《Cisco安全技术交流胶片运营商的网络安全体系解决方案》由会员分享,可在线阅读,更多相关《Cisco安全技术交流胶片运营商的网络安全体系解决方案(70页珍藏版)》请在金锄头文库上搜索。
1、1 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID 运运营营商的网商的网络络安全体系解决方案之安全体系解决方案之 clean pipe service solution2 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID目目录录什么是什么是Clean pipeClean pipe 技技术实现术实现Clean pipe 部署模
2、式部署模式Clean pipe 服服务实务实例例3 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID目目录录什么是什么是Clean pipeClean pipe 技技术实现术实现Clean pipe 部署模式部署模式Clean pipe 服服务实务实例例4 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDInternet DD
3、oS 攻攻击击的最新的最新趋势趋势目前已有超目前已有超过过8亿亿人使用人使用internet. eCommerce使得使得对对互互联联网的前所未有的依网的前所未有的依赖赖性性宽带连宽带连接使越来越多的家庭接使越来越多的家庭PC上网上网, 而而这这些家庭些家庭PC缺缺少安全措施少安全措施, 容易被利用容易被利用大多数攻大多数攻击击同同时时来自多个国家来自多个国家, 更更难难以追以追查查和防范和防范.DDoS 影响着所有影响着所有类类型的网型的网络业务络业务: 银银行行业业, 医医疗疗, 政府政府, 制造制造业业, 零售零售, 度假休度假休闲闲, 体育网站体育网站, 网网络络游游戏戏用来用来进进行
4、勒索的攻行勒索的攻击击在增加在增加: 去年去年为为4%, 今年到了今年到了16%, 勒索的数勒索的数额额从从1万美元到数百万美元万美元到数百万美元5 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDBOTNETS 使使DDOS攻攻击击更容易更容易CECE 受攻受攻击设备击设备: 服服务务器器, 防火防火墙墙, 路由器路由器僵尸僵尸电脑电脑控制者控制者Last MileConnectionISP出租出租BOTNET!BOTNET 是一个由被入侵并控制是一个由被入
5、侵并控制了的了的僵尸僵尸电脑组电脑组成的网成的网络络, 在中央在中央控制控制电脑电脑的指的指挥挥下下, 能能对对任何目任何目标标发发起攻起攻击击.BOTNETs 能能发动发动多种多种DDOS攻攻击击: ICMP Attacks, TCP Attacks, and UDP Attacks, http overload 小的小的 BOTNET 大大约约控制上千台控制上千台电电脑脑, 大的可能控制多达数万台大的可能控制多达数万台.BOTNET的数量和的数量和规规模都在增加中模都在增加中.6 2005 Cisco Systems, Inc. All rights reserved.Cisco Conf
6、identialSession NumberPresentation_IDDDoS攻攻击击影响的网影响的网络层络层面面应应用用 /服服务务器器攻攻击击将耗尽将耗尽计计算机的算机的TCP/HTTP资资源源, 使使应应用停用停顿顿, 服服务务器停止器停止对对正常正常业业务务的响的响应应.带宽带宽攻攻击击流量将充流量将充满满网网络带宽络带宽从而阻从而阻挡挡了正常流量了正常流量 网网络络架构架构攻攻击击的目的目标标可能是网可能是网络络路由路由设备设备, DNS/DHCP 服服务务器等器等, 破坏网破坏网络连络连接接.间间接破坏接破坏被做被做为为攻攻击击源的主机也源的主机也间间接受到影响接受到影响7 2
7、005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID“是网是网络络安全防安全防护护系系统统的一部分的一部分, 能能够够在在发发生生DDOS攻攻击时击时, 保保证证正常正常业务业务和关和关键键部件的可用性部件的可用性”7 7 7 2003 Cisco Systems, Inc. All rights reserved.Presentation_IDClean Pipes: DDoS攻攻击击防防护护方案方案 Clean pipes 是一个保是一个保护护用用户户数据流和网
8、数据流和网络连络连接接, 防止受到防止受到DDoS攻攻击击的安全方案的安全方案, 其基本的目其基本的目标标是在是在应应用系用系统统受到安全威受到安全威胁时胁时去掉去掉恶恶意的攻意的攻击击流量流量, 只只传传送正常送正常应应用的流量用的流量. “Clean Pipes” 功能描述和定功能描述和定义义8 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDClean Pipes 的主要的主要环节环节InjectDivert防防卫卫学学习习DefenseLearning
9、攻攻击缓击缓解解Mitigate学学习习 阶阶段段基于基于CiscoNFP实现对实现对网网络络的数据的数据平面平面,控制平面的保控制平面的保护护.采用采用CiscoGuard对对数据流清数据流清洁洁采用采用CiscoNetflow或或Detector进进行主行主动动的的攻攻击检测击检测将出将出现现攻攻击击流量流量转转移到移到一个清一个清洁洁中心中心将将清清洁洁的流量重新注入的流量重新注入网网络络攻攻击检测击检测Detect9 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresenta
10、tion_ID阶阶段一段一 : 防防卫卫/学学习习Defense / LearningPeeringPointCore RouterEnterpriseHosting ProviderBGP securityRTBH, uRPFRTRL / QPPB学学习阶习阶段段策略建立策略建立PeeringPoint10 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID阶阶段二段二: 攻攻击检测击检测DetectionPeeringPointCore RouterEnte
11、rpriseHosting providerBGP securityRTBH, uRPFRTRL / QPPBRACL, iACL, CoPPStack protection,Sink holesuRPF ingressAnd egress filteringDetectionPeeringPoint3rd party detector3rd party detectorDetectionDetectionNetflowNetflowNetflowNetflowNetflowNetflowIDS/IPSCiscoDetector11 2005 Cisco Systems, Inc. All r
