Shedding Light on Threats That Lurk in Your Network Blind Spots
DESCRIPTION
Network visibility is a fundamental requirement for proper network and threat management. You can’t protect yourself (or your customers) from what you can’t see. In this presentation, you’ll learn how the Arbor products, specifically Peakflow 7.0 with Flex Licensing and Pravail, enable service providers to cost-effectively gain the proper level of visibility into their customer edges and data centers in order to detect and stop threats before they impact the availability of their services. This presentation, originally shared at our recent virtual CyberSecurity Summit, highlights real-world use cases and a recent report from the FCC’s CSRIC (Communication, Security, Reliability, Interoperability Council) Working Group 5: Remediation of Server-Based DDoS Attacks. View the Webinar replay here: https://www.brighttalk.com/webcast/9051/128061
TRANSCRIPT
Shedding Light on Threats That Lurk in Your Network Blind Spots
Presented by: Tom Bienkowski, Director, Product Marketing, Arbor Networks
Arbor Networks Cyber Security Summit
Attend any of the 6 live (or archived) webinars.
Today’s Service Provider Network…
A complex environment under constant threat
[Diagram: service provider network showing the Internet, Transit/Peer Edge, Backbone, Customer Edge, Business Customers, Broadband Subscribers, Mobile Network, Mobile Subscribers & Devices, and Data Center & Cloud Services, with attack traffic and legit traffic.]
…Requires A Comprehensive Solution
Arbor’s Peakflow Solution for Service Providers
An integrated solution that offers:
• Pervasive Network Visibility: Backbone, Peering/Transit edge, Cloud/Datacenter, Mobile network, Customer Edge
• Advanced Threat Protection: Detect and mitigate threats (e.g. volumetric & application layer DDoS attacks, mobile signaling storms) before they impact service availability or performance.
• Service Enablement: Monetize network infrastructure and Arbor technologies for revenue generating services & competitive differentiation.
Backed By the Industry Leading Global Threat Intelligence
You Can’t Protect What You Can’t See…We See Things Others Can’t.
Threats at Your Peering/Transit Edge & Backbone
Challenges:
• Understanding exactly what traffic is entering and leaving your network.
• Detecting and stopping anomalies/DDoS attacks before they impact your network/customers.
Considerations: Proper network visibility is required for threat management decisions.
Threat Trends:*
• 70% experience multiple attacks/month
• Targets = 76% customers, 62% infrastructure, 54% services (i.e. DNS)
• ATLAS saw 8x number of attacks over 20Gbs
• NTP attacks 300+Gbps
• Rise in Fast Flood Attacks
* Arbor WISR
Introduction to “Fast Flood” DDoS Attacks
“Fast Flood” DDoS Attacks on The Rise
• Non-sophisticated flood attacks (e.g. ICMP, UDP) that quickly ramp up in size (e.g. 0-50Gbps+ in seconds).
• Last for a short duration of time (less than 30 min).
• Readily available DDoS attack tools and services, and an increase in the number and size of botnets and bandwidth, make this type of attack a common occurrence (see ATLAS stats above).
• Need for quick detection and auto-mitigation to reduce impact.
• 2X increase in attacks over 20GB from 2013 to 1st Half 2014
• Majority of attacks are less than 1 hour
Arbor’s Solution: Peering/Transit Edge & Backbone
Peakflow
• Visibility into traffic entering/leaving your network for more intelligent network design.
• Detection of anomalies and DDoS attacks (Peakflow 7.0 in as little as 1 sec).
Peakflow TMS
• Out-of-band, stateless mitigation stops attacks at edge of network before impacting backbone/customers.
• Advanced countermeasures can stop volumetric and application layer attacks.
• ATLAS Intelligence Feed (AIF) arms TMS with latest threat intelligence from ASERT.
[Diagram labels: Peakflow Console, Collectors (Core), TMS, Scrubbing Center; attack traffic and legit traffic. Callouts: Peakflow Traffic Reports, TMS Portfolio, TMS Countermeasures.]
Peakflow Network Traffic Reports
Surgical Mitigation with Peakflow Threat Management System
Comprehensive Set of Attack Counter Measures
New Peakflow 7.0 (GA 11/10/14)
• Reduction in Time to Detection and Mitigation
  • Essential attack details at your fingertips
  • Attack detection in 1 second and mitigation in less than 30 seconds
• New / Improved DDoS Attack Countermeasures
  • Continuous countermeasure improvements
  • Decryption and mitigation of SSL-based attacks
• The “User Dimension” in Peakflow Analysis and Reporting
Peakflow 7.0: Redesigned Alert Dashboards
• Quickly view impact on different parts of network
• Top 10 attack traffic patterns
• Attack traffic characteristics
• Top impacted router/router interfaces
• See all active mitigations and one-click to start mitigation
• Dynamic, interactive charts
• Interactive legend/filter
• Attack packet size distribution
• Annotations
• Scratch Pad
• View Raw Flows shows attack forensics
Essential Attack Details At Your Finger Tips
Detection of Fast Flood Attacks in as little as 1 sec.
