Black Hole Filtering
This is a common technique that is very efficient. Typically it needs to be done in conjunction with your ISP. Remotely Triggered Black Hole (RTBH) filtering provides the ability to drop undesirable traffic before it enters a protected network. It uses BGP host routes to steer traffic heading to victim servers to a null0 next hop, where it is discarded. RTBH has several variations, but one stands out and is worth special mention: performing RTBH with your ISP (check with your ISP for support; they should offer it) lets them drop the traffic in their cloud for you, preventing a DoS on your pipe. Black hole filtering is a large topic; if you're interested in learning more about it I'd suggest reading the whitepaper Remotely Triggered Black Hole filtering (RTBH).
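To make the mechanism concrete, here is an added Cisco IOS configuration sketch of the in-house RTBH variant described above (a trigger router advertising a host route whose next hop is a discard address that every edge router routes to Null0). It is example configuration written for this page, not taken from the whitepaper or from any vendor document, and it assumes a trigger router and edge routers in a single iBGP AS 65001 (an assumed number), the route tag 66 as the trigger marker, the discard address 192.0.2.1 and the victim address 203.0.113.10 (both from the RFC 5737 documentation ranges).

```text
! ---- Trigger router (assumed AS 65001) ----
! Discard address: any traffic whose next hop resolves to it is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Only statics tagged 66 (the assumed trigger tag) become black-hole routes.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
!
router bgp 65001
 redistribute static route-map RTBH-TRIGGER
!
! ---- Every edge router (assumed AS 65001) ----
! The same discard route must exist here, otherwise the advertised
! next hop is unresolvable and the black-hole route is never installed.
ip route 192.0.2.1 255.255.255.255 Null0
!
! ---- Operator action on the trigger router during the attack ----
! Advertises 203.0.113.10/32 with next hop 192.0.2.1; edges drop it.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
! ---- Removal after the attack ----
no ip route 203.0.113.10 255.255.255.255 Null0 tag 66
```

Two things a practitioner should keep in mind. First, the /32 is dropped at every edge, so the victim host is completely unreachable while the route is in place; RTBH protects the pipe and the rest of the network, not the targeted server. Second, the ISP-based variant works the same way except that the trigger route carries a black-hole community the ISP has agreed to honour (RFC 7999 defines the well-known BLACKHOLE community, 65535:666, for this purpose, but the community and prefix-length policy are whatever your ISP specifies), and the ISP's routers discard the traffic before it reaches your link.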
Cisco IPS 7.0 Source IP Reputation Filtering
Cisco recently released the IPS 7.0 code upgrade, which includes a feature called Global Correlation. In a nutshell, Global Correlation checks the reputation score of every source IP address it sees. If the source's reputation is bad, the IPS sensor can drop the traffic or raise the Risk Rating value of a signature hit. Here is Cisco's description of what Global Correlation does:
IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data into its system to detect and prevent malicious activity even earlier.
You can configure Global Correlation so that your sensors are aware of network devices with a reputation for malicious activity, and can take action against them.
One of the ways Cisco refines the SensorBase is by taking in feeds from the deployed Cisco 7.0 IPS sensors. Companies can choose to opt in or out of the program.
The SensorBase that the Cisco IPS uses covers many threat categories, two of which are Botnet harvesters and previous DoS offenders. Therefore, when you are under a Botnet DDoS attack, the sensor drops all of the traffic coming from bad-reputation sources. This check happens before the signatures are evaluated and is very inexpensive in terms of the sensor's resources (CPU, backplane, etc.), which makes it an ideal method to use during a DDoS attack. It is also why the Cisco IPS checks the SensorBase before processing its IPS signatures.
Many Botnet DDoS attacks use SSL to your web servers, which helps the attacker hide his payload from any inspection engines you may have. However, because Global Correlation only uses the reputation score of the source IP address to make its decision, it has no issues defending against SSL DDoS attacks. No other IPS vendor has added reputation to their IPS solution, so they would be unable to defend against any form of SSL DDoS attack. Some IPS vendors do have the ability to look inside SSL packets by decrypting them on the fly. However, that process is too expensive in the IPS's resources (CPU, backplane, memory, etc.) to be used during a DDoS attack; it would simply move the traffic bottleneck to the sensor itself.
Of course, if the DDoS attack is saturating your link this tactic likely won't work. But if the attack is only overwhelming some servers and not all of your bandwidth, then it works great. Global Correlation is not a silver bullet, but rather another tool in your toolbox.