12、ights reserved.Cisco ConfidentialSession NumberPresentation_ID阶阶段三段三: 攻攻击缓击缓解解 MitigationPeeringPointCore RouterEnterpriseHosting ProviderBGP securityRTBH, uRPFRTRL / QPPBRACL, iACL, CoPPStack protection,Sink holesuRPF ingressAnd egress filteringDetectionPeeringPointdetectordetecorDetectionDetection
13、NetflowNetflowNetflowNetflowNetflowCisco GuardPacket inspectionAnd cleaningTrafficRe-injectionIDS/IPSCiscoDetectorCleaningCenterTrafficdiversion12 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDClean pipe 操作流程操作流程主主动动的异常的异常监测监测流量异常流量异常? 学学习习正常流量特征正常流量特征,建
14、立策略基建立策略基础础将相关流量将相关流量转转移到移到清清洁洁中心中心是否是否为为合法合法数据数据丢丢弃弃将合法数据重新注入网将合法数据重新注入网络络Defend& LearnDetectionDiversionCleaningRe-InjectionYesYesNoNo13 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID目目录录什么是什么是Clean pipeClean pipe 技技术实现术实现Clean pipe 部署模式部署模式Clean pipe
15、服服务实务实例例14 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDClearn pipe: 网网络结络结构构Network Foundation ProtectionNetwork Management3rd party detectorIDS/IPS3rd party detectorCleaning Center 清清洁洁中心中心: 部署在运部署在运营营商的网商的网络络中中, 一一组组由由DDoS攻攻击缓击缓解解设备设备(CiscoGuard或或AGM
16、)组组成的成的, 专门对专门对需要的流量做正常需要的流量做正常业务业务的分辨和攻的分辨和攻击击的清除的服的清除的服务务中心中心3rd party detector15 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID一一: 防防护护/学学习阶习阶段段InjectDivertDefenseLearningMitigateDetect16 2005 Cisco Systems, Inc. All rights reserved.Cisco Confidential
17、Session NumberPresentation_IDDefense/Learning阶阶段段 Defense: 采用采用NFP, 保保护护网网络络基基础础架构架构.Learning: 是建立正常流量模型是建立正常流量模型, 其目的是需要知道其目的是需要知道:1) 对对于一个用于一个用户户来来说说, 什么是什么是好好的流量的流量2) 攻攻击击流量的特性流量的特性17 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDDefense 基基础础: Network
18、 Foundation Protection对对网网络络架架购购的保的保护护, 保保证业务证业务提供的提供的连续连续性性控制平面控制平面数据平面数据平面Defense-in-depth protection for routing control planeTechnologies: Receive ACLs, control plane policing, iACLs, neighbor authentication, BGP best practicesDetects traffic anomalies & respond to attacks in real-timeTechnologi
19、es: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS toolsSecure and continuous management of Cisco IOS network infrastructureTechnologies: CPU & memory thresholding, dual export syslog, image verification, SSHv2, SNMPv3, security audit, CLI views管理平面管理平面在在执执行其他安全策略以前行其他安全策略以前, 网网络络架架构必构必须须得到很好的保得到
20、很好的保护护 18 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDlearning: 流量特征的学流量特征的学习习和策略建立和策略建立 对对网网络络正常流量的了解是正常流量的了解是检测检测攻攻击击的基的基础础, 通通过对过对网网络络流量的学流量的学习习建建立了正常流量的模型立了正常流量的模型. 一个异常事件的一个异常事件的发发生是指与正常流量不同的流生是指与正常流量不同的流量特征出量特征出现现. 步步骤骤1, 建立策略建立策略. 此步此步骤骤是是对对基本的服
21、基本的服务类务类型做出型做出检测检测, 并决定并决定调调用用哪些策略哪些策略, 大大约约需要需要1个小个小时时左右左右. 步步骤骤2: 设设置置门门限限. 基于基于调调用的策略用的策略, 根据用根据用户户的流量特征的流量特征设设置置阀值阀值, 也就是定也就是定义义流量的流量的门门限限. 这这个个过过程一般需要程一般需要24小小时时.19 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDInjectDivertDefendDetectMitigateProact
22、ively looking for traffic anomalies二二: 攻攻击检测阶击检测阶段段20 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID检测阶检测阶段段1.BOTNET发动了DDOS攻击.2a. 在被攻击客户端的Detector 能立刻发现网络的异常流量, 发现攻击.2b. 在CISCO路由器上的Netflow 的流量统计转发到Arbor等netflow分析设备, 不正常流量被发现.2c. Cisco的Detector 或者Arbor 向G
