During the webinar, Vivek Ganti, Product Marketing Manager for Cloudflare, and Jim Hodges, Chief Analyst of Cloud and Security at Heavy Reading, discussed how service providers are regular targets of DDoS attacks, and how these attacks directly impact their uptime, availability, and revenue.
Scaling service provider business with DDoS-mitigation-as-a-service
1. Live webinar: Scaling Service Provider Business with DDoS-Mitigation-as-a-Service
Jim Hodges, Chief Analyst, Heavy Reading
Vivek Ganti, Product Marketing, Cloudflare
2. Agenda
● DDoS Attack Enablers - New World Realities
● DDoS Global Attack Trends
● Service Provider DDoS Mitigation as a Service Strategies
5. Cloudflare’s Global Anycast Network
● 27M Internet properties
● 42 Tbps network capacity
● 200 cities and 100+ countries
● 72B cyber threats blocked each day in Q2’20
● 99% of the Internet-connected population in the developed world is located within 100 milliseconds of our network
Note: Data as of June 28, 2019.
7. Every Product Runs On Every Server In Every Datacenter Around The World
8. Industry leading DDoS mitigation
● Gartner: Most ‘High’ ratings, 2020, in Gartner’s April 2020 report, “Solution Comparison for DDoS Cloud Scrubbing Centers” (ID G00467346)
● Forrester: Leader 2017, Leader of DDoS Mitigation Solutions in the Forrester Wave™ Report
● IDC: Leader 2019, "Leader" in the IDC MarketScape: Worldwide DDoS Prevention Solutions 2019 Vendor Assessment (doc # US43699318, March 2019)
10. DDoS Attack Enablers - New World Realities
● Shift to edge deployments - 5G and MEC - servers everywhere - farewell to the perimeter
● Service provider cloud services migration - provides source and scale/size for DDoS attacks
● Device capabilities - 5G and IoT devices - power in numbers
● Other wildcards - API exposure architectures (5G SBA) - third-party APIs - implicit trust architecture - O-RAN
Source: Heavy Reading
11. DDoS Attack Enablers - New World Realities
● Pandemic impact
○ Acceleration of web traffic for mission-critical ultra-low-latency services (medical consults and online purchasing)
○ Decentralization of enterprise users and services - unpredictable traffic patterns
● Automation cuts both ways - mitigation and attack vectors
Source: Heavy Reading
15. ‘Smaller’ attacks dominated in Q2
● From a packet rate perspective: 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps)
● From a bit rate perspective: nearly 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps
16. Big attacks are getting bigger
● 88% of attacks over 100 Gbps were launched since shelter-in-place
● 754 Mpps: largest L3/4 DDoS attack from a packet rate perspective
18. 57% of all L3/4 DDoS attacks in Q2 were SYN floods
19. Poll Question
What do you consider the greatest challenge associated with DDoS Mitigation?
● The increasing numbers of attacks
● The increasing size of attacks
● The security impact of transitioning to cloud and edge networks
● The security impact of more powerful devices
● The massive increase in number of devices accessing the network
● Transitioning to automated security policy networks
21. Service Providers are especially vulnerable to attacks
● Direct and indirect attacks
● Increasingly subject to “carpet bombing” attacks
● Trickle-down effects = impacted revenue
22. The problem with DDoS hardware
Capacity
● Constrained by bandwidth of the link
Capability
● Not designed for latest, sophisticated attacks
Costs
● High CAPEX and OPEX
26. Scrubbing: Industry Legacy Scrubbing vs. Cloudflare DDoS
A Fully Differentiated DDoS Solution
• Network scale can absorb any DDoS attack.
• Shared intelligence constantly learns and applies intel to ID new attacks.
