7/31/2019 DDoS Threat to Clouds
1/30
The DDoS Threat
to Internet DataCenters (IDCs)
Darren Anstee, EMEA Solutions Architect
March 2011
Page 2 - Company Confidential
Introduction
Arbor Networks: 300+ employees in 20+ countries
300+ customers: 90%+ of Tier 1 providers, 60%+ of Tier 2 providers, 11 of 13 North American MSOs
Privileged relationships with the majority of the world's ISPs
ATLAS/ASERT thought leadership
Darren Anstee, EMEA Technical Specialist: 15+ years of experience in networking and security; 8 years at Arbor Networks
Agenda
1. The Evolution of the DDoS Threat
2. Internet Data Center (IDC) DDoS Examples and Details
3. Best Current Practices for Preventing DDoS Attacks
2010 Infrastructure Security Survey
6th Annual Survey
Survey conducted in September and October 2010
111 total respondents contributed:
- Service providers
- Content/ASPs
- Enterprises
- Broadband
- Mobile
- DNS
- Educational
Looking at the IDC.
DDoS directly impacts business:
- 84% see increased Opex due to DDoS
- 43% see customer churn
- 86% of respondents had firewalls and/or IDS deployed
- 49% have experienced a failure of their firewalls or IPS due to a DDoS attack
Loss of Availability Goes Beyond Financials
Source: Ponemon Institute 2010 State of Web Application Security
Botnets and DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage.
* Source: McAfee, Into the Crossfire, January 2010
Botnets and DDoS also hurt a company's brand, lower customers' confidence, and waste employees' time, especially when they are front-page news.
The Evolving Threat Against Data Centers
Both volumetric and application-layer DDoS attacks can bring down critical data center services.
[Figure: IPS and load balancer in the data center path; application-layer DDoS impact vs. volumetric DDoS impact]
The Failure of Existing Security Devices
Other CPE-based security devices focus on integrity and confidentiality, not on availability.
[Figure: IPS and load balancer in the data center path; Information Security Triangle]

Product Family | Triangle | Benefit
Firewalls | Integrity | Enforce network policy to prevent unauthorized access to data
Intrusion Prevention System | Integrity | Block break-in attempts causing data theft

Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can't detect or stop distributed attacks, and (3) cannot integrate with in-cloud security solutions. Because they are stateful and inline, they are part of the DDoS problem and not the solution.
The IDC Infrastructure and DDoS
Anatomy of DDoS
[Figure: subscriber networks; Internet Service Provider with ISP-based IDMS; data center network with IDC-based IDMS, firewall / IPS / WAF, and public-facing servers]
1. Service operating normally.
2. Attack begins with volumetric, state exhaustion and application layer components.
3. Bandwidth saturation and/or state exhaustion and/or application layer impact.
4. Application layer component mitigated in the IDC.
5. Volumetric component mitigated in the ISP.
6. Normal service operation.
Common Attack Vectors, Part 1
Volumetric Traffic Floods
- Large botnets or spoofed IPs generate high bps / pps traffic volume
- UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
- Take out the infrastructure capacity: routers, switches, servers, links
- 319% growth in the number of ATLAS-monitored attacks > 10 Gb from 2009 to 2010
[Chart: ATLAS 2010 Attack Size Break-Out, bps; buckets >1, 2, 5, 10, 20 Gbps]

Reflection Attacks
- Use a legitimate resource to amplify an attack to a destination
- Send a request to an IP that will yield a big response and spoof the source IP address to that of the actual victim
- The victim will see a lot of traffic from the legitimate source
- DNS reflective amplification increasingly common
[Figure: attacker sends a DNS request with the source spoofed to the victim; the DNS server responds to the request from the spoofed source; the DNS response is many times larger than the request; repeated many times]
Common Attack Vectors, Part 2
TCP Resource Exhaustion
- Take advantage of the stateful nature of the TCP protocol
- SYN, FIN, RST floods
- TCP connection attacks
- Exhaust resources in servers, load balancers, firewalls or routers
[Figure: client sends SYN(C); the listening server stores data (connection state, etc.) and replies SYN(S), ACK(C); repeated many times; the system runs out of TCP listener sockets or out of memory for stored state]

Application Layer Attacks
- Exploit limitations, scale and functionality of specific applications
- Can be low level and still be effective
- HTTP GET queries that return large files
- DNS requests that prompt many zone transfers
- Malformed HTTP, SIP, DNS requests
TCP Exhaustion Attacks
TCP Connection Attack
[Figure: client sends SYN(C); the listening server stores data (connection state, etc.) and replies SYN(S), ACK(C); client sends ACK(S); server waits, then is connected; little or no application data is sent over the established session; the system runs out of available connections]

TCP Connection FIN Attack
[Figure: client sends SYN(C); the listening server stores data (connection state, etc.) and replies SYN(S), ACK(C); client sends ACK(S); connected; client sends FIN(C); server replies FIN(S), ACK(C) and waits; no traffic is sent over the session and the connection is followed by an immediate FIN; the system runs out of available state resources]
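The two attacks above work because a conventional listener commits memory on every SYN and holds it until the handshake completes or times out. The following Python simulation is an added example, not code from the deck or from Arbor; it contrasts that stateful behaviour with a simplified SYN-cookie listener (the MSS encoding of real implementations is omitted, and the backlog size, secret and addresses are constructed). Under a burst of SYNs whose ACKs never arrive, the stateful listener's backlog fills and a legitimate client is refused, while the stateless listener keeps no per-SYN state and still completes the legitimate handshake.

```python
import hashlib
import hmac

BACKLOG = 128          # constructed: half-open entries the stateful listener will hold
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic handshake handling: state is allocated on every SYN and held until the ACK
    (or a timeout) arrives. That per-SYN allocation is the resource a SYN flood exhausts."""
    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}        # (src, sport) -> server ISN
        self.established = set()
        self._next_isn = 1000

    def on_syn(self, src, sport, client_isn, now):
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: the SYN is dropped, legitimate or not
        self._next_isn = (self._next_isn + 64000) & MASK32
        self.half_open[(src, sport)] = self._next_isn
        return self._next_isn

    def on_ack(self, src, sport, seq, ack, now):
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack != ((isn + 1) & MASK32):
            return False
        self.established.add((src, sport))
        return True


class SynCookieListener:
    """Stateless handshake (simplified SYN cookies): the server ISN is a keyed hash over the
    connection tuple, the client ISN and a coarse time slot, so nothing is stored until a
    valid ACK proves a reachable client sent the SYN."""
    def __init__(self, secret=b"constructed-demo-secret", slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds
        self.established = set()

    def _cookie(self, src, sport, client_isn, slot):
        msg = f"{src}|{sport}|{client_isn}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)   # 24-bit MAC, 8-bit slot

    def on_syn(self, src, sport, client_isn, now):
        # Reply with the cookie as ISN; no state is kept for this SYN.
        return self._cookie(src, sport, client_isn, int(now) // self.slot_seconds)

    def on_ack(self, src, sport, seq, ack, now):
        cookie = (ack - 1) & MASK32
        client_isn = (seq - 1) & MASK32
        slot = int(now) // self.slot_seconds
        for cand in (slot, slot - 1):    # accept the current and the previous slot
            if (cand & 0xFF) == (cookie & 0xFF) and self._cookie(src, sport, client_isn, cand) == cookie:
                self.established.add((src, sport))
                return True
        return False


def simulate(n_syns=1000, now=1_700_000_000):
    """Constructed scenario: a burst of SYNs whose ACKs never arrive, then one legitimate
    client. Returns whether the legitimate handshake completed on each listener."""
    results = {}
    for name, srv in (("stateful", StatefulListener()), ("syncookie", SynCookieListener())):
        for i in range(n_syns):
            srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 4242 + i, now)
        isn = srv.on_syn("192.0.2.7", 44000, 5555, now)
        ok = isn is not None and srv.on_ack("192.0.2.7", 44000, 5556, (isn + 1) & MASK32, now)
        results[name] = ok
    return results


if __name__ == "__main__":
    print(simulate())   # stateful listener refuses the real client, SYN-cookie listener accepts it
```

The same idea is what an IDMS "anti-spoofing" countermeasure applies in front of the servers: answer the SYN without committing state and only pass a source through once it has proven it can complete a handshake.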
Mitigating the effects of DDoS in the IDC
Shared, state-rich infrastructure exacerbates the DDoS issue:
- 69% of 2010 Arbor ISR IDC respondents saw DDoS attacks last year
- 46% see more than 10 DDoS attacks per month
- Collateral damage
IDCs can, and do, protect themselves:
- A combination of tools is used
- Need to be very careful how tools such as firewalls and IDS are used
- Security, and availability assurance, must be a part of the underlying design
Pervasive Security in an Age of Distrust
Security is the heart of internetworking's future; we have moved from an Internet of implicit trust to an Internet of pervasive distrust.
Network/application design = security; security = network/application design.
We can no longer differentiate networking and applications from security; they must be intertwined.
What is security? QoS? Routing? DNS? Web 2.0?
No packet can be trusted; all packets must earn that trust through a network device's ability to inspect and enforce policy.
Six Phases of Infrastructure Security
1. PREPARATION: Prep the network. Create tools. Test tools. Prep procedures. Train the team. Practice.
2. IDENTIFICATION: How do you know about the attack? What tools can you use? What's your process for communication?
3. CLASSIFICATION: What kind of attack is it?
4. TRACEBACK: Where is the attack coming from? Where and how is it affecting the network?
5. REACTION: What options do you have to remedy? Which option is the best under the circumstances?
6. POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?
Industry Best Current Practices (BCPs)
BCPs have been developed and evolved over time by security architects and security vendors.
The goal of BCPs is to prepare the network for the possibility of threats.
IDCs must take pro-active steps to implement BCPs to harden the network against threats.
Two types of BCPs:
- Network infrastructure based
- Host based
Network Infrastructure BCPs
Security capabilities built into routing/switching infrastructure: use it or lose it.
- iACLs: protect the control plane, reduce attack potential
- uRPF: reduce the impact of spoofing
- BGP policy: protect the routing control plane
- Black hole routing framework: source- and destination-based black hole routing, a very effective defense using fast-path resources
- Dedicated OOB management network
- Protect load balancers / firewalls / IDS from state exhaustion = design / iACLs / IDMS
- Flow export = pervasive visibility = context
- IDMS = protection against DDoS and traffic visibility
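To make the uRPF and black hole routing items concrete, here is an added Python model of a router's forwarding decision; it is not configuration from the deck or from any vendor, and the table of prefixes, interface names and addresses is constructed. It performs longest-prefix match over a FIB, applies strict or loose uRPF to the source address, and shows how installing a /32 route to a discard interface (RTBH) drops traffic to a victim (destination-based) or, combined with loose uRPF on the upstream port, traffic from a chosen source (source-based), all in the same fast-path lookup the router already does. One simplification to note: real implementations usually exclude the default route from strict-mode uRPF unless told otherwise, whereas this model treats every route alike.

```python
import ipaddress

NULL0 = "Null0"   # discard interface; a route pointing here drops in the forwarding path


class Fib:
    """Constructed forwarding table: longest-prefix match over (prefix, egress interface)."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def blackhole(self, prefix):
        """RTBH: install a route to the discard interface; it wins by normal longest-prefix match."""
        self.routes.append((ipaddress.ip_network(prefix), NULL0))


def urpf_check(fib, src, ingress, mode="strict"):
    """True if a packet from src arriving on ingress passes uRPF.
    strict: the best route back to src must leave via the ingress interface.
    loose:  any route to src is enough, but a route to Null0 fails (this is what makes S/RTBH work)."""
    egress = fib.lookup(src)
    if egress is None or egress == NULL0:
        return False
    return egress == ingress if mode == "strict" else True


def forward(fib, src, dst, ingress, urpf_mode):
    """Decide a packet's fate: 'drop-urpf', 'drop-blackhole', or the egress interface name."""
    if not urpf_check(fib, src, ingress, urpf_mode):
        return "drop-urpf"
    egress = fib.lookup(dst)
    if egress is None or egress == NULL0:
        return "drop-blackhole"
    return egress


def build_fib():
    return Fib([
        ("0.0.0.0/0", "Upstream0"),        # default route towards the Internet
        ("203.0.113.0/24", "Customer1"),   # hosted customer prefixes (constructed)
        ("198.51.100.0/24", "Customer2"),
    ])


def demo():
    fib = build_fib()
    r = {}
    # A customer port emitting a source outside its own prefix: strict uRPF drops it.
    r["spoof_strict"] = forward(fib, "192.0.2.9", "203.0.113.5", "Customer2", "strict")
    # Loose mode lets the same packet through, because some route (the default) covers the source.
    r["spoof_loose"] = forward(fib, "192.0.2.9", "203.0.113.5", "Customer2", "loose")
    # Legitimate traffic from the customer's own prefix.
    r["legit"] = forward(fib, "198.51.100.7", "203.0.113.5", "Customer2", "strict")
    # Destination-based RTBH: blackhole the victim host; everything to it is discarded.
    fib.blackhole("203.0.113.5/32")
    r["dst_rtbh"] = forward(fib, "198.51.100.7", "203.0.113.5", "Customer2", "strict")
    # Source-based RTBH: blackhole an offending source; loose uRPF on the upstream port then
    # drops its packets, while traffic to the (unblackholed) destination 203.0.113.6 still works.
    fib.blackhole("192.0.2.9/32")
    r["src_rtbh"] = forward(fib, "192.0.2.9", "203.0.113.6", "Upstream0", "loose")
    r["other_src_ok"] = forward(fib, "192.0.2.10", "203.0.113.6", "Upstream0", "loose")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} -> {v}")
```

The destination-based form sacrifices the victim address to protect the rest of the data center; the source-based form needs loose uRPF enabled on the ingress ports to take effect, which is why the deck lists uRPF and the black hole framework together.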
Visibility through Flow Telemetry
Flow technology provides visibility into normal network traffic.
- Flow is generated by existing network infrastructure
- Flow can be generated for IPv4, IPv6 and MPLS traffic
- Flow can be used as a means to detect threats as they occur
- Flow can provide contextual traffic information; this is KEY to understanding impact
Intelligent DDoS Mitigation Systems (IDMS)
General infrastructure and host BCPs provide general coverage for many of the threats that may impact a network.
Most DDoS attacks are designed to thwart general defenses:
- Use large, distributed botnets
- Employ lower-level, application-specific attacks
- Combine the above for obfuscation
IDMS are specifically designed to detect and mitigate these types of attacks using more advanced techniques.
- Firewalls are policy enforcement points, not built for DDoS; stateful firewalls can be manipulated by DDoS
- IPS equipment is built for pattern matching to detect vulnerabilities; DDoS often mimics legitimate traffic
- IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic-based techniques to separate malicious traffic from good traffic
IDMS Anomaly Detection
Can you see the anomaly in this picture?
IDMS Flow Based Detection Techniques
Baseline Detection
- Detecting shifts in traffic above what is normally seen
- Catches non-standard application/protocol floods, multi-victim attacks, application attacks, changes in GeoIP traffic mix
Misuse Detection
- Detecting host traffic that exceeds normally accepted Internet behavior
- Catches common attack vectors like SYN floods, ICMP floods, DNS floods
Fingerprint Detection
- Detecting known anomalous traffic behaviors indicative of a known threat: malware detection, specific packet size attacks
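The three detection techniques above, and the DNS reflection and SYN flood vectors from the attack-vector slides, can all be run over the same per-minute flow export. The Python below is an added example, not code from the deck or any IDMS product; its flow record is a constructed subset of the fields NetFlow/IPFIX carry, and the thresholds, addresses and the fingerprint signature are constructed. Baseline detection learns a per-destination byte volume over quiet minutes and flags excursions beyond mean + k standard deviations; misuse detection flags a SYN rate above a fixed pps limit and many distinct UDP/53 sources sending large responses to one destination; fingerprint detection matches flows against a known (protocol, port, bytes-per-packet) signature.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: the subset of NetFlow/IPFIX fields the detectors need."""
    minute: int      # one-minute export bucket
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    octets: int
    flags: str = ""  # cumulative TCP flags, "S" = only SYN ever seen in the flow


def baseline_alerts(flows, history_minutes, k=3.0):
    """Baseline detection: (dst, minute, octets) where per-destination volume exceeds
    mean + k*stddev of the volume learned over history_minutes."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst][f.minute] += f.octets
    alerts = []
    for dst, series in per_dst.items():
        hist = [series.get(m, 0) for m in history_minutes]
        mu, sigma = mean(hist), pstdev(hist)
        spread = max(sigma, 0.1 * mu)   # a perfectly flat baseline must not yield a zero threshold
        for m, total in sorted(series.items()):
            if m not in history_minutes and total > mu + k * spread:
                alerts.append((dst, m, total))
    return alerts


def misuse_alerts(flows, syn_pps=1000, min_reflectors=20, min_bytes_per_pkt=512):
    """Misuse detection: SYN rate per destination (SYN flood) and count of distinct UDP/53
    sources sending large packets to one destination (DNS reflection/amplification)."""
    syns = defaultdict(int)
    reflectors = defaultdict(set)
    dns_vol = defaultdict(lambda: [0, 0])   # [octets, packets]
    for f in flows:
        key = (f.dst, f.minute)
        if f.proto == "tcp" and f.flags == "S":
            syns[key] += f.packets
        elif f.proto == "udp" and f.sport == 53:
            reflectors[key].add(f.src)
            dns_vol[key][0] += f.octets
            dns_vol[key][1] += f.packets
    alerts = []
    for (dst, m), n in sorted(syns.items()):
        if n / 60 > syn_pps:
            alerts.append(("syn_flood", dst, m, n))
    for (dst, m), srcs in sorted(reflectors.items()):
        octets, pkts = dns_vol[(dst, m)]
        if len(srcs) >= min_reflectors and octets / pkts > min_bytes_per_pkt:
            alerts.append(("dns_reflection", dst, m, len(srcs)))
    return alerts


# Constructed fingerprint: a fixed-size UDP flood at a fixed destination port, keyed by name.
FINGERPRINTS = {"udp-80-29B": ("udp", 80, 29)}


def fingerprint_alerts(flows, fingerprints=FINGERPRINTS):
    """Fingerprint detection: flows matching a known (proto, dport, bytes-per-packet) signature."""
    return [(name, f.src, f.dst, f.minute)
            for f in flows
            for name, (proto, dport, bpp) in fingerprints.items()
            if f.proto == proto and f.dport == dport and f.octets == bpp * f.packets]


def sample_flows():
    """Constructed records: ten quiet minutes of web traffic, then a DNS reflection burst,
    a SYN flood, and a small fingerprinted flood, all aimed at one hosted address."""
    victim = "203.0.113.10"
    flows = [Flow(m, "198.51.100.5", victim, "tcp", 40000 + m, 443, 2000,
                  1_000_000 + 10_000 * (m % 3), "SA") for m in range(10)]
    flows += [Flow(10, f"192.0.2.{i}", victim, "udp", 53, 33000 + i, 100, 300_000) for i in range(1, 51)]
    flows += [Flow(11, f"192.0.2.{i}", victim, "tcp", 1024 + i, 80, 1000, 40_000, "S") for i in range(1, 201)]
    flows += [Flow(12, f"192.0.2.{i}", victim, "udp", 5000 + i, 80, 500, 14_500) for i in range(1, 6)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for a in baseline_alerts(flows, range(10)) + misuse_alerts(flows) + fingerprint_alerts(flows):
        print(a)
```

Baseline detection reacts to the reflection and SYN minutes because both dwarf the learned volume, but it says nothing about what the traffic is; misuse detection names the vector; fingerprint detection catches the small fixed-size flood that never moves the baseline at all. That is why an IDMS runs all three rather than relying on one.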
IDMS Mitigation Counter-Measures
Counter-measures: Static & Dynamic Packet Filters; Rate-limiting; Anti-Spoofing Mechanisms; Baseline Enforcement; Application-Level Countermeasures
Attack classes addressed: TCP Stack Flood Attacks; Generic Flood Attacks; Fragmentation Attacks; Application Attacks; Vulnerability Exploits
IDMS Stopping Attacks in the Right Place
Summary
- Threat severity and complexity continue to increase
- Attack size increases dramatically, impacting underlying network infrastructure
- Application layer attacks continue, with some new applications being targeted more frequently
- Firewall and IPS equipment represents critical points of failure during DDoS attacks; these products are commonly the targets of DDoS attacks
- Solutions must be put in place to deal with multiple DDoS attack vectors
- Security Best Current Practices (BCPs) exist to help operators address the growing DDoS threat
- IDMS is a key part of a DDoS detection and mitigation solution