(D)DOS DEMYSTIFIED. Tim Wagner Security Specialist Wes Stephens - Account Manager

Similar documents
Ihr Standort bleibt erreichbar. Ihre Applikationen bleiben erreichbar!

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

F5 Silverline DDoS Protection Onboarding: Technical Note

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Practical Advice for Small and Medium Environment DDoS Survival

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

TDC s perspective on DDoS threats

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

DDoS Mitigation Strategies

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

DDoS Mitigation Techniques

DDoS Overview and Incident Response Guide. July 2014

Acquia Cloud Edge Protect Powered by CloudFlare

The Practical Guide to Choosing a DDoS Mitigation Service

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Web Application Defence. Architecture Paper

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

How To Block A Ddos Attack On A Network With A Firewall

What to Look for When Choosing a CDN for DDoS Protection Written by Bizety

DDoS Protection Technology White Paper

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

CloudFlare advanced DDoS protection

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

Distributed Denial of Service Attack Tools

Security Toolsets for ISP Defense

FortiDDos Size isn t everything

A Layperson s Guide To DoS Attacks

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

How Cisco IT Protects Against Distributed Denial of Service Attacks

The F5 DDoS Protection Reference Architecture

How To Protect A Dns Authority Server From A Flood Attack

and 26th november 2016

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

Multi-Layer Security for Multi-Layer Attacks. Preston Hogue Dir, Cloud and Security Marketing Architectures

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Implementing Cisco IOS Network Security

DDoS Attacks. An open-source recipe to improve fast detection and automate mitigation techniques

Firewalls and Intrusion Detection

INTRODUCTION TO FIREWALL SECURITY

Data Sheet. DPtech Anti-DDoS Series. Overview

MANAGED SECURITY SERVICES : IP AGNOSTIC DDOS AN IP AGNOSTIC APPROACH TO DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION

/ Staminus Communications

Datacenter Transformation

Firewalls P+S Linux Router & Firewall 2013

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

The Hillstone and Trend Micro Joint Solution

Arbor s Solution for ISP

Implementing Secure Converged Wide Area Networks (ISCW)

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

A S B

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

DDoS Mitigation Solutions

How To Attack A Website With An Asymmetric Attack

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

Secure networks are crucial for IT systems and their

DDoS attacks in CESNET2

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Reducing the impact of DoS attacks with MikroTik RouterOS

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Application DDoS Mitigation

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Complete Protection against Evolving DDoS Threats

Securing Networks with PIX and ASA

Radware s Attack Mitigation Solution On-line Business Protection

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Pravail 2.0 Technical Overview. Exclusive Networks

CMPT 471 Networking II

Approaches for DDoS an ISP Perspective.

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Firewalls. Chapter 3

Protection Solution. Strategic White Paper

NSFOCUS Web Application Firewall White Paper

CS 356 Lecture 16 Denial of Service. Spring 2013

Distributed Denial of Service protection

DNS Best Practices. Mike Jager Network Startup Resource Center

efending The New Perimeter nd Protecting Applications Anywhere

Stop DDoS Attacks in Minutes

Corero Network Security First Line of Defense Executive Overview

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

How Effective CSOs Prepare for DDoS Attacks. Rob Kraus & Jeremy Scott Solutionary SERT

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

Defense In Depth To Fight Against The Most Persistent DDoS

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Architecture Overview

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

Solution for Virtualization to Ensure Optimal Network Security Environment

Transcription:

(D)DOS DEMYSTIFIED Tim Wagner Security Specialist Wes Stephens - Account Manager

Definitions DOS Attack- a perpetrator uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests usually in an attempt to exhaust server resources (e.g., RAM and CPU). The goal is to make the resource unavailable. (Script based usually) DDOS Attack- launched from multiple connected devices that are distributed across the Internet. These multi-person, multi-device barrages are generally harder to deflect, mostly due to the sheer volume of devices involved. Unlike single-source DoS attacks, DDoS assaults tend to target the network infrastructure in an attempt to saturate it with huge volumes of traffic. (Botnet based usually) Hybrid Protection- The ability to use both on premises and off premises mechanisms to defend against a DOS and/or a DDOS attack

