DDoS Protection, An Inside Look The 3 main types of attacks Will I be victim ? Why Us ? The Top 3 Misconceptions Fact vs Fiction A Realistic Defense

The 3 Main Types of Attack ‣ # 1 Big and Dumb - UDP, ICMP floods ‣ Attackers try to overwhelm your available Bandwidth resources  Y our ISP or Carrier may “Null route you” If your attack is disruptive to their network A good ISP or carrier will filter this out for you Although it still happens it is rarely the cause for outages Unfortunately it may be combined with other types of attack ‣ Consider having all non-essential traffic(ports) denied, as part of normal operations

The 3 Main Types of Attack There are a variety of good DDoS mitigation devices available today for 10-60K Beware of false positives, keep the rate limiting “loose “or just right ‣ #2 SYN Floods ‣ Syn type floods try to overwhelm CPU, Memory, OS limitations or Network gear

The 3 Main Types of Attack ‣ #3 Layer 7 attacks ‣ HTTP get attacks, CPU intensive, slows web server to a crawl * Sometimes hard to even detect, leads to misdiagnoses * Low bandwidth, low PPS Requires large(2K-200K+) Botnet Existing off the shelf mitigation gear is not very effective

‣ Our Observations over the last 12 months ending May 2010 The 3 Main Types of Attack UDP/ICMP flood only attacks account for less than 10% of total number of attacks SYN Flood only type attacks, account for less than 30% of total attacks Layer 7 only type attacks account for approximately 60 % of total attacks 80% of all attacks have 2 or more of the above components 80% of all attacks have a layer 7 component

Will I Be a Victim ? Why us ? ‣ Given the number of attacks VS number of websites Overall risk is still very low, but very unpredictable Renting Botnets are cheap and easy to operate (see control panel sample) 30% of attacks are sector targeted, 5-25 websites of similar nature are attacked at the same time. i.e. Jewelry, Electronics, Car Parts, Fitness Gear, etc The perpetrator is most likely a competitor trying to gain market share 40% are High risk sectors E-gaming, Social/Dating Networks, Online Pharmacies, Investment Info, Payment processors, etc The perpetrator is most likely a disgruntled customer or competitor Extortion is sometimes involved, but rare 30% are “one offs” No Logical reason

Rent-a-Bot Botnet control panel ‣ Can be rented for less Than $100.00/day ‣ Easy to operate Will I Be a Victim ? Why us ?

The Top 3 Misconceptions Fact vs Fiction ‣ #1 My Firewall/DDoS device will handle anything There is no easy to operate off-the-shelf box that will effectively stop all types of attacks in real-time ‣ #2 My engineers are brilliant and will be able to stop anything In reality most technical staff have very little experience in real world DDoS attacks Attack intensities and types change too often ‣ #3 My Hosting/Network provider will help me Most hosting providers are ill equipped to handle all types of attacks on an ad-hock basis Can be too time intensive for many hosting providers They will not risk network disruptions to other customers/ collateral damage

A Realistic Defense A simple layered approach UDP ICMP TCP UDP ICMP TCP TCP port * 80 * TCP port 443 * TCP/SYN * layer 7 attacks TCP port * 80 * TCP port 443 * layer 7 attacks Legitimate TCP requests Have your provider filter Everything except TCP port 80/443 Buy a box that has good SYN protection 1 million PPS + Use a reverse proxy and/or cache array

ONLINE DEMO