Cloud based mitigation is the ONLY way to fully mitigate DDoS/DoS attacks imho. It's smart, correct and superb when compared to legacy mitigation methods and devices ( ACL, IPS,FW-attach thresholds, FW DOS-anomaly engines,etc......)
Attempts at doing this mitigation locally ( at the customer edge ) is doomed to fail in most cases due to any of the following;
- hardware resources are over taxed
- even if your local router/firewall/ips blocks the attack traffic, your link is still over utilized and wasted bandwidth
- more man-power from your IT staff is required ( during the duration of the attack)
- your ISP links have no way to distribute the attack traffic
- your ISP can only contribute very little to no-Support in their effort to help you
- and it takes time for your ISP to place filters or policy rate limits
- you have no way to fully determine if the attack has really subsided until you lift the lid to peek " so-to-speak"
Okay so what's this tcp intercept thing?
Will if you are stuck on a a cisco and have no cloud DDoS mitigation provider, you have a limited means to protect against TCP- SYN-FLOODS ( aka half-opens )
The router is not the best approach for this, due to it's limited cpu/memory and in a hugh sustained attacked, your router could become it's own denial-of-service :). But for low volume or amateurish tcp-SYN floods, you can deploy the tcp intercept feature as provided in most all cisco router codes starting from ios12.3 and onwards.
In order to understand the tcp-intercept, we need to re-educated one's self on the 3-way tcp-hand-shake. This hand shakes happens every time & for all tcp-sessions, when a validate tcp-session is being requested.
The attacker community & underground, uses this knowledge to launch half-opens attacks, by not completing the third step of the 3way hand-shake.
Here's the tcp-handshake 3 steps;
1: client sends a SYN --------> to Server ( this is the 1st packet for tcp and holds the client SPORT, server DPORT, MSS value, and any tcp-options )
2: Server sends a SYN/ACK to the --------------> client ( server sends his tcp MSS, tcp-options in this port back and startng seq# )
3: client acks the SYN/ACK with a ack to ---------> the server ( the final steps before we can start sending data )
Step #3 is what DOES NOT happen when a syn-flood attack takes place. As a matter of fact, the sender is probably using a spoof'd & random addres.
So in this attack, you try to exhaust a server tcp-session table, which directly impacts memory consumption. As more and more half-open sessions are being handle, the server can ultimately come to it's knees, drop valid sessions, or worst of all CRASH and Burn :)
Okay so how do we mitigate this on a cisco router?
We use the tcp intercept feature. Here's the steps;
1: we craft a ACL. It's highly suggestive to always build a acl to protect just the server(s) and service(s) that you want DDoS mitigation for. A open "ANY ANY" or all, would cause intercept to take place for ALL tcp-sessions, which can drive the device CPU high, during the inspection process.
It's also ideal to place the trusted internal networks into a deny statement, before the final permits. For example, let's say you have a classic internal/dmz/external interfaces;
internal 172.18.0.0/24
dmz 172.19.0.0/24
external 7.7.7.0/30
You might want to or not want to inspect traffic from dmz to internal or internal to dmz. So a ACL could be drafted like this;
!
ip access-list extend DDOS-protect
remark ignore lan to dmz
deny tcp 172.18.0.0 0.0.0.255 172.19.0.0 0.0.0.255
remark ignore dmz to internal lan
deny tcp 172.19.0.0 0.0.0.255 172.18.0.0 0.0.0.255
remark okay now let's protect our servers in the DMZ
permit tcp any host 172.19.0.10 eq 80
permit tcp any host 172.19.0.11 eq 80
permit tcp any host 172.19.0.12 eq 80
permit tcp any host 172.19.0.13 eq 80
permit tcp any host 172.19.0.14 eq 80
permit tcp any host 172.19.0.15 eq 80
permit tcp any host 172.19.0.16 eq 25
!
!
Okay now on to step #2
Here we need to determine if we want intercept or watch mode.
The latter only watches for the step #3 of the tcp 3-way handshake, and if not completed, it jumps in and send a RST ( reset ) to the server by spoof'ing the source address of the attacker that send the invalid SYN to begin with.
tcp intercept mode intercept | watch
With intercept mode, the router is always in the middle and send a SYN/ACK back on behalf of the client while watching for the final ACK in t he 3rd step of the tcp 3-way handshake. If the client is validate, the router will allow the sessions to complete. The Intercept mode, is more proccess intensive on the router/firewall/mitigation gear.