23、uard 报告发现了攻击并启动Guard.步步骤骤3rd party Detector21 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID检测 DoS 攻攻击的多种手段的多种手段1.Cisco Detector2.通通过NetFlow收集和分析收集和分析设备3.通通过IDS/IPS系系统发现攻攻击4.通通过网网络安全信息管理系安全信息管理系统发现攻攻击5.通通过SNMP对被保被保护目目标的的监测: 如如CPU overload6.用用户发现/被被动方式方式目
24、前主要方式目前主要方式22 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID1. 采用采用Cisco Detector 监测监测攻攻击击可以是独立的硬件可以是独立的硬件设备设备或或6500/7600的模的模块块. 一般与防攻一般与防攻击设备击设备Guard配合使用配合使用.采用流量采用流量镜镜像或分光器等将像或分光器等将监监控流量复制到控流量复制到detector. 根据用根据用户户或服或服务类务类型分型分为为多个区域多个区域(zone).当当detector
25、发现发现攻攻击击后后, 能自能自动动启启动动guard做攻做攻击击防防护护.23 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID什么是什么是zone?Zone 是一个被是一个被监测监测/保保护护目目标标的的单单位位, 可以是一个服可以是一个服务务器器, 一一组组服服务务器器, 一个子网一个子网/网网络络Zone 一般是一个用一般是一个用户户, 或一个用或一个用户户的相同的相同业务业务的服的服务务器器的集合的集合. 多个多个zone可以被同可以被同时监测时监测
26、, 只要地址不重复只要地址不重复.24 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID监测监测攻攻击击当学当学习阶习阶段完成后段完成后, 被保被保护护区域区域进进入入监测阶监测阶段段.监测监测策略会策略会检查检查流量的异常情况流量的异常情况.一个流量异常会触一个流量异常会触发发guard启启动动保保护护.也可以人工定也可以人工定义义是否要触是否要触发发guard保保护护, 还还是是发发送送log或或notify.25 2005 Cisco Systems,
27、Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDDetector 的流量的流量过滤过滤Server Farm Zone Under detectionSyslog Server26 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID启启动动 Guard防防护护GuardDetectorLogin via SSHGenerate SSH KeyIssue Protect
28、 CommandSession Terminated21341SSH Key is a one time exchange between the detector and the guard. One key per guard.2The Detector logs into every guard specified in configuration. Order is determined by CLI entry.3The Detector issues the protect command for the zone under attack. It will try every g
29、uard in the list.27 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID2. 采用采用Netflow做攻做攻击检测击检测Netflow包含了包含了对对网网络络流量流量详细详细的的记录记录. 根据源根据源/目目标标地址地址, 端口号端口号, 包大小包大小, 流量等特征流量等特征,可以可以发现发现流量的异常状况流量的异常状况.目前有第三方厂家以目前有第三方厂家以Netflow为为基基础础开开发发攻攻击检测击检测系系统统, 并能自并能自动动启启动动G
30、uard 防防护护.由于由于Netflow不分析所有的数据不分析所有的数据, 只只记录记录包包头头情况情况, 有很有很好的好的扩扩展性展性, 可以用于大流量的骨干网可以用于大流量的骨干网络络.28 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDCisco Netflow定定义义一个一个flow的的7个参数个参数: Source IP addressDestination IP addressSource portDestination portLayer 3
31、 protocol typeType of Service (ToS) byte (Differentiated Services Code Point (DSCP)Input logical interface (ifIndex)282828Enable NetFlowTrafficTraditional Export & CollectorNetFlowExport PacketsSNMP PollerNew SNMP MIB Interface第三方第三方第三方第三方监测监测监测监测告警告警告警告警设备设备设备设备NetFlow 是是IP网网络络流量分析流量分析和和统计统计的的标标准之一
32、准之一29 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDNetFlow Sampling 抽抽样样比例建比例建议议Ethernet 1:10Fast Ethernet/OC3 1:100Gig Ethernet 1:1000POS OC12/OC48 1:100010GE/POS OC192 1:500030 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession Num
33、berPresentation_ID3. 采用其他第三方采用其他第三方设备设备/软软件件监测监测1.对DDoS攻攻击的的监测可以采用各种可以采用各种设备, 如防火如防火墙, IDS/IPS等网等网络安全安全设备2.采用采用SNMP协议或其他或其他协议监控网控网络流量的异常流量的异常3.通通过对服服务器的器的CPU, 服服务连接数或其他指接数或其他指标监测攻攻击.4.用用户发现/被被动方式方式31 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID启启动动Guar
