
Detecting and Mitigating Denial of Service Attacks
BRKSEC-2014
Peter Provart

BRKSEC-2014

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

1


HOUSEKEEPING
• We value your feedback; don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Friday.
• Visit the World of Solutions on Level -01!
• Please remember this is a 'No Smoking' venue!
• Please switch off your mobile phones!
• Please remember to wear your badge at all times, including the Party!
• Do you have a question? Feel free to ask it during the Q&A section, or write your question on the Question form given to you and hand it to the Room Monitor when you see them holding up the Q&A sign.



Objectives and Assumptions
• How to detect and mitigate Denial of Service attacks in a network.
• Explaining what kinds of threats we need to defend against.
• Explaining the various detection mechanisms that are available.
• Explaining the different mitigation techniques, how they are used, and the possible consequences of implementing them.
• The audience is assumed to consist of network architects, security officers and project managers from SP and Large Enterprise customers.
• Assumption: the audience has a basic knowledge of routing protocols and a good and broad understanding of the various security techniques and tools used in large networks today.
• This session is related to sessions:
  Network Core Infrastructure Protection: Best Practices (BRKSEC-2013)
  Detecting Router Abuse (BRKSEC-2015)
  Network-based Solutions for Broadband Residential Security (BRKSEC-2016)
  The Techtorial Mitigating DoS Attacks (TECSEC-2003) also covers all of these techniques, so if you attended the techtorial there is no need to attend this break-out session.



Agenda
• Introduction: Threat Landscape
• Six Phases of the Incident Reaction process
  Planning, Detection, Classification, Traceback, Reaction, Post Mortem
• Advanced Reaction Techniques



Introduction

Motivation and Trends




DDoS Attacks Are Here To Stay
• DoS attacks grew from 119 to 1500 per day in 2005, an increase of 1200%
• Jan06-Jun06: avg 6110 DoS attacks per day, an increase of 600%
  *Symantec Sept 2006
• A large % of DDoS attacks are motivated by extortion demands
• 50K average active bots
• Attack size is in the 2-7 Gig range
  Symantec Internet Security Report – March '06
• The DoS problem is not a 100-year flood anymore!

'Zombie' ring allegedly hit 1.5 million computers
Dutch Internet provider XS4ALL identified the zombie network – "only a drop in the ocean."


Threat Economy: In the Past

Writers                                    | Asset                                      | End Value
-------------------------------------------|--------------------------------------------|----------------------------------------
Tool and Toolkit Writers                   | Compromise Individual Host or Application  | Fame
Malware Writers (Worms, Viruses, Trojans)  | Compromise Environment                     | Theft; Espionage (Corporate/Government)



Threat Economy: Today

Writers:
  Tool and Toolkit Writers
  Malware Writers (Worms, Viruses, Trojans, Spyware)

First Stage Abusers:
  Hacker/Direct Attack
  Machine Harvesting
  Information Harvesting
  Internal Theft: Abuse of Privilege

Middle Men:
  Compromised Host and Application
  Bot-Net Creation
  Bot-Net Management: For Rent, for Lease, for Sale
  Personal Information
  Information Brokerage
  Electronic IP Leakage

Second Stage Abusers:
  Extortionist/DDoS-for-Hire
  Spammer
  Phisher
  Pharmer/DNS Poisoning
  Identity Theft

End Value:
  Fame
  Theft
  Espionage (Corporate/Government)
  Extorted Pay-Offs
  Commercial Sales
  Fraudulent Sales
  Click-Through Revenue
  Financial Fraud

$$$ Flow of Money $$$


Denial of Service Trends
• Multipath
  Truly distributed
  DNS servers, large botnets
  Reflective
• Multivector
  SYN AND UDP AND—
• Use of non-TCP/UDP/ICMP protocols
  Get past ACLs
  Increased awareness in community
• Target ISP Infrastructure
• Target Applications
  SMTP reflective, VoIP


Incident Response

How do you handle a DDOS attack?



Incident Response Methodology for Worms and DoS
(Important!! Time critical)

• Preparation: Best Practices / planning
• Detection: Something is wrong
• Classification: What is wrong
• Traceback: Find infection vector (worm) / Find ingress path (DoS)
• Reaction: De-worming (Contain, Quarantine, Inoculate) / Counter measures (ACLs upstream, Re-direction, SP trace back)
• Post Mortem: Review

Legend on the original slide: worm specific, DoS specific, common.
Mbehring



Six Phases of Incident Response

Preparation:
  Prep the Network
  Create Tools
  Test Tools
  Prep Procedures
  Train Team
  Practice

Detection:
  How do you know about the attack?
  What tools can you use?
  What's your process for communication?

Classification:
  What kind of attack is it?
  Where and how is it affecting the network?
  What other current network problems are related?

Traceback:
  Where is the attack coming from?

Reaction:
  What options do you have to remedy?
  Which option is the best under the circumstances?

Post Mortem:
  What was done?
  Can anything be done to prevent it?
  How can it be less painful in the future?


Preparation
Preparation—Develop and Deploy a Solid Security Foundation
• Includes technical and non-technical components
• Encompasses best practices
• The hardest yet most important phase
• Without adequate preparation, you are destined to fail
• The midst of a large attack is not the time to be implementing foundational best practices and processes



Preparation
• Know the enemy
  Understand what drives the miscreants
  Understand their techniques
• Create the security team and plan
  Who handles security during an event: the security folks or the networking folks?
  A good operational security professional needs to be a cross between the two; silos are useless
• Harden the devices
• Prepare the tools
  Network telemetry
  Reaction tools



Detection
Detection—How Do You Know You or Your Customer Is Under Attack?
• It is more than just waiting for your customers to scream or your network to crash
• What tools are available?
• What can you do today on a tight budget?



Detection—Ways to Detect
• Customer call
  "The Internet is down"
• Unexplained changes in network baseline
  SNMP: line/CPU overload, drops
  Bandwidth
  NetFlow
• ACLs with logging
• Backscatter
• Packet capture
• Network IDS
• Anomaly detection


Detection—Network Baselines
• NMS baselines
• Unexplained changes in link utilization
  Worms can generate a lot of traffic; sudden changes in link utilization can indicate a worm
• Unexplained changes in CPU utilization
  Worm scans can affect routers/switches, resulting in increased CPU, both process and interrupt switched
• Unexplained syslog entries
• These are examples
  Changes don't always indicate a security event
  You must know what's normal in order to identify abnormal behavior
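The slide's point is that a baseline has to exist before a deviation can be recognised. The following added example (not part of the original deck or any Cisco tool) shows one way to turn polled link-utilization and CPU figures into a baseline and flag samples that fall outside it. The sample values, the 12-sample baseline window and the 3-sigma threshold are constructed for illustration; in practice the polling interval, window length and threshold are tuned per link, and a flagged sample is a prompt to classify, not proof of an attack.

```python
"""Baseline-deviation check over constructed SNMP-style telemetry samples.

The samples, window size and sigma threshold are constructed for this
example; they are not measurements from a real network.
"""
from statistics import mean, pstdev

# Constructed samples: (minute, link_util_percent, cpu_percent).
# The first 12 samples are a quiet baseline; the last two show a sudden jump
# of the kind the slide associates with worm traffic or a flood.
SAMPLES = [
    (0, 31.0, 12), (1, 33.5, 11), (2, 30.2, 13), (3, 32.8, 12),
    (4, 29.9, 12), (5, 31.7, 14), (6, 34.1, 13), (7, 30.6, 11),
    (8, 32.3, 12), (9, 31.1, 13), (10, 33.0, 12), (11, 30.8, 12),
    (12, 88.4, 67), (13, 94.2, 81),
]


def build_baseline(samples, window):
    """Mean and population std-dev of each metric over the first `window` samples."""
    util = [s[1] for s in samples[:window]]
    cpu = [s[2] for s in samples[:window]]
    return {
        "util": (mean(util), pstdev(util)),
        "cpu": (mean(cpu), pstdev(cpu)),
    }


def deviations(sample, baseline, sigma=3.0):
    """Return the metric names whose value exceeds mean + sigma * stddev."""
    _, util, cpu = sample
    flagged = []
    for name, value in (("util", util), ("cpu", cpu)):
        mu, sd = baseline[name]
        # A perfectly flat baseline (sd == 0) would make every tiny blip a
        # 3-sigma event; in that case only a rise above the mean is flagged.
        limit = mu + sigma * sd if sd > 0 else mu
        if value > limit:
            flagged.append(name)
    return flagged


def find_anomalies(samples, window=12, sigma=3.0):
    """List (minute, flagged_metrics) for samples after the baseline window."""
    baseline = build_baseline(samples, window)
    result = []
    for s in samples[window:]:
        flagged = deviations(s, baseline, sigma)
        if flagged:
            result.append((s[0], flagged))
    return result


if __name__ == "__main__":
    base = build_baseline(SAMPLES, 12)
    print("baseline:", base)
    for minute, metrics in find_anomalies(SAMPLES):
        print(f"minute {minute}: deviation in {', '.join(metrics)}")
```

The baseline window is deliberately taken from the start of the series; a production NMS would use a rolling or time-of-day baseline so that a slow attack cannot quietly become "normal".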


Classification
• Classification—understand the details and scope of the attack
  Identification is not sufficient; once an attack is identified, details matter
  Guides subsequent actions
• Identification and classification are often simultaneous



Classification
• Qualify and quantify the attack without jeopardizing service availability (e.g., crashing a router):
  What type of attack has been identified?
  What's the effect of the attack on the victim(s)?
  What next steps are required (if any)?
• At the very least:
  Source and destination address
  Protocol information
  Port information



Traceback
• Traceback—what are the sources of the attack?
  How to trace to network ingress points
  Your Internet connection is not the only vector
  Understand your topology
• Traceback to network perimeter
  NetFlow
  Backscatter
  Packet accounting
• Retain attack data
  Use to correlate interdomain traceback
  Required for prosecution
  Deters future attacks
  Clarify billing and other disputes
  Post mortem analysis
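The Classification slide lists the minimum fields to capture (source and destination address, protocol, port) and the Traceback slide names NetFlow as a way to find the ingress point. The following added example (not part of the original deck or any Cisco product) serves both slides: it takes flow records already reduced to those fields plus the ingress interface, finds the destination absorbing the most packets, summarises the protocol/port mix and source set aimed at it, and then ranks ingress interfaces so the attack can be traced toward the perimeter. The records, addresses (RFC 5737 documentation ranges) and interface names are constructed for illustration; a real collector would export these fields from NetFlow v5/v9 and the interface index would be mapped through SNMP.

```python
"""Classify constructed NetFlow-style records and map attack flows to ingress interfaces.

All records, addresses and interface names below are constructed for this
example; nothing here is data from a real network.
"""
from collections import Counter

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets, ingress_if).
# Five high-volume sources hammer one web server; three normal flows are mixed in.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 80, 120000, "Gi0/1"),
    ("198.51.100.8", "203.0.113.10", "tcp", 80, 118000, "Gi0/1"),
    ("198.51.100.9", "203.0.113.10", "tcp", 80, 121500, "Gi0/2"),
    ("192.0.2.44",   "203.0.113.10", "tcp", 80, 119800, "Gi0/2"),
    ("192.0.2.45",   "203.0.113.10", "tcp", 80, 120300, "Gi0/3"),
    ("192.0.2.15",   "203.0.113.25", "tcp", 443,   900, "Gi0/1"),
    ("192.0.2.16",   "203.0.113.25", "udp", 53,    300, "Gi0/2"),
    ("198.51.100.3", "203.0.113.30", "tcp", 25,    450, "Gi0/3"),
]


def top_destinations(flows, n=1):
    """Destinations receiving the most packets: the likely victim(s)."""
    per_dst = Counter()
    for _src, dst, _proto, _port, pkts, _ingress in flows:
        per_dst[dst] += pkts
    return per_dst.most_common(n)


def classify(flows, victim):
    """Summarise traffic aimed at `victim`: packet total, protocol/port mix, source set.

    These are the 'at the very least' fields from the Classification slide.
    """
    proto_port = Counter()
    sources = set()
    total = 0
    for src, dst, proto, port, pkts, _ingress in flows:
        if dst != victim:
            continue
        proto_port[(proto, port)] += pkts
        sources.add(src)
        total += pkts
    return {
        "victim": victim,
        "packets": total,
        "proto_port": proto_port.most_common(),
        "sources": sorted(sources),
    }


def traceback(flows, victim):
    """Packets toward `victim` per ingress interface, highest first.

    Each interface points at the upstream or peer that the attack enters from,
    which is where the Traceback slide's interdomain correlation starts.
    """
    per_if = Counter()
    for _src, dst, _proto, _port, pkts, ingress in flows:
        if dst == victim:
            per_if[ingress] += pkts
    return per_if.most_common()


if __name__ == "__main__":
    victim, _pkts = top_destinations(FLOWS)[0]
    summary = classify(FLOWS, victim)
    print(f"victim {summary['victim']}: {summary['packets']} packets")
    for (proto, port), pkts in summary["proto_port"]:
        print(f"  {proto}/{port}: {pkts} packets")
    print(f"  {len(summary['sources'])} distinct sources")
    for ingress, pkts in traceback(FLOWS, victim):
        print(f"  ingress {ingress}: {pkts} packets")
```

Because the whole record set is kept rather than just the top entry, the same data satisfies the slide's "retain attack data" point: the per-source and per-interface breakdown is what an upstream provider needs for interdomain traceback and what the post mortem will want later.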



Reaction
Reaction—Do Something to Counter the Attack
• Should you mitigate the attack?
  Where? How?
• No reaction is a valid form of reaction in certain circumstances
• Reaction often entails more than just throwing an ACL onto a router



Post Mortem
Post Mortem—Analyze the Event
• The step everyone forgets
• What worked? What didn't? How can we improve?
• Protect against repeat occurrences?
• Was the DoS attack you handled the real threat?
  Or was it a smoke screen for something else that just happened?
• What can you do to make it faster, easier, less painful in the future?
• Metrics are important
  Resources, headcount, etc.



Preparation and
Detection

Preparing your infrastructure and systems to detect and react to
DDOS attacks.



Preparation
• Visibility of infrastructure traffic
• Creation of reaction mechanisms
• Procedures to follow during an attack
• Rehearsal of a DDoS attack
• Reporting and post mortem processes



Visibility via Network Telemetry
• SNMP
• NetFlow
• RMON
• BGP
• Syslog
• Packet capture
• Others
