We are all used to the fact that DoS and DDoS attacks happen from time to time. What can be done about them?
Resource owners and corporate network administrators try to protect themselves: IDS, IPS, PIX, ASA, Netscreen and many other buzzwords. This approach is logical, but it has an obvious drawback: if the attack has knocked over the border router or saturated the channel to the ISP, the detection and prevention equipment located inside is useless, and the ISP's help is needed.
What should the ISP do, and how should it protect its customers? After all, its job is to carry IP traffic with the best possible quality (reliably, fast and without loss); filtering is not among its functions. At an ISP's traffic volumes, filtering (IPS) would cost an unreasonable amount, and customers simply do not need such a service at that price. Besides, configuring filters is a time-consuming and individual process: every client has its own needs and peculiarities.
The ISP needs to react only if the attack has saturated the client's channel or knocked over the client's border router. Otherwise the client is able to filter on its own, and shifting this function to the ISP makes no sense. Automatic filtering on the ISP side can even be harmful: for example, perfectly legitimate video traffic (a large UDP stream) can be mistaken for a DoS and filtered, for which the customer will obviously not be grateful.
One reasonable and common solution is BGP blackholing (RFC 3882). It lets the customer independently have traffic to the attacked IP filtered at the upstream by announcing a /32 with a pre-agreed community. Even if the attack has brought down the client's router, the BGP announcement of the target network stops, the traffic stops, and BGP can come back up again, this time with a blackhole announcement for the attacked host. The customer does have to determine which host is being attacked. The disadvantage is that the filtering is crude: all traffic to the specified IP address is blocked, regardless of source, protocol and so on. The attacked host is sacrificed so that the rest does not suffer. The advantage is that no assistance from upstream staff is needed.
The conclusion is that the ISP should not automatically filter DoS attacks on its clients, but it must have information about attacks both on its clients and from them (botnets), so that when necessary (when the attack has completely saturated the client, or at the client's request) it can quickly filter the attack out, even if the client does not know where it comes from or where it is going. Since an attack usually leads to an interruption of service (that is, after all, its purpose), it is desirable to have the information quickly and in as much detail as possible (what kind of attack, its intensity, what is happening at the client, how its routers are coping, etc.) in order to make a decision: filter and inform the client, do not filter and inform the client, or ignore. In this scheme only crude attacks (pps, cps) matter to the ISP; content analysis (viruses, hacking activity, even SYN flood) is something the client can fight on its own. We have been working under this scheme for more than a year; we like it, and the customers seem to as well. :-)
More details about the implementation.
Sampled NetFlow is taken from the external links. As practice shows, a sampling rate of 8192 is sufficient to detect attacks. This flow data is kept for a while (a couple of hours, no more) via flow-tools, and in addition it goes to a special self-written daemon, dds, which handles attack detection. In case of abnormal activity (e.g. a UDP stream of 40 Kpps detected from host xxxx to the client host yyyy) a script is run which raises an alarm on the monitoring console for the duty shift and also sends an e-mail containing:
- information about the attacked host (which AS and which client it belongs to);
- what this host currently looks like from mtr (how alive the routers along the path and the attacked host itself are);
- a listing of the traffic related to this anomaly for the last 5 minutes, taken from what flow-tools has saved.
This is enough information for a person to decide what to do without undue delay and investigation. From the flow listing one can see from which and to which ports the traffic comes and whether it looks legitimate. From mtr, how much the client is suffering from this attack. Technically, under certain conditions, one could also filter the attack automatically, but personally I find it scary to automate such actions, especially on the ISP side.
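As an added illustration (not the dds source code), here is the core of such a detector: sampled flow records are scaled back by the 1:8192 rate, aggregated per source, destination and protocol, compared against a pps threshold, and the target is mapped to the owning client for the alert. The record layout, the 60 s window, the client prefix table and the sample flows are assumed and constructed for the example; the 8192 sampling rate and the 40 Kpps figure are the post's own.

```python
# Sampled-NetFlow DoS detector in the spirit of the dds daemon described above
# (added illustration, not the dds source). Assumed: the record layout, the 60 s
# window and the client table; 1:8192 sampling and 40 Kpps are the post's figures.
import ipaddress
from collections import defaultdict

SAMPLING_RATE = 8192      # 1 of every 8192 packets is exported
WINDOW_SECONDS = 60       # assumed length of one analysis window
PPS_THRESHOLD = 40_000    # assumed alarm level (40 Kpps)

# Constructed client table: prefix -> owning client / AS (placeholder values)
CLIENT_PREFIXES = {
    "198.51.100.0/24": "client-A (AS64500)",
    "192.0.2.0/24": "client-B (AS64501)",
}

# Constructed flow records for one window: (src, dst, proto, sampled packets).
# 310 sampled packets * 8192 / 60 s ~= 42.3 Kpps: an attack-sized UDP stream.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", "udp", 310),
    ("203.0.113.9", "198.51.100.10", "udp", 40),    # ~5.5 Kpps, below threshold
    ("192.0.2.50", "198.51.100.10", "tcp", 12),     # ordinary traffic
    ("198.51.100.10", "203.0.113.7", "udp", 3),     # replies from the victim
]

def estimate_pps(sampled_packets, rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Scale a sampled packet count back to an estimated packets per second."""
    return sampled_packets * rate / window

def owner_of(ip):
    """Map an address to the client prefix it belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, client in CLIENT_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return client
    return None

def detect_attacks(flows, threshold=PPS_THRESHOLD):
    """Aggregate per (src, dst, proto); return streams at or above the
    threshold, strongest first, annotated with the client owning the target."""
    pps = defaultdict(float)
    for src, dst, proto, sampled in flows:
        pps[(src, dst, proto)] += estimate_pps(sampled)
    alerts = [{"src": s, "dst": d, "proto": p, "pps": int(v), "client": owner_of(d)}
              for (s, d, p), v in pps.items() if v >= threshold]
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)

if __name__ == "__main__":
    for a in detect_attacks(SAMPLE_FLOWS):
        print(f"{a['proto']} {a['src']} -> {a['dst']} ({a['client']}): ~{a['pps']} pps")
```

On the constructed records only the 310-packet UDP stream crosses the threshold, which is the situation the post's alarm e-mail describes.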
The dds daemon can be obtained with the command "cvs -d :pserver:cvs@happy.kiev.ua:/cvs co dds". When processing ~20G of traffic sampled at rate 8192 it consumes ~30M of memory and ~0.2% CPU load. By the way, I have long wondered how people fight DoS attacks without dds. If there is an attack and a router has become sick, how do they find out which host is being attacked and from which source? Are there similar utilities?