MegaRocker1987
Jul 4, 2014, 01:34 AM
The Three Methods an ISP Uses to Defend Against DoS and DDoS
JULY 17, 2013 by Ted, Sr Network InfoSec Engineer
When I worked at a Tier 1 Internet Service Provider (ISP), I had three methods to handle DoS and DDoS attacks: blackhole routes, upstream filtering and cloud-based mitigation. In this article, I will explain what each of these methods does and when you would use them, along with their benefits and detriments.
Blackhole Route
A blackhole route is used to discard traffic at the ISP’s edge routers — the traffic is dropped when it enters the network. A blackhole route works by injecting a static route into the network with a specific community string. Some ISPs allow the customer to inject blackhole routes for their own network blocks.
The propagation of the blackhole route is very quick, making it a very efficient way to deal with a saturated network circuit. The downside, however, is that the IP addresses under attack are now completely unavailable from the Internet. In effect, the ISP has “completed” the attack against the server in question. Although this is undesirable for the affected customer, it may be necessary to protect your other customers.
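A worked example of the customer-triggered blackhole described above, added here and not part of the original article: the customer side announces the attacked host as a /32 carrying the blackhole community, and the ISP side maps that community to a next hop that every edge router discards. Addresses, AS numbers and policy names are constructed (documentation ranges); 65535:666 is the well-known BLACKHOLE community from RFC 7999, but many ISPs use their own value, so confirm it with the provider.

```text
! Customer side (AS 64496, constructed): announce the attacked host as a /32
! tagged with the ISP's blackhole community. 65535:666 is the well-known
! BLACKHOLE community (RFC 7999); many ISPs use their own value instead.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
ip prefix-list CUST-AGG seq 5 permit 203.0.113.0/24
ip community-list standard BLACKHOLE permit 65535:666
!
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 65535:666
!
route-map TO-ISP permit 10
 match ip address prefix-list CUST-AGG
route-map TO-ISP permit 20
 match community BLACKHOLE
!
router bgp 64496
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map TO-ISP out
!
! To end the blackhole, remove the static route; BGP withdraws the /32.
!
! ISP side (AS 64500, constructed): customer routes carrying the community
! get a next hop that every edge router statically discards, so the
! traffic is dropped where it enters the network. Without sequence 10 the
! /32 would fail the normal aggregate-only import policy.
ip route 192.0.2.254 255.255.255.255 Null0
!
ip prefix-list CUST-64496-BH seq 5 permit 203.0.113.0/24 le 32
ip prefix-list CUST-64496-AGG seq 5 permit 203.0.113.0/24
ip community-list standard BLACKHOLE permit 65535:666
!
route-map FROM-64496 permit 10
 match community BLACKHOLE
 match ip address prefix-list CUST-64496-BH
 set ip next-hop 192.0.2.254
 set community no-export additive
route-map FROM-64496 permit 20
 match ip address prefix-list CUST-64496-AGG
!
router bgp 64500
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 route-map FROM-64496 in
```

The prefix-list on the ISP side is what keeps a customer from blackholing address space it does not own; the `no-export` tag keeps the /32 inside the ISP's network.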
Upstream Filtering
Upstream filtering takes place when an ISP places an access control list (ACL) on the router upstream from the customer’s router. The ACL is applied in the outbound direction on the ISP’s edge router interface peered with the customer’s router. This method is very effective against single source DoS attacks and DDoS attacks that are not specifically targeting a service the customer provides, such as a website.
Upstream filtering is ineffective, however, against DDoS attacks directed at a specific customer’s service. Additionally, if there is no communication between the customer and the ISP engineer to provide feedback, determining the vector of the attack can consume a significant amount of time. The ACL can only be applied on the network (IP) and transport (TCP/UDP) layers to stop the attack. The ISP engineer will have no visibility into the application (web/email) layer, nor will he/she be able to mitigate traffic at that layer. Moreover, if the attack is causing impact to the ISP infrastructure, you may have to resort to blackholing the IP to protect the infrastructure or service.
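An added example (not from the original article) of the upstream ACL described above, placed outbound on the ISP edge interface facing the customer. The attacking host, the customer prefix and the interface name are constructed, and the NTP rule rests on the stated assumption that the customer runs no NTP service.

```text
! ISP edge router, constructed example. The ACL is applied outbound on the
! interface facing the customer, so it drops attack traffic before it
! reaches the customer circuit. Addresses are documentation ranges.
ip access-list extended CUST-64496-DOS
 remark single-source flood: drop everything from the attacking host
 deny ip host 198.51.100.7 203.0.113.0 0.0.0.255
 remark assumption: the customer runs no NTP server, so NTP replies
 remark (source port 123, i.e. reflection traffic) aimed at its prefix are
 remark dropped; this also stops the customer's own NTP clients syncing
 deny udp any eq 123 203.0.113.0 0.0.0.255
 remark an HTTP flood against the customer's web server cannot be filtered
 remark here: at L3/L4 it is indistinguishable from the legitimate port-80
 remark traffic permitted below, which is the limit the article describes
 permit tcp any 203.0.113.0 0.0.0.255 eq 80
 permit ip any any
!
interface GigabitEthernet0/1
 description customer AS 64496
 ip access-group CUST-64496-DOS out
!
! Check the hit counters to confirm the deny rules are matching the attack
! (this is the feedback loop the article says the engineer needs):
! show ip access-lists CUST-64496-DOS
```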
Cloud-Based Mitigation
A few ISPs provide DDoS cloud mitigation services, which is a premium service often offered on a subscription basis. Here, the ISP will either (1) reroute the traffic via a Border Gateway Protocol (BGP) announcement to direct the traffic into a scrubbing center or (2) offer the customer an alternate IP address to point their Domain Name System (DNS) entry at.
Once the traffic is redirected, the malicious requests are removed (or “scrubbed”) and the “clean” traffic is sent to the customer using a Generic Routing Encapsulation (GRE) tunnel, Multiprotocol Label Switching (MPLS) or a reverse web proxy. The GRE tunnel requires configuration on the customer end, whereas MPLS does not. In contrast, a DNS redirection only requires changing one or more DNS records, something that customers should be able to do.
The tunnel options are usually reserved for protecting large sections of a customer’s network, such as an entire /24, whereas a DNS redirection can be as small as a single address. The scrubbing centers can scrub the traffic at the application level, which is a preferred method due to its highly focused nature, but more brute-force methods are also at their disposal.
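An added example (not from the original article) of the customer-end configuration the GRE return path needs when the BGP-diversion option is used for a whole /24. Tunnel endpoints, the uplink address and the interface names are constructed; the MTU and MSS values are a conservative choice that leaves room for the GRE header.

```text
! Customer side, constructed example: the scrubbing center (tunnel endpoint
! 198.51.100.1) announces the customer's 203.0.113.0/24 upstream, cleans the
! traffic and forwards it over GRE. The customer router decapsulates it;
! return traffic to the Internet leaves via the normal uplink (asymmetric),
! so the customer must not keep announcing the /24 directly during mitigation.
interface Tunnel0
 description clean traffic from ISP scrubbing center
 ip address 10.255.0.2 255.255.255.252
 tunnel source 192.0.2.2
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! GRE adds an outer IP and GRE header, so clamp MTU/MSS to avoid
 ! fragmentation or black-holed large packets inside the tunnel
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Only the scrubbing center may deliver GRE to the uplink (assumption:
! 192.0.2.2 is the customer's uplink address). Otherwise anyone could
! encapsulate traffic in GRE and bypass the scrubbing entirely.
ip access-list extended OUTSIDE-IN
 permit gre host 198.51.100.1 host 192.0.2.2
 deny gre any any
 permit ip any any
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 192.0.2.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

Verify the tunnel is up and passing traffic with `show interfaces Tunnel0` before the scrubbing center starts announcing the prefix, otherwise the diversion itself takes the customer offline.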
I hope this has provided a good overview of how DoS and DDoS attacks can be mitigated. With an understanding of the methods, the pros and the cons of each, you will be able to select the best option for the situation at hand.