DDoS Threats Landscape : Countering Large-scale DDoS attacks

DDoS Threat Landscape Countering Largescale DDoS Attacks CF Chui, Arbor Networks

Transcript of DDoS Threats Landscape : Countering Large-scale DDoS attacks

Page 1: DDoS Threats Landscape : Countering Large-scale DDoS attacks

DDoS Threat Landscape: Countering Large-scale DDoS Attacks

CF Chui, Arbor Networks

Page 2: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Who is Arbor Networks?

90%: percentage of the world's Tier 1 service providers who are Arbor customers

107: number of countries with Arbor products deployed

#1: Arbor market position in DDoS mitigation equipment in the carrier, enterprise and mobile markets [Infonetics Research, Dec. 2014]

14: number of years Arbor has been delivering security and network visibility technologies and products

$19B: 2013 GAAP revenues (USD) of Danaher, Arbor's parent company, providing deep financial backing

120+ Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative

We See Things Others Can't

Page 3: DDoS Threats Landscape : Countering Large-scale DDoS attacks

ATLAS Global Threat Analysis System

Page 4: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Attack Landscape seen by ATLAS

Page 5: DDoS Threats Landscape : Countering Large-scale DDoS attacks

ATLAS Demographics

• ATLAS provides invaluable data to Arbor customers and the broader operational security community

• 330+ participating customers
– 32% Europe
– 24% North America
– 17% Asia
– 9% South America
– 9% Global

• Tracking a peak of over 120Tbps

Page 6: DDoS Threats Landscape : Countering Large-scale DDoS attacks

DDoS: Attack Types

[Chart: DDoS attack types as a percentage of respondents, 2014 vs 2015; y-axis 0-70%]

• Two-thirds of attacks are volumetric, up slightly; no surprise given the reflection storm

• 90% of respondents report seeing application-layer attacks; a 4% fall in the proportion of application-layer attacks

Page 7: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Substantial Growth in Largest Attacks

• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps

• Some respondents saw multiple events above 100Gbps but reported only the largest

Page 8: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Worldwide DDoS attacks trend

Period    Average attack size (bps)   Change (Q/Q)   Peak attack size (bps)   Change (Q/Q)
2014 Q1   1.12Gbps                    -              325.06Gbps               -
2014 Q2   759.83Mbps                  -32.2%         154.69Gbps               -52.4%
2014 Q3   858.98Mbps                  +13.05%        264.61Gbps               +71.1%
2014 Q4   830.37Mbps                  -3.3%          267.21Gbps               +1%
2015 Q1   804.12Mbps                  -3.1%          334.22Gbps               +25%
2015 Q2   1.04Gbps                    +29.4%         196.35Gbps               -41%

[Pie charts: World 2015 Q1 and 2015 Q2 attack size break-out in bps; buckets <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps]

Page 9: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Attack size analysis – Worldwide

§ Percentage of attacks over 1Gbps is growing strongly: 16% in 2014, 17.7% in Q1 '15, 20.8% in Q2 '15.

§ Most growth is in the 2-10Gbps range.

§ Attack PPS rates are also on the rise: 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014.

§ Percentage of attacks over 10Gbps resumes growth: 1.26% in 2014, 0.9% in Q1 '15, 1.41% in Q2 '15.

§ Big jump in 50-100Gbps attacks in June.

[Charts: 2014/2015 event size break-out month by month; number of events >10Gbps and >20Gbps (y-axis 0-6000), and >50Gbps and >100Gbps (y-axis 0-500)]

Page 10: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Reflection/Amplification attacks – Worldwide

§ Looking at attacks with source ports of services used for reflection.

§ Q2 2015 shows the number of SSDP attacks starting to fall back: 84K in Q2 2015, 126K in Q1 2015, 83K in Q4 '14.

§ 50% of reflection attacks in Q2 targeted UDP port 80 (HTTP/U).

§ Average attack sizes increased for all vectors except SNMP.

§ Average duration of a reflection attack was 20 mins in Q2 (19 mins in Q1).

Protocol   UDP source port   Max size Q2 '15   Average size Q2 '15
SNMP       161               10.95Gbps         1.06Gbps
Chargen    19                44.9Gbps          2.2Gbps
DNS        53                120.3Gbps         2.78Gbps
SSDP       1900              144.91Gbps        2.42Gbps
NTP        123               185.94Gbps        2.75Gbps

[Chart: reflection mechanism as % of overall attacks, 2014 Q1 through 2015 Q2, y-axis 0-16%; series SSDP, NTP, DNS, Chargen, MSSQL, SNMP]

Page 11: DDoS Threats Landscape : Countering Large-scale DDoS attacks

APAC DDoS attacks trend

Period    Average attack size (bps)   Change (Q/Q)   Average attack duration   Change (Q/Q)
2014 Q1   579.99Mbps                  -              28m 58s                   -
2014 Q2   530.51Mbps                  -8.5%          29m                       +0%
2014 Q3   588.74Mbps                  +11%           31m 8s                    +7.3%
2014 Q4   500.68Mbps                  -15%           41m 10s                   +32%
2015 Q1   483.65Mbps                  -4.4%          46m 11s                   +12%
2015 Q2   800.01Mbps                  +65.4%         39m 53s                   -14%

[Pie charts: attack traffic size, APAC Q2 2015 (buckets <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps) and attack duration, APAC Q2 2015 (buckets <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]

Page 12: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Large DDoS attacks seen in 2015 APAC – peak attack growth trend in Gbps

[Chart: monthly peak attack size in Gbps, Jan 2014 to Jun 2015, y-axis 0-350; values as read from the chart:
Jan 14 88.31, Feb 66.63, Mar 235.6, Apr 127.16, May 76.29, Jun 83.44, Jul 76.75, Aug 77.25, Sep 98.89, Oct 113.18, Nov 61.15, Dec 117.15,
Jan 15 334.22, Feb 94.13, Mar 51.25, Apr 136.91, May 100.99, Jun 144.91]

Annotated peaks:

• 235Gbps/63Mpps to India, NTP reflection attack, 21 min 23 sec

• 127Gbps/34Mpps to Malaysia, NTP reflection attack, 29 min

• 99Gbps/26Mpps to India, NTP reflection attack, 31 min

• 117Gbps/31Mpps to India, NTP reflection attack, 15 min 37 sec

• 334.22Gbps/29.13Mpps to India, reflection attack, 6 min 45 sec

• 144.91Gbps/53.62Mpps to China, SSDP reflection attack, 10 min 32 sec

Page 13: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Large DDoS attacks analysis – APAC

§ Number of attacks > 10Gbps increases significantly in Q2 2015.

§ Number of attacks > 50Gbps jumps from 12 in Q1 2015 to 80 in Q2 2015.

[Chart: number of events with attack size > 10Gbps per month, Jan 2014 to Jun 2015, y-axis 0-1200]

Page 14: DDoS Threats Landscape : Countering Large-scale DDoS attacks

DDoS attacks targeting Malaysia, H1 2015

§ 99% of the attacks < 1Gbps

§ 95% of attacks last less than 1 hour

Quarter   Peak attack size                              Avg attack size          Avg duration
Q1 15     94.13 Gbps/18.73 Mpps, UDP flooding attack   80.94 Mbps/17.93 Kpps   42 min 32 sec
Q2 15     27.90 Gbps/2.41 Mpps, UDP flooding attack    72.71 Mbps/11.99 Kpps   30 min 3 sec

[Pie charts: attack traffic size, MY Q2 2015 (buckets <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps) and attack duration, MY Q2 2015 (buckets <30 mins, 30 mins-1 hour, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours, >24 hours)]

Page 15: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Average attack sizes – Malaysia

Average attack traffic size (Mbps) per quarter, as read from the chart (y-axis 0-250):

Quarter   Mbps
Q1 2013   139.05
Q2 2013   114.6
Q3 2013   119.8
Q4 2013   65
Q1 2014   64.46
Q2 2014   147.51
Q3 2014   128.46
Q4 2014   209.25
Q1 2015   80.94
Q2 2015   72.71

Page 16: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Peak attack sizes – Malaysia

Peak attack traffic size (Gbps) per quarter, as read from the chart (y-axis 0-140):

Quarter   Gbps
Q1 2013   69.69
Q2 2013   10.96
Q3 2013   7.47
Q4 2013   124.77
Q1 2014   20.49
Q2 2014   127.16
Q3 2014   58.33
Q4 2014   91.2
Q1 2015   94.13
Q2 2015   27.9

Page 17: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Number of attacks – Malaysia

Number of attacks per quarter, as read from the chart (y-axis 0-45000):

Quarter   Attacks
Q1 2013   2356
Q2 2013   1179
Q3 2013   1493
Q4 2013   21361
Q1 2014   25844
Q2 2014   30147
Q3 2014   30957
Q4 2014   28036
Q1 2015   42428
Q2 2015   34605

Page 18: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Average attack duration – Malaysia

Average attack duration (sec) per quarter, as read from the chart (y-axis 0-5000):

Quarter   Seconds
Q1 2013   4740
Q2 2013   1984
Q3 2013   1471
Q4 2013   741
Q1 2014   1470
Q2 2014   2146
Q3 2014   1917
Q4 2014   2901
Q1 2015   2552
Q2 2015   1803

Page 19: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Reflection/Amplification attacks

Anatomy of an NTP reflection attack (source: ATLAS data)

Attacker-reflector leg: the attacker sends a small NTP monlist request to unsecured NTP servers (see http://openntpproject.org), which are used to reflect and amplify.
– Src IP: spoofed (victim's IP)
– Dest IP: unsecured NTP server
– Src port: 80, Dest port: 123

Attacker-victim leg: each unsecured NTP server answers with a large NTP monlist response, which is delivered to the victim.
– Src IP: unsecured NTP server
– Dest IP: victim
– Src port: 123, Dest port: 80

An NTP reflection attack was responsible for the largest attack monitored by ATLAS in 2014: 325Gbps. ATLAS saw 89 NTP attacks over 50Gbps, including 5 attacks over 200Gbps.

SOURCE: Data sourced from the tenth Annual Worldwide Infrastructure Security Report and ATLAS data
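The two legs above can be made concrete by looking at the actual bytes: the small request the attacker spoofs and the large reply the open server returns. The following is an added example and is not code from the slides or from Arbor. It builds the 8-byte NTP mode-7 monlist request, parses a mode-7 reply using the private-mode packet layout ntpd uses (8-byte header of rm_vn_mode, auth_seq, implementation, request code, err|nitems, mbz|itemsize, followed by 72-byte MRU entries), and computes the amplification factor. The reply bytes are constructed for the example, not captured, and the function and constant names are the example's own.

```python
"""NTP mode-7 "monlist" request builder and reply parser.

Added example, not code from the slides or from Arbor. Packet layout follows
ntpd's private-mode (mode 7) format: an 8-byte header of rm_vn_mode,
auth_seq, implementation, request code, err|nitems, mbz|itemsize, followed
by nitems entries of itemsize bytes. The sample reply is constructed.
"""
import ipaddress
import struct

IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42    # the "monlist" request code
MON_ENTRY_SIZE = 72       # bytes per MRU entry in a REQ_MON_GETLIST_1 reply
HEADER = "!BBBBHH"        # rm_vn_mode, auth_seq, impl, req, err|nitems, mbz|itemsize


def build_monlist_request():
    """The small packet the attacker spoofs: rm_vn_mode 0x17 = version 2,
    mode 7, response/more bits clear; sequence 0; impl 3; request 42;
    nitems and itemsize 0. Eight bytes of UDP payload."""
    return struct.pack(HEADER, 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_reply(data):
    """Parse one mode-7 reply packet.

    Returns (more, entries): `more` is the M bit (further packets follow),
    `entries` lists the remote addresses and packet counts the server leaks
    from its recent-clients list. Raises ValueError for anything that is not
    a mode-7 monlist response.
    """
    if len(data) < 8:
        raise ValueError("short mode-7 packet")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HEADER, data[:8])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80):
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("not a monlist reply")
    more = bool(rm_vn_mode & 0x40)
    nitems = err_nitems & 0x0FFF      # low 12 bits; high 4 bits are the error code
    itemsize = mbz_itemsize & 0x0FFF  # low 12 bits; high 4 bits must be zero
    entries = []
    body = data[8:]
    for i in range(nitems):
        item = body[i * itemsize:(i + 1) * itemsize]
        if len(item) < 24:
            break
        # REQ_MON_GETLIST_1 entry starts: avg_int, last_int, restr, count, addr, daddr (u32 each)
        _avg, _last, _restr, count, addr, _daddr = struct.unpack("!IIIIII", item[:24])
        entries.append({"addr": str(ipaddress.IPv4Address(addr)), "count": count})
    return more, entries


def amplification_factor(request, replies):
    """UDP payload bytes returned per payload byte sent."""
    return sum(len(r) for r in replies) / len(request)


def make_sample_reply(n_entries, more=False):
    """Constructed reply (not a capture): rm_vn_mode 0x97 = response bit,
    version 2, mode 7; 0xD7 when the More bit is also set."""
    rm_vn_mode = 0x97 | (0x40 if more else 0)
    hdr = struct.pack(HEADER, rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, n_entries, MON_ENTRY_SIZE)
    body = b""
    for i in range(n_entries):
        addr = int(ipaddress.IPv4Address(f"192.0.2.{i + 1}"))
        body += struct.pack("!IIIIII", 64, 1, 0, 1000 + i, addr, 0)
        body += b"\x00" * (MON_ENTRY_SIZE - 24)
    return hdr + body


if __name__ == "__main__":
    req = build_monlist_request()
    # A full reply packet carries 6 entries (8 + 6 * 72 = 440 bytes), so a
    # server with 100 recent clients answers an 8-byte request with 17 packets.
    replies = [make_sample_reply(6, more=True)] * 16 + [make_sample_reply(4)]
    _more, first = parse_mode7_reply(replies[0])
    print(f"request {len(req)} bytes, {len(replies)} reply packets, "
          f"amplification {amplification_factor(req, replies):.0f}x, "
          f"first leaked client {first[0]['addr']}")
```

The same request sent over UDP/123 to your own servers is the audit step behind the "disallow mode-6/-7 NTP queries" recommendation later in the deck: a server that answers at all is usable as a reflector, and the reply also leaks its client list.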

Page 20: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Industry Best Current Practices (BCPs)

• BCPs are industry best practices for locking down a network
• Deploy these as policy to limit the exposure of your network

Network infrastructure BCPs
• Separation of control plane from data plane
• Interface ACLs (iACLs)
• Source-based remote triggered blackhole (S/RTBH)
• Destination-based remote triggered blackhole (D/RTBH)
• Flowspec
• uRPF

Host-based BCPs
• OS hardening
• Access control
• Antivirus
• Patching/version control
• Application tuning

Page 21: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation Architecture – Options available

• tACLs – block all unnecessary protocols/ports at network ingress to protect critical resources
• Flowspec – BGP-based injection of ACLs or routing policy to filter or divert traffic
• S/RTBH – source-based remote triggered blackhole, used to block known bad sources
• D/RTBH – destination-based remote triggered blackhole, used as a method of last resort to protect the network
• IDMS – intelligent DDoS mitigation to protect everything else

Page 22: DDoS Threats Landscape : Countering Large-scale DDoS attacks

How Can ISPs Defend Against These Attacks?

• Deploy anti-spoofing at all network edges.
– uRPF loose mode at the peering edge
– uRPF strict mode at the customer aggregation edge
– ACLs at the customer aggregation edge
– uRPF strict mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
– DHCP snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
– PACLs and VACLs at the IDC LAN access edge
– Cable IP Source Verify, etc. at the CMTS
– Other DOCSIS and DSL mechanisms
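The loose-versus-strict split in the list above is easiest to see on a small forwarding table. The following is an added illustration, not Arbor's or any router vendor's code: a toy FIB with longest-prefix match and the two uRPF checks. It shows why loose mode belongs at the peering edge (an asymmetric return path would make strict mode drop legitimate packets) while strict mode is needed at the customer aggregation edge (loose mode passes a customer spoofing another customer's prefix). The prefixes, interface names and the FIB itself are constructed.

```python
"""Strict vs loose unicast RPF, as an added illustration (not vendor code).

A toy FIB maps prefixes to the egress interface toward them. Strict uRPF
accepts a packet only if the best route to its source points back out the
ingress interface; loose uRPF accepts it if the source is routable at all.
The default route is ignored by both checks, as on most routers unless it
is explicitly allowed. Prefixes and interface names are constructed.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # customer 1, aggregation edge
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer 2, aggregation edge
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/0",     # learned from peer A
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",        # default via peer A
}
# Gi0/3 is peer B: nothing is preferred via it, so traffic from peer B is asymmetric.


def lookup(fib, src_ip):
    """Longest-prefix match on the source address; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src_ip, ingress_iface):
    """Strict mode: a non-default route to the source must exist and must
    point out the interface the packet arrived on."""
    hit = lookup(fib, src_ip)
    return bool(hit and hit[0].prefixlen > 0 and hit[1] == ingress_iface)


def urpf_loose(fib, src_ip):
    """Loose mode: a non-default route to the source must exist; any interface."""
    hit = lookup(fib, src_ip)
    return bool(hit and hit[0].prefixlen > 0)


def check(fib, src_ip, ingress_iface):
    """Return {"strict": bool, "loose": bool} for one packet."""
    return {"strict": urpf_strict(fib, src_ip, ingress_iface),
            "loose": urpf_loose(fib, src_ip)}


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "Gi0/1", "customer 1 using its own address"),
        ("198.51.100.9", "Gi0/1", "customer 1 spoofing customer 2: only strict catches it"),
        ("100.64.0.1", "Gi0/1", "customer 1 spoofing an unrouted source: both catch it"),
        ("192.0.2.1", "Gi0/3", "legitimate packet from peer B, best path via peer A: strict would drop it"),
    ]
    for src, iface, note in cases:
        print(f"{src:>14} in {iface}: {check(FIB, src, iface)}  # {note}")
```

The last case is the reason the deck recommends loose mode at the peering edge: Internet routing is routinely asymmetric, so strict mode there would discard real traffic, while the customer edge has exactly one correct ingress interface per prefix and can afford the strict check.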

Page 23: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Pervasive Detection – The Attack Surface

[Diagram: service provider network with Internet, downstream ISP, Customer 1, Customer 2, Data Center 1, Data Center 2 and regional broadband edges, each an export point for flow telemetry]

• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Open-source flow telemetry collection/analysis tools allow basic visibility; this can be sufficient for high-volume attacks, once impact is evident
– Arbor Peakflow SP provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
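The detection step described here, and the source-port view of reflection vectors used in the worldwide reflection/amplification figures earlier in the deck, can be reproduced with a few lines over flow records. The following is an added example, not Arbor's or any flow collector's code: it takes NetFlow-style records from one export interval, keeps UDP flows whose source port belongs to a known reflection service, aggregates them per victim and vector, and reports bit rate, packet rate, reflector count and the targeted port once a threshold is crossed. The record fields, the port-to-vector table and the sample flows are constructed.

```python
"""Reflection-vector classification from flow telemetry (added example).

Not Arbor's or any flow collector's code. Records mimic the fields a
NetFlow/IPFIX exporter provides; all sample data is constructed. Rates are
computed over a single export interval of `window_s` seconds.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

UDP = 17

# UDP source ports of services abused for reflection, keyed to the vector
# names used in the ATLAS figures (MSSQL = SQL Server browser service, UDP/1434).
REFLECTION_PORTS = {
    19: "Chargen",
    53: "DNS",
    123: "NTP",
    161: "SNMP",
    1434: "MSSQL",
    1900: "SSDP",
}


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed subset of NetFlow v5/v9 fields)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int


def classify_reflection(flows, window_s, bps_threshold=1_000_000_000):
    """Aggregate UDP flows from reflection source ports per (victim, vector).

    Returns {(dst_ip, vector): {"bps", "pps", "reflectors", "top_dst_port"}}
    for every victim/vector pair whose rate exceeds bps_threshold. Flows that
    are not UDP or do not come from a reflection source port are ignored, so
    ordinary low-volume DNS or NTP replies never trigger.
    """
    octets = Counter()
    packets = Counter()
    reflectors = defaultdict(set)
    dst_ports = defaultdict(Counter)
    for f in flows:
        if f.proto != UDP or f.src_port not in REFLECTION_PORTS:
            continue
        key = (f.dst_ip, REFLECTION_PORTS[f.src_port])
        octets[key] += f.octets
        packets[key] += f.packets
        reflectors[key].add(f.src_ip)
        dst_ports[key][f.dst_port] += f.packets
    report = {}
    for key in octets:
        bps = octets[key] * 8 / window_s
        if bps < bps_threshold:
            continue
        report[key] = {
            "bps": bps,
            "pps": packets[key] / window_s,
            "reflectors": len(reflectors[key]),
            "top_dst_port": dst_ports[key].most_common(1)[0][0],
        }
    return report


# Constructed 10-second export interval: three NTP reflectors sending 448-byte
# packets to 192.0.2.10 on UDP/80, a trickle of SSDP to the same victim, a
# normal DNS reply to a resolver client, and a TCP flow from port 123 (ignored).
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 123, "192.0.2.10", 80, UDP, 5_000_000, 2_240_000_000),
    Flow("198.51.100.2", 123, "192.0.2.10", 80, UDP, 5_000_000, 2_240_000_000),
    Flow("198.51.100.3", 123, "192.0.2.10", 80, UDP, 5_000_000, 2_240_000_000),
    Flow("203.0.113.9", 1900, "192.0.2.10", 80, UDP, 100_000, 30_000_000),
    Flow("203.0.113.53", 53, "198.51.100.77", 33412, UDP, 3, 600),
    Flow("203.0.113.5", 123, "192.0.2.10", 80, 6, 1_000, 64_000),
]

if __name__ == "__main__":
    for (victim, vector), s in classify_reflection(SAMPLE_FLOWS, window_s=10).items():
        print(f"{victim} {vector}: {s['bps'] / 1e9:.2f} Gbps, {s['pps'] / 1e6:.2f} Mpps "
              f"from {s['reflectors']} reflectors, target UDP/{s['top_dst_port']}")
```

Sampled NetFlow exporters report a fraction of packets; multiply octets and packets by the sampling rate before applying the threshold, or the attack will look smaller than it is. The reflector set and the destination port are what the traceback and mitigation steps consume: the reflectors are what an S/RTBH announcement blocks, and the (vector source port, victim) pair is what a Flowspec rule matches.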

Page 24: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation – IDMS

[Diagram: provider network edges (Peer A, Peer B, upstream transit links, IXP-W and IXP-E) with an IDMS deployed inside the network]

Page 25: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation High Availability

• Network-based redundancy
– Regional redundancy using BGP anycast to mitigate traffic at the nearest location
– Appliances or blades in a router

• Scrubbing center redundancy
– Multiple TMS appliances in a single scrubbing center
– Use of Equal Cost Multipath (ECMP) between appliances

• Link redundancy in the datacenter
– Deploy APS appliances in redundant datacenter paths
– Manually fail over to the backup path if the system fails into bypass

Page 26: DDoS Threats Landscape : Countering Large-scale DDoS attacks

BGP Anycast Mitigation Redundancy

[Diagram: IP core with peers and transit; Scrubbing Center 1 (POP) and Scrubbing Center 2, each with Peakflow SP and TMS; customer aggregation routers and customer CPE. Both scrubbing centers advertise the same diversion prefix by BGP anycast so attack traffic is pulled to the nearest one]

Page 27: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation Center Redundancy – CEF/ECMP

CEF/ECMP load balancing between TMS appliances in a mitigation center

[Diagram: attack traffic entering a regional mitigation center and spread by CEF/ECMP across a TMS mitigation cluster of Arbor TMS IDMSes]

Page 28: DDoS Threats Landscape : Countering Large-scale DDoS attacks

On-Premise APS Link Redundancy

[Diagram: IDC with two APS appliances (Pravail 1, Pravail 2) inline on redundant paths to the Internet]

Since each APS port-pair can also offer hardware bypass, single-box failures do not require re-convergence.

Page 29: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Scaling Mitigation Capacity

• Currently shipping largest-capacity Intelligent DDoS Mitigation System (IDMS): 40Gbps

• 16 IDMSes (the CEF/ECMP limit) = 640Gbps per cluster
• Multiple clusters can be anycasted
• Largest number of IDMSes per deployment currently 100 = 4Tbps of mitigation capacity per deployment, 10x more than the largest DDoS to date

• Deploy IDMSes in mitigation centers at the edges, in/out of edge devices
• Deploy IDMSes in regional or centralized mitigation centers with dedicated, high-capacity OOB diversion/re-injection links. Sufficient bandwidth for diversion/re-injection is key!

• S/RTBH and flowspec leverage router/switch hardware: hundreds of Mpps and hundreds of Gbps. Leveraging the network infrastructure is required because of the ratio of attack volumes to peering and core link capacities!

Page 30: DDoS Threats Landscape : Countering Large-scale DDoS attacks

DDoS Mitigation – BGP Flowspec

• The flow specification can match on the following criteria:
– Source / destination prefix
– IP protocol (UDP, TCP, ICMP, etc.)
– Source and/or destination port
– ICMP type and code
– TCP flags
– Packet length
– DSCP (Diffserv Code Point)
– Fragment (DF, IsF, FF, LF)

• Actions are defined using extended communities:
– 0x8006: traffic-rate (rate 0 discards all traffic for the flow)
– 0x8007: traffic-action (sample)
– 0x8008: redirect to VRF
– 0x8009: traffic-marking (DSCP value)
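The match criteria and extended-community actions listed above are easiest to understand on the wire. The following is an added example and is not code from the slides, from Arbor or from any router vendor: it encodes a Flowspec NLRI per RFC 5575 (type-numbered components, operator bytes with the end-of-list, AND and operand-length bits, and the 1- or 2-byte NLRI length) together with the 0x8006 traffic-rate and 0x8008 redirect-to-VRF extended communities. The helper for the slides' reflection case drops UDP from one reflection source port toward one victim and nothing else. Rule values, the victim prefix and the AS number are constructed.

```python
"""BGP Flowspec NLRI and action encoding (RFC 5575), as an added example.

Not code from the slides, Arbor or any router vendor; written to show what
a Flowspec "ACL over BGP" looks like on the wire. Covers the match
components listed on the slide and the 0x8006 traffic-rate / 0x8008
redirect-to-VRF actions. Rule values are constructed.
"""
import ipaddress
import struct

# Component types, RFC 5575 section 4.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator low bits: lt=0b100, gt=0b010, eq=0b001.
NUMERIC_OPS = {"==": 0x01, ">": 0x02, ">=": 0x03, "<": 0x04, "<=": 0x05, "!=": 0x06}
# Bitmask operator low bits (TCP flags, fragment): not=0b10, match=0b01.
BITMASK_OPS = {"any": 0x00, "match": 0x01, "not-any": 0x02, "not-match": 0x03}
FRAG_DF, FRAG_ISF, FRAG_FF, FRAG_LF = 0x01, 0x02, 0x04, 0x08


def _operand_len(value):
    """Operand length field (bits 5-4 of the operator byte): 1, 2, 4 or 8 bytes."""
    for code, nbytes in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < (1 << (8 * nbytes)):
            return code, nbytes
    raise ValueError("value does not fit in 8 bytes")


def _op_list(component_type, ops, terms):
    """Encode <type><op><value>...; a term is (op, value) or (op, value, "and").
    Terms are ORed unless tagged "and" (a bit); the last term sets the e bit."""
    out = bytes([component_type])
    for i, term in enumerate(terms):
        op, value = term[0], term[1]
        len_code, nbytes = _operand_len(value)
        opbyte = ops[op] | (len_code << 4)
        if len(term) > 2 and term[2] == "and":
            opbyte |= 0x40
        if i == len(terms) - 1:
            opbyte |= 0x80
        out += bytes([opbyte]) + value.to_bytes(nbytes, "big")
    return out


def encode_prefix(component_type, cidr):
    """Type 1/2: <type><prefix-length><minimal prefix bytes>."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([component_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(component_type, terms):
    return _op_list(component_type, NUMERIC_OPS, terms)


def encode_bitmask(component_type, terms):
    return _op_list(component_type, BITMASK_OPS, terms)


def encode_nlri(components):
    """Components must be in ascending type order; prepend the 1- or 2-byte length."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate(rate_bytes_per_sec, asn=0):
    """Extended community 0x8006: 2-byte AS, IEEE 754 float rate in bytes/s (0 = discard)."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def redirect_vrf(asn, local_admin):
    """Extended community 0x8008: a 2-byte-AS route target naming the target VRF."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, local_admin)


def discard_reflection_rule(victim_cidr, reflector_src_port):
    """Drop UDP from one reflection source port toward one victim, and nothing else."""
    nlri = encode_nlri([
        encode_prefix(DST_PREFIX, victim_cidr),
        encode_numeric(IP_PROTO, [("==", 17)]),
        encode_numeric(SRC_PORT, [("==", reflector_src_port)]),
    ])
    return nlri, traffic_rate(0)


if __name__ == "__main__":
    nlri, action = discard_reflection_rule("192.0.2.10/32", 123)
    print("NLRI   ", nlri.hex())
    print("action ", action.hex())
    print("pkt-len", encode_numeric(PKT_LEN, [(">=", 500), ("<=", 1400, "and")]).hex())
```

The NLRI rides in the MP_REACH_NLRI attribute of an UPDATE (AFI 1, SAFI 133) and the action in its extended-community attribute; tools such as the ExaBGP injector mentioned later in the deck build exactly this from a text rule. Receiving routers validate the rule against the unicast route for its destination prefix, which the deck notes is done on eBGP sessions only, so a rule for a prefix the announcing peer does not also route is dropped rather than installed.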

Page 31: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Why Use BGP For ACLs?

• ACLs are still the most widely used tool to mitigate DDoS attacks
– But ACLs are demanding in configuration and maintenance.

• BGP Flowspec leverages the BGP control plane to simplify the distribution of ACLs, greatly improving operations:
– Inject new filter rules into all routers simultaneously without changing configuration.
– Reuse existing BGP operational knowledge and best practices.

• Improved response time to mitigate DDoS attacks!

Page 32: DDoS Threats Landscape : Countering Large-scale DDoS attacks

BGP Flowspec Mitigation

[Diagram: botnet and legitimate users on the Internet sending traffic through the service provider network's edge routers toward a victim behind the firewall and IPS/IDS in an enterprise or IDC; good traffic, attack traffic and the BGP announcement are drawn as separate flows]

• The SP portal initiates a BGP update carrying the ACL filter to be applied on the edge routers' external interfaces (in theory the customer could also initiate it).

• Edge routers are configured with BGP flowspec sessions, with flowspec filtering enabled on the external peering interfaces.

• With the flowspec filter applied on the external interfaces, only traffic matching that flow is discarded.

• BGP Flowspec route validation is performed for eBGP sessions only.

Page 33: DDoS Threats Landscape : Countering Large-scale DDoS attacks

BGP Flowspec Traffic Redirection

[Diagram: traffic from the Internet enters the provider's edge router; a BGP Flowspec diversion sends only the matching traffic into a "dirty" VRF toward the scrubbing center (DDoS scrubber plus detection and control), and clean traffic is reinjected toward the victim behind the enterprise or IDC firewall and IPS/IDS]

• The BGP Flowspec filter redirects only the specified traffic that matches the rule.

• Diverted traffic is a subset of all traffic destined to the victim.

Page 34: DDoS Threats Landscape : Countering Large-scale DDoS attacks

BGP Flowspec – Vendors

• Router vendors supporting BGP Flowspec:
– Cisco IOS XR 5.2.0 and XE 3.14
– Alcatel-Lucent 7750 SROS 9.0R1
– Juniper JunOS 7.3

• DDoS mitigation vendors:
– Arbor Peakflow SP > 5.8

• BGP tools:
– ExaBGP injector

Page 35: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation – S/RTBH or Flowspec

[Diagram: provider network edges (Peer A, Peer B, upstream transit links, IXP-W and IXP-E) with Peakflow SP peering with the edge routers]

• Peakflow SP advertises the list of blackholed prefixes based on source or destination addresses, or a layer-4 flowspec classifier.

• Edge routers drop attack traffic packets based on source or destination address, or on the layer-4 classifier (flowspec).

Page 36: DDoS Threats Landscape : Countering Large-scale DDoS attacks

SDN Illustrated

[Diagram: logical view and physical view of an SDN controller with a northbound REST API toward policy, a southbound API (OpenFlow) toward the switches, and a WB API between controllers]

Page 37: DDoS Threats Landscape : Countering Large-scale DDoS attacks

NFV Illustrated

[Diagram: logical view of the physical service chain Internet – Router – Arbor APS – FW – IPS – LB – Web servers, and the physical view of its NFV equivalent Internet – vRouter – vAPS – vFW – vIPS – vLB – Web VMs]

Page 38: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Where SDN Could be Ideal

• Meter traffic conditions, application and user behavior

• Match those conditions against a set of pre-defined criteria (policy)

• Act on the match according to a policy (control behavior)

[Diagram: SDN controller with northbound REST API, southbound API (OpenFlow) and WB API, in logical and physical views]


Page 40: DDoS Threats Landscape : Countering Large-scale DDoS attacks

TMS Blacklist Offload via OpenFlow

[Diagram: Provider A and Provider B feeding a data center; the TMS identifies bad traffic, and OpenFlow rules drop it (X) in the network fabric while good traffic passes]

• Offloads traffic filtering from the TMS to the network fabric via an SDN protocol for greater scale and performance

• Integrates a 3rd-party SDN controller 'speaking' OpenFlow
• Similar/extensible to other policy-based protocols: BGP, Flowspec, NETCONF, etc.

Page 41: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Mitigation – OpenFlow

[Diagram: provider network edges (Peer A, Peer B, upstream transit links, IXP-W and IXP-E) with the TMS pushing blacklist entries to the edge via OpenFlow]

Page 42: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Summary – Detection/Classification/Traceback/Mitigation

• Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback
– Many open-source tools are available as well

• Enforce standard network access policies in front of servers/services via stateless ACLs in hardware-based routers/layer-3 switches.

• Ensure recursive DNS servers are not queryable from the public Internet, only from your customers/users.

• Ensure SNMP is disabled/blocked on public-facing infrastructure/servers.

• Disallow mode-6/-7 (control and private, including monlist) NTP queries from the public Internet.
• Disable all unnecessary services such as chargen.
• Regularly audit network infrastructure and servers/services.

Page 43: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Arbor Networks’ Product Portfolio

Page 44: DDoS Threats Landscape : Countering Large-scale DDoS attacks

Thank You