Service Provider Solutions
DDoS Protection Solution
Enabling “Clean Pipes” Capabilities
June 2005
DDoS Protection Solution
May 2005 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Service Provider Security Highlights
• Security is the heart of internetworking’s future—a secure infrastructure forms the foundation for service delivery
• We have moved from an Internet of implicit trust to an Internet of pervasive distrust
• The Miscreant Economy is here to stay and has created a damaging business opportunity of criminal intent
• All the other functionality of the router merges into a pervasive policy enforcement model:
  QoS = Security
  HA = Security
  Edge Policy = Security
• We must improve reaction times, reduce windows of vulnerability, and ensure service delivery across the network
Macro Trends Fueling DDoS Attacks
• World Internet usage between 2000–2005 has grown 146.2% to 800+ million
• The broadband explosion has resulted in an increasing number of poorly secured home PCs with always-on Internet connections just waiting to be discovered and taken over by miscreants
• eCommerce growth has made dependence on the Internet more critical than ever
• Globalization due to the dot com explosion, outsourcing, and peer-to-peer applications has increased international traffic exchange significantly
• Most attacks are launched from multinational origins—very hard to isolate and take action on the extortionists
Evolution of Threats and Exploits
[Chart: sophistication of attack tools (vertical axis, Low to High) plotted against the technical knowledge required of the attacker. Labelled points, listed here from the low end of the chart to the high end: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Root Kits, Sniffers, Stealth Diagnostics, Pulsing Zombies, Packet Forging/Spoofing, Blended Threats, P80 Services, BOT Ware]
BOTNETs—Making DDoS Attacks Easy
Extortionist 2-for-1 Special
• BOTNETs for Rent
• A BOTNET is comprised of computers that have been broken into and planted with programs (zombies) that can be directed to launch attacks from a central controller computer
• BOTNETs allow for all the types of DDoS attacks: ICMP attacks, TCP attacks, UDP attacks, and HTTP overload
• Options for deploying BOTNETs are extensive, and new tools are created to exploit the latest system vulnerabilities
• A relatively small BOTNET with only 1000 zombies can cause a great deal of damage
• For example: 1000 home PCs with an average upstream bandwidth of 128 kBps can offer more than 100 MBps
• The size of attacks is ever increasing
[Diagram: zombies on the Internet send attack traffic through the ISP edge router and the last-mile connection to the CE at the customer premise (server/firewall/switch/router)]
Elements Impacted by DDoS
• Applications
  Attacks will exploit the usage of TCP/HTTP to overwhelm the computational resources
• Hosts/servers
  Attacks will attempt to overload the resources using protocol attacks—critical servers will not respond to normal requests
• Bandwidth
  Attacks will saturate the bandwidth on IP data connections, limiting or blocking legitimate traffic flows
• Infrastructure
  Attacks target critical assets of the network, including routers, DNS/DHCP servers, and other devices that deliver network connections
• Collateral damage
  Attacks that impact devices not originally targeted, such as computational overload of the devices that carry the DDoS attack
Impacts Caused by Denial of Service
[Bar chart: reported losses by category, CSI/FBI 2004 Computer Crime and Security Survey]
Sabotage: $871,000
System Penetration: $901,500
Website Defacement: $958,100
Misuse of Public Web App: $2,747,000
Telecom Fraud: $3,997,500
Unauthorized Access: $4,278,205
Laptop Theft: $6,734,500
Financial Fraud: $7,670,500
Abuse of Wireless Network: $10,159,250
Insider Network Abuse: $10,601,055
Theft of Proprietary Info: $11,460,000
Denial of Service: $26,064,050
Virus: $55,053,900
Total Losses for 2004—$141,496,560
Source: Computer Security Institute 2004: 269 Respondents
Quotes from the Industry
Extortion is “becoming more commonplace,” says Ed Amoroso, chief information security officer at AT&T. “It’s happening enough that it doesn’t even raise an eyebrow anymore.”
“We’ve had [extortion attempts] happen to our customers,” says Bruce Schneier, CTO at managed security services provider Counterpane Internet Security. “More often than I’d like, they’re paying up.”
“Antidistributed DoS services cost around $12K per month from carriers such as AT&T and MCI,” says John Pescatore, Gartner security analyst. “The most popular type of antidistributed DoS equipment used by SPs is Cisco® Riverhead gear and Arbor Networks’ detection tools. This equipment can filter about 99% of the attack traffic.”
The Risk to Your Business
• At risk:
  The network is at risk to extortion
  Maintaining business availability
  …
  Preserving reputation and customer retention
  Regulatory obligations—SOX, GLBA, …
  Legal and service-level liabilities
• What can you do?
  Take a proactive stance
  Plan and prepare for the worst case
  Apply appropriate security tools → DDoS prevention solution
[Diagram: a BOTNET attacking across the Internet toward the service provider, with the attack paths shown blocked (X)]
What are Clean Pipes Capabilities?
• A solution set to protect against security threats on the data pipes that are critical to deliver connectivity and services
• The data pipe choke point could be:
  Enterprise/SMB/Consumer—Last-mile data connection
  Federal—Data connections accessing critical information
  Service Provider—All data connections (i.e., Peering Points, Peering Edges, Data Center…)
• Most damaging types of threats that reside on the data pipe:
  Distributed Denial of Service (DDoS)
  Worms
  Viruses
• Goal is to remove the malicious traffic from the data pipe and deliver only the legitimate traffic before the link is compromised
• Service providers can protect themselves from attacks and can deliver security services for protection
DDoS Protection Solution Overview
[Diagram; surviving labels: Network Management, Network Foundation Protection]
DDoS Protection Models
Managed Network DDoS Protection
  Core function: Last-mile bandwidth protection for the service provider customers
  Key capabilities:
  • New SP revenue model
  • Primary function to enhance business continuance for customers
  • Protection of critical last-mile bandwidth
  • Ensure the continual delivery of enhanced services offered over data connections
Managed Hosting DDoS Protection
  Core function: Protection of data center assets hosted by the provider
  Key capabilities:
  • New SP revenue model
  • Ensure uptime of critical assets hosted by the service provider
  • Differentiation of the hosting service
Managed Peering Point DDoS Protection
  Core function: Provide DDoS-free wholesale connections for downstream ISPs
  Key capabilities:
  • New SP revenue model
  • Provide clean wholesale connections
  • Better promote a DDoS-free environment
DDoS Infrastructure Protection
  Core function: Protection model for the service provider to defend their networks and protect service delivery
  Key capabilities:
  • Protect critical assets in the data center
  • Mitigate attacks on critical routing infrastructure (Peering Points, Provider Edges and Core routers)
  • Reduce OPEX by reduction of unwanted traffic across expensive transoceanic links
  • Reduce collateral damage impacts
Solution Architecture
[Diagram, four quadrants: Managed Service DDoS Protection (Hosting DDoS Protection over the server farms; Network DDoS Protection toward the customer CE, with a Cisco Detector at the customer site) and Infrastructure Security (Infrastructure DDoS Protection on the transoceanic peer links; Peering Point DDoS Protection toward the downstream ISP). The service provider network connects to the Internet through ASBRs and to customers through PEs. ASBRs and PEs export NetFlow to Arbor Peakflow SP in the SP NOC; a route reflector (RR) carries the diversion routes. Two cleaning centers, each built on a Guard XT/AGM, receive diverted traffic. Management is out-of-band.]
Lifecycle of DDoS Protection
Detection Process
Steps
1. Attacks are launched by extortionists via BOTNETs.
2a. The Cisco® Detector on the customer premise can precisely detect when the customer is under attack.
2b. NetFlow statistics from Cisco routers are exported to Arbor Peakflow SP for correlation. Anomalies are inspected for unexpected traffic behavior.
2c. The Detector or Arbor Peakflow SP indicates to the Guard that an attack has commenced.
Diversion and Mitigation Process
Steps
3a. A BGP announcement is the mechanism used to divert traffic to the Cisco® Guard.
3b. All traffic (malicious and legitimate) to the attacked destination is redirected to the Guard.
4. The Cisco Guard drops the DDoS anomalies and allows only the legitimate traffic to continue.
5. Cleaned traffic is injected back into the data path to reach the actual destination. Traffic is continually monitored by NetFlow and the Cisco Detector.
Network Foundation Protection
Protects infrastructure, enables continuous service delivery
Data Plane
• Detects traffic anomalies and responds to attacks in real time
• Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools
Control Plane
• Defense-in-depth protection for the routing control plane
• Technologies: Receive ACLs, control plane policing, routing protection
Management Plane
• Secure and continuous management of Cisco® IOS® network infrastructure
• Technologies: CPU and memory thresholding, dual export syslog, encrypted access, SNMPv3, security audit
[Diagram: Customer CE — PE — Service Provider Core — ASBR — Internet. Three data plane tool sets are shown: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools and PE-PE encryption on the provider edge; NetFlow, IP source tracker, ACLs, uRPF, RTBH and QoS tools on the ASBR/Internet side; and NetFlow, ACLs and uRPF at the customer edge (CE). Control plane and management plane protection applies across the provider network.]
Cisco Traffic Anomaly Detector
Detecting and Defeating Complex DDoS Attacks
Programmable Element Enabling:
• Sophisticated behavior-based anomaly detection
• Granular, per-connection state analysis of all packets
• Behavioral recognition engine eliminates the need to continually update profiles
• Session-state context recognizes validated session traffic
• Detects per-flow deviations
• Identifies anomalous behavior
• Responds based on user preference
Delivering:
• Highly accurate identification of all types of known and Day Zero attacks
• Fast and thorough detection of the most elusive and sophisticated attacks
• Elimination of the need to continually update profiles
• Reduced number of alerts and false positives common with static signature-based approaches
Products: Traffic Anomaly Detector XT 5600 (appliance), Traffic Anomaly Detector Module
Cisco Guard
Detecting and Defeating Complex DDoS Attacks
Programmable Element Enabling:
• Detailed, granular, per-flow analysis and blocking
• Integrated dynamic filtering and active verification technologies
• Protocol analysis and rate limiting
• Intuitive, Web-based GUI simplifies policy definition, operational monitoring, and reporting
Delivering:
• Precision traffic protection, while allowing legitimate transactions to flow
• Rapid, auto protection against all types of assaults, even Day Zero attacks
• Admission of only traffic volumes that will not overwhelm downstream devices
• Identification/blocking of all sizes of attacks, including those launched by distributed zombie hosts
Helps ensure uninterrupted business operations from even the most malicious assaults
Products: Traffic Anomaly Guard XT 5650 (appliance), Traffic Anomaly Guard Module
Cisco IOS NetFlow
• NetFlow is a standard for acquiring IP network and operational data
• Benefits
  Understand the impact of network changes and services
  Improve network usage and application performance
  Reduce IP service and application costs
  Optimize network costs
  Detect and classify security agents
Supported Platforms: Cisco 800; Cisco 1700/1800; Cisco 2600/2800; Cisco 3600/3700/3800; Cisco 4500/4700; Cisco 5300/5400/5800; Cisco 7200/7300/7400/7500; Cisco 4500 ASIC; Cisco 6500/7600 ASIC; Cisco 10000/12000/CRS-1
Day Zero Attack Detection with NetFlow
Benefits:
• Monitor traffic for anomalies
• Identify and classify the attack
• Trace attack to its source
References
Product and Technology Enablers
• NetFlow IOS® on Cisco® Routers
http://www.cisco.com/go/netflow
• Network Foundation Protection
http://www.cisco.com/go/nfp
• Cisco Guard XT Appliance and Cisco Anomaly Guard Service Module
http://www.cisco.com/en/US/products/ps5888/index.html
http://www.cisco.com/en/US/products/ps6235/index.html
• Cisco Traffic Anomaly Detector XT Appliance and Cisco Traffic
Anomaly Detector Service Module
http://www.cisco.com/en/US/products/ps5887/index.html
http://www.cisco.com/en/US/products/ps6236/index.html
• Router Security
http://www.cisco.com/go/security
• Arbor Networks (a Cisco Partner)
http://www.arbor.net/products_sp.php
Conclusion
• DDoS is a real and growing threat that can impact your business delivery and business reputation
• Take a proactive approach to handling security on your network
• DDoS protection is a managed security service opportunity
• Protect your infrastructure with DDoS protection and NFP
• Cisco® has the leading products and solutions to address the security threats
• Contact your sales contact to find out more today
Network Foundation Protection
Features and Benefits
Plane / Cisco IOS Service / Benefits
Data Plane
  NetFlow: Macro-level anomaly-based DDoS detection; provides rapid confirmation and isolation of an attack
  IP source tracker: Quickly and efficiently pinpoints the source interface an attack is coming from
  Access control lists (ACLs): Protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router’s destination address
  Unicast reverse path forwarding (uRPF): Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
  Remotely triggered black holing (RTBH): Drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress.
  QoS tools: Protects against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify, and rate limit)
  PE-to-PE encryption: Provides strong encryption within the service provider network
Control Plane
  Receive ACLs: Control the type of traffic that can be forwarded to the processor
  Control plane policing: Provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols
  Routing protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g., prefix limits) enhances routing stability
Management Plane
  CPU and memory thresholding: Protects CPU and memory resources of the IOS device against DoS attacks
  Dual export syslog: Syslog exported to dual collectors for increased availability
  Encrypted access: Encrypted access for users (SSHv2, SSL) and management applications
  SNMPv3: Secure SNMP management for third-party or custom-built applications
  Security audit: Provides audit trail of configuration changes
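The following is an added example written for this page, not Cisco code and not a description of any IOS implementation. It implements the uRPF and source-based RTBH rows of the table above in Python over a constructed forwarding table: strict mode requires that the reverse path to a packet's source leave by the interface the packet arrived on, loose mode only requires that some route to the source exists, both ignore the default route unless explicitly allowed (the behaviour of the IOS allow-default option), and a source whose prefix has been black-holed to Null0 fails either check. The packets include the asymmetric-routing case that makes strict mode drop legitimate traffic from a multihomed customer, which is the practical reason loose mode exists. The FIB contents, interface names and sample packets are all constructed.

```python
"""Strict and loose unicast RPF over a constructed FIB (added example)."""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed FIB: prefix -> egress interface. "Null0" marks a black-holed prefix,
# the state source-based RTBH leaves behind.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # customer A, single-homed
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer B, also reachable via Gi0/3
    ipaddress.ip_network("192.0.2.0/24"): "Null0",     # attack sources black-holed by RTBH
    DEFAULT: "Gi0/0",                                  # default route toward the core
}

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("203.0.113.5", "Gi0/1"),    # customer A address arriving on customer A's link
    ("203.0.113.5", "Gi0/0"),    # customer A address arriving from the core: spoofed
    ("198.51.100.9", "Gi0/3"),   # multihomed customer B arriving on its second link
    ("192.0.2.77", "Gi0/0"),     # source inside the black-holed prefix
    ("10.9.9.9", "Gi0/0"),       # source covered only by the default route
]


def reverse_path(fib, src_ip, allow_default=False):
    """Interface the router would use to reach src_ip, or None when no usable
    route exists: no match, a Null0 discard route, or only the default route
    while allow_default is False."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)   # longest-prefix match
    if best == DEFAULT and not allow_default:
        return None
    iface = fib[best]
    return None if iface == "Null0" else iface


def urpf_check(fib, src_ip, ingress, mode="strict", allow_default=False):
    """True when the packet passes the uRPF check in the given mode."""
    rp = reverse_path(fib, src_ip, allow_default)
    if rp is None:
        return False              # no route back to the source: drop in both modes
    if mode == "strict":
        return rp == ingress      # reverse path must leave by the ingress interface
    return True                   # loose: any usable route to the source suffices


def filter_packets(fib, packets, mode, allow_default=False):
    """Apply uRPF to each (src, ingress) packet and return the verdicts."""
    return [(src, ingress, "forward" if urpf_check(fib, src, ingress, mode, allow_default) else "drop")
            for src, ingress in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, ingress, verdict in filter_packets(FIB, PACKETS, mode):
            print(f"  {src:14} on {ingress}: {verdict}")
```

Running it shows the trade-off the table leaves implicit: strict mode stops the spoofed customer A address coming from the core, but also drops customer B's legitimate packet on Gi0/3, so strict mode belongs on single-homed customer edges and loose mode on peering and core links; the black-holed source is dropped in both modes, which is how a Null0 route plus loose uRPF turns destination-based RTBH into source-based filtering.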