Attack Threats: Pay up or Else! April - May of 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks DD4BC claims ~400 Gbps Extortion demands of 1-40 Bitcoin Initially targeted Bitcoin, Payment providers, banks and now moving to other targets UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks Sample from actual email

Attack Type Trends

The Hybrid Threat Carphone Warehouse Breach with a DDOS Smoke Screenhttp://www.theregister.co.uk/2015/08/11/carph one_warehouse_ddos_before_giant_data_breach / CyberCriminals Use DDOS to hide attacks: http://www.crn.com/news/security/300071742/c ybercriminals-using-ddos-as-smokescreenexperts-warn.htm

Attack Size Realities Attack Size 500-999Mbps 1-10Gbps 10-50Gbps Over 50Gbps Unknown

448 Gbps Attack Breakdown

Denial of Service Solution Options

Current Volumetric DDoS Solution Market Carriers Based CDN Based Enterprise Cloud Service Generally they leverage thresholds and only work on the link that you purchase from the carrier CDN technology is about absorbing and masking the effects of a DDOS attack, not removing it Generally based on 4-7 Scrubbing facilities, geo graphically dispersed, removes bad traffic and is priced on clean bandwidth Example: Verizon/ATT Example: Akamai/Cloudflare Example: F5 Silverline/Prolexic

Current Hybrid Options Carriers Based CDN Based Enterprise Cloud Service Generally they do not offer any on premises option to customers. Generally no on premises option is offered to customers Certain solutions in this group do offer hybrid offerings. While not common, 3 vendors in this space offer something, implementation is the differentiator

Important Decision Criteria Scale per Customer: Hybrid Option Solution Side Effects Limited Toolsets/Only DOS False Positives Visibility into Attacks

Physical Internet Cabling

Volumetric DDoS Protection - Service Options Always on Primary protection as the first line of defense The Always On service stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic through your website. Always available Primary protection available on-demand The Always Available service runs on standby and can be initiated when under a DDoS attack.

Customers DDoS Attack ISPa Layer 3-4 DDoS mitigation Layer 7 DDoS mitigation?? SSL Termination?? Firewall Customers ISPb DDoS Platform DDoS Attack Volumetric Protection Cloud Sits in front of the Firewall for L3/4 Protection Deploy inline or out of band? Does it do Layer 7 as well? Signaling to of premises solution

Customers DDoS Attack ISPa Tier 1 L3-4 DDoS mitigation Firewall Tier 2 L7 DDoS mitigation SSL Termination Customers ISPb DDoS Platform DDoS Platform DDoS Attack Volumetric Protection Cloud Basic Layer 3/4 deployment inline in front of Firewall to protect against volumetric DDoS attacks Layer 7 DDoS mitigation on the inside tier. Requires SSL termination on the DDoS appliance

Two Ways to Direct Traffic to Silverline Scrubbing Centers Multiple Ways to Return Clean Traffic GRE TUNNELS BGP (BORDER GATEWAY PROTOCOL) ROUTED MODE L2VPN / VIRTUAL ETHERNET SERVICE IP REFLECTION EQUINIX CLOUD EXCHANGE DNS PROXY MODE PROXY

Routed Configuration DDoS Protection Engaged Data Center TCP Connection: SYN-ACK SRC: 1.2.3.4:80 DST: 86.75.30.9:27182 1.2.3.4 BGP Route Advertisement: F5 route for 1.2.3.0/24 becomes preferred F5 Silverline DDoS Protection 86.75.30.9 TCP Connection: SYN SRC: 86.75.30.9:27182 DST: 1.2.3.4:80 F5 Router F5 Router Internet ISP Router GRE Tunnel Customer/ISP Transit Network Customer Router 1.2.3.5 1.2.3.6 69.86.73.76 TCP Connection: SRC: 69.86.73.76:4243 DST: 1.2.3.4:80 Clean traffic is returned via GRE Tunnel to customer s data center 1.2.3.7 BGP Configuration Change: withdraw advertisement for 1.2.3.0/24 Customer Admin

