Cisco ASR 9000 vDDoS Solution Protection · Cisco ASR 9000: Service Edge Foundation Business CPE...
Cisco Confidential © 2012 Cisco and/or its affiliates. All rights reserved. 1
Cisco ASR 9000 vDDoS Solution Protection
Vikash Sharma, PM, Cisco Systems
Jorge Escobar, Technical Architect, Arbor Networks
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 "All Specifications Subject to Change without Notice"
• Introduction to DDoS
• DDoS Threat Landscape
• ASR 9000 Router overview
• vDDoS Solution Overview
• vDDoS Solution Positioning
• vDDoS Deployment Scenarios
INTRODUCTION TO DDOS
What is a Distributed Denial of Service (DDoS) attack?
• An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
• Targets the availability and utility of computing and network resources
• Attacks are almost always distributed for even more significant effect (i.e. DDoS)
• The collateral damage caused by an attack can be as bad as, if not worse than, the attack itself
• DDoS attacks affect availability! No availability, no applications/ services/data/Internet! No revenue!
• DDoS attacks are attacks against capacity and/or state!
DDoS attacks can consist of just about anything
• Large quantities of raw traffic designed to overwhelm a resource or infrastructure
• Application specific traffic designed to overwhelm a particular service – sometimes stealthy in nature
• Traffic formatted in such a way to disrupt a host from normal processing
• Traffic reflected and/or amplified through legitimate hosts
• Traffic from compromised sources or from spoofed IP addresses
• Pulsed attacks – start/stop attacks
DDoS attacks can be broken out by category
Volumetric Brute Force attacks
• Traffic Floods – Exhaust resources by creating high bps or pps volumes – Overwhelm the infrastructure – links, routers, switches, servers
Layer 4-7 Smart attacks
• TCP resource exhaustion – Exhaust resources in servers, load balancers, firewalls or routers
• Application Layer – Take out specific services or applications
• Any part of your network or services that is vulnerable to an attack: Network Interfaces, Infrastructure, Firewall/IPS, Servers, Protocols, Applications, Databases
• Attackers will find the weakness
[Chart: Attack Frequency – attacks per month: 0: 6%; 1-10: 40%; 11-20: 16%; 21-50: 7%; 51-100: 9%; 101-500: 9%; >500: 13%]
[Chart: Multi-Vector DDoS Attacks – Yes 42%; Do not know 36%; No 23%]
[Chart: Survey Peak Attack Size Year Over Year, 2002–2014, y-axis 0–450 Gbps, with 10 Gbps, 100 Gbps and 400 Gbps marks. Source: Arbor Networks, Inc.]
[Chart labels: Customer Facing Infrastructure; Business Services; 3rd Party]
Firewalls & IPSs
• 17% of all DDoS attacks target stateful devices, which include stateful defenses like Firewalls, IPSs, and WAFs
• 35% of all DDoS attacks affect the Firewall or IPS
[Chart: Data Center DDoS Business Impact, % of survey respondents – Operational Expense 81%; Revenue Loss 44%; Customer Churn 33%; Employee Turnover 2%; Other 14%. Source: Arbor Networks, Inc.]
[Diagram: CIA triad – Confidentiality, Integrity, Availability]
The primary goal of DDoS defense is maintaining availability in the face of attack.
• Maintaining availability in the face of attack requires a combination of skills, architecture, operational agility, analytical capabilities, and mitigation capabilities which most organizations simply do not possess
• In practice, most organizations never take availability into account when designing/specifying/building/deploying/testing online apps/services/properties
• In practice, most organizations never make the logical connection between maintaining availability and business continuity
• In practice, most organizations never stress-test their apps/services stacks in order to determine scalability/resiliency shortcomings and proceed to fix them
• In practice, most organizations do not have plans for DDoS mitigation - or if they have a plan, they never rehearse it!
ASR 9000 OVERVIEW
• Optimized for Aggregation of Dense 100GE
• Next-Generation Linecards Shipping Today: 40 - 800 Gbps edge services cards; 1.2 Tbps cards available in Q4 CY ’15
• Based on IOS-XR & Cisco PRIME for Nonstop Availability & Manageability
• Industry Leading Operational Savings & Management with Cisco nV Technology
• Industry Leading Infrastructure Security
Key Edge Market Roles – Cisco ASR 9000: Service Edge Foundation
[Diagram: Business CPE; Mobile Backhaul (2G/3G, LTE); Residential Triple Play (Cable, DSL, WiFi); Access & Pre-Aggregation (1); Media Cloud / Hosting, Mobile Services; Massively Scalable & Virtualized Multi-Tenant Data Centers (2); Elastic Core (3)]
1. High-End Aggregation & Transport
• Mobile Backhaul
• CMTS Aggregation
• L2/Metro Aggregation
• DSLAM Aggregation
• Video Distribution & Services
2. Cloud Gateway Router
• DC Interconnect
• DC WAN Edge
• WEB/OTT
3. Services Router
• Business Services
• Residential Broadband
• Converged Edge/Core
• Enterprise WAN
ASR 9000 VSM
• Data Center Compute
– 4 x Intel 10-core x86 CPU
– 2 x Forwarding Engine for hardware network processing
– 120 Gbps of raw processing throughput
• HW Acceleration
– 40 Gbps of hardware-assisted crypto throughput
– Hardware assist for Reg-Ex matching
• Virtualization
– Hypervisor (KVM)
– Service VM life cycle management integrated into IOS-XR
– SDN SDK for 3rd Party Apps
[Diagram: OS / Hypervisor (VMM) hosting VM-1 to VM-4, each running one service (Service-1 to Service-4)]
VDDOS SOLUTION OVERVIEW
Arbor Peakflow Threat Management System (TMS) – #1 in DDoS Attack Protection Products
Cisco ASR 9000 with Virtual Services Module (VSM) – #1 in Network Infrastructure Products
• Cisco & Arbor have teamed to integrate the Arbor Peakflow DDoS solution into the industry-leading Cisco ASR 9000 platform
• Customers looking for a distributed architectural solution at the edge or core or both to thwart attacks at point of entry
• Solution ideal for Service providers and Enterprise customers
• Higher scale (40Gbps per VSM) with tiered licensing options
• Solution benefits are architectural superiority, simplicity, & unified management
Cisco and Arbor Networks: Best of Breed
[Diagram: Internet – Transit / Peer Edge – Customer Edge, serving Mobile Subscribers & Devices, Mobile Network, Data Center & Cloud Services, Broadband Subscribers and Business Customers]
• Customer Edge: 64% experienced attacks towards their customers
• Data Center: 94% of data center operators experienced attacks
• Mobile Edge: 60% of providers experienced outages from a DDoS attack
[Diagram: Virtualized Arbor Peakflow SP receiving Netflow stats from several ASR 9000 routers, each with a VSM running Arbor Peakflow TMS]
• Arbor Peakflow SP (formerly known as Collector Platform CP)
– Collects Flow records
– Detects abnormal network behavior and triggers alerts
– Can influence the routing, injecting BGP routes in the network
– Supports BGP FlowSpec as a Controller
– Sets up and monitors the TMS remotely
• Arbor Peakflow SP Threat Management System (TMS)
– Configured by SP, receives diverted traffic and proceeds to in-depth packet analysis
– Discards the attack packets and transmits the legitimate ones
– Provides real-time monitoring info to operators
Available July 2015
Available now
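Added example, not code from the deck or from Arbor's product: a minimal NetFlow-style anomaly check of the kind Peakflow SP performs on collected flow records, run over constructed flows, that flags the two attack categories the earlier slide names (volumetric floods by bps against a baseline, TCP resource exhaustion by SYN-only flows from many sources). `FLOWS`, `INTERVAL_SECONDS` and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed NetFlow-style records for one 60-second export interval
# (sample data made up for this example, not taken from the deck):
# (src_ip, dst_ip, proto, dst_port, tcp_flags, packets, bytes)
INTERVAL_SECONDS = 60
SYN = 0x02
FLOWS = [
    # ordinary HTTPS sessions to 203.0.113.10 (established flag mix)
    ("198.51.100.5", "203.0.113.10", 6, 443, 0x1B, 40, 48_000),
    ("198.51.100.6", "203.0.113.10", 6, 443, 0x1B, 35, 42_000),
    # volumetric UDP flood towards 203.0.113.20 (raw bps, few sources)
    ("192.0.2.11", "203.0.113.20", 17, 53, 0x00, 600_000, 900_000_000),
    ("192.0.2.12", "203.0.113.20", 17, 53, 0x00, 500_000, 750_000_000),
] + [
    # 200 single-packet SYN-only flows to 203.0.113.30: tiny volume,
    # but each one costs the target (or a stateful firewall) a table entry
    (f"192.0.2.{i}", "203.0.113.30", 6, 80, SYN, 1, 60) for i in range(50, 250)
]


def aggregate(flows):
    """Roll one interval's flow records up per destination address."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "syn_sources": set()})
    for src, dst, proto, _port, flags, packets, nbytes in flows:
        s = stats[dst]
        s["bytes"] += nbytes
        s["packets"] += packets
        # A TCP flow that never got past SYN is state pressure, not volume.
        if proto == 6 and flags == SYN and packets <= 2:
            s["syn_sources"].add(src)
    return stats


def detect(flows, baseline_bps, syn_source_threshold, factor=10):
    """Return (dst, category, measure) alerts; in the deployment the deck
    describes, such an alert is what would trigger diverting the destination's
    traffic to the TMS for packet-level inspection."""
    alerts = []
    for dst, s in sorted(aggregate(flows).items()):
        bps = s["bytes"] * 8 / INTERVAL_SECONDS
        if bps > factor * baseline_bps:
            alerts.append((dst, "volumetric", int(bps)))
        if len(s["syn_sources"]) >= syn_source_threshold:
            alerts.append((dst, "tcp_state_exhaustion", len(s["syn_sources"])))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, baseline_bps=1_000_000, syn_source_threshold=100):
        print(alert)
```

The SYN-only rule is what catches the attack class that a pure bps threshold misses: 200 sources times 60 bytes is only 1.6 kbps, yet it is the pattern the slide's "17% of attacks target stateful devices" statistic refers to.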
• Protect service and network infrastructure from attack
– Mitigate where ASR9000 is already deployed (peering edge or core)
– Reduce back-haul costs and risk of network congestion during attack
– Service Provider or Enterprise
• Launch MSSP DDoS Protection Services
– Leverage investment in infrastructure protection
• Protect Datacenter
– Deployment directly in edge router
– Used in conjunction with Arbor Cloud Service for large attacks
• Augment existing scrubbing capacity
– Deploy additional mitigation capacity at key locations where ASR 9000 is located
VDDOS SOLUTION DEPLOYMENT SCENARIOS
• SP detects DDoS attack based on Netflow
– Configures VSM/TMS as needed via ASR
• Redirection of traffic to TMS
– TMS uses BGP via backplane to get traffic
– MPLS configured via ISP
• Good traffic re-injection
– Sent back out via ASR
• Challenge traffic
– TMS is normal source IP sending traffic via the backplane
• Blacklisting in ASR (HW)*
• VSM/TMS can handle one/more customers
* Not in first release
[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]
• SP detects DDoS attack based on Netflow
– Configures VSM/TMS as needed via ASR
• Redirection of traffic to TMS
– TMS uses BGP via backplane to get traffic
– MPLS configured via ISP
• Good traffic re-injection
– GRE tunnel over backplane
– MPLS
• Challenge traffic
– TMS is normal source IP sending traffic via the backplane
• Blacklisting in ASR (HW)*
• VSM/TMS can handle one/more customers
* Not in first release
[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]
[Diagram: ASR9K + VSM/TMS; Peakflow SP Netflow + SP/TMS communication]
• Traffic always inspected
– Done via permanent redirections
– Works like local and long diversion redirections
– Can be combined with normal (temporary) redirection for the same and/or multiple customers
Cisco ASR 9000 vDDoS Protection – Arbor Peakflow on ASR 9000 with Virtual Services Module (VSM)
“Powered By Arbor Networks”
• Architectural Superiority
• Unified Management
• Scalable Performance
• Reduced OPEX
• Flexible Deployment
• Schedule a session with your Cisco representative to:
1. Review your DDoS Mitigation Strategy
2. Show how you can offer DDoS mitigation as a service
3. Schedule a Network Assessment for DDoS
Thank you.