Evolution of DDoS Multi-Vector Attacks: Customer …...DDoS attack peaking at 100Gbps 5 Vectors...

Confidential | © A10 Networks, Inc. Evolution of DDoS Multi-Vector Attacks: Customer Perspectives. Yovani Piamba, June 28th 2016


Evolution of DDoS Multi-Vector Attacks: Customer Perspectives

Yovani Piamba June 28th 2016


DDoS Attacks have Evolved

Single Vector Multi Vector

Network layer attacks

• Fragmentation
• SYN floods
• Ping floods
• …

Application layer attacks

• Slowloris
• HTTP GET floods
• R.U.D.Y.
• …

Amplification attacks

• DNS amplification
• NTP amplification
• SSDP amplification
• …

Multi-vector attacks

• Simultaneous attacks on all levels
• Adaptive strategy


Based on 640 interviews with IT decision makers in large organizations (1000+ employees), in 11 countries across the world. Range of sectors: finance, retail and public.

75% of all attacks are multi-vector attacks

Source: BT, 2014


Multi-Vector Attacks Are Here

Online gambling site hit by five-vector DDoS attack peaking at 100Gbps

5 Vectors Gambling Site 100 Gbps Q2 2014


Multi-Vector Attacks Are Here

Verisign Thwarts Massive 300 GBPS Multi-Vector DDoS Attack Against Global Media Customer

7 Vectors Media/Entertainment Service 300 Gbps Q2 2014


Multi-Vector Attacks Are Here

XOR DDoS Botnet Launches 20 Attacks A Day

2 Vectors Educational Institutions XOR Botnet 150+ Gbps attack Q4 2015


Verisign Reports about MVA


Many Motivations

Cyber Criminal

Disgruntled Employee

Hacktivist Script Kiddie Gamer


…and then you just press “Launch DDoS”


There’s an App for That!


MVA: Find the Weakest Link

[Diagram: Internet Pipe, Routers, Firewall, Server, Application; labels: Bandwidth, Networking]


Adaptive and Simultaneous

[Diagram, shown twice: Bandwidth, Application, Network]


Business Impact of DDoS

Reputation damage

Average attack: 24+ hrs**

$1M+ per hour*

* Ponemon, 2015
** Akamai


Q: What is the average effective downtime because of a DDoS attack? (Enter number of hours)

What Is the Average Downtime?

Average = 17 Hours


MVA: Too Much for Legacy Solutions

Bandwidth Application

Network

May repel a single-vector attack


MVA: Too Much for Legacy Solutions

Bandwidth Application

Network

Ineffective for multi-vector attacks


Problem of Conventional On Premise Solutions

Not Effective

• Solution runs out of steam with MVA
• Cannot enforce granular rate limits
• Lack telemetry

Not Agile

• Cannot quickly adapt to new vectors
• No programmable environment
• Not DevOps ready

Not Efficient

• Poor scalability per appliance
• Large Data Center footprint
• Very expensive


On premise protection

▪ Always-on
▪ No convergence delay
▪ Low latency
▪ Predictable cost
▪ Full policy control

Escalation to Cloud optional for large volumetric attacks

Cloud DDoS Protection is NOT a Panacea

Cloud Pros

Volumetric attacks

On-demand

Cloud Cons

Still vulnerable (CloudPiercer)

Slow convergence (downtime)

Site performance (latency)

Overages and price

Trust, privacy and control


Q: What current solutions do you use to address the multi-vector DDoS threat? (Select one or more) Which is most effective? (Select one only)

What is the Most Effective Solution?

Hybrid Solution: On-premise with cloud bursting option


Q: How much weight of importance do you give to the following features and capabilities provided by a new DDoS solution? (Sum to 100)

What are the Most Important Features?

Rate Limit Enforcement 12%

Custom Processors 13%

Expansive Policies for Protected Objects 13%

Hardware Accelerated Traffic Processing 14%

Programmability 14%

Threat Intelligence Feed 16%

Automated Detection and Mitigation 18%

A wide range of advanced features is needed


Q: What internal barriers prevent greater DDoS protection? (Select one or more) Which is most important? (Select one only)

Biggest Barrier to Implementation?

Insufficient Staff Expertise 15%

Insufficient Bandwidth 18%

Current Solutions Lack Flexibility Against New DDoS Attacks 19%

Concerns that False Positives Impact User Experience 19%

Cost of Detection and Mitigation Solutions 29%

Legacy solutions are expensive


What you need for True MVP

• Protect against full attack spectrum
• Agile and rapid action
• Efficient


True Multi-vector Protection – True MVP

Bandwidth Application

Network

Multi-tiered, inc. Hardware offload

High bandwidth capacity

Max CPU resources for DPI

100% UPTIME


Requirements for a Clean Pipe Solution

Anomaly/Attack Detection

• Learn how my users' networks behave
• Detect whenever there is an anomaly
• Offer manual or automatic countermeasures

External Threat Intelligence

• Know in advance who are the bad guys
• Receive information from different sources
• Expand the breadth of protection

Traffic Redirection/Diversion

• Redirect traffic when needed
• Integrate easily with 3rd party
• Automatic Blackholing

