How To Take Your DDoS Protection To The Next Level
Presenters
Tim Fong
Product Marketing Manager
John Esterline
Solutions Engineer
Agenda
● The new DDoS landscape
● A little known way attackers can bypass traditional DDoS protections
● Why TCP services may make you vulnerable to a DDoS attack
● Pros and cons of multiple solutions: BGP, MPLS, and building your own
● How to augment Cloudflare’s unmetered DDoS solution with Spectrum, Rate Limiting, and Argo Tunnel
Poll #1
Have you experienced a DDoS attack in the past year?
● No, but I want DDoS protection
● No, and I already have enough DDoS protection for my site
● Yes, and I want to take my DDoS protection to the next level
● Yes, but I don’t think it will happen to my site again
The New DDoS Landscape
Types of DDoS Attack Traffic
1. Volumetric DNS Flood [diagram: bots → DNS server]
2. Amplification (Layer 3 & 4) [diagram: bots → DNS server → server]
3. HTTP Flood (Layer 7) [diagram: bots → HTTP application / login]
Degrades availability and performance of applications, websites, and APIs
DNS Attacks Continue To Be Infrequent
[chart: DNS attack volume over time, annotated “Unmetered Mitigation Introduced”]
[chart: attack sizes over time, peak labelled 1.7 Tbps]
DDoS 2018 and Beyond
[quadrant chart: frequency (less frequent to more frequent) against difficulty to mitigate; attack classes plotted: DNS, SSL CPU Exhaustion (Layer 6), HTTP (Layer 7), Layer 3/4; size labels 40 Gbps, 100 Gbps, 200 Gbps, 500 Gbps]
Smaller, targeted L7 attacks are proving to be more difficult for the industry than L3/4.
IoT DDoS / Attack Case Study
Say Cheese: a snapshot of the massive DDoS attacks coming from IoT cameras: 128,000+ unique IPs, 220k rps, 360 Gbps, globally distributed (128,833 IPs)
CHALLENGES
• DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers switched to L7 attacks in an attempt to knock web applications offline
• Unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to the attacked server.
• These attacks came from the Internet-of-Things (IoT) category of devices
CLOUDFLARE SOLUTION
• Seeing the move towards L7 DDoS attacks, we put in place a new system that recognizes and blocks these attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a fingerprint that protects all Cloudflare customers.
The First Attack: the attack lasted 15 minutes with over 1 million HTTP RPS (Requests Per Second).
The Second Attack: this attack had 128,833 unique IP addresses. It generated only 220k RPS, but topped out at a high 360 Gbps of bandwidth.
Blog Post: https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/
Poll #2
Do you run services (SSH, FTP, SharePoint, SMTP, etc.) other than HTTP/S traffic on your origin?
● Yes
● No
Traditional DDoS Mitigation Solutions
Industry Legacy Scrubbing Center
[timeline: 12:00 pre-attack; 12:05 attack begins; 12:15 attack detected; 12:20 mitigation implemented]
Alternative DDoS Mitigation Solutions
Cloudflare’s Always-On DDoS Mitigation
[timeline: 12:00 to 12:05; continuous performance benefit, real-time detection, automatic mitigation]
Other DDoS Attack Vectors
Customer Challenges
DDoS Attack: Volumetric attacks on TCP-based services
Attackers send direct volumetric attack traffic to TCP-based services like email or remote access, impacting performance and availability.
[diagram: non-HTTP/S TCP attack traffic against SSH, SMTP, SFTP]
Data Theft: Snooping attempt on clear-text TCP
Attackers snoop non-web, unencrypted traffic to gain access to sensitive data, such as user credentials.
[diagram: snooping of unencrypted data in transit on SSH, SMTP, SFTP]
Cloudflare Spectrum
Proxy non-HTTP/S TCP traffic through Cloudflare
1. Mitigate DDoS for TCP Protocols and Ports
Cloudflare Spectrum proxies all non-HTTP/S TCP traffic through the same 120+ Cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports.
2. Encrypt Non-HTTP/S TCP Traffic
Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit.
3. Block Traffic by IP or IP Range
Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IPs or IP ranges can be dropped at the edge.
[diagram: client → encrypted TCP traffic (SSH, SMTP, SFTP) → Cloudflare → origin (SSH, SMTP, SFTP); callout 3: client IP 10.0.0.1 dropped by the IP Firewall]
https://developers.cloudflare.com/spectrum/
Spectrum Demo
Direct Attack against Origin IP
DDoS: Attackers directly attack the origin IP address.
Data Theft: Intrusion attempt directly on origin. Applications exposed to the public Internet through the IP address can be brute-forced to access sensitive data.
[diagram: origin IP 206.221.179.46; attack stopped by the Cloudflare proxy vs. attack (DDoS or brute force) bypassing the proxy to hit the IP address directly]
Cloudflare Argo Tunnel
Stop Direct Attacks Against the Web Server’s Origin with a Secure Agent
1. Protect web servers from DDoS attacks directly against their origin’s public IP address
When connected directly to Cloudflare, web servers can no longer be directly attacked through open ports on public IP addresses with DDoS or data theft attempts, keeping applications and APIs online and performant.
2. Safely and easily expose development environments to the Internet
Developers can expose the localhost on their laptop directly to the public Internet for testing code and speeding up development, while also being protected from attacks.
3. Accelerate Origin Traffic
Argo Tunnel not only protects web servers from direct attacks, but also accelerates origin requests through a persistent HTTP/2 connection. With Argo Smart Routing, origin requests bypass congested networks and are routed on the shortest network distance to ensure fast
[diagram: localhost and origin 206.221.179.46 connected to Cloudflare over a persistent HTTP/2 tunnel]
Argo Tunnel Demo
The Long Tail of “Layer 7” Attacks
[chart: site rank against capacity (HTTP requests per second)]
Cloudflare Rate Limiting
Precise DDoS Mitigation
• High precision denial-of-service protection through robust configuration options
Protect Customer Data
• Protect sensitive customer information against brute force login attacks
Ensure Availability
• Avoid service disruptions by setting usage limits on HTTP requests
[diagram: requests per IP address matching the traffic pattern]
Rate Limiting Demo
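Added example (not code from the deck or Cloudflare’s own implementation): a per-IP sliding-window limiter in Python that applies the slide’s “requests per IP address matching the traffic pattern” idea to constructed access-log lines. The rule values, the log format and the TEST-NET client addresses are assumptions; only POST /login requests are counted, so a brute-force burst trips the block while the same IP’s static-asset requests and other clients are unaffected, and the window slides rather than resetting on a fixed boundary.

```python
"""Per-IP sliding-window rate limiting replayed over constructed access-log lines.

Assumptions (example code, not the deck's or Cloudflare's implementation): the
log format "<epoch-seconds> <client-ip> <method> <path> <status>" and the rule
values below are constructed for this illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class RateLimitRule:
    """Traffic pattern + per-IP threshold over a window + block duration."""
    methods: Tuple[str, ...]   # request methods the rule applies to
    path_prefix: str           # URL prefix the rule applies to
    threshold: int             # max matching requests per IP within window_s
    window_s: int              # sliding window length in seconds
    block_s: int               # how long an IP stays blocked once it trips

    def matches(self, method: str, path: str) -> bool:
        return method in self.methods and path.startswith(self.path_prefix)


@dataclass
class RateLimiter:
    rule: RateLimitRule
    # timestamps of matching requests per IP still inside the window
    hits: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    # per-IP expiry time of an active block
    blocked_until: Dict[str, int] = field(default_factory=dict)

    def decide(self, ts: int, ip: str, method: str, path: str) -> str:
        """'pass' = not covered by the rule (never counted); 'allow' = counted,
        under threshold; 'block' = threshold exceeded or block still active."""
        if not self.rule.matches(method, path):
            return "pass"
        if self.blocked_until.get(ip, -1) > ts:
            return "block"
        window = self.hits[ip]
        window.append(ts)
        # Slide the window: forget hits older than window_s before counting.
        while window and window[0] <= ts - self.rule.window_s:
            window.popleft()
        if len(window) > self.rule.threshold:
            self.blocked_until[ip] = ts + self.rule.block_s
            window.clear()  # start a fresh count once the block expires
            return "block"
        return "allow"


def replay(log_text: str, rule: RateLimitRule) -> List[Tuple[int, str, str]]:
    """Feed log lines to a limiter in timestamp order; return (ts, ip, decision)."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, method, path, _status = line.split()
        events.append((int(ts), ip, method, path))
    limiter = RateLimiter(rule)
    return [(ts, ip, limiter.decide(ts, ip, method, path))
            for ts, ip, method, path in sorted(events, key=lambda e: e[0])]


def summarize(log_text: str, rule: RateLimitRule) -> Dict[str, Counter]:
    """Per-IP count of pass/allow/block decisions over the whole log."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for _ts, ip, decision in replay(log_text, rule):
        per_ip[ip][decision] += 1
    return dict(per_ip)


# Rule in the shape of the slide: at most 5 POST /login per IP per 60 s,
# block the IP for 10 minutes once exceeded (values constructed).
LOGIN_RULE = RateLimitRule(("POST",), "/login", threshold=5, window_s=60, block_s=600)

# Constructed log: a normal user, a brute-forcer, and a client that paces
# requests right at the window edge (TEST-NET addresses, not real clients).
SAMPLE_LOG = """
0 198.51.100.7 GET /static/app.js 200
0 198.51.100.7 POST /login 401
30 198.51.100.7 POST /login 200
1 203.0.113.9 POST /login 401
2 203.0.113.9 POST /login 401
3 203.0.113.9 POST /login 401
4 203.0.113.9 POST /login 401
5 203.0.113.9 POST /login 401
6 203.0.113.9 POST /login 401
7 203.0.113.9 POST /login 401
700 203.0.113.9 POST /login 401
0 192.0.2.5 POST /login 401
10 192.0.2.5 POST /login 401
20 192.0.2.5 POST /login 401
30 192.0.2.5 POST /login 401
40 192.0.2.5 POST /login 401
65 192.0.2.5 POST /login 401
66 192.0.2.5 POST /login 401
"""

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG, LOGIN_RULE).items()):
        print(ip, dict(counts))
```

The brute-forcer is blocked on its sixth login attempt and stays blocked until the block expires at 606 s, after which its request at 700 s is allowed again; the paced client is allowed at 65 s because the hit at 0 s has slid out of the window, and blocked at 66 s.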
Questions?
➔ John: jesterline@cloudflare.com
➔ Tim: fongster@cloudflare.com

Editor's Notes

  1. Talk Track: This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well. The important take-away is that these attacks are layered. In other words, a DDoS can attack different parts of your infrastructure.
     Volumetric DNS Flood: volumetric DNS queries against your DNS servers to make the DNS server unavailable.
     Amplification: using DNS to amplify requests and overload your server over UDP.
     HTTP Flood: volumetric HTTP attack to bring down the application.
     All of those attacks impact availability and performance of websites, applications and APIs.
     Questions: This is often a good, in-depth slide to share with a broader audience, for example if you have a security or infrastructure team. Would you be interested in that? Which have you experienced in the past, if any? How did you respond to them if you did?
  2. This final chart shows the volume of DNS-based attacks in Mbps. It's notable that these are never very big, but the one big spike is the day after we announced Unmetered Mitigation. Almost as if someone had a go to see if they could cause us harm :-)
  3. What is driving the exponential growth in traffic here? Insecure devices, increased connectivity and an increasing number of connected devices.
     If you return to attack sizes over time: have 10 Gbps, a fast connection to the Internet; 2007: 24 Gbps would have overwhelmed it. See peak sizes growing. Huge attacks, easily. Can’t fight these on your own.
     Animate from smallest to largest, one circle at a time. Side bar info = home internet connection.
     https://www.youtube.com/watch?v=Sp6bnvbrJb8&t=364s (9:45 min)
  4. Measuring Gigabytes is not an effective way of measuring DDoS. Across enterprises, L3/4 is handled with existing solutions. Attackers are moving to L7. Today the most damaging attacks are more frequent, and it is not the size of the attacks: targeted frequency matters more than size. Most damaging, less damage. Requests per second. You still need layer 3/4, but hitting the application layer is more effective.
     Rough Notes: Size of attacks vs. effectiveness of attacks. Application attacks are much more complex. Quadrant: frequency and effectiveness; small L7 and effective. Resource exhaustion. The reason this is happening is that we have gotten good at layer 3 and layer 4. Differentiator: data, what you get for free. DDoS 2017: customers automatically get DDoS updates, does not require human interaction. Freemium and the world’s largest QA. New fingerprinting. Free unmetered DDoS exists, and why it is better: because the more people using the service the
     Speak re issue with dine.
  5. Frankfurt is top
6. CHALLENGES
• DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers switched to L7 attacks in an attempt to knock web applications offline.
• Unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to the attacked server.
• These attacks came from the Internet-of-Things (IoT) category of devices.
• These attacks featured unique, long payloads that allowed the attackers to generate substantial traffic.
CLOUDFLARE SOLUTION
• Seeing the move towards L7 DDoS attacks, we put in place a new system that recognizes and blocks these attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a fingerprint that protects all Cloudflare customers.
7. Manually changing DNS introduces latency in time-to-migration. A single location can easily get flooded, and either exceed capacity or result in high overage charges during an attack. These scrubbers have exotic and extensive dedicated hardware which is expensive to maintain and operate, versus Cloudflare's commodity hardware that leverages the network. 'Clean' traffic has longer distances to travel, since scrubbers are centralized or separate from the cache, whereas Cloudflare's DDoS mitigation is integrated.
Trey's comments: we should show 1. what normal traffic looks like when not under attack, 2. what happens when an attack starts, 3. what happens when mitigations are now in place (with Cloudflare).
8. Continuous performance benefit; real-time detection and automated mitigation; non-impact mitigation. Manually changing DNS introduces latency in time-to-migration. A single location can easily get flooded, and either exceed capacity or result in high overage charges during an attack. 'Clean' traffic has longer distances to travel, since scrubbers are centralized or separate from the cache, whereas Cloudflare's DDoS mitigation is integrated.
Trey's comments: we should show 1. what normal traffic looks like when not under attack, 2. what happens when an attack starts, 3. what happens when mitigations are now in place (with Cloudflare).
9. Talk Track: DDoS attack. Internet application and API owners expose pieces of origin infrastructure to the public Internet when hosting non-HTTP/S services, such as gaming networks, remote access servers, file transfer services, email, and more. Exposing pieces of origin infrastructure increases the likelihood of unmasking origin IPs, potentially resulting in a volumetric DDoS attack. Data theft.
10. Talk Track: Spectrum ensures the same level of layer 3 and 4 volumetric DDoS mitigation expected from Cloudflare across all TCP protocols, including proprietary ones. In addition, it protects those protocols from data snooping and theft by encrypting traffic with Universal SSL/TLS.
11. Talk Track: Securing internal applications using a VPN is complex, lacks granular control, and doesn't meet the performance needs of mobile users. Cloudflare created Cloudflare Access to solve these problems. Cloudflare Access protects internal resources without having to set up a VPN. With Cloudflare Access, only authenticated users with the required permissions are able to access specific resources behind the Cloudflare edge. Support for existing identity providers such as Google, G Suite, GitHub, Okta, and more ensures the right users have easy and instant access regardless of physical location.
12. Talking Points: Rate Limiting complements Cloudflare's DDoS and Web Application Firewall (WAF) services. Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer. It provides the ability to configure thresholds and define responses by IP: if traffic from a specific IP exceeds the threshold, then those requests get blocked and the IP is timed out for a defined period. Rate Limiting also gives customers analytical insight into the endpoints of their website, application, or API, so they can monitor their good and bad traffic.
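To make the threshold, block and timeout behaviour concrete, here is an added example that models the mechanics the talking points describe; it is not Cloudflare's Rate Limiting implementation. A small sliding-window limiter counts requests per client IP, blocks an IP for a defined period once it exceeds the threshold, and keeps per-endpoint allowed/blocked counts of the kind the analytics view surfaces. The access-log sample, the IPs and the threshold values are all constructed for the illustration.

```python
"""Per-IP rate limiting with a block timeout, replayed over constructed log lines.

Added example, not Cloudflare's Rate Limiting implementation. It models the
behaviour the note describes: count requests per client IP over a sliding
window; when an IP exceeds the threshold, block it for a defined period;
keep per-endpoint counts so good and bad traffic can be reported.
"""
from collections import defaultdict, deque

# Constructed access-log sample as (timestamp_s, client_ip, path).
# 198.51.100.10 browses normally; 10.0.0.7 fires 80 requests at /login in
# eight seconds, then comes back twice after the block has expired.
SAMPLE_LOG = (
    [(t, "198.51.100.10", "/") for t in range(0, 10, 2)]
    + [(t / 10, "10.0.0.7", "/login") for t in range(80)]
    + [(20.0, "10.0.0.7", "/login"), (31.0, "10.0.0.7", "/login")]
)


class RateLimiter:
    def __init__(self, threshold, window_s, block_s):
        self.threshold = threshold    # max requests per window before blocking
        self.window_s = window_s      # sliding window length in seconds
        self.block_s = block_s        # how long a tripped IP stays blocked
        self.hits = defaultdict(deque)        # ip -> request timestamps in window
        self.blocked_until = {}               # ip -> timestamp the block expires
        self.stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})  # per path

    def check(self, ts, ip, path):
        """Decide one request: True = pass to origin, False = blocked."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:                         # still inside the timeout
                self.stats[path]["blocked"] += 1
                return False
            del self.blocked_until[ip]             # timeout over, start fresh
            self.hits[ip].clear()
        window = self.hits[ip]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:   # drop old hits
            window.popleft()
        if len(window) > self.threshold:           # threshold exceeded: block
            self.blocked_until[ip] = ts + self.block_s
            window.clear()
            self.stats[path]["blocked"] += 1
            return False
        self.stats[path]["allowed"] += 1
        return True


def replay(log, threshold=50, window_s=10, block_s=15):
    """Feed a log through the limiter in time order.

    Returns (decisions, per-path stats, IPs still blocked at the end)."""
    limiter = RateLimiter(threshold, window_s, block_s)
    decisions = [limiter.check(ts, ip, path) for ts, ip, path in sorted(log)]
    stats = {path: dict(counts) for path, counts in limiter.stats.items()}
    return decisions, stats, dict(limiter.blocked_until)


if __name__ == "__main__":
    decisions, stats, _ = replay(SAMPLE_LOG)
    print(f"{decisions.count(False)} of {len(decisions)} requests blocked")
    for path, counts in sorted(stats.items()):
        print(path, counts)
```

With a threshold of 50 requests per 10 seconds and a 15-second block, the 51st `/login` request from the noisy IP trips the limiter, the remaining 29 requests in its burst are rejected without touching the origin, and its request at 20 seconds is allowed again because the timeout has lapsed. The normal client on `/` is never affected, which is the point of keying the limit on the client IP rather than on the endpoint alone.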