DDoS Protection in Backbone Networks

Similar documents
DDoS Protection in Backbone Networks Deployed at Trenka Informatik AG (

Flow-based Traffic Visibility

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Network Security Monitoring with Flow Data

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

DDoS Detection&Mitigation: Radware Solution

Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER

Driving Network Visibility

GARR customer triggered blackholing

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

TDC DoS Protection Service Description and Special Terms

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE

Growing DDoS attacks what have we learned (29. June 2015)

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Comprehensive datacenter protection

Intelligent Programmatic Peering Summary Report

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

F5 DDoS Hybrid Defender : Setup. Version

HOW TO ANALYZE AND UNDERSTAND YOUR NETWORK

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Border Gateway Protocol - BGP

Clean Pipe Solution 2.0

Andrisoft Wanguard. On-premise anti-ddos solution. Carrier-grade DDoS detection and mitigation software. Product Data Sheet Wanguard 6.

Advanced Attack Response and Mitigation

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Cisco Security Monitoring, Analysis and Response System 4.2

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

Cisco DDoS Solution Clean Pipes Architecture

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

Denial of Service Protection Standardize Defense or Loose the War

FortiDDoS Deployment Guide for Cloud Signaling with Verisign OpenHybrid

DDoS Mitigation & Case Study Ministry of Finance

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

A Security Orchestration System for CDN Edge Servers

Flowmon. IPv6 Summit & SINOG mee=ng Andrej Vnuk, network&security

Data Plane Protection. The googles they do nothing.

FlowMon ADS implementation case study

Distributed Denial of Service

TALK. agalaxy FOR THUNDER TPS REAL-TIME GLOBAL DDOS DEFENSE MANAGEMENT WITH A10 DATA SHEET DDOS DEFENSE MONITORING AND MANAGEMENT

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See

Scrutinizer Flow Analytics

Inline DDoS Protection versus Scrubbing Center Solutions. Solution Brief

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

haltdos - Web Application Firewall

OpenFlow DDoS Mitigation

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

A10 DDOS PROTECTION CLOUD

NETWORK DDOS PROTECTION STANDBY OR PERMANENT INFRASTRUCTURE PROTECTION VIA BGP ROUTING

VMworld disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no

Unicast Reverse Path Forwarding Loose Mode

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

The information in this document is based on Cisco IOS Software Release 15.4 version.

Next Generation Network Traffic Monitoring and Anomaly Detection. Petr Springl

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Silverline DDoS Protection. Filip Verlaeckt

Case study: NBA as a Service at GÉANT

OpenFlow: What s it Good for?

SDN Applications and Use Cases. Copyright 2015 ITRI

Distributed Denial of Service (DDoS)

Data Sheet. DPtech Anti-DDoS Series. Overview. Series

Corrigendum 3. Tender Number: 10/ dated

IBM Aurora Flow-Based Network Profiling System

Check Point DDoS Protector Introduction

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

RIPE75 - Network monitoring at scale. Louis Poinsignon

Chapter 10: Denial-of-Services

Internet2 DDoS Mitigation Update

Cisco Virtual Networking Solution for OpenStack

Configuring DDoS Prevention

Trisul Network Analytics - Traffic Analyzer

DoS Mitigation Strategies

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

McAfee Network Security Platform 8.3

Network Policy Enforcement

SANGFOR AD Product Series

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Flow-based Accounting: Applications and Standardisation

Introduction to Network Address Translation

Introduction to IP Routing. Geoff Huston

Flows at Masaryk University Brno

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4

Cisco Firepower with Radware DDoS Mitigation

Check Point DDoS Protector Simple and Easy Mitigation

Always Keep IT Purely Simple

Monitoring and Threat Detection

Introduction to BGP ISP/IXP Workshops

CISCO DDoS MITIGATION SERVICE PROVIDER SOLUTIONS

Cisco Performance Routing

Routing on the Internet. Routing on the Internet. Hierarchical Routing. Computer Networks. Lecture 17: Inter-domain Routing and BGP

Thunder TPS. Overview. A10 Networks, Inc.

SANGFOR AD Product Series

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Protection Against Distributed Denial of Service Attacks

Brocade Flow Optimizer

F5 Synthesis Information Session. April, 2014

Transcription:

DDoS Protection in Backbone Networks The Czech Way Pavel Minarik, Chief Technology Officer Holland Strikes Back, 3 rd Oct 2017

Backbone DDoS protection Backbone protection is specific High number of up-links, network perimeter is wide Massive throughputs dozens or hundreds of Gbps In-line solution is out of question! flow export 1. Flow collection 2. DDoS detection 3. Routing control 4. Mitigation orchestration Detection based on flow analysis and out-of-path mitigation Simple and cost-efficient solution for backbones Prevents volumetric attacks to reach enterprise networks

What is Flow Data? Modern method for network monitoring flow measurement Cisco standard NetFlow v5/v9, IETF standard IPFIX Focused on L3/L4 information and volumetric parameters Real network traffic to flow statistics reduction ratio 500:1 Flow data

