Juniper Networks Customer Presentation
Solutions For Denial of Service (DoS) Minimization
Ian Quinn
APRICOT 2001
Kuala Lumpur, Malaysia
Agenda
- The Impact Of Denial of Service (DoS)
- Detecting And Minimising DoS
  - SMURF Attacks
  - SYN Attacks
- Infrastructure Requirements
- Proactive Measures
Popular Points Of Attack And Pressure
(Diagram: Data Center; Peering Points; Service Providers & Regional/National backbones; Customers On Access Circuits; Core Infrastructure)
Actual Targets
- Customers
- Datacenters
- ISP servers
- Infrastructure (eg routers)
Additional Pressure Points
- Access circuits
- Peering points
- Low bandwidth core links
Juniper Networks, Inc. Copyright © 2000 - Proprietary & Confidential
What Are The Threats To A Service Provider
- Disruption Of Customer Networks
  - Desirable to be able to assist customer
- Consumption Of Bandwidth
  - Lower bandwidth links susceptible
  - Often a big problem in Asia Pacific
- Network Stability
  - Frequently a problem for older platforms
  - Related to additional workload, and performance headroom
All Affect Service Delivered
Emergence Of Distributed Denial Of Service (DDoS)
- Targeted largely at servers
- Harnessed networks of compromised machines
Specific Impact Of DoS In Asia Pacific
(Diagram labels: Tier 1 Provider (three of them), United States, DoS Attack (two of them), Service Provider 1, Service Provider 2, Australia, Service Provider 3, New Zealand)
Impacts Of Security Incidents
- Customer service levels
  - Internet access, web farms, ecommerce
  - Especially if impact is repeated
- Support overhead
  - Especially in isolating and blocking Denial of Service (DoS) attacks
- Service provider reputation
- Service Level Agreement (SLA) breaches
  - SLA increasingly being offered
  - Multi-service networks change the game
- STRESS!!!
Generic Approach To DoS Attacks
- Use statistics to detect attack in progress
- Use sampling or logging to capture traffic for analysis
- Isolate attack
  - Attack type
  - Source (often difficult or impractical)
  - Destination
- Block or traceback the attack using filters
  - Filter on destination and protocols
  - Drop traffic or rate limit
Detecting Attacks
- Sudden changes in traffic profiles
  - Average packet size changes
  - Link utilisation increases
  - Traffic by destination address
  - Source address normally forged or distributed
- Generate alarms in response to changes
  - Alarm for closer human inspection
  - Overview easily available for NOC staff
  - Migrate to some level of automated response
Complicating Factors With DoS
- Distinguishing DoS traffic from normal usage
- Forged source address
  - More difficult to isolate and track attack
- Distributed attacks
  - Attack could enter from multiple points
  - Difficult to track back and shut down
- Blocking attacks that match valid traffic
  - Disruption of normal service
SMURF Attacks
- The attacker sends a broadcast ping to an intermediary subnet using a forged source address
- The forged source address belongs to the target of the attack
- The result is an over-burdened CPU on the target server and overutilized access trunks
(Diagram: Attacker's Work Station; Intermediary Hosts (Several on Same Subnet); Data Server)
Dealing With SMURF Attacks
- Detection is achieved by using the count action within firewall filters
- The filtering is achieved by changing the accept to a discard
- The log action assists in the tracing

    filter count-icmp {
        term a {
            from {
                destination-address {
                    10.1.1.0/24;
                }
                protocol icmp;
            }
            then {
                count icmp-counter;
                log;
                accept;
            }
        }
        term b {
            then accept;
        }
    }
Dealing With SMURF Attacks
- Once the filter is applied to the interface, you can view the firewall counters
- If the ICMP counter increments quickly, an attack is underway

    unit 0 {
        family inet {
            filter {
                output count-icmp;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark> show firewall
    Filter/Counter        Packet count    Byte count
    count-icmp
    icmp-counter          78516           5025000
Dealing with SMURF Attacks
- Stopping the attack is a matter of changing the accept action to a discard
- Discarding all ICMP traffic to the targeted host at the router closest to that host is not the most efficient approach
  - Bandwidth resources are still wasted
- Also apply this filter at the AS boundaries of the network where the targeted host resides
Where Did that SMURF Come From?
- Finding the bad guy is not easy
- View show firewall log to see source addresses of ICMP traffic; however, this step identifies only the intermediary, not the attacker
- Contact the owner of the intermediary and ask him to
  - Disable broadcast pings
  - Track back the pings to the attacker
SYN Attacks
- The attacker sends a stream of SYNs to the server under attack using a forged source address
- The forged source address is unused by anyone
- The result is over-burdened CPU and/or memory exhaustion on the target server and over-utilized access trunks
(Diagram: Attacker; Data Server)
SYN Attacks
Correct Three-way Handshake
    Client                          Server
      SYN -------------------------->
      <------------------------- SYN-ACK
      ACK -------------------------->
- During a SYN attack, the SYN-ACK never reaches the client
- Sockets remain open on the server
- The result is over-burdened CPU and/or memory exhaustion on the target server, and over-utilized access trunks
Dealing With SYN Attacks
- Detection is achieved by configuring a firewall filter to count TCP versus SYN traffic
- Tracing is achieved by leveraging the sampling capability to derive the incoming interface

    filter detect-syn-attack {
        term a {
            from {
                protocol tcp;
                tcp-flags syn;
            }
            then {
                count syn-packets;
                accept;
            }
        }
        term b {
            from {
                protocol tcp;
            }
            then {
                count tcp-packets;
                accept;
            }
        }
        /* A filter with no final accept term discards everything it did not match. */
        term c {
            then accept;
        }
    }
Details of the Detection Process
- Once the filter is applied to the interface, you can view the counters
- If the ratio of SYN to TCP is high (> 1:5), a SYN attack is underway

    unit 0 {
        family inet {
            filter {
                output detect-syn-attack;
            }
            address 10.10.10.1/24;
        }
    }

    root@ballpark# run show firewall
    Filter/Counter        Packet count    Byte count
    detect-syn-attack
    tcp-packets           289144          86743200
    syn-packets           56388           16916640
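The counter checks on the "Detecting Attacks", "Dealing With SMURF Attacks" and "Details of the Detection Process" slides are the kind of threshold test a NOC poller would run. The following is an added example, not code from the deck or from Juniper: it parses two successive captures of show firewall output, converts the cumulative counters into packets per second, and raises an alarm when the ICMP counter rises quickly or when the SYN:TCP ratio over the polling interval exceeds 1:5. The first capture reuses the counter names and values shown on the slides; the second capture, the 60 s polling interval and the ICMP packet-rate threshold are constructed for the example. Because term a of the deck's filter accepts SYNs before term b counts TCP, the tcp-packets counter holds only non-SYN TCP packets; the ratio is nevertheless taken exactly as the slide states it.

```python
"""Evaluate Junos 'show firewall' counters for the DoS signs in the slides.

Added example (not from the Juniper deck): it parses two successive captures
of 'show firewall' output, turns the cumulative counters into packets per
second, and applies the two tests the slides describe: an ICMP counter that
rises quickly (SMURF) and a SYN-to-TCP ratio above 1:5 (SYN flood).
"""
import re
from dataclasses import dataclass

# A counter line is "<counter-name>  <packet count>  <byte count>"; a line with
# a single word and no numbers is the name of the filter that owns the
# counters that follow it.
COUNTER_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")
FILTER_RE = re.compile(r"^\s*([\w-]+)\s*$")

# Constructed sample captures, 60 s apart. The first uses the counter names
# and values shown in the slides; the second is invented to show an attack.
POLL_1 = """\
Filter/Counter        Packet count    Byte count
count-icmp
icmp-counter          78516           5025000
detect-syn-attack
tcp-packets           289144          86743200
syn-packets           56388           16916640
"""
POLL_2 = """\
Filter/Counter        Packet count    Byte count
count-icmp
icmp-counter          198516          12705000
detect-syn-attack
tcp-packets           319144          95743200
syn-packets           68388           20516640
"""
POLL_INTERVAL_S = 60


@dataclass
class Alarm:
    filter_name: str
    counter: str
    reason: str
    value: float


def parse_show_firewall(text):
    """Return {(filter, counter): (packets, bytes)} from 'show firewall' output."""
    counters = {}
    current_filter = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Filter/Counter"):
            continue
        m = COUNTER_RE.match(line)
        if m and current_filter:
            counters[(current_filter, m.group(1))] = (int(m.group(2)), int(m.group(3)))
            continue
        f = FILTER_RE.match(line)
        if f:
            current_filter = f.group(1)
    return counters


def packet_rates(before, after, interval_s):
    """Packets per second for each counter between two polls. A counter that
    went backwards (cleared with 'clear firewall' in between) is treated as
    having restarted from zero rather than producing a negative rate."""
    rates = {}
    for key, (pkts_after, _) in after.items():
        pkts_before = before.get(key, (0, 0))[0]
        delta = pkts_after - pkts_before
        if delta < 0:
            delta = pkts_after
        rates[key] = delta / interval_s
    return rates


def check_counters(before, after, interval_s, icmp_pps_threshold=1000.0,
                   syn_ratio_threshold=0.2):
    """Apply the two heuristics from the slides and return Alarm records."""
    alarms = []
    rates = packet_rates(before, after, interval_s)
    # SMURF sign: the ICMP counter 'increments quickly'. The threshold is a
    # constructed value; tune it to the link and its normal ICMP load.
    for (flt, ctr), pps in rates.items():
        if "icmp" in ctr and pps > icmp_pps_threshold:
            alarms.append(Alarm(flt, ctr, "icmp rate", pps))
    # SYN-flood sign: SYN:TCP above 1:5 over the polling interval. In the
    # slides' filter the SYN term accepts first, so 'tcp-packets' holds only
    # the non-SYN TCP packets; the ratio is taken exactly as the slide states.
    for (flt, ctr), syn_pps in rates.items():
        if ctr != "syn-packets" or syn_pps == 0:
            continue
        tcp_pps = rates.get((flt, "tcp-packets"), 0.0)
        ratio = syn_pps / tcp_pps if tcp_pps else float("inf")
        if ratio > syn_ratio_threshold:
            alarms.append(Alarm(flt, ctr, "syn ratio", ratio))
    return alarms


if __name__ == "__main__":
    before = parse_show_firewall(POLL_1)
    after = parse_show_firewall(POLL_2)
    for a in check_counters(before, after, POLL_INTERVAL_S):
        print(f"ALARM {a.filter_name}/{a.counter}: {a.reason} = {a.value:.2f}")
```

Working from the difference between two polls rather than from the cumulative totals matters in practice: a counter that has been running for days will hide a flood that started a minute ago, and a counter cleared by an operator would otherwise produce a negative rate.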
Dealing with SYN Attacks
- Stopping the attack is usually not an option
  - If the attack is not distributed, you can change the accept action to discard and apply it to the ingress of all AS boundary routers
  - If the attack is distributed, filtering SYNs also effectively shuts down the server
- Tracing the attack requires co-operation with peers of the network under attack
  - Examining the sampled output reveals the incoming interface
  - Repeat this process until the source is found
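The tracing step above, "examining the sampled output reveals the incoming interface", as an added example that is not part of the deck or Juniper's own tooling. It assumes the router's sampled packet records have already been decoded into Python dicts with the fields shown in SAMPLES (source, destination, protocol, TCP flags, ingress interface); the target address, the sources, the interface names and the sampling rate are all constructed. Since the source addresses are forged, the records are grouped by ingress interface rather than by source, which is what tells the NOC which peer to contact next.

```python
"""Locate the ingress interface of a SYN flood from sampled traffic.

Added example (not from the Juniper deck). It assumes sampled packet records
have already been decoded into dicts with the fields shown in SAMPLES; the
addresses, interface names and sampling rate are constructed.
"""
from collections import Counter

TARGET = "10.10.10.20"   # constructed: the server under attack

# Constructed sample records, one per sampled packet.
SAMPLES = [
    {"src": "203.0.113.7",  "dst": TARGET,        "proto": "tcp", "flags": "S",  "iif": "so-0/0/0.0"},
    {"src": "198.51.100.9", "dst": TARGET,        "proto": "tcp", "flags": "S",  "iif": "so-0/0/0.0"},
    {"src": "192.0.2.44",   "dst": TARGET,        "proto": "tcp", "flags": "S",  "iif": "so-0/0/0.0"},
    {"src": "192.0.2.45",   "dst": TARGET,        "proto": "tcp", "flags": "S",  "iif": "so-0/0/0.0"},
    {"src": "198.51.100.3", "dst": TARGET,        "proto": "tcp", "flags": "S",  "iif": "so-1/0/0.0"},
    {"src": "203.0.113.9",  "dst": TARGET,        "proto": "tcp", "flags": "PA", "iif": "so-1/0/0.0"},
    {"src": "203.0.113.9",  "dst": "10.10.10.21", "proto": "tcp", "flags": "S",  "iif": "so-1/0/0.0"},
    {"src": "198.51.100.3", "dst": TARGET,        "proto": "udp", "flags": "",   "iif": "so-1/0/0.0"},
]


def is_syn_to(rec, target):
    """True for a TCP packet with SYN set and ACK clear addressed to target,
    i.e. a connection attempt rather than a SYN-ACK reply."""
    return (rec["dst"] == target and rec["proto"] == "tcp"
            and "S" in rec["flags"] and "A" not in rec["flags"])


def syn_by_ingress(records, target):
    """Sampled SYNs to target per ingress interface, busiest interface first."""
    counts = Counter(r["iif"] for r in records if is_syn_to(r, target))
    return counts.most_common()


def distinct_sources(records, target):
    """Number of distinct (probably forged) sources seen sending SYNs to target."""
    return len({r["src"] for r in records if is_syn_to(r, target)})


def estimated_pps(records, target, sample_rate, interval_s):
    """Scale the sampled SYN count back up by the 1-in-N sampling rate."""
    n = sum(1 for r in records if is_syn_to(r, target))
    return n * sample_rate / interval_s


def classify(records, target, share=0.75):
    """Return (verdict, interfaces): 'single' when one interface carries at
    least `share` of the sampled SYNs, 'distributed' when the SYNs arrive
    over several interfaces, 'none' when no SYNs to target were sampled."""
    ranked = syn_by_ingress(records, target)
    total = sum(n for _, n in ranked)
    if total == 0:
        return "none", []
    top_iface, top_n = ranked[0]
    if top_n / total >= share:
        return "single", [top_iface]
    return "distributed", [iface for iface, _ in ranked]


if __name__ == "__main__":
    verdict, ifaces = classify(SAMPLES, TARGET)
    print(f"{verdict} entry via {ifaces}; "
          f"{distinct_sources(SAMPLES, TARGET)} distinct sources; "
          f"~{estimated_pps(SAMPLES, TARGET, sample_rate=1000, interval_s=10):.0f} SYN/s")
```

When the verdict is "single", the interface named is the one whose upstream peer should be asked to repeat the exercise on their side; when it is "distributed", the slide's warning applies and filtering SYNs at the boundary will also cut off the server's legitimate clients.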
Infrastructure Requirements
- Sufficient forwarding capacity in times of stress
  - Large numbers of small packets
- Filtering to detect and block attacks
  - Filter on significant ICMP/IP/TCP/UDP fields
  - Implement consistently on all interface types, including logical interfaces (eg VLAN)
  - Sufficient performance to permit NOC to enable
- Rate limiting
  - Rate limit based on significant ICMP/IP/TCP/UDP fields
  - Sufficient performance to permit NOC to enable
- Sampling and logging for additional insight
Pro-active Approaches
(Diagram: Attack; Switch; Host)
- More reliable and secure network
- Policy at AS boundaries to detect and minimize the effects of DoS attacks
- Warn NOCs when thresholds are exceeded, and update configurations using scripts to discard the attack
Proactive Planning
- Establish procedures for detecting security events
- Pre-plan response
  - Techniques for isolating problem, tracking it through the network to a source
  - Standard responses to alleviate impact to service
- Train staff and practice
- Document and update a security policy
Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
- Available from http://www.juniper.net/techcenter
Thank You
[email protected]
http://www.juniper.net
Proactive Measures
(Diagram: Data Center; Peering Points; Service Providers & Regional/National backbones; Customers On Access Circuits; Core Infrastructure)
Areas requiring attention
- Core routers (protect)
- Customer access links (protect, and protect from)
- Datacenters & ISP servers (protect)
- Peering (protect, and protect from)
Securing The Core Routers
(Diagram: Core Infrastructure, with callouts Performance; Authenticated protocols; Services; Secure mgmt access)
- Performance headroom
  - What happens when the going gets tough!
  - Protect the route processing capability
- Secure mgmt access
  - Authentication
  - Private access
  - Multi-level access authorisation
Protecting Data Center And Hosts
(Diagram: Core; Core)
- Permit only relevant traffic
  - Prevent traffic overwhelming server capacity
  - For example, http, https, icmp echo request
  - Drop traffic before it hits the server
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop
Securing Customer Access Links
(Diagram: Access Layer (ATM/FR, T1, E1, DS1, OC-3, STM-1c, OC-3/12 ATM, ChDS3, ChOC-12); TDM Backhaul Infrastructure; IP Core; Optical Core)
- Limit traffic coming into the network from customers
  - Legitimate IP source addresses
  - Legitimate route announcements
  - Maybe rate limit ICMP
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop
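The two ingress controls on the "Securing Customer Access Links" slide, legitimate source addresses and an ICMP rate limit, expressed as policy logic in an added example that is not part of the deck or Juniper's own code. On a router these would be a source-address filter and a policer on the customer-facing interface; the example simulates that policy so the behaviour can be seen on a trace. The customer's prefixes, the policer rate and burst, and the packet trace are all constructed; any packet whose source lies outside the customer's prefixes is discarded as forged before it reaches the policer.

```python
"""Ingress checks for a customer access link: legitimate source addresses and
an ICMP rate limit. Added example (not from the Juniper deck): the customer
prefixes, the policer parameters and the packet trace are all constructed.
"""
import ipaddress

# Constructed: prefixes assigned to the customer behind this access link.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]


def legitimate_source(src, prefixes=CUSTOMER_PREFIXES):
    """True if src lies inside one of the customer's prefixes; anything else
    arriving on this link carries a forged or misrouted source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


class TokenBucket:
    """Single-rate policer: `rate_pps` packets per second with a bucket depth
    of `burst` packets. Timestamps are integer milliseconds."""

    def __init__(self, rate_pps, burst):
        self.rate_pps = rate_pps
        self.burst = burst
        self.tokens = float(burst)
        self.last_ms = 0

    def allow(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate_pps / 1000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def ingress_policy(packets, icmp_policer):
    """Apply the link policy to a trace of (time_ms, src, proto) tuples and
    return how many packets fell into each verdict."""
    verdicts = {"accept": 0, "spoofed": 0, "icmp-exceeded": 0}
    for t_ms, src, proto in packets:
        if not legitimate_source(src):
            verdicts["spoofed"] += 1          # forged source: discard at the edge
        elif proto == "icmp" and not icmp_policer.allow(t_ms):
            verdicts["icmp-exceeded"] += 1    # over the ICMP policer: discard
        else:
            verdicts["accept"] += 1
    return verdicts


def build_trace():
    """Constructed trace: 5 legitimate TCP packets, 3 packets with sources
    outside the customer's prefixes, then 20 ICMP packets 5 ms apart."""
    trace = [(i * 10, "192.0.2.10", "tcp") for i in range(5)]
    trace += [(50, "10.20.30.40", "tcp"), (60, "203.0.113.5", "udp"), (70, "172.16.0.9", "icmp")]
    trace += [(100 + i * 5, "198.51.100.7", "icmp") for i in range(20)]
    return sorted(trace)


if __name__ == "__main__":
    # 100 ICMP packets/s with a burst of 4 against a 200 packets/s ICMP burst.
    print(ingress_policy(build_trace(), TokenBucket(rate_pps=100, burst=4)))
```

The policer parameters deserve the same care as the SYN threshold: set too low, the ICMP limit also drops the customer's legitimate echo requests and path-MTU messages; the source-address check, by contrast, has no false positives as long as the prefix list matches what the customer is actually assigned.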