ddos protection system dps
Post on 15-Jan-2017
47 Views
Preview:
TRANSCRIPT
DDoS Protection Solution#Terabit Security LLC, 2016
2015 © Terabit Security - All rights reserved
2015 © Terabit Security, All rights reserved
AGENDA
About DDoS
Terabit Security DPS
Technical Specialty
Contact UsRequest a Demo
About DDoS
2015 © Terabit Security - All rights reserved
2015 © Terabit Security, All rights reserved
ABOUT DDoS
2015 © Terabit Security, All rights reserved
SOME FIGURES ABOUT DDoS
2015 © Terabit Security, All rights reserved
IMPACT OF DDoS ATTACKS ON YOUR BUSINESS
TheftAttacks are becoming more advanced and now
include stolen funds, customer data, and
intellectual property
Productivity lossWhen critical network system are shut down,
your workforce’s productivity comes to a halt
Revenue lossDowntime affects your bottom-line. The average
costs of downtime is $5,600/minute, or over
$300K/hour
Reputation DamageYour band suffers if customers can't access your
site or became casualties of data breach
Even with a large staff of IT
professionals it is almost impossible
for companies to handle a serious
DDoS attack and recover their
services on their own
Kaspersky LabE.Vigovsky, head of DDoS protection
2015 © Terabit Security, All rights reserved
PROFESSIONALS SAYS ABOUT DDoS
Hackers' improving and evolving
techniques are especially obvious
when it comes to distributed-denial-
of-service attacks.
DDos is on a trend that is only
going to continue
Businesses are facing a number of
threats in today's economy. When a
DDoS attack or DNS failure hits a
website or network, companies are
losing significant revenue and
employee productivity, and are likely
seeing decreasing customer
satisfaction and loyalty
Arbor NetworksMatt Moynahan, president
VerisignBen Petro, senior VC
Terabit Security DPS
2015 © Terabit Security - All rights reserved
2015 © Terabit Security, All rights reserved
TERABIT SECURITY DPS
Terabit DPS is solution for the detection of
DDoS attacks and their subsequent
treatment. Terabit DPS will help to ensure
maximum availability of your network and
eliminate any disruptions caused by DoS /
DDoS attacks
2015 © Terabit Security, All rights reserved
WHY DPS
Fast DeploymentDisparately fast deployment of DDoS protection system – 10 minutes to start
ClusteringClustering option for performance and redundancy. Sflow capture – up to 10Tbps (1Tbps per server), traffic mirroring – up to 6.4Tbps (40Gbps per server)
Premium SupportAll support inquiries are answered by experienced engineers. Terabit DPS Proffesional Support with SLA 24×5, 24×7, 24×365
Advanced WEB GUIWeb application offers single-point DPS management, network monitoring and reporting of data received from Collector, Explorer and Filters deployed within the network
Affordable DDoS ProtectionThe most cost-effective on-premise DDoSmitigation solution on the market! Annual subscriptions include free support and upgrades.
Traffic Visualization ToolVisualization of traffic Upstream / Donwstream in bps and pps for whole network or dedicated host
Short response timeImmediate detection of DoS/DDoS attack in 1-2 seconds
Low hardware requirementsUp to 10GE with 12 Mpps on E5-1650V3 with Intel NIC 82599 10GE
Primary uplink
CustomersBorder router
Access switch
Backup uplink
DPS Server
BGP, BGP Flowspec
NetFlow/IPFIXsFlow, Port mirror
2015 © Terabit Security, All rights reserved
HOW DPS WORKS
Supported border routersExtreme X460/X670
Juniper EX, MX seriesCisco ASR-series
2015 © Terabit Security, All rights reserved
HOW DPS WORKS
Traffic CapturingNetFlow v5, v9IPFIXsFlow v4 (dev branch only), v5Port mirror/SPAN capture with PF_RING (with ZC/DNA mode), SnabbSwitch, NETMAP and PCAP
DDoS MitigationComplete BGP Flowspec support, RFC 5575Can process incoming and outgoing trafficCan trigger block script if certain IP loads network with a large amount of packets/bytes/flows per secondThresholds could be configured in per subnet basis withhostgroups featureCould announce blocked IPs to BGP router with ExaBGPGoBGP integration for unicast IPv4 announces
