A Cisco Guide to Defending Against Distributed Denial of Service Attacks - Cisco

Page 1 of 17

A Cisco Guide to Defending Against Distributed Denial of Service Attacks

Contents

Introduction: The Case for Securing Availability and the DDoS Threat
Categorization of DDoS Attacks and Problems Caused
DDoS Attack General Categories
Volume-Based DDoS Attacks
Application DDoS Flood Attacks
Low-Rate DoS Attacks
Detailed Examples of DDoS Attacks and Tools
Internet Control Message Protocol Floods
Smurf Attacks
SYN Flood Attacks
UDP Flood Attacks
Teardrop Attacks
DNS Amplification Attacks
SIP INVITE Flood Attacks
Encrypted SSL DDoS Attacks
Slowloris
Low Orbit Ion Cannon and High Orbit Ion Cannon
Zero-Day DDoS Attacks
The DDoS Lifecycle
Reconnaissance
Exploitation and Expansion
Command and Control
Testing
Sustained Attack
Network Identification Technologies
User/Customer Call
Anomaly Detection
Cisco IOS NetFlow
Packet Capture
ACLs and Firewall Rules
DNS
Sinkholes
Intrusion Prevention/Detection System Alarms
ASA Threat Detection
Modern Tendencies in Defending Against DDoS Attacks
Challenges in Defending DDoS Attacks
Stateful Devices
Route Filtering Techniques
Unicast Reverse Path Forwarding
Geographic Dispersion (Global Resources Anycast)
Tightening Connection Limits and Timeouts
Reputation-Based Blocking
Access Control Lists
DDoS Run Books
Manual Responses to DDoS Attacks
Traffic Scrubbing and Diversion
Conclusion
References
NetFlow
Reputation Management Tools
Case Studies of DDoS Run Books
DDoS Run Book Templates
`
Introduction: The Case for Securing Availability and the DDoS Threat

Denial of service (DoS) and distributed denial of service (DDoS) attacks have been quite the topic of discussion over the past year since the widely publicized and very effective DDoS attacks on the financial services industry that came to light in September and October 2012 and resurfaced in March 2013.
`
http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html

1/26/2017

ARISTA 1027
Arista v. Cisco
IPR2016-00309

`
The purpose of this white paper is to provide a number of tools, some or all of which may apply to a customer's environment, that can be part of an overall toolkit to help identify and mitigate potential DDoS attacks on customer networks.

The following quotes and excerpts are from several high-profile individuals and organizations that are focused on defending networks from these types of attacks:

"...recent campaigns against a number of high-profile companies—including U.S. financial institutions—serve as a reminder that any cyber security threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it."

"Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world."

The preceding quotes from John Stewart, Cisco Senior Vice President and Chief Security Officer, are eye-opening considering that the miscreants are using the network infrastructure to financially impact organizations and diminish the purpose of this infrastructure.

"The bottom line is that unfortunately, no organization is immune to a data breach in this day and age..."

"We have the tools today to combat cybercrime, but it's really all about selecting the right ones and using them in the right way."

"In other words, understand your adversary -- know their motives and methods, and prepare your defenses accordingly and always keep your guard up..."

These quotes from the Verizon 2013 Data Breach Investigations Report (PDF) speak to the point that organizations are befuddled by the number of technologies, features, and processes available to help defend their networks. There is no one-size-fits-all approach. Each entity must determine which solutions meet its requirements and which help mitigate the threats that concern it.

"The number of DDoS attacks in Q1 2013 increased by 21.75 percent over the same period of last year."

"Attacks targeting the infrastructure layer represented more than a third of all attacks observed during the first three months of 2013."

"What defined this quarter (Q1 2013) was an increase in the targeting of Internet Service Provider (ISP) and carrier router infrastructures..."

While the preceding statements from Prolexic are certainly keeping service providers' (SP) network security experts awake at night, it is a legitimate fear that everyone should possess. If the core of the Internet is impacted by a malicious attack or inadvertent outage, we will all suffer because the Internet has become our lifeblood in terms of how we work, live, play, and learn.

While the actual DDoS attacks garner the headlines, it is imperative that organizations also fully understand the impact of inadvertent, nonmalicious outages. Two recent examples of unintentional events are the GoDaddy DNS infrastructure outage that took place in September 2012 and the CloudFlare outage that occurred in March 2013. Although the details of each event differ, the key message is that each outage occurred on a production network, adversely impacted resources that thousands—if not millions—of people used, and was initially reported in the press as an "attack."

At the heart of many customers' concerns is the ability to protect against DDoS attacks. The focus may revolve around customers' own networks and data, network and data services that customers provide to their own customers, or a combination.

While the network landscape and the nature of the assets that require protection will vary among customers and verticals, the general approach to mitigating DDoS attacks should be relatively similar across every environment. This approach should consist of, at a minimum, developing and deploying a solid security foundation that incorporates general best practices to detect the presence of outages and attacks and obtain details about them.

At Cisco we have been espousing the following six-phase methodology to customers and at training conferences, Cisco Live, Black Hat, CanSecWest, and other venues.

Figure 1. Six-Phase Methodology
`
`
The Service Provider Security white paper provides more information about the six-phase methodology.

Categorization of DDoS Attacks and Problems Caused

DDoS attacks have become a "Swiss army knife" for hacktivists, cyber criminals, and cyber terrorists, and in some cases are used in nation-state attacks.

These attackers and their campaigns are becoming sophisticated. Attackers are using evasion techniques outside of the typical volume-based attacks to avoid detection and mitigation, including "low and slow" attack techniques and SSL-based attacks. They are deploying multivulnerability attack campaigns that target every layer of the victim's infrastructure, including the network infrastructure devices, firewalls, servers, and applications.

In the following subsections, we cover the types of DDoS attacks, common methodologies and tools used, and the impact of each attack.

DDoS Attack General Categories

There are three different general categories of DDoS attacks:

• Volume-based DDoS attacks
• Application DDoS attacks
• Low-rate DoS (LDoS) attacks

Volume-Based DDoS Attacks

In volume-based (or volumetric) DDoS attacks, the attackers typically flood the victim with a high volume of packets or connections, overwhelming networking equipment, servers, or bandwidth resources. These are the most typical DDoS attacks. In the past, volumetric attacks were carried out by numerous compromised systems that were part of a botnet; now hacktivists not only use conventional attack methodologies, but also recruit volunteers to launch these attacks from their own machines. In addition, new waves of huge volumetric attacks are now launched from datacenters of cloud service providers, when attackers either rent or compromise cloud-based systems that have tremendous Internet bandwidth.

A botnet is a gang of Internet-connected compromised systems that could be used to send spam email messages, participate in DDoS attacks, or perform other illegitimate tasks. The word botnet comes from the words robot and network. The compromised systems are often called zombies. Zombies can be compromised by tricking users into making a "drive-by" download, exploiting web browser vulnerabilities, or convincing the user to run other malware such as a trojan horse program. Figure 2 shows an example of a typical botnet.

Figure 2. Botnet Example
`
`
In this example, an attacker controls the zombies to launch a DDoS attack against the victim's infrastructure. These zombies run a covert channel to communicate with the command-and-control server that the attacker controls. This communication often takes place over Internet Relay Chat (IRC), encrypted channels, bot-specific peer-to-peer networks, and even Twitter.

With the advent of cloud services and providers, a new trend has emerged. Attackers are either renting or compromising large datacenter/cloud machines to launch DDoS attacks. Cloud computing is not only creating new opportunities for legitimate organizations; it's also providing a great platform for cyber criminals because it inexpensively and conveniently allows them to use powerful computing resources to do bad things. This concept is illustrated in Figure 3.

Figure 3. Compromised Cloud Servers

Application DDoS Flood Attacks

Application DDoS attacks can target many different applications; however, the most common target HTTP, aiming to exhaust web servers and services. Some of these attacks are characteristically more effective than others because they require fewer network connections to achieve their goal. For instance, an attacker could launch numerous HTTP GETs or POSTs to exhaust a web server or web application.

Other applications, such as Voice over IP (VoIP) and DNS, are also often targeted. Examples of these attacks are covered later in this paper.

Low-Rate DoS Attacks

Low-rate DoS (LDoS) attacks often take advantage of application implementation weaknesses and design flaws. A prime example of these types of attacks is Slowloris, a tool that allows an attacker to take down a victim's web server with minimal bandwidth requirements and without launching numerous connections at the same time. Slowloris will be covered in detail later in this paper.

Detailed Examples of DDoS Attacks and Tools

The following are several examples of the more specific types of DDoS attacks and related tools.

Internet Control Message Protocol Floods

Internet Control Message Protocol (ICMP) flood attacks have existed for many years. They are among the oldest types of DoS attacks. In ICMP flood attacks, the attacker overwhelms the targeted resource with ICMP echo request (ping) packets, large ICMP packets, and other ICMP types to significantly saturate and slow down the victim's network infrastructure. This is illustrated in Figure 4.

Figure 4. ICMP Flood Example
`
`
Smurf Attacks

Another type of ICMP-based attack is a smurf attack. The name smurf comes from the original exploit tool source code, smurf.c, created by an individual called TFreak in 1997. In a smurf attack, an attacker broadcasts a large number of ICMP packets with the victim's spoofed source IP to a network using an IP broadcast address. This causes devices in the network to respond by sending a reply to the source IP address. This exchange is illustrated in Figure 5.

Figure 5. Smurf Attack

This attack can easily be mitigated on a Cisco IOS device by using the no ip directed-broadcast subinterface command, as shown in the following example:

Router(config)# interface GigabitEthernet 0
Router(config-if)# no ip directed-broadcast

Note: Additional mitigation techniques are covered later in this paper.

SYN Flood Attacks

When a host (client) initiates a TCP connection to a server, the client and server exchange a series of messages to establish the connection. This connection establishment is called the TCP three-way handshake. This is illustrated in Figure 6.

Figure 6. TCP Three-Way Handshake
`
`
• The client requests a connection by sending a SYN (synchronize) message to the server
• The server acknowledges this request by sending SYN-ACK back to the client
• The client responds with an ACK (acknowledgement) and the connection is established

In a SYN flood attack, the attacker does not reply to the server with the expected ACK. To do this, the attacker can spoof the source IP address or simply not reply to the SYN-ACK. This is illustrated in Figure 7.

Figure 7. SYN Flood Example

RFC 4987 provides more information about how TCP SYN flood attacks work and common mitigations.

Later in this paper we cover modern techniques for mitigating these types of attacks.
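As an added illustration (not code from the Cisco guide), the following Python model contrasts a stateful listener, whose half-open connection table a spoofed SYN flood fills, with a stateless SYN-cookie listener of the kind described in RFC 4987, which the guide cites. All addresses, ports and the backlog size are constructed, everything runs in-process with no sockets, and the model omits the half-open timeouts a real stack applies.

```python
"""Toy model of the TCP three-way handshake under a SYN flood (added example).

StatefulListener keeps one backlog entry per SYN until the ACK arrives, so SYNs
from spoofed sources that never ACK exhaust the table and later legitimate SYNs
are refused. SynCookieListener encodes the state in the SYN-ACK sequence number
(a SYN cookie, RFC 4987 section 3.6) and validates the returning ACK by
recomputation, so the flood costs one HMAC per packet and no memory.
Half-open timeouts are deliberately omitted; with them, a flood merely has to
keep the backlog full between expiries to achieve the same effect."""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic server: each SYN allocates a backlog slot until its ACK arrives."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open: dict = {}   # 4-tuple -> server ISN (state held per SYN)
        self.established = 0
        self.dropped_syns = 0

    def on_syn(self, ft, _client_isn: int):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1  # backlog full: this SYN gets no SYN-ACK
            return None
        isn = secrets.randbits(32)
        self.half_open[ft] = isn
        return isn                  # sequence number carried in the SYN-ACK

    def on_ack(self, ft, ack_num: int) -> bool:
        isn = self.half_open.get(ft)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[ft]
        self.established += 1
        return True


class SynCookieListener:
    """SYN-cookie server: the SYN-ACK sequence number *is* the state.

    cookie = (timeslot & 0x1F) << 27 | 27 bits of HMAC-SHA256(secret, 4-tuple, timeslot)
    (simplified layout: real stacks also encode an MSS index in the cookie)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.established = 0

    def _cookie(self, ft, slot: int) -> int:
        msg = f"{ft[0]}:{ft[1]}>{ft[2]}:{ft[3]}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, ft, _client_isn: int, now: int) -> int:
        # Never refuses a SYN and allocates nothing: a spoofed flood buys no state here.
        return self._cookie(ft, now)

    def on_ack(self, ft, ack_num: int, now: int) -> bool:
        seq = (ack_num - 1) & MASK32
        for candidate in (now, now - 1):   # accept the current slot and the previous one
            if self._cookie(ft, candidate) == seq:
                self.established += 1
                return True
        return False                       # forged, replayed or stale cookie


def simulate(n_spoofed: int, backlog: int = 128, now: int = 1000):
    """Return (stateful_ok, cookie_ok): whether one legitimate client completes
    the handshake after n_spoofed never-acknowledged SYNs hit each listener."""
    stateful, cookie = StatefulListener(backlog), SynCookieListener()
    victim = ("203.0.113.10", 443)                       # constructed server address
    for i in range(n_spoofed):                           # constructed spoofed sources
        ft = (f"198.51.100.{i % 256}", 1024 + i, *victim)
        stateful.on_syn(ft, 0)
        cookie.on_syn(ft, 0, now)
    legit = ("192.0.2.7", 40000, *victim)                # constructed real client
    isn = stateful.on_syn(legit, 12345)
    stateful_ok = isn is not None and stateful.on_ack(legit, (isn + 1) & MASK32)
    c = cookie.on_syn(legit, 12345, now)
    cookie_ok = cookie.on_ack(legit, (c + 1) & MASK32, now + 1)
    return stateful_ok, cookie_ok


def stale_cookie_rejected(now: int = 1000) -> bool:
    """A cookie issued at `now` must not be accepted two time slots later."""
    srv = SynCookieListener()
    ft = ("192.0.2.8", 40001, "203.0.113.10", 443)
    c = srv.on_syn(ft, 1, now)
    return not srv.on_ack(ft, (c + 1) & MASK32, now + 2)


if __name__ == "__main__":
    print("10 spoofed SYNs -> (stateful, cookie):", simulate(10))
    print("500 spoofed SYNs -> (stateful, cookie):", simulate(500))
```

With 500 spoofed SYNs the stateful listener refuses the legitimate client while the cookie listener still completes its handshake.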
`
UDP Flood Attacks

Similar to TCP flood attacks, the main goal of the attacker when performing a UDP flood attack is to cause system resource starvation. A UDP flood attack is triggered by sending a large number of UDP packets to random ports on the victim's system. The system will notice that no application listens at that port and reply with an ICMP destination unreachable packet. Subsequently, if a large number of UDP packets are sent, the victim will be forced to send numerous ICMP packets. In most cases, these attacks are accomplished by spoofing the attacker's source IP address. Most modern operating systems now limit the rate at which ICMP responses are sent, minimizing the impact and mitigating this type of DDoS attack.

Teardrop Attacks

Teardrop attacks involve sending crafted packets with overlapping, over-sized payloads to the victim system. Modern operating systems are now immune to this attack, but because of a deficiency in the TCP fragmentation and reassembly implementation of older operating systems, this attack caused a crash of those systems.

DNS Amplification Attacks

A Domain Name System (DNS) request can be recursive or nonrecursive (or iterative). Client applications, such as Internet browsers, typically request that the DNS server perform recursion by setting a Recursion Desired (RD) flag in the DNS request packet. If the DNS server cannot answer the request either from its cache or zone information, the server will request assistance from other DNS servers. See Recursive and Iterative Queries for an explanation of this process.

Unfortunately, many recursive name servers accept DNS queries from any source. In addition, many DNS implementations allow recursion by default, even when the name server is anticipated to serve only authoritative requests. This is known as an open resolver. DNS open resolvers are vulnerable to multiple malicious attacks, such as DNS cache poisoning and DDoS attacks.

A DNS amplification attack is the most common DDoS attack that uses recursive name servers, although some DNS amplification attacks may not require a recursive server to be successful. DNS amplification attacks are similar to smurf attacks. In a smurf attack, an attacker can send spoofed ICMP echo requests (type 8) to create a DoS condition. In a DNS amplification DDoS attack, an attacker sends small, spoofed-address queries to an open resolver, causing it to send much larger responses to the spoofed-address target. Subsequently, the resolver contributes to the DDoS attack on spoofed addresses. Figure 8 illustrates the basic steps of a DNS amplification DDoS attack.

Figure 8. DNS Amplification Attack
`
`
The following steps are illustrated in Figure 8:

1. The attacker triggers and directs the compromised machines to begin the attack
2. The compromised machines send a DNS query for the domain example.com and set the source IP address to the victim's IP address
3. The open resolver servers ask the upstream name server(s) the location of example.com
4. The name server sends a reply back to the open recursive servers
5. The open recursive servers send DNS responses to the victim

Note: DNS Best Practices, Network Protections, and Attack Identification provides information about general best practices, network protections, and attack identification techniques that operators and administrators can use for DNS implementations.

Additional modern DDoS mitigation techniques are covered later in this paper.

The Open DNS Resolver Project maintains a list of DNS servers that are known open resolvers.

The Measurement Factory is similar to the Open DNS Resolver Project. It keeps a list of Internet-accessible DNS servers and allows the community to search for open recursive resolvers. It also provides a free tool to test a single DNS server to determine whether it allows open recursion.

DNSInspect is another free web-based tool for testing DNS resolvers.

SIP INVITE Flood Attacks

The Session Initiation Protocol (SIP) is a VoIP standard defined in RFC 3261. SIP INVITE messages are used to establish a media session between user agents. In SIP INVITE flood attacks, the attacker sends numerous (often spoofed) INVITE messages to the victim, causing network degradation or a complete DoS condition.

Encrypted SSL DDoS Attacks

Encrypted (SSL-based) DDoS attacks are becoming more prevalent because they allow attackers to gain the following advantages:

• Encrypted DDoS attacks consume more CPU resources during the encryption and decryption process. Consequently, they amplify the impact on the victim system or network.
• Numerous DDoS mitigation technologies do not support decryption of SSL traffic. A large number of these attacks cannot be scrubbed.

Note: Modern mitigation capabilities for SSL DDoS attacks are covered later in this paper.

Slowloris

Slowloris is an attack tool created by RSnake (Robert Hansen) that tries to keep numerous connections open on a web server. The attack works by opening connections on the victim's server and sending a partial request. Intermittently, the attack sends subsequent HTTP headers. However, the attack never completes the request, keeping these connections open until the victim is unable to process requests from legitimate clients.

Similar attack tools and methodologies exist. The following are a few examples:

• PyLoris
• QSlowloris (a variant of Slowloris for Windows)
• slowhttptest

Low Orbit Ion Cannon and High Orbit Ion Cannon

Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC) have become popular DDoS tools for hacktivist groups such as Anonymous and the Syrian Electronic Army. These tools allow even nontechnical people to create a DDoS attack with a few clicks using their own computers instead of the traditional bot-served attacks.

Zero-Day DDoS Attacks

Zero-day DDoS attacks (often called one-packet-killers) are vulnerabilities in systems that allow an attacker to send one or more packets to an affected system to cause a DoS condition (a crash or device reload). These attacks are often the most stealthy and difficult to detect because they often are unknown to vendors and no patches or workarounds exist. Typically, these types of vulnerabilities and exploits are sold in the underground market, making them one of the biggest threats for any organization. The weaponization of these types of exploits is becoming the new normal for cyber criminals.
`
`
The DDoS Lifecycle

The motives, targets, and scope of a DDoS attack have evolved over the past decade. The primary goal of the attack, however—to deny network users access to resources—has not evolved. The components that make up an attack have not changed much either. To understand the DDoS lifecycle, it is important to first understand the components that make up the infrastructure of an attack. The lifecycle described here focuses primarily on the botnet, or a collection of zombie machines reporting to one or more command-and-control (C2) servers.

Reconnaissance

The beginning of a DDoS attack is characterized by manual or automated attempts to find vulnerable hosts to act as C2 servers or botnet clients. The reconnaissance may come from the attacker in the form of IP probes (also called ping sweeps). These probes can create a smaller list of hosts to probe further with port scans. Port scans provide more information about the host, such as the services offered and the operating system version. The attacker uses this information to determine the easiest way to exploit a vulnerability.

Figure 9. DDoS Reconnaissance

Exploitation and Expansion

After the potential victims are identified, they are targeted for exploitation so that the attacker can control the targeted system. The exploited system can now become a part of the DDoS infrastructure. Depending on the needs of the attacker, the victim machine may become a C2 server, send DDoS traffic, or propagate exploits to other machines. After time has passed, the botnet can grow to thousands, even millions, of hosts.

Figure 10. DDoS Infrastructure Components

It is important to note that not all hosts participating in a DDoS attack are victims of an exploit. Sometimes people who are sympathetic to a political cause willingly install DDoS software to harm a specific target. Likewise, botnets are used for purposes other than DDoS attacks.

Command and Control

Botnets require maintenance. Internet Relay Chat (IRC), a form of real-time text messaging, uses a client/server model and is also a common botnet communication protocol. The zombie clients and the C2 servers must communicate to deliver instructions to the clients, such as timing an attack or updating malware. A peer-to-peer (P2P) botnet model is more difficult to detect and disrupt because the connections are many-to-many, reducing the risk that an offline C2 server will disrupt operations.

Testing

A botnet reaches critical mass when there are enough hosts to generate traffic with enough bandwidth to saturate the victim. When the botnet reaches this point, there will likely be a testing period. Victims of the testing will see a large amount of traffic over a few seconds or minutes. The attacker can assess the effectiveness of the attack and make adjustments prior to creating the sustained attack. Often the traffic in a sustained attack changes over time, and the attacker will test these changes to maximize the impact on the victim.
`
`
Sustained Attack

The attacker determines when to instruct the botnet clients to begin sending traffic to the targeted infrastructure. The main body of the DDoS attack may last from hours to weeks, depending on the motives of the attacker. Layer 7 attacks are becoming more popular, and they come mostly in the form of HTTP GET floods, SSL GET floods, and HTTP POST floods. Amplification attacks are increasing in popularity.

Network Identification Technologies

To be properly prepared to defend the network infrastructure from DDoS attacks, it is extremely important to know as soon as possible that there is anomalous behavior, malicious or otherwise, occurring in the network. Having a pre-emptive awareness of malicious or nefarious behaviors and other incidents in the network will go a long way toward minimizing any downtime that impacts the network's data, resources, and end users.

The following is a partial list of tools and technologies that are available, some of which are probably already present in the network, to help aid in the detection, identification, and subsequent classification of anomalous network events. These tools and technologies will help focus on Indicators of Compromise (IOC).

User/Customer Call

We are all too familiar with the phone call we get from our end user, customer, or even sometimes from our parents and grandparents! It usually starts with "The Internet is down. Can you help me?" Well, in most cases, we can be certain that the entire Internet itself is not down but there is some factor, or factors, that are impeding our ability to connect to the server, application, data, etc. we need to access. Regardless of the specifics of the scenario, we want to prevent an end user from telling us of a problem. Although requests from end users are sometimes the first time we find out about a network problem, we would rather be proactively notified of an issue before the users discover it. The rest of our list will help us do just that.

Anomaly Detection

As with many of these techniques, we need established baselines for network performance. These can include, but are not limited to, bandwidth usage, device CPU utilization, and traffic type breakdowns. It is simply impossible to detect changes in the network baseline if we have not established these baselines.

Networks and network-enabled devices constantly create traffic. However, this traffic follows certain patterns according to application and user behavior. Analyzing these patterns allows us to see what is not normal. The key is to collect traffic information (NetFlow) and calculate various statistics to compare against a baseline. The resulting abnormalities are then analyzed in more detail.

Cisco IOS NetFlow

Cisco IOS NetFlow is a form of network telemetry that Cisco routers and switches can collect locally or push.

Figure 11. Cisco IOS NetFlow

Data provided through NetFlow is similar to information in a phone bill. The user can view who is talking (source and destination IP address) and how long the conversations last (amount of traffic in terms of bytes and packets).

Figure 12 highlights the seven key parameters (as used in NetFlow version 5) that are inspected in each packet to determine whether a new flow should be created. If any of the seven fields differs from flows that have previously been created, a new flow is created and added to the NetFlow cache. The seven fields are as follows:

• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol
• TOS byte
• Input interface

Figure 12. NetFlow Key Parameters
`
`
NetFlow data can be exported from network devices to a variety of open source and commercial NetFlow collection tools. The Cisco Cyber Threat Defense Solution is an effective method of collecting and analyzing NetFlow data. Cyber Threat Defense brings together the work of Cisco and Lancope to quickly and effectively identify anomalous behavior in the network and provide insight into how some of this behavior can be addressed. For more details on this solution, see Cisco Cyber Threat Defense.

NetFlow Output Example: Distributed Denial of Service Attacks Targeting Financial Institutions

Cisco IOS NetFlow data on Cisco IOS routers and switches aided in the identification of IPv4 traffic flows that could have been attempts to perform the DDoS attacks against financial institutions. The following example shows NetFlow output that indicates the types of traffic flows seen during the DDoS events:

router#show ip cache flow
IP packet size distribution (90784136 total packets):
 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
 .000 .698 .011 .001 .004 .005 .000 .004 .000 .000 .003 .000 .000 .000 .000
 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
 .000 .001 .256 .000 .010 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
 1885 active, 63651 inactive, 59960004 added
 129803821 ager polls, 0 flow alloc failures
 Active flows timeout in 30 minutes
 Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
 0 active, 16384 inactive, 0 added, 0 added to flow
 0 alloc failures, 0 force free
 1 chunk, 1 chunk added
 last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 11393421 2.8 1 48 3.1 0.0 1.4
TCP-FTP 236 0.0 12 66 0.0 1.8 4.8
TCP-FTPD 21 0.0 13726 1294 0.0 18.4 4.1
TCP-WWW 22282 0.0 21 1020 0.1 4.1 7.3
TCP-X 719 0.0 1 40 0.0 0.0 1.3
TCP-BGP 1 0.0 1 40 0.0 0.0 15.0
TCP-Frag 70399 0.0 1 688 0.0 0.0 22.7
TCP-other 47861004 11.8 1 211 18.9 0.0 1.3
UDP-DNS 582 0.0 4 73 0.0 3.4 15.4
UDP-NTP 287252 0.0 1 76 0.0 0.0 15.5
UDP-other 310347 0.0 2 230 0.1 0.6 15.9
ICMP 11674 0.0 3 61 0.0 19.8 15.5
IPv6INIP 15 0.0 1 1132 0.0 0.0 15.4
GRE 4 0.0 1 48 0.0 0.0 15.3
Total: 59957957 14.8 1 196 22.5 0.0 1.5
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.10.201 Gi0/1 192.168.60.102 06 0984 0050 1
Gi0/0 192.168.11.54 Gi0/1 192.168.60.158 06 0911 0035 3
Gi0/1 192.168.150.60 Gi0/0 10.89.16.226 06 0016 12CA 1
Gi0/0 192.168.10.17 Gi0/1 192.168.60.97 11 0B89 0050 1
Gi0/0 10.88.226.1 Gi0/1 192.168.202.22 11 007B 007B 1
Gi0/0 192.168.12.185 Gi0/1 192.168.60.239 11 0BD7 0050 1
Gi0/0 10.89.16.226 Gi0/1 192.168.150.60 06 12CA 0016 1
router#

In the preceding example, there are multiple flows for UDP port 80 (hex value 0050). In addition, there are also flows for TCP port 53 (hex value 0035) and TCP port 80 (hex value 0050).

The packets in these flows may be spoofed and may indicate an attempt to perform these attacks. It is advisable to compare the flows for TCP port 53 (hex value 0035) and TCP port 80 (hex value 0050) to normal baselines to aid in determining whether an attack is in progress.

As shown in the following example, to view only the packets on UDP port 80 (hex value 0050), use the show ip cache flow | include SrcIf|_11_.*0050 command to display the related Cisco NetFlow records.

UDP Flows

router#show ip cache flow | include SrcIf|_11_.*0050
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.12.110 Gi0/1 192.168.60.163 11 092A 0050 6
Gi0/0 192.168.11.230 Gi0/1 192.168.60.20 11 0C09 0050 1
Gi0/0 192.168.11.131 Gi0/1 192.168.60.245 11 0B66 0050 18
Gi0/0 192.168.13.7 Gi0/1 192.168.60.162 11 0914 0050 1
`
`
Gi0/0 192.168.41.86 Gi0/1 192.168.60.27 11 0B7B 0050 2
router#
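As an added example (not part of the guide), the Python below parses flow-record lines in the show ip cache flow layout shown above, applies the UDP-to-port-80 selection that the include SrcIf|_11_.*0050 filter performs, and compares per-destination flow counts with a baseline, which is the comparison the guide recommends for the TCP port 53 and TCP port 80 flows. The sample router output and the baseline figures are constructed for this example.

```python
"""Parse `show ip cache flow` flow records and compare them to a baseline (added example).

The record columns are: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts,
with the protocol number and both ports printed in hexadecimal (11 = UDP 17,
06 = TCP 6, 0050 = port 80, 0035 = port 53). The sample below is constructed in
that layout with RFC 1918 addresses; it is not output from the guide."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
router#show ip cache flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.12.110 Gi0/1 192.168.60.163 11 092A 0050 6
Gi0/0 192.168.11.230 Gi0/1 192.168.60.163 11 0C09 0050 1
Gi0/0 192.168.11.131 Gi0/1 192.168.60.163 11 0B66 0050 18
Gi0/0 192.168.13.7 Gi0/1 192.168.60.163 11 0914 0050 1
Gi0/0 192.168.41.86 Gi0/1 192.168.60.163 11 0B7B 0050 2
Gi0/0 192.168.12.185 Gi0/1 192.168.60.162 11 0BD7 0050 1
Gi0/0 192.168.10.201 Gi0/1 192.168.60.102 06 0984 0050 1
Gi0/0 192.168.11.54 Gi0/1 192.168.60.158 06 0911 0035 3
Gi0/0 10.88.226.1 Gi0/1 192.168.202.22 11 007B 007B 1
router#
"""

# Constructed stand-in for the per-host flow counts a NetFlow collector would
# have learned for UDP/80 during normal operation (HTTP is TCP, so any UDP/80
# baseline is expected to be near zero).
BASELINE = {"192.168.60.163": 1, "192.168.60.162": 1, "192.168.60.102": 4}


@dataclass(frozen=True)
class FlowRecord:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int      # IP protocol number, decoded from the hex Pr column
    src_port: int   # decoded from the hex SrcP column
    dst_port: int   # decoded from the hex DstP column
    pkts: int


# Matches one flow-record line; the prompt, column header and statistics lines
# fail the dotted-quad test in the second column and are skipped.
_RECORD = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flow_records(text: str) -> list[FlowRecord]:
    """Extract FlowRecord objects from `show ip cache flow` output."""
    records = []
    for line in text.splitlines():
        m = _RECORD.match(line.strip())
        if not m:
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = m.groups()
        records.append(FlowRecord(src_if, src_ip, dst_if, dst_ip,
                                  int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return records


def select_flows(records, proto: int, dst_port: int) -> list[FlowRecord]:
    """Structured equivalent of `include SrcIf|_11_.*0050`.

    The IOS regex matches '0050' anywhere after the protocol column, so a flow
    *from* port 80 would match too; this version keys on DstP only."""
    return [r for r in records if r.proto == proto and r.dst_port == dst_port]


def flows_per_destination(records, proto: int, dst_port: int) -> Counter:
    """Number of distinct flows per destination host for one protocol/port pair."""
    return Counter(r.dst_ip for r in select_flows(records, proto, dst_port))


def flag_anomalies(observed: Counter, baseline: dict, factor: float = 3.0) -> dict:
    """Hosts whose flow count exceeds `factor` times their baseline.

    A host absent from the baseline counts as 0, so any flow to it is flagged."""
    return {ip: n for ip, n in observed.items() if n > factor * baseline.get(ip, 0)}


if __name__ == "__main__":
    recs = parse_flow_records(SAMPLE_OUTPUT)
    udp80 = flows_per_destination(recs, 17, 80)
    print("UDP/80 flows per destination:", dict(udp80))
    print("Above baseline:", flag_anomalies(udp80, BASELINE))
```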
`
Packet Capture

Whereas NetFlow can provi