DDoS Mitigation
Tools and Techniques
Babak Farrokhi
MENOG 16
Introduction
What is a DDoS Attack?
• A distributed attack that makes your online infrastructure totally inaccessible
• Performed by a large number of infected hosts (zombies)
• Difficult to defend against
[Diagram: Bots and Users reach Your Infrastructure through the Upstream Provider and Your Connection]
Attack Types
• Network Layer Attacks: exhausting your uplink
• Application Layer Attacks: overloading your servers
[Diagram: a network layer attack saturates Your Connection from the Upstream Provider; an application layer attack sends L7 Requests through to Your Infrastructure]
But I am not affected…
• Attacked more than once: 75%
• Attacked on a weekly basis: 10%
• Attacked in past 12 months: 91%
• Organizations attacked: 45%
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
DDoS Attack Trends
• 2014 vs. 2013: number of attacks doubled
• Average DDoS attack size in 2014: 15 Gbps
• Average damage of a DDoS attack: $40,000/hour
• Largest application layer attack: ~180,000 RPS
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]
Where are we going?
• DDoS attacks may last for days or weeks
• Attacks usually reappear
• Network layer attacks are getting bigger (so your defense should scale proportionally)
• Operators should be equipped with appropriate equipment (and knowledge)
How it affects operators
• Your customers cannot defend themselves (once an attack hits a customer’s firewall, it’s too late)
• An attack on one customer may affect the other customers, or the whole infrastructure
• Loss of revenue
• Loss of reputation
• Legal Issues
• Service Level degradation, missing SLA targets
Dealing with DDoS
• Detection
• Tools and Techniques
• Mitigation
• Best Practices
Mitigation
Mitigation Best Practices
• S/RTBH [2], D/RTBH [3]
• FlowSpec [4]
• Co-operative DDoS Mitigation [5] (IETF dots WG draft)
• PBR (Policy-Based Routing)
RTBH
• Remotely Triggered Blackhole
• D/RTBH: Based on destination address
• S/RTBH: Based on source address
• Widely in use by operators
• Injecting routes into edge routers over iBGP to discard traffic or redirect it to a sinkhole/scrubber
• Blackholes all incoming traffic for a given host/network
D/RTBH
• Victim’s (destination) address will be totally unreachable during the attack
• Makes the victim unreachable to protect the rest of the infrastructure / customers
S/RTBH
• Uses uRPF (loose mode) to filter out traffic based on source address
• Victim will still be reachable
• Only effective in case of DoS or DDoS with a limited number of source addresses
RTBH
[Diagram, three stages: the NOC uses the Trigger Router to advertise blackhole prefixes over iBGP; the edge routers facing Upstream A, Upstream B, IXP A and IXP B then discard traffic destined to the Target in the Customer Network]
Where should attack traffic go?
• Discard
• null0 on edge routers
• Sinkhole
• For further analysis / forensics
• Scrubber
• Clean malicious traffic
RTBH Problems
• Discarding keeps the target reachable from inside your own network, but it is unreachable from everywhere else
• Isn’t this what attackers wanted?
• Scrubbing as an alternative to black-holing
• It is usually done manually
BGP FlowSpec
• Defined in RFC 5575 (IPv4)
• Largely a work in progress - many extensions are proposed as IETF drafts
• IPv6 support is still in draft state [6] (IETF idr WG)
• Fairly new, not widely in use
• JunOS 7.3
• IOS 15.5, XE 3.14
• Defines a new BGP NLRI (Network Layer Reachability Information) format
• Granular traffic flow matching based on L3/L4 information
FlowSpec use cases
• Traffic Filter List / ACL distribution
• Filtering harmful traffic based on traffic flow information
• Replacement for classic S/RTBH and D/RTBH for DDoS mitigation
Flow Specification criteria
• L3 Source / Destination Prefix
• L4 Protocol (e.g. TCP, UDP)
• L4 Source / Destination Port
• ICMP Types and Codes
• TCP Flags
• Packet Length
• DSCP
• Fragment
Traffic Filtering Actions
• Defined as extended community attributes:
• 0x8006 - traffic-rate (Rate Limiting or Discarding)
• 0x8007 - traffic-action (Sampling)
• 0x8008 - redirect (Redirecting to a VRF)
• 0x8009 - traffic-marking (DSCP Tagging)
• Additional actions are proposed [7]:
• 0x8108 - redirect to IPv4
• 0x8208 - redirect to AS
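The extended communities listed above are what actually carry a FlowSpec action on the wire, and ExaBGP (next slide) is the usual way to inject a rule from a script. The following Python is an added example, not code from the slides, from ExaBGP or from any RFC: it encodes and decodes the four RFC 5575 action communities named above (traffic-rate, traffic-action, redirect, traffic-marking) in their 8-byte wire form, and renders a rule built from the match criteria of the previous slide in ExaBGP's text syntax. The `announce flow route { match { ... } then { ... } }` form and its match keywords are written from memory of ExaBGP's flow configuration and should be checked against the ExaBGP version in use; AS 65001 is the one from the sample configuration later in the deck, while the prefix 192.0.2.10/32 and the rates are constructed.

```python
"""FlowSpec action encoding per RFC 5575, plus an ExaBGP-style rule renderer.

Added example, not code from the MENOG 16 slides or from ExaBGP itself.
Assumption: the ExaBGP text syntax rendered below is from memory; verify it
against the deployed ExaBGP version before relying on it.
"""
import struct
from typing import Dict, List, Tuple

# Extended community types listed on the slide (RFC 5575 section 7).
TRAFFIC_RATE = 0x8006     # rate limit in bytes/second; a rate of 0 means discard
TRAFFIC_ACTION = 0x8007   # flag bits in the last byte: terminal (0x01), sample (0x02)
REDIRECT_VRF = 0x8008     # route-target style AS2:value, redirect into a VRF
TRAFFIC_MARKING = 0x8009  # rewrite the DSCP field


def mbps_to_bytes_per_sec(mbps: float) -> float:
    """traffic-rate is expressed in bytes per second, not bits."""
    return mbps * 1_000_000 / 8


def encode_traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """8 bytes: type (2) | 2-byte AS | IEEE-754 float32 rate (4)."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-byte AS number")
    if bytes_per_sec < 0:
        raise ValueError("rate must be non-negative")
    return struct.pack("!HHf", TRAFFIC_RATE, asn, bytes_per_sec)


def encode_traffic_action(sample: bool = False, terminal: bool = False) -> bytes:
    """6-byte value of which only the two low-order bits are defined."""
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return struct.pack("!H5xB", TRAFFIC_ACTION, flags)


def encode_redirect(asn: int, value: int) -> bytes:
    """Redirect to the VRF whose import route-target is asn:value (e.g. a scrubber VRF)."""
    return struct.pack("!HHI", REDIRECT_VRF, asn, value)


def encode_traffic_marking(dscp: int) -> bytes:
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp)


def decode(ec: bytes) -> Tuple[int, Dict[str, object]]:
    """Reverse of the encoders above; returns (type, fields)."""
    if len(ec) != 8:
        raise ValueError("extended communities are exactly 8 bytes")
    ec_type = struct.unpack("!H", ec[:2])[0]
    if ec_type == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ec[2:])
        return ec_type, {"asn": asn, "bytes_per_sec": rate, "discard": rate == 0.0}
    if ec_type == TRAFFIC_ACTION:
        return ec_type, {"sample": bool(ec[7] & 0x02), "terminal": bool(ec[7] & 0x01)}
    if ec_type == REDIRECT_VRF:
        asn, value = struct.unpack("!HI", ec[2:])
        return ec_type, {"asn": asn, "value": value}
    if ec_type == TRAFFIC_MARKING:
        return ec_type, {"dscp": ec[7]}
    raise ValueError(f"unknown extended community type 0x{ec_type:04x}")


# Match criteria from the "Flow Specification criteria" slide, in ExaBGP keyword form.
MATCH_KEYWORDS: List[str] = ["destination", "source", "protocol", "port",
                             "destination-port", "source-port", "icmp-type",
                             "icmp-code", "tcp-flags", "packet-length", "dscp",
                             "fragment"]


def exabgp_flow_rule(match: Dict[str, str], action: str) -> str:
    """Render one rule for ExaBGP's API (assumed syntax: announce flow route {...})."""
    unknown = set(match) - set(MATCH_KEYWORDS)
    if unknown:
        raise ValueError(f"unsupported match criteria: {sorted(unknown)}")
    if "destination" not in match:
        # Without a destination prefix the rule would apply to every packet the
        # edge forwards; insist on one so a typo cannot become a network-wide discard.
        raise ValueError("refusing a FlowSpec rule without a destination prefix")
    body = " ".join(f"{key} {value};" for key, value in match.items())
    return f"announce flow route {{ match {{ {body} }} then {{ {action}; }} }}"


if __name__ == "__main__":
    # Constructed case: rate-limit UDP/53 toward one victim to 10 Mbit/s.
    rate = mbps_to_bytes_per_sec(10)
    print(exabgp_flow_rule({"destination": "192.0.2.10/32", "protocol": "udp",
                            "destination-port": "=53"}, f"rate-limit {int(rate)}"))
    community = encode_traffic_rate(65001, rate)
    print(community.hex(), decode(community))
```

The encoders are useful for checking what a router or ExaBGP actually put on the wire (a packet capture of the BGP UPDATE shows these 8-byte values in the extended communities attribute); a rate of 0.0 is the discard case the traffic-rate slide mentions.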
ExaBGP
• Open Source BGP Swiss Army Knife [8]
• Supports many extensions, including IPv6, ASN4, MPLS, BMP and FlowSpec
• Easy to use and extend (show your Python / BASH mastery!)
• Easily integrates with your existing tools/scripts (e.g. FastNetMon) to automate route/policy injection
Detection
DDoS Detection
• Network Telemetry
• Passive traffic flow information collection
• NetFlow
• sFLOW
• IPFIX
• Real-time analysis
• Baselining
• Pattern Matching
Detection Toolbox
• Commercial (Arbor, Juniper, F5, Radware, Check Point, etc.)
• Open source: FastNetMon [9]
FastNetMon
• Flow Data Analysis
• NetFlow (v5, v9)
• sFlow (v4, v5)
• IPFIX
• High Performance Traffic Capture
• PF_RING
• netmap
• SnabbSwitch
• Watches hosts for traffic anomalies
• High bits/second
• High packets/second
• High flows/second
• Runs External Trigger (e.g. custom script)
• Integration with ExaBGP (FlowSpec injection)
• Integration with GoBGP (Unicast announces)
• Custom thresholds
• L2TP Decapsulation
• MPLS untagging and VLAN processing
• Supports major network attack types (TCP SYN, UDP, ICMP and IP fragmentation floods)
• Write your own plugin!
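The per-host checks described above come down to aggregating exported flow records per destination host over a sampling window and comparing the resulting per-second rates against thresholds. The following Python is an added example, not FastNetMon's code, that does this over a constructed one-second export interval: a spoofed-source UDP/53 flood toward one host, ordinary HTTPS traffic toward another, and one transit flow that must be ignored because its destination is not in our address space. The thresholds and the ban_for_* switches are the values from the sample configuration on the following slides; the prefixes and flow records are constructed.

```python
"""Per-host threshold detection over flow records, in the spirit of FastNetMon's
ban_for_pps / ban_for_bandwidth / ban_for_flows checks.

Added example, not FastNetMon's own code.  Thresholds are taken from the deck's
sample configuration; prefixes and flow records are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Values from the deck's sample configuration.
THRESHOLD_PPS = 20_000
THRESHOLD_MBPS = 1_000
THRESHOLD_FLOWS = 3_500
BAN_FOR_PPS = True
BAN_FOR_BANDWIDTH = True
BAN_FOR_FLOWS = False

# Constructed: only hosts inside our own prefixes are candidates for action;
# anything else is transit or remote traffic we are not responsible for.
OUR_NETWORKS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    """One exported flow record (real NetFlow/sFlow/IPFIX records carry more fields)."""
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int


@dataclass
class HostStats:
    pps: float = 0.0
    mbps: float = 0.0
    flows: int = 0


def aggregate(flows: Iterable[Flow], window_s: float) -> Dict[str, HostStats]:
    """Sum incoming packets, bytes and flow count per local destination host over
    one window of `window_s` seconds and convert them to per-second rates."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for f in flows:
        dst = ip_address(f.dst)
        if not any(dst in net for net in OUR_NETWORKS):
            continue
        host = stats[f.dst]
        host.pps += f.packets / window_s
        host.mbps += f.bytes * 8 / 1_000_000 / window_s
        host.flows += 1
    return dict(stats)


def check_host(stats: HostStats) -> List[str]:
    """Names of the enabled thresholds this host exceeds (empty list = clean)."""
    fired: List[str] = []
    if BAN_FOR_PPS and stats.pps > THRESHOLD_PPS:
        fired.append("pps")
    if BAN_FOR_BANDWIDTH and stats.mbps > THRESHOLD_MBPS:
        fired.append("bandwidth")
    if BAN_FOR_FLOWS and stats.flows > THRESHOLD_FLOWS:
        fired.append("flows")
    return fired


def detect(flows: Iterable[Flow], window_s: float = 1.0) -> Dict[str, List[str]]:
    """Hosts that trip at least one threshold, mapped to the thresholds tripped."""
    alerts: Dict[str, List[str]] = {}
    for host, stats in aggregate(flows, window_s).items():
        fired = check_host(stats)
        if fired:
            alerts[host] = fired
    return alerts


def constructed_sample() -> List[Flow]:
    """Constructed one-second export: a spoofed-source UDP/53 flood at .10 (5000
    flows of 10 small packets), normal HTTPS at .20, and one transit flow."""
    flood = [Flow(src=f"198.51.100.{i % 250 + 1}", dst="192.0.2.10", proto=17,
                  dport=53, packets=10, bytes=1000) for i in range(5000)]
    normal = [Flow(src=f"203.0.113.{i % 200 + 1}", dst="192.0.2.20", proto=6,
                   dport=443, packets=50, bytes=75000) for i in range(200)]
    transit = [Flow(src="198.51.100.7", dst="203.0.113.5", proto=6, dport=80,
                    packets=1_000_000, bytes=1_500_000_000)]
    return flood + normal + transit


if __name__ == "__main__":
    for host, stats in aggregate(constructed_sample(), 1.0).items():
        print(f"{host}: {stats.pps:.0f} pps, {stats.mbps:.1f} Mbps, {stats.flows} flows")
    print("alerts:", detect(constructed_sample()))
```

Note what the flood looks like in the aggregate: 50,000 pps but only about 40 Mbps, so a bandwidth-only threshold would miss it, which is why FastNetMon offers the pps and flows checks alongside bandwidth. The flows count (5,000) is above threshold_flows, but ban_for_flows is off in the sample configuration, so only "pps" fires.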
Sample Configuration
## action in case of attack
enable_ban = on
ban_time = 3600

## Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

## Limits for DoS/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
Sample Configuration
## traffic capture method
mirror = off
mirror_netmap = off
pcap = off
netflow = on
sflow = on

netflow_port = 2055
netflow_host = 0.0.0.0

sflow_port = 6343
sflow_host = 0.0.0.0
Sample Configuration
## action !!!
notify_script_path = /usr/local/bin/ban.sh

# ExaBGP could announce blocked IPs with BGP
exabgp = on
exabgp_command_pipe = /var/run/exabgp/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_whole_subnet = no
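The notify script and the exabgp_* settings above are where detection turns into mitigation: FastNetMon hands the attacked host to a script, and ExaBGP injects the host's /32 toward the blackhole next-hop tagged with the blackhole community, which is the D/RTBH trigger described in the RTBH slides. The following Python is an added example that serves both passages; it is neither FastNetMon's stock notify script nor ExaBGP code. It validates the target before announcing anything (a single IPv4 host, inside our own prefixes, never a protected router or resolver), builds the ExaBGP API `announce route` / `withdraw route` lines for ban and unban, and writes them to the command pipe. The argument order `<ip> <direction> <pps> <action>` is an assumption about how FastNetMon invokes notify_script_path and should be confirmed against the deployed version's stock notify script; the pipe path, next-hop and community are the sample configuration's values, and the prefixes and protected hosts are constructed.

```python
#!/usr/bin/env python3
"""FastNetMon notify script that triggers D/RTBH through ExaBGP.

Added example, not FastNetMon's stock notify script and not ExaBGP code.
Assumed invocation (confirm against your FastNetMon version):
    ban.py <ip> <direction> <pps> <ban|unban|attack_details>
Pipe path, next-hop and community come from the deck's sample configuration.
"""
import ipaddress
import sys
from typing import Callable, List

EXABGP_COMMAND_PIPE = "/var/run/exabgp/exabgp.cmd"   # exabgp_command_pipe
EXABGP_NEXT_HOP = "10.0.3.114"                        # exabgp_next_hop
EXABGP_COMMUNITY = "65001:666"                        # exabgp_community

# Constructed: prefixes we are allowed to blackhole, and hosts that must never be
# blackholed even if they trip a threshold (blackholing a resolver or gateway turns
# an attack on one customer into an outage for everyone behind it).
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
PROTECTED_HOSTS = {ipaddress.ip_address("192.0.2.1"),    # gateway
                   ipaddress.ip_address("192.0.2.53")}   # resolver


def validate_target(ip_text: str) -> ipaddress.IPv4Address:
    """Accept only one IPv4 host inside our own space that is not protected."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        raise ValueError("this trigger only handles IPv4 RTBH")
    if not any(ip in net for net in OUR_NETWORKS):
        raise ValueError(f"{ip} is outside our prefixes; refusing to blackhole")
    if ip in PROTECTED_HOSTS:
        raise ValueError(f"{ip} is protected infrastructure; refusing to blackhole")
    return ip


def rtbh_commands(ip_text: str, action: str) -> List[str]:
    """ExaBGP API lines for a D/RTBH ban or unban of one /32 (matches
    exabgp_announce_whole_subnet = no)."""
    ip = validate_target(ip_text)
    route = f"route {ip}/32 next-hop {EXABGP_NEXT_HOP}"
    if action == "ban":
        # Edge routers match the community and send the prefix to null0 / a
        # discard next-hop; the /32 is the D/RTBH announcement from the slides.
        return [f"announce {route} community {EXABGP_COMMUNITY}"]
    if action == "unban":
        return [f"withdraw {route}"]
    if action == "attack_details":
        return []   # informational call; nothing to inject
    raise ValueError(f"unknown action {action!r}")


def send(commands: List[str], writer: Callable[[str], None]) -> int:
    """Hand each command to ExaBGP; `writer` is injectable so tests need no pipe."""
    for cmd in commands:
        writer(cmd + "\n")
    return len(commands)


def write_to_pipe(line: str) -> None:
    with open(EXABGP_COMMAND_PIPE, "w") as pipe:
        pipe.write(line)


def main(argv: List[str]) -> int:
    if len(argv) != 5:
        print("usage: ban.py <ip> <direction> <pps> <ban|unban|attack_details>",
              file=sys.stderr)
        return 2
    ip_text, direction, pps, action = argv[1:]
    if direction != "incoming":
        # An outgoing flood means one of our own hosts is compromised; that needs
        # a different response than blackholing its address at the edge.
        return 0
    try:
        sent = send(rtbh_commands(ip_text, action), write_to_pipe)
    except ValueError as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    print(f"{action} {ip_text} ({pps} pps): {sent} command(s) sent to ExaBGP")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as notify_script_path, the script logs a refusal instead of announcing when FastNetMon names a host outside the allowed prefixes or in the protected set; the unban path withdraws the same /32 so the victim returns to service when ban_time expires.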

[Diagram, two stages: FastNetMon in the NOC receives NetFlow/sFlow from the edge and detects the incoming DDoS against the Target in the Customer Network; ExaBGP then advertises blackhole prefixes over iBGP and the edge routers facing Upstream A, Upstream B, IXP A and IXP B block the attack]
FastNetMon at work
Questions?
References
• [1] Imperva Q2 2015 DDoS Threat Landscape Report - http://lp.incapsula.com/ddos-report-2015.html
• [2] RFC 3882 - Configuring BGP to Block Denial-of-Service Attacks
• [3] RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)
• [4] RFC 5575 - Dissemination of Flow Specification Rules
• [5] draft-reddy-dots-transport-00 - Co-operative DDoS Mitigation
• [6] draft-ietf-idr-flow-spec-v6 - Dissemination of Flow Specification Rules for IPv6
• [7] RFC 7674 - Clarification of the Flowspec Redirect Extended Community
• [8] ExaBGP - https://github.com/Exa-Networks/exabgp
• [9] FastNetMon - https://github.com/pavel-odintsov/fastnetmon

More Related Content

What's hot

DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
ShortestPathFirst
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
Tudor Damian
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
Luthfi Widyanto
 
DMVPN
DMVPNDMVPN
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
Pavel Odintsov
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept
Mostafa El Lathy
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
Qos Quality of services
Qos   Quality of services Qos   Quality of services
Qos Quality of services
HayderThary
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpi
Mohammed Abdallah
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muuluu
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
Tarun Khaneja
 
Mikrotik basic configuration
Mikrotik basic configurationMikrotik basic configuration
Mikrotik basic configuration
Tola LENG
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
Chao Chen
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101
Rohan Reddy
 
Hping Kullanarak Ağ Keşif Çalışmaları
Hping Kullanarak Ağ Keşif ÇalışmalarıHping Kullanarak Ağ Keşif Çalışmaları
Hping Kullanarak Ağ Keşif Çalışmaları
BGA Cyber Security
 
Mpls Services
Mpls ServicesMpls Services
Mpls Services
Kristof De Brouwer
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 

What's hot (20)

DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
 
DMVPN
DMVPNDMVPN
DMVPN
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
Qos Quality of services
Qos   Quality of services Qos   Quality of services
Qos Quality of services
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpi
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt.  by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
 
Mikrotik basic configuration
Mikrotik basic configurationMikrotik basic configuration
Mikrotik basic configuration
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101
 
Hping Kullanarak Ağ Keşif Çalışmaları
Hping Kullanarak Ağ Keşif ÇalışmalarıHping Kullanarak Ağ Keşif Çalışmaları
Hping Kullanarak Ağ Keşif Çalışmaları
 
Mpls Services
Mpls ServicesMpls Services
Mpls Services
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
 

Viewers also liked

Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
Pavel Odintsov
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
Redge Technologies
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
Pavel Odintsov
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Pavel Odintsov
 

Viewers also liked (8)

Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka Ishizaki
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Lekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_flLekker weer nlnog_nlnog_ddos_fl
Lekker weer nlnog_nlnog_ddos_fl
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routersLekker weer nlnog_how_to_avoid_buying_expensive_routers
Lekker weer nlnog_how_to_avoid_buying_expensive_routers
 

Similar to DDoS Mitigation Tools and Techniques

Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
MarketingArrowECS_CZ
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
Sagi Brody
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PROIDEA
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
Marta Pacyga
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
PriyadharshiniHemaku
 
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek JanikPLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PROIDEA
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
Logan Best
 
DDoS - unstoppable menace
DDoS - unstoppable menaceDDoS - unstoppable menace
DDoS - unstoppable menace
Aravind Anbazhagan
 
DDoS - unstoppable menace
DDoS - unstoppable menaceDDoS - unstoppable menace
DDoS - unstoppable menace
Aravind Anbazhagan
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
Wilson Rogerio Lopes
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PROIDEA
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
allanjude
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 -  DDoS attacks in an IPv6 WorldHKNOG 1.0 -  DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
Tim Martin
 
Addios!
Addios!Addios!
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
ManageEngine, Zoho Corporation
 
Practice of large Hadoop cluster in China Mobile
Practice of large Hadoop cluster in China MobilePractice of large Hadoop cluster in China Mobile
Practice of large Hadoop cluster in China Mobile
DataWorks Summit
 

Similar to DDoS Mitigation Tools and Techniques (20)

Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
 
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek JanikPLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
DDoS - unstoppable menace
DDoS - unstoppable menaceDDoS - unstoppable menace
DDoS - unstoppable menace
 
DDoS - unstoppable menace
DDoS - unstoppable menaceDDoS - unstoppable menace
DDoS - unstoppable menace
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 -  DDoS attacks in an IPv6 WorldHKNOG 1.0 -  DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
Addios!
Addios!Addios!
Addios!
 
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
 
Practice of large Hadoop cluster in China Mobile
Practice of large Hadoop cluster in China MobilePractice of large Hadoop cluster in China Mobile
Practice of large Hadoop cluster in China Mobile
 

Recently uploaded

Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
Bangladesh Network Operators Group
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
Incident Identification Approach and Managment
Incident Identification Approach and ManagmentIncident Identification Approach and Managment
Incident Identification Approach and Managment
Gaali1
 
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
shamrisumri
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
Bangladesh Network Operators Group
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
VPN Server
 
Top 50 Data Science Jobs on LinkedIn.docx
Top 50 Data Science Jobs on LinkedIn.docxTop 50 Data Science Jobs on LinkedIn.docx
Top 50 Data Science Jobs on LinkedIn.docx
analyticsinsightmaga
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
exchangeid32
 
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
mahigarg2024#G05
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
Bangladesh Network Operators Group
 
Trading Strategy for London silver bullet
Trading Strategy for London silver bulletTrading Strategy for London silver bullet
Trading Strategy for London silver bullet
OkgatoSemadi1
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
samyanvichadda
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
AirtoryInc
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
shamrisumri
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
ธนาพัฒน์ ลิ้มสายพรหม
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
Edward Blurock
 
optimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluationoptimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluation
ManojKumarr75
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)
Bangladesh Network Operators Group
 
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptxDraya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
ashishkumarrana9
 

Recently uploaded (20)

Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Incident Identification Approach and Managment
Incident Identification Approach and ManagmentIncident Identification Approach and Managment
Incident Identification Approach and Managment
 
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
High Profile Girls Call ServiCe Chennai XX00XXX00X Tanisha Best High Class Ch...
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
 
Top 50 Data Science Jobs on LinkedIn.docx
Top 50 Data Science Jobs on LinkedIn.docxTop 50 Data Science Jobs on LinkedIn.docx
Top 50 Data Science Jobs on LinkedIn.docx
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
DDoS Mitigation Tools and Techniques

1. DDoS Mitigation Tools and Techniques
Babak Farrokhi, MENOG 16

3. What is a DDoS Attack?
• A distributed attack that makes your online infrastructure totally inaccessible
• Performed by a large number of infected hosts (zombies)
• Complicated to defend
(Diagram: Upstream Provider, Your Connection, Your Infrastructure, Bots, Users)

4. Attack Types
• Network Layer Attacks: exhausting your uplink
• Application Layer Attacks: overloading your servers
(Diagrams: Upstream Provider, Your Connection, Your Infrastructure; L7 Requests arriving at Your Infrastructure)

5. But I am not affected…
• 75% attacked more than once
• 10% attacked on a weekly basis
• 91% attacked in the past 12 months
• 45% of organizations attacked
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]

6. DDoS Attack Trends
• 2014 vs. 2013: number of attacks doubled
• Average DDoS attack size in 2014: 15 Gbps
• Average damage of a DDoS attack: $40,000/hour
• Largest application layer attack: ~180,000 RPS
Source: Imperva Q2 2015 DDoS Threat Landscape Report [1]

7. Where are we going?
• DDoS attacks may last for days or weeks
• Attacks usually reappear
• Network layer attacks are getting bigger (so your defense should scale proportionally)
• Operators should be equipped with appropriate equipment (and knowledge)

8. How it affects operators
• Your customers cannot defend themselves (once the attack hits a customer's firewall, it's too late)
• An attack on one customer may affect the other customers, or the whole infrastructure
• Loss of revenue
• Loss of reputation
• Legal issues
• Service level degradation, missing SLA targets

9. Dealing with DDoS
• Detection
• Tools and Techniques
• Mitigation
• Best Practices
11. Mitigation Best Practices
• S/RTBH [2], D/RTBH [3]
• FlowSpec [4]
• Co-operative DDoS Mitigation [5] (IETF DOTS WG draft)
• PBR

12. RTBH
• Remotely Triggered Blackhole
• D/RTBH: based on destination address
• S/RTBH: based on source address
• Widely in use by operators
• Injecting routes to edge routers using iBGP to discard or redirect traffic to a sinkhole/scrubber
• Blackholes all incoming traffic for a given host/network

13. D/RTBH
• The victim's (destination) address will be totally unreachable during the attack
• Makes the victim unreachable to protect the rest of the infrastructure / customers

14. S/RTBH
• Uses uRPF (loose mode) to filter out traffic based on source address
• The victim will still be reachable
• Only effective in case of DoS or DDoS with a limited number of source addresses
15-17. RTBH (diagram sequence; labels: Upstream A, Upstream B, IXP A, IXP B, Customer Network, Target, Trigger Router, NOC; slide 17 adds the label "iBGP Advertise Blackhole Prefixes")
18. Where should attack traffic go?
• Discard: null0 on edge routers
• Sinkhole: for further analysis / forensics
• Scrubber: clean malicious traffic

19. RTBH Problems
• Discarding will keep the target visible for local networks, but it will be unavailable for others
• Isn't this what the attackers wanted?
• Scrubbing as an alternative to black-holing
• It is usually done manually
20. BGP FlowSpec
• Defined in RFC 5575 (IPv4)
• Largely a work in progress: many extensions are proposed as IETF drafts
• IPv6 support is still in draft state [6] (IETF IDR WG)
• Fairly new, not widely in use
  • JunOS 7.3
  • IOS 15.5, XE 3.14
• Defines a new BGP NLRI (Network Layer Reachability Information) format
• Granular traffic flow matching based on L3/L4 information

21. FlowSpec use cases
• Traffic filter list / ACL distribution
• Filtering harmful traffic based on traffic flow information
• Replacement for classic S/RTBH and D/RTBH for DDoS mitigation

22. Flow Specification criteria
• L3 source / destination prefix
• L4 protocol (e.g. TCP, UDP, etc.)
• L4 source / destination port
• ICMP types and codes
• TCP flags
• Packet length
• DSCP
• Fragment

23. Traffic Filtering Actions
• Defined as extended community attributes:
  • 0x8006 - traffic-rate (rate limiting or discarding)
  • 0x8007 - traffic-action (sampling)
  • 0x8008 - redirect (redirecting to a VRF)
  • 0x8009 - traffic-marking (DSCP tagging)
• Additional actions are proposed [7]:
  • 0x8108 - redirect to IPv4
  • 0x8208 - redirect to AS
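Each of the four RFC 5575 actions listed above travels as one 8-octet extended community, and a receiver must read the value field differently per type (a traffic-rate of 0.0 is a discard, not a rate limit). The following Python is an added example, not code from the talk or from ExaBGP; it packs and unpacks all four encodings, with AS 65001 and the value 666 in the tests borrowed from the sample configuration later in the deck.

```python
"""RFC 5575 traffic-filtering action extended communities (slide 23).
Added example, not from the talk or ExaBGP: each action is one 8-octet
extended community, a 2-octet type followed by a 6-octet value."""
import struct

TRAFFIC_RATE = 0x8006     # 2-octet AS + IEEE-754 float bytes/s; 0.0 = discard
TRAFFIC_ACTION = 0x8007   # 6-octet bit field: bit 47 = Terminal, bit 46 = Sample
REDIRECT = 0x8008         # route target (AS:number) of the VRF to redirect into
TRAFFIC_MARKING = 0x8009  # DSCP value in the low 6 bits of the last octet


def encode_traffic_rate(asn: int, rate_bytes_per_sec: float) -> bytes:
    return struct.pack(">HHf", TRAFFIC_RATE, asn, rate_bytes_per_sec)


def encode_traffic_action(sample: bool, terminal: bool) -> bytes:
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return struct.pack(">H", TRAFFIC_ACTION) + bytes(5) + bytes([flags])


def encode_redirect(asn: int, local_admin: int) -> bytes:
    return struct.pack(">HHI", REDIRECT, asn, local_admin)


def encode_traffic_marking(dscp: int) -> bytes:
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return struct.pack(">H", TRAFFIC_MARKING) + bytes(5) + bytes([dscp])


def decode(ec: bytes) -> dict:
    """Turn one received extended community into the action a router applies."""
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    etype = struct.unpack(">H", ec[:2])[0]
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack(">Hf", ec[2:])
        return {"action": "discard" if rate == 0 else "rate-limit",
                "asn": asn, "bytes_per_sec": rate}
    if etype == TRAFFIC_ACTION:
        return {"action": "traffic-action",
                "sample": bool(ec[7] & 0x02), "terminal": bool(ec[7] & 0x01)}
    if etype == REDIRECT:
        asn, number = struct.unpack(">HI", ec[2:])
        return {"action": "redirect", "route_target": f"{asn}:{number}"}
    if etype == TRAFFIC_MARKING:
        return {"action": "traffic-marking", "dscp": ec[7] & 0x3F}
    raise ValueError(f"unknown extended community type 0x{etype:04x}")
```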
24. ExaBGP
• Open source BGP Swiss Army knife [8]
• Supports many extensions, including IPv6, ASN4, MPLS, BMP and FlowSpec
• Easy to use and extend (show your Python / Bash mastery!)
• Easily integrates with your existing tools/scripts (e.g. FastNetMon) to automate route/policy injection

26. DDoS Detection
• Network telemetry
  • Passive traffic flow information collection: NetFlow, sFlow, IPFIX
• Real-time analysis
  • Baselining
  • Pattern matching

27. Detection Toolbox
• Commercial (Arbor, Juniper, F5, Radware, Check Point, etc.)
• Open source: FastNetMon [9]

28. FastNetMon
• Flow data analysis: NetFlow (v5, v9), sFlow (v4, v5), IPFIX
• High performance traffic capture: PF_RING, netmap, SnabbSwitch

29. FastNetMon (continued)
• Watches hosts for traffic anomalies: high bits/second, high packets/second, high flows/second
• Runs an external trigger (e.g. a custom script)

30. FastNetMon (continued)
• Integration with ExaBGP (FlowSpec injection)
• Integration with GoBGP (unicast announces)
• Custom thresholds
• L2TP decapsulation
• MPLS untagging and VLAN processing
• Supports major network attack types (TCP SYN, UDP, ICMP and IP fragmentation floods)
• Write your own plugin!
31. Sample Configuration

  ## action in case of attack
  enable_ban = on
  ban_time = 3600

  ## Different approaches to attack detection
  ban_for_pps = on
  ban_for_bandwidth = on
  ban_for_flows = off

  ## Limits for DoS/DDoS attacks
  threshold_pps = 20000
  threshold_mbps = 1000
  threshold_flows = 3500

32. Sample Configuration

  ## traffic capture method
  mirror = off
  mirror_netmap = off
  pcap = off
  netflow = on
  sflow = on

  netflow_port = 2055
  netflow_host = 0.0.0.0

  sflow_port = 6343
  sflow_host = 0.0.0.0

33. Sample Configuration

  ## action !!!
  notify_script_path = /usr/local/bin/ban.sh

  # ExaBGP could announce blocked IPs with BGP
  exabgp = on
  exabgp_command_pipe = /var/run/exabgp/exabgp.cmd
  exabgp_community = 65001:666
  exabgp_next_hop = 10.0.3.114
  exabgp_announce_whole_subnet = no
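To make the ExaBGP hooks in the sample configuration concrete, the Python below (an added example, not FastNetMon's or ExaBGP's own code) builds the announce/withdraw lines for the two mitigation paths of the talk: a D/RTBH host route carrying community 65001:666 with next hop 10.0.3.114, and a FlowSpec rule that discards only the offending flow. The notify-script argument order (ip, direction, pps, ban|unban) and the ExaBGP text-API syntax are assumptions to check against each tool's documentation.

```python
"""Glue between a FastNetMon notify script and ExaBGP's command pipe (sample
configuration above).  Added example, not FastNetMon's or ExaBGP's own code.
Assumes FastNetMon runs  ban.sh <ip> <incoming|outgoing> <pps> <ban|unban>
and that ExaBGP's text API accepts the announce/withdraw lines built here."""
import ipaddress
from typing import Optional

BLACKHOLE_COMMUNITY = "65001:666"  # exabgp_community from the sample config
BLACKHOLE_NEXT_HOP = "10.0.3.114"  # exabgp_next_hop, routed to null0 on the edges

# FastNetMon attack types -> FlowSpec L4 match terms (constructed table).
FLOW_MATCH = {
    "syn_flood": "protocol tcp; tcp-flags syn;",
    "udp_flood": "protocol udp;",
    "icmp_flood": "protocol icmp;",
    "ip_fragmentation_flood": "fragment is-fragment;",
}


def host_prefix(ip: str) -> str:
    """Validate the victim address and return it as a /32 or /128 host route,
    honouring exabgp_announce_whole_subnet = no: never blackhole a wider block."""
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"refusing to act on non-unicast address {ip}")
    return f"{addr}/{addr.max_prefixlen}"


def rtbh_command(ip: str, action: str) -> str:
    """D/RTBH: announce (ban) or withdraw (unban) the host route that iBGP
    carries to the edge routers, where the next hop points at null0."""
    verb = {"ban": "announce", "unban": "withdraw"}[action]
    return (f"{verb} route {host_prefix(ip)} next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def flowspec_command(ip: str, attack_type: str, action: str) -> str:
    """FlowSpec alternative: discard only the offending flow so the victim
    stays reachable (the RTBH problem from slide 19)."""
    if attack_type not in FLOW_MATCH:
        raise ValueError(f"no FlowSpec match for attack type {attack_type!r}")
    verb = {"ban": "announce", "unban": "withdraw"}[action]
    return (f"{verb} flow route {{ match {{ destination {host_prefix(ip)}; "
            f"{FLOW_MATCH[attack_type]} }} then {{ discard; }} }}")


def handle_notify(argv: list, method: str = "rtbh",
                  attack_type: str = "udp_flood") -> Optional[str]:
    """Emulate ban.sh: return the line to write into exabgp_command_pipe."""
    ip, direction, _pps, action = argv[:4]
    if direction != "incoming":  # outgoing anomaly: a compromised customer host
        return None
    if method == "rtbh":
        return rtbh_command(ip, action)
    return flowspec_command(ip, attack_type, action)
```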

34-35. Detection and mitigation flow (diagram sequence; labels: Upstream A, Upstream B, IXP A, IXP B, Customer Network, Target, NOC, ExaBGP, FastNetMon; slide 34: Incoming DDoS, NetFlow/sFlow; slide 35 adds: iBGP Advertise Blackhole Prefixes, Block)
39. References
• [1] http://lp.incapsula.com/ddos-report-2015.html
• [2] RFC 3882 - Configuring BGP to Block Denial-of-Service Attacks
• [3] RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)
• [4] RFC 5575 - Dissemination of Flow Specification Rules
• [5] draft-reddy-dots-transport-00 - Co-operative DDoS Mitigation
• [6] draft-ietf-idr-flow-spec-v6 - Dissemination of Flow Specification Rules for IPv6

40. References (continued)
• [7] RFC 7674 - Clarification of the Flowspec Redirect Extended Community
• [8] https://github.com/Exa-Networks/exabgp
• [9] https://github.com/pavel-odintsov/fastnetmon