fortiddos - us.partner.exclusive-networks.com · google around for stresser. columbus school...

© Copyright Fortinet Inc. All rights reserved. FortiDDoS DDoS Attack Mitigation Appliances



What is a DDoS Attack?

§  Flooding attack from compromised PCs run by a Botmaster

§  The Botmaster’s motivations may be political, financial, retaliatory

§  The goal is to disrupt networks, applications or services

§  Steal or destroy proprietary or confidential information

§  Steal or destroy personal information

§  They might try to charge a ransom to stop the attack

[Diagram: a Botmaster controlling several zombies, which flood the servers behind a switch]


DDoS Challenges

§  DDoS attacks still #1 threat to data centers

§  Size of volume-based attacks increasing

§  80% of attacks less than 50 Mbps

§  Most successful attacks under 1 Gbps

§  Attacks getting more sophisticated

§  Layer 7 attacks, DNS and SSDP reflection attacks fastest growing types

§  Hackers using DDoS to mask data breaches


Types of DDoS Attacks

Application Layer

Smaller, more sophisticated attacks that target layer 7 application services on servers like HTTP, SMTP and HTTPS.

Problems:

§  Slip past traditional defenses

§  Fastest growing attack type

§  Detection difficult

§  Easier for botmasters to implement

Bulk Volumetric

Designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods).

Problems:

§  Services unavailable to users

§  Can mask data breaches

§  Attack sizes getting larger

§  Easy to implement attack

L7 Multi-Vector

A combination of bulk volumetric and application layer attacks

Problems:

§  More difficult to defend against

§  Detection is more difficult

§  Can mask data breaches

§  Takes more resources to launch


DDoS Defense Options

Firewall/IPS

Integrated device that includes firewall, intrusion protection and DDoS prevention.

Pros:

§  Single device

§  Fewer units to manage

Cons:

§  Poor volumetric mitigation

§  May require licensing

§  Performance impacts

Dedicated Appliance

Inline data center appliance that provides layer 3, 4 and 7 DDoS detection and mitigation.

Pros:

§  Predictable costs

§  Advanced Layer 7 protection

Cons:

•  Additional device management

•  Layer 3 devices can be vulnerable to large attacks

•  May require signature updates

•  Expensive for high-performance

DDoS Service Provider

Managed service subscription model usually with separate detection and mitigation.

Pros:

§  Easy sign up

§  Easy deployment

Cons:

§  Expensive overages

§  Unpredictable costs

§  Limited to L3/4 attacks

§  Limited flexibility


Bulk Volumetric

SYN Flood: Spoofed SYN packets fill the connection table of servers, and of all other devices in your network path.

Zombie Flood: In zombie or botnet floods, non-spoofed connections overload network and application services.

ICMP Flood: In these floods, ICMP packets, such as those used for “ping”, overload servers and network connections.

TCP/UDP Port Flood: TCP/UDP packets overload the servers and network ports not being used for a service, such as TCP port 81.

Fragment Flood: Fragmented packets overload the servers.

Anomalous Packet Flood: Deliberate or accidental packet errors in scripts by hackers easily overload network equipment and servers as they attempt to deal with anomalies.

Amplification Attacks: Abuse the fact that many UDP protocols respond to requests without validating the requestor.

Reflection Attacks: First we saw DNS, Simple Service Discovery Protocol (SSDP), and NTP. The latest vector in this attack mode is Portmapper.

Bulk Volumetric: Designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods).

Problems:

§  Services unavailable to users

§  Can mask data breaches

§  Attack sizes getting larger

§  Easy to implement attack

§  Lots of unpatched hosts to use


Application Layer Attacks

These attacks exploit design flaws in the HTTP protocol regarding how and when requests are processed by the server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps resources busy waiting for the rest of the data. As with any DoS, if this goes on for too long the server can run out of resources and crash.

HTTP POST: POST body messages are sent at a very slow rate and disrupt proper connection completion. Eventually the victim server runs out of resources and crashes.

HTTP Slow Read: Attackers force servers to send a large amount of data; however, it is sent in many very small fragments and read at a very slow rate by the receiver.

Slowloris: Using HTTP GET, attackers launch multiple incomplete and time-delayed HTTP GETs to keep the connections open as long as needed to deplete resources.

HTTPS: Similar to HTTP attacks, these attack SSL services on servers.

Application Layer: Smaller, more sophisticated attacks that target layer 7 application services on servers like HTTP and HTTPS.

Problems:

•  Slip past traditional defenses

•  Fastest growing attack type

•  Detection difficult

•  Easier for small botmasters to implement
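The slow POST, slow read and Slowloris behaviours described above are invisible at the packet level because every single connection looks legitimate; what gives them away is one source holding many long-lived connections that barely move. The Python below is an added illustration of that per-source heuristic, not FortiDDoS code or code from the deck; the field names, thresholds and sample connection records are all constructed for the example.

```python
"""Heuristic detection of slow HTTP attacks (Slowloris, slow POST, slow read)
from per-connection state. Each connection looks harmless on its own; the
signal is one source holding many long-lived, barely-moving connections.
Sample records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Conn:
    src: str             # client IP
    age_s: float         # seconds the connection has been open
    headers_done: bool   # full request line + headers received?
    body_done: bool      # declared request body fully received?
    bytes_in: int        # bytes received from the client so far
    recv_window: int     # client's advertised TCP receive window (bytes)

# Tunable thresholds (assumed values for the example, not vendor defaults)
MAX_AGE_S = 30.0      # a request still incomplete after this long is "slow"
MIN_IN_RATE = 20.0    # bytes/s from the client below which a send is a crawl
SMALL_WINDOW = 256    # a window this small throttles the server's response
MIN_SLOW_CONNS = 5    # suspicious connections per source before alerting

def classify(c: Conn) -> Optional[str]:
    """Label one connection, or None if it looks normal."""
    if c.age_s <= MAX_AGE_S:
        return None                       # young connections are never slow
    if not c.headers_done:
        return "slowloris"                # headers trickling in, never finished
    if not c.body_done and c.bytes_in / c.age_s < MIN_IN_RATE:
        return "slow_post"                # body declared but sent at a crawl
    if c.body_done and c.recv_window <= SMALL_WINDOW:
        return "slow_read"                # response stuck behind a tiny window
    return None

def detect_slow_http(conns: List[Conn]) -> Dict[str, Dict[str, int]]:
    """Count suspicious connections per source IP and report the sources
    holding at least MIN_SLOW_CONNS of them, broken down by attack type."""
    per_src: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for c in conns:
        label = classify(c)
        if label:
            per_src[c.src][label] += 1
    return {src: dict(kinds) for src, kinds in per_src.items()
            if sum(kinds.values()) >= MIN_SLOW_CONNS}

# Constructed sample: a Slowloris source, a slow reader, many normal clients,
# and one genuinely slow client that stays below the alert count.
SAMPLE = (
    [Conn("203.0.113.7", 90, False, False, 40, 65535) for _ in range(8)]
    + [Conn("198.51.100.9", 120, True, True, 300, 128) for _ in range(6)]
    + [Conn("192.0.2.10", 2, True, True, 500, 65535) for _ in range(20)]
    + [Conn("192.0.2.11", 45, True, False, 300, 65535)]
)
```

The single slow connection from 192.0.2.11 is classified but never reported, which is the point of the per-source count: one slow client is a user on a bad link, dozens from one address are an attack.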


Why the increase?

It’s easy. All you have to do is Google around for “stresser”. Columbus School District in WI had an incident two weeks ago, which has since been repeated at other districts. A group of students went to www.ipstresser.com and purchased a DoS attack that shut down the district, and after it was over it caused them blacklist and DNS issues.


Why the increase?

And if you like the product you can sign up


FortiDDoS – DDoS Attack Mitigation Appliances

§  7 models with 3 to 36 Gbps throughput

§  Up to 16x GE/10GE SFP+ ports + 4x 10GE LC bypass ports

§  100% Behavior-based detection

§  100% ASIC-based single-pass processing

Full standalone DDoS solution or can be combined with ISP basic protections

§  Up to 6x FortiASIC TP2 processors

§  <50µs latency (typically <10µs)

§  <2 second DDoS mitigation response time

§  Automatic learning process

§  Adaptive rate thresholds

§  IP Reputation by FortiGuard

§  Advanced DNS Mitigation

§  Hybrid On-premise/Cloud Support

§  ACLs for Geo-location, IP Reputation, Source Address Validation and L4, L7 services

§  Continuous threat evaluation

§  Full CLI and easy-to-use GUI

§  RESTful API

§  Advanced analysis and reporting


Performance & Scalability

FortiDDoS Product Lineup

Speed   < 10 Gbps          10 to 20 Gbps       20+ Gbps
ASIC    1x FortiASIC TP2   2x FortiASIC TP2    3x FortiASIC TP2
Ports   GE                 GE/10GE             GE/10GE

Models: FDD-200B, FDD-400B, FDD-600B, FDD-800B, FDD-900B, FDD-1000B, FDD-1200B


FortiDDoS Product Matrix

                           200B      400B      600B      800B      900B      1000B/DC  1200B
Total Throughput (Gbps)    3         6         12        12        18        18        36
Latency                    < 50 µs   < 50 µs   < 50 µs   < 50 µs   < 50 µs   < 50 µs   < 50 µs
Packet Throughput (Mpps)   3.5       7         14        14        21        21        42
TCP Sessions (millions)    1         1         2         2         3         3         6
IP Reputation              ✓         ✓         ✓         ✓         ✓         ✓         ✓
DNS Mitigation             ✓ on 5 of the 7 models
Form Factor                1U        1U        1U        1U        2U        2U        2U
Storage                    480 GB SSD on every model
GE LAN Ports (w/bypass)    4         8         8         8         –         –         –
GE WAN Ports (w/bypass)    4         8         8         8         –         –         –
GE SFP LAN                 4         8         8         8         –         –         –
GE SFP WAN                 4         8         8         8         –         –         –
10GE SFP+ LAN              –         –         –         –         8         8         7
10GE SFP+ WAN              –         –         –         –         8         8         7
10GE SFP+ LAN (bypass)     –         –         –         –         –         –         2
10GE SFP+ WAN (bypass)     –         –         –         –         –         –         2
Power Supply               Single    Single    Single    Single    Dual      Dual      Dual
Optional Dual Power        ✓         ✓         ✓         ✓         –         –         –


Key Features and Benefits

100% Behavioral: FortiDDoS doesn’t rely on signature files that need to be updated with the latest threats, so you’re protected from both known and unknown “zero-day” attacks and your life-cycle cost is significantly reduced.

100% Hardware: The FortiASIC TP2 transaction processor provides full bi-directional detection and mitigation of Layer 3, 4 and 7 DDoS attacks for industry-leading performance.

100% Inspection: Unlike competitors, every packet of every connection is inspected in both directions. Millions of connections with hundreds of monitored parameters per connection.

Continuous Attack Evaluation: Minimizes the risk of “false positive” detection by reevaluating the attack to ensure that “good” traffic isn’t disrupted.

Advanced DNS Protection: FortiDDoS provides 100% inspection of all DNS traffic for protection from a broad range of DNS-based volumetric, application and anomaly attacks.

Automated Learning: With minimal configuration, FortiDDoS will automatically build normal traffic and resource behavior profiles, saving you time and IT management resources.

Hybrid On-premise/Cloud Support: Open API allows integration with third-party cloud DDoS mitigation providers for flexible deployment options and protection from large-scale DDoS attacks.


DDoS Protection: FortiGate vs. FortiDDoS

FortiASIC TP2

§  100% hardware-based DDoS detection and mitigation

§  Full layer 3, 4 and 7 detection on one chip

§  Models with up to 6x TP2 processors – 36 Gbps throughput

§  Less than 50ms latency

[Diagram: overlapping feature sets with the overlap labelled “Shared DDoS Features”. FortiDDoS (TP2): ACLs, IP Reputation, Geo-location, Source tracking, Slow attack mitigation, Address matching, 100% hardware-based, Behavior-based, Threshold granularity, Bi-directional, DNS. FortiGate: IPS, Firewall, UTM, NAT, VPN.]


Advanced DNS Mitigation

•  Protects authoritative and recursive DNS servers along with infrastructure from DDoS attacks

•  Mitigates:
   •  DNS reflection attacks
   •  DNS query floods
   •  DNS TCP anomaly floods

•  New DNS attack reporting tools

•  Query Response Matching

•  100% DNS traffic monitoring

•  Available on most models

[Diagram: FortiDDoS in front of recursive and authoritative DNS servers (carrier/ISP and data center, alongside the web server and email), absorbing a DNS attack (reflection, query flood, TCP anomaly)]
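Query Response Matching, listed above, and the reflection attacks described under Bulk Volumetric come down to one observation: a reflected DNS response arrives at the victim for a query the victim never sent. The Python below is an added example of that matching logic and is not FortiDDoS code; the packet fields, the protected prefix, the query time-to-live and the sample packets are all constructed for the example.

```python
"""DNS query/response matching as a reflection detector. A response with no
outstanding query from inside the protected network is reflected traffic;
the size ratio of matched traffic shows how much amplification a resolver
gives an attacker. Sample packets and the protected prefix are constructed
for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class DnsPkt:
    ts: float          # capture time, seconds
    src: str
    dst: str
    txid: int          # DNS transaction ID
    qname: str
    is_response: bool
    size: int          # bytes on the wire

QUERY_TTL_S = 5.0      # a query older than this no longer explains a response (assumed)

def match_responses(pkts: List[DnsPkt], protected: str = "192.0.2."
                    ) -> Tuple[Dict[str, List[int]], float]:
    """Returns ({reflector_ip: [unsolicited_count, unsolicited_bytes]},
    amplification ratio of matched response bytes to query bytes)."""
    outstanding: Dict[tuple, Tuple[float, int]] = {}   # (client, server, txid, qname)
    unsolicited: Dict[str, List[int]] = {}
    q_bytes = r_bytes = 0
    for p in sorted(pkts, key=lambda x: x.ts):
        if not p.is_response and p.src.startswith(protected):
            outstanding[(p.src, p.dst, p.txid, p.qname)] = (p.ts, p.size)
        elif p.is_response and p.dst.startswith(protected):
            q = outstanding.pop((p.dst, p.src, p.txid, p.qname), None)
            if q is not None and p.ts - q[0] <= QUERY_TTL_S:
                q_bytes += q[1]
                r_bytes += p.size
            else:                      # no matching query: reflected traffic
                entry = unsolicited.setdefault(p.src, [0, 0])
                entry[0] += 1
                entry[1] += p.size
    return unsolicited, (r_bytes / q_bytes if q_bytes else 0.0)

# Constructed sample: one legitimate lookup and three reflected large responses
SAMPLE = [
    DnsPkt(0.0, "192.0.2.10", "198.51.100.53", 0x1A2B, "example.com.", False, 60),
    DnsPkt(0.1, "198.51.100.53", "192.0.2.10", 0x1A2B, "example.com.", True, 120),
    DnsPkt(0.2, "203.0.113.50", "192.0.2.10", 0x7001, "example.net.", True, 3000),
    DnsPkt(0.3, "203.0.113.50", "192.0.2.10", 0x7002, "example.net.", True, 3000),
    DnsPkt(0.4, "203.0.113.50", "192.0.2.10", 0x7003, "example.net.", True, 3000),
]
```

Matching on the full (client, server, transaction ID, name) tuple rather than on the transaction ID alone matters: a reflector can guess IDs, but it cannot produce a response for a query that was never recorded leaving the network.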


On-Premise/Cloud Hybrid DDoS Protection

[Diagram: users reach the network services and applications through FortiDDoS; a DDoS attack (bulk volumetric and/or application layer) arrives from outside, and FortiDDoS signals Verisign OpenHybrid™]

Verisign OpenHybrid™: Alert signal sent by FortiDDoS is received by Verisign, triggering investigation for possible traffic redirection to the Verisign scrubbing centers.

Signaling

•  Uses FortiDDoS Signaling and Open API with Verisign

•  Best of breed on-premise and cloud

•  Threshold on FortiDDoS

•  FortiDDoS alerts Verisign

•  Verisign evaluates and takes action to mitigate if under attack


Competitive Comparison – Hardware-based Options

                         FortiDDoS      Arbor Pravail   Radware DefensePro   Check Point DDoS (OEM Radware)
Throughput               3 to 36 Gbps   2-10 Gbps       0.2-160 Gbps         0.5-12 Gbps
Pricing                  $40-150K       $32K-145K       $18-600K             $19-170K
Latency (microseconds)   <50            <80             <60                  <60
Detection Type           Heuristic      Signature       Signature            Signature


FortiDDoS Competitive Advantages

§  Performance
   »  Up to 10X better than Radware and Arbor in detecting and protecting against threats
   »  100% ASIC based allows max data and packets-per-second throughput unlike CPU or partial ASIC-based appliances

§  Lowest TCO for private DDoS protection
   »  Up to 50% less overall TCO compared to Radware and Arbor (hardware-based)
   »  Fixed-cost model is less expensive and more predictable compared to enterprise-grade cloud DDoS mitigation

§  Best False Positive Detection Avoidance
   »  Behavior-based model won’t mistakenly identify threats and block applications from legitimate traffic
   »  60 second reset unblocks traffic if it’s not a real threat or for application errors

§  Always up-to-date
   »  No signatures means the device doesn’t have to wait for a threat to be predefined
   »  Eliminates zero-day attacks
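The behaviour-based model, the adaptive rate thresholds learned during an automatic learning period, continuous attack evaluation and the 60 second reset named here and under Key Features all fit one small detection loop. The Python below is an added illustration of that loop and is not FortiDDoS code; the learning rule (mean plus three standard deviations, floored at the observed peak), the reset constant and the sample counters are assumptions for the example.

```python
"""Behaviour-based rate detection with a learned baseline, periodic
re-evaluation of a block and automatic release, illustrating adaptive
thresholds and a timed reset. Learning rule, multiplier and the sample
counters are assumptions for this example, not vendor behaviour."""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

RESET_S = 60   # seconds before a blocked parameter is re-evaluated (assumed)

def learn_threshold(samples: List[int], k: float = 3.0) -> int:
    """Derive a per-second rate threshold from a learning period: mean plus
    k standard deviations, and never below the peak seen while learning, so
    ordinary bursts observed during learning are not flagged afterwards."""
    mu, sigma = mean(samples), pstdev(samples)
    return int(max(max(samples), mu + k * sigma))

def run_detector(series: List[Tuple[int, int]], threshold: int) -> List[Tuple[int, str]]:
    """Walk (second, count) samples for one parameter, e.g. SYN packets/s.
    Block when the count exceeds the threshold. Once RESET_S has elapsed,
    look again: keep blocking only if the rate is still over the threshold,
    otherwise release so a short burst or an application error does not
    leave legitimate traffic blocked. Returns the decision log."""
    events: List[Tuple[int, str]] = []
    blocked_since: Optional[int] = None
    for t, count in series:
        if blocked_since is None:
            if count > threshold:
                blocked_since = t
                events.append((t, "block"))
        elif t - blocked_since >= RESET_S:
            if count > threshold:
                blocked_since = t            # still over: extend the block
                events.append((t, "continue"))
            else:
                blocked_since = None         # back to normal: release
                events.append((t, "unblock"))
    return events

# Constructed learning data: per-second SYN counts from a quiet period
LEARN = [40, 45, 38, 52, 47, 60, 41, 44, 49, 55]
# Constructed live data: normal traffic, a SYN flood, then recovery
LIVE = [(0, 42), (1, 48), (2, 900), (30, 950), (62, 880), (90, 50), (122, 47), (130, 40)]
```

Flooring the threshold at the learning-period peak is the cheap guard against the classic failure of this approach: a baseline learned while a flood was already in progress would otherwise be silently absorbed as "normal".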


Pricing Structure

Appliance                            DDoS Protection Appliance
Add on FortiGuard security service   FortiGuard IP reputation service subscription
Add on support                       8x5 or 24x7 FortiCare contract


FortiDDoS Qualifying Questions

§  Are DDoS attacks one of your top data center threats?
   »  DDoS attacks are still the number one threat to IT data centers even with ISP-based DDoS mitigation

§  Are DDoS attacks continuing to plague your data center even with other DDoS mitigation solutions?
   »  ISP-based solutions mostly focus on layer 3 and 4 attacks and let anomaly, state and smaller application-level attacks through to data centers. FortiDDoS’ behavior-based DDoS detection can identify and mitigate these attacks and can supplement ISP services for large bulk events

§  Do you find that your current service-based DDoS mitigation solution is expensive with unpredictable costs?
   »  FortiDDoS can be up to 1/3 less than service-based DDoS mitigation solutions without overages. With overages, customers can easily run up charges based on the size and volume of DDoS attacks once they exceed their caps

§  Are you worried that a dedicated hardware solution is tough to manage and can’t protect against large bulk DDoS attacks?
   »  FortiDDoS easily integrates with other data center equipment, and its automatic learning tools allow customers to set up their device in less than an hour. Line rating on FortiDDoS protects the device from being overwhelmed during a DDoS attack and still lets good traffic pass through with minimal interruptions


Additional Resources

§  FortiDDoS Sales Presentation

§  Data Center DDoS Testing White Paper: “Is Your Data Center Ready for Today’s DDoS Threats?”

§  FortiDDoS product demo on Fortinet.com

§  User guides and reference materials on docs.fortinet.com to refer customers to for detailed overviews of features and how FortiDDoS operates.