
Implementing Distributed Denial of Service (DDoS) System in ABC, Inc. Backbone Network

April 18, 2018  •  4,508 Words (19 Pages)


...

The following should be accomplished after DDoS attack simulation:

- ADM should learn normal PC traffic

- ADM should detect simulated DDoS attack

- AGM should clean the traffic

- Monitor normal and anomalous traffic using MDM

- Traffic logs should be generated in MDM

The test lab will be housed at vendor XYZ. Building the test lab will be done in parallel with the Senior IP Backbone Engineers, and the test environment will serve as their training platform. All issues will be documented by the Senior IP Backbone Engineers and discussed with the IP Planning and Engineering team.

The proof-of-concept phase will mark the start of Phase 2. The project will not move forward if this phase yields a negative result.

Task-2: Anomaly Detector Module (ADM) and Anomaly Guard Module (AGM) installation to Live Network

Anomaly Detector and Guard modules will be installed on the Cisco 7600 routers at the four Network Access Points (NAPs) of the ABC, Inc. Backbone network. This will ensure that all traffic entering the ABC, Inc. network is inspected and cleaned by the DDoS mitigation system. All modules will be delivered and installed by vendor XYZ under the supervision of the IP Backbone Operations team.

Module installation is successful when all modules are reachable from the ABC, Inc. Local Area Network. Basic configuration will be done to make the modules accessible from the Local Area Network.

A pilot site (NAP) will be selected. Once the activity succeeds there, it will be replicated to the remaining three sites. The pilot site should be the one with the fewest ABC, Inc. Internet subscribers, so that the fewest subscribers are affected should an outage occur.

Task-3: Multi-Device Manager (MDM) installation to Live Network

Before the DDoS Multi-Device Manager (MDM) is installed, the ADMs must be properly installed. The MDM server will be delivered by vendor XYZ and installed at the ABC, Inc. Data Center. IP Planning and Engineering will determine all requirements of the location owner (Network Operations Center). MDM software installation will be done by IP Backbone Operations with the guidance of vendor XYZ.

Installation is successful when all ADMs and AGMs are reachable from the MDM. MDM system configuration, such as user access configuration, will then be performed. Configuration will be restricted to the MDM system and should not affect the ADMs and AGMs.

Task-4: Anomaly Detector and Guard modules configuration to Live Network

Routing and switching configurations will be done on the ADM, the AGM and the NAP routers in order to insert the modules logically into the ABC, Inc. Backbone network.

A pilot site (NAP) will be selected, and the configuration will be replicated to the remaining three sites if the pilot site activity is successful.

The routing table of the ADM should be populated; this is used to determine whether the ADM is configured correctly and is able to learn the traffic. Route manipulation can then be used to simulate the traffic behavior expected of the AGM.

Task-5: MDM configuration to Live Network

Once ADM and AGM configuration is completed, the modules should be managed using the MDM, which will be configured to manage them. The ADM monitors traffic to the DNS system, the Email servers and the base stations; these monitored targets are called zones. The zones will be defined at the MDM and their normal traffic will be learned by the ADMs. This learning stage provides the ADM with a baseline of normal traffic. Policies should be set per zone as recommended by vendor XYZ. The policies associated with the zone configuration enable the ADM to detect anomalies.

You enable the learning process to replace the default set of zone policies or to update the current set of zone policies that may not be configured properly to recognize current normal traffic services and volume. When policy thresholds are set too high compared to the current normal traffic volume, the Detector module might not be able to detect traffic anomalies (attacks). When policy thresholds are set too low, the Detector module may mistake legitimate traffic for attack traffic.
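The threshold trade-off described above, as an added example that is not part of the original essay and is not the vendor's algorithm. It assumes a simple rule (mean plus four standard deviations, never below 1.5 times the learned peak) and uses constructed packets-per-second samples for two of the zones:

```python
from statistics import mean, pstdev

# Constructed packets-per-second samples seen during the learning phase.
LEARNING = {
    "dns":   [900, 1100, 1000, 950, 1050, 1200, 980],
    "email": [300, 280, 350, 320, 310, 290, 340],
}
# Constructed test windows; ATTACK holds the indexes of simulated attack windows.
TEST = {"dns": [1000, 1150, 5000, 9000, 1100], "email": [310, 1500, 330]}
ATTACK = {"dns": {2, 3}, "email": {1}}

def learn_threshold(samples, k=4.0, floor_ratio=1.5):
    """Assumed tuning rule: mean + k*stddev, but at least floor_ratio * peak."""
    return max(mean(samples) + k * pstdev(samples), floor_ratio * max(samples))

def classify(threshold, windows):
    """Indexes of traffic windows whose rate exceeds the zone threshold."""
    return [i for i, pps in enumerate(windows) if pps > threshold]

def evaluate(threshold, windows, attack_idx):
    """Compare raised alerts with the windows known to carry attack traffic."""
    alerts = set(classify(threshold, windows))
    return {"missed": sorted(attack_idx - alerts),
            "false_alarms": sorted(alerts - attack_idx)}

def report():
    """Evaluate each zone with its learned threshold and with two bad ones."""
    out = {}
    for zone, samples in LEARNING.items():
        learned = learn_threshold(samples)
        out[zone] = {
            "learned": evaluate(learned, TEST[zone], ATTACK[zone]),
            # Threshold far above normal volume: the attack goes unnoticed.
            "too_high": evaluate(10 * learned, TEST[zone], ATTACK[zone]),
            # Threshold just above the learned mean: normal peaks raise alerts.
            "too_low": evaluate(mean(samples) * 1.02, TEST[zone], ATTACK[zone]),
        }
    return out

if __name__ == "__main__":
    for zone, result in report().items():
        print(zone, result)
```

Applying the DNS threshold to the Email zone misses the 1500 pps window entirely, which is why the baseline has to be learned and the policies set per zone.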

The AGM should be managed through the MDM. Network traffic should be diverted to the AGM (called hijacking) so that the anomalous traffic can be cleaned, and the cleaned traffic is then injected back into the IP Backbone Network. Traffic hijacking and injection will be simulated without simulating the DDoS attack, just to test the flow of traffic when the AGM is put into clean mode using the MDM.

The following are expected output after MDM configuration:

- Zones configuration

- Policy Construction (Learning Phase)

- Threshold Tuning (Learning Phase)

- Traffic hijacking and injection when AGM is in clean mode

- Traffic and activity logs generated

Task-6: DDoS Attack Simulation to Live Network

Vendor XYZ will coordinate a simulated attack through another vendor. The DDoS attack will be generated outside of the ABC, Inc. network and directed at the enumerated zones (DNS system, Email servers and base stations). The rate of anomalous traffic will be defined in advance and should match the logs generated by the MDM. The DDoS attack will be directed at each defined zone individually.

Close coordination with the System Administrators of the zones is required to ensure testing parameters are met. The following are the expected output of the activity:

- Zone services unavailable during the DDoS attack

- ADM detects the anomalous traffic

- Alert generated at MDM that the zone is under attack

- AGM should manually or automatically hijack the traffic, clean it, and inject it back into the IP Backbone network

- 100% service and resource availability of the zone during DDoS attack when AGM is in clean mode

- Traffic and activity logs generated

DDoS mitigation will be performed by IP Backbone Operations under guidance of vendor XYZ.

Task-7: System Acceptance

...
