
1 Cisco Confidential © 2012 Cisco and/or its affiliates. All rights reserved. Cisco ASR 9000 vDDoS Solution Protection. Vikash Sharma, PM, Cisco Systems; Jorge Escobar, Technical Architect, Arbor Networks

2 "All Specifications Subject to Change without Notice"
Agenda:
- Introduction to DDoS
- DDoS Threat Landscape
- ASR 9000 Router Overview
- vDDoS Solution Overview
- vDDoS Solution Positioning
- vDDoS Deployment Scenarios

3 INTRODUCTION TO DDoS

4 What is a Distributed Denial of Service (DDoS) attack?
- An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit a lack of infrastructure capacity
- Targets the availability and utility of computing and network resources
- Attacks are almost always distributed for even more significant effect (hence DDoS)
- The collateral damage caused by an attack can be as bad as, if not worse than, the attack itself
DDoS attacks affect availability! No availability, no applications/services/data/Internet! No revenue!
DDoS attacks are attacks against capacity and/or state!

5 DDoS attacks can consist of just about anything:
- Large quantities of raw traffic designed to overwhelm a resource or infrastructure
- Application-specific traffic designed to overwhelm a particular service, sometimes stealthy in nature
- Traffic formatted in such a way as to disrupt a host's normal processing
- Traffic reflected and/or amplified through legitimate hosts
- Traffic from compromised sources or from spoofed IP addresses
- Pulsed attacks (start/stop attacks)
DDoS attacks can be broken out by category.

6 Traffic Floods
- Exhaust resources by creating high bps or pps volumes
- Overwhelm the infrastructure: links, routers, switches, servers
TCP resource exhaustion
- Exhaust resources in servers, load balancers, firewalls or routers
Application Layer
- Take out specific services or applications

7 Any part of your network or services that is vulnerable to an attack: Network Interfaces, Infrastructure, Firewall/IPS, Servers, Protocols, Applications, Databases. Attackers will find the weakness.


9 Survey charts (source: Arbor Networks, Inc.):
- Attack frequency (attacks per month): 0: 6%; 1-10: 40%; 11-20: 16%; 21-50: 7%; 51-100: 9%; 101-500: 9%; >500: 13%
- Multi-vector DDoS attacks experienced: Yes 42%; Do not know 36%; No 23%
- Survey peak attack size year over year, 2002 to 2014 (Gbps): annotated peaks at 10 Gbps, 100 Gbps and 400 Gbps

10 Figure labels: Customer Facing; Infrastructure; Business Services; 3rd Party

11 17% of all DDoS attacks target stateful devices, which include stateful defenses like firewalls, IPSs and WAFs. 35% of all DDoS attacks affect the firewall or IPS.

12 Data Center DDoS Business Impact (survey respondents; source: Arbor Networks, Inc.): Operational Expense 81%; Revenue Loss 44%; Customer Churn 33%; Employee Turnover 2%; Other 14%

13 Confidentiality, Integrity, Availability. The primary goal of DDoS defense is maintaining availability in the face of attack.

14 Maintaining availability in the face of attack requires a combination of skills, architecture, operational agility, analytical capabilities and mitigation capabilities which most organizations simply do not possess.
- In practice, most organizations never take availability into account when designing/specifying/building/deploying/testing online apps/services/properties
- In practice, most organizations never make the logical connection between maintaining availability and business continuity
- In practice, most organizations never stress-test their apps/services stacks in order to determine scalability/resiliency shortcomings and proceed to fix them
- In practice, most organizations do not have plans for DDoS mitigation, or if they have a plan, they never rehearse it!

15 ASR 9000 OVERVIEW

16 ASR 9000 highlights:
- Optimized for aggregation of dense 100GE
- Next-generation linecards shipping today: 40 to 800 Gbps edge services cards; 1.2 Tbps cards available in Q4 CY '15
- Based on IOS-XR and Cisco PRIME for nonstop availability and manageability
- Industry-leading operational savings and management with Cisco nV technology
- Industry-leading infrastructure security

17 Cisco ASR 9000: Service Edge Foundation. Key Edge Market Roles:
1. High-End Aggregation & Transport: Mobile Backhaul, CMTS Aggregation, L2/Metro Aggregation, DSLAM Aggregation, Video Distribution & Services
2. Cloud Gateway Router: DC Interconnect, DC WAN Edge, WEB/OTT
3. Services Router: Business Services, Residential Broadband, Converged Edge/Core, Enterprise WAN
Diagram labels: Business CPE; Mobile Backhaul (2G/3G, LTE); Residential Triple Play (Cable, DSL, WiFi); Access & Pre-Aggregation; Media, Cloud/Hosting, Mobile Services; Massively Scalable & Virtualized Multi-Tenant Data Centers; Elastic Core

18 ASR 9000 VSM
Data Center Compute:
- 4 x Intel 10-core x86 CPU
- 2 x Forwarding Engine for hardware network processing
- 120 Gbps of raw processing throughput
HW Acceleration:
- 40 Gbps of hardware-assisted crypto throughput
- Hardware assist for Reg-Ex matching
Virtualization:
- Hypervisor (KVM)
- Service VM life cycle management integrated into IOS-XR
- SDN SDK for 3rd-party apps
Diagram: OS / Hypervisor; VMM; four service VMs (VM-1 to VM-4), each hosting one service

19 vDDoS SOLUTION OVERVIEW

20 Arbor Peakflow Threat Management System (TMS): #1 in DDoS Attack Protection Products. Cisco ASR 9000 with Virtual Services Module (VSM): #1 in Network Infrastructure Products.

21 Cisco and Arbor Networks: Best of Breed
- Cisco and Arbor have teamed to integrate the Arbor Peakflow DDoS solution into the industry-leading Cisco ASR 9000 platform
- For customers looking for a distributed architectural solution at the edge, the core or both, to thwart attacks at the point of entry
- Solution ideal for service providers and enterprise customers
- Higher scale (40 Gbps per VSM) with tiered licensing options
- Solution benefits are architectural superiority, simplicity and unified management
Diagram labels: INTERNET; Transit / Peer Edge; MOBILE SUBSCRIBERS & DEVICES; DATA CENTER & CLOUD SERVICES; MOBILE NETWORK; BROADBAND SUBSCRIBERS; BUSINESS CUSTOMERS; CUSTOMER EDGE
- Customer Edge: 64% experienced attacks towards their customers
- Data Center: 94% of data center operators experienced attacks
- Mobile Edge: 60% of providers experienced outages from a DDoS attack

22 Components: Virtualized Arbor Peakflow SP, and the ASR 9000 VSM running Arbor Peakflow TMS. The ASR 9000 exports NetFlow statistics to Peakflow SP.
Arbor Peakflow SP (formerly known as Collector Platform, CP):
- Collects flow records
- Detects abnormal network behavior and triggers alerts
- Can influence the routing, injecting BGP routes in the network
- Supports BGP FlowSpec as a controller
- Sets up and monitors the TMS remotely
Arbor Peakflow SP Threat Management System (TMS):
- Configured by the SP, receives diverted traffic and proceeds to in-depth packet analysis
- Discards the attack packets and transmits the legitimate ones
- Provides real-time monitoring info to operators
Availability as marked on the slide: Available July 2015; Available now
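The detection step the collector performs (slide 22), together with the three attack categories of slide 6, as an added Python example. This is not Cisco or Arbor code and does not reproduce Peakflow's detection logic; it assumes a 60-second collection window, constructed per-destination baselines, constructed NetFlow-like records and illustrative thresholds, and shows how per-destination bps/pps, SYN-only ratio and port concentration separate a raw flood, a TCP state-exhaustion attack and an application-layer flood.

```python
"""Flow-based DDoS detection and classification (added example, not Cisco or Arbor code).

Aggregates constructed NetFlow-like records per destination over a window,
compares them with a constructed baseline, and classifies anomalies into the
three categories the deck uses. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 60  # assumed length of the collection window in seconds

TCP, UDP = 6, 17
SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits as carried in NetFlow tcp_flags


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: int = 0


# Per-destination baselines "learned" from normal traffic (constructed values).
BASELINE = {
    "203.0.113.10": {"bps": 50e6, "pps": 8_000},
    "203.0.113.20": {"bps": 20e6, "pps": 3_000},
    "203.0.113.30": {"bps": 10e6, "pps": 1_000},
    "203.0.113.40": {"bps": 10e6, "pps": 1_500},
}


def aggregate(flows):
    """Fold flow records into per-destination counters for the window."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "tcp_pkts": 0, "syn_only": 0,
                               "srcs": set(), "ports": defaultdict(int)})
    for f in flows:
        a = agg[f.dst]
        a["pkts"] += f.packets
        a["bytes"] += f.bytes
        a["srcs"].add(f.src)
        a["ports"][f.dport] += f.packets
        if f.proto == TCP:
            a["tcp_pkts"] += f.packets
            # SYN without ACK: connection attempts that never complete
            if f.tcp_flags & SYN and not f.tcp_flags & ACK:
                a["syn_only"] += f.packets
    return agg


def classify(dst, a, baseline, flood_factor=5.0):
    """Return an alert dict for one destination, or None if traffic is within baseline."""
    base = baseline.get(dst)
    if base is None or a["pkts"] == 0:
        return None
    bps = a["bytes"] * 8 / WINDOW_S
    pps = a["pkts"] / WINDOW_S
    alert = {"dst": dst, "bps": round(bps), "pps": round(pps), "sources": len(a["srcs"])}

    # 1. Traffic flood: raw bps or pps far above what this destination normally sees.
    if bps > flood_factor * base["bps"] or pps > flood_factor * base["pps"]:
        return {**alert, "category": "traffic_flood"}

    # 2. TCP resource exhaustion: moderate volume, but almost all TCP is SYN-only,
    #    which fills connection tables on servers, load balancers and firewalls.
    if a["tcp_pkts"] and a["syn_only"] / a["tcp_pkts"] > 0.8 and pps > 2 * base["pps"]:
        return {**alert, "category": "tcp_state_exhaustion"}

    # 3. Application layer: modest volume concentrated on one service port from
    #    many sources, the stealthy case the deck warns about.
    top_port, top_pkts = max(a["ports"].items(), key=lambda kv: kv[1])
    if top_pkts / a["pkts"] > 0.9 and len(a["srcs"]) >= 50 and pps > 1.5 * base["pps"]:
        return {**alert, "category": "application_layer", "port": top_port}
    return None


def detect(flows, baseline=BASELINE):
    """Run aggregation and classification; returns {dst: alert} for anomalies only."""
    alerts = {}
    for dst, a in aggregate(flows).items():
        alert = classify(dst, a, baseline)
        if alert:
            alerts[dst] = alert
    return alerts


def sample_flows():
    """Constructed flow records for one 60 s window: three attacks and one quiet host."""
    flows = []
    # SYN flood from 2000 spoofed sources toward 203.0.113.10:443 (40-byte SYNs).
    for i in range(2000):
        flows.append(Flow(f"172.16.{i // 256}.{i % 256}", "203.0.113.10", TCP, 443, 1000, 40_000, SYN))
    # UDP flood toward 203.0.113.20: 200 sources, large packets, raw volume.
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i % 254 + 1}", "203.0.113.20", UDP, 53, 50_000, 70_000_000))
    # HTTPS request flood toward 203.0.113.30 from 200 established clients.
    for i in range(200):
        flows.append(Flow(f"198.51.100.{i % 254 + 1}", "203.0.113.30", TCP, 443, 600, 300_000, PSH | ACK))
    # Normal traffic toward 203.0.113.40 from 20 clients.
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.40", TCP, 443, 300, 180_000, PSH | ACK))
    return flows


if __name__ == "__main__":
    for dst, alert in detect(sample_flows()).items():
        print(dst, alert)
```

The ordering of the checks matters: a flood is tested first because its bps/pps alone justify diversion, whereas the state-exhaustion and application-layer cases sit below the volumetric threshold and are only visible through composition (SYN-only share, port concentration, source count), which is why a collector needs the per-flow detail and not just interface counters.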

23 Service Provider or Enterprise
Protect service and network infrastructure from attack:
- Mitigate where the ASR 9000 is already deployed (peering edge or core)
- Reduce backhaul costs and the risk of network congestion during an attack
Launch MSSP DDoS protection services:
- Leverage investment in infrastructure protection
Protect the datacenter:
- Deployment directly in the edge router
- Used in conjunction with the Arbor Cloud service for large attacks
Augment existing scrubbing capacity:
- Deploy additional mitigation capacity at key locations where the ASR 9000 is located

24 vDDoS SOLUTION DEPLOYMENT SCENARIOS

25 ASR9K + VSM/TMS; Peakflow SP; Netflow + SP/TMS communication
- SP detects the DDoS attack based on Netflow
- Configures VSM/TMS as needed via the ASR
- Redirection of traffic to the TMS: the TMS uses BGP via the backplane to get the traffic; MPLS configured via the ISP
- Good traffic re-injection: sent back out via the ASR
- Challenge traffic: the TMS is a normal source IP sending traffic via the backplane
- Blacklisting in the ASR (HW)*
- VSM/TMS can handle one or more customers
* Not in first release

26 ASR9K + VSM/TMS; Peakflow SP; Netflow + SP/TMS communication
- SP detects the DDoS attack based on Netflow
- Configures VSM/TMS as needed via the ASR
- Redirection of traffic to the TMS: the TMS uses BGP via the backplane to get the traffic; MPLS configured via the ISP
- Good traffic re-injection: GRE tunnel over the backplane, or MPLS
- Challenge traffic: the TMS is a normal source IP sending traffic via the backplane
- Blacklisting in the ASR (HW)*
- VSM/TMS can handle one or more customers
* Not in first release
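The diversion and re-injection sequence of slides 25 and 26 as an added Python example; it is not Cisco or Arbor code and does not model the VSM backplane. The node names (edge, tms, customer-pe, upstream), the customer prefix 203.0.113.0/24 and the victim address are assumptions. It shows why the slides call out a GRE or MPLS tunnel for re-injection: the more-specific route that pulls the victim's traffic into the TMS would pull the clean traffic back in again if the TMS simply handed it to the same routing table.

```python
"""BGP diversion to a scrubbing element and clean-traffic re-injection (added example).

The collector injects victim/32 with the TMS as next hop, the edge router's
longest-prefix match diverts only that host, and clean traffic must leave the
TMS through a tunnel that bypasses the diverting router's lookup. Node names,
prefixes and addresses are constructed.
"""
import ipaddress


class Fib:
    """Minimal longest-prefix-match table: prefix -> next-hop node name."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def build_edge_fib():
    """Steady-state FIB of the edge router before any attack."""
    fib = Fib()
    fib.add("203.0.113.0/24", "customer-pe")  # customer aggregate, learned normally
    fib.add("0.0.0.0/0", "upstream")
    return fib


def start_diversion(fib, victim):
    """Collector-side action: announce victim/32 with the TMS as next hop."""
    fib.add(f"{victim}/32", "tms")


def stop_diversion(fib, victim):
    """Withdraw the more-specific route once the attack ends."""
    fib.withdraw(f"{victim}/32")


def deliver(fib, dst, reinject_via_tunnel, max_hops=6):
    """Walk one clean packet from the edge router; return (path, delivered)."""
    path = ["edge"]
    node = "edge"
    while len(path) < max_hops:
        if node == "edge":
            node = fib.lookup(dst)  # ordinary FIB lookup on the diverting router
        elif node == "tms":
            # Attack packets are dropped inside the TMS; this one passed inspection.
            # Tunnel re-injection hands it to the customer side directly; without
            # the tunnel it re-enters the edge router and hits the /32 again.
            node = "customer-pe" if reinject_via_tunnel else "edge"
        elif node == "customer-pe":
            return path, True
        else:
            return path, False
        path.append(node)
    return path, False  # hop budget exhausted: the packet is looping


def scenario(victim="203.0.113.10", neighbour="203.0.113.11"):
    """Run the sequence from the slides and collect each forwarding outcome."""
    fib = build_edge_fib()
    out = {"before": deliver(fib, victim, False)}
    start_diversion(fib, victim)
    out["diverted_no_tunnel"] = deliver(fib, victim, False)
    out["diverted_tunnel"] = deliver(fib, victim, True)
    out["neighbour_during"] = deliver(fib, neighbour, False)
    stop_diversion(fib, victim)
    out["after"] = deliver(fib, victim, False)
    return out


if __name__ == "__main__":
    for name, (path, ok) in scenario().items():
        print(f"{name:20s} {' -> '.join(path):40s} delivered={ok}")
```

The neighbour case is the other property worth checking in a real deployment: only the /32 is diverted, so the rest of the customer's /24 keeps its normal path. A caveat that goes beyond the slides: the diversion /32 is normally tagged (for example with the no-export community) so it never leaves the mitigation domain, otherwise peers could learn a host route that points into the scrubber.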

27 ASR9K + VSM/TMS; Peakflow SP; Netflow + SP/TMS communication
- Traffic always inspected
- Done via permanent redirections
- Works like local and long diversion redirections
- Can be combined with normal (temporary) redirection
- For the same and/or multiple customers

28 Cisco ASR 9000 vDDoS Protection "Powered By Arbor Networks": Arbor Peakflow on the ASR 9000 with Virtual Services Module (VSM). Architectural Superiority; Unified Management; Scalable Performance; Reduced OPEX; Flexible Deployment

29 Schedule a session with your Cisco representative to:
1. Review your DDoS mitigation strategy
2. Show how you can offer DDoS mitigation as a service
3. Schedule a network assessment for DDoS

30 Thank you.

