奇科電腦
DDoS & DoS Defense System: Cisco Guard XT 5650-B (Part I)

Author: Ben


Figure: Cisco Guard XT 5650-B denial-of-service attack defense appliance

01 Preface

At 9:15 a.m. on February 7, 2000, AT&T researcher Steve Bellovin was telling the North American Network Operators' Group (NANOG) that a relatively little-known class of attack could not be stopped with the technology of the day. About an hour later, Yahoo, then the world's second-largest website, disappeared from the Internet. Over the following two days, other well-known sites such as eBay, Amazon, Buy.com, ZDNet, CNN.com, E*Trade and MSN joined the list of victims, each losing its external service for several hours.

The culprit was the DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack. Such an attack either saturates the external bandwidth of the organization's network, or exhausts the servers (web, e-mail) and the key network devices (routers, switches) behind it, so that connectivity to the outside world is all but cut off.

These attacks have never stopped, and the situation keeps getting worse, because the attack tools are easy to obtain and easy to use. The attack sources are hard to trace, and even when a source is found, the attacker behind it usually is not. At the same time, ever-larger access bandwidth makes organizations a more attractive target. All of this encourages many Internet users to pick up these tools and launch DDoS attacks.

02 About DDoS

The figure above makes the structure of a DDoS attack easy to see. Two terms used in it need to be explained:

Terminology and explanation:

AS (Autonomous System): An AS is a collection of connected IP routing prefixes under the control of one or more network operators that presents a single, clearly defined routing policy to the Internet. ISPs such as AT&T and Chunghwa Telecom, and large organizations such as Cisco, hold officially registered Autonomous System Numbers (ASNs); the ASN distinguishes one AS from another and is used when exterior routing information is exchanged between them (BGP).

Zombie: Literally a "revived corpse". Here it refers to an innocent host on which the client (agent) component of a DDoS tool has been installed, so that the attacker's controller can direct it, together with many others, against a chosen target. The owner of such a host is usually unaware that the DDoS program is present.

As the figure shows, zombies can sit in different ASes, which means any host on the Internet can become a zombie. Zombies may be spread across Africa, Asia, the Americas, in fact all over the world, and on today's Internet a DDoS attack can sometimes marshal hundreds of thousands of them simultaneously. Suppose each host generates only 64 kb/s of attack traffic: 100,000 zombies then produce 64 kb/s x 100,000 = 6.4 Gb/s, an enormous flood. How many enterprises or government agencies can absorb that much malicious traffic? The honest answer is pessimistic. Admittedly, a 6.4 Gb/s attack is not yet common on the current Internet; a 500 Mb/s attack, however, is quite common and relatively easy to mount, and we believe most large enterprises cannot absorb even that.

DDoS attack techniques also change very quickly. Besides increasing the number of zombies, attackers can mix attack packets with traffic that looks like normal access in order to confuse existing defenses. Moreover, as soon as a new defense mechanism appears, a new attack strategy follows, and tools for it are readily available. DDoS can therefore appear impossible to defend against.

03 Shortcomings of common DDoS countermeasures

Blackhole routing
When an attack occurs, the router is configured to send every packet destined for the target IP address to its null interface. This stops the attack traffic efficiently, but it drops the legitimate packets as well, so they never reach the destination either; from the attacker's point of view the denial of service has succeeded.

Router ACLs
Entering ACL commands on routers cannot respond quickly to a large attack. Imagine how long it takes to apply ten ACL lines on thousands of routers! An ACL that simply blocks traffic to the target also shares the drawback of blackhole routing: legitimate traffic is dropped along with the attack.

Firewall
A firewall offers little protection against DDoS. Although many vendors claim their firewalls block DDoS attacks, in practice they stop only the smallest attacks and cannot withstand medium- or large-scale attacks or the newest techniques. In our industry experience, the firewall is frequently the first device knocked over by a DDoS attack.

IPS
An IPS fares even worse than a firewall. Although it can recognize more attack types, it relies on matching attack packets against signatures and therefore cannot recognize the newest attacks. This not only limits its usefulness against DDoS; the IPS itself can be brought down by the attack traffic.

04 The Cisco Guard XT 5650-B solution

Each of the traditional countermeasures in the previous section has its merits. On the positive side they do stop attack packets; on the negative side they either block legitimate traffic as well or collapse under the load. Those that inspect packets also depend on a list of signature definitions to recognize attacks. None of them is a complete answer.

Note: the one property every DDoS attack shares is volume. If the attack traffic is not large enough, it is not an attack at all, because it affects neither the bandwidth nor the service. Therefore, whenever we promote this new product across Asia, we remind engineers to always consider the traffic capacity of both the protecting device and the protected devices, so that the network can be designed to cope with the expected load.

Let us now look at Cisco's solution to DDoS attacks.

Taking enterprise DDoS protection as the example, the figure above shows an enterprise network with three separate server groups: the Web Server (Protected Zone 1), the Name Servers (Protected Zone 2) and the E-commerce Application (Protected Zone 3). In this scenario the E-commerce Application is the target of the attack.

In the second step of the figure, the Cisco Traffic Anomaly Detector detects malicious traffic, i.e. that the E-commerce Application is under DDoS attack, and notifies the Cisco Guard that something abnormal is happening. The notification can be triggered manually or automatically, depending on whether the Detector runs in Manual or Auto mode.

In the third step, on receiving the Detector's notification, the Cisco Guard sends a BGP announcement to the router, which then routes all traffic whose destination IP address is the E-commerce Application to the Cisco Guard. Whether this announcement is a host route (a /32 for the single target address) or a network route (the prefix of the whole protected zone) depends on the Guard's internal configuration.

The thick dotted line in the figure shows that, because of the additional BGP route, the traffic originally headed for the E-commerce Application is now diverted to the Cisco Guard, which begins filtering it.

The fourth step shows the Guard's ability to tell the two kinds of traffic apart. Every packet addressed to the E-commerce Application, attack or legitimate, passes through the MVP (Multi-Verification Process), which discards the attack traffic. The result appears in the fifth step: the Cisco Guard forwards only the legitimate packets on to the E-commerce Application. Note that this cleaned traffic has to be injected back toward the target along a path that bypasses the diverted route, otherwise the router would simply hand it back to the Guard; Cisco Guard supports several injection methods for this purpose, for example a dedicated VLAN or a GRE tunnel.

In the sixth step, while the Cisco Guard is filtering packets, access to the other two server groups is not affected, because only the route to the E-commerce Application was changed. With the Guard in place, ordinary users can continue to use the E-commerce Application normally even while it is under attack.
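The diversion in steps 3 to 6 and the blackhole routing of section 03 both rely on the same router behaviour: a destination-based forwarding table in which the most specific matching prefix wins. The following Python example, added here and not taken from the article or from Cisco, simulates that longest-prefix-match decision with constructed, hypothetical TEST-NET-3 addressing (203.0.113.0/24 for the enterprise, the E-commerce zone in 203.0.113.64/26, the attacked host at 203.0.113.70). It contrasts a blackhole route, which discards everything sent to the victim, with a Guard host route (/32), which diverts only the victim's traffic while the Web and Name Servers keep their normal path, and with a Guard network route, which diverts the whole E-commerce zone. The BGP announcement itself, the MVP filtering and the injection path back to the target are not modelled.

```python
import ipaddress

# Constructed, hypothetical addressing for the article's three protected zones
# (RFC 5737 TEST-NET-3 space; not the article's real network).
WEB_SERVER = "203.0.113.10"        # Protected Zone 1
NAME_SERVER = "203.0.113.20"       # Protected Zone 2
ECOMMERCE_NET = "203.0.113.64/26"  # Protected Zone 3 expressed as a network
ECOMMERCE_HOST = "203.0.113.70"    # the E-commerce host under attack
OTHER_ECOM_HOST = "203.0.113.65"   # another Zone 3 host that is not attacked

INTERNAL = "Switch"   # normal next hop toward the servers
GUARD = "Guard"       # next hop introduced by the Guard's BGP announcement
DISCARD = "Null0"     # blackhole next hop


class RoutingTable:
    """Destination-based forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # ipaddress.IPv4Network -> next hop name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        # Models the Guard withdrawing its announcement when the attack ends.
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        # The most specific (longest) matching prefix wins, as in any IP router.
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def build_edge_router():
    """The edge router before any attack: a single aggregate toward the servers."""
    rt = RoutingTable()
    rt.add("203.0.113.0/24", INTERNAL)
    return rt


def forward(rt, dst):
    """Where a packet to dst ends up: 'dropped' for a blackhole, else the next hop."""
    hop = rt.lookup(dst)
    return "dropped" if hop == DISCARD else hop


def decisions(rt, *dsts):
    return {dst: forward(rt, dst) for dst in dsts}


def blackhole_scenario():
    """Section 03: a /32 to Null0 stops the attack but also all legitimate traffic."""
    rt = build_edge_router()
    rt.add(ECOMMERCE_HOST + "/32", DISCARD)
    return decisions(rt, WEB_SERVER, NAME_SERVER, ECOMMERCE_HOST)


def guard_host_route_scenario():
    """Step 3 with a host route: only the attacked address is diverted to the Guard."""
    rt = build_edge_router()
    rt.add(ECOMMERCE_HOST + "/32", GUARD)
    return decisions(rt, WEB_SERVER, NAME_SERVER, ECOMMERCE_HOST, OTHER_ECOM_HOST)


def guard_network_route_scenario():
    """Step 3 with a network route: the whole E-commerce zone is diverted."""
    rt = build_edge_router()
    rt.add(ECOMMERCE_NET, GUARD)
    return decisions(rt, WEB_SERVER, NAME_SERVER, ECOMMERCE_HOST, OTHER_ECOM_HOST)


def after_attack_ends():
    """Withdrawing the Guard's route restores the original forwarding path."""
    rt = build_edge_router()
    rt.add(ECOMMERCE_HOST + "/32", GUARD)
    rt.withdraw(ECOMMERCE_HOST + "/32")
    return forward(rt, ECOMMERCE_HOST)


if __name__ == "__main__":
    print("blackhole:    ", blackhole_scenario())
    print("host route:   ", guard_host_route_scenario())
    print("network route:", guard_network_route_scenario())
    print("after attack: ", after_attack_ends())
```

Running the module prints the forwarding decision for each destination in each scenario. The point to take away is that with a host route only the attacked address changes path, which is exactly why the other two protected zones are untouched in step 6, whereas a network route also pulls the zone's unattacked hosts through the Guard.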

05 Conclusion

In previous issues we introduced firewall and IPS deployment, where the firewall is placed in front of the IPS. After the explanation in this document, readers should see that a DDoS defense system has to be deployed in front of the firewall. Our project planning and implementation experience over recent years confirms that a DDoS defense system does protect the firewall and IPS effectively.

In the next issue we will describe how the Cisco Guard uses the behaviour of DDoS traffic to filter packets and keep the service running.