SDN DDoS (whchoi@cisco.com) Cisco Systems Korea 2008 Cisco Systems, Inc. All rights reserved. 1
Cisco SDN 3.0 / DDoS / DDoS / Cisco DDoS / Real Demo
Cisco SDN 3.0 DDoS
Cisco SDN (Self Defending Network): Integrated, Adaptive, Collaborative. Cisco Self Defending Network.
Cisco SDN 3.0 DDoS: Network Security; DDoS; Cisco Guard&Detector
DDoS
DDoS (1): Changed
DDoS (2): [Trend figure by period: 2006 2H, 2007 1H, 2007 2H, 2008 1H; labels: UDP Traffic, TCP Connection, IT (TCP/UDP/ICMP/IGMP), TCP]
DDoS
DDoS
DDoS? DDoS countermeasures and where they sit:
- Access-List: Router & Switch
- Blackhole Routing: Router & Switch (Foundation Security)
- Firewall & IPS
- Syn Cookie Proxy: L7 Switch & Web Protection
ACL (UDP, ICMP): access lists are written by hand, entry after entry, for example
access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 80
repeated for each source that has to be blocked, and the block affects the entire subnet. Null Routing.
Black hole & Sink hole routing: Blackhole routing at the ISP / IDC; traffic; major; Blackhole trigger.
Firewall / IPS: under DDoS (DDoS + IPS) the device itself becomes the bottleneck in H/W and S/W (High CPU: 90~99%).
L7 Switch / Web / DNS Proxy: Core Router, Backbone, L7 Switch, Web Server; the L7 switch proxies TCP SYN in S/W; UDP / TCP outgoing. DDoS...
Cisco Guard&Detector DDoS: [Diagram: Internet, Guard, Core Router, MVP, Backbone Switch, Host IP, Detector, Network Detector; numbered steps 1..6]
Cisco Guard/Detector: Guard / Detector, Out Of Path, 16G, Active/Active. << Cisco Guard/Detector >> TCP/UDP/ICMP/DNS/SIP
Cisco Guard/Detector DDoS coverage:
- Flood Attacks (TCP, UDP, ICMP): SYN Flood, UDP Flood, FIN / SYNACK Flood, Ping Flood, Smurf Flood, Combined UDP/TCP/ICMP
- Fragmentation Attacks: IP/UDP, IP/ICMP, IP/TCP
- HTTP Attacks: Connection Flood (client attack), http errors (404 etc.), http half connections
- BGP Attacks
- DNS Attacks
- SIP Attack
Cisco Guard/Detector TCP source authentication. Client (Source) -> Guard (Scrubber) -> Zone (Destination):
1. Client IP 192.2.3.4 sends to the zone; Guard: IP 192.2.3.4 authenticated? NO.
2. Guard generates a unique cookie for IP 192.2.3.4.
3. Guard checks whether the cookie returned by the client is valid and authenticates IP 192.2.3.4.
4. IP 192.2.3.4 authenticated? YES; traffic from IP 192.2.3.4 passes to the zone.
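The cookie exchange above, as an added illustration that is not Cisco's code and not from the slides: the Guard answers a SYN from an unknown source with a per-source cookie instead of keeping state, trusts the source only when the cookie comes back, and (an assumption here) forgets it after a TTL. Zone address, source addresses and the TTL are constructed values.

```python
import hashlib
import hmac
import secrets


class GuardSourceAuth:
    """Per-source-IP TCP authentication in front of a protected zone (added example).
    An unauthenticated source gets a SYN-ACK whose sequence number is a keyed cookie;
    only a source that really receives it can answer with cookie+1. No per-SYN state is
    stored, so a flood of spoofed SYNs costs the Guard no memory."""

    def __init__(self, zone_ip, ttl=60):
        self.zone_ip = zone_ip
        self.ttl = ttl                          # seconds a source stays trusted (assumed)
        self.secret = secrets.token_bytes(32)   # Guard-local secret; rotate in practice
        self.authenticated = {}                 # src_ip -> expiry timestamp

    def _cookie(self, src_ip, src_port):
        msg = f"{src_ip}:{src_port}>{self.zone_ip}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit TCP sequence number

    def is_authenticated(self, src_ip, now):
        return self.authenticated.get(src_ip, 0) > now

    def on_syn(self, src_ip, src_port, now):
        """('forward', None) for a trusted source, else ('challenge', cookie)."""
        if self.is_authenticated(src_ip, now):
            return ("forward", None)
        return ("challenge", self._cookie(src_ip, src_port))

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Validate the client's ACK against the recomputed cookie; trust the IP on success."""
        expected = ((self._cookie(src_ip, src_port) + 1) & 0xFFFFFFFF).to_bytes(4, "big")
        got = (ack_num & 0xFFFFFFFF).to_bytes(4, "big")
        if hmac.compare_digest(expected, got):
            self.authenticated[src_ip] = now + self.ttl
            return True
        return False


def simulate():
    """Constructed scenario: a real client and a spoofed source that never sees the SYN-ACK."""
    guard = GuardSourceAuth("192.2.3.4")
    action, cookie = guard.on_syn("10.0.0.7", 40000, now=0)      # real client, first SYN
    real_ok = action == "challenge" and guard.on_ack("10.0.0.7", 40000, cookie + 1, now=1)
    real_after = guard.on_syn("10.0.0.7", 40001, now=2)[0]       # trusted: forwarded to zone
    guard.on_syn("203.0.113.9", 5555, now=3)                     # SYN-ACK goes to spoofed address
    spoof_ok = guard.on_ack("203.0.113.9", 5555, 0x12345678, now=4)  # attacker can only guess
    expired = guard.on_syn("10.0.0.7", 40002, now=100)[0]        # TTL passed: re-challenged
    return real_ok, real_after, spoof_ok, expired
```
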
Cisco Guard/Detector service modules:
- Type: ADM Service Module / AGM Service Module
- Physical Port: 7600/6500 Channel / 7600/6500 Channel
- Performance: Zone 10 Static(RHI), 2Gbps, 500 Zone / 10 Static(RHI), 3Gbps, Clustering 16Gbps, 500 Zone, 50 Zone, Zombie X 10, X 1ms
Real Case #1. "Game item trading sites swept up by a DDoS attack tool": the server outages at major game item trading websites, which since last month had been unable to provide normal service because of DDoS attacks on their servers, were found to have been caused by an unidentified DDoS attack tool. (Chosun Ilbo, 2007.10.15) The top two game item trading companies adopted the Cisco Guard/Detector solution (2007.12 to the present); UDP/TCP DDoS attacks are blocked and the game item trading sites have resumed normal service!!!
Real Case #2. "Pay up if you want to keep your service running": according to the industry on the 14th, DDoS attacks originating in China and aimed at small and mid-sized domestic sites are rampant. Attackers launch DDoS attacks against these sites, paralyze the service, and then e-mail the administrators threatening to shut the service down entirely unless anywhere from several million to tens of millions of won is deposited. (Money Today, 2007.02.11) A large domestic file-sharing site applied the Cisco Guard/Detector solution; TCP port 80 connection-oriented attacks and a variety of other attacks are blocked and file-sharing service has resumed normally!!!
Real Case #3: [Diagram: Internet; Guard; Core Router (Hijacking, Injection); Guard, automatic notification when an attack occurs; Backbone Switch, automatic notification when an attack occurs; Passive Monitoring; Firewall; Passive Monitoring; Detector; Server Farm Switch; Detector]
Real Case #4, IDC Managed Service: [Diagram: Internet; Core; Backbone; Dist S.W; Clean Zone; subscriber networks (x3); Guard & Detector Cluster]
Real Case #4, IDC Managed Service: [Diagram: Internet; Core; Backbone; Dist S.W; subscriber networks (x2); ACE Clean Pipe System; ACE; Guard Cluster; Detector Cluster]
Real Case #7, ISP Managed Service: [Diagram: other ISP; international GW; Peer Routers; Guard Cluster; Core Router; POP Router; subscriber; Detector; enterprise line; Premium enterprise line]
Why Cisco Guard&Detector for DDoS: 16G; TCP; Out of Path; UDP; Active/Active; Routing; DNS, SIP; SIP DDoS.
DDoS
Demo Topology: [Diagram: Internet; Botnet of zombie PCs; Guard; Core Router (Hijacking, Injection); Guard, automatic notification when an attack occurs; Backbone Switch, automatic notification when an attack occurs; Passive Monitoring; Firewall; Passive Monitoring; Detector; Server Farm Switch; Detector; www.ciscofashion.com shopping mall]
Cisco Guard & Detector DDoS