − Exploits the scale and functionality of specific applications
 − HTTP GET/POST floods
 − LOIC, HOIC, Slowloris, etc. are easily available attack tools
[Diagram: Botnet sends spoofed REQ to open DNS/NTP/SNMP/SSDP services; the amplified RES is reflected onto the target victim]
DDOS Attacks – The Impact
• InfoSec systems are built with the goal of maintaining Confidentiality, Integrity and Availability (CIA).
• Confidentiality and Integrity are mostly addressed using encryption in data security solutions.
• Availability is typically associated with eliminating points of failure in the design.
• DDoS attacks are targeted and directly affect ‘Availability’.
Service Availability → Business Continuity
Maintaining availability in the face of an attack proves the success of an InfoSec program.
An industry survey shows most organizations:
• Do not have DDOS mitigation plans
• Never stress-test their service stack to find shortcomings
Evolution of DDOS attacks
Source: Arbor Networks WISR
• DDoS attacks have evolved over two decades now
• Peak attacks have grown 400% over the last couple of years
• All of the largest observed attacks were caused by reflective amplification
Reflective Amplification attacks
A closer look
• Due to their high magnitude (scaling up to 300+ Gbps) and their effect on millions of users, these attacks are often reported in the press.
• Requires the ability to spoof the IP address of the target host/network.
• Most volumetric attacks generate high packet throughput (pps), but for reflective amplification attacks bandwidth (bps) is the key: it fills the pipes in transit, saturating network operator infra.
• Two main characteristics:
 − Reflection – Spoofed requests (carrying the actual attack target as the source) from a botnet of hosts are sent towards open abusable services on the Internet; the amplified response is reflected back onto the attack target.
 − Amplification – A relatively small request generates a significantly larger response.
[Diagram: Botnet → open DNS/NTP/SSDP servers on the Internet → original victim (content or e-com provider)]
DDOS Attacks – Victims
Direct victims:
1. Content owner/provider
[Diagram: Botnet sends REQ with the target spoofed as SRC IP to open DNS/NTP/SSDP servers on the Internet; the amplified response targets the original victim, a content or e-com provider]
DDOS Attacks – Victims
Victims:
1. Service providers
2. DC/Cloud service provider
3. Content owner/provider
[Diagram: same flow; the amplified response crosses the SP network and the DC or Cloud on its way to the original victim]
Collateral Damage Problem
[Diagram: converged operator network with Peer-1, Peer-2, Peer-3, IXP-A, IXP-B, a DC facility (DC & Cloud services) and a 4G RAN (mobile broadband services)]
• Converged network infrastructure
• Supporting ISP, DC and mobile broadband services
Collateral Damage Problem
[Diagram: the same converged network (Peer-1/2/3, IXP-A/B, DC facility, 4G RAN) with attack traffic converging on the DC facility]
• Attack targeting a service hosted in the DC facility
• Impacts bystanders and other businesses
Reflective Amplification
Protocols used as attack vectors
• Many protocols can be leveraged by attackers
• DNS, NTP, SSDP, CHARGEN, SNMP are commonly observed
• Amplification factors make it lethal:
Protocol   Port         Amplification factor
NTP        UDP / 123    600x
DNS        UDP / 53     160x
SSDP       UDP / 1900   30x
CHARGEN    UDP / 19     18x
SNMP       UDP / 161    800x
What makes it possible ?
• Failure to deploy network ingress filtering at the very edge – BCP 38, for anti-spoofing using ACLs, uRPF or IP Source Verify
• Abusable services in the open Internet running on servers, home CPE devices, routers, and other IoT devices
• Low difficulty of execution of such attacks; readily available attack tools
• Network operators not utilizing the best practices:
 − Not utilizing flow telemetry collection and analysis to detect attacks
 − Failure to proactively scan for and remediate abusable services
 − Failure to deploy DDOS attack detection, response and mitigation tools: source- or destination-based RTBH and flowspec for mitigation, or subscribing to an SP cloud-based DDOS attack detection and mitigation service
Best Practices for Network Operators
Don’t be a part of the problem
• Deploy anti-spoofing at network edges
 − uRPF loose and strict modes at peering and customer aggregation
 − DHCP Snooping and IP Source Verify at the DC LAN access edge
 − Suitable mechanisms for Cable/DOCSIS subscriber edges
 − Don’t be a spoofing-friendly network; you will soon be blocked!
• Proactively scan for and remediate abusable services; block them if necessary to take them offline.
• Check www.openntpproject.org and its equivalents to see if abusable services have been identified on your network, and take suitable action.
• Do not give in to collateral damage; have a suitable process and system in place.
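As an added example (not code from the slide deck or from Tata Communications), the following Python simulates the strict and loose uRPF checks listed above over a constructed FIB, so the difference between the two modes at a customer aggregation edge versus a peering edge can be seen on sample packets. The prefixes, interface names and packets are constructed, and the handling of the default route (not counted as a valid reverse path unless explicitly allowed) is an assumption modelled on common router behaviour.

```python
"""uRPF strict vs loose mode, simulated over a constructed FIB.

Example code, not Tata Communications' or any router vendor's implementation.
The FIB, interface names and packets are constructed sample data; the
default-route handling (0.0.0.0/0 is not a valid reverse path unless
allow_default is set) is an assumption.
"""
import ipaddress

# Constructed FIB: prefix -> interface the router would forward to
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "cust-agg-1",   # customer aggregation
    ipaddress.ip_network("198.51.100.0/24"): "cust-agg-2",  # another customer
    ipaddress.ip_network("0.0.0.0/0"): "peer-1",            # default towards peers
}


def lookup(src, allow_default=False):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue  # a default route says nothing about where src really lives
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src, ingress, mode, allow_default=False):
    """True if a packet with source src arriving on ingress passes uRPF.

    strict: the best route back to src must point at the ingress interface
            (customer aggregation edges, where routing is symmetric).
    loose:  src only has to be present in the FIB via any interface
            (peering edges, where asymmetric paths would break strict mode).
    """
    hit = lookup(src, allow_default)
    if hit is None:
        return False
    if mode == "strict":
        return hit[1] == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


def filter_packets(packets, mode, allow_default=False):
    """Apply uRPF to (src, ingress) tuples; return the sources that were dropped."""
    return [src for src, ingress in packets
            if not urpf_check(src, ingress, mode, allow_default)]


# Constructed traffic: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("203.0.113.7", "cust-agg-1"),    # customer 1 using its own address
    ("198.51.100.9", "cust-agg-1"),   # customer 1 spoofing customer 2's space
    ("192.0.2.55", "cust-agg-1"),     # customer 1 spoofing an unrouted address
    ("198.51.100.9", "peer-1"),       # asymmetric return path seen at peering
]

if __name__ == "__main__":
    print("strict drops:", filter_packets(SAMPLE_PACKETS, "strict"))
    print("loose drops: ", filter_packets(SAMPLE_PACKETS, "loose"))
```

Strict mode catches both spoofed packets on the customer port but would also drop the legitimate asymmetric packet at the peer, which is why the slide recommends loose mode at peering; loose mode still drops the source that exists nowhere in the FIB.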
Building a DDoS attack defense system
Detection/Classification
• Visibility is key for detection – you can only protect what you can see
• Utilize flow telemetry exported from all network edges for attack detection and classification
• Deploy a suitable anomaly-based DDoS attack detection solution
 − Monitor links across transit, peering, aggregation, service edge and DC access
 − Deploy in-line or SPAN-based monitoring in front of critical services for fine-grained application-aware visibility and detection
• No CapEx budget? Subscribe to carrier DDOS protection services.
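The following Python is an added example of the flow-telemetry detection and classification described above, and it reuses the reflector ports from the amplification table earlier on the page; it is not the slide deck's or Tata Communications' code. The flow records are constructed sample data in a NetFlow-like shape (one 60-second export window, RFC 5737 test addresses), and the bps/pps thresholds are assumptions that a real deployment would tune per link.

```python
"""Attack detection and classification from exported flow telemetry.

Added example, not Tata Communications' code. Flow records are constructed
sample data in a NetFlow-like shape; the thresholds are assumptions.
"""
from collections import defaultdict

# Reflector source ports taken from the page's amplification table
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN", 161: "SNMP"}

# Assumed thresholds, evaluated per destination over one export window
WINDOW_SECONDS = 60
BPS_THRESHOLD = 1_000_000_000   # 1 Gbps of UDP towards one destination
PPS_THRESHOLD = 500_000         # 500 kpps of UDP towards one destination
SYN_PPS_THRESHOLD = 50_000      # SYN-only packets per second


def classify(flows, window=WINDOW_SECONDS):
    """Aggregate flows per destination and label each destination.

    flows: iterable of dicts with keys src, sport, dst, dport, proto,
           flags (TCP flag string, "" for UDP), packets, bytes.
    Returns {dst: {"bps": float, "pps": float, "verdict": str, "vectors": [...]}}.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "udp_bytes": 0,
                                   "udp_packets": 0, "refl_bytes": 0,
                                   "syn_packets": 0, "vectors": set()})
    for f in flows:
        d = per_dst[f["dst"]]
        d["bytes"] += f["bytes"]
        d["packets"] += f["packets"]
        if f["proto"] == "udp":
            d["udp_bytes"] += f["bytes"]
            d["udp_packets"] += f["packets"]
            if f["sport"] in REFLECTOR_PORTS:
                # Responses from a reflector port towards us: reflection traffic
                d["refl_bytes"] += f["bytes"]
                d["vectors"].add(REFLECTOR_PORTS[f["sport"]])
        elif f["proto"] == "tcp" and f["flags"] == "S":
            # SYN without ACK: half-open connection attempts
            d["syn_packets"] += f["packets"]

    result = {}
    for dst, d in per_dst.items():
        bps = d["bytes"] * 8 / window
        pps = d["packets"] / window
        refl_bps = d["refl_bytes"] * 8 / window
        syn_pps = d["syn_packets"] / window
        udp_bps = d["udp_bytes"] * 8 / window
        udp_pps = d["udp_packets"] / window
        if refl_bps >= BPS_THRESHOLD:
            verdict = "reflective-amplification"
        elif syn_pps >= SYN_PPS_THRESHOLD:
            verdict = "tcp-state-exhaustion"
        elif udp_bps >= BPS_THRESHOLD or udp_pps >= PPS_THRESHOLD:
            verdict = "volumetric"
        else:
            verdict = "normal"
        vectors = sorted(d["vectors"]) if verdict == "reflective-amplification" else []
        result[dst] = {"bps": bps, "pps": pps, "verdict": verdict, "vectors": vectors}
    return result


def _flow(src, sport, dst, dport, proto, flags, packets, nbytes):
    return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto,
                flags=flags, packets=packets, bytes=nbytes)


# Constructed 60-second export window
SAMPLE_FLOWS = [
    # NTP responses converging on one host: about 1.4 Gbps
    _flow("198.51.100.11", 123, "192.0.2.10", 40001, "udp", "", 8_000_000, 3_500_000_000),
    _flow("198.51.100.12", 123, "192.0.2.10", 40002, "udp", "", 8_000_000, 3_500_000_000),
    _flow("198.51.100.13", 123, "192.0.2.10", 40003, "udp", "", 8_000_000, 3_500_000_000),
    # SYN-only flows at about 100 kpps towards a web server
    _flow("203.0.113.5", 51000, "192.0.2.20", 443, "tcp", "S", 2_000_000, 80_000_000),
    _flow("203.0.113.6", 51001, "192.0.2.20", 443, "tcp", "S", 2_000_000, 80_000_000),
    _flow("203.0.113.7", 51002, "192.0.2.20", 443, "tcp", "S", 2_000_000, 80_000_000),
    # Ordinary traffic: a DNS answer and an established TCP session
    _flow("198.51.100.53", 53, "192.0.2.30", 33000, "udp", "", 10, 2_000),
    _flow("203.0.113.9", 52000, "192.0.2.30", 443, "tcp", "PA", 5_000, 6_000_000),
]

if __name__ == "__main__":
    for dst, info in classify(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['verdict']} {info['vectors']} "
              f"{info['bps'] / 1e9:.2f} Gbps {info['pps'] / 1e3:.0f} kpps")
```

A legitimate DNS answer comes from source port 53 too, which is why the reflective verdict is gated on the byte rate rather than on the port alone; the SYN check looks at flags, not volume, because a state-exhaustion flood is small in bps.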
Building a DDoS attack defense system
Mitigation Infra – Options
• Flowspec – utilize BGP to inject ACLs or routing policy to filter or divert traffic
• Remote Triggered Blackholing (RTBH)
 − S/RTBH to block known bad sources
 − D/RTBH to blackhole the destination under attack, as a last resort
• Deploy a commercial mitigation system to protect against any attack
• Build minimum capacity in-house and subscribe to carrier-based cloud mitigation services
• Planning mitigation capacity – bandwidth
 − Ideal mitigation capacity = total ingress network bandwidth
 − Minimum mitigation capacity = max attack size in the region, if the network transport has room to carry it
 − You can only mitigate what you can carry on your network
• Planning mitigation capacity – throughput
 − Volumetric attacks generate a high rate of packets; consider the hardware architecture
 − Ensure 1 million PPS of capacity for every Gbps of mitigation capacity
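As an added example for the flowspec and RTBH options above (not the slide deck's or Tata Communications' code), this Python turns a classified attack into the BGP announcements an operator would push from a controller, escalating from a surgical flowspec filter to a destination blackhole only when the attack exceeds what the network can carry. The announcement text follows ExaBGP's API syntax as I understand it and should be verified against your controller; the sinkhole next-hop and the carry-capacity figures are placeholders, and 65535:666 is the RFC 7999 BLACKHOLE well-known community.

```python
"""Mitigation announcements derived from a classified attack.

Added example, not Tata Communications' code. ExaBGP-style syntax is an
assumption; SINKHOLE_NEXT_HOP is a placeholder; the attack record and the
carry-capacity figures are constructed.
"""
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"      # RFC 7999 BLACKHOLE
SINKHOLE_NEXT_HOP = "192.0.2.1"         # placeholder: a next-hop routed to discard
REFLECTOR_PORTS = {"NTP": 123, "DNS": 53, "SSDP": 1900, "CHARGEN": 19, "SNMP": 161}


def _host(addr):
    """Accept a host address or /32 and reject anything wider."""
    net = ipaddress.ip_network(addr, strict=True)
    if net.prefixlen != 32:
        raise ValueError(f"{addr}: act on individual hosts, not covering prefixes")
    return net


def flowspec_filter(dst, protocol, source_ports, action="discard"):
    """Flowspec rule dropping reflector responses towards one victim host.

    Matching on the reflector source ports keeps the victim's other traffic
    flowing, which is what makes flowspec preferable to a blackhole.
    """
    ports = " ".join(f"={p}" for p in sorted(source_ports))
    return (f"announce flow route {{ match {{ destination {_host(dst)}; "
            f"protocol {protocol}; source-port [ {ports} ]; }} "
            f"then {{ {action}; }} }}")


def d_rtbh(dst):
    """Destination-based RTBH: blackhole the victim host itself (last resort).

    Completes the denial of service for that one host, so it is only worth it
    when the alternative is losing the whole link and its bystanders.
    """
    return (f"announce route {_host(dst)} next-hop {SINKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def s_rtbh(src):
    """Source-based RTBH: announce a known bad source with the blackhole next-hop;
    edges running loose-mode uRPF then drop packets from it."""
    return (f"announce route {_host(src)} next-hop {SINKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def mitigation_plan(attack, carry_capacity_bps):
    """Escalation: flowspec first, D/RTBH only if the network cannot carry the
    attack to its mitigation point. Attack kinds needing scrubber diversion
    (state exhaustion, application layer) get no announcement from here."""
    steps = []
    if attack["verdict"] == "reflective-amplification":
        ports = {REFLECTOR_PORTS[v] for v in attack["vectors"]}
        steps.append(flowspec_filter(attack["dst"], "udp", ports))
    if attack["bps"] > carry_capacity_bps:
        steps.append(d_rtbh(attack["dst"]))
    return steps


# Constructed attack record, in the shape a flow classifier would emit
SAMPLE_ATTACK = {"dst": "192.0.2.10", "verdict": "reflective-amplification",
                 "vectors": ["NTP", "SSDP"], "bps": 1.4e9}

if __name__ == "__main__":
    print("\n".join(mitigation_plan(SAMPLE_ATTACK, carry_capacity_bps=10e9)))
    print("---")
    print("\n".join(mitigation_plan(SAMPLE_ATTACK, carry_capacity_bps=1e9)))
```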
Building a DDoS attack defense system
Mitigation Infra – Planning and Scale-up
• Build a distributed mitigation system
 − Stop attack traffic closer to the source; do not allow it to converge
 − Leverage botnet heat-maps for planning your mitigation capacity globally
 − Utilize anycast routing to scrubbing farms for effective mitigation
• If you are a regional or local network operator:
 − Utilize carrier DDOS protection services
 − Build minimal mitigation capacity for offering services to the local enterprise market
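The capacity-sizing rules from the two slides above (ideal = total ingress bandwidth, minimum = largest regional attack capped by what the transport can carry, 1 Mpps per Gbps, heaviest botnet regions first) are applied in the following Python as an added example; it is not Tata Communications' planning tool. Region names, ingress bandwidth, observed peak attack sizes and transport headroom are constructed figures.

```python
"""Mitigation capacity planning per region, applying the page's sizing rules.

Added example, not Tata Communications' planning tool. The region figures are
constructed; the 1 Mpps-per-Gbps ratio is the one stated on the slide.
"""
PPS_PER_GBPS = 1_000_000


def plan_region(name, ingress_gbps, peak_attack_gbps, transport_room_gbps):
    """Size one regional scrubbing node.

    ideal   = total ingress bandwidth of the region
    minimum = largest attack seen in the region, capped by what the transport
              can carry to the node (you can only mitigate what you can carry);
              the uncarryable remainder has to be stopped upstream or by a carrier.
    """
    if min(ingress_gbps, peak_attack_gbps, transport_room_gbps) < 0:
        raise ValueError("bandwidth figures must be non-negative")
    minimum = min(peak_attack_gbps, transport_room_gbps)
    uncarryable = max(0, peak_attack_gbps - transport_room_gbps)
    return {
        "region": name,
        "ideal_gbps": ingress_gbps,
        "minimum_gbps": minimum,
        "minimum_pps": minimum * PPS_PER_GBPS,   # packet budget for the hardware
        "uncarryable_gbps": uncarryable,
        "needs_upstream_help": uncarryable > 0,
    }


def plan_global(regions):
    """Plan every region, ordered by the attack load it sees so that the
    heaviest botnet regions are provisioned first (the heat-map principle)."""
    plans = [plan_region(**r) for r in regions]
    plans.sort(key=lambda p: p["minimum_gbps"] + p["uncarryable_gbps"], reverse=True)
    total_min = sum(p["minimum_gbps"] for p in plans)
    return {"regions": plans,
            "total_minimum_gbps": total_min,
            "total_minimum_pps": total_min * PPS_PER_GBPS}


# Constructed regional figures (Gbps)
SAMPLE_REGIONS = [
    {"name": "apac", "ingress_gbps": 800, "peak_attack_gbps": 300, "transport_room_gbps": 200},
    {"name": "emea", "ingress_gbps": 600, "peak_attack_gbps": 120, "transport_room_gbps": 400},
    {"name": "amer", "ingress_gbps": 1000, "peak_attack_gbps": 250, "transport_room_gbps": 500},
]

if __name__ == "__main__":
    plan = plan_global(SAMPLE_REGIONS)
    for p in plan["regions"]:
        flag = " (needs upstream/carrier help)" if p["needs_upstream_help"] else ""
        print(f"{p['region']}: min {p['minimum_gbps']} Gbps / "
              f"{p['minimum_pps'] / 1e6:.0f} Mpps, ideal {p['ideal_gbps']} Gbps{flag}")
    print(f"total minimum: {plan['total_minimum_gbps']} Gbps")
```

In the sample, APAC sees a 300 Gbps peak but only has 200 Gbps of transport room, so its node is sized at 200 Gbps and the remaining 100 Gbps is flagged as something to stop closer to the source, which is exactly the case for distributed or carrier-backed mitigation.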
What works well ?
(Columns: Attack type | Impact on Network / DC Service Provider | Impact on content owner | Effective mitigation technique)

Attack type: TCP State exhaustion
 − Impact on Network / DC Service Provider: Limited or nil
 − Impact on content owner: High – impacts all stateful devices in transit
 − Effective mitigation technique: Arrested by SP Cloud mitigation, if detected; on-premise CPE solutions are proactive

Attack type: Volumetric
 − Impact on Network / DC Service Provider: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – causes bandwidth choke-points depending on capacity, leading to collateral damage
 − Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
 − Effective mitigation technique: SP Cloud mitigation

Attack type: Application layer
 − Impact on Network / DC Service Provider: Tier-1/2/3 operator – limited or nil impact; DC service provider services such as IaaS are impacted, and the design should include protection against noisy-neighbour tenants
 − Impact on content owner: High – the weakest node breaks down
 − Effective mitigation technique: On-premise CPE solutions are effective; basic attacks are defended by SP Cloud mitigation techniques

Attack type: Reflective Amplification
 − Impact on Network / DC Service Provider: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – causes bandwidth choke-points depending on capacity, leading to collateral damage
 − Impact on content owner: High – impact from the network edge to the server edge; the weakest link fails
 − Effective mitigation technique: SP Cloud mitigation
HOW CAN TATA COMMUNICATIONS HELP?
WE CAN HELP PROTECT YOUR NETWORKS & YOUR CUSTOMERS AGAINST DDOS ATTACKS
SECURITY SERVICES AT TATA COMM
Multi-Platform Support
Security Operations Centers
Technology & Automation
Build and maintain a secure network
Protect Sensitive Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
• DDoS Detection & Mitigation
• Bluecoat Managed Proxy
• Professional Security Services
• Managed & Monitored Firewall-UTM
• Managed & Monitored IDS/IPS
• Log/Security Event Monitoring
• Managed Strong Authentication
• Network Based vUTM
• Zscaler web security/virtual Proxy
• Qualys Vulnerability Management
• Email Security & Postini Anti-Spam
Telephony Magazine 2014 – Leader for Network Services
Strength: Strong range of network security services
Scalable & Multi-tenant
India – Singapore
ISO 27001 Certified
SAS-70 Type I/II audited
Cisco MSCP Firewall - IDS - VPN
“Most Innovative Service Award”
Gartner Magic Quadrant
In 100+ countries
INTEGRATED MDDOS D&M SERVICES
POWERED BY TATA COMMUNICATIONS’ TIER 1 IP NETWORK
- 24% of the world’s Internet routes are on our network
- Only Tier 1 provider to feature in the Top 5 in 5 continents
- 99.7% of the world’s GDP can be reached using the Tata Communications’ Global Network
DDOS SCRUBBING FARM – GLOBAL DEPLOYMENT FOOTPRINT
[Map: DDoS scrubbing farms in the Americas, EMEA & APAC, plus proposed DDoS scrubbing farms]
ON-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 from within the TATA network
Mitigation
• SSOC analyst confirms the attack and contacts the customer POC
• Customer authorizes mitigation
• TATA activates the BGP session
• Multi-Gb attack traffic routes through TATA mitigation centers, and scrubbed traffic is returned to the destination over dedicated TATA IP egress via a GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, the original route is re-established & the ticket closed
[Diagram: DDoS attack from the public Internet enters via the TATA IP transit port; a flow sensor at the edge feeds the TATA SSOC; traffic is diverted to the TATA regional scrubbing farms and clean traffic is injected via GRE to the CE at the customer data center]
OFF-NET SERVICE
Detection
• TATA SSOC collecting/monitoring flow data 24/7 (assumes a flow sensor, router, IPS, etc. on the customer side)
Mitigation
• SSOC analyst confirms the attack and contacts the customer POC
• Customer authorizes mitigation and withdraws the existing route for the /24
• TATA activates the BGP session and announces the new route; the customer sends the /24
• Multi-Gb attack traffic routes through TATA mitigation centers, with scrubbed traffic returned to the destination over 3rd-party IP egress via a GRE tunnel
• Customer confirms application availability
• Once attack traffic stops, the original route is re-established & the ticket is closed
[Diagram: DDoS attack from the public Internet towards the customer data center behind a 3rd-party IP edge; a flow sensor feeds the TATA SSOC; traffic is diverted to the TATA regional scrubbing farms and clean traffic is injected via GRE to the CE]
DDoS attack Protection Services for Carriers
• Tata Communications offers detection of DDoS attacks on-net and off-net.
• Detects DDoS attack traffic proactively and directs it to the nearest scrubbing farm.
• Scrubbing farms are deployed across the globe, with high-capacity nodes in regions with heavy botnet activity, to mitigate attacks closer to the source and prevent an avalanche of attack traffic.
• Clean traffic can be delivered on a secure on-net tunnel to the carrier network edge *.
[Diagram: regional ISP/IXP customers and a regional carrier network reach the global Internet through the TCL network; DDOS defense drops attack traffic in the cloud and delivers clean traffic]
* - recommended option
Thank You
Have Questions ? Ask Now or Talk to our local
representatives
Marcin Raczkiewicz Marcin.Raczkiewicz@tatacommunications.com
Director, Global Carrier Services, Tata Communications - Poland
Konrad Czubak Konrad.Czubak@tatacommunications.com
Sr. Solutions Architect, Tata Communications - Poland

PLNOG15: DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali

  • 1. DDOS Attacks & Collateral Damage Can we avoid it ? Asraf Ali Head – Security & Network Engineering asraf.ali@tatacommunications.com Tata Communications
  • 2. Agenda  ○ DDOS attacks –What ? How ?Who ?  ○The Impact – Direct & indirect victims  ○The Collateral Damage Problem  ○ Global Industry Best Practices  ○ How canTata Communications help ?  ○ Q & A
  • 3.  Attempt to consume FINITE resources, exploit WEAKNESS in design, lack of Infra CAPACITY.  Affects service AVAILABILITY, thereby Denial of Service to legitimate user traffic.  Sourced from BOTNETs but triggered by C&C Servers and almost always DISTRIBUTED for significant effect.  Broadly classified as,  TCP State Exhaustion attacks –TCP SYN Floods  Volumetric attacks – UDP packet floods on well known ports  Reflective Amplification attacks – Based on DNS, NTP, SSDP…  Application layer attacks – HTTP, SIP etc. caused by LOIC, HOIC tool DDOS Attacks – What ? How ?
4. DDOS Attacks – Classified
   • TCP State exhaustion attacks
     − Exploit the stateful behavior of the TCP protocol
     − Exhaust resources in servers, reverse proxies and firewalls
     − The system runs out of memory/sockets
     − SYN, FIN, RST floods
   • Volumetric attacks
     − Exploit the stateless behavior of the UDP protocol
     − UDP-based floods from spoofed IPs generate heavy bps/pps traffic volume
     − Take out infra capacity – routers, switches, servers
   [Figure: Client sends SYN, SYN, …; Server answers SYN/ACK, SYN/ACK, …; repeated endlessly until the resources are exhausted]
5. DDOS Attacks – Classified
   • Reflective Amplification attacks
     − Exploit the amplification behavior of NTP, DNS, SSDP and SNMP protocols
     − Reflection and amplification make them easy to execute
     − Impact more than just the target
     − DNS, NTP and SSDP are the commonly used vectors
   • Application layer attacks
     − Low and slow in nature; target application instances and NOT infra
     − Exploit the scale and functionality of specific applications
     − HTTP GET/POST floods
     − LOIC, HOIC, Slowloris, etc. are easily available attack tools
   [Figure: Botnet sends spoofed REQ to open DNS/NTP/SNMP/SSDP services; the amplified RES is reflected onto the target victim]
6. DDOS Attacks – The Impact
   • InfoSec systems are built with the goal of maintaining Confidentiality, Integrity and Availability (CIA).
   • Confidentiality and Integrity are mostly addressed using encryption in data security solutions.
   • Availability is typically associated with eliminating points of failure in the design.
   • DDoS attacks are targeted and directly affect 'Availability'. Service Availability → Business Continuity.
   • Maintaining availability in the face of an attack proves the success of an InfoSec program.
   • An industry survey shows most organizations:
     − Do not have DDOS mitigation plans
     − Never stress-test their service stack to find shortcomings
7. Evolution of DDOS attacks (Source: Arbor Networks WISR)
   • DDoS attacks have evolved over two decades now
   • Peak attacks have grown 400% over the last couple of years
   • All of the largest observed attacks were caused by Reflective Amplification
8. Reflective Amplification attacks – A closer look
   • Due to their high magnitude (scaling up to 300+ Gbps) and impact on millions of users, these attacks are reported often in the press.
   • Requires the ability to spoof the IP address of the target host/network.
   • Most volumetric attacks generate high packet throughput (pps), but for reflective amplification attacks bandwidth (bps) is the key: they fill the pipes in transit and saturate network operator infra.
   • Two main characteristics:
     − Reflection – Spoofed requests (carrying the actual attack target as the source address) are sent from a botnet of hosts towards open, abusable services on the Internet; the amplified response is reflected back onto the attack target.
     − Amplification – A relatively small request generates a significantly larger response.
9. DDOS Attacks – Victims
   [Figure: Botnet → REQ with the target spoofed as SRC IP → open DNS/NTP/SSDP servers on the Internet → amplified response targeting the victim (content or e-commerce provider)]
   • Direct victims: 1. Content owner/provider
10. DDOS Attacks – Victims
   [Figure: as on slide 9, with the original victim hosted at a DC or cloud service provider]
   • Victims: 1. Service providers 2. DC/Cloud service provider 3. Content owner/provider
11. Collateral Damage Problem
   [Figure: converged network with Peer-1, Peer-2, Peer-3, IXP-A, IXP-B, a DC facility (DC & cloud services) and a 4G RAN (mobile broadband services)]
   • Converged network infrastructure
   • Supporting ISP, DC and mobile broadband services
12. Collateral Damage Problem
   [Figure: the same converged network under attack]
   • An attack targeting a service hosted in the DC facility
   • Impacts bystanders and other businesses sharing the same infrastructure
13. Reflective Amplification – Protocols used as attack vectors
   • Many protocols can be leveraged by attackers
   • DNS, NTP, SSDP, CHARGEN and SNMP are commonly observed
   • Amplification factors make it lethal (factors as cited in the deck; observed values vary with the query used and the reflector's configuration):

   Protocol | Port     | Amplification factor
   NTP      | UDP/123  | 600x
   DNS      | UDP/53   | 160x
   SSDP     | UDP/1900 | 30x
   CHARGEN  | UDP/19   | 18x
   SNMP     | UDP/161  | 800x
14. What makes it possible?
   • Failure to deploy network ingress filtering at the very edge – BCP 38 anti-spoofing using ACLs, uRPF or IP Source Verify.
   • Abusable services in the open Internet running on servers, home CPE devices, routers and other IoT devices.
   • Low difficulty of execution of such attacks; readily available attack tools.
   • Network operators not utilizing the best practices:
     − Not utilizing flow telemetry collection and analysis to detect attacks
     − Failure to proactively scan for and remediate abusable services
     − Failure to deploy DDOS attack detection, response and mitigation tools (source- or destination-based RTBH, flowspec for mitigation)
     − Not subscribing to an SP cloud-based DDOS attack detection and mitigation service
15. Best Practices for Network Operators – Don't be a part of the problem
   • Deploy anti-spoofing at network edges:
     − uRPF: strict mode at single-homed customer aggregation, loose mode at peering where return paths are asymmetric
     − DHCP snooping and IP Source Verify at the DC LAN access edge
     − Suitable mechanisms for cable/DOCSIS subscriber edges
     − Don't be a spoofing-friendly network; you will soon be blocked!
   • Proactively scan for and remediate abusable services, and block them if necessary to take them offline.
   • Check www.openntpproject.org and its equivalents to see if abusable services have been identified on your network, and take suitable action.
   • Do not give in to collateral damage; have a suitable process and system in place.
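The uRPF bullet above is the one that trips people up in practice: loose mode only asks "is there any route back to this source?", strict mode asks "is the best route back to this source via the interface the packet arrived on?". The following is an added example, not code from the deck or from Tata Communications; it evaluates both modes against a constructed FIB (prefixes, interface names and the policy function are assumptions) to show why strict mode belongs on single-homed customer edges and loose mode on peering edges.

```python
# Added example (not from the PLNOG15 deck): strict vs loose uRPF decisions
# against a constructed FIB, to show why strict mode fits single-homed customer
# edges and loose mode fits peering edges where return paths are asymmetric.
import ipaddress

# Constructed FIB: (prefix, outgoing interface). "Null0" models a discard route
# such as an RTBH entry. Longest-prefix match applies, as in a real router.
FIB = [
    ("0.0.0.0/0",       "peer1"),    # default route towards a transit peer
    ("198.51.100.0/24", "cust-a"),   # single-homed customer A
    ("203.0.113.0/24",  "cust-b"),   # single-homed customer B
    ("192.0.2.0/24",    "peer2"),    # learned from a peer via an IXP
    ("192.0.2.128/25",  "Null0"),    # blackholed sub-prefix (discard)
]

def lookup(src: str):
    """Longest-prefix match of the source address; returns (network, interface)."""
    ip = ipaddress.ip_address(src)
    best = None
    for pfx, ifname in FIB:
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best  # the default route guarantees a hit for any IPv4 source

def urpf_strict(src: str, ingress_if: str) -> bool:
    """Strict mode: the best route back to src must leave via the ingress interface."""
    _net, via = lookup(src)
    return via == ingress_if

def urpf_loose(src: str, ingress_if: str, allow_default: bool = False) -> bool:
    """Loose mode: src needs some non-discard route; the interface is not checked.
    As in vendor implementations, a match on the default route only passes when
    allow_default is set, otherwise bogon sources would always pass."""
    net, via = lookup(src)
    if via == "Null0":
        return False
    if net.prefixlen == 0:
        return allow_default
    return True

def edge_decision(src: str, ingress_if: str) -> str:
    """Assumed edge policy: strict on customer aggregation, loose on peering."""
    if ingress_if.startswith("cust-"):
        return "forward" if urpf_strict(src, ingress_if) else "drop-spoofed"
    return "forward" if urpf_loose(src, ingress_if) else "drop-unroutable"

if __name__ == "__main__":
    for src, ingress in [("198.51.100.7", "cust-a"), ("192.0.2.10", "cust-a"),
                         ("192.0.2.10", "peer1"), ("192.0.2.200", "peer1")]:
        print(src, "on", ingress, "->", edge_decision(src, ingress))
```

Note what the two modes do with a packet sourced from 192.0.2.10 (a peer's prefix) arriving on cust-a: strict drops it as spoofed, loose would forward it because a route exists. The same source arriving on peer1 while the best route points at peer2 is the asymmetric case that makes strict mode unusable at peering, which is exactly where loose mode still catches unroutable and blackholed sources.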
16. Building a DDoS attack defense system – Detection/Classification
   • Visibility is key for detection – you can only protect what you can see
   • Utilize flow telemetry exported from all network edges for attack detection and classification
   • Deploy a suitable anomaly-based DDoS attack detection solution
   • Monitor links across transit, peering, aggregation, service edge and DC access
   • Deploy in-line or SPAN-based monitoring in front of critical services for fine-grained, application-aware visibility and detection
   • No CAPEX budget? Subscribe to carrier DDOS protection services.
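What "detection and classification from flow telemetry" looks like in code, as an added example that is not part of the deck or of any vendor's product: the block below aggregates exported flow records per destination and labels the traffic with the categories from slides 3 to 5. The record layout, the eight flow records and the alert thresholds are all constructed for the example; a real feed would be NetFlow v9, IPFIX or sFlow carrying the same fields.

```python
# Added example (not from the PLNOG15 deck): classify attack traffic per target
# from exported flow records. Thresholds, field layout and the records themselves
# are constructed for illustration; a real feed would be NetFlow/IPFIX/sFlow.
from collections import defaultdict

# Constructed 10-second flow export:
# src,dst,proto,src_port,dst_port,packets,bytes,tcp_flags
FLOW_EXPORT = """\
192.0.2.1,198.51.100.10,udp,123,80,40000,19600000,0
192.0.2.2,198.51.100.10,udp,123,443,38000,18620000,0
192.0.2.3,198.51.100.10,udp,53,3389,30000,9600000,0
203.0.113.7,198.51.100.20,tcp,43211,443,200000,8000000,2
203.0.113.8,198.51.100.20,tcp,51000,443,150000,6000000,2
203.0.113.9,198.51.100.20,tcp,52000,443,50,30000,24
198.51.100.5,198.51.100.30,tcp,54000,443,1200,900000,24
203.0.113.50,198.51.100.40,udp,40000,7777,300000,120000000,0
"""
WINDOW_SECONDS = 10
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
BPS_ALERT = 10_000_000   # constructed: alert above 10 Mbit/s per destination
PPS_ALERT = 10_000       # constructed: alert above 10k packets/s per destination
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_flows(export: str):
    """Yield one dict per exported flow record."""
    for line in export.splitlines():
        src, dst, proto, sport, dport, pkts, nbytes, flags = line.split(",")
        yield {"src": src, "dst": dst, "proto": proto, "sport": int(sport),
               "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes),
               "flags": int(flags)}

def classify(export: str, window: int = WINDOW_SECONDS) -> dict:
    """Aggregate per destination and label the traffic with the deck's categories."""
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syn_only": 0,
                                   "reflected_bytes": 0, "vectors": set(), "srcs": set()})
    for f in parse_flows(export):
        d = per_dst[f["dst"]]
        d["pkts"] += f["pkts"]
        d["bytes"] += f["bytes"]
        d["srcs"].add(f["src"])
        # SYN without ACK: half-open handshakes, the TCP state exhaustion signature
        if f["proto"] == "tcp" and f["flags"] & TCP_SYN and not f["flags"] & TCP_ACK:
            d["syn_only"] += f["pkts"]
        # UDP sourced from a well-known service port: answers coming off reflectors
        if f["proto"] == "udp" and f["sport"] in REFLECTOR_PORTS:
            d["reflected_bytes"] += f["bytes"]
            d["vectors"].add(REFLECTOR_PORTS[f["sport"]])
    alerts = {}
    for dst, d in per_dst.items():
        bps = d["bytes"] * 8 / window
        pps = d["pkts"] / window
        if bps < BPS_ALERT and pps < PPS_ALERT:
            continue  # normal traffic level, no alert for this destination
        if d["reflected_bytes"] >= 0.8 * d["bytes"]:
            kind = "reflective_amplification"
        elif d["syn_only"] >= 0.8 * d["pkts"]:
            kind = "tcp_state_exhaustion"
        else:
            kind = "volumetric"
        alerts[dst] = {"kind": kind, "bps": int(bps), "pps": int(pps),
                       "avg_packet_bytes": d["bytes"] // d["pkts"],
                       "vectors": sorted(d["vectors"]), "sources": len(d["srcs"])}
    return alerts

if __name__ == "__main__":
    for dst, alert in classify(FLOW_EXPORT).items():
        print(dst, alert)
```

The average packet size is kept in the alert because it is the quickest sanity check on the label: reflected answers from NTP/DNS are large packets at high bps, a SYN flood is 40-byte packets at high pps, which is also the bps-versus-pps distinction slide 8 draws. Any SYN flood that carries spoofed sources will of course not be stopped by this classification alone; that is the anti-spoofing job of slide 15.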
17. Building a DDoS attack defense system – Mitigation Infra: Options
   • Flowspec – utilize BGP to inject ACLs or routing policy to filter or divert traffic.
   • Remote Triggered Blackholing (RTBH):
     − S/RTBH to block known bad sources
     − D/RTBH to blackhole the destination under attack, as a last resort (it completes the denial of service for that destination)
   • Deploy a commercial mitigation system to protect from any attacks
   • Build minimum capacity within and subscribe to carrier-based cloud mitigation services
   • Planning mitigation capacity – bandwidth:
     − Ideal mitigation capacity = total ingress network bandwidth
     − Minimum mitigation capacity = max attack size in the region, if the network transport has room to carry it
     − You can only mitigate what you can carry on your network
   • Planning mitigation capacity – throughput:
     − Volumetric attacks generate a high rate of packets; consider the hardware architecture
     − Ensure 1 million pps of capacity for every Gbps of mitigation capacity (line rate for 64-byte packets on 1 Gbit/s Ethernet is about 1.49 Mpps, so floods of minimum-size packets need more headroom still)
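The Flowspec and RTBH options are easiest to compare when rendered as the announcements an operator would actually push, so the following added example (not from the deck and not Tata Communications' tooling) turns a classified attack into ExaBGP-style Flowspec and RTBH route text. The detector output, the discard next-hop and the community handling are constructed; the textual syntax follows ExaBGP's flow and static route grammar as I remember it and is an assumption to check against the deployed version. The BLACKHOLE community 65535:666 is the one standardised in RFC 7999.

```python
# Added example (not from the PLNOG15 deck): turn a classified attack into
# BGP Flowspec (RFC 5575) and RTBH announcements as ExaBGP-style config text.
# The detector output, discard next-hop and neighbour are constructed; the
# syntax is assumed to match ExaBGP's flow/static grammar and must be verified.
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE well-known community
DISCARD_NEXT_HOP = "192.0.2.1"      # assumption: statically routed to Null0 on every edge router
REFLECTOR_PORTS = {"CHARGEN": 19, "DNS": 53, "NTP": 123, "SNMP": 161, "SSDP": 1900}

# Constructed detector output for a reflection attack on a single host
ATTACK = {
    "target": "198.51.100.10", "kind": "reflective_amplification",
    "vectors": ["DNS", "NTP"], "bps": 38_000_000,
    "sources": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],   # reflectors seen in telemetry
}

def flowspec_rule(attack: dict, rate_limit_bps: int = 0) -> str:
    """Flowspec rule that matches only the attack vector towards the target, so
    legitimate traffic to the same host keeps flowing. Returns an empty string for
    TCP state exhaustion, which the deck leaves to on-premise or cloud scrubbing."""
    kind = attack["kind"]
    if kind == "tcp_state_exhaustion":
        return ""
    # The deck's volumetric and reflective categories are both UDP floods
    match = [f"destination {attack['target']}/32;", "protocol udp;"]
    if kind == "reflective_amplification":
        ports = " ".join(f"={REFLECTOR_PORTS[v]}" for v in attack["vectors"])
        match.append(f"source-port {ports};")      # reflectors answer from their service port
        match.append("packet-length >512;")        # amplified answers are large packets
    action = "discard;" if rate_limit_bps == 0 else f"rate-limit {rate_limit_bps};"
    body = "\n".join(f"      {m}" for m in match)
    return (f"flow {{\n  route {{\n    match {{\n{body}\n    }}\n"
            f"    then {{\n      {action}\n    }}\n  }}\n}}")

def rtbh_routes(attack: dict, mode: str) -> list:
    """RTBH announcements. 'source' (S/RTBH) makes uRPF-loose edges drop packets
    from the listed sources; 'destination' (D/RTBH) finishes the denial of service
    for the target and is refused for anything wider than a single host."""
    if mode == "source":
        prefixes = [f"{s}/32" for s in attack["sources"]]
    elif mode == "destination":
        net = ipaddress.ip_network(attack["target"], strict=False)
        if net.prefixlen != 32:
            raise ValueError("D/RTBH limited to one host to avoid collateral damage")
        prefixes = [str(net)]
    else:
        raise ValueError(f"unknown RTBH mode {mode!r}")
    return [f"route {p} next-hop {DISCARD_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}];"
            for p in prefixes]

if __name__ == "__main__":
    print(flowspec_rule(ATTACK))
    print("\n".join(rtbh_routes(ATTACK, "source")))
    print("\n".join(rtbh_routes(ATTACK, "destination")))
```

The order in which an operator reaches for these matches the slide: a Flowspec match on source port and packet length removes the reflected traffic and nothing else, S/RTBH with a uRPF-loose edge cuts off the reflectors, and D/RTBH is only generated for the single /32 under attack because blackholing the covering /24 would turn a one-host outage into the collateral damage the deck is about.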
18. Building a DDoS attack defense system – Mitigation Infra: Planning and Scale-up
   • Build distributed mitigation systems.
   • Stop attack traffic closer to the source; do not allow it to converge.
   • Leverage botnet heat-maps for planning your mitigation capacity globally.
   • Utilize anycast routing to scrubbing farms for effective mitigation.
   • If you are a regional or local network operator:
     − Utilize carrier DDOS protection services
     − Build minimal mitigation capacity for offering services to the local enterprise market
19. What works well?
   • TCP State exhaustion
     − Impact on network / DC service provider: limited or nil
     − Impact on content owner: high – impacts all stateful devices in transit
     − Effective mitigation: arrested by SP cloud mitigation, if detected; on-premise CPE solutions are proactive
   • Volumetric
     − Impact on network / DC service provider: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – bandwidth choke-points depending on capacity, leading to collateral damage
     − Impact on content owner: high – impact from the network edge to the server edge; the weakest link fails
     − Effective mitigation: SP cloud mitigation
   • Application layer
     − Impact on network / DC service provider: Tier-1/2/3 operator – limited or nil impact; DC service provider services such as IaaS are impacted, and the design should include protection against noisy neighbors (tenants)
     − Impact on content owner: high – the weakest node breaks down
     − Effective mitigation: on-premise CPE solutions are effective; basic attacks are defended by SP cloud mitigation techniques
   • Reflective Amplification
     − Impact on network / DC service provider: Tier-1 operator – nil or limited impact on rare occasions; other DC and Tier-2/3 operators – bandwidth choke-points depending on capacity, leading to collateral damage
     − Impact on content owner: high – impact from the network edge to the server edge; the weakest link fails
     − Effective mitigation: SP cloud mitigation
20. How can Tata Communications help?
   We can help protect your networks and your customers against DDOS attacks.
21. Security Services at Tata Comm
   • Multi-platform support; Security Operations Centers; technology & automation
   • Build and maintain a secure network; protect sensitive data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; maintain an information security policy
   • Services: DDoS Detection & Mitigation; Bluecoat Managed Proxy; Professional Security Services; Managed & Monitored Firewall-UTM; Managed & Monitored IDS/IPS; Log/Security Event Monitoring; Managed Strong Authentication; Network Based vUTM; Zscaler web security/virtual proxy; Qualys Vulnerability Management; Email Security & Postini Anti-Spam
   • Credentials: Telephony Magazine 2014 – Leader for Network Services; strong range of network security services; scalable & multi-tenant; India – Singapore ISO 27001 certified; SAS-70 Type I/II audited; Cisco MSCP Firewall-IDS-VPN "Most Innovative Service Award"; Gartner Magic Quadrant; present in 100+ countries
22. Integrated MDDoS D&M Services powered by Tata Communications' Tier 1 IP Network
   • 24% of the world's Internet routes are on our network
   • Only Tier 1 provider to feature in the Top 5 in 5 continents
   • 99.7% of the world's GDP can be reached using the Tata Communications' Global Network
23. DDOS Scrubbing Farm – Global Deployment Footprint
   [Map: DDoS scrubbing farms in the Americas, EMEA & APAC, plus proposed scrubbing farms]
24. On-Net Service
   • Detection: TATA SSOC collects and monitors flow data 24/7 from within the TATA network
   • Mitigation:
     − SSOC analyst confirms the attack and contacts the customer POC
     − Customer authorizes mitigation
     − TATA activates the BGP session
     − Multi-Gb attack traffic is routed through TATA mitigation centers; scrubbed traffic is returned to the destination over dedicated TATA IP egress via a GRE tunnel
     − Customer confirms application availability
     − Once attack traffic stops, the original route is re-established and the ticket closed
   [Figure: Public Internet edge → TATA IP transit port → TATA regional scrubbing farms; flow sensor reports to the TATA SSOC; clean traffic injected via GRE to the CE at the customer data center]
25. Off-Net Service
   • Detection: TATA SSOC collects and monitors flow data 24/7 (assumes a flow sensor, router, IPS, etc. on the customer side)
   • Mitigation:
     − SSOC analyst confirms the attack and contacts the customer POC
     − Customer authorizes mitigation and withdraws its existing route for the /24
     − TATA activates the BGP session and announces the new route for the customer's /24 (a /24 is the longest IPv4 prefix generally propagated on the Internet, which is why diversion is done at that granularity)
     − Multi-Gb attack traffic is routed through TATA mitigation centers; scrubbed traffic is returned to the destination over 3rd-party IP egress via a GRE tunnel
     − Customer confirms application availability
     − Once attack traffic stops, the original route is re-established and the ticket is closed
   [Figure: Public Internet edge → 3rd-party IP → TATA regional scrubbing farms; flow sensor reports to the TATA SSOC; clean traffic injected via GRE to the CE at the customer data center]
26. DDoS attack Protection Services for Carriers
   • Tata Communications offers detection of DDoS attacks on-net and off-net.
   • Detects DDoS attack traffic proactively and directs it to the nearest scrubbing farm.
   • Scrubbing farms are deployed across the globe, with high-capacity nodes in regions with heavy botnet activity, to mitigate attacks closer to the source and prevent an avalanche of attack traffic.
   • Clean traffic can be delivered over a secure on-net tunnel to the carrier network edge (recommended option).
   [Figure: Regional ISP/IXP and regional carrier network with customers; attack traffic dropped in the TCL network DDOS defense cloud, clean traffic delivered]
27. Thank You. Have questions? Ask now or talk to our local representatives:
   • Marcin Raczkiewicz, Director, Global Carrier Services, Tata Communications - Poland, Marcin.Raczkiewicz@tatacommunications.com
   • Konrad Czubak, Sr. Solutions Architect, Tata Communications - Poland, Konrad.Czubak@tatacommunications.com