Multi-stage DDoS filtering with Wanguard and more (PowerPoint PPT presentation, PLNOG 21, Kraków 1-2.10.2018)


SLIDE 1

www.itoro.com.pl

Multi-stage DDoS filtering with Wanguard and more

PLNOG 21, Kraków 1-2.10.2018 r.

SLIDE 2

| PLNOG 21 | Kraków 1-2.10.2018 r. | 2

About ITORO

  • Huge experience
  • Full support before and after installation
  • Comprehensive service and advice
  • Support for the IT department for smooth integration of Wanguard
  • Tuning of servers and Linux systems
  • We help to optimize costs
  • Training on Wanguard systems
  • The only one: Wanguard implementations (protection against DDoS attacks)

SLIDE 3

Methods of collecting network traffic

  • Port mirror
  • Active / passive monitoring
  • sFlow
  • Packet sampling
  • NetFlow

What should be considered when choosing the best method:

  • Network infrastructure
  • Protocols available on the routers
  • Performance limits of the routers and of the software

SLIDE 4

Why are we under attack?

  • Competition ☺
  • Online gaming
  • Preparation for another attack (other than DDoS)
  • Fun with a new botnet
  • Extortion / blackmail
  • Revenge for DDoS coming from your network

SLIDE 5

Who is the target of DDoS attacks?

  • Data centers (hosting)
  • Government and financial institutions
  • Internet Service Providers (ISP)
  • Gambling and online gaming

SLIDE 6

Good practices

Links
Bandwidth capacity of foreign and peering links.

BGP policy
BGP import restrictions, anti-spoofing, BCP 38 (RFC 2827 ingress filtering).

DDoS / WAF protection
Active and automatic reaction to threats.

Monitoring
Network traffic monitoring from outside and from within the company.

Dispersion
Dividing the network into smaller segments; source filtering of traffic from EU / World / regions.

Anti-DDoS action plan
Action plan and procedures. Public relations: information about an outage / attack.

SLIDE 7

Services that use amplification

source: https://www.us-cert.gov/ncas/alerts/TA14-017A

  Protocol    Port           Amplification factor
  Memcached   11211          10000-51000
  NTP         123            557
  CharGEN     19             358
  QOTD        17             140
  DNS         53             28-54
  C-LDAP      389            56-70
  SSDP        1900           30
  Portmap     111            7-28
  SNMP        161            6
  NetBIOS     137,138,139    4

All of these are UDP services; the factor is the ratio of response size to request size, which is what lets a spoofed request produce a much larger reply aimed at the victim.

SLIDE 8

Statistics – should I be scared?

SSDP (UDP/1900)
  Country               Total
  China                 754,310
  Russian Federation    478,475
  Korea, Republic of    317,018
  Venezuela             194,793
  United States         169,473

NTP (UDP/123)
  Country               Total
  China                 1,263,833
  United States         319,053
  Korea, Republic of    164,772
  Russian Federation    144,922
  Taiwan                115,780

DNS (UDP/53)
  Country               Total
  United States         738,940
  Russian Federation    344,357
  China                 221,828
  Brazil                158,221
  Germany               139,066

SLIDE 9

Share of attacks (distribution of attacks by layer)

Layers 3 and 4: UDP floods, SYN/ACK, ICMP; reflection / amplification via DNS, NTP, C-LDAP, CharGEN, SSDP
Layers 5 and 6: DNS / SSL flood
Layer 7: HTTP POST/GET
Layer 7: XML-RPC flood, XSS, SQL injection

> 80 % of attacks are network- and transport-layer floods; < 20 % of attacks are application-layer (layer 7) attacks.

SLIDE 10

Attack speeds (share of attacks by bandwidth)

  < 500 Mb/s     67 %
  < 1 Gb/s       11 %
  1 - 2 Gb/s      9 %
  2 - 5 Gb/s      9 %
  5 - 10 Gb/s     3 %

SLIDE 11

Summary for ISP

  ✓ Duration of attacks on subscribers: < 30 seconds
  ✓ Attacks on infrastructure last longer: 1-6 hours
  ✓ Multiple attack vectors (NTP / DNS / SSDP / ICMP)
  ✓ RTBH less effective due to carpet-bomb attacks (the attack is spread over many addresses of a prefix, so no single /32 crosses the detection threshold and blackholing one host does not stop it)
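The carpet-bomb point above is easiest to see on numbers. The following is an added example written for this page (not code from the deck or from Wanguard): it runs a per-host threshold, the classic RTBH trigger, and a per-prefix threshold over a constructed one-second window of flow records, and shows that the spread-out attack only appears at prefix level. The flow records, thresholds, prefixes and helper names are all assumptions made for the illustration.

```python
"""Per-host vs per-prefix volume detection over constructed flow records.

Added example, not part of the PLNOG 21 deck or of Wanguard. Sample data
and thresholds are invented for the illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network


def build_sample_flows():
    """Constructed records for one 1-second window: (dst, proto, src_port, bytes)."""
    flows = []
    # Carpet bomb: NTP reflection (UDP, source port 123) spread evenly over
    # every address of a customer /24, 300 kB per destination -> 76.8 MB total.
    for host in range(256):
        flows.append((f"203.0.113.{host}", 17, 123, 300_000))
    # Classic single-target flood: 5 MB to one host.
    flows.append(("198.51.100.7", 17, 123, 5_000_000))
    # Background traffic that must not trigger anything.
    flows.append(("198.51.100.20", 6, 443, 40_000))
    flows.append(("203.0.113.5", 6, 80, 12_000))
    return flows


def volume_per_host(flows):
    totals = Counter()
    for dst, _proto, _sport, nbytes in flows:
        totals[dst] += nbytes
    return totals


def volume_per_prefix(flows, prefix_len=24):
    totals = Counter()
    for dst, _proto, _sport, nbytes in flows:
        totals[str(ip_network(f"{dst}/{prefix_len}", strict=False))] += nbytes
    return totals


def top_source_port(flows, prefix):
    """(proto, src_port) carrying the most bytes into the prefix."""
    net = ip_network(prefix)
    by_port = Counter()
    for dst, proto, sport, nbytes in flows:
        if ip_address(dst) in net:
            by_port[(proto, sport)] += nbytes
    return by_port.most_common(1)[0][0]


def detect(flows, host_threshold, prefix_threshold, prefix_len=24):
    """Hosts over host_threshold are RTBH candidates; a prefix over
    prefix_threshold with no host over host_threshold is a carpet bomb."""
    hosts = volume_per_host(flows)
    prefixes = volume_per_prefix(flows, prefix_len)
    rtbh = sorted(h for h, v in hosts.items() if v > host_threshold)
    carpet = []
    for pfx, v in prefixes.items():
        if v <= prefix_threshold:
            continue
        net = ip_network(pfx)
        if not any(ip_address(h) in net for h in rtbh):
            carpet.append(pfx)
    return {"rtbh_candidates": rtbh, "carpet_bomb_prefixes": sorted(carpet)}


def suggest_mitigation(flows, result):
    """RTBH for a single victim; for a carpet bomb a FlowSpec match on the
    prefix plus the dominant source port, so the rest of the /24 keeps working."""
    actions = [("rtbh", f"{host}/32") for host in result["rtbh_candidates"]]
    for pfx in result["carpet_bomb_prefixes"]:
        proto, sport = top_source_port(flows, pfx)
        actions.append(("flowspec", pfx, proto, sport))
    return actions


if __name__ == "__main__":
    sample = build_sample_flows()
    found = detect(sample, host_threshold=1_000_000, prefix_threshold=50_000_000)
    print(found)
    print(suggest_mitigation(sample, found))
```

With a 1 MB/s per-host threshold none of the 256 carpet-bombed hosts trips (312 kB at most), while the /24 carries 76.8 MB/s; blackholing the whole /24 would finish the attacker's job, so the suggested action is a FlowSpec match on the prefix and the NTP source port instead.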

SLIDE 12

Important terms

Black Hole Routing (Remotely Triggered Black Hole Routing, RTBH)
The incoming traffic is discarded before entering your network. The attacked address itself becomes unreachable for everyone while the black hole is announced, so RTBH protects the rest of the network rather than the target.

FlowSpec (RFC 5575, since obsoleted by RFC 8955)
Firewall filter rules are injected into the BGP protocol. Allows different actions:

  • drop / rate-limit packets
  • redirect
  • setting of DSCP (Differentiated Services), used in QoS

SLIDE 13

Black Hole Routing

[Diagram] Internet -> PE Router -> Switch -> Firewall -> Your network. A traffic mirror from the switch feeds the detector; on detection a BGP Update announces the Black Hole IP to the PE router (Black Hole Routing (RTBH) / FlowSpec).

SLIDE 14

Possibilities of protection against DDoS attacks

Block traffic using Remotely Triggered Black Hole Routing (RTBH):

  • Black hole of a single IP / network prefix
  • Selective black hole routing (World / regions / country / peering)

Filtering traffic:

  • Blocking or rate-limiting the protocols used for amplification
  • Filtering on servers using network cards (hardware) or iptables
  • Filtering using FlowSpec on routers

SLIDE 15

FlowSpec

FlowSpec rules (match components):

  • Source / destination IP
  • Source / destination port
  • Protocol
  • Packet length
  • TCP flags
  • IP fragmentation

FlowSpec actions:

  • Traffic rate limit (example: 10 Mb/s, or 0 to drop)
  • Traffic marking (DSCP)
  • Redirect to a target VRF (Juniper & Cisco)
  • Redirect to an IP next hop (Cisco)
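To make the "rules injected into BGP" of the Important terms slide and the match components and actions listed here concrete, the following added example (written for this page; not code from the deck, from Wanguard or from any router vendor) encodes a FlowSpec rule into its NLRI wire format and builds the extended communities that carry the actions. The first rule reproduces the entry shown later on the Junos slide, '*,1.1.1.1,proto=17,srcport=123' with traffic-rate 0:1875; the second rule, the 192.0.2.0/24 prefix and all helper names are assumptions made for the example.

```python
"""Encode a BGP FlowSpec rule into its wire format (RFC 5575 / RFC 8955).

Added example for this page; not code from the deck, from Wanguard or from
a router vendor. The 192.0.2.0/24 rule and the helper names are assumed.
"""
import struct
from ipaddress import ip_network

# Component types (RFC 8955 section 4.2); they must appear in ascending
# type order inside one NLRI.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator bits; terms of one component are OR'ed unless AND is set.
EQ, GT, LT = 0x01, 0x02, 0x04
END, AND = 0x80, 0x40            # end-of-list, AND with the previous term
# Bitmask operator bits (TCP flags, fragment): MATCH = (data & mask) == mask,
# without MATCH = (data & mask) != 0; NOT negates the result.
MATCH, NOT = 0x01, 0x02


def _len_bits(value):
    """Operator length field (bits 5-4) and byte size for an unsigned value."""
    for code, size in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * size):
            return code << 4, size
    raise ValueError("value does not fit in 8 bytes")


def prefix_component(ctype, cidr):
    """Types 1/2: prefix length, then only the significant prefix octets."""
    net = ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _op_component(ctype, terms):
    out = bytes([ctype])
    for i, (op, value) in enumerate(terms):
        lbits, size = _len_bits(value)
        last = END if i == len(terms) - 1 else 0
        out += bytes([op | lbits | last]) + value.to_bytes(size, "big")
    return out


def numeric_component(ctype, terms):
    """Types 3-8, 10, 11: list of (EQ/GT/LT[/AND], value) terms."""
    return _op_component(ctype, terms)


def bitmask_component(ctype, terms):
    """Types 9 and 12: list of (MATCH/NOT[/AND], mask) terms."""
    return _op_component(ctype, terms)


def encode_nlri(components):
    """Sort components by type and prefix the 1- or 2-byte NLRI length."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body   # 12-bit length form


# Actions are carried as transitive extended communities (type 0x80).
def traffic_rate(asn, bytes_per_second):
    """0x8006: 2-byte AS plus an IEEE float rate in bytes/s; 0.0 means drop."""
    return b"\x80\x06" + struct.pack(">Hf", asn, bytes_per_second)


def decode_traffic_rate(ext):
    asn, rate = struct.unpack(">Hf", ext[2:])
    return asn, rate


def traffic_marking(dscp):
    """0x8009: rewrite DSCP; the 6-bit value sits in the last octet."""
    return b"\x80\x09" + bytes(5) + bytes([dscp & 0x3F])


def redirect_vrf(asn, assigned_number):
    """0x8008: redirect into the VRF that imports route target ASN:nn."""
    return b"\x80\x08" + struct.pack(">HI", asn, assigned_number)


def ntp_reflection_rule():
    """The rule on the Junos slide: UDP from source port 123 towards 1.1.1.1,
    rate-limited to 1875 bytes/s."""
    nlri = encode_nlri([
        prefix_component(DST_PREFIX, "1.1.1.1/32"),
        numeric_component(IP_PROTO, [(EQ, 17)]),
        numeric_component(SRC_PORT, [(EQ, 123)]),
    ])
    return nlri, traffic_rate(0, 1875.0)


def syn_flood_rule():
    """Assumed rule: SYN without ACK, 1000-1500 bytes long, towards
    192.0.2.0/24, limited to 10 Mbit/s (1 250 000 bytes/s)."""
    nlri = encode_nlri([
        prefix_component(DST_PREFIX, "192.0.2.0/24"),
        numeric_component(IP_PROTO, [(EQ, 6)]),
        bitmask_component(TCP_FLAGS, [(MATCH, 0x02), (AND | NOT | MATCH, 0x10)]),
        numeric_component(PKT_LEN, [(GT | EQ, 1000), (AND | LT | EQ, 1500)]),
    ])
    return nlri, traffic_rate(0, 1_250_000.0)
```

The NLRI for the NTP rule comes out as 0c 01 20 01 01 01 01 03 81 11 06 81 7b: length 12, destination prefix /32, then "protocol == 17" and "source port == 123" each as a single one-byte term with the end-of-list bit set. Note that the traffic-rate value is bytes per second, not bits, which is why a 10 Mb/s limit is encoded as 1 250 000.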
SLIDE 16

FlowSpec

Cisco: limit of 3000 rules
ASR 1xxx, ASR 9xxx, CSR 1000v, CRS-3 (Taiko) LC, CRS-X (Topaz) LC, NCS 5500/6000, XRv 9000

Juniper: limit of 8000 rules
MX series, PTX 10002, QFX 1000[2/8/16], SRX

Check if your router supports FlowSpec!

SLIDE 17

Filtering – 3 stage

[Diagram] Inbound traffic and traffic return paths: Internet -> PE Router (Black Hole Routing (RTBH), FlowSpec) -> Switch -> Firewall -> Your network; traffic mirror to the Scrubbing Center; BGP FlowSpec announcements; drop.

SLIDE 18

Filtering – 2 stage without FlowSpec

[Diagram] Inbound traffic and traffic return paths: Internet -> PE Router (Black Hole Routing (RTBH)) -> Switch -> Firewall -> Your network; traffic mirror to the Scrubbing Center.

SLIDE 19

Wanguard - Filtering without FlowSpec

SLIDE 20

Wanguard - Software filtering

Chain wanguard_4_2_0 (0 references)
 pkts bytes target  prot opt in   out  source     destination
Chain wanguard_custom (1 references)
 pkts bytes target  prot opt in   out  source     destination
    0     0 DROP    udp  --  eth7 *    0.0.0.0/0  0.0.0.0/0    multiport sports 123 limit: above 500/sec burst 5
9399K  13G RETURN  all  --  *    *    0.0.0.0/0  0.0.0.0/0

The custom chain drops UDP packets arriving on eth7 with source port 123 (NTP replies) once they exceed 500 packets per second (burst 5); everything else returns to the calling chain. The counters show the rule had not yet fired at capture time.

SLIDE 21

Wanguard - Filtering

SLIDE 22

Wanguard - Hardware filtering

# cat /sys/kernel/debug/cxgb4/0000\:05\:00.4/filters
LE-TCAM Filters:
[[Legend: '!' => locked; '+' => pending set; '-' => pending clear]]
Idx  Hits    Hit-Bytes  FCoE  Port  vld:iVLAN      Prot   MPS  Frag  LIP                FIP                LPORT      FPORT      Action
10   823481  0          0/0   0/0   0:0000/0:0000  11/ff  0/0  0/0   00000000/00000000  00000000/00000000  0000/0000  007b/ffff  Drop

Filter 10 is a TCAM entry on a Chelsio (cxgb4) NIC, each field shown as value/mask: Prot 11/ff matches IP protocol 0x11 (UDP) and FPORT 007b/ffff matches the foreign (remote) port 0x7b = 123; all other fields have a zero mask and are wildcards. NTP reflection traffic is therefore dropped in the card before it reaches the kernel, and Hits counts how many packets the entry has already discarded.

SLIDE 23

Wanguard - Filtering with FlowSpec!

SLIDE 24

Wanguard - Hardware filtering using FlowSpec

mx80.lab> show firewall filter __flowspec_default_inet__
Filter: __flowspec_default_inet__
Counters:
Name                               Bytes      Packets
*,1.1.1.1,proto=17,srcport=123     841816     5234116

mx80.lab> show route protocol bgp table inetflow.0 extensive

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
*,1.1.1.1,proto=17,srcport=123/term:2 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): routing-instance DIRTY-VRF,count
        *BGP    Preference: 170/-101
                Next hop type: Fictitious, Next hop index: 0
                Next-hop reference count: 1
                State: <Active Int Ext>
                Local AS: 65000 Peer AS: 65000
                Age: 37
                Task: BGP_65000.10.0.9.66
                Announcement bits (1): 0-Flow
                AS path: I
                Communities: traffic-rate:0:1875
                Accepted
                Localpref: 100
                Router ID: 10.0.9.66

The flow route matches UDP (proto=17) from source port 123 towards 1.1.1.1, was learned over iBGP (AS 65000) from the Wanguard speaker at 10.0.9.66, carries a traffic-rate extended community (the rate is in bytes per second) and is installed on the MX as a filter term that counts matching packets and redirects them into DIRTY-VRF.

SLIDE 25

Get Wanguard with FlowSpec now!

Installation

  • One router is enough!
  • BGP configuration. (RFC 5575 validation only accepts a flow route from the speaker that also announces the best unicast route for the destination, so a rule coming from a separate detector needs validation switched off on the router, e.g. a no-validate policy on Junos.)
  • No loop thanks to FlowSpec!
  • We prefer VRF over GRE.

Filtering

  • Wanguard sends FlowSpec rules.
  • Automatic filtering with the available anti-DDoS rules.

Protection

  • Network monitoring.
  • After-action reports by email.
SLIDE 26

Ways to effectively reduce DDoS attacks

  • Using Shadowserver or regional CERT providers, e.g. n6 (Poland)
  • Blocking the ports used in attacks
  • Blocking any spoofing from your network (Spoofer / uRPF) *
  • Active scans of your network (e.g. OpenVAS, Suricata)
  • Monitoring of outbound traffic

* https://www.caida.org/projects/spoofer/

SLIDE 27

Piotr Okupski

itoro.com.pl