1 / 16

Terabit Scale Edge DDoS Protection

Explore the evolution of DDoS attacks and the need for advanced protection. Discover how leveraging edge devices can provide always-on defense at unprecedented scale.

ealbert
Download Presentation

Terabit Scale Edge DDoS Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Terabit ScaleEdge DDoS Protection Peter CutlerSenior Systems Engineer

  2. Is DDoS Still on the increase? 500 Gbps Hong Kong attackFrance swarmed after terror attackPlayStation & Xbox hit at Christmas Mirai BotnetOVH / Krebs / DYN600 Gbps -> 1Tbps MemcachedGitHub1.35-1.7Tbps Anon hits Churchof Scientology RioOlympics 540 Gbps Spamhaus attack: Reported to reach 310 Gbps Reaper Botnet2M Devices Spammers discoverbotnets First Hacktivists: Zapatista National Liberation Army ProtonMail attack Estonia: Parliament, banks, media, Estonia Reform Party Coordinated US bank attacks: Grew to 200 Gbps,and continue today DoS forNotoriety 2019?? 2005 2007 2009 2011 2013 2015 2016 2017 2018 1993 …

  3. DDoS Evolution in 2018 • High Bandwidth • memcached exceeds 1Tbps, routinely > 100Gbps • Botnets • Mirai (and its many known variants) • IoT (100s of Millions of easy to recruit devices) • Multivector • 10+ vectors, Additive + Variation + Spray/Subnet • Booter/Stresser Services • the “10 minute” attack and pulsed attacks

  4. Key Trends Statistically: Frequent, Low Volume, Short Duration Attacks dominate • DDoS is an evolving and increasing threat • Example statistics across Corero customer networks Corero Full Year 2018 Trends Report:https://www.corero.com/resources/reports/corero-full-year-2018-ddos-trends-report-/

  5. SP/Telco DDoS Scrubbing Protection DDoS attacksarriving fromtransit/peering Good traffic destined for subscribers SP SP SP ingress from transit/peering ServiceProvider egress to subscribers DDoS victims DDoS victims

  6. SP/Telco DDoS Scrubbing Redirect DDoS attacksarriving fromtransit/peering Good traffic destined for subscribers SP SP SP ingress from transit/peering NetflowDetect(out-of-band) ServiceProvider egress to subscribers DDoS victims DDoS victims

  7. SP/Telco Large DDoS Attack Blackhole DDoS Attacksarriving fromtransit/peering SP SP SP ingress from transit/peering BGP redirect NetflowDetect(out-of-band) note: Some Providers will have multiple scrubbing centers for Geos, redundancy, backhaul reasons. ScrubbingCapacity(<10% edge capacity) ServiceProvider egress to subscribers Good traffic tunneled to edge or customer Good traffic tunneled to edge or cust

  8. Scrubbing Approach Increasingly Challenged Size of Attack BlackholeZone(some FlowSpec) Provider Edge Capacity 100s of Gbps to multiple Terabits/sec Provider RTBH Mitigation Manual instantiation of blackholes with target offline for duration of attack Attacks Partial Protection(needs to be > 10%) Scrubbing Zone Number of Attacks

  9. How to Improve?Enhanced Accuracy + Speed of DDoS Detection/Mitigation DDoS Attack Over Scrubbing Capacity Succeed! Flow Monitoring • Aggregation delay • Attack overload • Header only BGP/RTBH/FlowSpec • BGP propagation • Header only • Limited visibility Sampled Mirror • Immediate forwarding • Scales with attack • Header and payload ACL Filters • Rapid configuration • Header and payload • Streaming telemetry

  10. New Opportunity for Edge Mitigation • Monitor • Inspect • Detect • Report / Signal • Mitigate Network Edge NOC/SOC Sampled Mirror (1:N) Seconds Sampled Mirror (tuple + payload) Streaming Telemetry Ingress Traffic Egress Traffic Filter Generation (tuple + payload) Dynamic Filter (tuple + payload) Detection Mitigation

  11. Full Edge Capacity Mitigation Size of Attack BlackholeZone Provider Edge Capacity 100s of Gbps to multiple Terabits/sec<1% of attacks need to be blackholed 100% Edge Protection Provider EdgeMitigationZone Scales to Tens of Terabits of DDoS Protection Provider Edge Mitigation Leverage real-time data and analytics to deliver intelligent automation Attacks Provider Scrubbing Capacity >90% attacks mitigated at Provider Edge<10% redirected to scrubbing Scrubbing Zone Number of Attacks

  12. Total Provider Edge DDoS Protection DDoS Attacksarriving fromtransit/peering Internet SP SP SP ingress from transit/peering netconf ServiceProvider egress to subscribers Good traffic to edge or cust Good traffic to edge or cust

  13. Example Edge Filtering with Juniper MX • Matching Firewall-type rules with defined actions • Filters entered manually, or programmatically via netconf API • Unique ID for each filter provides statistics via remote telemetry

  14. Summary • DDoS as a whole still on the Increase • Attack Methods/Vectors more Sophisticated • Emerging trend for increase in proportion of larger attacks • Traditional Scrubbing/RTBH Protection. Industry is moving on • Typically too slow to react to avoid damage, or completes attack • Wastes core network bandwidth backhauling junk DDoS traffic • New Opportunity for Protection on Network Edge Devices • Leverage built-in power of latest infrastructure devices • No need to insert new devices at every ingress point • Deliver always-on protection at edge capacity up to unprecedented scale • Can operate as an overlay to existing scrubbing centers • Deploy filters automatically from DDoS protection solution

  15. Questions?

  16. Thank You!

More Related