Large-Scale Edge DDoS Protection

Presentation transcript:

Large-Scale Edge DDoS Protection Sean Newman Director Product Management

Is DDoS Still on the increase?

Timeline slide spanning 1993 … 2005, 2007, 2009, 2011, 2013, 2015, 2016, 2017, 2018 and "2019 ??"; events shown on it:

- 500 Gbps Hong Kong attack
- France swarmed after terror attack
- PlayStation & Xbox hit at Christmas
- Mirai Botnet: OVH / Krebs / DYN, 600 Gbps -> 1 Tbps
- Memcached: GitHub, 1.35-1.7 Tbps
- Anon hits Church of Scientology
- Spamhaus attack: reported to reach 310 Gbps
- Rio Olympics: 540 Gbps
- Spammers discover botnets
- Reaper Botnet: 2M devices
- First Hacktivists: Zapatista National Liberation Army
- ProtonMail attack
- Estonia: Parliament, banks, media, Estonia Reform Party
- Coordinated US bank attacks: grew to 200 Gbps, and continue today
- DoS for Notoriety

DDoS Evolution in 2018

- High Bandwidth: memcached exceeds 1 Tbps, routinely > 100 Gbps
- Botnets: Mirai (and its many known variants); IoT (100s of millions of easy-to-recruit devices)
- Multivector: 10+ vectors, Additive + Variation + Spray/Subnet
- Booter/Stresser Services: the "10 minute" attack and pulsed attacks

Frequent DDoS Trend Continues…

Frequent, low-volume, short-duration attacks dominate! (Chart figures on the slide: 40%, 7, 77%, 94%.) However…

Source: Corero H1 2018 Trend Report: https://www.corero.com/resources/reports/h1-ddos-trends-report/

SP/Telco DDoS Scrubbing Protection

Diagram: DDoS attacks arriving from transit/peering, mixed with good traffic destined for subscribers, enter the Service Provider network at the SP ingress from transit/peering. Netflow Detect runs out-of-band. Traffic leaves at the egress to subscribers, where the DDoS victims sit.

SP/Telco DDoS Scrubbing Redirect

Diagram: DDoS attacks arriving from transit/peering, mixed with good traffic destined for subscribers, enter at the SP ingress from transit/peering. Netflow Detect (out-of-band) triggers a BGP redirect of the victim's traffic to the Service Provider Scrubbing Capacity (<10% of edge capacity); good traffic is tunneled back to the edge or to the customer, then leaves at the egress to subscribers.

Note: some providers will have multiple scrubbing centers for geographic, redundancy or backhaul reasons.

SP/Telco Large DDoS Attack Blackhole

Diagram: a large DDoS attack from transit/peering enters at the SP ingress from transit/peering. Netflow Detect (out-of-band) triggers a BGP RTBH (remotely triggered blackhole) because the attack exceeds the Service Provider Scrubbing Capacity (<10% of edge capacity). Good traffic is blocked by the blackhole along with the attack, so at the egress to subscribers the customer is offline for the attack duration.

Note: some providers will have multiple scrubbing centers for geographic, redundancy or backhaul reasons.

Scrubbing Approach Increasingly Challenged

Chart (Size of Attack against Number of Attacks):

- Provider Edge Capacity: 100s of Gbps to multiple Terabits/sec
- Blackhole Zone (attacks above scrubbing capacity): Provider RTBH mitigation, manual instantiation of blackholes with the target offline for the duration of the attack; more and more attacks mitigated with blackhole
- Scrubbing Zone (attacks within Provider Scrubbing Capacity): partial protection only; scrubbing capacity needs to increase (needs to be > 10% of edge capacity)

Scrubbing Redirect Challenges

DDoS attacks over scrubbing capacity succeed!

Detection: Flow Monitoring vs Sampled Mirror
- Flow Monitoring: aggregation delay, attack overload, header only
- Sampled Mirror: immediate forwarding, scales with attack, header and payload

Mitigation: BGP/RTBH/FlowSpec vs ACL Filters
- BGP/RTBH/FlowSpec: BGP propagation, limited visibility
- ACL Filters: rapid configuration, streaming telemetry

New Opportunity for Edge Mitigation

Diagram: NOC/SOC and Network Edge. Ingress traffic is sampled-mirrored (1:N, tuple + payload) and streaming telemetry is exported to the NOC/SOC, which runs Monitor -> Inspect -> Detect -> Report / Signal -> Mitigate, within seconds. Detection feeds Filter Generation (tuple + payload); the resulting Dynamic Filters (tuple + payload) are applied at the edge, so mitigation happens before the egress traffic.

Full Edge Capacity Mitigation

Chart (Size of Attack against Number of Attacks):

- Provider Edge Capacity: 100s of Gbps to multiple Terabits/sec
- Blackhole Zone: <1% of attacks need to be blackholed
- Provider Edge Mitigation Zone (100% Edge Protection): leverage real-time data and analytics to deliver intelligent automation; scales to tens of Terabits of DDoS protection; >90% of attacks mitigated at the Provider Edge
- Scrubbing Zone (Provider Scrubbing Capacity): <10% of attacks redirected to scrubbing

Provider Edge DDoS Protection

Diagram: DDoS attacks arriving from transit/peering (Internet) are dropped at the SP ingress from transit/peering, on the edge devices of the Service Provider; only good traffic continues to the edge or customer and leaves at the egress to subscribers.

Example Edge Filtering with Juniper MX

- Matching firewall-type rules with defined actions
- Filters entered manually, or programmatically via the NETCONF API
- Unique ID for each filter provides statistics via remote telemetry
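The detect-then-filter loop of the last two slides (sampled mirror in, dynamic edge filter out), as an added example that is not part of the presentation and is not Corero's or Juniper's code. It assumes a 1:1000 sampled mirror, a one-second detection window, a 1 Gbps per-signature alarm threshold, a filter named DDOS-EDGE-IN applied inbound on an interface xe-0/0/0, and constructed sample records; the filter statements it emits use standard Junos `set firewall family inet filter` syntax.

```python
"""Added example (not from the presentation or any vendor): detect a
reflection/amplification signature in a sampled mirror feed and emit the
Junos MX 'set' statements for a matching discard term with its own counter.
Sampling rate, window, threshold, filter/term/interface names and all sample
records are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_RATE = 1000             # assumed 1:N sampled mirror, N = 1000
WINDOW_SECONDS = 1             # assumed length of the window the samples cover
THRESHOLD_BPS = 1_000_000_000  # assumed per-signature alarm level: 1 Gbps

Signature = Tuple[str, str, int]  # (destination IP, protocol, source port)


@dataclass(frozen=True)
class Sample:
    """One sampled packet header from the mirror feed (constructed format)."""
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    length: int    # bytes on the wire


# Constructed samples: 100 UDP packets from source port 11211 (the memcached
# reflection pattern) from many reflectors towards one subscriber, plus a
# little legitimate HTTPS and DNS traffic that must stay untouched.
SAMPLES: List[Sample] = (
    [Sample(f"198.51.100.{i % 250 + 1}", "203.0.113.10", "udp", 11211, 40000 + i, 1400)
     for i in range(100)]
    + [Sample("192.0.2.7", "203.0.113.10", "tcp", 443, 51515, 600),
       Sample("192.0.2.9", "203.0.113.11", "udp", 53, 33333, 120)]
)


def estimate_bps(samples: Iterable[Sample], rate: int = SAMPLE_RATE,
                 window: int = WINDOW_SECONDS) -> Dict[Signature, float]:
    """Scale sampled bytes back to an estimated line rate per signature.

    Keying on (dst, proto, sport) captures reflection floods: the stable
    element is the reflector's service port, not the spoofed source address
    or the randomised victim-side port.
    """
    sampled_bytes: Dict[Signature, int] = defaultdict(int)
    for s in samples:
        sampled_bytes[(s.dst, s.proto, s.sport)] += s.length
    return {sig: b * rate * 8 / window for sig, b in sampled_bytes.items()}


def detect_signatures(samples: Iterable[Sample],
                      threshold: float = THRESHOLD_BPS) -> List[Signature]:
    """Return every signature whose estimated rate is at or above threshold."""
    rates = estimate_bps(samples)
    return sorted(sig for sig, bps in rates.items() if bps >= threshold)


_term_ids = count(1)  # source of the unique per-filter id


def junos_filter_term(sig: Signature, filter_name: str = "DDOS-EDGE-IN",
                      term_id: Optional[int] = None) -> List[str]:
    """Junos 'set' statements for one discard term with a unique term id.

    The counter carries the same name as the term, so the statistics for this
    filter can be read back (e.g. over telemetry) under that one identifier.
    """
    dst, proto, sport = sig
    tid = next(_term_ids) if term_id is None else term_id
    term = f"ddos-{tid:04d}"
    base = f"set firewall family inet filter {filter_name} term {term}"
    return [
        f"{base} from destination-address {dst}/32",
        f"{base} from protocol {proto}",
        f"{base} from source-port {sport}",
        f"{base} then count {term}",
        f"{base} then discard",
    ]


def build_mitigation(samples: Iterable[Sample], filter_name: str = "DDOS-EDGE-IN",
                     ingress_interface: str = "xe-0/0/0") -> List[str]:
    """One discard term per detected signature, a terminating accept term, and
    the filter applied inbound on the (assumed) transit/peering interface.
    Without the final accept term Junos would discard all unmatched traffic."""
    commands: List[str] = []
    for sig in detect_signatures(samples):
        commands += junos_filter_term(sig, filter_name)
    commands.append(
        f"set firewall family inet filter {filter_name} term allow-rest then accept")
    commands.append(
        f"set interfaces {ingress_interface} unit 0 family inet filter input {filter_name}")
    return commands


if __name__ == "__main__":
    print("\n".join(build_mitigation(SAMPLES)))
```

The emitted statements can be pasted into the CLI or pushed programmatically over NETCONF, which is the automation path the slide describes. Two caveats a practitioner would keep in mind: term order matters, so new discard terms must be inserted ahead of the terminating accept term rather than appended after it; and matching on the reflector's service port also drops any legitimate replies from that service to the victim, which is why the term is scoped to the victim /32 and should be withdrawn once the counter shows the flood has stopped.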

Summary

- DDoS as a whole still on the increase
  - Attack methods/vectors more sophisticated
  - Emerging trend for an increase in the number of larger attacks
- Traditional Scrubbing/RTBH protection is inadequate
  - Typically too slow to react to avoid damage, or completes the attack (blackholing takes the target offline)
  - Wastes core network bandwidth backhauling junk DDoS traffic
- New opportunity for protection on network edge devices
  - Leverage the built-in power of the latest infrastructure devices
  - No need to insert new devices at every ingress point
  - Deliver always-on protection at edge capacity, up to unprecedented scale
  - Can operate as an overlay to existing scrubbing centers
  - Deploy filters automatically from the DDoS protection solution

Questions?

Thank You!