PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
1. DDOS SOLUTIONS – CUSTOMER POINT OF VIEW
Piotr Wojciechowski (CCIE #25543)
2. ABOUT ME
• Senior Network Engineer MSO at VeriFone Inc.
• Previously Network Solutions Architect at one of the top Polish IT integrators
• CCIE #25543 (Routing & Switching)
• Administrator of the CCIE.PL board
— The biggest Cisco community in Europe
— About 7800 users
— 3 admins, 3 moderators
— Over 60 Polish CCIEs as members, 20 of them actively posting
— About 100 new topics per month
— About 800 posts per month
— English section available
3. AGENDA
• Risk analysis: threats of attacks, actual attacks, and attacks that are meant to hide hacking
• Someone is attacking me! - am I able to get a scrubbing service within a few hours?
• Two models of deployment - DNS Redirection and BGP
• What is better - AlwaysOn or AlwaysAvailable?
• Volumetric attacks vs. L3-L7 DDoS protection
• Scrubbing service is not everything - how to deal with the first wave of an attack?
4. INTRODUCTION
• What this session is about
— Highlights of DDoS problems and different attacks
— Overview of different solutions
— Tips about what to look at while designing DDoS protection
• What this session isn’t about
— Presentation of vendors’ portfolios
— Comparison between available services of multiple vendors
5. RISK ANALYSIS: THREATS OF ATTACKS, ATTACKS, AND ATTACKS THAT ARE MEANT TO HIDE HACKING
6. DDOS ATTACK CATEGORIES
• Volumetric
— Flood-based attacks at layer 3, 4 or 7
• Asymmetric
— Attacks designed to invoke timeouts or session state changes
• Computational
— Designed to saturate CPU and memory
• Vulnerability-based
— Exploit software vulnerabilities
[Diagram residue (slides 7-9 are not in this transcript): tool labels – Scrubbing Center, WAF, Application Delivery Controller, Network Firewall, IP Reputation Database, IDS/IPS + WAF]
10. MULTIPLE PROTECTION TOOLS
• To effectively mitigate multiple types of DoS/DDoS attacks, multiple protection tools are needed
— Cloud DDoS protection to mitigate volumetric attacks that can saturate the Internet link
— DDoS protection to detect and mitigate all types of network DDoS attacks
— Behavioral analysis to protect against application DDoS and misuse attacks and filter them from legitimate traffic
— Intrusion Prevention System (IPS) to block known attack tools and low-and-slow attacks, and to prevent exploitation of application and system vulnerabilities
— SSL protection to protect against encrypted flood attacks
— Web Application Firewall (WAF) to prevent exploitation of web application vulnerabilities
11. DDOS ATTACKS
DDoS-aware firewalls:
• Most network firewalls are not resistant to DDoS attacks
— Even if they are, the resistance is very limited
— A simple layer 4 attack can disable the firewall
• Sheer throughput is not the answer
— But it can give us some time to react!
12. DDOS ATTACKS
• Application Delivery Controller
— Can be both network-aware and application-aware
— Can offload services such as load balancing, caching, and acceleration
— A logical defensive position against both DDoS attacks and targeted application-layer attacks
13. DDOS ATTACKS
• IP Reputation Database
— Helps to defend against asymmetric attacks
— It blocks all traffic, or a traffic pattern, based on the reputation database
— The database can be deployed internally (history of past attacks) or come from an external subscription service
— May be accurate but cannot guarantee 100% success in filtering
14. DDOS ATTACKS
• IDS/IPS
— No role in volumetric attack prevention – usually a weaker point than the firewall
— Can be a point of protection against application- or protocol-related threats
• As long as signatures are updated and properly managed
— NGIPS can provide comprehensive analysis of network traffic and block malware as well as other attacks on known vulnerabilities
15. DDOS ATTACKS
• Web Application Firewall
— It understands and enforces security policies on the applications
— Can give us protection against volumetric HTTP floods and vulnerability-based attacks
— Can provide additional services like web-scraping protection and PCI compliance support
— Can offload and inspect SSL traffic
16. CAN I BE 100% PROTECTED?
• The hardest things to explain to management:
— A scrubbing center, or in general any external DDoS solution, won’t give the company 100% protection
— Protection must be done on multiple layers and using multiple solutions
— Protection is an ongoing investment
— That means $$$ we have to spend
— We cannot spend that money when we are already under attack
17. WHAT SERVICES CAN BE OFFERED?
• Real-time DDoS detection and mitigation
— Technical requirements must be met on the customer side
• Defense against large volumetric attacks
— Some companies will protect you against attacks up to a specified volume only
— Other companies may charge you extra if you exceed the traffic limit
— But there are also companies that will guarantee a minimum protected volume, while larger attacks can be mitigated for free if there is platform capacity available
18. WHAT SERVICES CAN BE OFFERED?
• Protection against multiple attack vectors
— Complex DDoS attacks
— Multilayered L3-L7 attacks
• Support team to respond to unusual cases
— 24/7 monitoring
19. MAGIC WORD – SCRUBBING CENTER IN THE CLOUD
• Everything happens in the CLOUD
— It’s a magic box and we don’t know how it works
— Nobody will really tell us how it works
[Diagram: Scrubbing Center]
25. BGP AKA. ROUTED MODE
• The customer won’t announce its prefix directly to the ISP but to the scrubbing center over a GRE tunnel (sometimes over an MPLS VPN)
• Does not require any application-specific configuration
• But we have routing asymmetry
[Diagram: Customer DC – GRE Tunnel – Scrubbing Center – Internet ISP, with BGP advertisements]
26. BGP AKA. ROUTED MODE
• Usually used in AlwaysAvailable (on-demand) mode
• Good for thwarting large volumetric and advanced DDoS assaults targeting any type of protocol or infrastructure
[Diagram: Customer DC – GRE Tunnel – Scrubbing Center – Internet ISP, with BGP advertisements]
27. BGP AKA. ROUTED MODE
• Requires additional monitoring and quite often manual action
[Diagram: Customer DC – GRE Tunnel – Scrubbing Center – Internet ISP, with NetFlow export and BGP advertisements]
28. DEDICATED IP
• The scrubbing center provider assigns a dedicated public IP from its own IP range
• All incoming traffic passes through the provider’s network, where it is inspected and filtered
• A two-way GRE tunnel is used to forward clean traffic
[Diagram: Customer DC – GRE Tunnel – Scrubbing Center – Internet ISP; Dedicated IP]
29. DNS REDIRECTION AKA PROXY AKA WEB SERVICE PROTECTION
• How does DNS Redirection work?
— The attack is detected and blocked in the scrubbing center
[Diagram: Customer DC – Scrubbing Center – Internet ISP; FQDN: www.mydomain.com]
30. DNS REDIRECTION AKA PROXY AKA WEB SERVICE PROTECTION
• DNS-based service for specific applications
— Other traffic may bypass the scrubbing center
[Diagram: Customer DC – Scrubbing Center – Internet ISP; FQDN: www.mydomain.com, FQDN: www.myotherdomain.com]
32. WHAT IS BETTER - ALWAYSON OR ALWAYSAVAILABLE?
• AlwaysOn model:
— Preferred model for DNS Redirection deployment
— 24/7 mitigation of DDoS attacks
— Monitoring and protection against layer 3, 4 and 7 attacks (in most cases)
— No additional hardware or software required
— DNS-based compatibility with any cloud service provider
— Good solution when attacks are frequent
33. WHAT IS BETTER - ALWAYSON OR ALWAYSAVAILABLE?
• AlwaysAvailable (OnDemand) model:
— It can be started automatically or manually when an attack is detected; until then no traffic redirection is required
— The attack can be detected either by the customer or by the vendor
— The customer uses either BGP route changes or DNS redirection to send the traffic through the scrubbing center
• Keep in mind that DNS records need time to propagate and can be cached for a long time
— OnDemand mode is more suitable for BGP-based solutions
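Two of the points above can be checked against a zone file before any attack: DNS redirection protects only the names that resolve to the scrubbing center while other records bypass it (slide 30), and cached DNS records delay an on-demand cut-over for up to their TTL (slide 33). The following Python script is an added example, not part of the PLNOG16 deck or any vendor's tooling. The provider's proxy prefixes, the customer's origin prefixes (RFC 5737/3849 documentation ranges), the zone records and the 300-second TTL ceiling are constructed assumptions.

```python
"""Audit a DNS zone for a DNS-redirection (proxy) scrubbing deployment.

Added example; not from the PLNOG16 deck. Everything below is constructed:
the scrubbing provider's proxy prefixes, the customer's origin prefixes
and the zone records all use documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed prefixes: the provider's reverse-proxy ranges and our own origin ranges.
PROVIDER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:5c::/48")]
ORIGIN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed zone excerpt as (owner, rrtype, ttl, rdata) tuples.
ZONE = [
    ("www.mydomain.com.",      "A",    300,   "203.0.113.10"),     # proxied by scrubbing center
    ("www.mydomain.com.",      "AAAA", 300,   "2001:db8:5c::10"),  # proxied (IPv6)
    ("api.mydomain.com.",      "A",    86400, "198.51.100.20"),    # straight to origin, 1-day TTL
    ("origin.mydomain.com.",   "A",    60,    "198.51.100.10"),    # publishes the origin address
    ("www.myotherdomain.com.", "A",    600,   "198.51.100.30"),    # second site, not redirected
    ("mydomain.com.",          "MX",   3600,  "10 mail.mydomain.com."),  # no address: ignored
]


def classify(address: str) -> str:
    """Return where packets to this address land: scrubbed, origin or unknown."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in PROVIDER_PREFIXES):
        return "scrubbed"
    if any(ip in net for net in ORIGIN_PREFIXES):
        return "origin"
    return "unknown"


@dataclass
class Finding:
    name: str
    address: str
    status: str
    ttl: int
    issues: list = field(default_factory=list)


def audit_zone(zone, max_ttl: int = 300) -> list:
    """One Finding per A/AAAA record; the issues list what a defender should fix."""
    findings = []
    for name, rrtype, ttl, rdata in zone:
        if rrtype not in ("A", "AAAA"):
            continue  # only address records decide where traffic goes
        f = Finding(name, rdata, classify(rdata), ttl)
        if f.status != "scrubbed":
            # Traffic to this name never sees the scrubbing center (slide 30).
            f.issues.append("bypasses scrubbing center")
        if ttl > max_ttl:
            # Resolvers may keep the old answer this long after a cut-over (slide 33).
            f.issues.append(f"ttl {ttl}s delays redirection")
        findings.append(f)
    return findings


def bypass_names(zone) -> list:
    """Names whose traffic reaches the origin directly, sorted."""
    return sorted({f.name for f in audit_zone(zone) if f.status != "scrubbed"})


def worst_case_cutover_seconds(zone) -> int:
    """Upper bound on how long an on-demand DNS redirection takes to become
    effective everywhere: the largest TTL among the address records."""
    return max((ttl for _, rrtype, ttl, _ in zone if rrtype in ("A", "AAAA")), default=0)


if __name__ == "__main__":
    for f in audit_zone(ZONE):
        print(f"{f.name:26} {f.address:18} {f.status:9} ttl={f.ttl:<6} {'; '.join(f.issues)}")
    print("bypass:", bypass_names(ZONE))
    print("worst-case DNS cut-over:", worst_case_cutover_seconds(ZONE), "s")
```

Every name the audit reports as bypassing is reachable without the scrubbing center, so in the AlwaysOn DNS model those records (and the origin prefixes they reveal) are the gap the slide warns about; the largest TTL is the time budget to plan for if redirection is switched on only during an attack.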
34. WHAT IS BETTER - ALWAYSON OR ALWAYSAVAILABLE?
• Hybrid solution:
— It allows the customer to use their own DDoS solution as the first line of defence
• WAF
• Local DDoS scrubbing centers
• BGP blackholing
• Etc.
— When those facilities become overwhelmed, the customer can redirect traffic to the vendor’s scrubbing center for additional remediation capacity
36. VOLUMETRIC ATTACKS VS. L3-L7 DDOS PROTECTION
• Volumetric Attacks
— Most common type of DDoS attack
— A botnet floods the network layers with a substantial amount of seemingly legitimate traffic
— UDP-based floods
— Takes out the infrastructure capacity – routers, switches, firewalls, etc.
37. VOLUMETRIC ATTACKS VS. L3-L7 DDOS PROTECTION
• Reflection Attacks
— Use of a legitimate resource to amplify an attack against the destination
— The victim’s IP address is spoofed in a request to a server that will yield a big response
— Example: DNS amplification
• TCP state exhaustion
— SYN, FIN, RST floods
— Exhausts resources on servers, load balancers and firewalls
38. VOLUMETRIC ATTACKS VS. L3-L7 DDOS PROTECTION
• L3-L7 DDoS Protection
— Attacks exploit the limitations, scale and functionality of a specific application
— Can use known vulnerabilities
— Can be of the slow-and-grow type or a flood
— Attack examples
• L3-4 - SYN flood, TCP flood, ICMP flood, UDP flood, known signature attacks, Teardrop, Smurf, Ping of Death, Mixed Flood, Reflected ICMP
• L7 - NTP, HTTP Flood, Slowloris, DNS flood, DNS reflection attacks, DNS amplification attacks
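Slide 27 says the routed model needs extra monitoring (its diagram exports NetFlow) and often a manual decision, slide 33 that either the customer or the vendor has to detect the attack before BGP redirection starts, and slides 36-38 list the vectors to recognise. The following Python script is an added example, not from the PLNOG16 deck or any vendor's product, of that detection step run over exported flow records: it labels the suspected vector per flow, aggregates per destination /24 over a window and decides whether the prefix should be announced to the scrubbing center. The flow records (documentation addresses), the 1 Gbps link, the per-prefix baselines, the 10× and 80% thresholds and the SYN rate limit are constructed assumptions.

```python
"""Flow-based DDoS detection that drives the redirect-to-scrubbing-center decision.

Added example; not from the PLNOG16 deck. The flow records below are
constructed (documentation addresses), as are the link size, baselines
and thresholds. Real input would be exported NetFlow/IPFIX records.
"""
import csv
import io
import ipaddress

# Constructed 60-second flow export: nfdump-like CSV, one aggregated flow per line.
FLOW_CSV = """\
ts,proto,src,sport,dst,dport,flags,packets,bytes
1458000000,udp,192.0.2.53,53,198.51.100.10,4444,,1000000,3000000000
1458000001,udp,192.0.2.54,53,198.51.100.10,4444,,800000,2400000000
1458000002,tcp,192.0.2.77,40000,198.51.100.20,443,S,1000000,40000000
1458000003,tcp,192.0.2.5,51000,198.51.100.10,443,PA,1000,500000
1458000004,tcp,192.0.2.6,51001,198.51.101.5,443,PA,4000,2000000
"""
WINDOW_S = 60
LINK_BPS = 1_000_000_000                        # assumed 1 Gbps Internet link
BASELINE_BPS = {"198.51.100.0/24": 50_000_000,  # assumed normal inbound rate per prefix
                "198.51.101.0/24": 5_000_000}

# UDP source ports typical of reflection/amplification responses (slide 37).
REFLECTOR_PORTS = {53: "dns_reflection", 123: "ntp_reflection"}


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts with numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def suspected_vector(flow: dict) -> str:
    """Label the attack vector a single flow most resembles (slides 36-38)."""
    if flow["proto"] == "udp" and flow["sport"] in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[flow["sport"]]
    if flow["proto"] == "tcp" and flow["flags"] == "S":
        return "syn_flood"  # SYN-only flows, no handshake completed: state exhaustion
    if flow["proto"] == "icmp":
        return "icmp_flood"
    if flow["proto"] == "udp":
        return "udp_flood"
    return "normal"


def summarize(flows: list, window_s: int = WINDOW_S) -> dict:
    """Aggregate bytes/packets per destination /24 and per suspected vector."""
    per_prefix = {}
    for f in flows:
        prefix = str(ipaddress.ip_network(f"{f['dst']}/24", strict=False))
        s = per_prefix.setdefault(prefix, {"bytes": 0, "packets": 0, "vectors": {}})
        v = s["vectors"].setdefault(suspected_vector(f), {"bytes": 0, "packets": 0})
        for k in ("bytes", "packets"):
            s[k] += f[k]
            v[k] += f[k]
    for s in per_prefix.values():
        s["bps"] = s["bytes"] * 8 / window_s
        s["pps"] = s["packets"] / window_s
    return per_prefix


def decide(flows: list, link_bps: int = LINK_BPS, baseline: dict = BASELINE_BPS,
           window_s: int = WINDOW_S, syn_pps_limit: int = 5000) -> dict:
    """Per prefix: reasons, the dominant vector and the action to take.

    'redirect' = announce the prefix to the scrubbing center (BGP routed mode);
    'escalate' = a non-volumetric vector is present, follow the response plan;
    'none'     = nothing unusual in this window.
    """
    out = {}
    for prefix, s in summarize(flows, window_s).items():
        reasons = []
        if s["bps"] >= 0.8 * link_bps:
            reasons.append("link saturation")
        # A prefix without a baseline falls back to the link size, i.e. never trips here.
        if s["bps"] >= 10 * baseline.get(prefix, link_bps):
            reasons.append("volume above 10x baseline")
        syn_pps = s["vectors"].get("syn_flood", {"packets": 0})["packets"] / window_s
        if syn_pps >= syn_pps_limit:
            reasons.append(f"syn flood {syn_pps:.0f} pps")
        top = max(s["vectors"], key=lambda v: s["vectors"][v]["bytes"])
        action = "none"
        if any(r.startswith(("link", "volume")) for r in reasons):
            action = "redirect"
        elif reasons:
            action = "escalate"
        out[prefix] = {"bps": s["bps"], "top_vector": top, "reasons": reasons, "action": action}
    return out


if __name__ == "__main__":
    for prefix, d in decide(parse_flows(FLOW_CSV)).items():
        print(f"{prefix:18} {d['bps'] / 1e6:8.1f} Mbps top={d['top_vector']:15} "
              f"{d['action']:8} {', '.join(d['reasons'])}")
```

With the constructed window, 198.51.100.0/24 receives about 725 Mbps, mostly UDP from source port 53, plus a SYN-only flow at roughly 16,700 pps: the volume exceeds ten times its baseline, so the decision is to redirect, with DNS reflection reported as the dominant vector. The other prefix stays below every threshold. The thresholds are the part to tune per site; the structure (classify, aggregate per prefix, compare against link and baseline) is what the monitoring step on slide 27 has to provide before anyone touches BGP.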
40. SOMEONE IS ATTACKING ME! - AM I ABLE TO GET SCRUBBING SERVICE WITHIN A FEW HOURS?
• The answer is: YES
— But, as always, there are conditions ;)
• Some companies offer a service that can be set up within a few hours
— If you already have another service from them, the process may be even faster
• You have to be able to set up the service – i.e. you still have to access devices and prepare configuration during an attack
• This kind of protection is usually only against volumetric attacks
41. SOMEONE IS ATTACKING ME! - AM I ABLE TO GET SCRUBBING SERVICE WITHIN A FEW HOURS?
• Cost!
— Emergency setup is usually more expensive
— You still have to invest in a comprehensive DDoS-mitigation solution
— You have already lost business revenue
— You will lose more if attacks are repeated
— You have lost your reputation as well
43. DDOS PROTECTION APPROACH
• DDoS Protection Approach
1. Do Nothing
• Go on with business as usual
• It may work for small companies without a significant presence on the Internet
• Cost:
— Short-term – nothing; maybe some transactions or emails will be delayed
— Long-term – may impact business and be the reason for a shutdown
44. DDOS PROTECTION APPROACH
• DDoS Protection Approach
2. Disaster Recovery Site
• Backup site in case the primary business site is attacked
• May work if we rely on IP addresses, not on FQDNs
• DR planning generally does not include provisions for DDoS
• Usually not a really useful solution
• Cost:
— Short-term – cost of additional rack space, vCPU, RAM, etc.
— Long-term – may impact business and be the reason for a shutdown
45. DDOS PROTECTION APPROACH
• DDoS Protection Approach
3. On-Premise DDoS Appliance
• Closed solutions provided by some vendors, based on algorithms protected as intellectual property – you will never know how it works
• Some good traffic will probably get filtered while some bad traffic will get through
• Throughput depends on the hardware/licenses used
• Can they really detect low-and-slow attacks?
• Would it prevent the Internet link from saturation? What is the predicted growth of your Internet traffic over the next 2-4 years?
• Cost:
— Short-term – cost may vary by vendor, time of the month/quarter, amount purchased, and also the volume of attacks that we are trying to repel
— Long-term – may impact business as not all attacks may be filtered; it can still cause Internet link saturation and, in the worst case, be the reason for a shutdown
46. DDOS PROTECTION APPROACH
• DDoS Protection Approach
4. DDoS Mitigation from Data Center Operator or ISP
• Offered sometimes as a standard, sometimes as a premium service
• Many of them only deal with volumetric attacks
• Effectiveness against resource or application attacks will vary depending on the technology used
• It may not be a suitable solution for customers using multiple ISPs
• Cost:
— Short-term – may not be significant (sometimes even free, sometimes a flat rate), but there may be a cost for exceeding the limit
— Long-term – may be costly and not fully efficient
47. DDOS PROTECTION APPROACH
• DDoS Protection Approach
5. DDoS Mitigation services from specialized companies
• Requires either a change in DNS records or redirecting the traffic based on BGP
• Can be deployed in AlwaysAvailable or AlwaysOn mode
• Can deal not only with volumetric attacks
• Cost:
— Short-term – may depend on the vendor and subscribed services
— Long-term – may depend on the vendor and subscribed services, but may cost us penalties or lost revenue if the AlwaysAvailable model is used
48. DDOS PROTECTION APPROACH
• DDoS Protection Approach
6. Hybrid Model
• A combination of an on-premise system and the specialized mitigation and/or provider-based solution
• Most expensive but at the same time most flexible
• Cost:
— Short-term – cost of on-site protection plus cost of remote protection
— Long-term – increased operational cost that should be weighed against the revenue lost in case of an attack
49. WHAT ASSETS DO I WANT TO PROTECT?
• Identify possible risks for your company (examples):
— DDoS attacks targeted at a specific sector (e.g. financial institutions, media)
— DDoS attack threats (“We won’t attack you if you donate a small amount of BTC”)
— Application layer threats (well-known vulnerabilities in common libraries)
— Shared DC infrastructure saturation (if we are a DC provider or SP)
— Targeted attack on a business-critical application
50. HOW TO DEAL WITH THE FIRST WAVE OF AN ATTACK?
• The scenario depends on what solution is deployed
• The company should have an approved procedure for what to do in case of an attack
• All network and application teams have to know:
— What the symptoms of an attack are
— How to verify
— How to escalate
— How to redirect to the scrubbing center
— How to monitor
51. HOW TO DEAL WITH THE FIRST WAVE OF AN ATTACK?
• A big Internet pipe is not a solution, but it may help
— Especially if we have an AlwaysAvailable type of service
— Many DC operators offer links with a burstable CIR
— May help in the first wave of an attack as long as our devices won’t be overwhelmed by the amount of traffic
— Won’t really protect us against attack types other than volumetric
• But it will give us time to redirect traffic to the AlwaysAvailable service!
• Remember to have an OOB management network
53. PRACTICAL HINTS – PREPARATION CHECKLIST
1. Build your DDoS response team
— Identify people and departments that need to be involved
— Define roles and responsibilities
2. Create a response plan
— Define procedures, resources and tools
3. Risk assessment
— Evaluate your infrastructure (routers, switches, DNS servers, link bandwidth, firewalls, IPS, etc.)
— Identify single points of failure
54. PRACTICAL HINTS – PREPARATION CHECKLIST
4. Define a strategy with your ISP
— What protection they can offer
— How much protection they can provide
— What the SLA of the service is
— What the response time is and how much control/visibility you can get
5. Test the solution readiness
— At least every 3-6 months
55. PRACTICAL HINTS – FUNDAMENTAL QUESTIONS (EXAMPLES)
• DDoS protection, both on-premise and in the cloud, is a crucial part of the traffic flow in your organization
— Bad design can affect traffic flow
— Bad design may create a new SPOF
— Bad design may extend the outage and cost you money
— There are security concerns as well
56. PRACTICAL HINTS – FUNDAMENTAL QUESTIONS (EXAMPLES)
• Do I want all traffic to flow through the scrubbing center?
— Is the additional RTT delay significant for my traffic?
— Is routing asymmetry something that may affect my service?
— How much control do I have if there are problems in the scrubbing center?
— Am I going to lose any monitoring?
57. PRACTICAL HINTS – FUNDAMENTAL QUESTIONS (EXAMPLES)
• Do I trust my scrubbing service operator?
— Would I trust handing over my SSL keys to the scrubbing center operator?
— What may the scrubbing center operator do with the metadata of my connections?
58. LAST WORD FROM THE SPEAKER
• I said I won’t talk about vendors ;)
• Comparison of global providers:
http://www.imperva.com/docs/RPT_Forrester_Wave_DDoS_2015.pdf
• Remember that’s not the complete list