Security Functional Requirements for Anti-DDoS Products
Jun Woo Park
TTA, Korea
Global Leader of ICT Standardization & Certification
StandardWins Global IT Power

Ⅰ. Introduction about DDoS
Ⅱ. Security Functional Requirements
I. Introduction about DDoS
01 Introduction about DDoS
02 DDoS Attack Process
03 Methods of DDoS Attack
04 Operating Environment
01. Introduction about DDoS
- DDoS (Distributed Denial of Service)
  • Multiple systems flood the bandwidth or resources of a target system
    – Multiple systems (computers) attempt to access a particular server many times at the same time
    – The attack depletes the resources of the target server or floods the network bandwidth
  • Symptoms
    – Unusually slow network performance (opening files or accessing web sites)
    – Unavailability of a particular web site
267-2 Seohyeon-dong, Bundang-gu, Seongnam-city, Gyeonggi-do, 463-824, Korea TEL) +82-31-724-0238
Copyright 2010 TTA All Rights Reserved.
02. DDoS Attack Process
03. Methods of DDoS Attack
- The attacks are generally classified into flood and application level.

Method              Type      DDoS Attack
Flood               Single    - TCP Syn Flood
                              - TCP Ack Flood
                              - ICMP Flood
                              - TCP Syn-Ack Flood
                              - TCP Fin Flood
                              - UDP Flood
                              - TCP Multi-connection
                    Mixture   - ICMP+UDP Flood
                              - ICMP+TCP Flood
                              - UDP+TCP Flood
                              - ICMP+UDP+TCP Flood
Application Level   Single    - Valid HTTP GET Flood
                              - Invalid HTTP GET Flood
                              - CC (Cache Control)
                              - DNS Query Flood
                              - Low bandwidth HTTP DoS
                    Mixture   - CC+TCP Flood
04. Operating Environment
- Inline (In-Path) Configuration
  • Inline appliances are generally deployed near the network firewall, in the direct flow of network traffic.
  • They also have the beneficial property of seeing all inbound traffic.
04. Operating Environment
- Out-of-Path Configuration
  • The Anti-DDoS appliance is not in the direct path of the network traffic.
  • A network traffic redirection technique is used to forward traffic to the appliance.
  • Consists of a mirroring device, a detection sensor, and a blocking device.
II. Security Functional Requirements
01 Security Functional Requirements
02 Testing Anti-DDoS Products
03 Certified Products
01. Security Functional Requirements
- Security Functions against DDoS attack

Security Functions               Contents
Detection/Block                  - Countermeasure against DDoS attacks such as Flood, Fragmentation, Application Level
Trace                            - Audit generation of the detected and blocked traffic
                                 - Alarm
                                 - Traffic monitoring
Identification & Authentication  - Identification and authentication for an administrator
Security Management              - Policy setting and audit view
02. Testing Anti-DDoS Products
- Unlike other network security products, the throughput capacity has to be considered.
  • A DDoS attack has the properties of flooding the network bandwidth and depleting the resources of a target system.
- The throughput capacity of the product has to be verified.
  • The security functions are affected by the throughput.
- The security functions (detecting and blocking) also have to be tested.
02. Testing Anti-DDoS Products
- Testing traffic for throughput capacity of the product

Method          Target   Traffic         Load
Normal Traffic  Server   Fragmented UDP  100% of the throughput capacity

- Testing traffic for security functions (Detecting & Blocking)

Method          Target   Traffic                     Load
Attack Traffic  Victim   All methods of DDoS attack  90% of the throughput capacity
Checking        Victim   HTTP                        1 tps
Normal Traffic  Server   HTTP                        5~10% of the throughput capacity
02. Testing Anti-DDoS Products
- Test cases

Test                        Test Items
Verification of throughput  - Throughput
                            - Packet Latency
                            - Max Connection
                            - Packet Loss
Detection / Block           - Detection time of attack packet
                            - Blocking time of attack packet
                            - Blocking rate of attack packet
                            - Success rate of normal packet
                            - Connection with victim server
                            - Audit generation of detection & blocking
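As an added illustration that is not part of the TTA presentation, the following Python script derives the Detection/Block test items (detection time, blocking time, blocking rate, success rate of normal packets) from a packet trace recorded on the protected side of an appliance; the trace, the event fields and the pass/fail thresholds are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    t_ms: int              # milliseconds since the test started
    kind: str              # "attack" or "normal" packet, or an "alarm" from the appliance
    dropped: bool = False  # True if the appliance blocked this packet

def first_after(trace: List[Event], start_ms: int,
                pred: Callable[[Event], bool]) -> Optional[int]:
    """Delay in ms from start_ms to the first event matching pred (None if none)."""
    hits = [e.t_ms - start_ms for e in trace if e.t_ms >= start_ms and pred(e)]
    return min(hits) if hits else None

def score(trace: List[Event], attack_start_ms: int) -> Dict[str, Optional[float]]:
    """Compute the Detection/Block measurements from one packet trace."""
    attack = [e for e in trace if e.kind == "attack"]
    normal = [e for e in trace if e.kind == "normal"]
    return {
        # detection time: first alarm after the attack generator starts
        "detection_ms": first_after(trace, attack_start_ms, lambda e: e.kind == "alarm"),
        # blocking time: first attack packet the appliance actually drops
        "blocking_ms": first_after(trace, attack_start_ms,
                                   lambda e: e.kind == "attack" and e.dropped),
        # blocking rate: share of attack packets dropped over the whole run
        "blocking_rate": sum(e.dropped for e in attack) / len(attack) if attack else None,
        # success rate of normal packets: share of normal packets that got through
        "normal_success": sum(not e.dropped for e in normal) / len(normal) if normal else None,
    }

def verdict(result: Dict[str, Optional[float]], max_block_ms: int = 1000,
            min_block_rate: float = 0.99, min_normal: float = 0.99) -> bool:
    """Pass/fail against thresholds; the defaults are assumptions for this
    example, not the pass criteria of the certification scheme."""
    if result["blocking_ms"] is None or result["blocking_rate"] is None:
        return False
    return (result["blocking_ms"] <= max_block_ms
            and result["blocking_rate"] >= min_block_rate
            and (result["normal_success"] or 0.0) >= min_normal)

# Constructed trace (not measured data): a normal packet every second, an
# attack flood every 100 ms from t=10 s, an alarm at 10.4 s, drops from
# 10.7 s, and one normal packet at 11 s wrongly dropped.
SAMPLE_TRACE = (
    [Event(t, "normal", dropped=(t == 11000)) for t in range(0, 20000, 1000)]
    + [Event(t, "attack", dropped=(t >= 10700)) for t in range(10000, 20000, 100)]
    + [Event(10400, "alarm")]
)
```

On the constructed trace the appliance detects after 400 ms and blocks after 700 ms, but only 93% of attack packets are dropped and one normal packet is lost, so the verdict is a fail.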
03. Certified Products
- Certified Products (Domestic)

Company               Product              EAL
Secui.com             SECUI NXG D V1.0     EAL4
Nowcom                SNIPER DDX V5.0.xg   EAL3
Nowcom                SNIPER DDX V5.1      EAL4
COMTRUE Technologies  DDoSCop-v2.0         EAL2
Thank You