Ip Guardian customer presentation
-
Upload
acaiani -
Category
Technology
-
view
793 -
download
4
description
Transcript of Ip Guardian customer presentation
© 2010 Colt Technology Services Group Limited. All rights reserved.
Colt IP Guardian
2
Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
3
DoS attack: definition
• A Denial of Service (DoS) attack is an explicit attempt by attackers to prevent legitimate users from using that service. Examples include:– Attempts to flood a network, thereby preventing legitimate network traffic
– Attempts to use all available processing power on the end system to prevent regular users access
– Attempts to disrupt connections between two machines, preventing access to a service
– Attempts to prevent a particular individual from accessing a service
– Attempts to disrupt service to a specific system or person
4
What is a Distributed Denial of Service Attack? (1/2)• A DDoS attack is the most prominent form of DoS attack
– The attacker scans millions of computers on the Internet to identify unsecured hosts to be used as launch pads
– Then secretly installs software on a master computer and a collection of compromised zombie computers
– The attacker hides their true identity and location by using these zombie machines to launch the attacks
– The attack results in denial of service to legitimate users because their infrastructure is overwhelmed with illegitimate requests, thereby choking off the site's available bandwidth
5
What is a Distributed Denial of Service Attack? (2/2)Areas vulnerable to attack include:
• Routers
• Firewalls
• Web servers
• DNS servers
• Mail Servers
• VoIP gateways
Indirect victims, elements that share the victims’ network (for example, other servers in a server farm)
AS
ISP Backbone
AS
AS
Enterprise
Zombies on innocent computers
Zombies on innocent computers
Zombies on innocent computers
Server level attacks
Bandwidth level attacks
Infrastructure level attacks
6
Real world proposals …
• Someone offers a DDoS service-----Original Message-----
From: Martyn Clapham [mailto:[email protected]]
Sent: Friday, 16 May 2003 2:45 PM
To: ********************
Subject: Offer from irc.mad.pp.ru 2787!
Do you want to get rid of your competitors? Or blackmail your boss because he didn't pay you? We can help! Ddos attack on any internet server. We pay admins of irc.icq.com for hosting so our bandwidth is huge and our knowledge of such attacks allows us to fulfill any requirement. If you are in need of Ddos attacks, or simply looking for specific content for your web site (like child porn or anything weird) - tell us and will give you what you need!
Our contacts are: irc.mad.pp.ru 2787
• Someone else offers protection you can’t refuse (if you don’t pay, you will be attacked)
• So-called “cyber mafia” mainly based in Russia and Eastern Europe
7
Typical Targets of a DDoS Attack
• Typical Targets of a DDoS attacks are:– eCommerce
– On line banking
– On line trading
– iGaming
– iGambling
– Content Providers
– Governmental organizations
– ISPs
In general, all those companies that make business providing online/Internet services
8
Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
9
Colt Proposition: IP Guardian
• Proposal– Colt will protect the customer bandwidth by detecting attacks whilst still
within the Colt network
– Customer traffic is diverted only in case an attack is detected no impact for customers during normal operations
• How?– By expanding the existing state of the art platform built using Arbor Peakflow
monitors and Arbor TMS (Threat Management System) and locating them throughout Colt’s Tier1 pan-European network
10
Service Variants
• Continuous – Automatic redirection/mitigation if anomaly detected
– Reports via customer portal
• On-Demand – Customer control via portal
– alerts via email/SMS,
– customer reviews anomaly on Colt portal
– triggers mitigation if it is deemed to be an attack
• Emergency Implementation – Set up temporary IPG service in midst of attack
– No baselining, default profile
– Can migrate to full service (Continuous or On-Demand)
11
Benefits of the IP Guardian Service
• “In the cloud” DDoS protection– DDoS protection on site can be useless – attacks can flood the pipe however good
the mitigation devices are. IP Guardian stops the attack before it can reach you
• Anomaly monitoring– Constant monitoring of Netflow telemetry data to ensure rapid detection of any
abnormal activity
• Resiliency– Protection deployed at multiple strategic locations throughout Colt global network to
ensure near continuous uptime of the IP Guardian service and the best possible round trip time (RTT) in case traffic needs to be diverted
• Productivity– Avoid downtime – you can carry on working as normal if the attack is successfully
mitigated
• Flexibility– New ‘On Demand’ Variant provides more customer control to avoid false positives
12
IP Guardian: how it works (1/3)
– IP Guardian is a dedicated service in which the customer traffic is continuously monitored ensuring that the customer is continually prepared to react against DDoS attacks
– The traffic to the customer is constantly monitored while it follows its path in the network. The Arbor Peakflow SP Collectors gather traffic statistics (network telemetry data) from all peering and transit routers, which it constantly analyzes to construct a network-wide view of possible traffic and network anomalies
Colt Backbone
Public Internet
Arbor Peakflow SP
Arbor TMS
Arbor SP constantly monitors traffic destined
to the customer
Customer Network
13
IP Guardian: how it works (2/3)
– An alert is generated if the behaviour is found to be abnormal.
