Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

A10 issa d do s 5-2014


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

A10 issa d do s 5-2014

  1. 1. 1 Customer Driven Innovation 1 Do not distribute/edit/copy without the written consent of A10 Networks The Growing DDoS Threat Jim Mason, CISSP Sr. Systems Engineer A10 Networks – NC/SC Ralph Bozzini Regional Sales Director A10 Networks – NC/SC Mark Mormann Trusted Advisor Channel Systems
  2. 2. 2 2009 1010 3,000+ 1.888.822.7210 2004 A10 founded in San Jose, CA by Lee Chen Our name: “A” in Hexadecimal, “10” in Decimal Shipped industry’s first “true” 64-bit ADCs Customer Install Base Worldwide (1-888-TACS-A10) World-class Customer Support! A10 (NYSE: ATEN): By the Numbers
  3. 3. 3 A10 Products ADC Product Line Application Optimization, Availability & Security for Web and Data Center Servers CGN Product Line Carrier-Grade, RFC Compliant IPv4 NAT Extension & IPv6 Migration Solutions TPS Product Line DDoS Detection & Mitigation Products Protecting Attack on Critical Server Infrastructure A10 provides solutions today in three distinct areas: Advanced Core OS
  4. 4. 4 Impact of DDoS Attacks v  Overwhelmed Internet Links v  Diminished Brand Equity v  Customer Dissatisfaction v  Winding up on “NBC Nightly News”
  5. 5. 5 DDoS & Intrusion: Top of mind
  6. 6. 6 DDoS Crime Timeline Q3 2010 PayPal Discloses cost of attack £3.5M ($5.8 Million) Q1 2013 Nat’l Credit Union Administration Recommended DDoS protection to all members Q4 2012 Bank of the West $900k stolen DDoS used as a diversion Q4 2012 al Qassam Cyber Fighters 10-40 Gbps attacks aimed at 10 major banks over 5-week period Q4 2013 6.8 million mobile devices are potential attackers (LOIC and AnDOSid) “The average hourly revenue loss during a Layer 7 DDoS attack is $220,000” – Forrester “Predicted growth in financial impact from cybercrime: 10% (through 2016)” – Gartner Q2 2014 Federal Financial Institutions Examination Council (FFIEC) issues new mandate requiring banks to monitor for DDoS
  7. 7. 7 DDoS Readiness †  Co-Op Financial Services (April 2013) ¿  Conducted a random survey of Credit Unions regarding DDoS planning:
  8. 8. 8 DDoS and the Financial Sector †  Federal Financial Institutions Examination Council (FFIEC) ¿  Banks and financial institutions regulated by the federal government must now monitor for Distributed Denial-of-Service (DDoS) attacks against their networks and have a plan in place to try and mitigate against such attacks ¿  “…sometimes DDoS attacks will serve as “a diversionary tactic” by criminals in the course of attempting to commit fraud of various kinds” †  Six step program: ¿  Assess risk to IT systems ¿  Monitor Internet traffic ¿  Prepare to activate response ¿  Ensure sufficient staffing ¿  Share information ¿  Evaluate and adjust
  9. 9. 9 †  Akamai – Internet Content Delivery network Headquartered in Cambridge MA (HQ) Delivers over 2 trillion Internet transactions a day Name: Hawaiian word meaning “intelligent” or “witty” †  DDoS attacks on websites shot up 75% last quarter †  A 23% Year Over Year increase †  Most of the targets were enterprises †  Chances of a repeat attack: 1 in 3 (35% YOY increase) †  Largest percentage by Country of Origin: China – 43% The Latest from Akamai Technologies Source: Akamai Technologies' State of the Internet Report for Q4 2013 (April 23, 2014)
  10. 10. 10 †  “High-bandwidth (200-400 Gbps) DDoS attacks are becoming “The new normal” and will continue wreaking havoc on unprepared enterprises…” - Gartner †  “Despite Volumetric-based attacks remaining most popular, more advanced hybrid attacks that include Application Layer and encrypted traffic will grow” – IDC †  “Bot traffic is up to 61.5% of all website traffic” – Incapsula Analyst Observations: DDoS will keep growing… Bottom line: Anyone can be targeted now.
