Your SlideShare is downloading. ×
Ip Guardian customer presentation
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Ip Guardian customer presentation


Published on

Published in: Technology, News & Politics

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Colt IP Guardian© 2010 Colt Technology Services Group Limited. All rights reserved.
  • 2. Agenda • DoS and DDoS Attacks • Colt Proposition: IP Guardian • Technical View2
  • 3. DoS attack: definition • A Denial of Service (DoS) attack is an explicit attempt by attackers to prevent legitimate users from using that service. Examples include: – Attempts to flood a network, thereby preventing legitimate network traffic – Attempts to use all available processing power on the end system to prevent regular users access – Attempts to disrupt connections between two machines, preventing access to a service – Attempts to prevent a particular individual from accessing a service – Attempts to disrupt service to a specific system or person3
  • 4. What is a Distributed Denial of Service Attack? (1/2) • A DDoS attack is the most prominent form of DoS attack – The attacker scans millions of computers on the Internet to identify unsecured hosts to be used as launch pads – Then secretly installs software on a master computer and a collection of compromised zombie computers – The attacker hides their true identity and location by using these zombie machines to launch the attacks – The attack results in denial of service to legitimate users because their infrastructure is overwhelmed with illegitimate requests, thereby choking off the sites available bandwidth4
  • 5. What is a Distributed Denial of Service Attack? (2/2) Areas vulnerable to attack include: Zombies on Zombies on innocent computers innocent computers • Routers A A S S • Firewalls ISP Backbone • Web servers • DNS servers Infrastructure level attacks • Mail Servers • VoIP gateways Indirect victims, elements that share the A victims’ network (for example, otherS Zombies on servers in a server farm) innocent computers Bandwidth level attacks Enterprise Server level attacks5
  • 6. Real world proposals … • Someone offers a DDoS service -----Original Message----- From: Martyn Clapham [] Sent: Friday, 16 May 2003 2:45 PM To: ******************** Subject: Offer from 2787! Do you want to get rid of your competitors? Or blackmail your boss because he didnt pay you? We can help! Ddos attack on any internet server. We pay admins of for hosting so our bandwidth is huge and our knowledge of such attacks allows us to fulfill any requirement. If you are in need of Ddos attacks, or simply looking for specific content for your web site (like child porn or anything weird) - tell us and will give you what you need! Our contacts are: 2787 • Someone else offers protection you can’t refuse (if you don’t pay, you will be attacked) • So-called “cyber mafia” mainly based in Russia and Eastern Europe6
  • 7. Typical Targets of a DDoS Attack • Typical Targets of a DDoS attacks are: – eCommerce – On line banking – On line trading – iGaming – iGambling – Content Providers – Governmental organizations – ISPs In general, all those companies that make business providing online/Internet services7
  • 8. Agenda • DoS and DDoS Attacks • Colt Proposition: IP Guardian • Technical View8
  • 9. Colt Proposition: IP Guardian • Proposal – Colt will protect the customer bandwidth by detecting attacks whilst still within the Colt network – Customer traffic is diverted only in case an attack is detected  no impact for customers during normal operations • How? – By expanding the existing state of the art platform built using Arbor Peakflow monitors and Arbor TMS (Threat Management System) and locating them throughout Colt’s Tier1 pan-European network9
  • 10. Service Variants • Continuous – Automatic redirection/mitigation if anomaly detected – Reports via customer portal • On-Demand – Customer control via portal – alerts via email/SMS, – customer reviews anomaly on Colt portal – triggers mitigation if it is deemed to be an attack • Emergency Implementation – Set up temporary IPG service in midst of attack – No baselining, default profile – Can migrate to full service (Continuous or On-Demand)10
  • 11. Benefits of the IP Guardian Service • “In the cloud” DDoS protection – DDoS protection on site can be useless – attacks can flood the pipe however good the mitigation devices are. IP Guardian stops the attack before it can reach you • Anomaly monitoring – Constant monitoring of Netflow telemetry data to ensure rapid detection of any abnormal activity • Resiliency – Protection deployed at multiple strategic locations throughout Colt global network to ensure near continuous uptime of the IP Guardian service and the best possible round trip time (RTT) in case traffic needs to be diverted • Productivity – Avoid downtime – you can carry on working as normal if the attack is successfully mitigated • Flexibility – New ‘On Demand’ Variant provides more customer control to avoid false positives11
  • 12. IP Guardian: how it works (1/3) – IP Guardian is a dedicated service in Arbor TMS which the customer traffic is Arbor Peakflow SP continuously monitored ensuring that the customer is continually prepared to react against DDoS attacks – The traffic to the customer is constantly Public Colt monitored while it follows its path in the Internet Backbone network. The Arbor Peakflow SP Collectors gather traffic statistics (network telemetry data) from all peering and transit routers, which it Arbor SP constantly constantly analyzes to construct a monitors traffic destined network-wide view of possible traffic to the customer and network anomalies Customer Network12
  • 13. IP Guardian: how it works (2/3) – An alert is generated if the behaviour is Arbor TMS TMS is found to be abnormal. triggered Arbor Peakflow – When an attack is detected by Arbor SP Peakflow SP, traffic is automatically diverted to Arbor TMS, which mitigates Public BGP the attack based on traffic patterns Internet Announcement learnt by Arbor Peakflow SP Arbor SP constantly monitor traffice detined to the customer Customer Network Malicious Traffic Cleaned Traffic13
  • 14. IP Guardian: how it works (3/3) – The customer never feels the full Arbor TMS impact of an attack as their circuit is being continually Arbor Peakflow SP monitored and protection triggered automatically by the Public Colt platform Internet Backbone – Only the cleaned traffic flows toward the customer, which will be provided with high levels of protection Whenever an attack occurs, traffic is reqdirected to Arbor TMS, the attack mitigated and cleaned traffic only flows to the customer Customer Network Malicious Traffic Cleaned Traffic14
  • 15. IP Guardian: Proactive eMail Alerting • In case an attack is detected, an email is sent to the customer • Another email is sent once the attack is mitigated • The structure of such emails is provided below as an example. – From: "Peakflow SP" – Date: date/time – To: Customer’s Address (this address shall be reachable in case of attacks) – Subject: [Peakflow SP] Bandwidth attack #[Attack ID] Incoming to [Customer] Done – Type: (Bandwidth, Protocol) – ID: a number identifying the attack – Resource: Customer’s name – Severity: high – Started: date/time (UTC) referred to the attack beginning – Ended: date/time (UTC) referred to the attack mitigation – Link rate: traffic (in Mbps) related to the attack – Router: Colt peering router and interfaces involved – Input If: Input Interface – Output If: Output Interface – URL: www.colt.net15
  • 16. Customer Portal • View traffic profiles • View anomalies • Trigger mitigation (On-Demand Only)16
  • 17. Agenda • DoS and DDoS Attacks • Colt Proposition: IP Guardian • Technical View17
  • 19. Technicalities • The service is available to customers with a service bandwidth of at least 10Mbps and 30/40% of spare bandwidth (recommended) • Traffic content is not monitored or stored: IP Guardian is not what is known as “Deep Packet Inspection” • The maximum number of packets that can be dealt with is 1 Million packets per second • Maximum bandwidth up to 2Gbps per TMS – this means a maximum of 2Gbps in case of a DoS attack managed by one TMS or Nx2Gbps DDoS attack through multiple entry points (N=6, the number of TMS installed) • Simultaneous TCP connections during a SYN attack per device: 100,000 • Source and destination HTTP host pairs per device: 1 Million • Zombies per device: 20,00019