Best Practices: Using Your Network and the Cisco ASR 9000 for DDoS Protection

Date post: 02-Aug-2015
Upload: arbor-networks
Page 1: Best Practices: Using Your Network and the Cisco ASR 9000 for DDoS Protection

Tom Bienkowski, Product Marketing, Arbor Networks

Talbot Hack, Product Manager, Arbor Networks

Mike Geller, Principal Engineer, Cisco

Page 2

Modern Day DDoS Attacks

DDoS attacks are increasing in size (up to 400G), frequency (daily) and complexity (a dynamic combination of volumetric, TCP state exhaustion and application layer attack vectors).

[Diagram: legitimate traffic and botnet-driven volumetric, state exhaustion and application attacks crossing the Internet and your (ISP's) network toward your data centers]

Impact (to you and your customers):
Availability of network and services
Operational cost to mitigate the attack
Lost revenue and profitability
Unwanted media attention; tarnished brand
Fees/fines

Page 3

The Solution: Layered DDoS Attack Protection

[Diagram: the Internet, your (ISP's) network with a scrubbing center, and your data centers/internal networks; volumetric attacks are stopped in-cloud, application attacks on-premises]

1 Stop volumetric attacks in-cloud
2 Stop application layer DDoS attacks and other advanced threats; detect abnormal outbound activity
3 Intelligent communication between both environments
4 Backed by continuous threat intelligence

Page 4

Multiple Places/Ways to Stop DDoS Attacks

[Diagram: DDoS traffic arriving from backbone provider C and providers A and D, with protection points at (1) the peering/transit edge, (2) the data center/customer edge and (3) the scrubbing center]

1 Peering/Transit Edge: stop DDoS attacks at the network edge before they impact the backbone, data centers and customers.
2 Data Center/Customer Edge: dedicated DDoS protection.
3 Regional Scrubbing Centers: shared DDoS protection for multiple customers, placed in strategic parts of the network.

Comprehensive DDoS protection is accomplished using a combination of: a) dedicated DDoS protection solutions and b) Best Current Practices leveraging network infrastructure.

Page 5

Who Is Arbor Networks?

For the past 15 years Arbor Networks has been the undisputed leader.

A majority of the world's service providers (100% of Tier 1) and largest enterprises have trusted Arbor Networks for their DDoS protection.

Proven & Trusted DDoS Protection

DDoS Protection?... We invented it!

Page 6

Arbor's DDoS Protection Solution

Proven, Industry Leading, Layered DDoS Protection Products & Services

Continuously Armed with Global Visibility and Threat Intelligence

[Diagram: Arbor Cloud stops volumetric attacks in-cloud; on-prem protection handles application attacks/malware and compromised hosts; the two are linked by Cloud Signaling (Arbor deployments in the majority of the world's ISPs)]

Page 7

Network Embedded, Virtual DDoS Protection

Arbor Peakflow Threat Management System (TMS): #1 in DDoS attack protection products

Cisco ASR 9000 Virtual Services Module (VSM): #1 in network infrastructure products; up to 40 Gbps mitigation per VSM

Two best of breeds combine: Cisco ASR 9000 vDDoS Protection, the industry's most comprehensive DDoS attack protection solution

Page 8

Cisco/Arbor's Comprehensive DDoS Protection Solution

[Diagram: providers A and C and backbone provider B feed the peering & transit edge; ASR 9000 vDDoS Protection sits at the peering & transit edge, at data center & cloud services and at the customer edge; a TMS 4000 sits in the scrubbing center; a Peakflow SP NetFlow collector and a Peakflow console oversee all four locations; DDoS traffic is separated from legitimate traffic]

A single Peakflow console is used for NetFlow analysis, attack detection (in as little as 1 sec), alerting and reporting.

vDDoS Protection is embedded in Cisco ASR 9000 routers distributed at the peering edge, data centers, customer edge, etc. (40 Gbps mitigation per VSM).

Existing Arbor TMS DDoS solutions remain in regional scrubbing centers or where ASR 9000s are not deployed.

The network itself (i.e. ACLs, BGP Flowspec, D/RTBH, S/RTBH, OpenFlow) is leveraged for mitigation.

Benefits:
Infrastructure & Service Protection: a comprehensive DDoS protection solution that can stop DDoS attacks in multiple network locations
Service Enablement: increase revenue via new managed Visibility and DDoS Protection

Page 9

Substantial Growth in Largest Attacks

Increase in the size and number of reflection/amplification attacks; DNS, NTP, SSDP, SNMP and Chargen are the most common. To effectively stop these attacks you must leverage your network.

Page 10

Using Your Network For Mitigation

ACLs – block all unnecessary protocols/ports at the network ingress to protect critical resources

BGP Flowspec – signal injection of ACLs or routing policy to filter or divert traffic upstream

S/RTBH – use source-based remote-triggered blackholing to block known bad sources

D/RTBH – use destination-based remote-triggered blackholing as a last resort to protect the network

SDN (OpenFlow) – offload blacklists, policies, etc. to upstream routers to filter or divert traffic

Benefit: substantially better scale and performance
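As an added example (not code from the deck, Arbor or Cisco), the following Python sketches how the NetFlow-based detection described on pages 8 and 9 can drive the BGP Flowspec mitigation listed above: it sums bytes per victim from UDP flows sourced at the reflector ports the deck names and emits a Flowspec-style match for each victim that crosses a threshold. The record format, the thresholds, the rule text and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Reflector source ports for the services named on the page
# (DNS, NTP, SSDP, SNMP, Chargen); UDP is IP protocol 17.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 161: "snmp", 19: "chargen"}
UDP = 17

def reflection_summary(flows):
    """Per (victim, reflector port): total bytes and distinct reflector sources,
    counting only UDP flows whose source port is a known reflector service."""
    acc = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if f["proto"] == UDP and f["sport"] in REFLECTOR_PORTS:
            entry = acc[(f["dst"], f["sport"])]
            entry["bytes"] += f["bytes"]
            entry["sources"].add(f["src"])
    return acc

def flowspec_rules(flows, byte_threshold, min_sources=3):
    """One Flowspec-style rule per (victim, port) over the byte threshold and
    seen from several reflectors. Matching destination + UDP + source port drops
    only the amplified replies, unlike D/RTBH, which blackholes the victim."""
    rules = []
    for (dst, sport), v in sorted(reflection_summary(flows).items()):
        if v["bytes"] >= byte_threshold and len(v["sources"]) >= min_sources:
            rules.append(f"match destination {dst}/32 protocol udp "
                         f"source-port ={sport} then discard"
                         f"  # {REFLECTOR_PORTS[sport]} reflection, "
                         f"{len(v['sources'])} reflectors, {v['bytes']} bytes")
    return rules

def flow(src, sport, dst, dport, proto, nbytes):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes}

# Constructed sample: an NTP reflection flood from three reflectors toward
# 203.0.113.10, beside a normal DNS reply and ordinary TCP traffic.
SAMPLE_FLOWS = [
    flow("198.51.100.1", 123, "203.0.113.10", 40001, UDP, 440_000),
    flow("198.51.100.2", 123, "203.0.113.10", 40002, UDP, 430_000),
    flow("198.51.100.3", 123, "203.0.113.10", 40003, UDP, 450_000),
    flow("198.51.100.9", 53, "203.0.113.20", 51000, UDP, 1_200),
    flow("192.0.2.5", 443, "203.0.113.20", 52000, 6, 900_000),
]

if __name__ == "__main__":
    for rule in flowspec_rules(SAMPLE_FLOWS, byte_threshold=1_000_000):
        print(rule)
```

In the deck's escalation order, S/RTBH on the identified reflector sources would be the next step and D/RTBH the last resort, since both discard more than the Flowspec match does.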

Page 11

Blacklist Offload via OpenFlow

[Diagram: traffic from providers A and B passes through ASR 9000 vDDoS Protection toward the data center; blacklisted bad traffic is dropped (X) upstream after blacklist offload via OpenFlow, while good traffic passes]

Benefit: pushes filtering to the network fabric (via OpenFlow) for greater scale and performance

Page 12

What's New

Leveraging the power of the cloud: pushing SSL decryption to the cloud

Improving visibility: enabling underlay/overlay visibility; enabling selective bypass of certain flows based on policies ('coloring')

Improving agility: enabling more dynamic, intelligent offload

Page 13

Arbor's (And Cisco's) DDoS Protection Solution

Proven, Industry Leading, Layered DDoS Protection Products & Services

Continuously Armed with Global Visibility and Threat Intelligence

[Diagram: the page 6 solution diagram with ASR 9000 vDDoS Protection added on-prem: Arbor Cloud stops volumetric attacks in-cloud, on-prem protection handles application attacks/malware and compromised hosts, and the two are linked by Cloud Signaling (Arbor deployment in the majority of ISPs)]

Page 14

Q&A…Thanks

Tom Bienkowski [email protected]

For more information visit us at Cisco Live Booth # 1307

