October 30, 2003
Protection On-Demand: Ensuring Resource Availability
Yehuda Afek, CTO, Riverhead Networks

Agenda
• The problem
• Existing approaches
• Riverhead Solution
• Experience

The Problem

How do DDoS Attacks Start? [figure]

The Effects of DDoS Attacks [figure]

What is DDoS?
• DDoS - Distributed Denial-of-Service
• DDoS attacks block network resources (Infrastructure, DNS, Mail, Web, and more…)
• DDoS attacks block legitimate users from accessing network resources
• DDoS attacks happen every day all around the Internet
• DDoS attacks come from all directions
• DDoS attacks target any element with an IP address

The Growing DDoS Threat
• Internet connection increasingly cited as point of attack (78%) vs. internal (30%) or dial-in (18%)*
• Denial of service second-most expensive cyber crime, and the only one to increase in 2003*
* Source: 2003 CSI/FBI Computer Crime and Security Survey

More Reasons to Worry
• DDoS was the second-most common security breach experienced by U.S. businesses in 2003 – InformationWeek U.S. Security Survey 2003
• DDoS matches intrusion as the greatest concern of security executives – CSO Magazine Security Sensor III & IV Research
• “Key priorities for global carriers are to provide mitigation of denial of service attacks. Security from DoS attacks is of vital importance to almost every carrier surveyed.” (attribution?)

Everybody is Vulnerable
Enterprises:
• Portals, search engines
• Gaming, gambling and adult
• Music and online media
• Retail, auction
• Brokerage and financial services
• Government
Service Providers:
• ISPs
• Hosting centers

Statistics [figure]

DDoS Incidents Around The Globe
• Global: World Economic Forum, CERT, global root DNS servers (Oct. 2002)
• Europe: Inquirer, Deutsche Bank, Lufthansa, Firenet, Tiscali, edNET, TheDogmaGroup, DonHost, Cloud9
• US: Amazon, Yahoo, CNN, eBay, eTrade, Microsoft, White House, NY Times, NASA, OZ.Net, Weather.com, …
• ROW: 200 small corporations, 30 educational organizations and 20 government systems (Korea), St George Bank (Australia)

Existing Solutions

Blackholing [figure]

At the Routers [figure]

At the Edge / Firewalls [figure]

At the Backbone [figure]

Riverhead Solution

Upstream, Scalable & Distributed [figure]

Riverhead uniqueness
• Detects and mitigates attacks while letting legitimate transactions through
• High performance architecture for infrastructure scalability and reliability
• Ensures business continuity, helping providers win business and revenue

Riverhead 2.0 Products
Riverhead Detector
• Anomaly detection
• Monitors a copy of the traffic
Riverhead Guard
• Attack mitigation
• Diverts traffic for on-demand protection
[product specification table not recoverable]

Solution Overview [figure: BGP announcement; Riverhead Guard; detection by Riverhead Detector, Cisco IDS, Netflow]

Solution Overview
Riverhead Guard:
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic
6. Non-targeted traffic flows freely
(Detection sources: Riverhead Detector, Cisco IDS, Netflow)

[figure: Dynamic Filters; Anti-Spoofing; Statistical Analysis; Layer 7 Analysis; Traffic Limiting & Shaping]

Stopping [attack list; group headings not recoverable]
• [group heading not recoverable]
 – IP/UDP
 – IP/ICMP
 – IP/TCP
• [group heading not recoverable]
 – Connection Flood (Client attack)
 – http errors 404 etc.
 – http half connections
• Tools Defeated: JOLT, WINNUKE, TRINOO, TFN, Targa3, Naphta, Trash, fawx, …
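The Detector / Guard pipeline on the slides above (monitor a copy of the traffic, detect an anomaly, divert only the victim's traffic to the Guard with a more-specific BGP announcement, filter the malicious part, forward the rest while non-targeted traffic keeps its normal path) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not Riverhead's code and does not reproduce its algorithms. The detection threshold (10x baseline and at least 1000 packets per second), the bogon list used as a stand-in for anti-spoofing, the per-source dynamic-filter limit, and every address and packet count are constructed assumptions.

```python
"""Added example, not Riverhead's code: a toy model of the on-demand pipeline
on the slides above.  The Detector watches per-destination packet rates, the
Guard announces a more-specific route for the victim only, cleans the diverted
traffic (anti-spoofing check, per-source dynamic filter) and forwards the rest.
Every address, rate and threshold here is constructed for illustration."""
import ipaddress
from collections import Counter

# ---- Detector: anomaly detection on per-destination packet rates ----------
def detect_victims(baseline_pps, current_pps, factor=10.0, min_pps=1000):
    """Flag destinations whose rate is above min_pps and more than `factor`
    times the learned baseline.  Assumed detector logic, not Riverhead's."""
    victims = []
    for dst, pps in current_pps.items():
        base = max(baseline_pps.get(dst, 0.0), 1.0)  # never divide by a zero baseline
        if pps >= min_pps and pps > factor * base:
            victims.append(dst)
    return sorted(victims)

# ---- Diversion: longest-prefix-match FIB of the upstream router -----------
class Fib:
    """Minimal routing table.  A /32 announced by the Guard is more specific
    than the customer's /24, so only the victim's packets are diverted."""
    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

# ---- Guard: anti-spoofing check plus per-source dynamic filter ------------
# Simplified bogon list (assumption): sources that cannot legitimately arrive
# from the Internet, so packets claiming them are treated as spoofed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_spoofed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def guard_clean(packets, per_source_limit=20):
    """Return (forwarded, dropped, dynamic_filters).  Once a source exceeds
    per_source_limit packets in the batch it gets a dynamic filter and its
    further packets are dropped; everything else is forwarded to the victim."""
    seen, filters = Counter(), set()
    forwarded, dropped = [], []
    for pkt in packets:
        src = pkt[0]
        if is_spoofed(src):
            dropped.append(pkt)
            continue
        seen[src] += 1
        if seen[src] > per_source_limit:
            filters.add(src)
        (dropped if src in filters else forwarded).append(pkt)
    return forwarded, dropped, filters

# ---- Whole pipeline: detect, divert, clean, forward -----------------------
def run_pipeline(packets, baseline_pps, fib, guard_hop="guard"):
    current = Counter(dst for _, dst, _ in packets)  # treat the batch as one second
    victims = detect_victims(baseline_pps, current)
    for victim in victims:
        fib.announce(victim + "/32", guard_hop)      # pull in the victim's traffic only
    diverted = [p for p in packets if fib.next_hop(p[1]) == guard_hop]
    untouched = len(packets) - len(diverted)         # non-targeted hosts: normal path
    forwarded, dropped, filters = guard_clean(diverted)
    return {"victims": victims, "diverted": len(diverted), "untouched": untouched,
            "forwarded": len(forwarded), "dropped": len(dropped),
            "filters": sorted(filters)}

def constructed_traffic():
    """Constructed one-second sample: (src, dst, proto) tuples."""
    pkts = []
    for i in range(4):                                # four legitimate clients
        pkts += [(f"198.51.100.{i + 1}", "203.0.113.10", "tcp")] * 5
    for i in range(3):                                # three unspoofed bots
        pkts += [(f"192.0.2.{i + 1}", "203.0.113.10", "udp")] * 300
    pkts += [("10.1.2.3", "203.0.113.10", "udp")] * 200   # spoofed private source
    pkts += [("198.51.100.9", "203.0.113.20", "tcp")] * 8   # neighbour, not attacked
    return pkts

if __name__ == "__main__":
    fib = Fib({"203.0.113.0/24": "customer", "0.0.0.0/0": "transit"})
    baseline = {"203.0.113.10": 50.0, "203.0.113.20": 10.0}
    print(run_pipeline(constructed_traffic(), baseline, fib))
```

Running the sample shows the properties the deck claims for the design: the /32 wins the longest-prefix match, so the 8 packets to the untouched neighbour in the same /24 never pass through the Guard ("processes only the victim's traffic"), the spoofed and over-limit sources are dropped while the four legitimate clients' 20 packets are all forwarded, and withdrawing the /32 after the attack restores the original path without touching the router configuration. A real anti-spoofing check also verifies that a source completes a handshake rather than only testing a bogon list.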
Data Center Protection [diagram: ISP 1, ISP 2, Cisco GSR 12000, Catalyst 8500 Series Switch Processor, Guard, Catalyst, Firewall, Catalyst, Internal network, Customers’ Servers]

Multi-Guard Topology [diagram: ISP Upstream, Router, Guard, Guard Cluster hosting Riverhead Guards]

ISP Perimeter Protection [figure]

ISP Perimeter Protection [figure]

Hosting Center/Enterprise Protection [figure]

Worm protection
• Quick detection
 – Multi-sensor detection network
 – Suggest ACLs if esoteric port
 – Guard cleaning if popular port (Road map)
• Infected boxes listing (Road map)
• Protect Enterprise outgoing link
• LaBrea
• Reset
• Quick and automated worm analysis

Reliable Deployment
Installation requires:
• One port on a router or a switch
• BGP peering with the Guard
But:
• No network reconfiguration
• No dynamic router configuration
• No router resources for filtering

Specifications: Riverhead Guard / Detector
Interfaces: 2 x 100/1000 Base-T; 1 x 10/100 Base-T (OOB management)
Width: [value missing]” rack mountable
Height: 2U
Operating System: Riverhead OS based on hardened Linux Kernel
Management: CLI (“Cisco like”), Web based, SNMP

Customer Experiences

Riverhead: Market Traction
• Operational installations at:
 - Service Providers
 - Internet Exchanges
 - Top online enterprises
 - Government agencies
 - Data Centers
• Protecting:
 - Web Sites
 - IRC servers
 - DNS Servers
 - Routers

Real attack mitigation [figure]

Case 2: Internet SP Wins Customer With Riverhead
Portal under DDoS for 7 days – April 2003
• Portal down for 2 days
• Riverhead protects and restores site access!
• Day 2: Portal calls Riverhead
• Within two hours, moves traffic to “Riverhead Protected” backup ISP
• Day 4: Hackers change ammunition but fail to defeat protection
• Result: Portal switches business to Riverhead-protected ISP

Case 2: Attack Details [figure]

Case 3: Hosting Center Retains Customer With Riverhead
Gambling site under DDoS every day, 2003
• Evicted from two prior hosting centers …
• Until hosted by “Riverhead Protected” provider
• New attacks easily stopped by Riverhead Guard
• Customer insists on 24 x 7 protection
• Result: Gambling site stays at Riverhead-protected provider

Summary
• Automates mitigation process
• Stops all types of attacks
• Adaptive filtering – only blocks bad traffic
• Off the critical path – not another point of failure
• Independent of Router’s Capabilities
• Processes only the victim’s traffic
• Interoperates with other IDSs
• Minimal false positives