34、d防防护护机制机制防防护设备护设备Guard的启的启动动可以通可以通过过:1)网网络络部署的部署的detector直接通知直接通知Guard2)基于基于netflow的某些第三方的某些第三方监测设备监测设备(如如arbor)可以直可以直接通知接通知Guard3)IDS/IPS或其它方式或其它方式发现发现攻攻击击后后, 通通过过网管系网管系统统可通可通过过SSH script可以向可以向guard发发出启出启动动指令指令4)在在发现发现攻攻击击后人工启后人工启动动32 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialS
35、ession NumberPresentation_IDDDoS 攻攻击监测击监测的网的网络络部署部署NFbased3rd party detectorNF based 3rd party detectorIDS/IPSNF based3rd party detector地点地点设备设备CPE or IDCCisco Detector, IDS/IPS, SNMPMANCisco Detector, IDS/IPSBackboneNetflowSP Peering EdgeNetflowIDS/IPSIPS in cisco ISRCisco Detector33 2005 Cisco Sys
36、tems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID三三:攻攻击缓击缓解解阶阶段段Traffic diversion scrubbing and re-injectionInjectDivertDefendMitigateDetect34 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID步步骤骤攻攻击缓击缓解解阶阶段段3a. Divert: Guard用BG
37、P向路由器宣告, 将去往被攻击客户的流量转移到guard.3b. 所有的去往目标的流量(攻击和非攻击)都被转移到guard.4. Guard将攻击流量丢弃, 同时允许正常流量通过.5.Inject: 被清洁的流量重新注入网络到达目标.6.Cisco Detector和netflow设备持续观察.3rd party Detector35 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID攻攻击缓击缓解工作解工作过过程程区域区域1: WEB区域区域2: DNS区域区
38、域3: E-Commerce 应应用用 InternetLegitimate Traffic正正常常流流量量攻攻击击目目标标1. 检测检测非正常流量非正常流量2. 启启动动保保护护 (自自动动/手手动动)RemoteHealthInjection(RHI) 5. .将正常流量重新注入将正常流量重新注入6. 到其他区域的流到其他区域的流量没有受到影响量没有受到影响BGP PeerO 192.168.3.0/24 110/2 via 100.0.0.3, 2d11h, GigabitEthernet2B 192.168.3.128/32 20/0 via 20.0.0.2, 00:00:01 19
39、2.168.3.128 = zone, 10.0.0.2 = Guard Module, 20.0.0.2 = MSFCBGP announce 4. 攻攻击缓击缓解解(清清洁洁)36 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID3.1 流量流量”清清洁洁”37 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDGuard攻
40、攻击击流量清流量清洁洁原理原理: Multi-Verification Process (MVP)ActiveVerificationStatisticalAnalysisLayer 7AnalysisRate LimitingLegitimate + attack traffic to targetDynamic & Static Filters监测恶监测恶意意动动作和作和发现发现攻攻击击的流的流量及源量及源/目目标标地址地址启启动动anti-spoofing阻阻挡恶挡恶意流量意流量动态动态增加增加访问访问列表阻列表阻挡挡攻攻击击启启动动速率限制速率限制Legitimate traffic3
41、8 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID设备: Guard XT 和AGM ( Anomaly Guard Module)独立的独立的Guard XT 5650IBM X345 Server Platform2 GE Fiber/Copper 10/100/GE Copper Mgmt 2U rack mount single/dual power supplyDual RAID hard drive2 Gb DDRAM1 Broadcom SiB
42、yte Network Processor76/65的的AGM Single slot service moduleNo external interfaces uses line card or supervisor interfacesCat6k IOS support: 12.2(18)SXD3 or later7600 IOS support: 12.2(18)SXE or later 3 Broadcom SiByte Network ProcessorsMultiple AGMs per chassis39 2005 Cisco Systems, Inc. All rights r
43、eserved.Cisco ConfidentialSession NumberPresentation_IDGuard:通通讯讯接口方式接口方式HTTPS (aka Web-based HTTPS (aka Web-based Management)Management)Configuration & Operation, Configuration & Operation, Attack ReportsAttack ReportsFTPFTP Image Upgrade, Zone Configs Download & Upload, Attack Reports UploadSyslog
44、SyslogEvent LoggingEvent LoggingSNMPSNMPSystem StatusSystem StatusSSHSSHConfiguration, OperationBGP*BGP*Announced Guard as best Announced Guard as best next-hop to attacked zone next-hop to attacked zone Data PathData Path Diversion of Dirty Diversion of Dirty Traffic to GuardTraffic to GuardData Pa
