Filling the Gaps in Your DDoS Mitigation Strategy
•Download as PPTX, PDF•
3 likes•912 views
At Cloudflare, we protect 9 million domains against DDoS attacks with our global network. This puts us in a unique position to learn from the myriad of attacks on the network and use the knowledge to strengthen our DDoS mitigation capabilities. Be it small or large, even unusual. The new DDoS landscape Cloudflare's unmetered, always-on DDoS protection service Cloudflare Rate Limiting - a new solution for Layer 7 DDoS attacks Cloudflare Spectrum - a new solution for non-web DDoS attacks
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Filling the Gaps in Your DDoS Mitigation Strategy
Similar to Filling the Gaps in Your DDoS Mitigation Strategy (20)
More from Cloudflare
More from Cloudflare (13)
Recently uploaded
Recently uploaded (20)
Filling the Gaps in Your DDoS Mitigation Strategy
- 1. Filling the Gaps in Your DDoS Mitigation Strategy Threat landscape and mitigation solutions
- 2. Presenter Chris Wang Cloudflare Solutions Engineer @chriswang_tech
- 3. Topics 1. Current DDoS Threat Landscape 2. Cloudflare DDoS Mitigation Solutions 3. Cloudflare Rate Limiting - a new solution for layer 7 DDoS attacks 4. Cloudflare Spectrum - a new solution for non-web DDoS attacks
- 4. Poll #1 Are you a current Cloudflare user? Options: ● No ● Yes, I'm on Cloudflare Free Plan ● Yes, I'm on Cloudflare Pro Plan ● Yes, I'm on Cloudflare Business Plan ● Yes, I'm on Cloudflare Enterprise Plan Link: Plan definitions
- 5. Current DDoS Threat Landscape
- 6. DNS Bots DNS Server DNS Server Server IP/TCP/UDP ("Layer 3 & 4") HTTP/HTTPS ("Layer 7") 1 2 Bots 3 Bots Degrades availability and performance of applications, websites, and APIs HTTP Application Application/Login Types of DDoS Attack Traffic
- 7. DDoS 2018 and Beyond More Frequent Difficult to Mitigate DNS Layer 7 SSL CPU Exhaustion (Layer 6) HTTP Layer 7 Layer 3/4 500 Gbps 100 Gbps 200 Gbps 40 Gbps Smaller, target L7 attacks are proving to be more difficult for the industry than L3/4 Less Frequent 7
- 8. L3/4: More spaced out with unmetered mitigation by Cloudflare 8 Unmetered Mitigation Introduced by Cloudflare
- 9. L7: Attackers Moving Up The Stack 9 Unmetered Mitigation Introduced by Cloudflare
- 10. DNS: Attacks Continue To Be Infrequent 10 Unmetered Mitigation Introduced
- 12. Industry Legacy Scrubbing Center Pre-Attack Attack Begins Mitigation Implemented 12 12:05 12:15 12:2012:00 Attack Detected
- 13. Cloudflare’s Always-On DDoS Mitigation Automatic Mitigation 13 12:0512:00 12:05 Real-Time DetectionContinuous Performance Benefit
- 14. Stay Online Global Anycast network with 150+ data centers absorbs highly distributed attack traffic so customers stay online Protect origin infrastructure Detect and drop at the edge volumetric attacks: layer 3/4, DNS and layer 7 Identify anomalous traffic Fingerprint HTTP requests to protect sites against known and emerging botnets with automatic mitigation rules Protect applications with control Rate Limiting gives more granular control to block harder-to-detect application-layer attacks Origin Server DDoS attack Anticipate attacks Shared intelligence across 8M websites proactively blocks known bad signatures Gives customers unlimited and unmetered distributed denial-of-service (DDoS) attack protection regardless of the size of attack. Cloudflare Data Center *Business and Enterprise customers will continue to benefit from additional advanced mitigation services including better reporting, productivity enhancements, fine- grained controls, business and enterprise-grade service level agreements (SLA’s), and customer support options to fit their individual needs. 14 Cloudflare DDoS Solutions
- 16. Cloudflare Rate Limiting: L7 throttling Precise DDoS Mitigation • High precision denial-of-service protection through robust configuration options Protect Customer Data • Protect sensitive customer information against brute force login attacks Ensure Availability • Avoid service disruptions by setting usage limits on HTTP requests Requests per IP address matching the traffic pattern 16
- 17. Spectrum Demo
- 18. Mitigate DDoS for TCP Protocols and Ports Cloudflare Spectrum proxies all non-HTTPS TCP traffic through the same 150+ cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports. Encrypt Non-HTTP/S TCP Traffic Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit. Block Traffic by IP or IP Range Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IP or IP ranges can be dropped at the edge 2 1 Client Encrypted TCP Traffic SSH SMTP SFTP SSH SMTP SFTP 3 Client SSH SMTP SFTP IP 10.0.0.1 10.0.0.1 https://developers.cloudflare.com/spectrum/ Cloudflare Spectrum: protects all TCP ports (and UDP soon)
