The network is a key component in application delivery and is often a direct or indirect target of security attacks
such as DDoS and BGP hijacking. Mitigation strategies often involve using a third-party cloud service without any
visibility into whether the mitigation is working well. Using real-life examples, we will show how one can measure
the user-perceived impact of an ongoing attack, as well as identify which aspects of the mitigation are not working
as desired. With this detailed availability and performance data at the various layers, financial firms can learn how
to better manage ongoing attacks.
About ThousandEyes
What We Do
• Network performance management designed for today’s dynamic and complex networks
• Used by 4 of the world’s top banks
• Founded in 2010 with an HQ in San Francisco CA and a London office
• Recognized by Gartner and EMA
Our Customers’ Stories
• Reduced time to troubleshoot globally load balanced infrastructure
• Solved multi-week support issue due to an ISP cable cut in Asia
• Improved customer experience during the Brazil World Cup
Today’s Cyber Threat Landscape
• Increasing size, frequency and severity of attacks
• Exposure via external vendors (DNS, CDN, ISPs)
• Greater complexity of corporate networks
• Increasing importance of network for business operations
More Networks Connected to the Internet
[Chart: Global Routing Table Growth. Source: CIDR Report]
More Devices Connected to the Internet
[Chart: Unique IP Addresses Observed, in millions, IPv4 and IPv6, 2007 to 2014; y-axis 0 to 1,600]
Source: Akamai State of the Internet Reports, Q2 2010-14; Akamai blog
Size of DDoS Attacks Increasing 50% YoY
Source: Verizon Data Breach Report 2014
Major DDoS Attacks in 2014
[Chart: Attack Volume Rising, Q4 2012 through Q2 2014; y-axis 0 to 400]
Major Attacks in 2014
• February: Bitstamp
• April: UltraDNS
• August: PlayStation Network, Blizzard
Source: Akamai State of the Internet Q2 2014
Three Network Security Threats We’ll Cover
• BGP Hijacks
• DDoS Attacks
• DNS Poisoning
A Primer on BGP Hijacks
[Diagram: Autonomous Systems AS 14340 (Salesforce), AS 2914 (NTT), AS 3356 (Level3), AS 7018 (AT&T) and AS 4761 (Indosat), their border routers, and the traffic path]
• Salesforce advertises routes among BGP peers to upstream ISPs
• Salesforce.com advertises prefix 96.43.144.0/22
• AT&T receives route advertisements to Salesforce via Level3 and NTT
A Primer on BGP Hijacks
[Diagram: the same Autonomous Systems, with the traffic path now leading to AS 4761 (Indosat)]
• Indosat also advertises prefix 96.43.144.0/22, ‘hijacking’ Salesforce’s routes
• AT&T now directs Salesforce-destined traffic to Indosat
BGP Hijack: Normal Routes to PayPal
[Route visualization: PayPal / Akamai prefix originated by the Akamai Autonomous System, with Comcast upstream]
BGP Hijack: Routes Advertised from Indosat
[Route visualization: PayPal / Akamai prefix; correct Autonomous System versus hijacked Autonomous System; locations with completely hijacked routes highlighted]
BGP Hijack: PCCW Has No Routes to PayPal
• PCCW network only connected to Indosat, not to Akamai / PayPal
BGP Hijack: Causing All Traffic to Drop
• Traffic transiting PCCW has no routes and terminates
Network Topology of a DDoS Attack
[Diagram: attackers on the Internet in Sydney, Portland OR, London, Chicago IL, Tokyo and Atlanta; YourBank.com inside the Enterprise network]
• Attackers flood your web service from around the world
DDoS Mitigation Strategy 1: On-Premises
[Diagram: the same attack sources on the Internet; an on-premises DDoS mitigation appliance sits between the Internet and the Enterprise network hosting YourBank.com]
• Appliance at network edge monitors and mitigates application-layer attacks
DDoS Mitigation Strategy 2: ISP Collaboration
[Diagram: the same attack sources on the Internet; ISP 1 and ISP 2 divert traffic to a remote-triggered black hole before it reaches the Enterprise network hosting YourBank.com]
• Attack traffic is routed by ISPs to a remote-triggered black hole
DDoS Mitigation Strategy 3: Cloud-Based
[Diagram: the same attack sources on the Internet; a scrubbing center sits between the Internet and the Enterprise network hosting YourBank.com]
• Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network
DDoS Attack: Drop in Global Availability
• Global availability issues
• Availability dip to 0%
• Problems at TCP connection and HTTP receive phases
DDoS Attack: Increased Packet Loss and Latency
• Loss, latency and jitter
• Loss during height of attack
DDoS Attack: Congested Nodes in Upstream ISPs
• HSBC bank website under attack
• High packet loss from all testing points
• Nodes with >25% packet loss
• Packet loss in upstream ISPs Verizon and AT&T
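The measurements on the three DDoS slides above (availability dropping to 0%, failures clustering in the TCP connect and HTTP receive phases, nodes above 25% loss placed in named upstream ISPs) written up as a small monitoring check. This is an added example, not ThousandEyes’ code; the rounds, vantage points, hop addresses, network names and loss figures are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed per-round HTTP server test results from a few vantage points
# (sample data, not the deck's measurements). error_phase is None when the
# fetch succeeded, otherwise the phase in which it failed.
ROUNDS = {
    "10:00": {"Sydney": None, "London": None, "Tokyo": None, "Atlanta": None},
    "10:05": {"Sydney": "TCP connect", "London": None, "Tokyo": "HTTP receive", "Atlanta": None},
    "10:10": {"Sydney": "TCP connect", "London": "TCP connect", "Tokyo": "HTTP receive", "Atlanta": "TCP connect"},
}

# Constructed path-trace hops: (node IP, network the hop belongs to, packet loss % at that hop).
HOPS = [
    ("198.51.100.1", "Verizon", 0.0),
    ("198.51.100.2", "Verizon", 41.0),
    ("203.0.113.9", "AT&T", 33.0),
    ("203.0.113.10", "AT&T", 12.0),
    ("192.0.2.1", "HSBC", 2.0),
]

def availability_timeline(rounds):
    """Percentage of vantage points that completed the fetch, per round."""
    return {t: 100.0 * sum(e is None for e in agents.values()) / len(agents)
            for t, agents in rounds.items()}

def failing_phases(rounds, t):
    """Which phase (TCP connect, HTTP receive, ...) the failures cluster in for one round."""
    return Counter(e for e in rounds[t].values() if e is not None)

def congested_nodes(hops, threshold=25.0):
    """Hops above the loss threshold grouped by upstream network, so the congestion
    is attributed to a specific ISP rather than to 'the Internet'."""
    out = defaultdict(list)
    for ip, network, loss in hops:
        if loss > threshold:
            out[network].append((ip, loss))
    return dict(out)

if __name__ == "__main__":
    timeline = availability_timeline(ROUNDS)
    worst = min(timeline, key=timeline.get)
    print("availability per round:", timeline)
    print("worst round", worst, "failures by phase:", dict(failing_phases(ROUNDS, worst)))
    print("nodes with >25% loss:", congested_nodes(HOPS))
```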
DDoS Attack: Mitigation Handoff Using BGP
[Route visualization: HSBC prefix; prior Autonomous System (HSBC) with withdrawn routes; new Autonomous System (VeriSign) with new routes]
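The origin and path checks behind the Salesforce/Indosat primer and the HSBC/VeriSign handoff above, as an added monitoring example (not ThousandEyes’ or any vendor’s code). AS 14340, 3356, 2914, 7018 and 4761 and prefix 96.43.144.0/22 come from the slides; 203.0.113.0/24, AS 64500 and the scrubbing provider AS 64510 are constructed placeholders, and the announcements are constructed sample data.

```python
from ipaddress import ip_network

# Constructed policy for the prefixes we monitor (sample data, not from the deck):
# the owner ASN plus any alternate origins we expect, such as a DDoS scrubbing
# provider that will originate our prefix during a BGP mitigation handoff.
MONITORED = {
    "96.43.144.0/22": {"owner": 14340, "allowed": {14340}},
    "203.0.113.0/24": {"owner": 64500, "allowed": {64500, 64510}},  # 64510: hypothetical scrubbing AS
}

def preferred_route(as_paths):
    """Simplified BGP best-path choice for one prefix: the shortest AS path wins
    (local preference, MED and the remaining tie-breakers are ignored here)."""
    return min(as_paths, key=len)

def classify_announcements(announcements):
    """Classify observed (prefix, AS path) announcements against MONITORED.

    Returns [(prefix, origin_asn, verdict)] with verdict one of
    'ok', 'expected-handoff', 'origin-hijack', 'more-specific-hijack'.
    """
    findings = []
    for prefix_str, as_path in announcements:
        seen = ip_network(prefix_str)
        origin = as_path[-1]  # the last ASN in the path originates the prefix
        for mon_str, policy in MONITORED.items():
            mon = ip_network(mon_str)
            if seen.version != mon.version or not seen.subnet_of(mon):
                continue
            if origin not in policy["allowed"]:
                # A more-specific wins longest-prefix match everywhere, so it is worse
                # than an equal-length announcement that merely competes on path length.
                verdict = "more-specific-hijack" if seen.prefixlen > mon.prefixlen else "origin-hijack"
            elif origin == policy["owner"]:
                verdict = "ok"
            else:
                verdict = "expected-handoff"
            findings.append((prefix_str, origin, verdict))
    return findings

# Constructed announcements as a transit network such as AT&T (AS 7018) might see them.
SAMPLE = [
    ("96.43.144.0/22", [7018, 3356, 14340]),  # legitimate route via Level3
    ("96.43.144.0/22", [7018, 4761]),         # same prefix originated by Indosat
    ("96.43.146.0/24", [7018, 4761]),         # more-specific originated by Indosat
    ("203.0.113.0/24", [7018, 64510]),        # scrubbing provider took over our prefix
]

if __name__ == "__main__":
    for prefix, origin, verdict in classify_announcements(SAMPLE):
        print(f"{prefix:18} origin AS{origin:<6} {verdict}")
    # The shorter hijacked path is what the simplified best-path choice selects:
    print(preferred_route([[7018, 3356, 14340], [7018, 4761]]))
```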
DNS Cache Poisoning
[Diagram: User; Local DNS Cache; Authoritative DNS Server dns.website.com for www.website.com; Attacker DNS Server dns.attack.com for www.attack.com; Attacker; steps numbered 1 to 4]
• Unsecured DNS server: no DNSSEC, no port randomization
• Attacker inserts a false record into the DNS cache
• User requests DNS record for www.website.com
• Looks up record on spoofed name server
• User accesses spoofed URL
Redirecting Facebook to Alternate IP Addresses
• Facebook is typically routed to 173.252.110.27, except in China
Key Capabilities to Monitor Network Security
Get global visibility
• Understand network topology and dependencies
• Focus on critical network services
Alert on routing to your network
• Reachability to your address blocks
• Path changes and more specific prefixes upstream
Track efficacy of external services
• DNS, CDN and hosting providers
• DDoS mitigation vendors and ISPs
Implement DNSSEC
• Prevent cache poisoning on your resolvers
• Monitor for poisoning of your records on other networks
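The two DNSSEC items above and the Facebook slide, as an added example (not ThousandEyes’ code): a check that compares the A records returned on other networks against a per-region expectation, so that a legitimate in-country answer is not mistaken for poisoning, plus a crude check for the ‘no port randomization’ weakness named on the cache poisoning slide. 173.252.110.27 is the address from the slide; every other address, network name and port sample is constructed.

```python
# Constructed per-region expectations for the monitored name. The deck's Facebook
# example resolves to 173.252.110.27 except in China, so one global IP is not enough.
EXPECTED = {
    "default": {"173.252.110.27"},
    "CN": {"203.0.113.50"},  # placeholder for the in-country answer
}

# Constructed observations: (vantage network, region, A records returned by its resolver).
OBSERVED = [
    ("Comcast US", "US", {"173.252.110.27"}),
    ("BT UK", "UK", {"173.252.110.27"}),
    ("ISP CN", "CN", {"203.0.113.50"}),
    ("ISP-X", "US", {"198.51.100.77"}),  # outside every expected set: suspect poisoning
]

def find_poisoned_answers(observed, expected):
    """Vantage points whose A records fall outside the expected set for their region."""
    flagged = []
    for network, region, answers in observed:
        allowed = expected.get(region, expected["default"])
        unexpected = answers - allowed
        if unexpected:
            flagged.append((network, sorted(unexpected)))
    return flagged

# Constructed UDP source ports seen on outgoing queries from two resolvers under test.
FIXED_PORTS = [53] * 20
RANDOM_PORTS = [1025, 40211, 18322, 61004, 30999, 5123, 47760, 22001, 9811, 53892]

def source_port_randomized(ports, min_distinct=8):
    """Crude check for the slide's 'no port randomization' weakness: a resolver that
    reuses one or very few source ports makes forged replies far easier to match."""
    return len(set(ports)) >= min(min_distinct, len(ports))

if __name__ == "__main__":
    print("suspect answers:", find_poisoned_answers(OBSERVED, EXPECTED))
    print("fixed-port resolver randomized:", source_port_randomized(FIXED_PORTS))
    print("random-port resolver randomized:", source_port_randomized(RANDOM_PORTS))
```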