
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1

Agenda

• Advanced DDoS Trends

• Next Generation DDoS Protection


Security Portfolio (Enterprise / Service Provider)

• Traffic Visibility: Arbor SP

• DDoS Mitigation: Arbor TMS

• Cloud Services: Arbor CLOUD

• DDoS Protection: Arbor APS

Network Visibility underpins everything we do at Arbor

The value of network visibility: ATLAS monitors roughly 1/3 of Internet traffic

Global Network Analysis: 140 Tbps / 300+ ISPs, plus honey pots

Internet Visibility

• Internet Health

• DDoS Attacks

• Threat Tracking

Malware Detection

• Real-time Behavior

• Family Focus

Botnet Monitoring

• Sinkhole

• Infiltration/Activity Monitoring

Advanced DDoS Attacks

§ Growing frequency and complexity of DDoS attacks:

• Multi-vector

• Micro Burst

• IoT (inside and out)

§ Growing frequency and complexity of Advanced Persistent Threats (APT campaigns):

• Phishing

• Ransomware

IoT Timeline (2016–2018): DDoS Meets Ransomware

• DDoS discovered in Cerber ransomware

• Atypical, because DDoS hackers don't focus on other malware forms and vice versa

• Could only DoS the local network

• Indicates interest in launching DDoS within the enterprise

IoT Timeline (2016–2018): DDoS + IoT = Massive Attacks

• Aug.: 540 Gbps sustained attack on the Rio Olympics from opening to closing ceremony (LizardStresser)

• Sep. 20: 620 Gbps attack on KrebsOnSecurity (Mirai)

• Sep. 21: 990 Gbps attack on OVH (Mirai)

• Oct. 21: Three attacks on Dyn's Managed DNS (Mirai)

IoT Timeline (2016–2018): First Multi-Platform IoT Seeder

• New Mirai Windows seeder targets IoT

• Mirai continues to evolve

IoT Timeline (2016–2018): Reaper: Default Passwords No More

• Based on Mirai

• 10-20K IoT bots

• Additional 2M IoT devices scanned but not subsumed

• Believed to be a Chinese criminal underground DDoS-for-hire tool

• Exploited OS security flaws, not default usernames & passwords

IoT Timeline (2016–2018): Memcached DDoS

• Record breaking

• Combined with IP spoofing, the result is a 1.7 Tbps attack

IoT Timeline (2016–2018): What's Next?

• Larger, more complex, more frequent attacks for sure

• DDoS + Ransomware + IoT + Multi-Platform = Internally Launched Attacks

7.7 Million

During this presentation, approx. 160,000 new IoT devices will go online. An estimated 7.7 million (mostly vulnerable) IoT devices are connected to the Internet EVERY day. (Gartner report, Feb. 2017)

1:500,000

1:500,000 is the theoretical DDoS amplification factor for the Memcached service.

Lab test: 1:516,436

The Memcached DDoS Reflection Attack

```python
from scapy.all import *
import binascii

# cmd = "get a a a a a a a a a a a a a a a a a a a a a a a … <729 times>"
# (the hex string is truncated on the original slide)
payload=binascii.unhexlify('0001000000010000676574206120612061206120612061206120612061206120…
pkt=Ether()/IP(src="10.1.138.170",dst="172.17.10.103")/UDP(sport=80,dport=11211)/payload
sendp(pkt, iface="eth1", loop=0,verbose=False)
```

Attacker sends 1 packet; the reflector sends 536,302 packets = 6.2 Gb.

31.4%

31.4% of Internet ASNs allow spoofed traffic to originate from their networks. (CAIDA Spoofer project)

1.7 Tbps

1.7 Tbps is the size of the largest DDoS attack in history (Memcached DDoS reflection attack, February 25th 2018).

Not Just Amplification/Reflection Attacks

Attack vectors:

◦ SYN-flooding

◦ ACK-flooding

◦ UDP flooding

◦ Valve Source Engine (VSE) query-flooding

◦ GRE-flooding

◦ Pseudo-random DNS label-prepending attacks (also known as DNS 'Water Torture' attacks)

◦ HTTP GET, POST and HEAD attacks

The Mirai Botnet is capable of launching complex multi-vector attacks.

Application-Layer Attacks

• New Tail Attacks delay applications rather than shut them down (LSU & Ga Tech)

• Every 100 ms of delay equates to a 1% loss in sales (Amazon)

• 1 s delay (Aberdeen Group): 11% ↓ in page views, 7% ↓ in e-commerce sales conversions, 16% ↓ in customer satisfaction

DDoS Attack Trends - Frequency

Fact: DDoS attacks are increasing in frequency.

DDoS Attack Trends - Duration

Fact: Most DDoS attacks are short in duration.

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends - Size

Fact: Most DDoS attacks are small (88% less than 2 Gbps).

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report, ATLAS data

DDoS Attack Trends - Complexity

Fact: The modern-day DDoS attack is complex: dynamic and multi-vector. The Mirai Botnet is a modern-day multi-vector attack.

[Diagram: attack traffic from a botnet on the Internet crosses your ISP and your firewall into your data center alongside legitimate traffic]

Volumetric Attacks

◦ Large (up to 800 Gbps)

◦ Saturates links

TCP State-Exhaustion Attacks

◦ Crashes stateful devices (load balancers, firewalls, IPSs)

Application Layer Attacks

◦ Low and slow, stealth attacks

◦ Crashes application servers

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends

Fact: The impact of a DDoS attack can be immediate and severe.

Penalties:

§ Organizations in breach of GDPR can be fined up to (max) 4% of annual global turnover or €20 million (whichever is greater).

§ It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

To Stop Large Attacks….

Recall: DDoS attacks exceeding Internet bandwidth:

§ 41% of Enterprises

§ 61% of Data-center Operators

[Diagram: attack traffic from a botnet on the Internet passes through your ISP, your firewall and on-premises DDoS protection toward the application servers in your data center]

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

Your only option is the Cloud

[Diagram: attack traffic from a botnet is diverted to cloud-based mitigation at your ISP; clean traffic continues through the firewall and on-premises DDoS protection into your data center]

Increase in demand for managed DDoS protection services

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

To Stop the Smaller, Majority of Attacks….

[Diagram: attack traffic from a botnet on the Internet passes through your ISP and firewall into your data center]

§ Recall:

§ The vast majority of DDoS attacks are small (e.g. less than 2 GB)

§ And last for a short duration (e.g. less than 1 hr)

§ Yet they can still be multi-vector (e.g. 67%)

§ These attacks are difficult for an ISP/MSSP to detect.

You Should Deploy On-Premises Protection

[Diagram: attack traffic from a botnet on the Internet passes through your ISP to on-premises DDoS protection placed in front of the firewall and your data center]

§ Put DDoS protection on-premises.

§ In front of the most critical data centers/applications.

§ Customize policies for the applications running in those data centers.

§ Install in front of firewalls to protect them from TCP-state exhaustion attacks.

Stopping the Modern-Day DDoS Attack Requires Layered, Automated Protection

A Recommended Industry Best Practice:

1. Automatically stop application-layer DDoS attacks on premises.

2. Automatic, intelligent communication between on-prem and in-cloud protection to address dynamic attack vectors.

3. Stop large attacks in-cloud.

4. Backed by continuous threat intelligence.

[Diagram: application attacks are handled by DDoS protection at your data centers/internal networks; volumetric attacks are handled at a scrubbing center in your (ISP's) network before they reach you from the Internet]

Defending Against Insider Threats

• These security best practices include:

– Updating the software on all devices on a regular basis.

– Implementing full network segmentation and hardening (or isolating) vulnerable network devices and services.

– Developing a DDoS attack mitigation process.

– Utilizing flow telemetry to analyze external and internal traffic. This is necessary for attack detection, classification and traceback.

– Deploying multi-layered DDoS protection.

– Scanning for misconfigured and abusable services; this includes NTP, DNS and SSDP services, which can be used for amplification attacks.

– Implementing anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding, ACLs, DHCP Snooping & IP Source Guard on all edge devices.
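The last item above names unicast Reverse-Path Forwarding among the anti-spoofing mechanisms that keep a network out of the 31.4% of ASNs from which spoofed packets can originate. The following Python is an added example, not NETSCOUT/Arbor code and not part of the slide: it models the strict and loose uRPF decision against a constructed forwarding table and shows which constructed packets each mode drops.

```python
"""Anti-spoofing check in the style of unicast Reverse-Path Forwarding (uRPF).

Added illustration, not NETSCOUT/Arbor code. The forwarding table (FIB) and the
sample packets are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed FIB of an edge router: prefix -> interface the best route leaves by.
# No default route on purpose, so unrouted (bogon) sources fail even loose mode.
FIB: Dict[IPv4Net, str] = {
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/1",  # customer A
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/2",   # customer B
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/0",     # upstream transit
}


def lookup(src: str) -> Optional[Tuple[IPv4Net, str]]:
    """Longest-prefix match of the packet's source address against the FIB."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[IPv4Net, str]] = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_permit(src: str, ingress: str, mode: str = "strict") -> bool:
    """True if a packet from `src` arriving on `ingress` passes the uRPF check.

    strict: the best route back to the source must point out the ingress interface
            (the right mode for customer-facing edge ports, where the deck says to apply it).
    loose:  a route back to the source only has to exist; unrouted sources are dropped.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = lookup(src)
    if match is None:
        return False  # no route back to the source: fails both modes
    if mode == "loose":
        return True
    return match[1] == ingress


# Constructed sample packets: (source address, ingress interface, description)
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("198.51.100.7", "ge-0/0/1", "customer A sending from its own address"),
    ("203.0.113.9", "ge-0/0/1", "customer A spoofing customer B's address"),
    ("192.0.2.50", "ge-0/0/1", "customer A spoofing an upstream address"),
    ("10.0.0.1", "ge-0/0/1", "customer A spoofing an unrouted RFC 1918 address"),
    ("203.0.113.9", "ge-0/0/0", "customer B's address arriving from transit (asymmetric path)"),
]


def audit(packets: List[Tuple[str, str, str]] = SAMPLE_PACKETS,
          mode: str = "strict") -> Dict[str, bool]:
    """Verdict per packet, keyed 'source@ingress'."""
    return {f"{src}@{ingress}": urpf_permit(src, ingress, mode) for src, ingress, _ in packets}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"uRPF {mode} mode:")
        for src, ingress, why in SAMPLE_PACKETS:
            verdict = "permit" if urpf_permit(src, ingress, mode) else "drop"
            print(f"  {verdict:6} {src:15} on {ingress}  ({why})")
```

The last sample packet is the reason strict mode belongs on edge ports and not on transit links: a legitimate source reached over an asymmetric path fails the strict check but passes loose mode, which still rejects sources the router has no route to at all.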

Agenda

• Advanced DDoS Trends

• Next Generation DDoS Protection

Hybrid DDoS mitigation

A Recommended Industry Best Practice:

1. Stop session exhaustion and application-layer DDoS attacks at the customer edge (state & application).

2. Intelligent communication between both environments.

3. Stop volumetric attacks in-cloud, at the service provider's scrubbing center (volume).

[Diagram: Customer / Internet / Service Provider, with the scrubbing center on the service-provider side]

Improving Hybrid DDoS mitigation

1. How to deploy CPE-based protection for the masses? (customer edge: state & application)

2. How to make this communication open and widely supported?

3. How to scale to Terabit attacks? (service provider scrubbing center: volume)

MSSP view on CPE-based DDoS protection

A growing business, but…

• Shipment of the appliance or installation of the VM

• Rack & stack, configuration and provisioning

• Maintenance

It does not look like those problems are specific to DDoS mitigation appliances.

Cloud CPE or Telco Cloud Universal CPE

DDoS function as a VNF:

• DDoS VNF is deployed in the Telco Cloud along with other VNFs

• DDoS VNF runs at the edge of the enterprise network on the CPE

[Diagram: Customer / Internet / Service Provider, with the Telco Cloud on the service-provider side]

Demonstrates Arbor's market and thought leadership

DDoS VNF onboarding experiences

• Onboarding of the DDoS VNF into MANO is easy

– If you don't have a HW dependency (offload of forwarding or filtering to ASIC/NPU/FPGA)

– If you support cloud-init and a REST API

• Performance is predictable

• Scaling in Cloud CPE mode is easy

– You control the compute resource

• Healing is also easy

– … because it is "merciful killing"

• Enabling operators to integrate Arbor's solutions into orchestrated service delivery platforms


DDoS Open Threat Signaling (DOTS)

The documents are in the final stage:

• The informational documents are mature and will be RFCs soon.

• The protocol documents are stabilizing, and have been used as references for working implementations:

– 4 implementations exist, one of them is open source

• DOTS protocols may reach RFC status in the calendar year.

From https://datatracker.ietf.org/meeting/93/materials/slides-93-dots-3/

DOTS: how does it work?

DOTS client (at the attack victim) ↔ DOTS server (at the mitigator)

• Signal channel: Mitigation Request, Mitigation Update

• Data channel (optional): Aliases, B/W lists, Filters, Policies

In scope of DOTS: the DOTS client, the DOTS server and the channels between them. Out of scope of DOTS: the attack victim and the mitigator behind them.
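As an added example (not the slide's content and not one of the DOTS implementations the previous slide counts), here is a simulated signal-channel exchange in Python: the client at the attack victim sends a mitigation request for a scope, the server checks it against what that client is authorized to protect and answers, and the client later reads back the mitigation status. The message keys follow the DOTS signal channel as later published in RFC 8782, which is my assumption since the deck says the protocol documents were still stabilizing; the client id, prefixes and byte counts are constructed.

```python
"""Simulated DOTS signal-channel exchange: mitigation request, then a status read-back.

Added illustration, not NETSCOUT/Arbor code and not one of the DOTS implementations the
slides mention. Message layout follows the DOTS signal channel as later published in
RFC 8782 (my assumption; the deck predates the RFC). On the wire DOTS carries these as
CBOR over CoAP/DTLS; plain dicts and CoAP-style response codes are used here for
readability. The client id, prefixes and byte counts are constructed.
"""
import ipaddress
from typing import Any, Dict, List, Tuple

SCOPE_KEY = "ietf-dots-signal-channel:mitigation-scope"
STATUS_IN_PROGRESS = 1  # RFC 8782 'status' value: attack mitigation in progress


def build_mitigation_request(cuid: str, mid: int, prefixes: List[str], ports: List[int],
                             lifetime: int = 3600) -> Tuple[str, Dict[str, Any]]:
    """DOTS client (the attack victim): PUT of a mitigation scope; cuid/mid travel in the URI path."""
    uri_path = (f"restconf/data/ietf-dots-signal-channel:dots-signal/"
                f"mitigation-scope/cuid={cuid}/mid={mid}")
    body = {SCOPE_KEY: {"scope": [{
        "target-prefix": prefixes,
        "target-port-range": [{"lower-port": p} for p in ports],
        "target-protocol": [6],  # 6 = TCP
        "lifetime": lifetime,    # seconds; -1 means indefinite
    }]}}
    return uri_path, body


class DotsServer:
    """Minimal DOTS server in front of a mitigator: admits requests only for prefixes the
    client is authorized for, then reports mitigation status back to the client."""

    def __init__(self, authorized: Dict[str, List[str]]):
        # cuid -> prefixes that client may request mitigation for (constructed policy)
        self.authorized = {c: [ipaddress.ip_network(p) for p in ps] for c, ps in authorized.items()}
        self.active: Dict[Tuple[str, int], Dict[str, Any]] = {}

    @staticmethod
    def _parse_path(uri_path: str) -> Tuple[str, int]:
        kv = dict(seg.split("=", 1) for seg in uri_path.split("/") if "=" in seg)
        return kv["cuid"], int(kv["mid"])

    def handle_put(self, uri_path: str, body: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
        cuid, mid = self._parse_path(uri_path)
        allowed = self.authorized.get(cuid)
        if allowed is None:
            return "4.01", {"error": "unknown DOTS client"}
        scope = body[SCOPE_KEY]["scope"][0]
        for p in scope["target-prefix"]:
            if not any(ipaddress.ip_network(p).subnet_of(a) for a in allowed):
                # a client must not be able to steer mitigation at someone else's addresses
                return "4.03", {"error": f"{cuid} is not authorized for {p}"}
        lifetime = scope.get("lifetime", 3600)
        if lifetime == 0 or lifetime < -1:
            return "4.00", {"error": "invalid lifetime"}
        self.active[(cuid, mid)] = {**scope, "status": STATUS_IN_PROGRESS, "bytes-dropped": 0}
        return "2.01", {SCOPE_KEY: {"scope": [{"mid": mid, "lifetime": lifetime}]}}

    def record_dropped(self, cuid: str, mid: int, nbytes: int) -> None:
        """Mitigator feedback: bytes dropped under this mitigation (constructed counter)."""
        self.active[(cuid, mid)]["bytes-dropped"] += nbytes

    def handle_get(self, uri_path: str) -> Tuple[str, Dict[str, Any]]:
        """Mitigation update read by the client: status and drop counter for one mid."""
        cuid, mid = self._parse_path(uri_path)
        m = self.active.get((cuid, mid))
        if m is None:
            return "4.04", {"error": "no such mitigation"}
        return "2.05", {SCOPE_KEY: {"scope": [{
            "mid": mid, "lifetime": m["lifetime"],
            "status": m["status"], "bytes-dropped": m["bytes-dropped"]}]}}


def demo() -> Dict[str, Tuple[str, Dict[str, Any]]]:
    """One accepted request, one rejected request, and a status read-back."""
    server = DotsServer({"client-a": ["203.0.113.0/24"]})
    path, body = build_mitigation_request("client-a", 1, ["203.0.113.10/32"], [80, 443])
    created = server.handle_put(path, body)
    bad_path, bad_body = build_mitigation_request("client-a", 2, ["198.51.100.1/32"], [80])
    rejected = server.handle_put(bad_path, bad_body)
    server.record_dropped("client-a", 1, 6_200_000_000)
    status = server.handle_get(path)
    return {"created": created, "rejected": rejected, "status": status}


if __name__ == "__main__":
    for name, (code, msg) in demo().items():
        print(name, code, msg)
```

The authorization step is the part worth keeping from this sketch: the signal channel is the path by which a customer device asks the provider's scrubbing center to act, so the server has to bind each client identifier to the prefixes that customer actually owns before it honours a request.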


Automation of FlowSpec: Rate-limit Amplification DDoS

FlowSpec rule announced for Memcached amplification DDoS traffic toward the victim, so the router drops it before the scrubbing center has to:

Protocol: UDP; SRC port: 11211; DST IP: victim/32; Action: rate-limit to 0

Automation of FlowSpec: Offload blocking of identified bots

Rule 1 (UDP-to-random-ports attack, diverted to the scrubbing center): Protocol: UDP; DST IP: victim/32; Action: redirect to IP

Rule 2 (bots identified by the scrubbing center, blocked on the router): SRC IP: identified bot; DST IP: victim/32; Action: rate-limit to 0

Applies to non-spoofed TCP attacks and application-layer attacks.
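The two FlowSpec slides above state the rules but not how they are produced. The following Python is an added example, not NETSCOUT/Arbor code: it derives the Memcached rate-limit rule from constructed flow records (bytes from UDP source port 11211 summed per destination and compared with a threshold), builds the redirect rule, and turns an identified-bot list into per-bot drop rules. The text form of each rule is modelled on ExaBGP's flow-route syntax, which is an assumption to check against the version you run; the victim address, bot list and route target are constructed.

```python
"""From mitigation decision to BGP FlowSpec rule, for the two automation cases on the
'Automation of FlowSpec' slides. Added illustration, not NETSCOUT/Arbor code. The flow
records, victim address, bot list and route target are constructed; the text rendering
is modelled on ExaBGP's flow-route syntax (my assumption; check it against the ExaBGP
version you run). ExaBGP's rate-limit value is bytes per second, so 0 means drop.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

MEMCACHED_PORT = 11211
WINDOW_S = 10.0                        # the flow records below cover a 10 s window (constructed)
AMPLIFICATION_THRESHOLD_BPS = 1e9      # 1 Gbps from UDP/11211 to one destination (constructed)


@dataclass
class FlowRecord:
    """A NetFlow/IPFIX-style record, constructed for the example."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


@dataclass
class FlowSpecRule:
    destination: str                    # always victim/32 on the slides
    protocol: Optional[str] = "udp"
    source: Optional[str] = None
    source_port: Optional[int] = None
    action: str = "rate-limit 0"

    def render(self) -> str:
        match = [f"destination {self.destination};"]
        if self.protocol:
            match.append(f"protocol {self.protocol};")
        if self.source:
            match.append(f"source {self.source};")
        if self.source_port is not None:
            match.append(f"source-port ={self.source_port};")
        return "match { " + " ".join(match) + " } then { " + self.action + "; }"


def amplification_rules(records: List[FlowRecord], window_s: float = WINDOW_S,
                        threshold_bps: float = AMPLIFICATION_THRESHOLD_BPS) -> List[FlowSpecRule]:
    """Rate-limit slide: per destination, sum bytes arriving from UDP source port 11211;
    above the threshold, rate-limit that source-port/destination pair to 0 (drop)."""
    per_dst: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.proto == "udp" and r.sport == MEMCACHED_PORT:
            per_dst[r.dst] += r.nbytes
    return [FlowSpecRule(destination=f"{dst}/32", protocol="udp", source_port=MEMCACHED_PORT)
            for dst, nbytes in sorted(per_dst.items()) if nbytes * 8 / window_s >= threshold_bps]


def redirect_rule(victim: str, scrubbing_rt: str = "65000:100") -> FlowSpecRule:
    """Bot-offload slide, rule 1: send the victim's UDP traffic to the scrubbing center
    (ExaBGP expresses the redirect as a route target; the value is constructed)."""
    return FlowSpecRule(destination=f"{victim}/32", protocol="udp", action=f"redirect {scrubbing_rt}")


def bot_block_rules(victim: str, bots: List[str]) -> List[FlowSpecRule]:
    """Bot-offload slide, rule 2: once the scrubbing center has identified non-spoofed bot
    sources (TCP or application-layer attackers), push one drop rule per bot so the router
    blocks them and the scrubbing center is freed of that load."""
    return [FlowSpecRule(destination=f"{victim}/32", protocol=None, source=f"{bot}/32")
            for bot in sorted(bots)]


# Constructed flow records: a memcached reflection flood toward 203.0.113.10 from several
# reflectors, one small legitimate memcached flow toward 203.0.113.20, and unrelated DNS traffic.
SAMPLE_FLOWS = [
    FlowRecord("198.51.100.1", "203.0.113.10", "udp", 11211, 80, 4_000_000_000),
    FlowRecord("198.51.100.2", "203.0.113.10", "udp", 11211, 80, 4_000_000_000),
    FlowRecord("198.51.100.3", "203.0.113.10", "udp", 11211, 80, 4_000_000_000),
    FlowRecord("198.51.100.9", "203.0.113.20", "udp", 11211, 40123, 50_000),
    FlowRecord("192.0.2.53", "203.0.113.10", "udp", 53, 40124, 8_000),
]


if __name__ == "__main__":
    for rule in amplification_rules(SAMPLE_FLOWS):
        print("amplification:", rule.render())
    print("redirect:     ", redirect_rule("203.0.113.10").render())
    for rule in bot_block_rules("203.0.113.10", ["192.0.2.4", "192.0.2.3"]):
        print("bot block:    ", rule.render())
```

Every generated rule carries the victim's /32 as its destination, so a wrong threshold or a mistaken bot entry can only affect traffic to the address already under attack; the second slide's rule leaves the protocol unconstrained, and the renderer passes that through by omitting the protocol term.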

Future of network integration

• Better scalability for FlowSpec support

– More FlowSpec rules supported in the control and data plane

• More granular redirection rules and rate-limiting policies using FlowSpec interface-set

– draft-ietf-idr-flowspec-interfaceset-03

• Consistent approach to reporting on FlowSpec rules

– A lot of proprietary options available

– Is there a consensus on using NetFlow with egress_interface == 0 for dropped traffic?

– Will OpenConfig or YANG models be adopted?

• https://tools.ietf.org/html/draft-wu-idr-flowspec-yang-cfg-02

• Tighter integration with network equipment to offload additional blocking rules


Thank You.

www.netscout.com

Patrick Lin

[email protected]