  11. 11. 11 What is a DDoS Attack? †  Denial of Service (DoS) is an attack to make a service unusable †  Distributed DoS (DDoS) leveraged by botnets: many “Zombie” hosts send a high volume of traffic to a target server/service/website †  “Botnets-for-hire” are a reality for on-demand attacks Attacker Zombie Target Zombie Zombie Zombie
  12. 12. 12 Attack Percentages Source: Prolexic - Q4 2013 75% Network Layer 20% Application Layer TCP/UDP Floods – 37% †  Largest attack increase: 33% 300 Gbps (Q2 2013) 400 Gbps (Q1 2014)* †  60 Gbps regularly seen 100 Gbps not uncommon** †  Average attack: 35 Million Packets-per-second
  13. 13. 13 DDoS Network Attack Traits †  Common characteristics ¿  Exploits layer Layer 3-4 protocols ¿  Does not require a full connection (often spoofed) ¿  High volume attacks can overwhelm pipes and/or connection capabilities ¿  Simple to create the high volumes necessary for such attacks †  Types ¿  Malformed requests ¿  Spoofing ¿  High PPS rates ¿  Connection exhaustion
  14. 14. 14 SYN Flood Attack •  The attacker or botnet sends multiple TCP SYN requests to the target •  Target responds to each SYN with a SYN-ACK to establish a valid connection, waits for ACKs •  Connection table of the server fills up with “half-opens”, new connections are dropped •  Server/service effectively “DDoSed” at that point, legitimate users shut out •  Why it works – Exploits the TCP 3-Way Handshake weakness (blind trust)
  15. 15. 15 DNS Amplification Attacks •  Valid UDP-based DNS requests using a spoofed IP address (similar to Smurf attack) are sent to the intended target (victim) •  Type of attack executed against Spamhaus (300Gbps) in 2013 •  Why it works: DNS is heavily used (Web, Email, VoIP) and generally unrestricted Nature of DNS results in larger response volume than request volume
  16. 16. 16 †  Common characteristics ¿  Legit TCP/UDP connections (Not spoofed) Thus harder to differentiate ¿  Operates at L7 (Protocol and packet payload) ¿  Exploits flaws in or limitations of applications ¿  More efficient and lethal ¿  Sophisticated: Evades simple countermeasures †  Types ¿  High host processing ¿  Application floods ¿  Application exploits ¿  Amplification attacks DDoS Application Attack Traits
  17. 17. 17 HTTP GET Flood •  Huge flood of HTTP GET packets, requesting large amounts of data/objects from the target server •  Due to the amount of requests coming from botnets, the target system is overwhelmed and cannot respond to legitimate requests from users •  Why it works: Since the 3-way TCP handshake has been completed, these requests look legitimate
  18. 18. 18 Slow POST/RUDY Attack •  A common attack, where attacker sends HTML “POSTs” at slow rates under the same session Slow POST tool RUDY uses long-form field submissions to perform these attacks •  Causes server application threads to await the end of boundless POSTs in order to process them •  This results in exhaustion of web server resources and prevents service for legitimate traffic
  19. 19. 19 Slowloris Attack •  Slowloris holds many connections to the target web server open as possible, for as long as possible. Creates connections to the target server, but sends only a partial request at a very slow rate. •  The targeted server keeps each of these false connections open, eventually overflowing the maximum concurrent connection pool and shutting out legitimate clients.
  20. 20. 20 Network Time Protocol (NTP) Amplification Attack •  Attacker gains control of a server on a network that allows Source IP address spoofing (i.e., it does not follow IETF BCP38 (Best Current Practices) for ingress filtering) •  Large number of spoofed UDP packets sent appearing to come from the intended target •  UDP packets are sent to NTP servers (port 123) that support the MONLIST command •  CloudFlare attacker used 4,529 NTP servers running on 1,298 different networks Each server sent an average 87Mbps of traffic to CloudFlare = 400Gbps!
