Customer Presentation Skasman2015v6

vDDoS Solution: Arbor + Cisco Sachlany Kasman Presales Consultant ASEAN [email protected]

Transcript of Customer Presentation Skasman2015v6

Page 1: Customer Presentation Skasman2015v6

vDDoS Solution: Arbor + Cisco Sachlany Kasman

Presales Consultant ASEAN [email protected]

Page 2: Customer Presentation Skasman2015v6

Agenda – Arbor & Cisco ASR9000 / VSM

1. Arbor Introduction
2. DDoS Landscape
3. Cisco + Arbor Solution Overview
4. Deployment Scenarios and Use Cases
5. Configuration and Availability
6. Arbor DDoS and Visibility Family
7. Q&A

Page 3: Customer Presentation Skasman2015v6

ARBOR NETWORKS OVERVIEW

• 90%: Percentage of world’s Tier 1 service providers who are Arbor customers
• 107: Number of countries with Arbor products deployed
• 120+ Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative
• #1: Arbor market position in DDoS Mitigation Equipment in Carrier, Enterprise and Mobile markets [Infonetics Research, Dec. 2014]
• 14: Number of years Arbor has been delivering innovative security and network visibility technologies & products
• $19B: 2013 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing

Page 4: Customer Presentation Skasman2015v6

DDoS Threat Landscape

Page 5: Customer Presentation Skasman2015v6

DDoS Attacks: A Major Problem Getting Worse

DDoS attacks continue to increase in size, frequency and complexity.

Arbor Networks 10th Annual Worldwide Infrastructure Security Report

• NTP, DNS & SSDP reflection/amplification attacks are common.
  – Over 300Gbps in size.
  – 93 NTP attacks over 100Gbps and 5 over 200Gbps.
• Stopping DDoS attacks is becoming a normal part of running business.
  – 38% see more than 21 attacks/month, up from 25% in 2013
• Modern day DDoS attacks are a combination of volumetric and application layer attacks.

[Chart: Attack Frequency; categories 0, 1-10, 11-20, 21-50, 51-100, 101-500, >500. Source: Arbor Networks, Inc.]

Page 6: Customer Presentation Skasman2015v6

DDoS Attacks: Impact Can Be Severe

Impact (to you and your customers):
• Availability of network and services.
• Operational cost to mitigate attack.
• Lost revenue and profitability.
• Unwanted media attention and tarnished brand/reputation.
• Fees/Fines.

[Diagram labels: Botnet, DDoS Traffic, Legit Traffic, The Internet, Your Network, Your Customers, Impact]

Arbor Networks 10th Annual Worldwide Infrastructure Security Report

How much will downtime cost your business?

Page 7: Customer Presentation Skasman2015v6

Pervasive Network Visibility
View traffic across entire networks:
• Backbone
• Peering/Transit edge
• Cloud/Datacenter
• Mobile network
• Customer

Threat Protection
Detect and mitigate DDoS attacks & cyber threats before they impact services.

Service Enablement
Monetize network infrastructure and technologies for revenue generating services & competitive differentiation.

Peakflow SP / TMS

Page 8: Customer Presentation Skasman2015v6

Two Best of Breeds Combine For DDoS Protection

• #1 in DDoS Attack Protection Products
• #1 in Network Infrastructure Products
• Industry's Most Comprehensive DDoS Attack Protection Solution

Page 9: Customer Presentation Skasman2015v6

Network Embedded, Virtual DDoS Protection

• Arbor Peakflow Threat Management System (TMS)
• ASR 9000 with Virtual Services Module (VSM): up to 40 Gbps mitigation per VSM
• Cisco ASR 9000 vDDoS Protection “Powered By Arbor Networks”

Page 10: Customer Presentation Skasman2015v6

Cisco/Arbor’s Comprehensive DDoS Protection Solution

• A single Arbor Peakflow console used for Netflow analysis, DDoS attack detection (in as little as 1 second), alerting and reporting.
• Cisco vDDoS Protection embedded in Cisco ASR 9000 routers distributed in dedicated peering edge, data centers, customer edge, etc. (40 Gbps mitigation per VSM)
• Arbor TMS 4000 appliance in regional scrubbing centers or where ASR 9000 does not exist. (40 Gbps mitigation per TMS4000)

Benefits:
• Infrastructure & Service Protection: Comprehensive (up to 4 Tbps system wide) DDoS protection solution that can stop DDoS attacks in multiple network locations.
• Service Enablement: Increase revenue via new managed DDoS Protection Services.

