Excellent DDoS Protection
- Warren Hines
- 10 years ago
DDoS Protection

Excellent DDoS Protection
MADE IN GERMANY

CONTACT
LINK11 GmbH
Hanauer Landstraße 291a
Frankfurt am Main
Germany
Phone: +49 (0)
Web:

DDoS ATTACKS

Risk potential of DDoS attacks

As opposed to a simple denial-of-service attack (DoS), distributed denial-of-service attacks (DDoS) do not come from a single computer, but simultaneously from many computers, sometimes tens of thousands. A DDoS attack often starts when an attacker infects several computers with malware. The attacker then links these computers into a botnet; some botnets already control several tens of thousands of computers. In addition to the immense impact of such DDoS attacks, the wide distribution of attacking computers also makes it nearly impossible to determine the source of the attack manually.

Conventional DDoS protective mechanisms do not provide sufficient defense against the increasing level of threat, since the attack patterns are often quite variable and attackers switch between volume and application attacks or combinations of the two. Victims of such attacks find their access link, firewall resources and web and database servers overloaded.

DDoS attacks inflict tremendous damage on the businesses affected. Compared to external filter services, affordable on-premise solutions can only handle a small number of connections and have no influence when a high-bandwidth attack saturates your access link. In addition to substantial revenue losses, many companies experience a loss of reputation among customers and in the wider public that is difficult to remedy. The necessary reconstruction of the infrastructure after an attack requires further follow-up investments. Moreover, a DDoS attack leads to lost productivity because internal access to necessary business applications may be disrupted.

Forrester Research, 2014: Only 57 percent of respondents [enterprises] reported that they currently had a DDoS response plan in place, and 53 percent indicated difficulties when attempting to detect and mitigate DDoS and DNS threats against multiple systems and ISP links.

Distribution of DDoS attack methods
29 % TCP Floods
26 % UDP Floods
22 % Application Attacks
20 % Amplification Attacks
3 % Other

Figure: Average bandwidth of DDoS attacks, by attack type (Application Attacks, Amplification Attacks, TCP Floods, UDP Floods). Values shown: 120 Mbps, 1420 Mbps, 7600 Mbps.

Sony under attack

At Christmas 2014, the hacker group Lizard Squad took down the Sony PlayStation Network (PSN) with a DDoS attack. Millions of gamers could not use their PlayStation over the Christmas holidays. As compensation, Sony offered them a one-time 10 % discount off a total cart purchase in the PlayStation Store.

This PSN outage was the second attack on the Sony Group within one month. In late November 2014, Sony Pictures Entertainment was hacked by a group calling itself the Guardians of Peace. The hackers stole over 100 terabytes of sensitive data (films, internal files) and published them on the internet.

As early as 2011, attackers hacked into the PlayStation Network and stole more than 75 million customer records. The attack was disguised by a DDoS attack. The total loss was estimated to be at least $ 172 million, including the costs for expanding the security infrastructure and compensation of damage to customers.

INNOVATIVE DDoS PROTECTION SOLUTION

Which features are expected of DDoS protection nowadays?

Effective DDoS protection must be intelligent, adaptable, orchestrated and powerful so that it can run reliably in the face of ever-increasing bandwidth, a steady flow of new attack patterns and expanding botnets. The hardware solutions that were often the only remaining defense in recent years were always associated with high acquisition and maintenance costs. In addition, these solutions quickly reach their limits in the face of current attacks, because they are too rigid and not powerful enough considering their very high acquisition costs.

Reliable DDoS protection must have enough bandwidth to respond to volume attacks, must be able to handle complex application attacks, and must be prepared for combinations of both forms of attack. As a rule, a purely signature-based protection system lags behind the evolving attacks, since it only recognizes known forms of attack. Intelligent DDoS protection, however, is also able to analyze attack patterns not yet known and orchestrate a rapid response to them, since it adapts to each application, reducing false positive rates.

DDoS protection with built-in redundancy should offer 24/7 expert support, low latency, an alarm system and meaningful reports. Ideally, the blocking mechanism adapts dynamically based on permanent monitoring of the system load, and the protective system only intervenes in attack or stress situations. Crawler compatibility, compliance with the company's privacy policy, geo-blocking and protection of internal services such as , VPN gateways and databases are particularly important for companies operating on a global scale.

Link11 DDoS protection offers:
1. Intelligent behavior analysis and adaptation to new attack scenarios in addition to signature-based detection
2. High bandwidth protection in the maximum security data center
3. Protection of fundamental business applications
4. Broad bandwidths and low latency
5. 24/7 customer support provided by the Link11 Security Operations Center (SOC)
6. Re-adjustable and customized filtering mechanisms and individual reports
7. CAPEX offer excellent value for money in relation to the acquisition of the hardware
8. Geo-blocking and on-demand protection in the event of an attack
9. Support for all major crawlers
10. Compliance with German and international privacy and compliance policies

Figure: Link11 DDoS protection cluster. Link11-protected network in the event of an attack (Internet backbone with Internet provider and Link11 DDoS Protection Cloud; data center service provider; customer data center with switch, firewall, IDS, load balancer and servers).

DDoS PROTECTION via DNS

DDoS protection via DNS forwarding

DNS protection is a cost-effective solution to protect a company's web-based applications. Link11 DNS protection does not require an upgrade of the server infrastructure, additional bandwidth, or new router technology. The DNS protection is available for as few as one IP address and protects domain-name-based applications against DDoS attacks on layers 3-7. To this end, the DNS A-record entries of the affected application are adapted, rerouting the data transfer to the Link11 Filter Center.

The DDoS Protection Cloud has two components: (1) a DDoS filter that blocks volume attacks based on their signature and on customized filter settings and (2) a protocol analyzer that uses signature-based technology in conjunction with intelligent, statistically driven modeling and behavior analysis, which reliably allows the cloud to detect and prevent complex attacks, even those that are unknown or develop in the future. The Link11 DDoS protection is active immediately after the switch in the DNS server has been completed.

Site Shield

To prevent attackers from directly attacking the original server IP address, a site shield is established with the DNS protection. The router/firewall configuration is adjusted so as to permit only access from Link11 DDoS filters.

Necessity of a Site Shield

Figure (Internet provider, Link11 DDoS Protection Cloud, customer's Internet provider): The infected clients query the DNS servers for their IP address and, as a result of the DNS switch, receive the IP address of the Link11 Filter Center, thus preventing the attack from being sent to the original server.

Figure (Internet provider, Link11 DDoS Protection Cloud, customer's Internet provider): Since the attacker knows the IP address of the target server, the attack is now no longer sent to the domain; rather the ISP sends it directly to the IP of the server.

Figure (site shield between the Link11 DDoS Protection Cloud and the customer's Internet provider): A site shield is implemented where the ISP can black hole the target IP address for access from the outside to its IP filter list, which means that the data traffic it receives will go nowhere (the "black hole").
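
One way to check that a site shield is actually effective, as an added example (not Link11 code): audit origin-side connection records and report every source that reached the server without passing through the filter network. The filter ranges are placeholders from documentation address space and the log format and sample lines are constructed for illustration.

```python
import ipaddress

# Assumption: placeholder ranges standing in for the filter network's egress
# addresses; a real deployment would use the ranges supplied by the provider.
FILTER_RANGES = [ipaddress.ip_network(n)
                 for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample of origin-side connection records.
# Assumed format: "<timestamp> <source IP> <destination port>"
SAMPLE_LOG = """\
2015-03-01T10:00:01Z 198.51.100.17 443
2015-03-01T10:00:02Z 203.0.113.40 443
2015-03-01T10:00:02Z 192.0.2.55 443
2015-03-01T10:00:03Z 203.0.113.200 80
2015-03-01T10:00:04Z not-an-ip 443
2015-03-01T10:00:05Z 192.0.2.55 443
"""


def from_filter(addr, filter_ranges=FILTER_RANGES):
    """True if addr (an ip_address object) lies inside a filter range."""
    return any(addr in net for net in filter_ranges)


def audit_site_shield(log_text, filter_ranges=FILTER_RANGES):
    """Return (bypasses, malformed).

    bypasses  maps (source IP, destination port) to the number of connections
              that reached the origin from outside the filter ranges. With a
              working site shield this dict is empty.
    malformed lists the 1-based numbers of lines that could not be parsed, so
              that unparsed records are reported rather than silently skipped.
    """
    bypasses = {}
    malformed = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            malformed.append(lineno)
            continue
        _timestamp, src, port = parts
        try:
            addr = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            malformed.append(lineno)
            continue
        if not from_filter(addr, filter_ranges):
            key = (str(addr), port_no)
            bypasses[key] = bypasses.get(key, 0) + 1
    return bypasses, malformed


if __name__ == "__main__":
    found, bad = audit_site_shield(SAMPLE_LOG)
    for (src, port), count in sorted(found.items()):
        print(f"direct-to-origin: {src} -> port {port} ({count} connections)")
    print("unparsed lines:", bad)
```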

DDoS PROTECTION via BGP

Network announcement: Link11 DDoS protection via Border Gateway Protocol

Our BGP protection solution offers comprehensive protection of the entire company network to protect all basic business applications, such as , VPN, database servers, etc. The BGP DDoS protection can be used in a hot standby version to maintain the normal data flow as long as there is no attack. In the case of an attack, the data is rerouted via the Link11 Filter Center. The clean data packets are transferred back to the customer's network via a protected tunnel (VPN, IPsec, GRE). After the DDoS attack has been successfully blocked, the data transfer is returned to its original routing. The BGP solution requires a /24 or larger IP network for the rerouting. In addition, it is also possible to transfer entire protocols on a customized basis.

If a standby integration is selected, the customer and the Link11 security team are able to announce the network in the event of an attack. By adding Link11 monitoring, the flow data of the local routers is analyzed so that Link11 protection can step in automatically in the event of an attack.

In the event of an attack, the network announcement reroutes the entire traffic via the Link11 protection for analysis. It is also possible to announce smaller parts of the network affected by the attack, for example, to announce only a /24 network from an existing /16 network to be forwarded to the Link11 protection. After a successfully blocked attack, the network is then routed directly back to the customer via a second announcement.

Link11 monitoring: The Link11 monitoring system permanently monitors the status of the network and reports potential DDoS threats. In addition, the Link11 monitoring system monitors the availability of applications and reports other incidents. The monitoring system is integrated as a remote service or a local installation.

Figure (Internet provider, Link11 DDoS Protection Cloud, GRE tunnel, customer's Internet provider): A secure IP tunnel is established between the DDoS protection solution and the data center.

Figure (IP announcement, GRE tunnel): Once a DDoS attack has been detected, the routing is switched to Link11 and the protection is activated.

Figure (Internet provider, Link11 DDoS Protection Cloud, customer's Internet provider): Data traffic is routed and filtered through Link11. The customer can specify here which IPs should be forwarded unchanged and which should be monitored.
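
The partial announcement described above (diverting only a /24 out of an existing /16), as an added planning example that is not Link11 code: given the customer aggregate and the addresses under attack, it computes the smallest set of announcable prefixes (a /24 or larger) covering them. The aggregate and addresses are constructed sample values; the function name is hypothetical.

```python
import ipaddress

# From the brochure: rerouting requires a /24 or larger IP network.
MAX_PREFIX_LEN = 24


def diversion_prefixes(aggregate, attacked_ips):
    """Return (prefixes, outside).

    prefixes: sorted list of prefixes, none longer than /24, that cover every
              attacked address inside the aggregate. Adjacent /24s are merged
              into a shorter prefix so fewer announcements are needed.
    outside:  attacked addresses that are not part of the aggregate and so
              cannot be diverted by announcing parts of it.
    """
    agg = ipaddress.ip_network(aggregate)
    if agg.version != 4:
        raise ValueError("this example handles IPv4 aggregates only")
    if agg.prefixlen > MAX_PREFIX_LEN:
        raise ValueError(f"{agg} is smaller than a /24 and cannot be rerouted")

    covering = set()
    outside = []
    for ip in attacked_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in agg:
            outside.append(ip)
            continue
        # The /24 that contains this address (strict=False masks host bits).
        covering.add(ipaddress.ip_network((addr, MAX_PREFIX_LEN), strict=False))

    merged = ipaddress.collapse_addresses(covering)
    return [str(net) for net in merged], outside


if __name__ == "__main__":
    # Constructed sample: a /16 aggregate with a handful of attacked hosts.
    prefixes, outside = diversion_prefixes(
        "198.18.0.0/16",
        ["198.18.5.9", "198.18.5.200", "198.18.4.1", "198.18.9.77", "192.0.2.1"],
    )
    print("announce towards the filter network:", prefixes)
    print("not inside the aggregate:", outside)
```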

MONITORING AND EVALUATION

Link11 monitoring

The Link11 monitoring system continuously monitors the status of the network and reports potential DDoS threats. In addition, the monitoring system monitors the availability of applications and reports other potential incidents. The monitoring system can be integrated as a remote service or a local installation.

Remote Monitoring System

The Link11 Remote Monitoring System uses the Link11 DDoS protection system to perform automatic, real-time monitoring of servers linked via DNS forwarding. It analyzes the applications, the server behavior and the incoming and outgoing data transfer, and constantly monitors the response times. This makes it possible to detect and fend off attacks in advance.

Local monitoring system for BGP protection

For local monitoring systems, a monitoring server is installed on the local network. The monitoring system evaluates the flow data of the router and issues an alert as soon as attack patterns are detected. The system is constantly monitored by the Link11 Security Operation Center (SOC). To allow for permanent communication between the monitoring system and the SOC, the monitoring system is equipped with an out-of-band connection.

Link11 Security Operation Center: In the Security Operation Center, DDoS protection and network specialists continuously analyze attack patterns and route the data transfer via the Link11 DDoS Filter Center in the event of an attack.

Figure: Local monitoring (customer's Internet provider, sFlow, gateway, monitoring server).

Link11 WebGUI

Link11 offers its customers a web-based, graphical user interface to monitor the server functions. The interface provides insight into the real-time traffic analysis, shows blocked DDoS attacks and server availability, and provides metrics on current server response times. Graphical timelines can be displayed and analyzed as desired. In addition, the nature of the attacks and the respective places of origin are clearly presented. In addition to user management (with individual read or write rights), the WebGUI makes it possible, for example, to block entire countries with the geo-blocking function.

Features at a glance

The Diagnostic Dashboard offers general DDoS information and hints on current threats. In addition, a DDoS warning system and DDoS traffic indicator offer a quick overview of the current security status.

In the settings area, the granularity of the intelligent DDoS prevention can be set, and customized blocking can be used to adjust settings for authorized and unauthorized access.

The customizable controls can be used to set up permanent authorized access for systems whose behavior deviates too far from that of a normal user. For example, desirable automated scripts such as crawlers can be identified, ensuring compatibility with standard search engines, desirable advertising bots and administrators.

Reporting makes it possible to generate individual and routine reports in a management overview. The reports can be transmitted on a regular and automatic basis.

Any settings made by administrators in the user interface can be traced and edited ad hoc.

An alert function is able to send SMS alerts about current threats.

The prevention list states the reason for each prevented connection, the origin and the duration of the connection. The prevented connections can also be authorized to access the server on their next attempt.

Figure: Dashboard view of the Link11 Dashboard.

DISTINCTION OF DATA PACKETS

How does Link11 prevention technology work?

Link11 DDoS protection is based on two methods of protection, where signature-based detection is supplemented by statistical behavior analysis.

On the first level, all types of unauthorized traffic, for example UDP or ICMP, are filtered according to customer needs. These packets are not used for the operation of the web pages, but are often used as a traffic-intensive flooding method.

On the second level, the Protocol Analyzer uses intelligent statistical modeling and behavioral analysis to provide reliable detection and prevention of complex attacks, even those currently unknown and those that will come in the future. The users are compared with the regular user behavior patterns in the network and classified with a scoring model. The higher the degree of deviation from the default connection, the more scoring points are assigned to the connection. A decision matrix is used to compare the score to the current system load for each connection and potentially to filter out the requested connection. As the system load increases, the score required for blocking is adjusted and integrated accordingly into the decision matrix.

As a secondary defense, our signature-based detection uses more than 100 characteristics to review a connection against known Layer 2 and Layer 3 attacks. The Protocol Analyzer's intelligent, continuous analysis is almost deception-proof compared to rigid, on-premise DDoS protection solutions, providing optimal complementary protection against attacks on Layers 4-7.

Figure: Statistical Modeling and Response Orchestration (24x7 network monitoring, 24x7 filter monitoring). Filter stages between the backbone and the customer gateway: Multi Ten Gigabit Aggregation, Bogon Filtering, IP Reputation Filtering, Protocol Verification, Stateful TCP Connection Filtering, IP Rate Limiting, Statistical Application Protocol Filtering.
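
The scoring model and load-dependent decision matrix described above, sketched as an added example; it is not Link11's implementation. The features, baseline values, thresholds, sample connections and the reading that the blocking score drops as load rises are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str
    req_per_min: float    # requests per minute from this client
    distinct_urls: float  # distinct URLs requested per minute
    error_ratio: float    # share of requests answered with 4xx/5xx


# Assumed baseline of regular user behaviour: feature -> (mean, spread).
BASELINE = {
    "req_per_min": (12.0, 6.0),
    "distinct_urls": (8.0, 4.0),
    "error_ratio": (0.02, 0.03),
}

# Assumed decision matrix: (system load up to, score required for blocking).
# None means the filter does not intervene at that load level.
DECISION_MATRIX = ((0.50, None), (0.75, 12.0), (0.90, 6.0), (1.00, 3.0))

# Constructed sample connections.
NORMAL = Connection("192.0.2.10", 14, 9, 0.02)
ODD = Connection("192.0.2.20", 30, 10, 0.05)
CRAWLER = Connection("198.51.100.7", 60, 55, 0.0)
FLOODER = Connection("203.0.113.99", 300, 1, 0.40)


def deviation_score(conn):
    """Scoring points: how far each feature exceeds the baseline mean, measured
    in units of the baseline spread. Values below the mean add no points."""
    points = 0.0
    for feature, (mean, spread) in BASELINE.items():
        points += max(0.0, (getattr(conn, feature) - mean) / spread)
    return points


def blocking_threshold(load):
    """Look up the score required for blocking at the given system load (0..1)."""
    if not 0.0 <= load <= 1.0:
        raise ValueError("load must be between 0.0 and 1.0")
    for upper, threshold in DECISION_MATRIX:
        if load <= upper:
            return threshold
    return DECISION_MATRIX[-1][1]


def decide(conn, load, allowlist=frozenset()):
    """Return 'allow' or 'block' for one connection at the current load.

    allowlist models the permanent authorized access the brochure describes
    for desirable automated clients such as search-engine crawlers.
    """
    if conn.src in allowlist:
        return "allow"
    threshold = blocking_threshold(load)
    if threshold is None:
        return "allow"  # no attack or stress situation: do not intervene
    return "block" if deviation_score(conn) >= threshold else "allow"


if __name__ == "__main__":
    for load in (0.30, 0.80, 0.95):
        verdicts = {c.src: decide(c, load, allowlist={CRAWLER.src})
                    for c in (NORMAL, ODD, CRAWLER, FLOODER)}
        print(f"load {load:.2f}: {verdicts}")
```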

FUNCTIONALITY: FILTER TECHNOLOGY

Protection methods and mitigated attacks (e.g.)

LAYER 3-4

Fragment-Screener: checks the fragments and blocks bogus queries
Mitigated attacks: Ping of Death; Nestea / Nestea 2; Teardrop / Newtear; Bonk / Boink; Syndrop; Jolt / Jolt 2 / SSPING / sping / Icenewk; Rose Fragmentation Attack

Syntax-Screener
Mitigated attacks: Land / La Tierra

TCP-SYN-Proxying: only successful TCP SYN requests are forwarded
Mitigated attacks: TCP SYN Flooding; TCP Ack Flood / Stream

Signature-based prevention
Mitigated attacks: WinNuke; Apache Killer

Firewalling: prevents UDP by default and only allows certain UDP services such as DNS, SIP, as defined individually by the customer
Mitigated attacks: UDP Floods, e.g. Pepsi; Fraggle; DNS Reflection

Firewalling: prevents ICMP echo / batches by default and/or allows only a few MB/s per protocol, as defined individually by the customer
Mitigated attacks: Echo / Chargen; Smurf

LAYER 4-7

Firewalling: prevents by default SNMP connections on the web server and allows only SNMP for certain IPs, as defined individually by the customer
Mitigated attacks: SNMP-Reflection

Protocol analysis: protocol-specific analysis (e.g. of the HTTP traffic) for mechanistic behavior in combination with algorithm-based, statistical user data
Mitigated attacks: PIH Flooding (PHP Interpreting Host Flooding); Get Flood, Slow Loris, Slow Read; Fake DNS queries; DNS Reflection

Rate limiting: prevents by default all queries from a certain number, as defined individually by the customer
Geofilter
Sufficient capacity of the backend server
Mitigated attacks: Botnet; Spontaneous formation of groups on the internet

FUNCTIONALITY: PERFORMANCE

The performance and functionality of Link11 DDoS protection in detail

Features

The prevention technology developed by Link11 is based on deep packet inspection. Domain requests are examined for each IP address. Conspicuous behavior by users of the IP address is awarded points as part of a points scoring system. A user who reaches a predefined score by reason of such behavior is blocked. Our prevention technology can handle static as well as dynamic web content. Since a legitimate query is not answered by a proxy/cache, but instead by the original server, no complications occur.

Performance characteristics:

The DDoS protection cluster analyzes the data transfer for certain patterns and evaluates them anonymously. The content of data packets is not saved.

The Link11 DNS solution provides good value for money to protect your web servers.

The Link11 BGP solution is suitable for all customer networks from a minimum size of 256 contiguous IP addresses (/24 network or Class C network).

In the BGP version, DDoS protection is activated immediately after the routing has been switched; in the DNS version, after the modified entries in the DNS server are active.

The current capacity of the DDoS protection cluster is about 500 Gbit/s.

The DDoS protection cluster can currently filter up to 744 million packets per second.

The following functions are included in the Link11 DDoS protection

DNS forwarding / BGP announcement: The service can be implemented via DNS forwarding, or the data transfer is guided and filtered in the event of an attack via BGP. This makes the DDoS protection independent of the client server location.

User / IP filtering: Link11 observes the behavior of the individual user and has granular user prevention capabilities.

Multi Ten Gigabit aggregation: Several 10GE Tier-1 provider uplinks to the individual scrubbing centers.

IP reputation filtering: There is a comparison with the Link11 database that contains IP addresses which are part of a botnet or are otherwise misbehaving.

Protocol verification: Verification of whether the user uses the indicated protocol (e.g. HTTP, POP3, HTTPS, etc.).

Stateful TCP connection inspection: Analysis of the 3-way connection establishment of the TCP protocol as well as SYN flood detection and blocking.

IP rate limiting: Analysis of application protocols (e.g. HTTP) with several statistical models and filtering of malicious requests.

Statistical application protocol inspection: Analysis of application protocols (e.g. HTTP) with several statistical models and filtering of malicious requests.

Crawler detection / identification: Identification of authorized or unauthorized internet crawlers. Compatibility with standard search engines.

Flooding attack mitigation (HTTP, SYN, UDP, etc.): Detection and prevention of volume-based attacks on a website.

Rate limiting: Individual limitation of the data rate to the customer.

GEO blocking: Connection of users from certain regions (country-specific).

SSL encryption: With own certificate.

Web application firewall (WAF) filtering: An optional additional WAF for applying own firewall rules to protect applications.

Caching: Statistical HTTP client content is cached in our network.

Layer 3 and 4 DDoS mitigation: DDoS protection on protocol layers 3 and 4.

Layer 7 DDoS mitigation: Application-specific protection at the level of the application.

Individual suspicious user behavior recognition: Statistical procedure for individual detection of conspicuous behavior on the website.

Whitelisting/blacklisting: Customers are able to maintain their own black lists and white lists.

Blocking of suspicious users: Conspicuous users are blocked as of a defined threshold value. These users have the option to enable their access via a CAPTCHA page.

User interface/real-time monitoring: Graphical user interface, which permits real-time analysis of the data traffic on the website, provides information on the form of attacks and serves as an administrative interface.

Reporting: Individual reports that can be transmitted to defined users.

DNS Anycast protection: To ward off attacks on the DNS structure, Link11 offers a DNS Anycast compound system at 25 locations.

Integration in a CDN is possible.

FUNCTIONAL SECURITY

Figure: Distributed EU-based DDoS scrubbing centers: London, UK (LON 1); Frankfurt, DE (FFM 1, FFM 2, FFM 3, FFM 4, FFM 5); Amsterdam, NL (AMS 1, AMS 2, AMS 3).

Network connectivity

The network connectivity of the DDoS filter cluster is designed for maximum availability, performance and security. All system-relevant components are redundant and represent the current state of the art. Link11 GmbH monitors the capacity utilization of the network at all times and ensures adequate capacity. High bandwidths and low latency times are ensured by direct connections to the largest internet carriers (Level3, Global Crossing, Deutsche Telekom, etc.), which are responsible for the majority of data transfers in Europe. In addition, there are direct connections to the largest peering points DE-CIX, AMS-IX and LINX, which are among the world's three largest internet exchange points.

Cluster locations and security

The main cluster is located in two certified high-security data centers of the company Interxion in Frankfurt am Main. The data centers are built according to the Tier 3 standard. This means that all servers are backed both by an uninterruptible power supply and by additional diesel emergency generators. This guarantees an availability of % by Interxion. The data centers are protected by a security fence and are monitored around the clock by security guards and video cameras. In addition, there is a unique identification process where access to each data center building is granted only with an authenticated fingerprint. An additional backup cluster for emergencies is available in Amsterdam.

Service standard / Service level agreement (SLA)

Link11 GmbH operates according to the highest standards of service. Particularly noteworthy are, among other things, the high availability and the redundancy principle. The service standards are defined in total in several units. There are service categories for the reaction times, for troubleshooting and for general network and service availability. Link11 GmbH maintains these service standards as the permanently defined requirements of its customers. In the case of complex requirements, it is possible to enter into individual agreements on service standards.

LINK11 GmbH

Since being founded in 2005, Link11 GmbH has developed into one of the leading German specialist suppliers of DDoS protection solutions. The high-performance Link11 DDoS Protection Cloud offers intelligent and reliable protection made in Germany. Customers include leading e-commerce, finance and insurance companies. As an official partner of national and international professional associations and institutions, Link11 is actively engaged in issues related to IT security, internet technology and the e-commerce industry.

For its innovative DDoS protection solution Link11 has been awarded three years in a row s Hosting & Service Provider Award and ZETA-Award reflect that the solution is particularly efficient and future-oriented.

Deutscher Rechenzentrumspreis 2014: Link11 DDoS Protection wins in two categories: data center security and online audience award.

Security Insider Award: The readers of Security Insider voted Link11 as the IT-Security Product of the Month in July

Eco Internet Award 2012: In 2012, Link11 was awarded the Internet Award for the most innovative DDoS protection solution by the eco association of the German Internet industry.

Official partner: Link11 is an official partner of the Alliance for Cyber Security. The ACS is a joint initiative by the Federal Office for Information Security (BSI) and the Federal Association for Information Technology, Telecommunications and New Media (BITKOM).

BITKOM Partner: Link11 is an official BITKOM Partner. BITKOM is the voice of the information technology, telecommunications and new media industry in Germany. BITKOM represents more than 2,100 companies. BITKOM's members generate an annual turnover of 140 billion Euros in total, exporting high-tech goods and services.

bevh: For its members, the industry organisation Bundesverband E-Commerce und Versandhandel e.V. (bevh) has selected a team of highly qualified business partners like Link11, chosen for their innovative products, reliability, and experience.

RIPE NCC: Headquartered in Amsterdam, the Réseaux IP Européens Network Coordination Centre (RIPE NCC) provides Internet number resources, such as IPv4 and IPv6 address space.

Official partner: As an official partner of the TeleTrusT - IT Security Association, Link11 is part of the largest competence network for IT security in Germany and Europe.

Certified by TÜV SÜD (technical inspection body): Link11 GmbH uses system resources carefully and responsibly, including only using green electricity, as certified by TÜV SÜD.
Automated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
Automated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
DDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
SecurityDAM On-demand, Cloud-based DDoS Mitigation
SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS
Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013
the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered
SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper
SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4
CS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
FortiDDos Size isn t everything
FortiDDos Size isn t everything Martijn Duijm Director Sales Engineering April - 2015 Copyright Fortinet Inc. All rights reserved. Agenda 1. DDoS In The News 2. Drawing the Demarcation Line - Does One
CloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE [email protected] www.cloudflare.com
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
Acquia Cloud Edge Protect Powered by CloudFlare
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
Stop DDoS Attacks in Minutes
PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)
TDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
Arbor s Solution for ISP
Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard
Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
Distributed Denial of Service protection
Distributed Denial of Service protection The cost in terms of lost business caused by a successful DDoS attacks can be significant. Our solution recognises when a DDoS attack is happening and identifies
www.prolexic.com Stop DDoS Attacks in Minutes
www.prolexic.com Stop DDoS Attacks in Minutes Prolexic gives us the strong insurance policy against DDoS attacks that we were looking for. Mark Johnson, Chief Financial Officer, RealVision You ve seen
Data Sheet. DPtech Anti-DDoS Series. Overview
Data Sheet DPtech Anti-DDoS Series DPtech Anti-DDoS Series Overview DoS (Denial of Service) leverage various service requests to exhaust victims system resources, causing the victim to deny service to
SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper
SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch
How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks
How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks Stop DDoS before they stop you! James Braunegg (Micron 21) What Is Distributed Denial of Service A Denial of Service attack (DoS)
Your site stays reachable. Your applications stay reachable!
Your site stays reachable. Your applications stay reachable! The hybrid DDoS protection and application security solution from F5 Networks Arrow Sommerforum, Munich, 16 July 2015 [email protected]
Protect your network: planning for (DDoS), Distributed Denial of Service attacks
Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product
AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.
CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. Threat > The number and size of cyberattacks are increasing rapidly Website availability and rapid performance are critical factors in determining the success
Are you safe from DDoS attacks?
www.harppddos.com HARPP DDoS Mitigator Appliances and DDoS CERT The HARPP DDoS Mitigator's unique DDI (Deep DDoS Inspection) and AVS (Attack Visualization System) provide unparalleled protection of your
JUST FOR THOSE WHO CAN'T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE
WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN'T TOLERATE DOWNTIME Don't let a DDoS attack bring your online business to a halt we can protect any server in any location DON'T GET STUCK ON THE ROAD OF
Complete Protection against Evolving DDoS Threats
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
DDoS Mitigation Techniques
DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet
How To Block A Ddos Attack On A Network With A Firewall
A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial
How Cisco IT Protects Against Distributed Denial of Service Attacks
How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN
[Restricted] ONLY for designated groups and individuals. 2014 Check Point Software Technologies Ltd.
[Restricted] ONLY for designated groups and individuals Contents 1 2 3 4 Industry Trends DDoS Attack Types Solutions to DDoS Attacks Summary 2 Cybercrime Landscape DNS Hijacking Malware 3% 3% Targeted
Application DDoS Mitigation
Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...
Huawei Traffic Cleaning Solution
Huawei Traffic Cleaning Solution Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written
DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
White Paper. McAfee Multi-Link. Always-on connectivity with significant savings
McAfee Multi-Link Always-on connectivity with significant savings Table of Contents Executive Summary...3 How McAfee Multi-Link Works...4 Outbound traffic...4 Load balancing...4 Standby links for high
Eudemon8000E Anti-DDoS SPU
Today's network attack varieties and intensities grow exponentially. Distributed Denial of Service (DDoS) attacks in 2010 swallowed 100G bandwidths, experiencing a 1000% increase over 2005. The diversified
WAN Traffic Management with PowerLink Pro100
Whitepaper WAN Traffic Management with PowerLink Pro100 Overview In today's Internet marketplace, optimizing online presence is crucial for business success. Wan/ISP link failover and traffic management
DDoS Protection on the Security Gateway
DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by
A Layperson's Guide To DoS Attacks
A Layperson's Guide To DoS Attacks A Rackspace Whitepaper A Layperson's Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4
Denial of Service Attacks, What They are and How to Combat Them
Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001
KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection
KASPERSKY DDoS PROTECTION Protecting your business against financial and reputational losses A Distributed Denial of Service (DDoS) attack is one of the most popular weapons in the cybercriminals' arsenal.
Huawei Eudemon200E-N Next-Generation Firewall
Huawei 200E-N Next-Generation Firewall With the popularity of mobile working using smartphones and tablets, mobile apps, Web2.0, and social networking become integral parts of works. This change in IT
CS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio [email protected] May 2013
Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec Leonardo Serodio [email protected] May 2013 Distributed Denial of Service (DDoS) Attacks DDoS attack traffic consumes
VALIDATING DDoS THREAT PROTECTION
VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to
Approaches for DDoS an ISP Perspective. [email protected] [email protected]
Approaches for DDoS an ISP Perspective [email protected] [email protected] Home School How everyone starts It's all up to you It's inexpensive (compared to other forms of education) Quality may not
IxLoad-Attack: Network Security Testing
IxLoad-Attack: Network Security Testing IxLoad-Attack tests network security appliances determining that they effectively and accurately block attacks while delivering high end-user quality of experience
Service Description DDoS Mitigation Service
Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: [email protected] Contents Contents 1 Introduction...3 2 An Overview...3
KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks
KASPERSKY DDOS PROTECTION Discover how Kaspersky Lab defends businesses against DDoS attacks CYBERCRIMINALS ARE TARGETING BUSINESSES If your business has ever suffered a Distributed Denial of Service (DDoS)
PART D NETWORK SERVICES
CONTENTS 1 ABOUT THIS PART... 2 2 PUBLIC NETWORK... 2 Internet... 2 3 PRIVATE NETWORK... 3 Global WAN services... 3 4 SECURITY SERVICES... 3 Firewall... 4 Intrusion Prevention (Network)... 5 SSL/IPSEC
DDoS Threat Report. Chris Beal Chief Security Architect MCNC [email protected] @mcncsecurity on Twitter
DDoS Threat Report Insights on Finding, Fighting, and Living with DDoS Attacks v1.1 Chris Beal Chief Security Architect MCNC [email protected] @mcncsecurity on Twitter DDoS in the News - 2014 DDoS Trends
Multi-Link - Firewall Always-on connectivity with significant savings
White Paper Multi-Link - Firewall Always-on connectivity with significant savings multilink.internetworking.ch Table of Contents Executive Summary How Multi-Link - Firewalls works Outbound traffic Load
WEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer [email protected] www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization's internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
Chapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015
Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,
VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK
HANDBOOK VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK CONSIDERATIONS FOR SERVICE ADOPTION Version 1.0 July 2014 VerisignInc.com CONTENTS 1. WHAT IS A DDOS PROTECTION SERVICE? 3 2. HOW CAN VERISIGN
White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.
TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider
Cloud Security In Your Contingency Plans
Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect
Company Overview. October 2014
Company Overview October 2014 Presentation Structure 1 DDoS Attacks 2 Black Lotus DDoS Defense Solution 3 About Black Lotus What Does Black Lotus Do? We are a security company that protects businesses
Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers
Layer 4-7 Server Load Balancing Security, High-Availability and Scalability of Web and Application Servers Foundry Overview Mission: World Headquarters San Jose, California Performance, High Availability,
DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world's
media network & internet access
This document explains the design principles behind the Sohonet Media Network, how it provides enhanced ISP services, and provides a single fully integrated connectivity solution. The Sohonet Media Platform
Total solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack
Network Security Total solution for your network security With the growth of the Internet, malicious attacks are happening every minute, and intruders are trying to access your network, using expensive
Corero Network Security First Line of Defense Executive Overview
FIRST LINE OF DEFENSE Corero Network Security First Line of Defense Executive Overview Products and Services that Protect Against DDoS Attacks and Cyber Threats EXECUTIVE SUMMARY Any organization conducting
How To Stop A Ddos Attack On A Website From Being Successful
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
Vladimir Yordanov Director of Technology F5 Networks, Asia Pacific [email protected]. Developments in Web Application and Cloud Security
Vladimir Yordanov Director of Technology F5 Networks, Asia Pacific [email protected] Developments in Web Application and Cloud Security Forces of Change Workforce and IT trends 2 Applications 3 Web Application
Denial of Service Attacks
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
co Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
Firewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
10 Configuring Packet Filtering and Routing Rules
10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring
Eudemon8000 High-End Security Gateway HUAWEI TECHNOLOGIES CO., LTD.
Eudemon8000 High-End Security Gateway HUAWEI TECHNOLOGIES CO., LTD. Product Overview Faced with increasingly serious network threats and dramatically increased network traffic, carriers' backbone networks,
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
Recommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 [email protected] This Page Intentionally Left Blank ii Warnings
Zscaler Internet Security Frequently Asked Questions
Zscaler Internet Security Frequently Asked Questions 1 Technical FAQ PRODUCT LICENSING & PRICING How is Zscaler Internet Security Zscaler Internet Security is licensed on number of Cradlepoint devices
How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address
Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and
1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
LTE transport network security Jason S. Boswell Head of Security Sales, NAM Nokia Siemens Networks
LTE transport network security Jason S. Boswell Head of Security Sales, NAM Nokia Siemens Networks 1 Nokia Siemens Networks New evolved Networks - new security needs Walled Garden Transport & Protocols
Gigabit Content Security Router
Gigabit Content Security Router As becomes essential for business, the crucial solution to prevent your connection from failure is to have more than one connection. PLANET is the Gigabit Content Security
axsguard Gatekeeper Internet Redundancy How To v1.2
axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH
AntiDDoS1000 DDoS Protection Systems
AntiDDoS1000 DDoS Protection Systems Background and Challenges With the IT and network evolution, the Distributed Denial of Service (DDoS) attack has already broken away from original hacker behaviors.
DEFENSE NETWORK FAQS DATA SHEET
DATA SHEET VERISIGN INTERNET DEFENSE NETWORK FAQS WHAT IS A DOS OR DDOS ATTACK? A Denial of Service attack or Distributed Denial of Service attack occurs when a single host (DoS), or multiple hosts (DDoS),
SHARE THIS WHITEPAPER
Denial-of-Service (DoS) Secured Virtual Tenant Networks (VTN) Value-added DoS protection as a service for Software Defined Network (SDN) a solution paper by Radware & NEC Corporation of America Whitepaper
V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks
Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against
LoadMaster Application Delivery Controller Security Overview
LoadMaster Application Delivery Controller Security Overview SSL Offload/Acceleration, Intrusion Prevention System (IPS) and Denial of Service (DOS) Overview Small-to-medium sized businesses (SMB) are
Cheap and efficient anti-ddos solution
Cheap and efficient anti-ddos solution Who am I? Alexei Cioban Experience in IT 13 years CEO & Founder IT-LAB 7 years IT trainings 5 years 2 About company Year of foundation - 2007 12 employees www.it-lab.md
