DDoS Mitigation Solutions

The Real Cost of DDoS Attacks

Hosting, including colocation at datacenters, dedicated servers, cloud hosting, shared hosting, and infrastructure as a service (IaaS), supports many millions of websites and internet-facing services globally. Research suggests the total market for hosted services is expected to grow from about $76B in 2010 to nearly $210B by 2016.

[Chart: Public Cloud Services Market 2010-2016, billions of dollars]

As usage of the internet has exploded, so has the variety of hosting companies. Distributed Denial of Service (DDoS) attacks have become the vector of choice for criminals to attack their desired targets. Often, these targets are customers of unsuspecting hosting companies who merely provide reliable infrastructure and platform services to SaaS companies, websites, and other online applications. DDoS attacks are widespread. They harm the target as well as other customers supported by the hosting company. The attacks are often powerful enough to cause service interruption across the entire hosting operation. Criminals have various motivations and means behind their attacks. Some use an arsenal of compromised servers to launch their attacks. Some are motivated by grievances, financial gain, or simply sport.

Example Financial Loss from a Sustained DDoS Attack

DDoS Details
  Size: 110 Gbps
  Total Duration: 48 hours
  Time to RTBH: 30 minutes

Hosting Facility
  Business: Cloud Hosting
  Annual Revenue: $10M
  Network: 4x10 Gbps Transit

Target of DDoS: Retail Website
  SLA: 99.99%
  Violation: 25.68 minutes
  SLA Policy: 1 day for violation
  Customer MRR for Hosting: $20,000/month
  ACV for Hosting: $240,000
  Annual Revenue: $5M
  Downtime: 2 days

Impact
  Customer Loss: $28,000
  At this point, the client will relocate their services to another provider due to downtime. This results in an ACV loss of $240,000 to the hosting provider.
  Hosting SLA credit: $27,000
  Total Impact: $295,000

Networks for Hosting - An Overview

The purpose of this paper is to provide you with information about the true costs of a DDoS attack. We will discuss the history of these attacks and their far-reaching impacts. Businesses often only see the immediate damage caused by a DDoS attack (bandwidth) and forget to look at the big-picture ramifications (SLA violations, customer loss, public image, etc.).

First, let's have a look at common networks used in hosting. Typically, hosting environments are redundant. In such an environment, a pair of redundant edge networks terminates public IP transit and peering. These networks then feed on-premises firewalls, which in turn feed an aggregation layer. The aggregation layer feeds the switches in each rack inside the datacenter, and the rack switches feed end-user services and equipment. In this type of network, any single point, up to an entire half of the network, can drop without the rest of it experiencing service impact. Network architects identify the need for a firewall capable of providing stateful filtering, ACLs, and any other necessary security features.

Networks for Hosting - RTBH

Remote Triggered Black Hole (RTBH) filtering is a technique that allows a network to block undesirable traffic (i.e. a DDoS) before it enters your network. In the context of network security, a black hole is implemented when an attack is detected. Routing traffic to a black hole can be used to drop all attack traffic at the edge of your network. RTBH is performed on a destination address using BGP. It's effective for quickly dropping traffic that you do not want entering your network.

RTBH Problems
1. If the target IP is not identified within several seconds, the network can become saturated. This can result in collateral damage impacting other customers.
2. The customer is effectively taken offline, thus the attacker's original goal is achieved.
3. If the attacker attacks hundreds or thousands of IPs simultaneously, black holing becomes impossible due to the BGP advertisement limits imposed by your upstream provider.

Networks for Hosting - Transit Costs

Overview of Transit Costs

When a hosting company purchases transit from a provider such as Cogent or GTT, they buy based on several parameters: number of ports, total port capacity desired, and the data rate they commit to over those ports. If you ran a hosting operation, you might have utilization of around 15 Gbps, but have a peak usage of 20 Gbps. To grow, you decide you want 30 Gbps of total capacity from one of the providers mentioned earlier. This lets you burst to 20 Gbps periodically without any problems. In this scenario, you can choose to buy a Committed Data Rate (CDR) of 15 Gbps, 20 Gbps, or 30 Gbps. If you're like most hosts, you'll buy 15 Gbps for around $1/Mbit using 95th percentile billing. Under this type of billing, 300-second samples are taken from your interface and the top 5% are thrown out. The next value down is your 95th percentile billed value. You're now paying around $15,000/month for your transit. Because your 20 Gbps bursts are infrequent, you won't be billed for the additional transit. That makes for a fantastic deal.

DDoS Impact on Transit Costs

Let's assume that you've got a 30 Gbps network and you are the victim of a 10 Gbps DDoS attack. That is an attack you can handle. Your network engineers block the attack using ACLs at your border router, and they manage to do it this once. But future attacks will not be so easy to thwart, so you purchase a DDoS appliance. You're now experiencing 10 Gbps DDoS attacks more frequently and you're filtering them for days at a time. Everything appears fine until your transit provider sends you a bill for your original 15 Gbps plus another 10 Gbps, bringing your total monthly bill to $25,000. Not only did you spend a lot on DDoS protection equipment, you've now got to spend additional money on transit. It seems impractical to expand your network to 100 Gbps to mitigate an 80 Gbps attack. You may be able to obtain the available port capacity from your provider using a 20% CDR, but it's not worth it. The first 80 Gbps DDoS attack that comes in for more than 36 hours will cost you about $80,000.
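The 95th percentile arithmetic above, worked through as an added example (not code from the paper): it samples a constructed 30-day month every 300 seconds and shows why the 36-hour figure matters, since 5% of 720 hours is exactly 36 hours, so an attack that lasts any longer than that becomes the billed sample. The $1/Mbit price and the 15 Gbps CDR are the paper's; the burst and attack durations are assumptions.

```python
"""95th percentile transit billing under a DDoS, modelled on the paper's
numbers. Added example, not code from the paper or its authors.
Assumptions: a 30-day month sampled every 300 seconds (8,640 samples),
only inbound traffic is billed, the provider charges $1 per Mbit/s of the
95th percentile sample, and never less than the committed data rate (CDR).
"""

SAMPLES_PER_HOUR = 3600 // 300      # 12 five-minute samples per hour
HOURS_PER_MONTH = 24 * 30           # 720 hours; 5% of them is 36 hours
PRICE_PER_MBIT = 1.0                # $/Mbit/s per month, as quoted in the paper


def percentile95(samples_mbps):
    """Throw out the top 5% of samples; the next value down is billed."""
    ordered = sorted(samples_mbps, reverse=True)
    discard = int(len(ordered) * 0.05)   # 432 of 8,640 samples
    return ordered[discard]


def monthly_bill(samples_mbps, cdr_mbps):
    """Bill the 95th percentile, but never less than the CDR."""
    return max(percentile95(samples_mbps), cdr_mbps) * PRICE_PER_MBIT


def month_profile(base_mbps, burst_mbps, burst_hours, attack_mbps=0, attack_hours=0):
    """Constructed month: steady baseline, some hours of legitimate bursts,
    then an attack that adds attack_mbps on top of the baseline."""
    assert burst_hours + attack_hours <= HOURS_PER_MONTH
    samples = [base_mbps] * (SAMPLES_PER_HOUR * HOURS_PER_MONTH)
    burst_end = burst_hours * SAMPLES_PER_HOUR
    for i in range(burst_end):
        samples[i] = burst_mbps
    for i in range(burst_end, burst_end + attack_hours * SAMPLES_PER_HOUR):
        samples[i] = base_mbps + attack_mbps
    return samples


def scenario_bills(cdr_mbps=15_000):
    """The paper's situations (plus the exact 36-hour boundary) as monthly bills."""
    quiet = month_profile(15_000, 20_000, burst_hours=24)
    filtered_10g = month_profile(15_000, 20_000, 24, attack_mbps=10_000, attack_hours=72)
    short_80g = month_profile(15_000, 20_000, 24, attack_mbps=80_000, attack_hours=36)
    long_80g = month_profile(15_000, 20_000, 24, attack_mbps=80_000, attack_hours=37)
    return {
        "normal month": monthly_bill(quiet, cdr_mbps),                                 # 15000.0
        "10 Gbps attack filtered for 3 days": monthly_bill(filtered_10g, cdr_mbps),    # 25000.0
        "80 Gbps attack lasting exactly 36 h": monthly_bill(short_80g, cdr_mbps),      # 20000.0
        "80 Gbps attack lasting 37 h": monthly_bill(long_80g, cdr_mbps),               # 95000.0
    }


if __name__ == "__main__":
    for name, bill in scenario_bills().items():
        print(f"{name}: ${bill:,.0f}")
```

Note that an attack of exactly 36 hours still costs something: it pushes the legitimate 20 Gbps bursts into the billed sample, and one more hour makes the attack rate itself the billed value, an extra $80,000 over the normal month.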

DDoS Attacks Explained

Historical Overview: Smurf

One of the earliest known DDoS attacks, called Smurf, was written by TFreak in 1997. The attack was quite popular. In this attack, ICMP packets would be spoofed to originate from the target's address and then sent to a network broadcast address. Network devices would, by default, respond to this broadcast request, and in turn reply to the spoofed source address. If the network contained a sufficient number of host systems to reply to these packets, the victim network would be flooded with an onslaught of ICMP packets. This attack was rendered ineffective via three changes:
1. Routers were configured to not forward packets to the broadcast address.
2. Systems were configured not to respond to broadcast requests, or to not reply to ICMP at all.
3. Networks installed ingress and egress ICMP filters or policers.

Historical Overview: Bang

This attack is less widely known. Bang was a relatively uncommon attack written by Sorcerer. The attack is capable of amplifying TCP by about 2-3x. In a TCP Bang attack, the attacker spoofs the victim's IP as the source, as usual, and sends a TCP SYN (new connection) to any number of public systems with open TCP ports. Each system then replies with 2 to 3 TCP SYN-ACK packets to the intended target. The interesting thing about this attack is that it is relatively simple to launch, requires no vulnerabilities in target hosts, and can leverage any open TCP service. To stop this attack, target systems would have to employ intelligent stateful firewalls that prohibit repetitive connections in quick succession. However, because this attack can leverage any open system, the attack does not need to reuse the same amplifier multiple times in quick succession. The source code to this can be found on http://www.exploit-db.com/exploits/343/. A quick review of the code shows that it is very simple, which is why it's such an elegant attack.

Historical Overview: NTP

Network Time Protocol is used to synchronize systems with centralized servers to within a fraction of a second of Coordinated Universal Time (UTC). NTP operates over the public Internet and achieves fairly high reliability through its algorithm. The protocol is traditionally used as client-server. NTP is susceptible to man-in-the-middle attacks unless encryption is employed. NTP operates on port 123 TCP and UDP. NTP-based attacks work similarly to other UDP amplification attacks. The attacker sends a small packet with spoofed source information via UDP to the NTP server. This packet contains a command like monlist, which requests a large amount of data from the NTP server. The NTP server sends this data to the spoofed source in the original small packet. In effect, a few bytes of data can generate megabytes worth of traffic.
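An added example (not code from the paper, Staminus, or Total Server Solutions) that ties the NTP amplification description above to the RTBH problems listed earlier: it scans constructed flow records for UDP traffic from source port 123 with an abnormally high bytes-per-packet ratio arriving from several reflectors, identifies the destinations under attack (Problem 1 is about doing this within seconds), and then picks which /32s to blackhole under an assumed upstream advertisement limit (Problem 3). The record format, the thresholds, and the limit are all assumptions.

```python
"""Spot NTP amplification in flow records and pick RTBH targets. Added example,
not code from the paper, Staminus or Total Server Solutions. Assumptions: a
constructed 'proto src dst sport dport packets bytes' record format covering a
60-second window, a 48-byte NTP payload as the normal packet size, and an
upstream that accepts at most MAX_RTBH_PREFIXES /32 blackhole advertisements."""
from collections import defaultdict

WINDOW_SECONDS = 60
AMPLIFIED_BYTES_PER_PKT = 200   # assumption: far above a normal 48-byte NTP payload
MIN_SOURCES = 2                 # reflected traffic arrives from many NTP servers
MAX_RTBH_PREFIXES = 2           # assumption: upstream's advertisement limit (Problem 3)

# Constructed flow records (documentation address ranges); volumes are scaled down.
SAMPLE_FLOWS = """\
udp 203.0.113.10 198.51.100.5 123 46211 1200 528000
udp 203.0.113.11 198.51.100.5 123 46211 1300 572000
udp 203.0.113.12 198.51.100.5 123 46211 1100 484000
udp 203.0.113.20 198.51.100.6 123 51000 900 396000
udp 203.0.113.21 198.51.100.6 123 51000 800 352000
udp 203.0.113.30 198.51.100.7 123 40000 500 220000
udp 203.0.113.31 198.51.100.7 123 40000 400 176000
udp 192.0.2.7 198.51.100.9 123 123 2 96
tcp 192.0.2.8 198.51.100.9 44000 443 40 30000
"""


def parse_flows(text):
    """Constructed record layout; real exporters (NetFlow/sFlow) differ."""
    fields = ("proto", "src", "dst", "sport", "dport", "pkts", "bytes")
    rows = [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]
    for row in rows:
        for key in ("sport", "dport", "pkts", "bytes"):
            row[key] = int(row[key])
    return rows


def ntp_amplification_targets(flows):
    """Aggregate UDP traffic from source port 123 per destination; flag the
    destinations whose bytes/packet and source count look like reflection."""
    agg = defaultdict(lambda: {"sources": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 123:
            a = agg[f["dst"]]
            a["sources"].add(f["src"])
            a["pkts"] += f["pkts"]
            a["bytes"] += f["bytes"]
    report = {}
    for dst, a in agg.items():
        bpp = a["bytes"] / a["pkts"]
        report[dst] = {
            "sources": len(a["sources"]),
            "bytes_per_pkt": round(bpp, 1),
            "mbps": round(a["bytes"] * 8 / WINDOW_SECONDS / 1e6, 3),
            "flagged": bpp >= AMPLIFIED_BYTES_PER_PKT and len(a["sources"]) >= MIN_SOURCES,
        }
    return report


def rtbh_candidates(report, max_prefixes=MAX_RTBH_PREFIXES):
    """Blackhole the hardest-hit flagged /32s first; anything beyond the
    upstream's limit stays unprotected, which is Problem 3 from the paper."""
    flagged = sorted((d for d, r in report.items() if r["flagged"]),
                     key=lambda d: report[d]["mbps"], reverse=True)
    return {"advertise": [d + "/32" for d in flagged[:max_prefixes]],
            "unprotected": [d + "/32" for d in flagged[max_prefixes:]]}
```

The legitimate NTP exchange to 198.51.100.9 (48 bytes per packet, one peer) is left alone, while the three reflected destinations are ranked and only two fit under the advertisement limit.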

DDoS Attacks for Hire

Building a botnet to mount attacks used to be a complex process that involved hacking many systems and using those compromised systems to attack other servers, while maintaining everything. The botnet would be available for the use of the attacker and the attacker's associates. This was a sophisticated process that involved countless hours of work to build an effective large-scale botnet. The paradigm for botnets and DDoS attacks has morphed in recent years. Typically, the rate for a DDoS botnet rental is about $175 for about 8,000 to 12,000 bots. The rate varies based on the effectiveness of the bots and the size of the network. The type of attack also figures into prices paid. Some botnets are also specific to a certain geographic region, while some are designed for maximum volume impact.

Trends in DDoS Attacks

In the quarter ending in September 2013, hosts experienced a sharp rise in the number of DDoS attacks. Primary target industries included:
- Financial Services: Banks and Payment Processors
- Video Gaming
- Online Retail

That particular quarter showed a dramatic rise in high-throughput attacks exceeding 40 Gbps. As mentioned previously, there has been a trend towards larger attacks for over a decade, so this is unsurprising. A key point is that September saw a 5x rise in the number of attacks exceeding 40 Gbps and a 2x rise in the number of attacks exceeding 10 Mpps. This likely signifies that there are more DDoS-as-a-Service operators who make their botnets available for a fee, allowing subscribers to launch more large-scale attacks.

[Chart: attacks by size, in bands <1 Gbps, 1-5 Gbps, 5-10 Gbps, 10-20 Gbps, 20-40 Gbps, and >40 Gbps]

Reducing the Risk

How can hosts reduce their risk?

Hosts provide the fundamental infrastructure that allows the Internet to function properly. As such, they will always be targeted by criminal attackers, resulting in impacts to their customers. While this may be true, hosts are always improving and expanding their infrastructure to serve an ever-growing connected population. This improves uptime and functionality. Unfortunately, such growth is usually done with little thought put toward security. As the hosting industry grows, attacks will likely become more prevalent. Criminals will continue to exploit any means of impacting their selected targets, and the black market makes it easy for DDoS attacks to be launched. The black market has only begun to mature and take shape, so we expect rapid growth over the next several years. Facilitating DDoS attacks has become a profitable business.

To help mitigate the risks discussed throughout this paper, the following countermeasures should be employed:
- Cloud-based DDoS Protection. This service can help buffer the impact of large-scale attacks. Cloud providers would receive prefix advertisements over BGP to protect your network.
- On-premises DDoS Detection Appliances. These appliances serve to automatically blackhole the target IP, thus allowing your cloud mitigation system to be activated to protect your network.
- Tightly Controlled Firewalls. Limiting unnecessary traffic and allowing only what is required can help reduce the overall impact of DDoS attacks.

Ignoring the threat posed by DDoS attacks can be a costly and risky decision. The cost of a single attack can easily violate an SLA, forcing hosts to pay out large sums in SLA credits. It can result in damage to your brand as well as a direct loss of customers. At the very least, an RTBH strategy is necessary. Appliances can help as well. This can dramatically reduce the potential for network downtime caused by DDoS attacks.

Cloud-based mitigation is another strategy. This is like an insurance policy in that, rather than paying for large amounts of transit as a hosting provider, you offload your company's DDoS expenses to a cloud provider. The provider pays for the massive bandwidth charges, which shields you from this risk. You've also got the added benefit of not requiring any DDoS mitigation equipment of your own. The most comprehensive solution is the combination of DDoS monitoring appliances on premises coupled with cloud-based mitigation. This allows the flexibility of protecting your network while only having specific resources routed through cloud-based mitigation.

We have partnered with Staminus

A solid partner is the best defense. At Total Server Solutions we have researched numerous DDoS mitigation strategies. After carefully examining all other solutions, we have chosen Staminus to be our partner in helping with DDoS mitigation. Their solutions are a perfect fit for our customers and the way we do business. Like us, they pride themselves on providing the best experience to their customers. We want to protect you, and Staminus wants that too. It's a perfect fit.

Who is Staminus?

Staminus provides the most advanced automated DDoS mitigation system in the industry. They're powered by an ever-growing network that is dedicated solely to DDoS mitigation. With three patent-pending mitigation technologies, Staminus is capable of providing robust DDoS mitigation to customers of all sizes. Staminus has over 15 years of experience developing mitigation solutions that maximize performance, scalability, flexibility, and reliability. At its core, Staminus is powered by people. Everyone on the Staminus team has been selected for their understanding of network security concepts as well as their ability to build and contribute to a tight-knit, focused, and committed team of experts. You trust your data to Total Server Solutions, so trust our choices that will help keep you safe.

How much does it cost?

DDoS Mitigation Pricing

DDoS protection is something that we can provide to our customers on an as-needed basis. Plans are based on a commitment cost per Mbps of clean, inbound traffic. Please contact our sales team if you have any questions about our DDoS mitigation services.

Bandwidth        Cost Per Megabit   Total Commit Cost
Under 100 mbps   $10.00             $1,000.00
Under 75 mbps    $11.00             $825.00
Under 50 mbps    $12.00             $600.00
Under 20 mbps    $14.00             $280.00
Under 10 mbps    $18.00             $180.00
Under 5 mbps     $20.00             $100.00

Atlanta, GA, USA; Chicago, IL, USA; Dallas, TX, USA; Los Angeles, CA, USA; Phoenix, AZ, USA; Weehawken, NJ, USA; Salt Lake City, UT, USA; Seattle, WA, USA; London, United Kingdom; Toronto, Canada; Amsterdam, Netherlands
http://www.totalserversolutions.com
sales@totalserversolutions.com
1-855-227-1939