[Diagram labels: Backbone, Provider A, Provider B, Provider C, Peering/Transit Edge, Data Center/Customer Edge, Scrubbing Center, Peakflow Console, Peakflow SP NetFlow Collector, TMS 4000, ASR 9000 vDDoS Protection, Data Center, Customer; legend: DDoS Traffic, Legit Traffic; callouts 1, 2, 3]

Page 11: Customer Presentation Skasman2015v6

Overview & Goals

• Arbor Peakflow TMS available on the Virtualized Services Module March 2015
  – VSM Blade available for Cisco’s ASR9000 Router Series
• Sold by Cisco with support by Arbor Networks
  – New ISPs & Enterprises
  – Expansion within Existing Accounts
  – Cisco SKU, Support by Cisco / Cisco partner
  – Backend Cisco to Arbor support in place
• Up to 40Gbps throughput on a single blade

Page 12: Customer Presentation Skasman2015v6

Virtualized Services Module (VSM)

• Replacement for the Integrated Services Module (ISM)
• Supported ASRs can have one or more blades
  – Each blade can run one or more virtualized services
    • Incl. multiple TMSs
• Currently supported services:
  – Wireless Security Gateway
  – IPSec
  – Carrier Grade NAT

Virtualized Services Module (VSM), launched February 2014:
Supported Routers: ASR 9904, ASR 9006, ASR 9010, ASR 9912, ASR 9922
Processing: 40 physical CPU cores
Memory: 128G
Front-panel Ports: Four 10 Gigabit Ethernet SFP+ module
Management Port(s): 1
Backplane Connectivity: 120Gbps

Page 13: Customer Presentation Skasman2015v6

Deployment Scenarios

ASR within ISP
• ASR at customer edge
  – Scrub traffic for one/multiple customer(s)
• ASR located at network (upstream) edge
  – VSM/TMS protecting customer(s)
    • Scrub traffic going to downstream customers
  – VSM/TMS preserving core bandwidth
    • Scrub traffic entering ISP (regardless of target)
• ASR located at data center edge
  – VSM/TMS protecting ISP Data / Hosting center
    • Scrub traffic going to data center

[Diagram legend: ASR9K + VSM/TMS, Peakflow SP, SP/TMS communication, Clean traffic, Attack traffic]

Page 14: Customer Presentation Skasman2015v6

Selective Diversion / Re-Injection: Inspection on demand

Local Diversion
• SP detects attack based on Netflow from routers
  – Configures VSM/TMS to divert traffic
• Redirection of traffic to TMS
  – TMS uses BGP to divert traffic
• Clean traffic re-injected to ASR
  – Sent back from VSM to ASR
  – Loop avoidance strategy dependent on ISP – ASR configuration.
    • VRF, GRE, LSP, PBR etc.
• Counter-Measure Challenge traffic
  – Configurable
• ASR Located in ISP or Customer
• VSM/TMS can handle one/more customers concurrently

[Diagram legend: ASR9K + VSM/TMS, Peakflow SP, SP/TMS communication, Clean traffic, Attack traffic]

Page 15: Customer Presentation Skasman2015v6

Selective Diversion / Re-injection: Inspection on demand

Long Diversion
• Detection as per Local Diversion
• Re-direction of traffic to TMS
  – TMS uses BGP to divert traffic
  – LSP long path provisioned by ISP
    • LSP used to carry traffic through routers that do not receive the diversion route.
• Good traffic re-injection as per Local Diversion
• Counter-Measure Challenge traffic
  – Configurable
• ASR Located in ISP or Enterprise
• VSM/TMS can handle one/more customers concurrently
• Local and long diversion can be used concurrently.

[Diagram legend: ASR9K + VSM/TMS, Peakflow SP, SP/TMS communication, Clean traffic, Attack traffic]

Page 16: Customer Presentation Skasman2015v6

Always on “nailed up”: Permanent diversion

Traffic always inspected
• Done via permanent BGP redirects
• Works like local and long diversion
• Can be combined with normal (on-demand) diversion
  – For same and/or multiple customers

[Diagram legend: ASR9K + VSM/TMS, Peakflow SP, SP/TMS communication, Clean traffic, Attack traffic]

Page 17: Customer Presentation Skasman2015v6

Solution Features:
Peakflow SP
• Netflow collection & BGP/Peering
• Anomaly / DDoS detection
• Flex licensing
ASR 9000 vDDoS Protection
• Out-of-band, stateless mitigation
• 40G mitigation modules per VSM
• Multiple countermeasures
• Updated threat intelligence (Atlas Intelligence Feed)

Solution Benefits:
• Visibility into backbone, peering/transit traffic for more cost effective network design.
• Stop DDoS attacks at edge of network before impacting backbone and customers.
• Out-of-band mitigation used only when needed and shared across multiple customers.

