D3TLV17 - Advanced DDoS Mitigation Techniques

Tomer Shani, Infrastructure Protection Development Group Manager, Imperva

Transcript of D3TLV17 - Advanced DDoS Mitigation Techniques (slide text)

BIO

Tomer Shani. Three kids, three cats. Three years at Imperva Incapsula. Various R&D positions, all in the field of networking.

Plan for the worst, only the paranoid survive.

© 2017 Imperva, Inc. All rights reserved. 2

Introduction to DDoS


Distributed Denial of Service

Denial of Service:
• Resource exhaustion
• Exploits network capacity, infrastructure, compute or application-layer weaknesses
• Will eventually lead to the service being unavailable

Why “Distributed”?
• Difficult to track, contain and prevent
• Enabler for mega-scale attacks

Attack Types

Application Layer
• Aimed at specific services

Network Layers 3/4
• Volumetric attacks – consuming bandwidth
• PPS (packets per second) attacks – consuming network equipment capacity
• SYN flood / connection flood – exhausting the target server’s network stack resources
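The three Layer 3/4 types above each exhaust a different resource, so a detector can tell them apart from a handful of per-target counters. The block below is an added example, not code from the deck or from Imperva: it scales 1:40 sampled packets (the ratio shown on the Behemoth diagram later in the deck) back up to estimated packet and bit rates and classifies a one-second window as volumetric, PPS, SYN flood or normal. The trigger thresholds, the `Sample` record layout and the constructed traffic windows are assumptions for illustration.

```python
from dataclasses import dataclass

# Packet sampling ratio, as on the deck's Behemoth diagram (sampled traffic 1:40).
SAMPLING_RATE = 40
WINDOW_SECONDS = 1.0

# Per-target trigger levels: assumptions for this example, not Imperva figures.
VOLUMETRIC_BPS = 1_000_000_000   # 1 Gbps of sustained traffic to one target
PPS_FLOOD = 500_000              # 500 kpps of small packets
SMALL_PACKET_BYTES = 128         # mean size below which a flood is "PPS" rather than bandwidth
SYN_FLOOD_PPS = 50_000           # bare SYNs per second
SYN_FLOOD_RATIO = 0.9            # share of TCP packets that are bare SYNs

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Sample:
    """One sampled packet (hypothetical record layout; a real feed would be sFlow/NetFlow)."""
    proto: str       # "tcp" or "udp"
    length: int      # bytes on the wire
    flags: int = 0   # TCP flag bits, 0 for UDP


def estimate_rates(samples, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Scale 1:N sampled packets back up to estimated per-second rates for the window."""
    pkts = len(samples) * sampling_rate
    bits = sum(s.length for s in samples) * 8 * sampling_rate
    tcp = [s for s in samples if s.proto == "tcp"]
    syn_only = sum(1 for s in tcp if (s.flags & TCP_SYN) and not (s.flags & TCP_ACK))
    return {
        "pps": pkts / window,
        "bps": bits / window,
        "avg_pkt_bytes": (bits / 8 / pkts) if pkts else 0.0,
        "syn_pps": syn_only * sampling_rate / window,
        "syn_ratio": (syn_only / len(tcp)) if tcp else 0.0,
    }


def classify(rates):
    """Map the estimated rates onto the deck's Layer 3/4 attack types.
    A window can match more than one type (a SYN flood is usually also a PPS attack)."""
    kinds = []
    if rates["bps"] >= VOLUMETRIC_BPS:
        kinds.append("volumetric")          # bandwidth exhaustion
    if rates["pps"] >= PPS_FLOOD and rates["avg_pkt_bytes"] < SMALL_PACKET_BYTES:
        kinds.append("pps")                 # packet-rate exhaustion of network gear
    if rates["syn_pps"] >= SYN_FLOOD_PPS and rates["syn_ratio"] >= SYN_FLOOD_RATIO:
        kinds.append("syn_flood")           # half-open connection state exhaustion
    return kinds or ["normal"]


def synthetic_window(n_udp_large=0, n_udp_small=0, n_tcp_syn=0, n_tcp_data=0):
    """Constructed one-second sample window (not captured traffic)."""
    return ([Sample("udp", 1400)] * n_udp_large
            + [Sample("udp", 64)] * n_udp_small
            + [Sample("tcp", 60, TCP_SYN)] * n_tcp_syn
            + [Sample("tcp", 1200, TCP_ACK)] * n_tcp_data)


if __name__ == "__main__":
    scenarios = {
        "peace time": synthetic_window(n_udp_large=200, n_tcp_data=500),
        "volumetric": synthetic_window(n_udp_large=3000, n_tcp_data=500),
        "pps flood": synthetic_window(n_udp_small=20000, n_tcp_data=500),
        "syn flood": synthetic_window(n_tcp_syn=5000, n_tcp_data=500),
    }
    for name, window in scenarios.items():
        r = estimate_rates(window)
        print(f"{name:11s} {r['bps'] / 1e9:5.2f} Gbps {r['pps'] / 1e3:7.0f} kpps "
              f"syn_ratio={r['syn_ratio']:.2f} -> {classify(r)}")
```

The thresholds are per protected target; in a scrubbing centre they would be tuned per customer, and the samples would arrive from the switch's sFlow/NetFlow export rather than from a Python list. Note that the SYN-ratio test is what separates a SYN flood from an ordinary high-PPS flood of small UDP packets: both exhaust packet processing, but only the SYN flood also fills the server's half-open connection table.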

Introduction to DDoS – Cont.


DDoS is Easy

• Stressers (DDoSers/Booters) will offer to “test” your website; these saints will offer a premium service:
• And in some cases are very happy to share their method of exploit

Introduction to DDoS – Cont.


Motivation
• Hacktivism
• Vandalism
• Competition
• Extortion

Introduction to DDoS – Cont.


The Impact

DDoS in the Wild – Challenging Mitigation Resources


Volumetric Attacks

PPS Attacks

DDoS in the Wild – Challenging Mitigation Tactics


Changing Attack Vectors

Pulse Wave DDoS

Challenges in Attack Mitigation

Fast! Time to Mitigation
• Minimal service impact
• An attack that goes through the provider may get the network null-routed
  – Minutes of impact may take hours to fix
• Pulse waves
• Changing attack vectors

Latency
• Latency should not degrade while scrubbing is in progress

Volume
• Distribute network capacity
• Equip to handle high-PPS attacks and volumetric attacks

Agility
• React to evolving threats in real time
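Time to mitigation and latency pull in opposite directions, and pulse waves make the tension concrete: a detector that averages traffic over a long window is quiet in peace time, but it reacts late to a short pulse and then keeps scrubbing (adding latency) long after the pulse has ended. The block below is an added example, not code from the deck or from Imperva: it measures both effects for several window lengths on a constructed pulse-wave packet-rate series. The 500 kpps trigger, the moving-average detector and the traffic series are assumptions for illustration.

```python
from collections import deque

# Per-target trigger: an assumed figure for this example, not an Imperva setting.
ATTACK_PPS = 500_000


def pulse_wave(duration=300, period=120, pulse_len=20, peak=2_000_000, baseline=20_000):
    """Constructed per-second packet-rate series for a pulse-wave DDoS:
    `pulse_len` seconds at `peak` pps every `period` seconds, quiet otherwise."""
    return [peak if t % period < pulse_len else baseline for t in range(duration)]


def legit_spike(duration=60, at=30, spike=600_000, baseline=20_000):
    """Constructed series with a single one-second legitimate burst (a flash crowd)."""
    return [spike if t == at else baseline for t in range(duration)]


def detect(series, window, threshold=ATTACK_PPS):
    """Seconds at which the moving average over `window` seconds reaches the threshold.
    A partially filled window is still divided by the full window length, so the
    detector errs on the side of silence until it has seen enough samples."""
    buf = deque(maxlen=window)
    alerts = []
    for t, pps in enumerate(series):
        buf.append(pps)
        if sum(buf) / window >= threshold:
            alerts.append(t)
    return alerts


def evaluate(series, window, threshold=ATTACK_PPS):
    """Score a window length against a series: seconds from each pulse start to the
    first alert, attack seconds let through unmitigated, and quiet seconds during
    which mitigation was still engaged (the latency cost the deck warns about)."""
    alerts = set(detect(series, window, threshold))
    attacking = [t for t, v in enumerate(series) if v >= threshold]
    starts = [t for t in attacking if t == 0 or series[t - 1] < threshold]
    delays = []
    for s in starts:
        end = s
        while end + 1 < len(series) and series[end + 1] >= threshold:
            end += 1
        hit = next((t for t in range(s, end + 1) if t in alerts), None)
        delays.append(None if hit is None else hit - s)
    return {
        "delays": delays,
        "unmitigated_attack_seconds": sum(1 for t in attacking if t not in alerts),
        "collateral_seconds": sum(1 for t in alerts if series[t] < threshold),
    }


if __name__ == "__main__":
    wave = pulse_wave()
    for w in (60, 5, 1):
        print(f"window={w:2d}s", evaluate(wave, w))
    print("1s window on a flash crowd:", detect(legit_spike(), 1))
    print("5s window on a flash crowd:", detect(legit_spike(), 5))
```

On the constructed series (20-second pulses of 2 Mpps every two minutes) the 60-second window needs 14 seconds to notice each pulse, so 70% of every pulse reaches the target unmitigated, and it then keeps scrubbing for 45 seconds of clean traffic after the pulse stops. The 5-second window reacts within one second and disengages three seconds after the pulse ends. The 1-second window is faster still, but it also fires on a single-second legitimate burst, which is why a real detector pairs a short window with corroborating signals (packet size mix, protocol ratios, source spread) rather than simply shrinking the window.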


Network Topology


Meet the Behemoth


Under the Hood

Diagram: Behemoth 2 – Sampling (10G), Mitigation core, CPU, ALTA Switch


Diagram, peace time: Traffic (400G), DDoS Traffic (160G), Mitigation Core

Diagram, war time: Sampled Traffic 1:40 -> Detection Core; Attack Traffic over 16*10G -> 160 Gbps -> Mitigation Core

Performance Challenges

Scaling up the muscle

Detection Core (brain): 75% CPU
Mitigation Core (muscle): 99% CPU


Heavy Lifting

Diagram, panel 1: Behemoth 2 (Sampling, Core Mitigation, CPU), QFX Switch (ISP), ALTA Switch, Clean Traffic

Diagram, panel 2: Behemoth 2 (Sampling, Core Mitigation, CPU), QFX Switch (ISP), ALTA Switch, DDoS Traffic, Scrubbed Traffic

Diagram, panel 3: Behemoth 2 (Sampling, Core Mitigation, CPU), QFX Switch (ISP), ALTA Switch, Clean Traffic, Scrubbed Traffic

Revisiting the 650G DDoS
