Eldad Chai, VP Product
Preparing for the Terabit Scale DDoS Attack

DNS and Infrastructure DDoS Protection

DNS Protection safeguards Incapsula clients’ DNS servers, while also accelerating DNS responses.
Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widens Incapsula's security perimeter, allowing it to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.

Transcript of "DNS and Infrastructure DDoS Protection"

    1. Eldad Chai, VP Product. Preparing for the Terabit Scale DDoS Attack
    2. Agenda
       • Network DDoS trends
       • Is a Terabit DDoS imminent?
       • A DDoS resilient network
       • Infrastructure and DNS protection
       Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.
    3. Where do we stand today?
       [Chart: share of attacks by bandwidth: 59% <20Gbps, 28% 20-40Gbps, 13% >40Gbps]
       • Attack bandwidth is showing exponential growth
       • One third of attacks exceed 20Gbps
       • More than 13% exceed 40Gbps
    4. It's not all bandwidth
       • More than 25% of attacks exceed 10Mpps
       • Most IPS/IDS will crash at 5Mpps
    5. Recent campaigns / SaaS applications
    6. Recent campaigns / DNS providers
    7. How are they reaching these numbers?
       • Are botnets becoming bigger?
         > No, according to www.shadowserver.org
       • Are there more open DNS resolvers?
         > No, the number is actually declining according to www.openresolverproject.org
       • Are there more open NTP servers?
         > Probably not
       • So what is it then?
    8. How are they reaching these numbers?
       • They are using bigger guns
       [Chart: example of a 4Mpps attack]
       • Fewer than 30 IPs are generating more than 99% of the traffic
    9. What can we learn from all this?
       • The stronger the internet is becoming, the stronger the attacks
       • The largest attacks use a small set of super resources rather than a large set of weak resources
       • Attacks will far exceed a single network's capacity
       • Should we expect a 1Tbps+ attack within the next 12-36 months?
    10. A DDoS resilient network
       • Can scale its capacity on demand
         > Cloud solutions are built to scale efficiently
         > Cloud provides the most cost effective way to scale capacity
       • Can protect any service from any attack
         > Both layer 3&4 and layer 7 mitigation are required
         > Web servers and DNS servers are a target for sophisticated attacks
       • Provides real time visibility
         > You cannot mitigate what you cannot see
       • Can respond rapidly to changes
         > DDoS mitigation is a delicate balance between false positives and false negatives
         > You need to react quickly to any change that disrupts this balance
    11. Incapsula DDoS protection
       [Diagram labels: DNS; Web; SSH, FTP, Telnet; SIP; SMTP; UDP, TCP; Network services]
    12. Incapsula DDoS protection
       [Diagram labels: DNS; Web; SSH, FTP, Telnet; SIP; SMTP; UDP, TCP; Incapsula Application Protection; Incapsula DNS Protection; Incapsula Infrastructure Protection]
    13. Incapsula Application Protection
       • Protect HTTP/S Applications
       • Layer 3&4 and also Layer 7
       • Always On / On Demand
    14. Incapsula DNS Protection - NEW
       • Protect DNS servers
       • Prevent Blacklisting
       • Always On Service
    15. Incapsula Infrastructure Protection - NEW
       • Protect all services and protocols
       • Protect entire IP ranges
       • Layer 3&4 (Network)
       • On Demand Service
    16. BGP and Cloud
       [Diagram: POPs LAX 80Gbps, IAD 60Gbps, FRA 80Gbps, +1; the prefix label 23.5.6.0/24 is repeated across the diagram]
       • IP ranges are announced in Anycast
       • Traffic is forwarded to origin over the same GRE tunnel
    17. The “Behemoth”
       • We still need to filter DDoS traffic…
       • Our requirements
         > Filter 100Gbps+ of traffic per POP
         > Manage BGP for announcing
         > Manage GRE for origin forwarding
         > Software defined network (SDN) capabilities
       • The solution
         > An appliance that can deal with 170Gbps
         > Advanced implementations of DDoS filtering algorithms
         > Anomaly detection
         > Proprietary implementation of BGP and GRE
         > C&C for internal networking devices
    18. Please send follow up questions to info@incapsula.com
       Thank you
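
Slides 8 and 9 claim that a small set of high-capacity sources carries almost all of the attack traffic. The following is an added example, not part of the deck, showing how a defender can measure that concentration on their own flow data; the `(source_ip, packet_count)` record shape, the function names and the sample window are assumptions constructed for illustration.

```python
from collections import Counter

def sources_for_share(flows, share=0.99):
    """Smallest set of heaviest sources carrying at least `share` of all packets.

    flows: iterable of (source_ip, packet_count) records from one time window.
    Returns a list of (source_ip, packets), heaviest first.
    """
    per_src = Counter()
    for src, packets in flows:
        per_src[src] += packets
    total = sum(per_src.values())
    top, covered = [], 0
    if total == 0:
        return top
    for src, packets in per_src.most_common():
        top.append((src, packets))
        covered += packets
        if covered >= share * total:
            break
    return top

def summarize(flows, window_seconds, share=0.99):
    """Packet rate and source concentration for one capture window."""
    flows = list(flows)
    total = sum(packets for _, packets in flows)
    return {
        "mpps": total / window_seconds / 1e6,
        "distinct_sources": len({src for src, _ in flows}),
        "sources_for_share": len(sources_for_share(flows, share)),
    }

def constructed_sample():
    """Constructed 10-second window: 25 heavy and 500 light sources
    (documentation address ranges, not real attack data)."""
    heavy = [(f"198.51.100.{i}", 1_590_000) for i in range(1, 26)]
    light = [(f"203.0.113.{i}", 500) for i in range(1, 251)]
    light += [(f"192.0.2.{i}", 500) for i in range(1, 251)]
    return heavy + light

if __name__ == "__main__":
    report = summarize(constructed_sample(), window_seconds=10)
    print(report)
```

When `sources_for_share` is a small fraction of `distinct_sources`, per-source filtering of the heavy hitters covers most of the load; when the two are close, the traffic is widely distributed and rate-based or behavioural filtering is needed instead.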