{"id":1315,"date":"2018-10-10T18:18:53","date_gmt":"2018-10-10T11:18:53","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1315"},"modified":"2018-10-10T18:18:53","modified_gmt":"2018-10-10T11:18:53","slug":"a-cisco-guide-to-defending-against-distributed-denial-of-service-attacks","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1315","title":{"rendered":"A Cisco Guide to Defending Against Distributed Denial of Service Attacks"},"content":{"rendered":"\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Contents<\/b>
\nIntroduction: The Case for Securing Availability and the DDoS Threat<\/a>
\nCategorization of DDoS Attacks and Problems Caused<\/a>
\nDDoS Attack General Categories<\/a>
\nVolume-Based DDoS Attacks<\/a>
\nApplication DDoS Flood Attacks<\/a>
\nLow-Rate DoS Attacks<\/a>
\nDetailed Examples of DDoS Attacks and Tools<\/a>
\nInternet Control Message Protocol Floods<\/a>
\nSmurf Attacks<\/a>
\nSYN Flood Attacks<\/a>
\nUDP Flood Attacks<\/a>
\nTeardrop Attacks<\/a>
\nDNS Amplification Attacks<\/a>
\nSIP INVITE Flood Attacks<\/a>
\nEncrypted SSL DDoS Attacks<\/a>
\nSlowloris<\/a>
\nLow Orbit Ion Cannon and High Orbit Ion Canon<\/a>
\nZero-Day DDoS Attacks<\/a>
\nThe DDoS Lifecycle<\/a>
\nReconnaissance<\/a>
\nExploitation and Expansion<\/a>
\nCommand and Control<\/a>
\nTesting<\/a>
\nSustained Attack<\/a>
\nNetwork Identification Technologies<\/a>
\nUser\/Customer Call<\/a>
\nAnomaly Detection<\/a>
\nCisco IOS NetFlow<\/a>
\nPacket Capture<\/a>
\nACLs and Firewall Rules<\/a>
\nDNS<\/a>
\nSinkholes<\/a>
\nIntrusion Prevention\/Detection System Alarms<\/a>
\nASA Threat Detection<\/a>
\nModern Tendencies in Defending Against DDoS Attacks<\/a>
\nChallenges in Defending DDoS Attacks<\/a>
\nStateful Devices<\/a>
\nRoute Filtering Techniques<\/a>
\nUnicast Reverse Path Forwarding<\/a>
\nGeographic Dispersion (Global Resources Anycast)<\/a>
\nTightening Connection Limits and Timeouts<\/a>
\nReputation-Based Blocking<\/a>
\nAccess Control Lists<\/a>
\nDDoS Run Books<\/a>
\nManual Responses to DDoS Attacks<\/a>
\nTraffic Scrubbing and Diversion<\/a>
\nConclusion<\/a>
\nReferences<\/a>
\nNetFlow<\/a>
\nReputation Management Tools<\/a>
\nDDoS Run Book Case Study and Template<\/a><\/p>\n

Introduction: The Case for Securing Availability and the DDoS Threat<\/h1>\n

Denial of service (DoS) and distributed denial of service (DDoS) attacks have been quite the topic of discussion over the past year since the widely publicized and very effective\u00a0DDoS attacks on the financial services industry<\/a>\u00a0that came to light in\u00a0September and October 2012<\/a>\u00a0and resurfaced in\u00a0March 2013<\/a>.<\/p>\n

The purpose of this white paper is to provide a number of tools, some or all of which may apply to a customer’s environment, that can be part of an overall toolkit to help identify and mitigate potential\u00a0DDoS attacks<\/a>\u00a0on customer networks.<\/p>\n

The following quotes and excerpts are from several high-profile individuals and organizations that are focused on defending networks from these types of attacks:<\/p>\n

“…recent campaigns against a number of high-profile companies\u2014including U.S. financial institutions\u2014serve as a reminder that any\u00a0cyber security threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it.<\/i>”<\/p>\n

Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated\u00a0<\/i>
\nby cybercrime are threatening to overwhelm the economic benefits\u00a0created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world.<\/i>”<\/p>\n

