Date posted: 02-Aug-2015 | Category: Technology | Uploaded by: arbor-networks
Best Practices: Using Your Network and the Cisco ASR 9000 for DDoS Protection

Tom Bienkowski, Product Marketing, Arbor Networks
Talbot Hack, Product Manager, Arbor Networks
Mike Geller, Principal Engineer, Cisco
Modern Day DDoS Attacks

DDoS attacks are increasing in size (up to 400 Gbps), frequency (daily) and complexity (a dynamic combination of volumetric, TCP state-exhaustion and application-layer attack vectors).

[Diagram: a botnet on the Internet sends volumetric, state-exhaustion and application-layer attacks through your (ISP's) network toward your data centers, mixed in with legitimate traffic.]

Impact (to you and your customers):
- Availability of network and services
- Operational cost to mitigate the attack
- Lost revenue and profitability
- Unwanted media attention; tarnished brand
- Fees/fines
The Solution: Layered DDoS Attack Protection

1. Stop volumetric attacks in the cloud (in your ISP's network or a scrubbing center), before they saturate your links.
2. Stop application-layer DDoS attacks and other advanced threats on premises, in front of your data centers and internal networks; detect abnormal outbound activity from compromised hosts.
3. Intelligent communication between both environments (Cloud Signaling), so the on-premises layer can call for cloud mitigation when an attack exceeds its capacity.
4. Backed by continuous threat intelligence.
Multiple Places/Ways to Stop DDoS Attacks

[Diagram: DDoS traffic arriving from backbone providers and peers, with mitigation points numbered 1-3 along its path to the data center and customer.]

1. Peering/Transit Edge: stop DDoS attacks at the network edge, before they impact the backbone, data centers and customers.
2. Data Center/Customer Edge: dedicated DDoS protection.
3. Regional Scrubbing Centers: shared DDoS protection for multiple customers, placed in strategic parts of the network.

Comprehensive DDoS protection is accomplished using a combination of:
a) Dedicated DDoS protection solutions
b) Best Current Practices leveraging the network infrastructure
Who Is Arbor Networks?

- For the past 15 years Arbor Networks has been the undisputed leader in DDoS protection.
- A majority of the world's service providers (100% of Tier 1) and largest enterprises have trusted Arbor Networks for their DDoS protection.
- Proven and trusted DDoS protection: "DDoS protection?... We invented it!"
Arbor's DDoS Protection Solution

Proven, industry-leading, layered DDoS protection products and services, continuously armed with global visibility and threat intelligence.

[Diagram: Arbor Cloud (in-cloud, with Arbor deployments in the majority of the world's ISPs) stops volumetric attacks; an on-premises Arbor device in front of the data center stops application attacks and malware and detects compromised hosts; the two are linked by Cloud Signaling.]

Two Best of Breeds Combine: Network Embedded, Virtual DDoS Protection

- Arbor Peakflow Threat Management System (TMS): #1 in DDoS attack protection products
- Cisco ASR 9000: #1 in network infrastructure products
- Together: Cisco ASR 9000 vDDoS Protection, Arbor's TMS mitigation embedded in the ASR 9000 Virtual Services Module (VSM), with up to 40 Gbps of mitigation per VSM. The industry's most comprehensive DDoS attack protection solution.
Cisco/Arbor's Comprehensive DDoS Protection Solution

[Diagram: peering and transit edge facing Providers A-C, customer edge, data center and cloud services, and a scrubbing center with a TMS 4000, all exporting NetFlow to a Peakflow SP collector and managed from a single Peakflow console; DDoS traffic is dropped at each mitigation point while legitimate traffic continues.]

1. A single Peakflow console used for NetFlow analysis, attack detection (in as little as 1 second), alerting and reporting.
2. vDDoS Protection embedded in Cisco ASR 9000 routers distributed at the peering edge, data centers, customer edge, etc. (40 Gbps mitigation per VSM).
3. Existing Arbor TMS DDoS solutions in regional scrubbing centers, or where ASR 9000s are not deployed.
4. Leverage the network itself (ACLs, BGP Flowspec, D/RTBH, S/RTBH, OpenFlow) for mitigation.

Benefits:
- Infrastructure and service protection: a comprehensive DDoS protection solution that can stop DDoS attacks in multiple network locations.
- Service enablement: increase revenue via new managed visibility and DDoS protection services.
Substantial Growth in Largest Attacks

Increase in the size and number of reflection/amplification attacks; DNS, NTP, SSDP, SNMP and Chargen are the most common. To effectively stop these attacks you must leverage your network.
Using Your Network For Mitigation

- ACLs: block all unnecessary protocols/ports at the network ingress to protect critical resources. For the reflection vectors above this means, for example, dropping UDP from source ports 53, 123, 1900, 161 and 19 towards hosts that never need those services.
- BGP Flowspec (RFC 5575): signal ACL-like match/action rules, or routing policy, to routers over BGP so that filtering or diversion happens upstream, without a manual per-router ACL change.
- S/RTBH: source-based remote-triggered blackholing, to drop traffic from known bad sources network-wide. It relies on loose-mode uRPF on the edge interfaces: the bad source prefixes are announced with a next hop that routes to a discard interface, so the uRPF check fails for them and the packets are dropped.
- D/RTBH: destination-based remote-triggered blackholing, as a last resort to protect the network. It drops all traffic to the victim prefix, legitimate traffic included, so it completes the attacker's goal for that destination while protecting the rest of the infrastructure and other customers.
- SDN (OpenFlow): offload blacklists, policies, etc. to upstream routers to filter or divert traffic.

Benefit: substantially better scale and performance than mitigating everything in a dedicated appliance.
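The Flowspec bullet above is the one whose wire-level detail is worth seeing, because it is what lets a detection system push a filter for one reflection vector to every edge router at once. Below is an added example, written for this page and not Arbor or Cisco code, that encodes such a rule as an RFC 5575 IPv4 NLRI plus a traffic-rate action. The victim 203.0.113.10 and AS 64496 are documentation values chosen for the example; the port-list and 2-byte-value cases go beyond the single NTP rule to show the general operator encoding.

```python
"""BGP Flowspec (RFC 5575) rule encoder for DDoS mitigation.

Added example for this page; it is not Arbor or Cisco code. It builds the
wire form of a Flowspec rule of the kind the slide describes: drop (or
rate-limit) UDP traffic from source port 123 (an NTP amplification vector)
towards one victim /32. Addresses and the ASN are documentation values.
"""
import ipaddress
import struct

# Component types, RFC 5575 section 4
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
UDP = 17

# Numeric operator byte: e(7) a(6) len(5-4) reserved(3) lt(2) gt(1) eq(0)
OP_END, OP_AND = 0x80, 0x40
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01

TRAFFIC_RATE = 0x8006  # extended community type; a rate of 0 bytes/s means drop


def encode_prefix(comp_type, cidr):
    """<type><prefix-len><prefix truncated to the bytes the length needs>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(comp_type, values, op=OP_EQ):
    """<type> followed by (operator, value) pairs.

    Values in the list are ORed (AND bit clear); the last pair carries the
    end-of-list bit. The length bits select the smallest of 1/2/4 bytes.
    """
    out = bytearray([comp_type])
    for i, value in enumerate(values):
        if value < 0x100:
            len_bits, fmt = 0x00, ">B"
        elif value < 0x10000:
            len_bits, fmt = 0x10, ">H"
        else:
            len_bits, fmt = 0x20, ">I"
        operator = op | len_bits
        if i == len(values) - 1:
            operator |= OP_END
        out.append(operator)
        out += struct.pack(fmt, value)
    return bytes(out)


def encode_nlri(*components):
    """NLRI = length + components, which must be in ascending type order.

    The length is one byte below 240, otherwise two bytes with the high
    nibble set (0xFnnn).
    """
    types = [c[0] for c in components]
    if types != sorted(types):
        raise ValueError("Flowspec components must be sorted by type")
    body = b"".join(components)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate(asn, bytes_per_sec):
    """Traffic-rate extended community: type, 2-byte AS, IEEE float rate."""
    return struct.pack(">HHf", TRAFFIC_RATE, asn, float(bytes_per_sec))


def decode_traffic_rate(ext_community):
    """Inverse of traffic_rate(); returns (asn, bytes_per_sec)."""
    comm_type, asn, rate = struct.unpack(">HHf", ext_community)
    if comm_type != TRAFFIC_RATE:
        raise ValueError("not a traffic-rate community")
    return asn, rate


def reflection_filter(victim, src_port, asn, bytes_per_sec=0):
    """Rule for one amplification vector: UDP from src_port to the victim.

    Returns the NLRI and the action community. The destination prefix must
    lie inside the announcing network's own address space; a Flowspec
    receiver is expected to validate that (RFC 5575 section 6) before
    installing the rule, which is what stops a peer from filtering your
    traffic to someone else's prefixes.
    """
    nlri = encode_nlri(
        encode_prefix(DEST_PREFIX, victim),
        encode_numeric(IP_PROTO, [UDP]),
        encode_numeric(SRC_PORT, [src_port]),
    )
    return {"nlri": nlri, "action": traffic_rate(asn, bytes_per_sec)}


if __name__ == "__main__":
    rule = reflection_filter("203.0.113.10/32", 123, 64496)
    print("NLRI  :", rule["nlri"].hex())
    print("ACTION:", rule["action"].hex(), "(rate 0 = discard)")
```

Passing a non-zero `bytes_per_sec` turns the same rule into a rate limit instead of a discard, which is the usual choice when the matched port also carries wanted traffic (DNS responses to a resolver, for instance). Routers apply Flowspec rules in the order given in section 5.1 of the RFC, so a broad drop on a destination prefix and a narrower rate limit on one port of it are ordered by the router, not by the order you announce them.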
Blacklist Offload via OpenFlow

[Diagram: ASR 9000 vDDoS Protection in front of the data center pushes its blacklist via OpenFlow to the upstream routers facing Providers A and B; bad traffic is dropped there while good traffic continues to the data center.]

Benefit: pushes filtering to the network fabric (via OpenFlow) for greater scale and performance.
What's New

- Leveraging the power of the cloud: pushing SSL decryption to the cloud
- Improving visibility: enabling underlay/overlay visibility; enabling selective bypass of certain flows based on policies ('coloring')
- Improving agility: enabling more dynamic, intelligent offload
Arbor's (And Cisco's) DDoS Protection Solution

Proven, industry-leading, layered DDoS protection products and services, continuously armed with global visibility and threat intelligence: Arbor Cloud in the cloud for volumetric attacks, ASR 9000 vDDoS Protection on premises for application attacks, malware and compromised hosts, linked by Cloud Signaling.
Q&A…Thanks
Tom Bienkowski [email protected]
For more information visit us at Cisco Live Booth # 1307