Shedding Light on Threats That Lurk in Your Network Blind Spots

Shedding Light on Threats That Lurk in Your Network Blind Spots Presented by: Tom Bienkowski, Director, Product Marketing, Arbor Networks

Upload: arbor-networks

Post on 30-Jun-2015

DESCRIPTION

Network visibility is a fundamental requirement for proper network and threat management. You can’t protect yourself (or your customers) from what you can’t see. In this presentation, you’ll learn how the Arbor products, specifically Peakflow 7.0 with Flex Licensing and Pravail, enable service providers to cost-effectively gain the proper level of visibility into their customer edges and data centers in order to detect and stop threats before they impact the availability of their services. This presentation, originally shared at our recent virtual CyberSecurity Summit, highlights real-world use cases and a recent report from the FCC’s CSRIC (Communication, Security, Reliability, Interoperability Council) Working Group 5: Remediation of Server-Based DDoS Attacks. View the webinar replay here: https://www.brighttalk.com/webcast/9051/128061

TRANSCRIPT

Page 1: Shedding Light on Threats That Lurk in Your Network Blind Spots

Presented by: Tom Bienkowski, Director, Product Marketing, Arbor Networks

Page 2: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor Networks Cyber Security Summit

Attend any of the 6 live (or archived) webinars.

Page 3: Shedding Light on Threats That Lurk in Your Network Blind Spots

Shedding Light on Threats That Lurk in Your Network Blind Spots

Page 4: Shedding Light on Threats That Lurk in Your Network Blind Spots

Today’s Service Provider Network…

A complex environment under constant threat

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with attack traffic and legit traffic marked.]

Page 5: Shedding Light on Threats That Lurk in Your Network Blind Spots

…Requires A Comprehensive Solution

An integrated solution that offers:
• Pervasive Network Visibility
• Advanced Threat Protection
• Service Enablement

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge/corporate with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with threat and legit traffic marked.]

Page 6: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Peakflow Solution for Service Providers

Pervasive Network Visibility
• Backbone
• Peering/Transit edge
• Cloud/Datacenter
• Mobile network
• Customer Edge

Advanced Threat Protection: Detect and mitigate threats (e.g. volumetric & application layer DDoS attacks, mobile signaling storms) before they impact service availability or performance.

Service Enablement: Monetize network infrastructure and Arbor technologies for revenue generating services & competitive differentiation.

Backed By the Industry Leading Global Threat Intelligence

You Can’t Protect What You Can’t See…We See Things Others Can’t.

Page 7: Shedding Light on Threats That Lurk in Your Network Blind Spots

Threats at Your Peering/Transit Edge & Backbone

Challenges:
• Understanding exactly what traffic is entering and leaving your network.
• Detecting and stopping anomalies/DDoS attacks before they impact your network/customers.

Considerations: Proper network visibility is required for threat management decisions.

Threat Trends:*
• 70% experience multiple attacks/month
• Targets = 76% customers, 62% infrastructure, 54% services (i.e. DNS)
• ATLAS saw 8x number of attacks over 20Gbs
• NTP attacks 300+Gbps
• Rise in Fast Flood Attacks

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with attack traffic and legit traffic marked.]

* Arbor WISR

Page 8: Shedding Light on Threats That Lurk in Your Network Blind Spots

Introduction to “Fast Flood” DDoS Attacks

“Fast Flood” DDoS Attacks on the Rise
• Non-sophisticated flood attacks (e.g. ICMP, UDP) that quickly ramp up in size (e.g. 0-50Gbps+ in seconds).
• Last for a short duration of time (less than 30 min).
• Readily available DDoS attack tools and services, and an increase in the number and size of botnets and bandwidth, make this type of attack a common occurrence (see ATLAS stats above).
• Need for quick detection and auto-mitigation to reduce impact.

2X increase in attacks over 20GB from 2013 to 1st Half 2014

Majority of attacks are less than 1 hour

Page 9: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Peering/Transit Edge & Backbone

Peakflow
• Visibility into traffic entering/leaving your network for more intelligent network design.
• Detection of anomalies and DDoS attacks (Peakflow 7.0 in as little as 1 sec).

Peakflow TMS
• Out-of-band, stateless mitigation stops attacks at edge of network before impacting backbone/customers.
• Advanced countermeasures can stop volumetric and application layer attacks.
• ATLAS Intelligence Feed (AIF) arms TMS with latest threat intelligence from ASERT.

[Diagram: service provider network with Peakflow Console, Collectors (Core), TMS and Scrubbing Center at the transit/peer edge and backbone; attack traffic and legit traffic marked. Callouts: Peakflow Traffic Reports, TMS Portfolio, TMS Countermeasures.]

Page 10: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Peering/Transit Edge & Backbone

Peakflow SP
• Visibility into traffic entering/leaving your network for more intelligent network design.
• Detection of anomalies and DDoS attacks.

