Core Protection, DDoSDetection

1
Core Protection,DDoS-Detection -Mitigation
Experience_at_ACOnet

• CEENet / Nato Workshop
• Ohrid, June 27, 2005
• Harald Michl michl_at_cc.univie.ac.at

2
Agenda

• Who is ACOnet
• Layer2 Protection Methods
• IP inbound Filtering
• BGP Filtering
• DDoS Protection
• Selected Products
• Experience Lessons Learned
• Future
• Demonstration

3
Who is ACOnet

• Austrias NREN http//www.ACO.net/
• Connecting Universities,
• regional School Networks,
• Research Institutes,
• governmental Departments
• Switched/Layer2 GbEthernet Core
• (AT-wide)
• Routed/Layer3 Global Connectivity Service
• Operated by UniVie and operations partners at
  universities hosting a POP

4
ACOnet Topology
5
ACOnet Core Vienna
6
ACOnet Core Equipment

• Vienna
• Cat6509/SUP2/FlexWAN(ATM)/OSMs
• IOS12.1(26)E
• Regional POPs
• Cat3750G-12S-Stacks
• Cisco7507 (for serialATM)
• GigabitEthernet Core
• Alcatel/ADVA-DWDM
• operated by Telekom Austria

7
Layer2 Protection

• Reason primarily protect against (customer)
  configuration mistakes and asymmetric DWDM
  transmission failures
• Global config Level
• UDLD enable
• errdisable detect recovery
• VLAN Level STP (pvst mode)
• Interface Level
• storm-control broadcast ( multicast)
• spanning-tree guard root

8
IP inbound Filtering

• From Upstreams, Customers Peers
• deny RFC1918
• deny Bogon Sourceshttp//www.cymru.com/Bogons/
• From Customers (not yet implemented)
• strict uRPF (single homed)
• Caution with diverted Prefixes !
• prefix-based (dual-homed)

9
BGP inbound Filtering

• From Customers and small Peers
• prefix-based (auto-generated from RIPE-DB)
• From larger Peers
• AS-Path depth
• max-prefix
• From Upstreams
• deny Bogon Prefixes

10
Why DDoS Protection ?

• Regular attacks experienced since 2001
  specifically towards IRC servers (at universities
  in Linz, Graz, Vienna)
• Attacks have been affecting POP infrastructure
  and customers
• UniVie technically responsible for
• .AT-ccTLD nameservers
• No 7x24 staffed NOC

11
Why Riverhead Guard ?

• Scaling well for our network size and topology
• Diversion model instead of in-line
• Self removing in case of failure
• Excellent helpful staff cooperation during test
  installation and early production phase
• Good understanding of customer needs
• Fast and flexible with implementation of
  improvements
• In 2004 Riverhead bought by Cisco and product now
  named Cisco Guard XT http//www.cisco.com/en/US/p
  roducts/ps5894/

12
How is it deployed in ACOnet

• Currently one Guard XT in Vienna
• Dedicated VLAN, with Guard and all POP routers
  directly connected (easy Layer2 forwarding)
• BGP/diversion only with Vienna core ?
• Policy route-maps (PBR forwarding) needed for
  Vienna customers only

13
Cisco Guard simple view
14
Cisco Guard Diverting traffic
more specific announcement
15
Cisco Guard Reinject traffic (1)
more specific announcement
next hop
16
Cisco Guard Reinject traffic (2)
more specific announcement
next hop
17
Cisco Guard Reinject traffic (3)
more specific announcement
next hop
18
Cisco Guard Attention!
DO NOT USE STRICT URPF !!!
more specific announcement
19
What it protects

• Permanently
• IRC Servers in Linz, Graz and Vienna
• Selected FTP/WWW Servers
• Selected .AT-ccTLD Server(s)
• On-Demand
• Profiled / baselined Customer Hosts and Subnets
• Parts of Core Infrastructure when under attack
• On-The-Fly
• Any ACOnet Customer asking for ad-hoc protection

20
What is missing

• ACOnet investigating/implementing
• per zone/customer reporting
• Automatic Protection (using Peakflow SP/CP)
• and other new features in R3/XT
• Cisco Guard
• Overlapping Zones
• Securing customer support quality

21
Why Arbor Peakflow ?

• Complementary tool needed for Anomaly Detection
  in the core
• Neither Cisco Detector nor IDS generally suited
  for anomaly detection in the core
• Looking for Netflow based analyzer
• Talking to other Riverhead users
• Testing Arbor Peakflow/DoS Traffic
• Promise to integrate consolidate and to
  directly interface with Cisco Guard
• Peakflow SP/CP http//www.arbor.net/products_sp.p
  hp

22
How is Arbor Peakflow used?

• Intended to use mainly for Anomaly Detection
• Great functionality of traffic-module
• analysis of traffic flow
• (getting back) peering statistics
• traffic statistic of/for customers
• AS-Explorer

23
Arbor Peakflow _at_ ACOnet
24
Experience Lessons Learned

• Generally good experience with both products,
  however
• Peakflow quality highly depends on Netflow
  quality, which hasnt been as good as expected on
  our Cat6k5
• No TCP flags (not supported on any current
  PFCs/ASICs)
• Severe Netflow hashing problems (bug) on SUP2 /
  IOS12.2(18)SXD gt now back to 12.1(26)E
• Cisco Support
• Cumbersome to get priority and engineering focus
• Learning curve longer than expected on Arbor
  products

25
Future

• Upgrading Core to SUP720-3B(XL) and 12.2S
• Deploy CoPP (Control Plane Policing / Protection)
• Infrastructure ACLs (partial / on-demand ?)
• Still working on migration to consolidated Arbor
  platform (Peakflow SP/CP)
• Integration with Cisco Guard
• Cooperation with upstreams and peers
• Fingerprint Sharing
• Keeping our minds open for other / complementary
  solutions
• And then IPv6 !?!?!?

26
Live Show!fasten your seatbelt ?
Peakflow reports attack
Guards cleans traffic
27
Questions ?