2. Who is Arbor Networks?
90%: Percentage of world's Tier 1 service providers who are Arbor customers
107: Number of countries with Arbor products deployed
#1: Arbor market position in DDoS Mitigation Equipment in Carrier, Enterprise and Mobile markets [Infonetics Research, Dec. 2014]
14: Number of years Arbor has been delivering innovative security and network visibility technologies & products
$19B: 2013 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing
120+ Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative!
We See Things Others Can't
5. ATLAS Demographics
• ATLAS provides invaluable data to Arbor customers and the broader operational security community
• 330+ participating customers
  – 32% Europe
  – 24% North America
  – 17% Asia
  – 9% South America
  – 9% Global
• Tracking a peak of over 120Tbps
6. DDoS : Attack Types
[Chart: DDoS Attack Types, 2014 vs 2015, percentage of respondents (0 to 70)]
• Two-thirds of attacks are volumetric, up slightly
  – No surprise given reflection storm
• 90% of respondents report seeing application-layer attacks
  – 4% fall in proportion of application-layer attacks
7. Substantial Growth in Largest Attacks
• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
• Some saw multiple events above 100Gbps but only reported largest
9. Attack Size Analysis – Worldwide
§ Percentage of attacks over 1Gbps is growing strongly
§ 16% in 2014, 17.7% in Q1 '15, 20.8% in Q2.
§ Most growth in the 2 – 10Gbps range
§ Attack PPS rates also on the rise
§ 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
§ Percentage of attacks over 10Gbps resumes growth.
§ 1.26% in 2014, 0.9% in Q1 '15, 1.41% in Q2 '15.
§ Big jump in 50-100Gbps attacks in June.
[Chart: 2014/2015 Event Size Break-Out, Month-by-Month: events >50Gbps and >100Gbps (0 to 500); events >10Gbps and >20Gbps (0 to 6000)]
10. Reflection/Amplification attacks – Worldwide
§ Looking at attacks with source-ports of services used for reflection.
§ Q2 2015 shows number of SSDP attacks starting to fall back.
§ 84K in Q2, 126K in Q1 2015, 83K in Q4 '14
§ 50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)
§ Average attack sizes increase for all vectors except SNMP.
§ Average duration of reflection attack 20 mins in Q2 (19 mins in Q1).

Protocol   UDP Source Port   Max Size Q2 '15   Average Size Q2 '15
SNMP       161               10.95bps          1.06Gbps
Chargen    19                44.9Gbps          2.2Gbps
DNS        53                120.3Gbps         2.78Gbps
SSDP       1900              144.91Gbps        2.42Gbps
NTP        123               185.94Gbps        2.75Gbps

[Chart: Reflection Mechanism as % of Overall Attacks, Q1 2014 to Q2 2015 (0.00% to 16.00%), by vector: SSDP, NTP, DNS, Chargen, MSSQL, SNMP]
12. Large DDoS attacks seen in 2015 APAC
[Chart: Peak Attack Growth trend in Gbps, monthly Jan 2014 to Jun 2015 (Q1 '14 to Q2 '15), y-axis 0 to 350; monthly peak labels as extracted: 88.31, 66.63, 235.6, 127.16, 76.29, 83.44, 76.75, 77.25, 98.89, 113.18, 61.15, 117.15, 334.22, 94.13, 51.25, 136.91, 100.99, 144.91]
Annotated events:
• 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec
• 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min
• 99Gbps/26Mpps to India, NTP reflection attack, 31 min
• 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec
• 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec
• 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec
13. Large Attacks Analysis
§ Number of attacks > 10Gbps increases significantly in Q2 2015.
§ Number of attacks > 50Gbps jump from 12 in Q1 2015 to 80 in Q2 2015
[Chart: Large DDoS attacks analysis – APAC: number of events of attack sizes > 10Gbps, monthly Jan 2014 to Jun 2015 (0 to 1200)]
14. DDoS attacks target Malaysia H1 2015
§ 99% of the attacks < 1Gbps
§ 95% of attacks last less than 1 hour

          Peak attack size                                 Avg attack size          Avg duration
Q1 '15    94.13 Gbps/18.73 Mpps, UDP flooding attack       80.94 Mbps/17.93 Kpps    42 min 32 sec
Q2 '15    27.90 Gbps/2.41 Mpps, UDP flooding attack        72.71 Mbps/11.99 Kpps    30 min 3 sec

[Chart: Attack traffic size - MY Q2 2015, buckets: >20Gbps, 10-20Gbps, 5-10Gbps, 2-5Gbps, 1-2Gbps, 500Mbps-1Gbps, <500Mbps]
[Chart: Attack duration - MY Q2 2015, buckets: >24 hours, 12-24 hours, 6-12 hours, 3-6 hours, 1-3 hours, 30 mins-1 hour, <30 mins]
19. Reflection/Amplification attacks
Anatomy of an NTP Reflection Attack (Source: ATLAS Data)
Attacker-Reflector Leg:
  Attacker -> Unsecured NTP Servers (http://openntpproject.org), used to reflect and amplify
  NTP Monlist Request (small)
  Src IP: Spoofed (Victim's IP)
  Dest IP: Unsecured NTP Server
  Src Port: 80, Dest Port: 123
Attacker-Victim Leg:
  Unsecured NTP Servers -> Victim
  NTP Monlist Response (large)
  Src IP: Unsecured NTP Server
  Dest IP: Victim
  Src Port: 123, Dest Port: 80
NTP reflection attack was responsible for the largest monitored attack by ATLAS in 2014: 325Gbps
89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps
SOURCE: Data sourced from tenth Annual Worldwide Infrastructure Security Report and ATLAS data
20. Industry Best Current Practices (BCPs)
• BCPs are industry best practices for locking down a network
• Deploy these as policy to limit the exposure of your network
Network Infrastructure BCPs
• Separation of control plane from data plane
• Interface ACLs (iACLs)
• Source based remote triggered blackhole (S/RTBH)
• Destination based remote triggered blackhole (D/RTBH)
• Flowspec
• uRPF
Host Based BCPs
• OS Hardening
• Access control
• Antivirus
• Patching/Version Control
• Application Tuning
21. Mitigation Architecture – Options available
tACLs – block all unnecessary protocols/ports at network ingress – protect critical resources
Flowspec – BGP-based injections of ACLs or routing policy to filter or divert traffic
S/RTBH – Source based remote triggered blackhole can be used to block known bad sources
D/RTBH – Destination based remote triggered blackhole can be used as a method of last resort to protect the network
IDMS – Intelligent DDoS mitigation to protect everything else
22. How Can ISPs Defend Against These Attacks?
• Deploy antispoofing at all network edges.
– uRPF Loose-Mode at the peering edge
– uRPF Strict Mode at customer aggregation edge
– ACLs at the customer aggregation edge
– uRPF Strict-Mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
– DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
– PACLs & VACLs at the IDC LAN access edge
– Cable IP Source Verify, etc. at the CMTS
– Other DOCSIS & DSL mechanisms
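To make the strict/loose distinction in these bullets concrete, here is an added example (not Arbor's or any vendor's code) that models both uRPF modes against a constructed FIB, with strict mode on the customer aggregation ports and loose mode on the peering edge, as the slide recommends. The FIB, interface names and addresses are constructed, and it assumes a full-table edge router with no default route, so a source address with no route at all is treated as unroutable.

```python
import ipaddress

# Constructed FIB for an edge router: prefix -> egress interface of the route.
# Assumption: full routing table, no default route, so unallocated/bogon sources have no entry.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"):  "cust-agg-1",
    ipaddress.ip_network("198.51.100.0/24"): "cust-agg-2",
    ipaddress.ip_network("192.0.2.0/24"):    "peer-uplink",   # stands in for the rest of the Internet
}

# Per-edge mode from the slide: strict at customer aggregation, loose at the peering edge.
EDGE_MODE = {"cust-agg-1": "strict", "cust-agg-2": "strict", "peer-uplink": "loose"}

def lookup(src_ip):
    """Longest-prefix match of the packet's source address against the FIB (None if unrouted)."""
    src = ipaddress.ip_address(src_ip)
    matches = [p for p in FIB if src in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None

def urpf_permits(src_ip, ingress_if, mode):
    """True if a packet with this source, arriving on ingress_if, passes the uRPF check.
    loose:  some route back to the source must exist (catches unroutable/bogon sources only)
    strict: that route must also point back out the ingress interface (catches a customer
            spoofing another customer's or any foreign address)."""
    best = lookup(src_ip)
    if best is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return FIB[best] == ingress_if
    raise ValueError("mode must be 'strict' or 'loose'")

def filter_packets(packets):
    """Apply the per-edge mode to (src_ip, ingress_if) pairs; return the ones uRPF drops."""
    return [(s, i) for s, i in packets if not urpf_permits(s, i, EDGE_MODE[i])]
```

Note what loose mode does not catch: a packet arriving from peering that spoofs one of our own customer prefixes still has a route and passes, which is why strict mode belongs wherever the topology is symmetric enough to allow it.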
23. Pervasive Detection – The Attack Surface
[Diagram: network edges to instrument: Customer 1, Downstream ISP, Internet, Data Center 1, Service Provider, Data Center 2, Customer 2, Regional Broadband]
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
  – Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
  – Arbor Peakflow SP, which provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
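As an added example (not Arbor's or Peakflow SP's code) of the source-port-based reflection classification from slide 10 applied to the flow telemetry described here, the following groups NetFlow-style records by victim and reflection vector and reports Gbps, Mpps, distinct reflector count and duration, the same quantities the slides use to describe events. The flow records, addresses and thresholds are constructed, and byte/packet counts are assumed unsampled.

```python
from collections import defaultdict

# UDP source ports of services abused as reflectors: the five vectors in the slide 10 table
# plus MSSQL (1434) from its chart. Assumption: flow counts are unsampled (1:1).
REFLECTION_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "Chargen", 161: "SNMP", 1434: "MSSQL"}

def classify_reflection(flows, min_gbps=1.0, min_reflectors=3):
    """Group UDP flows whose *source* port is a reflection service by (victim, vector) and
    report those above a volume threshold that arrive from several distinct reflectors.
    Each flow is a dict: src_ip, dst_ip, proto, src_port, bytes, packets, start, end (epoch secs)."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set(), "t": []})
    for f in flows:
        if f["proto"] != 17 or f["src_port"] not in REFLECTION_PORTS:
            continue                                   # only UDP from a reflector port qualifies
        a = agg[(f["dst_ip"], REFLECTION_PORTS[f["src_port"]])]
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        a["reflectors"].add(f["src_ip"])               # distinct reflector IPs: the traceback key
        a["t"] += [f["start"], f["end"]]
    alerts = []
    for (victim, vector), a in agg.items():
        secs = max(max(a["t"]) - min(a["t"]), 1)       # event duration across all reflectors
        gbps, mpps = a["bytes"] * 8 / secs / 1e9, a["packets"] / secs / 1e6
        if gbps >= min_gbps and len(a["reflectors"]) >= min_reflectors:
            alerts.append({"victim": victim, "vector": vector, "gbps": round(gbps, 2),
                           "mpps": round(mpps, 3), "reflectors": len(a["reflectors"]),
                           "minutes": round(secs / 60, 1)})
    return sorted(alerts, key=lambda x: x["gbps"], reverse=True)

# Constructed flow records (not real telemetry): five NTP reflectors hitting one host for
# 20 minutes, one ordinary DNS answer to the same host, and a TCP flow that merely uses port 123.
SAMPLE_FLOWS = [
    {"src_ip": f"192.0.2.{i}", "dst_ip": "203.0.113.10", "proto": 17, "src_port": 123,
     "bytes": 75_000_000_000, "packets": 150_000_000, "start": 1000, "end": 2200}
    for i in range(1, 6)
] + [
    {"src_ip": "198.51.100.53", "dst_ip": "203.0.113.10", "proto": 17, "src_port": 53,
     "bytes": 512, "packets": 1, "start": 1500, "end": 1500},
    {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "proto": 6, "src_port": 123,
     "bytes": 10_000_000_000, "packets": 1_000_000, "start": 1000, "end": 1100},
]

if __name__ == "__main__":
    for alert in classify_reflection(SAMPLE_FLOWS):
        print(alert)
```

With sampled NetFlow the byte and packet counts must be multiplied by the sampling ratio before the Gbps/Mpps figures are meaningful.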
25. Mitigation High Availability
• Network-Based Redundancy
– Regional redundancy using BGP anycast to mitigate traffic at the nearest location
– Appliances or blades in a router
• Scrubbing Center Redundancy
– Multiple TMS appliances in a single scrubbing center
– Use of Equal Cost Multipath (ECMP) between appliances
• Link Redundancy in Datacenter
– Deploy APS appliances in redundant datacenter paths
– Manually fail over to backup path if system fails into bypass
26. BGP Anycast Mitigation Redundancy
[Diagram: Peakflow SP TMS in Scrubbing Center 1 and Scrubbing Center 2, reached via the IP Core from Customer Aggregation, POP, Peers and Transit routers, with Customer CPE behind the aggregation edge]
27. Mitigation Center Redundancy - CEF/ECMP
[Diagram: Regional Mitigation Center with a TMS Mitigation Cluster of Arbor TMS IDMSes; attack traffic is CEF/ECMP load balanced between TMS appliances in a mitigation center]
28. On-Premise APS Link Redundancy
[Diagram: IDC connected to the Internet over two paths, Pravail 1 on one and Pravail 2 on the other]
Since each APS port-pair can also offer hardware bypass, single box failures do not require re-convergence.
29. Scaling Mitigation Capacity
• Currently-shipping largest-capacity Intelligent DDoS Mitigation System (IDMS) – 40gb/sec
• 16-IDMS (CEF/ECMP limit) = 640gb/sec per cluster
• Multiple clusters can be anycasted
• Largest number of IDMSes per deployment currently 100 = 4tb/sec of mitigation capacity per deployment, 10x more than largest DDoS to date.
• Deploy IDMSes in mitigation centers at edges - in/out of edge devices.
• Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!
• S/RTBH & flowspec leverage router/switch hardware, hundreds of mpps, gb/sec. Leveraging network infrastructure is required due to ratio of attack volumes to peering and core link capacities!
30. DDoS Mitigation – BGP Flowspec
• The Flow specification can match on the following criteria:
  – Source / Destination Prefix
  – IP Protocol (UDP, TCP, ICMP, etc.)
  – Source and/or Destination Port
  – ICMP Type and Code
  – TCP Flags
  – Packet Length
  – DSCP (Diffserv Code Point)
  – Fragment (DF, IsF, FF, LF)
• Actions are defined using Extended Communities:
  – 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
  – 0x8007: traffic-action (sample)
  – 0x8008: redirect to VRF
  – 0x8009: traffic-marking (DSCP value)
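An added example, not Arbor's code nor any router's implementation, that encodes one such rule on the wire as RFC 5575 lays it out: the match criteria above become NLRI components in ascending type order, and the action becomes a traffic-rate (0x8006) or redirect (0x8008) extended community. It assumes IPv4 flowspec, the 2-octet-AS route-target form for the redirect community, and a constructed ASN 64496 and victim prefix.

```python
import struct
import ipaddress

# RFC 5575 component type codes used here (IPv4 flowspec, matching the slide's criteria list).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6

def numeric_eq(value, end=True):
    """One numeric operator byte plus value: eq bit set, 1- or 2-byte length field,
    end-of-list flag on the last <operator, value> pair of a component."""
    e = 0x80 if end else 0x00
    if value < 256:
        return bytes([e | 0x01]) + struct.pack("!B", value)        # len bits 00 -> 1-byte value
    return bytes([e | 0x10 | 0x01]) + struct.pack("!H", value)     # len bits 01 -> 2-byte value

def prefix_component(ctype, cidr):
    """<type, prefix length in bits, minimal prefix bytes>, e.g. a /24 carries 3 bytes."""
    net = ipaddress.ip_network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def flowspec_nlri(dst=None, src=None, proto=None, dst_port=None, src_port=None):
    """Flowspec NLRI: components in ascending type order, preceded by a 1-byte length
    (2 bytes with the high nibble set to 0xF once the body reaches 240 bytes)."""
    body = b""
    if dst:
        body += prefix_component(DEST_PREFIX, dst)
    if src:
        body += prefix_component(SRC_PREFIX, src)
    for ctype, value in ((IP_PROTO, proto), (DEST_PORT, dst_port), (SRC_PORT, src_port)):
        if value is not None:
            body += bytes([ctype]) + numeric_eq(value)
    if len(body) >= 240:
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body

def traffic_rate(asn, bytes_per_sec):
    """Extended community 0x8006 traffic-rate: 2-byte AS, then an IEEE-754 float rate in
    bytes/sec. A rate of 0 discards every packet matching the NLRI."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_sec))

def redirect_vrf(asn, value):
    """Extended community 0x8008 redirect: a route-target naming the VRF into which matching
    traffic is diverted (assumption: 2-octet-AS route-target form)."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, value)

# Worked rule for the slide's scenario: discard UDP traffic from source port 123 (NTP)
# toward a victim prefix. ASN 64496 is from the documentation range; prefix is constructed.
DISCARD_NTP_REFLECTION = (flowspec_nlri(dst="203.0.113.0/24", proto=17, src_port=123),
                          traffic_rate(64496, 0))
```

The same NLRI paired with redirect_vrf() instead of traffic_rate() is the diversion rule of a later slide, where only the matching subset of the victim's traffic is steered into the scrubbing VRF.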
31. Why Use BGP For ACLs?
• ACLs are still the most widely used tool to mitigate DDoS attacks
  – But… ACLs are demanding in configuration & maintenance.
• BGP Flowspec leverages the BGP Control Plane to simplify the distribution of ACLs, greatly improving operations:
  – Inject new filter rules to all routers simultaneously without changing configuration.
  – Reuse existing BGP operational knowledge and best practices.
• Improve response time to mitigate DDoS attacks!
32. BGP Flowspec Mitigation
[Diagram: Botnet and Legitimate Users send traffic through the Service Provider Network edge Router toward the Enterprise or IDC (Router, Firewall, IPS/IDS, Victim); good traffic and attack traffic shown separately; SP Portal sends a BGP Announcement (FLOW) to the edge routers]
• SP Portal initiates BGP update with ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it).
• Edge routers configured with BGP flowspec sessions, and flowspec filtering enabled on external peering interfaces.
• Flowspec filter applied on the external interfaces; only traffic matching that flow is discarded.
• BGP Flowspec route validation performed for eBGP sessions only.
33. BGP Flowspec Traffic Redirection
[Diagram: Internet traffic enters the Service Provider Router toward the Enterprise or IDC (Router, Firewall, IPS/IDS, Victim); Detection & Control issues a BGP Flowspec Diversion (FLOW) into a "Dirty" VRF toward the Scrubbing Center (DDoS Scrubber), with Traffic Reinjection of good traffic; attack traffic and good traffic shown separately]
• BGP Flowspec filter to redirect only specified traffic that matches rule
• Diverted traffic is a subset of all traffic destined to victim
35. Mitigation – S/RTBH or Flowspec
[Diagram: Peakflow SP with edge routers facing Peer A, Peer B, IXP-W, IXP-E and Upstreams]
• Peakflow SP advertises list of blackholed prefixes based on source or destination addresses, or layer-4 flowspec classifier
• Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec)
36. SDN Illustrated
[Diagram: Logical View and Physical View of an SDN stack: Northbound API (REST), Controller with Policy, Southbound API (OpenFlow), WB API]
38. Where SDN Could be Ideal
• Meter traffic conditions, application and user behavior
• Match those conditions against a set of pre-defined criteria (policy)
• Act on the match according to a policy (control behavior)
[Diagram: Northbound API (REST), Controller, Southbound API (OpenFlow), WB API]
40. TMS Blacklist Offload via OpenFlow
[Diagram: Provider A and Provider B feed a Data Center with a TMS; GOOD TRAFFIC passes while BAD TRAFFIC is dropped (X) by OPENFLOW rules in the fabric]
• Offloads traffic filtering from TMS to the network fabric via SDN protocol for greater scale and performance
• Integrates 3rd party SDN controller 'speaking' OpenFlow
• Similar/extensible to other policy-based protocols: BGP, FlowSpec, NETCONF, etc.
42. Summary - Detection/Classification/Traceback/Mitigation
• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
  – Many open-source tools available as well
• Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches.
• Ensure recursive DNS servers are not queryable from the public Internet – only from your customers/users.
• Ensure SNMP is disabled/blocked on public-facing infrastructure/servers.
• Disallow level-6/-7 NTP queries from the public Internet.
• Disable all unnecessary services such as chargen.
• Regularly audit network infrastructure and servers/services.