Radware DefenseFlow

The SDN Application That Programs Networks for DoS Security

Sales Presentation

April 2013

• DDoS Threat is Evolving• Limitations of Legacy Out-Of-Path

Deployments• Radware DefenseFlow Solution• Summary

US Banks Under Attack: From The News

3

Anonymous Attacks Grow

4

Industry Security SurveyWhich of the following motivation(s) are behind the DDoS/DoS

attacks that you experienced?

Motivation is unknown

57%Political/Hacktivism

22%

Angry users10%

Competition6%

Ransoms5%

Ponemon Research 2012:DDoS Attacks are Mainstream

5

of organizations had an average of 3 DDoS attacks in the past 12 months65%

Minutes average downtime during one DDoS attack54 MinAverage cost per minute of downtime$22,000Average annual cost of DDoS attacks

$3,000,000

6

Limitations of Netflow Based Mitigation

CapabilityNetflow Based

Mitigation

Detection Network DDoS flood attacks Full coverage

Mitigation Mitigation response time Slow – 5 Minutes

Network OperationRequires BGP announcement, GRE

tunneling and several detectorsComplicated

Diversion Traffic granularity Low Granularity

Cost Effective

Requires hardware detectors

Requires scrubbing center

Consumes routers CPU and ports

Expensive

Slow

Complicated

Inaccurate

Expensive

7

Introducing Radware DefenseFlow

Controller

DefensePro

SDN Data Plane

SDN Controller

SDN Applications

The SDN Application That Programs Networks for DDoS Protection

OpenFlow API

API

Slide 8

DefensePro

Internet

“Flow Diversion” - Control

Detection Analyze & Decide

Programmable Probe – Collect

Security Service provisioning

Attack!!!

SDN Controller

Create baselines per: IP Address, Protocol &

Service (Port)

DefenseFlow: The SDN Application That Programs Networks for DoS Security

Configure DefensePro with learned baselines

9

CapabilityNetflow Based

MitigationRadware DefenseFlow

Detection Network DDoS flood attacks Full coverage Full Coverage

MitigationMitigation response time

Slow – 5 MinImmediate –

seconds

Network Operation

Requires BGP announcement, GRE tunneling and several detectors

ComplicatedSimple -

diversion is a

network service

Diversion Traffic granularity Low GranularityHigh Granularity

– divert only

suspicious traffic

Cost Effective

Requires hardware detectors

Requires scrubbing center

Consumes routers CPU and ports

Expensive Low cost

DefenseFlow Vs. Netflow

Slow

Complicated

Inaccurate

Expensive

10

Operator Benefits

• Designed for attack mitigation– Attack detection is performed out of path– During attack period only suspicious traffic is

diverted through mitigation device

• Scalable solution – DefensePro mitigation devices can be placed

in any location– DefenseFlow diverts the traffic to the nearest

mitigation device

• Easy provisioning– Adding protection policy to a customer in a

few seconds

• Lowest cost solution– Detection as a native SDN stats collection– Diversion as a native SDN control operation

11

Summary

• DDoS attacks are prevalent threat to every business and agency

• Current Netflow based solutions fail to offer cost effective solution

• DefenseFlow is a SDN application that programs networks for DDoS Protection, gaining:– Easy provisioning– Immediate attack detection– Low cost

Thank Youwww.radware.com