![Page 1: Anatomy of Denial of Service Mitigation Testing · PDF file · 2009-11-30Denial of Service Mitigation Testing. ... important project listed Source: Information Security Magazine,](https://reader031.vdocuments.us/reader031/viewer/2022022502/5aac90d27f8b9a2e088d2746/html5/thumbnails/1.jpg)
Version 3.0
DEFCON 10
August 2002
Anatomy of Denial of Service Mitigation Testing

Agenda
• Why Test?
• Methodology
• Challenges and Lessons Learned
• Findings

Denial of Service Mitigation Testing

WHY?
• Desire to Protect
  – Infrastructure
  – Data
  – Business Continuity
• Evaluate Emerging Technologies
• Problem is just getting worse
  – Many nasty DOS and DDOS tools in the wild

2001 Survey Results
Results of the 2001 Information Security Magazine Industry Survey show an increase in Denial of Service attacks experienced by the survey participants.
Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47.

2001 Survey Results
• System unavailability is 4th highest INFOSEC concern
Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47.

2001 Survey Results
• Security and Availability of Websites 2nd most important project listed
Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47.

What We Were Looking For
• Infrastructure Protection
  – Minimum Gigabit Solutions (GigE and Fiber)
  – OC48 and OC192 capability desired
• Customer Protection
  – Gigabit MM Fiber
  – GigE
  – 10/100 Ethernet
  – Eventually OC48 and OC192

Products Tested
Passive “tapped” Solutions
• Arbor Networks
• Reactive Networks
• Mazu Networks
• Asta Networks
In-line Solutions
• Captus Networks
• Mazu Networks
• Selection was based on the September 2001 Information Security Magazine article, “Denying Denial-of-Service”.

Methodology

Today’s DOS Prevention
• Reverse Path Filtering (deny invalid IPs)
• Allow only good traffic into your network (ingress filtering)
• Allow only good traffic out of your network (egress filtering)
• Stop directed broadcast traffic (to avoid being an amplifier)
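The four controls above can be checked as one border-filter policy. The following is an added illustration written for this page, not code from the talk or from any of the tested products; the prefixes (RFC 5737 documentation space), the interface names `outside`, `cust-a` and `cust-b`, and the bogon list are all constructed for the example. It goes slightly beyond the slide by using two customer interfaces so that strict reverse-path filtering catches a case that plain egress filtering does not: a packet whose source belongs to our address space but to a different customer segment than the one it arrived on.

```python
"""Border-filter policy check for reverse-path, ingress, egress and
directed-broadcast filtering (added example; topology is constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: our allocation is 192.0.2.0/24, split across two
# customer interfaces; everything else is reached via the upstream link.
OUR_PREFIX = ip_network("192.0.2.0/24")
ROUTES = {
    ip_network("192.0.2.0/25"): "cust-a",
    ip_network("192.0.2.128/25"): "cust-b",
    ip_network("0.0.0.0/0"): "outside",
}
# Source ranges that must never arrive on the upstream link (constructed list).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet arrived on


def expected_iface(src: str) -> str:
    """Longest-prefix match: the interface a packet with this source
    address should arrive on (strict reverse-path forwarding check)."""
    addr = ip_address(src)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def is_directed_broadcast(dst: str) -> bool:
    """True when dst is the subnet broadcast address of one of our prefixes."""
    addr = ip_address(dst)
    return any(addr == n.broadcast_address for n in ROUTES if n.prefixlen > 0)


def filter_packet(p: Packet) -> str:
    """Return 'permit' or 'deny:<reason>' for one packet, applying the
    controls in the order a border router would evaluate them."""
    src = ip_address(p.src)
    if p.in_iface == "outside":
        # Ingress filtering: the outside world may not claim our addresses
        # or private/reserved space as a source.
        if src in OUR_PREFIX:
            return "deny:ingress-spoofed-internal"
        if any(src in b for b in BOGONS):
            return "deny:ingress-bogon"
    else:
        # Egress filtering: only our own addresses may leave the network.
        if src not in OUR_PREFIX:
            return "deny:egress-spoofed"
    # Reverse path filtering: the source must be routed via the arrival
    # interface. This catches intra-network spoofing that egress misses.
    if expected_iface(p.src) != p.in_iface:
        return "deny:rpf"
    # Never forward directed broadcasts, so we cannot act as an amplifier.
    if is_directed_broadcast(p.dst):
        return "deny:directed-broadcast"
    return "permit"


def run_policy(packets):
    """Evaluate a list of packets and return the verdict for each."""
    return [filter_packet(p) for p in packets]


# Constructed sample traffic covering each control once.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "outside"),     # normal inbound
    Packet("192.0.2.10", "203.0.113.7", "outside"),     # spoofs our space
    Packet("10.1.1.1", "192.0.2.10", "outside"),        # bogon source
    Packet("198.51.100.9", "203.0.113.7", "cust-a"),    # spoofed outbound
    Packet("192.0.2.10", "203.0.113.7", "cust-b"),      # wrong customer port
    Packet("192.0.2.10", "203.0.113.7", "cust-a"),      # normal outbound
    Packet("203.0.113.7", "192.0.2.255", "outside"),    # directed broadcast
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_policy(SAMPLE_PACKETS)):
        print(f"{pkt.in_iface:8} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The order of checks matters for the reason a packet is logged with: ingress and egress rules run first so spoofed-internal and bogon drops are reported as such, and the reverse-path check only reports what those rules let through.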

Methodology
• Imitate a customer hosting center
• Run real tests across the infrastructure
• Test both network functionality and the management interfaces
• Find solutions that will work upstream instead of downstream

Test Environment Architecture

Passive “Tapped” Testing
• No network side IP address
• Data mirroring
• Not a single point of failure on the network
• Products recommend ACLs for the routers
  – Automatic
  – Semi-Automatic
  – Report only

Reactive Network Solutions FloodGuard

MAZU Networks TrafficMaster

Asta Networks Vantage

Arbor Networks PeakFlow

In-Line Testing
• Boxes placed in the data stream
• Quicker response to attacks based on implemented rules
• Interfaces visible on the network

Mazu Networks (inline)

Captus Networks

Types of Tests
• Baseline traffic generation to emulate a web hosting center
  – ldgen with replayed traffic
• Attack Traffic (DOS and DDOS)
  – TCP SYN
  – TCP ACK
  – UDP, ICMP, TCP floods
  – Fragmented Packets
  – IGMP flood
  – Spoofed and un-spoofed

Lesson Learned

Network
• Baseline Traffic must be stateful (TCP 3-way handshake must be complete)
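A quick way to confirm this before a test run is to walk the baseline capture through a minimal TCP handshake tracker and count how many flows actually reach the established state; one-sided replay (only the client's packets) never completes the handshake and looks like a half-open SYN flood to the device under test. The following is an added example written for this page, not a tool from the talk; the segment tuples, addresses and the 95% completion threshold are constructed for the illustration.

```python
"""Check that baseline traffic completes the TCP 3-way handshake
(added example; segment records are constructed)."""

SYN, ACK = "SYN", "ACK"


def flow_key(src, sport, dst, dport):
    """Canonical bidirectional key so both directions map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def track_handshakes(segments):
    """Walk (src, sport, dst, dport, flags) records in capture order and
    return {flow_key: state}. States: 'syn_sent' (client SYN seen),
    'syn_received' (server SYN/ACK seen), 'established' (client ACK
    completed the handshake)."""
    state, initiator = {}, {}
    for src, sport, dst, dport, flags in segments:
        k = flow_key(src, sport, dst, dport)
        flags = set(flags)
        if flags == {SYN}:
            if k not in state:  # first SYN opens the flow
                state[k] = "syn_sent"
                initiator[k] = (src, sport)
        elif flags == {SYN, ACK}:
            # Must come from the other side of an open SYN.
            if state.get(k) == "syn_sent" and (src, sport) != initiator[k]:
                state[k] = "syn_received"
        elif ACK in flags:
            # Third step: the initiator acknowledges the SYN/ACK.
            if state.get(k) == "syn_received" and (src, sport) == initiator[k]:
                state[k] = "established"
    return state


def handshake_summary(segments):
    """Count flows by whether the handshake completed."""
    state = track_handshakes(segments)
    established = sum(1 for s in state.values() if s == "established")
    return {"flows": len(state), "established": established,
            "half_open": len(state) - established}


def baseline_is_stateful(segments, min_complete=0.95):
    """True when at least min_complete of the flows reached established."""
    s = handshake_summary(segments)
    return s["flows"] > 0 and s["established"] / s["flows"] >= min_complete


SERVER = ("192.0.2.10", 80)  # constructed hosting-center web server


def full_handshake(client, port):
    """Both directions of a normal connection plus one data segment."""
    return [
        (client, port, *SERVER, (SYN,)),
        (*SERVER, client, port, (SYN, ACK)),
        (client, port, *SERVER, (ACK,)),
        (client, port, *SERVER, ("PSH", ACK)),
    ]


def client_side_only(client, port):
    """What a one-directional replay looks like: no server SYN/ACK."""
    return [
        (client, port, *SERVER, (SYN,)),
        (client, port, *SERVER, (ACK,)),
        (client, port, *SERVER, ("PSH", ACK)),
    ]


CLIENTS = [("198.51.100.1", 40001), ("198.51.100.2", 40002), ("198.51.100.3", 40003)]
GOOD_BASELINE = [seg for c, p in CLIENTS for seg in full_handshake(c, p)]
ONE_SIDED_REPLAY = [seg for c, p in CLIENTS for seg in client_side_only(c, p)]

if __name__ == "__main__":
    for name, segs in (("stateful", GOOD_BASELINE), ("one-sided", ONE_SIDED_REPLAY)):
        print(name, handshake_summary(segs), "ok" if baseline_is_stateful(segs) else "NOT stateful")
```

Run this over the generator's output before pointing it at a mitigation device: if the half-open count is high, the device's anomaly model is being trained on (or alerting on) the generator rather than on realistic hosting-center traffic.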

Routes
• Bad Routes will kill your network and make you unemployed
  – Thank God we were in the lab
• Be sure to isolate your management network from the attack network ON EVERY BOX

Attack Network
• Different tools on different systems
  – Linux 6.2 and Linux 7.2
  – OpenBSD
  – Solaris
• Mix of 10/100 and Gig Interfaces needed to push the traffic levels

Tools Utilized
• DOS/DDOS Tools
  – Vendor provided
    • Arbor TrafGen
  – Open source
    • stream
    • litestorm
    • rc8.o
    • f__kscript
    • slice3

Victim Network
• Monitoring Tools
  – LaBrea
  – Snort
• Manual Checks
  – Simple Pings
  – CPU usage monitoring

Flow Sampling
• Netflow/Cflowd from Cisco and Juniper
  – Sampling rates must match in both the router and the DDOS mitigation device
  – Juniper had more consistent flow characteristics and reported faster
  – Flow sampling has many value adds
    • Traffic characterization
    • Customer billing
    • And DOS/DDOS detection

SNMP Communications
• SNMP is used to monitor the status of the routers and to provide alerts when an attack is underway.
• Connectivity is necessary for proper operation.
• SNMP community string required for proper communications (NOT PUBLIC)

FINDINGS

What Vendors Did Well!
• Monitor baseline traffic
• Detect changes in traffic patterns away from baseline
• Alerting and Alarming when thresholds or statistics were exceeded
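The baseline-and-threshold detection described here depends on the flow-sampling point made earlier: a sampled export is only an estimate of real traffic once it has been scaled by the sampling rate, so a mitigation device configured with a different rate than the router will mis-size every flow and can miss an attack outright. The block below is an added example written for this page, not any vendor's detection logic; the per-destination packet history, the 1:1000 export, the 3-sigma threshold and the function names are all constructed for the illustration.

```python
"""Baseline deviation alerting on sampled flow export, and the effect of a
sampling-rate mismatch between router and detector (added example; all
flow data is constructed)."""
import statistics
from collections import defaultdict


def estimate_packets(sampled_packets, sampling_rate):
    """Scale a count seen in 1:N sampled NetFlow/cflowd export back to an
    estimate of the real packet count."""
    return sampled_packets * sampling_rate


def per_destination_totals(records, sampling_rate):
    """Sum scaled packet estimates per destination for one interval.
    records: iterable of (dst_ip, sampled_packet_count)."""
    totals = defaultdict(int)
    for dst, sampled in records:
        totals[dst] += estimate_packets(sampled, sampling_rate)
    return dict(totals)


def baseline_thresholds(history, k=3.0):
    """history: {dst: [packets per past interval]} -> {dst: mean + k*sigma}.
    Population standard deviation is used because the window is the whole
    baseline we have, not a sample of a larger one."""
    return {dst: statistics.mean(v) + k * statistics.pstdev(v)
            for dst, v in history.items()}


def alerts(current, thresholds):
    """Destinations whose current estimate exceeds their learned threshold."""
    return sorted(dst for dst, v in current.items()
                  if dst in thresholds and v > thresholds[dst])


# Constructed baseline: packets per interval for two hosted servers over
# five quiet intervals, as the device would have learned them.
HISTORY = {
    "192.0.2.10": [10000, 11000, 9500, 10500, 10000],
    "192.0.2.20": [9000, 9500, 8500, 9000, 9000],
}
# Constructed current-interval export from a router sampling at 1:1000:
# .10 is receiving roughly four times its normal packet rate.
ROUTER_SAMPLING_RATE = 1000
CURRENT_EXPORT = [("192.0.2.10", 25), ("192.0.2.10", 15), ("192.0.2.20", 9)]


def detect(assumed_rate, records=CURRENT_EXPORT, history=HISTORY):
    """Run detection with the sampling rate the *device* believes is in use."""
    current = per_destination_totals(records, assumed_rate)
    return alerts(current, baseline_thresholds(history))


if __name__ == "__main__":
    print("rates match (1:1000):   ", detect(ROUTER_SAMPLING_RATE))
    print("device assumes 1:100:   ", detect(100))
```

With matching rates the estimate for 192.0.2.10 is 40000 packets against a threshold near 11730 and an alert fires; with the device assuming 1:100 the same export scales to 4000, below baseline, and nothing is reported. The same mismatch in the other direction inflates ordinary traffic into false alarms.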

What wasn’t so Good
• Protection of the management interfaces
• Implementing warning banners and account lockouts
• Port lockdown on the management interfaces

Solutions

Large Enterprise
• Passive Solutions best
• Mix of flow collectors and packet collectors that can visualize your entire network
• Centralize the management consoles into a security operations center or NOC
• Products:
  – Arbor
  – Asta
  – Reactive

Smaller Enterprise
• In-Line Solutions worth considering
• Combination firewall/DOS solutions
• Combination IDS/DOS solutions
  – Captus
  – Mazu
  – Recourse (not tested)

Resources
• www.sans.org/ddos_roadmap.htm
• www.sans.org/dosstep/index.htm
• www.nipc.gov
• staff.washington.edu/dittrich/misc/ddos
• www.cert.org

Conclusions
• Technology still evolving
• Integrated products likely the future (DOS combined with IDS or Firewall)
• Positive strides toward solutions

Questions ?
Greg Miles, Ph.D., CISSP
• CIO – Security Horizon Inc.
• Information Technology – 15 Years
• Information Security – 11 Years
• e-mail: [email protected]
• Web: www.securityhorizon.com