2015 © Terabit Security, All rights reserved
OUR SOLUTIONS
DPS SOFTWARE APPLIENCE DPS VIRTUAL APPLIENCE DPS HARDWARE APPLIENCE
GET FULL FUNCTIONALITY OF DPS
Install DPS on your own serverProtection up to 400GbpsMost popular OS supported
GET SAFETY WITHIN 15 MINUTES
Restore image to your hypervisorProtection up to 400GbpsMost popular hypervisors supported
GET ENTERPRISE LEVEL SOLUTION
Guaranteed SLAProtection up to 6.4TbpsAdvanced support included
2015 © Terabit Security, All rights reserved
PROFESSIONAL SUPPORT
Basic Intermediate Advanced8×5 support service | 20 cases per year 12×7 support service | unlimited cases per year 24×7 support service | unlimited cases per year
Provides an engaged response for
small companies with a limited number of cases
Provides professional support for
non-critical systems based on 12x7 schedule
Provides an enterprise level 24x7
support for critical systems with unlimited number of cases
2015 © Terabit Security, All rights reserved
OUR CUSTOMERS
1000+ customers20+ countriesTerabits of protected traffic
* Includes community versionWhat people say about us
Technical Specialty
2015 © Terabit Security - All rights reserved
2015 © Terabit Security, All rights reserved
DDoS MITIGATION HOW IT WORKS W/O FLOWSPEC
o Еаsy of implementation and uses well
understood constructs
o Requires high degree of co-ordination
between customer and provider
o Cumbersome to scale in a large network
perimeter
o Mis-configuration possible and expansive
Destination Remotely Triggered Black Hole (D/RTBH)
2015 © Terabit Security, All rights reserved
o RFC 5635 circa 2009
o Requires pre-configuration of discard route
and uRPF on all edge routers
o Victim`s destination address is still useable
o Only works for single (or small number)
source
Source Remotely Triggered Black Hole (S/RTBH)
DDoS MITIGATION HOW IT WORKS W/O FLOWSPEC
2015 © Terabit Security, All rights reserved
WHY BGP FLOWSPEC
FlowSpec Leverages the BGP Control-plane to simplify the distribution of ACL's, greatly improving operations.
• Inject new filter/firewall rules to all routers at the same time without changing router config
• Reuse existing BGP operational knowledge and best practices• Control policy propagation via BGP communities
Improve response time to mitigate DDOS attacks
Same Automation as RTBH
Route validation is performed for eBGP sessions.
RFC5575BGP Flowspec
2015 © Terabit Security, All rights reserved
BGP FLOWSPEC SPECIFICATION
Flowspec is very useful feature against today’sDDOS.Rule was too long, so forwarding router could notapply filter as the result not only DDOS but alsonormal traffic down.This is defined in RFC 5575 . Specific informationabout the flow can now be distributed using a BGPNLRI.AFI/SAFI = 1/133: Unicast Traffic FilteringApplicationsAFI/SAFI = 1/134 : VPN traffic filtering applications.
BGP Flow Specification can include the following information
Type 1 - Destination PrefixType 2 - Source PrefixType 3 - IP Protocol Type 4 - Source or Dest. PortType 5 - Destination PortType 6 - Source Port
Type 7 - ICMP TypeType 8 - ICMP CodeType 9 - TCP flagsType 10 - Packet lengthType 11 - DSCPType 12 - Fragment Encodins
Actions are defined using BGPExtended Communities
0x8006 - traffic-rate (set to 0 to drop all traffic)0x8007 - traffic-action (sampling)0x8008 - redirect to VRF (route target0x8009 - traffic-marking (DSCP value)
2015 © Terabit Security, All rights reserved
BGP FLOWSPEC VENDOR SUPPORT
Supported by router vendors
SR OS 9.0R1 JUNOS 7.3 ASR and CRS
Supported by DDoS protection vendors
Peakflow SP 3.5 DDoS Secure 5.14.2-0 Defense Pro
since
2015 © Terabit Security, All rights reserved
CONTACT US
Sales OfficeRocklin CA, USA
Development OfficeKiev, Ukraine
https://terabitsecurity.com/
Sales+1 650 460 14 86
sales@terabitsecurity.com
Terabit Security LLC
Rocklin CA, USA
SupportSupport Center
http://support.terabitsecurity.com/
support@terabitsecurity.com
2015 © Terabit Security, All rights reserved
REQUEST A DEMO
RequestA Demo
top related