FortiDDoS DDoS Attack Mitigation Appliances Copyright Fortinet Inc. All rights reserved.
What is a DDoS Attack?
A flooding attack launched from compromised PCs (zombies) controlled by a botmaster. The botmaster's motivations may be political, financial or retaliatory. Typical goals:
- Disrupt networks, applications or services
- Steal or destroy proprietary or confidential information
- Steal or destroy personal information
- Extort a ransom to stop the attack
[Diagram: a botmaster directing zombies that flood a switch and the servers behind it]
DDoS Challenges
- DDoS attacks are still the #1 threat to data centers
- The size of volume-based attacks keeps increasing, yet 80% of attacks are under 50 Mbps and most successful attacks are under 1 Gbps
- Attacks are getting more sophisticated: Layer 7 attacks and DNS and SSDP reflection attacks are the fastest-growing types
- Attackers use DDoS to mask data breaches
Types of DDoS Attacks

Bulk volumetric: designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods).
- Problems: services unavailable to users; can mask data breaches; attack sizes getting larger; easy to implement

L7 application layer: smaller, more sophisticated attacks that target layer 7 services on servers, such as HTTP, SMTP and HTTPS.
- Problems: slip past traditional defenses; fastest-growing attack type; difficult to detect; easier for botmasters to implement

Multi-vector: a combination of bulk volumetric and application layer attacks.
- Problems: more difficult to defend against; detection is more difficult; can mask data breaches; takes more resources to launch
DDoS Defense Options

DDoS service provider: managed service on a subscription model, usually with separate detection and mitigation.
- Pros: easy sign-up; easy deployment
- Cons: expensive overages; unpredictable costs; limited to L3/4 attacks; limited flexibility

Firewall/IPS: integrated device that includes firewall, intrusion protection and DDoS prevention.
- Pros: single device; fewer units to manage
- Cons: poor volumetric mitigation; may require licensing; performance impact

Dedicated appliance: inline data center appliance that provides layer 3, 4 and 7 DDoS detection and mitigation.
- Pros: predictable costs; advanced layer 7 protection
- Cons: an additional device to manage; layer 3 devices can be vulnerable to a large attack; may require signature updates; expensive at high performance
Bulk Volumetric Attacks
Bulk volumetric attacks are designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods). They make services unavailable to users, can mask data breaches, keep growing in size, and are easy to implement because there are lots of unpatched hosts to use.
- SYN flood: spoofed SYN packets fill the connection tables of servers and of every other stateful device in the network path.
- Zombie flood: in a zombie or botnet flood, non-spoofed connections from real hosts overload network and application services.
- ICMP flood: ICMP packets, such as those used by ping, overload servers and network links.
- TCP/UDP port flood: TCP or UDP packets overload servers and network ports that are not used by any service, such as TCP port 81.
- Fragment flood: fragmented packets overload servers, which must hold them for reassembly.
- Anomalous packet flood: deliberate (or accidental) packet errors in attack scripts overload network equipment and servers as they try to handle the anomalies.
- Amplification attacks: abuse UDP services that answer requests without validating the requester's source address, so a small spoofed request produces a large response aimed at the victim.
- Reflection attacks: first seen with DNS, Simple Service Discovery Protocol (SSDP) and NTP; the latest vector in this mode is Portmapper.
Application Layer Attacks
These attacks exploit design weaknesses in HTTP regarding how and when requests are processed by the server. If an HTTP request is not complete, or the transfer rate is very low, the server keeps resources tied up waiting for the rest of the data. As with any DoS, if this goes on long enough the server runs out of resources and crashes or stops responding. These smaller, more sophisticated attacks slip past traditional defenses, are the fastest-growing attack type, are difficult to detect, and are easy even for small botmasters to implement.
- Slow HTTP POST: the POST body is sent at a very slow rate so the request never completes; eventually the victim server runs out of resources and crashes.
- HTTP slow read: the attacker requests a large response, then reads it in very small pieces at a very slow rate, so the server holds the connection and its send buffer open.
- Slowloris: multiple incomplete, time-delayed HTTP GET requests keep connections open for as long as needed to deplete the server's connection resources.
- HTTPS: the same attacks aimed at SSL/TLS services on servers.
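The three slow attacks above share one signature: a connection that stays open while making almost no progress. The following Python is an added illustration of how a detector can tell them apart from a legitimately slow upload; it is not FortiDDoS code, and the thresholds (30 s header timeout, 10 s grace period, 50 B/s minimum rate) and the event trace are constructed for the example.

```python
"""Slow-HTTP detection (Slowloris, slow POST, slow read) from per-connection
progress.  Added illustration, not FortiDDoS code: the thresholds and the
event trace below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_TIMEOUT = 30.0   # seconds a client may take to finish its request headers
GRACE = 10.0            # seconds of transfer before the rate checks below apply
BODY_MIN_RATE = 50.0    # bytes/s a declared request body must sustain
READ_MIN_RATE = 50.0    # bytes/s the client must drain a queued response at


@dataclass
class Conn:
    opened: float
    buf: bytes = b""                          # request bytes seen before the headers ended
    headers_done_at: Optional[float] = None
    content_length: int = 0
    body_bytes: int = 0
    resp_queued: int = 0                      # response bytes the server has queued
    resp_read: int = 0                        # response bytes the client has drained
    resp_started_at: Optional[float] = None


def _content_length(headers: bytes) -> int:
    for line in headers.split(b"\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def feed(conns: Dict[int, Conn], t: float, cid: int, kind: str, value) -> None:
    """Apply one event: open | recv <bytes> | send <n> (server queued) | read <n> (client drained)."""
    if kind == "open":
        conns[cid] = Conn(opened=t)
        return
    c = conns[cid]
    if kind == "recv":
        if c.headers_done_at is None:
            c.buf += value
            end = c.buf.find(b"\r\n\r\n")
            if end >= 0:                      # headers complete; the rest of the buffer is body
                c.headers_done_at = t
                c.content_length = _content_length(c.buf[:end])
                c.body_bytes = len(c.buf) - end - 4
        else:
            c.body_bytes += len(value)
    elif kind == "send":
        if c.resp_started_at is None:
            c.resp_started_at = t
        c.resp_queued += value
    elif kind == "read":
        c.resp_read += value


def evaluate(conns: Dict[int, Conn], now: float) -> Dict[int, str]:
    """Return {conn_id: reason} for connections that look like slow attacks at time `now`."""
    verdicts: Dict[int, str] = {}
    for cid, c in conns.items():
        if c.headers_done_at is None:         # Slowloris: headers that never finish
            if now - c.opened > HEADER_TIMEOUT:
                verdicts[cid] = "slowloris: headers incomplete after %.0fs" % (now - c.opened)
            continue
        if c.body_bytes < c.content_length:   # slow POST: declared body trickling in
            elapsed = now - c.headers_done_at
            rate = c.body_bytes / elapsed if elapsed > 0 else float("inf")
            if elapsed > GRACE and rate < BODY_MIN_RATE:
                verdicts[cid] = "slow POST: %d/%d body bytes at %.1f B/s" % (
                    c.body_bytes, c.content_length, rate)
            continue
        if c.resp_started_at is not None and c.resp_read < c.resp_queued:   # slow read
            elapsed = now - c.resp_started_at
            rate = c.resp_read / elapsed if elapsed > 0 else float("inf")
            if elapsed > GRACE and rate < READ_MIN_RATE:
                verdicts[cid] = "slow read: %d/%d response bytes drained at %.1f B/s" % (
                    c.resp_read, c.resp_queued, rate)
    return verdicts


def run(trace: List[Tuple[float, int, str, object]], now: float) -> Dict[int, str]:
    """Replay every event up to `now` and evaluate the connection table."""
    conns: Dict[int, Conn] = {}
    for t, cid, kind, value in sorted((e for e in trace if e[0] <= now), key=lambda e: e[0]):
        feed(conns, t, cid, kind, value)
    return evaluate(conns, now)


# Constructed trace: one healthy GET, three slow attacks, one healthy large upload.
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_HDR = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1000000\r\n\r\n"
TRACE = [
    (0.0, 1, "open", None), (0.1, 1, "recv", GET), (0.2, 1, "send", 5000), (0.3, 1, "read", 5000),
    (0.0, 2, "open", None), (0.1, 2, "recv", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (15.0, 2, "recv", b"X-a: b\r\n"), (30.0, 2, "recv", b"X-a: c\r\n"),            # Slowloris
    (0.0, 3, "open", None), (0.2, 3, "recv", POST_HDR + b"0123456789"),
    (10.0, 3, "recv", b"0123456789"), (20.0, 3, "recv", b"0123456789"),
    (30.0, 3, "recv", b"0123456789"), (40.0, 3, "recv", b"0123456789"),           # slow POST
    (0.0, 4, "open", None), (0.1, 4, "recv", GET), (0.2, 4, "send", 1_000_000),
    (1.0, 4, "read", 100), (20.0, 4, "read", 100),                                # slow read
    (0.0, 5, "open", None), (0.1, 5, "recv", POST_HDR),
] + [(5.0 * i, 5, "recv", b"x" * 60000) for i in range(1, 9)]                    # healthy upload

if __name__ == "__main__":
    for cid, reason in sorted(run(TRACE, now=45.0).items()):
        print(cid, reason)
```

Connection 5 is the case that matters for false positives: its body is also incomplete at 45 s, but it is moving at over 10 KB/s, so the rate check leaves it alone while the three attackers (connections 2, 3 and 4) are flagged. Evaluating at 5 s instead flags nothing, because every connection is still inside the header timeout or grace period.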
Why the increase?
It's easy. All you have to do is google around for "stresser". Columbus School District in WI had an incident two weeks ago, which has since been repeated at other districts: a group of students went to www.ipstresser.com and purchased a DoS attack that shut down the district, and after it was over left the district with blacklist and DNS issues.
Why the increase? (continued)
And if you like the product, you can sign up.
FortiDDoS DDoS Attack Mitigation Appliances
- 7 models with 3 to 36 Gbps throughput
- Up to 16x GE/10GE SFP+ ports plus 4x 10GE LC bypass ports
- 100% behavior-based detection
- 100% ASIC-based single-pass processing, with up to 6x FortiASIC TP2 processors
- <50 µs latency (typically <10 µs)
- <2 second DDoS mitigation response time
- Automatic learning process with adaptive rate thresholds
- IP reputation by FortiGuard
- Advanced DNS mitigation
- Hybrid on-premise/cloud support
- ACLs for geo-location, IP reputation, source address validation, and L4 and L7 services
- Continuous threat evaluation
- Full CLI, easy-to-use GUI and RESTful API
- Advanced analysis and reporting
- Full standalone DDoS solution, or combined with ISP basic protections
FortiDDoS Product Lineup (performance and scalability tiers; models placed by the throughput figures in the product matrix)
- Under 10 Gbps: 1x FortiASIC TP2, GE ports: FDD-200B, FDD-400B
- 10 to 20 Gbps: 2x FortiASIC TP2, GE/10GE ports: FDD-600B, FDD-800B, FDD-900B, FDD-1000B
- 20+ Gbps: 3x FortiASIC TP2, GE/10GE ports: FDD-1200B
FortiDDoS Product Matrix

Model                      200B    400B    600B    800B    900B    1000B/DC  1200B
Total throughput (Gbps)    3       6       12      12      18      18        36
Latency                    <50 µs on all models
Packet throughput (Mpps)   3.5     7       14      14      21      21        42
TCP sessions (millions)    1       1       2       2       3       3         6
IP reputation              yes     yes     yes     yes     yes     yes       yes
DNS mitigation             yes on 5 of the 7 models (the extracted table does not preserve which)
Form factor                1U      1U      1U      1U      2U      2U        2U
Storage                    480 GB SSD on all models
GE LAN ports (w/ bypass)   4       8       8       8       -       -         -
GE WAN ports (w/ bypass)   4       8       8       8       -       -         -
GE SFP LAN                 4       8       8       8       -       -         -
GE SFP WAN                 4       8       8       8       -       -         -
10GE SFP+ LAN              -       -       -       -       8       8         7
10GE SFP+ WAN              -       -       -       -       8       8         7
10GE SFP+ LAN (bypass)     -       -       -       -       -       -         2
10GE SFP+ WAN (bypass)     -       -       -       -       -       -         2
Power supply               Single  Single  Single  Single  Dual    Dual      Dual
Optional dual power        yes     yes     yes     yes     -       -         -
Key Features and Benefits
- 100% behavioral: FortiDDoS doesn't rely on signature files that need updating with the latest threats, so you're protected from both known and unknown (zero-day) attacks, and life-cycle cost is significantly reduced.
- 100% hardware: the FortiASIC TP2 transaction processor provides full bi-directional detection and mitigation of layer 3, 4 and 7 DDoS attacks for industry-leading performance.
- 100% inspection: unlike competitors, every packet of every connection is inspected in both directions, across millions of connections with hundreds of monitored parameters per connection.
- Continuous attack evaluation: minimizes the risk of false positives by re-evaluating the attack to ensure that good traffic isn't disrupted.
- Advanced DNS protection: 100% inspection of all DNS traffic, protecting against a broad range of DNS-based volumetric, application and anomaly attacks.
- Automated learning: with minimal configuration, FortiDDoS automatically builds profiles of normal traffic and resource behavior, saving time and IT management resources.
- Hybrid on-premise/cloud support: an open API allows integration with third-party cloud DDoS mitigation providers, for flexible deployment options and protection from large-scale DDoS attacks.
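The flood types on the bulk volumetric slide and the "automatic learning", "adaptive rate thresholds" and "continuous attack evaluation" bullets above describe one mechanism: learn what normal looks like per parameter, rate-limit only the excess when a parameter exceeds its learned threshold, and release the limit once the parameter has been quiet for a reset period (the competitive-advantages slide quotes 60 seconds). The Python below is an added illustration of that idea and is not FortiDDoS's implementation; the threshold formula (the larger of mean + 3 standard deviations and twice the learned peak, never below 100 packets/s), the 60 s learning window and the traffic mix are all constructed for the example.

```python
"""Behaviour-based flood detection: learn per-parameter baselines, derive
adaptive thresholds, rate-limit the excess and release the limit after a
quiet period.  Added illustration of the idea described on the page, not
FortiDDoS's implementation; factors, windows and traffic are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

LEARN_SECONDS = 60     # one-second buckets used to learn each baseline
SIGMA_FACTOR = 3.0     # threshold candidate: mean + 3 standard deviations
HEADROOM = 2.0         # threshold candidate: 2x the learned peak
FLOOR = 100            # packets/s; nothing below this is ever limited
RESET_SECONDS = 60     # seconds under threshold before a limit is released


class FloodMonitor:
    def __init__(self) -> None:
        self.learned: Dict[str, List[int]] = defaultdict(list)
        self.threshold: Dict[str, float] = {}
        self.limiting: Dict[str, float] = {}   # param -> last second it exceeded its threshold

    def learn(self, counts: Dict[str, int]) -> None:
        """Feed one second of per-parameter packet counts during the learning phase."""
        for param, n in counts.items():
            h = self.learned[param]
            h.append(n)
            if len(h) >= LEARN_SECONDS:
                self.threshold[param] = max(FLOOR,
                                            mean(h) + SIGMA_FACTOR * pstdev(h),
                                            HEADROOM * max(h))

    def observe(self, t: float, counts: Dict[str, int]) -> Dict[str, Tuple[str, int, int]]:
        """Return {param: (action, packets_allowed, packets_dropped)} for one second of traffic."""
        out: Dict[str, Tuple[str, int, int]] = {}
        for param, n in counts.items():
            thr = self.threshold.get(param, float("inf"))   # unlearned parameters are never limited
            if n > thr:
                self.limiting[param] = t        # (re)start the attack clock
            elif param in self.limiting and t - self.limiting[param] >= RESET_SECONDS:
                del self.limiting[param]        # quiet long enough: release the limit
            if param in self.limiting:
                allowed = min(n, int(thr))      # pass traffic up to the learned rate, drop only the excess
                out[param] = ("limit", allowed, n - allowed)
            else:
                out[param] = ("pass", n, 0)
        return out


def constructed_traffic():
    """60 s of baseline, then a 30 s SYN flood while UDP stays normal, then 70 s of recovery."""
    learn = [{"syn": 200 + 5 * (t % 7), "udp": 800 + 10 * (t % 5)} for t in range(LEARN_SECONDS)]
    live = []
    for t in range(60, 160):
        syn = 50_000 if t < 90 else 210
        live.append((t, {"syn": syn, "udp": 800 + 10 * (t % 5)}))
    return learn, live


def simulate():
    """Learn from the baseline, then run the live traffic; returns (thresholds, per-second log)."""
    mon = FloodMonitor()
    learn, live = constructed_traffic()
    for counts in learn:
        mon.learn(counts)
    log = {t: mon.observe(t, counts) for t, counts in live}
    return mon.threshold, log


if __name__ == "__main__":
    thresholds, log = simulate()
    print("thresholds:", thresholds)
    for t in (60, 89, 90, 148, 149):
        print(t, log[t])
```

Two points the run makes concrete. First, the limit is per parameter: the SYN flood is clamped to the learned 460 SYN/s while UDP, which never leaves its baseline, is untouched. Second, the flood ends at second 89 but the SYN limit stays armed (without dropping anything, since the rate is back under threshold) until second 149, when the 60 s reset releases it; that is the "re-evaluate before unblocking" behaviour the bullet above describes.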
DDoS Protection: FortiGate vs. FortiDDoS
[Venn diagram; labels as recoverable from the slide]
- FortiGate (firewall platform): firewall, IPS, UTM, NAT, VPN, source tracking
- Shared DDoS features: address matching, ACLs, IP reputation, geo-location
- FortiDDoS (FortiASIC TP2, 100% hardware-based DDoS detection and mitigation): slow attack mitigation, behavior-based detection, threshold granularity, bi-directional inspection, DNS protection, full layer 3, 4 and 7 detection on one chip, models with up to 6x TP2 processors, 36 Gbps throughput, less than 50 µs latency
Advanced DNS Mitigation
Protects authoritative and recursive DNS servers, along with the surrounding infrastructure, from DDoS attacks.
Mitigates:
- DNS reflection attacks
- DNS query floods
- DNS TCP anomaly floods
Also provides new DNS attack reporting tools, query/response matching and 100% DNS traffic monitoring. Available on most models.
[Diagram: a DNS attack (reflection, query flood, TCP anomaly) arriving from the carrier/ISP is stopped by FortiDDoS in front of the data center's authoritative and recursive DNS servers, web server and email]
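"Query response matching" is the part of the list above that actually stops a DNS reflection attack: a reflected response arrives at a host on the protected network that never sent the matching query, so an appliance that remembers outbound queries can tell it from a legitimate answer. The Python below is an added illustration of that check and of the amplification factor of matched pairs; it is not FortiDDoS's implementation, and the DNS packet builder, addresses, names and packet counts are constructed for the example (only the header and question section are parsed).

```python
"""DNS query/response matching for reflection detection.  Added illustration
of the idea described on the page, not FortiDDoS's implementation: the
packet builder, addresses and names below are constructed for the example."""
import struct
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD set, one question
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def build_response(txid: int, qname: str, addrs: List[bytes]) -> bytes:
    """NOERROR response echoing the question, with one A record per address."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    rr = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + a for a in addrs)
    return header + question + rr


def parse(payload: bytes) -> Tuple[int, bool, str]:
    """Return (txid, is_response, qname) from the header and the first question."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels).lower()


class DnsMatcher:
    """Remember queries leaving the protected network; accept only responses that match one."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, int, str], int] = {}  # (client, txid, qname) -> query bytes
        self.unsolicited: Dict[str, int] = {}               # responder -> unmatched responses

    def on_packet(self, src: str, dst: str, payload: bytes) -> Tuple[str, Optional[float]]:
        txid, is_response, qname = parse(payload)
        if not is_response:
            self.pending[(src, txid, qname)] = len(payload)
            return "query", None
        qlen = self.pending.pop((dst, txid, qname), None)
        if qlen is None:                                    # nobody here asked: reflection
            self.unsolicited[src] = self.unsolicited.get(src, 0) + 1
            return "unsolicited", None
        return "matched", len(payload) / qlen               # amplification factor


def constructed_scenario() -> List[Tuple[str, str, bytes]]:
    """Two legitimate exchanges, then 50 reflected responses from five open resolvers."""
    client, resolver, victim = "10.0.0.5", "192.0.2.53", "10.0.0.9"
    pkts = [
        (client, resolver, build_query(0x1234, "example.test")),
        (resolver, client, build_response(0x1234, "example.test", [bytes([93, 184, 216, 34])])),
        (client, resolver, build_query(0x2222, "cdn.example.test")),
        (resolver, client, build_response(0x2222, "cdn.example.test",
                                          [bytes([203, 0, 113, i]) for i in range(1, 31)])),
    ]
    # Reflection: open resolvers answer queries an attacker sent with the victim's spoofed address.
    for i in range(50):
        reflector = "198.51.100.%d" % (i % 5 + 1)
        big = build_response(0x4000 + i, "amplifier.test", [bytes([198, 51, 100, 7])] * 20)
        pkts.append((reflector, victim, big))
    return pkts


def run(pkts: List[Tuple[str, str, bytes]]):
    """Feed the packets through the matcher; returns (per-packet verdicts, reflector counts)."""
    m = DnsMatcher()
    results = [m.on_packet(src, dst, p) for src, dst, p in pkts]
    return results, m.unsolicited


if __name__ == "__main__":
    verdicts, reflectors = run(constructed_scenario())
    for v in verdicts[:4]:
        print(v)
    print("unsolicited responses per source:", reflectors)
```

The second legitimate answer (30 A records, about 15x the size of its 34-byte query) shows why size alone is a poor reflection signal: it is accepted because a pending query matched it, while the 50 responses addressed to 10.0.0.9 are counted against their five sources even though each one is a well-formed NOERROR reply. A real deployment would also expire pending entries and keep the per-source counters feeding a rate threshold, as on the behavioral features slide.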
On-Premise/Cloud Hybrid DDoS Protection
Uses FortiDDoS signaling and the open API with Verisign for best-of-breed on-premise and cloud protection:
1. A threshold is crossed on FortiDDoS.
2. FortiDDoS alerts Verisign.
3. Verisign evaluates and takes action to mitigate if the network is under attack.
[Diagram: network users -> FortiDDoS -> network services and applications; a bulk volumetric and/or application layer DDoS attack arrives, and FortiDDoS signals Verisign OpenHybrid]
The alert signal sent by FortiDDoS is received by Verisign, triggering an investigation and possible redirection of traffic to the Verisign scrubbing centers.
Competitive Comparison: hardware-based options

                    FortiDDoS       Arbor Pravail   Radware DefensePro   Check Point DDoS (OEM Radware)
Throughput          3 to 36 Gbps    2-10 Gbps       0.2-160 Gbps         0.5-12 Gbps
Pricing             $40-150K        $32-145K        $18-600K             $19-170K
Latency (µs)        <50             <80             <60                  <60
Detection type      Heuristic       Signature       Signature            Signature
FortiDDoS Competitive Advantages
Performance
» Up to 10x better than Radware and Arbor at detecting and protecting against threats
» 100% ASIC-based design allows maximum data and packets-per-second throughput, unlike CPU-based or partially ASIC-based appliances
Lowest TCO for private DDoS protection
» Up to 50% lower overall TCO compared to Radware and Arbor (hardware-based)
» Fixed-cost model is less expensive and more predictable than enterprise-grade cloud DDoS mitigation
Best false positive avoidance
» Behavior-based model won't mistakenly identify legitimate traffic as a threat and block applications
» 60-second reset unblocks traffic if it's not a real threat or was caused by application errors
Always up to date
» No signatures means the device doesn't have to wait for a threat to be predefined
» Zero-day attacks are handled by the same behavioral detection as known attacks
Pricing Structure
- Appliance: DDoS protection appliance
- Add-on FortiGuard security service: FortiGuard IP reputation service subscription
- Add-on support: 8x5 or 24x7 FortiCare contract
FortiDDoS Qualifying Questions
Are DDoS attacks one of your top data center threats?
» DDoS attacks are still the number one threat to IT data centers, even with ISP-based DDoS mitigation.
Are DDoS attacks continuing to plague your data center even with other DDoS mitigation solutions?
» ISP-based solutions mostly focus on layer 3 and 4 attacks and let anomaly, state-exhaustion and smaller application-level attacks through to the data center. FortiDDoS behavior-based detection can identify and mitigate these attacks, and can supplement ISP services for large bulk events.
Do you find that your current service-based DDoS mitigation solution is expensive, with unpredictable costs?
» FortiDDoS can cost up to 1/3 less than service-based DDoS mitigation, with no overages. With overages, customers can easily run up charges based on the size and volume of DDoS attacks once they exceed their caps.
Are you worried that a dedicated hardware solution is tough to manage and can't protect against large bulk DDoS attacks?
» FortiDDoS integrates easily with other data center equipment, and its automatic learning tools let customers set up the device in less than an hour. Line rating on FortiDDoS protects the device from being overwhelmed during a DDoS attack while still letting good traffic pass with minimal interruption.
Additional Resources
- FortiDDoS Sales Presentation
- Data Center DDoS Testing
- White Paper: Is Your Data Center Ready for Today's DDoS Threats?
- FortiDDoS product demo on Fortinet.com
- User guides and reference materials on docs.fortinet.com, to refer customers to for detailed overviews of features and how FortiDDoS operates