• Cost-effective
Unmetered DDoS Protection = Trust
Fast and Safe -- Better than distant ‘scrubbing centers’
27. Our Story — L3 DDoS Protection With Magic Transit
Built for Cloudflare. Now available for our customers
Cloudflare Data Center (200 cities in 100+ countries; 42 Tbps DDoS mitigation capacity):
● DDoS protection - near-instant TTM
● Network firewall - granular Allow/Deny rules for IP ranges
Customer Data Center, connected at Layer 3 - IP (Magic Transit)
28. Comprehensive, Advanced DDoS Protection
Type
- Protect against sophisticated DDoS attacks
- Layer 7 attacks: HTTP GET, POST, DNS floods
- Layer 4 attacks: SYN flood, SMURF attacks
- Layer 3 attacks: ICMP flooding
Size
- Over 42 Tbps of network capacity to mitigate very large attacks
- Capability to mitigate the majority of large attacks under 10s
- GateBot and DosD provide automated mitigation
Mode
- BGP diversion or DNS Proxy
- Always-on or On-demand
- Anycast GRE or PNI
- BYOIP, BYOASN
31. Service Provider Reseller Options
Allocated Prefix Model: the service provider onboards their own IP prefix (/24 or larger) onto Cloudflare and allocates IPs within the prefix to their end customers.
Resell to Full Network Model: the service provider onboards an IP prefix (/24 or larger) that comprises their own IP addresses as well as their end customers’.
Resell to Prefix Model: the service provider onboards customers with their own IP prefix (/24 or larger).
Referral Model: the service provider has customers with their own IP prefixes (/24 or larger) and refers the customer to Cloudflare.
32. How Cloudflare Magic Transit Compares To Other Vendors
Features compared: number of data centers for DDoS mitigation; DDoS scrubbing capacity; time-to-mitigation (TTM5). Data as of July 2020.
Cloudflare Magic Transit: 200+ data centers; 42 Tbps; TTM < 10 sec
Imperva4: 45 data centers; 6 Tbps; TTM < 3 sec
Neustar3: 14 data centers; 12 Tbps; TTM 5-15 min
Akamai Prolexic2: 19 data centers; 8 Tbps; TTM < 5 min
Radware1: 11 data centers; 5 Tbps; TTM ‘seconds’
1 Radware — https://www.radware.com/products/cloud-ddos-services/
2 Akamai Prolexic — https://www.akamai.com/us/en/multimedia/documents/product-brief/prolexic-routed-product-brief.pdf; https://blogs.akamai.com/2018/04/whats-new-with-prolexic.html
3 Neustar — https://www.home.neustar/resources/product-literature/make-ddos-direct-connection-with-netprotect
4 Imperva — https://www.imperva.com/resources/datasheets/Imperva_DDOS_ProtectionForNetworks.pdf
5 Cloudflare Magic Transit and other vendors offer 0-sec TTM for “proactive” or static rules. TTM listed here is for automatic detection and mitigation.
33. Bringing Wikipedia back online: Cloudflare helps Wikimedia restore service following a massive DDoS attack
Wikimedia is a North American non-profit organization that hosts Wikipedia, one of the world’s most renowned open collaboration projects.
“Cloudflare has reliable infrastructure and an extremely competent and responsive team. They are well-positioned to deflect even the largest of attacks.”
—Grant Ingersoll, CTO, Wikimedia
CHALLENGES
• Target of a massive coordinated DDoS attack campaign of ~300 Gbps of bandwidth, 105 Mpps of TCP ACK traffic, and 340 Mpps of UDP floods
• Significant increase in HTTP response times from servers that were still reachable
• Site accessibility impacted in various regions around the world
CLOUDFLARE SOLUTION
• Magic Transit protects their on-premise data centers from volumetric attacks
• Even as the attack changed patterns, Magic Transit was a resilient shield protecting Wikimedia’s network infrastructure
KEY RESULTS
• Improved resilience and availability
• Zero performance degradation due to filtering traffic at the edge
• Valuable partnership with Cloudflare and influence on product roadmap
https://www.cloudflare.com/case-studies/wikimedia-foundation/
34. For a limited time: replace your legacy provider with Cloudflare Magic Transit and pay nothing until your existing contract expires*
● Get Magic Transit service at no charge until the expiration of your current contract with Akamai Prolexic, Neustar, Imperva, or Radware, for up to 12 months.
● We will aim to beat the price you are paying your legacy provider for the paid period.
● For more information, go to www.cloudflare.com/lp/better
*Terms and conditions apply
Network DDoS Protection You’ll Love. We’ll Prove It.
35. Poll Question
How concerned are you about the capex and opex costs associated with scaling current DDoS Mitigation as a Service solutions to meet current and future demand?
● We are extremely concerned
● We are concerned
● We are somewhat concerned
● We are not concerned
● We are still unclear what the true capex and opex costs are