Attack Visibility Reporting

• Need to have attack visibility and show regularly to my customers how we are protecting their assets

Security Response Team

• Offer 24x7 dedicated staff monitoring my customer's net

Anomaly/Attack Mitigation

• Performance to stop the attack
• Add minimum delay while doing it
• Easily inserted in my network
• Flexibility to mitigate attacks


A10 Clean Pipe Solution Set

Anomaly/Attack Detection (natively or 3rd-party)

• TPS offers manual thresholds or traffic indicators (Baselining)
• Detection delivered via Inline Mode or via traffic mirroring
• Detection based on network behavior (learned automatically) or manual thresholds
• Detection delivered via flow collection (e.g. Sflow, IPFIX, Jflow)

External Threat Intelligence

• Regular security intelligence feeds to enable lists of confirmed bad actors across the globe
• TPS official integration available as a subscription service
• Block bad traffic beyond DDoS (e.g. spam)

Anomaly/Attack Mitigation

• Next-gen multi-tiered architecture
• Up to 60 attack vectors in FPGA hardware
• SSL hardware for encrypted attacks (e.g. POODLE)
• Best value for CAPEX/OPEX
• Full feature parity for IPv6/IPv4
• Automated mitigation or fully programmatic
• Many deployment modes
• 3rd party integration via BGP signaling or aXAPI
• Vendor-neutral approach

Traffic Redirection/Diversion (natively or 3rd-party)

• TPS allows Tunneling (GRE), Scripting (Perl, Python, Bash) and Black Holing as a response to an anomaly
• Open Hybrid Cloud Scrubbing available as a Service. Official integration available with TPS
• BGP-Null Route via ExaBGP plugin

Attack Visibility Reporting (natively or 3rd-party)

• Traffic and Attack history, Alerts, Duration and type of attacks. End User console available as part of the solution. SMTP and Syslog alerts available
• aGalaxy offers Traffic and Attack history
• Integration via API to TPS allows all protection counters to be gathered by 3rd party systems

Security Response Team

• A10 PS (Resident Engineer)
• A10 Reseller offering as a service


Increase Security Efficacy with Threat Intelligence

• Collective intelligence from millions of devices
• Block threats before they happen
• Increase effectiveness and capacity

[Diagram: Dynamic Threat Intelligence Cloud (Detect, Correlate, Validate); sources: Reputation Lists, Bad Actors, Honeypots, Malware Lists, Dshield, Abuse.ch, Shadowserver, More...; Dynamic Threat Intelligence Updates; Thunder TPS devices]


Volumetric Attack Redirection to DDoS Protection Cloud

Considerations

▪ For organizations with limited Internet bandwidth
▪ No vendor lock-in for cloud-based protection
▪ Best of breed, hybrid solution

Main Features

▪ Smart on-premise protection
  – Zone-based behavioral learning & anomaly
  – Auto-escalation & auto-mitigation based on violation of established profiles
▪ When threshold levels are exceeded, invoke cloud service
  – On-premise equipment signals to cloud service via API

[Diagram: TPS, Data Center, API Call, Verisign OpenHybrid]


Next Generation DDoS Protection For True MVP

Full attack spectrum protection

▪ Best protection against Multi-vector attacks
▪ 60 FTA hardware mitigations
▪ Verisign partnership for hybrid protection

Powerful and efficient

▪ Mitigate up to 155 Gbps of attack throughput
▪ 223 M packets per second (pps) in 1 rack unit
▪ A10 Threat Intelligence service

Full control for agile protection

▪ Programmatic Policy Engine
▪ 3rd party integration
▪ Many deployment modes

Thunder TPS


Metrics that Matter for True MVP

▪ 60 Hardware (FTA) Mitigations
▪ 48 Cores
▪ 1.2 Tbps
▪ 223 Mpps
▪ 64k Protected Objects
▪ 100 GbE Ports


Case Study: Gaming Software Platform

Overview

vendor that hosts the world's largest online gaming platform. On this platform, fans can easily buy, play, share, modify, and build gaming communities

▪ 1,800+ game titles
▪ 35 million active users
▪ 237 countries

Deployment scale

▪ 12 Data centers worldwide
▪ 150 Gbps transit

Competition

▪ On-premise network and DDoS solutions
▪ 3rd party Cloud service

Why they chose A10

▪ Value
▪ Performance
▪ Features
  – Per session rate limiting for UDP traffic feature
▪ Strong support from local team

Details

▪ 24 Thunder 6435 TPS


ACOS Harmony – Platform that Performs

We Keep Your Business:

▪ Responsive: Thunder ADC
▪ Secure: Thunder CFW and SSLi
▪ Always On: Thunder TPS & CGN

[Diagram labels: Users, Infrastructure, Applications; On Premise & In-the-cloud]


Next Steps

A10 can help you to improve your Network Security

Use the form "Contact Us" on our website

If you want a copy of the presentation, send an email to [email protected]

Questions? We will be happy to answer

Contact: [email protected] at your disposal

Want to see more? Visit www.a10networks.com


Best of Microsoft TechEd 2014 - Breakthrough Technology and Attendees’ Pick

North America IPv6 Summit Best of Show: IPv6 Service

TechTarget Reader’s Choice Award

Thank You