ANCP Network Anti-Attack Updates

draft-fan-ancp-network-anti-attack-01. IETF 78th, July 25-30, 2010. Bo Wu (wu.bo@zte.com.cn), Liang Fan (fan.liang2@zte.com.cn), Bo Yuan (yuan.bo3@zte.com.cn), ZTE Corporation.


Presentation Transcript


  1. ANCP Network Anti-Attack Updates
     draft-fan-ancp-network-anti-attack-01
     IETF 78th, July 25-30, 2010
     Bo Wu (wu.bo@zte.com.cn), Liang Fan (fan.liang2@zte.com.cn), Bo Yuan (yuan.bo3@zte.com.cn)
     ZTE Corporation

  2. Current Status
     • 01-version updates
       • Add 2 use cases based on comments from last meeting

  3. Problem statement
     • Traditionally, network attacks from subscribers are detected at the NAS site
     • Detection can be done by the NAS or by an additional device, such as a Firewall/DPI box
     • Centralized attack detection & policy enforcement

  4. Case 1: Control Message Attack
     • PPPoE/DHCP control message attack
       • PPPoE PADI, DHCP discover, etc.
       • Could be a fake message or one just replicated from the original
       • Massive number of packets per second
     • Influence on the NAS
       • All control messages will be sent to the control plane
       • This triggers the traffic-management policy on the control plane, but legitimate control messages of the same type are lost as well
       • The NAS will enforce an ACL to rate-limit control packets from the specific subscriber

  5. Example: PADI Packet Attack
     • The attacker sends a large number of PADI packets
     • The NAS receives these packets and sends them to its control plane
     • The PPP control plane on the NAS becomes aware of the abnormal rate of control messages from a specific subscriber
     • The NAS sends the anti-attack policy to the AN

  6. Case 2: DoS Attack
     • DoS attack
       • SYN flood, fraggle, smurf, etc.
       • Directed towards the NAS and the network behind the NAS
       • Usually happens on a large number of hosts (synchronously)
     • Original solution
       • Detected at the NAS site, by an internal or external DPI function module
       • Policies implemented at the NAS site

  7. Example: SYN Flood Attack
     • The attacker sends a large number of SYN packets
     • The NAS becomes aware of the SYN flood attack from the specific subscriber, with or without an external box
     • The NAS sends the anti-attack policy to the AN

  8. Conclusion
     • Use ANCP to dynamically trigger functions currently available on the AN
     • MAC Black/White List
       • Send the MAC black list of the attacking messages, or the MAC white list of the registered MAC addresses, to the AN
       • MAC white list is not applicable to enterprise users
     • MAC Table Size Limitation
       • Enable MAC learning limitation on the AN
     • MAC Rate Limitation
       • Limit the upstream rate of a specific MAC on the AN
       • No influence on other hosts on the same access loop

  9. Next steps
     • Need comments from the working group

     Thank you
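
The NAS-side decision described in slides 5 and 8, as an added example that is not part of the presentation or the draft: it counts PADIs per source MAC and per access loop in a sliding window and picks which AN function to trigger. The thresholds, the policy dictionaries, the loop names and the sample events are all assumptions made for illustration; the ANCP message encoding is not shown.

```python
from collections import defaultdict, deque

# Assumed thresholds, not taken from the draft; tune per deployment.
WINDOW_S = 1.0           # sliding window, seconds
MAX_PADI_PER_MAC = 20    # PADIs per window tolerated from one source MAC
MAX_MACS_PER_LOOP = 8    # distinct source MACs per window tolerated on one loop


def detect_padi_flood(events):
    """events: (timestamp, access_loop, src_mac) per PADI seen by the NAS
    control plane, in time order. Returns the policies to send to the AN
    (hypothetical dicts, not the ANCP wire format)."""
    per_mac = defaultdict(deque)   # (loop, mac) -> PADI timestamps in window
    last_seen = defaultdict(dict)  # loop -> {mac: time of latest PADI}
    issued, policies = set(), []

    def issue(key, policy):
        if key not in issued:      # one policy per offender, not per packet
            issued.add(key)
            policies.append(policy)

    for ts, loop, mac in events:
        stamps = per_mac[(loop, mac)]
        stamps.append(ts)
        while stamps[0] <= ts - WINDOW_S:
            stamps.popleft()
        macs = last_seen[loop]
        macs[mac] = ts
        for old in [m for m, t in macs.items() if t <= ts - WINDOW_S]:
            del macs[old]

        if len(macs) > MAX_MACS_PER_LOOP:
            # Many source MACs on one loop: a per-MAC black list cannot keep
            # up with forged addresses, so cap MAC learning on the loop.
            issue(("loop", loop), {"action": "mac_learning_limit",
                                   "access_loop": loop, "max_macs": MAX_MACS_PER_LOOP})
        elif len(stamps) > MAX_PADI_PER_MAC:
            # One MAC flooding: limit that MAC only, other hosts unaffected.
            issue(("mac", loop, mac), {"action": "mac_rate_limit",
                                       "access_loop": loop, "mac": mac})
    return policies


def sample_events():
    """Constructed PADI arrivals (not captured traffic), in time order."""
    ev = [(i * 0.01, "loop-A", "02:00:00:00:00:01") for i in range(50)]
    ev += [(0.2 + i * 0.01, "loop-B", f"02:00:00:00:01:{i:02x}") for i in range(12)]
    ev += [(0.1, "loop-C", "02:00:00:00:00:02"), (0.9, "loop-C", "02:00:00:00:00:02")]
    return sorted(ev)
```

On the constructed input, loop-A (one MAC at 100 PADIs per second) gets a per-MAC rate limit, loop-B (twelve forged MACs) gets a MAC learning limit, and loop-C (two PADIs from a normal subscriber) gets nothing.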
