DDoS Mitigation and Analysis at the Infrastructure Level

Presented at Blackhat Europe 2003 by

Denial of Service attacks are shifting from end systems towards the core devices of large (Cisco) networks. Even if these devices are designed to forward a large number of PPS (packets per second), they usually tend to be much more sensitive to high rates of packets or attacks targeted at the router itself.

We will look at how to prepare the core to make it more attack resistant, so that when an end system is under attack the impact on the transit network is reduced: "ACLs in the core" 101 and the new IP receive ACL feature; packet queueing strategy; software (CPU) vs hardware (ASIC) path for packets; engines, etc.

To detect attacks, most deployments rely on NetFlow data. We'll look at alternatives like in-line devices (infrastructure vs data center approach), how to improve NetFlow scalability by using sampled data, and also the pros and cons of NetFlow depending on the hardware in use.

After looking at the routers as targets, we'll look at router misuse to launch attacks. Cisco router forensics (and vulnerabilities) are becoming more and more important, and forensic readiness for these devices is key for trace availability. We'll go through the preparation steps, the analysis steps and which evidence to look for.

Nicolas Fischbach is a Senior Manager, in charge of the European IP Security Engineering team at COLT Telecom, a leading provider of high bandwidth data, Internet and voice services in Europe. He also manages the Swiss IP Engineering team, and after participating in the deployment of the Swiss IP network and Internet Solution Center, he helped to create the security and network unit of the Professional Services department. He holds an Engineer degree in Networking and Distributed Computing. Nicolas is also co-founder of Sécurité.Org, a French-speaking portal on computer and network security. He's a frequent speaker at technical and security conferences, teaches networking and security courses at various universities and engineering schools, and also publishes articles. More details and contact information on his homepage.