Agenda
1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS Labs
DDoS Overview
Denial of Service: an attack designed to saturate or take down a resource, application or service and so deny access to legitimate users.
TERMINOLOGY
DoS   Denial-of-Service
DDoS  Distributed Denial-of-Service
LDoS  Low-Rate Denial-of-Service
PDoS  Permanent Denial-of-Service
PPS   Packets Per Second
Example of attack
[Figure: traffic towards a web server (log scale, 1 to 10,000) and the resulting CPU/MEM utilisation of the server (0 to 100%).]
Low and slow attacks deliberately avoid high bandwidth usage so that they stay under rate-based detection.
Application-based DDoS is on the increase, accounting for a quarter of all attacks.
Attacks continuously evolve to evade detection and to protect the identity of the attacker.
Type of Attack
Volumetric Attack: designed to consume the available Internet bandwidth or overload server resources. Typical examples: SYN flood, UDP flood, ICMP flood, Smurf attacks. (A SYN flood exhausts connection-table state rather than bandwidth, so it is often classed as a protocol or state-exhaustion attack; a Smurf attack is an ICMP flood amplified through a broadcast reflector with a spoofed source address.)
Application Layer Attacks: more sophisticated, and attractive to the attacker since they require fewer resources to carry out (lower botnet cost). They target vulnerabilities in applications to evade flood-detection strategies.
Cloud Infrastructure Attacks: cloud solutions turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail and web servers). Mitigation can be complex, and an attack on one tenant can impact multiple customers of the same cloud.
Spoofed Attacks vs Bot Servers
Spoofed attacks: fewer machines, limited power; the source addresses are forged, so replies never return to the attacker.
Bot servers: more power, more bandwidth; machines recruited by social engineering, letting the attacker do more with less.
Who's likely to be interested in DDoS protection?
- Companies that are, or have been, targets of Denial of Service attacks
- Hosting or cloud provider services
- Ecommerce
- Online gaming and gambling
- Medium and larger enterprises with an Internet presence
- Any company that has recently been, or is actively being, attacked
SYN Flood
Targets connection-table resources. Classed here as a Layer 3 (protocol flood) attack, although the resource exhausted is the TCP (Layer 4) connection table: the target is flooded with TCP SYN packets, each of which holds a half-open connection entry until it times out.
UDP Flood
Targets CPU and network resources. Classed here as a Layer 3 attack. The server is flooded with UDP packets to random ports; UDP is connectionless, so nothing is "opened", but for every closed port the host spends cycles generating an ICMP Port Unreachable reply.
ICMP (Ping) Flood
Layer 3 attack. Consumes bandwidth. One common method of combating a ping flood is to block ICMP traffic; rate-limiting ICMP is usually preferable, because dropping all of it also breaks path MTU discovery and troubleshooting.
Myths about DDoS attacks
- It happens to others
- Software fixes can solve DDoS attack issues
- iptables can stop DDoS attacks
- The webhost will take care of DDoS attacks
- The ISPs of the world co-operate
- ACLs on switches/routers can stop DDoS attacks
- The pipes will fill anyway, so what's the point
- Law enforcement is easy to approach in case of DDoS attacks
Scrubbing Service from Internet or Cloud Service Providers
Model: managed service, subscription model; usually separate detection and mitigation.
Pros: easy sign-up and deployment.
Cons: expensive, inflexible; costs can rise during an attack.
Firewall / IPS
Model: integrated device for FW/IPS and DDoS prevention.
Pros: single device, simplified architecture, fewer units to manage.
Cons: not designed to detect/block sophisticated DDoS attacks; typically requires an update license.
Dedicated Device
Model: inline detection, mitigation and reporting; auto-detection of a wide range of DDoS attacks.
Pros: cost effective, no unpredictable or hidden charges; multi-layer, accurate, fast, scalable and easy to deploy.
Cons: additional network element.
How could I be infected with a botnet?
Drive-by download: simply visiting a malicious site with a PC that hasn't been kept current with security patches and antivirus can download and execute malware on the user's PC, thus adding it to that botnet's ranks.
Email: a more traditional yet still popular method of botnet infection is a user opening an email with malicious content, often sent by someone the user knows and trusts (whose system is likely already part of the botnet).
Pirated software: malware developers often hide malicious code inside a software download, which then installs itself on the victim's machine when the user opens the executable.
2. DDoS Solutions
Anti-DDoS appliances
Carrier DDoS mitigation solutions
Useful for global networks, carriers and ISPs.
Based on IP flow-based and deep packet inspection technologies, protecting the entire network.
Too expensive for individual IDCs (Internet Data Centers), webhosts or web properties. Designed around the early 2000s; they cannot mitigate the new generation of DDoS attacks, which involve botnets that mimic legitimate clients.
Custom-logic (FPGA or ASIC) based IDC, web hosting and web property DDoS mitigation solutions
They work to protect one or several Internet links.
The behavioral logic is implemented in custom hardware and provides line-rate performance for large attacks.
These solutions are cost-effective and effective for IDCs, webhosts and web properties.
Some appliances have IPS functionality implemented in hardware but keep their DDoS mitigation logic in software, and so suffer from the same issues as the software-only solutions.
Hardening from a DDoS point of view in the enterprise
Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are not enough. Upcoming techniques:
SYN Proxy: a mechanism, usually implemented by an intermediate appliance that sits in front of the actual server, which answers each SYN with a SYN/ACK on the server's behalf. The connection request is only forwarded to the server once the client completes the handshake with its ACK; a spoofed source never sees the SYN/ACK, so it never sends that ACK, and the server never learns the connection attempt existed.
More techniques
Connection limiting: too many connections can overload a server. By limiting the number of new connection requests (per source, or in total), you can temporarily give the server respite.
Aggressive aging: some botnet attacks open a legitimate connection and then do nothing at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging out idle connections, you provide them some relief.
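The three techniques above (SYN proxy, connection limiting, aggressive aging) as one small simulation, added here as an example; this is not Fortinet's code. It implements the SYN proxy step with stateless SYN cookies, which is one common way to build a SYN proxy; the HMAC key, the 60-second cookie window, the per-source limit of 3 connections, the 30-second idle timeout and the packet trace it runs on are illustrative assumptions.

```python
"""SYN proxy (stateless SYN cookies), per-source connection limiting and
aggressive idle aging, simulated. Added example, not Fortinet code.
Key, window, limits, timeouts and the traffic trace are assumptions."""
import hashlib
import hmac

SECRET = b"per-appliance secret, rotate it"   # assumption: proxy-local HMAC key
COOKIE_WINDOW_SECS = 60                        # assumption: cookie validity slot
MAX_CONN_PER_SOURCE = 3                        # assumption: connection-limiting knob
IDLE_TIMEOUT_SECS = 30                         # assumption: aggressive-aging knob


def syn_cookie(src, sport, dst, dport, now):
    """32-bit initial sequence number derived from the 4-tuple and a time slot.
    Because it can be recomputed when the ACK arrives, no half-open state is kept."""
    slot = int(now) // COOKIE_WINDOW_SECS
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self):
        self.conn_table = {}                    # (src, sport) -> last activity time
        self.forwarded = []                     # connections handed to the server
        self.drops = {"bad_cookie": 0, "limit": 0}

    def on_syn(self, src, sport, dst, dport, now):
        """Answer with a SYN/ACK carrying the cookie as ISN; nothing is stored."""
        return ("SYN/ACK", syn_cookie(src, sport, dst, dport, now))

    def on_ack(self, src, sport, dst, dport, ack, now):
        """Third packet of the handshake. Only a client that really received the
        SYN/ACK can echo cookie+1, which rules out spoofed sources."""
        valid = {syn_cookie(src, sport, dst, dport, now),
                 syn_cookie(src, sport, dst, dport, now - COOKIE_WINDOW_SECS)}
        if ack - 1 not in valid:
            self.drops["bad_cookie"] += 1
            return False
        self.age_idle(now)
        active = sum(1 for s, _ in self.conn_table if s == src)
        if active >= MAX_CONN_PER_SOURCE:       # connection limiting
            self.drops["limit"] += 1
            return False
        self.conn_table[(src, sport)] = now
        self.forwarded.append((src, sport))     # only now does the server see it
        return True

    def on_data(self, src, sport, now):
        if (src, sport) in self.conn_table:
            self.conn_table[(src, sport)] = now

    def age_idle(self, now):
        """Aggressive aging: evict entries idle for longer than IDLE_TIMEOUT_SECS."""
        stale = [k for k, t in self.conn_table.items() if now - t > IDLE_TIMEOUT_SECS]
        for k in stale:
            del self.conn_table[k]
        return len(stale)


def simulate():
    """Constructed trace: spoofed SYN flood, one real client, one idle bot."""
    p, srv = SynProxy(), ("10.1.1.30", 80)     # assumption: protected server
    for i in range(10_000):                     # spoofed SYNs: SYN/ACKs go nowhere
        p.on_syn(f"198.51.100.{i % 250}", 1024 + i, *srv, now=0.0)
    _, isn = p.on_syn("203.0.113.5", 40000, *srv, now=1.0)
    legit_ok = p.on_ack("203.0.113.5", 40000, *srv, ack=isn + 1, now=1.2)
    guess_ok = p.on_ack("198.51.100.7", 5555, *srv, ack=123456, now=1.3)
    bot_ok = []                                  # bot opens 5 sockets, then idles
    for port in range(50000, 50005):
        _, isn = p.on_syn("192.0.2.9", port, *srv, now=2.0)
        bot_ok.append(p.on_ack("192.0.2.9", port, *srv, ack=isn + 1, now=2.1))
    p.on_data("203.0.113.5", 40000, now=35.0)   # the real client keeps talking
    evicted = p.age_idle(now=40.0)              # bot sockets have idled for 38 s
    return {"legit_ok": legit_ok, "guess_ok": guess_ok,
            "bot_accepted": sum(bot_ok), "evicted": evicted,
            "table_size": len(p.conn_table), "drops": dict(p.drops)}


if __name__ == "__main__":
    print(simulate())
```

The 10,000 spoofed SYNs leave the table empty because the proxy keeps no state until the cookie comes back; the bot gets its first three sockets and is then refused by the per-source limit; and aging later evicts those three while the active client survives. In a real deployment the cookie window should also be short enough that a captured SYN/ACK cannot be replayed much later.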
Attack Tools
Many and varied: configurable Perl scripts, executables, JavaScript.
Distributed as stress-tester utilities, development toolkits and malware; used to create individual attacks.
Most popular tool: LOIC (Low Orbit Ion Cannon), an open source network stress testing and denial-of-service attack application, written in C#.
Software packet generators: Nemesis, Hping, T50, RUDE/CRUDE, Scapy, D-ITG, Pktgen, Packet Generator, Packet Excalibur, Packgen, and many more listed at http://www.protocog.com/trgen.html
Type of testing attacks
Over the Internet one can launch Layer 3, 4 or 7 attacks. Examples of Layer 3 attacks are protocol floods such as ICMP floods, TCP floods and fragment floods. Examples of Layer 4 floods are port floods (TCP or UDP). Examples of Layer 7 floods are URL floods, in which a single URL is continuously requested from multiple sources.
Device information
Root access is not available to end users and partners; SEs can obtain the password for specific use cases. The password is stored per serial number. A limited CLI is available through the console or SSH.
Default user account/password: fortiddos / rootpasswd (change it on first login; a published default on an inline security device is itself a finding).
Behavioral Analysis and Rate Based System: no signatures! Because FortiDDoS uses behavior- and rate-based analysis, it provides a positive security model that protects against attacks the hackers haven't even thought up yet. No administrative intervention is required: the Intrusion Gateway is on guard 24/7, automatically protecting your network systems and bandwidth.
[Figure: appliance block diagram; the data path (LAN/WAN ports) and the management ports are connected over the PCI bus.]
FortiDDoS-100A
2U appliance, provides dual link protection
Specification
LAN: 2 x 1G (copper and optical)
WAN: 2 x 1G (copper and optical)
FortiASIC: 2 x FortiASIC-TP1
RAM: 4G
Storage: 1TB HDD
Management: 1 x RJ45 10/100/1000
Power: single AC
Protection: 1Gbps full duplex
FortiDDoS-200A
3U appliance, provides protection for up to 4 links
Specification
LAN: 4 x 1G (copper and optical)
WAN: 4 x 1G (copper and optical)
FortiASIC: 4 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD, RAID
Management: 1 x RJ45 10/100/1000
Power: dual redundant AC
Protection: 2Gbps full duplex
FortiDDoS-300A
4U appliance, provides protection for up to 6 links
Specification
LAN: 6 x 1G (copper and optical)
WAN: 6 x 1G (copper and optical)
FortiASIC: 6 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD, RAID
Management: 1 x RJ45 10/100/1000
Power: dual redundant AC
Protection: 3Gbps full duplex
Deployment Scenarios
External mirroring: requires an external device configured with a mirrored port; the load of copying packets is handled by that external device.
Internal pairing: no external configuration required; the load of copying packets is handled by FortiDDoS itself. Some bandwidth is consumed copying the packets, so 1.4 Gbps per channel becomes the new limit.
Asymmetric pair: [figure: asymmetric pair deployment between the protected network and the Internet.]
Processing pipeline (figure): baseline building, anti-spoofing, virtualization (per-VID policies), source tracking and a decision multiplexer that separates dropped packets from allowed packets. There are too many hoops to cross before a set of malicious packets can get through.
Prevents rate, policy and state violations, and stealth, slow and fast attacks. Quick blocking (under 15 s), with unblocking and re-evaluation on every packet to avoid false positives.
3. Fortinet DDoS Labs
LAB: FortiDDoS cookbook installation guide
The objective of this lab is to be a cookbook for a first FortiDDoS installation. We know not all partners have an ITF FortiDDoS, so we want to help with a possible first implementation or PoC.
Lab components:
1 x FortiDDoS 200, firmware version 3.2.1.108
1 x Ubuntu web server (target)
Lab Diagram
[Diagram: the FortiDDoS sits inline between WAN 1 (network 200.1.1.0/24) and LAN 1 (network 10.1.1.0/24); the web server is host .30.]
Connect to the console and log in using the default user (fortiddos) and its correct password (the new password, if it was changed from the default).
fortiddos is the OS user; new admins are considered GUI users.
GUI: HTTPS://192.168.1.1
User: fddroot Password: rootpasswd
Update the appliance to the latest available version from the support FTP.
Upgrading the device: browse to the .img file downloaded from the support FTP and install it.
Execute a full factory reset of the appliance. Take care with time: this step can take up to 2.5 hours! It is not required on a new box. Manage -> Global -> Factory Defaults
GUI overview
Configure: all changes to security settings are made here.
Manage: first-time setup (IP addresses, time, users, etc.); fewer options than in a FortiGate. Event information is also found here, but it is not used a lot.
Show: all reports can be found here.
Select a VID (Virtual ID: a virtual partition of the appliance with its own thresholds and feature controls).
GUI - CONFIGURE
Configure -> Current VID
Each section is split into the different protection features, allowing for granular application of each one.
First-time setup items under Manage:
- System date
- Management IP address
- Creating users
Checking physical ports! If the FortiDDoS is a 200 or 300, we must set fiber or copper; by default it is copper.
Important: WAN1 and LAN1 must be the same type of interface (both on the same fiber pair, or both copper); it is not possible to protect one link with two interface types in the FortiDDoS. Configure -> Interface settings
Emergency Bypass
Important to know!!! Dark addresses are blocked by default. But what are dark addresses? All unreachable network hosts on the Internet, i.e. address space that is unallocated or not routable on the public Internet, so any packet claiming such a source address is spoofed. Configure -> current VID -> dark address (1 means enable, 0 means disable)
Check the operation mode. It must be in detection mode the first time (unchecked on all VIDs). Keep the configuration in learning mode for at least 2 days; an ideal period would be 15 days of normal traffic (the longer the better!!; the baseline slide later in this deck asks for at least one week). Keep monitoring during this period!
My Lists
The My Lists feature helps users define a list of the most common ports (TCP / UDP) or protocols. Default sets are available. Setting My Lists based on immediate past traffic is the easiest way to begin; FortiDDoS provides an easy wizard for this.
Configure > Current VID > My Lists > Auto Configure
Enable this option; depending on the threshold, FortiDDoS may change the VID.
Adaptive Learning and My Lists
While FortiDDoS continuously collects traffic statistics for each and every TCP port, UDP port and ICMP type/code, it limits the number of ports used for adaptive threshold estimation to 512 each (per VID). The periodic estimated thresholds that the device computes are restricted to the TCP/UDP ports listed in My Lists; minimum thresholds for TCP/UDP ports not listed in My Lists are not adjusted by the Adaptive Learning Engine.
Deny/Allow sources
If you know a suspicious IP address, it is good practice to block it from the beginning.
Configure -> Access Control List -> Layer 3 -> Deny/Allow sources. If you have IPs blocked in the firewall because of strange behaviour in the past, you can put them here!
IP Reputation
It is possible to enable an IP reputation service based on the FortiGuard lists. Configure -> Global -> Access Control List -> Layer 3 -> IP Reputation. This service is optional and must be licensed separately.
SKU: FC-10-01H00-140-02-DD. Enable IP reputation for all VIDs.
Proxy IPs
Configure -> Access Control List -> Proxy IP. Allows proxy servers to be detected and, if desired, access from such a source to be blocked entirely.
IPv6 Inspection
Configure -> Global -> Operating Mode. IPv6 ready! Enables dual stack.
Best practices: Advanced Options
Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 4 -> TCP State Machine
Best practices: Advanced Options (2)
Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 7 -> Sequential Access
Sequential Access: ensures that no single IP address retrieves the same URL back to back without accessing any other URL. That is normal scripted-access behaviour and abnormal for a browser, so it helps identify bots.
URLs Per Source: ensures that no single IP address retrieves more URLs per observation period than defined under the HTTP Advanced menu.
Mandatory HTTP Headers: ensures that certain HTTP headers are always present in a GET access to a URL. These headers are defined in the HTTP Advanced menu.
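The three Layer 7 checks just listed, as a small detector run over a constructed request log. This is an added example, not FortiDDoS code; the limits (5 back-to-back hits of one URL, 20 distinct URLs per 60-second observation period), the mandatory header set and the log records themselves are assumptions standing in for whatever the HTTP Advanced menu defines.

```python
"""Layer 7 behavioural checks: sequential access, URLs per source per
observation period, mandatory HTTP headers. Added example, not FortiDDoS code;
limits, header set and the request log are constructed assumptions."""
from collections import defaultdict, deque

SEQUENTIAL_LIMIT = 5           # assumption: same URL N times back to back flags a bot
URLS_PER_SOURCE_LIMIT = 20     # assumption: distinct URLs per observation period
OBSERVATION_PERIOD = 60.0      # assumption: seconds
MANDATORY_HEADERS = {"host", "user-agent", "accept"}   # assumption

BROWSER = {"Host", "User-Agent", "Accept", "Accept-Language"}
# Constructed log records: (timestamp, src_ip, method, url, header names present)
LOG = (
    [(float(t), "203.0.113.5", "GET", u, BROWSER)                       # a person
     for t, u in enumerate(["/", "/css/site.css", "/js/app.js", "/img/logo.png", "/login"])]
    + [(10 + i * 0.1, "198.51.100.7", "GET", "/search?q=x", BROWSER)   # same URL
       for i in range(8)]
    + [(20 + i * 0.5, "192.0.2.9", "GET", f"/item/{i}", BROWSER)      # crawler
       for i in range(25)]
    + [(30.0 + i, "192.0.2.44", "GET", f"/api/{i}", {"Host"})         # bare script
       for i in range(3)]
)


class L7Monitor:
    def __init__(self):
        self.last_url = {}                 # src -> URL of its previous request
        self.run_len = defaultdict(int)    # src -> back-to-back repeats of that URL
        self.window = defaultdict(deque)   # src -> (ts, url) inside the period
        self.flags = defaultdict(set)

    def observe(self, ts, src, method, url, headers):
        # Mandatory HTTP Headers: enforced on GET, as the feature describes.
        if method == "GET" and not MANDATORY_HEADERS <= {h.lower() for h in headers}:
            self.flags[src].add("missing-mandatory-headers")
        # Sequential Access: the same URL again with no other URL in between.
        self.run_len[src] = self.run_len[src] + 1 if self.last_url.get(src) == url else 1
        self.last_url[src] = url
        if self.run_len[src] >= SEQUENTIAL_LIMIT:
            self.flags[src].add("sequential-access")
        # URLs Per Source: distinct URLs inside a sliding observation period.
        w = self.window[src]
        w.append((ts, url))
        while ts - w[0][0] > OBSERVATION_PERIOD:
            w.popleft()
        if len({u for _, u in w}) > URLS_PER_SOURCE_LIMIT:
            self.flags[src].add("urls-per-source")


def analyse(log):
    """Replay the log in time order; return {src: [flags]} for flagged sources only."""
    mon = L7Monitor()
    for rec in sorted(log, key=lambda r: (r[0], r[1])):
        mon.observe(*rec)
    return {src: sorted(flags) for src, flags in mon.flags.items()}


if __name__ == "__main__":
    for src, flags in analyse(LOG).items():
        print(src, flags)
```

The browsing user trips none of the three checks, each bot trips exactly one, and the checks are independent: the crawler sends perfectly formed headers and never repeats a URL, so only the per-source URL budget catches it. Header checks are cheap for a bot to pass once it knows what is required, which is why the rate-based checks matter more.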
Enabling prevention mode - blocking!
Once the learning period is over and you are satisfied with the threshold settings, set the system to Prevention mode: main menu, Configure > Global > Operating Mode.
One click adjustment
FortiDDoS has 4 possible options to adjust and configure all the thresholds: Factory defaults, Adjust minimum thresholds, Easy setup and System recommended.
Configure -> Current VID -> Blocking Threshold -> Layer 7 -> One Click Adjustment
Factory defaults: sets the thresholds in a VID to factory defaults, which is the line-rate value (i.e. effectively no limit).
Adjust minimum thresholds: adjust the minimum thresholds up or down by a certain percentage.
Easy setup: useful when the appliance has to be deployed in an unknown environment without much time left for training it.
System recommended thresholds: the most common and recommended way to set the thresholds. The recommended values are based on the Traffic Statistics Report generated as part of the baselining process.
Prevention/Detection Mode
Operating Mode
Deploy the unit. Best practice: continue running in detection mode while monitoring the thresholds. If the system selects packets to drop that are legitimate, raise the thresholds or check the ACLs and feature controls. If the system reports passing packets that should have been dropped, lower the thresholds or check the ACLs and feature controls.
That's it for the configuration! Now let FortiDDoS learn, while we look at more Fortinet best practices.
Baseline Monitor Period
Learning should be done on typical traffic for at least one week (7 days).
Note: FortiDDoS never stops learning traffic patterns and continuously adjusts traffic profiles using an Adaptive Learning Engine. The initial learning period should be attack-free, long enough to be representative of normal network activity, and long enough to encompass both seasons of high and low activity. Seven days will often provide a reasonable profile of normal traffic; a baseline recorded while an attack is under way teaches the engine that the attack is normal.
[Figure: observed traffic over a month (y-axis 0 to 500) with three lines: Fixed Threshold, Fixed Minimum Threshold and Forecast Threshold.]
Adaptive Thresholds
Adaptive Thresholds fine-tune (automatically adjust) the configured minimum thresholds over time by predicting traffic flows from current and past statistics. The Adaptive Threshold Limit restricts the adjustment to a set maximum percentage (default 150%) above the configured minimum threshold value, so a slowly ramping attack cannot drag the threshold up indefinitely.
[Figure: two charts of monthly traffic in Mbps (0 to 400), Apr-01 to Aug-13, with candidate threshold levels annotated "Here", "Here" and "Or Here?".]
Simple Exponential Smoothing does not allow you to predict the future accurately: it tracks the level only, so it lags any series with a trend.
It must be adapted for data series which exhibit a definite trend (Holt's linear method adds a trend term), and further adapted for data series which exhibit seasonal patterns (Holt-Winters adds a seasonal term).
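The threshold lifecycle the last few slides describe (a system-recommended minimum derived from the baseline statistics, adaptive adjustment from a forecast, capped at the adaptive threshold limit), with simple exponential smoothing next to Holt's trend-aware method to show why the former lags a trending series. This is an added example, not FortiDDoS code: the 150% limit is the page's stated default, while the 20% headroom, the smoothing constants (alpha = beta = 0.5) and the seven-day constructed baseline are assumptions; the seasonal (Holt-Winters) extension the text mentions is not implemented here.

```python
"""Baseline -> system-recommended minimum -> adaptive threshold, with simple
exponential smoothing (SES) versus Holt's trend method as the forecaster.
Added example, not FortiDDoS code. ADAPTIVE_LIMIT is the page's default;
HEADROOM, alpha/beta and BASELINE are assumptions."""

ADAPTIVE_LIMIT = 1.50   # page default: adjustments capped at 150% of the minimum
HEADROOM = 1.20         # assumption: thresholds sit 20% above what is observed/forecast

# Constructed baseline: packets/s on one port, one sample per day for a week,
# rising steadily (growing legitimate traffic, no attack in the window).
BASELINE = [100, 110, 120, 130, 140, 150, 160]


def system_recommended_minimum(samples, headroom=HEADROOM):
    """'System recommended thresholds': minimum threshold from the baseline peak."""
    return max(samples) * headroom


def ses_forecast(series, alpha=0.5):
    """Simple exponential smoothing: a level only, so it trails any trend."""
    level = series[0]
    for x in series[1:]:
        level = alpha * x + (1 - alpha) * level
    return level


def holt_forecast(series, alpha=0.5, beta=0.5):
    """Holt's linear method: level plus trend; one-step forecast = level + trend."""
    level, trend = series[0], series[1] - series[0]
    for x in series[1:]:
        prev = level
        level = alpha * x + (1 - alpha) * (prev + trend)
        trend = beta * (level - prev) + (1 - beta) * trend
    return level + trend


def adaptive_threshold(minimum, forecast, limit=ADAPTIVE_LIMIT, headroom=HEADROOM):
    """Adaptive Thresholds: raise the configured minimum towards the forecast,
    never below the minimum and never above limit x minimum."""
    return min(max(minimum, forecast * headroom), minimum * limit)


def next_period(series=BASELINE):
    """Thresholds the engine would use for the period after the baseline."""
    minimum = system_recommended_minimum(series)
    ses, holt = ses_forecast(series), holt_forecast(series)
    return {
        "minimum": minimum,
        "ses_forecast": ses,       # already below the last observed value
        "holt_forecast": holt,     # follows the +10/day trend
        "threshold_ses": adaptive_threshold(minimum, ses),    # never leaves minimum
        "threshold_holt": adaptive_threshold(minimum, holt),
        # An inflated history (an attack that got learned) still hits the cap.
        "threshold_capped": adaptive_threshold(minimum, 10 * max(series)),
    }


if __name__ == "__main__":
    for name, value in next_period().items():
        print(f"{name:18s} {value:8.2f}")
```

On this series SES forecasts below the last observation, so the adaptive threshold would sit at the minimum and legitimate growth would start producing drops; Holt's forecast tracks the trend and lifts the threshold, while the limit still caps how far any forecast can move it. The cap is what keeps a learned attack from becoming the new normal.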
SYN FLOOD PREVENTION - 1
SYN flood thresholds are bi-directional and set per VID as well as per destination (corresponding to the most active destination); you can control these individually. FortiDDoS stores non-spoofed IP addresses that have completed a three-way handshake successfully in a large table called the Legitimate IP (LIP) Address table. This table retires entries every 5 minutes, so it only holds addresses that have recently connected successfully. Under a SYN flood, i.e. when the SYN flood threshold is crossed, the LIP table is used to validate new connections: if the new connection request is from an address in the table it is allowed, otherwise it is denied. Note the trade-off: a genuine client that has not connected in the last 5 minutes is also refused while the flood lasts.
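The LIP-table logic described above, as a simulation added here (not FortiDDoS code): sources that completed a handshake are remembered for 5 minutes, the figure the page gives, and once the per-destination SYN rate crosses a threshold, new SYNs are accepted only from remembered sources. The threshold value (100 SYN/s), the one-second rate window and the packet trace are assumptions.

```python
"""Legitimate IP (LIP) table gating of new SYNs during a SYN flood.
Added example, not FortiDDoS code. LIP_TTL follows the page (5 minutes);
SYN_THRESHOLD, the 1-second rate bucket and the trace are assumptions."""

LIP_TTL = 300          # seconds; the page says entries retire after 5 minutes
SYN_THRESHOLD = 100    # assumption: SYNs per second to one destination = flood


class SynFloodGuard:
    def __init__(self):
        self.lip = {}          # src -> expiry time
        self.syn_counts = {}   # (dst, second) -> SYNs seen in that second
        self.allowed = self.denied = 0

    def _expire(self, now):
        for src in [s for s, exp in self.lip.items() if exp <= now]:
            del self.lip[src]

    def handshake_completed(self, src, now):
        """The three-way handshake finished: a source that answered our SYN/ACK
        is not spoofed, so remember it for LIP_TTL seconds."""
        self._expire(now)
        self.lip[src] = now + LIP_TTL

    def on_syn(self, src, dst, now):
        """Return True if the SYN is passed on to the server."""
        self._expire(now)
        key = (dst, int(now))
        self.syn_counts[key] = self.syn_counts.get(key, 0) + 1
        flood = self.syn_counts[key] > SYN_THRESHOLD
        if flood and src not in self.lip:      # LIP validation only under flood
            self.denied += 1
            return False
        self.allowed += 1
        return True


def simulate():
    """Constructed trace: five real clients connect, then a spoofed flood hits
    at t=100 and again at t=401, after the LIP entries have retired."""
    g, dst = SynFloodGuard(), "200.1.1.2"      # assumption: the lab target
    for i in range(5):
        g.on_syn(f"203.0.113.{i}", dst, now=2.0 * i)
        g.handshake_completed(f"203.0.113.{i}", now=2.0 * i + 0.1)
    for i in range(1000):                       # 1000 spoofed SYNs in one second
        g.on_syn(f"198.51.100.{i % 250}", dst, now=100.0)
    legit_in_flood = g.on_syn("203.0.113.3", dst, now=100.5)
    for i in range(200):
        g.on_syn(f"198.51.100.{i}", dst, now=401.0)
    legit_after_expiry = g.on_syn("203.0.113.3", dst, now=401.5)
    return {"legit_in_flood": legit_in_flood,
            "legit_after_expiry": legit_after_expiry,
            "allowed": g.allowed, "denied": g.denied, "lip_size": len(g.lip)}


if __name__ == "__main__":
    print(simulate())
```

During the first flood the remembered client is still served while 900 of the 1,000 spoofed SYNs are refused; by the second flood its entry has retired and it is refused like everything else until the rate drops. The first SYN_THRESHOLD SYNs of each second always pass, which is why that threshold has to come from a clean baseline rather than a guess.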
Foreign Packet Validation
When enabled, the TCP state machine ensures that foreign TCP packets, i.e. packets without an existing TCP connection entry, are dropped. It is disabled by default to prevent issues when the box is first deployed; wait for an hour after deployment before enabling it. Some reasons you will see high numbers:
- Detection mode: the box believes it dropped packets and therefore removed the session, while the packets actually went through.
- Timeout differences between servers and the IG appliance: the TCP timeout on the DDoS appliance is mostly lower than the one configured on the servers. Most of the time the dropped packets are just resets, so they can be ignored.
- HTTP browser behaviour: people surfing from one site to another don't close the session to the server (only when closing the browser).
Analyzing Attacks
The first indication that an attack has been detected will be the event monitor. If email event notifications are enabled, you can receive a summary of events on your PC, workstation, PDA or even your cell phone. The event notice summarizes the type of attack and the number of dropped packets, as an indication of the attack's size/scope. Attacks lasting for 5 minutes or more will be represented as spikes in the graphical reports within the GUI. Examples:
Show > Aggregate Drops lists packets dropped at each layer, allowing you to further refine your search to Layer 3, Layer 4 or Layer 7. Show > Reports > All lists a dashboard-like summary of all Top Attack Types.
This graph shows the aggregate dropped traffic and gives you visibility into the excess traffic that is getting filtered by the appliance. Packets are dropped for multiple reasons and are shown in different colors; these are drilled down further in the subsequent graphs.
Aggregate drops, summary over 1 month (packets dropped per 3 hours)
Type      Maximum        Minimum   Average      Total packets dropped
Layer 2   0              0         0            0
Layer 3   71,796,072     0         21,262,421   5,273,080,458
Layer 4   375,005,802    300       5,899,631    1,463,108,503
Layer 7   303            0         1            304
Layer 3 drops, summary over 1 month (packets dropped per 3 hours)
Type                     Maximum      Minimum
Protocols                8,225,652    0
TOS                      0            0
IPv4 Options             0            0
Fragmented Packets       1,157        0
L3 Anomalies             11,870,534   0
Source Flood             57,013,194   0
Misc. Source Flood       289,674      0
Destination Flood        2,441,260    0
Misc. Destination Flood  0            0
Dark Address Scan        0            0
Network Scan             0            0
This graph shows the dropped traffic due to the Layer 3 reasons listed in the table above.
Layer 4 drops, summary over 1 month (packets dropped per 3 hours)
Type                                              Maximum       Minimum  Average    Total packets dropped
TCP Options                                       0             0        0          0
SYN Packets                                       278,119,806   0        5,034,862  1,248,645,939
L4 Anomalies                                      12,549,983    300      54,866     13,606,809
TCP Ports                                         7,194,921     0        165,534    41,052,592
UDP Ports                                         27,297        0        908        225,429
ICMP Types/Codes                                  0             0        0          0
Port Scan                                         0             0        0          0
Misc. Drops for Port Scan                         0             0        0          0
Packets Per Connection                            0             0        0          0
Misc. Connection Flood                            71,585        0        6,992      1,734,081
Zombie Flood                                      13,368,886    0        93,770     23,254,968
SYN Packets Per Source                            36,527,319    0        234,548    58,168,070
Excessive Concurrent Connections Per Source       109           0        0          110
Excessive Concurrent Connections Per Destination  0             0        0          0
TCP Packets Per Destination                       0             0        0          0
This graph shows the dropped traffic due to the Layer 4 reasons listed in the table above. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped because a few specific IPs sent too many SYN packets per second.
This graph shows the dropped traffic due to the Layer 7 reasons. The appliance monitors HTTP opcodes, URLs and anomalies and can pinpoint the excess in any one of these dimensions.
FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month or 1 year. (The IPs in these screenshots are obfuscated.)
These two graphs depict the daily traffic over a month in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (negative) is inbound. You can see two peaks, which correspond to two large inbound attacks.
The purpose of the appliance is to maintain the normal traffic and pass only what is legitimate. That is what it is doing here by dropping the excess packets (shown as the white area under the maroon lines); what is being allowed is the blue area.
The maroon line shows what is incoming, and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that is getting dropped.
This graph shows the second link on the same device. This link sees larger and continuous attacks over the month. As you can see, the appliance maintains the normal behavior and drops the excess packets.
This graph gives you visibility into the count of unique sources coming to your network. There is a large peak during week 21 which corresponds to an attack; the number of unique sources almost reached 1 million. These could be spoofed IP addresses.
This graph shows the number of established TCP connections. Since there is no obvious peak here, while the previous graph of unique sources had a large one, the attackers were primarily spoofed IPs: a spoofed source can send a SYN but can never complete the handshake.
This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a threshold based on past behavior.
Let's play! hping3 commands
UDP flood (bandwidth), UDP/80 towards the target:
    hping3 --flood --udp -p 80 -d 14 200.1.1.2
SYN flood (TCP 80):
    hping3 --flood -S -p 80 200.1.1.2
Notes: -d sets the payload size in bytes, so raise it well above 14 if the goal is to fill the pipe rather than to push packet rate; add --rand-source to randomise the source address, which is what exercises the anti-spoofing and LIP-table logic rather than the per-source limits. --flood sends as fast as the host can, so run these only against the lab target behind the FortiDDoS.
THANKS!!!!!