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Mobile Network, Broadband Subscribers, Business Customers, Customer Edge, Peakflow SP (Core + Edge), Arbor Cloud, ASR 9000 vDDoS Protection, Backbone, Peering/Transit Edge; legend: Attack Traffic, Legit Traffic]

Page 18: Customer Presentation Skasman2015v6

ASERT
• Dedicated, industry respected, security research team.
• Best Practices, Threat Portal

ATLAS
• Global threat intelligence
• 290+ Providers participating
• 120+ Tbps of Internet traffic processed (40% of the Internet’s traffic)
• Deep intelligence of DDoS attacks, Botnets, Malware, Hacktivism, etc.

ATLAS Intelligence Feed
• “Local” Arbor products automatically armed with latest “global” threat intelligence

Solution Benefits:
• Arm your security teams with the latest global threat intelligence.
• Reduced time to threat detection and mitigation.

[Diagram labels: Customer Edge, Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Mobile Network, Broadband Subscribers, Business Customers, Arbor Products, ASERT, AIF, Security Intelligence]

Page 19: Customer Presentation Skasman2015v6

Customer Benefits

•  Leverage your Cisco ASR 9000 and VSM investment for virtualized DDoS Protection.

•  Distribute DDoS protection to edges of network and avoid backhaul to regional scrubbing centers.

•  Combine Arbor appliances and Cisco vDDoS for comprehensive DDoS protection.

•  Detect and stop DDoS attacks to maintain availability and performance of infrastructure and services.

•  Quickly bring new, virtualized DDoS Protection services to market.

Virtualized, Network Embedded, DDoS Protection

Page 20: Customer Presentation Skasman2015v6

Use Cases

• Protect service and network infrastructure from attack
  – Ensure service availability
  – Reduce backhaul costs and risk of network congestion during attack
• Launch MSSP DDoS Protection Services
  – Leverage investment in infrastructure protection
  – ‘Sticky’ service.
  – Provide customers with instant protection from volumetric flood attacks
    • Fast flood detection coupled with auto mitigation
    • Stops attacks in less than 30 secs
• Protect Data-Centre
  – Magnet for attack activity
  – Collateral damage if a large attack isn’t quickly dealt with
• Augment existing scrubbing capacity
  – Deploy additional mitigation capacity at key locations
  – Address changes in:
    • DDoS threat landscape
    • Customer expectation / requirement

Page 21: Customer Presentation Skasman2015v6

Configurations of VSM with TMS

• Dedicated VSM
  – 40Gbps
  – One VM image
  – 4 CPU sockets
• 12*10Gbps ports (2 mgmt, 8 traffic, 2 unused)
• Licensing of throughput capacity
  – Available for dedicated and shared VSM
  – Options for 10, 20, 40Gbps
  – Upgrades from 10->20, 10->40Gbps etc. available also.

Page 22: Customer Presentation Skasman2015v6

Availability

Release 1.0
• Delivered to Cisco: January 12, 2015
• EFT Available now, Commercial release expected March 2015
• HW used for development - ASR 9006, VSM 500
• SW releases:
  – ASR: 5.3.0 officially (might also be tested on 5.2.2 or 5.2.3)
  – KVM 1.7.0
  – Windriver 4.3
  – TMS 7.0.1 in 64-bit mode for additional memory / pktengine
  – SP 7.0.1
• TMS per VSM: 1
• Configured for optimized use of HW
• 4 CPU sockets, 10*10Gbps ports (2 mgmt, 8 traffic)
• VM per VSM: 1 (full board)
• VSM-TMS <-> ASR communication: Backplane only
• Performance - 40Gbps

Release 1.1
• Q2 2015
• Fully virtual SP / TMS solution
• Blacklist offload to ASR
• Openflow / OnePK

Page 23: Customer Presentation Skasman2015v6

Summary

Page 24: Customer Presentation Skasman2015v6

Arbor’s Solution for Service Providers

“We see things others can’t”

Page 25: Customer Presentation Skasman2015v6

Peakflow Enables True Pervasive Network Visibility and Threat Protection

[Diagram labels: Internet, Transit Peer Edge, Backbone, Data Center & Cloud Services, Customer Edge, Mobile Network, Mobile Subscribers & Devices, Business Customers, Broadband Subscribers, TMS4000, TMS2300, (Core + Edge), (Edge)]

Greater performance, scalability and flexibility enable less costly, more optimized deployment across entire network.

