• Like

Distributed Denial of Service (DDoS) Mitigation Strategy and Overview

  • 4,252 views
Uploaded on

Detailed slides that provide a DDoS overview, trends, architecture overview, and BGP flowspec overview.

Detailed slides that provide a DDoS overview, trends, architecture overview, and BGP flowspec overview.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
4,252
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
204
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. DDoS mitigation strategyBertrand Duvivierbduvivie@cisco.comBGP product manager © 2013 Cisco Systems, Inc. All rights reserved. 1
  • 2. DDoS Mitigation – a stepstone approach  Phase III IOS-XR 5.2.0 IOS-XE 3.1.2 Dynamic application aware redirection and traffic handling  Phase II Malicious traffic mitigation Cleaning of Malicious traffic IOS-XR 4.3.1 Dirty and clean traffic handling IOS-XE partial Usage of Multi-instance BGP  Phase I ACL RTBH PBR uRPF © 2013 Cisco Systems, Inc. All rights reserved. 2
  • 3. Agenda  DDoS trends  DDoS - Phase 2 – Architecture overview  DDoS - Phase 3 – BGP flowspec overview © 2013 Cisco Systems, Inc. All rights reserved. 3
  • 4.  Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending overwhelming number of service requests to the server from many sources. Server resources are used up in serving the fake requests resulting in denial or degradation of legitimate service requests to be served Addressing DDoS attacks ― Detection – Detect incoming fake requests ― Mitigation o  Diversion – Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets o  Return – Send back the clean traffic to the server © 2013 Cisco Systems, Inc. All rights reserved. 4
  • 5. DDOS impact on customer Business GOOD DDOS © 2013 Cisco Systems, Inc. All rights reserved. 5
  • 6. DDOS impact on customer Business  Enterprise customer can’t defend themselve, when DDoS hit the FW… it’s already too late.  SP could protect enterprise by cleaning DDoS traffic at ingress peering point.  New revenue for SP.  Mandated service to propose to Financial and visible customers. © 2013 Cisco Systems, Inc. All rights reserved. 6
  • 7. 2011 DDoS trends (Nanog source)  Any Internet Operator Can Be a Target for DDoSIdeologically-motivated Hacktivism and On-line vandalism DDoS attacks are the most commonly identified attack motivations  Size and Scope of Attacks Continue to Grow at an Alarming PaceHigh-bandwidth DDoS attacks are the new normal as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10GbpsIncreased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common  First-Ever Reports of IPv6 DDoS Attacks in the Wild on Production Networks © 2013 Cisco Systems, Inc. All rights reserved. 7
  • 8. DDoS mitigation architecture1. Detection (no DDoS) Scan Netflow data to detect DDOS attacks Security DDOS Analyser Server Netflow DDOS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 8
  • 9. DDoS mitigation architecture2. Detection (DDOS) Scan Netflow data Find DDOS signature Security DDOS Analyser Server Netflow DDOS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 9
  • 10. DDoS mitigation architecture3. Redirect traffic to DDOS scruber Scan Netflow data Find DDoS signature Security DDoS Analyser ServerBGP DDoS MitigationAction: redirect to DDoSscrubber DDoS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 10
  • 11. Agenda  DDoS trends  DDoS - Phase 2 – Architecture overview  DDoS - Phase 3 – BGP flowspec overview © 2013 Cisco Systems, Inc. All rights reserved. 11
  • 12. DDoS Mitigation: Architecture Considerations  Normal traffic flow when there is no attack  Redirect traffic from any edge PE to any specific DDoS scrubber ― Including the PE that is connected to the host network  Granular (prefix level/network) diversion ― Customers buy DDoS mitigation service for some prefixes ― Pre-provisioned DDoS service for those prefixes (using policy such as standard community flag)  Centralized controller that injects the diversion route  VPN based Labeled return path for the clean traffic ― To prevent routing loops  Sollution support redirection of BGP less/more specific prefixes or local originated prefixes (static route, redistributed route)  Support for multi-homed customers ― During attack, send clean traffic from DDOS scrubber to multiple PE s © 2013 Cisco Systems, Inc. All rights reserved. 12
  • 13. DDoS mitigation architectureStep 1: create Clean-VPN (off attack configuration)Clean VPN will transport clean traffic from scrubber back to customer next hop DDoS Security Analyser Server out in DDoS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 13
