JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

(1)

JUNOS DDoS SECURE

(2)

Biography

Nguyen Tien Duc

[email protected], +84 903344505

Consulting Engineer- Viet Nam

CISSP # 346725

CISA # 623462

(3)

SECURITY AT JUNIPER

Security innovation

& leadership

Customer segments

_{Service Providers, Enterprise}

Business segments

_{Routing, Switching, Security}

Invest more than 20% of revenue on R&D

Leader in high-end firewalls and remote access SSL VPN

Pioneer in Intrusion Deception technology

DDoS advanced technology

First to deliver purpose-built virtual firewall

SC Magazine 2014 best cloud, UTM and NAC solution

Tech Target’s 2013 reader’s choice gold awards for virtual

security, IDP

, and NAC

(4)

DDOS ATTACK VECTORS

VOLUMETRIC

• Easy to detect.

• Attacks are getting bigger in

size

• Frequency of attacks

increasing at a moderate

rate.

ANYTHING THAT MAKES

THE RESOURCES BUSY

• Flash mobs.

• Legitimate requests for a big

event available at one time.

SLOW AND LOW

• Growing faster than

volumetric – 25% of attacks

in 2013 (source: Gartner)

• More sophisticated

& difficult to detect

• Target back-end weaknesses

• Small volume of requests

can take out a large web

site.

(5)

5

(6)

LOW ION ORBIT CANNON (LOIC)

Flood any site

Easy to download

Simple to run

(7)

7

(8)

EVOLVING ATTACK COMPLEXITY

Signature-Based

Scrubbers

Thresholds &

Netflow Analysis

Emerging

Battleground

S

te

a

lt

h

Newness

Known

Unknown

V

o

lu

m

e

tr

ic

Low

-an

d

-sl

o

w

Challenge

: manual

management of IP

thresholds in

dynamic networks

Challenge

: Creating

signatures for new

attacks

(9)

9 THE GAPS THAT DDOS SECURE ADDRESSES

New attacks: before the signature exists

Low-and-slow application attacks

1

(10)

KEY CONCEPT: CHARM

Simple example: real human

traffic typically bursty and

irregular; machine/bot traffic is

regular

Algorithms updated regularly with

characteristics of new attacks

CHARM:

Real-time risk score for each source IP

0

100 Initial

50 Human-like

Machine-like

(11)

11 • DNS/URL Response Time

• URL Rate, Pending counts

• HTTP Server Error Codes

KEY CONCEPT: RESOURCE HEALTH

Resource health:

real-time view of status for every discrete “thing”

on protected interface, based on stateful analysis of source and

resource responsiveness

Internet Traffic

Resources

Internet Traffic

DDoS Secure

L7

• Backlog Queue (per resource, per port)

• TCP stats: SYN, SYN-ACK, CLS, RST, etc

L3-4

Ex

a

m

p

le

s

(12)

JUNOS DDoS SECURE RESOURCE MANAGEMENT

In this example, Resource

2’s response time starts to

degrade and the CHARM

pass threshold is increased

to start the process of rate

limiting the bad traffic.

At this point the good traffic

will continue to pass

unhindered whilst the

attackers will start to believe

their attack has been

successful

as their request fails.

Resource 1

Resource 2

Resource 3

Resource ‘N’

The attack traffic to Resource

2 reduces as the attackers

switch the attack to

Resource 3.

Once again, Junos DDoS

Secure responds

dynamically by increasing

the pass threshold for

Resource 3 Limiting bad

traffic.

(13)

13 JUNOS DDoS SECURE PACKET FLOW SEQUENCE

Drop Packet

IP Behavior Table

Resource

CHARM Threshold

Drop Packet

Packet

Enters

Syntax

Screener

OK

So Far

CHARM

Generator

With

CHARM

Value

CHARM

Screener

Packet

Exits

Validates data packet



Validates against defined filters



Validates packet against RFCs



Validates packet sequencing



TCP Connection state

1 Calculates CHARM value

for data packet



References IP behaviour table



Function of time and historical behaviour



Better behaved = better CHARM

2 Behaviour is

recorded



Supports up to

32M profiles



Profiles aged on least

used basis

3 Calculates

CHARM

Threshold



Responsiveness

of Resource

4 Allow or Drop



CHARM Threshold



CHARM value

5

(14)

HEURISTIC MITIGATION IN ACTION

Junos DDoS Secure

Heurisitc Analysis

DDoS Attack Traffic

Management PC

Normal Internet Traffic

DDoS Attack Traffic

Normal Internet Traffic

Resources

Normal Internet traffic flows through the Junos DDoS Secure Appliance, while the software analyses

the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and

outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time,

with minimal (store and forward) latency.

(15)

15 LOW AND SLOW ATTACKS

What to say about DDoS Secure and Topology



DDoS Secure is an in-line device, usually deployed at the data center edge (behind

internet facing router, in front of firewall)



DDoS Secure performs real-time stateful analysis and heuristics of packets, both

inbound and outbound, as they pass



Source IP addresses are given a real-time “risk score” called CHARM



Resource health (web server, firewall, etc) is monitored and have a CHARM

threshold



Once resource starts to struggle, threshold is raised, and packets with a lower

CHARM score are rate limited



One website is in “logging” mode so we can see the results of the attack. The other