Page 26: Customer Presentation Skasman2015v6

Manage Private Peering / CDN Traffic

• Use SP to monitor BGP & traffic over private peering links
• SP transit reports tell you where and how CDN and Content traffic is being delivered from private peering links
• Ensure locality of content delivery
• Know when CDN providers are gaming traffic distribution to use your network for free transit
• Monitor for private peering policy compliance
• Detect and block DDoS attacks being proxied through CDNs or sent from compromised CDN servers

[Diagram labels: Backbone, Private Peering Links, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Customer Edge, Mobile Networks, Broadband Subscribers, Business Customers, (Core + Edge), ASR 9000 vDDoS Protection; legend: Attack Traffic, Legit Traffic]

Page 27: Customer Presentation Skasman2015v6

Arbor’s Solution: Customer Edge

Solution Features:
Peakflow SP
• Visibility
• Flex Edge Licenses
• Anomaly / compromised customer / customer-customer DDoS detection
Cisco ASR 9K VSM module
• Out-of-band, surgical mitigation of network and application layer attacks
• Scalable mitigation options:
  – VSM: 40Gbps modules/chassis
  – REST API: Support mitigation capacity up to terabytes
  – Flowspec: Support open standard BGP filter distribution into Cisco Virtualization technology, up to Terabytes capacity.
• Updated threat intelligence (Atlas Intelligence Feed)

Solution Benefits:
• Cost effective visibility into East-West traffic flow enables more intelligent network design.
• Ability to stop multi-vector and customer-customer attacks, without backhauling over backbone.
• Protection of BRAS and other customer edge devices/services.

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Mobile Network, Broadband Subscribers, Business Customers, Customer Edge, (Edge), (Core), TMS2300, ASR 9000 vDDoS Protection; legend: Legit, Volumetric, Application]

Page 28: Customer Presentation Skasman2015v6

Edge Use Case: Customer Accounting

• Accurately measure per-customer traffic for service billing and SLA verification
• Generate reports for customers to show their traffic utilization over time
• Can use Transit reports to do distance-based billing for customer traffic – charge your customers more for traffic you have to carry to distant POPs and peers!

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Customer Edge, Mobile Networks, Broadband Subscribers, Business Customers, (Edge), (Core + Edge); legend: Legit Traffic, Volumetric Attack, Application Attack]

Page 29: Customer Presentation Skasman2015v6

Edge Use Case: Infrastructure Monitoring

• Edge infrastructure is often sensitive to traffic spikes
• Customers are deploying SP to monitor DSLAM and other sensitive infrastructure
• Detect spikes and outages quickly, understand why services are down and how to fix them
• Improve overall service quality and reduce support costs, especially for broadband customers

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Customer Edge, Mobile Networks, Broadband Subscribers, Business Customers, (Edge), (Core + Edge); legend: Legit Traffic, Volumetric Attack, Application Attack]

Page 30: Customer Presentation Skasman2015v6

Edge Use Case: Network Planning

• Understand how customer traffic impacts your entire network
• Ensure efficient routing of customer traffic to other customers, data centers, and peering links
• Understand traffic growth to anticipate capacity increases before network congestion starts

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Customer Edge, Mobile Networks, Broadband Subscribers, Business Customers, (Edge), (Core + Edge); legend: Legit Traffic, Volumetric Attack, Application Attack]

Page 31: Customer Presentation Skasman2015v6

Solution Features:
Pravail APS
• Customer Premises Protection from application layer attacks
• Cloud Signaling (“Call for Help” to TMS for Volumetric attack)
Peakflow SP & TMS
• In-Cloud Protection from Volumetric DDoS attacks
• Support for multi-tenancy, API, customized user portal

Solution Benefits:
• Revenue from new comprehensive DDoS Protection Service. (In-Cloud and on-Premise)
• Competitive differentiation.

[Diagram labels: Backbone, Internet, Transit Peer Edge, Mobile Subscribers & Devices, Data Center & Cloud Services, Customer Premises, Mobile Network, TMS, Pravail APS, Cloud Signal, (User), (Core + Edge), (Edge); legend: Legit, Volumetric, Application]

Managed Security Services