Protecting your business from DDoS
Marko Djordjevic Regional Sales Manager Eastern Europe TMSI Antidotum 09.11.2016 Budapest
© Arbor Networks 2016 2
ARBOR overview
• 100% of Tier-1 ISPs as customers
• 107 countries using our products
• 120 Tbps monitored by the ATLAS initiative
• #1 market position in DDoS protection [Infonetics Research, June 2015]
• 15 years working on the DDoS problem
ASERT research: Unmatched Security Research & Community Leadership
• 100+ national CERT teams
• ATLAS portal has 711 unique users, registering 6,006 ASNs for reporting
• We share up to 5 GB of samples per day, which have no re-use restrictions
• ASERT’s Malware Corral has seen 9.1M unique IPv4 addresses over 90 days
• ASERT has data for 44,570 of 45,369 ASNs (over 98% of all ASNs)
Digital Attack Map: powered by Arbor Networks
What are we doing?
Protecting you from one of the major threats to your business: the availability threat (of the three security goals Confidentiality, Integrity and Availability, this is the one DDoS attacks target).
How can one stop your business?
Pricing
Business Impact
Will that ever happen to me?
ATLAS statistics for Hungary - 2016
Global ATLAS statistics
The largest attack reported in 2015 was 500 Gbps, with other respondents reporting attacks of 450 Gbps, 425 Gbps, and 337 Gbps.
Who could easily generate 500Gbps+?
The history of IoT-based botnets: 2014
Observed IoT botnet activity: 2015-2016
The current state of IoT botnets: September 2016
“The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second.”
https://krebsonsecurity.com/
https://twitter.com/olesovhcom
Bot installation
It’s not just about size… Complexity is on the rise
While the media focus on volumetric attacks, stealthy application-layer attacks haven’t gone away
DNS is now the top application-layer target, overtaking HTTP
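As an added example (Python, not from this deck), the following code flags the kind of low-volume DNS application-layer flood that an on-premise detector has to recognise: per-client query rate in one-second windows, plus whether the queried names in a window are almost all distinct, the random-subdomain pattern that defeats resolver caching and lands every query on the authoritative server. The log line format, the addresses and the thresholds are constructed assumptions, not a real resolver’s format.

```python
import random
import re
from collections import defaultdict

# Constructed log format (assumption, not a real resolver's), one query per line:
#   <unix_time> <client_ip> <qname> <qtype>
LINE_RE = re.compile(r"^(\d+\.\d+) (\S+) (\S+) (\S+)$")


def make_sample_log(seed=1):
    """Build a constructed query log: one legitimate client at ~5 queries/s
    and one source sending a 300 queries/s random-subdomain flood."""
    rng = random.Random(seed)
    lines = []
    names = ["www.example.com", "mail.example.com", "api.example.com"]
    for i in range(50):                       # cacheable, repeated names
        lines.append(f"{i / 5.0:.3f} 192.0.2.10 {rng.choice(names)} A")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(3000):                     # every name unique -> cache miss
        label = "".join(rng.choice(alphabet) for _ in range(10))
        lines.append(f"{i / 300.0:.3f} 198.51.100.77 {label}.example.com A")
    lines.sort(key=lambda s: float(s.split()[0]))
    return lines


def analyze(lines, window=1.0, qps_threshold=100.0, unique_ratio=0.9):
    """Group queries per client per time window and return
    {client: [(window_index, qps, random_subdomain_flag), ...]} for the
    windows in which a client exceeded qps_threshold. The flag is True when
    at least unique_ratio of that client's names in the window were distinct."""
    buckets = defaultdict(lambda: defaultdict(list))   # client -> window -> names
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                           # skip malformed lines
        ts, client, qname, _qtype = m.groups()
        buckets[client][int(float(ts) // window)].append(qname.lower())

    alerts = {}
    for client, wins in buckets.items():
        for win, qnames in sorted(wins.items()):
            qps = len(qnames) / window
            if qps < qps_threshold:
                continue
            distinct = len(set(qnames)) / len(qnames)
            alerts.setdefault(client, []).append((win, qps, distinct >= unique_ratio))
    return alerts


if __name__ == "__main__":
    for client, hits in analyze(make_sample_log()).items():
        print(client, "flagged in", len(hits), "windows; first:", hits[0])
```

The rate threshold alone would also fire on a busy but legitimate forwarder, so the distinct-name ratio is what separates a random-subdomain flood from ordinary high volume; in practice the two signals would be combined with the NXDOMAIN rate seen on the authoritative side.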
Impact of multilayer attacks
Devices that maintain “state” information: Firewall, IPS, Load Balancer, Web Proxy, WAF, Servers
Elements affected by resource exhaustion attacks: CPU, crypto resources, memory, connection pool
Failure due to DDoS results in partial or full service impact
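To make the resource-exhaustion point concrete, here is an added example (Python, not from this deck) of a toy connection-state table with a fixed pool and idle timeout, standing in for the session table of the stateful devices listed above. A constructed flood of half-open flows fills the pool and the next legitimate client is dropped; a per-source cap or aggressive aging of idle entries lets it through again. Capacities, addresses and timings are assumptions chosen for illustration.

```python
from collections import OrderedDict


class StateTable:
    """Toy session table of a stateful device: fixed capacity, idle
    timeout, optional per-source cap. Flows are keyed by (src, dst, sport)."""

    def __init__(self, capacity, idle_timeout, per_source_limit=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.per_source_limit = per_source_limit   # None = unlimited
        self.table = OrderedDict()                 # key -> last-seen time
        self.per_source = {}                       # src -> live entries
        self.rejected = 0

    def _remove(self, key):
        del self.table[key]
        src = key[0]
        self.per_source[src] -= 1
        if self.per_source[src] == 0:
            del self.per_source[src]

    def _expire(self, now):
        # Entries are kept in last-seen order, so idle ones sit at the front.
        while self.table:
            key, last = next(iter(self.table.items()))
            if now - last < self.idle_timeout:
                break
            self._remove(key)

    def admit(self, src, dst, sport, now):
        """Create or refresh state for a flow. Returns True if the flow has
        state after the call, False if the device had to drop it."""
        self._expire(now)
        key = (src, dst, sport)
        if key in self.table:
            self.table.move_to_end(key)
            self.table[key] = now
            return True
        if (self.per_source_limit is not None
                and self.per_source.get(src, 0) >= self.per_source_limit):
            self.rejected += 1
            return False
        if len(self.table) >= self.capacity:
            self.rejected += 1
            return False
        self.table[key] = now
        self.per_source[src] = self.per_source.get(src, 0) + 1
        return True


def simulate(table, bots=50, flows_per_bot=100):
    """Constructed scenario: each bot opens flows_per_bot half-open flows at
    t=1 and never completes them; a legitimate client connects at t=2.
    Returns whether the legitimate client got state."""
    victim = "203.0.113.10"                        # documentation address
    for b in range(bots):
        for i in range(flows_per_bot):
            table.admit(f"198.51.100.{b}", victim, 10000 + i, now=1.0)
    return table.admit("192.0.2.7", victim, 44321, now=2.0)


if __name__ == "__main__":
    print("no limits:        ", simulate(StateTable(2000, 60.0)))
    print("per-source cap 20:", simulate(StateTable(2000, 60.0, per_source_limit=20)))
    print("idle timeout 0.5s:", simulate(StateTable(2000, 0.5)))
```

The first run is why the deck says not to rely on firewalls or IPS as DDoS mitigators: the device protects the servers behind it only as long as its own state pool holds, and a few thousand idle flows are enough to take it, and everything behind it, offline. The per-source cap helps against a small number of sources but not against a botnet where each bot stays under the cap, and aggressive aging helps until the attacker refreshes entries faster than they expire; a stateless upstream layer that never creates state for unverified clients is what removes the bottleneck.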
Multilayered DDoS mitigation approach
A recommended industry best practice:
1. Stop application-layer DDoS attacks in your network (on-premise, at the boundary with the Internet)
2. Stop volumetric attacks upstream, in the service provider’s scrubbing center
3. Signal upstream if you need help
What does industry think about it?
“...On-prem devices are calibrated to recognize application layer DDoS attacks, which usually flow through bandwidth in low volumes of slow traffic... ...When on-prem boxes run out of bandwidth to mitigate traffic under attack, they can shift the oversight to a cloud service, capable of managing much larger volumes of traffic...”
“...Hybrid DDoS solutions offer best-of-breed attack mitigation by combining on premise and cloud mitigation into a single, integrated solution...”
“...improve time to mitigation by quickly handling low-volume attacks with on-premise hardware, while still offering the added security of back-up in the cloud for large-scale and extremely complex attacks...”
“...the ideal approach is to pursue a defense-in-depth strategy that combines a cloud-based service and a customer premise device operating in a complementary manner...”
“...mitigate smaller attacks locally with on-premise appliances, which will be followed by failover to the cloud once inbound traffic exceeds the local network capacity...”
• Obtained from companies’ public documents or newsrooms
How does the multi-layer approach work?
Attack types in the diagram: volumetric DDoS, TCP floods, small-packet floods, large-packet floods, HTTP/DNS L7 attacks, SSL-encrypted attacks
Mitigation layers: Service Provider (scrubbing center, volumetric attacks) and Enterprise CPE (application-layer attacks)
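The “signal upstream if you need help” step of the hybrid model is a decision the on-premise device has to make on live traffic measurements. As an added example (Python, not from this deck), the controller below raises the request to the upstream scrubbing layer only after inbound traffic has stayed above a trigger fraction of local capacity for a hold period, and releases it only after traffic has stayed below a lower release fraction for the same period, so a single spike does not request cloud mitigation and a brief lull does not drop it. The link capacity, the thresholds and the traffic samples are constructed assumptions; how the signal is carried to the provider is outside this sketch.

```python
# Constructed one-second samples of inbound traffic in bits/s: quiet, a
# single-sample spike, a sustained flood, then recovery (assumptions).
SAMPLES = (
    [(t, 200e6) for t in range(0, 5)]
    + [(5, 900e6)]
    + [(t, 200e6) for t in range(6, 8)]
    + [(t, 950e6) for t in range(8, 16)]
    + [(t, 100e6) for t in range(16, 26)]
)


def upstream_signal_timeline(samples, capacity_bps, trigger=0.8, release=0.5, hold=3):
    """samples: iterable of (t_seconds, inbound_bps), one per second.

    Raise the upstream request after `hold` consecutive samples at or above
    trigger*capacity; clear it after `hold` consecutive samples at or below
    release*capacity. Samples in the band between the two thresholds keep the
    current state and reset both counters (hysteresis).

    Returns (timeline, events): timeline is [(t, signal_active), ...] and
    events is [("request_cloud_mitigation" | "release_cloud_mitigation", t)].
    """
    active = False
    above = below = 0
    timeline, events = [], []
    for t, bps in samples:
        if bps >= trigger * capacity_bps:
            above, below = above + 1, 0
        elif bps <= release * capacity_bps:
            below, above = below + 1, 0
        else:
            above = below = 0
        if not active and above >= hold:
            active = True
            events.append(("request_cloud_mitigation", t))
        elif active and below >= hold:
            active = False
            events.append(("release_cloud_mitigation", t))
        timeline.append((t, active))
    return timeline, events


if __name__ == "__main__":
    _, evs = upstream_signal_timeline(SAMPLES, capacity_bps=1e9)
    for name, t in evs:
        print(f"t={t:2d}s  {name}")
```

With a 1 Gbps link the spike at t=5 is ignored, the request goes out at t=10 after three consecutive samples of the sustained flood, and it is released at t=18 after three quiet samples. The trigger should sit below the point where the local device itself saturates, because once traffic exceeds the access link the device may no longer see, or be able to send, anything at all.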
The last word: DO’s and DON’Ts
DO’s:
◦ Get prepared
  ‒ Talk to your ISP and develop the plan
◦ Estimate all aspects of risk
  ‒ DDoS is a multivector threat
DON’Ts:
◦ Rely on Firewalls / IPS as DDoS mitigators
◦ Dismiss DDoS attacks as one-off events
  ‒ DDoS might be a “smoke screen”
◦ Disable security tools during attacks
  ‒ Attackers might be provoking you to do that