Eldad Chai, VP Product
Preparing for the Terabit Scale DDoS Attack

DNS and Infrastructure DDoS Protection

DESCRIPTION

DNS Protection safeguards Incapsula clients’ DNS servers, while also accelerating DNS responses. Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widens Incapsula's security perimeter, allowing it to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.

Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.

Agenda

• Network DDoS trends

• Is a Terabit DDoS imminent?

• A DDoS resilient network

• Infrastructure and DNS protection

Where do we stand today?

[Chart: share of attacks by bandwidth: <20Gbps 59%, 20-40Gbps 28%, >40Gbps 13%]

Attack bandwidth is showing exponential growth

One third of attacks exceed 20Gbps

More than 13% exceed 40Gbps

It's not all bandwidth

More than 25% of attacks exceed 10Mpps

Most IPS/IDS will crash at 5Mpps

Recent campaigns / SaaS applications

Recent campaigns / DNS providers

How are they reaching these numbers?

• Are botnets becoming bigger?
  > No, according to www.shadowserver.org

• Are there more open DNS resolvers?
  > No, the number is actually declining according to www.openresolverproject.org

• Are there more open NTP servers?
  > Probably not

• So what is it then?

How are they reaching these numbers?

• They are using bigger guns

Example of a 4Mpps attack

Less than 30 IPs are generating more than 99% of the traffic
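An added example (not from the original slides) of measuring the source concentration described in the 4Mpps case: given per-source packet counts, it returns how many sources account for 99% of the packets. The `src_ip packets` record format, the function names and the sample counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample: 25 heavy sources plus 500 light ones, about 4Mpps in total.
SAMPLE = [f"198.51.100.{i} 160000" for i in range(1, 26)] + \
         [f"10.{i // 250}.{i % 250}.1 50" for i in range(500)]

def parse_flow_summary(lines):
    """Parse 'src_ip packets' lines (hypothetical format) into a Counter."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, pkts = line.split()
        counts[src] += int(pkts)
    return counts

def sources_for_share(counts, share=0.99):
    """Smallest set of top sources whose packets reach `share` of the total."""
    total = sum(counts.values())
    if total == 0:
        return []
    running, top = 0, []
    for src, pkts in counts.most_common():
        top.append((src, pkts))
        running += pkts
        if running >= share * total:
            break
    return top

def classify(counts, share=0.99, few=30):
    """Return (label, sources needed for `share`, total distinct sources)."""
    top = sources_for_share(counts, share)
    label = "concentrated" if 0 < len(top) < few else "distributed"
    return label, len(top), len(counts)

if __name__ == "__main__":
    print(classify(parse_flow_summary(SAMPLE)))
```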

What can we learn from all this?

• The stronger the internet becomes, the stronger the attacks

• The largest attacks use a small set of super resources rather than a large set of weak resources

• Attacks will far exceed a single network's capacity

• Should we expect a 1Tbps+ attack within the next 12-36 months?

A DDoS resilient network

• Can scale its capacity on demand
  > Cloud solutions are built to scale efficiently
  > Cloud provides the most cost-effective way to scale capacity

• Can protect any service from any attack
  > Both layer 3&4 and layer 7 mitigation is required
  > Web servers and DNS servers are a target for sophisticated attacks

• Provides real time visibility
  > You cannot mitigate what you cannot see

• Can respond rapidly to changes
  > DDoS mitigation is a delicate balance between false positives and false negatives
  > You need to react quickly to any change that disrupts this balance

Incapsula DDoS protection

[Diagram: network services: DNS; Web; SSH, FTP, Telnet; SIP; SMTP; UDP, TCP]

Incapsula DDoS protection

[Diagram: network services (DNS; Web; SSH, FTP, Telnet; SIP; SMTP; UDP, TCP) covered by Incapsula Application Protection, Incapsula DNS Protection and Incapsula Infrastructure Protection]

Incapsula Application Protection

Protect HTTP/S Applications

Layer 3&4 and also Layer 7

Always On / On Demand

Incapsula DNS Protection - NEW

Protect DNS servers

Prevent Blacklisting

Always On Service

Incapsula Infrastructure Protection - NEW

Protect all services and protocols

Protect entire IP ranges

Layer 3&4 (Network)

On Demand Service

BGP and Cloud

[Diagram: POPs LAX (80Gbps), IAD (60Gbps) and FRA (80Gbps), each announcing 23.5.6.0/24]

IP ranges are announced in Anycast

Traffic is forwarded to origin over the same GRE tunnel

The “Behemoth”

• We still need to filter DDoS traffic…

• Our requirements
  > Filter 100Gbps+ of traffic per POP
  > Manage BGP for announcing
  > Manage GRE for origin forwarding
  > Software defined network (SDN) capabilities

• The solution
  > An appliance that can deal with 170Gbps
  > Advanced implementations of DDoS filtering algorithms
  > Anomaly detection
  > Proprietary implementation of BGP and GRE
  > C&C for internal networking devices

Please send follow-up questions to [email protected]

Thank you