
DDoS Threats Landscape : Countering Large-scale DDoS attacks


CF Chui
Solutions Architect, Arbor Networks

Published in: Internet

  1. DDoS Threat Landscape: Countering Large-scale DDoS Attacks
     CF Chui, Arbor Networks
  2. Who is Arbor Networks? "We See Things Others Can't"
     • 90%: percentage of the world's Tier 1 service providers who are Arbor customers
     • 107: number of countries with Arbor products deployed
     • #1: Arbor market position in DDoS mitigation equipment in the carrier, enterprise and mobile markets [Infonetics Research, Dec. 2014]
     • 14: number of years Arbor has been delivering innovative security and network visibility technologies and products
     • $19B: 2013 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing
     • 120+ Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative
  3. ATLAS Global Threat Analysis System
  4. Attack Landscape seen by ATLAS
  5. ATLAS Demographics
     • ATLAS provides invaluable data to Arbor customers and the broader operational security community
     • 330+ participating customers
       – 32% Europe
       – 24% North America
       – 17% Asia
       – 9% South America
       – 9% Global
     • Tracking a peak of over 120Tbps
  6. DDoS: Attack Types
     • Two-thirds of attacks are volumetric, up slightly
       – No surprise given the reflection storm
     • 90% of respondents report seeing application-layer attacks
       – 4% fall in the proportion of application-layer attacks
     [Chart: DDoS Attack Types, 2014 vs 2015]
  7. Substantial Growth in Largest Attacks
     • Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
     • Some saw multiple events above 100Gbps but only reported the largest
  8. Worldwide DDoS attacks trend

     | Period  | Average attack size (bps) | Change (Q/Q) | Peak attack size (bps) | Change (Q/Q) |
     |---------|---------------------------|--------------|------------------------|--------------|
     | 2014 Q1 | 1.12Gbps                  | -            | 325.06Gbps             | -            |
     | 2014 Q2 | 759.83Mbps                | -32.2%       | 154.69Gbps             | -52.4%       |
     | 2014 Q3 | 858.98Mbps                | +13.05%      | 264.61Gbps             | +71.1%       |
     | 2014 Q4 | 830.37Mbps                | -3.3%        | 267.21Gbps             | +1%          |
     | 2015 Q1 | 804.12Mbps                | -3.1%        | 334.22Gbps             | +25%         |
     | 2015 Q2 | 1.04Gbps                  | +29.4%       | 196.35Gbps             | -41%         |

     [Charts: World 2015 Q1 and 2015 Q2 size break-out by bps; buckets <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps]
  9. Attack size analysis – Worldwide
     • Percentage of attacks over 1Gbps is growing strongly
       – 16% in 2014, 17.7% in Q1 '15, 20.8% in Q2
       – Most growth in the 2-10Gbps range
     • Attack PPS rates also on the rise
       – 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
     • Percentage of attacks over 10Gbps resumes growth
       – 1.26% in 2014, 0.9% in Q1 '15, 1.41% in Q2 '15
       – Big jump in 50-100Gbps attacks in June
     [Charts: 2014/2015 event size break-out month-by-month; counts of events >10Gbps, >20Gbps, >50Gbps and >100Gbps]
  10. Reflection/Amplification attacks – Worldwide
     • Looking at attacks with source ports of services used for reflection
     • Q2 2015 shows the number of SSDP attacks starting to fall back
       – 84K in Q2, 126K in Q1 2015, 83K in Q4 '14
     • 50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)
     • Average attack sizes increase for all vectors except SNMP
     • Average duration of a reflection attack 20 mins in Q2 (19 mins in Q1)

     | Protocol | UDP source port | Max size Q2 '15 | Average size Q2 '15 |
     |----------|-----------------|-----------------|---------------------|
     | SNMP     | 161             | 10.95bps        | 1.06Gbps            |
     | Chargen  | 19              | 44.9Gbps        | 2.2Gbps             |
     | DNS      | 53              | 120.3Gbps       | 2.78Gbps            |
     | SSDP     | 1900            | 144.91Gbps      | 2.42Gbps            |
     | NTP      | 123             | 185.94Gbps      | 2.75Gbps            |

     [Chart: reflection mechanism as % of overall attacks, 2014 Q1 to 2015 Q2, for SSDP, NTP, DNS, Chargen, MSSQL and SNMP]
  11. APAC DDoS attacks trend

     | Period  | Average attack size (bps) | Change (Q/Q) | Average attack duration | Change (Q/Q) |
     |---------|---------------------------|--------------|-------------------------|--------------|
     | 2014 Q1 | 579.99Mbps                | -            | 28m 58s                 | -            |
     | 2014 Q2 | 530.51Mbps                | -8.5%        | 29m                     | +0%          |
     | 2014 Q3 | 588.74Mbps                | +11%         | 31m 8s                  | +7.3%        |
     | 2014 Q4 | 500.68Mbps                | -15%         | 41m 10s                 | +32%         |
     | 2015 Q1 | 483.65Mbps                | -4.4%        | 46m 11s                 | +12%         |
     | 2015 Q2 | 800.01Mbps                | +65.4%       | 39m 53s                 | -14%         |

     [Charts: attack traffic size, APAC Q2 2015 (buckets >20Gbps, 10-20Gbps, 5-10Gbps, 2-5Gbps, 1-2Gbps, 500Mbps-1Gbps, <500Mbps); attack duration, APAC Q2 2015 (buckets >24 hours, 12-24 hours, 6-12 hours, 3-6 hours, 1-3 hours, 30 mins-1 hour, <30 mins)]
  12. Large DDoS attacks seen in 2015 APAC
     Peak attack growth trend in Gbps, month by month (values read from the chart):

     | Month  | Peak (Gbps) | Month  | Peak (Gbps) | Month  | Peak (Gbps) |
     |--------|-------------|--------|-------------|--------|-------------|
     | Jan 14 | 88.31       | Jul 14 | 76.75       | Jan 15 | 334.22      |
     | Feb 14 | 66.63       | Aug 14 | 77.25       | Feb 15 | 94.13       |
     | Mar 14 | 235.6       | Sep 14 | 98.89       | Mar 15 | 51.25       |
     | Apr 14 | 127.16      | Oct 14 | 113.18      | Apr 15 | 136.91      |
     | May 14 | 76.29       | Nov 14 | 61.15       | May 15 | 100.99      |
     | Jun 14 | 83.44       | Dec 14 | 117.15      | Jun 15 | 144.91      |

     Call-outs on the chart:
     • 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec
     • 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min
     • 99Gbps/26Mpps to India, NTP reflection attack, 31 min
     • 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec
     • 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec
     • 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec
  13. Large DDoS attacks analysis – APAC
     • Number of attacks > 10Gbps increases significantly in Q2 2015
     • Number of attacks > 50Gbps jumps from 12 in Q1 2015 to 80 in Q2 2015
     [Chart: number of events with attack sizes > 10Gbps, month by month, Jan 2014 to Jun 2015]
  14. DDoS attacks targeting Malaysia H1 2015
     • 99% of the attacks < 1Gbps
     • 95% of attacks last less than 1 hour

     | Quarter | Peak attack size                           | Avg attack size        | Avg duration  |
     |---------|--------------------------------------------|------------------------|---------------|
     | Q1 15   | 94.13 Gbps/18.73 Mpps, UDP flooding attack | 80.94 Mbps/17.93 Kpps  | 42 min 32 sec |
     | Q2 15   | 27.90 Gbps/2.41 Mpps, UDP flooding attack  | 72.71 Mbps/11.99 Kpps  | 30 min 3 sec  |

     [Charts: attack traffic size and attack duration, MY Q2 2015, same size and duration buckets as slide 11]
  15.-18. Malaysia per quarter: average attack size, peak attack size, number of attacks, average attack duration
     Values read from the four bar charts (Q1 2013 to Q2 2015):

     | Quarter | Average attack size (Mbps) | Peak attack size (Gbps) | Number of attacks | Average attack duration (sec) |
     |---------|----------------------------|-------------------------|-------------------|-------------------------------|
     | Q1 2013 | 139.05                     | 69.69                   | 2356              | 4740                          |
     | Q2 2013 | 114.6                      | 10.96                   | 1179              | 1984                          |
     | Q3 2013 | 119.8                      | 7.47                    | 1493              | 1471                          |
     | Q4 2013 | 65                         | 124.77                  | 21361             | 741                           |
     | Q1 2014 | 64.46                      | 20.49                   | 25844             | 1470                          |
     | Q2 2014 | 147.51                     | 127.16                  | 30147             | 2146                          |
     | Q3 2014 | 128.46                     | 58.33                   | 30957             | 1917                          |
     | Q4 2014 | 209.25                     | 91.2                    | 28036             | 2901                          |
     | Q1 2015 | 80.94                      | 94.13                   | 42428             | 2552                          |
     | Q2 2015 | 72.71                      | 27.9                    | 34605             | 1803                          |
  19. Reflection/Amplification attacks: Anatomy of an NTP Reflection Attack
     Source: ATLAS data; data sourced from the tenth annual Worldwide Infrastructure Security Report
     • Attacker-Reflector leg: NTP Monlist Request (small); Src IP: spoofed (victim's IP), Dest IP: unsecured NTP server, Src Port: 80, Dest Port: 123
     • Attacker-Victim leg: NTP Monlist Response (large); Src IP: unsecured NTP server, Dest IP: victim, Src Port: 123, Dest Port: 80
     • Unsecured NTP servers (http://openntpproject.org) are used to reflect and amplify
     • An NTP reflection attack was responsible for the largest attack monitored by ATLAS in 2014: 325Gbps
     • 89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps
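The two legs above give a detector something concrete to look for: on the attacker-victim leg every packet arrives from UDP source port 123 (or 1900, 53, 19, 161 for the other vectors in the slide 10 table), from many different reflectors, and is large. The following is an added example, not code from the deck or from Arbor: it classifies NetFlow-style records by reflector source port, aggregates per victim and vector over a collector window, and alerts when many distinct reflectors feed one target. The flow records, the 10-second window, the 482-byte packet size and the alert thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reflection vectors keyed by the UDP source port the reflector answers from
# (the protocol/port table on slide 10). The port numbers are the real service
# ports; every traffic figure below is constructed for this example.
REFLECTION_VECTORS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP"}


@dataclass
class FlowRecord:
    """One unidirectional flow, as a NetFlow/cflowd-style collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int      # 17 = UDP, 6 = TCP
    bytes: int
    packets: int


def classify(flow):
    """Name the reflection vector a UDP flow belongs to, judged by its source port,
    or return None for traffic that does not look like a reflector response."""
    if flow.proto != 17:
        return None
    return REFLECTION_VECTORS.get(flow.src_port)


def summarize(flows, window_s):
    """Aggregate reflector-sourced flows per (victim, vector) over a window of
    window_s seconds: rate in Gbps and Mpps, distinct reflectors, mean packet size."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        bucket = agg[(f.dst_ip, vector)]
        bucket["bytes"] += f.bytes
        bucket["packets"] += f.packets
        bucket["reflectors"].add(f.src_ip)
    return {
        key: {
            "gbps": b["bytes"] * 8 / window_s / 1e9,
            "mpps": b["packets"] / window_s / 1e6,
            "reflectors": len(b["reflectors"]),
            "avg_pkt_bytes": b["bytes"] / b["packets"],
        }
        for key, b in agg.items()
    }


def alerts(summary, min_reflectors=3, min_gbps=1.0):
    """Alert when one victim receives at least min_gbps on one vector from at least
    min_reflectors distinct hosts: many reflectors answering a single target is
    the attacker-victim leg of the anatomy on slide 19. Thresholds are constructed."""
    return [
        (victim, vector, round(s["gbps"], 3))
        for (victim, vector), s in summary.items()
        if s["reflectors"] >= min_reflectors and s["gbps"] >= min_gbps
    ]


def sample_flows():
    """Constructed 10-second window: four NTP reflectors answering towards the
    victim's port 80 with 482-byte packets, one ordinary DNS answer, one TCP flow."""
    victim = "203.0.113.10"
    flows = [FlowRecord(f"198.51.100.{i}", 123, victim, 80, 17, 964_000_000, 2_000_000)
             for i in range(1, 5)]
    flows.append(FlowRecord("192.0.2.53", 53, victim, 41234, 17, 512, 1))   # normal DNS reply
    flows.append(FlowRecord("192.0.2.9", 123, victim, 443, 6, 1500, 10))    # TCP, ignored
    return flows


if __name__ == "__main__":
    for victim, vector, gbps in alerts(summarize(sample_flows(), window_s=10)):
        print(f"{vector} reflection against {victim}: {gbps} Gbps")
```

The per-vector split matters operationally because the filter that follows (an ACL, S/RTBH entry or flowspec rule) is written per source port; the distinct-reflector count is what separates a reflection flood from a single busy server answering legitimately on the same port.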
  20. Industry Best Current Practices (BCPs)
     • BCPs are industry best practices for locking down a network
     • Deploy these as policy to limit the exposure of your network
     Network infrastructure BCPs:
     • Separation of control plane from data plane
     • Interface ACLs (iACLs)
     • Source-based remote triggered blackhole (S/RTBH)
     • Destination-based remote triggered blackhole (D/RTBH)
     • Flowspec
     • uRPF
     Host-based BCPs:
     • OS hardening
     • Access control
     • Antivirus
     • Patching/version control
     • Application tuning
  21. Mitigation Architecture – Options available
     • tACLs – block all unnecessary protocols/ports at network ingress; protect critical resources
     • Flowspec – BGP-based injection of ACLs or routing policy to filter or divert traffic
     • S/RTBH – source-based remote triggered blackhole can be used to block known bad sources
     • D/RTBH – destination-based remote triggered blackhole can be used as a method of last resort to protect the network
     • IDMS – Intelligent DDoS mitigation to protect everything else
  22. How Can ISPs Defend Against These Attacks?
     • Deploy antispoofing at all network edges:
       – uRPF loose mode at the peering edge
       – uRPF strict mode at the customer aggregation edge
       – ACLs at the customer aggregation edge
       – uRPF strict mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
       – DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
       – PACLs and VACLs at the IDC LAN access edge
       – Cable IP Source Verify, etc. at the CMTS
       – Other DOCSIS and DSL mechanisms
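The slide places loose-mode uRPF at the peering edge and strict mode at the customer edge without saying why. The following added example (not from the deck or from any router vendor) simulates both checks against a small forwarding table to show the difference: strict mode requires the source to be routed back out the ingress interface, which catches a customer spoofing another customer's prefix but breaks where return paths are asymmetric, as at a peering edge; loose mode only asks whether the source is routable at all. The FIB, interface names and addresses are constructed, and the rule that a default route never satisfies either check (the allow-default off behaviour) is an assumption stated in the code.

```python
import ipaddress

# Constructed forwarding table for an ISP edge router, as (prefix, interface the
# prefix is reached through). An assumption for this example, not a configuration
# taken from the deck.
FIB = [
    ("0.0.0.0/0", "peer-a"),        # default route towards one upstream
    ("192.0.2.0/24", "peer-b"),     # prefix learned from the other peer
    ("198.51.100.0/24", "cust-1"),  # customer 1 aggregation port
    ("203.0.113.0/24", "cust-2"),   # customer 2 aggregation port
]


def longest_match(fib, addr):
    """Return (network, interface) of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_loose(fib, src, ingress):
    """Loose mode: accept when some route other than the default covers the source
    address; the ingress interface is not consulted. Stops bogon and unrouted
    sources but still passes a spoofed address that happens to be routable."""
    route = longest_match(fib, src)
    return route is not None and route[0].prefixlen > 0


def urpf_strict(fib, src, ingress):
    """Strict mode: the source must be routed back out the interface the packet
    arrived on. Suits single-homed customer edges; fails on asymmetric paths."""
    route = longest_match(fib, src)
    return route is not None and route[0].prefixlen > 0 and route[1] == ingress


# Assumption: a default route (prefixlen 0) never satisfies either mode.
MODES = {"loose": urpf_loose, "strict": urpf_strict}


def filter_packet(fib, src, ingress, mode):
    """Apply the uRPF mode configured on the ingress interface; 'accept' or 'drop'."""
    return "accept" if MODES[mode](fib, src, ingress) else "drop"


if __name__ == "__main__":
    for src, ingress, mode in [
        ("198.51.100.7", "cust-1", "strict"),  # customer 1's own address: accept
        ("198.51.100.7", "cust-2", "strict"),  # customer 2 spoofing customer 1: drop
        ("198.51.100.7", "cust-2", "loose"),   # loose mode would let that through
        ("10.0.0.1", "peer-a", "loose"),       # unrouted source at peering: drop
        ("192.0.2.5", "peer-a", "strict"),     # asymmetric return path: strict drops
        ("192.0.2.5", "peer-a", "loose"),      # which is why loose mode sits at peering
    ]:
        print(f"{src:>14} in {ingress} ({mode}): {filter_packet(FIB, src, ingress, mode)}")
```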
  23. Pervasive Detection – The Attack Surface
     [Diagram: service provider network with edges towards Customer 1, Customer 2, a Downstream ISP, the Internet, Data Center 1, Data Center 2 and Regional Broadband]
     • Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
       – Open-source flow telemetry collection/analysis tools allow basic visibility; they can be sufficient for high-volume attacks, once impact is evident
       – Arbor Peakflow SP provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
  24. Mitigation – IDMS
     [Diagram: IDMS placed in a provider network with Peer A, Peer B, upstreams and IXP-W / IXP-E connections]
  25. Mitigation High Availability
     • Network-based redundancy
       – Regional redundancy using BGP anycast to mitigate traffic at the nearest location
       – Appliances or blades in a router
     • Scrubbing center redundancy
       – Multiple TMS appliances in a single scrubbing center
       – Use of Equal Cost Multipath (ECMP) between appliances
     • Link redundancy in the datacenter
       – Deploy APS appliances in redundant datacenter paths
       – Manually fail over to the backup path if a system fails into bypass
  26. BGP Anycast Mitigation Redundancy
     [Diagram: two scrubbing centers, each with Peakflow SP TMS, attached to the IP core; customer aggregation, POP, peers, transit and customer CPE shown]
  27. Mitigation Center Redundancy – CEF/ECMP
     [Diagram: regional mitigation center with a TMS mitigation cluster of Arbor TMS IDMSes; CEF/ECMP load balancing between the TMS appliances spreads the attack across the cluster]
  28. IDC On-Premise APS Link Redundancy
     [Diagram: Pravail 1 and Pravail 2 APS appliances on redundant paths between the Internet and the IDC]
     • Since each APS port-pair can also offer hardware bypass, single-box failures do not require re-convergence
  29. Scaling Mitigation Capacity
     • Currently-shipping largest-capacity Intelligent DDoS Mitigation System (IDMS): 40gb/sec
     • 16 IDMS (CEF/ECMP limit) = 640gb/sec per cluster
     • Multiple clusters can be anycasted
     • Largest number of IDMSes per deployment currently 100 = 4tb/sec of mitigation capacity per deployment, 10x more than the largest DDoS to date
     • Deploy IDMSes in mitigation centers at edges, in/out of edge devices
     • Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!
     • S/RTBH and flowspec leverage router/switch hardware: hundreds of Mpps, gb/sec. Leveraging network infrastructure is required due to the ratio of attack volumes to peering and core link capacities!
  30. DDoS Mitigation – BGP Flowspec
     • The flow specification can match on the following criteria:
       – Source / destination prefix
       – IP protocol (UDP, TCP, ICMP, etc.)
       – Source and/or destination port
       – ICMP type and code
       – TCP flags
       – Packet length
       – DSCP (Diffserv Code Point)
       – Fragment (DF, IsF, FF, LF)
     • Actions are defined using extended communities:
       – 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
       – 0x8007: traffic-action (sample)
       – 0x8008: redirect to VRF
       – 0x8009: traffic-marking (DSCP value)
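The match criteria and the 0x80xx actions listed above are the component types and extended communities of RFC 5575, which is what Peakflow SP, ExaBGP or a router actually put on the wire. The following added example (written for this page; it is not Arbor, ExaBGP or vendor code) encodes a flowspec NLRI and its action communities byte for byte, so the reader can see how a rule such as "UDP from source port 123, longer than 400 bytes, towards the victim, rate 0" becomes a BGP update. Component type numbers, the operator-byte layout and the community formats are from RFC 5575; the victim address and the 400-byte length threshold are constructed.

```python
import ipaddress
import struct

# Component types from RFC 5575 section 4, one per match criterion on the slide.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator byte: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01).
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}   # operand width in octets


def _width(value):
    """Smallest operand width (1, 2, 4 or 8 octets) that holds value."""
    for w in (1, 2, 4, 8):
        if value < 1 << (8 * w):
            return w
    raise ValueError("value too large for a flowspec operand")


def encode_prefix(comp_type, cidr):
    """Type 1/2 component: <type><prefix length in bits><minimal prefix octets>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(comp_type, terms):
    """Numeric component: <type> followed by (operator, value) pairs. A term whose
    flags include OP_AND is ANDed with the previous term, otherwise ORed; the
    end-of-list bit is set on the last term by the encoder."""
    out = bytes([comp_type])
    for i, (flags, value) in enumerate(terms):
        w = _width(value)
        op = flags | LEN_CODE[w] | (OP_END if i == len(terms) - 1 else 0)
        out += bytes([op]) + value.to_bytes(w, "big")
    return out


def encode_nlri(components):
    """Flowspec NLRI: total length (1 octet below 240, else 0xFnnn) followed by
    the components in ascending type order."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


# Extended communities from RFC 5575 section 7 (the 0x80xx actions on the slide).
def traffic_rate(bytes_per_sec, asn=0):
    """0x8006: 2-octet AS, then the rate as an IEEE float; 0.0 discards the flow."""
    return struct.pack(">HHf", 0x8006, asn, float(bytes_per_sec))


def redirect_vrf(asn, value):
    """0x8008: redirect into the VRF that imports route-target asn:value."""
    return struct.pack(">HHI", 0x8008, asn, value)


def traffic_marking(dscp):
    """0x8009: rewrite the DSCP; the value sits in the low 6 bits of the last octet."""
    return struct.pack(">H", 0x8009) + bytes(5) + bytes([dscp & 0x3F])


def ntp_reflection_filter(victim_cidr):
    """Rule for the slide-19 traffic: UDP from source port 123 towards the victim,
    packets longer than 400 bytes (a constructed threshold), with traffic-rate 0
    so the edge routers discard the matching flow and nothing else."""
    nlri = encode_nlri([
        encode_prefix(DEST_PREFIX, victim_cidr),
        encode_numeric(IP_PROTO, [(OP_EQ, 17)]),
        encode_numeric(SRC_PORT, [(OP_EQ, 123)]),
        encode_numeric(PKT_LEN, [(OP_GT, 400)]),
    ])
    return nlri, traffic_rate(0)


if __name__ == "__main__":
    nlri, action = ntp_reflection_filter("203.0.113.10/32")
    print("NLRI     :", nlri.hex())     # 100120cb00710a03811106817b0a920190
    print("community:", action.hex())   # 8006000000000000
```

Reading the NLRI back: `10` is the 16-octet length, `01 20 cb00710a` the /32 destination, `03 81 11` protocol == 17, `06 81 7b` source port == 123, and `0a 92 0190` packet length > 400 with a two-octet operand. Matching on the destination /32 plus a port and length is what keeps the rule a subset of the victim's traffic, the point slide 33 makes about diversion; a rule on source port 123 alone would also drop the victim's own NTP replies.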
  31. Why Use BGP For ACLs?
     • ACLs are still the most widely used tool to mitigate DDoS attacks
       – But... ACLs are demanding in configuration and maintenance
     • BGP Flowspec leverages the BGP control plane to simplify the distribution of ACLs, greatly improving operations:
       – Inject new filter rules into all routers simultaneously without changing configuration
       – Reuse existing BGP operational knowledge and best practices
     • Improve response time to mitigate DDoS attacks!
  32. BGP Flowspec Mitigation
     [Diagram: botnet and legitimate users on the Internet; service provider network with edge routers; enterprise or IDC with firewall, IPS/IDS and the victim; good traffic and attack traffic paths; a BGP announcement carrying the FLOW rule]
     • SP portal initiates a BGP update with the ACL filter to be applied at the edge router external interfaces (in theory the customer could also initiate it)
     • Edge routers configured with BGP flowspec sessions, and flowspec filtering enabled on external peering interfaces
     • Flowspec filter applied on the external interfaces; only traffic matching that flow is discarded
     • BGP Flowspec route validation performed for eBGP sessions only
  33. BGP Flowspec Traffic Redirection
     [Diagram: Internet; scrubbing center with DDoS scrubber and detection & control behind a "dirty" VRF; enterprise or IDC with router, firewall, IPS/IDS and victim; BGP Flowspec diversion, traffic reinjection, good traffic and attack traffic paths]
     • BGP Flowspec filter redirects only the specified traffic that matches the rule
     • Diverted traffic is a subset of all traffic destined to the victim
  34. BGP Flowspec – Vendors
     • Router vendors supporting BGP Flowspec:
       – Cisco IOS XR 5.2.0 and XE 3.14
       – Alcatel-Lucent 7750 SROS 9.0R1
       – Juniper JunOS 7.3
     • DDoS mitigation vendors:
       – Arbor Peakflow SP >5.8
     • BGP tools:
       – ExaBGP injector
  35. Mitigation – S/RTBH or Flowspec
     [Diagram: provider network with Peer A, Peer B, upstreams, IXP-W and IXP-E]
     • Peakflow SP advertises a list of blackholed prefixes based on source or destination addresses, or a layer-4 flowspec classifier
     • Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec)
  36. SDN Illustrated
     [Diagram: logical view and physical view; controller with northbound API (REST) and southbound API, WB API between controllers, policy, OpenFlow]
  37. NFV Illustrated
     [Diagram: logical view with Internet, router, Arbor APS, FW, IPS, LB and webservers; physical view with Internet, vRouter, vAPS, vFW, vIPS, vLB and web VMs]
  38. Where SDN Could be Ideal
     • Meter traffic conditions, application and user behavior
     • Match those conditions against a set of pre-defined criteria (policy)
     • Act on the match according to a policy (control behavior)
     [Diagram: controller with northbound API (REST), southbound API, WB API and OpenFlow, as on slide 36]
  40. TMS Blacklist Offload via OpenFlow
     [Diagram: Provider A and Provider B feeding a data center with TMS; good traffic passes, bad traffic is dropped (X) in the fabric via OpenFlow]
     • Offloads traffic filtering from TMS to the network fabric via an SDN protocol for greater scale and performance
     • Integrates a 3rd-party SDN controller 'speaking' OpenFlow
     • Similar/extensible to other policy-based protocols: BGP, FlowSpec, NETCONF, etc.
  41. Mitigation – OpenFlow
     [Diagram: TMS in a provider network with Peer A, Peer B, upstreams, IXP-W and IXP-E]
  42. Summary – Detection/Classification/Traceback/Mitigation
     • Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
       – Many open-source tools available as well
     • Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches
     • Ensure recursive DNS servers are not queryable from the public Internet; only from your customers/users
     • Ensure SNMP is disabled/blocked on public-facing infrastructure/servers
     • Disallow level-6/-7 NTP queries from the public Internet
     • Disable all unnecessary services such as chargen
     • Regularly audit network infrastructure and servers/services
  43. Arbor Networks' Product Portfolio
  44. Thank You