Mitigation in under 30 seconds
Designed to maximize your security teams and reduce time to mitigation.
Peakflow 7.0: Detection in 1 sec and Mitigation in less than 30 seconds
Threats at Your Customer Edge
Challenges:
• Visibility into customer edge traffic for more intelligent network management and planning.
• Detect and stop traffic anomalies and customer-customer / customer-datacenter attacks before they impact edge infrastructure and services.
Considerations: Customer Edge Threats:*
• Customer-Customer attacks are not uncommon.
• 64% experienced DDoS attacks towards their customers.
• 34% experienced botted/compromised/C&C hosts from their customers/network
* Arbor WISR
Arbor’s Solution: Customer Edge
Peakflow
• Visibility into customer-to-customer traffic and its impact on peering, backbone capacity and routing enables more intelligent network design.
• Detect anomalies or threats from compromised or customer-to-customer or customer-datacenter attacks before they impact services.
Peakflow TMS
• TMS 4000: Out of band, stateless mitigation in regional scrubbing centers to stop DDoS attacks.
• TMS 2300: In-line, dedicated for specific customers.
• ATLAS Intelligence Feed (AIF) arms TMS with latest ASERT threat intelligence.
[Diagram labels: Peakflow Console, Collectors (Edge), TMS 4000, TMS 2300; legit and attack traffic. Callouts: Interface reports, Customer DOS Alert, Customer-to-Customer.]
Robust set of Customer reports
Customer Edge Router / Router Interface Reports
Detection of Customer-to-Customer Attack
Threats in Your Cloud/Data Center
Considerations:*
• Security is #1 concern for cloud providers and their customers.
• 94% of data center operators experienced attacks. (DNS & HTTP top targets)
• Attacks (e.g. Operation Ababil) also originate from and exploit protocols (e.g. SSL) commonly used in DCs
• Rise in HTTPS attacks: 2011=24%, 2012=37%, 2013=54%
Challenges: Ability to detect and stop DDoS attacks against/from your DC infrastructure or customers before they impact availability of services. (reduce potential for collateral damage)
* Arbor 9th annual
“Operation Ababil”: Case Study for Data Center & SSL Attacks
• A series of DDoS attacks against US financial institutions that lasted for approximately 1 year.
• A dynamic combination of volumetric and application layer attacks.
• Leveraged DC technology to launch attacks:
  • Compromised hosts with unpatched web server software to become part of botnet.
  • Leveraged high speed internet connections to launch volumetric attacks.
  • Leveraged web scripting languages to make it easier for attacker to configure and launch attacks designed to exploit SSL protocol or hidden in SSL packets.
• New set of requirements for modern day DDoS protection solutions to detect and stop attacks:
  • Which try to exploit SSL protocol (e.g. SSL negotiation attacks)
  • Which try to hide within SSL packets (in other words, decryption)
Arbor’s Solution: Cloud/Data Center
Peakflow
• Visibility, anomaly/threat detection for the data center.
Peakflow TMS
• Protect availability of services via TMS 4000 in central scrubbing centers.
• SSL Decryption in TMS 2300
Other Arbor Products:
• Pravail APS: Always-on detection for application layer attacks; Cloud Signaling to TMS in scrubbing center for volumetric attacks.
• Pravail NSI: Internal DC visibility, malware detection.
• Pravail SA: Incident response and security forensics via packet capture; Looping.
[Diagram labels: Collectors (Core + Edge), TMS 2300, TMS 4000, Pravail APS, Cloud Signaling, Scrubbing Center, Pravail NSI/SA Console; legit, volumetric and application traffic.]
Your Mobile Network
Considerations:
• Rise in malicious threats against mobile network infrastructure
• 60% experienced outages from a DDoS attack**
• Impact:** 55% DNS, 52% other services, 42% NAT/Firewalls
• 33% have seen misbehaving mobile apps impact services*
• 34% do not have visibility into their MPC*
Challenges:
• Having the proper level of visibility into Mobile Packet Core traffic.
• Visibility into attacks/anomalies that threaten mobile network services.
• Optimizing network performance and customer experience.
* Arbor WISR
** Heavy Reading Mobile Network Security Survey 2013
Arbor’s Solution: Mobile Network
Peakflow and Peakflow MNA
• A comprehensive solution that provides visibility and threat protection for the Gi LAN and Mobile Packet Core.
• GTP-c traffic visibility and anomaly/threat detection in Mobile Packet Core.
Peakflow TMS 4000
• Protect availability and performance of mobile network infrastructure and services (on SGi/Gi interface)
Other Arbor Products:
• Pravail APS: Detect and stop application layer attacks (i.e. DNS) in mobile data centers; Cloud Signaling
[Diagram labels: TMS, GTP Traffic (Core), (Mobile GTP), Pravail APS; legit, volumetric and application traffic.]
For Your Network Which is Under Constant Threat…
Trust Arbor. We See Things Others Can’t