How to Stop a DDoS Attack in Less Than 1 Minute
Presented by: Scott Iekel-Johnson, Product Manager, Arbor Networks

Uploaded by arbor-networks, posted on 30-Jun-2015

DESCRIPTION

When you are under attack, every second counts. In this presentation, you will learn about the new features in Arbor Networks' Peakflow version 7.0 that are designed to significantly reduce the time required for DDoS attack detection, mitigation and comprehensive reporting -- in some cases, reduced to less than 1 minute. If you missed this presentation, which was originally given during the first day of our recent CyberSecurity virtual summit, you can watch the webinar replay here: https://www.brighttalk.com/r/PqQ

TRANSCRIPT

Page 1: How to Stop a DDoS Attack in Less Than 1 Minute

How to Stop a DDoS Attack in Less Than 1 Minute

Presented by: Scott Iekel-Johnson, Product Manager, Arbor Networks

Page 2

Arbor Networks Cyber Security Summit

Attend any of the 6 live (or archived) webinars.

Page 3

Overview of Peakflow 7.0 (GA 11/10/14)

• Reduction in Time to Detection and Mitigation: attack detection in 1 second and mitigation in less than 30 seconds
• Essential Attack Details At Your Finger Tips: expanded DDoS traffic analysis; new streamlined attack management workflow
• New / Improved DDoS Attack Countermeasures: continuous countermeasure improvements; decryption and mitigation of SSL-based attacks
• The “User Dimension” in Peakflow Analysis and Reporting

Page 4

Introduction to “Fast Flood” DDoS Attacks

“Fast Flood” DDoS Attacks on The Rise
• Non-sophisticated flood attacks (e.g. ICMP, UDP) that quickly ramp up in size (e.g. 0-50Gbps+ in seconds)
• Last for a short duration of time (less than 30 min)
• Readily available DDoS attack tools and services, together with the increase in number and size of botnets and bandwidth, make this type of attack a common occurrence (see ATLAS stats above)
• Need for quick detection and auto-mitigation to reduce impact.

ATLAS stats: 2X increase in attacks over 20GB from 2013 to 1st Half 2014; majority of attacks are less than 1 hour.

Page 5

“Detection in 1 sec, Mitigation in less than 30 secs.”

Page 6

New DoS Alert Reporting and Workflow

Page 7

Redesigned for modern day DDoS attacks - DDoS attack reports have been redesigned to show the most important information regarding an attack.

A single alert showing key information per attack:
• Top attack traffic patterns, major traffic characteristics, packet size distribution
• IPv4 and IPv6 DDoS attack alert parity

Gives the user the ability to view the impact of an attack across key points in the network (peering edge, customer edge, every router).

Integrated view of mitigations allows you to manage an attack from a single screen.

More intelligence and better workflow enables users to quickly determine impact and ultimately reduce time to mitigation.

Essential Attack Details At Your Finger Tips

Page 8

Alert Summary: Network Perspectives

View impact on the network from 3 major perspectives: Network Boundary, Managed Object Boundary, Routers.

The legend is also an interactive filter for the Alert Traffic chart.

Page 9

Alert Summary: Top 10 Traffic Patterns

• Automatically identify significant traffic patterns in the alert
• Patterns aggregated from groups of flows to help identify attack traffic

Page 10

Alert Summary: Alert Characterization

The Alert Characterization table lists the most significant traffic characteristics of the alert

Can include any alert data, including source country or AS, TCP flags, source and destination CIDRs, etc.

Page 11

Alert Summary: Packet Size Distribution

Number of bytes per packet size range (150 bytes each); Jumbo Frames for greater than 1500 bytes.

Helps you determine the type of attack: for example, if you receive a UDP flood alert for packets sourced from port 123 (NTP), and the majority of the packets are large (400 bytes or larger), you are probably looking at a reflection attack because these NTP packets would normally be much smaller.
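The heuristic on this slide can be reproduced from ordinary flow records. The Python below is an added example (not Arbor's code and not Peakflow's implementation): it bins traffic into the same 150-byte packet-size ranges plus a jumbo bucket, then applies the "majority of bytes in large packets from a service port" rule. It generalizes the NTP case to any UDP service port (the same check flags oversized replies from port 53). The flow records, the 400-byte size cutoff and the 50% majority threshold are constructed assumptions for the demo.

```python
"""Packet size distribution and a reflection-attack heuristic over flow records.

Added example, not Arbor code. Assumes flow records shaped as
(protocol, source port, destination port, packet count, byte count), the
fields any flow collector exports. Sample values below are constructed.
"""
from collections import defaultdict

BIN_WIDTH = 150   # slide: packet size ranges of 150 bytes each
MTU = 1500        # anything larger is counted as a jumbo frame

# Constructed flow records: (proto, src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("udp", 123, 51234, 4000, 1_800_000),  # 450 B average: oversized NTP "replies"
    ("udp", 123, 51235, 3000, 1_440_000),  # 480 B average
    ("udp", 123, 40000,  100,     9_000),  # 90 B average: a normal NTP exchange
    ("udp",  53, 33000,  500,   600_000),  # 1200 B average: large DNS answers
    ("tcp", 443, 50000, 2000, 2_400_000),  # 1200 B average: ordinary HTTPS
]


def size_bucket(avg_packet_size: int) -> str:
    """Map an average packet size to its 150-byte range label, or 'jumbo'."""
    if avg_packet_size <= 0:
        raise ValueError("packet size must be positive")
    if avg_packet_size > MTU:
        return "jumbo"
    idx = (avg_packet_size - 1) // BIN_WIDTH
    return f"{idx * BIN_WIDTH + 1}-{(idx + 1) * BIN_WIDTH}"


def byte_distribution(flows, proto=None, src_port=None):
    """Bytes per packet-size range for the flows matching the optional filters."""
    dist = defaultdict(int)
    for f_proto, f_src, _dst, packets, nbytes in flows:
        if proto is not None and f_proto != proto:
            continue
        if src_port is not None and f_src != src_port:
            continue
        if packets == 0:
            continue
        dist[size_bucket(nbytes // packets)] += nbytes
    return dict(dist)


def large_packet_share(flows, proto, src_port, min_size=400):
    """Fraction of bytes carried by flows whose average packet is >= min_size."""
    total = large = 0
    for f_proto, f_src, _dst, packets, nbytes in flows:
        if f_proto != proto or f_src != src_port or packets == 0:
            continue
        total += nbytes
        if nbytes // packets >= min_size:
            large += nbytes
    return large / total if total else 0.0


def likely_reflection(flows, proto, src_port, min_size=400, threshold=0.5):
    """Slide 11 rule: a flood sourced from a service port (e.g. 123/NTP) whose
    bytes mostly sit in large packets is probably reflected traffic, because
    genuine replies from that service are normally much smaller."""
    return large_packet_share(flows, proto, src_port, min_size) >= threshold


def _bucket_start(label: str) -> int:
    """Sort key so the histogram prints in numeric order with jumbo last."""
    return MTU + 1 if label == "jumbo" else int(label.split("-")[0])


if __name__ == "__main__":
    hist = byte_distribution(SAMPLE_FLOWS, "udp", 123)
    for rng in sorted(hist, key=_bucket_start):
        print(f"{rng:>10}: {hist[rng]:>10,d} bytes")
    print("NTP reflection likely:", likely_reflection(SAMPLE_FLOWS, "udp", 123))
```

Because the histogram is built from per-flow averages, one flow of 4000 packets lands in a single bucket; a collector that exports per-packet sizes would fill the bins more finely, but the majority test is the same.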

Page 12

Alert Scratch Pad

• Scratchpad, cut-paste-edit reference, persistent across UI

Page 13

Alert Summary: Active/Start Mitigation

From the alerts screen you can see all active mitigations or start mitigations.

Page 14

Traffic Details Dashboard

New Traffic Details enhancements improve workflow.

Shows the most significant (Top 5) elements contributing to the attack:
• Traffic summary per network boundary
• Top Traffic Patterns
• Source & Destination IP Addresses
• IP, ICMP, Misuse Types and TCP Flags
• Source & Destination TCP/UDP Ports
• Source Countries & ASNs

“View Graph” selects data to graph

“View Details” shows top 100 items

Dynamic use of Scratch Pad

Page 15

Routers Details Dashboard

Details of routers impacted by the attack.

“+” expands to show router interfaces.

Pull down provides three views: Scratch Pad, Traffic summary, Router configuration.

Page 16

New DDoS Mitigation Countermeasures

Page 17

JavaScript for HTTP Authentication

Forces clients to execute JavaScript to be authenticated

Can block attack tools that can follow simple HTTP 302 redirects

Page 18

DNS Regular Expression Enhancements
• New, more user-friendly UI
• More filtering options
  – DNS Record Type
  – Recursion Desired (RD) Flag
  – Domain Regular Expression
• New option to process inbound DNS Queries, Query Replies, or both helps block DNS Reflection attacks
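To make the three filter options concrete, here is an added Python example (not Arbor's code and not how Peakflow implements the countermeasure). It parses the header and question section of a DNS message in the RFC 1035 layout, then evaluates a filter built from record type, the RD flag, a domain regular expression and the query/reply direction from this slide. The `build_dns_message` helper, the filter rules, the `.example.com` regex and the sample messages are constructed for the demo; dropping unparseable messages is an assumed design choice, not a documented Peakflow behaviour.

```python
"""Minimal DNS question parser plus a filter modelled on the slide's options
(record type, RD flag, domain regex, queries / replies / both).

Added example, not Arbor code. Message layout follows RFC 1035; sample
messages are constructed with build_dns_message() purely as test input.
"""
import re
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

QTYPE = {"A": 1, "TXT": 16, "AAAA": 28, "ANY": 255}


@dataclass
class DnsQuestion:
    is_reply: bool   # QR bit of the flags word
    rd: bool         # Recursion Desired bit
    qname: str
    qtype: int


def build_dns_message(qname, qtype, rd=True, qr=False, txid=0x1234):
    """Assemble a header plus one question (no answer records); test input only."""
    flags = (0x8000 if qr else 0) | (0x0100 if rd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> DnsQuestion:
    """Decode flags and the first question; raise ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0:  # compression pointer: not expected in a question name
            raise ValueError("compressed name in question")
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return DnsQuestion(bool(flags & 0x8000), bool(flags & 0x0100),
                       ".".join(labels).lower(), qtype)


@dataclass
class DnsFilter:
    record_types: FrozenSet[int] = frozenset()  # empty set = any record type
    rd: Optional[bool] = None                   # None = don't care
    domain_regex: Optional[str] = None
    direction: str = "both"                     # "query", "reply" or "both"

    def matches(self, q: DnsQuestion) -> bool:
        if self.direction == "query" and q.is_reply:
            return False
        if self.direction == "reply" and not q.is_reply:
            return False
        if self.record_types and q.qtype not in self.record_types:
            return False
        if self.rd is not None and q.rd != self.rd:
            return False
        if self.domain_regex and not re.search(self.domain_regex, q.qname):
            return False
        return True


def classify(msg: bytes, filters) -> str:
    """'drop' when any filter matches; malformed messages are dropped as well
    (assumed fail-closed behaviour for a scrubbing device)."""
    try:
        q = parse_question(msg)
    except ValueError:
        return "drop"
    return "drop" if any(f.matches(q) for f in filters) else "pass"


# Constructed rule set: amplification-style ANY queries with RD set for one zone,
# plus every inbound reply (a server that never asked should not receive answers).
RULES = [
    DnsFilter(record_types=frozenset({QTYPE["ANY"]}), rd=True,
              domain_regex=r"\.example\.com$", direction="query"),
    DnsFilter(direction="reply"),
]

if __name__ == "__main__":
    for label, msg in [
        ("ANY query", build_dns_message("www.example.com", QTYPE["ANY"])),
        ("A query", build_dns_message("www.example.com", QTYPE["A"])),
        ("unsolicited reply", build_dns_message("reflector.example", QTYPE["ANY"], rd=False, qr=True)),
    ]:
        print(f"{label:>18}: {classify(msg, RULES)}")
```

The "reply" direction is what turns a query filter into reflection protection: the victim of a DNS reflection attack is receiving answers, so a rule that inspects inbound query replies can discard them without touching legitimate outbound queries.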

Page 19

Per Connection Flood Protection

• Can be enabled for specific TCP and UDP ports

• Useful to protect custom applications where source blocking is undesirable, such as customers behind a NAT gateway

Page 20

TCP Connection Limiting

• Block attacks that attempt to exhaust server resources by opening many simultaneous TCP connections and holding them open
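The two countermeasures on slides 19 and 20 differ mainly in what state they key on: a per-source connection limit versus a per-connection (5-tuple) packet-rate limit that leaves other connections from the same address alone, which is why the latter suits clients behind a NAT gateway. The following Python is an added example of both (not Arbor's code and not Peakflow's implementation); the `FloodGuard` class, its limits, the 1-second window and the replayed packet stream are assumptions chosen for illustration, and the addresses come from the documentation ranges.

```python
"""Two stateful countermeasures modelled over a constructed packet stream:
a per-source TCP connection limit (slide 20) and a per-connection packet-rate
limit that punishes only the offending flow, not the source address (slide 19).

Added example, not Arbor code. Limits, window size and traffic are assumptions.
"""
from collections import defaultdict, deque


class FloodGuard:
    def __init__(self, max_conns_per_src=3, max_pkts_per_conn=50, window_s=1.0,
                 protected_ports=frozenset({80, 443})):
        self.max_conns = max_conns_per_src
        self.max_pkts = max_pkts_per_conn
        self.window = window_s
        self.protected_ports = protected_ports
        self.open_conns = defaultdict(set)   # src_ip -> {(src_port, dst_port)}
        self.pkt_times = defaultdict(deque)  # 5-tuple -> packet timestamps in window
        self.stats = defaultdict(int)

    def handle(self, t, proto, src_ip, src_port, dst_port, kind="data"):
        """Return 'pass' or 'drop' for one packet and update the tracked state."""
        key = (proto, src_ip, src_port, dst_port)

        # TCP Connection Limiting: cap concurrent connections per source address.
        if proto == "tcp" and kind == "syn":
            conns = self.open_conns[src_ip]
            if (src_port, dst_port) not in conns and len(conns) >= self.max_conns:
                self.stats["conn_limit_drop"] += 1
                return "drop"
            conns.add((src_port, dst_port))

        # Per Connection Flood Protection: sliding-window rate limit on one 5-tuple
        # for the configured ports; sibling connections from the same source
        # (e.g. other hosts behind the same NAT) keep their own budget.
        if dst_port in self.protected_ports:
            q = self.pkt_times[key]
            while q and t - q[0] > self.window:
                q.popleft()
            if len(q) >= self.max_pkts:
                self.stats["per_conn_drop"] += 1
                return "drop"
            q.append(t)

        # Forget a connection once it closes so the per-source count can recover.
        if proto == "tcp" and kind in ("fin", "rst"):
            self.open_conns[src_ip].discard((src_port, dst_port))
            self.pkt_times.pop(key, None)

        self.stats["pass"] += 1
        return "pass"


def replay(guard, packets):
    """Feed (t, proto, src_ip, src_port, dst_port, kind) tuples; return verdicts."""
    return [guard.handle(*p) for p in packets]


def demo():
    """Constructed traffic for both countermeasures; returns the verdicts and state."""
    # Slide 20 scenario: one source opens 5 connections to 443 under a limit of 3.
    limiter = FloodGuard(max_conns_per_src=3)
    syns = [(0.1 * i, "tcp", "198.51.100.7", 40000 + i, 443, "syn") for i in range(5)]
    syn_verdicts = replay(limiter, syns)

    # Slide 19 scenario: a NAT address with two connections to port 80; one floods
    # (60 packets inside one second), the other behaves (5 packets).
    guard = FloodGuard(max_pkts_per_conn=50, window_s=1.0)
    flood = [(0.0, "tcp", "203.0.113.5", 50001, 80, "syn")]
    flood += [(0.01 * (i + 1), "tcp", "203.0.113.5", 50001, 80, "data") for i in range(59)]
    polite = [(0.0, "tcp", "203.0.113.5", 50002, 80, "syn")]
    polite += [(0.02 * (i + 1), "tcp", "203.0.113.5", 50002, 80, "data") for i in range(4)]
    flood_verdicts = replay(guard, flood)
    polite_verdicts = replay(guard, polite)
    # Once the window has passed, the flooding connection closes and is forgotten.
    fin_verdict = guard.handle(2.0, "tcp", "203.0.113.5", 50001, 80, "fin")
    return syn_verdicts, flood_verdicts, polite_verdicts, fin_verdict, guard


if __name__ == "__main__":
    s, f, p, fv, g = demo()
    print("connection limit:", s)
    print("flooding conn: %d pass / %d drop" % (f.count("pass"), f.count("drop")))
    print("well-behaved conn:", p, "| FIN:", fv, "| open:", dict(g.open_conns))
```

Note that the flooding connection's excess packets are dropped while the neighbouring connection from the identical source address passes untouched; a source-based block would have cut off every host behind that NAT.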

Page 21

Blacklist for Existing Countermeasures

• Blacklisting actions have been added to several existing countermeasures
  – Black / White Lists
  – IP-Based Filter Lists (IPv4 or IPv6)
  – Payload Regular Expression
  – DNS Regular Expression

Page 22

Exposing Attacks Hidden in SSL Traffic

New Hardware Security Module (HSM) option for TMS 2300
• Completely transparent – invisible to client and server, no proxy interaction issues
• Inline, Peakflow TMS 2300 checks the HSM for a certificate that matches the traffic. If the HSM has a matching certificate, the Peakflow TMS 2300:
  1. Decrypts the traffic (up to 5 Gbps).
  2. Applies configured HTTP-related countermeasures such as AIF or HTTP Object Request Limiting; passes or blocks the traffic accordingly.
  3. Original packets of passed traffic are forwarded.

The decrypted data will not appear in the Peakflow TMS 2300 packet captures. However, the Web UI does display the levels of traffic dropped or passed by a mitigation for the encrypted data.

Refer to the new TMS datasheet for performance and supported SSL protocols, FIPS and non-FIPS cipher suites.

[Diagram: HTTPS Clients – Encrypted Traffic – TMS 2300 (Cert, Key) – Encrypted Traffic – HTTPS Server]

Page 23

New ATLAS Intelligence Feed for Peakflow

“Active Threat Feed” (ATF) has been enhanced and renamed to “Peakflow ATLAS Intelligence Feed (AIF) Standard”. Peakflow SP is now backed by the global threat intelligence of ATLAS and high fidelity, reputation-based research from ASERT.

Category / Sub-Category of Threats:
• DDoS Threats: IP Reputation policies from ASERT
• BotNet Command and Control: Peer to Peer, HTTP, IRC
• Malware: Webshell, Ransomware, RAT, Fake Anti Virus, Banking, Virtual Currency, Spyware, Drive By, Social Network, DDoS Bot, Dropper, Ad Fraud, Worm, Credential Theft, Backdoor, Other, Exploit Kit, Point of Sale

Detect and identify traffic for common malware and botnet threats: Dirt Jumper, Athena, Citadel, Cidox, Pwdump …and many more

Page 24

The “User Dimension” in Peakflow

Peakflow’s unmatched ability to provide pervasive network visibility and analysis has gotten even better.

Users can now slice massive amounts of Peakflow data in ways that are meaningful to them, their security teams, their marketing departments, product managers or their executives.

In other words, it adds the “User Dimension” to reporting and analysis.

Page 25

Tag-based Reporting
• Tag-based Reporting is a new feature which allows a user to further customize Peakflow reporting for their unique environment.
• A user can logically group multiple objects together (customers, applications, interfaces, peers, managed objects, etc.) and assign a custom keyword or “tag” to this group, which then can be used for reporting or searching.
• Types of Tags: Application, Customer, Interface, Peer, Peer Profile, Router, Service, Peakflow and TMS appliance, VPN

Page 26

Conclusion
• Peakflow SP/TMS 7.0 is a huge leap ahead in DDoS protection
  – Detect attacks in as little as 1 second
  – Mitigate attacks in as little as 30 seconds or less
  – Quickly and easily understand attacks and how to stop them
  – New countermeasures including new DNS protections and SSL decryption protect you against the latest threats
• Tag-based reporting enables SP to directly answer critical business and engineering questions about your network in real-time
• Numerous other new features that we don’t have time to cover – speak to your Arbor representative to learn more!

Page 27

Thank You