PLNOG 17 - Artur Kane - DDoS? You shall not pass!


From zero to hero: the story of a technology startup that grew from the national academic network of the Czech Republic into a world leader in NetFlow/IPFIX. Flowmon is developing artificial intelligence that detects and responds to volumetric attacks. Flowmon DDoS Defender is an example of how DDoS protection can be easy, efficient and flexible.

  1. DDoS? You shall not pass! PLNOG 17, Kraków, 26.09.2016. Artur Kane, Technology Evangelist
  2. Our beginnings
  3. Our beginnings: first 10GE monitoring board in an academic environment (2004)
  4. Our beginnings: functional prototype of a HW-accelerated multigigabit (4x1GE, 1x10GE) NetFlow probe; final recommendation – monitor EU networks with the Flowmon (NetFlow) probe (2005/6)
  5. Who we are today: 600+ customers on 5 continents • 100+ employees, HQ in CZ • rapidly growing, organically • recognized/awarded by Gartner and Deloitte, technology partnerships • technology leader in next generation network, security and application monitoring
  6. Verticals: ISP, banking/finance/utilities; from SMB to ENT and GOV customers; 600+ customers in 30+ countries
  7. Technology leader – 100G
  8. Value proposition - visibility: Next Generation Network Traffic & Performance Monitoring (NetFlow/IPFIX) • provides visibility – “eyes” into the network traffic • saves time and money for network administrators • enables quick troubleshooting and ticket resolution • delivers a substantial reduction in network implementation, operation and management costs
  9. Value proposition - security: Next Generation Network Security - Behavior Analysis & Anomaly Detection • detects and alerts on abnormal behaviors • reports anomalies and advanced persistent threats • detects intrusions and attacks not visible to standard signature-based tools. Paul E. Proctor, VP at Gartner: “NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism.”
  10. Value proposition – DDoS protection: out-of-path detection and mitigation of volumetric DoS/DDoS attacks • average cost of one minute of downtime is $22.000 • average downtime is 54 minutes per attack • protect your business and customer satisfaction
  11. Technology landscape
  12. The solution (network traffic monitoring, network statistics collection & analysis, advanced analysis of network statistics): Flowmon Probes • stand-alone passive sources of network statistics (NetFlow/IPFIX); Flowmon Collector • storing, visualization and analysis of network statistics; Flowmon Modules • anomaly detection, traffic capture, Application Performance Monitoring, DDoS attack detection and mitigation
  13. How are we better? All-in-one package • data generation, collection, analytics, reporting, detection capabilities, troubleshooting on infrastructure, application and database level – as an all-in-one device. Neat integration • use the whole potential of your past investments in network/security instruments. Massive performance • first 100G NetFlow/IPFIX probes in the world, the most robust NetFlow collector. Ultimate scalability • proven in deployments in organizations from 50 to 50 million users. Transparent licensing • perpetual and subscription licensing per appliance, the only limitation is the performance of the given device. Smashing user-friendliness • agentless, non-intrusive, easy and quick deployment, intuitive, straightforward GUI, great time-to-value. Outstanding cost efficiency • best price/performance ratio in the industry, low operational costs
  14. DDoS Defender
  15. Facts about DDoS: average cost of one minute of downtime is $22.000; average downtime is 54 minutes per attack; protect your business and customer satisfaction
  16. Protection strategies: in-line detection and mitigation fits enterprises • limited number of uplinks • L7 attack coverage • reasonable price/performance ratio. ISP/telco/datacenter need out-of-path mitigation • focus on covering volumetric attacks • too many uplinks and too much throughput. Solution? Flow-based volumetric DDoS detection combined with out-of-path mitigation
  17. DDoS Defender overview: DDoS detection and mitigation • focused on volumetric attacks • uses flow data from any source (routers, probes, …) • predicts traffic volume using baseline/static methods • provides attack characteristics and notifications. Multi-tenant environment to protect various customers, network segments, services, etc. Universal deployment scenarios: Flowmon DDoS Defender standalone; out-of-band elimination of the DDoS attack (PBR, BGP); scrubbing center
  18. BGP Flowspec: uses various types of flow specification as the dynamic signature of the attack and provides a specific action for traffic matching the attack characteristics. Flowmon DDoS Defender 3.0 supports the following attributes to create a dynamic signature: • Destination Prefix • Source Prefix • IP Protocol • Destination port • ICMP type • ICMP code
  19. Attack detection: detection is performed over protected segments • segments are defined by network subnets. For each segment, a set of baselines is learned from the monitored traffic; an attack is detected when the current traffic exceeds the defined threshold. A baseline is learned for: • TCP traffic with specific flags • UDP traffic • ICMP traffic
  20. Response to attack: Alerting • e-mail, Syslog, SNMP trap. Routing diversion • PBR (Policy Based Routing) • BGP (Border Gateway Protocol) • BGP Flowspec • RTBH (Remotely-Triggered Black Hole). User-defined scripting. Automatic mitigation • with out-of-band mitigation devices • with the services of a scrubbing center
  21. Out-of-band (diagram): Internet Service Provider core – flow data collection, learning baselines, attack anomaly detection, mitigation enforcement; scrubbing center; attack path vs. clean path; traffic diversion via BGP route injection; dynamic protection policy deployment incl. baselines and attack characteristics; Protected Object 1 (e.g. data center, organization, service etc.), Protected Object 2
  22. BGP Flowspec (diagram): Internet Service Provider core – flow data collection, learning baselines, attack anomaly detection, mitigation enforcement; Protected Object 1 (e.g. data center, organization, service etc.), Protected Object 2; sending a specific route advertisement via BGP FlowSpec. Dynamic signature: Dst IP: Dst Port: 135 Protocol IP: 17 (UDP) Discard. Dropped traffic for Dst IP: Dst Port: 135 Protocol IP: 17 (UDP)
  23. Customers
  24. Summary: multitenant DDoS protection for ISPs, DCs and cloud providers against volumetric attacks • fast detection – up to 1 min • SDN compatible • affordable pricing • comprehensive solution including NPMD, NBA, APM and full packet capture
  25. Live demo – DDoS mitigation: Flowmon DDoS Defender 3.0
  26. Q&A
  27. Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic. Artur Kane, +420 734 754 449
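The per-segment baseline detection of slide 19 and the Flowspec-style dynamic signature of slide 22, as an added example (not Flowmon's code, and not how DDoS Defender is implemented): baselines are learned per segment and traffic class over quiet minutes of constructed flow records, and the minute that exceeds a multiple of its baseline yields a discard signature with destination prefix, IP protocol and destination port. The segment, flow fields, threshold factor and floor are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flows (not a real NetFlow/IPFIX export); minute 5 carries a UDP flood to port 135.
SEGMENTS = {"dc1": ipaddress.ip_network("203.0.113.0/24")}   # assumed protected segment
FLOWS = []
for m in range(5):                                    # minutes 0-4: normal traffic
    FLOWS += [dict(minute=m, dst="203.0.113.10", proto=6, dport=443, pkts=400, flags=0x02),
              dict(minute=m, dst="203.0.113.10", proto=17, dport=53, pkts=100, flags=0),
              dict(minute=m, dst="203.0.113.20", proto=1, dport=0, pkts=20, flags=0)]
FLOWS += [dict(minute=5, dst="203.0.113.10", proto=17, dport=135, pkts=5000, flags=0)
          for _ in range(50)]                         # minute 5: 50 flood flows
FLOWS.append(dict(minute=5, dst="203.0.113.10", proto=17, dport=53, pkts=100, flags=0))

def traffic_class(f):
    # Classes a baseline is learned for: TCP split by flags (SYN here), UDP, ICMP.
    if f["proto"] == 6:
        return "tcp_syn" if f["flags"] & 0x02 else "tcp_other"
    return {17: "udp", 1: "icmp"}.get(f["proto"], "other")

def group_flows(flows):
    # (segment, class, minute) -> flows whose destination lies in that segment.
    groups = defaultdict(list)
    for f in flows:
        ip = ipaddress.ip_address(f["dst"])
        seg = next((n for n, net in SEGMENTS.items() if ip in net), None)
        if seg:
            groups[(seg, traffic_class(f), f["minute"])].append(f)
    return groups

def learn_baselines(flows, train_minutes):
    # Mean packets per minute for each (segment, class) over the training window.
    base = defaultdict(float)
    for (seg, cls, m), fs in group_flows(flows).items():
        if m in train_minutes:
            base[(seg, cls)] += sum(f["pkts"] for f in fs) / len(train_minutes)
    return dict(base)

def detect(flows, baselines, minute, factor=5.0, floor=1000):
    # Flag the first class whose packets in `minute` exceed factor x baseline (or `floor`
    # when the class has no baseline) and build the signature from the dominant dst/proto/port.
    for (seg, cls, m), fs in group_flows(flows).items():
        pkts = sum(f["pkts"] for f in fs)
        if m != minute or pkts <= max(factor * baselines.get((seg, cls), 0), floor):
            continue
        dst = Counter(f["dst"] for f in fs).most_common(1)[0][0]
        proto, dport = Counter((f["proto"], f["dport"]) for f in fs).most_common(1)[0][0]
        return {"segment": seg, "dst_prefix": dst + "/32", "ip_protocol": proto,
                "dst_port": dport, "action": "discard", "packets": pkts}
    return None
```

Minute 4 stays under every threshold and returns no signature, while minute 5 returns a discard rule for 203.0.113.10/32, protocol 17, port 135, the shape of the slide's Flowspec advertisement.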