Arbor’s Solution for ISP
Recent Attack Cases
More Attack Motivations; Greater Availability of Botnets
Increased Volume; Increased Complexity; Increased Frequency
Largest volumetric DDoS has grown from 9 to 100 Gbps in 5 years
Over 25% of attacks are now application-based DDoS, mostly targeting HTTP, DNS, SMTP
>50% of data center operators experience >10 attacks per month
DDoS is an Exploding & Evolving Trend
more attacks
Geopolitical “Burma taken offline by DDOS attack”
Protests “Visa, PayPal, and MasterCard attacked”
Extortion “Techwatch weathers DDoS extortion attack”
Better Bots More infected PCs with faster connections
Easy Access Using web 2.0 tools to control botnets
Commoditized Cloud-based botnets, cheaper
Largest single DDoS Attack Observed per Year in Gbps
Largest 7 DDoS Attacks Against IDC
Average Number of DDoS Attacks per Month
Arbor Network
Who is Arbor Networks?
A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks
90% Percentage of world’s Tier 1 service providers who are Arbor customers
105 Number of countries with Arbor products deployed
43+ Tbps Amount of global traffic monitored by the ATLAS security intelligence initiative right now – 25% of global Internet traffic!
#1 Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments – 61% of total market [Infonetics Research Dec 2011]
12 Number of years Arbor has been delivering innovative security and network visibility technologies & products
$16B 2011 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
Sampling of Arbor’s Customers
* These customers have given Arbor Networks authorization to use their names publicly. Over 300 customers use Peakflow SP & TMS today.
Vodafone
ASERT Arbor Security Engineering Research Team
Malware Analysis Example
CnC
Victim Web Server
Bot/CnC comms
HTTP Flood traffic New Malware Specimen
ASERT Sandbox
For AIF/Pravail: study bot-to-victim DDoS traffic to distinguish legit web requests from HTTP flood requests
For ATF/Peakflow SP: study bot-to-CnC traffic to alert on infected clients
Arbor DDoS Solution
DDoS Attack? It WILL Happen …
300 Gbps DDoS attack!
• Any part of your network or services that is vulnerable to an attack
– Network Interfaces
– Infrastructure
– Firewall/IPS
– Servers
– Protocols
– Applications
– Databases
• Attackers will find the weakness
The DDoS Attack Surface
Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages – many times a single attack can result in all three – and all with the same end result: critical services are no longer available!
Modern DDoS Attacks Are Complex & Diverse
[Diagram: The Broad Impact of DDoS Attacks. Labels: Attack Traffic, Good Traffic, Load Balancer, IPS, Data Center]
Stopping Volumetric Attacks
Cloud-based: volumetric DDoS mitigation must be done upstream, before the traffic reaches the data center
Activated “on demand”: only active when an attack is detected or reported
Cloud-based
DDoS Protection
ISP 2
ISP 1
ISP n
ISP
Peakflow
SP/TMS
SCRUBBING CENTER
DATA CENTER
Firewall IPS
Load Balancer
How does it all work?
(Peakflow SP/TMS)
Step 1: Have Visibility (x-flow based)
Peering
Point
POP
Mobile
Subscriber
Network
Enterprise B
Service Provider’s Core
POP
Peering
Point
Core Router
Enterprise A
Targeted
Arbor Peakflow CP
Comprehensive Dashboards
Network: Top peers, ASNs, Countries, Cities Applications, Fingerprints, Growth
Application: Customers, Ports, Peers, Markets
Customer: Applications, Peers, Fingerprints, Markets, Alerts
Router: Per router stats, Top Interfaces, Applications, Customers
Benefits
Better informed, more timely operations management
Traffic & Application
Cost Optimized Peering and Transit
− View where your customers’ traffic is truly destined
− Make intelligent decisions about peering expansions
− Assure that existing peering agreements are being used to their full potential
− Ensure that transit customers are abiding by service agreements like no-resell agreements
Transit reports
Peer traffic exchange reports
Peering “what if” analysis
Interface reports
Source and Destination Analysis
Where is traffic going when it comes IN?
Where has traffic come from when it goes OUT?
How much money will I save if I peer with XYZ?
How much in transit costs is customer A costing me?
Global Geography Reporting
A New Dimension of Network Intelligence
Benefits
Better threat response
Better market analysis
Better planning
Reports and tracking by country, region, city
Track threat sources
Country baselines and alerts
Allow, drop, shape traffic based on country
Identify growth markets
Measure service usage by city
Service Visibility
Measure application usage
Track Key Performance Indicators (KPIs): jitter, latency, RTT
90 predefined applications
Customer defined applications
Top URL reports
VoIP call reports
Comprehensive DNS reports
Real-time packet visibility
Alerts on service changes
Track baseline service levels
Benefits
Identify and address problems before users start to complain
Reduce help desk calls
Better business and operations planning
Subscriber Visibility
Identify infected subscribers
Track # of infected subscribers
Track individual and aggregate subscriber traffic
Identify top markets (IP Location cities)
Identify top applications, top ports
Protection and reporting for mobile and fixed networks
Benefits
Keep malicious traffic off the network
Protect subscribers
Serve markets better
The Attack
Peering
Point
POP
Mobile
Subscriber
Network
Enterprise B
Service Provider’s Core
POP
Peering
Point
Core Router
Enterprise A
Targeted
Arbor Peakflow CP
Surgical Mitigation Center
1 – Detect
2 – Activate
3 – Divert only target’s traffic
The Mitigation
Peering
Point
POP
Mobile
Subscriber
Network
Enterprise B
Service Provider’s Core
POP
Peering
Point
Core Router
Enterprise A
Targeted
Arbor Peakflow CP
Arbor Peakflow CP
Surgical Mitigation Center
4 – Identify and filter the malicious
5 – Forward the legitimate: GRE, MPLS, …
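The detect-and-divert steps above, as an added illustration that is not Arbor’s code or the Peakflow SP/TMS algorithm: flow records (here a constructed byte-count table, standing in for collected NetFlow/sFlow) are folded into a per-destination baseline, a destination is flagged only when it exceeds both its own baseline and an absolute floor, and the diversion plan covers just the flagged host route, leaving all other prefixes on their normal path. The function names, thresholds and sample addresses are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: bytes per 60 s window per destination, as a flow
# collector would aggregate them. Windows 0-4 are history, window 5 is
# "now". 198.51.100.10 is the constructed target; the others are noise.
WINDOW_SECS = 60
FLOWS = [
    (0, "198.51.100.10", 600_000_000), (1, "198.51.100.10", 630_000_000),
    (2, "198.51.100.10", 585_000_000), (3, "198.51.100.10", 615_000_000),
    (4, "198.51.100.10", 600_000_000), (5, "198.51.100.10", 75_000_000_000),
    (0, "203.0.113.5", 150_000_000), (1, "203.0.113.5", 150_000_000),
    (2, "203.0.113.5", 150_000_000), (3, "203.0.113.5", 150_000_000),
    (4, "203.0.113.5", 150_000_000), (5, "203.0.113.5", 300_000_000),
    (3, "203.0.113.9", 10_000_000), (4, "203.0.113.9", 10_000_000),
    (5, "203.0.113.9", 900_000_000),
]

def rates_by_destination(flows, window_secs=WINDOW_SECS):
    """Step 1 (visibility): fold raw flow records into bits/s per
    destination and window; records for the same key are summed."""
    rates = defaultdict(lambda: defaultdict(float))
    for window, dst, nbytes in flows:
        rates[dst][window] += nbytes * 8 / window_secs
    return rates

def detect(rates, now, k=3.0, floor_bps=50_000_000, min_history=3):
    """Detect: flag a destination whose current rate exceeds its own
    baseline (mean + k sigma) AND an absolute floor, so a quiet host is
    not flagged on a doubling of tiny traffic. Hosts with too little
    history are skipped rather than judged against no baseline."""
    targets = {}
    for dst, series in rates.items():
        history = [bps for w, bps in series.items() if w < now]
        if len(history) < min_history:
            continue
        threshold = max(mean(history) + k * pstdev(history), floor_bps)
        observed = series.get(now, 0.0)
        if observed > threshold:
            targets[dst] = {"observed_bps": observed, "threshold_bps": threshold}
    return targets

def diversion_plan(targets):
    """Step 3 (divert only the target's traffic): one host route per
    flagged destination to steer toward the scrubbing centre."""
    return [f"{dst}/32" for dst in sorted(targets)]

def analyze(now=5):
    return detect(rates_by_destination(FLOWS), now)
```

Running `analyze()` flags only 198.51.100.10 (10 Gbps against an ~87 Mbps threshold); 203.0.113.5 doubles but stays under the floor, and 203.0.113.9 has too little history to judge.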
Multiple Countermeasures for Multiple Attacks
Static & Dynamic Packet Filters
Rate-limiting
Anti-Spoofing Mechanisms
Baseline Enforcement
Botnet screening
Layer 7 Protections
TCP Stack Flood Attacks
Generic Flood Attacks
Fragmentation Attacks
Application Attacks
Vulnerability Exploits
Service and Application Layer Protection
Benefits
Protect business critical applications
from targeted attacks
HTTP / Web 2.0 Protection – Block malformed HTTP
– Rate-limit HTTP requests
– Stop click fraud
– Stop “low and slow” attacks
SSL Protection – Neutralize SSL signaling protocol attacks
VoIP Protection – Block malformed SIP packets
– SIP request limiting
DNS Protection – DNS Regular Expressions (RegEx)
– DNS Authentication/Anti-Spoofing
– DNS Query Rate Limiting
– DNS Non-Existent Domain (NXDOMAIN) Rate Limiting
– DNS Reporting and Packet Sampling
IP-based Protection – Packet scrubbing (TCP / UDP/ ICMP)
– TCP Connection reset
– White list / black list
Arbor’s Unique Solution
Global & Enterprise Visibility
Security Intelligence
Availability Protection
A World-Class Research Team (ASERT) Analyzing all the World’s Internet Traffic (ATLAS) to Stop Emerging Advanced Threats
Know Your Network No Matter Where It Resides
Find the Threat No Matter Where the Threat Lurks
Protect the Business at All Times
The Solution to Stop Advanced Threats – Built on Global Network Visibility & Security Intelligence
Thank You