Flow-Enabled Devices Network equipment (routers/switches) Traditional capability known for many years Firewalls, UTMs, load balancers, hypervisors Ongoing initiative of majority of vendors Packet brokers and matrix switches Convenient option

Attack Detection For each segment, a set of baselines is learned from real traffic Attack is detected if the current traffic exceeds defined threshold Baseline is learned for: TCP traffic with specific flags UDP traffic ICMP traffic

Attack Reporting Start/end time Attack target Type and status Traffic volumes during attack/peace time Attack targets (top 10 dst IPs, source subnets, L4 protocols, TCP flags combinations )

Response to Attack Alerting E-mail, Syslog, SNMP trap Routing diversion PBR (Policy Based Routing) BGP (Border Gateway Protocol) BGP Flowspec RTBH (Remotely-Triggered Black Hole) User-defined scripting Automatic mitigation With out-of-band mitigation devices With services of Scrubbing centers

DDoS Protection Scenario 1 Out-of-path Mitigation

Out-of-Path Mitigation Anomaly Detection Mitigation Enforcement Dynamic Protection Policy Deployment incl. baselines and attack characteristics Traffic Diversion via BGP Route Injection Scrubbing center Flow Data Collection Learning Baselines Attack Attack path Clean path Protected Object 1 e.g. Data Center, Organization, Service etc Internet Service Provider Core Protected Object 2

DDoS Protection Scenario 2 Mitigation with BGP Flowspec

BGP Flowspec Based on dynamic signature of the attack Provides specific action to take with network traffic BGP Flowspec rules are based on Destination Prefix Source Prefix IP Protocol Destination port ICMP type ICMP code

BGP Flowspec Scenario Anomaly Detection Mitigation Enforcement Sending specific Route advertisement via BGP FlowSpec Dynamic signature: Dst IP: 1.1.1.1/32 Dst Port: 135 Protocol IP: 17 (UDP) Discard Flow Data Collection Learning Baselines Attack Protected Object 1 e.g. Data Center, Organization, Service etc Internet Service Provider Core Protected Object 2 Dropped traffic for Dst IP: 1.1.1.1/32 Dst Port: 135 Protocol IP: 17 (UDP)

Use Case: Carrier Grade Anti-DDoS ČD Telematika AntiDDoS Service

ČD Telematika and its Core Infrastructure CORE CONNECTIVITY 4x 10Gb/s NIX 3x10 Gb/s global transit 4x10Gb/s Google CONNECTED NETWORKS 180+ CONTRACTED TRAFFIC 90 Gb/s REAL PEAK TRAFFIC 50 Gb/s in 10Gb/s out

Why do we care about DDoS attacks on backbone? Attacks of multiple Gb/s hitting our customers No one is capable of handling volumes of Nx their port speed Cooperation with the ISP is a must Current solution based on filters and RTBH is insufficient

ČDT AntiDDoS Service Operated since July 2015 Attack detection and re-routing with Flowmon DDoS Defender 40 Scrubbing center for traffic cleaning is Radware DefensePro, 10Gbps of legitimate traffic + 12Gbps of attack Protection against volumetric attacks

ČDT-ANTIDDoS: Deployment scheme upstream upstream peering aggregation access upstream Protected Objects e.g. Data Center, Organization, Service etc REST API Access networks upstream upstream upstream

A real customer case study Local ISP ČDT customer since 2007 1Gbps connectivity no experience with attacks so far A month of constant stream of attacks!

A real customer case study 706 628 304 The Largest The Longest 706 different attacks, always multiple attacks in parallel 89% (628) attacks from multiple IPs 43% (304) attacks targeted multiple IPs The largest attack up to 19 Gbps (UDP flood) The longest lasting attack 2:42h (DNS flood)

One month under attack From internet to the scrubbing center From the scrubbing center to the customer Daily averages

ČDT-ANTIDDoS: Service options Always available Always on Emergency scrubbing Normal path doesn t go through the scrubbing center Attack detection by Flowmon Re-routing to the scrubbing center Attack mitigation starts within max 4 minutes since attack start Traffic always goes trough the scrubbing center Attack mitigation starts within max 1 minute since attack start Not under contract activated by NOC ondemand Limited to 12 hours of scrubbing, max. 3x per annum

Automation All the manual work is no longer necessary Entire process is fully automated, admins only receive a notification Speed No need for human communication, alerting, process control Automated reporting for the attack start and end Reliability In principle, nature of the deployment doesn t leave a space for errors Benefits and Experience

Summary Flow data enable quick detection and response to DDoS attack (primarily volumetric) Appropriate aggregation rates and sufficient detail Detection and mitigation can be automated We can t get rid of all attacks, but their impacts can be reduced

Thank you Performance monitoring, visibility and security with a single solution Pavel Minarik, Chief Technology Officer pavel.minarik@flowmon.com, +420 733 713 703 Flowmon Networks a.s. Sochorova 3232/34 616 00 Brno, Czech Republic www.flowmon.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback