Very Large-Scale Edge DDoS Protection
Sean Newman, Director Product Management
© Corero 2019 www.corero.com

Is DDoS Still on the increase?
[Timeline figure. Axis years: 1993, 2005, 2007, 2009, 2011, 2013, 2015, 2016, 2017, 2018, 2019??. Events labelled on the timeline:]
• First Hacktivists: Zapatista National Liberation Army
• DoS for Notoriety
• Spammers discover botnets
• Estonia: Parliament, banks, media, Estonia Reform Party
• Anon hits Church of Scientology
• Coordinated US bank attacks: Grew to 200 Gbps, and continue today
• Spamhaus attack: Reported to reach 310 Gbps
• ProtonMail attack
• 500 Gbps Hong Kong attack
• France swarmed after terror attack
• PlayStation & Xbox hit at Christmas
• Rio Olympics 540 Gbps
• Mirai Botnet OVH / Krebs / DYN 600 Gbps -> 1 Tbps
• Reaper Botnet 2M Devices
• Memcached GitHub 1.35-1.7 Tbps

DDoS Evolution in 2018
• High Bandwidth
  – memcached exceeds 1 Tbps, routinely >100 Gbps
• Botnets
  – Mirai (and its many known variants)
  – IoT (100s of Millions of easy to recruit devices)
• Multivector
  – 10+ vectors, Additive + Variation + Spray/Subnet
• Booter/Stresser Services
  – the “10 minute” attack and pulsed attacks

Frequent DDoS Trend Continues…
Corero H1 2018 Trend Report: https://www.corero.com/resources/reports/h1-ddos-trends-report/
77% 94%740%

SP/Telco DDoS Scrubbing Protection
[Network diagram. Labels:]
• SP (three upstream providers)
• DDoS attacks arriving from transit/peering
• ingress from transit/peering
• Service Provider
• Netflow Detect (out-of-band)
• egress to subscribers
• DDoS victims
• Good traffic destined for subscribers

SP/Telco DDoS Scrubbing Redirect
[Network diagram. Labels:]
• SP (three upstream providers)
• DDoS attacks arriving from transit/peering
• ingress from transit/peering
• Service Provider
• Netflow Detect (out-of-band)
• BGP redirect
• Scrubbing Capacity (<10% edge capacity)
• Good traffic tunneled to edge or cust
• egress to subscribers
• Good traffic destined for subscribers
note: Some Providers will have multiple scrubbing centers for Geos, redundancy, backhaul reasons.

SP/Telco Large DDoS Attack Blackhole
[Network diagram. Labels:]
• SP (three upstream providers)
• Large DDoS attack from transit/peering
• ingress from transit/peering
• Service Provider
• Netflow Detect (out-of-band)
• BGP RTBH
• Scrubbing Capacity (<10% edge capacity)
• Good traffic blocked by blackhole
• egress to subscribers
• Customer offline for attack Duration
note: Some Providers will have multiple scrubbing centers for Geos, redundancy, backhaul reasons.

Scrubbing Approach Increasingly Challenged
[Chart. Axes: Size of Attack, Number of Attacks. Series: Attacks. Zones: Scrubbing Zone, Blackhole Zone. Callouts:]
• Partial Protection (needs to be >10%)
• Provider RTBH Mitigation
  – Manual instantiation of blackholes with target offline for duration of attack
• Provider Edge Capacity
  – 100s of Gbps to multiple Terabits/sec
• Provider Scrubbing Capacity
  – More attacks mitigated with Blackhole
  – Scrubbing capacity needs to increase

Scrubbing Redirect Challenges
• Flow Monitoring
  – Aggregation delay
  – Attack overload
  – Header only
• BGP/RTBH/FlowSpec
  – BGP propagation
  – Header only
  – Limited visibility
• Sampled Mirror
  ▪ Immediate forwarding
  ▪ Scales with attack
  ▪ Header and payload
• ACL Filters
  ▪ Rapid configuration
  ▪ Header and payload
  ▪ Streaming telemetry

New Opportunity for Edge Mitigation
[Diagram. Labels:]
• NOC/SOC
  – Monitor
  – Inspect
  – Detect
  – Report/Signal
  – Mitigate
• Sampled Mirror (tuple + payload)
• Filter Generation (tuple + payload)
• Network Edge: Ingress Traffic, Egress Traffic
  – Sampled Mirror (1:N)
  – Dynamic Filter (tuple + payload)
  – Streaming Telemetry
• Seconds: Detection, Mitigation
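
The monitor, detect and mitigate loop on this slide, as an added Python example that is not from the Corero deck or any product: 1:N mirrored samples are scaled back to a rate estimate per victim and source port, and a tuple-plus-payload discard filter with a unique ID is generated. The mirror ratio, window, trigger threshold, payload offset, filter fields and all sample packets are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import count

SAMPLE_N = 1000              # assumed 1:N mirror ratio
WINDOW_S = 1.0               # assumed detection window, seconds
TRIGGER_BPS = 1_000_000_000  # assumed per-victim trigger: 1 Gbps
SIG_OFFSET, SIG_LEN = 8, 6   # assumed payload slice compared across samples
_filter_ids = count(1)       # unique ID per generated filter

@dataclass(frozen=True)
class Sample:                # one mirrored packet: tuple + payload
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    length: int
    payload: bytes

def generate_filters(samples):
    """Return discard filters for (victim, proto, source port) groups over the trigger."""
    groups = defaultdict(list)
    for s in samples:
        groups[(s.dst_ip, s.proto, s.src_port)].append(s)
    filters = []
    for (dst, proto, sport), pkts in sorted(groups.items()):
        # Each sample stands for SAMPLE_N packets on the wire.
        est_bps = sum(p.length for p in pkts) * 8 * SAMPLE_N / WINDOW_S
        if est_bps < TRIGGER_BPS:
            continue
        sigs = {p.payload[SIG_OFFSET:SIG_OFFSET + SIG_LEN] for p in pkts}
        rule = {"id": next(_filter_ids), "dst": dst, "proto": proto,
                "src_port": sport, "action": "discard", "est_bps": int(est_bps)}
        # Add a payload match only when every sample agrees, so the filter is
        # narrower than the bare tuple and spares legitimate traffic.
        if len(sigs) == 1 and len(next(iter(sigs))) == SIG_LEN:
            rule["payload"] = {"offset": SIG_OFFSET, "bytes": next(iter(sigs))}
        filters.append(rule)
    return filters

def constructed_samples():
    """Constructed data: 120 memcached-style reflection samples plus 30 web samples."""
    attack = [Sample(f"198.51.100.{i % 50}", "203.0.113.10", "udp", 11211, 1400,
                     bytes([0, i % 256, 0, 0, 0, 1, 0, 0]) + b"VALUE k 0 1000\r\n")
              for i in range(120)]
    web = [Sample("192.0.2.7", "203.0.113.20", "tcp", 443, 1200,
                  b"\x17\x03\x03" + bytes(20)) for _ in range(30)]
    return attack + web
```

On the constructed data, only the UDP source-port 11211 flood toward 203.0.113.10 crosses the trigger; the web traffic to the second address produces no filter.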

Full Edge Capacity Mitigation
[Chart. Axes: Size of Attack, Number of Attacks. Series: Attacks. Zones: Provider Edge Mitigation Zone, Scrubbing Zone, Blackhole Zone. Callouts:]
• Provider Edge Mitigation
  – Leverage real-time data and analytics to deliver intelligent automation
• Provider Edge Capacity
  – 100s of Gbps to multiple Terabits/sec
• <1% of attacks need to be blackholed
• Provider Scrubbing Capacity
• >90% attacks mitigated at Provider Edge
• <10% redirected to scrubbing
• Scales to Tens of Terabits of DDoS Protection
• 100% Edge Protection

Provider Edge DDoS Protection
[Network diagram. Labels:]
• Internet
• SP (three upstream providers)
• DDoS Attacks arriving from transit/peering
• ingress from transit/peering
• Service Provider
• NETCONF
• egress to subscribers
• Good traffic to edge or customer

Example Edge Filtering with Juniper MX
• Matching Firewall-type rules with defined actions:
• Filters entered manually, or programmatically via NETCONF API
• Unique ID for each filter provides statistics via remote telemetry

Summary
• DDoS as a whole still on the Increase
  – Attack Methods/Vectors more Sophisticated
  – Emerging trend for increase in proportion of larger attacks
• Traditional Scrubbing/RTBH Protection is inadequate
  – Typically too slow to react to avoid damage, or completes attack
  – Wastes core network bandwidth backhauling junk DDoS traffic
• New Opportunity for Protection on Network Edge Devices
  – Leverage built-in power of latest infrastructure devices
  – No need to insert new devices at every ingress point
  – Deliver always-on protection at edge capacity up to unprecedented scale
  – Can operate as an overlay to existing scrubbing centers
  – Deploy filters automatically from DDoS protection solution

Questions?

Thank You!