- 19. Questions? Follow our blog at https://blog.cloudflare.com/ Interested in Our Enterprise Solution? Visit https://www.cloudflare.com/plans/enterprise/contact/
- 20. Backup Slides 20
- 21. Cloudflare DDoS Differentiation Leverage Data ● Anycast scales DDoS surface area across all data centers (versus just a subset) ● Unified view of attacks across integrated stack of network, DNS, application ● Kernel bypass reduces CPU usage ● Innovation on hardware, routers, network increase capacity and lowers costs Architecture ● Broad, heterogeneous traffic across 8M websites to more proactively drop attacks ● Develop heuristics to automatically (versus manually) block ● No OEM of third-party hardware ● Settlement free peering reduces costs of traffic over peering points ● Easily absorb inbound attack traffic spikes at no extra cost Cost Structure 21
- 22. Benefit of Cloudflare’s Always-on DDoS Attack starts DDoS Config Mitigation starts Mitigation complete Next attack DDoS Config Mitigation Mitigation Turn on Cloudflare Next attack begins DDoS Config Next attack + mitigation Next attack + mitigation Next attack + mitigation 22 Load Time
- 23. Cloudflare Bot Mitigation ATTACKS Account Takeover Content Scraping Checkout Fraud 1. 2. 3. Classification By leveraging visibility into large volume of both good and bad traffic, intelligently classifying risk based on attributes like: ● IP reputation intelligence ● User Agent strings ● Other HTTP fingerprints ● Behavioral analysis Mitigation Techniques Different levels of severity and sophistication to block attacks. These can include: Block, throttle, image substitution, data obfuscations Rules Customization Customers can tune their security posture by defining rules to support both positive and negative security model. Client Validation To reduce false positives, provide progressive levels of client validation to distinguish between legitimate visitors and malicious bots based on clients validating themselves ● Browser Integrity ● Captcha ● JS Validations ● Client Classifications ● Machine Learning CLOUDFLARE SOLUTIONS 23
- 24. Cloudflare Security Summary 24 Cloudflare continues to out-innovate the market, driving growth in security-only deals The threat landscape is exploding with the growth in new platforms and devices; security solution use cases are expanding to meet them Cloud-based solutions reduce complexity, improve time to response and combine performance and security in a single, integrated offering Data-driven threat intelligence dynamically adapts our platform to meet the ever changing threat landscape
- 25. 1.7 Tbps
Editor's Notes
- Thanks for the introduction Erfi. Today's topic is
- I'm a Cloudflare Solutions Engineer based in the APAC region.
- First a quick poll, how many of you are currently using Cloudflare? https://www.cloudflare.com/plans/#compare-features
- With new vulnerabilities now and then, the attack types haven't changed that much. Typical DDoS attack types that can target at the web applications. DNS Flood: by floooding the DNS service, one can bring down the entire web infrature relying on it. e.g. October 2016 Dyn attack by Mirai botnet TCP/UDP Port 53 L3/4: exhaustion of network resources: typical techniques reflection & amplification: using a NTP/DNS to amplify requests and overload yours server using 3rd party services e.g. Feb 2018 Memcache UDP Port 11211: amplification factors of up to 51,200x: a 1 byte request, a 51 kB response can be sent. L7: exhaustion of system and application resources: volumetric HTTP attack to bring down the application e.g. HTTP POST flood at one's Wordpress login page They can be used together; used a ransom as financial incentive
- Same samples this year. Horizon frequency Vertical difficulty DNS & SSL: Less common; used to be a challenge. but the adoption of large scale DNS and SSL services like Cloudflare, it has become less frequent. L3/4: Bulk of traffic; Industry is getting better handling it L7: More frequent and more difficult to mitigate. https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
- Cloudflare introduced unmetered DDoS mitigation September 2017. SYN flood is L4 attack Things to note: 1. Since the introduction of Unmetered Mitigation large attacks continue but you can see they are more spaced out. https://blog.cloudflare.com/the-new-ddos-landscape/ 2. Cloudflare very frequently gets attacks greater than 300 Gbps and 400 Gbps; The large attacks still remain.
