DDoS Detection & Mitigation: Radware Solution
Igor Urosevic, Head of Technical Department SEE, CCIE #26391, Ingram Micro Inc. 1
Agenda
- DDoS attack overview
- Main points of failure
- Key challenges today
- DDoS protection strategies
- Radware DDoS solution: detection & mitigation 2
DDoS attacks - history
- 1996: the first SYN flood attack
- 1997-1998: the well-known Smurf attack
- 1999: the first large-scale DDoS attack; an attacker took the University of Minnesota offline for more than two days using master-and-daemon controlled machines
- 2002: all 13 Internet root DNS servers were attacked
- 2016: the largest DDoS attack in history to date, around 600 Gbps; one of the largest regional operators in the region suffered significant downtime 3
DDoS attacks today
- Sophisticated multi-vector attacks
- Duration: from a few minutes up to several months
- Growth of network-layer attacks relative to application-layer attacks
- Impact level: about 60% of DDoS attacks result in service degradation
- Knowing the limits of your own infrastructure is an important factor in deciding which DoS safeguard is needed 4
YoY diversity of attack vectors (chart) 5
The threat landscape 6
Internet Pipe - #1 Failure Point 7
Key challenges today (according to Gartner):
- Many organizations lack the technical expertise and the operational experience to respond effectively to DDoS attacks
- Business leaders and IT leaders often fail to communicate well during the critical early stages of a DDoS attack
- DDoS toolkits have made it possible for individuals with little technical knowledge to launch attacks 8
DDoS protection strategies
- On-site DDoS protection
  - Enterprise solutions: inline detection and mitigation
  - Service-provider solutions: out-of-path mitigation with a scrubbing centre
- Cloud DDoS protection: a DDoS vendor's cloud (AWS, Akamai, CloudFlare, Neustar, Incapsula, ...)
- Hybrid solutions: both on-premise and cloud DDoS protection 9
On-site deployment models
- Inline deployment
  - Detection based on full L7 traffic inspection
  - Suitable for enterprises and banks
  - Higher security protection
  - Lower scalability
- Out-of-path deployment
  - Detection based on L3/L4 information (NetFlow)
  - BGP redirection of the attacked prefix to the scrubbing centre
  - Clean traffic injected back through a tunnel (GRE, VPN)
  - High scalability
  - Option to divert sensitive traffic through DefensePro permanently 10
Radware DDoS solution
Radware components:
- DefensePro: hardware DME (DoS Mitigation Engine) and SME (String Match Engine) with an integrated stateful IPS, reputation engines, network behavioral analysis
- DefenseFlow: L3/L4 traffic analysis based on NetFlow
- APSolute Vision: centralized device management with SIEM-like functionality
- DefensePipe: Radware's cloud-based offering
- Radware Emergency Response Team (ERT) 11
DefensePro Real Time Attack Mitigation 12
DefensePro Product Line 13
Flood attack protection
- Connection limits
  - Protect against connection flood attacks
  - Require manual tuning and monitoring; generate false positives
  - Last line of defense
- SYN flood protection
  - Prevents SYN flood attacks using SYN cookies / safe reset
  - Low CPU requirements
  - Highly accurate protection, but only against SYN floods
- Behavioral DoS
  - Detects and prevents zero-day DoS/DDoS attacks
  - Most CPU-intensive; low false-positive rate
  - Used for floods, NOT for single-packet attacks 14
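Why SYN cookies give SYN-flood protection at low CPU cost: the server encodes everything it needs into the SYN-ACK sequence number and keeps no half-open state, so spoofed SYNs cannot exhaust a backlog, and only a client that actually received the SYN-ACK can produce a valid final ACK. The following is an added illustrative example in the spirit of the Linux cookie layout; it is not Radware's or the Linux kernel's code, and the secret key, the MSS table, the 5-bit time counter and the constructed addresses are assumptions.

```python
"""
Toy SYN-cookie scheme (added example, not vendor code).
32-bit ISN layout: 5 bits time slot | 3 bits MSS-table index | 24 bits keyed hash.
The server stores nothing on SYN; the cookie itself is the connection state.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"per-boot-random-secret"        # assumption: random per boot, never reused
MSS_TABLE = (536, 1220, 1440, 1460)       # assumption: the MSS values we can encode (3 bits free)


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash binding the cookie to the IPv4 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, t & 0x1F)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, t):
    """ISN to send in the SYN-ACK for a received SYN; nothing is stored server-side."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            mss_idx = i                   # largest table entry not above the client's MSS
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_cookie(saddr, daddr, sport, dport, ack_num, now_t, max_age=2):
    """Validate the client's final ACK. Returns the negotiated MSS, or None if bad or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (now_t - t) & 0x1F > max_age:     # time slot too old (5-bit wrap-around arithmetic)
        return None
    if h != _hash24(saddr, daddr, sport, dport, t):
        return None                       # forged ACK or 4-tuple mismatch
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def simulate(n_spoofed_syns=100_000, t=7):
    """Spoofed SYNs each get a SYN-ACK but leave no state; one real client still connects."""
    half_open = {}                       # what a stateful backlog would have been filled with
    for i in range(n_spoofed_syns):      # constructed flood from spoofed 203.0.113.0/24 sources
        make_cookie(f"203.0.113.{i % 254 + 1}", "198.51.100.10", 1024 + i % 60000, 443, 1460, t)
        # intentionally no half_open entry: the cookie replaces the backlog slot
    isn = make_cookie("192.0.2.33", "198.51.100.10", 51515, 443, 1460, t)
    mss = check_cookie("192.0.2.33", "198.51.100.10", 51515, 443, (isn + 1) & 0xFFFFFFFF, t + 1)
    return {"half_open_entries": len(half_open), "legit_mss": mss}


if __name__ == "__main__":
    print(simulate())
```

The caveat the slide makes is visible in the code: the check only proves that the peer received the SYN-ACK, so it defeats spoofed SYN floods and nothing else, and the 24-bit hash means a blind guess succeeds with probability 2^-24 per ACK, which is why real implementations also keep the time window short.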
Behavioral DDoS protection
Behavioral analysis:
- Detects and prevents zero-day DDoS attacks
- Most CPU-intensive
- Low false positives thanks to Radware's proprietary algorithm
- Creates real-time signatures, mainly from L3 and L4 characteristics
Metrics for signature creation: source/destination address, TTL, source/destination port, DNS query, packet size, packet ID, type of service, TCP sequence number, fragment offset, and 20 more 15
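To make the behavioral idea concrete: learn a baseline of traffic rate and of the distribution of a few L3/L4 characteristics, raise an alarm only on a rate anomaly, and then build a real-time blocking signature from the characteristic values whose share of traffic jumped compared with the baseline. The code below is an added toy model written for this page, not Radware's algorithm; the field set (a subset of the metrics listed on the slide), the thresholds and the constructed packet records are assumptions.

```python
"""
Miniature behavioral DDoS detector (added example, not Radware's algorithm).
1. learn_baseline(): packet rate and per-field value distribution of normal traffic
2. analyze_window(): rate anomaly gate, then per-field distribution shift -> signature
3. evaluate(): how much of the window the signature drops, and its false-positive rate
"""
import random
from collections import Counter

FIELDS = ("proto", "ttl", "size", "dport")   # assumption: subset of the slide's L3/L4 metrics


def normal_packet(rng):
    """Constructed legitimate web traffic: TCP to 80/443, varied TTL and size."""
    return {"proto": "TCP", "ttl": rng.randint(48, 64),
            "size": rng.choice((60, 120, 576, 1400, 1500)),
            "dport": rng.choice((80, 443)),
            "src": f"198.51.100.{rng.randint(1, 254)}"}


def flood_packet(rng):
    """Constructed flood: fixed-size UDP to port 53, TTL 128, spoofed sources."""
    return {"proto": "UDP", "ttl": 128, "size": 64, "dport": 53,
            "src": f"203.0.113.{rng.randint(1, 254)}"}


def shares(packets, field):
    """Fraction of packets carrying each value of `field`."""
    counts = Counter(p[field] for p in packets)
    n = len(packets) or 1
    return {v: k / n for v, k in counts.items()}


def learn_baseline(windows):
    """Average packets per window plus the value distribution of every field."""
    all_pkts = [p for w in windows for p in w]
    return {"pps": sum(len(w) for w in windows) / len(windows),
            "dist": {f: shares(all_pkts, f) for f in FIELDS}}


def analyze_window(baseline, window, rate_factor=3.0, min_shift=0.3):
    """Return a blocking signature (field -> value) for an anomalous window, else None."""
    if len(window) <= rate_factor * baseline["pps"]:
        return None                              # no rate anomaly: never build a signature
    sig = {}
    for f in FIELDS:
        cur, base = shares(window, f), baseline["dist"][f]
        value, growth = max(((v, s - base.get(v, 0.0)) for v, s in cur.items()),
                            key=lambda x: x[1])
        if growth >= min_shift:                  # this value now dominates versus baseline
            sig[f] = value
    return sig or None                           # rate up but same mix: legitimate burst


def matches(pkt, sig):
    return all(pkt.get(f) == v for f, v in sig.items())


def evaluate(sig, baseline_windows, window):
    """(fraction of the window dropped, fraction of baseline traffic the signature would drop)."""
    base = [p for w in baseline_windows for p in w]
    dropped = sum(matches(p, sig) for p in window) / len(window)
    false_positive = sum(matches(p, sig) for p in base) / len(base)
    return dropped, false_positive


def run_demo(seed=7):
    rng = random.Random(seed)
    baseline_windows = [[normal_packet(rng) for _ in range(200)] for _ in range(5)]
    baseline = learn_baseline(baseline_windows)
    quiet = [normal_packet(rng) for _ in range(200)]                 # normal window
    burst = [normal_packet(rng) for _ in range(700)]                 # 3.5x legitimate burst
    attack = [normal_packet(rng) for _ in range(200)] + [flood_packet(rng) for _ in range(2000)]
    sig = analyze_window(baseline, attack)
    dropped, fp = evaluate(sig, baseline_windows, attack)
    return {"quiet": analyze_window(baseline, quiet),
            "burst": analyze_window(baseline, burst),
            "signature": sig, "dropped": dropped, "false_positive": fp}


if __name__ == "__main__":
    print(run_demo())
```

The two gates are what keep false positives low: a legitimate burst passes the rate check but produces no signature because its characteristic mix matches the baseline, while the flood is characterized by the conjunction of values (UDP, TTL 128, 64 bytes, port 53) that did not exist in the baseline. Source address is deliberately left out of the signature fields here because a spoofed flood makes it useless. The same limitation the slide states applies: an attack that needs only one well-formed packet produces no distribution shift to learn from.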
Legitimate user activity example 16
Attacker user activity example 17
SSL flood protection 18
Multivector attacks target all layers of infrastructure 19
Thank you! 20