DDoS Threat Landscape
Countering Large-scale DDoS Attacks
CF Chui, Arbor Networks
Who is Arbor Networks?
90%: percentage of the world's Tier 1 service providers who are Arbor customers
107: number of countries with Arbor products deployed
#1: Arbor market position in DDoS mitigation equipment in carrier, enterprise and mobile markets [Infonetics Research, Dec. 2014]
14: number of years Arbor has been delivering innovative security and network visibility technologies & products
$19B: 2013 GAAP revenues [USD] of Danaher – Arbor's parent company providing deep financial backing
120+ Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative!
We See Things Others Can't
ATLAS Global Threat Analysis System
Attack Landscape seen by ATLAS
ATLAS Demographics
• ATLAS provides invaluable data to Arbor customers and the broader operational security community
• 330+ participating customers
– 32% Europe
– 24% North America
– 17% Asia
– 9% South America
– 9% Global
• Tracking a peak of over 120Tbps
DDoS: Attack Types
[Chart: DDoS attack types, share of attacks in % (y-axis 0–70), 2014 vs 2015]
• Two-thirds of attacks are volumetric, up slightly
– No surprise given reflection storm
• 90% of respondents report seeing application-layer attacks
– 4% fall in proportion of application-layer attacks
Substantial Growth in Largest Attacks
• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
• Some saw multiple events above 100Gbps but only reported largest
Worldwide DDoS attacks trend
Period    Average attack size (bps)   Change (Q/Q)   Peak attack size (bps)   Change (Q/Q)
2014 Q1   1.12Gbps                    -              325.06Gbps               -
2014 Q2   759.83Mbps                  -32.2%         154.69Gbps               -52.4%
2014 Q3   858.98Mbps                  +13.05%        264.61Gbps               +71.1%
2014 Q4   830.37Mbps                  -3.3%          267.21Gbps               +1%
2015 Q1   804.12Mbps                  -3.1%          334.22Gbps               +25%
2015 Q2   1.04Gbps                    +29.4%         196.35Gbps               -41%
Attack size analysis – Worldwide
[Chart: World 2015 Q1 size break-out, bps; categories <500Mbps, 500Mbps–1Gbps, 1–2Gbps, 2–5Gbps, 5–10Gbps, 10–20Gbps]
[Chart: World 2015 Q2 size break-out, bps; same categories]
§ Percentage of attacks over 1Gbps is growing strongly
§ 16% in 2014, 17.7% in Q1 '15, 20.8% in Q2.
§ Most growth in the 2–10Gbps range
§ Attack PPS rates also on the rise
§ 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
§ Percentage of attacks over 10Gbps resumes growth.
§ 1.26% in 2014, 0.9% in Q1 '15, 1.41% in Q2 '15.
§ Big jump in 50–100Gbps attacks in June.
[Chart: 2014/2015 event size break-out month-by-month; left axis 0–500 events for >50Gbps and >100Gbps, right axis 0–6000 events for >10Gbps and >20Gbps]
Reflection/Amplification attacks – Worldwide
§ Looking at attacks with source ports of services used for reflection.
§ Q2 2015 shows number of SSDP attacks starting to fall back.
§ 84K in Q2, 126K in Q1 2015, 83K in Q4 '14
§ 50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)
§ Average attack sizes increase for all vectors except SNMP.
§ Average duration of reflection attack 20 mins in Q2 (19 mins in Q1).
Protocol   UDP source port   Max size Q2 '15   Average size Q2 '15
SNMP       161               10.95bps          1.06Gbps
Chargen    19                44.9Gbps          2.2Gbps
DNS        53                120.3Gbps         2.78Gbps
SSDP       1900              144.91Gbps        2.42Gbps
NTP        123               185.94Gbps        2.75Gbps
[Chart: Reflection mechanism as % of overall attacks, 2014 Q1 to 2015 Q2 (y-axis 0–16%); series: SSDP, NTP, DNS, Chargen, MSSQL, SNMP]
APAC DDoS attacks trend
Period    Average attack size (bps)   Change (Q/Q)   Average attack duration   Change (Q/Q)
2014 Q1   579.99Mbps                  -              28m 58s                   -
2014 Q2   530.51Mbps                  -8.5%          29m                       +0%
2014 Q3   588.74Mbps                  +11%           31m 8s                    +7.3%
2014 Q4   500.68Mbps                  -15%           41m 10s                   +32%
2015 Q1   483.65Mbps                  -4.4%          46m 11s                   +12%
2015 Q2   800.01Mbps                  +65.4%         39m 53s                   -14%
[Chart: Attack traffic size – APAC Q2 2015; categories >20Gbps, 10-20Gbps, 5-10Gbps, 2-5Gbps, 1-2Gbps, 500Mbps-1Gbps, <500Mbps]
[Chart: Attack duration – APAC Q2 2015; categories >24 hours, 12-24 hours, 6-12 hours, 3-6 hours, 1-3 hours, 30 mins-1 hour, <30 mins]
Large DDoS attacks seen in 2015 APAC
[Chart: Peak attack growth trend in Gbps, monthly from Jan 2014 (Q1 14) to Jun 2015 (Q2 15), y-axis 0–350; monthly peaks in order: 88.31, 66.63, 235.6, 127.16, 76.29, 83.44, 76.75, 77.25, 98.89, 113.18, 61.15, 117.15, 334.22, 94.13, 51.25, 136.91, 100.99, 144.91]
Notable attacks:
• 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec
• 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min
• 99Gbps/26Mpps to India, NTP reflection attack, 31 min
• 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec
• 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec
• 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec
Large Attacks Analysis
Large DDoS attacks analysis – APAC
§ Number of attacks > 10Gbps increases significantly in Q2 2015.
§ Number of attacks > 50Gbps jump from 12 in Q1 2015 to 80 in Q2 2015
[Chart: number of events with attack size > 10Gbps per month, Jan 2014 to Jun 2015, y-axis 0–1200]
§ 99% of the attacks < 1Gbps
§ 95% of attacks last less than 1 hour
DDoS attacks target Malaysia H1 2015
Period   Peak attack size                              Avg attack size          Avg duration
Q1 15    94.13 Gbps/18.73 Mpps, UDP flooding attack    80.94 Mbps/17.93 Kpps    42 min 32 sec
Q2 15    27.90 Gbps/2.41 Mpps, UDP flooding attack     72.71 Mbps/11.99 Kpps    30 min 3 sec
[Chart: Attack traffic size – MY Q2 2015; categories >20Gbps, 10-20Gbps, 5-10Gbps, 2-5Gbps, 1-2Gbps, 500Mbps-1Gbps, <500Mbps]
[Chart: Attack duration – MY Q2 2015; categories >24 hours, 12-24 hours, 6-12 hours, 3-6 hours, 1-3 hours, 30 mins-1 hour, <30 mins]
Average attack sizes – Malaysia
Peak attack sizes – Malaysia
Number of attacks – Malaysia
Average attack duration – Malaysia
Quarter   Average attack traffic size (Mbps)   Peak attack traffic size (Gbps)   No. of attacks   Average attack duration (sec)
Q1 2013   139.05                               69.69                             2356             4740
Q2 2013   114.6                                10.96                             1179             1984
Q3 2013   119.8                                7.47                              1493             1471
Q4 2013   65                                   124.77                            21361            741
Q1 2014   64.46                                20.49                             25844            1470
Q2 2014   147.51                               127.16                            30147            2146
Q3 2014   128.46                               58.33                             30957            1917
Q4 2014   209.25                               91.2                              28036            2901
Q1 2015   80.94                                94.13                             42428            2552
Q2 2015   72.71                                27.9                              34605            1803
Reflection/Amplification attacks
Anatomy of an NTP Reflection Attack (Source: ATLAS Data)
Attacker-Reflector leg: NTP Monlist request (small). Src IP: spoofed (victim's IP); Dest IP: unsecured NTP server; Src Port: 80, Dest Port: 123.
Attacker-Victim leg: NTP Monlist response (large). Src IP: unsecured NTP server; Dest IP: victim; Src Port: 123, Dest Port: 80.
Unsecured NTP servers (http://openntpproject.org) are used to reflect and amplify.
NTP reflection attack was responsible for the largest monitored attack by ATLAS in 2014: 325Gbps. 89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps.
SOURCE: Data sourced from tenth Annual Worldwide Infrastructure Security Report and ATLAS data
Industry Best Current Practices (BCPs)
• BCPs are industry best practices for locking down a network
• Deploy these as policy to limit the exposure of your network
Network Infrastructure BCPs
• Separation of control plane from data plane
• Interface ACLs (iACLs)
• Source-based remote triggered blackhole (S/RTBH)
• Destination-based remote triggered blackhole (D/RTBH)
• Flowspec
• uRPF
Host Based BCPs
• OS hardening
• Access control
• Antivirus
• Patching/version control
• Application tuning
Mitigation Architecture – Options available
tACLs – block all unnecessary protocols/ports at network ingress; protect critical resources
Flowspec – BGP-based injection of ACLs or routing policy to filter or divert traffic
S/RTBH – Source-based remote triggered blackhole can be used to block known bad sources
D/RTBH – Destination-based remote triggered blackhole can be used as a method of last resort to protect the network
IDMS – Intelligent DDoS mitigation to protect everything else
How Can ISPs Defend Against These Attacks?
• Deploy antispoofing at all network edges.
– uRPF loose mode at the peering edge
– uRPF strict mode at the customer aggregation edge
– ACLs at the customer aggregation edge
– uRPF strict mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
– DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
– PACLs & VACLs at the IDC LAN access edge
– Cable IP Source Verify, etc. at the CMTS
– Other DOCSIS & DSL mechanisms
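As an added example (not from the deck or from Arbor's products), the Python below simulates the two uRPF modes the list assigns to different edges, against a small constructed FIB: strict mode for a single-homed customer aggregation port, where the return route must point back out the ingress interface, and loose mode for a peering edge, where return paths may be asymmetric and any specific, non-null route suffices. Prefixes, interface names and sample packets are constructed; the decision logic is what a router applies in hardware against its live FIB.

```python
"""Strict- vs loose-mode uRPF checks, simulated against a small FIB.

Added example, not Arbor's or a router vendor's code. Prefixes, interface
names and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed FIB: prefix -> egress interface. "discard" marks a null route
# (bogon space blackholed on the router); 0.0.0.0/0 is the default route.
FIB = {
    "198.51.100.0/24": "cust1",     # single-homed customer on aggregation port cust1
    "203.0.113.0/24": "cust2",      # single-homed customer on aggregation port cust2
    "192.0.2.0/24": "peer-a",       # learned from peer A, may also arrive via peer B
    "10.0.0.0/8": "discard",        # RFC 1918 space, null-routed
    "0.0.0.0/0": "upstream",        # default route towards transit
}
DEFAULT = "0.0.0.0/0"


def lookup(ip):
    """Longest-prefix match of ip in FIB; returns (prefix, interface)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (None, None) if best is None else (str(best[0]), best[1])


def urpf_strict(src_ip, ingress_iface):
    """Strict mode: the best route back to the source must leave via the
    interface the packet arrived on. Default and null routes never qualify
    here (routers commonly exclude the default route unless told otherwise)."""
    prefix, iface = lookup(src_ip)
    if prefix in (None, DEFAULT) or iface == "discard":
        return False
    return iface == ingress_iface


def urpf_loose(src_ip):
    """Loose mode: any specific, non-null route to the source passes, whatever
    interface it points at. Tolerates asymmetric routing at peering edges."""
    prefix, iface = lookup(src_ip)
    return prefix not in (None, DEFAULT) and iface != "discard"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str


def verdict(pkt, edge_role):
    """Apply the check the slide recommends for the edge the packet entered."""
    if edge_role == "customer-aggregation":
        ok = urpf_strict(pkt.src, pkt.ingress)
    elif edge_role == "peering":
        ok = urpf_loose(pkt.src)
    else:
        raise ValueError(f"unknown edge role: {edge_role}")
    return "forward" if ok else "drop"


# Constructed packets: (packet, role of the edge it arrived on)
SAMPLES = [
    (Packet("198.51.100.7", "192.0.2.10", "cust1"), "customer-aggregation"),  # genuine customer source
    (Packet("192.0.2.10", "198.51.100.7", "cust1"), "customer-aggregation"),  # spoofed: source lives behind peer-a
    (Packet("192.0.2.10", "198.51.100.7", "peer-b"), "peering"),              # asymmetric return path, loose mode passes
    (Packet("10.1.2.3", "198.51.100.7", "peer-b"), "peering"),                # bogon source, null-routed, dropped
    (Packet("198.18.0.5", "198.51.100.7", "peer-b"), "peering"),              # only the default route matches, dropped
]


def audit(samples=SAMPLES):
    """Return [(src, edge_role, verdict)] for each sample packet."""
    return [(pkt.src, role, verdict(pkt, role)) for pkt, role in samples]


if __name__ == "__main__":
    for src, role, v in audit():
        print(f"{src:>14}  {role:<21} {v}")
```

The second and third samples are the point of the slide's split: the same spoofed source is dropped by strict mode on the customer port, where a single-homed customer can only legitimately originate its own prefix, yet is accepted by loose mode on the peering edge, where the route to 192.0.2.0/24 pointing at peer A does not prove the packet could not arrive via peer B.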
[Diagram: service provider network with edges towards Customer 1, Customer 2, Downstream ISP, Data Center 1, Data Center 2, Regional Broadband and the Internet]
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
– Arbor Peakflow SP, which provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
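The following Python is an added example (not from the deck, from Peakflow SP or from any open-source collector) of the detection, classification and traceback step described above, applied to the reflection vectors the earlier slides tabulate. It selects UDP flows whose source port is one of the abused services (SNMP 161, Chargen 19, DNS 53, SSDP 1900, NTP 123), aggregates them per victim and vector, and reports rate, duration, distinct reflector count and the ingress interface each share arrived on, which is the traceback an operator needs to pick the edge for a filter. The flow records and field layout are constructed; they mimic common NetFlow exports but are assumptions.

```python
"""Detect and classify reflection/amplification floods from flow telemetry.

Added example, not from the deck, Arbor's products or any open-source
collector. Flow records are constructed; field names mimic common NetFlow
exports and are assumptions.
"""
from collections import defaultdict

# Reflection vectors keyed by the UDP source port seen on the victim-facing leg
REFLECTION_PORTS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP"}
UDP, TCP = 17, 6

# Constructed flow records (illustrative numbers, not measurements):
# (src_ip, dst_ip, proto, src_port, dst_port, bytes, packets, first_s, last_s, in_if)
FLOWS = [
    ("192.0.2.10", "203.0.113.5", UDP, 123, 80, 3_000_000_000, 6_400_000, 0, 60, "peer-a"),
    ("192.0.2.11", "203.0.113.5", UDP, 123, 80, 3_000_000_000, 6_400_000, 5, 60, "peer-a"),
    ("192.0.2.12", "203.0.113.5", UDP, 123, 80, 1_500_000_000, 3_200_000, 10, 55, "ixp-w"),
    ("192.0.2.13", "203.0.113.5", UDP, 123, 80, 1_500_000_000, 3_200_000, 20, 60, "ixp-w"),
    ("198.51.100.9", "203.0.113.5", UDP, 53, 51234, 12_000, 50, 0, 60, "peer-a"),       # ordinary DNS replies
    ("198.51.100.20", "203.0.113.7", UDP, 1900, 80, 150_000_000, 350_000, 0, 30, "peer-b"),
    ("198.51.100.21", "203.0.113.7", UDP, 1900, 80, 140_000_000, 340_000, 0, 30, "peer-b"),
    ("198.51.100.50", "203.0.113.9", TCP, 443, 51000, 900_000, 1_200, 0, 60, "peer-a"),  # TCP, not a reflection vector
]


def classify_reflection(flows, min_bps=100_000_000, min_reflectors=2):
    """Aggregate candidate reflection flows per (victim, vector).

    A (victim, vector) pair is flagged when its rate reaches min_bps and it
    comes from at least min_reflectors distinct sources; a single busy
    resolver answering a client never trips it.
    """
    agg = {}
    for src, dst, proto, sport, _dport, nbytes, pkts, first, last, in_if in flows:
        if proto != UDP or sport not in REFLECTION_PORTS:
            continue
        key = (dst, REFLECTION_PORTS[sport])
        a = agg.setdefault(key, {"bytes": 0, "packets": 0, "reflectors": set(),
                                 "first": first, "last": last, "per_if": defaultdict(int)})
        a["bytes"] += nbytes
        a["packets"] += pkts
        a["reflectors"].add(src)
        a["first"] = min(a["first"], first)
        a["last"] = max(a["last"], last)
        a["per_if"][in_if] += nbytes          # traceback: which edge carried it

    report = []
    for (victim, vector), a in agg.items():
        duration = max(a["last"] - a["first"], 1)   # seconds; avoid division by zero
        bps = a["bytes"] * 8 / duration
        report.append({
            "victim": victim,
            "vector": vector,
            "bps": bps,
            "pps": a["packets"] / duration,
            "duration_s": duration,
            "reflectors": len(a["reflectors"]),
            "ingress_bytes": dict(a["per_if"]),
            "alert": bps >= min_bps and len(a["reflectors"]) >= min_reflectors,
        })
    report.sort(key=lambda r: r["bps"], reverse=True)
    return report


def format_report(report):
    """One line per (victim, vector), largest first."""
    lines = []
    for r in report:
        flag = "ALERT" if r["alert"] else "ok   "
        ingress = ", ".join(f"{k}={v * 8 / r['duration_s'] / 1e6:.0f}Mbps"
                            for k, v in sorted(r["ingress_bytes"].items()))
        lines.append(f"{flag} {r['victim']:<13} {r['vector']:<7} {r['bps'] / 1e9:6.3f}Gbps "
                     f"{r['pps'] / 1e3:8.1f}kpps {r['duration_s']:>4}s "
                     f"{r['reflectors']} reflectors  via {ingress}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(classify_reflection(FLOWS))))
```

With the constructed records, the NTP traffic towards 203.0.113.5 aggregates to 1.2Gbps from four reflectors, two-thirds of it entering via peer-a, while the SSDP traffic stays below the threshold and the lone DNS reply is never counted as an attack. The two thresholds are deliberately separate: rate alone would flag a large legitimate transfer from one DNS server, and reflector count alone would flag nothing of consequence.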
Pervasive Detection – The Attack Surface
Mitigation – IDMS
[Diagram: network with Peer A, Peer B, upstreams, IXP-W and IXP-E at the edges and an IDMS inside]
Mitigation High Availability
• Network-based redundancy
– Regional redundancy using BGP anycast to mitigate traffic at the nearest location
– Appliances or blades in a router
• Scrubbing center redundancy
– Multiple TMS appliances in a single scrubbing center
– Use of Equal Cost Multipath (ECMP) between appliances
• Link redundancy in datacenter
– Deploy APS appliances in redundant datacenter paths
– Manually fail over to backup path if system fails into bypass
BGP Anycast Mitigation Redundancy
[Diagram: Peakflow SP TMS in Scrubbing Center 1 and Scrubbing Center 2 attached to the IP core; customer aggregation, customer CPE, peers and transit at the edges]
Mitigation Center Redundancy – CEF/ECMP
CEF/ECMP load balancing between TMS appliances in a mitigation center
[Diagram: attack traffic from the IDC diverted to a regional mitigation center holding a TMS mitigation cluster of Arbor TMS IDMSes]
On-Premise APS Link Redundancy
[Diagram: Pravail 1 and Pravail 2 on redundant paths between the Internet and the protected site]
Since each APS port-pair can also offer hardware bypass, single box failures do not require re-convergence.
Scaling Mitigation Capacity
• Currently-shipping largest-capacity Intelligent DDoS Mitigation System (IDMS) – 40gb/sec
• 16 IDMS (CEF/ECMP limit) = 640gb/sec per cluster
• Multiple clusters can be anycasted
• Largest number of IDMSes per deployment currently 100 = 4tb/sec of mitigation capacity per deployment, 10x more than largest DDoS to date.
• Deploy IDMSes in mitigation centers at edges, in/out of edge devices.
• Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!
• S/RTBH & flowspec leverage router/switch hardware: hundreds of mpps, gb/sec. Leveraging network infrastructure is required due to the ratio of attack volumes to peering and core link capacities!
• The Flow specification can match on the following criteria:
– Source / Destination Prefix
– IP Protocol (UDP, TCP, ICMP, etc.)
– Source and/or Destination Port
– ICMP Type and Code
– TCP Flags
– Packet Length
– DSCP (Diffserv Code Point)
– Fragment (DF, IsF, FF, LF)
• Actions are defined using Extended Communities:
– 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
– 0x8007: traffic-action (sample)
– 0x8008: redirect to VRF
– 0x8009: traffic-marking (DSCP value)
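As an added example (not from the deck, from ExaBGP or from any router vendor), the Python below models a Flowspec rule built from the match criteria listed above, validates it, and encodes its actions as the four extended communities the slide names, using the 8-byte layouts RFC 5575 defines for 0x8006 traffic-rate (2-byte AS plus a 4-byte IEEE float in bytes per second, 0 meaning discard), 0x8007 traffic-action (sample bit), 0x8008 redirect (a route target naming the VRF) and 0x8009 traffic-marking (DSCP). The text rendering follows ExaBGP's flow configuration syntax as an assumption, and the victim prefixes, ports, ASN and route target are constructed. The two sample rules mirror the mitigations the deck describes: dropping the NTP reflection leg (UDP source port 123 to destination port 80) towards one victim host, and diverting a victim prefix into a scrubbing VRF.

```python
"""Build, validate and encode a BGP Flowspec mitigation rule.

Added example, not from the deck or any vendor. The text rendering follows
ExaBGP's flow syntax as an assumption; prefixes, ports and ASNs are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class FlowRule:
    # match components (all optional, at least one prefix required)
    destination: Optional[str] = None      # victim prefix
    source: Optional[str] = None
    protocol: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    packet_length: Optional[int] = None
    dscp: Optional[int] = None
    # actions
    rate_bps: Optional[float] = None       # bytes per second; 0 discards the flow
    sample: bool = False
    redirect_rt: Optional[str] = None      # "ASN:value" route target of the dirty VRF
    mark_dscp: Optional[int] = None

    def validate(self):
        """Reject rules a router would refuse or that would match nothing useful."""
        if self.destination is None and self.source is None:
            raise ValueError("a source or destination prefix is required")
        for prefix in (self.destination, self.source):
            if prefix is not None:
                ipaddress.ip_network(prefix)          # raises on a malformed prefix
        if self.protocol is not None and self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        for port in (self.source_port, self.destination_port):
            if port is not None and not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        for dscp in (self.dscp, self.mark_dscp):
            if dscp is not None and not 0 <= dscp <= 63:
                raise ValueError("DSCP must fit in 6 bits")
        if self.rate_bps is None and not self.sample and self.redirect_rt is None and self.mark_dscp is None:
            raise ValueError("rule has no action")
        return True


def encode_actions(rule, local_as=0):
    """Encode the rule's actions as RFC 5575 extended communities (8 bytes each)."""
    comms = []
    if rule.rate_bps is not None:
        # traffic-rate 0x8006: 2-byte AS, then the rate as a 4-byte IEEE float
        comms.append(struct.pack(">BBHf", 0x80, 0x06, local_as, rule.rate_bps))
    if rule.sample:
        # traffic-action 0x8007: 6 value bytes, bit 46 = sample (S), bit 47 = terminal (T)
        comms.append(struct.pack(">BB5xB", 0x80, 0x07, 0x02))
    if rule.redirect_rt is not None:
        asn, value = (int(x) for x in rule.redirect_rt.split(":"))
        # redirect 0x8008: route target (2-byte AS + 4-byte value) of the target VRF
        comms.append(struct.pack(">BBHI", 0x80, 0x08, asn, value))
    if rule.mark_dscp is not None:
        # traffic-marking 0x8009: DSCP value in the low 6 bits of the last byte
        comms.append(struct.pack(">BB5xB", 0x80, 0x09, rule.mark_dscp))
    return comms


def render(rule):
    """Render the rule in ExaBGP's flow configuration syntax (assumed)."""
    match = [f"{k} {v};" for k, v in (("destination", rule.destination), ("source", rule.source),
                                      ("protocol", rule.protocol)) if v is not None]
    match += [f"{k} ={v};" for k, v in (("source-port", rule.source_port),
                                        ("destination-port", rule.destination_port),
                                        ("packet-length", rule.packet_length),
                                        ("dscp", rule.dscp)) if v is not None]
    then = []
    if rule.rate_bps == 0:
        then.append("discard;")
    elif rule.rate_bps is not None:
        then.append(f"rate-limit {int(rule.rate_bps)};")
    if rule.sample:
        then.append("action sample;")
    if rule.redirect_rt is not None:
        then.append(f"redirect {rule.redirect_rt};")
    if rule.mark_dscp is not None:
        then.append(f"mark {rule.mark_dscp};")
    inner = "\n".join(f"    {line}" for line in match) + "\n  }\n  then {\n" + "\n".join(f"    {line}" for line in then)
    return "flow route {\n  match {\n" + inner + "\n  }\n}"


# Constructed rules: drop the NTP-reflection leg towards one victim host, and
# divert everything for a victim prefix into a scrubbing VRF while sampling it.
DROP_NTP = FlowRule(destination="203.0.113.5/32", protocol="udp",
                    source_port=123, destination_port=80, rate_bps=0)
DIVERT = FlowRule(destination="203.0.113.0/24", redirect_rt="65000:100", sample=True)

if __name__ == "__main__":
    for rule in (DROP_NTP, DIVERT):
        rule.validate()
        print(render(rule))
        print("   ".join(c.hex() for c in encode_actions(rule, local_as=65000)))
```

Note that the first rule is narrow on purpose: it matches the reflected leg only (UDP, source port 123, destination port 80, one victim address), so legitimate NTP clients on the victim network, whose replies arrive on an ephemeral destination port, are untouched. The validation step matters operationally because a malformed or action-less rule injected over BGP reaches every edge router at once, which is exactly the property the next slide cites as the reason to use BGP for ACLs.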
DDoS Mitigation – BGP Flowspec
Why Use BGP For ACLs?
• ACLs are still the most widely used tool to mitigate DDoS attacks
– But… ACLs are demanding in configuration & maintenance.
• BGP Flowspec leverages the BGP control plane to simplify the distribution of ACLs, greatly improving operations:
– Inject new filter rules to all routers simultaneously without changing configuration.
– Reuse existing BGP operational knowledge & best practices.
• Improve response time to mitigate DDoS attacks!
BGP Flowspec Mitigation
[Diagram: botnet and legitimate users send traffic across the service provider network towards a victim behind a router, firewall and IPS/IDS in an enterprise or IDC; the SP portal sends a BGP announcement ("FLOW") to the edge routers; good traffic is forwarded, attack traffic is dropped]
SP portal initiates BGP update with ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it).
Flowspec filter applied on the external interfaces; only traffic matching that flow is discarded.
• BGP Flowspec route validation performed for eBGP sessions only.
Edge routers configured with BGP flowspec sessions, and flowspec filtering enabled on external peering interfaces.
BGP Flowspec Traffic Redirection
[Diagram: Internet traffic enters the service provider; detection & control issues a BGP Flowspec diversion ("FLOW") so attack traffic is redirected into a "dirty" VRF towards the scrubbing center (DDoS scrubber) and then reinjected; good traffic continues to the victim behind router, firewall and IPS/IDS in the enterprise or IDC]
BGP Flowspec filter to redirect only specified traffic that matches the rule.
Diverted traffic is a subset of all traffic destined to the victim.
BGP Flowspec – Vendors
• Router vendors supporting BGP Flowspec:
– Cisco IOS XR 5.2.0 & XE 3.14
– Alcatel-Lucent 7750 SROS 9.0R1
– Juniper JunOS 7.3
• DDoS mitigation vendors:
– Arbor Peakflow SP >5.8
• BGP tools:
– ExaBGP Injector
Mitigation – S/RTBH or Flowspec
[Diagram: network with Peer A, Peer B, upstreams, IXP-W and IXP-E; Peakflow SP peers with the edge routers]
Peakflow SP advertises list of blackholed prefixes based on source or destination addresses, or layer-4 flowspec classifier.
Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec).
SDN Illustrated
[Diagram: logical view and physical view of an SDN deployment; controller with northbound API (REST) and southbound API (OpenFlow), WB API between controllers, policy pushed from the controller]
NFV Illustrated
[Diagram: physical view of Internet – router – Arbor APS – FW – IPS – LB – webservers, and logical view of the same chain virtualised as vRouter, vAPS, vFW, vIPS, vLB and web VMs]
Where SDN Could be Ideal
• Meter traffic conditions, application and user behavior
• Match those conditions against a set of pre-defined criteria (policy)
• Act on the match according to a policy (control behavior)
[Diagram: controller with northbound API (REST), southbound API (OpenFlow) and WB API]
TMS Blacklist Offload via OpenFlow
[Diagram: Provider A and Provider B feed a data center with a TMS; good traffic passes, bad traffic is blocked (X) by OpenFlow rules in the fabric]
• Offloads traffic filtering from TMS to the network fabric via SDN protocol for greater scale and performance
• Integrates 3rd party SDN controller 'speaking' OpenFlow
• Similar/extensible to other policy-based protocols: BGP, FlowSpec, NETCONF, etc.
Mitigation – OpenFlow
[Diagram: network with Peer A, Peer B, upstreams, IXP-W and IXP-E, with a TMS]
Summary – Detection/Classification/Traceback/Mitigation
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Many open-source tools available as well
• Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches.
• Ensure recursive DNS servers are not queryable from the public Internet – only from your customers/users.
• Ensure SNMP is disabled/blocked on public-facing infrastructure/servers.
• Disallow level-6/-7 NTP queries from the public Internet.
• Disable all unnecessary services such as chargen.
• Regularly audit network infrastructure and servers/services.
Arbor Networks' Product Portfolio
Thank You

SDM – A New (Subsea) Cable ParadigmMyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEMyNOG
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...MyNOG
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveMyNOG
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...MyNOG
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...MyNOG
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyNOG
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...MyNOG
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 

Más de MyNOG (20)

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 

Último

一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich   9332606886  High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich   9332606886  High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...Sareena Khatun
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...MOHANI PANDEY
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 

Último (20)

一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich   9332606886  High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich   9332606886  High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 

DDoS Threats Landscape: Countering Large-scale DDoS attacks

  • 1. DDoS Threat Landscape: Countering Large-scale DDoS Attacks. CF Chui, Arbor Networks
  • 2. Who is Arbor Networks?
    – 90%: percentage of the world's Tier 1 service providers who are Arbor customers
    – 107: number of countries with Arbor products deployed
    – #1: Arbor market position in DDoS mitigation equipment in carrier, enterprise and mobile markets [Infonetics Research, Dec. 2014]
    – 14: number of years Arbor has been delivering innovative security and network visibility technologies & products
    – $19B: 2013 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing
    – 120+ Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative
    "We See Things Others Can't"
  • 3. ATLAS Global Threat Analysis System
  • 5. ATLAS Demographics
    – ATLAS provides invaluable data to Arbor customers and the broader operational security community
    – 330+ participating customers: 32% Europe, 24% North America, 17% Asia, 9% South America, 9% Global
    – Tracking a peak of over 120Tbps
  • 6. DDoS: Attack Types
    – Two-thirds of attacks are volumetric, up slightly; no surprise given the reflection storm
    – 90% of respondents report seeing application-layer attacks; 4% fall in the proportion of application-layer attacks
    [Chart: DDoS Attack Types, 2014 vs 2015]
  • 7. Substantial Growth in Largest Attacks
    – Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
    – Some saw multiple events above 100Gbps but only reported the largest
  • 8. Worldwide DDoS attacks trend
    Period    Average attack size (bps)   Change (Q/Q)   Peak attack size (bps)   Change (Q/Q)
    2014 Q1   1.12Gbps                    -              325.06Gbps               -
    2014 Q2   759.83Mbps                  -32.2%         154.69Gbps               -52.4%
    2014 Q3   858.98Mbps                  +13.05%        264.61Gbps               +71.1%
    2014 Q4   830.37Mbps                  -3.3%          267.21Gbps               +1%
    2015 Q1   804.12Mbps                  -3.1%          334.22Gbps               +25%
    2015 Q2   1.04Gbps                    +29.4%         196.35Gbps               -41%
    [Charts: World 2015 Q1 and 2015 Q2 Size Break-Out, BPS; bins <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]
  • 9. Attack size Analysis – Worldwide
    – Percentage of attacks over 1Gbps is growing strongly: 16% in 2014, 17.7% in Q1 '15, 20.8% in Q2
    – Most growth in the 2 – 10Gbps range
    – Attack PPS rates also on the rise: 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
    – Percentage of attacks over 10Gbps resumes growth: 1.26% in 2014, 0.9% in Q1 '15, 1.41% in Q2 '15
    – Big jump in 50-100Gbps attacks in June
    [Charts: 2014/2015 Event Size Break-Out Month-by-Month; one panel with series >50Gbps and >100Gbps, one panel with series >10Gbps and >20Gbps]
  • 10. Reflection/Amplification attacks – Worldwide
    – Looking at attacks with source ports of services used for reflection
    – Q2 2015 shows the number of SSDP attacks starting to fall back: 84K in Q2, 126K in Q1 2015, 83K in Q4 '14
    – 50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)
    – Average attack sizes increase for all vectors except SNMP
    – Average duration of reflection attack 20 mins in Q2 (19 mins in Q1)
    Protocol   UDP source port   Max size Q2 '15   Average size Q2 '15
    SNMP       161               10.95bps          1.06Gbps
    Chargen    19                44.9Gbps          2.2Gbps
    DNS        53                120.3Gbps         2.78Gbps
    SSDP       1900              144.91Gbps        2.42Gbps
    NTP        123               185.94Gbps        2.75Gbps
    [Chart: Reflection Mechanism as % of Overall Attacks, 2014 Q1 to 2015 Q2; series SSDP, NTP, DNS, Chargen, MSSQL, SNMP]
  • 11. APAC DDoS attacks trend
    Period    Average attack size (bps)   Change (Q/Q)   Average attack duration   Change (Q/Q)
    2014 Q1   579.99Mbps                  -              28m 58s                   -
    2014 Q2   530.51Mbps                  -8.5%          29m                       +0%
    2014 Q3   588.74Mbps                  +11%           31m 8s                    +7.3%
    2014 Q4   500.68Mbps                  -15%           41m 10s                   +32%
    2015 Q1   483.65Mbps                  -4.4%          46m 11s                   +12%
    2015 Q2   800.01Mbps                  +65.4%         39m 53s                   -14%
    [Charts: Attack traffic size – APAC Q2 2015 (bins <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps); Attack duration – APAC Q2 2015 (bins <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]
  • 12. Large DDoS attacks seen in 2015 APAC
    Peak attack growth trend in Gbps, by month:
    Jan 14: 88.31, Feb 14: 66.63, Mar 14: 235.6, Apr 14: 127.16, May 14: 76.29, Jun 14: 83.44, Jul 14: 76.75, Aug 14: 77.25, Sep 14: 98.89, Oct 14: 113.18, Nov 14: 61.15, Dec 14: 117.15, Jan 15: 334.22, Feb 15: 94.13, Mar 15: 51.25, Apr 15: 136.91, May 15: 100.99, Jun 15: 144.91
    Annotated peaks:
    – 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec
    – 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min
    – 99Gbps/26Mpps to India, NTP reflection attack, 31 min
    – 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec
    – 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec
    – 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec
  • 13. Large DDoS attacks analysis – APAC
    – Number of attacks > 10Gbps increases significantly in Q2 2015
    – Number of attacks > 50Gbps jump from 12 in Q1 2015 to 80 in Q2 2015
    [Chart: number of events of attack sizes > 10Gbps, monthly Jan 2014 to Jun 2015]
  • 14. DDoS attacks target Malaysia H1 2015
    – 99% of the attacks < 1Gbps
    – 95% of attacks last less than 1 hour
    Quarter   Peak attack size                              Avg attack size          Avg duration
    Q1 15     94.13 Gbps/18.73 Mpps, UDP flooding attack    80.94 Mbps/17.93 Kpps    42 min 32 sec
    Q2 15     27.90 Gbps/2.41 Mpps, UDP flooding attack     72.71 Mbps/11.99 Kpps    30 min 3 sec
    [Charts: Attack traffic size – MY Q2 2015 (bins <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps); Attack duration – MY Q2 2015 (bins <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]
  • 15. Average attack sizes – Malaysia
    Average attack traffic size (Mbps) per quarter: Q1 2013: 139.05, Q2 2013: 114.6, Q3 2013: 119.8, Q4 2013: 65, Q1 2014: 64.46, Q2 2014: 147.51, Q3 2014: 128.46, Q4 2014: 209.25, Q1 2015: 80.94, Q2 2015: 72.71
  • 16. Peak attack sizes – Malaysia
    Peak attack traffic size (Gbps) per quarter: Q1 2013: 69.69, Q2 2013: 10.96, Q3 2013: 7.47, Q4 2013: 124.77, Q1 2014: 20.49, Q2 2014: 127.16, Q3 2014: 58.33, Q4 2014: 91.2, Q1 2015: 94.13, Q2 2015: 27.9
  • 17. Number of attacks – Malaysia
    Number of attacks per quarter: Q1 2013: 2356, Q2 2013: 1179, Q3 2013: 1493, Q4 2013: 21361, Q1 2014: 25844, Q2 2014: 30147, Q3 2014: 30957, Q4 2014: 28036, Q1 2015: 42428, Q2 2015: 34605
  • 18. Average attack duration – Malaysia
    Average attack duration (sec) per quarter: Q1 2013: 4740, Q2 2013: 1984, Q3 2013: 1471, Q4 2013: 741, Q1 2014: 1470, Q2 2014: 2146, Q3 2014: 1917, Q4 2014: 2901, Q1 2015: 2552, Q2 2015: 1803
  • 19. Reflection/Amplification attacks – Anatomy of an NTP Reflection Attack (source: ATLAS data and the tenth Annual Worldwide Infrastructure Security Report)
    – Attacker-Reflector leg: NTP Monlist Request (small). Src IP: spoofed (victim's IP); Dest IP: unsecured NTP server; Src Port: 80; Dest Port: 123
    – Attacker-Victim leg: NTP Monlist Request (large). Src IP: unsecured NTP server; Dest IP: victim; Src Port: 123; Dest Port: 80
    – Unsecured NTP servers (http://openntpproject.org) are used to reflect and amplify
    – NTP reflection attack was responsible for the largest attack monitored by ATLAS in 2014: 325Gbps
    – 89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps
  • 20. Industry Best Current Practices (BCPs)
    – BCPs are industry best practices for locking down a network
    – Deploy these as policy to limit the exposure of your network
    – Network Infrastructure BCPs: separation of control plane from data plane; interface ACLs (iACLs); source-based remote triggered blackhole (S/RTBH); destination-based remote triggered blackhole (D/RTBH); Flowspec; uRPF
    – Host Based BCPs: OS hardening; access control; antivirus; patching/version control; application tuning
  • 21. Mitigation Architecture – Options available
    – tACLs: block all unnecessary protocols/ports at network ingress; protect critical resources
    – Flowspec: BGP-based injection of ACLs or routing policy to filter or divert traffic
    – S/RTBH: source-based remote triggered blackhole, can be used to block known bad sources
    – D/RTBH: destination-based remote triggered blackhole, can be used as a method of last resort to protect the network
    – IDMS: Intelligent DDoS Mitigation to protect everything else
  • 22. How Can ISPs Defend Against These Attacks?
    – Deploy antispoofing at all network edges:
      – uRPF loose mode at the peering edge
      – uRPF strict mode at the customer aggregation edge
      – ACLs at the customer aggregation edge
      – uRPF strict mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
      – DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
      – PACLs & VACLs at the IDC LAN access edge
      – Cable IP Source Verify, etc. at the CMTS
      – Other DOCSIS & DSL mechanisms
  • 23. Pervasive Detection – The Attack Surface
    [Diagram: Customer 1, Customer 2, Downstream ISP, Regional Broadband, Data Center 1, Data Center 2, Service Provider, Internet]
    – Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
      – Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
      – Arbor Peakflow SP provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
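The flow-telemetry detection described above, combined with the source-port rule of thumb from slide 10 and the NTP reply pattern from slide 19, can be written as a small classifier. This is an added example, not Arbor's code and not Peakflow's logic; the flow records, addresses and thresholds are constructed.

```python
"""Flow-based classification of reflection/amplification attacks.

Added example (not Arbor's code or Peakflow's logic): it applies the deck's
rule of thumb, look at attacks by the source ports of services used for
reflection, to NetFlow-style records. All flow records, addresses and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection vectors tabulated on slide 10.
REFLECTION_PORTS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP"}
UDP = 17


@dataclass(frozen=True)
class Flow:
    """One exported flow record; duration_s is the interval the counters cover."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int
    duration_s: float


@dataclass
class ReflectionEvent:
    victim: str
    vector: str
    src_port: int
    reflectors: int          # distinct source hosts answering from the service port
    mbps: float              # aggregate rate toward the victim
    avg_packet_bytes: float  # large packets are the amplified replies


def detect_reflection(flows, min_mbps=500.0, min_reflectors=10, min_avg_pkt=400):
    """Aggregate UDP flows per (victim, source port) and flag reflection vectors.

    At the victim a reflection attack shows up as many distinct sources that all
    answer from the same well-known UDP port with large packets. The three
    thresholds are illustrative, not values from the deck.
    """
    buckets = defaultdict(lambda: {"srcs": set(), "octets": 0, "pkts": 0, "dur": 0.0})
    for f in flows:
        if f.proto != UDP or f.src_port not in REFLECTION_PORTS:
            continue
        b = buckets[(f.dst_ip, f.src_port)]
        b["srcs"].add(f.src_ip)
        b["octets"] += f.octets
        b["pkts"] += f.packets
        b["dur"] = max(b["dur"], f.duration_s)

    events = []
    for (victim, port), b in buckets.items():
        mbps = b["octets"] * 8 / b["dur"] / 1e6
        avg_pkt = b["octets"] / b["pkts"]
        if len(b["srcs"]) >= min_reflectors and mbps >= min_mbps and avg_pkt >= min_avg_pkt:
            events.append(ReflectionEvent(victim, REFLECTION_PORTS[port], port,
                                          len(b["srcs"]), round(mbps, 1), round(avg_pkt, 1)))
    return sorted(events, key=lambda e: e.mbps, reverse=True)


# Constructed sample: the NTP pattern from slide 19 (replies from port 123 toward the
# spoofed source port 80 of the victim), plus benign traffic that must not trigger.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 80, UDP, 200_000, 200_000 * 468, 60.0)
     for i in range(1, 51)]                       # 50 open NTP servers, large replies
    + [Flow(f"192.0.2.{i}", 53, "203.0.113.10", 33000 + i, UDP, 500, 500 * 110, 60.0)
       for i in range(1, 4)]                      # three resolvers, small DNS answers
    + [Flow("192.0.2.50", 123, "203.0.113.20", 123, UDP, 10, 10 * 76, 60.0),      # real NTP sync
       Flow("192.0.2.60", 443, "203.0.113.10", 51000, 6, 1_000_000, 1_400_000_000, 60.0)]  # TCP bulk
)


if __name__ == "__main__":
    for e in detect_reflection(SAMPLE_FLOWS):
        print(f"{e.vector} reflection toward {e.victim}: {e.reflectors} reflectors, "
              f"{e.mbps} Mbps, avg packet {e.avg_packet_bytes} bytes")
```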
  • 24. Mitigation – IDMS
    [Diagram: Peer A, Peer B, Upstreams, IXP-W, IXP-E, IDMS]
  • 25. Mitigation High Availability
    – Network-based redundancy: regional redundancy using BGP anycast to mitigate traffic at the nearest location; appliances or blades in a router
    – Scrubbing center redundancy: multiple TMS appliances in a single scrubbing center; use of Equal Cost Multipath (ECMP) between appliances
    – Link redundancy in datacenter: deploy APS appliances in redundant datacenter paths; manually fail over to backup path if system fails into bypass
  • 26. BGP Anycast Mitigation Redundancy
    [Diagram: Peakflow SP TMS in Scrubbing Center 1 and Scrubbing Center 2, Customer Aggregation, IP Core, POP B, Peers, Transit, Customer CPE]
  • 27. Mitigation Center Redundancy - CEF/ECMP
    – CEF/ECMP load balancing between TMS appliances in a mitigation center
    [Diagram: Regional Mitigation Center with a TMS Mitigation Cluster of Arbor TMS IDMSes receiving attack traffic]
  • 28. IDC On-Premise APS Link Redundancy
    – Since each APS port-pair can also offer hardware bypass, single box failures do not require re-convergence
    [Diagram: Internet, Pravail 1, Pravail 2]
  • 29. Scaling Mitigation Capacity
    – Currently-shipping largest-capacity Intelligent DDoS Mitigation System (IDMS): 40gb/sec
    – 16 IDMS (CEF/ECMP limit) = 640gb/sec per cluster
    – Multiple clusters can be anycasted
    – Largest number of IDMSes per deployment currently 100 = 4tb/sec of mitigation capacity per deployment, 10x more than the largest DDoS to date
    – Deploy IDMSes in mitigation centers at edges, in/out of edge devices
    – Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!
    – S/RTBH & flowspec leverage router/switch hardware: hundreds of mpps, gb/sec. Leveraging network infrastructure is required due to the ratio of attack volumes to peering and core link capacities!
  • 30. DDoS Mitigation – BGP Flowspec
    – The flow specification can match on the following criteria:
      – Source / destination prefix
      – IP protocol (UDP, TCP, ICMP, etc.)
      – Source and/or destination port
      – ICMP type and code
      – TCP flags
      – Packet length
      – DSCP (Diffserv Code Point)
      – Fragment (DF, IsF, FF, LF)
    – Actions are defined using extended communities:
      – 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
      – 0x8007: traffic-action (sample)
      – 0x8008: redirect to VRF
      – 0x8009: traffic-marking (DSCP value)
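The match criteria and extended-community actions listed above are what the edge router receives on the wire. As an added example (not from the deck and not any router or Peakflow code), the following Python encodes one such rule in the RFC 5575 NLRI format and decodes it back; the victim address, AS number and rate are constructed.

```python
"""Build a BGP Flowspec rule in its wire format (RFC 5575).

Added example, not from the deck nor from any router or Peakflow code: it encodes
the NLRI for "UDP from source port 123 or 1900 toward one victim /32" together
with the traffic-rate (0x8006) and redirect (0x8008) extended communities that
slide 30 lists as actions. The victim address, AS number and rate are constructed.
"""
import ipaddress
import struct

# Flowspec component types, in the ascending order they must appear in the NLRI.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Numeric operator bits: end-of-list, AND-with-previous, less/greater/equal.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01


def _prefix_component(ctype, cidr):
    """Type, prefix length in bits, then only as many address bytes as the prefix needs."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Encode 'value == v1 OR value == v2 ...'; the last operator carries end-of-list."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            length_bits, payload = 0x00, struct.pack("!B", v)     # 1-byte value
        elif v < 0x10000:
            length_bits, payload = 0x10, struct.pack("!H", v)     # 2-byte value
        else:
            length_bits, payload = 0x20, struct.pack("!I", v)     # 4-byte value
        op = OP_EQ | length_bits | (OP_END if i == len(values) - 1 else 0)
        out += bytes([op]) + payload
    return bytes(out)


def flowspec_nlri(dest=None, src=None, proto=None, dest_ports=(), src_ports=()):
    """Concatenate components in ascending type order and prepend the NLRI length."""
    body = b""
    if dest:
        body += _prefix_component(DEST_PREFIX, dest)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        body += _numeric_component(IP_PROTO, [proto])
    if dest_ports:
        body += _numeric_component(DEST_PORT, list(dest_ports))
    if src_ports:
        body += _numeric_component(SRC_PORT, list(src_ports))
    if len(body) >= 240:                       # extended 2-octet length, high nibble 0xF
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body


def decode_nlri(nlri):
    """Parse an NLRI back into (component type, value) pairs, as a receiving router would."""
    if nlri[0] >= 0xF0:
        length, pos = struct.unpack("!H", nlri[:2])[0] & 0x0FFF, 2
    else:
        length, pos = nlri[0], 1
    end, out = pos + length, []
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            addr = ipaddress.IPv4Address(nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"))
            out.append((ctype, f"{addr}/{plen}"))
            pos += 1 + nbytes
        else:
            values = []
            while True:
                op = nlri[pos]
                size = 1 << ((op >> 4) & 0x3)   # operator length bits select 1/2/4/8 bytes
                values.append(int.from_bytes(nlri[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if op & OP_END:
                    break
            out.append((ctype, values))
    return out


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """0x8006 traffic-rate: 2-byte AS, then an IEEE float of bytes/sec; 0 discards the flow."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def redirect_vrf_community(asn, local_admin):
    """0x8008 redirect: a route target naming the VRF to divert into (the 'dirty' VRF of slide 33)."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, local_admin)


if __name__ == "__main__":
    # Constructed victim: discard NTP and SSDP reflection replies toward 203.0.113.10.
    rule = flowspec_nlri(dest="203.0.113.10/32", proto=17, src_ports=[123, 1900])
    print("NLRI      :", rule.hex())
    print("decoded   :", decode_nlri(rule))
    print("discard   :", traffic_rate_community(0).hex())
    print("1 MB/s cap:", traffic_rate_community(1_000_000).hex())
```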
  • 31. • ACLs  are  still  the  most  widely  used  tool  to  mitigate  DDoS attacks – But…ACLs  are  demanding  in  configuration  &  maintenance. • BGP  Flowspec leverages  the  BGP  Control  Plane  to   simplify  the  distribution  of  ACLs,  greatly  improving   operations: – Inject  new  filter  rules  to  all  routers simultaneously  without  changing  configuration. – Reuse  existing  BGP  operational  knowledge  &   and  best  practices. • Improve  response  time  to  mitigate   mitigate  DDoS attacks! Why  Use  BGP  For  ACLs?
  • 32. BGP  Flowspec Mitigation IPS/ID S Enterprise  or  IDC Victim Service  Provider  Network Route r Flowspec filter  applied  on  the   external  interfaces,  only  traffic   matching  that  flow  is  discarded. SP  Portal  initiates  BGP  update  with   ACL  filter  to  be  applied  at  the  edge   router  external  interfaces  (in   theory  the  customer  could  also   initiate  it). Firewal l Botnet Legitimate Users Route r Good  traffic Attack  traffic BGP  Announcement FLOWFLO W • BGP Flowspec route validation performed for eBGP sessions only. Edge  routers  configured   with  BGP  flowspec sessions,   and  flowspec filtering   enabled  on  external  peering   interfaces.
  • 33. BGP  Flowspec Traffic  Redirection DDoS Scrubber Detection &  Control Good  traffic Attack  traffic BGP  Flowspec   Diversion Internet Internet Scrubbing  Center “Dirty”  VRF IPS/ID S Enterprise  or  IDC Victim Route r Firewal l Route r Traffic   Reinjection BGP  Flowspec filter  to   redirect  only  specified   traffic  that  matches   rule FLOW Diverted  traffic  is  a   subset  of  all  traffic   destined  to  victim
• 34. BGP Flowspec – Vendors
• Router vendors supporting BGP Flowspec:
– Cisco IOS XR 5.2.0 & XE 3.14
– Alcatel-Lucent 7750 SROS 9.0R1
– Juniper JunOS 7.3
• DDoS mitigation vendors:
– Arbor Peakflow SP >5.8
• BGP tools:
– ExaBGP Injector
• 35. Mitigation – S/RTBH or Flowspec
[Diagram: Peakflow SP in the provider core, upstreams reached via Peer A, Peer B, IXP-W and IXP-E]
• Peakflow SP advertises a list of blackholed prefixes based on source or destination addresses, or a layer-4 Flowspec classifier
• Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (Flowspec)
• 36. SDN Illustrated
[Diagram, logical and physical view: Northbound API (REST), Controller, Policy, Southbound API (OpenFlow), WB API]
• 37. NFV Illustrated
[Diagram, logical view: Internet, Router, Arbor APS, FW, IPS, LB, Webservers; physical view: vRouter, vAPS, vFW, vIPS, vLB, Web VMs]
• 38. Where SDN Could be Ideal
• Meter traffic conditions, application and user behavior
• Match those conditions against a set of pre-defined criteria (policy)
• Act on the match according to a policy (control behavior)
[Diagram: Northbound API (REST), Controller, Southbound API (OpenFlow), WB API]
• 40. TMS Blacklist Offload via OpenFlow
[Diagram: Provider A and Provider B feeding a data center with TMS; good traffic passes, bad traffic is blocked (X) in the fabric via OpenFlow]
• Offloads traffic filtering from TMS to the network fabric via an SDN protocol for greater scale and performance
• Integrates a 3rd-party SDN controller ‘speaking’ OpenFlow
• Similar/extensible to other policy-based protocols: BGP, FlowSpec, NETCONF, etc.
• 41. Mitigation – OpenFlow
[Diagram: TMS in the provider core, upstreams reached via Peer A, Peer B, IXP-W and IXP-E]
• 42. Summary – Detection/Classification/Traceback/Mitigation
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Many open-source tools available as well
• Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches.
• Ensure recursive DNS servers are not queryable from the public Internet – only from your customers/users.
• Ensure SNMP is disabled/blocked on public-facing infrastructure/servers.
• Disallow level-6/-7 NTP queries from the public Internet.
• Disable all unnecessary services such as chargen.
• Regularly audit network infrastructure and servers/services.