– When an attack is detected by Arbor Peakflow SP, traffic is automatically diverted to Arbor TMS, which mitigates the attack based on traffic patterns learnt by Arbor Peakflow SP
PublicInternet
BGP Announcement
Malicious Traffic
Cleaned Traffic
Arbor TMS TMS is triggered
Arbor Peakflow SP
Arbor SP constantly monitor traffice detined
to the customer
Customer Network
14
IP Guardian: how it works (3/3)
– The customer never feels the full impact of an attack as their circuit is being continually monitored and protection triggered automatically by the platform
– Only the cleaned traffic flows toward the customer, which will be provided with high levels of protection
PublicInternet
Colt Backbone
Malicious Traffic
Cleaned Traffic
Arbor TMS
Arbor Peakflow SP
Whenever an attack occurs, traffic is
reqdirected to Arbor TMS, the attack mitigated and cleaned traffic only flows
to the customerCustomer Network
15
IP Guardian: Proactive eMail Alerting
• In case an attack is detected, an email is sent to the customer
• Another email is sent once the attack is mitigated
• The structure of such emails is provided below as an example.
– From: "Peakflow SP" [email protected]– Date: date/time– To: Customer’s Address (this address shall be reachable in case of attacks)– Subject: [Peakflow SP] Bandwidth attack #[Attack ID] Incoming to [Customer] Done– Type: (Bandwidth, Protocol)– ID: a number identifying the attack– Resource: Customer’s name– Severity: high– Started: date/time (UTC) referred to the attack beginning– Ended: date/time (UTC) referred to the attack mitigation– Link rate: traffic (in Mbps) related to the attack– Router: Colt peering router and interfaces involved– Input If: Input Interface– Output If: Output Interface– URL: www.colt.net
16
Customer Portal
• View traffic profiles
• View anomalies
• Trigger mitigation (On-Demand Only)
17
Agenda
• DoS and DDoS Attacks
• Colt Proposition: IP Guardian
• Technical View
18
IP Guardian: Platform Deployment
MAD
PAR
MIL
NYC
Controller
Collector
TMS
MAD BCNLIS
PAR
DUB
ROM
MIL
TUR
ZURGEN
BAS
FRK
BRU
AMSHAM
STOCPH
HAJ
BER
MUN
STR
DUSCGN
VIE
FRK
LON
BHX
8x
19
Technicalities
• The service is available to customers with a service bandwidth of at least 10Mbps and 30/40% of spare bandwidth (recommended)
• Traffic content is not monitored or stored: IP Guardian is not what is known as “Deep Packet Inspection”
• The maximum number of packets that can be dealt with is 1 Million packets per second
• Maximum bandwidth up to 2Gbps per TMS – this means a maximum of 2Gbps in case of a DoS attack managed by one TMS or Nx2Gbps DDoS attack through multiple entry points (N=6, the number of TMS installed)
• Simultaneous TCP connections during a SYN attack per device: 100,000
• Source and destination HTTP host pairs per device: 1 Million
• Zombies per device: 20,000