  • 14. DDoS mitigation architecture Step 2: inject customers prefixes to clean Clean-VPN (off attack)VRF dynamic route leaking function to inject VRF glogal prefix in VRF and VPN clean using route-map policy. DDoS Security Analyser Server out in DDoS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 14
  • 15. DDoS mitigation architecture Step 3: inject BGP redirection in DDoS control plane (under attack)Security server will inject BGP update with scrubber as next hop. DDoS Security Analyser Server BGP update NH: scrubber Prefix: purple out in DDoS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 15
  • 16. DDoS mitigation architectureTraffic flow under attack Traffic is redirect via DDoS scrubber. Loop free solution. DDoS Security Analyser Server DDoS scrubber © 2013 Cisco Systems, Inc. All rights reserved. 16
  • 17. Why injecting DDoS in separate BGP instance ?  Sollution support redirection of BGP less/more specific prefixes or local originated prefixes (static route, redistributed route)  Separate Inter-Domain control plane and DDoS plane No need to withdraw and re-signal Inter-Domain prefixes, keep internet route intacts in control plane. Easy to troubleshout © 2013 Cisco Systems, Inc. All rights reserved. 17
  • 18. Agenda  DDoS trends  DDoS - Phase 2 – Architecture overview  DDoS - Phase 3 – BGP flowspec overview © 2013 Cisco Systems, Inc. All rights reserved. 18
  • 19. XR 5.2.0 XE 3.12 Next-Gen BGP flowspec isRFC-5575 (aka BGP flowspec)+ IPv6 support (draft-ietf-idr-flow-spec-v6)+ Flowspec origin check relax (draft-djsmith-idr-flowspec-origin) + Extra redirection options (draft-simpson-idr-flowspec-redirect)+ Comprehensive CLI/XML to inject BGP flowspec updates+ Internet in VPN use-case+ Optimized flow based forwarding plane : E-PBR (specific to ASR9K/CRS) © 2013 Cisco Systems, Inc. All rights reserved. 19
  • 20. Next Gen BGP flowspec infrastructurephase 1 (XML/CLI model)Application VM ASR9K/CRS Application XML/CLI BGP Flow Spec XML/CLI Manager BGP BGP PBR ACL QoS flowspec XR-VR Flow forwarding © 2013 Cisco Systems, Inc. All rights reserved. 20
  • 21. Next Gen BGP flowspec infrastructurephase 2 (OnePK model)Application VM ASR9K/CRS ApplicationOnePK API/SDK BGP Flow Spec Flow OnePK Manager BGP BGP PBR ACL QoS flowspec XR-VR Flow forwarding © 2013 Cisco Systems, Inc. All rights reserved. 21
  • 22. NextGen BGP flowspec Flow encoding (phase 1)Type 1 Destination Prefix (mask) prefixType 2 Source Prefix (mask) prefixType 3 IP Protocol udp,tcp,icmp,…Type 4 PortType 5 Destination portType 6 Source portType 7 ICMP typeType 8 ICMP codeType 9 TCP flagsType 10 Packet lengthType 11 DSCPType 12 Fragment © 2013 Cisco Systems, Inc. All rights reserved. 22
  • 23. Next-Gen BGP flowspecAction encoding (phase 1)Ext Community Action Data0x8006 traffic-rate (bw zero) BW or Drop0x8007 traffic-action: (bit 7) Terminal action0x8008 Redirect (VRF) 6-byte Route Targetidr-flowspec-redirect Redirect (IP/MPLS) Next Hop © 2013 Cisco Systems, Inc. All rights reserved. 23
  • 24. Summary  DDOS mitigation is a Mandatory service.  DDOS phase 2 provides optimized architecture  DDOS phase 3 provides flow base mitigation granularityFor more details, contact bduvivie@cisco.com © 2013 Cisco Systems, Inc. All rights reserved. 24
  • 25. THANKS © 2013 Cisco Systems, Inc. All rights reserved. 25
  • 26. DDoS phase 2Technical details © 2013 Cisco Systems, Inc. All rights reserved. 26
  • 27. Architecture based on BGP multi-instance Internet RR DDOS RR Normal Diversion routes routes BGP BGP Default DDosInstance Instance PE-C  Two planes based on multi-instance BGP ― The default BGP instance for creating normal routing and the return path of the clean traffic ― The DDoS instance for injecting the diversion route in the routers © 2013 Cisco Systems, Inc. All rights reserved. 27
  • 28. BGP ddos instance Creation of DDoS BGP instancerouter bgp 99 instance ddos bgp router-id 3.3.3.3 © 2013 Cisco Systems, Inc. All rights reserved. 28
  • 29. VPN RRArchitecturedetails @ RRX/Y PE-C DDOS RR PE-S BGP BGP BGP BGP Default DDos DDos Default Instance Instance Instance Instance CleanC Dirty VRF RIB RIB VRF RIB RIB CGSE Scrubber VRF FIB FIB VRF FIB FIB VRF Clean VRF default VRF default VRF Clean  The default BGP instance uses a VRF, Clean , to setup the return path  On the scrubber PE, the clean traffic enters via the VRF Clean interface © 2013 Cisco Systems, Inc. All rights reserved. 29
  • 30. BGP read-onlyrouter bgp 99 instance ddos bgp router-id 3.3.3.3 bgp read-only bgp read-only •  Allows config of 2th IPv4 or IPv6 instance •  Suppresses BGP Update Generation © 2013 Cisco Systems, Inc. All rights reserved. 30
  • 31. VPN RRRoute setup @ RRX/Y DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C Instance Instance Instance C VRF RIB RIB VRF RIB RIB CGSE Scrubber VRF FIB FIB VRF FIB FIB VRF Clean VRF default VRF default VRF Clean C sends X/Y to the default-VRF of the default instance of PE-C © 2013 Cisco Systems, Inc. All rights reserved. 31
  • 32. VPN RRRoute setup @ RRX/Y DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C Instance Instance Instance X/Y->CC VRF X/Y->C RIB RIB VRF RIB RIB CGSE Scrubber VRF FIB FIB VRF FIB FIB VRF Clean VRF default VRF default VRF Clean PE-C imports X/Y to VRF Clean PE-C downloads X/Y->C to RIB © 2013 Cisco Systems, Inc. All rights reserved. 32
  • 33. VRF dynamic route leaking Importing selected global route’s in the clean VRF vrf clean address-family ipv4 unicast import from default-vrf route-policy ddos advertise-as-vpn export route-target 111:1 // ddos policy = match community-string 100:123 © 2013 Cisco Systems, Inc. All rights reserved. 33
  • 34. X/Y->PE-C VPN RRRoute setup X/Y->PE-C @ RRX/Y DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C Instance Instance Instance X/Y->CC VRF X/Y->C RIB RIB VRF RIB X/Y->C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->C FIB VRF Clean VRF default VRF default VRF Clean  PE-C advertises X/Y to @ RR (as IPv4) and VPN RR (as VPNv4)  PE-C RIB downloads X/Y->C to FIB © 2013 Cisco Systems, Inc. All rights reserved. 34
  • 35. X/Y->PE-C VPN RRRoute setup X/Y->PE-C @ RRX/Y DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C Instance Instance X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->PE-CC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->C X/Y->PE-C X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean  @ RR advertises X/Y to default VRF of PE-S and VPN RR advertises X/Y to default-VRF as a VPN route. Then the route is downloaded to RIB and FIB of default VRF and VRF Clean © 2013 Cisco Systems, Inc. All rights reserved. 35
  • 36. X/Y->PE-C VPN RRAttack scenario X/Y->PE-C @ RRX/Y X/Y->S DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C Instance Instance X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->PE-CC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->C X/Y->PE-C X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean  Arbor detects X/Y under DDoS attack  Arbor injects diversion route X/Y to nexthop S on the DDoS RR © 2013 Cisco Systems, Inc. All rights reserved. 36
  • 37. X/Y->PE-C VPN RRAttack scenario X/Y->PE-C @ RRX/Y X/Y->S DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C X/Y->S Instance Instance X/Y->S X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->PE-CC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->C X/Y->PE-C X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean  DDoS RR advertises X/Y->S to the DDoS instances on PE-C and PE-S © 2013 Cisco Systems, Inc. All rights reserved. 37
  • 38. X/Y->PE-C VPN RRAttack scenario X/Y->PE-C @ RRX/Y X/Y->S DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C X/Y->S Instance Instance X/Y->S X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->S X/Y->PE-C X/Y->SC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C ->S ->S X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->C X/Y->PE-C X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean  DDoS instance downloads diversion route to RIB. RIB now has two paths for X/Y © 2013 Cisco Systems, Inc. All rights reserved. 38
  • 39. BGP install diversion bgp install diversion Triggers BGP ddos instance to installrouter bgp 99 instance ddos diversion path to RIB, so that the paths are bgp router-id 3.3.3.3 pushed down to FIB bgp read-only bgp install diversion © 2013 Cisco Systems, Inc. All rights reserved. 39
  • 40. X/Y->PE-C VPN RRAttack scenario X/Y->PE-C @ RRX/Y X/Y->S DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C X/Y->S Instance Instance X/Y->S X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->S X/Y->PE-C X/Y->SC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C ->S ->S X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->S X/Y->S X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean RIB downloads the diversion route to FIB ―  Based on special flags and/or admin distance © 2013 Cisco Systems, Inc. All rights reserved. 40
  • 41. X/Y->PE-C VPN RRAttack scenario X/Y->PE-C @ RRX/Y X/Y->S DDoS RR PE-C PE-S BGP BGP BGP BGP Default DDos DDos Default Instance X/Y->C X/Y->C X/Y->S Instance Instance X/Y->S X/Y->PE-C X/Y->PE-C Instance X/Y->C X/Y->S X/Y->PE-C X/Y->SC VRF X/Y->C RIB RIB X/Y->PE-C VRF RIB X/Y->C ->S ->S X/Y->PE-C RIB CGSE Scrubber VRF FIB FIB VRF FIB X/Y->C X/Y->S X/Y->S X/Y->PE-C FIB VRF Clean VRF default VRF default VRF Clean  IP traffic enters PE-C (or any other PE) and finds X/Y->S in default VRF. Goes to S.  Clean traffic from S finds X/Y->PE-C in VRF clean and returns to PE-C  On PE-C, the VPN label asks the packet to do IP lookup in VRF Clean . Goes to C. © 2013 Cisco Systems, Inc. All rights reserved. 41