Fighting Malicious Intent
How Washington’s K-20 Network is responding to
denial of service attacks on school networks
2017 NCCE CONFERENCE
Fighting malicious intent: How Washington’s K-20 Network is responding to denial of service attacks on
school networks by OSPI is licensed under a Creative Commons Attribution 4.0 International License.
Based on a work at http://edtech.ospi.k12.wa.us/course/view.php?id=13.
Today’s presenters
Moderator: Dennis Small, Educational Technology Director, OSPI
Doug Mah, Outreach Coordinator, K-20 Program Office
Noah Pitzer, K-20 Operations Manager
Schyler Batey, UW/K-20 Network Architect
Agenda for Today
Brief Background on K-20 Network
K-20 and DDoS Mitigation
Q&A
What is the K-20 Education Network?
Established in State law in 1996 and operational in 1997
• Nation’s first statewide broadband education network connecting
higher education and K-12 schools.
• Operates under a hybrid provisioning model, where approximately
75% of the services and equipment are outsourced to the private
sector.
• Established a State revolving fund, into which all revenues are deposited
and from which all expenses are paid.
• Utilizes a funding model to include a state appropriation and a
customer co-pay model.
What are the strategic imperatives?
•Provide Broadband Access to Education Institutions Statewide
•Meet State Technology Standards
•Meet education service requirements
•Shared services governance
•Funding Model - State and local contribution
•Utilize Private Sector/Competitive Procurements
• Telecommunications Services
• Equipment
Over 400 K-20 Sites Connected
[Map of Washington counties showing connected sites. Legend: K-12 District/ESD; Community/Technical College; Public College/University; Public Library; Telemedicine Site; Tribal Education Center/Tribal College; Independent College/University; TVW; Washington State Historical Society]
• Roughly 280 K-12 districts and Educational Service Districts
• More than 2,000 K-12 schools and 57,000 classrooms
• Over 1.5 million students
K-20 40G Network: Gen 3 (2016)
Network Responsibilities
[Diagram of responsibilities; labels: K-20 Network Control (KOCO), District/Campus Routers, Institution Router, K-20 Data Equipment, K-20 Network, District/Campus Video Equipment, Codec & Video Equipment]
INSTITUTION ON-GOING COSTS
• Video maintenance & depreciation
• PCs & LANs
• Training
• Intra-district infrastructure
• ISP
K-20 ON-GOING COSTS
• Transport
• Operations
• Maintenance
• Depreciation
Current K-20 Add-On Services
• K-20 public IP addressing (IPv4 and IPv6)
• Access to Internet2
• K-20 MCU based H.323 video conferencing service
• DNS hosting at no additional cost
New K-20 Services
• MPLS based services
• Layer 3 VPNs
• Virtual Circuits
• New video conferencing services
• Self-scheduling/ad-hoc conferencing
• Enhanced desktop/mobile support
• Enhanced DDoS mitigation services
K-20 and DDoS Mitigation
•What is DDoS?
•Types of attacks
•Mitigation Methods
•What is K-20 doing?
Definitions
Denial of Service (DoS) - an interruption in an authorized
user’s access to a computer network, typically one caused
with malicious intent.
Distributed Denial of Service (DDoS) - an interruption in
an authorized user’s access to a computer network,
typically one caused with malicious intent sourced from
many locations.
Common Attack Types
•Exploits
•Protocol based attacks
•Volume based attacks
Exploits
•Attacks that take advantage of software bugs to gain access
to a system, or cause it to crash and become unusable
•Mitigation methods: patching, server hardening, IDS or IPS
•Impact is limited to the service targeted
Protocol based Attacks
•SYN floods
•Fills server/firewall state table to prevent new connections
from occurring
•Mitigation methods: firewalls, load balancers
•Impact to the service and possibly other services on the
local network
Normal TCP Operation
TCP SYN Flood
Volumetric Attacks
•Some botnet attacks
•Reflection attacks
•Fills up the pipe to prevent access to your network
from outside
•Can affect multiple adjacent and upstream
networks
Reflection Attack
Distributed Reflection Attack
Botnet Attack
Mitigating Volume-based DDoS attacks
•Networks such as K-20 typically focus on mitigating volume-based attacks, since these cannot be addressed by the end user
•Mitigation can be done through a local appliance (in-line or side-car) or a cloud based service
•These methods can sometimes be used on protocol-based attacks
Volume Attack against K20 network
What does K-20 do Today?
•Users contact K-20 NOC to report a problem
•K-20 NOC determines DDoS is in progress
•Flow Analysis tools are used to characterize the attack
•K-20 engineers apply a traffic filter on the customer’s port
to drop attack traffic
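The two attack signatures the deck describes (a SYN flood filling a state table, and a reflection flood filling the pipe) and the NOC workflow above (characterize the attack from flow data, then filter on the customer's port) can be shown together in a small flow analyzer. The example below is added here and is not K-20's tooling; the flow records, addresses and the list of reflector ports are constructed for illustration, and the suggested filter line is written in a generic router-ACL style rather than any particular vendor's syntax.

```python
"""Toy flow analyzer: characterize a DDoS from NetFlow-style records.

Added example, not K-20 code. It applies the two signatures the deck
describes (UDP reflection, TCP SYN flood) to constructed flow records
and proposes the kind of port-level filter a NOC would apply by hand.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str = ""  # TCP flags seen in the flow; "S" = SYN only


# UDP source ports commonly abused as reflectors (assumed list, not from the deck).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def find_victim(flows):
    """The destination receiving the most bytes is the presumed target."""
    inbound = Counter()
    for f in flows:
        inbound[f.dst] += f.nbytes
    return inbound.most_common(1)[0][0] if inbound else None


def characterize(flows, min_sources=5):
    """Return a report: victim, attack kind, key details and suggested filters."""
    victim = find_victim(flows)
    to_victim = [f for f in flows if f.dst == victim]
    total_bytes = sum(f.nbytes for f in to_victim)
    report = {"victim": victim, "kind": "none", "details": {}, "filters": []}

    # Signature 1 (volumetric): many distinct sources replying from a reflector
    # port with large packets, and that traffic dominating inbound volume.
    by_sport = defaultdict(list)
    for f in to_victim:
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            by_sport[f.sport].append(f)
    for sport, fl in by_sport.items():
        srcs = {f.src for f in fl}
        vol = sum(f.nbytes for f in fl)
        if len(srcs) >= min_sources and vol > 0.5 * total_bytes:
            report["kind"] = "reflection"
            report["details"] = {"service": REFLECTOR_PORTS[sport],
                                 "sources": len(srcs),
                                 "share": round(vol / total_bytes, 2)}
            # Dropping that source port toward the victim removes the flood
            # on the customer's port without touching other traffic.
            report["filters"].append(f"deny udp any eq {sport} host {victim}")
            return report

    # Signature 2 (protocol-based): many single-packet SYN-only flows to one port.
    syns = [f for f in to_victim if f.proto == "tcp" and f.flags == "S" and f.packets == 1]
    if syns:
        dport, n = Counter(f.dport for f in syns).most_common(1)[0]
        srcs = {f.src for f in syns if f.dport == dport}
        if len(srcs) >= min_sources and n > 0.5 * len(to_victim):
            report["kind"] = "syn_flood"
            report["details"] = {"dport": dport, "sources": len(srcs)}
            # A plain port ACL would also drop legitimate SYNs; per the deck
            # this belongs to a stateful device (firewall / load balancer).
            report["filters"].append(
                f"protect tcp host {victim} eq {dport} with stateful device")
            return report
    return report


def reflection_sample():
    """Constructed flows: two legitimate flows plus six NTP reflectors."""
    flows = [
        Flow("198.51.100.10", "203.0.113.5", "tcp", 51000, 443, 20, 15000, "SA"),
        Flow("198.51.100.20", "203.0.113.5", "udp", 53, 40001, 1, 120),
    ]
    for i in range(6):  # amplified replies to spoofed queries, ~47 KB each
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.5", "udp", 123, 40000 + i, 100, 46800))
    return flows


def syn_flood_sample():
    """Constructed flows: one legitimate session plus forty SYN-only flows."""
    flows = [Flow("198.51.100.10", "203.0.113.5", "tcp", 51000, 443, 20, 15000, "SA")]
    for i in range(40):
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.5", "tcp", 1024 + i, 443, 1, 60, "S"))
    return flows


if __name__ == "__main__":
    print(characterize(reflection_sample()))
    print(characterize(syn_flood_sample()))
```

The thresholds (at least five sources, more than half the victim's inbound volume or flow count) are deliberately crude; a real NOC tool would baseline each customer's normal traffic first. Note that the output for the reflection case is exactly a filter on the customer's port, matching the deck's manual workflow, while the SYN-flood case produces a recommendation rather than an ACL, since dropping all SYNs would itself deny service.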
What’s next for K-20
•Continue to mitigate volumetric attacks using manual flow
analysis combined with router access lists
•Evaluating appliance-based mitigation tools, both in-line
and redirect
•In-line device affected valid traffic – testing suspended
•Redirect-based products in testing now
•Production implementation planned for June 2017
Comparison of Methods

                    In-line                   Redirect        External
Time to Mitigation  Seconds                   1-2 minutes     10-15 minutes or more
Scale               Must match ISP bandwidth  Flexible        Huge
Complexity          Simple                    Fairly complex  Fairly simple
Initial capex       High                      High            Low
Ongoing opex        Low                       Moderate        Possibly huge
In-line Mitigation
•All traffic is sent through a mitigation appliance
•As attacks are identified, rules are put in place to drop attack packets
and allow normal traffic to flow through unimpeded
•Can be effective against protocol-based attacks as well as volume-based
•Device capacity must match bandwidth to ISP
•Failure or misbehavior affects all production traffic
•“Plug and Play” – as long as it works
DDoS Mitigation with Inline Device
Detection/Redirection to an Appliance
•Attacks are detected through traffic analysis via flow exports or network
taps
•When an attack is detected, the IP being attacked is redirected to a local
appliance
•“Clean” traffic is forwarded on to the customer – can add network
complexity
•Capacity can be scaled to the expected size of an attack, with alternate
methods for attacks beyond that scale
•Failure reduces ability to mitigate, but otherwise allows traffic to flow
DDoS Mitigation with Redirection
External Mitigation as a Service
•aka “in the Cloud”
•Customer’s traffic is redirected to a remote data center
•“Clean” traffic is returned via a dedicated circuit or tunnel
•Typically used only for volumetric attacks
•Costs can escalate with attack volume/frequency
•Several services charge by total IP space – bad model for
education community, especially universities
DDoS Mitigation – Cloud Service
Q&A
THANK YOU!
Q & A / Contact Information
• Dennis Small, OSPI, [email protected]
• Doug Mah, K-20, [email protected]
• Noah Pitzer, UW KOCO, [email protected]
• Schyler Batey, UW KOCO, [email protected]