45、th Data Path Re-injection of Cleaned Re-injection of Cleaned Traffic from GuardTraffic from Guard* * For AGM, the 7600/Cat6ks Supervisor Engine For AGM, the 7600/Cat6ks Supervisor Engine originates BGP update messagesoriginates BGP update messages40 2005 Cisco Systems, Inc. All rights reserved.Cisco
46、 ConfidentialSession NumberPresentation_ID“清清洁洁中心中心”是一是一组组存在于服存在于服务务供供应应商网商网络络中的中的Guard或或AGM流量清流量清洁设洁设备备的集合的集合扩扩展性展性 使用多个使用多个guard提供高性能提供高性能可靠性可靠性 多个多个guard可以提供可以提供 N+1 冗余冗余经济经济性性 一个清一个清洁洁中心可以中心可以为为多个用多个用户户服服务务达到高效率达到高效率灵活性灵活性 DDoS 攻攻击击可以被引可以被引导导到清到清洁洁中心集中中心集中处处理理41 2005 Cisco Systems, Inc. All righ
47、ts reserved.Cisco ConfidentialSession NumberPresentation_ID清清洁洁中心中心设计设计考考虑虑事事项项清清洁洁性能需求性能需求部署位置部署位置 扩扩展性展性-负载负载均衡均衡高可用性冗余配置高可用性冗余配置42 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID性能需求性能需求部署模式部署模式专用的设备为特定的用户专用的设备为特定的用户共享部署共享部署, 对受攻击的用对受攻击的用户专用防护户专用防护共享部署
48、共享部署, 对受攻击的用对受攻击的用户共享防护户共享防护CapEx for SPHighLow Very LowService Fee for CustomersHighHigh/MediumLowHighlights Dedicated service from subscriber standpoint Guaranteed cleaning capacity per agreement between SP and customer Customized baseline by learning Add Guards as new customers sign up the servic
49、e Policy & zone configs for the customer stored on the dedicated Guard Dedicated service from subscriber standpoint Guaranteed cleaning capacity per agreement between SP and customer Customized baseline by learning Add new Guards when the predefined over-subscription ratio exceeds Policy & zone conf
50、igs uploaded to a dedicated Guard when he is under attack Shared service from subscriber standpoint Best-effort cleaning capacity Baseline based on default templates. Optional manual threshold tuning for more precise mitigation Potentially insufficient cleaning capacity if multiple users are under a
51、ttack at the same timeApplicable DDoS Protection Models Managed NetworkManaged HostingManaged PeeringManaged NetworkManaged HostingManaged PeeringManaged NetworkManaged HostingManaged PeeringInfrastructure43 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID
52、部署地点建部署地点建议议 尽量靠近网尽量靠近网络络入口位置入口位置减少流量减少流量转转移移/注入的跳数,以减少注入的跳数,以减少时时延延保保证证流量流量转转移和重注入的路径有足移和重注入的路径有足够够的的带宽带宽在多清在多清洁洁中心的部署中,要保中心的部署中,要保证证每个清每个清洁洁中心到每个被保中心到每个被保护护的客的客户户的的带宽带宽清清洁洁中心需要独立管理,可以考中心需要独立管理,可以考虑虑采用和骨干网不同的采用和骨干网不同的AS44 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession Number
53、Presentation_ID扩扩展性展性: 负载负载均衡均衡在清在清洁洁中心采用中心采用guard集群或集群或AGM集群的方式,提供数集群的方式,提供数G的保的保护护能力。能力。Guard/AGM之之间负载间负载均衡均衡前端路由器上需要启前端路由器上需要启动动BGP maximum-path前端路由器上启前端路由器上启动动IP CEF load-sharing per source-destination IP address pair 最多最多8个个Guard负载负载均衡(均衡(BGP限制)限制)在一台在一台7600/Cat6500上上 AGM的数量限制的数量限制 :ChassisMaxi
54、mum Tested # of AGMsRealistic Maximum # of AGMs(Active & Standby Supervisors, Line Card for Guard Bandwidth)Dedicated 7609/Cat6509 Chassis 86Dedicated with 7613/Cat6513 Chassis 1010 45 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID高可用性考高可用性考虑虑清清洁洁中心接入路由中
