The Gaming & Gambling industry has been the target of increasingly sophisticated cyber attacks in recent years, ranging from automated bots carrying out credential stuffing and intellectual property scraping to Layer 3 DDoS attacks, which can reduce network speed and performance and, in some cases, cause loss of business.
View this presentation from Cloudflare security experts Stephane Nouvellon, Principal Solutions Engineer, and Philip Björkman, Strategic Vertical Account Executive (EMEA Gaming & Gambling), to learn about:
- How you can protect your business and improve the performance and reliability of your infrastructure, globally
- Solutions to secure your organization's online traffic (all OSI layers) against bots and cyber attacks whilst improving the performance of your applications.
3. What we are talking about today
Security challenges faced by online gaming & gambling platforms
Strategies to secure on-prem networks (layer 3) and applications (layer 7)
4. About Cloudflare
Cloudflare is a leading security, performance, and reliability company. We protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code.
We have one of the world’s largest networks that powers more than 28 million Internet properties, with approximately 16% of the Fortune 1,000 companies using at least one Cloudflare product.
Trusted by: (customer logos)
5. Integrated, Intelligent Global Cloud Network (product overview diagram)
Product groups: Performance & Reliability; Security; Cloudflare for Infrastructure; Cloudflare for Teams; Serverless Application Platform
Products: Domain Name System (DNS), Firewall, Analytics, Workers, IoT Security, Cache, Load Balancing, SSL/TLS, Secure Origin Connection, Rate Limiting, Bot Management, DDoS Protection, Intelligent Routing, Image Optimization, Access, Magic Transit, Gateway, Workers KV, Stream
10. How bad bots affect your business
Credential Stuffing: Take-over of a user’s account from automatically applying previously stolen account credentials.
Content Scraping: Scraping and stealing information from a website.
Content Spam: Adding malicious content to web properties such as forums and registration forms.
Inventory Hoarding: Fraudulently purchasing goods to deprive legitimate customers or resell for a higher price.
Credit Card Stuffing: Attempts to validate stolen credit cards to then make fraudulent purchases.
Application DDoS: Slowing sites, wasting bandwidth and compute resources.
11. Evolution of Bots
Basic Bots
● Simply collect info
● Limited number of static IP addresses
● Repetitive attack pattern
● Easy to detect
Sophisticated Bots
● Mimic human behavior or hijack a real customer’s browser and tokens
● Need threat intelligence, behavioral analysis, machine learning, fingerprinting
Mature Bots
● Steal sensitive data, commit fraud, and disrupt business
● Botnets, change source IP addresses or originate from legitimate customers’ devices
● Challenge scripts, sending misleading information to a bot
12. Impact due to bot attacks
Financial: pipeline and sales impact; customer reimbursement
Reputational: customer trust and loyalty; brand reputation
Operational: service disruption; firefighting mode with resource reallocation
14. The Cloudflare Bot Difference
Fast, Intelligent, Integrated
● Cutting-edge detection engines
● Constantly learning from billions of new requests
● SDK-free
● Implement in under one hour
● Onboard customers under attack
● Effectively zero latency
● Retroactive analytics for existing customers
● Built to work with Cloudflare’s security suite
● No scale concerns
17. Bot Management: Built for security needs of the modern business
Configuration Flexibility
Threat Intelligence At-Scale
Automatic Allowlist
Optional JS injection
Integrated Security and Performance
Mobile App Endpoint and API Protection
Complete without Complexity
18. #2 What if HTTP isn’t your only public-facing perimeter?
19. Extending Cloudflare to networks (diagram: Cloudflare data center acting as reverse proxy in front of the customer origin network(s))
Layer 3 — IP: DDoS mitigation, IP firewall (filtering IP-level traffic)
Layer 4 — TCP: L4 load balancing, TLS & protocols
Layer 7 — HTTP: WAF, content caching
20. Magic Transit: Our battle-tested network stack, available in front of a customer’s data center for Layer 3 protection
Cloudflare Data Center: 200 cities in 100+ countries; 51 Tbps DDoS mitigation capacity; biggest attack mitigated ~942 Gbps
DDoS protection: near-instant TTM
Network firewall: granular Allow/Deny rules
Customer Data Center, protected at Layer 3 - IP (Magic Transit)
21. Benefits
Get rid of network perimeter hardware: DDoS protection, network firewall, traffic acceleration, and more delivered as a service.
Drive down your TCO: Pay exactly for only what you use. Get operational agility with VNFs delivered and billed as a service.
Get security + performance for your networks: Cloudflare has a physical presence in over 200 cities across 100+ countries. Magic Transit delivers DDoS protection with integrated performance benefits.
22. How it works
Connect: Using BGP route announcements, customer network traffic is ingested by Cloudflare.
Protect and Process: All traffic is inspected for attacks automatically and immediately.
Accelerate: Clean traffic is routed back to the customer network over Cloudflare. Anycast GRE tunnels deliver traffic to the customer network.
23. How to connect to Cloudflare
PNI: Customers can physically connect using Private Network Interconnect (PNI) at any of Cloudflare’s physical Points of Presence.
Internet Exchanges: Customers who want to use existing Internet Exchanges can interconnect with us at any of the 235+ Internet Exchanges that Cloudflare participates in.
Virtual connections: Cloudflare has partnered with five cloud-exchange providers to allow customers to connect using virtual links at any of the partner locations.
24. Other implementations: dedicated scrubbing centers (diagram)
Traffic from a legit client and an attacker is attracted by BGP announcements (from dedicated scrubbing centers). L3/4 attack traffic is scrubbed at the L3 scrubbing centers; the traffic then takes an additional hop (latency) for other L7 processing at the L7 services, where L7 attack traffic is handled. Legit traffic then ingresses to the customer data center (over Anycast GRE/PNI); egress goes over the internet.
Other implementations have dedicated ‘scrubbing centers’ where the traffic is inspected for L3 threats before being processed for other L7 services—this adds delay to network traffic.
25. Cloudflare: all services delivered from every data center (diagram)
BGP announcements are made from every single Cloudflare data center. All L3/L4-7 services are delivered from every Cloudflare data center (no need for traffic diversion). L3/4 attack traffic from the attacker is stopped at the edge; legit traffic takes smart routing over the Cloudflare network and ingresses to the customer data center (over Anycast GRE/PNI); egress goes over the internet.
Attacks are detected and mitigated at a Cloudflare data center closest to the source of origin.
26. Summary - Magic Transit Key Features
● DDoS mitigation capacity > 51+ Tbps
● Mitigate most attacks in < 3 seconds
● Sub-second threat detection
● BGP routing and GRE encapsulation
● 24 x 7 x 365 SOC
● Native integration with L7 services (CDN, WAF, Bot Management, etc.)
● Support for all IP services (TCP, UDP, IPSec, VoIP, custom protocols)
● Analytics dashboard
Cloudflare is a company which provides security, performance, and reliability to any web-facing property.
Traditionally this meant websites or web-facing applications, for example mobile banking, and we did this by operating as a reverse proxy for HTTP traffic.
We’ve since expanded that capability such that we are now able to proxy any TCP and UDP traffic (we'll talk about that in a bit), which allows you to put your game server behind Cloudflare as well.
We have more than 20 million such Internet properties behind us, and you can see a few recognizable names like Discord and Hypixel there, who are utilizing various Cloudflare features.
Cloudflare delivers a platform of deeply integrated products that serve as a unified control plane for our customers.
Our comprehensive platform includes purpose-built products for security, performance and reliability in one unified solution. The platform also makes it easy to build serverless applications using edge computing and to develop Cloudflare applications, while providing meaningful insights and analytics on web activity.
Modern architecture with integrated design
Single UI to manage security and performance
All underlying data in centralized location allows faster insights into performance and security
Ensures uptime during DDoS attacks while delivering accelerated performance for the applications
Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture, which has all products and services running on every server in every data center, so every new colo improves the network for our customers. Our network offers the scale and performance that help organizations deliver a superior application experience while keeping their environments secure.
I always like to start speaking about Cloudflare by presenting the portfolio aligned with the OSI model, since it gives a great visual overview of where Cloudflare’s solutions actually operate on your applications and infrastructure:
Layer 7, the application layer. This is where Cloudflare started 10 years ago, with performance and security at the HTTP level. Bot Management is a relatively recent addition that we’re going to see in more detail later in the presentation.
Down to layer 4, because HTTP is probably not the only protocol you’re using and might want to accelerate and protect: Cloudflare provides security, acceleration and load balancing for your TCP/UDP applications.
The network layer is also an important piece of our stack, where Cloudflare provides performance and security at the IP level with Magic Transit, which we’re going to see in more detail in the presentation.
And finally down to the physical layer, where Cloudflare can directly interconnect either physically or virtually with your infrastructure, so Cloudflare ends up virtually on top of your rack, with no border left facing the Internet without protection.
An important point to note is that Cloudflare provides its services in a fully integrated way, which means that every single line of code representing a service we offer runs on every server, in every data center, all around the world wherever Cloudflare has a point of presence.
The first challenge we observed in the gaming and gambling industry concerns scrapers and, in general, any kind of unwanted source of automated traffic targeting your applications.
Here is a non-comprehensive list of the use cases these bots have when botnets are operated against your origins:
Credential Stuffing: This is how attackers validate lists of credentials stolen on the Internet, with the intent of either accessing these accounts on your services or just validating the accuracy of the list for future coordinated attacks or for selling the validated information.
Inventory hoarding: This especially targets e-commerce, with the intent of programmatically buying all items and preventing real users from doing so.
Content scraping: This one is particularly observed in the gambling industry, where scrapers industrially monitor the competition's odds in order to place their own in a better spot.
Credit card stuffing: This one intends to validate stolen credit card information against your application, either for fraudulent buying or to validate the card data and sell it at a higher price.
Content Spam: This one targets any location of your website that accepts information to be posted, either to inject a malicious payload or simply to flood your workflows. This could be forums, account creation or password reset interfaces.
Application DDoS: Maybe not the most intuitive one, but since these attacks target the dynamic portions of websites (they need to somehow interact with them), the application itself can end up non-responsive, leaving real users with a bad experience.
At Cloudflare we have observed a quite representative transition in how these bots have been operated over the last 5 years. They moved from a basic to mature footprint, which implies a limited number of IPs being used and limited support for JavaScript computation, to a more sophisticated form. This last one is very special since it is in general very targeted: perpetrators study in detail the perimeter of the application to target and what the real user experience looks like in terms of requests, so they can emulate these without leaving obvious footprints.
They also implement advanced stacks that are able to mimic real browser behaviours, they can solve challenges, and they can leverage a large range of IPs, originating from data centers or even residential ISPs. This is the type of bot we’re going to focus on here with Bot Management.
These potentially impact your operations in three ways. The first one is financial, where you can end up in a situation where you cannot sell to your customers since all your stock is being taken away from them.
Second is reputation, and this has to do with the experience provided to your customers; this can come from the fact that your application is slow or unavailable because the automated traffic is disrupting it.
And finally operational, because it already costs a lot to operate your service, and even more when at the same time you have to cope with the level of traffic these automated sources are directing at your website.
Traditional Cloudflare offerings were great at mitigating basic and mature bots, but with the growing sophistication of these sources of automated traffic they were not enough anymore.
Now, the Cloudflare Bot Management difference comes down to three key propositions:
It is fast, because it is directly embedded in Cloudflare’s security and performance stack and provides a quick onboarding experience. No latency is added when adding Bot Management into the mix.
It is intelligent, and this is the advantage of having such a breadth of traffic, with about 20M requests per second on average received on the platform. This allows Cloudflare to learn even quicker and react to bot transitions and new trends.
It is fully integrated: Bot Management is a product that can interact with the other security products with no compromise on performance.
In terms of operations, Bot Management is an addition to what Cloudflare already does on your traffic for performance and security purposes. Bot Management analyses the traffic and establishes a score built from a list of specific features: machine learning, behavioral analysis, heuristics, JS fingerprinting and, finally, a curated list of verified bots to make sure none of your wanted automated traffic is blocked.
All of this integrates with the rest of Cloudflare’s stack and gives you another signal for taking accurate action on your traffic, with no latency added.
On top of that, when it comes to operating the solution, Cloudflare offers rich analytics and raw logs so your teams can monitor your applications at all times.
Bot Management, as explained, is provided as a platform that can be used in coordination with the other products, which in turn allows customers to implement the solution in many ways. The score can be used in the firewall engine provided by Cloudflare, be pushed to your backend for analysis, or even be leveraged inside our serverless computing platform for advanced mitigation.
This last scenario is quite popular since it allows, for instance, mitigating bots by confusing them. Instead of blocking or challenging the traffic, which would give the bot an indication that it was detected, why not send a confusing payload with randomized information? This is what the integration with Workers allows.
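The Workers path described above, as an added example that is not Cloudflare's own code: a handler that reads the Bot Management score (request.cf.botManagement.score, where 1 means almost certainly automated and 99 almost certainly human) and the verified-bot flag (request.cf.botManagement.verifiedBot), blocks the lowest scores, answers likely-automated traffic on a hypothetical /api/odds endpoint with a randomised decoy, and passes everything else to the origin. The thresholds, the endpoint path and the decoy shape are assumptions for this example; the same score is exposed to Firewall Rules as the field cf.bot_management.score if you prefer to block there instead.

```javascript
// Added example, not Cloudflare's own code: a Workers-style handler that turns the
// Bot Management score into an action. Thresholds and the /api/odds path are assumptions.

const BLOCK_BELOW = 10;                 // near-certain automation: refuse outright
const DECOY_BELOW = 30;                 // likely automation: answer with randomised data
const PROTECTED_PREFIX = '/api/odds';   // hypothetical endpoint that odds scrapers target

// The policy is a pure function so it can be unit-tested without a Workers runtime.
function decideBotAction(botManagement, pathname) {
  const bm = botManagement || {};
  if (bm.verifiedBot) return 'allow';                  // search engines etc. stay allowlisted
  if (typeof bm.score !== 'number') return 'allow';    // no score available: fail open to origin
  if (bm.score < BLOCK_BELOW) return 'block';
  if (bm.score < DECOY_BELOW && pathname.startsWith(PROTECTED_PREFIX)) return 'decoy';
  return 'allow';
}

// Decoy odds with randomised prices (constructed sample shape). Math.random is enough here:
// the values only need to look plausible and be wrong, not be cryptographically unpredictable.
function decoyOdds(eventId, random = Math.random) {
  const price = () => (1.5 + random() * 4).toFixed(2);
  return { event: eventId, markets: { home: price(), draw: price(), away: price() } };
}

const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    const bm = request.cf && request.cf.botManagement;
    const action = decideBotAction(bm, url.pathname);
    if (action === 'block') {
      return new Response('Forbidden', { status: 403 });
    }
    if (action === 'decoy') {
      // Same status, content type and shape as the real response, so the scraper
      // gets no obvious signal that it was detected.
      const body = JSON.stringify(decoyOdds(url.searchParams.get('event') || 'unknown'));
      return new Response(body, { status: 200, headers: { 'content-type': 'application/json' } });
    }
    return fetch(request);   // pass through to the origin untouched
  },
};
// In a Workers module deployment the last line would be: export default worker;
```

A missing score (for instance Bot Management not enabled on the zone) fails open to the origin rather than locking real users out, and verified bots are checked before the score so search-engine crawlers are never confused by decoy data.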
Finally, Cloudflare Bot Management in a nutshell:
Complete without Complexity: Protects against a full range of bot attacks with instant deployment.
Threat Intelligence At-Scale: Leverages diverse data from more than 27 million Internet properties. Applies machine learning, behavioral analysis, and fingerprinting to accurately identify bots.
Integrated Security and Performance: Bot Management integrates seamlessly with Cloudflare's DDoS, WAF, and CDN, enhancing security, user experience and performance.
Automatic allowlist: Allows good bots, such as those belonging to search engines, to keep reaching the site while preventing malicious traffic.
API and Mobile App Protection: Protects APIs that are generated in an automated fashion and accessed via web browsers. The solution also protects mobile applications from impersonation and emulation attacks.
Configuration Flexibility: Granular rules, user-defined mitigations and integration with Cloudflare’s Workers platform allow for unique actions beyond the industry standard.
The second challenge is around the scope of the properties being protected: sometimes HTTP or even TCP/UDP aren’t the only types of application or resource you have public-facing and, by extension, need to protect. We’re going to see how to close these gaps with Magic Transit.
When we started 10 years ago, we were providing Layer 7 security and performance, but that didn’t mean Cloudflare wasn’t operating DDoS mitigation for the lower levels of the OSI stack. With Magic Transit, we’re making available to customers the product we’ve built over all these years to protect our infrastructure, so we can protect yours, too.
IP-level protection is operated directly by Cloudflare, and traffic is sent back to the customer's origin infrastructure once mitigated.
Magic Transit isn’t different from the other products in the stack: it is totally integrated. It means Magic Transit is operated on every server of every data center, all around the world, providing a total of 51 Tbps of mitigation capacity.
As of now, and just to give you a perspective of the scale we provide with the platform, the biggest attack our network has mitigated was generating 942 Gbps of traffic. From a packets perspective, the biggest attack we mitigated was generating 754 million packets per second.
Now on to the benefits of Magic Transit:
One — it helps businesses make their transformation to the cloud and get rid of some portion of their on-premise boxes; Magic Transit operates on all your traffic for DDoS purposes.
Two — it provides security without compromise on performance. Using a network like Cloudflare’s helps with that and, because the solution is fully integrated with the other features and products, the scanning of traffic is done only once and for all before reaching your infrastructure.
Three — costs. More and more companies we talk to are looking for ways to reduce their Capex. Magic Transit helps you dramatically reduce your Capex and delivers operational agility with virtual network functions delivered and billed as a service.
OK, so how does it work?
We use BGP to announce routes to the customer’s network. Note that this is a fundamentally different product from anything Cloudflare has ever offered. This is not a simple DNS redirect. It’s a more involved process where we tell the Internet that we are the customer’s network and ingest all traffic destined to their networks using BGP. We can announce any customer network that is larger than a /24 prefix.
Once ingested by the Cloudflare data center closest to the source, the traffic is inspected for any threats. Of course, any L7 traffic that would benefit from content caching or WAF inspection is “upgraded” to our L7 pipeline without incurring additional network hops.
All clean network traffic is then encapsulated using GRE and tunneled from the Cloudflare data center to the customer network. GRE tunnels are initiated from Cloudflare’s anycast endpoints to the customer’s network. Anycast GRE tunnels are highly available and resilient to network failures that would bring traditional GRE tunnels down.
Finally, any egress traffic from the customer’s network is sent directly to the requestor/client using Direct Server Return.
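The connect, protect and accelerate steps above end with GRE-in-IPv4 arriving at the customer router. As an added example, not Cloudflare's code and not a description of Cloudflare's actual implementation, the JavaScript below builds such a packet with the anycast tunnel endpoint as the outer source and shows the checks a receiving side should make before trusting the inner packet. All addresses (192.0.2.1, 198.51.100.1, 203.0.113.10, 198.51.100.5) are constructed documentation values, and the 8-byte transport payload is a placeholder.

```javascript
// Added example (not Cloudflare's own code): GRE-in-IPv4 encapsulation of the kind that
// carries clean traffic from an anycast tunnel endpoint to the customer router, plus the
// validation a receiving side does before accepting the inner packet.
// All addresses are constructed documentation values (RFC 5737), not real endpoints.

const GRE_PROTO = 47;            // IP protocol number for GRE (RFC 2784)
const ETHERTYPE_IPV4 = 0x0800;   // GRE protocol-type for an inner IPv4 packet

// RFC 1071 ones'-complement checksum, used for the IPv4 header checksum.
function ipChecksum(bytes) {
  let sum = 0;
  for (let i = 0; i < bytes.length; i += 2) {
    sum += (bytes[i] << 8) | (i + 1 < bytes.length ? bytes[i + 1] : 0);
  }
  while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
  return ~sum & 0xffff;
}

function addrToBytes(addr) {
  const octets = addr.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${addr}`);
  }
  return octets;
}

function bytesToAddr(bytes) {
  return Array.from(bytes).join('.');
}

// 20-byte IPv4 header (no options) announcing `payloadLength` bytes after it.
function ipv4Header(src, dst, protocol, payloadLength, ttl = 64) {
  const h = new Uint8Array(20);
  h[0] = 0x45;                                  // version 4, IHL 5 words
  const total = 20 + payloadLength;
  h[2] = total >> 8; h[3] = total & 0xff;
  h[6] = 0x40;                                  // DF: tunnel packets must not be fragmented
  h[8] = ttl;
  h[9] = protocol;
  h.set(addrToBytes(src), 12);
  h.set(addrToBytes(dst), 16);
  const c = ipChecksum(h);                      // computed while the checksum field is zero
  h[10] = c >> 8; h[11] = c & 0xff;
  return h;
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Constructed inner packet: a client on the Internet reaching an address inside the
// customer's announced prefix; 8 placeholder bytes stand in for the transport payload.
function buildInnerPacket() {
  const transport = new Uint8Array(8);
  return concat(ipv4Header('203.0.113.10', '198.51.100.5', 6, transport.length), transport);
}

// Encapsulate: outer IPv4 (protocol 47) + 4-byte GRE header (no C/K/S options) + inner packet.
// `outerSrc` is the anycast tunnel endpoint, so every data center emits the same outer header
// and the customer router needs only one tunnel definition.
function greEncapsulate(outerSrc, outerDst, innerPacket) {
  const gre = new Uint8Array([0x00, 0x00, ETHERTYPE_IPV4 >> 8, ETHERTYPE_IPV4 & 0xff]);
  return concat(ipv4Header(outerSrc, outerDst, GRE_PROTO, gre.length + innerPacket.length), gre, innerPacket);
}

// Decapsulate on the receiving side. Returns the inner packet, or null if the outer
// packet is not a well-formed GRE/IPv4 packet this receiver is prepared to accept.
function greDecapsulate(packet) {
  if (packet.length < 24 || packet[0] >> 4 !== 4) return null;
  const ihl = (packet[0] & 0x0f) * 4;
  if (ihl < 20 || packet.length < ihl + 4) return null;
  if (ipChecksum(packet.subarray(0, ihl)) !== 0) return null;      // corrupted outer header
  if (packet[9] !== GRE_PROTO) return null;                        // not GRE at all
  const gre = packet.subarray(ihl, ihl + 4);
  if ((gre[0] & 0xb0) !== 0 || (gre[1] & 0x07) !== 0) return null; // C/K/S set or version != 0
  if (((gre[2] << 8) | gre[3]) !== ETHERTYPE_IPV4) return null;
  return packet.subarray(ihl + 4);
}

// Source address of an IPv4 packet: for the decapsulated inner packet this is still the
// real client, which is why the origin can reply directly (Direct Server Return).
function srcAddress(packet) {
  return bytesToAddr(packet.subarray(12, 16));
}
```

Because the inner packet keeps the real client as its source address, the origin's reply goes straight back over the Internet, which is the Direct Server Return mentioned above; the outer header exists only for the one-way trip from Cloudflare to the customer. A receiver that skipped the header checksum or the protocol-type check would accept malformed frames into its internal network, so both are validated before the inner packet is handed on.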
Now, the next important question is the following: how do I connect with Cloudflare? There are multiple solutions, the default being establishing a GRE tunnel over the Internet, but other scenarios are also supported, such as:
PNI: Setting up a cable between your infrastructure and Cloudflare where a location is compatible
Internet exchanges: Setting up a BGP peering directly within an IX
Virtual Connections: Setting up a connection via the cloud-exchange providers we support (Zayo, Equinix, Megaport, ConsoleConnect, PacketFabric)
An important point to mention is the life of the packets and requests when it comes to implementing such scrubbing mechanisms. This schema shows how this kind of security solution is generally implemented. You can see in the schema that two locations are used to clean the traffic, at Layer 3 and then at Layers 4 and 7.
While this isn’t specifically a problem for bad traffic, since we do not really care about the performance of its mitigation anyway, it can induce latency for legitimate traffic when crossing multiple hops potentially sitting in different regions. The blue line shows that for legitimate traffic, 2 hops are needed before reaching the backend infrastructure.
With Cloudflare, the traffic goes through only one location and is inspected only once, from Layer 3 up to Layer 7, before being sent to your infrastructure if legitimate.
Cloudflare also implements smart routing of the traffic to leverage the backbone even more, so the traffic goes back to the infrastructure in the most efficient way.
Now a summary of the solution and what it provides.
What requirements do you ask of customers when using Magic Transit? (A /24 subnet minimum and being able to sign a letter of authorization; optionally, including ASN 13335 in the RPKI implementation)
Does Magic Transit require customers to have a private interconnection with Cloudflare? (No, a GRE tunnel over the Internet can be established too)
Is any modification needed on the client or application side to use Bot Management? (No, Bot Management works directly on proxied requests, and challenge mitigation is inserted by Cloudflare directly without any change required)
How is Bot Management different from manually creating firewall rules to mitigate traffic? (Bot Management provides the intelligence of the network and does it automatically for you, with no operational overhead)
How is it possible that Cloudflare can support the execution of the security at different layers of the OSI model?