Filling the Gaps in Your DDoS Mitigation Strategy

At Cloudflare, we protect 9 million domains against DDoS attacks with our global network. This puts us in a unique position to learn from the myriad attacks on the network, be they small, large, or even unusual, and to use that knowledge to strengthen our DDoS mitigation capabilities.

The new DDoS landscape
Cloudflare's unmetered, always-on DDoS protection service
Cloudflare Rate Limiting - a new solution for Layer 7 DDoS attacks
Cloudflare Spectrum - a new solution for non-web DDoS attacks

Filling the Gaps in Your DDoS Mitigation Strategy

  1. Filling the Gaps in Your DDoS Mitigation Strategy: Threat landscape and mitigation solutions
  2. Presenter: Chris Wang, Cloudflare Solutions Engineer, @chriswang_tech
  3. Topics: (1) Current DDoS Threat Landscape; (2) Cloudflare DDoS Mitigation Solutions; (3) Cloudflare Rate Limiting - a new solution for layer 7 DDoS attacks; (4) Cloudflare Spectrum - a new solution for non-web DDoS attacks
  4. Poll #1: Are you a current Cloudflare user? Options: ● No ● Yes, I'm on Cloudflare Free Plan ● Yes, I'm on Cloudflare Pro Plan ● Yes, I'm on Cloudflare Business Plan ● Yes, I'm on Cloudflare Enterprise Plan. Link: Plan definitions
  5. Current DDoS Threat Landscape
  6. Types of DDoS Attack Traffic: ● DNS ● IP/TCP/UDP ("Layer 3 & 4") ● HTTP/HTTPS ("Layer 7"). Degrades availability and performance of applications, websites, and APIs. [Diagram: bots targeting the DNS server, the server, and the HTTP application/login]
  7. DDoS 2018 and Beyond: Smaller, targeted L7 attacks are proving to be more difficult for the industry than L3/4. [Chart: Less Frequent to More Frequent, Difficult to Mitigate; labels: DNS Layer 7, SSL CPU Exhaustion (Layer 6), HTTP Layer 7, Layer 3/4; sizes: 500 Gbps, 100 Gbps, 200 Gbps, 40 Gbps]
  8. L3/4: More spaced out with unmetered mitigation by Cloudflare. [Chart annotation: Unmetered Mitigation Introduced by Cloudflare]
  9. L7: Attackers Moving Up The Stack. [Chart annotation: Unmetered Mitigation Introduced by Cloudflare]
  10. DNS: Attacks Continue To Be Infrequent. [Chart annotation: Unmetered Mitigation Introduced]
  11. DDoS Mitigation Solutions
  12. Industry Legacy Scrubbing Center. [Timeline stages: Pre-Attack, Attack Begins, Attack Detected, Mitigation Implemented; time labels: 12:00, 12:05, 12:15, 12:20]
  13. Cloudflare’s Always-On DDoS Mitigation. [Timeline stages: Real-Time Detection, Automatic Mitigation; time labels: 12:00, 12:05] Continuous Performance Benefit
  14. Cloudflare DDoS Solutions: Gives customers unlimited and unmetered distributed denial-of-service (DDoS) attack protection regardless of the size of attack. ● Stay Online: Global Anycast network with 150+ data centers absorbs highly distributed attack traffic so customers stay online ● Protect origin infrastructure: Detect and drop at the edge volumetric attacks: layer 3/4, DNS and layer 7 ● Identify anomalous traffic: Fingerprint HTTP requests to protect sites against known and emerging botnets with automatic mitigation rules ● Protect applications with control: Rate Limiting gives more granular control to block harder-to-detect application-layer attacks ● Anticipate attacks: Shared intelligence across 8M websites proactively blocks known bad signatures. [Diagram: DDoS attack, Cloudflare Data Center, Origin Server] *Business and Enterprise customers will continue to benefit from additional advanced mitigation services including better reporting, productivity enhancements, fine-grained controls, business and enterprise-grade service level agreements (SLAs), and customer support options to fit their individual needs.
  15. Rate Limiting Demo
  16. Cloudflare Rate Limiting: L7 throttling. ● Precise DDoS Mitigation: High precision denial-of-service protection through robust configuration options ● Protect Customer Data: Protect sensitive customer information against brute force login attacks ● Ensure Availability: Avoid service disruptions by setting usage limits on HTTP requests. [Chart: Requests per IP address matching the traffic pattern]
  17. Spectrum Demo
  18. Cloudflare Spectrum: protects all TCP ports (and UDP soon). ● Mitigate DDoS for TCP Protocols and Ports: Cloudflare Spectrum proxies all non-HTTPS TCP traffic through the same 150+ Cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports. ● Encrypt Non-HTTP/S TCP Traffic: Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit. ● Block Traffic by IP or IP Range: Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IP or IP ranges can be dropped at the edge. [Diagram: Client, Encrypted TCP Traffic, SSH, SMTP, SFTP, IP 10.0.0.1] https://developers.cloudflare.com/spectrum/
  19. Questions? Follow our blog at https://blog.cloudflare.com/ Interested in Our Enterprise Solution? Visit https://www.cloudflare.com/plans/enterprise/contact/
  20. Backup Slides
  21. Cloudflare DDoS Differentiation: Leverage Data ● Anycast scales DDoS surface area across all data centers (versus just a subset) ● Unified view of attacks across integrated stack of network, DNS, application ● Kernel bypass reduces CPU usage ● Innovation on hardware, routers, network increases capacity and lowers costs Architecture ● Broad, heterogeneous traffic across 8M websites to more proactively drop attacks ● Develop heuristics to automatically (versus manually) block ● No OEM of third-party hardware ● Settlement free peering reduces costs of traffic over peering points ● Easily absorb inbound attack traffic spikes at no extra cost Cost Structure
  22. Benefit of Cloudflare’s Always-on DDoS. [Chart of Load Time; labels: Attack starts, DDoS Config, Mitigation starts, Mitigation complete, Next attack, Turn on Cloudflare, Next attack begins, Next attack + mitigation]
  23. Cloudflare Bot Mitigation. ATTACKS: 1. Account Takeover 2. Content Scraping 3. Checkout Fraud. CLOUDFLARE SOLUTIONS: Classification: By leveraging visibility into a large volume of both good and bad traffic, intelligently classifying risk based on attributes like: ● IP reputation intelligence ● User Agent strings ● Other HTTP fingerprints ● Behavioral analysis. Mitigation Techniques: Different levels of severity and sophistication to block attacks. These can include: Block, throttle, image substitution, data obfuscations. Rules Customization: Customers can tune their security posture by defining rules to support both positive and negative security models. Client Validation: To reduce false positives, provide progressive levels of client validation to distinguish between legitimate visitors and malicious bots based on clients validating themselves ● Browser Integrity ● Captcha ● JS Validations ● Client Classifications ● Machine Learning
  24. Cloudflare Security Summary: ● Cloudflare continues to out-innovate the market, driving growth in security-only deals ● The threat landscape is exploding with the growth in new platforms and devices; security solution use cases are expanding to meet them ● Cloud-based solutions reduce complexity, improve time to response and combine performance and security in a single, integrated offering ● Data-driven threat intelligence dynamically adapts our platform to meet the ever changing threat landscape
  25. 1.7 Tbps