Matt Sheely, Devrin Lewis
UC IT DDoS Prevention Research Project

Transcript of the slide deck.

Page 1

Matt Sheely
Devrin Lewis
UC IT DDoS Prevention Research Project

Page 2

Overview

• History
• Problem Statement
• Hardware/Software Requirements
• Design Protocol
• Demo
• Testing
• Risk Management
• Budget
• Conclusion

Page 3

History

• UC IT Attack
  – Distributed Denial of Service (DDoS)
  – Crippled UC network
  – Problem compounded: Blackboard services

• Outcome
  – DDoS prevention architecture: NetZentry

• NetZentry no longer supported
  – Outdated definition files in use

Page 4

Problem Statement

The UC IT department is currently looking for a new, non-service-based DDoS prevention architecture, implemented in either hardware or software, that performs at or above the level of the existing DDoS prevention architecture, NetZentry.

Page 5

Hardware/Software Requirements

• Vendor-supplied DDoS hardware
  – IntruGuard IG2000 (fiber)
  – Radware DefensePro x20
  – Radware Absolute Insite ManagePro

• Cisco Catalyst 6500 Router
• Cisco 3750G PoE switch
• Radware Raptor Attack Tool
• Windows Server 2003 machine (Management Console)
• Test laptops

Page 6

Design Protocol

(Network diagram.) Components shown: Internet; UC Production Network; Isolated UC Attack Test Lab; Cisco Catalyst 6500 Router; Cisco 3750G switch on VLAN 36; Radware DefensePro; Radware Insite ManagePro; IntruGuard IG2000; Management console; DDoS Attack Host.

Key (link types): UC Production Traffic; Tx Mirrored Traffic; Rx Mirrored Traffic; Radware Filtered Rx Traffic; Attack Traffic; Rx Mirrored Traffic and Mirrored Attack Traffic; Management Link between Radware DefensePro and Insite ManagePro; IntruGuard Management Link; Radware Management Link.

Page 7

Demo

Page 8

Testing: Weighted Value Chart

Test Stage / Multiplier Value / Description of Multiplier Value

Configuration Testing, multiplier 1.667: Configuration testing was deemed lowest importance and will be used in case of a tie between vendor hardware.

Baseline Testing, multiplier 5.000: Baseline testing was deemed highest importance in order to maintain legitimate network connectivity.

Attack Testing, multiplier 3.333: Attack testing was deemed the second highest importance in order to maintain legitimate network connectivity.

Page 9

Configuration Results

Scale: Poor (1), Average (2), Excellent (3).

Parameters rated for each vendor (Radware and IntruGuard):
• Difficulty of Vendor Supplied Documentation
• User Interfaces for Management
• Vendor Availability
• Overall configuration

(The per-parameter marks were placed in the slide's grid and are not recoverable from the transcript.)

Page 10

Baseline Results

Parameter: Certainty of legitimate traffic not being blocked.

Scale:
• Vendor blocks legitimate traffic (0)
• Fairly certain blocks legitimate traffic (1)
• Equally likely to be blocking as not blocking legitimate traffic (2)
• Fairly certain does not block legitimate traffic (3)
• Does not block legitimate traffic (6)

Rated vendors: Radware, IntruGuard. (The marks were placed in the slide's grid and are not recoverable from the transcript.)

Page 11

Attack Results

Scoring: Pass (1), Failed (0). Scores listed as Radware / IntruGuard.

• Single Source, Non-spoofed TCP SYN Attack (21/04/09 14:36/12:18): 1 / 1
• Single Source, Non-spoofed TCP RST Attack (21/04/09 14:46/12:27): 1 / 1
• Multi-source, Spoofed TCP SYN attack (22/04/09 1:14): 0 (1) / 1
• Multi-source, Spoofed TCP RST attack (22/04/09 1:37): 1 / 1
• Single source, Non-spoofed UDP data flood (22/04/09 1:48): 1 / 1
• Single source, Non-spoofed UDP RTP flood (22/04/09 2:00) (ICMP 8): 1 / 1
• Multi-source, Spoofed UDP Data flood (22/04/09 2:14): 1 / 1
• Multi-source, Spoofed UDP RTP flood (22/04/09 2:24) (ICMP 8): 1 / 1
• Single source, Non-spoofed ICMP echo request (27/04/09 1:20) (ICMP 8): 1 / 1
• Single source, Non-spoofed ICMP timestamp flood (27/04/09 1:20) (ICMP 8): 1 / 1
• Multi-source, Spoofed ICMP echo request (27/04 2:00) (ICMP 8): 1 / 1
• Multi-source, Spoofed ICMP timestamp flood (27/04 1:20) (ICMP 8): 1 / 1

Total attack testing score: 11 / 12

Page 12

Risk Management

Risk / Risk Level / Mitigation

• Vendor hardware delay and/or hardware failure (High): Maintain contact with vendors in order to anticipate hardware delay, and then have alternative procedures in order to maintain the test schedule.
• Vendor decision to withdraw from project (High): Retain the project with an updated scope to compare two vendor hardware setups instead of three.
• Test lab configuration (Moderate): Run a preliminary DDoS test on the test network before beginning trial tests of hardware.
• Test lab software (Moderate): Back-up plans for test software, including vendor-supplied testing software.
• Lab hardware failure (Moderate): Spare parts on hand to replace faulty hardware components.
• Over-extending timeline (Moderate): Develop multiple plans based on 3- or 4-week testing.

Page 13

Budget

Product / Retail Cost / Our Cost / Provider

Lab Resources
• Two Laptop Computers: $2100 + (2*$900) = $3900 / $2,100 / UC Lab/Personal
• Radware Raptor Attack Tool: 0 / 0 / Vendor
• Cisco 3750G PoE Switch: $5,049.00 / 0 / UC Network Operations
• Cabling: $1.04 x 250ft = $260 / 0 / UC Lab
• Vendor Hardware: ~$20,000 / 0 / Vendor
• Visio: $559.95 / 0 / MSDN
• Office 2007: $164.94 / $10 / Student Book Store
• Windows Server 2K3 Machine: $500.00 / 0 / UC Network Operations

Labor ($40 per hour)
• Research hours: 30h x 2 = 60h / 0
• Hardware installation: 5h x 3 x 2 = 30h / 0
• Initial lab setup: 10h x 2 = 20h / 0
• DDoS testing: 5h x 3 x 2 = 30h / 0
• Recommendation report: 10h x 2 = 20h / 0
• Total hours: 160h / 0
• Labor costs: 160h x $40 = $6400 / 0

Total cost: ~$36,833.89 / $2,110

Page 14

Conclusion

Test / Radware/IntruGuard / Multiplier / Weighted Total
• Configuration: 9/9, multiplier 1.667, weighted 15.003/15.003
• Baseline: 3/12, multiplier 5, weighted 15/36
• Attack: 11/12, multiplier 3.333, weighted 36.63/39.96
• Complete Total: 66.633/90.963

The IntruGuard IG2000 is recommended to UCit based on the results of the test parameters, and also because the Radware DefensePro's requirement of downgrading to Java Run Time Environment 5.5 could be prohibitive for UCit.

Page 15

Questions?

Pages 16 to 18

Configuration Screens

Pages 19 to 21

User Profile

• Network Administrator
  – Advanced network and security knowledge
  – Extensive knowledge of current UC network
  – Strong troubleshooting skills

Page 22

Deliverables

• Installation and configuration process

• Documentation of configuration

• Analysis and performance report

• Recommendation report

Page 23

For vendor responses, refer to the attached Word documents:

Radware_Response

IntruGuard_Response