DDoS Mitigation Deployment Architectures(喻超,CISCO).pdf

1? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 For Cisco Internal Use Only 喻超 思科北京公司 网络安全高级技术顾问 CCIE #5329 RS, Security CISSP ychao@ DDoS攻击防御技术 2? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 Agenda The Growing DDoS challenge Cisco Solution Overview Cisco Technical Overview 3? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 How do DDoS Attacks Start ? DNS Email ‘Zombies’ ‘Zombies’ Innocent PCs Servers turn into ‘Zombies’ 4? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 Types and Influence of DDoS Attacks Server-level DDoS attacks DNS Email Infrastructure-level DDoS attacks Attack ombies: ? Use valid protocols ? Spoof source IP ? Massively distributed ? Variety of attacks Bandwidth-level DDoS attacks 5? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 DDoS Problem Getting Worse ? Frequency of attacks is increasing – Only cyber attack to grow in 2003* – Second-most common security breach in 2003** – Matches intrusion as the greatest concern of security executives? ? Specific sites industries targeted to disrupt operations – E-commerce – Online gaming entertainment – Online retail – Service providers ? Power of attacks is unprecedented ─ Not just SYN floods anymore – Hybrid and dynamically morphing attacks – 100ks of Zombies * 2003 CSI/FBI Computer Crime Security Survey **InformationWeek U.S. Security Survey 2003 ?CSO Magazine Security Sensor III IV Research 6? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 传统的DDoS防范方法 ? 黑洞法“Black-holing” 丢弃所有针对受攻主机的流量保护其他主机的安全 ? 路由器ACL过滤 将正常流量和攻击流量一起阻拦 对虚假的和应用层的攻击无效 ? 串联的防火墙安全设备 很容易容量超载 不能保护上行的设备/缺乏扩展性 无法有效的保护面向用户的资源 7? 2004 Cisco Systems, Inc. All rights reserved.Infrastructure Security, 3/04 Backscatter 追踪技术实施 PE Router Advertises Bogus and unallocated networks Victim 0 Dos Attack starts1 All edge routers with static route Test-Net (