55、心接入路由设备设备采用采用 NSF & SSO 高可用性高可用性N+1 Guards 其中一个做其中一个做为备为备份份, hot standby状状态态冗余的冗余的 AGMsActive/active mode: 每个每个AGM都都为为活活动动状状态态, 流量被均衡流量被均衡处处理理Active/standby mode: 备备份状份状态态, 一个一个Guard的的优优先先级较级较高高当一个清当一个清洁洁中心出中心出现问题时现问题时, 采用采用Anycast将可疑流量将可疑流量 自自动转动转移到其他清移到其他清洁洁中心中心.46 2005 Cisco Systems, Inc. All rig
56、hts reserved.Cisco ConfidentialSession NumberPresentation_ID3.2 流量流量转转移和注入移和注入47 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID流量流量转转移移 Diversion , 注入注入Injection流量流量转转移可以采用移可以采用CiscoDetector或其他第三方或其他第三方设备设备, 可以可以是自是自动动或手或手动动触触发发. 运运营营商可以商可以选择选择触触发发方式方式.可
57、以可以转转移到一个以上的移到一个以上的清清洁洁中心中心. 当攻当攻击击消失消失时时, 流量流量转转移可以解除移可以解除.Diversion: 将去往被攻将去往被攻击击目目标标的流量重路由到一个攻的流量重路由到一个攻击缓击缓解解的的清清洁洁中心中心, 以便在清以便在清洁洁中心中中心中处处理理, 丢丢弃攻弃攻击击流量和分辨正流量和分辨正常常业务业务.Injection: 正常正常业务业务流量流量经过经过轻洁轻洁后后, 被重新注入网被重新注入网络络, 到达到达目目标标.48 2005 Cisco Systems, Inc. All rights reserved.Cisco Confidential
58、Session NumberPresentation_ID流量流量转转移的模式移的模式L2 DiversionDivert-from router, Inject-to router and guard on same LANL3 (Short) Diversion: IP CoreDivert-from router and guard directly connectedDiversion in an MPLS coreLong Diversion (IP or MPLS)Traffic diverted to distributed cleaning centers not direct
59、ly connected to divert-from router49 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID流量重注入流量重注入injection 模式模式L2 injectionInject-to router and guard on same LANPBR based injectionGRE Injection: IP CoreGRE tunnel originated on guard, terminated on CPEVRF Inj
60、ection: MPLS coreTraffic injected into a separate “inject” VRFOther tunneling techniquesmGRE, L2TPv3 and VLAN based50 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDL2 Diversion / ReinjectionInternetZone192.168.1.0NOCBGP Update toRe-route ALL zoneTraffic
61、to guard1Next hop to zoneSet as R2 or R3Guard in same VLANAs R1, so traffic Forwarded using L23Route to Zone willHave next hop setAs guard2Guard re-injects cleanTraffic towards zoneTo either R2 or R34R1R2R351 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_I
62、DShort Diversion / GRE ReinjectionInternetZone192.168.1.0BGP Update toRe-route ALL zoneTraffic to guard1Route to Zone willHave next hop setAs guardGuard re-injects cleanTraffic towards zoneUsing pre-configuredGRE tunnel32R1R2R3NOCPreconfiguredGRE tunnel toEgress CPE52 2005 Cisco Systems, Inc. All ri
63、ghts reserved.Cisco ConfidentialSession NumberPresentation_IDmbehringTarget (192.168.1.1)GuardattackPEPECPEPECPEPECPEVRF: InjectBGP: Im next hop for 192.168.1.11Redistributioninto MPLS core2re-routing to 192.168.1.134CleanRe-inject cleanTraffic on separateInterface in VRF inject5Cleaned trafficForwa
64、rded to targetThrough egress PE6MPLS Diversion / ReinjectionMPLSCore53 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDmbehringTarget (192.168.1.1)Guard(192.168.254.1)attackPreconfiguredGRE tunnel toEgress CPEPEPECPELong Diversion (L3) / GRE InjectionBGP u
65、pdate settingNext hop for targetALL traffic to targetRe-routed to guardRedistributionInto coreClean traffic injected totarget on GRE tunnelReturn traffic from targetTo internet flows normallyRRNOC43215IPCore54 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_