- The L7 volume in HTTP requests per second by day. This doesn't show a slow down which seems to indicate what we've long suspected: as protection services like Cloudflare have got really good at handling L3/L4 attacks attackers have moved up the stack to focus on L7. https://blog.cloudflare.com/the-new-ddos-landscape/
- This final chart shows the volume of DNS-based attacks in Mbps. It's notable that these are never very big, but the one big spike is the day after we announced Unmetered Mitigation. Almost as if someone had a go to see if they could cause us harm :-) They did not succeed, of course. https://blog.cloudflare.com/the-new-ddos-landscape/
- Scrubbing centers: a few (<10) of data centers with huge bandwidth and powerful hardware; The architecture give rise to some disadvantages: Performance: Longer distances for ‘clean’ traffic to travel since Scrubbers are centralized or different from cache On-demand: Manually change DNS introduces latency in time-to-migration Reliability: Single location can easily get flooded, and either exceed capacity or result in high overage charges during attack
- Cloudflare DDoS mitigation infrastructure lives in 152 data centers globally, instead of 10. The architecture advantages: Performance: improvement instead of degradation Always on: no monitoring required Reliability:
- https://blog.cloudflare.com/unmetered-mitigation/ Cloudflare takes a multi-layerd approach. Step 1: Global Anycast means we’re high resilient, and absorb attack traffic as close to the source of the attack as possible Means we do not have to transport or add latency diverting traffic to scrubbing centers Step 2 : The origin is key, and usually the weakest point Cloudflare hides the Origin’s IP address so we will always take the brunt of any attacks Step 3: Attack vectors are never the same Dynamic fingerprinting on the fly lowers false positives and also decreases “leakage” - which is where some traffic will get through (NOTE: AKAM in their ENT SLA say they will leak up to x%) Step 4: Proactive protections for DDoS attacks seen at other customers means we can track attribution, meaning faster detection and more accurate mitigations Step 5: Low and slow attacks are difficult to track, especially at the scale Cloudflare is at today. We put the power back into our customer’s hands by providing solutions like Rate-Limiting, allowing them to define what they know is to be a good level of traffic, and for Cloudflare to block everything else. Rate-Limiting can be applied to APIs with JSON responses as well
- Talking Points: Rate Limiting complements Cloudflare’s DDoS and Web Application Firewall (WAF) Services. Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer. It provides the ability to configure thresholds and define responses by IP. If traffic from a specific IP exceeds the threshold, than those requests get blocked and timed out for a defined period. Rate Limiting also provides customers to gain analytical insights into endpoints of the website, application, or API, and they can monitor their good and bad traffic. Demo Disconnect from VPN Open UI Check: https://cecilsflorist.cf/wp-login.php
- Talk Track Historically, Cloudflare proxies web traffic only. With Spectrum, Cloudfalre now provides the same level of layer 3 and 4 volumetric DDoS mitigation expected, across all TCP protocols, including those which are proprietary. In addition, it protects said protocols from data snooping and theft by encrypting traffic with Universal SSL / TLS. Demo: Open UI dig ssh.cecilsflorist.cf ssh root@ssh.cecilsflorist.cf
- link to the Sheets form with the graph data is in the notes (also here: https://docs.google.com/spreadsheets/d/11NffR-jEWaSEi8CUUTk6IiWKoX3luOr-e1vQKwOYJMc/edit?zx=ochdtwfluz0u#gid=0) everything is mutable if you'd like to update the wording! Cloudflare mitigates DDoS attacks, including those that target UDP and ICMP protocols, SYN/ACK, DNS and NTP amplification and Layer 7 attacks. Our global network has defended against sustained attacks over 400Gbps. If you're under DDoS attack, we can get your site back online within minutes. https://docs.google.com/spreadsheets/d/11NffR-jEWaSEi8CUUTk6IiWKoX3luOr-e1vQKwOYJMc/edit?zx=ochdtwfluz0u#gid=0 Slide that discusses the fact that our customers never see attacks Which is why it is hard for us to find references to show process on how we mitigated an attack…. Our customers don’t even know we did it Which is why we don’t have many numbers on largest attack seen… And then tell story on why this is….. Customer’s Set it and Forget it!!
- Because of the wide surface area CF has today we are able to build a sustainable behavioral analysis on clients allowing us to identify a baseline of what is considered normal activity across the entire cloudflare network. I'm not sure the current design captures and punches up the 3 ways we are attacking this problem. We dive right down to the features. Instead, I think we need to frame our approach: AI, Client challenge, Finer grain controls. Also, we are missing our current capabilities (see notes) When we asked this group, #1 desire = bot mitigation Bots make up more than 50% of the world’s internet traffic today, that’s huge… The challenge is determining what’s a good bot and a bad bot. Today we challenge bots through our Browser Integrity Checks, JavaScript challenge, and Captchas. Our current Bot Management provisions blocked over 144m requests. But we know you need more specific protections. In the next year, we’re going to be launching aggressive protection against Account Takeover and Web Scraping, all powered through our new Machine Learning and Client Identification platforms which have been delivering some amazing preliminary results.
- address growing threats on new platforms and device , which calls for a broader breadth of services to meet demand (Access, Bot Mitigation, custom rules on the edge)
- What is driving the exponential growth in traffic here? Insecure devices and increased connectivity and increasing connected devices If you return to attack sizes over time Have 10 gbps - fast cnx to internet 2007 - 24 gbps would have overwhelemd See peek sizes growing Huge attacks, easily Can’t fight these on your own - Animate from smallest to largest – one circle at a time Side bar info = home internet connection https://www.youtube.com/watch?v=Sp6bnvbrJb8&t=364s 9.45 min 1