agenda - veracomp
TRANSCRIPT
Agenda
DDoS Hybrid Defender / Silverline
DDoS Challenges
DDoS Attack Trends
DDoS attacks are easy to launch. Freely available tools include:
• hping3
• nmap
• Low Orbit Ion Cannon (LOIC)
• High Orbit Ion Cannon (HOIC)
• killapache.pl
• slowloris
• metasploit
• slowhttptest
• RussKill
• Pandora
• Dirt Jumper
• PhantomJS
Multiple Vulnerable Points: Attacks target the network, WAN bandwidth, and applications.
Sophisticated and Targeted: Multi-vector attacks can hide within encrypted payloads.
Good Versus Bad Traffic: It is difficult to distinguish the good from the bad.
DDoS Hybrid Defender
Accurate Detection
Ultra-Fast Mitigation
Full Protection on All Fronts
Accurate Detection
Comprehensive DDoS protection, tightly integrated on-premises and in the cloud.
1. Machine Learning: Learns normal traffic baselines.
2. Stress Monitoring: Detects abnormal server stress.
3. Dynamic Signatures: Identifies bad traffic and bad actors.
4. Attack Mitigation: Shuns bad traffic automatically.
DDHD Configuration Options
• Device protection
• Protected objects
• Protection profiles
• Auto discover
• Eviction Policy
• Attack vectors
(D)DoS Attack Vectors
• Manual Configuration
• Detection / Reporting only
• Auto-Threshold (Learning)
• Dynamic Attack Signatures
• Bad Actor and Attacked Destination Detection
• Ability to initiate BGP Blackhole, Redirect, Flowspec
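The auto-threshold (learning) and bad-actor items above, made concrete in a short Python model. This is an added example and not F5 or DDHD code: it derives a per-second SYN threshold from a learning window (mean plus three standard deviations, with a floor so a quiet baseline does not produce a hair-trigger), raises an alert when the aggregate rate exceeds that threshold, and flags the sources that account for a disproportionate share of that second's SYNs. The packet log, the documentation-range addresses, the 10-second learning window and the 20% share cutoff are all constructed assumptions.

```python
"""Auto-threshold baseline plus bad-actor detection over a SYN log.

Added example (not F5 / DDHD code). Mirrors the slide's idea of learning a
normal baseline, alerting on abnormal rates, and naming bad actors. All
data below is constructed; the addresses are documentation ranges.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

LEARNING_SECONDS = range(0, 10)     # assumed learning window
FLOOD_SECONDS = range(10, 13)       # assumed attack window


def constructed_syn_log():
    """(second, source_ip) for each TCP SYN observed. Constructed sample."""
    normal = [f"203.0.113.{i}" for i in range(1, 21)]
    log = []
    for t in range(13):
        # baseline: 15-19 distinct sources send one SYN each per second
        for src in normal[:15 + t % 5]:
            log.append((t, src))
        if t in FLOOD_SECONDS:
            # two sources flood at 500 SYN/s each (the slide's 100K PPS
            # scaled down so the sample stays small)
            for _ in range(500):
                log.append((t, "198.51.100.7"))
                log.append((t, "198.51.100.8"))
    return log


def per_second_counts(log):
    """second -> Counter(source_ip -> SYN count)."""
    counts = defaultdict(Counter)
    for t, src in log:
        counts[t][src] += 1
    return counts


def learn_threshold(counts, learning_seconds, k=3.0, floor=50):
    """Auto-threshold: mean + k*stddev of the aggregate rate seen while
    learning, never below `floor` (a quiet baseline must not hair-trigger)."""
    rates = [sum(counts[t].values()) for t in learning_seconds]
    return max(floor, mean(rates) + k * pstdev(rates))


def detect(counts, threshold, bad_actor_share=0.2):
    """second -> (aggregate SYN rate, [bad actors]) for every second whose
    aggregate rate exceeds `threshold`. A bad actor is a source responsible
    for at least `bad_actor_share` of that second's SYNs."""
    alerts = {}
    for t in sorted(counts):
        total = sum(counts[t].values())
        if total <= threshold:
            continue
        bad = [src for src, n in counts[t].most_common()
               if n / total >= bad_actor_share]
        alerts[t] = (total, bad)
    return alerts


def run_example():
    counts = per_second_counts(constructed_syn_log())
    threshold = learn_threshold(counts, LEARNING_SECONDS)
    return threshold, detect(counts, threshold)


if __name__ == "__main__":
    thr, alerts = run_example()
    print(f"learned threshold: {thr:.1f} SYN/s")
    for t, (rate, bad) in alerts.items():
        print(f"t={t}: {rate} SYN/s, bad actors: {bad}")
```

The aggregate check runs before the per-source check on purpose: a spoofed SYN flood spreads its packets over random source addresses, so no single source ever reaches the share cutoff and the aggregate threshold (or, on the product, a dynamic signature) is the only signal. Whether an alert is reported only or fed into a block list is the "Detection / Reporting only" versus mitigation choice in the list above.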
Ultra-Fast Mitigation
Intelligent Mitigation: Intelligent techniques determine good versus bad traffic, automatically blocking the bad without impacting the good.
Application Inspection: Low and slow, application-specific attacks need deep application layer analysis.
Real-Time Decryption: High performance, scalable SSL/TLS decryption services give visibility into encrypted attacks.
Full Protection on All Fronts
Application Protection: Leverages SSL/TLS inspection to defend against L7 DoS with behavioral analysis.
Network Protection: Multiple techniques: a statistical method to baseline 3000+ L3/4 metrics, auto-thresholds, and IP reputation feeds.
Bandwidth Saturation: Diverts traffic to F5 Silverline for cloud-based scrubbing when the volume threatens to saturate the WAN link.
Layer 7 Defenses
• Bot detection
• SSL/TLS inspection
• Low and slow attack discovery
• Heavy URL detection
Application Protection
Zero-Day Protection
• Behavior Analysis: Machine Learning algorithms to profile normal traffic.
• Auto Threshold: Machine Learning algorithms to generate thresholds for static vectors.
No Touch Defenses
DoS Prediction
• Stress Computation: Accurate assessment of the DoS condition significantly reduces false positives.
• Take action before the attack can disrupt services.
Flexible Deployment Models
• Cloud-delivered
• On-premises, in-line, or out-of-band
• Hybrid with appliances and F5 Silverline
[Diagram: DDoS Hybrid Defender deployment modes. Out-of-band: a switch mirrors traffic to BIG-IP via a SPAN port, or exports NetFlow to BIG-IP. In-line: BIG-IP as a VLAN group (VLAN 1 / VLAN 2), in routed mode (Subnet 1 / Subnet 2), or as a virtual wire (VLAN 1 / VLAN 1).]
[Diagram: hybrid topology. F5 Silverline in the cloud, Telco Router, Enterprise Router, and DDoS Hybrid Defender appliances at the Core / Internet Edge and in the Data Center.]
F5 Silverline
F5 Security Operations Center (SOC) is available 24x7x365, with security experts ready to respond to DDoS attacks and build WAF policies within minutes:
• Seattle, WA, U.S.
• Warsaw, PL
Fully redundant and globally distributed data centers:
• San Jose, CA, U.S.
• Ashburn, VA, U.S.
• Frankfurt, DE
• Singapore, SG
• London, UK
• Scrubbing capacity of over 2.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers
Always On: primary protection as the first line of defense.
Always Available: primary protection available on-demand.
Two Ways to Direct Traffic to Silverline Scrubbing Centers
• BGP (Border Gateway Protocol) routed mode
• DNS proxy mode
Multiple Ways to Return Clean Traffic
• L2VPN / virtual Ethernet
• GRE tunnels
• Proxy
F5 Silverline – Routed Mode
[Diagram: Silverline routed mode, with BGP redirection inbound and a GRE tunnel for the clean return path.]
1. A client (86.75.30.9) opens a TCP connection: SYN, SRC 86.75.30.9:27182, DST 1.2.3.4:80. A second client (69.86.73.76) does the same: SRC 69.86.73.76:4243, DST 1.2.3.4:80.
2. The customer admin makes a BGP configuration change on the customer router: withdraw the advertisement for 1.2.3.0/24.
3. BGP route advertisement: the F5 route for 1.2.3.0/24 becomes preferred, so Internet traffic for the prefix is routed to F5 Silverline DDoS Protection.
4. Clean traffic is returned via a GRE tunnel from the F5 router, across the customer/ISP transit network and ISP router, to the customer router and the customer's data center (hosts 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7).
5. The server responds: SYN-ACK, SRC 1.2.3.4:80, DST 86.75.30.9:27182.
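Routed mode, as an added example in Python rather than F5's or Silverline's own code. It models the two mechanisms on the slide: a transit router's BGP best-path choice (shortest AS_PATH in this simplified model) that flips to the F5 advertisement once the customer withdraws 1.2.3.0/24, and the RFC 2784 GRE encapsulation that returns the scrubbed client SYN to the customer router with the original addresses and ports intact. The ASNs (64500 customer, 64501 F5) and the tunnel endpoints (192.0.2.1 F5 router, 192.0.2.2 customer router) are assumptions; the slide names neither.

```python
"""Silverline-style routed mode: BGP redirection plus GRE return path.

Added example, not F5 or Silverline code. Section 1 models the transit
router's view of the customer prefix; section 2 builds real IPv4/TCP/GRE
bytes (RFC 791, 793, 2784) so the return-path encapsulation can be checked.
ASNs and tunnel endpoints are assumptions, not values from the slide.
"""
import struct
from ipaddress import ip_address

CUSTOMER_AS, F5_AS = 64500, 64501                        # assumed private ASNs
F5_ROUTER, CUSTOMER_ROUTER = "192.0.2.1", "192.0.2.2"    # assumed tunnel ends
PREFIX = "1.2.3.0/24"


# ---- 1. BGP best path as a transit router would see it ----------------
class TransitRib:
    """prefix -> {origin: as_path}. Best path = shortest AS_PATH; LOCAL_PREF
    and the later tie-breakers are assumed equal in this model."""
    def __init__(self):
        self.routes = {}

    def advertise(self, prefix, origin, as_path):
        self.routes.setdefault(prefix, {})[origin] = list(as_path)

    def withdraw(self, prefix, origin):
        self.routes.get(prefix, {}).pop(origin, None)

    def best(self, prefix):
        cands = self.routes.get(prefix, {})
        return min(cands, key=lambda o: len(cands[o])) if cands else None


# ---- 2. Packet construction and parsing --------------------------------
GRE_PROTO, ETHERTYPE_IPV4, TCP_PROTO, SYN = 47, 0x0800, 6, 0x02


def checksum(data):
    """RFC 1071 ones-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp(src, dst, sport, dport, flags, seq=0, ack=0):
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = (ip_address(src).packed + ip_address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(seg)))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def gre_encap(outer_src, outer_dst, inner):
    """Outer IPv4 (proto 47) + 4-byte GRE header (no C/K/S bits, version 0)."""
    return ipv4(outer_src, outer_dst, GRE_PROTO,
                struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)


def gre_decap(pkt):
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0xB007 or ptype != ETHERTYPE_IPV4:  # C, K, S bits or version != 0
        raise ValueError("unsupported GRE header")
    return payload[4:]


def run_example():
    rib = TransitRib()
    rib.advertise(PREFIX, "customer", [CUSTOMER_AS])
    rib.advertise(PREFIX, "f5", [F5_AS, CUSTOMER_AS])
    before = rib.best(PREFIX)            # customer's own route is shorter
    rib.withdraw(PREFIX, "customer")     # the admin's BGP change on the slide
    after = rib.best(PREFIX)             # F5 route is now the preferred one

    # The client SYN from the slide reaches Silverline, survives scrubbing
    # and is handed back to the customer router inside GRE.
    client_syn = ipv4("86.75.30.9", "1.2.3.4", TCP_PROTO,
                      tcp("86.75.30.9", "1.2.3.4", 27182, 80, SYN))
    tunneled = gre_encap(F5_ROUTER, CUSTOMER_ROUTER, client_syn)
    outer_src, outer_dst, _, _ = parse_ipv4(tunneled)
    inner = gre_decap(tunneled)
    src, dst, _, seg = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", seg[:4])
    return {"best_before": before, "best_after": after,
            "outer": (outer_src, outer_dst),
            "inner": (src, sport, dst, dport, seg[13]),
            "inner_unchanged": inner == client_syn,
            "overhead_bytes": len(tunneled) - len(client_syn)}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Two things worth checking against this model in a real deployment: the GRE return path adds 24 bytes (outer IPv4 plus the GRE header) to every packet, so the tunnel path must carry that MTU or the customer side needs a lower MSS; and only the inbound direction is tunneled here, so if replies such as the SYN-ACK on the slide leave the data center directly, the path is asymmetric and stateful devices on the ISP side see only one direction of each connection.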
DDHD Testing POC
Attack vector      Target    Rate
DNS garbage flood  DNS Srv   200 Mbps and higher
SYN flood          WEB Srv   100K PPS
ICMP flood         SMTP Srv  400 Mbps
HTTP GET flood     WEB Srv   100K RPS
• Realistically assess your DDoS protection readiness
• Identify weak points and improve your protection level
• Increase your confidence level for the day of a real attack
• Application floods vs network floods
Test scenarios:
• DNS garbage flood
• TCP SYN / ICMP / HTTP GET flood
• Silverline redirection
With F5 you get Full Protection on All Fronts
• Network Protection: multiple techniques, including a statistical method to baseline 3000+ L3/4 metrics, auto thresholds, and IP reputation feeds.
• Application Protection: leverages SSL inspection to defend against L7 DDoS with behavioral analysis.
• WAN Bandwidth Saturation: Silverline protection, including signaling from on-premises devices.
F5 DDoS Hybrid Defender
• (6) Virtual switch
• (8) Routed mode
• (2) ERSPAN