Protecting your business from DDoS

Marko Djordjevic, Regional Sales Manager Eastern Europe
TMSI Antidotum, 09.11.2016, Budapest

© Arbor Networks 2016 2

ARBOR overview

• 100% Tier-1 ISP as customers
• 107 countries using our products
• 120 Tbps monitored by ATLAS initiative
• #1 market position in DDoS protection [Infonetics Research, June 2015]
• 15 years working on DDoS problem

ASERT research

Unmatched Security Research & Community Leadership

• 100+ national CERT teams
• ATLAS portal has 711 unique users, registering 6,006 ASNs for reporting
• We share up to 5GB of samples per day, which have no re-use restrictions
• ASERT’s Malware Corral has seen 9.1M unique IPv4 addresses over 90 days
• ASERT has data for 44,570 of 45,369 ASNs (over 98% of all ASNs)

Digital Attack Map: powered by

What are we doing?

Protecting you from one of the major threats to your business – the availability threat

Confidentiality, Integrity, Availability

How can one stop your business?

Pricing

Business Impact

Will that ever happen to me?

ATLAS statistics for Hungary - 2016

Global ATLAS statistics

Largest attack reported in 2015 was 500 Gbps with other respondents reporting attacks of 450 Gbps, 425 Gbps, and 337 Gbps.

Who could easily generate 500Gbps+?

The history of IoT-based botnet: 2014

Observed IoT botnet activity: 2015-2016

The current state of IoT botnet: September 2016

“The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second.”

https://krebsonsecurity.com/

https://twitter.com/olesovhcom

Bot installation

It’s not just about size… Complexity is on the rise

Media focus on volumetric attacks, but stealthy application-layer attacks haven’t gone away

DNS is now the top application-layer target, overtaking HTTP

Impact of multilayer attacks

• Devices that maintain “state” information: Firewall, IPS, Load Balancer, Web Proxy, WAF, Servers
• Elements Affected due to Resource Exhaustion Attacks: CPU, Crypto Resources, Memory, Connection Pool
• Failure due to DDoS results in partial or full services impact

Multilayered DDoS mitigation approach

A Recommended Industry Best Practice:

• Stop application layer DDoS attacks
• Stop volumetric attacks
• Signal upstream if you need help

[Diagram labels: The Internet, Service Provider, Scrubbing Center, Your Network, Volumetric Attack, Application Attack]

What does industry think about it?

...On-prem devices are calibrated to recognize application layer DDoS attacks, which usually flow through bandwidth in low volumes of slow traffic...

...When on-prem boxes run out of bandwidth to mitigate traffic under attack, they can shift the oversight to a cloud service, capable of managing much larger volumes of traffic...

...Hybrid DDoS solutions offer best-of-breed attack mitigation by combining on premise and cloud mitigation into a single, integrated solution...

...improve time to mitigation by quickly handling low-volume attacks with on-premise hardware, while still offering the added security of back-up in the cloud for large-scale and extremely complex attacks...

...the ideal approach is to pursue a defense-in-depth strategy that combines a cloud-based service and a customer premise device operating in a complementary manner...

...mitigate smaller attacks locally with on-premise appliances, which will be followed by failover to the cloud once inbound traffic exceeds the local network capacity...

• Obtained from companies' public documents or newsroom

How does multi-layer approach work?

[Diagram labels: Volumetric DDoS, TCP flood, Small packet floods, Large packet floods, HTTP/DNS L7 attack, SSL encrypted attack; Service Provider, Enterprise CPE]

The last word: DO’s and DON’Ts

DO’s:
◦ Get prepared
  ‒ Talk to your ISP and develop the plan
◦ Estimate all aspects of risk
  ‒ DDoS is a multivector threat

DON’Ts:
◦ Rely on Firewalls / IPS as DDoS mitigators
◦ Dismiss DDoS attacks as one-off events
  ‒ DDoS might be a “smoke screen”
◦ Disable security tools during attacks
  ‒ Attackers might be provoking you to do that

Thank you!

Marko [email protected]