Radware Solutions for MSSPs

Advanced DDoS Protection for Service Providers & MSSPs Ron Meyran – Director Product Marketing Security July 2011


Transcript of Radware Solutions for MSSPs

Page 1: Radware Solutions for MSSPs

Advanced DDoS Protection for Service Providers & MSSPs

Ron Meyran – Director Product Marketing Security

July 2011

Page 2: Radware Solutions for MSSPs

Agenda

• DDoS Is Growing & Evolving

• Key Success Criteria for Service Providers & MSSPs

• Radware’s Advanced Solution

• Customer Cases

• Summary


Page 3: Radware Solutions for MSSPs

DDoS is growing and evolving

Page 4: Radware Solutions for MSSPs

DDoS Threat is growing

[Figure: attack size over time, 2009 to 2011. Source: Radware ERT report]

Events labelled on the figure:

• Slowloris - Low & Slow Attacks
• July 2009 cyber attacks (US and South Korea)
• Twitter DDoS attack on Cyxymu
• IMDDOS – Commercial Botnet
• Operation Payback – Wikileaks revenge DDoS attacks
• Operation Payback II on Codero; Netbot DDoS on Wordpress.com
• Operation Sony DDoS

Page 5: Radware Solutions for MSSPs

When you have no Anti-DoS solution in place…


Wikileaks site outage

Westboro Baptist Outage

4 sites held down for 6 days

Page 6: Radware Solutions for MSSPs

Poll question

• How many DDoS attacks did you (or your customer) face in the past year?
  – None
  – Only once
  – Few times
  – Many times
  – I don’t have the tools to detect DDoS attacks

Page 7: Radware Solutions for MSSPs

Multi-Vulnerability Attack Campaigns

[Figure: attacks aimed at the Network, Server, Application and Business layers, all resulting in business impact]

Attacks labelled on the figure:

• Large volume network flood attacks
• Slow Application flood attack (Slowloris)
• Large volume SYN flood
• Low & Slow connection DoS attacks
• Application flood attack (HTTP data flood)

Conclusions

• Attackers use multi-vulnerability attack campaigns making mitigation nearly impossible

• Even if one attack vector is successful – the business is severely impacted

Page 8: Radware Solutions for MSSPs

DDoS Protection: layers of defense

Type of DoS attacks:

• PPS & Bandwidth flood attacks
• Connection & application flood attacks
• Directed application DoS attacks

Attack volume: High, Med, Low

Challenges:

• Accurate mitigation – maintain very low false positives
• Time to protect
• PPS processing capacity
• Bandwidth capacity
• Identify malicious sources
• Accurate mitigation – all sessions are legitimate
• Deep packet inspection
• Ad-hoc filters creation

Page 9: Radware Solutions for MSSPs

Key criteria to become a successful MSSP

Page 10: Radware Solutions for MSSPs

What drives the MSSP success? (1 of 2)

• Business
  – True DDoS Protection
    • Can you detect and protect against emerging DDoS attacks, including multi-vulnerability campaign attacks and slow DDoS attacks?
    • How fast can you detect and protect against attacks? In seconds? In minutes?

• Financial
  – Solution scalability
    • Can your infrastructure grow without painful forklift upgrades?
  – How do you price your service?
    • Monthly fee
    • On demand / per incident
    • SLA penalties / rewards

Page 11: Radware Solutions for MSSPs

What drives the MSSP success? (1 of 2)

• Technical
  – Flexible deployment
    • Fit any customer architecture

• Operational
  – Customer centric reporting
  – Easy integration into provider environment (OSS, SEM, SOC)

• Marketing
  – What is unique in your offering?
  – SLA: can you guarantee Time to protect?
  – Coverage – what types of attacks do you protect against, and what don’t you?
  – Multi locations vs. single location
  – Customer portfolio and testimonials

Page 12: Radware Solutions for MSSPs

Radware solution for DDoS service providers

Page 13: Radware Solutions for MSSPs

DDoS Protection: Radware coverage

Radware DDoS Protections:

• Up to 12MPPS of attack prevention
• Up to 800K new TPS of HTTP Challenge-Response

Attack types covered:

• PPS & Bandwidth flood attacks
• Connection & application flood attacks
• Directed application DoS attacks

Engines and technologies:

• ASIC-Based DoS Mitigator Engine (DME)
• Real-time signatures technology
• Multi-core CPUs
• Real-time signatures & challenge-response technologies
• StringMatch Engine (SME) RegEx Engine
• Static & user filters
• Full 10Gbps DPI (RegEx) processing

Page 14: Radware Solutions for MSSPs

DDoS Protection: Radware technologies

PPS & Bandwidth flood attacks

• Behavioral based real-time signatures blocking
• SYN Protection (SYN cookies; Web cookies)
• Rate based protections

Connection & application flood attacks

• HTTP & DNS advanced Challenge-Response techniques
• Behavioral based real-time signatures
• Rate based protections

Directed application DoS attacks

• Auto-updated RegEx filters
• Counter attack techniques
• Ad-hoc filters

Overall:

• Widest DDoS attacks coverage out-of-the-box
• Best time to protect: in seconds

Page 15: Radware Solutions for MSSPs

Deployment: Scrubbing center

[Diagram labels: Internet; ISP Core IP Network; Customer A; Customer B; Customer C; Scrubbing center; Attack Mitigation System; DoS protection Service Provider Infrastructure; SOC; Customer Portal; Management & SEM]

Page 16: Radware Solutions for MSSPs

Out-of-path attack mitigation

[Diagram labels: Scrubbing center; Attack Mitigation System; DoS protection Service Provider Infrastructure]

