JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology




Biography: Nguyen Tien Duc, ntduc@juniper.net, +84 903344505, Consulting Engineer - Viet Nam, CISSP # 346725, CISA # 623462. 2 Copyright 2013 Juniper Networks, Inc. www.juniper.net

SECURITY AT JUNIPER
Customer segments: Service Providers, Enterprise
Business segments: Routing, Switching, Security
Security innovation & leadership:
- Invest more than 20% of revenue on R&D
- Leader in high-end firewalls and remote access SSL VPN
- Pioneer in Intrusion Deception technology
- DDoS advanced technology
- First to deliver a purpose-built virtual firewall
- SC Magazine 2014 best cloud, UTM and NAC solution
- TechTarget's 2013 reader's choice gold awards for virtual security, IDP, and NAC
Product areas shown on the slide: Access, Apps, Networks, Mgmt, Mobility, Edge, Data center, Cloud

DDOS ATTACK VECTORS
VOLUMETRIC: Easy to detect. Attacks are getting bigger in size; frequency of attacks is increasing at a moderate rate.
ANYTHING THAT MAKES THE RESOURCES BUSY: Flash mobs, i.e. legitimate requests for a big event all arriving at one time.
SLOW AND LOW: Growing faster than volumetric; 25% of attacks in 2013 (source: Gartner). More sophisticated and difficult to detect; targets back-end weaknesses; a small volume of requests can take out a large web site.

TUTORIALS ON LAUNCHING DDOS ATTACKS (slide of screenshots; no text beyond the title)

LOW ORBIT ION CANNON (LOIC): flood any site; easy to download; simple to run.

DDOS FOR ONE HOUR COSTS $5

EVOLVING ATTACK COMPLEXITY
(Chart. Horizontal axis: Known, Newness, Unknown. Vertical axis: Stealth. Regions: Volumetric, Low-and-slow, Emerging Battleground.)
- Signature-Based Scrubbers. Challenge: creating signatures for new attacks.
- Thresholds & NetFlow Analysis. Challenge: manual management of IP thresholds in dynamic networks.

THE GAPS THAT DDOS SECURE ADDRESSES
1. New attacks: before the signature exists
2. Low-and-slow application attacks

KEY CONCEPT: CHARM
CHARM: a real-time risk score for each source IP, updated per packet.
(Scale shown on the slide: 100 = human-like, 50 = initial score, 0 = machine-like.)
Simple example: real human traffic is typically bursty and irregular; machine/bot traffic is regular.
Algorithms are updated regularly with characteristics of new attacks.

KEY CONCEPT: RESOURCE HEALTH
Resource health: a real-time view of the status of every discrete thing on the protected interface, based on stateful analysis of source and resource responsiveness.
(Diagram: Internet traffic passes through DDoS Secure to the resources.)
Examples:
- L7: DNS/URL response time; URL rate, pending counts; HTTP server error codes
- L3-4: backlog queue (per resource, per port); TCP stats: SYN, SYN-ACK, CLS, RST, etc.

JUNOS DDoS SECURE RESOURCE MANAGEMENT
(Diagram: Resource Control sitting in front of Resource 1, Resource 2, Resource 3 ... Resource N.)
In this attack example, the attackers start to degrade Resource 2 and its response time worsens, so the CHARM pass threshold for Resource 2 is increased to start the process of rate limiting the bad traffic. At this point the good traffic continues to pass unhindered, whilst the attackers start to believe their attack has been successful because their requests fail.
The attackers then switch their attack to Resource 3. Once again, Junos DDoS Secure responds dynamically by increasing the pass threshold for Resource 3 whilst limiting the bad traffic.

JUNOS DDoS SECURE PACKET FLOW SEQUENCE
Flow: Packet enters -> Syntax Screener -> (OK so far) -> CHARM Generator -> (with CHARM value) -> CHARM Screener -> Packet exits; a packet failing either screener is dropped.
1. Syntax Screener validates the data packet: validates against defined filters; validates the packet against RFCs; validates packet sequencing; validates TCP connection state.
2. CHARM Generator (CHARM Technology) calculates the CHARM value for the data packet: references the IP behaviour table; a function of time and historical behaviour; better behaved = better CHARM.
3. IP Behaviour Table: behaviour is recorded; supports up to 32M profiles; profiles are aged on a least-used basis.
4. Resource Control calculates the CHARM threshold from the responsiveness of the resource.
5. CHARM Screener: allow or drop, by comparing the packet's CHARM value against the resource's CHARM threshold.

HEURISTIC MITIGATION IN ACTION
(Diagram: normal Internet traffic and DDoS attack traffic enter the Junos DDoS Secure appliance, which performs heuristic analysis before forwarding traffic to the resources; a management PC is attached.)
Normal Internet traffic flows through the Junos DDoS Secure appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol used by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but it is applied in real time with minimal (store-and-forward) latency.

LOW AND SLOW ATTACKS
What to say about DDoS Secure and topology:
- DDoS Secure is an in-line device, usually deployed at the data center edge (behind the Internet-facing router, in front of the firewall).
- DDoS Secure performs real-time stateful analysis and heuristics on packets, both inbound and outbound, as they pass.
- Source IP addresses are given a real-time risk score called CHARM.
- Resource health (web server, firewall, etc.) is monitored, and each resource has a CHARM threshold.
- Once a resource starts to struggle, its threshold is raised, and packets with a lower CHARM score are rate limited.
Demo: one website is in logging mode so we can see the results of the attack; the other website is in defending mode so we can see how the attack is mitigated.
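The PACKET FLOW SEQUENCE slide and the LOW AND SLOW ATTACKS notes describe one control loop: score each source from its observed behaviour, derive a per-resource threshold from resource health, and drop or rate-limit low-scoring packets once the resource struggles. The Python model below is an added example written for this page; it is not Juniper's code and does not claim to reproduce the product's actual algorithm. Its scoring rule (coefficient of variation of a source's inter-arrival gaps, following the slide's "bursty is human, regular is bot" example), the linear backlog-to-threshold policy, the behaviour-table size, the documentation-range IP addresses and the traffic timings are all constructed assumptions.

```python
"""Constructed model of the CHARM packet flow (syntax screener -> CHARM
generator with IP behaviour table -> resource-driven threshold -> CHARM
screener).  Added illustration only; not Juniper's code.  The scoring rule,
threshold policy, table size, addresses and traffic timings are assumptions."""
from collections import OrderedDict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src_ip: str
    ts: float            # arrival time in seconds
    resource: str        # protected resource the packet is addressed to
    ttl: int = 64
    length: int = 512


# Step 1 - Syntax Screener: stand-in for the filter / RFC / sequencing checks
# (assumed sanity rules; the real checks are not described on the slides).
def syntax_ok(pkt: Packet) -> bool:
    return bool(pkt.src_ip) and 0 < pkt.ttl <= 255 and 20 <= pkt.length <= 1500


# Step 3 - IP behaviour table: one profile per source, bounded in size and
# aged out on a least-recently-used basis (the slide quotes 32M profiles).
class BehaviourTable:
    def __init__(self, max_profiles: int = 1000, history: int = 32):
        self.max_profiles = max_profiles
        self.history = history
        self.profiles = OrderedDict()        # src_ip -> recent arrival times

    def record(self, pkt: Packet) -> list:
        times = self.profiles.pop(pkt.src_ip, [])
        times = (times + [pkt.ts])[-self.history:]
        self.profiles[pkt.src_ip] = times    # re-insert as most recently used
        if len(self.profiles) > self.max_profiles:
            self.profiles.popitem(last=False)   # evict least recently used
        return times


# Step 2 - CHARM Generator: 0 = machine-like .. 100 = human-like, new
# sources start at 50.  Assumed heuristic taken from the slide's example:
# human traffic is bursty and irregular, bot traffic arrives like clockwork,
# so the coefficient of variation of the inter-arrival gaps drives the score.
def charm_score(arrivals: list) -> float:
    if len(arrivals) < 4:
        return 50.0                           # not enough history yet
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return 0.0
    cv = pstdev(gaps) / avg
    return max(0.0, min(100.0, 100.0 * cv))


# Step 4 - Resource Control: the CHARM threshold follows resource health.
# Assumed policy: an empty backlog gives threshold 0 (everything passes); as
# the backlog queue fills, the threshold rises and only better-behaved
# sources keep getting through.
@dataclass
class ResourceHealth:
    backlog: int = 0                 # pending requests (L3-4 backlog queue)
    backlog_capacity: int = 100

    def charm_threshold(self) -> float:
        return 100.0 * min(1.0, self.backlog / self.backlog_capacity)


# Step 5 - CHARM Screener: allow if the packet's CHARM meets the threshold.
class DdosScreener:
    def __init__(self, resources: dict):
        self.table = BehaviourTable()
        self.resources = resources   # resource name -> ResourceHealth

    def process(self, pkt: Packet) -> str:
        if not syntax_ok(pkt):
            return "drop:syntax"
        charm = charm_score(self.table.record(pkt))
        threshold = self.resources[pkt.resource].charm_threshold()
        return "allow" if charm >= threshold else "drop:charm"


def run_demo() -> dict:
    """Constructed scenario: a human-like client (irregular gaps) and a bot
    (one packet every 50 ms) both target the 'web' resource while the bot's
    flood fills the backlog.  Returns per-source verdict counts."""
    web = ResourceHealth()
    screener = DdosScreener({"web": web})
    human, bot = "203.0.113.10", "198.51.100.7"      # documentation addresses
    pkts = [Packet(human, t, "web") for t in (0.0, 0.1, 2.6, 2.9, 7.9, 8.1, 8.15, 12.0)]
    pkts += [Packet(bot, round(0.05 * i, 2), "web") for i in range(1, 161)]
    counts = {}
    for pkt in sorted(pkts, key=lambda p: p.ts):
        verdict = screener.process(pkt)
        if verdict == "allow" and pkt.src_ip == bot:
            web.backlog = min(web.backlog_capacity, web.backlog + 2)  # resource degrades
        counts.setdefault(pkt.src_ip, {"allow": 0, "drop:charm": 0, "drop:syntax": 0})
        counts[pkt.src_ip][verdict] += 1
    return counts


if __name__ == "__main__":
    for ip, c in run_demo().items():
        print(ip, c)
```

Run it directly to print the per-source verdicts. The behaviour the slides describe falls out of the loop: the bot's first few packets pass while its score is still the neutral 50, but as soon as its clockwork timing has been observed its score collapses towards 0 and the backlog it created has pushed the threshold above that, so the rest of its flood is dropped; the irregular human client's score climbs to 100 and is never touched. A brand-new source sits at 50 and is only limited once the resource is at least half loaded, which is the defender's trade-off this kind of scoring makes.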

VOLUME ATTACK
What to say: once again, DDoS Secure is sitting inline behind the router. The attacker is sending traffic to the web server (but it could also be the customer's firewall or load balancer) and is attempting to overwhelm the customer's network pipe. DDoS Secure detects the attack and signals the upstream router to redirect the traffic so that the network is not saturated.

JUNOS DDoS SECURE SUMMARY
- Outstanding 24/7 support
- 80% effective 10 minutes after installation; 99.999% effective after 6-12 hours
- Virtualized options available
- Dynamic heuristic technology
- Multi-tenanted and fully IPv6 compliant
- 1Gb to 10Gb HA appliances
- No public IP address: Layer 2 transparent bridge