Introduction
Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have long been deployed as security perimeter appliances. A new generation of attacks has become common that these appliances cannot stop. Distributed Denial of Service (DDoS) attacks in particular are now widespread because botnets are cheap and easy to rent. New techniques have evolved in the industry to thwart DDoS attacks; this knol discusses those new and upcoming techniques.
SYN Proxy
This is one of the earliest techniques for handling spoofed DDoS attacks. During a SYN flood, a few machines send TCP SYN packets with spoofed source IP addresses. When a server receives these connection requests it responds with SYN/ACK packets and adds a half-open entry for each to its connection table. Since the spoofed addresses do not exist (or never sent a SYN), they never answer the SYN/ACK, so the entries stay in the table until they time out. This effectively denies access to new, legitimate connections.
A SYN proxy is an intermediate appliance that sits in front of the actual server and answers SYNs on its behalf, typically using SYN cookies so that the proxy itself keeps no state for unanswered SYNs. Until the client, spoofed or not, replies with the final ACK of the handshake, the connection request is not forwarded to the server.
This ensures that under a SYN flood all connection requests are screened and only those that complete the handshake are forwarded.
Connection Limiting
Too many connections can overload a server. Limiting the rate of new connection requests gives the server temporary respite: existing connections are given preference and only new requests are limited or refused.
Aggressive Aging
Some botnet attacks open perfectly legitimate connections and then do nothing at all. Such idle connections fill the connection tables of firewalls and servers. Aggressively aging idle connections, that is, shortening the idle timeout while the table is under pressure, provides relief. Aggressive aging removes the idle entries from the tables and may also send a TCP RST to the server (or firewall) so that it releases its own state for the connection.
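The two techniques above, connection limiting and aggressive aging, act on the same data structure, so here is a combined worked example added for this knol (it is not code from the original article or from any product it describes). The table capacity, the per-second budget for new connections, the two idle timeouts, the 0.8 pressure ratio and the traffic are all constructed for the illustration:

```python
"""Connection limiting and aggressive aging on a connection table.

Added example for this knol; not code from the original article or from
any product it describes. Table size, the per-second budget for new
connections, the timeouts and the traffic are all constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class ConnEntry:
    client: tuple        # (ip, port)
    opened: float
    last_seen: float


@dataclass
class ConnTable:
    max_entries: int = 1000            # capacity of the table
    new_per_second: int = 100          # connection-limiting budget for new requests
    idle_timeout: float = 60.0         # normal idle timeout (seconds)
    attack_idle_timeout: float = 5.0   # aggressive timeout once the table fills up
    pressure: float = 0.8              # fill ratio that switches to aggressive aging
    entries: dict = field(default_factory=dict)
    _window: int = -1                  # current one-second window for the budget
    _new_in_window: int = 0

    def admit(self, client, now):
        """Decide whether a connection request may use the table.

        Existing connections are preferred: they are refreshed and never
        limited. New requests are refused once the per-second budget is spent
        or the table is full. Returns True if the request is admitted.
        """
        if client in self.entries:
            self.entries[client].last_seen = now
            return True
        window = int(now)
        if window != self._window:
            self._window, self._new_in_window = window, 0
        if self._new_in_window >= self.new_per_second:
            return False                                  # connection-limited
        if len(self.entries) >= self.max_entries:
            return False                                  # table full
        self._new_in_window += 1
        self.entries[client] = ConnEntry(client, now, now)
        return True

    def age(self, now):
        """Drop idle entries. Under pressure the idle timeout shrinks, which
        is the aggressive aging. Returns the clients whose entries were
        removed; the caller would send a TCP RST to the server for each so
        that the server releases its own state too."""
        fill = len(self.entries) / self.max_entries
        timeout = self.attack_idle_timeout if fill >= self.pressure else self.idle_timeout
        expired = [c for c, e in self.entries.items() if now - e.last_seen > timeout]
        for c in expired:
            del self.entries[c]
        return expired


def demo():
    table = ConnTable(max_entries=10, new_per_second=5)
    # constructed traffic: 8 bots open connections at t~0 and then go idle
    for i in range(8):
        table.admit((f"198.51.100.{i}", 40000 + i), now=i * 0.01)
    admitted_bots = len(table.entries)            # 5 admitted, 3 connection-limited
    # a legitimate client connects at t=1 and keeps the connection active
    table.admit(("203.0.113.7", 51000), now=1.0)
    table.admit(("203.0.113.7", 51000), now=6.5)
    aged_normal = table.age(now=7.0)              # fill 6/10 < 0.8: 60 s timeout, nothing ages
    table.admit(("203.0.113.8", 51001), now=7.0)
    table.admit(("203.0.113.9", 51002), now=7.0)  # fill is now 8/10: aggressive aging kicks in
    aged_aggressive = table.age(now=7.5)          # the 5 idle bots go, the active clients stay
    return admitted_bots, len(aged_normal), sorted(c[0] for c in aged_aggressive), len(table.entries)


if __name__ == "__main__":
    print(demo())
```

Note that the active client survives the aggressive pass only because its last_seen was refreshed; an idle-but-legitimate client would be aged out just like a bot, which is the price of this technique and why the RST towards the server matters (a real client simply reconnects).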
Source Rate Limiting
When a bot-master has only a limited number of sources, he or she can use them to send packets aggressively, and the resulting high-rate streams burden the server; multi-threaded attack tools produce exactly this pattern. By identifying outlier IP addresses that break the norm, you can deny them excessive bandwidth. Because the IP addresses used in such attacks are not predictable, the appliance has to keep track of millions of IP addresses and their behaviour to isolate the outliers. Doing this at line rate is hard with software-only techniques because of the memory bandwidth it requires, so it is usually implemented in silicon.
Dynamic Filtering
Static filtering is a common technique in firewalls, switches and routers and is usually achieved with Access Control Lists (ACLs). Dynamic filtering is required when the attack and the attackers change constantly. It works by identifying undisciplined behaviour and punishing it for a short time: a short-lived filtering rule is created for the offending source and removed again once its time span has elapsed.
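Source rate limiting and dynamic filtering are usually chained: the rate logic finds the outliers and the dynamic filter punishes them for a while. The example below, added for this knol and not taken from the original article, shows that chain in software: per-source packet counts are taken per one-second window, a source is flagged when it is a robust outlier (above the median by more than k times the median absolute deviation, and above an absolute floor), and a block rule with an expiry time is installed and later pruned. The thresholds (floor 50 pkt/s, k = 6, 30-second block) and the traffic are constructed.

```python
"""Per-source rate limiting with outlier detection and dynamic filtering.

Added example for this knol, not code from the original article. Sources
are counted per one-second window; a source whose count is an outlier
(above median + k * MAD and above an absolute floor) gets a short-lived
block rule that expires on its own. Thresholds and traffic are constructed.
"""
from collections import Counter
from statistics import median


class DynamicFilter:
    def __init__(self, block_seconds=30.0, floor=50, k=6.0):
        self.block_seconds = block_seconds
        self.floor = floor           # never flag a source below this many pkts/s
        self.k = k                   # robust z-score threshold
        self.rules = {}              # src -> expiry time: the dynamic ACL

    def blocked(self, src, now):
        """Consult the dynamic rule table, pruning the rule if it has expired."""
        exp = self.rules.get(src)
        if exp is None:
            return False
        if exp <= now:
            del self.rules[src]      # rule has served its time span
            return False
        return True

    def evaluate_window(self, counts, now):
        """counts: {src: packets in the window just closed}. Flags outliers
        and installs temporary block rules. Returns the newly flagged sources."""
        values = sorted(counts.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0
        flagged = [s for s, v in counts.items()
                   if v >= self.floor and (v - med) / mad > self.k]
        for s in flagged:
            self.rules[s] = now + self.block_seconds
        return sorted(flagged)


def run(packets, filt):
    """packets: iterable of (timestamp, src). Returns (passed, dropped, flagged)."""
    passed = dropped = 0
    flagged_all = []
    window = None
    counts = Counter()
    for ts, src in sorted(packets):
        w = int(ts)
        if window is not None and w != window:          # window closed: judge it
            flagged_all += filt.evaluate_window(counts, now=float(w))
            counts = Counter()
        window = w
        if filt.blocked(src, ts):
            dropped += 1
            continue
        passed += 1
        counts[src] += 1                                # only admitted packets count
    if counts:
        flagged_all += filt.evaluate_window(counts, now=float(window + 1))
    return passed, dropped, flagged_all


def demo():
    pkts = []
    # constructed traffic, second 0: 40 normal clients at 5-8 pkt/s, 2 bots at 400 pkt/s
    for i in range(40):
        for j in range(5 + i % 4):
            pkts.append((j * 0.1, f"203.0.113.{i}"))
    for bot in ("198.51.100.1", "198.51.100.2"):
        for j in range(400):
            pkts.append((j * 0.002, bot))
    # second 1: the bots keep flooding and should now hit the dynamic rule
    for bot in ("198.51.100.1", "198.51.100.2"):
        for j in range(400):
            pkts.append((1.0 + j * 0.002, bot))
    for i in range(40):
        pkts.append((1.5, f"203.0.113.{i}"))
    return run(pkts, DynamicFilter(block_seconds=30.0, floor=50, k=6.0))


if __name__ == "__main__":
    print(demo())
```

The median/MAD test is what makes this "outlier" detection rather than a fixed cap: the norm is derived from the population of sources in the same window, so a flash crowd of many moderate clients is not punished while two sources sending fifty times the typical rate are. Only admitted packets are counted, so a source that is already blocked cannot keep inflating its own statistics, and when its rule lapses it is judged afresh.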
Active Verification through Legitimate IP Address Matching
While SYN proxy is a great anti-spoofing technique, an appliance that answers every SYN of a flood with a SYN/ACK generates a large volume of outbound traffic within a short time. To avoid this reverse flood, the IP addresses that have proven legitimate by completing a handshake are cached in a memory table for a limited period, and their subsequent connections are let through without the SYN proxy check. Attackers can misuse such a hole: a zombie with a real, unspoofed address can complete the 3-way handshake once, get cached, and then flood. Cached addresses must therefore still be checked, by rate limiting the zombies that are able to complete 3-way handshakes.
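The following example, added for this knol and not taken from the original article, puts the SYN Proxy section and this one together: a stateless SYN proxy that answers SYNs with a SYN-cookie ISN, validates the client's final ACK, caches sources that completed the handshake so that their later SYNs bypass the proxy, and caps how many SYNs a cached source may send before it is dropped. The cookie construction (an HMAC over the 4-tuple and a 64-second time slot, truncated to 32 bits), the cache TTL, the per-source SYN budget and the traffic are assumptions of this example.

```python
"""SYN proxy with stateless SYN cookies, a verified-source cache and a
per-source SYN budget for cached sources (active verification).

Added example for this knol, not code from the original article. The cookie
layout, the 64-second slot, the TTL, the budget and the traffic below are
assumptions made here.
"""
import hashlib
import hmac
import struct

SLOT_SECONDS = 64   # cookie validity slot; current and previous slot are accepted


class SynProxy:
    def __init__(self, key, cache_ttl=300.0, verified_syn_limit=20):
        self.key = key
        self.cache_ttl = cache_ttl
        self.verified_syn_limit = verified_syn_limit  # SYNs allowed per cached source per TTL
        self.verified = {}   # src ip -> (expires_at, syn_count)
        self.half_open_forwarded = 0

    def _cookie(self, src, sport, dst, dport, slot):
        """32-bit ISN derived from the 4-tuple, a secret and a time slot:
        the proxy stores nothing per SYN, so a spoofed flood costs it no memory."""
        msg = f"{src}|{sport}|{dst}|{dport}|{slot}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]

    def on_syn(self, src, sport, dst, dport, now):
        """Return ('forward',) if src is cached-legitimate, ('drop',) if it is a
        cached source that exceeded its SYN budget, or ('synack', isn) with the
        cookie ISN the proxy answers with. No state is kept for the last case."""
        entry = self.verified.get(src)
        if entry and entry[0] > now:
            expires, count = entry
            if count >= self.verified_syn_limit:
                return ("drop",)               # verified zombie turning into a flood
            self.verified[src] = (expires, count + 1)
            return ("forward",)                # skips the SYN proxy check
        slot = int(now) // SLOT_SECONDS
        return ("synack", self._cookie(src, sport, dst, dport, slot))

    def on_ack(self, src, sport, dst, dport, ack, now):
        """Validate the final ACK of the handshake: ack must equal cookie+1 for
        the current or the previous slot. A source that passes is cached."""
        slot = int(now) // SLOT_SECONDS
        for s in (slot, slot - 1):
            if (self._cookie(src, sport, dst, dport, s) + 1) & 0xFFFFFFFF == ack:
                self.verified[src] = (now + self.cache_ttl, 1)
                self.half_open_forwarded += 1  # here the real server would get the connection
                return True
        return False   # forged or foreign ACK: drop, nothing was ever allocated


def demo():
    p = SynProxy(key=b"example-secret-key", verified_syn_limit=3)
    dst, dport = "192.0.2.10", 80
    # spoofed flood: 1000 SYNs from addresses that never answer; proxy stores nothing
    for i in range(1000):
        p.on_syn(f"10.{i // 256}.{i % 256}.1", 40000, dst, dport, now=0.0)
    state_after_flood = len(p.verified)             # 0
    # a real client completes the handshake and gets cached
    kind, isn = p.on_syn("203.0.113.5", 50001, dst, dport, now=1.0)
    verified = p.on_ack("203.0.113.5", 50001, dst, dport, (isn + 1) & 0xFFFFFFFF, now=1.2)
    forged = p.on_ack("203.0.113.6", 50002, dst, dport, 12345, now=1.2)
    # further SYNs from the cached source bypass the proxy, but only up to the budget
    results = [p.on_syn("203.0.113.5", 50000 + k, dst, dport, now=2.0)[0] for k in range(4)]
    return state_after_flood, verified, forged, results


if __name__ == "__main__":
    print(demo())
```

Two caveats the code makes visible: the SYN/ACK answers during the flood are the "reverse flood" this section warns about, and the cache is exactly the hole it describes. The budget on cached sources is the minimum control; a real appliance would also feed cached sources into the normal source rate limiting.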
Anomaly Recognition
Most DDoS attacks are written as scripts that continuously vary a few parameters in the network packets. By performing anomaly checks on headers, state and rate, an appliance can filter out most attack packets that would otherwise pass simple firewall rules.
Protocol Analysis
Similar to header, state and rate anomalies, deeper protocol analysis can bring out issues that would otherwise pass through a generic firewall.
Granular Rate Limiting
DDoS attacks are unpredictable and usually managed with scripted bots. The packets that reach the server differ from each other, yet there is some self-similarity among all the attack packets in a single attack.
Granular Rate Limiting is a technique that identifies rate violations against past behaviour. Rate thresholds are set from the behaviour observed during a training session and adjusted adaptively over time.
Granularity refers to the various parameters available in the layer 3, layer 4 and layer 7 headers. These include packet rates per source, destination, protocol, fragment and port, and at layer 7 per HTTP method, URL, User-Agent, Cookie, Host, Referer and so on.
Country Based Access Control Lists (ACL)
Most botnet traffic originates from a limited number of countries, which may not be the places you expect legitimate traffic from. Filtering traffic by country can reduce the load significantly, including spoofed traffic whose forged addresses fall into those countries. Doing the country lookup in software for every packet carries a large performance penalty, so look for an implementation in hardware logic.
White-list, Black-list, Non-tracked Sources
In any network there will always be some IP addresses that you want to allow or deny unconditionally. White-listing and black-listing capability is useful during a DDoS attack to ensure that such rules are honoured regardless of rate violations: a white-listed source is never dropped even if it exceeds a rate, and a black-listed source is always dropped even if it does not.
Since rate anomalies are behavioural, all norms are learned from the past. If there is behaviour you do not want to be learned as normal, you must exclude it from tracking by creating an exception. Such non-tracked sources include backup servers that do large amounts of I/O at specific times, or the nodes of a Content Delivery Network (CDN).
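The example below, added for this knol and not taken from the original article, implements the Granular Rate Limiting section together with this one: packets are described as dicts of layer 3/4/7 fields, a training phase learns the peak per-second rate for every (field, value) key while ignoring non-tracked sources, thresholds are a margin above the learned rate with a floor, they adapt by an exponential moving average after each window, and white-listed and black-listed sources bypass the rate logic in opposite directions. The field names, the margin of 3, the floor of 10, the EWMA weight and all traffic are constructed for the illustration.

```python
"""Granular rate limiting with learned baselines, plus white-list,
black-list and non-tracked sources.

Added example for this knol, not code from the original article. Each
packet is a dict of layer-3/4/7 fields; per-second counts are kept per
(field, value) key, thresholds come from a training window and are adapted
with an exponential moving average. Field names, margins and traffic are
constructed.
"""
from collections import Counter

TRACKED_FIELDS = ("src", "dst", "proto", "dport", "http.method", "http.url", "http.ua")


class GranularLimiter:
    def __init__(self, margin=3.0, floor=10, alpha=0.1,
                 whitelist=(), blacklist=(), non_tracked=()):
        self.margin = margin        # threshold = margin * learned peak rate
        self.floor = floor          # minimum threshold, so rare keys are not flagged
        self.alpha = alpha          # EWMA weight for the adaptive adjustment
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.non_tracked = set(non_tracked)   # backup hosts, CDN nodes: never learned
        self.baseline = {}          # key -> learned packets per second

    @staticmethod
    def keys(pkt):
        return [(f, pkt[f]) for f in TRACKED_FIELDS if f in pkt]

    def train(self, windows):
        """windows: list of per-second packet lists from the training session.
        Learns the peak rate observed per key, ignoring non-tracked sources."""
        peak = Counter()
        for pkts in windows:
            c = Counter(k for p in pkts if p["src"] not in self.non_tracked
                        for k in self.keys(p))
            for k, n in c.items():
                peak[k] = max(peak[k], n)
        self.baseline = dict(peak)

    def threshold(self, key):
        return max(self.floor, self.margin * self.baseline.get(key, 0))

    def process_window(self, pkts):
        """One second of traffic. Returns (passed, dropped, violated_keys).
        Black-listed sources are always dropped, white-listed and non-tracked
        sources always pass and neither count toward nor are bound by rates."""
        passed = dropped = 0
        counts = Counter()
        violated = set()
        for p in pkts:
            src = p["src"]
            if src in self.blacklist:
                dropped += 1
                continue
            if src in self.whitelist or src in self.non_tracked:
                passed += 1
                continue
            ks = self.keys(p)
            over = [k for k in ks if counts[k] + 1 > self.threshold(k)]
            if over:
                violated.update(over)
                dropped += 1
                continue
            for k in ks:
                counts[k] += 1          # only admitted traffic shapes the baseline
            passed += 1
        for k, n in counts.items():     # adaptive adjustment toward the observed rate
            self.baseline[k] = (1 - self.alpha) * self.baseline.get(k, n) + self.alpha * n
        return passed, dropped, violated


def demo():
    def web(src, method="GET", url="/index.html", ua="Mozilla/5.0"):
        return {"src": src, "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
                "http.method": method, "http.url": url, "http.ua": ua}
    # constructed training traffic: 30 clients, 2 requests each per second, for 5 seconds,
    # plus a backup host bursting 500 requests/s that must not be learned as normal
    training = []
    for _ in range(5):
        sec = [web(f"203.0.113.{i}") for i in range(30) for _ in range(2)]
        sec += [web("10.0.0.200", url="/backup") for _ in range(500)]
        training.append(sec)
    lim = GranularLimiter(margin=3.0, floor=10, non_tracked=("10.0.0.200",),
                          whitelist=("203.0.113.1",), blacklist=("198.51.100.9",))
    lim.train(training)
    learned_url = lim.baseline[("http.url", "/index.html")]   # 60 requests/s
    # attack second: normal clients plus a scripted bot hammering one URL with one User-Agent
    attack = [web(f"203.0.113.{i}") for i in range(30) for _ in range(2)]
    attack += [web("198.51.100.1", url="/login", ua="python-requests/2.0") for _ in range(300)]
    attack += [web("198.51.100.9") for _ in range(20)]        # black-listed source
    attack += [web("203.0.113.1") for _ in range(50)]         # white-listed, passes regardless
    passed, dropped, violated = lim.process_window(attack)
    return learned_url, passed, dropped, sorted(violated)


if __name__ == "__main__":
    print(demo())
```

The self-similarity the section mentions is what gets caught here: the bot's requests differ from normal traffic in URL and User-Agent, two keys that had never been seen in training and so sit at the floor threshold, while the aggregate keys (destination, port, method) stay well under their learned limits. Because only admitted packets feed the EWMA, an attack cannot train its own rate into the baseline.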
State Anomaly Recognition
TCP is the most commonly used protocol in web infrastructure. It is a stateful protocol and follows well-defined rules. Since most bots are scripted, they frequently break these rules. A state anomaly recognition engine looks for illegal TCP state transitions, foreign packets (packets belonging to connections that were never properly established) and TCP window violations (data outside the window the receiver advertised).
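A small state anomaly engine, added for this knol as an illustration and not taken from the original article: it tracks the client side of each flow through a reduced TCP state machine, reports illegal flag combinations (SYN with FIN or RST, no flags), foreign packets (ACK, data or FIN for a flow that never saw a SYN), illegal transitions (for example FIN before the handshake completed, or an unsolicited SYN/ACK) and window violations (client data ending beyond the window the server advertised). The state names, the flag letters and the packets are constructed; a production engine would also model the server side, retransmissions and the remaining close states.

```python
"""TCP state anomaly recognition: illegal flag combinations and state
transitions, foreign packets and window violations.

Added example for this knol, not code from the original article. The tracker
keeps a reduced per-flow state machine (client side, with the server's
SYN/ACK and window) and returns the anomaly name for each offending packet.
Flows and packets below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    state: str            # SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT
    seq_next: int         # next client byte the server expects
    window: int           # bytes the server currently advertises


class StateAnomalyEngine:
    # legal client-side transitions: (state, canonical flags) -> new state
    TRANSITIONS = {
        (None, "S"): "SYN_SENT",
        ("SYN_SENT", "S"): "SYN_SENT",          # SYN retransmission
        ("SYN_RECEIVED", "A"): "ESTABLISHED",   # third step of the handshake
        ("ESTABLISHED", "A"): "ESTABLISHED",
        ("ESTABLISHED", "AF"): "FIN_WAIT",
        ("FIN_WAIT", "A"): "FIN_WAIT",
    }

    def __init__(self):
        self.flows = {}
        self.anomalies = []

    def packet(self, flow_id, flags, seq=0, payload_len=0, from_server=False, window=65535):
        """Feed one packet; flags is a string of S/A/F/R letters.
        Returns None if the packet is legal, else the anomaly name."""
        flags = "".join(sorted(flags, key="SAFR".index))   # canonical order
        flow = self.flows.get(flow_id)
        state = flow.state if flow else None

        # 1. flag combinations no real TCP stack produces
        if "S" in flags and ("F" in flags or "R" in flags) or flags == "":
            return self._report(flow_id, "illegal_flags", flags)
        if "R" in flags:                       # RST tears the flow down
            self.flows.pop(flow_id, None)
            return None
        # 2. foreign packet: ACK/data/FIN for a connection that was never opened
        if flow is None and "S" not in flags:
            return self._report(flow_id, "foreign_packet", flags)
        if from_server:
            if state == "SYN_SENT" and flags == "SA":
                flow.state, flow.window = "SYN_RECEIVED", window
                return None
            if state in ("ESTABLISHED", "FIN_WAIT") and "A" in flags:
                flow.window = window           # track the advertised window
                return None
            return self._report(flow_id, "illegal_transition", f"{state}:{flags}")
        # 3. client-side state transition check
        new_state = self.TRANSITIONS.get((state, flags))
        if new_state is None:
            return self._report(flow_id, "illegal_transition", f"{state}:{flags}")
        if flow is None:
            self.flows[flow_id] = Flow(new_state, seq_next=seq + 1, window=window)
            return None
        # 4. window violation: client data ending beyond the server's window
        if payload_len and state == "ESTABLISHED":
            if seq + payload_len > flow.seq_next + flow.window:
                return self._report(flow_id, "window_violation", f"seq={seq}")
            flow.seq_next = max(flow.seq_next, seq + payload_len)
        flow.state = new_state
        return None

    def _report(self, flow_id, kind, detail):
        self.anomalies.append((flow_id, kind, detail))
        return kind


def demo():
    eng = StateAnomalyEngine()
    # legitimate handshake and data on flow "good"
    eng.packet("good", "S", seq=1000)
    eng.packet("good", "SA", from_server=True, window=4096)
    eng.packet("good", "A", seq=1001)
    ok_data = eng.packet("good", "A", seq=1001, payload_len=500)
    too_far = eng.packet("good", "A", seq=1501, payload_len=5000)   # past the 4096-byte window
    foreign = eng.packet("bot1", "A", seq=1)                        # ACK into a flow never opened
    bad_flags = eng.packet("bot2", "SF", seq=1)                      # SYN+FIN, a scanner favourite
    half = StateAnomalyEngine()
    half.packet("bot3", "S", seq=7)
    early_fin = half.packet("bot3", "AF", seq=8)                     # FIN before the handshake completed
    return ok_data, too_far, foreign, bad_flags, early_fin, len(eng.anomalies)


if __name__ == "__main__":
    print(demo())
```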
Stealth Attack Filtering
Attacks have precursors, in the form of scans. Network scans to discover the IP addresses in use are common, and so are port scans to discover the TCP and UDP ports that respond to connections. By identifying such scans and the attackers behind them, you can take precautions against a future full-blown attack.
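A scan detector of the kind this section describes, added for this knol and not taken from the original article: for each source it keeps the connection attempts of the last few seconds and counts the distinct destination hosts (network scan) and the distinct ports on one host (port scan); a source crossing a threshold is recorded as a scanner so that its later traffic can be handled with suspicion. The window of 10 seconds, the thresholds of 20 hosts and 20 ports, and the traffic are constructed. The example also shows the classic limitation: a scanner that probes one host per second never accumulates enough targets inside the window and goes unnoticed.

```python
"""Stealth attack (precursor) filtering: port scan and network scan
detection from per-source fan-out in a sliding window.

Added example for this knol, not code from the original article. Window,
thresholds and traffic are constructed.
"""
from collections import defaultdict, deque


class ScanDetector:
    def __init__(self, window=10.0, port_threshold=20, host_threshold=20):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.events = defaultdict(deque)     # src -> deque of (ts, dst, dport)
        self.scanners = {}                   # src -> kind of scan detected

    def observe(self, ts, src, dst, dport):
        """Record one connection attempt. Returns 'port_scan', 'network_scan'
        or None for this attempt, and remembers the source in self.scanners."""
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and q[0][0] < ts - self.window:    # slide the window forward
            q.popleft()
        hosts = {d for _, d, _ in q}                # distinct destinations
        ports_on_dst = {p for _, d, p in q if d == dst}   # distinct ports on this host
        kind = None
        if len(hosts) >= self.host_threshold:
            kind = "network_scan"
        elif len(ports_on_dst) >= self.port_threshold:
            kind = "port_scan"
        if kind:
            self.scanners[src] = kind
        return kind


def demo():
    det = ScanDetector(window=10.0, port_threshold=20, host_threshold=20)
    # a normal client touching a handful of ports on one host
    normal = [det.observe(float(i), "203.0.113.5", "192.0.2.10", p)
              for i, p in enumerate((80, 443, 22, 80, 443))]
    # port scanner: 1024 ports on one host in about 4 seconds
    port = [det.observe(1.0 + i * 0.004, "198.51.100.1", "192.0.2.10", 1 + i)
            for i in range(1024)]
    # fast network scanner: port 445 across a /24 in under 3 seconds
    fast = [det.observe(5.0 + i * 0.01, "198.51.100.2", f"192.0.2.{i}", 445)
            for i in range(1, 255)]
    # slow network scanner: one host per second, never more than 11 targets in the window
    slow = [det.observe(100.0 + i, "198.51.100.3", f"192.0.2.{i}", 445)
            for i in range(1, 255)]
    first_port_alert = next(i for i, k in enumerate(port) if k)   # fires on the 20th port
    first_net_alert = next(i for i, k in enumerate(fast) if k)    # fires on the 20th host
    return any(normal), first_port_alert, first_net_alert, any(slow), sorted(det.scanners.items())


if __name__ == "__main__":
    print(demo())
```

Lowering the thresholds or widening the window catches slower scans at the cost of memory per source and false positives from legitimate fan-out (monitoring hosts, crawlers), which is why such sources belong on the non-tracked list discussed earlier.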
Dark Address Scan Prevention
Figure: A Typical DDoS Mitigation Stack