Large-Scale Edge DDoS Protection


Presentation on theme: "Large-Scale Edge DDoS Protection"— Presentation transcript:

1 Large-Scale Edge DDoS Protection
Sean Newman Director Product Management

2 Is DDoS Still on the increase?
[Timeline figure; axis years: 1993, 2005, 2007, 2009, 2011, 2013, 2015, 2016, 2017, 2018, 2019 ??. Event labels: 500 Gbps Hong Kong attack; France swarmed after terror attack; PlayStation & Xbox hit at Christmas; Mirai Botnet OVH / Krebs / DYN 600 Gbps -> 1Tbps; Memcached GitHub Tbps; Anon hits Church of Scientology; Spamhaus attack: Reported to reach 310 Gbps; Rio Olympics 540 Gbps; Spammers discover botnets; Reaper Botnet 2M Devices; First Hacktivists: Zapatista National Liberation Army; ProtonMail attack; Estonia: Parliament, banks, media, Estonia Reform Party; Coordinated US bank attacks: Grew to 200 Gbps, and continue today; DoS for Notoriety.]

3 DDoS Evolution in 2018
High Bandwidth: memcached exceeds 1 Tbps, routinely > 100 Gbps
Botnets: Mirai (and its many known variants); IoT (100s of millions of easy-to-recruit devices)
Multivector: 10+ vectors, Additive + Variation + Spray/Subnet
Booter/Stresser Services: the “10 minute” attack and pulsed attacks

4 Frequent DDoS Trend Continues…
Frequent, low-volume, short-duration attacks dominate! 40% 7 77% 94% However… Corero H Trend Report:

5 SP/Telco DDoS Scrubbing Protection
[Diagram labels: DDoS attacks arriving from transit/peering; good traffic destined for subscribers; SP ingress from transit/peering; Netflow Detect (out-of-band); Service Provider; egress to subscribers; DDoS victims.]

6 SP/Telco DDoS Scrubbing Redirect
[Diagram labels: DDoS attacks arriving from transit/peering; good traffic destined for subscribers; SP ingress from transit/peering; BGP redirect; Netflow Detect (out-of-band); Service Provider; Scrubbing Capacity (<10% edge capacity); egress to subscribers; good traffic tunneled to edge or customer.]
Note: Some providers will have multiple scrubbing centers for geography, redundancy and backhaul reasons.

7 SP/Telco Large DDoS Attack Blackhole
[Diagram labels: Large DDoS attack from transit/peering; good traffic blocked by blackhole; SP ingress from transit/peering; BGP RTBH; Netflow Detect (out-of-band); Service Provider; Scrubbing Capacity (<10% edge capacity); egress to subscribers; customer offline for attack duration.]
Note: Some providers will have multiple scrubbing centers for geography, redundancy and backhaul reasons.

8 Scrubbing Approach Increasingly Challenged
[Chart: Size of Attack against Number of Attacks, showing a Blackhole Zone and a Scrubbing Zone, with Provider Edge Capacity (100s of Gbps to multiple Terabits/sec) and Provider Scrubbing Capacity marked.]
Provider RTBH Mitigation: Manual instantiation of blackholes with target offline for duration of attack
More attacks mitigated with Blackhole
Scrubbing capacity needs to increase
Partial Protection (needs to be > 10%)

9 Scrubbing Redirect Challenges
DDoS Attacks Over Scrubbing Capacity Succeed!
Flow Monitoring: Aggregation delay; Attack overload; Header only
BGP/RTBH/FlowSpec: BGP propagation; Limited visibility
Sampled Mirror: Immediate forwarding; Scales with attack; Header and payload
ACL Filters: Rapid configuration; Streaming telemetry

10 New Opportunity for Edge Mitigation
[Diagram labels: NOC/SOC; Network Edge; stages Monitor, Inspect, Detect, Report / Signal, Mitigate; Sampled Mirror (1:N); Seconds; Sampled Mirror (tuple + payload); Streaming Telemetry; Ingress Traffic; Egress Traffic; Filter Generation (tuple + payload); Dynamic Filter (tuple + payload); Detection; Mitigation.]

11 Full Edge Capacity Mitigation
[Chart: Size of Attack against Number of Attacks, showing a Blackhole Zone, a Provider Edge Mitigation Zone and a Scrubbing Zone, with Provider Edge Capacity (100s of Gbps to multiple Terabits/sec) and Provider Scrubbing Capacity marked.]
<1% of attacks need to be blackholed
100% Edge Protection
Provider Edge Mitigation: Leverage real-time data and analytics to deliver intelligent automation; scales to tens of terabits of DDoS protection
>90% attacks mitigated at Provider Edge
<10% redirected to scrubbing

12 Provider Edge DDoS Protection
[Diagram labels: DDoS attacks arriving from transit/peering; Internet; SP ingress from transit/peering; Service Provider; egress to subscribers; good traffic to edge or customer.]

13 Example Edge Filtering with Juniper MX
Matching firewall-type rules with defined actions
Filters entered manually, or programmatically via NETCONF API
Unique ID for each filter provides statistics via remote telemetry
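
An illustration of the programmatic path on this slide, added here and not taken from the presentation or from any vendor tool: Python that scales sampled-mirror records to a packet rate, picks out an over-threshold vector, and renders Junos firewall filter terms whose term ID doubles as the counter name. The sampling ratio, threshold, filter name EDGE-DDOS, term naming and sample records are all assumptions, and matching here is on the tuple only, not payload.

```python
from collections import Counter

SAMPLE_RATE = 1000      # assumed 1:N mirror sampling ratio (N = 1000)
WINDOW_S = 1            # assumed seconds covered by one batch of samples
THRESHOLD_PPS = 50_000  # assumed per-vector trigger, packets per second
FILTER = "EDGE-DDOS"    # hypothetical filter name

def detect(samples):
    """Return sorted (dst, proto, sport, est_pps) vectors over the threshold."""
    counts = Counter((s["dst"], s["proto"], s["sport"]) for s in samples)
    hits = []
    for (dst, proto, sport), n in counts.items():
        est_pps = n * SAMPLE_RATE // WINDOW_S  # scale samples to real rate
        if est_pps >= THRESHOLD_PPS:
            hits.append((dst, proto, sport, est_pps))
    return sorted(hits)

def junos_terms(hits):
    """Render one discard term per vector; the term ID doubles as its counter."""
    lines = []
    for i, (dst, proto, sport, _) in enumerate(hits, 1):
        tid = f"ddos-{i:04d}"  # unique ID, reused as the counter name
        base = f"set firewall family inet filter {FILTER} term {tid}"
        lines += [
            f"{base} from destination-address {dst}/32",
            f"{base} from protocol {proto}",
            f"{base} from source-port {sport}",
            f"{base} then count {tid}",
            f"{base} then discard",
        ]
    return lines

def sample_batch():
    """Constructed one-second batch: reflection flood plus normal traffic."""
    flood = [{"src": f"198.51.100.{i % 250 + 1}", "dst": "203.0.113.10",
              "proto": "udp", "sport": 11211} for i in range(80)]
    web = [{"src": "192.0.2.5", "dst": "203.0.113.10",
            "proto": "tcp", "sport": 443} for _ in range(20)]
    dns = [{"src": "192.0.2.53", "dst": "203.0.113.20",
            "proto": "udp", "sport": 53} for _ in range(5)]
    return flood + web + dns

if __name__ == "__main__":
    for line in junos_terms(detect(sample_batch())):
        print(line)
```

The rendered lines would be delivered over NETCONF or entered manually. Junos filters end with an implicit discard, so the filter holding these terms needs a final accept term after them.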

14 Summary
DDoS as a whole still on the increase
  Attack methods/vectors more sophisticated
  Emerging trend for increase in number of larger attacks
Traditional Scrubbing/RTBH protection is inadequate
  Typically too slow to react to avoid damage, or completes attack
  Wastes core network bandwidth backhauling junk DDoS traffic
New opportunity for protection on network edge devices
  Leverage built-in power of latest infrastructure devices
  No need to insert new devices at every ingress point
  Deliver always-on protection at edge capacity up to unprecedented scale
  Can operate as an overlay to existing scrubbing centers
  Deploy filters automatically from DDoS protection solution

15 Questions?

16 Thank You!