66、IDPBR InjectionInternetNOCBGP Update toRe-route ALL zoneTraffic to guard1Route to Zone willHave next hop setAs guardPBR applied on R1 interface to match IPAddress of zone and set next hop as R2Next hop to zoneSet as R1R1 forwards traffic forZone to R2 based onConfigured PBR42Guard re-injects cleanTr
67、affic towardsZone back to R13R1R2BGPIp access-list extended zoneA!Route-map injectPBR permit 10 Match ip address zoneA!Route-map injectPBR permit 20Interface gigabitethernet3/1/1 Ip policy route-map injectPBRZone192.168.1.0Divert-from and Inject-toRouter is the same one55 2005 Cisco Systems, Inc. Al
68、l rights reserved.Cisco ConfidentialSession NumberPresentation_IDAGM: Single Chassis, Multiple AGM, One ZoneZone192.168.1.0/24InternetStatic routesRedistributed into BGP with next-hopfor zone Set to lo0GRETraffic re-injectedUsing PBR/GRE2AGM 1AGM 2SUP 7202 Static RoutesTo zone insertedLo 015Incoming
69、 trafficLoad balanced betweenAGM 1 and AGM 243CISCO 7609Traffic for ZoneDiverted to lo0Equal cost load balancing and Redundancy56 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDAGM: Single Chassis, Dedicated AGM per ZoneInternetStatic routesRedistributed
70、into BGP with next-hopSet for VLAN IPGRETraffic re-injectedUsing PBR/GRE2AGM 1AGM 2SUP 7202 Static RoutesTo zone inserted15Incoming trafficLoad balanced betweenAGM 1 and AGM 243CISCO 7609Traffic for Zone1Diverted to AGM1No Load balancing or redundancyZone1Zone257 2005 Cisco Systems, Inc. All rights
71、reserved.Cisco ConfidentialSession NumberPresentation_IDAGM 2One Zone Multiple Cleaning CentersAGM 1AGM 2SUP 720Lo 1AGM 1SUP 720Lo 1Zone192.168.1.0/24InternetAnycast address Advertised asNext hop to zoneTraffic to zoneDiverted to nearestInstance of CCTraffic re-injectedInto multipoint GRETunnel term
72、inated atEgress CE to zoneAnycast address Advertised asNext hop to zone2113MultipointGRELoad balancing andredundancy58 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDAGM 2Multiple Zones Multiple Cleaning CentersAGM 1AGM 2SUP 720Lo 1AGM 1SUP 720Lo 1Zone192
73、.168.1.0/24InternetTraffic to zoneDiverted to nearestInstance of CC2Anycast address Advertised asNext hop to zone1Anycast address Advertised asNext hop to zone1Traffic re-injectedInto multipoint GRETunnel terminated atEgress CE to zone3MultipointGREZone192.168.2.0/2459 2005 Cisco Systems, Inc. All r
74、ights reserved.Cisco ConfidentialSession NumberPresentation_ID目目录录什么是什么是Clean pipeClean pipe 技技术实现术实现Clean pipe 部署模式部署模式Clean pipe 服服务实务实例例60 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDDDoS攻攻击击防防护护: 4种典型部署模式种典型部署模式Server Server FarmsFarms运运运运营营营营商网商网商
75、网商网络络络络CustomerCustomerCisco Cisco DetectorDetectorOut-of-Out-of-bandbandTransoceanic Transoceanic PeerPeerDownstream Downstream ISPISPInternetInternetASBRASBRCECEASBRASBRASBRASBRPEPEASBRASBRASBRASBRASBRASBRGuard XT/AGMGuard XT/AGM清清清清洁洁洁洁中心中心中心中心 2 2清清清清洁洁洁洁中心中心中心中心 1 1Guard XT/AGMGuard XT/AGM3 3rd
76、rd party detector party detectorSP SOCSP SOCRRRR3. 用用户户网网络络 DDoS 防防护护1.IDC: DDoS 攻攻击击防防护护4. 网网络对络对等点等点 DDoS 攻攻击击防防护护2. 网网络络架构架构 DDoS 攻攻击击防防护护NetflowNetflow61 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID1. 保保护护IDC数据主机中心数据主机中心DetectorISCt a y s5 0Pr py S
