1. Best Practices: Using Your Network and the Cisco ASR 9000 for DDoS Protection
Tom Bienkowski, Product Marketing, Arbor Networks
Talbot Hack, Product Manager, Arbor Networks
Mike Geller, Principal Engineer, Cisco
2. Modern Day DDoS Attacks
DDoS attacks are increasing in size (up to 400G), frequency (daily) and complexity (a dynamic combination of volumetric, TCP state-exhaustion and application-layer attack vectors).
[Diagram: legitimate traffic, a volumetric attack, a state-exhaustion attack and an application attack from a botnet cross the Internet and your (ISP's) network to reach your data centers.]
Impact (to you and your customers):
Availability of network and services
Operational cost to mitigate the attack
Lost revenue and profitability
Unwanted media attention; tarnished brand
Fees/fines
3. The Solution
Layered DDoS Attack Protection
[Diagram: volumetric attacks are scrubbed in-cloud at a scrubbing center in your (ISP's) network before they reach your data centers/internal networks; application attacks are stopped on premises.]
(1) Stop volumetric attacks in-cloud
(2) Stop application-layer DDoS attacks and other advanced threats; detect abnormal outbound activity
(3) Intelligent communication between both environments
(4) Backed by continuous threat intelligence
4. Multiple Places/Ways to Stop DDoS Attacks
[Diagram: providers A, C and D connect through the peering/transit edge to the backbone; DDoS traffic can be stopped at the peering/transit edge, at the data center/customer edge and in a scrubbing center.]
Peering/Transit Edge: stop DDoS attacks at the network edge before they impact the backbone, data centers and customers.
Data Center/Customer Edge: dedicated DDoS protection.
Regional Scrubbing Centers: shared DDoS protection for multiple customers, placed in strategic parts of the network.
Comprehensive DDoS protection is accomplished using a combination of:
a) Dedicated DDoS protection solutions
b) Best Current Practices leveraging network infrastructure
5. Who Is Arbor Networks?
For the past 15 years Arbor Networks has been the undisputed leader (#1).
A majority of the world's service providers (100% of Tier 1) and largest enterprises have trusted Arbor Networks for their DDoS protection.
Proven & Trusted DDoS Protection
DDoS Protection?... We invented it!
6. Arbor's DDoS Protection Solution
Proven, Industry Leading, Layered DDoS Protection Products & Services
Continuously Armed with Global Visibility and Threat Intelligence
[Diagram: volumetric attacks are stopped in-cloud by Arbor Cloud (Arbor deployments in the majority of the world's ISPs); application attacks, malware and compromised hosts are handled on-prem; cloud signaling links the two environments.]
7. Network Embedded, Virtual DDoS Protection
Two Best of Breeds Combine:
Arbor Peakflow Threat Management System (TMS): #1 in DDoS attack protection products
Cisco ASR 9000 Virtual Services Module (VSM): #1 in network infrastructure products; up to 40 Gbps mitigation per VSM
Cisco ASR 9000 vDDoS Protection: industry's most comprehensive DDoS attack protection solution
8. Cisco/Arbor's Comprehensive DDoS Protection Solution
[Diagram: providers A, B and C connect to the backbone; DDoS traffic and legitimate traffic flow toward the peering & transit edge, the data center & cloud services, the customer edge and a scrubbing center (TMS 4000); ASR 9000 vDDoS Protection sits at the edges, and a Peakflow SP NetFlow collector feeds the Peakflow console.]
(1) A single Peakflow console used for NetFlow analysis, attack detection (in as little as 1 sec), alerting and reporting
(2) vDDoS Protection embedded in Cisco ASR 9000 routers distributed at the peering edge, data centers, customer edge, etc. (40 Gbps mitigation per VSM)
(3) Existing Arbor TMS DDoS solutions in regional scrubbing centers or where ASR 9000s are not deployed
(4) Leverage the network (i.e. ACLs, BGP Flowspec, D/RTBH, S/RTBH, OpenFlow) for mitigation
Benefits:
Infrastructure & Service Protection: comprehensive DDoS protection solution that can stop DDoS attacks in multiple network locations
Service Enablement: increase revenue via new managed Visibility and DDoS Protection
9. Substantial Growth in Largest Attacks
Increase in the size and number of reflection/amplification attacks; DNS, NTP, SSDP, SNMP and Chargen are the most common.
To effectively stop these attacks you must leverage your network.
10. Using Your Network For Mitigation
ACLs – block all unnecessary protocols/ports at the network ingress to protect critical resources
BGP Flowspec – signal injection of ACLs or routing policy to filter or divert traffic upstream
S/RTBH – use source-based remote triggered blackholing to block known bad sources
D/RTBH – use destination-based remote triggered blackholing as a last resort to protect the network
SDN (OpenFlow) – offload blacklists, policies, etc. to upstream routers to filter or divert traffic
Benefit: substantially better scale and performance
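As an added example (not code from the deck, Arbor or Cisco), the following script walks slides 9 and 10 end to end: it classifies constructed NetFlow-style records per destination, recognises reflection/amplification by the reflector source ports named on slide 9, and then picks the network mitigation in order of collateral damage, a BGP Flowspec match that drops only the reflector port, S/RTBH when a handful of sources carry the flood, and D/RTBH only as the last resort. The thresholds, the 80% share rule, the sample addresses and the discard next-hop 192.0.2.1 are assumptions for the demo; the BLACKHOLE community 65535:666 is the well-known value from RFC 7999.

```python
"""Added example, not code from the Arbor/Cisco deck: classify volumetric attacks in
constructed NetFlow-style records and pick the network mitigation from slide 10 in
order of collateral damage: BGP Flowspec for reflection/amplification traffic,
S/RTBH when a few sources carry the flood, D/RTBH only as the last resort.
Thresholds, addresses and the discard next-hop are assumptions for the demo."""
from collections import defaultdict
from dataclasses import dataclass

UDP = 17
# UDP source ports of the reflection/amplification services named on slide 9.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "Chargen"}
BLACKHOLE_COMMUNITY = "65535:666"  # well-known BLACKHOLE community (RFC 7999)
DISCARD_NEXT_HOP = "192.0.2.1"     # assumption: every edge router routes this to Null0


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    octets: int


def classify(flows, window_secs, bps_threshold, share=0.8, max_sources=16):
    """Per destination: ('clean', None); ('flowspec', port) when one reflector port carries
    at least `share` of the flood; ('srtbh', sources) when at most `max_sources` sources
    do; otherwise ('drtbh', None)."""
    total = defaultdict(int)
    by_port = defaultdict(lambda: defaultdict(int))
    by_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        total[f.dst] += f.octets
        by_src[f.dst][f.src] += f.octets
        if f.proto == UDP and f.sport in REFLECTION_PORTS:
            by_port[f.dst][f.sport] += f.octets
    verdicts = {}
    for dst, octets in total.items():
        if octets * 8 / window_secs < bps_threshold:
            verdicts[dst] = ("clean", None)
            continue
        port, port_octets = max(by_port[dst].items(), key=lambda kv: kv[1], default=(None, 0))
        if port_octets / octets >= share:
            verdicts[dst] = ("flowspec", port)   # surgical: drop only the reflector port
            continue
        top = sorted(by_src[dst].items(), key=lambda kv: kv[1], reverse=True)[:max_sources]
        if sum(o for _, o in top) / octets >= share:
            verdicts[dst] = ("srtbh", tuple(s for s, _ in top))  # few sources: blackhole them
        else:
            verdicts[dst] = ("drtbh", None)      # distributed flood: sacrifice the victim
    return verdicts


def flowspec_rule(dst, sport):
    """Match components of the Flowspec NLRI (RFC 5575) the upstream injection carries."""
    return {"destination": f"{dst}/32", "protocol": UDP, "source-port": sport,
            "action": "discard"}


def rtbh_route(prefix):
    """RTBH trigger route: host route tagged BLACKHOLE with the discard next-hop. For D/RTBH
    the prefix is the victim; for S/RTBH it is an attacker and uRPF does the dropping."""
    return {"prefix": f"{prefix}/32", "next-hop": DISCARD_NEXT_HOP,
            "community": BLACKHOLE_COMMUNITY}


def mitigate(flows, window_secs=10, bps_threshold=1e9):
    """Actions a trigger router/controller would push for one observation window."""
    actions = []
    for dst, (verdict, detail) in classify(flows, window_secs, bps_threshold).items():
        if verdict == "flowspec":
            actions.append(("flowspec", flowspec_rule(dst, detail)))
        elif verdict == "srtbh":
            actions.extend(("srtbh", rtbh_route(src)) for src in detail)
        elif verdict == "drtbh":
            actions.append(("drtbh", rtbh_route(dst)))
    return actions


# Constructed 10-second sample: .10 gets NTP reflection (sport 123), .20 a UDP flood from
# three sources, .40 a flood from forty sources, .30 only normal traffic.
SAMPLE = [Flow(f"203.0.113.{i}", "198.51.100.10", UDP, 123, 40000 + i, 400_000_000)
          for i in range(1, 6)]
SAMPLE.append(Flow("203.0.113.99", "198.51.100.10", UDP, 4444, 80, 50_000_000))
SAMPLE += [Flow(f"203.0.113.{i}", "198.51.100.20", UDP, 5000 + i, 80, 500_000_000)
           for i in range(10, 13)]
SAMPLE += [Flow(f"203.0.113.{i}", "198.51.100.40", UDP, 6000, 443, 50_000_000)
           for i in range(100, 140)]
SAMPLE.append(Flow("203.0.113.50", "198.51.100.30", UDP, 53, 33000, 1_000))

if __name__ == "__main__":
    for kind, spec in mitigate(SAMPLE):
        print(kind, spec)
```

The ordering encodes the slide's "last resort" point: a Flowspec rule keyed on the reflector port leaves the victim reachable for everything else, S/RTBH removes only the attacking sources (and needs loose-mode uRPF on the edges to take effect), and D/RTBH completes the attacker's job for that one host in exchange for protecting the backbone and everyone else behind it.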
11. Blacklist Offload via OpenFlow
[Diagram: good and bad traffic from providers A and B enters the data center through an ASR 9000 running vDDoS Protection; the blacklist is offloaded via OpenFlow and the bad traffic is blocked upstream.]
Benefit: pushes filtering to the network fabric (via OpenFlow) for greater scale and performance
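As an added example (not Arbor's or Cisco's code), this script shows what "blacklist offload via OpenFlow" looks like on the wire: each blacklisted source prefix becomes an OpenFlow 1.3 FLOW_MOD that installs a match on eth_type=IPv4 plus a masked ipv4_src with no instructions, which the switch executes as a drop. It first collapses the list into the fewest covering prefixes and respects a flow-table budget, returning whatever did not fit so the caller can keep filtering those entries locally. The message-type, OXM and flag constants are the OpenFlow 1.3 values; the table budget, priority, timeout and the sample blacklist are constructed for the demo.

```python
"""Added example, not Arbor's or Cisco's code: build the OpenFlow 1.3 FLOW_MOD messages
that offload a source-address blacklist to an upstream switch as drop rules, the
mechanism slide 11 illustrates. Constants follow the OpenFlow 1.3 spec; the table
budget and the sample blacklist are constructed for the demo."""
import ipaddress
import struct

OFP_VERSION = 0x04          # OpenFlow 1.3
OFPT_FLOW_MOD = 14
OFPMT_OXM = 1
OFPXMC_OPENFLOW_BASIC = 0x8000
OFPXMT_OFB_ETH_TYPE = 5
OFPXMT_OFB_IPV4_SRC = 11
OFPFC_ADD = 0
OFP_NO_BUFFER = OFPP_ANY = OFPG_ANY = 0xFFFFFFFF
ETH_TYPE_IPV4 = 0x0800


def oxm(field, value, mask=b""):
    """One OXM TLV: 32-bit header = class:16 | field:7 | hasmask:1 | payload length:8."""
    payload = value + mask
    header = (OFPXMC_OPENFLOW_BASIC << 16) | (field << 9) | ((1 if mask else 0) << 8) | len(payload)
    return struct.pack("!I", header) + payload


def match_ipv4_src(network):
    """ofp_match (type OXM) on eth_type=IPv4 plus a masked ipv4_src, padded to 8 bytes."""
    net = ipaddress.IPv4Network(network)
    fields = oxm(OFPXMT_OFB_ETH_TYPE, struct.pack("!H", ETH_TYPE_IPV4))  # prerequisite
    fields += oxm(OFPXMT_OFB_IPV4_SRC, net.network_address.packed, net.netmask.packed)
    body = struct.pack("!HH", OFPMT_OXM, 4 + len(fields)) + fields  # length excludes padding
    return body + b"\x00" * (-len(body) % 8)


def flow_mod_drop(network, priority, xid, hard_timeout=0):
    """OFPT_FLOW_MOD/OFPFC_ADD with no instructions: an empty action set means drop.
    hard_timeout lets a blacklist entry age out instead of living forever."""
    match = match_ipv4_src(network)
    # cookie, cookie_mask, table_id, command, idle, hard, priority, buffer, out_port, out_group, flags
    body = struct.pack("!QQBBHHHIIIH2x", 0, 0, 0, OFPFC_ADD, 0, hard_timeout, priority,
                       OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY, 0)
    length = 8 + len(body) + len(match)
    header = struct.pack("!BBHI", OFP_VERSION, OFPT_FLOW_MOD, length, xid)
    return header + body + match


def offload_blacklist(blacklist, table_budget, priority=1000, hard_timeout=3600):
    """Collapse the blacklist into the fewest prefixes, then emit FLOW_MODs for as many as
    the switch's flow-table budget allows; the rest are returned so the caller keeps
    dropping them locally instead of silently losing them."""
    nets = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(b) for b in blacklist))
    fits, overflow = nets[:table_budget], nets[table_budget:]
    msgs = [flow_mod_drop(str(n), priority, xid, hard_timeout) for xid, n in enumerate(fits, 1)]
    return msgs, [str(n) for n in overflow]


# Constructed blacklist: the two /25s and the /32 collapse into 203.0.113.0/24.
BLACKLIST = ["203.0.113.7/32", "203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]

if __name__ == "__main__":
    msgs, overflow = offload_blacklist(BLACKLIST, table_budget=8)
    for m in msgs:
        print(len(m), m.hex())
    print("not offloaded:", overflow)
```

Two details matter in practice: the eth_type OXM must precede ipv4_src because OpenFlow treats it as a prerequisite and a switch may reject the match without it, and the returned overflow list is the difference between "offloaded for scale" and "quietly unfiltered" once the fabric's table fills up.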
12. What's New
Leveraging the power of the cloud
  Pushing SSL decryption to the cloud
Improving visibility
  Enabling underlay/overlay visibility
  Enabling selective bypass of certain flows based on policies ('coloring')
Improving agility
  Enabling more dynamic, intelligent offload
13. Arbor's (And Cisco's) DDoS Protection Solution
Proven, Industry Leading, Layered DDoS Protection Products & Services
Continuously Armed with Global Visibility and Threat Intelligence
[Diagram: as on slide 6 (Arbor Cloud stopping volumetric attacks in-cloud with Arbor deployments in the majority of ISPs, on-prem protection against application attacks, malware and compromised hosts, cloud signaling between the two), with ASR 9000 vDDoS Protection added.]