Preparing for the Terabit Scale DDoS Attack
Eldad Chai, VP Product
Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.
Agenda
• Network DDoS trends
• Is a Terabit DDoS imminent?
• A DDoS resilient network
• Infrastructure and DNS protection
Where do we stand today?
[Chart: distribution of attack bandwidth: 59% below 20Gbps, 28% at 20-40Gbps, 13% above 40Gbps]
Attack bandwidth is showing exponential growth
One third of attacks exceed 20Gbps
More than 13% exceed 40Gbps
It's not all bandwidth
More than 25% of attacks exceed 10Mpps
Most IPS/IDS will crash at 5Mpps
Recent campaigns / SaaS applications
Recent campaigns / DNS providers
How are they reaching these numbers?
• Are botnets becoming bigger?
  > No, according to www.shadowserver.org
• Are there more open DNS resolvers?
  > No, the number is actually declining according to www.openresolverproject.org
• Are there more open NTP servers?
  > Probably not
• So what is it then?
How are they reaching these numbers?
• They are using bigger guns
Example of a 4Mpps attack
Less than 30 IPs are generating more than 99% of the traffic
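As an added illustration (not part of the deck), here is a small Python check a defender could run over sampled flow records to spot the two patterns described above: a packet rate beyond what inline IPS/IDS tolerate, and a "bigger guns" attack where a handful of sources carry almost all of the packets. The flow records, the one-second window, and the 5Mpps and 30-source thresholds used as parameters are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records for a one-second window ("src_ip packets bytes",
# sampling already scaled out): four hosts flood 64-byte packets, two are background.
SAMPLE_WINDOW = """\
198.51.100.7 1500000 96000000
198.51.100.8 1400000 89600000
203.0.113.21 1300000 83200000
203.0.113.22 1200000 76800000
192.0.2.5 2000 128000
192.0.2.6 1500 96000
"""

def parse_flows(text):
    """Aggregate records into {src_ip: (packets, bytes)}; malformed lines raise."""
    pkts, byts = Counter(), Counter()
    for src, p, b in (line.split() for line in text.splitlines() if line.strip()):
        ipaddress.ip_address(src)  # reject garbage addresses before counting
        pkts[src] += int(p)
        byts[src] += int(b)
    return {ip: (pkts[ip], byts[ip]) for ip in pkts}

def sources_for_share(ranked_pkts, total, share):
    """Smallest number of top sources whose packets reach `share` of the total."""
    cum = 0
    for i, p in enumerate(ranked_pkts, 1):
        cum += p
        if cum >= share * total:
            return i
    return len(ranked_pkts)

def profile(flows, window_seconds=1.0, share=0.99):
    """Window rate in Mpps/Gbps plus how many sources carry `share` of packets."""
    total_pkts = sum(p for p, _ in flows.values())
    total_bytes = sum(b for _, b in flows.values())
    ranked = sorted((p for p, _ in flows.values()), reverse=True)
    return {"mpps": total_pkts / window_seconds / 1e6,
            "gbps": total_bytes * 8 / window_seconds / 1e9,
            "sources": len(flows),
            "sources_for_share": sources_for_share(ranked, total_pkts, share)}

def classify(stats, pps_limit_mpps=5.0, max_sources=30):
    """Flag rates inline IPS/IDS cannot absorb and the 'few big guns' source profile."""
    alerts = []
    if stats["mpps"] > pps_limit_mpps:
        alerts.append("packet-rate")
    if stats["sources_for_share"] < max_sources:
        alerts.append("concentrated-sources")
    return alerts
```

On the constructed window this reports about 5.4Mpps (above the 5Mpps limit) with only four sources carrying 99% of the packets, so both alerts fire; a distributed botnet of thousands of weak sources would trip the rate check but not the concentration check.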
What can we learn from all this?
• The stronger the internet becomes, the stronger the attacks become
• The largest attacks use a small set of super resources rather than a large set of weak resources
• Attacks will far exceed a single network's capacity
• Should we expect a 1Tbps+ attack within the next 12-36 months?
A DDoS resilient network
• Can scale its capacity on demand
  > Cloud solutions are built to scale efficiently
  > Cloud provides the most cost effective way to scale capacity
• Can protect any service from any attack
  > Both layer 3&4 and layer 7 mitigation is required
  > Web servers and DNS servers are a target for sophisticated attacks
• Provides real time visibility
  > You cannot mitigate what you cannot see
• Can respond rapidly to changes
  > DDoS mitigation is a delicate balance between false positives and false negatives
  > You need to react quickly to any change that disrupts this balance
Incapsula DDoS protection
[Diagram: protected services: DNS, Web, SSH/FTP/Telnet, SIP, SMTP, UDP/TCP, network services]
Incapsula DDoS protection
[Diagram: DNS, Web, SSH/FTP/Telnet, SIP, SMTP and UDP/TCP services mapped to Incapsula Application Protection, Incapsula DNS Protection and Incapsula Infrastructure Protection]
Incapsula Application Protection
Protect HTTP/S Applications
Layer 3&4 and also Layer 7
Always On / On Demand
Incapsula DNS Protection - NEW
Protect DNS servers
Prevent Blacklisting
Always On Service
Incapsula Infrastructure Protection - NEW
Protect all services and protocols
Protect entire IP ranges
Layer 3&4 (Network)
On Demand Service
BGP and Cloud
[Diagram: POPs LAX (80Gbps), IAD (60Gbps) and FRA (80Gbps+1), each announcing 23.5.6.0/24]
IP ranges are announced in Anycast
Traffic is forwarded to the origin over the same GRE tunnel
The “Behemoth”
• We still need to filter DDoS traffic…
• Our requirements
  > Filter 100Gbps+ of traffic per POP
  > Manage BGP for announcing
  > Manage GRE for origin forwarding
  > Software defined network (SDN) capabilities
• The solution
  > An appliance that can deal with 170Gbps
  > Advanced implementations of DDoS filtering algorithms
  > Anomaly detection
  > Proprietary implementation of BGP and GRE
  > C&C for internal networking devices
Please send follow up questions to [email protected]
Thank you