77、SPw p tr c s rR IC STSCSSRouterSwitchInternal networkISP ISPGEthernetSwitchDNS ServersWeb, Chat, etc. ServersDetectorAlert运运营营商新的商新的赢赢利模式利模式 保保护护IDC重要客重要客户户, 重重要服要服务务器器基于基于SLA的重点保的重点保护护同同时时可以可以获获得用得用户户流流量特征的量特征的报报告告Guard XT/AGMGuard XT/AGM62 2005 Cisco Systems, Inc. All rights reserved.Cisco Confide
78、ntialSession NumberPresentation_ID2. 安全托管服安全托管服务务: 保保护护商商业业客客户户商商业业客客户户运运营营商新的商新的赢赢利模式利模式 保保护护客客户户的接入网的接入网络络提高企提高企业业客客户户的网的网络络可用性可用性用用户户的流量特征的流量特征报报告告3rd party Detector3rd party DetectorCisco DetectorCleaning Center城域网63 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPr
79、esentation_ID3. 安全托管服安全托管服务务: 网网络对络对等点等点, 保保护护下游下游ISPCleaningCenterPeering Edge骨干网骨干网AS 234Out of BandManagementAS 123Arbor PeakflowSPAS 234下游下游 ISPPeering EdgeNetFlow ExportNetFlow ExportGuard Activation Guard Activation SSHSSHCleaned TrafficCleaned TrafficDirty TrafficDirty Traffic运运营营商新的商新的赢赢利模式利
80、模式“清清洁洁中心中心”在城域网骨干在城域网骨干层层部署部署可以可以远远程清洗流量程清洗流量中心中心统统一一为为多个客多个客户户服服务务3rd party Detector64 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID城域网城域网 BRASATM交交换换网网以太以太交交换换网网汇汇接交接交换换机机接入交接入交换换机机CATV接入网接入网 CMTS4. 对对网网络络架构的架构的DDoS攻攻击击防防护护骨干网骨干网保保护护网网络络本身本身部署在骨干网出口部
81、署在骨干网出口节节点点附近附近 或城域网核心或城域网核心层层与与 NFP一起使用一起使用,保保护护对对数据数据,控制和管理平控制和管理平面的攻面的攻击击保保护护网网络络骨干路由骨干路由设备设备保保护护DNS/DHCP服服务务降低网降低网络络 OPEXGuard XT/AGMGuard XT/AGMGuard Guard XT/AGMXT/AGM65 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID在骨干网在骨干网/城域网的部署城域网的部署1.骨干网骨干网, 可
82、以部署在出口附近可以部署在出口附近, 保保护护整个网整个网络络架构架构, 如路如路由由设备设备, 网网络络运运营营管理中心等管理中心等.2.城域网城域网, 可以部署在核心可以部署在核心汇汇聚聚层层, 保保护护城域范城域范围围的商的商业业客客户户, 以及运以及运营营商自身的商自身的DNS/DHCP/AAA服服务务等等.3.接入网接入网络络, 可以部署在客可以部署在客户户网网络络接入点接入点, 为为客客户户提供提供专专用的服用的服务务.4.IDC: 部署在部署在IDC入口入口, 保保护护IDC用用户户66 2005 Cisco Systems, Inc. All rights reserved.C
83、isco ConfidentialSession NumberPresentation_ID部署部署设计设计考考虑虑因素因素主题主题问题描述问题描述建议建议系统级高可用性系统级高可用性网络的每一个模块都要网络的每一个模块都要有高可用性有高可用性 采用采用NFP保护网络设备保护网络设备 采用清洁中心保护每个骨干设备采用清洁中心保护每个骨干设备网络流量监控网络流量监控DDoS 必须能实时监测必须能实时监测并阻挡并阻挡 Detector 能够实时的发现网络的异常流量能够实时的发现网络的异常流量 Netflow + Arbor SP 在大型广域网的范围使用在大型广域网的范围使用转移和注入转移和注入尽量
84、减少对网络结构的尽量减少对网络结构的影响影响 可以采用可以采用L2, L3的转移方式的转移方式 能支持能支持IP/ MPLS方案适应性方案适应性可扩展可扩展, 能应用不同场能应用不同场合合 可以根据需要可以根据需要, 做集中式或分布式部署做集中式或分布式部署 用堆叠的方式扩充能力用堆叠的方式扩充能力, 并提供冗错功能并提供冗错功能Note: Upcoming SE Presentation and DIG for more considerations and greater details67 2005 Cisco Systems, Inc. All rights reserved.Cisc
85、o ConfidentialSession NumberPresentation_ID目目录录什么是什么是Clean pipeClean pipe 技技术实现术实现Clean pipe 部署模式部署模式Clean pipe 服服务实务实例例68 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDCisco帮助多家运帮助多家运营营商提供商提供DDoS 攻攻击击防防护护可管理服可管理服务务and many othersand many othersNot annou
86、nced:1. DDoS 攻攻击击防防护护可管理服可管理服务务能提供能提供GE 速率的接口速率的接口带带有有SLA协议协议的服的服务务客客户户化的策略化的策略网网络监络监控和控和报报告告2. IDC DDoS攻攻击击防防护护服服务务在在IDC提供提供DDOS攻攻击击防防护护防防护护功能共享功能共享, 节节省省资资源源69 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_IDAT&T: 提供清提供清洁洁中心服中心服务务70 2005 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSession NumberPresentation_ID70 2005 Cisco Systems, Inc. All rights reserved.DDoS Protection SolutionMAY 2005Cisco Public