• Operate in asymmetric & symmetric environment
• Full coverage:
  – Packet & BW attacks
  – Application DDoS attacks
  – Directed attacks
• No learning required
• Time to protect: immediate (seconds)

Page 17: Radware Solutions for MSSPs

Built-in reports and alerts engine

APSolute Vision Reports & Alerts

• Most extensive monitoring and reporting engine
• Per customer dashboards
• Per customer reports
• Compliance reports
• Advanced Alerts based on event correlation rules

[Diagram labels: DoS protection Service Provider Infrastructure; Management & SEM]

Page 18: Radware Solutions for MSSPs

Poll question

• What is the main reason customers select your security services?
  – Attack coverage
  – Reporting
  – Price
  – One stop shop – we are their hosting service provider
  – We do not yet provide security services

Page 19: Radware Solutions for MSSPs

Advanced alerts: SOC/NOC alarms

[Diagram labels: SOC; DoS protection Service Provider Infrastructure; Management & SEM]

Alarms shown:

• Customer critical application is under high risk attack
• Attack volume is higher than 1Gbps in past 5 minutes

Provider SOC must be aware of high risk and high importance cases

Page 20: Radware Solutions for MSSPs

Advanced alerts: Show customer SLA

[Diagram labels: DoS protection Service Provider Infrastructure; Management & SEM]

• Demonstrate SLA and ROI
• Automatic customer notification via email

Notifications shown:

Dear customer,
Your site is under high volume attack for more than 1 hour. You are fully protected.
Regards.

Dear customer,
Your booking application has been attacked more than 4 times throughout the day.
Regards.

Page 21: Radware Solutions for MSSPs

Reports & Alerts: easy service integration

APSolute Vision Reporter

• Web interface
• Scheduled Reports and Alerts by email
• Northbound interface via SNMP, SMTP
  – Export Alerts and event logs
• Direct access API to events log database

[Diagram labels: DoS protection Service Provider Infrastructure; Management & SEM; Customer Portal; Portal monitoring view; Historical reports]

Page 22: Radware Solutions for MSSPs

Deployment: SOC & ERT support

[Diagram labels: Scrubbing center; DoS protection Service Provider Infrastructure; Attack Mitigation System; Management & SEM; SOC]

Security Operations Center (SOC)

• Provides weekly and emergency signature updates
• Develops counter attack tools – fighting back!

Emergency Response Team (ERT)

• Provides 24x7 service for backup when customers are under attack
• Product and security experts support

Page 23: Radware Solutions for MSSPs

Radware security expertise : ERT cases (1 of 2)

Radware ERT helped High Council for Telecommunications (TIB) to achieve full protection against Anonymous attacks

• Anonymous group published a poster calling its fans to attack a Turkish government agency
  – Target: High Council for Telecommunications (TIB)
  – When: June 9th (Thursday) 2011 at 6PM
  – Attack tool: Low Orbit Ion Cannon (LOIC)

• Type of attack - Multi-vulnerability campaign:
  – HTTP Get flood attack
  – TCP connection flood on port 80
  – SYN flood attack
  – UDP flood attack

Page 24: Radware Solutions for MSSPs

Radware security expertise : ERT cases (2 of 2)

Radware ERT helped Istanbul police to achieve full protection against Anonymous attacks

• Anonymous group attacks Istanbul police as revenge for the arrest
  – Target: Istanbul police site
  – When: June 13th 2011
  – Attack tool: Low Orbit Ion Cannon (LOIC)

• Type of attack - Multi-vulnerability campaign

“We just watched the attacks and DefensePro easily eliminated the attacks. We didn’t even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn’t feel anything.”

Istanbul Police integrator

Page 25: Radware Solutions for MSSPs

Customer success

Page 26: Radware Solutions for MSSPs

Hosting service provider: in-the-cloud DoS protection

Challenges and Objective

• Protect the SP infrastructure against bandwidth consuming attacks
• Offer their customers value-added DoS protection service

Solution Overview

• DefensePro devices deployed in scrubbing center with the following protection sets:
  – DoS Protection: Prevent high volume and high PPS flood attacks
  – NBA: Prevent Application DDoS attacks

Solution Business Benefits

• Maintain customer business continuity and satisfaction when the network is under attack
• Return on investment within 6 months
• Service profit over 3 years: $1.2M

Customer

• One of the top three IT infrastructure providers in North America delivering Managed, Self-Managed, and Co-location hosting services
• Hosts over 10,000 customers worldwide

Page 27: Radware Solutions for MSSPs

Summary

Page 28: Radware Solutions for MSSPs

What drives the MSSP success? (1 of 2)

• Business: best DDoS attacks coverage
  – Packet and bandwidth flood attacks protection
  – Application DDoS flood attacks protection
  – Directed (low & slow, SSL) attacks protection
  – Short time to protect – in seconds!

• Financial
  – Solution scalability: OnDemand platform
    • Unique pay as you grow approach
    • No forklift upgrades
    • Best performing 10G attack mitigation platforms
  – Lowest CapEx & OpEx
    • Multitude of security tools and SEM in a single solution
    • Out-of-the-box protections

Page 29: Radware Solutions for MSSPs

What drives the MSSP success? (1 of 2)

• Technical
  – Flexible deployment of attack mitigation devices in any environment
    • Symmetric, Asymmetric, no learning.

• Operational
  – Emergency Response Team (ERT) to support your SOC
    • Our commitment to your success
  – Customer centric reporting
    • Integrated SEM with per-customer reports and dashboards

• Marketing
  – The only NSS Recommended Attack Mitigation solution
  – SLA: Short time to protect!
  – SLA: Coverage: protect against emerging DDoS attacks

Page 30: Radware Solutions for MSSPs

Thank You

www.radware.com