How to Stop a DDoS Attack in Less Than 1 Minute
DESCRIPTION
When you are under attack, every second counts. In this presentation, you will learn about the new features in Arbor Networks' Peakflow version 7.0 that are designed to significantly reduce the time required for DDoS attack detection, mitigation and comprehensive reporting -- in some cases, reduced to less than 1 minute. If you missed this presentation, which was originally given during the first day of our recent CyberSecurity virtual summit, you can watch the webinar replay here: https://www.brighttalk.com/r/PqQ
TRANSCRIPT
How to Stop a DDoS Attack in Less Than 1 Minute
Presented by: Scott Iekel-Johnson, Product Manager, Arbor Networks
Arbor Networks Cyber Security Summit
Attend any of the 6 live (or archived) webinars.
Overview of Peakflow 7.0 (GA 11/10/14)
• Reduction in Time to Detection and Mitigation
• Essential Attack Details At Your Fingertips
• Attack detection in 1 second and mitigation in less than 30 seconds
• Expanded DDoS traffic analysis
• New streamlined attack management workflow
• New / Improved DDoS Attack Countermeasures
• Continuous countermeasure improvements
• Decryption and mitigation of SSL-based attacks
• The “User Dimension” in Peakflow Analysis and Reporting
Introduction to “Fast Flood” DDoS Attacks
“Fast Flood” DDoS Attacks on the Rise
• Unsophisticated flood attacks (e.g. ICMP, UDP) that quickly ramp up in size (e.g. 0-50Gbps+ in seconds)
• Last for a short duration of time (less than 30 min)
• Readily available DDoS attack tools and services, together with the increase in number and size of botnets and in bandwidth, make this type of attack a common occurrence (see ATLAS stats above)
• Need for quick detection and auto-mitigation to reduce impact
• 2X increase in attacks over 20GB from 2013 to 1st half 2014; majority of attacks are less than 1 hour
“Detection in 1 sec, Mitigation in less than 30 secs.”
New DoS Alert Reporting and Workflow
Redesigned for modern-day DDoS attacks: DDoS attack reports have been redesigned to show the most important information regarding an attack.
A single alert showing key information per attack:
• Top attack traffic patterns, major traffic characteristics, packet size distribution
• IPv4 and IPv6 DDoS attack alert parity
Gives the user the ability to view the impact of an attack across key points in the network (peering edge, customer edge, every router).
Integrated view of mitigations allows you to manage an attack from a single screen.
More intelligence and a better workflow enable users to quickly determine impact and ultimately reduce time to mitigation.
Essential Attack Details At Your Fingertips
Alert Summary: Network Perspectives
View impact on the network from 3 major perspectives: Network Boundary, Managed Object Boundary, Routers.
The legend is also an interactive filter for the Alert Traffic chart.
Alert Summary: Top 10 Traffic Patterns
Automatically identify significant traffic patterns in an alert. Patterns are aggregated from groups of flows to help identify attack traffic.
Alert Summary: Alert Characterization
The Alert Characterization table lists the most significant traffic characteristics of the alert.
Can include any alert data, including source country or AS, TCP flags, source and destination CIDRs, etc.
Alert Summary: Packet Size Distribution
Number of bytes per packet size range (150 bytes each); Jumbo Frames for greater than 1500 bytes.
Helps you determine the type of attack: for example, if you receive a UDP flood alert for packets sourced from port 123 (NTP), and the majority of the packets are large (400 bytes or larger), you are probably looking at a reflection attack, because these NTP packets would normally be much smaller.
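The packet size distribution and the NTP reflection heuristic described above, as an added example that is not part of the webinar or of Peakflow itself. The records, bucket labels and function names are assumptions made for illustration; the sample packets are constructed to mimic the slide's scenario (UDP from source port 123 with mostly large packets) beside ordinary NTP traffic.

```python
from collections import Counter

BUCKET = 150   # each size range covers 150 bytes, as on the slide
MTU = 1500     # anything larger is counted as a jumbo frame

# Constructed sample records, not data from the webinar: (src_port, proto, packet_bytes).
# NTP_REFLECTION mimics the slide's scenario: UDP from source port 123, mostly large packets.
NTP_REFLECTION = [(123, "udp", 468)] * 80 + [(123, "udp", 90)] * 10 + [(53, "udp", 70)] * 10
# NORMAL_NTP mimics ordinary client/server NTP, where packets stay well under 400 bytes.
NORMAL_NTP = [(123, "udp", 90)] * 95 + [(123, "udp", 76)] * 5


def size_bucket(length):
    """Label the 150-byte range a packet falls in: '1-150', '151-300', ..., '1351-1500',
    or 'jumbo' for frames over 1500 bytes (assumed labelling, not Peakflow's)."""
    if length > MTU:
        return "jumbo"
    lo = ((max(length, 1) - 1) // BUCKET) * BUCKET + 1
    return f"{lo}-{lo + BUCKET - 1}"


def size_distribution(packets):
    """Bytes seen per packet-size range (the slide's 'number of bytes per packet size range')."""
    dist = Counter()
    for _, _, length in packets:
        dist[size_bucket(length)] += length
    return dict(dist)


def looks_like_ntp_reflection(packets, large_bytes=400, majority=0.5):
    """Slide heuristic: a UDP flood sourced from port 123 whose packets are mostly
    >= 400 bytes is probably reflection, because genuine NTP packets are much smaller."""
    ntp = [p for p in packets if p[0] == 123 and p[1] == "udp"]
    if not ntp:
        return False
    large = sum(1 for p in ntp if p[2] >= large_bytes)
    return large / len(ntp) > majority


if __name__ == "__main__":
    for name, sample in (("NTP_REFLECTION", NTP_REFLECTION), ("NORMAL_NTP", NORMAL_NTP)):
        print(name, size_distribution(sample), "reflection?", looks_like_ntp_reflection(sample))
```

The distribution is keyed by bytes rather than packet count because that is what the slide reports; the reflection check, by contrast, counts packets, since the slide's wording is "the majority of the packets are large". Both thresholds are parameters so an operator can tune them to what their own NTP baseline looks like.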
Alert Scratch Pad
• Scratchpad, cut-paste-edit reference, persistent across UI
Alert Summary: Active / Start Mitigation
From the alerts screen you can see all active mitigations or start mitigations.
Traffic Details Dashboard
New Traffic Details enhancements improve workflow
Shows the most significant (Top 5) elements contributing to the attack:
• Traffic summary per network boundary
• Top Traffic Patterns
• Source & Destination IP Addresses
• IP, ICMP, Misuse Types and TCP Flags
• Source & Destination TCP/UDP Ports
• Source Countries & ASNs
“View Graph” selects data to graph.
“View Details” shows the top 100 items.
Dynamic use of Scratch Pad.
Routers Details Dashboard
Details of routers impacted by the attack.
“+” expands to show router interfaces.
Pull-down provides three views: Scratch Pad, Traffic summary, Router configuration.
New DDoS Mitigation Countermeasures
JavaScript for HTTP Authentication
Forces clients to execute JavaScript to be authenticated.
Can block attack tools that can follow simple HTTP 302 redirects but cannot execute JavaScript.
DNS Regular Expression Enhancements
• New, more user-friendly UI
• More filtering options:
– DNS Record Type
– Recursion Desired (RD) Flag
– Domain Regular Expression
• New option to process inbound DNS Queries, Query Replies, or both helps block DNS Reflection attacks
Per Connection Flood Protection
• Can be enabled for specific TCP and UDP ports
• Useful to protect custom applications where source blocking is undesirable, such as customers behind a NAT gateway
TCP Connection Limiting
• Block attacks that attempt to exhaust server resources by opening many simultaneous TCP connections and holding them open
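The two countermeasures just described, Per Connection Flood Protection and TCP Connection Limiting, as one added example that is not part of the webinar or of Peakflow's implementation. The event format, class names and thresholds are assumptions made for illustration; the event stream is constructed so that one flooding connection shares a NAT source address with a normal client, and a second source tries to hold many connections open at once.

```python
from collections import defaultdict

# Constructed event stream, not data from the webinar: (time_s, event, src_ip, conn_id).
# "syn" opens and "fin" closes a TCP connection; "pkt" is a packet on connection conn_id.
# 198.51.100.7 stands in for a NAT gateway: connection "a" behind it floods while
# connection "b" is a normal client sharing the same source address.
# 203.0.113.9 opens twelve connections and never closes them (resource exhaustion).
EVENTS = (
    [(0.0, "syn", "198.51.100.7", "a"), (0.0, "syn", "198.51.100.7", "b")]
    + [(i * 0.01, "pkt", "198.51.100.7", "a") for i in range(20)]
    + [(0.5, "pkt", "198.51.100.7", "b"), (0.6, "pkt", "198.51.100.7", "b")]
    + [(1.0 + i * 0.1, "syn", "203.0.113.9", f"c{i}") for i in range(12)]
)


class PerConnectionFloodProtection:
    """Drops packets on any single connection that exceeds max_pps within a one-second
    window. Only the offending connection is limited; the source IP is never blocked,
    so other clients behind the same NAT address keep working."""

    def __init__(self, max_pps):
        self.max_pps = max_pps
        self.seen = defaultdict(int)  # (conn_id, whole second) -> packets counted

    def packet(self, t, conn_id):
        key = (conn_id, int(t))
        self.seen[key] += 1
        return self.seen[key] <= self.max_pps  # True = pass, False = drop


class TcpConnectionLimiter:
    """Refuses a new connection once a source already holds max_open simultaneous
    connections, countering attempts to exhaust the server by holding sockets open."""

    def __init__(self, max_open):
        self.max_open = max_open
        self.open = defaultdict(set)  # src_ip -> ids of currently open connections

    def syn(self, src_ip, conn_id):
        if len(self.open[src_ip]) >= self.max_open:
            return False  # refuse: this source is already at its limit
        self.open[src_ip].add(conn_id)
        return True

    def fin(self, src_ip, conn_id):
        self.open[src_ip].discard(conn_id)


def run(events, max_pps=10, max_open=10):
    """Replay events through both countermeasures and summarise the decisions taken."""
    flood = PerConnectionFloodProtection(max_pps)
    limiter = TcpConnectionLimiter(max_open)
    stats = {"passed": defaultdict(int), "dropped": defaultdict(int), "refused": defaultdict(int)}
    for t, ev, src, cid in sorted(events, key=lambda e: e[0]):  # stable sort by time
        if ev == "syn":
            if not limiter.syn(src, cid):
                stats["refused"][src] += 1
        elif ev == "fin":
            limiter.fin(src, cid)
        elif ev == "pkt":
            stats["passed" if flood.packet(t, cid) else "dropped"][cid] += 1
    return {k: dict(v) for k, v in stats.items()}


if __name__ == "__main__":
    print(run(EVENTS))
```

Running it shows the two behaviours the slides contrast: the flooding connection "a" has half its packets dropped while connection "b", from the same NAT address, is untouched, and the twelve-connection source is refused its eleventh and twelfth connections without any of its existing ones being torn down.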
Blacklist for Existing Countermeasures
• Blacklisting actions have been added to several existing countermeasures:
– Black / White Lists
– IP-Based Filter Lists (IPv4 or IPv6)
– Payload Regular Expression
– DNS Regular Expression
Exposing Attacks Hidden in SSL Traffic
New Hardware Security Module (HSM) option for TMS 2300. Completely transparent: invisible to client and server, no proxy interaction issues. Inline, the Peakflow TMS 2300 checks the HSM for a certificate that matches the traffic. If the HSM has a matching certificate, the Peakflow TMS 2300:
1. Decrypts the traffic (up to 5 Gbps).
2. Applies configured HTTP-related countermeasures such as AIF or HTTP Object Request Limiting; passes or blocks the traffic accordingly.
3. Forwards the original packets of passed traffic.
The decrypted data will not appear in the Peakflow TMS 2300 packet captures. However, the Web UI does display the levels of traffic dropped or passed by a mitigation for the encrypted data.
Refer to the new TMS datasheet for performance and supported SSL protocols, FIPS and non-FIPS cipher suites.
[Diagram: HTTPS Clients -> Encrypted Traffic -> TMS 2300 (Cert Key / Key) -> Encrypted Traffic -> HTTPS Server]
New ATLAS Intelligence Feed for Peakflow
“Active Threat Feed” (ATF) has been enhanced and renamed to “Peakflow ATLAS Intelligence Feed (AIF) Standard”. Peakflow SP is now backed by the global threat intelligence of ATLAS and high-fidelity, reputation-based research from ASERT.
Category / Sub-Category of Threats
• DDoS Threats: IP Reputation policies from ASERT
• BotNet Command and Control: Peer to Peer, HTTP, IRC
• Malware: Webshell, Ransomware, RAT, Fake Anti Virus, Banking, Virtual Currency, Spyware, Drive By, Social Network, DDoS Bot, Dropper, Ad Fraud, Worm, Credential Theft, Backdoor, Other, Exploit Kit, Point of Sale
Detect and identify traffic for common malware and botnet threats: Dirt Jumper, Athena, Citadel, Cidox, Pwdump …and many more
The “User Dimension” in Peakflow
Peakflow’s unmatched ability to provide pervasive network visibility and analysis has gotten even better.
Users can now slice massive amounts of Peakflow data in ways that are meaningful to them, their security teams, their marketing departments, product managers or their executives.
In other words, it adds the “User Dimension” to reporting and analysis.
Tag-based Reporting
• Tag-based Reporting is a new feature which allows a user to further customize Peakflow reporting for their unique environment.
• A user can logically group multiple objects together (customers, applications, interfaces, peers, managed objects, etc.) and assign a custom keyword or “tag” to this group, which can then be used for reporting or searching.
• Types of Tags: Application, Customer, Interface, Peer, Peer Profile, Router, Service, Peakflow and TMS appliance, VPN
Conclusion
• Peakflow SP/TMS 7.0 is a huge leap ahead in DDoS protection
– Detect attacks in as little as 1 second
– Mitigate attacks in as little as 30 seconds or less
– Quickly and easily understand attacks and how to stop them
– New countermeasures including new DNS protections and SSL decryption protect you against the latest threats
• Tag-based reporting enables SP to directly answer critical business and engineering questions about your network in real-time
• Numerous other new features that we don’t have time to cover – speak to your Arbor representative to learn more!
Thank You