Hello,

Yesterday, during an OSSIR meeting (www.ossir.org), I heard about a presentation on the various tools for filtering/detecting DoS/DDoS attacks. And since, to my knowledge, this is the first time such a study has been done (by something other than a three-franc networking magazine), it seemed worthwhile for us to get an overview of it... But, bad news, the study itself is not public; only the presentation is. This "hot" topic still being very interesting, it seems important to me to publish the slides of that presentation anyway. So here is the content (text version) of the presentation given by Dr Gregory S. Miles (DOC) at DEFCON 10 (www.defcon.org). And since I have permission to publish the presentation and DEFCON has not done so yet, here it is in PowerPoint format (with the diagrams): http://docs:[EMAIL PROTECTED]/docs/Miles_DC10_2002_V3.ppt

Thanks to Yann Berthier, HSC and OSSIR for the report on the Black Hat and DEFCON conferences.

Regards,

Philippe Bourcier

---------------------------------------------------------------------------------------------

Anatomy of DOS and DDOS Mitigation Testing
DEFCON 0A
August 2002
Greg Miles
DOC

This Presentation is NOT!
* An advertisement
* An endorsement
* A claim I know anything about writing DOS and DDOS attacks

-----------------
Agenda
-----------------
* Why Test?
* Methodology
* Challenges and Lessons Learned
* Findings

-----------------
WHY?
-----------------
* Desire to Protect
  - Infrastructure
  - Data
  - Business Continuity
* Evaluate Emerging Technologies
* Problem is just getting worse
  - Many nasty DOS and DDOS tools in the wild

2001 Survey Results
Results of the 2001 Information Security Magazine Industry Survey show an increase in Denial of Service attacks experienced by the survey participants.
Source: Information Security Magazine, 2001 Industry Survey, October 2001, pp. 34-47.

2001 Survey Results (charts)

What We Were Looking For
* Infrastructure Protection
  - Minimum Gigabit Solutions (GigE and Fiber)
  - OC48 and OC192 capability desired
* Customer Protection
  - Gigabit MM Fiber
  - GigE
  - 10/100 Ethernet
  - Eventually OC48 and OC192

-----------------
Products Tested
-----------------
Passive (tapped) Solutions
* Arbor Networks
* Reactive Networks
* Mazu Networks
* Asta Networks

In-line Solutions
* Captus Networks
* Mazu Networks

(Basis of selection due to September 2001 Information Security Magazine article, Denying Denial-of-Service.)

-----------------
Methodology
-----------------
Today's DOS Prevention
* Reverse Path Filtering (deny invalid IPs)
* Allow only good traffic into your network (ingress filtering)
* Allow only good traffic out of your network (egress filtering)
* Stop directed broadcast traffic (to avoid being an amplifier)
* Go back to pen and paper (except I can't find any)

Methodology
* Imitate a customer hosting center
* Run real tests across the infrastructure
* Test both network functionality and the management interfaces
* Find solutions that will work upstream instead of downstream

Test Environment Architecture (diagram)
Passive (Tapped) Testing (diagram)
Reactive Network Solutions FloodGuard (diagram)
MAZU Networks TrafficMaster (diagram)
Asta Networks Vantage (diagram)
Arbor Networks PeakFlow (diagram)
In-Line Testing
Mazu Networks (diagram)
Captus Networks (diagram)

Types of Tests
* Baseline traffic generation to emulate a web hosting center
  - ldgen with replayed traffic
* Attack Traffic (DOS and DDOS)
  - TCP SYN
  - TCP ACK
  - UDP, ICMP, TCP floods
  - Fragmented Packets
  - IGMP flood
  - Spoofed and un-spoofed

-----------------
Lessons Learned
-----------------
Network
* Baseline traffic must be stateful (TCP 3-way handshake must be complete)
* Control the lab if you can

Routes
* Bad routes will kill your network and make you unemployed
  - Thank God we were in the lab
* Be sure to isolate your management network from the attack network ON EVERY BOX

Attack Network
* Different tools on different systems
  - Linux 6.2 and Linux 7.2
  - OpenBSD
  - Solaris
* Mix of 10/100 and Gig interfaces needed to push the traffic levels

Tools Utilized
* DOS/DDOS Tools
  - Vendor provided
    * Arbor TrafGen
  - Open source
    * stream
    * litestorm
    * rc8.o
    * f__kscript
    * slice3

Victim Network
* Monitoring Tools
  - LaBrea
  - Snort
* Manual Checks
  - Simple pings
  - CPU usage monitoring

Flow Sampling
* Netflow/Cflowd from Cisco and Juniper
  - Sampling rates must match in both the router and the DDOS mitigation device
  - Juniper had more consistent flow characteristics and reported faster
  - Flow sampling has many value adds
    * Traffic characterization
    * Customer billing
    * And DOS/DDOS detection

SNMP Communications
* SNMP is used to monitor the status of the routers and to provide alerts when an attack is underway
* Connectivity is necessary for proper operation
* SNMP community string required for proper communications (NOT PUBLIC)

-----------------
FINDINGS
-----------------
What Vendors Did Well!
* Monitor baseline traffic
* Detect changes in traffic patterns away from baseline
* Alerting and alarming when thresholds or statistics were exceeded

What Wasn't So Good
* Protection of the management interfaces
* Implementing warning banners and account lockouts
* Port lockdown on the management interfaces

-----------------
Solutions
-----------------
Large Enterprise
* Passive solutions best
* Mix of flow collectors and packet collectors that can visualize your entire network
* Centralize the management consoles into a security operations center or NOC
* Products:
  - Arbor
  - Asta
  - Reactive

Smaller Enterprise
* In-line solutions worth considering
* Combination firewall/DOS solutions
* Combination IDS/DOS solutions
  - Captus
  - Mazu

-----------------
Conclusions
-----------------
* Technology still evolving
* Integrated products likely the future (DOS combined with IDS or Firewall)
* Positive strides toward solutions

-----------------
Resources
-----------------
* www.sans.org/ddos_roadmap.htm
* www.sans.org/dosstep/index.htm
* www.nipc.gov
* staff.washington.edu/dittrich/misc/ddos
* www.cert.org

----------------------------
FRnOG mailing list
http://www.frnog.org/
-----------------------------------------------
Archives : http://www.frnog.org/archives.php
-----------------------------------------------
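The slides credit every tested product with the same three behaviours (monitor a baseline, detect departures from it, alarm on a threshold) and record two lab lessons that shape such a detector: the baseline traffic must be stateful, and the flow sampling rate assumed by the detector must match the one configured on the exporting router. The following is an added example written for this page, not the slides' content and not code from Arbor, Asta, Reactive, Mazu or Captus. It scores a SYN flood from sampled flow records by the fraction of TCP flows to a host that never completed the 3-way handshake, against a baseline learned from quiet minutes. The `Flow` record layout, the constructed traffic in `sample_flows()`, the addresses and the thresholds are all assumptions for the demonstration, not NetFlow/cflowd field names or vendor defaults.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Flow:
    """One exported flow record (assumed layout, constructed for this example)."""
    minute: int     # time bucket the flow started in
    dst: str        # victim-side address
    proto: str      # "tcp", "udp" or "icmp"
    tcp_flags: int  # OR of the TCP flags seen across the flow; 0 for non-TCP
    packets: int    # packets the exporter actually counted (already sampled)


def is_half_open(f):
    """TCP flow that carried a SYN but never an ACK: the 3-way handshake never completed."""
    return f.proto == "tcp" and bool(f.tcp_flags & TCP_SYN) and not (f.tcp_flags & TCP_ACK)


def estimated_packets(f, sampling_rate):
    """Scale a 1:N sampled count back to wire packets. The rate passed here must be the
    one configured on the exporting router; otherwise every absolute threshold is off
    by the ratio of the two rates (the mismatch the slides warn about)."""
    return f.packets * sampling_rate


def half_open_ratio_by_minute(flows, dst):
    """Per minute: fraction of TCP flows toward `dst` that never completed a handshake."""
    half, total = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.dst != dst or f.proto != "tcp":
            continue
        total[f.minute] += 1
        if is_half_open(f):
            half[f.minute] += 1
    return {m: half[m] / total[m] for m in total}


def stateful_training_window(ratios, train_minutes, max_train_ratio=0.2):
    """True if the training minutes are dominated by completed handshakes. A baseline
    built from SYN-only replay (the lab mistake in the slides) would make a real SYN
    flood look normal, so such a window is rejected."""
    samples = [ratios[m] for m in train_minutes if m in ratios]
    return bool(samples) and mean(samples) <= max_train_ratio


def build_baseline(ratios, train_minutes):
    """Mean and stddev of the half-open ratio over the training window."""
    if not stateful_training_window(ratios, train_minutes):
        raise ValueError("training traffic is not stateful enough to serve as a baseline")
    samples = [ratios[m] for m in train_minutes if m in ratios]
    return mean(samples), pstdev(samples)


def detect_syn_flood(flows, dst, sampling_rate, train_minutes, k=3.0, min_syn_pps=200.0):
    """Return [(minute, half_open_ratio, est_syn_pps)] for non-training minutes whose
    ratio exceeds baseline mean + k*stddev AND whose estimated SYN rate clears an
    absolute floor, so a statistical blip in a quiet hour does not page anyone."""
    ratios = half_open_ratio_by_minute(flows, dst)
    mu, sigma = build_baseline(ratios, train_minutes)
    threshold = mu + k * max(sigma, 0.01)  # floor sigma so an all-identical baseline is not zero-width
    syn_pkts = defaultdict(int)
    for f in flows:
        if f.dst == dst and is_half_open(f):
            syn_pkts[f.minute] += estimated_packets(f, sampling_rate)
    alerts = []
    for m in sorted(ratios):
        if m in train_minutes:
            continue
        pps = syn_pkts[m] / 60.0
        if ratios[m] > threshold and pps >= min_syn_pps:
            alerts.append((m, round(ratios[m], 3), round(pps, 1)))
    return alerts


def sample_flows():
    """Constructed records: five quiet minutes of a hosting center, then a spoofed SYN
    flood against 203.0.113.10 in minute 5. The exporter samples 1:100, so counts are small."""
    flows = []
    for m in range(5):
        flows += [Flow(m, "203.0.113.10", "tcp", TCP_SYN | TCP_ACK, 4)] * 50  # complete sessions
        flows += [Flow(m, "203.0.113.10", "tcp", TCP_SYN, 1)] * 3             # clients that gave up
        flows.append(Flow(m, "203.0.113.10", "udp", 0, 2))
    flows += [Flow(5, "203.0.113.10", "tcp", TCP_SYN | TCP_ACK, 4)] * 50      # legit traffic continues
    flows += [Flow(5, "203.0.113.10", "tcp", TCP_SYN, 1)] * 400               # spoofed sources, SYN only
    return flows


if __name__ == "__main__":
    for minute, ratio, pps in detect_syn_flood(sample_flows(), "203.0.113.10", 100, range(5)):
        print(f"ALERT minute {minute}: half-open ratio {ratio}, ~{pps} SYN/s toward 203.0.113.10")
```

Run with the exporter's real 1:100 rate, minute 5 is flagged; run the same records while assuming 1:10, and the estimated SYN rate drops below the floor and the flood is missed, which is exactly why the slides insist the sampling rate be the same on the router and the mitigation device. The stateful-window check is the detector-side form of the other lesson: replayed traffic without completed handshakes cannot serve as a baseline.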