ANCP anti-attacks extension - PowerPoint PPT Presentation

About This Presentation
Title:

ANCP anti-attacks extension

Description:

... port scanning, tracert, etc.) malformed packet (ping of death, teardrop, etc.) control message flood towards NAS (PPP/DHCP protocol control message, ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 10
Provided by: iet51
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: ANCP anti-attacks extension


1
ANCP anti-attacks extension
  • draft-fan-ancp-network-anti-attack-00
  • IETF 77th , March. 22-27, 2010
  • Bo Wu (ZTE corporation.)
  • Liang Fan (ZTE corporation )
  • Bo Yuan (ZTE corporation)

2
Problems statement
  • There are widespread attacks launched (whether
    actively or passively) by a large number of
    subscribers at the same time on the broadband
    network.
  • The attacking methods include
  • denial of service (SYN flood, fraggle, smurf,
    etc.)
  • scanning and snooping (address scanning, port
    scanning, tracert, etc.)
  • malformed packet (ping of death, teardrop, etc.)
  • control message flood towards NAS (PPP/DHCP
    protocol control message, etc.
  • Attacking towards both the NAS and the network
    behind it.

3
Current Solution
  • Traditionally, network attacks from subscribers
    are detected at NAS site (with or without
    additional device, such as Firewall box).
  • All the anti-attack policies will be enforced on
    NAS site. It means
  • the illegal upstream flows are transmitted in the
    access network (from AN to NAS) without any
    limitation
  • the NAS should have high performance hardware to
    implementing all the anti-attack policies

Centralized attacking detection policy
enforcement
4
Motivation
  • This document specifies an extension of Access
    Node Control Protocol to enforce security policy
    for network anti-attacking.
  • Applications
  • Attacks towards NAS
  • Attacks towards network behind NAS
  • The solution is a kind of enhancement to current
    anti-attack solution which is based on NAS site
    detection and policy enforcement. With the
    enhancement, it becomes a centralized detection
    and distributed enforcement solution.

Notesthe corresponding general contribution has
been accepted by BBF WT-207.
5
Message Flow
Subscriber
AN
NAS
Attacking flow
Detection
Anti-attack control
Anti-attack policy enforcement
Control response
Attacking flow
Anti-attack release
Anti-attack policy release
Control response
6
New Message suggested
  • Policy Configuration
  • Configuration Response
  • Policy Release
  • Release Response

7
New TLVs suggested
  • Command TLV for Policy Configuration and Policy
    Release Message
  • Command Code
  • 0x01 - Add (here means add to MAC Black/White
    List)
  • 0x02 - Delete (here means delete in MAC
    Black/White List)
  • 0x03 - Delete All (here means delete all in MAC
    Black/white List)
  • 0x07 - Update (here means update MAC Table Size
    Limitation / Rate Limitation)
  • 0x08 - Disable (here means disable MAC Table Size
    Limitation / Rate Limitation)
  • 0x09 - Shut Down the Target
  • 0x0a - Activate the Target
  • MAC-Black-List sub-TLV
  • MAC-White-List sub-TLV
  • MAC-Table-Size sub-TLV
  • Target-Rate-Limitation sub-TLV

8
Current Status Next Step
  • 00-version individual draft
  • Next step
  • Look for comments/ feedback from WG.

9
Thanks!
Write a Comment
User Comments (0)
About PowerShow.com