Peakflow TMS
• Out-of-band, stateless mitigation stops attacks at edge of network before impacting backbone/customers.
• Advanced countermeasures can stop volumetric and application layer attacks.
• ATLAS Intelligence Feed (AIF) arms TMS with latest threat intelligence from ASERT.

[Diagram: service provider network with Peakflow Console, Collectors (Core), TMS and Scrubbing Center at the transit/peer edge and backbone; attack traffic and legit traffic marked. Callout: Peakflow Network Traffic Reports.]

Page 11: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Peering/Transit Edge & Backbone

Surgical Mitigation with Peakflow Threat Management System

Page 12: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Peering/Transit Edge & Backbone

Comprehensive Set of Attack Counter Measures

Page 13: Shedding Light on Threats That Lurk in Your Network Blind Spots

New Peakflow 7.0 (GA 11/10/14)

Reduction in Time to Detection and Mitigation
• Attack detection in 1 second and mitigation in less than 30 seconds

Essential Attack Details At Your Finger Tips

New / Improved DDoS Attack Countermeasures
• Continuous countermeasure improvements
• Decryption and mitigation of SSL-based attacks

The “User Dimension” in Peakflow Analysis and Reporting

Page 14: Shedding Light on Threats That Lurk in Your Network Blind Spots

Peakflow 7.0: Redesigned Alert Dashboards

Quickly view impact on different parts of network

Top 10 attack traffic patterns

Attack traffic characteristics

Top impacted router/router interfaces.

See all active Mitigations and One-click to start mitigation

Dynamic, interactive charts

Interactive legend/filter

Attack packet size distribution

Annotations

Scratch Pad

View Raw Flows shows attack forensics

Essential Attack Details At Your Finger Tips

Page 15: Shedding Light on Threats That Lurk in Your Network Blind Spots

Peakflow 7.0: Detection in 1 sec and Mitigation in less than 30 seconds
• Detection of Fast Flood Attacks in as little as 1 sec.
• Mitigation in under 30 seconds
• Designed to maximize your security teams and reduce time to mitigation.

Page 16: Shedding Light on Threats That Lurk in Your Network Blind Spots

Threats at Your Customer Edge

Challenges:
• Visibility into customer edge traffic for more intelligent network management and planning.
• Detect and stop traffic anomalies, customer-customer / customer-datacenter attacks before they impact edge infrastructure and services.

Considerations: Customer Edge Threats:*
• Customer-Customer attacks are not uncommon.
• 64% experienced DDoS attacks towards their customers.
• 34% experienced botted/compromised/C&C hosts from their customers/network

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with legit, volumetric and application traffic marked.]

* Arbor WISR

Page 17: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Customer Edge

Peakflow
• Visibility into customer-to-customer traffic and its impact on peering, backbone capacity and routing enables more intelligent network design.
• Detect anomalies or threats from compromised or customer-to-customer or customer-datacenter attacks before they impact services.

Peakflow TMS
• TMS 4000: Out of band, stateless mitigation in regional scrubbing centers to stop DDoS attacks.
• TMS 2300: In-line, dedicated for specific customers.
• ATLAS Intelligence Feed (AIF) arms TMS with latest ASERT threat intelligence.

[Diagram: service provider network with Peakflow Console, Collectors (Edge), TMS 4000 and TMS 2300 at the customer edge; legit and attack traffic marked. Callouts: Interface reports, Customer DOS Alert, Customer-to-Customer.]

Page 18: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Customer Edge

Peakflow SP
• Visibility into customer-to-customer traffic and its impact on peering, backbone capacity and routing enables more intelligent network design.
• Detect anomalies or threats from compromised or customer-to-customer or customer-datacenter attacks before they impact services.

Peakflow TMS
• TMS 4000: Out of band, stateless mitigation in regional scrubbing centers to stop DDoS attacks.
• TMS 2300: In-line, dedicated for specific customers.
• ATLAS Intelligence Feed (AIF) arms TMS with latest ASERT threat intelligence.

[Diagram: service provider network with Peakflow Console, Collectors (Edge), TMS 4000 and TMS 2300 at the customer edge; legit and attack traffic marked. Callouts: Interface reports, Customer DOS Alert, Customer-to-Customer, Robust set of Customer reports, Customer Edge Router / Router Interface Reports.]

Page 19: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Customer Edge

Detection of Customer-to-Customer Attack

Page 20: Shedding Light on Threats That Lurk in Your Network Blind Spots

Threats in Your Cloud/Data Center

Challenges: Ability to detect and stop DDoS attacks against/from your DC infrastructure or customers before they impact availability of services (reduce potential for collateral damage).

Considerations:*
• Security is #1 concern for cloud providers and their customers.
• 94% of data center operators experienced attacks (DNS & HTTP top targets).
• Attacks (e.g. Operation Ababil) also originate from and exploit protocols (e.g. SSL) commonly used in DCs.
• Rise in HTTPS attacks: 2011=24%, 2012=37%, 2013=54%

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices).]

