Introducing FortiDDoS Mar, 2013
Introducing FortiDDoS

Hardware Accelerated DDoS Defense
- Uses the newest member of the FortiASIC family, FortiASIC-TP
- Hardware based protection

Intent Based Protection
- Rate based detection
- Signature free defense
- Self learning baseline, adapts based on behavior

Inline Full Transparent Mode
- No MAC address changes

Granular Protection
- Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram: ISP 1 and ISP 2 links -> FortiDDoS -> Firewall -> Web Hosting Center, with legitimate and malicious traffic shown]
How it works: Virtual Partitions
- Enables up to eight segmented zones
- Consider a customer with multiple traffic types: web browsing, firmware updates, online ordering
- Separate policies for unique traffic patterns
- Need to protect services from each other; mitigation could include limiting the volume of firmware downloads

[Diagram: links from ISP(s) -> FortiDDoS (DDoS protection) -> FortiGate (firewall) -> corporate site]
How it works: Basics
- FortiDDoS is typically protecting the customer link(s), on premise or within the ISP data center
- Transparent deployment; bypass capability with FortiBridge
- Traffic flows are handled by the FortiASIC-TP
- Legitimate traffic model is automatically constructed: calendar based baseline, adaptive threshold estimation (typically increases over time, no need to re-measure)
- Multiple links supported

[Diagram: links from ISP(s) -> FortiDDoS (DDoS protection) -> FortiGate (firewall) -> hosting center]
How it works: Detection and Mitigation
- Detection is performed in hardware: packets are processed by the FortiASIC-TP, with classification and metering across multiple layers and single pass decision making
- Correlated with the created traffic model: protocol anomalies, threshold violations, application level attacks
- Mitigation occurs at the appliance, inline: no traffic redirection (e.g. BGP) and no control plane disruption; no hidden costs, easy to deploy, immediate relief

Mitigation techniques:
- Virtual Partitioning
- Geo-Location ACL
- Bogon Filtering
- Protocol Anomaly Prevention
- Packet Flood Mitigation
- Stateful Inspection / Out of State Filtering
- Granular Layer 3 and 4 Filtering
- Application Layer Filtering
- Algorithmic Filtering
- Heuristic Filtering

[Diagram: attack traffic and legitimate traffic arriving at the appliance]
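As an added illustration (not FortiDDoS code and not a description of its internals), the following Python models the rate-based approach from the Basics and Detection and Mitigation slides: a baseline is learned from traffic believed to be clean, thresholds are derived from it with some headroom, per-source and aggregate SYN limits are applied, and only the packets above a threshold are dropped while a clean interval may raise the baseline. The 1.5 headroom factor, the per-source floor, the addresses and the traffic patterns are assumptions made for this example.

```python
"""Toy model of rate-based, signature-free SYN flood mitigation.

Added example, not FortiDDoS code.  Headroom factor, per-source floor
and the traffic generators are assumptions made for illustration.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dport: int    # destination port
    syn: bool     # TCP SYN flag set


class SynRateGuard:
    """Aggregate and per-source SYN-per-interval thresholds learned from a baseline."""

    def __init__(self, headroom=1.5, source_floor=4):
        self.headroom = headroom          # assumed margin above the learned peak
        self.source_floor = source_floor  # assumed minimum per-source allowance
        self.peak_total = 0               # highest SYN count in one clean interval
        self.peak_source = 0              # highest SYN count from one source in one clean interval

    def learn(self, interval):
        """Baseline building: raise the peaks from one interval believed to be legitimate."""
        per_src = Counter(p.src for p in interval if p.syn)
        self.peak_total = max(self.peak_total, sum(per_src.values()))
        self.peak_source = max(self.peak_source, max(per_src.values(), default=0))

    @property
    def total_threshold(self):
        return math.ceil(self.peak_total * self.headroom)

    @property
    def source_threshold(self):
        return max(self.source_floor, math.ceil(self.peak_source * self.headroom))

    def enforce(self, interval, adapt=True):
        """Return (allowed_packets, drop_reasons) for one interval.

        Per-source clipping runs first so one noisy host cannot consume the
        aggregate allowance; SYNs still above the aggregate threshold are
        dropped in arrival order.  Non-SYN packets are not subject to this check.
        """
        allowed, drops = [], Counter()
        syn_from, syn_total = Counter(), 0
        for p in interval:
            if not p.syn:
                allowed.append(p)
                continue
            syn_from[p.src] += 1
            if syn_from[p.src] > self.source_threshold:
                drops["SYN flood from source"] += 1
                continue
            syn_total += 1
            if syn_total > self.total_threshold:
                drops["SYN flood"] += 1
                continue
            allowed.append(p)
        if adapt and not drops:
            # Continuous adaptive estimation: a clean interval may raise the
            # baseline, it never lowers it (the slides: "typically increases").
            self.learn(interval)
        return allowed, drops


def legit_interval(t):
    """Constructed legitimate traffic for interval t: a client pool whose size
    cycles 12..21 and whose per-client SYN count cycles 1..3 (peak 42 SYN per
    interval, at most 3 SYN from any one source)."""
    n_clients = 12 + (t % 4) * 3
    return [Packet(f"10.0.{i}.7", 443, True)
            for i in range(n_clients) for _ in range((t + i) % 3 + 1)]


def flood(sources, syn_each):
    """Constructed attack: `sources` addresses in 203.0.113.0/24, `syn_each` SYNs each."""
    return [Packet(f"203.0.113.{s + 1}", 443, True)
            for s in range(sources) for _ in range(syn_each)]


def simulate():
    guard = SynRateGuard()
    for t in range(40):                       # baseline building on clean traffic
        guard.learn(legit_interval(t))
    learned = (guard.total_threshold, guard.source_threshold)
    legit = legit_interval(40)                # 12 clients, 24 SYN
    # 1) one host sends 500 SYN per interval: the per-source threshold clips it
    #    and the legitimate clients pass untouched.
    allowed, drops = guard.enforce(legit + flood(1, 500))
    single = {"legit_passed": sum(p.src.startswith("10.") for p in allowed),
              "attacker_passed": sum(p.src.startswith("203.") for p in allowed),
              "drops": dict(drops)}
    # 2) 200 spoofed sources x 3 SYN stay under the per-source limit; only the
    #    aggregate threshold stops them, and it cannot tell attacker from client,
    #    so whatever arrives after the allowance is used up is dropped.
    allowed, drops = guard.enforce(legit + flood(200, 3))
    distributed = {"passed": len(allowed), "drops": dict(drops)}
    # 3) a clean but busier interval (24 clients x 2 SYN = 48) raises the baseline.
    allowed, drops = guard.enforce(
        [Packet(f"10.0.{i}.7", 443, True) for i in range(24) for _ in range(2)])
    adapted = (guard.total_threshold, guard.source_threshold, dict(drops))
    return {"learned": learned, "single": single,
            "distributed": distributed, "adapted": adapted}


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Two points a practitioner should take from the distributed scenario: a per-source limit alone is blind to a spoofed flood spread thinly across many addresses, and an aggregate limit alone cannot distinguish attacker from client, so legitimate packets can be clipped once the allowance is consumed. That is why the traffic processor described on the following slides pairs rate anomaly prevention with anti-spoofing, state anomaly prevention and source tracking rather than relying on a single threshold.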
Overall System Architecture
- Multiple independent FortiASIC-TP complexes
- No CPU paths; no concept of fast or slow path
- No IP/MAC address in the data path

[Diagram: data path through the FortiASIC-TP complexes, control bus, management interface]
FortiASIC Traffic Processor (TP)
- No CPU in the path of the packets; no fast or slow path
- No IP/MAC address in the path of the packets
- Handles inbound and outbound packets

Processing blocks:
- Network, Transport, Application Layer Header Anomaly Prevention
- Anti-spoofing
- State Anomaly Prevention
- Virtualization
- Network, Transport, Application Layer Rate Anomaly Prevention
- Application Layer Heuristics
- Network, Transport, Application Layer Access Control Lists: Dark Address, Geolocation, IP Reputation
- Source Tracking
- Decision Multiplexer -> dropped packets / allowed packets

Control and statistics:
- SNMP Traps/MIBs, Syslog, Event Notifications
- Event/Traffic Statistics, Graphs
- Threshold Wizard, Continuous Adaptive Threshold Estimation
- Policy Configuration, Archive, Restore
How it works: Baseline Building
Overall View Over a Month
These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (negative) is inbound traffic. The two peaks correspond to two large inbound attacks. The purpose of the appliance is to maintain the normal traffic and pass only what is legitimate, which is what it does here by dropping the excess packets (shown as the white area under the maroon lines). What is allowed is the blue area.
View of Another Link
This graph shows the second link on the same device. The maroon line shows incoming traffic, and the blue and green lines show what leaves the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack traffic being dropped. This link has larger and continuous attacks over the month's period; the appliance maintains the normal behavior and drops the excess packets.
Aggregate Drop Traffic
This graph shows the aggregate dropped traffic and gives visibility into the excess traffic being filtered by the appliance. Packets are dropped for multiple reasons, shown in different colors; these are drilled down further in the graphs on the following pages.

Summary over 1 month (Maximum / Minimum / Average are packets dropped per 3 hours)
Type      Maximum      Minimum  Average     Total Packets Dropped
Layer 2   0            0        0           0
Layer 3   71,796,072   0        21,262,421  5,273,080,458
Layer 4   375,005,802  300      5,899,631   1,463,108,503
Layer 7   303          0        1           304
Top Attacks and Top Attacker Reports

Top Attacks: Inbound
Index  Attack                 Packets dropped  Events
0      Source flood           30,913,661,628   30,630
1      SYN flood              1,250,473,117    8,516
2      SYN flood from source  1,030,033,363    13,577
3      Protocol flood         147,159,676      23,042
4      TCP port flood         41,015,858       1,399
5      TCP checksum error     27,768,790       8,927
6      TCP zombie flood       23,254,968       779
7      Source IP == dest IP   19,793,175       843
8      L4 anomalies           19,252,249       4,461
9      Destination flood      2,785,518        8

Top Attackers: Inbound (each entry carries a whois link in the UI; these IPs are obfuscated)
Index  Attacker        Packets dropped  Events
0      62.141.36.249   10,264,827,716   2,537
1      178.32.48.19    2,722,698,591    1,759
2      217.23.10.193   1,696,605,289    1,813
3      208.53.158.149  1,597,620,580    1,959
4      178.32.48.20    1,569,216,884    1,681
5      213.165.69.62   1,469,239,395    432
6      67.213.219.97   1,092,829,398    1,230
7      66.219.17.96    1,054,221,515    552
8      174.37.45.152   757,198,482      32
9      91.191.167.12   676,203,668      231

FortiDDoS appliances give visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month or 1 year.
Packets Dropped at Layer 3
This graph shows the dropped traffic due to Layer 3 reasons, summarized in the table below.

Summary over 1 month (Maximum / Minimum / Average are packets dropped per 3 hours)
Type                     Maximum     Minimum  Average     Total Packets Dropped
Protocols                8,225,652   0        637,875     158,193,111
TOS                      0           0        0           0
IPv4 Options             0           0        0           0
Fragmented Packets       1,157       0        7           1,873
L3 Anomalies             11,870,534  0        79,834      19,798,847
Source Flood             57,013,194  0        20,532,304  5,092,011,434
Misc. Source Flood       289,674     0        1,168       289,675
Destination Flood        2,441,260   0        11,231      2,785,518
Misc. Destination Flood  0           0        0           0
Dark Address Scan        0           0        0           0
Network Scan             0           0        0           0
Packets Dropped at Layer 4
This graph shows the dropped traffic due to Layer 4 reasons, summarized in the table below. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped because a few specific IPs sent too many SYN packets per second.

Summary over 1 month (Maximum / Minimum / Average are packets dropped per 3 hours)
Type                                              Maximum      Minimum  Average    Total Packets Dropped
TCP Options                                       0            0        0          0
SYN Packets                                       278,119,806  0        5,034,862  1,248,645,939
L4 Anomalies                                      12,549,983   300      54,866     13,606,809
TCP Ports                                         7,194,921    0        165,534    41,052,592
UDP Ports                                         27,297       0        908        225,429
ICMP Types/Codes                                  0            0        0          0
Port Scan                                         0            0        0          0
Misc. Drops for Port Scan                         0            0        0          0
Packets Per Connection                            0            0        0          0
Misc. Connection Flood                            71,585       0        6,992      1,734,081
Zombie Flood                                      13,368,886   0        93,770     23,254,968
SYN Packets Per Source                            36,527,319   0        234,548    58,168,070
Excessive Concurrent Connections Per Source       109          0        0          110
Excessive Concurrent Connections Per Destination  0            0        0          0
TCP Packets Per Destination                       0            0        0          0
Packets Dropped at Layer 7
This graph shows the dropped traffic due to Layer 7 reasons, summarized in the table below. The appliance monitors HTTP opcodes, URLs and anomalies and can pinpoint excesses in any one of these dimensions.

Summary over 1 month (Maximum / Minimum / Average are packets dropped per 3 hours)
Type            Maximum  Minimum  Average  Total Packets Dropped
Opcode Flood    303      0        1        304
HTTP Anomalies  0        0        0        0
URL Flood       0        0        0        0
Count of Unique Sources
This graph gives visibility into the count of unique sources sending traffic to your network. There is a large peak during Week 21 which corresponds to an attack; the number of unique sources almost reached 1 million. These could be spoofed IP addresses too.
Customer Feedback
"We recently experienced a very large DDoS attack on our network. We've found FortiDDoS withstanding the attack quite well at this time. Seeing as this is the largest network attack we've ever experienced, utilizing this information should help significantly in protecting us against other attacks in the future. To give you an idea of the scale of the attack, the FortiDDoS device has had to drop nearly 6.8 billion packets within only 8 hours. The entire attack lasted approximately 27 hours of which the last ~12 hours were spent behind the FortiDDoS."
Deployment Scenarios
Bypass Options
[Diagram: FortiDDoS, FortiGate, Corporate HQ LAN, FortiBridge]
Service Profiles
[Diagram: example profiles for Wealth Management, Online Banking, Loans and Mortgages]
Deployment Scenarios (Contd.)
FortiDDoS-100A
2U appliance, provides dual link protection

Specification
LAN         2 x 1G (copper and optical)
WAN         2 x 1G (copper and optical)
FortiASIC   2 x FortiASIC-TP1
RAM         4G
Storage     1TB HDD
Management  1 x RJ45 10/100/1000
Power       Single AC
Protection  1Gbps full duplex; up to 1 million simultaneous connections/sec
FortiDDoS-200A
4U appliance, provides protection for up to 4 links

Specification
LAN         4 x 1G (copper and optical)
WAN         4 x 1G (copper and optical)
FortiASIC   4 x FortiASIC-TP1
RAM         8G
Storage     2 x 1TB HDD, RAID
Management  1 x RJ45 10/100/1000
Power       Dual redundant AC
Protection  2Gbps full duplex; up to 2 million simultaneous connections/sec
FortiDDoS-300A
4U appliance, provides protection for up to 6 links

Specification
LAN         6 x 1G (copper and optical)
WAN         6 x 1G (copper and optical)
FortiASIC   6 x FortiASIC-TP1
RAM         8G
Storage     2 x 1TB HDD, RAID
Management  1 x RJ45 10/100/1000
Power       Dual redundant AC
Protection  3Gbps full duplex; up to 3 million simultaneous connections/sec
Thank You
New in 4.0 MR3
Email: zlebduska@fortinet.com