Cisco ASR 9000 vDDoS Solution Protection

Vikash Sharma, PM, Cisco Systems; Jorge Escobar, Technical Architect, Arbor Networks

Cisco Confidential © 2012 Cisco and/or its affiliates. All rights reserved.

Post on 14-Aug-2020


Page 1

Page 2

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. "All Specifications Subject to Change without Notice"

•  Introduction to DDoS
•  DDoS Threat Landscape
•  ASR 9000 Router overview
•  vDDoS Solution Overview
•  vDDoS Solution Positioning
•  vDDoS Deployment Scenarios

Page 3

INTRODUCTION TO DDOS

Page 4

What is a Distributed Denial of Service (DDoS) attack?

•  An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity

•  Targets the availability and utility of computing and network resources

•  Attacks are almost always distributed for even more significant effect (i.e. DDoS)

•  The collateral damage caused by an attack can be as bad as, if not worse than, the attack itself

•  DDoS attacks affect availability! No availability, no applications/ services/data/Internet! No revenue!

•  DDoS attacks are attacks against capacity and/or state!

Page 5

DDoS attacks can consist of just about anything

•  Large quantities of raw traffic designed to overwhelm a resource or infrastructure

•  Application specific traffic designed to overwhelm a particular service – sometimes stealthy in nature

•  Traffic formatted in such a way to disrupt a host from normal processing

•  Traffic reflected and/or amplified through legitimate hosts

•  Traffic from compromised sources or from spoofed IP addresses

•  Pulsed attacks – start/stop attacks

DDoS attacks can be broken out by category

Page 6

Volumetric Brute Force attacks

•  Traffic Floods – Exhaust resources by creating high bps or pps volumes – Overwhelm the infrastructure – links, routers, switches, servers

Layer 4-7 Smart attacks

•  TCP resource exhaustion – Exhaust resources in servers, load balancers, firewalls or routers

•  Application Layer – Take out specific services or applications

Page 7

•  Any part of your network or services that is vulnerable to an attack: Network Interfaces, Infrastructure, Firewall/IPS, Servers, Protocols, Applications, Databases

•  Attackers will find the weakness


Page 9

Attack Frequency (attacks per month, survey respondents): 0: 6%; 1-10: 40%; 11-20: 16%; 21-50: 7%; 51-100: 9%; 101-500: 9%; >500: 13%

Multi-Vector DDoS Attacks (survey): Yes 42%; Do not know 36%; No 23%

[Chart: Survey Peak Attack Size Year Over Year, 2002 to 2014, y-axis in Gbps with 10 Gbps, 100 Gbps and 400 Gbps marks. Source: Arbor Networks, Inc.]

Page 10

[Diagram: Customer Facing Infrastructure; Business Services; 3rd Party]

Page 11

Firewalls & IPSs

17% of all DDoS attacks target stateful devices, which include stateful defenses like Firewalls, IPSs, and WAFs

35% of all DDoS attacks affect the Firewall or IPS

Page 12

Data Center DDoS Business Impact (share of survey respondents): Operational Expense 81%; Revenue Loss 44%; Customer Churn 33%; Employee Turnover 2%; Other 14%. Source: Arbor Networks, Inc.

Page 13

[Diagram: Confidentiality, Integrity, Availability]

The primary goal of DDoS defense is maintaining availability in the face of attack.

Page 14

•  Maintaining availability in the face of attack requires a combination of skills, architecture, operational agility, analytical capabilities, and mitigation capabilities which most organizations simply do not possess

•  In practice, most organizations never take availability into account when designing/specifying/building/deploying/testing online apps/services/properties

•  In practice, most organizations never make the logical connection between maintaining availability and business continuity

•  In practice, most organizations never stress-test their apps/services stacks in order to determine scalability/resiliency shortcomings and proceed to fix them

•  In practice, most organizations do not have plans for DDoS mitigation - or if they have a plan, they never rehearse it!

Page 15

ASR 9000 OVERVIEW

Page 16

•  Optimized for Aggregation of Dense 100GE

•  Next-Generation Linecards Shipping Today: 40 - 800 Gbps edge services cards; 1.2 Tbps cards available in Q4 CY ’15

•  Based on IOS-XR & Cisco PRIME for Nonstop Availability & Manageability

•  Industry Leading Operational Savings & Management with Cisco nV Technology

•  Industry Leading Infrastructure Security

Page 17

Key Edge Market Roles: Cisco ASR 9000: Service Edge Foundation

[Diagram: Business CPE; Mobile Backhaul (2G/3G, LTE); Residential Triple Play (Cable, DSL, WiFi); Access & Pre-Aggregation; Media Cloud / Hosting; Mobile Services; Massively Scalable & Virtualized Multi-Tenant Data Centers; Elastic Core]

1. High-End Aggregation & Transport
•  Mobile Backhaul
•  CMTS Aggregation
•  L2/Metro Aggregation
•  DSLAM Aggregation
•  Video Distribution & Services

2. Cloud Gateway Router
•  DC Interconnect
•  DC WAN Edge
•  WEB/OTT

3. Services Router
•  Business Services
•  Residential Broadband
•  Converged Edge/Core
•  Enterprise WAN

Page 18

ASR 9000 VSM

•  Data Center Compute: 4 x Intel 10-core x86 CPU
•  2 x Forwarding Engine for hardware network processing; 120 Gbps of raw processing throughput
•  HW Acceleration: 40 Gbps of hardware assisted crypto throughput; hardware assist for Reg-Ex matching
•  Virtualization: Hypervisor (KVM); Service VM life cycle management integrated into IOS-XR; SDN SDK for 3rd Party Apps

[Diagram: OS / Hypervisor VMM hosting VM-1 to VM-4, running Service-1 to Service-4]

Page 19

VDDOS SOLUTION OVERVIEW

Page 20

Arbor Peakflow Threat Management System (TMS)

Cisco ASR 9000 with Virtual Services Module (VSM)

#1 in DDoS Attack Protection Products

#1 in Network Infrastructure Products

Page 21

•  Cisco & Arbor have teamed to integrate the Arbor Peakflow DDoS solution into the industry-leading Cisco ASR 9000 platform

•  For customers looking for a distributed architectural solution at the edge, the core, or both, to thwart attacks at the point of entry

•  Solution ideal for Service providers and Enterprise customers

•  Higher scale (40Gbps per VSM) with tiered licensing options

•  Solution benefits are architectural superiority, simplicity, & unified management

Cisco and Arbor Networks: Best of Breed

[Diagram: Internet; Transit / Peer Edge; Mobile Subscribers & Devices; Data Center & Cloud Services; Mobile Network; Broadband Subscribers; Business Customers; Customer Edge]

Customer Edge: 64% experienced attacks towards their customers

Data Center: 94% of data center operators experienced attacks

Mobile Edge: 60% of providers experienced outages from a DDoS attack

Page 22

[Diagram: Virtualized Arbor Peakflow SP receiving Netflow stats from several ASR 9000 routers; one ASR 9000 carries a VSM running Arbor Peakflow TMS]

•  Arbor Peakflow SP (formerly known as Collector Platform CP)
✓  Collects Flow records
✓  Detects abnormal network behavior and triggers alerts
✓  Can influence the routing, injecting BGP routes in the network
✓  Supports BGP FlowSpec as a Controller
✓  Sets up and monitors the TMS remotely

•  Arbor Peakflow SP Threat Management System (TMS)
✓  Configured by SP, receives diverted traffic and proceeds to in-depth packet analysis
✓  Discards the attack packets and transmits the legit ones
✓  Provides real-time monitoring info to operators

Available July 2015

Available now

Page 23

•  Protect service and network infrastructure from attack
   • Mitigate where ASR9000 is already deployed (peering edge or core)
   • Reduce back-haul costs and risk of network congestion during attack
   • Service Provider or Enterprise

•  Launch MSSP DDoS Protection Services
   • Leverage investment in infrastructure protection

•  Protect Datacenter
   • Deployment directly in edge router
   • Used in conjunction with Arbor Cloud Service for large attacks

•  Augment existing scrubbing capacity
   • Deploy additional mitigation capacity at key locations where ASR 9000 is located

Page 24

VDDOS SOLUTION DEPLOYMENT SCENARIOS

Page 25

•  SP detects DDoS attack based on Netflow
   •  Configures VSM/TMS as needed via ASR

•  Redirection of traffic to TMS
   •  TMS uses BGP via backplane to get traffic
   •  MPLS configured via ISP

•  Good traffic re-injection
   •  Send back out via ASR

•  Challenge traffic
   •  TMS is normal source IP sending traffic via the backplane

•  Blacklisting in ASR (HW)*

•  VSM/TMS can handle one/more customers

* Not in first release

[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]

Page 26

•  SP detects DDoS attack based on Netflow
   •  Configures VSM/TMS as needed via ASR

•  Redirection of traffic to TMS
   •  TMS uses BGP via backplane to get traffic
   •  MPLS configured via ISP

•  Good traffic re-injection
   •  GRE tunnel over backplane
   •  MPLS

•  Challenge traffic
   •  TMS is normal source IP sending traffic via the backplane

•  Blacklisting in ASR (HW)*

•  VSM/TMS can handle one/more customers

* Not in first release
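The detect-then-divert loop that pages 22, 25 and 26 describe (Peakflow SP collects flow records, flags abnormal traffic toward a destination, and diverts that destination's traffic to the TMS over BGP), as an added Python sketch that is not Cisco or Arbor code. It generalizes the slides' BGP diversion to a FlowSpec-style redirect rule; the flow records, prefixes, baselines and route-target 65000:100 are constructed values.

```python
"""Flow-based DDoS detection feeding a BGP FlowSpec-style diversion rule.
Added illustration of the Peakflow SP / TMS workflow on the slides; not Cisco
or Arbor code. Flow records, prefixes and the route-target are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int

WINDOW_S = 60                                # flow export window in seconds
PROTECTED = [ip_network("203.0.113.0/24")]   # constructed customer prefix
# Constructed NetFlow-like records: normal HTTPS toward .20, plus a UDP/53
# flood toward .10 from 200 spoofed sources sending many small packets.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", "203.0.113.20", 6, 443, 400, 300_000)
     for i in range(1, 21)]
    + [Flow(f"192.0.2.{i % 254 + 1}", "203.0.113.10", 17, 53, 60_000, 4_800_000)
       for i in range(200)]
)

def aggregate(flows, window_s=WINDOW_S):
    """Per-destination (bps, pps) for destinations inside PROTECTED."""
    acc = defaultdict(lambda: [0, 0])
    for f in flows:
        if any(ip_address(f.dst) in net for net in PROTECTED):
            acc[f.dst][0] += f.octets
            acc[f.dst][1] += f.packets
    return {d: (o * 8 / window_s, p / window_s) for d, (o, p) in acc.items()}

def detect(rates, baseline_bps, baseline_pps, factor=5.0):
    """Destinations over factor x baseline in bps OR pps (pps catches small-packet floods)."""
    return sorted(d for d, (bps, pps) in rates.items()
                  if bps > factor * baseline_bps or pps > factor * baseline_pps)

def top_vector(flows, dst):
    """Dominant (proto, dport) toward dst, reported to operators with the alert."""
    counts = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            counts[(f.proto, f.dport)] += f.packets
    return max(counts, key=counts.get)

def flowspec_redirect(dst, tms_rt="65000:100"):
    """FlowSpec-style rule diverting the victim /32 to the TMS via a redirect
    extended community; the scrubber returns clean traffic over GRE or MPLS."""
    return {"match": {"destination": f"{dst}/32"}, "action": {"redirect": tms_rt}}

def respond(flows, baseline_bps, baseline_pps):
    """Peakflow SP role end to end: detect, then emit one diversion per victim."""
    rates = aggregate(flows)
    return [(d, top_vector(flows, d), flowspec_redirect(d))
            for d in detect(rates, baseline_bps, baseline_pps)]
```

Against the sample window the normal HTTPS destination stays under the threshold, while the UDP/53 flood target is flagged and gets a redirect toward the TMS.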

[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]

Page 27

[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]

Traffic always inspected
• Done via permanent redirections
• Works like local and long diversion redirections
• Can be combined with normal (temporary) redirection for the same and/or multiple customers

Page 28

Arbor Peakflow ASR 9000 with Virtual Services Module (VSM)

Cisco ASR 9000 vDDoS Protection

“Powered By Arbor Networks”

Architectural Superiority

Unified Management

Scalable Performance

Reduced OPEX

Flexible Deployment

Page 29

• Schedule a session with your Cisco representative to
  1. Review your DDoS Mitigation Strategy
  2. Show how you can offer DDoS mitigation as a service
  3. Schedule a Network Assessment for DDoS

Page 30

Thank you.