Advanced Attack Response and Mitigation


Agenda
Overview of cloud DDoS detection and mitigation, which features geographically diverse scrubbing and high-velocity auto-mitigation capabilities.
- Overview
- Architecture & Deployment
- Trends
- Auto-mitigation Approach

Overview

[Network map: Comcast national backbone built on CRS-1 and CRS-8 routers, 9 CRANs in total, with sites at Seattle, Portland, Eugene, San Jose, Reith, Tionesta, Sacramento, Bakersfield, Los Angeles, Boise, Edison, Ogden, Denver, Tucson, Stratford, Omaha, Centerview, St. Louis, Chicago, Indianapolis, Rocky Ford, Louisville, Nashville, Little Rock, Detroit, Cleveland, Pittsburgh, Raleigh, Atlanta, Charlotte, Toronto, Montreal, Philadelphia, McLean, New York, Boston, Dallas, Santa Teresa, Orlando and Miami. Edges show Internet peering, content providers, telcos (QWEST), MSOs, and HFC commercial, MDU and residential access; layers labelled Third Party, National/Global, Metro, Access, CP.]

Considerations
- Do we need this?
- Are we under attack?
- Why don't we ask them to stop?
- More harm than good?
- Who's responsible? Ambiguity around response
- Do we have the capability to take specific action for impacted customers?
- What types of actions should be taken (with and without authorization)?
- How do we strike the balance between risk mitigation and availability?
- Overall DDoS needs to be evaluated
- Historically, such events or traffic simply got blocked or shut down
- Today, such events get detected or escalated; mitigation is not easy
- Slightly easier on the Residential side (tolerance for service outage)

Solution
Detection Architecture
- Heavily reliant on Netflow for traffic analysis
- Leverage flow replication to redistribute Netflow to the appropriate tools for analysis
- Monitor DDoS Host Detection for the entire footprint: X-services and beyond (Xfinity)
Mitigation Architecture
- Auto vs. Manual
- Real-Time Blackhole (RTBH) to drop DDoS by either source or destination
- Sinkhole: cloud-based DDoS solution; BGP off-ramping for surgical mitigation. It also includes packet sniffing and analysis
- Ability to mitigate DDoS attacks for any customers residing on Comcast networks

Architecture

[Diagram: Comcast Backbone AS79 with peers, CR/PE routers, CMC and CH; multi-hop eBGP sessions from the blackhole servers BHS01 and BHS0 to CR/PE and AR routers in the regional sub-ASes 65xxx+1, 65xxx+n-1 and 65xxx+n.]

Flow collection coverage
- Backbone (55 routers / 1156 interfaces): 819 sampled; all IBONE routers
- Service Delivery (80 routers / 40k interfaces): 819 sampled; all AR routers
- National Data Center (15 routers / k interfaces): 18 sampled; Layer 7 application visibility (flow sensor)
- Enterprise (471 routers / 4k interfaces): 18 sampled; Layer 7 application visibility with (flow sensor)

Platform
- UI, Controller, HA, Scrubbing
- 18 x Collector Appliances
- 8 x Flow Sensors
- 10 Router Capacity: 16 of 10 routers
- 74,050 of 50,000 interfaces
- 607 of 1000 MOs
- .M BGP routes of 610M
- IPv6 capable
- *PI for High Availability

[Diagram: scrubbing centers at San Jose CA, NYC NY, Atlanta GA, Chicago IL, Los Angeles CA and Ashburn VA; Threat Centers attached to Core and P/E routers on the Comcast Backbone, Detection at the Core, and Customers reached through CRANs.]

Trends

Attack Protocol Distribution
- Majority is volumetric or flood attacks
- Large botnets or spoofed IPs generate a lot of traffic (bps or pps)
- 99% is UDP-based floods from spoofed IPs, taking advantage of the connectionless UDP protocol
- Take out the infrastructure capacity: routers, switches, servers, links

Common DDoS Attacks
- Universal Plug and Play (SSDP 1900)
- Network Time Protocol (NTP 1)
- Simple Network Management Protocol (SNMP 161)
- Chargen (19)
- ICMP Flood (0)

Common DDoS Attacks
- HTTP over UDP (80, 44, 8080, 8081, etc.)
- DNS (5)
- Xbox (074)
- UDP Fragmentation Based Attacks (0)
- TCP Syn Flood (very small)

ASN Attack Detail

Attack Size
- Large SSDP (UDP 1900) attacks over 100G observed in May 014
- Large DNS attack close to 00G observed in March 015

Typical Month (September)
- Attacks: 10,000 or more
- Attacks >100Gbps: 97, a 746% increase in this reporting period
- Cases Mitigated: 8,151, over 0+ Trillion Packets Scrubbed
- Commercial Cases: 44% of mitigated attacks were for Commercial (BCS) users

Global Benchmarks
- Comcast attack size distribution is very different from world-wide
- Much higher percentage of events over 1Gb/sec
  - 1.1% vs 48.8% in Q1
  - 15.% vs 50.1% in Q
- Much higher proportion of events over 10Gb/sec
  - 1.76% vs 5.56% in Q1
  - 0.9% vs 4.49% in Q
[Charts: "World 014 Q Size Break-Out, BPS" and "Comcast 014 Q Size Break-Out, BPS", bins <500Mbps, >500Mbps<1Gbps, >1<Gbps, ><5Gbps]

Auto-Mitigation

Anomaly Types
- Misuse Anomalies: traffic of a certain type directed towards an individual host that exceeds what should normally be seen on a network
- Profiled Anomalies: customized detection event tailored to specific conditions within
- Fingerprints.0: fingerprints received via ATF, FSA, or traffic that matches a user-specified signature

Alert Generation
1. Detection: real-time discovery of deviant traffic
   - Traffic that deviates from acceptable Internet use (Misuse)
   - Traffic exceeding normal levels for a resource (Profiled)
   - Traffic that matches user-specified threat patterns (Fingerprint)
2. Classification: sets a level of importance for detected anomalies
   - Misuse: based on static thresholds
   - Profiled: based on auto classification or administrator-configured high-severity traffic rates
   - Helps determine which anomalies to give precedence
   - Three classification levels: High severity (Red), Medium severity (Orange), Low severity (Green)
   - Once an alert has been detected and classified, its severity can only go up
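The misuse path above (a static per-host threshold on sampled Netflow, three severity colours, severity that only rises) as an added Python example; it is not code from the presentation, and the sampling ratio, thresholds and flow records are constructed sample values:

```python
"""Misuse detection over sampled flow records with Red/Orange/Green classification.

Added illustration, not Comcast's tooling. The UDP source ports come from the
deck's list of common reflection sources; thresholds and flows are made up.
"""
from collections import defaultdict

# UDP services the deck lists as common flood sources (src_port -> name).
AMPLIFIER_PORTS = {1900: "SSDP", 161: "SNMP", 19: "Chargen"}

# Static pps thresholds per severity, highest first (assumed sample values).
THRESHOLDS_PPS = [(1_000_000, "Red"), (200_000, "Orange"), (50_000, "Green")]
SEVERITY_RANK = {"Green": 1, "Orange": 2, "Red": 3}

# Constructed sampled-flow records: (dst_ip, proto, src_port, packets, duration_s)
SAMPLE_FLOWS = [
    ("203.0.113.10", "udp", 1900, 240, 2),   # SSDP toward one host
    ("203.0.113.10", "udp", 161, 60, 2),     # SNMP toward the same host
    ("203.0.113.20", "udp", 19, 30, 5),      # Chargen at a modest rate
    ("203.0.113.30", "tcp", 443, 5000, 5),   # ordinary TCP, not a misuse type here
]


def host_pps(flows, sample_rate=1000):
    """Estimated reflected-UDP packets/sec per destination host.

    Exports are sampled, so observed packets are scaled by the sampling ratio
    (assumed 1:1000 here) before dividing by the flow duration."""
    pps = defaultdict(float)
    for dst, proto, sport, pkts, secs in flows:
        if proto == "udp" and sport in AMPLIFIER_PORTS and secs > 0:
            pps[dst] += pkts * sample_rate / secs
    return dict(pps)


def classify(pps):
    """Map a rate to Red/Orange/Green by static threshold, or None if below all."""
    for limit, level in THRESHOLDS_PPS:
        if pps >= limit:
            return level
    return None


def update_alerts(alerts, flows, sample_rate=1000):
    """Merge one interval's detections into alerts; a host's severity never drops."""
    for dst, rate in host_pps(flows, sample_rate).items():
        level = classify(rate)
        if level is None:
            continue
        current = alerts.get(dst)
        if current is None or SEVERITY_RANK[level] > SEVERITY_RANK[current]:
            alerts[dst] = level
    return alerts
```

Feeding successive export intervals through `update_alerts` keeps the per-host alert at its highest classification seen, which is the "severity can only go up" rule.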

Looking Ahead
- Looking at VRF as an option for on-ramping/reinjecting the traffic
- IPv4/IPv6 transparent routing and mitigation
- Use VRF where you can; avoid GRE if you can
- Ease the pain of the high maintenance of GRE
- Possibly leverage the BGP dynamic route leaking feature or MPLS VPN to import routes from the global/default (dirty) VRF routing table into the non-default (clean) VRF routing table

Lessons Learned
- Know your monitoring
- Trust your tools and telemetry
- Test often
- Not all vendors are created equal
- Track everything and kill what you need to