Cisco企业DDOS安全防护解决方案

1©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigrationEnterpriseSolutionsCISCODDoSMITIGATIONENTERPRISESOLUTIONSFebruary15,2005222©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsIntegratedSecuritySecureConnectivitySystemSecuretransportofapplicationsacrossnumerousnetworkenvironmentsTrustandIdentityManagementSystemContextualidentitymanagementforpolicyenforcement,networkentitlement,andtrustThreatDefenseSystemCollaborationofsecurityandnetworkintelligenceservicestominimizeimpactofbothknownandunknownthreatsPRIVACYPROTECTIONCONTROLManagementandAnalysisFoundationforSelf-DefendingNetworks333©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsExecutiveSummary•DetectsANDMITIGATESthebroadestrangeofdistributeddenialofservice(DDoS)attacks•HasthegranularityandaccuracytoENSUREBUSINESSCONTINUITYbyforwardinglegitimatetransactions•DeliversperformanceandarchitecturesuitablefortheLARGESTENTERPRISESANDPROVIDERS•AddressesDDoSattackstoday,anditsNETWORK-BASEDBEHAVIORALANOMALYCAPABILITYwillbeextendedtoadditionalthreats444©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsDDoSVulnerabilitiesMultipleThreatsandTargetsPeeringpointPOPISPBackboneAttackedserverAttackombies:UsevalidprotocolsSpoofsourceIPMassivelydistributedVarietyofattacksEntiredatacenter:•Servers,securitydevices,routers•E-commerce,Web,DNS,e-mail…Providerinfrastructure:•DNS,routers,andlinksAccessline555©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsTHEDDoSPROBLEM666©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutions•Nonessentialprotocols(e.g.,ICMP)•100sofsources•10Kpackets/secondScaleofAttacksSophisticationofAttacksTwoscalingdimensions:•Millionsofpackets/second•100Ksofzombies•Essentialprotocols•Spoofed•10Kofzombies•100Kpackets/second•CompoundandmorphingPastPresentEmergingPotentiallyrandomTargetedeconomicPublicitydrivenMainstreamcorporationsHigh-profiletargetsNichetargetsAttackEvolutionStrongerandMoreWidespread777©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutions“Muchlargerattacknetworkthananythingbefore.Thishorsepowercouldtakedownthousandsofbigsites…atthesametime,andkeepthemdownforquiteawhile.”“MyDoomTasteofVirusestoCome,SaysSecurityAnalyst”Reuters,February3,2004888©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsSecurityChallengesSabotageSystemPenetrationWebSiteDefacementMisuseofPublicWebApplicationTelecomFraudUnauthorizedAccessLaptopTheftFinancialFraudAbuseofWirelessNetworkInsiderNetAbuseTheftofProprietaryInfo0$871,000$901,500$958,100$2,747,000$3,997,500$4,278,205$6,734,500$7,670,500$10,159,250$10,601,055$11,460,000$26,064,0505M10M20M25M30MDenialofService2004CSI/FBIComputerCrimeandSecuritySurveySource:ComputerSecurityInstituteTotalLossesfor2004—$141,496,5602004:269RespondentsDollarAmountofLossbyTypeofAttack(CSI/FBI2004Survey)TheCostofThreats999©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutions“E-bizSitesHitWithTargetedAttacks”“16%oftheattacksagainste-commercesiteswereidentifiedastargeted.Lastyear,only4%wereaimedatspecificsites.”•ComputerWorld,September27,2004“ExtortionschemesthatuseattacksliketheoneagainstAuthorize.Netarebecomingmorecommon...definitelytargeted,ransom-typeattacks,andthere'sgoingtobealotmoreofthem.”•JohnPescatore,GartnerInc.ComputerWorld,September27,2004101010©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsDDoSIsaBusinessIssueImpactsRevenueandCustomerRetentionNotjustdowntime:•Lostcustomers•Damagedreputations•ContractualliabilitiesOnlinepaymentsystembadlydisruptedforthreedaysbymaliciousDDoSattack.Worldpay’srivalsattemptedtopoachonlineretailcustomersduringtheattackbyoffering“emergencyservices”111111©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsSOLUTIONOVERVIEW121212©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsAuthenticatedAccessDataIntegrityAVAILABILITYAVAILABILITYDDoSSolutionCompletesSecurityinDepth•Addressesneedto“secureavailability”ofinfrastructureNetworkbehavior-basedsolutionrequiredtostopDDoSDoesnotuseattacksignatures—catchesday-zeroattacks•ComplementsandstrengthensoverallsecuritysolutionFirewall,IPS,SSL,andantivirusaswellascontentswitchingEfficientsequentialeliminationofdifferentlevelsofthreats131313©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsDDoSProtectionCiscoServiceModulesFCS1QCY05AttackDETECTIONtosupporton-demand,sharedscrubbingMonitorsCOPYOFTRAFFICCiscoAnomalyGuardModuleCiscoTrafficAnomalyDetectorModuleAttackANALYSISANDMITIGATIONDivertstrafficflowsforON-DEMANDSCRUBBING141414©2005CiscoSystems,Inc.Allrightsreserved.CiscoDDoSMitigationEnterpriseSolutionsCiscoDDoSProductFamilyCiscoGuardXT5650CiscoTrafficAnomalyDetectorXT5600DDoSMitigationCiscoAnomalyGuardModuleDDoSDetectionCiscoTrafficAnomalyDetectorModuleMaximumdeploymentflexibility.Similarfunctionalityandperformance.Interoperableformixeddeplo