Proxy Configuration DDoS Protection Engaged DNS Configuration Change #www.abc.com 1.2.3.4 www.abc.com 5.6.7.8 DNS Query: www.abc.com DNS Query: www.abc.com DNS Query: www.abc.com Data Center DNS Response: www.abc.com 5.6.7.8 Local DNS DNS Response: www.abc.com 5.6.7.8 Public DNS Servers F5 Silverline DDoS Protection DNS Response: www.abc.com 5.6.7.8 Authoritative DNS Customer Admin TCP Connection: SRC: 86.75.30.9:27182 DST: 5.6.7.8:80 TCP Connection: SRC: 9.9.9.18:31415 DST: 1.2.3.4:80 86.75.30.9 TCP Connection: SRC: 69.86.73.76:4243 DST: 5.6.7.8:80 5.6.7.8 Proxy NAT Pool 9.9.9.0/24 ISP Router Customer Router 1.2.3.4 69.86.73.76 TCP Connection: SRC: 69.86.73.76:4242 DST: 1.2.3.4:80 ISP Router ACL permit: 9.9.9.0/24 1.2.3.4/32 deny: any 1.2.3.4/32

What does traffic flow look like in a Scrubbing Center?

F5 Scrubbing Center Architecture- Routed Traffic Inspection Tools provide input on attacks for Traffic Actioner & SOC Traffic Actioner injects routes and steers traffic Inspection Toolsets Traffic Actioner Route Management Scrubbing Center Inspection Plane Flow Collection Flow collection aggregates attack data from all sources Visibility Portal Portal provides near real-time reporting and configuration Cloud Signaling Management Legitimate Users DDoS Copied traffic for inspection BGP signaling Netflow Data Plane Netflow GRE Tunnel IP Reflection Silverline Switching Routing/ACL Firewall Network Mitigation Routing (Customer VRF) L2VPN Customer DDoS Attackers Volumetric DDoS protection, Managed Application firewall service, zero-day threat mitigation with irules Switching mirrors traffic to Inspection Toolsets and Routing layer Ingress Router applies ACLs and filters traffic Cloud Firewall Rules Network Mitigation removes advanced L4 attacks Egress Routing returns good traffic back to customer

F5 Scrubbing Center Architecture- Routed + Proxy Inspection Tools provide input on attacks for Traffic Actioner & SOC Traffic Actioner injects routes and steers traffic Inspection Toolsets Traffic Actioner Route Management Scrubbing Center Inspection Plane Flow Collection Flow collection aggregates attack data from all sources Visibility Portal Portal provides near real-time reporting and configuration Cloud Signaling Management Legitimate Users DDoS WAF Silverline Switching Copied traffic for inspection BGP signaling Routing/ACL Netflow Firewall Data Plane Network Mitigation Netflow Proxy Mitigation Proxy Routing Customer DDoS Attackers Volumetric DDoS protection, Managed Application firewall service, zero-day threat mitigation with irules Switching mirrors traffic to Inspection Toolsets and Routing layer Ingress Router applies ACLs and filters traffic, deny all except for proxy listeners Cloud Firewall Rules Network Mitigation removes advanced L4 attacks Proxy Mitigation to Remove L7 Attacks. SNAT translation occurs Egress Routing

Key Considerations DDOS is about economics, both for the attacker and the victim DOS or DDOS is not a hack, but rather an attack Is DDOS/DOS protection a market or a feature of broader solutions? DDOS protection needs to become baked in to bandwidth considerations SSL DDOS is not common today, but it is growing Protection levels depend on Risk assessment Is it as a Service or Managed Service, it does matter https://f5.com/portals/1/cache/pdfs/2421/the-f5-ddos-protection-referencearchitecture.pdf

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information