Juniper Networks Customer Presentation


Strategies For Managing Denial Of Service
Ian Quinn
APRICOT 2002
Bangkok, Thailand
Agenda
The Impact Of Denial of Service (DoS)
Issues Complicating DoS Management
Network Architecture
Proactive Measures
Detection & Management
Summary
What Are The Threats To A Service Provider
- Disruption Of Customer Networks
  - Desirable to be able to assist customer
- Consumption Of Bandwidth
  - Lower bandwidth links susceptible
  - Often a big problem in Asia Pacific
- Network Stability
  - Frequently a problem for older platforms
  - Related to additional workload and performance headroom
- All Affect Service Delivered
Juniper Networks, Inc. Copyright © 2002 - Proprietary & Confidential
Popular Points Of Attack And Pressure
[Diagram: data center, peering points, service providers and regional/national backbones, customers on access circuits, core infrastructure]
Actual Targets
- Customers
- Datacenters
- ISP servers
- Infrastructure (eg routers)
Additional Pressure Points
- Access circuits
- Peering points
- Low bandwidth core links
Specific Impact Of DoS In Asia Pacific
[Diagram: DoS attack traffic from Tier 1 providers in the United States reaching Asia Pacific Service Providers 1, 2 and 3]
Impacts Of Security Incidents
- Customer service levels
  - Internet access, web farms, ecommerce
  - Especially if impact is repeated
- Support overhead
  - Especially in isolating and blocking Denial of Service (DoS) attacks
- Service provider reputation
  - Service Level Agreement (SLA) breaches
  - SLA increasingly being offered
  - Multi-service networks change the game
- Operations stress
Forged Source Address
[Diagram: an attacker sends traffic to Customer 1 (victim) using forged source addresses taken from the prefixes of Customer 2 and Customer 3: 10.1.1.1, 10.2.2.2, 192.168.1.1, 192.168.2.2]
- More difficult to isolate and trace back attack
- Use of randomised source addresses prevents identification of specific source / destination blocks
Distributed DoS Attacks
[Diagram: attack traffic arriving through Peer 1, Peer 2 and Peer 3]
- Attacker compromises hosts in multiple networks, using them to launch a coordinated attack
- Attack can’t simply be stopped at one point
Distinguishing DoS Traffic
[Diagram: data center behind service providers and regional/national backbones]
- Attack traffic often looks like valid traffic
- Blocking all traffic matching attack profile often increases the impact
Asymmetric Routing
[Diagram: Peer 1, Peer 2 and Peer 3]
- Even if the attack packet is not source spoofed, the network’s path to a particular destination isn’t necessarily how it came
Upstream Peers
[Diagram: data center behind service providers and regional/national backbones]
- Traceback through peers is generally difficult
  - Operational interfaces, upstream capabilities
- Often necessary to relieve peering bandwidth congestion
Proactive Measures
[Diagram: data center, peering points, service providers and regional/national backbones, customers on access circuits, core infrastructure]
Areas requiring attention
- Core routers (protect)
- Customer access links (protect, and protect from)
- Datacenters & ISP servers (protect)
- Peering (protect, and protect from)
Peering Points
[Diagram: peering connections between service providers and regional/national backbones and the core infrastructure]
Important point for enabling:
- Detecting changes in traffic, eg statistics
- Sampling of traffic
- Tracing back traffic to peers
- Blocking or rate limiting traffic
- Proactive measures, eg rate limit ICMP
Securing The Core Routers
[Diagram: core infrastructure]
- Performance headroom
  - What happens when the going gets tough!
- Protect the route processing capability
  - Performance
  - Authenticated protocols
  - Services
- Secure mgmt access
  - Authentication
  - Private access
  - Multi-level access authorisation
Protecting Data Center And Hosts
[Diagram: data center hosts connected to the core]
- Permit only relevant traffic
  - For example, http, https, icmp echo request
- Prevent traffic overwhelming server capacity
  - Drop traffic before it hits the server
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop
Securing Customer Access Links
[Diagram: access layer (ATM/FR, T1, E1, DS1, OC-3, STM-1c) into TDM backhaul infrastructure (OC-3/12 ATM, DS1, OC-3, E1, ChDS3, ChOC-12), optical core and IP core]
- Limit traffic coming into the network from customers
  - Legitimate IP source addresses
  - Legitimate route announcements
  - Maybe rate limit ICMP
- Reactive filtering to limit impact of DoS
  - Detect, isolate and drop
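An added illustration of the "legitimate IP source addresses" and "legitimate route announcements" checks above, and of the forged-source problem described on the earlier slide: an ingress audit written for this transcript, not code from Juniper or from the presentation. The customer names, assigned prefixes and sampled packets are constructed.

```python
import ipaddress

# Constructed customer table (not from the presentation): the prefixes each
# customer has been assigned and may legitimately source traffic from.
CUSTOMER_PREFIXES = {
    "customer-1": ["10.1.1.0/24", "192.168.1.0/24"],
    "customer-2": ["10.2.2.0/24", "192.168.2.0/24"],
}

# Constructed (customer access link, source address) pairs as seen at ingress.
# 10.2.2.2 on customer-1's link is a forged source belonging to customer-2.
PACKETS = [
    ("customer-1", "10.1.1.7"), ("customer-1", "192.168.1.9"),
    ("customer-1", "10.2.2.2"), ("customer-1", "203.0.113.5"),
    ("customer-2", "10.2.2.2"),
]

def build_ingress_policy(customer_prefixes):
    """Return {customer: [ip_network, ...]} ready for membership tests."""
    return {c: [ipaddress.ip_network(p) for p in ps]
            for c, ps in customer_prefixes.items()}

def source_permitted(policy, customer, src_addr):
    """True if src_addr lies inside one of the customer's assigned prefixes."""
    addr = ipaddress.ip_address(src_addr)
    return any(addr in net for net in policy.get(customer, []))

def audit_ingress(policy, packets):
    """Count, per customer, the packets an ingress source filter would pass
    or drop, and record the forged source addresses for follow-up."""
    report = {}
    for customer, src in packets:
        entry = report.setdefault(
            customer, {"permitted": 0, "forged": 0, "forged_srcs": set()})
        if source_permitted(policy, customer, src):
            entry["permitted"] += 1
        else:
            entry["forged"] += 1
            entry["forged_srcs"].add(src)
    return report

def route_announcement_permitted(policy, customer, prefix):
    """Accept an announced prefix only if an assigned prefix covers it; the
    same table therefore doubles as the import prefix-list for the customer."""
    net = ipaddress.ip_network(prefix)
    return any(a.version == net.version and net.subnet_of(a)
               for a in policy.get(customer, []))

if __name__ == "__main__":
    policy = build_ingress_policy(CUSTOMER_PREFIXES)
    for customer, entry in audit_ingress(policy, PACKETS).items():
        print(customer, entry)
```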
Operational
- Establish procedures for detecting security events
- Pre-plan response
  - Techniques for isolating problem, tracking it through the network to a source
  - Standard responses to alleviate impact to service
  - Train staff and practice
- Document and update a security policy
Generic Approach To DoS Attacks
- Use statistics to detect attack in progress
- Use sampling or logging to capture traffic for analysis
- Isolate attack
  - Attack type
  - Source (often difficult or impractical)
  - Destination
- Minimise the impact of the attack
  - Filter on destination and protocols
  - Drop traffic or rate limit
  - Carry traffic with a lower class of service
Detecting Attacks
- Customer logging fault call
  - Historically most often detected this way
- Sudden changes in traffic profiles
  - Average packet size changes
  - Link utilisation increases
  - Traffic by destination address
  - Source address normally forged or distributed
- Packet inspection
- Generate alarms in response to changes
  - Alarm for closer human inspection
  - Overview easily available for NOC staff
  - Migrate to some level of automated response
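The traffic-profile checks listed above (average packet size, link utilisation) as an added example that is not from the presentation: a few quiet intervals of interface counters are used as a baseline, and later intervals raise an alarm for human inspection when they drift. The link speed, polling interval and counter values are constructed.

```python
from statistics import mean

# Constructed per-interval (bytes, packets) deltas for one 155 Mbit/s link
# (not data from the presentation). The last two intervals model a flood of
# small packets: utilisation jumps while the average packet size collapses.
LINK_BPS = 155_000_000
INTERVAL_S = 60
SAMPLES = [
    (350_000_000, 580_000), (360_000_000, 600_000), (340_000_000, 570_000),
    (355_000_000, 590_000), (345_000_000, 575_000),
    (1_050_000_000, 17_000_000), (1_080_000_000, 17_500_000),
]

def interval_stats(byte_count, pkt_count, interval_s=INTERVAL_S, link_bps=LINK_BPS):
    """Average packet size (bytes) and link utilisation (0..1) for one interval."""
    return {
        "avg_pkt_size": byte_count / pkt_count if pkt_count else 0.0,
        "utilisation": byte_count * 8 / interval_s / link_bps,
    }

def baseline(samples):
    """Mean profile over intervals known to be quiet."""
    stats = [interval_stats(b, p) for b, p in samples]
    return {k: mean(s[k] for s in stats) for k in ("avg_pkt_size", "utilisation")}

def check_interval(sample, base, util_limit=0.8, size_drift=0.4):
    """Alarm strings for one interval; an empty list means no change of note.
    Thresholds (80% utilisation, 40% packet-size drift) are illustrative."""
    s = interval_stats(*sample)
    alarms = []
    if s["utilisation"] > util_limit:
        alarms.append("link-utilisation %.0f%%" % (100 * s["utilisation"]))
    ref = base["avg_pkt_size"]
    drift = abs(s["avg_pkt_size"] - ref) / ref if ref else 0.0
    if drift > size_drift:
        alarms.append("avg-pkt-size %.0fB (baseline %.0fB)" % (s["avg_pkt_size"], ref))
    return alarms

def scan(samples, n_baseline=5):
    """Baseline on the first n intervals, then report alarms for the rest."""
    base = baseline(samples[:n_baseline])
    return [(i, check_interval(smp, base))
            for i, smp in enumerate(samples[n_baseline:], n_baseline)]

if __name__ == "__main__":
    for idx, alarms in scan(SAMPLES):
        print(idx, alarms or "normal")
```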
Isolating Attack
- Filters allow
  - Concentrate on packets of interest
  - Destination address useful
  - Incoming interface allows traceback through network
- Automate isolation from sampled traffic
  - Sampled traffic files
  - Cflow/Netflow
  - Mirror to interface connected to analyser / probe

scapshaw@ballpark> file show /var/tmp/sampled-pkts
Time              Dest addr      Src addr       Dest port  Src port  Proto  TOS  Pkt len  Intf num  IP frag  TCP flags
Sept 27 5:48:54   192.168.9.194  192.168.9.195  1075       999       1      0x0  84       8         0x0      0x2
Sept 27 15:48:55  192.168.9.194  192.168.9.195  1075       999       1      0x0  84       8         0x0      0x2
Sept 27 15:48:56  192.168.9.194  192.168.9.195  1075       999       1      0x0  84       8         0x0      0x2
Sept 27 15:48:57  192.168.9.194  192.168.9.195  1075       999       1      0x0  84       8         0x0      0x2
Sept 27 15:48:58  192.168.9.194  192.168.9.195  1075       999       1      0x0  84       8         0x0      0x2
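An added example, not from the presentation, of automating the isolation step over a file in the layout of the sampled-packet output above: it parses the records, ranks destinations by sample count, and for the busiest one reports the incoming interface (the traceback hook) and how many distinct sources were seen. The records are constructed in that layout, with one ordinary flow added for contrast.

```python
from collections import Counter

# Constructed records in the column layout of the JUNOS sampled-packet file
# shown on the slide; not a capture from the presentation.
SAMPLED = """\
# Time           Dest addr     Src addr      Dport Sport Proto TOS Len  Intf Frag TCPflags
Sept 27 15:48:54 192.168.9.194 192.168.9.195 1075  999   6     0x0 84   8    0x0  0x2
Sept 27 15:48:55 192.168.9.194 192.168.9.195 1075  999   6     0x0 84   8    0x0  0x2
Sept 27 15:48:56 192.168.9.194 10.0.0.7      1075  999   6     0x0 84   8    0x0  0x2
Sept 27 15:48:57 192.168.9.194 172.16.4.9    1075  999   6     0x0 84   8    0x0  0x2
Sept 27 15:48:58 192.168.9.200 192.168.9.195 80    40001 6     0x0 1500 3    0x0  0x18
"""

def parse_sampled(text):
    """One dict per record; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()   # f[0:3] is the timestamp, the rest fixed columns
        records.append({
            "time": " ".join(f[0:3]),
            "dst": f[3], "src": f[4],
            "dport": int(f[5]), "sport": int(f[6]), "proto": int(f[7]),
            "tos": int(f[8], 16), "length": int(f[9]), "intf": int(f[10]),
            "frag": int(f[11], 16), "tcp_flags": int(f[12], 16),
        })
    return records

def isolate(records, top=1):
    """Rank destinations by sample count; for each of the top ones, list the
    input interfaces (with counts), protocols and the number of distinct
    sources, since a wide source spread suggests forged or distributed sources."""
    by_dst = Counter(r["dst"] for r in records)
    result = {}
    for dst, n in by_dst.most_common(top):
        hits = [r for r in records if r["dst"] == dst]
        result[dst] = {
            "samples": n,
            "intfs": sorted(Counter(r["intf"] for r in hits).items()),
            "protos": sorted({r["proto"] for r in hits}),
            "distinct_srcs": len({r["src"] for r in hits}),
        }
    return result

if __name__ == "__main__":
    for dst, info in isolate(parse_sampled(SAMPLED)).items():
        print(dst, info)
```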
Dropping Attack Traffic
[Diagram: Peer 1, Peer 2 and Peer 3]
- Blocking traffic often increases the impact on target
- Reduces damage to other customers
- Blocking closer to the source minimises impact
Rate Limiting
[Diagram: Peer 1, Peer 2 and Peer 3]
- Rate limit traffic matching attack profile
  - Reduces congestion
  - Still affects some valid traffic
  - Best implemented as close to source as possible
  - Ensures some level of service is still provided (some packets get through)
Class Of Service
[Diagram: Peer 1, Peer 2 and Peer 3]
- Lower the Class of Service for traffic matching attack profile
  - Manages service levels during congestion
  - Still affects some valid traffic
  - Best implemented as close to source as possible
  - Delivers as much matching traffic as possible, while minimising impact on others
Infrastructure Requirements
- Filtering, Rate Limiting, Sampling, Class of Service
  - Enable without compromising throughput
  - Consistent capability across all interfaces
  - Wide range of filter match options
  - No inherent limitations (eg terms per filter)
- Easy access to statistics and configuration
- Be able to implement throughout network
  - Peering, customer access, datacenter, core
- Router itself must be hardened from attack
Additional Steps
[Diagram: a detection probe and specialised management attached to the service providers and regional/national backbones]
- Probes potentially allow higher level of traffic inspection
- Specialised management tools can correlate statistics from multiple sources and highlight single event
- Both reduce overhead managing attacks
Summary - The Benefits
- Improved customer service levels
  - Alarms for notification
  - Ability to respond
- Reduced support overhead
  - Lower costs, easier staff retention
- Improved reputation
  - Ability to offer Service Level Agreement (SLA) with confidence
  - Competitive position, esp. against those that can’t
  - Multi-service core networks
- Less stress (mgmt, NOC staff)
Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
- Available from http://www.juniper.net/techcenter
Thank You
[email protected]
http://www.juniper.net