The preceding quotes from\u00a0John Stewart<\/a>, Cisco Senior Vice President and Chief Security Officer are eye opening considering that the miscreants are using the network infrastructure to financially impact organizations and diminish the purpose of this infrastructure.<\/p>\n

The bottom line is that unfortunately, no organization is immune to a data breach in this day and age…<\/i>”<\/p>\n

We have the tools today to combat cybercrime, but it’s really all about selecting the right ones and using them in the right way.<\/i>”<\/p>\n

In other words, understand your adversary — know their motives and methods, and prepare your defenses accordingly and always keep your guard up…<\/i>”<\/p>\n

These quotes from the\u00a0Verizon 2013 Data Breach Investigations Report<\/a>\u00a0(PDF) speak to the point that organizations are befuddled with the number of technologies, features, and processes available to help defend their networks. There is no one-size-fits-all approach. Each entity must determine which solutions meet its requirements and which help mitigate the threats that concern it.<\/p>\n

“The number of DDoS attacks in Q1 2013 increased by 21.75 percent over the same period of last year.”<\/i><\/p>\n

“Attacks targeting the infrastructure layer represented more than a third of all attacks observed during the first three months of 2013.”<\/i><\/p>\n

What defined this quarter (Q1 2013) was an increase in the targeting of Internet Service Provider (ISP) and carrier router infrastructures…<\/i>”<\/p>\n

While the preceding statements from\u00a0Prolexic<\/a>\u00a0are certainly keeping service providers’ (SP) network security experts awake at night, it is a legitimate fear that everyone should possess. If the core of the Internet is impacted by a malicious attack or inadvertent outage, we will all suffer because the Internet has become our lifeblood in terms of how we work, live, play, and learn.<\/p>\n

While the actual DDoS attacks garner the headlines, it is imperative that organizations also fully understand the impact of inadvertent, unmalicious outages. Two recent examples of unintentional events are the\u00a0GoDaddy DNS Infastructure outage<\/a>\u00a0that took place in September 2012 and the\u00a0CloudFlare outage<\/a>\u00a0that occurred in March 2013. Although the details of each event differ, the key message is that each outage occurred on a production network, adversely impacted resources that thousands\u2014if not millions\u2014of people used, and was initially reported in the press as an “attack.”<\/p>\n

At the heart of many customers’ concerns is the ability to protect against DDoS attacks. The focus may revolve around customers’ own networks and data, network and data services that customers provide to their own customers, or a combination.<\/p>\n

While the network landscape and the nature of the assets that require protection will vary among customers and verticals, the general approach to mitigating DDoS attacks should be relatively similar across every environment. This approach should consist of, at a minimum, developing and deploying a solid security foundation that incorporates general best practices to detect the presence of outages and attacks and obtain details about them.<\/p>\n

At Cisco we have been espousing the following six-phase methodology to customers and at training conferences, Cisco Live, Black Hat, CanSecWest, and other venues.<\/p>\n

Figure 1. Six-Phase Methodology<\/b><\/p>\n<\/div>\n<\/div>\n

\n

\"The<\/p>\n<\/div>\n

\n
\n

The\u00a0Service Provider Security<\/i>\u00a0white paper provides more information about the\u00a0six-phase methodology<\/a>.<\/p>\n

Categorization of DDoS Attacks and Problems Caused<\/h2>\n

DDoS attacks have become a “Swiss army knife” for hacktivists, cyber criminals, and cyber terrorists, and in some cases used in nation-state attacks.<\/p>\n

These attackers and their campaigns are becoming sophisticated. Attackers are using evasion techniques outside of the typical volume-based attacks to avoid detection and mitigation, including “low and slow” attack techniques and SSL-based attacks. They are deploying multivulnerability attack campaigns that target every layer of the victim’s infrastructure, including the network infrastructure devices, firewalls, servers, and applications.<\/p>\n

In the following subsections, we cover the types of DDoS attacks, common methodologies and tools used, and the impact of each attack.<\/p>\n

DDoS Attack General Categories<\/h2>\n

There are three different general categories of DDoS attacks:<\/p>\n