And finally we monitor the tcp intercept connection and statistic tables. Here's a snippet of those tables;
ccie01#show tcp intercept connections
Incomplete:
Client Server State Create Timeout Mode
212.145.60.80:2262 8.8.8.2:22 SYNRCVD 00:00:10 00:00:04 I
244.215.180.20:2257 8.8.8.2:22 SYNRCVD 00:00:11 00:00:03 I
25.101.177.222:2229 8.8.8.2:22 SYNRCVD 00:00:14 00:00:00 I
252.125.104.173:2266 8.8.8.2:22 SYNRCVD 00:00:10 00:00:04 I
228.17.28.163:2233 8.8.8.2:22 SYNRCVD 00:00:13 00:00:01 I
192.209.96.45:2251 8.8.8.2:22 SYNRCVD 00:00:11 00:00:03 I
205.165.88.134:2323 8.8.8.2:22 SYNRCVD 00:00:03 00:00:03 I
234.143.146.118:2261 8.8.8.2:22 SYNRCVD 00:00:10 00:00:04 I
205.180.125.38:2236 8.8.8.2:22 SYNRCVD 00:00:13 00:00:01 I
17.116.9.244:2269 8.8.8.2:22 SYNRCVD 00:00:09 00:00:05 I
37.36.172.101:2331 8.8.8.2:22 SYNRCVD 00:00:02 00:00:00 I
148.50.177.94:2336 8.8.8.2:22 SYNRCVD 00:00:02 00:00:00 I
163.156.87.76:2206 8.8.8.2:22 SYNRCVD 00:00:16 00:00:14 I
139.219.70.132:2320 8.8.8.2:22 SYNRCVD 00:00:04 00:00:02 I
98.252.142.24:2223 8.8.8.2:22 SYNRCVD 00:00:14 00:00:00 I
148.53.60.231:2199 8.8.8.2:22 SYNRCVD 00:00:17 00:00:13 I
142.30.63.115:2348 8.8.8.2:22 SYNRCVD 00:00:01 00:00:01 I
125.229.73.124:2274 8.8.8.2:22 SYNRCVD 00:00:09 00:00:05 I
224.86.164.142:2211 8.8.8.2:22 SYNRCVD 00:00:16 00:00:14 I
10.233.170.98:2300 8.8.8.2:22 SYNRCVD 00:00:06 00:00:00 I
164.143.165.192:2342 8.8.8.2:22 SYNRCVD 00:00:01 00:00:01 I
19.36.6.77:2307 8.8.8.2:22 SYNRCVD 00:00:05 00:00:01 I
27.143.231.45:2249 8.8.8.2:22 SYNRCVD 00:00:11 00:00:03 I
196.25.239.187:1993 8.8.8.2:22 SYNRCVD 00:00:27 00:00:03 I
48.164.49.213:2325 8.8.8.2:22 SYNRCVD 00:00:03 00:00:03 I
177.164.197.252:2246 8.8.8.2:22 SYNRCVD 00:00:12 00:00:02 I
195.94.219.45:2281 8.8.8.2:22 SYNRCVD 00:00:08 00:00:06 I
200.162.177.58:2317 8.8.8.2:22 SYNRCVD 00:00:04 00:00:02 I
247.19.102.167:2339 8.8.8.2:22 SYNRCVD 00:00:02 00:00:00 I
4.96.45.248:2313 8.8.8.2:22 SYNRCVD 00:00:04 00:00:02 I
252.249.176.142:2278 8.8.8.2:22 SYNRCVD 00:00:08 00:00:06 I
10.164.115.63:2330 8.8.8.2:22 SYNRCVD 00:00:03 00:00:03 I
102.60.7.145:2350 8.8.8.2:22 SYNRCVD 00:00:00 00:00:00 I
211.127.67.63:2243 8.8.8.2:22 SYNRCVD 00:00:12 00:00:02 I
249.147.125.213:2297 8.8.8.2:22 SYNRCVD 00:00:06 00:00:00 I
10.239.19.75:2332 8.8.8.2:22 SYNRCVD 00:00:02 00:00:00 I
152.10.124.67:2288 8.8.8.2:22 SYNRCVD 00:00:07 00:00:07 I
156.223.156.199:2227 8.8.8.2:22 SYNRCVD 00:00:14 00:00:00 I
58.136.190.247:2264 8.8.8.2:22 SYNRCVD 00:00:10 00:00:04 I
12.17.9.234:2343 8.8.8.2:22 SYNRCVD 00:00:01 00:00:01 I
229.63.9.68:2215 8.8.8.2:22 SYNRCVD 00:00:15 00:00:15 I
231.136.194.117:2353 8.8.8.2:22 SYNRCVD 00:00:00 00:00:00 I
and
ccie01#show tcp intercept statistics
Intercepting new connections using access-list DDOS-protect
205 incomplete, 0 established connections (total 205)
141 connection requests per minute
Notice the counters named incomplete? That will increase for every sessions that has been mitigated by the router.
Things to keep in mind;
1: the router can only handle so much traffic ( half-opens ) and could fail-open if the number of sessions exceed it's hardware limit
2: this is best effort only , and with a high PEAKs based attack and 500K plus random sources, the router CPU could climb & cause other issues
3: cisco provides very limited tweaking in regards to this imho , once again best-effort
Okay you want to see how easy it is to launch a tcp syn-flood using 2 of my favorite attack tools :)
(hping)
hping -S --rand_source -p 80 -p 10255 "victims ip_address or hostname here "
(mausezahn)
mz vic0 -c 0 -d=100msec -A rand -B "victims ip_address|hostname here" -c 0 -t tcp "sp=1233,dp=80, flags=syn"
I hope you found this post useful
Ken Felix
Your Freelance Network and Security Engineer
kfelix "at/@" hyperfeed.com
The ddos attacks have been evolved from brute force attacks at the layer of networking which is very sophisticated, very hard to detect at the layer of application. Attackers must always learn the threshold of activity that is acceptable for the individual. After that it should be able to sneak inside an unperceived increase in trafficking of network. In the whole of context of network, the boosted traffic is not some issue but if the application that is targeted has very little tolerance, then the attack will be able to take the application down. http://psychzz.weebly.com/
ReplyDeleteSo true but the traffic can be inspected to determine anomalies. DDoS providers like Prolexic have sensors and tools to inspect for this in all layers from OSI layer3 to 7. Then we have the ability to stack proxies to further mitigate traffic that's deemed unwanted.
ReplyDeleteIn case, the traffic and anomalies can easily be tracked and mitigated with the right sensors and tools.
I find your opinion quite interesting thanks for posting,please visit once at https://www.ddoscube.com.
ReplyDelete