Introducing FortiDDoS: Hardware Accelerated DDoS Defense
- Intent Based Protection: uses the newest member of the FortiASIC family, FortiASIC-TP (TM)
- Rate Based Detection
- Inline Full Transparent Mode: no MAC address changes
- Signature Free Defense: hardware based protection
- Self Learning Baseline: adapts based on behavior
- Granular Protection: multiple thresholds to detect subtle changes and provide rapid mitigation
(Diagram: ISP 1 and ISP 2 links, FortiDDoS, Firewall, Web Hosting Center; legitimate and malicious traffic flows)

How it works: Virtual Partitions
- Enables up to eight segmented zones
- Consider a customer with multiple traffic types: web browsing, firmware updates, online ordering
- Separate policies for unique traffic patterns
- Need to protect services from each other
- Mitigation could include limiting the volume of firmware downloads
(Diagram: links from ISP(s), DDoS protection by FortiDDoS, firewall by FortiGate, corporate site)

How it works: Basics
- FortiDDoS is typically protecting the customer link(s), on premise or within the ISP data center
- Transparent deployment; bypass capability with FortiBridge
- Traffic flows are handled by the FortiASIC-TP
- Legitimate traffic model is automatically constructed: calendar based baseline, Adaptive Threshold Estimation (typically increases over time, no need to re-measure)
- Multiple links supported
(Diagram: links from ISP(s), hosting center, DDoS protection by FortiDDoS, firewall by FortiGate)

How it works: Detection and Mitigation
- Detection is performed in hardware: packets processed by FortiASIC-TP, classification and metering across multiple layers, single pass decision making
- Correlated with the created traffic model: protocol anomalies, threshold violations, application level attacks
- Mitigation occurs here: no traffic redirection (e.g. BGP) or control plane disruption; no hidden costs, easy to deploy, immediate relief
- Mitigation stages: Virtual Partitioning, Geo-Location ACL, Bogon Filtering, Protocol Anomaly Prevention, Packet Flood Mitigation, Stateful Inspection, Out of State Filtering, Granular Layer 3 and 4 Filtering, Application Layer Filtering, Algorithmic Filtering, Heuristic Filtering
(Diagram: attack traffic and legitimate traffic entering the appliance)
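As an added illustration (not Fortinet's code and not the appliance's actual algorithm), the following Python models the behaviour the "How it works" slides describe: a calendar based baseline learned from normal traffic, an adaptive threshold that only ratchets upward, metering that counts packets above the threshold as dropped, and a per-source SYN meter like the "SYN Packets Per Source" drop reason in the Layer 4 table. The hourly bucket size, the 1.5x headroom factor, the SYN limit and all sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

BUCKETS = 24  # one calendar bucket per hour of day (assumption)


class RateBaseline:
    """Self-learning baseline: peak packets/sec seen in each calendar bucket."""

    def __init__(self, headroom=1.5):
        self.headroom = headroom  # assumed margin above the learned peak
        self.peak = [0] * BUCKETS

    def learn(self, hour, pps):
        # Adaptive threshold estimation: the learned peak only moves upward,
        # so gradual traffic growth does not require re-measuring. Only feed
        # it traffic from a learning period known to be clean.
        self.peak[hour] = max(self.peak[hour], pps)

    def threshold(self, hour):
        return int(self.peak[hour] * self.headroom)


def meter(samples, baseline):
    """Rate-based mitigation over (hour, pps) samples.

    Packets above the bucket threshold count as dropped (the white area
    above the allowed traffic in the graphs); the rest are allowed.
    """
    allowed = dropped = 0
    for hour, pps in samples:
        excess = max(0, pps - baseline.threshold(hour))
        dropped += excess
        allowed += pps - excess
    return allowed, dropped


def syn_per_source(packets, limit):
    """Per-source SYN meter over one window of (src, tcp_flags) packets.

    SYNs from one source beyond `limit` are dropped; SYN/ACKs are ignored
    because only connection-opening SYNs are metered.
    """
    count = defaultdict(int)
    dropped = defaultdict(int)
    for src, flags in packets:
        if "S" not in flags or "A" in flags:
            continue
        count[src] += 1
        if count[src] > limit:
            dropped[src] += 1
    return dict(dropped)


# Constructed sample traffic: a clean learning day, then a day with a
# flood at 14:00 and 15:00. Rates are packets per second per hour bucket.
NORMAL_DAY = [(h, 1000 + 200 * (h % 12)) for h in range(BUCKETS)]
ATTACK_DAY = list(NORMAL_DAY)
ATTACK_DAY[14] = (14, 50_000)
ATTACK_DAY[15] = (15, 80_000)


def run_demo():
    baseline = RateBaseline()
    for hour, pps in NORMAL_DAY:
        baseline.learn(hour, pps)
    allowed, dropped = meter(ATTACK_DAY, baseline)
    # Constructed one-second window: 10.0.0.9 sends 6 SYNs, limit is 3.
    window = [("10.0.0.9", "S")] * 6 + [("10.0.0.1", "S"), ("10.0.0.2", "SA")]
    syn_drops = syn_per_source(window, limit=3)
    return allowed, dropped, syn_drops


if __name__ == "__main__":
    a, d, s = run_demo()
    print(f"allowed={a} dropped={d} syn_drops={s}")
```

Normal hours pass untouched because the threshold sits above the learned peak, while the two flood hours are clipped down to their thresholds and the excess is counted as dropped.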
Overall System Architecture
- Multiple independent FortiASIC-TP complexes
- No CPU paths; no concept of fast or slow path
- No IP/MAC address in the data path
(Diagram: data path, control bus, management interface)

FortiASIC Traffic Processor (TP)
- No CPU in the path of the packets
- No fast or slow path
- No IP/MAC address in the path of the packets
Functional blocks (inbound and outbound packets):
- Network, Transport, Application Layer Header Anomaly Prevention
- Anti-spoofing
- State Anomaly Prevention
- Virtualization
- Network, Transport, Application Layer Rate Anomaly Prevention
- Application Layer Heuristics
- Decision Multiplexer: dropped packets / allowed packets
- Network, Transport, Application Layer Access Control Lists: Dark Address, Geolocation, IP Reputation
- Source Tracking
- Control and Statistics: SNMP Traps/MIBs, Syslog, Event Notifications; Event/Traffic Statistics, Graphs; Threshold Wizard, Continuous Adaptive Threshold Estimation; Policy Configuration, Archive, Restore

How it works: Baseline Building
Overall View Over a Month
These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks. The purpose of the appliance is to maintain the normal traffic and only pass what's legitimate. That's what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What's being allowed is the blue area.

View of Another Link
This maroon line shows what's incoming, and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that's getting dropped. This graph shows the second link on the same device. This link has larger and continuous attacks over the month's period. As you can see, the appliance maintains the normal behavior and drops excessive packets.
Aggregate Drop Traffic
This graph shows the aggregate dropped traffic and gives you visibility into the excess traffic that's getting filtered by the appliance. Packets are dropped for multiple reasons, shown in different colors. These are drilled down further in the graphs on subsequent pages.

Summary over 1 month (Packets Dropped / 3 Hours: Maximum, Minimum, Average; Total Packets Dropped)
Layer 3 | 71,796, | | ,262,421 | 5,273,080,458
Layer 4 | 375,005, | | ,899,631 | 1,463,108,503
Layer |

Top Attacks and Top Attacker Reports
Top Attacks: Inbound (Index | Attack | Packets dropped | Events)
0 | Source flood | 30,913,661,628 | 30,630
1 | SYN flood | 1,250,473,117 | 8,516
2 | SYN flood from source | 1,030,033,363 | 13,577
3 | Protocol flood | 147,159,676 | 23,042
4 | TCP port flood | 41,015,858 | 1,399
5 | TCP checksum error | 27,768,790 | 8,927
6 | TCP zombie flood | 23,254, |
| Source IP==dest IP | 19,793, |
| L4 anomalies | 19,252,249 | 4,461
9 | Destination flood | 2,785,518 | 8

Top Attackers: Inbound (Index | Attacker | Packets dropped | Events)
| whois | 10,264,827,716 | 2,
| whois | 2,722,698,591 | 1,
| whois | 1,696,605,289 | 1,
| whois | 1,597,620,580 | 1,
| whois | 1,569,216,884 | 1,
| whois | 1,469,239, |
| whois | 1,092,829,398 | 1,
| whois | 1,054,221, |
| whois | 757,198, |
| whois | 676,203, |

FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month and 1 year. These IPs are obfuscated.
Packets Dropped at Layer 3
This graph shows the dropped traffic due to certain Layer 3 reasons, which are shown in the table below.

Summary over 1 month (Packets Dropped / 3 Hours: Maximum, Minimum, Average; Total Packets Dropped)
Protocols: 8,225, , ,193,111
TOS
IPv4 Options
Fragmented Packets: 1, ,873
L3 Anomalies: 11,870, ,834 19,798,847
Source Flood: 57,013, ,532,304 5,092,011,434
Misc. Source Flood: 289, , ,675
Destination Flood: 2,441, ,231 2,785,518
Misc. Destination Flood
Dark Address Scan
Network Scan

Packets Dropped at Layer 4
This graph shows the dropped traffic due to certain Layer 4 reasons, which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped because a few specific IPs sent too many SYN packets per second.

Summary over 1 month (Packets Dropped / 3 Hours: Maximum, Minimum, Average; Total Packets Dropped)
TCP Options
SYN Packets: 278,119, ,034,862 1,248,645,939
L4 Anomalies: 12,549, ,866 13,606,809
TCP Ports: 7,194, ,534 41,052,592
UDP Ports: 27, ,429
ICMP Types/Codes
Port Scan
Misc. Drops for Port Scan
Packets Per Connection
Misc. Connection Flood: 71, ,992 1,734,081
Zombie Flood: 13,368, ,770 23,254,968
SYN Packets Per Source: 36,527, ,548 58,168,070
Excessive Concurrent Connections Per Source
Excessive Concurrent Connections Per Destination
TCP Packets Per Destination

Packets Dropped at Layer 7
This graph shows the dropped traffic due to certain Layer 7 reasons, which are shown in the table below.

Summary over 1 month (Packets Dropped / 3 Hours: Maximum, Minimum, Average; Total Packets Dropped)
Opcode Flood
HTTP Anomalies
URL Flood

The appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excesses in any one of these dimensions.
Count of Unique Sources
This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

Customer Feedback
"We recently experienced a very large DDoS attack on our network. We've found FortiDDoS withstanding the attack quite well at this time. Seeing as this is the largest network attack we've ever experienced, utilizing this information should help significantly in protecting us against other attacks in the future. To give you an idea of the scale of the attack, the FortiDDoS device has had to drop nearly 6.8 billion packets within only 8 hours. The entire attack lasted approximately 27 hours of which the last ~12 hours were spent behind the FortiDDoS."
Deployment Scenarios

Bypass Options
(Diagram: FortiDDoS, FortiGate, Corporate HQ LAN, FortiBridge)

Service Profiles: Wealth Management, Online Banking, Loans and Mortgages

Deployment Scenarios (Contd.)
FortiDDoS-100A: 2U appliance, provides dual link protection
FortiDDoS-100A Specification
- LAN: 2 x 1G (copper and optical)
- WAN: 2 x 1G (copper and optical)
- FortiASIC: 2 x FortiASIC-TP1
- RAM: 4G
- Storage: 1TB HDD
- Management: 1 x RJ45 10/100/1000
- Power: Single AC
- Protection: 1Gbps full duplex; up to 1 million simultaneous connections/sec

FortiDDoS-200A: 4U appliance, provides protection for up to 4 links
FortiDDoS-200A Specification
- LAN: 4 x 1G (copper and optical)
- WAN: 4 x 1G (copper and optical)
- FortiASIC: 4 x FortiASIC-TP1
- RAM: 8G
- Storage: 2 x 1TB HDD RAID
- Management: 1 x RJ45 10/100/1000
- Power: Dual Redundant AC
- Protection: 2Gbps full duplex; up to 2 million simultaneous connections/sec

FortiDDoS-300A: 4U appliance, provides protection for up to 6 links
FortiDDoS-300A Specification
- LAN: 6 x 1G (copper and optical)
- WAN: 6 x 1G (copper and optical)
- FortiASIC: 6 x FortiASIC-TP1
- RAM: 8G
- Storage: 2 x 1TB HDD RAID
- Management: 1 x RJ45 10/100/1000
- Power: Dual Redundant AC
- Protection: 3Gbps full duplex; up to 3 million simultaneous connections/sec