Arbor Multi-Layer Cloud DDoS Protection
Nurfedin Zejnulahi, Arbor Consultant
Who is Arbor Networks?

Ten+ Years of Innovation
- Founded from DARPA grant
- Over 40 networking and security patents

500+ of the World's Most Demanding Networks
- Across all continents
- Service providers, hosters, Fortune 50 companies
- Largest financials and online giants

Trusted Experts Globally
- Over 400 employees across all continents
- >50% in Engineering, Service and Support
- Best-in-class support experts, global infrastructure

Global ATLAS
- 290+ worldwide sensors
- Analyzing >160 Tb of data per second
- Monitoring over 260K malware families

Notes: Arbor best kept secret. 2000: U of M DARPA grant. 450 customers in 60 countries: ISPs, hosters, enterprises. DDoS solutions, global intelligence, distributed systems. DDoS at the beginning in 2000 when taking govt websites down; traffic and routing of Internet infrastructure. This history allows Arbor to take a look back
Enterprise Incident Response
DDoS attacks can be very large
[Figure: Largest (Gbps) / longest reported DDoS attack, Worldwide Infrastructure Security Report, 2005 to 2014.]
Targets of Application-Layer Attacks
DDoS Attack Types
Most DDoS Attacks are relatively short and small
DDoS: the case of Morocco (January 2015)
Stopping Attacks in the Right Place
[Diagram labels: Internet; scrubbing center with Peakflow SP/TMS (cloud-based DDoS protection); Cloud Signaling; data center with Pravail APS, firewall, IPS, load balancer, target applications & services (CPE-based DDoS protection).]
Arbor Cloud: Global Availability
4 strategically placed scrubbing centers each with scrubbing capacity:
- East Coast
- West Coast
- Central Europe
- Asia

Notes: Point out that the field have been running mitigations for their customers…this is not a new service for us, it’s a new product – but we are well versed in the business practices that are delivered with a cloud service.
Customizable Service Options
Traffic re-routing mechanisms

DNS reroute
- DNS A records are modified by customer to point attacked FQDN to Arbor Cloud
- Full DNS proxy in cloud will route clean traffic to its destination
- Full proxy requires traffic in both directions
- Clean Traffic = Inbound + outbound traffic

BGP reroute
- Must divert a minimum of a /24 subnet
- Arbor requires 3 days to register routes with Internet Registry
- If customer only has a /24, then customer must de-announce the route when Arbor announces it
- Traffic returned via GRE
- Clean Traffic = Inbound traffic only

[Diagram labels: Arbor Cloud with DNS proxy; ISP networks; GRE; enterprise networks with Arbor’s DDoS Protection Appliance on-site. Normal traffic: green. Redirect: red.]
Traffic Diversion Options
[Diagram labels: DNS (proxy) and BGP (GRE) diversion paths; ISP networks; enterprise networks with Pravail APS.]
DNS Diversion Option
- DNS A records are modified to point attacked FQDN to Arbor Cloud
- Full Proxy will route clean traffic to its original destination or customer-defined IP address
- Full Proxy redirects traffic in both directions
- Clean Traffic = Maximum of inbound or outbound traffic

[Diagram labels: Internet; proxy; ISP network; enterprise network with Pravail APS.]
BGP Diversion Option
- May need to divert a minimum of a /24 subnet
- Arbor requires 3 days to register routes with Internet registry
- Traffic returned via GRE
- Clean Traffic = Inbound only

[Diagram labels: Internet; GRE; ISP network; enterprise network with Pravail APS.]
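A planning check for the BGP diversion rules stated on the slides (a /24 is the smallest divertible block; a customer that only has a /24 must de-announce it), added here as an example and not Arbor's own code. The function names, the sample prefixes and the longest-prefix-match reasoning for customers with a larger block are assumptions of this example.

```python
import ipaddress

MIN_PREFIXLEN = 24  # slides: "Must divert a minimum of a /24 subnet"

def plan_bgp_diversion(customer_routes, attacked_ips):
    """Return {attacked_ip: (prefix_to_divert, customer_action)}.

    customer_routes: IPv4 prefixes the customer announces today.
    attacked_ips:    distinct IPv4 addresses under attack.
    """
    routes = [ipaddress.ip_network(r) for r in customer_routes]
    plan = {}
    for raw in attacked_ips:
        ip = ipaddress.ip_address(raw)
        covering = [r for r in routes if ip in r]
        if not covering:
            plan[raw] = (None, "address is outside the announced space")
            continue
        # Most specific route the customer itself announces for this address.
        own = max(covering, key=lambda r: r.prefixlen)
        if own.prefixlen > MIN_PREFIXLEN:
            plan[raw] = (None, f"{own} is smaller than a /24, cannot divert")
            continue
        divert = ipaddress.ip_network(f"{ip}/{MIN_PREFIXLEN}", strict=False)
        if own.prefixlen == MIN_PREFIXLEN:
            # Slides: a customer with only a /24 must de-announce it.
            action = "de-announce own /24 while the cloud announces it"
        else:
            # Assumption: the cloud's /24 is more specific than the
            # customer's route, so longest-prefix match diverts traffic.
            action = "keep own route; cloud /24 is more specific"
        plan[raw] = (str(divert), action)
    return plan

def collateral_hosts(plan):
    """Count addresses swept into scrubbing beyond the attacked ones."""
    prefixes = {p for p, _ in plan.values() if p}
    targets = sum(1 for p, _ in plan.values() if p)
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes) - targets

# Constructed sample data (documentation / benchmarking address ranges).
ROUTES = ["198.18.0.0/22", "203.0.113.0/24"]
ATTACKED = ["198.18.1.10", "198.18.1.20", "203.0.113.5", "192.0.2.1"]

if __name__ == "__main__":
    result = plan_bgp_diversion(ROUTES, ATTACKED)
    for ip, (prefix, action) in result.items():
        print(f"{ip:15} divert={prefix} -> {action}")
    print("collateral addresses:", collateral_hosts(result))
```

The collateral count shows the cost of the /24 minimum: every other address in the diverted block also takes the scrubbing-center and GRE return path for the duration of the mitigation.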
Reporting
Customers have four ways of accessing statistics for their incidents (mitigations):
- Via the Service Reporting Portal
- Via incident (mitigation) reports emailed out within two business days of incident termination
- Via automated update reports sent hourly during an incident (mitigation)
- Via a two-hourly update to a mitigation ticket, done by the customer specialist team
DDoS Mitigation with Arbor Cloud
When you subscribe to Arbor Cloud, you will:
- receive a Provisioning Questionnaire that you can use to provide all information relevant to your protected services
- review the questionnaire with Arbor SOC during the Orientation Call
- receive a Welcome Pack document with all the service’s details
- receive a welcome email with your Arbor Cloud portal access credentials
DDoS Mitigation with Arbor Cloud
After the orientation call:
- a test mitigation will be scheduled
- the purpose of the test mitigation is to:
  - make sure that traffic diversion and reinjection work as expected
  - analyze production traffic and fine-tune the mitigation policy

Arbor recommends that test mitigations are performed every six months, to verify that all is working as expected even if no attacks are detected.
DDoS Mitigation with Arbor Cloud
The portal includes the customer’s configuration data
ATLAS Global Threat Analysis and Monitoring System
[Diagram labels: E-mail spam traps; botnet reconnaissance tool; world's largest distributed honeypot; sensors; public intelligence.]

Notes: The ATLAS Global Threat Analysis and Monitoring System is actively monitoring more than 160 Tbps or 1/3 of all internet traffic 24/7. ATLAS is a collaborative project with more than 275 ISP customers sharing anonymous traffic data through e-mail spam traps, botnet reconnaissance tools, the world's largest distributed honeypot, globally dispersed sensors and publicly shared intelligence.
Thank You