Ip Guardian customer presentation

© 2010 Colt Technology Services Group Limited. All rights reserved. Colt IP Guardian


Transcript of Ip Guardian customer presentation

Page 1: Ip Guardian customer presentation


Colt IP Guardian

Page 2

Agenda

• DoS and DDoS Attacks

• Colt Proposition: IP Guardian

• Technical View

Page 3

DoS attack: definition

• A Denial of Service (DoS) attack is an explicit attempt by attackers to prevent legitimate users from using a service. Examples include:

– Attempts to flood a network, thereby preventing legitimate network traffic

– Attempts to use all available processing power on the end system to prevent regular users access

– Attempts to disrupt connections between two machines, preventing access to a service

– Attempts to prevent a particular individual from accessing a service

– Attempts to disrupt service to a specific system or person

Page 4

What is a Distributed Denial of Service Attack? (1/2)

• A DDoS attack is the most prominent form of DoS attack

– The attacker scans millions of computers on the Internet to identify unsecured hosts to be used as launch pads

– Then secretly installs software on a master computer and a collection of compromised zombie computers

– The attacker hides their true identity and location by using these zombie machines to launch the attacks

– The attack results in denial of service to legitimate users because the victim's infrastructure is overwhelmed with illegitimate requests, choking off the site's available bandwidth

Page 5

What is a Distributed Denial of Service Attack? (2/2)

Areas vulnerable to attack include:

• Routers

• Firewalls

• Web servers

• DNS servers

• Mail Servers

• VoIP gateways

• Indirect victims: elements that share the victim's network (for example, other servers in the same server farm)

[Diagram: zombies on innocent computers in several ASes send traffic across the ISP backbone towards the enterprise; the attacks are grouped as server level, bandwidth level and infrastructure level]

Page 6

Real world proposals …

• Someone offers a DDoS service:

-----Original Message-----

From: Martyn Clapham [mailto:[email protected]]

Sent: Friday, 16 May 2003 2:45 PM

To: ********************

Subject: Offer from irc.mad.pp.ru 2787!

Do you want to get rid of your competitors? Or blackmail your boss because he didn't pay you? We can help! Ddos attack on any internet server. We pay admins of irc.icq.com for hosting so our bandwidth is huge and our knowledge of such attacks allows us to fulfill any requirement. If you are in need of Ddos attacks, or simply looking for specific content for your web site (like child porn or anything weird) - tell us and will give you what you need!

Our contacts are: irc.mad.pp.ru 2787

• Someone else offers protection you can’t refuse (if you don’t pay, you will be attacked)

• So-called “cyber mafia” mainly based in Russia and Eastern Europe

Page 7

Typical Targets of a DDoS Attack

• Typical targets of DDoS attacks are:

– eCommerce

– Online banking

– Online trading

– iGaming

– iGambling

– Content Providers

– Governmental organizations

– ISPs

In general, any company whose business depends on providing online/Internet services

Page 8

Agenda

• DoS and DDoS Attacks

• Colt Proposition: IP Guardian

• Technical View

Page 9

Colt Proposition: IP Guardian

• Proposal

– Colt protects the customer's bandwidth by detecting and mitigating attacks while the traffic is still inside the Colt network

– Customer traffic is diverted only when an attack is detected, so there is no impact on the customer during normal operation

• How?

– By expanding the existing state-of-the-art platform, built on Arbor Peakflow SP monitors and Arbor TMS (Threat Management System), and locating these devices throughout Colt’s Tier 1 pan-European network

Page 10

Service Variants

• Continuous

– Automatic redirection/mitigation if an anomaly is detected

– Reports via the customer portal

• On-Demand

– Customer control via the portal

– Alerts via email/SMS

– The customer reviews the anomaly on the Colt portal

– The customer triggers mitigation if the anomaly is deemed to be an attack

• Emergency Implementation

– A temporary IP Guardian (IPG) service set up in the midst of an attack

– No baselining; a default profile is used

– Can migrate to the full service (Continuous or On-Demand)

Page 11

Benefits of the IP Guardian Service

• “In the cloud” DDoS protection

– On-site DDoS protection can be useless: an attack can flood the access pipe however good the mitigation devices behind it are. IP Guardian stops the attack before it reaches the customer's link

• Anomaly monitoring

– Constant monitoring of NetFlow telemetry data to ensure rapid detection of any abnormal activity

• Resiliency

– Protection deployed at multiple strategic locations throughout the Colt global network, to ensure near-continuous uptime of the IP Guardian service and the best possible round trip time (RTT) when traffic has to be diverted

• Productivity

– Avoid downtime: if the attack is successfully mitigated, you carry on working as normal

• Flexibility

– The new ‘On-Demand’ variant gives the customer more control, to avoid acting on false positives

Page 12

IP Guardian: how it works (1/3)

– IP Guardian is a dedicated service in which the customer's traffic is continuously monitored, so that the customer is always prepared to react to DDoS attacks

– Traffic towards the customer is monitored constantly as it follows its path through the network. The Arbor Peakflow SP Collectors gather traffic statistics (network telemetry data such as NetFlow) from all peering and transit routers and analyse them continuously to build a network-wide view of possible traffic and network anomalies

[Diagram: Public Internet → Colt Backbone (Arbor Peakflow SP, Arbor TMS) → Customer Network; Arbor SP constantly monitors traffic destined to the customer]

Page 13

IP Guardian: how it works (2/3)

– An alert is generated if the behaviour is found to be abnormal

– When an attack is detected by Arbor Peakflow SP, traffic is automatically diverted (by means of a BGP announcement) to the Arbor TMS, which mitigates the attack based on the traffic patterns learnt by Arbor Peakflow SP

[Diagram: Public Internet → Colt Backbone; Arbor Peakflow SP constantly monitors traffic destined to the customer; on detection the TMS is triggered, a BGP announcement pulls the malicious traffic to the Arbor TMS and only cleaned traffic continues to the Customer Network]

Page 14

IP Guardian: how it works (3/3)

– The customer never feels the full impact of an attack, as their circuit is continually monitored and protection is triggered automatically by the platform

– Only the cleaned traffic flows towards the customer, who is thus provided with a high level of protection

[Diagram: Public Internet → Colt Backbone (Arbor Peakflow SP, Arbor TMS) → Customer Network; whenever an attack occurs, traffic is redirected to the Arbor TMS, the attack is mitigated and only cleaned traffic flows on to the customer]
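As an added illustration of the detect-then-divert loop described on the three "how it works" slides (example code written for this page, not Colt's or Arbor's software): a toy Peakflow-style detector that aggregates flow counts per monitored destination, compares them against a learnt baseline, and on detection injects a more-specific /32 route with the TMS as next hop into a longest-prefix-match table that stands in for the backbone RIB. Everything concrete is assumed: the prefixes, the flow values, the thresholds (3x baseline or a 50 Mbps floor), the EWMA learning rate and the next-hop names. Returning the cleaned traffic from the TMS to the customer is not modelled, since the deck does not describe that leg.

```python
import ipaddress

# Constructed sample: byte/packet counts seen towards each destination during
# one 60 s flow-export interval. Real inputs would be NetFlow records from the
# peering/transit routers; these values are made up for the example.
def flows_normal():
    return [("203.0.113.10", 300_000_000, 250_000),   # ~40 Mbps web server
            ("203.0.113.20", 75_000_000, 60_000),     # ~10 Mbps mail server
            ("198.51.100.5", 150_000_000, 120_000)]   # another customer, not monitored

def flows_attack():
    return [("203.0.113.10", 6_000_000_000, 12_000_000),   # ~800 Mbps flood at the web server
            ("203.0.113.20", 75_000_000, 60_000),
            ("198.51.100.5", 150_000_000, 120_000)]

def mbps(byte_count, interval_s=60):
    return byte_count * 8 / interval_s / 1e6


class Baseline:
    """Per-destination EWMA of Mbps, learnt only from intervals that were not
    flagged. With no learnt value yet (the 'Emergency' variant: no baselining,
    default profile) the threshold is an absolute floor. All thresholds assumed."""
    def __init__(self, alpha=0.2, floor_mbps=50.0, factor=3.0):
        self.alpha, self.floor, self.factor = alpha, floor_mbps, factor
        self.rate = {}

    def learn(self, dst, value):
        prev = self.rate.get(dst)
        self.rate[dst] = value if prev is None else prev + self.alpha * (value - prev)

    def threshold(self, dst):
        learnt = self.rate.get(dst)
        return self.floor if learnt is None else max(self.floor, self.factor * learnt)


class Rib:
    """Longest-prefix-match table standing in for the backbone routers' BGP RIB."""
    def __init__(self):
        self.routes = {}

    def announce(self, net, next_hop):
        self.routes[ipaddress.ip_network(net)] = next_hop

    def withdraw(self, net):
        self.routes.pop(ipaddress.ip_network(net), None)

    def next_hop(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


class Guardian:
    """Detection loop: flag a monitored destination when its rate exceeds the
    baseline threshold, off-ramp it to the TMS with a more-specific /32, and
    withdraw that route once the rate is back to normal."""
    def __init__(self, monitored_prefixes, rib, tms_next_hop="TMS-FRK"):
        self.monitored = [ipaddress.ip_network(p) for p in monitored_prefixes]
        self.rib, self.tms = rib, tms_next_hop
        self.baseline = Baseline()
        self.diverted = set()

    def watches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.monitored)

    def process(self, flows, interval_s=60):
        """Consume one export interval; return ('divert'|'restore', dst, Mbps) events."""
        events = []
        for dst, nbytes, _packets in flows:
            if not self.watches(dst):
                continue
            rate = mbps(nbytes, interval_s)
            if rate > self.baseline.threshold(dst):
                if dst not in self.diverted:
                    self.rib.announce(f"{dst}/32", self.tms)   # BGP more-specific: pull traffic to the TMS
                    self.diverted.add(dst)
                    events.append(("divert", dst, round(rate)))
            else:
                self.baseline.learn(dst, rate)   # learn only from clean intervals
                if dst in self.diverted:
                    self.rib.withdraw(f"{dst}/32")   # attack over: back to the normal path
                    self.diverted.discard(dst)
                    events.append(("restore", dst, round(rate)))
        return events


def build_demo():
    """Backbone with two customer /24s; only customer A subscribes to IP Guardian."""
    rib = Rib()
    rib.announce("203.0.113.0/24", "CE-customerA")
    rib.announce("198.51.100.0/24", "CE-customerB")
    return Guardian(["203.0.113.0/24"], rib), rib


if __name__ == "__main__":
    g, rib = build_demo()
    print(g.process(flows_normal()))          # [] : baseline learnt, nothing diverted
    print(g.process(flows_attack()))          # [('divert', '203.0.113.10', 800)]
    print(rib.next_hop("203.0.113.10"), rib.next_hop("203.0.113.20"))   # TMS-FRK CE-customerA
    print(g.process(flows_normal()))          # [('restore', '203.0.113.10', 40)]
```

Two properties of the real service fall out of the model: only the attacked host's traffic is pulled to the TMS (the neighbouring host in the same /24 and the other customer keep their normal next hop), and the baseline is not updated while an attack is in progress, otherwise the flood would quickly become the "normal" rate and the diversion would be withdrawn too early.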

Page 15

IP Guardian: Proactive eMail Alerting

• When an attack is detected, an email is sent to the customer

• Another email is sent once the attack has been mitigated

• The structure of these emails is given below as an example:

– From: "Peakflow SP" [email protected]

– Date: date/time

– To: Customer’s address (this address must remain reachable while an attack is in progress)

– Subject: [Peakflow SP] Bandwidth attack #[Attack ID] Incoming to [Customer] Done

– Type: Bandwidth or Protocol

– ID: a number identifying the attack

– Resource: customer’s name

– Severity: high

– Started: date/time (UTC) at which the attack began

– Ended: date/time (UTC) at which the attack was mitigated

– Link rate: traffic (in Mbps) attributed to the attack

– Router: Colt peering router and interfaces involved

– Input If: input interface

– Output If: output interface

– URL: www.colt.net
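A customer SOC will normally want these notifications in a ticket or SIEM rather than a mailbox. The parser below is an added example written for this page (not Colt's or Arbor's code) that follows the field layout listed above; the two sample messages are constructed, and the sender and recipient addresses, attack ID, router and interface names, rates and the exact timestamp format are all assumptions. It also cross-checks the attack ID in the subject against the one in the body, so a mangled or forged mail is rejected rather than silently filed.

```python
import re
from datetime import datetime, timezone
from email import message_from_string

# Constructed sample alerts laid out as the slide describes. Sender, recipient,
# attack ID, interface names and rates are invented for the example.
ALERT_DONE = """\
From: "Peakflow SP" <peakflow@example.invalid>
Date: Tue, 09 Mar 2010 14:32:10 +0000
To: noc@customer.example
Subject: [Peakflow SP] Bandwidth attack #1234 Incoming to ExampleCustomer Done

Type: Bandwidth
ID: 1234
Resource: ExampleCustomer
Severity: high
Started: 2010-03-09 14:05:00 UTC
Ended: 2010-03-09 14:31:00 UTC
Link rate: 812 Mbps
Router: par-peer-1 (GigabitEthernet2/1 -> GigabitEthernet3/0)
Input If: GigabitEthernet2/1
Output If: GigabitEthernet3/0
URL: www.colt.net
"""

# The first e-mail, sent at detection time: no 'Done' in the subject and no Ended line.
ALERT_DETECTED = ALERT_DONE.replace(" Done\n", "\n").replace(
    "Ended: 2010-03-09 14:31:00 UTC\n", "")

SUBJECT_RE = re.compile(
    r"\[Peakflow SP\] (?P<type>\w+) attack #(?P<id>\d+) Incoming to "
    r"(?P<resource>.+?)(?P<done> Done)?$")
TS_FMT = "%Y-%m-%d %H:%M:%S UTC"   # assumed layout of the Started/Ended timestamps


def _ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc) if value else None


def parse_alert(raw):
    """Turn one Peakflow SP notification into a dict ready for a ticket or SIEM."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.match(msg["Subject"] or "")
    if not m:
        raise ValueError("not a Peakflow SP attack notification")
    fields = {}
    for line in msg.get_payload().splitlines():   # body is 'Key: value' lines
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    if fields.get("id") != m["id"]:
        raise ValueError("attack ID in body does not match subject")   # mangled or forged mail
    started, ended = _ts(fields.get("started")), _ts(fields.get("ended"))
    rate = re.match(r"([\d.]+)\s*Mbps", fields.get("link rate", ""))
    return {
        "attack_id": int(m["id"]),
        "type": fields.get("type", m["type"]),
        "resource": m["resource"],
        "severity": fields.get("severity"),
        "phase": "mitigated" if m["done"] else "detected",   # second vs first e-mail
        "started": started,
        "ended": ended,
        "duration_min": int((ended - started).total_seconds() // 60) if started and ended else None,
        "link_rate_mbps": float(rate.group(1)) if rate else None,
        "router": fields.get("router"),
        "input_if": fields.get("input if"),
        "output_if": fields.get("output if"),
    }


if __name__ == "__main__":
    for raw in (ALERT_DETECTED, ALERT_DONE):
        a = parse_alert(raw)
        print(a["attack_id"], a["phase"], a["link_rate_mbps"], a["duration_min"])
```

Whatever consumes the parsed record should live somewhere other than behind the link under attack: the slide's own caveat that the recipient address "must remain reachable" during an attack is the reason the On-Demand variant pairs email with SMS alerts.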

Page 16

Customer Portal

• View traffic profiles

• View anomalies

• Trigger mitigation (On-Demand Only)

Page 17

Agenda

• DoS and DDoS Attacks

• Colt Proposition: IP Guardian

• Technical View

Page 18

IP Guardian: Platform Deployment

[Map of the Colt network showing Controller, Collector and TMS sites; locations marked: MAD, BCN, LIS, PAR, DUB, ROM, MIL, TUR, ZUR, GEN, BAS, FRK, BRU, AMS, HAM, STO, CPH, HAJ, BER, MUN, STR, DUS, CGN, VIE, LON, BHX and NYC; legend entries: Controller, Collector, TMS, 8x]

Page 19

Technicalities

• The service is available to customers with a service bandwidth of at least 10 Mbps; 30-40% spare bandwidth is recommended

• Traffic content is not monitored or stored: IP Guardian works on flow telemetry, not on what is known as “Deep Packet Inspection”

• The maximum packet rate that can be handled is 1 million packets per second

• Maximum bandwidth is 2 Gbps per TMS: a DoS attack handled by a single TMS can be mitigated up to 2 Gbps, and a DDoS attack entering through multiple entry points up to N x 2 Gbps (N = 6, the number of TMS installed)

• Simultaneous TCP connections during a SYN attack, per device: 100,000

• Source and destination HTTP host pairs, per device: 1 million

• Zombies per device: 20,000