Transcript of Evolution of DDoS Multi-Vector Attacks: Customer Perspectives
Confidential | ©A10 Networks, Inc.
Evolution of DDoS Multi-Vector Attacks: Customer Perspectives
Yovani Piamba, June 28th 2016
DDoS Attacks Have Evolved
From single vector to multi vector
Network layer attacks
• Fragmentation
• SYN floods
• Ping floods
• …
Application layer attacks
• Slowloris
• HTTP GET floods
• R.U.D.Y.
• …
Amplification attacks
• DNS amplification
• NTP amplification
• SSDP amplification
• …
Multi-vector attacks
• Simultaneous attacks on all levels
• Adaptive strategy
75% of all attacks are multi-vector attacks
Based on 640 interviews with IT decision makers in large organizations (1000+ employees), in 11 countries across the world, across a range of sectors (finance, retail and public)
Source: BT, 2014
Multi-Vector Attacks Are Here
Online gambling site hit by five-vector DDoS attack peaking at 100Gbps
• 5 vectors, gambling site, 100 Gbps, Q2 2014
Verisign Thwarts Massive 300 GBPS Multi-Vector DDoS Attack Against Global Media Customer
• 7 vectors, media/entertainment service, 300 Gbps, Q2 2014
XOR DDoS Botnet Launches 20 Attacks A Day
• 2 vectors, educational institutions, XOR botnet, 150+ Gbps attack, Q4 2015
Verisign Reports about MVA
Many Motivations
• Cyber criminal
• Disgruntled employee
• Hacktivist
• Script kiddie
• Gamer
…and then you just press “Launch DDoS”
There’s an App for That!
MVA: Find the Weakest Link
[Diagram: Internet pipe → Routers → Firewall → Server → Application, each hop labeled with its limiting resource (bandwidth or networking)]
Adaptive and Simultaneous
[Diagram: two attack-surface triangles, each with Bandwidth, Network and Application vertices]
Business Impact of DDoS
• Reputation damage
• Average attack: 24+ hrs**
• $1M+ per hour*
*Ponemon, 2015 **Akamai
What Is the Average Downtime?
Q: What is the average effective downtime because of a DDoS attack? (Enter number of hours)
Average = 17 hours
MVA: Too Much for Legacy Solutions
[Diagram: attack-surface triangle with Bandwidth, Network and Application vertices]
May repel a single-vector attack
Ineffective for multi-vector attacks
Problem of Conventional On-Premise Solutions
Not Effective
• Solution runs out of steam with MVA
• Cannot enforce granular rate limits
• Lacks telemetry
Not Agile
• Cannot quickly adapt to new vectors
• No programmable environment
• Not DevOps ready
Not Efficient
• Poor scalability per appliance
• Large data center footprint
• Very expensive
Cloud DDoS Protection is NOT a Panacea
On-premise protection
▪ Always-on
▪ No convergence delay
▪ Low latency
▪ Predictable cost
▪ Full policy control
Escalation to cloud optional for large volumetric attacks
Cloud Pros
▪ Volumetric attacks
▪ On-demand
Cloud Cons
▪ Still vulnerable (CloudPiercer)
▪ Slow convergence (downtime)
▪ Site performance (latency)
▪ Overages and price
▪ Trust, privacy and control
What Is the Most Effective Solution?
Q: What current solutions do you use to address the multi-vector DDoS threat? (Select one or more) Which is most effective? (Select one only)
Hybrid solution: on-premise with cloud bursting option
What Are the Most Important Features?
Q: How much weight of importance do you give to the following features and capabilities provided by a new DDoS solution? (Sum to 100)
Rate Limit Enforcement: 12%
Custom Processors: 13%
Expansive Policies for Protected Objects: 13%
Hardware Accelerated Traffic Processing: 14%
Programmability: 14%
Threat Intelligence Feed: 16%
Automated Detection and Mitigation: 18%
A wide range of advanced features is needed
Biggest Barrier to Implementation?
Q: What internal barriers prevent greater DDoS protection? (Select one or more) Which is most important? (Select one only)
Insufficient Staff Expertise: 15%
Insufficient Bandwidth: 18%
Current Solutions Lack Flexibility Against New DDoS Attacks: 19%
Concerns that False Positives Impact User Experience: 19%
Cost of Detection and Mitigation Solutions: 29%
Legacy solutions are expensive
What You Need for True MVP
• Protect against full attack spectrum
• Agile and rapid action
• Efficient
True Multi-vector Protection – True MVP
[Diagram: attack-surface triangle with Bandwidth, Network and Application vertices]
• Multi-tiered, inc. hardware offload
• High bandwidth capacity
• Max CPU resources for DPI
• 100% UPTIME
Requirements for a Clean Pipe Solution
Anomaly/Attack Detection
▪ Learn how my users' networks behave
▪ Detect whenever there is an anomaly
▪ Offer manual or automatic countermeasures
External Threat Intelligence
▪ Know in advance who the bad guys are
▪ Receive information from different sources
▪ Expand the breadth of protection
Traffic Redirection/Diversion
▪ Redirect traffic when needed
▪ Integrate easily with 3rd party
▪ Automatic blackholing
Attack Visibility/Reporting
▪ Need to have attack visibility and show regularly to my customers how we are protecting their assets
Security Response Team
▪ Offer 24x7 dedicated staff monitoring my customers' networks
Anomaly/Attack Mitigation
▪ Performance to stop the attack
▪ Add minimum delay while doing it
▪ Easily inserted in my network
▪ Flexibility to mitigate attacks
A10 Clean Pipe Solution Set
Anomaly/Attack Detection (natively or 3rd-party)
▪ TPS offers manual thresholds or traffic indicators (baselining)
▪ Detection based on network behavior (learned automatically) or manual thresholds
▪ Detection delivered via inline mode or via traffic mirroring
▪ Detection delivered via flow collection (e.g. sFlow, IPFIX, Jflow)
External Threat Intelligence
▪ Regular security intelligence feeds to enable lists of confirmed bad actors across the globe
▪ TPS official integration available as a subscription service
▪ Block bad traffic beyond DDoS (e.g. spam)
Traffic Redirection/Diversion (natively or 3rd-party)
▪ TPS allows tunneling (GRE), scripting (Perl, Python, Bash) and black holing as a response to an anomaly
▪ BGP null route via ExaBGP plugin
▪ Open Hybrid cloud scrubbing available as a service; official integration available with TPS
Attack Visibility/Reporting (natively or 3rd-party)
▪ Traffic and attack history, alerts, duration and type of attacks
▪ End user console available as part of the solution
▪ SMTP and Syslog alerts available
▪ aGalaxy offers traffic and attack history
▪ Integration via API to TPS allows all protection counters to be gathered by 3rd party systems
Anomaly/Attack Mitigation
▪ Next-gen multi-tiered architecture
▪ Up to 60 attack vectors in FPGA hardware
▪ SSL hardware for encrypted attacks (e.g. POODLE)
▪ Best value for CAPEX/OPEX
▪ Full feature parity for IPv6/IPv4
▪ Automated mitigation or fully programmatic
▪ Many deployment modes
▪ 3rd party integration via BGP signaling or aXAPI
▪ Vendor-neutral approach
Security Response Team
▪ A10 PS (Resident Engineer)
▪ A10 reseller offering as a service
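The detection approach the deck describes (learn how a protected zone normally behaves from flow data, then alert on intervals that violate the learned profile or a manual threshold, and treat several vectors firing at once as a multi-vector attack) looks like the following when written out. This is an added example, not A10 or Thunder TPS code; the flow record layout, the vector names, the 3-sigma rule, the 1000 pps floor and the sample traffic are all constructed for illustration.

```python
"""Baseline-driven anomaly detection over flow-style records (added example).

Not A10/TPS code: mirrors the slide's approach. Learn a per-zone profile from
quiet intervals, flag vectors exceeding the learned (or a manual) threshold,
and count how many vectors fire at once. Record format, vector names,
thresholds and sample traffic are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowRecord:
    """One aggregated flow for a one-second interval (simplified sFlow/IPFIX view)."""
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 when not applicable
    tcp_flags: str   # "S" = SYN only; "" for non-TCP
    packets: int


def classify_vector(rec):
    """Map a flow record to the attack vector it would contribute to."""
    if rec.proto == "tcp" and rec.tcp_flags == "S":
        return "syn_flood"
    if rec.proto == "udp" and rec.dst_port == 53:
        return "dns_amplification"
    if rec.proto == "udp" and rec.dst_port == 123:
        return "ntp_amplification"
    if rec.proto == "udp":
        return "udp_flood"
    if rec.proto == "icmp":
        return "icmp_flood"
    return "other"


def per_vector_pps(records):
    """Packets per second per vector for one interval's records."""
    counts = defaultdict(int)
    for rec in records:
        counts[classify_vector(rec)] += rec.packets
    return dict(counts)


class ZoneBaseline:
    """Learned normal profile for one protected object (zone)."""

    def __init__(self, sigma=3.0, floor_pps=1000):
        self.samples = defaultdict(list)  # vector -> pps observed per clean interval
        self.sigma = sigma                # std devs above the mean that count as anomalous
        self.floor_pps = floor_pps        # never alert below this; quiet vectors are noisy

    def learn(self, interval_records):
        """Add one clean interval; vectors absent this interval count as 0 pps."""
        observed = per_vector_pps(interval_records)
        for vector in set(self.samples) | set(observed):
            self.samples[vector].append(observed.get(vector, 0))

    def threshold(self, vector):
        """Learned alert threshold; vectors never seen fall back to the floor."""
        history = self.samples.get(vector)
        if not history:
            return self.floor_pps
        return max(self.floor_pps, mean(history) + self.sigma * pstdev(history))


def detect(baseline, interval_records, manual_thresholds=None):
    """Vectors over their limit this interval -> {vector: (observed_pps, limit)}.
    A manual threshold for a vector overrides the learned one."""
    manual = manual_thresholds or {}
    anomalies = {}
    for vector, pps in per_vector_pps(interval_records).items():
        limit = manual.get(vector, baseline.threshold(vector))
        if pps > limit:
            anomalies[vector] = (pps, limit)
    return anomalies


def classify_attack(anomalies):
    """'normal', 'single-vector' or 'multi-vector' from the firing vectors."""
    if not anomalies:
        return "normal"
    return "multi-vector" if len(anomalies) >= 2 else "single-vector"


def build_sample_baseline():
    """Train on ten constructed quiet intervals with small deterministic drift."""
    baseline = ZoneBaseline()
    for i in range(10):
        baseline.learn([FlowRecord("tcp", 80, "S", 200 + 10 * i),
                        FlowRecord("udp", 53, "", 50 + 5 * i),
                        FlowRecord("udp", 5000, "", 500 - 10 * i)])
    return baseline


# Constructed attack interval: SYN flood plus DNS amplification, UDP otherwise normal
ATTACK_INTERVAL = [FlowRecord("tcp", 80, "S", 50_000),
                   FlowRecord("udp", 53, "", 400_000),
                   FlowRecord("udp", 5000, "", 480)]


def run_example(manual_thresholds=None):
    """Returns (verdict, anomalies) for the constructed attack interval."""
    baseline = build_sample_baseline()
    anomalies = detect(baseline, ATTACK_INTERVAL, manual_thresholds)
    return classify_attack(anomalies), anomalies


if __name__ == "__main__":
    verdict, hits = run_example()
    print(verdict, {v: f"{pps} pps > {limit:.0f}" for v, (pps, limit) in hits.items()})
```

With the constructed data the learned thresholds all sit at the 1000 pps floor, so the SYN and DNS vectors fire and the interval is classified multi-vector while the UDP game traffic stays below its limit; passing `{"udp_flood": 400}` as a manual threshold shows how an operator override pulls a third vector into the alert. On a real appliance the equivalent counters come from the flow collector or inline path the slide lists, and the baseline would be kept per protected object rather than one global profile.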
Increase Security Efficacy with Threat Intelligence
• Collective intelligence from millions of devices
• Block threats before they happen
• Increase effectiveness and capacity
[Diagram: Dynamic Threat Intelligence Cloud (Detect → Correlate → Validate) pushes Dynamic Threat Intelligence Updates to Thunder TPS appliances]
Sources: Reputation Lists, Bad Actors, Honeypots, Malware Lists, Dshield, Abuse.ch, Shadowserver, More...
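The detect, correlate and validate steps on the slide are the part of a threat intelligence pipeline that keeps a reputation feed from turning into self-inflicted denial of service: indicators are grouped across sources, stale entries and anything inside your own or private address space are discarded, and only indicators confirmed by several feeds (or by a trusted one such as your own honeypot) reach the blocklist. The following is an added example, not A10 code and not the A10 Threat Intelligence service; feed names, indicators, timestamps, the 7-day age limit and the never-block ranges are all constructed, using documentation address ranges.

```python
"""Merging reputation feeds into a validated blocklist (added example).

Not A10 code: walks detect -> correlate -> validate for constructed feed
entries. 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation
ranges; feed names and timestamps are made up for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed entries: (source, indicator, last_seen ISO-8601, category)
FEEDS = [
    ("dshield", "198.51.100.7", "2016-06-27T12:00", "scanner"),
    ("abuse.ch", "198.51.100.7", "2016-06-26T08:00", "botnet_c2"),
    ("honeypot", "198.51.100.20", "2016-06-27T22:00", "attacker"),
    ("honeypot", "198.51.100.21", "2016-06-27T23:00", "attacker"),
    ("dshield", "198.51.100.40", "2016-06-27T22:00", "scanner"),    # single untrusted source
    ("dshield", "192.168.1.5", "2016-06-27T22:00", "malware"),      # inside a never-block range
    ("abuse.ch", "192.168.1.5", "2016-06-27T20:00", "malware"),
    ("dshield", "198.51.100.99", "2016-05-01T00:00", "scanner"),    # stale
    ("abuse.ch", "198.51.100.99", "2016-05-02T00:00", "scanner"),
    ("shadowserver", "2001:db8::bad", "2016-06-27T00:00", "botnet_c2"),
    ("abuse.ch", "2001:db8::bad", "2016-06-27T06:00", "botnet_c2"),
]
NOW = datetime(2016, 6, 28)   # constructed "current time" so the example is deterministic
# Own prefixes and private space are never blocked, whatever a feed says (constructed list)
NEVER_BLOCK = [ipaddress.ip_network(p) for p in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]


def correlate(entries):
    """Group entries by indicator, remembering every source and the newest sighting."""
    grouped = defaultdict(lambda: {"sources": set(), "categories": set(), "last_seen": None})
    for source, indicator, seen, category in entries:
        net = ipaddress.ip_network(indicator, strict=False)   # bare IPs become /32 or /128
        info = grouped[net]
        info["sources"].add(source)
        info["categories"].add(category)
        ts = datetime.fromisoformat(seen)
        if info["last_seen"] is None or ts > info["last_seen"]:
            info["last_seen"] = ts
    return grouped


def protected(net):
    """True when the indicator lies inside a never-block range of the same IP version."""
    return any(net.subnet_of(keep) for keep in NEVER_BLOCK if keep.version == net.version)


def validate(grouped, now=NOW, max_age=timedelta(days=7), min_sources=2, trusted=("honeypot",)):
    """Keep fresh, non-protected indicators confirmed by several feeds or by a trusted one,
    then collapse adjacent prefixes so the enforcement list stays small."""
    keep = []
    for net, info in grouped.items():
        if now - info["last_seen"] > max_age or protected(net):
            continue
        if len(info["sources"]) >= min_sources or info["sources"] & set(trusted):
            keep.append(net)
    collapsed = []
    for version in (4, 6):   # collapse_addresses accepts a single IP version per call
        collapsed.extend(ipaddress.collapse_addresses(n for n in keep if n.version == version))
    return collapsed


def build_blocklist(entries=FEEDS):
    return validate(correlate(entries))


def is_listed(blocklist, ip):
    """Enforcement side: would a packet from this source address be dropped?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist if net.version == addr.version)


if __name__ == "__main__":
    for net in build_blocklist():
        print(net)
```

Running it yields three prefixes: the address two feeds agree on, the two adjacent honeypot hits collapsed into a /31, and the IPv6 command-and-control address; the single-source scanner, the stale entries and the private address never make it onto the list. The freshness and minimum-source rules are the knobs that trade coverage against the false-positive risk the survey respondents ranked among their top barriers.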
Volumetric Attack Redirection to DDoS Protection Cloud
Considerations
▪ For organizations with limited Internet bandwidth
▪ No vendor lock-in for cloud-based protection
▪ Best of breed, hybrid solution
Main Features
▪ Smart on-premise protection
– Zone-based behavioral learning & anomaly detection
– Auto-escalation & auto-mitigation based on violation of established profiles
▪ When threshold levels are exceeded, invoke cloud service
– On-premise equipment signals to cloud service via API
[Diagram: Data Center with TPS → API call → Verisign OpenHybrid]
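The escalation step ("when threshold levels are exceeded, invoke cloud service") is easy to get wrong in both directions: diverting on a single hot interval causes route flapping and the convergence downtime listed under cloud cons, while never returning traffic keeps you paying cloud overages after the attack ends. The following is an added example, not A10 or Verisign code; it models the decision as a small state machine with hysteresis. The capacity figure, the 80% headroom, the interval counts and the traffic trace are constructed, and the cloud API is represented by a callback that records what would have been sent.

```python
"""Escalation policy for a hybrid on-premise + cloud DDoS deployment (added example).

Not A10/Verisign code: a state machine with hysteresis around the slide's
"invoke cloud service when thresholds are exceeded" step. Capacity, headroom,
interval counts and the traffic trace are constructed; the API call is a callback.
"""
from dataclasses import dataclass, field


@dataclass
class HybridPolicy:
    onprem_capacity_gbps: float        # attack volume local mitigation can absorb
    headroom: float = 0.8              # trigger at 80% of capacity, not at the cliff edge
    escalate_after: int = 2            # consecutive hot intervals before diverting
    deescalate_after: int = 5          # consecutive calm intervals before restoring
    state: str = "on_prem"
    hot: int = 0
    calm: int = 0
    events: list = field(default_factory=list)

    def observe(self, interval, attack_gbps, signal_cloud):
        """Feed one interval's measured attack volume; returns the resulting state.
        While diverted, attack_gbps should be the scrubbing service's own measurement,
        since the on-premise appliance only sees clean traffic."""
        if attack_gbps > self.onprem_capacity_gbps * self.headroom:
            self.hot, self.calm = self.hot + 1, 0
        else:
            self.calm, self.hot = self.calm + 1, 0
        if self.state == "on_prem" and self.hot >= self.escalate_after:
            signal_cloud("divert", interval)    # the API call that swings routing to the cloud
            self.state = "cloud"
            self.events.append((interval, "escalate", attack_gbps))
        elif self.state == "cloud" and self.calm >= self.deescalate_after:
            signal_cloud("restore", interval)
            self.state = "on_prem"
            self.events.append((interval, "deescalate", attack_gbps))
        return self.state


class RecordingCloudApi:
    """Stand-in for the scrubbing provider's API client: records what would be sent."""

    def __init__(self):
        self.calls = []

    def __call__(self, action, interval):
        self.calls.append((action, interval))


# Constructed per-minute attack volume in Gbps against a 100 Gbps on-premise capacity:
# a one-interval spike at t=2 that must NOT divert, a sustained attack from t=4, a lull from t=8
TRACE = [5, 6, 90, 5, 95, 120, 150, 160, 40, 10, 8, 7, 6, 5, 5]


def run_example(trace=TRACE, capacity_gbps=100.0):
    """Returns (state per interval, escalation events, recorded API calls)."""
    policy = HybridPolicy(onprem_capacity_gbps=capacity_gbps)
    api = RecordingCloudApi()
    states = [policy.observe(i, gbps, api) for i, gbps in enumerate(trace)]
    return states, policy.events, api.calls


if __name__ == "__main__":
    states, events, calls = run_example()
    print(events)
    print(calls)
```

On the constructed trace the spike at minute 2 is absorbed locally, the divert call goes out at minute 5 after two consecutive hot intervals, and the restore call waits until minute 12 after five calm ones. Tune `escalate_after` against how long your upstream can hold the attack and `deescalate_after` against the provider's route convergence time; both are deployment-specific and the values here are illustrative.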
Next Generation DDoS Protection for True MVP – Thunder TPS
Full attack spectrum protection
▪ Best protection against multi-vector attacks
▪ 60 FTA hardware mitigations
▪ Verisign partnership for hybrid protection
Powerful and efficient
▪ Mitigate up to 155 Gbps of attack throughput
▪ 223 M packets per second (pps) in 1 rack unit
▪ A10 Threat Intelligence service
Full control for agile protection
▪ Programmatic Policy Engine
▪ 3rd party integration
▪ Many deployment modes
Metrics that Matter for True MVP
▪ 60 Hardware (FTA) Mitigations
▪ 48 Cores
▪ 1.2 Tbps
▪ 223 Mpps
▪ 64k Protected Objects
▪ 100 GbE Ports
Case Study: Gaming Software Platform
Overview
▪ Vendor that hosts the world's largest online gaming platform. On this platform, fans can easily buy, play, share, modify, and build gaming communities
▪ 1,800+ game titles
▪ 35 million active users
▪ 237 countries
Deployment scale
▪ 12 data centers worldwide
▪ 150 Gbps transit
Competition
▪ On-premise network and DDoS solutions
▪ 3rd party cloud service
Why they chose A10
▪ Value
▪ Performance
▪ Features
– Per-session rate limiting for UDP traffic
▪ Strong support from local team
Details
▪ 24 Thunder 6435 TPS
ACOS Harmony – Platform that Performs
We keep your business:
• Responsive – Thunder ADC
• Secure – Thunder CFW and SSLi
• Always On – Thunder TPS & CGN
Users, Infrastructure, Applications: On-premise & in-the-cloud
Next Steps
• A10 can help you to improve your network security: use the "Contact Us" form on our website
• If you want a copy of the presentation, send an email to [email protected]
• Questions? We will be happy to answer. Contact: [email protected], at your disposal
• Want to see more? Visit www.a10networks.com
Best of Microsoft TechEd 2014 - Breakthrough Technology and Attendees’ Pick
North America IPv6 Summit Best of Show: IPv6 Service
TechTarget Reader’s Choice Award
Thank You