Security Functional Requirements for Anti-DDoS Products
Jun Woo Park (junusee@tta.or.kr), TTA, Korea
Posted 27-Jul-2020 (Category: Documents)

TRANSCRIPT

Page 1

Standard Wins Global IT Power

Security Functional Requirements for Anti-DDoS Products

Jun Woo Park (junusee@tta.or.kr)

TTA, Korea
Global Leader of ICT Standardization & Certification

Page 2

Ⅰ. Introduction about DDoS
Ⅱ. Security Functional Requirements

Page 3

I. Introduction about DDoS

01 Introduction about DDoS
02 DDoS Attack Process
03 Methods of DDoS Attack
04 Operating Environment

Page 4

01. Introduction about DDoS

• DDoS (Distributed Denial of Service)
  - Multiple systems flood the bandwidth or the resources of a target system.
  - Many systems (computers) attempt to access a particular server at the same time.
  - The attack depletes the resources of the target server or floods the network bandwidth.

• Symptoms
  - Unusually slow network performance (opening files or accessing web sites)
  - Unavailability of a particular web site

267-2 Seohyeon-dong, Bundang-gu, Seongnam-city, Gyeonggi-do, 463-824, Korea TEL) +82-31-724-0238

Copyright 2010 TTA All Rights Reserved.

Page 5

02. DDoS Attack Process

[Diagram: DDoS attack process; this slide carries no transcript text.]

Page 6-7

03. Methods of DDoS Attack

• The attacks are generally classified into flood and application level.

  Method             | Single                  | Mixture
  -------------------+-------------------------+--------------------
  Flood              | TCP Syn Flood           | ICMP+UDP Flood
                     | TCP Syn-Ack Flood       | ICMP+TCP Flood
                     | TCP Ack Flood           | UDP+TCP Flood
                     | TCP Fin Flood           | ICMP+UDP+TCP Flood
                     | TCP Multi-connection    |
                     | ICMP Flood              |
                     | UDP Flood               |
  -------------------+-------------------------+--------------------
  Application Level  | Valid HTTP GET Flood    | CC+TCP Flood
                     | Invalid HTTP GET Flood  |
                     | CC (Cache Control)      |
                     | DNS Query Flood         |
                     | Low bandwidth HTTP DoS  |
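As an added example (not part of the TTA deck), the classification above can be turned into a small detector: it counts packets per candidate flood type in a one-second window and labels the window with the deck's category (Flood or Application Level) and method (Single or Mixture). The packet fields, the application-level tags assigned upstream, and the 1000 pps per-type threshold are assumptions; the windows are constructed for demonstration, not captured traffic.

```python
# Added example (not from the TTA deck): classify one observation window of
# packets into the deck's taxonomy (Flood vs. Application Level, Single vs.
# Mixture). The packet fields, the L7 tags and the per-type rate threshold
# are assumptions; a real sensor would derive them from parsed packets.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # TCP flag letters: "S", "SA", "A", "F"
    l7: str = ""        # application tag assigned upstream (assumed):
                        # "http_get", "http_get_invalid", "cc", "dns_query"


# Flood-type names follow the deck's table.
TCP_BY_FLAGS = {"S": "TCP Syn Flood", "SA": "TCP Syn-Ack Flood",
                "A": "TCP Ack Flood", "F": "TCP Fin Flood"}
APP_BY_TAG = {"http_get": "Valid HTTP GET Flood",
              "http_get_invalid": "Invalid HTTP GET Flood",
              "cc": "CC (Cache Control)",
              "dns_query": "DNS Query Flood"}


def count_types(window):
    """Count packets per candidate flood type in one window."""
    counts = Counter()
    for p in window:
        if p.l7 in APP_BY_TAG:
            counts[APP_BY_TAG[p.l7]] += 1
        elif p.proto == "tcp":
            counts[TCP_BY_FLAGS.get(p.flags, "TCP other")] += 1
        elif p.proto == "udp":
            counts["UDP Flood"] += 1
        elif p.proto == "icmp":
            counts["ICMP Flood"] += 1
    return counts


def classify(window, threshold_pps, window_secs=1.0):
    """Return (category, method, active_types) for one window.

    A type is 'active' when its packet rate is at or above threshold_pps.
    Several active types make a Mixture; any active application-level type
    puts the whole window in the Application Level category (the deck's
    'CC+TCP Flood' row), otherwise it is a Flood.
    """
    limit = threshold_pps * window_secs
    counts = count_types(window)
    active = sorted(t for t, n in counts.items() if n >= limit)
    if not active:
        return ("Normal", "", [])
    app_level = any(t in APP_BY_TAG.values() for t in active)
    category = "Application Level" if app_level else "Flood"
    method = "Mixture" if len(active) > 1 else "Single"
    return (category, method, active)


# Constructed one-second windows for demonstration, not real captures.
def sample_windows():
    background = [Pkt("tcp", "A")] * 50 + [Pkt("udp")] * 20
    return {
        "normal": background,
        "syn": background + [Pkt("tcp", "S")] * 1200,
        "icmp_udp": background + [Pkt("icmp")] * 1000 + [Pkt("udp")] * 1000,
        "cc_tcp": background + [Pkt("tcp", "S")] * 1000
                  + [Pkt("tcp", "A", "cc")] * 1000,
    }


if __name__ == "__main__":
    for name, window in sample_windows().items():
        print(name, classify(window, threshold_pps=1000))
```

The per-type threshold is deliberately applied before the category decision: a window with 1000 pps of SYNs and 1000 pps of CC requests lands in the Application Level / Mixture cell, which is what the deck's CC+TCP Flood row describes, while the 20 pps of background UDP never makes a window a mixture on its own.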

Page 8

04. Operating Environment

• Inline (In-Path) Configuration
  - Inline appliances are generally deployed near the network firewall, in the direct flow of network traffic.
  - They also have the beneficial property of seeing all inbound traffic from a single vantage point.

Page 9

04. Operating Environment

• Out-of-Path Configuration
  - The anti-DDoS appliance is not in the direct path of the network traffic.
  - A network traffic redirection technique is used to forward traffic to the appliance.
  - Consists of a mirroring device, a detection sensor, and a blocking device.
  - Detection works on the mirrored copy; blocking takes effect only for traffic that the redirection actually diverts through the blocking device.

Page 10

II. Security Functional Requirements

01 Security Functional Requirements
02 Testing Anti-DDoS Products
03 Certified Products

Page 11

01. Security Functional Requirements

• Security Functions against DDoS attack

  Security Function               | Contents
  --------------------------------+------------------------------------------------------
  Detection/Block                 | Countermeasure against DDoS attacks such as Flood,
                                  | Fragmentation and Application Level attacks
  Trace                           | Audit generation for the detected and blocked traffic
                                  | Alarm
                                  | Traffic monitoring
  Identification & Authentication | Identification and authentication of the administrator
  Security Management             | Policy setting and audit view

Page 12

02. Testing Anti-DDoS Products

• Unlike other network security products, the throughput capacity has to be considered.
  - A DDoS attack floods the network bandwidth and depletes the resources of the target system.

• The throughput capacity of the product has to be verified.
  - The security functions are affected by the throughput.

• The security functions (detecting and blocking) also have to be tested.

Page 13

02. Testing Anti-DDoS Products

• Testing traffic for the throughput capacity of the product

  Method         | Target | Traffic        | Load
  ---------------+--------+----------------+---------------------------------
  Normal Traffic | Server | Fragmented UDP | 100% of the throughput capacity

• Testing traffic for the security functions (detecting & blocking)

  Method         | Target | Traffic                    | Load
  ---------------+--------+----------------------------+----------------------------------
  Attack Traffic | Victim | All methods of DDoS attack | 90% of the throughput capacity
  Checking       | Victim | HTTP                       | 1 tps
  Normal Traffic | Server | HTTP                       | 5~10% of the throughput capacity

Page 14

02. Testing Anti-DDoS Products

• Test cases

  Test                       | Test Items
  ---------------------------+------------------------------------------
  Verification of throughput | Throughput
                             | Packet Latency
                             | Max Connection
                             | Packet Loss
  Detection / Block          | Detection time of attack packet
                             | Blocking time of attack packet
                             | Blocking rate of attack packet
                             | Success rate of normal packet
                             | Connection with victim server
                             | Audit generation of detection & blocking
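As an added example (not part of the TTA deck), the following script scores the Detection / Block test items listed above from a constructed per-second event log of a test run, and derives the attack, normal and checking loads of the traffic mix on the previous slide from a throughput capacity. The event record format, the choice of measuring the 90% / 5~10% / 1 tps split in packets per second, and every sample number are assumptions; the log is constructed, not a real test result.

```python
# Added example (not from the TTA deck): score the deck's "Detection / Block"
# test items from a constructed event log of a test run, and derive the
# traffic loads of the security-function test from a throughput capacity.
# The event record format and the sample numbers are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since the first attack packet was injected
    kind: str     # see SAMPLE_LOG for the kinds used
    n: int = 0    # packet count for *_sent / *_passed, 1 for single events


# Constructed log: 1000 attack pps, 100 normal pps and one HTTP check per
# second against the victim. Before detection every packet passes.
SAMPLE_LOG = [
    Event(0.00, "attack_sent", 1000), Event(0.00, "attack_passed", 1000),
    Event(0.00, "normal_sent", 100),  Event(0.00, "normal_passed", 100),
    Event(0.25, "detected", 1),       Event(0.25, "audit_detect", 1),
    Event(0.40, "blocked", 1),        Event(0.40, "audit_block", 1),
    Event(0.90, "check_ok", 1),
    Event(1.00, "attack_sent", 1000), Event(1.00, "attack_passed", 20),
    Event(1.00, "normal_sent", 100),  Event(1.00, "normal_passed", 99),
    Event(1.90, "check_ok", 1),
    Event(2.00, "attack_sent", 1000), Event(2.00, "attack_passed", 0),
    Event(2.00, "normal_sent", 100),  Event(2.00, "normal_passed", 98),
    Event(2.90, "check_ok", 1),
]


def _first(log, kind):
    return min((e.t for e in log if e.kind == kind), default=None)


def _total(log, kind, since=0.0):
    return sum(e.n for e in log if e.kind == kind and e.t >= since)


def detection_time(log):
    """Seconds from the first attack packet to the first detection."""
    return _first(log, "detected") - _first(log, "attack_sent")


def blocking_time(log):
    """Seconds from the first attack packet to the first block action."""
    return _first(log, "blocked") - _first(log, "attack_sent")


def blocking_rate(log, since=0.0):
    """Share of attack packets that did not reach the victim.

    The whole-run figure includes the window before blocking began; pass
    since=blocking_time(log) for the steady-state figure.
    """
    sent = _total(log, "attack_sent", since)
    passed = _total(log, "attack_passed", since)
    return (sent - passed) / sent


def normal_success_rate(log):
    """Share of normal (legitimate) packets delivered to the server."""
    return _total(log, "normal_passed") / _total(log, "normal_sent")


def victim_connection_rate(log):
    """Share of the 1 tps HTTP checks that still reached the victim."""
    ok, bad = _total(log, "check_ok"), _total(log, "check_fail")
    return ok / (ok + bad)


def audit_complete(log):
    """Every detection and every block must have produced an audit record."""
    return (_total(log, "audit_detect") >= _total(log, "detected")
            and _total(log, "audit_block") >= _total(log, "blocked"))


def plan_loads(capacity_pps):
    """Traffic mix of the security-function test for a given capacity."""
    return {"attack_pps": round(capacity_pps * 0.90),
            "normal_pps_min": round(capacity_pps * 0.05),
            "normal_pps_max": round(capacity_pps * 0.10),
            "check_tps": 1}


def summarize(log):
    return {"detection_time_s": detection_time(log),
            "blocking_time_s": blocking_time(log),
            "blocking_rate_overall": blocking_rate(log),
            "blocking_rate_steady": blocking_rate(log, since=blocking_time(log)),
            "normal_success_rate": normal_success_rate(log),
            "victim_connection_rate": victim_connection_rate(log),
            "audit_complete": audit_complete(log)}


if __name__ == "__main__":
    for item, value in summarize(SAMPLE_LOG).items():
        print(f"{item}: {value}")
    print(plan_loads(1_000_000))
```

The overall and steady-state blocking rates are reported separately on purpose: the overall figure (0.66 for the constructed log) is dominated by the pre-detection window and mostly restates detection and blocking time, while the steady-state figure (0.99) is what the blocking-rate test item is meant to measure. The normal-packet success rate is measured at the same time, because a product that blocks 100% of attack traffic by also dropping the 5~10% normal load has failed the test.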

Page 15

03. Certified Products

• Certified Products (Domestic)

  Company              | Product            | EAL
  ---------------------+--------------------+------
  Secui.com            | SECUI NXG D V1.0   | EAL4
  Nowcom               | SNIPER DDX V5.0.xg | EAL3
  Nowcom               | SNIPER DDX V5.1    | EAL4
  COMTRUE Technologies | DDoSCop-v2.0       | EAL2

Page 16

Thank You

Global Leader of ICT Standardization & Certification