1 Fortinet Confidential
Zbynek Lebduska
Fortinet
Introducing FortiDDoS Intent Based Detection and Mitigation
Defining DoS & DDoS
• DoS = Denial of Service attack
» An attempt to make a resource unavailable to its intended users, executed with:
  • Non-legitimate traffic
  • High volume of legitimate traffic exhausting resources
• DDoS = Distributed Denial of Service attack
» A DoS attack that originates from many different places (geographically and across networks)
[Chart: CPU/MEM load (1, 50, 100) plotted against traffic (1, 10, 100, 1000, 10000)]
Architecture of DDoS attack – example 1
[Diagram]
Architecture of DDoS attack – example 2
[Diagram labels: Attacker, Handler, Zombie, Victim]
DDoS on the rise – tools are easily available
• Botnets available at very little cost
» Digital black market
» Botnet of 10,000 zombies approx. $50 per 24 hours
• Software tools allow anyone to participate in a distributed attack
» LOIC, HOIC, Letdown, …
» WebLoic (LOIC for Android)
Typical DDoS Motivations
• Financial
» DDoS provides a revenue stream opportunity for the attacker who targets ecommerce sites. How much would you pay to keep the store open?
• Political
» DDoS is used to protest about a given issue or disrupt operations; the primary motivation is not financial. The armchair hacktivist.
• Whatever the motivation, the result is the same: denial of legitimate access
What to attack?
• Four main areas are vulnerable:
» Bandwidth: flood with illegitimate traffic to fill available capacity
» Firewall / IPS device: connection tables, forwarding and session set-up processing
» Web hosting servers: server vulnerabilities, process and connection limits
» Back-end database servers: server resources, SQL injection vulnerabilities
[Diagram labels: ISP 1, ISP 2, Firewall, Web Hosting Center, Back End Database Servers]
The Classification of Attacks
• Volumetric attacks
» Designed to consume available Internet bandwidth or overload server resources. Typical examples: SYN flood, UDP flood, ICMP flood, Smurf attacks.
• Application layer attacks
» More sophisticated, and attractive to the attacker since they require fewer resources to carry out (botnet costs). They target vulnerabilities in applications to evade flood detection strategies.
• Cloud infrastructure attacks
» Cloud solutions can turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail and web servers). Mitigation can be complex and any attack can impact multiple customers.
Approaches to DDoS Prevention
• Scrubbing service from Internet or cloud service providers
» Model: managed service subscription model; usually separate detection and mitigation
» Pros: easy sign-up and deployment
» Cons: expensive, inflexible, costs can rise during an attack
• Firewall / IPS
» Model: integrated device for FW/IPS and DDoS prevention
» Pros: single device, simplified architecture, fewer units to manage
» Cons: not designed to detect/block sophisticated DDoS attacks; typically requires an update license
• Dedicated device
» Model: inline detection, mitigation and reporting; auto detection of a wide range of DDoS attacks
» Pros: cost effective, no unpredictable or hidden charges; multi-layer, accurate, fast, scalable and easy to deploy
» Cons: additional network element
Introducing FortiDDoS
Hardware Accelerated DDoS Defense / Intent Based Protection
• Uses the newest member of the FortiASIC family, FortiASIC-TP™
• Rate Based Detection
• Signature Free Defense
» Hardware based protection
• Inline Full Transparent Mode
» No MAC address changes
• Self Learning Baseline
» Adapts based on behavior
• Granular Protection
» Multiple thresholds to detect subtle changes and provide rapid mitigation
[Diagram: FortiDDoS™ deployed between the ISP 1 / ISP 2 links, the Firewall and the Web Hosting Center, with Legitimate Traffic and Malicious Traffic shown]
[Block diagram: FortiASIC Traffic Processor (TP)]
Inbound and outbound packets enter through Virtualization; the Decision Multiplexer emits Allowed packets and Dropped packets. Control and Statistics are exported as SNMP Traps/MIBs, Syslog and Event Notifications.
Traffic Processor blocks:
• Network, Transport, Application Layer Rate Anomaly Prevention
• Dark Address, Geo-location, IP Reputation
• Network, Transport, Application Layer Access Control Lists
• Anti-spoofing
• Network, Transport, Application Layer Header Anomaly Prevention
• State Anomaly Prevention
• Application Layer Heuristics
• Source Tracking
Control and Statistics:
• Event / Traffic Statistics, Graphs
• Threshold Wizard, Continuous Adaptive Threshold Estimation
• Policy Configuration, Archive, Restore
Virtual Partitions
• Uniquely enables up to eight segmented zones
» Segmentation by server address / subnet
• Consider a customer with multiple traffic types
» Web Browsing
» Firmware Updates
» Online Ordering
• Separate policies for unique traffic patterns
» Connection patterns could differ from server to server
• Need to protect services from each other
» Mitigation could include limiting the volume of firmware downloads
[Diagram labels: Links from ISP(s), FortiDDoS (DDoS Protection), FortiGate (Firewall), Corporate site]
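The self-learning baseline with multiple thresholds and the continuous adaptive threshold estimation applied per virtual partition, as an added example that is not FortiDDoS code: the EWMA baseline, the alert/drop multipliers, the subnets and the per-second counter values are all assumptions chosen to illustrate the idea, including why the baseline must stop learning while an anomaly is in progress.

```python
from ipaddress import ip_address, ip_network

# Constructed protected zones (segmentation by server subnet).
PARTITIONS = {"web": ip_network("203.0.113.0/25"),
              "firmware": ip_network("203.0.113.128/25")}
# Assumed escalation tiers as multipliers over the learned baseline
# ("multiple thresholds"); the deck gives no real FortiDDoS values.
TIERS = (("alert", 2.0), ("drop", 4.0))

def partition_for(dst):
    """Map a destination address to its virtual partition, or None."""
    addr = ip_address(dst)
    return next((n for n, net in PARTITIONS.items() if addr in net), None)

class RateDetector:
    """Self-learning baseline: an EWMA of the per-second rate for each
    (partition, counter) pair, checked against the tier multipliers."""
    def __init__(self, alpha=0.2):
        self.alpha = alpha      # weight of the newest sample
        self.baseline = {}      # (partition, counter) -> learned rate

    def observe(self, dst, counter, rate):
        part = partition_for(dst)
        if part is None:
            return "unprotected"
        key = (part, counter)
        base = self.baseline.get(key)
        if base is None:
            self.baseline[key] = float(rate)   # first sample seeds baseline
            return "learn"
        verdict = "ok"
        for name, mult in TIERS:               # ascending; last match wins
            if rate > base * mult:
                verdict = name
        if verdict == "ok":
            # Adapt only on normal traffic, so a flood cannot teach the
            # detector that attack volume is the new normal.
            self.baseline[key] = (1 - self.alpha) * base + self.alpha * rate
        return verdict

def evaluate(samples, alpha=0.2):
    """Feed constructed (dst, counter, packets-per-second) samples in order."""
    det = RateDetector(alpha)
    return [det.observe(d, c, r) for d, c, r in samples]

# Constructed counters: quiet seconds then a SYN spike on the web zone,
# a moderate rise on the firmware zone, one host outside any partition.
SAMPLES = ([("203.0.113.10", "syn", 100)] * 4 + [("203.0.113.10", "syn", 500)]
           + [("203.0.113.200", "tcp", 50)] * 2 + [("203.0.113.200", "tcp", 130)]
           + [("198.51.100.9", "syn", 9000)])
```

Because each partition keeps its own baseline, the firmware zone's rise is judged against firmware traffic only, which is the point of separate policies per traffic type.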
FortiDDoS product line
Model           LAN                          WAN                          FortiASIC            Protection
FortiDDoS 100A  2 x 1G (copper and optical)  2 x 1G (copper and optical)  2 x FortiASIC-TP1    1 Gbps full duplex
FortiDDoS 200A  4 x 1G (copper and optical)  4 x 1G (copper and optical)  4 x FortiASIC-TP1    2 Gbps full duplex
FortiDDoS 300A  6 x 1G (copper and optical)  6 x 1G (copper and optical)  6 x FortiASIC-TP1    3 Gbps full duplex
March 22, 2013
Thank You
Selected Customers Worldwide