  21. 21. 21 What’s Needed for Effective DDoS Mitigation? Mitigation device with higher Packet Per Second (PPS) and throughput capacity Fast, dedicated hardware to combat frequent network attacks Attacks are now very high volume Existing solutions cannot keep up Advanced L7 intelligence and high processing capacity More sophisticated Layer-7 attacks
  22. 22. 22 ACOS: Optimal Platform for DDoS Mitigation Shared Memory Architecture 1 2 3 N Flexible Traffic Accelerator Switching and Routing Efficient & Accurate Memory Architecture 64-bit Multi-Core Optimized Optimized Flow Distribution Hardware DDoS Mitigation Assist •  Packet Integrity Check •  SYN Cookie •  More… Unparalleled Packet Processing and Throughput Capacity 64K Protected Object Capacity Large Capacity Threat Intelligence List (8 x 16 Million lines) Sub-second Traffic Rate Control for Burst Traffic
  23. 23. 23 Thunder TPS: Next Generation DDoS Protection Multi-vector Application & Network Protection High Performance Mitigation Broad Deployment Options & 3rd Party Integration High performance 155 Gbps of attack mitigation throughput, 200 Million PPS (5x today’s average) in 1 RU Up to 1.2 Tbps in 8-device cluster Broad Deployment and 3rd Party Symmetric, Asymmetric, Out-of-band (TAP) Modes Open SDK/RESTful API for 3rd party integration Multi-vector protection Detect & mitigate application & network attacks Flexible scripting & DPI for rapid response
  24. 24. 24 Mitigating DDoS Attacks Five principal methods for effective mitigation: •  Packet Anomaly Check Network level packet sanity check (Conformity) •  Black/White Lists Network level high speed inspection and control •  Authentication Challenge: Network & application level validation of client origination integrity •  Traffic Rate Control Network and application monitoring to rate limit traffic •  Protocol and Application Check
  25. 25. 25 Packet Anomaly Check †  Packet sanity check (conformity) in hardware and software ¿  Prevents volumetric attacks and protocol attacks ¿  Network checks (Layer 3-4) for standard behavior ¿  No configuration required †  Auto detects (HW) 30+ attacks such as: ¿  Empty Fragment, Invalid IP Fragment, LAND Attack, Ping of Death, No IP Payload, Runt IP Header, TCP XMAS, UDP Short Header, and many more… Denied Allowed Packet Anomaly Inspection
  26. 26. 26 Black and White Lists †  High speed inspection & control of good and bad sources ¿  Prevents known bad clients ¿  List capacity of 8 x 16 Million entries ¿  Network level enforcement (Layer 3-4) †  Options to build Black/White Lists ¿  Import 3rd party lists e.g. ThreatSTOP, Spamhaus ¿  Manual configuration ¿  Dynamic creation with: °  Authentication challenges °  Protocol and application checks Denied Allowed Large List Look-up With Multiple Actions Known Bad IP
  27. 27. 27 Authentication Challenge †  Validates client origination integrity ¿  Prevents volumetric and protocol attacks ¿  Network and application checks (Layer 3-7) †  Examples ¿  DNS Authentication ¿  HTTP Challenge ¿  TCP SYN packet authentication ¿  TCP SYN Cookie Denied Allowed
  28. 28. 28 Traffic Rate Control †  Monitor and rate limit traffic ¿  Prevents volumetric attacks, protocol and resource attacks ¿  Network and application level enforcement (Layer 3-7) †  Examples ¿  Connection limit ¿  Connection rate limit ¿  Packet rate limit ¿  HTTP Request rate limit Rate and/or Connection Limits for Predictable Load
  29. 29. 29 Protocol and Application Check †  Monitor and check traffic behavior ¿  Prevents resource attacks and application attacks ¿  Enforce specific values ¿  Network and application checks (Layer 3-7) †  Examples ¿  TCP template, HTTP template, DNS template, UDP template, SSL-L4 template more… ¿  HTTP example - Slowloris Denied Allowed DPI and Application Awareness for L7 Protection
  30. 30. 30 Thunder TPS Release Quotes "As an early user of the Thunder TPS, we believe A10 is delivering a high-value product, with rich features and really great performance," said Gerold Arheilger, CTO Xantaro Group. "In order to sufficiently protect against large-scale, multi- vector DDoS attacks, mitigation solutions must provide very high packet-per-second processing power. Thunder TPS is built for these extreme environments." "The Microsoft Digital Crimes Unit and A10 Networks have a shared vision to protect the Internet from large-scale threats," said Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit. "We will continue to partner to mitigate future threats leveraging DCU's expertise and A10's advanced threat protection technologies." 
  31. 31. 31 CPE class platform MSSP integrated solution Thunder TPS Hardware Appliances Price Performance Thunder 5435(S) TPS 77 Gbps 16x10/1G (SFP+) 4x40G (QSFP+) SSL Processor* Hardware FTA Mitigation Thunder 6435(S) TPS 155 Gbps 16x10/1G (SFP+) 4x40G (QSFP+) SSL Processor* Hardware FTA Mitigation Thunder 3030S TPS 10 Gbps (TBC) 6x1G Copper, 2x1G (SFP) 4x10/1G (SFP+) SSL Processor Thunder 4435(S) TPS 38 Gbps 16x10/1G (SFP+) SSL Processor* Hardware FTA Mitigation High performance extended platforms for Financial, Gaming, Government, Large Enterprise, MSSPs, Service Providers & Web Giants * “S” model must be purchased
  32. 32. 32 Please visit us at: