Multi-stage DDoS filtering
with Wanguard, and more
PLNOG 21, Kraków 1-2.10.2018 r.
www.itoro.com.pl
About ITORO
• Wanguard implementations
• Comprehensive service and advice
• The only one
• Huge experience
• Tuning servers and Linux systems (protection against DDoS attacks)
• Training on Wanguard systems
• Support for IT dept for smooth integration of Wanguard
• Full support before and after installation
• We are helping to optimize costs
| PLNOG 21 | Kraków 1-2.10.2018 r. | 2
Methods of collecting network traffic
• Port mirroring
• Active / Passive monitoring
• sFlow
• Packet Sampling
• NetFlow
What should be considered when choosing the best method:
• Network infrastructure
• Available protocols on routers
• Limits on the performance of routers and software
Why are we under attack?
• Competition :)
• Online gaming
• Preparation for another attack (except DDoS)
• Fun with new botnet
• Extortion / blackmail
• Revenge for DDoS from your network
Who is the target of DDoS attacks?
Data centers (hosting)
Internet Service Providers (ISP)
Government and financial institutions
Gambling and online gaming
Good practices
Links: bandwidth capacity of upstream and peering links.
BGP Policy: BGP import restrictions, anti-spoofing, BCP 38.
Dispersion: dividing the network into smaller segments, source filtering of traffic from EU/World/Regions.
DDoS / WAF protection: automated reaction to threats.
Monitoring: network traffic monitoring from outside and within the company.
Anti-DDoS action plan: action plan and procedures. Public relations – information about an outage/attack.
Services that use DDoS amplification
Protocol    Port          Amplification factor
Memcached   11211         10000-51000
NTP         123           557
CharGEN     19            358
QOTD        17            140
DNS         53            28-54
C-LDAP      389           56-70
SSDP        1900          30
Portmap     111           7-28
SNMP        161           6
NetBIOS     137,138,139   4
source: https://www.us-cert.gov/ncas/alerts/TA14-017A
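The amplification table above is only useful operationally if sampled traffic (sFlow/NetFlow, see the collection methods earlier) is checked against it. This Python is an added example, not code from the talk or from Wanguard: it scales constructed sFlow-style samples by the sampling ratio, flags UDP flows whose source port is one of the amplification services, and emits the match/action pair that the later FlowSpec slides describe. The record layout, sampling ratio, window and threshold are my assumptions.

```python
"""Flag UDP amplification floods in sampled flow records and build the matching filter spec.
Constructed example; the records below are made up, not real telemetry."""
from collections import defaultdict

# UDP source ports of the amplification services in the table above.
AMP_PORTS = {11211: "Memcached", 123: "NTP", 19: "CharGEN", 17: "QOTD", 53: "DNS",
             389: "C-LDAP", 1900: "SSDP", 111: "Portmap", 161: "SNMP",
             137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

# Constructed sFlow-style samples: (src_ip, src_port, dst_ip, dst_port, proto, bytes),
# all taken within one 1-second window at a 1:1000 packet sampling rate.
SAMPLES = (
    # 30 NTP replies from 30 reflectors towards one victim: a reflection flood
    [(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, 17, 468) for i in range(1, 31)]
    # two large DNS replies to another host: ordinary resolver traffic
    + [("192.0.2.53", 53, "203.0.113.20", 51001, 17, 1200),
       ("192.0.2.54", 53, "203.0.113.20", 51002, 17, 1200)]
    # TCP traffic is ignored by this detector
    + [("192.0.2.80", 443, "203.0.113.30", 52000, 6, 1460)]
)

def detect(samples, sampling_rate, window_s, threshold_mbps):
    """Estimate Mb/s per (destination, source port); return the flows over the threshold."""
    per_target = defaultdict(int)
    for _src, sport, dst, _dport, proto, nbytes in samples:
        if proto == 17 and sport in AMP_PORTS:
            per_target[(dst, sport)] += nbytes * sampling_rate  # scale up by the sampling ratio
    hits = {}
    for (dst, sport), total_bytes in per_target.items():
        mbps = total_bytes * 8 / window_s / 1e6
        if mbps >= threshold_mbps:
            hits[(dst, sport)] = (AMP_PORTS[sport], round(mbps, 1))
    return hits

def filter_spec(dst, sport, limit_bps):
    """Match/action pair in the shape the FlowSpec slides describe (limit 0 = drop, >0 = rate-limit)."""
    return {"dst": f"{dst}/32", "proto": 17, "srcport": sport, "traffic-rate": limit_bps}

if __name__ == "__main__":
    for (dst, sport), (name, mbps) in detect(SAMPLES, 1000, 1, 50).items():
        print(f"{name} reflection towards {dst}: ~{mbps} Mb/s ->", filter_spec(dst, sport, 0))
```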
Statistics – should I be scared?
SSDP (UDP/1900)
Country               Total
China               754,310
Russian Federation  478,475
Republic of Korea   317,018
Venezuela           194,793
United States       169,473

NTP (UDP/123)
Country               Total
United States       738,940
Russian Federation  344,357
China               221,828
Brazil              158,221
Germany             139,066

DNS (UDP/53)
Country               Total
China             1,263,833
United States       319,053
Republic of Korea   164,772
Russian Federation  144,922
Taiwan              115,780
Share of attacks
Distribution of attacks
Layer 3 and 4: DNS, NTP, C-LDAP, CharGEN, SSDP, UDP floods, SYN/ACK, ICMP – > 80 % of attacks
Layer 5 and 6: DNS/SSL flood
Layer 7: HTTP POST/GET, XML-RPC flood, XSS, SQL injection – < 20 % of attacks
Attack speeds
5 - 10 Gb/s: 3%
2 - 5 Gb/s: 9%
1 - 2 Gb/s: 9%
< 1 Gb/s: 11%
< 500 Mb/s: 67%
Summary for ISP
Comments
• Avg. duration of attacks on subscribers: < 30 seconds
• Avg. duration of attacks on infrastructure: 1-6 hours
• Multiple attack vectors: NTP/DNS/SSDP/ICMP
• RTBH less effective, due to carpet bomb attacks
Important terms
Black Hole Routing (Remotely Triggered Black Hole Routing)
The incoming traffic is discarded before entering your network.
FlowSpec (RFC 5575)
Firewall filter rules are injected into BGP protocol.
Many actions possible:
- drop / limit packets
- redirect
- DSCP (Differentiated Services) used in QoS
Black Hole Routing
[Diagram: traffic from the Internet reaches your network through the PE router, switch and firewall; a BGP Update announces the Black Hole IP. Labelled elements: Traffic mirroring, FlowSpec, Black Hole Routing (RTBH).]
Possibilities of protection against DDoS attacks
Block traffic using Remotely Triggered Black Hole Routing (RTBH)
• Black Hole of IP / Network class.
• Selective Black Hole routing (World/Regions/Country/Peering).
Filtering Traffic:
• Blocking or limiting protocols that use amplifications.
• Filtering on servers using network cards (hardware) or iptables.
• Filtering using FlowSpec on routers.
FlowSpec
FlowSpec rules:
• Source / Destination IP
• Source / Destination Port
• Protocol
• Packet length
• TCP flags
• IP fragmentation
FlowSpec actions:
• Traffic limits (example: 10 Mb/s or 0)
• Traffic marking - DSCP
• Redirect - Target VRF (Juniper & Cisco)
• Redirect - IP NextHop (Cisco)
FlowSpec Limitations
Check if your router supports BGP FlowSpec!
Cisco – maximum 3000 rules:
ASR 1xxx
ASR 9xxx
CSR 1000v
CRS-3 (Taiko) LC, CRS-X (Topaz) LC
NCS 5500/6000
XRv 9000
Juniper – maximum 8000 rules:
MX series
PTX 10002
QFX 1000[2/8/16]
SRX
Filtering in 3 stages
[Diagram: inbound traffic from the Internet passes the PE router, switch and firewall into your network, with a traffic-return path. Labelled elements: BGP FlowSpec Drop, Traffic mirroring, FlowSpec, Black Hole Routing (RTBH), Scrubbing Center.]
Filtering in 2 stages without FlowSpec
[Diagram: inbound traffic from the Internet passes the PE router, switch and firewall into your network, with a traffic-return path. Labelled elements: Traffic mirroring, FlowSpec, Black Hole Routing (RTBH), Scrubbing Center.]
Wanguard - Filtering without FlowSpec
Wanguard - Software-based filtering
Chain wanguard_4_2_0 (0 references)
 pkts bytes target prot opt in   out source    destination
Chain wanguard_custom (1 references)
 pkts bytes target prot opt in   out source    destination
    0     0 DROP   udp  --  eth7 *   0.0.0.0/0 0.0.0.0/0   multiport sports 123 limit: above 500/sec burst 5
9399K   13G RETURN all  --  *    *   0.0.0.0/0 0.0.0.0/0
Wanguard - Filtering
Wanguard - Hardware-based filtering
# cat /sys/kernel/debug/cxgb4/0000\:05\:00.4/filters
LE-TCAM Filters:
[[Legend: '!' => locked; '+' => pending set; '-' => pending clear]]
Idx Hits   Hit-Bytes FCoE Port vld:iVLAN     Prot  MPS Frag LIP               FIP               LPORT     FPORT     Action
10  823481 0         0/0  0/0  0:0000/0:0000 11/ff 0/0 0/0  00000000/00000000 00000000/00000000 0000/0000 007b/ffff Drop
Wanguard - Filtering with FlowSpec!
Wanguard - FlowSpec-based filtering
mx80.lab> show firewall filter __flowspec_default_inet__
Filter: __flowspec_default_inet__
Counters:
Name Bytes Packets
*,1.1.1.1,proto=17,srcport=123 841816 5234116
mx80.lab> show route protocol bgp table inetflow.0 extensive
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
*,1.1.1.1,proto=17,srcport=123/term:2 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): routing-instance DIRTY-VRF,count
*BGP Preference: 170/-101
Next hop type: Fictitious, Next hop index: 0
Next-hop reference count: 1
State: <Active Int Ext>
Local AS: 65000 Peer AS: 65000
Age: 37
Task: BGP_65000.10.0.9.66
Announcement bits (1): 0-Flow
AS path: I
Communities: traffic-rate:0:1875
Accepted
Localpref: 100
Router ID: 10.0.9.66
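The route above, `*,1.1.1.1,proto=17,srcport=123` with `traffic-rate:0:1875`, is carried in BGP as an RFC 5575 NLRI (the match part of the FlowSpec rule list earlier) plus a traffic-rate extended community (the action). This Python is an added example, not code from the talk, Wanguard or Juniper: it encodes that route to its wire bytes and parses them back. The function names and the one-operator-per-component decoder are my own assumptions.

```python
"""Encode/decode a BGP FlowSpec (RFC 5575) NLRI and traffic-rate community. Constructed example."""
import ipaddress
import struct
DST_PREFIX, IP_PROTO, SRC_PORT = 1, 3, 6  # RFC 5575 component types used here

def encode_prefix(comp_type, prefix):
    """Type, prefix length, then only as many address bytes as the mask covers."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_eq(comp_type, value):
    """One '== value' operator: end-of-list 0x80 | length bits (00=1 byte, 01=2 bytes) | eq 0x01."""
    if value < 256:
        return bytes([comp_type, 0x81, value])
    return bytes([comp_type, 0x91]) + struct.pack("!H", value)

def flowspec_nlri(dst_prefix, proto, src_port):
    """NLRI for 'dst <prefix>, proto == <proto>, srcport == <port>' (single-byte length form)."""
    body = (encode_prefix(DST_PREFIX, dst_prefix) + encode_eq(IP_PROTO, proto)
            + encode_eq(SRC_PORT, src_port))
    assert len(body) < 240, "longer NLRIs need the two-byte length form"
    return bytes([len(body)]) + body

def traffic_rate(asn, bytes_per_sec):
    """Extended community type 0x80 subtype 0x06: 2-byte AS, IEEE float bytes/s; 0 means drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_sec))

def decode_rate(community):
    """Return (asn, bytes_per_sec) from a traffic-rate community."""
    return struct.unpack("!BBHf", community)[2:]

def decode_nlri(nlri):
    """Parse an NLRI from flowspec_nlri back into a dict; assumes one operator per numeric component."""
    pos, end, out = 1, 1 + nlri[0], {}
    while pos < end:
        ctype, pos = nlri[pos], pos + 1
        if ctype in (1, 2):  # destination / source prefix
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            addr = nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\0")
            out["dst" if ctype == 1 else "src"] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
        else:  # numeric component: operator byte, then a value of 1/2/4/8 bytes
            op = nlri[pos]
            vlen = 1 << ((op >> 4) & 0x3)
            out[{3: "proto", 6: "srcport"}[ctype]] = int.from_bytes(nlri[pos + 1:pos + 1 + vlen], "big")
            pos += 1 + vlen
    return out
```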
Get Wanguard with FlowSpec now!
Installation:
• One router is enough!
• BGP configuration.
• No loops thanks to FlowSpec!
• We prefer VRF over GRE.
Filtering:
• Wanguard sends FlowSpec rules.
• Automatic filtering with the available anti-DDoS rules.
Protection:
• Network monitoring.
• Detailed reports via email.
Ways to effectively reduce DDoS attacks
• Using ShadowServer or regional CERT providers - n6 (Poland)
• Blocking ports used in attacks
• Blocking any spoofing from your network (Spoofer / RPF) *
• Active scans of your network (e.g. OpenVAS, Suricata)
• Monitoring of outbound traffic
* https://www.caida.org/projects/spoofer/
Piotr Okupski
itoro.com.pl