Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
1. Understanding DDOS
Mitigation
Rishabh Dangwal
About me : Trivia geek, redbull addict &
Independent security enthusiast, currently employed at Tulip Telecom
www.theprohack.com
2. DDOS Mitigation
Mitigation : mit·i·ga·tion. /ˌmɪtɪˈɡeɪʃən/ Spelled [mit-i-gey-shuhn] noun.
the act of lessening the force or intensity of something
• Understanding DDOS
• Countermeasures
• Mitigation
3. DOS
• Attack that makes a designated service unavailable to the targeted users
• Exploits limitations of the system as an inherent universal vulnerability
• Limitations : CPU, Memory, Bandwidth
4. DDOS
• Distributed DOS
• A coordinated effort
• Botnets are in fashion
• Firewalls & IPS are NOT enough
• NO 100% solution present, so you can ONLY slow it down
8. Monitor
• Devices are generally added to monitoring sensors/servers/software via SNMP polling/BGP peering
• Traffic thresholds are set
• Devices are monitored
• In case of trouble, alerts are generated
9. Identify
• Traffic is identified and profiled according to set parameters, configurations and algorithms
• Once identified, identify the type of attack
• Protocol misuse – DNS / ICMP / TCP Null / TCP RST Flood, IP fragment
• Bandwidth misuse
10. Typical Parameters
• Advanced Boolean Match / AS Path Regexp – by using regular expression matching on traffic or on the AS Path field of BGP
• CIDR – traffic identification by network prefixes and CIDR blocks
• BGP Communities – traffic identification using BGP Communities
• Physical Interfaces – traffic identification by monitoring the router’s physical interface through which the traffic is passing
• Peer ASNs & Local ASN/Sub AS – traffic identification by using the peer AS number field of BGP or by using Local or Sub AS numbers for the network
13. Categorize and scrub traffic
• Custom Settings
• Traffic Filtering & Malformed DNS packets filtering
• DNS Authentication
• HTTP request limiting / object limiting
• Malformed HTTP & SIP packets filtering
• TCP Connection Reset & TCP SYN Authentication
• Zombie Removal
• Baseline Network Policy Enforcement
• Packet shaping
• Filter/Allow based on payload
• Signature based detection & Mitigation
14. Tada ..
• Once done, clean traffic is sent to rightful customers
• Attack patterns are jotted down for future reference & threat categorization
• More smiles, less caffeine