  1. Multi-stage DDoS filtering with Wanguard and more. PLNOG 21, Kraków, 1-2.10.2018 r. www.itoro.com.pl

  2. About ITORO
     • Tuning of servers and Linux systems
     • Wanguard implementations
     • Full support before and after installation (protection against DDoS attacks)
     • We are helping to optimize costs
     • Comprehensive service and advice
     • The only training on Wanguard systems
     • Support for the IT department for smooth integration of Wanguard
     • Huge experience
     | PLNOG 21 | Kraków 1 -2.10.2018 r. | 2

  3. Methods of collecting network traffic
     • Port mirror
     • Active / passive monitoring
     • sFlow
     • Packet sampling
     • NetFlow
     What should be considered when choosing the best method:
     • Network infrastructure
     • Available protocols on routers
     • Limits on the performance of routers and software

  4. Why are we under attack?
     • Competition ☺
     • Online gaming
     • Preparation for another attack (other than DDoS)
     • Fun with a new botnet
     • Extortion / blackmail
     • Revenge for DDoS from your network

  5. Who is the target of DDoS attacks?
     • Data centers (hosting)
     • Internet Service Providers (ISP)
     • Government and financial institutions
     • Gambling and online gaming

  6. Good practices
     • Links: bandwidth capacity of foreign and peering links.
     • DDoS / WAF protection: active and automatic reaction to threats.
     • BGP policy: BGP import restrictions, anti-spoofing (BCP 38).
     • Monitoring: network traffic monitoring from outside and within the company.
     • Dispersion: dividing the network into smaller segments, source filtering of traffic from EU / World / regions.
     • Anti-DDoS action plan: action plan and procedures; public relations – information about the outage / attack.

  7. Services that use amplification
     Port          Amplification   Protocol
     11211         10000-51000     Memcached
     123           557             NTP
     19            358             CharGEN
     17            140             QOTD
     53            28-54           DNS
     389           56-70           C-LDAP
     1900          30              SSDP
     111           7-28            Portmap
     161           6               SNMP
     137,138,139   4               NetBIOS
     source: https://www.us-cert.gov/ncas/alerts/TA14-017A

  8. Statistics – should I be scared?
     SSDP (UDP/1900)
     Country               Total
     China                 754,310
     Russian Federation    478,475
     Korea, Republic of    317,018
     Venezuela             194,793
     United States         169,473

     NTP (UDP/123)
     Country               Total
     United States         738,940
     Russian Federation    344,357
     China                 221,828
     Brazil                158,221
     Germany               139,066

     DNS (UDP/53)
     Country               Total
     China                 1,263,833
     United States         319,053
     Korea, Republic of    164,772
     Russian Federation    144,922
     Taiwan                115,780

  9. Share of attacks (distribution of attacks)
     Layers 3 and 4 – more than 80% of attacks: DNS, NTP, C-LDAP, CharGEN, SSDP, UDP floods, SYN/ACK, ICMP
     Layers 5 and 6: DNS/SSL flood
     Layer 7 – less than 20% of attacks: HTTP POST/GET, XML-RPC flood, XSS, SQL injection

  10. Attack speeds
     5 - 10 Gb/s   3%
     2 - 5 Gb/s    9%
     1 - 2 Gb/s    9%
     < 1 Gb/s      11%
     < 500 Mb/s    67%

  11. Summary for ISP
     ✓ Duration of attacks on subscribers: < 30 seconds
     ✓ Time of attacks on infrastructure – longer: 1-6 hours
     ✓ Multiple attack vectors (NTP / DNS / SSDP / ICMP)
     ✓ RTBH less effective – due to Carpet Bomb attacks

  12. Important terms
     Black Hole Routing (Remotely Triggered Black Hole Routing): the incoming traffic is discarded before entering your network.
     FlowSpec (RFC 5575): firewall filter rules are injected into the BGP protocol. Allows for different actions:
     - drop / limit packets
     - redirect
     - setting of DSCP (Differentiated Services) used in QoS

  13. Black Hole Routing (RTBH)
     [Diagram: Your network, Internet, PE Router, Switch, Firewall, FlowSpec, Traffic mirror; BGP Update announcing the Black Hole IP]

  14. Possibilities of protection against DDoS attacks
     • Block traffic using Remotely Triggered Black Hole Routing (RTBH) – Black Hole of an IP / network class
     • Selective Black Hole routing (World / Regions / Country / Peering)
     • Filtering traffic: blocking or limiting protocols that use amplification
     • Filtering on servers using network cards (hardware) or iptables
     • Filtering using FlowSpec on routers

  15. FlowSpec
     FlowSpec rules:
     • Source / destination IP
     • Source / destination port
     • Protocol
     • Packet length
     • TCP flags
     • IP fragmentation
     FlowSpec actions:
     • Traffic limits (example: 10 Mb/s or 0)
     • Traffic marking - DSCP
     • Redirect - target VRF (Juniper & Cisco)
     • Redirect - IP next hop (Cisco)

  16. FlowSpec support
     Cisco – limit 3000 rules: ASR 1xxx, ASR 9xxx, CSR 1000v, CRS-3 (Taiko) LC, CRS-X (Topaz) LC, NCS 5500/6000, XRv 9000
     Juniper – limit 8000 rules: MX series, PTX 10002, QFX 1000[2/8/16], SRX
     Check if your router supports FlowSpec!

  17. Filtering – 3 stages
     [Diagram: Your network, Internet, Inbound, Traffic return, BGP FlowSpec Drop, Traffic mirror, Firewall, FlowSpec, PE Router, Switch, Black Hole Routing (RTBH), Scrubbing Center]

  18. Filtering – 2 stages without FlowSpec
     [Diagram: Your network, Internet, Inbound, Traffic return, Traffic mirror, Firewall, FlowSpec, PE Router, Switch, Black Hole Routing (RTBH), Scrubbing Center]

  19. Wanguard - Filtering without FlowSpec

  20. Wanguard - Software filtering
     Chain wanguard_4_2_0 (0 references)
      pkts bytes target prot opt in   out source    destination
     Chain wanguard_custom (1 references)
      pkts bytes target prot opt in   out source    destination
         0     0 DROP   udp  --  eth7 *   0.0.0.0/0 0.0.0.0/0   multiport sports 123 limit: above 500/sec burst 5
     9399K   13G RETURN all  --  *    *   0.0.0.0/0 0.0.0.0/0

  21. Wanguard - Filtering

  22. Wanguard - Hardware filtering
     # cat /sys/kernel/debug/cxgb4/0000\:05\:00.4/filters
     LE-TCAM Filters:
     [[Legend: '!' => locked; '+' => pending set; '-' => pending clear]]
     Idx Hits   Hit-Bytes FCoE Port vld:iVLAN     Prot  MPS Frag LIP               FIP               LPORT     FPORT     Action
      10 823481 0         0/0  0/0  0:0000/0:0000 11/ff 0/0 0/0  00000000/00000000 00000000/00000000 0000/0000 007b/ffff Drop
     (Prot 11 hex = 17 = UDP, FPORT 007b hex = 123: the same "drop UDP from source port 123" rule as in the iptables chain, here offloaded to the NIC's TCAM.)

  23. Wanguard - Filtering with FlowSpec!

  24. Wanguard - Hardware filtering using FlowSpec
     mx80.lab> show firewall filter __flowspec_default_inet__
     Filter: __flowspec_default_inet__
     Counters:
     Name                               Bytes      Packets
     *,1.1.1.1,proto=17,srcport=123     841816     5234116

     mx80.lab> show route protocol bgp table inetflow.0 extensive
     inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
     *,1.1.1.1,proto=17,srcport=123/term:2 (1 entry, 1 announced)
     TSI:
     KRT in dfwd;
     Action(s): routing-instance DIRTY-VRF,count
             *BGP    Preference: 170/-101
                     Next hop type: Fictitious, Next hop index: 0
                     Next-hop reference count: 1
                     State: <Active Int Ext>
                     Local AS: 65000 Peer AS: 65000
                     Age: 37
                     Task: BGP_65000.10.0.9.66
                     Announcement bits (1): 0-Flow
                     AS path: I
                     Communities: traffic-rate:0:1875
                     Accepted
                     Localpref: 100
                     Router ID: 10.0.9.66
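Added example, not from the slides or from Wanguard itself: a Python sketch of the three-stage decision of slides 15, 17 and 24 (FlowSpec drop per amplification port, RTBH when the link would saturate anyway, redirect of the rest to a scrubbing VRF), including the bytes-per-second encoding behind the `traffic-rate` community shown on slide 24. Assumed: flow records arrive as 1-in-N sampled dicts, the thresholds are the operator's, AS 65000 and the VRF name DIRTY-VRF are taken from the lab output above, victim addresses are constructed from RFC 5737 space, and the FlowSpec action is rendered as a vendor-neutral match/then dict rather than any router's syntax.

```python
from collections import defaultdict

# UDP amplification source ports from the TA14-017A table on slide 7.
AMP_PORTS = {11211: "Memcached", 123: "NTP", 19: "CharGEN", 17: "QOTD", 53: "DNS",
             389: "C-LDAP", 1900: "SSDP", 111: "Portmap", 161: "SNMP"}

def traffic_rate_community(asn, mbps):
    """RFC 5575 traffic-rate carries BYTES per second: 10 Mb/s -> 1250000, 0 -> drop."""
    return f"traffic-rate:{asn}:{int(mbps * 1_000_000 / 8)}"

def mbps_per_dst_port(flows, sampling, window_s):
    """Scale 1-in-N sampled UDP flow records seen in a window up to Mb/s per (dst, sport)."""
    totals = defaultdict(float)
    for f in flows:
        if f["proto"] == 17:
            totals[(f["dst"], f["sport"])] += f["bytes"] * sampling * 8 / 1e6 / window_s
    return totals

def plan_mitigation(flows, sampling, window_s, link_mbps, amp_mbps, asn=65000):
    """Pick one of the three filtering stages per victim: RTBH when the upstream link
    would saturate anyway, FlowSpec drop per amplification port, scrubbing for the rest."""
    totals = mbps_per_dst_port(flows, sampling, window_s)
    per_dst = defaultdict(float)
    for (dst, _), rate in totals.items():
        per_dst[dst] += rate
    actions = []
    for dst, total in per_dst.items():
        if total >= link_mbps:  # RTBH: sacrifice the /32 to keep the link for everyone else
            actions.append({"stage": "rtbh", "prefix": f"{dst}/32"})
            continue
        for (d, sport), rate in totals.items():  # surgical FlowSpec drop, keeps the host up
            if d == dst and sport in AMP_PORTS and rate >= amp_mbps:
                actions.append({"stage": "flowspec", "then": traffic_rate_community(asn, 0),
                                "match": {"destination": f"{dst}/32", "protocol": 17,
                                          "source-port": sport}})
        rest = sum(r for (d, sp), r in totals.items() if d == dst and sp not in AMP_PORTS)
        if rest >= amp_mbps:  # volume no simple rule explains: redirect to the scrubbing VRF
            actions.append({"stage": "scrub", "match": {"destination": f"{dst}/32"},
                            "then": "redirect routing-instance DIRTY-VRF"})
    return actions

# Constructed sample: 1-in-1000 sampling, 10 s window, RFC 5737 victim addresses.
SAMPLE_FLOWS = [
    {"dst": "192.0.2.1", "proto": 17, "sport": 123, "bytes": 1_000_000},    # 800 Mb/s NTP
    {"dst": "192.0.2.1", "proto": 17, "sport": 40000, "bytes": 50_000},     # 40 Mb/s other
    {"dst": "192.0.2.2", "proto": 17, "sport": 1900, "bytes": 3_000_000},   # 2.4 Gb/s SSDP
    {"dst": "192.0.2.3", "proto": 17, "sport": 54321, "bytes": 250_000},    # 200 Mb/s flood
]
```

With a 1 Gb/s link and a 100 Mb/s per-port threshold, `plan_mitigation(SAMPLE_FLOWS, 1000, 10, 1000, 100)` yields a FlowSpec drop for the NTP reflection against 192.0.2.1, an RTBH for 192.0.2.2 and a scrubbing redirect for 192.0.2.3.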

  25. Get Wanguard with FlowSpec now!
     Installation:
     • One router is enough!
     • BGP configuration.
     • No loop thanks to FlowSpec!
     Filtering:
     • Wanguard sends FlowSpec rules.
     • Automatic filtering with available anti-DDoS rules.
     • We prefer VRF over GRE.
     Protection:
     • Network monitoring.
     • After-action reports by email.

  26. Ways to effectively reduce DDoS attacks
     • Using ShadowServer or regional CERT providers - n6 (Poland)
     • Blocking ports used in attacks
     • Blocking any spoofing from your network (Spoofer / RPF) *
     • Active scans of your network (e.g. OpenVAS, Suricata)
     • Monitoring of outbound traffic
     * https://www.caida.org/projects/spoofer/

  27. Piotr Okupski, itoro.com.pl