* Arbor 9th annual

Page 21: Shedding Light on Threats That Lurk in Your Network Blind Spots

“Operation Ababil”: Case Study for Data Center & SSL Attacks

A series of DDoS attacks against US financial institutions that lasted for approximately 1 year.

A dynamic combination of volumetric and application layer attacks.

Leveraged DC technology to launch attacks:
• Compromised hosts with unpatched web server software to become part of botnet.
• Leveraged high speed internet connections to launch volumetric attacks.
• Leveraged web scripting languages to make it easier for attacker to configure and launch attacks designed to exploit SSL protocol or hidden in SSL packets.

New set of requirements for modern day DDoS protection solutions to detect and stop attacks which:
• Try to exploit SSL protocol (e.g. SSL negotiation attacks)
• Try to hide within SSL packets (in other words, decryption)

Page 22: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Cloud/Data Center

Peakflow
• Visibility, anomaly/threat detection for the data center.

Peakflow TMS
• Protect availability of services via TMS 4000 in central scrubbing centers.
• SSL decryption in TMS 2300

Other Arbor Products:
• Pravail APS: Always-on detection for application layer attacks; Cloud Signaling to TMS in scrubbing center for volumetric attacks.
• Pravail NSI: Internal DC visibility, malware detection.
• Pravail SA: Incident response and security forensics via packet capture; Looping.

[Diagram: service provider network with Collectors (Core + Edge), TMS 2300, Pravail APS and Pravail NSI/SA Console at the data center, and Cloud Signaling to TMS 4000 in the Scrubbing Center; legit, volumetric and application traffic marked.]

Page 23: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Cloud/Data Center

Peakflow SP
• Visibility, anomaly/threat detection for the data center.

Peakflow TMS
• Protect availability of services via TMS 4000 in central scrubbing centers.
• SSL decryption in TMS 2300

Other Arbor Products:
• Pravail APS: Always-on detection for application layer attacks; Cloud Signaling to TMS in scrubbing center for volumetric attacks.
• Pravail NSI: Internal DC visibility, malware detection.
• Pravail SA: Incident response and security forensics via packet capture; Looping.

[Diagram: service provider network with Collectors (Core + Edge), TMS 2300, Pravail APS and Pravail NSI/SA Console at the data center, and Cloud Signaling to TMS 4000 in the Scrubbing Center; legit, volumetric and application traffic marked.]

Page 24: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Cloud/Data Center

Page 25: Shedding Light on Threats That Lurk in Your Network Blind Spots

Your Mobile Network

Challenges:
• Having the proper level of visibility into Mobile Packet Core traffic.
• Visibility into attacks/anomalies that threaten mobile network services.
• Optimizing network performance and customer experience.

Considerations:
• Rise in malicious threats against mobile network infrastructure
• 60% experienced outages from a DDoS attack**
• Impact:** 55% DNS, 52% other services, 42% NAT/Firewalls
• 33% have seen misbehaving mobile apps impact services*
• 34% do not have visibility into their MPC*

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, mobile data center & cloud services, mobile network with mobile subscribers & devices).]

* Arbor WISR
** Heavy Reading Mobile Network Security Survey 2013

Page 26: Shedding Light on Threats That Lurk in Your Network Blind Spots

Arbor’s Solution: Mobile Network

Peakflow and Peakflow MNA
• A comprehensive solution that provides visibility and threat protection for the Gi LAN and Mobile Packet Core.
• GTP-c traffic visibility and anomaly/threat detection in Mobile Packet Core.

Peakflow TMS 4000
• Protect availability and performance of mobile network infrastructure and services (on SGi/Gi interface)

Other Arbor Products:
• Pravail APS: Detect and stop application layer attacks (i.e. DNS) in mobile data centers; Cloud Signaling

[Diagram: service provider network with TMS, Pravail APS in the mobile data center, and collection of GTP traffic (Core) and (Mobile GTP) in the mobile network; legit, volumetric and application traffic marked.]

Page 27: Shedding Light on Threats That Lurk in Your Network Blind Spots

For Your Network Which is Under Constant Threat…

[Diagram: service provider network (Internet, transit/peer edge, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with attack traffic and legit traffic marked.]

Page 28: Shedding Light on Threats That Lurk in Your Network Blind Spots

For Your Network Which is Under Constant Threat…

Trust Arbor. We See Things Others Can’t

[Diagram: service provider network (Internet, backbone, customer edge with business customers and broadband subscribers, data center & cloud services, mobile network with mobile subscribers & devices), with attack traffic and legit traffic marked.]

Page 29: Shedding Light on Threats That Lurk in Your Network Blind Spots

Questions? Thank You

Tom Bienkowski Director, Product Marketing

[email protected]