COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY
Advanced Anti-DDoS Protection Techniques
Reda Nedjar – Consulting Engineer EMEA (rnedjar@arbor.net)
Time to re-assess the risk of DDoS attacks
Can you answer these questions?
• Do I know the latest DDoS attack trends?
• Do I know the best practices in DDoS attack mitigation?
• Do I know the real impact of a DDoS attack on my business?
[Chart: Cost of DDoS Impact to Victim]
How easy is it really to launch a DDoS?
• Easy to find
• Clear and modern User Interface
• Several locations
• Many attack vectors
• Multiple payment options
• Support center
• Community Manager
Really, really easy!!!
Modern day DDoS attacks are Complex
Dynamic Multi-vector Combination
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, Legitimate Traffic]
Volumetric Attacks
◦ Large (up to 500 Gbps)
◦ Saturates links
TCP State-Exhaustion Attacks
◦ Crashes stateful devices (Load balancers, firewalls, IPSs)
Application Layer Attacks
◦ Low and Slow, Stealth attacks
◦ Crashes application servers
Dutch banks crippled by DDoS Attack
January 2018
Myth:
ABN Amro CEO Kees van Dijkhuizen said that “attacks like these probably cost the perpetrators tens of millions of euros”, fuelling speculation that the attack had come from a nation state.
Fact:
But the truth has proved rather less spectacular when police arrested an 18-year-old known as Jelle S in his home town of Oosterhout. Jelle claimed to have bought a ready-made “stresser” DDoS package on the dark web for which he had paid €50 a week to send 50-100Gb/s of data to victims.
Source: computerweekly.com
The Cyber Reflection
Every Physical Geo-Political Event…
Has a Cyber Reflection…
Every event has a cyber reflection
Attack targets were not necessarily the events themselves, but organizations tangentially associated with the events.
Who are we?
We See What Others Can’t
Collaboration
Continuous Innovation
> 100 Countries
Protect World’s Largest Networks
Leading Authority
Arbor Networks
The Security Division of
Industry leader in DDoS attack protection products.
18 – Number of years Arbor has been delivering innovative security and network visibility technologies & products
98% – Percentage of world’s Tier 1 service providers who are Arbor customers
1/3 – Amount of Internet traffic monitored by the ATLAS
http://digitalattackmap.com
And after Memcached
[Chart: Peak attacks]
• New weaponized attack vector
• Targets a vulnerability in a Datacenter service used to improve request performance
• Amplification factor can go up to 1:500,000 (maximum achieved in a lab environment)
• 1 Mbps can generate 50 Gbps
• Not the most dangerous attack
DDoS Protection Against Complex Attacks
Hybrid Model
[Diagram labels: On-Prem | The Internet | In-Operator; Operator Scrubbing Center; Cloud Signal; Arbor APS; Volumetric Attack; Application Attack; Botnet, DDoS, Malware]
1. Detection & Alerting with Mitigation Capabilities
2. Intelligent coordination between on-prem and in-cloud protection
3. Global, In-Cloud, Volumetric Attack Protection (over 7 Tbps Mitigation Capacity)
4. Backed by global threat intelligence
How to counter every type of attack
[Diagram labels: Data Center, Firewall, IDS, Load Balancer, Backbone, ISP 1, ISP 2, ISP 3]
Saturation – Volumetric or Flooding Attack
Exhaustion of State (L4 – L7) – Crashes stateful devices (Load Balancers, Firewalls, IPS/IDS)
Exhaustion of Service (L4 – L7) – Application Layer or Slow & Low Attack, crashes application servers
DDoS Attack Vectors and Mitigation Options
Volumetric Attacks
• UDP / ICMP Floods: Reflection/Amplification NTP/DNS/SSDP/SNMP/MS-SQL attacks
• IP / TCP / UDP Fragment Floods
• Protocol Floods (GRE)
State Exhaustion Attacks
• TCP SYN (ACK) Floods
• Window Size Attacks (Sockstress, etc.)
• Slow TCP Connections (TCP Idling, etc.)
Application Layer Attacks
• HTTP GET / POST Floods (LOIC, HOIC)
• HTTP Slow Request (Slowloris, Pyloris)
• DNS Floods (DNS water torture)
• DNS Authentication
• SSL Renegotiation (THC, Pushdo)
• SSL Encrypted (HTTPS)
Mitigation options (table columns):
• Arbor Cloud
• Operator Scrubbing (Arbor SP/TMS) – ISP / In-Cloud
• On-Premise (Arbor APS)
VOLUMETRIC ATTACKS USING ARBOR SP AND BGP FLOWSPEC
[Diagram labels: Core, Peering Edge, BGP FS, UDP RA attack, Arbor TMS, Arbor SP]
• Arbor SP does Automatic BGP FlowSpec Blocking on routers
  – Blocks UDP Reflection/Amplification Attacks (Memcached, NTP, SSDP, CLDAP)
  – Arbor SP automatically detects and blocks attacks on routers
• Arbor TMS capacity can be used for other complex attacks: L4 TCP – L7 (DNS / HTTP)
• Leverages the routers’ capacity to block large UDP attacks
  – 1.7 Tbps was the largest attack (memcached)
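The two slides above describe a detect-then-block loop: reflection/amplification traffic is recognised in flow telemetry and a BGP FlowSpec rule is pushed to the peering-edge routers so the volumetric part never reaches the scrubbing center. The example below is an added illustration of that loop written for this page; it is not Arbor SP code. It parses constructed NetFlow-style records (format, addresses, thresholds and the 60-second window are all assumptions), flags a (victim, reflector port) group that looks like amplification (many distinct reflectors, large response packets, high rate), and renders an ExaBGP-style `announce flow route` announcement for it. The rule text follows ExaBGP's flow syntax as I know it, but treat it as illustrative and validate the exact FlowSpec encoding against your router vendor before automating anything.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP reflector services named on the slides, keyed by the source port the
# reflected responses carry when they reach the victim.
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 1900: "ssdp", 389: "cldap",
                   53: "dns", 161: "snmp", 1434: "ms-sql"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line):
    """Parse one constructed flow record (assumed format):
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"""
    f = [x.strip() for x in line.split(",")]
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                int(f[5]), int(f[6]))


def detect_reflection(flows, window_seconds, min_bps=100_000_000,
                      min_sources=3, min_bytes_per_pkt=1000):
    """Group UDP flows by (victim, reflector source port) and flag groups that
    look like amplification: several distinct reflectors, large packets and a
    high aggregate rate over the window. Thresholds are illustrative only."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for fl in flows:
        if fl.proto != "udp" or fl.src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(fl.dst_ip, fl.src_port)]
        g["sources"].add(fl.src_ip)
        g["packets"] += fl.packets
        g["bytes"] += fl.bytes
    findings = []
    for (dst_ip, port), g in groups.items():
        bps = g["bytes"] * 8 / window_seconds
        avg_pkt = g["bytes"] / g["packets"]
        if (len(g["sources"]) >= min_sources and bps >= min_bps
                and avg_pkt >= min_bytes_per_pkt):
            findings.append({"dst_ip": dst_ip, "src_port": port,
                             "service": REFLECTOR_PORTS[port],
                             "sources": len(g["sources"]),
                             "bps": bps, "avg_pkt_bytes": avg_pkt})
    return findings


def flowspec_rule(finding, action="discard"):
    """Render an ExaBGP-style FlowSpec announcement for one finding (syntax
    assumed for illustration). Matching on protocol + reflector source port +
    victim /32 keeps the rule narrow so legitimate traffic to the victim on
    other ports is unaffected. action: "discard" or "rate-limit <bytes/s>"."""
    return (
        "announce flow route {\n"
        "  match {\n"
        f"    destination {finding['dst_ip']}/32;\n"
        "    protocol udp;\n"
        f"    source-port ={finding['src_port']};\n"
        "  }\n"
        "  then {\n"
        f"    {action};\n"
        "  }\n"
        "}"
    )


# Constructed 60-second flow sample using documentation address ranges.
# Five memcached reflectors hammering one victim with ~1400-byte responses,
# plus benign DNS/NTP replies and a TCP flow that must not be matched.
SAMPLE_FLOWS = [
    "198.51.100.11,11211,203.0.113.10,41002,udp,200000,280000000",
    "198.51.100.12,11211,203.0.113.10,41002,udp,200000,280000000",
    "198.51.100.13,11211,203.0.113.10,41002,udp,200000,280000000",
    "198.51.100.14,11211,203.0.113.10,41002,udp,200000,280000000",
    "198.51.100.15,11211,203.0.113.10,41002,udp,200000,280000000",
    "198.51.100.53,53,203.0.113.10,55012,udp,300,36000",
    "198.51.100.21,123,203.0.113.10,47001,udp,1000,480000",
    "198.51.100.22,123,203.0.113.10,47001,udp,1000,480000",
    "192.0.2.7,443,203.0.113.10,51000,tcp,5000,6000000",
]


def run_example(window_seconds=60):
    """Run detection over the sample and return (findings, rules)."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    findings = detect_reflection(flows, window_seconds)
    return findings, [flowspec_rule(f) for f in findings]


if __name__ == "__main__":
    for f, rule in zip(*run_example()):
        print(f"{f['service']} reflection toward {f['dst_ip']}: "
              f"{f['sources']} reflectors, {f['bps'] / 1e6:.1f} Mbps, "
              f"avg packet {f['avg_pkt_bytes']:.0f} B")
        print(rule)
```

Run as a script it reports the memcached group (five reflectors, about 186.7 Mbps in this constructed window) and prints the matching rule; the DNS and NTP replies fall under the source-count and rate thresholds and the TCP flow is skipped. In practice the rate threshold would be set from the victim's link capacity rather than a fixed constant, and the `rate-limit` action is the safer first step for services such as DNS whose reflected traffic can be mixed with legitimate replies.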
Thank You.
www.netscout.com
Reda Nedjar
rnedjar@arbor.net

ARBOR NETWORKS Technical Workshop, ACSS 2018