d3tlv17- advanced ddos mitigation techniques
Post on 21-Jan-2018
Advanced DDoS Mitigation Techniques
Tomer Shani
Infrastructure Protection Development Group Manager, Imperva
BIO
Three kids, three cats. Three years at Imperva Incapsula.
Various R&D positions, all in the field of networking.
Plan for the worst, only the paranoid survive.
© 2017 Imperva, Inc. All rights reserved. 2
Introduction to DDoS
Distributed Denial of Service
Denial of Service:
• Resource exhaustion
• Exploit: network capacity, infrastructure, compute or applicative weaknesses
• Will eventually lead to the service being unavailable
Why “Distributed”?
• Difficult to track, contain and prevent
• Enabler for mega-scale attacks
Attack Types
Application Layer
• Aimed at specific services
Network Layers 3/4
• Volumetric attack – consuming bandwidth
• PPS attacks – consuming network equipment capacity
• SYN flood/Connection flood – target server’s network stack resources
Introduction to DDoS – Cont.
DDoS is Easy
• Stressers (DDoSers/Booters) will offer to “test” your website; these saints will offer a premium service:
• And in some cases they are very happy to share their method of exploit
Introduction to DDoS – Cont.
Motivation
• Hacktivism
• Vandalism
• Competition
• Extortion
DDoS in the Wild – Challenging Mitigation Resources
[Charts: Volumetric Attacks; PPS Attacks]
DDoS in the Wild – Challenging Mitigation Tactics
Changing Attack Vectors
Pulse Wave DDoS
Challenges in Attack Mitigation
Fast! Time to Mitigation
• Minimal service impact
• An attack that goes through the provider may get the network null-routed
– Minutes of impact may take hours to fix
• Pulse waves
• Changing attack vectors
Latency
• Latency should not degrade when scrubbing is in progress
Volume
• Distribute network capacity
• Equip to handle high PPS attacks and volumetric attacks
Agility
• React to evolving threats in real-time
Under the Hood
[Diagram – Behemoth 2: ALTA switch; sampling (10G); mitigation core; CPU]
[Diagram – PEACE TIME: traffic (400G); DDoS traffic (160G); mitigation core]
[Diagram – WAR TIME: sampled traffic 1:40; attack traffic 16*10G -> 160 Gbps; detection core; mitigation core]
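The diagrams above show traffic sampled at 1:40 being fed to a detection core while the mitigation core stays in line. The following Python sketch is an added example, not code from the talk or from Imperva: it scales 1:40 packet samples back to line-rate estimates and sorts a flooded destination into the three layer-3/4 attack types listed earlier (volumetric, PPS, SYN flood). The 400G, 1:40 and 10G figures come from the slides; the sample records, the addresses and the thresholds are constructed for this example and are not real measurements.

```python
"""Sampling-based layer-3/4 flood detection (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 40      # 1:40 sampling, as on the "WAR TIME" diagram
LINK_GBPS = 400       # line-rate traffic shown on the diagram (400G)


@dataclass(frozen=True)
class Sample:
    """One sampled packet header as a detection core would receive it."""
    dst: str
    proto: str      # "tcp" or "udp"
    length: int     # bytes on the wire
    syn_only: bool  # TCP SYN without ACK (only meaningful for proto == "tcp")


def sampling_link_gbps(link_gbps: float = LINK_GBPS, rate: int = SAMPLE_RATE) -> float:
    """Bandwidth the detection core must ingest for 1:N sampling of the link.
    400G / 40 = 10G, which matches the "Sampling (10G)" label on the diagram."""
    return link_gbps / rate


def estimate_rates(samples, window_s: float, rate: int = SAMPLE_RATE) -> dict:
    """Scale sampled counts by the sampling rate to estimate pps/bps per destination."""
    pkts, bits, syns = defaultdict(int), defaultdict(int), defaultdict(int)
    for s in samples:
        pkts[s.dst] += 1
        bits[s.dst] += s.length * 8
        if s.proto == "tcp" and s.syn_only:
            syns[s.dst] += 1
    stats = {}
    for dst, n in pkts.items():
        stats[dst] = {
            "pps": n * rate / window_s,
            "bps": bits[dst] * rate / window_s,
            "avg_bytes": bits[dst] / 8 / n,
            "syn_ratio": syns[dst] / n,
        }
    return stats


def classify(st: dict, pps_limit: float, bps_limit: float, syn_ratio_limit: float = 0.8) -> str:
    """Map the slide's attack types onto thresholds (thresholds are illustrative).
    A SYN flood is a PPS flood whose packets are almost all bare SYNs; a volumetric
    flood is recognised by bit rate, a PPS flood by packet rate with small packets."""
    if st["syn_ratio"] >= syn_ratio_limit and st["pps"] > pps_limit:
        return "syn_flood"
    if st["bps"] > bps_limit:
        return "volumetric"
    if st["pps"] > pps_limit:
        return "pps"
    return "normal"


def detect(samples, window_s: float, pps_limit: float = 500_000, bps_limit: float = 5e9) -> dict:
    """Run estimation and classification; returns {destination: label}."""
    return {dst: classify(st, pps_limit, bps_limit)
            for dst, st in estimate_rates(samples, window_s).items()}


def build_samples():
    """Constructed one-second window of 1:40 samples (hypothetical addresses)."""
    web = [Sample("198.51.100.5", "tcp", 1000, False)] * 250        # ~10k pps, 80 Mbps
    volumetric = [Sample("203.0.113.10", "udp", 1400, False)] * 25_000  # ~1M pps, 11.2 Gbps
    pps = [Sample("203.0.113.20", "udp", 64, False)] * 50_000           # ~2M pps, ~1 Gbps
    syn = [Sample("203.0.113.30", "tcp", 60, True)] * 30_000            # ~1.2M pps, all SYN
    return web + volumetric + pps + syn


def main():
    print(f"detection core ingest for 1:{SAMPLE_RATE} of {LINK_GBPS}G: {sampling_link_gbps()}G")
    for dst, label in detect(build_samples(), window_s=1.0).items():
        print(f"{dst}: {label}")


if __name__ == "__main__":
    main()
```

The point of the scaling step is that the detection core reasons about the line-rate estimate, not about the sampled counts it sees; the classification order matters because a volumetric flood also exceeds any sensible pps threshold, so bit rate is checked before packet rate, and the SYN ratio is checked first because a SYN flood is otherwise indistinguishable from a generic small-packet PPS flood.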
Performance Challenges
Scaling up the muscle
• Detection Core (Brain): 75% CPU
• Mitigation Core (Muscle): 99% CPU
Heavy Lifting
[Diagram 1 – Behemoth 2: ISP; QFX switch; ALTA switch; sampling; core mitigation (CPU); clean traffic]
[Diagram 2 – Behemoth 2: DDoS traffic; ISP; QFX switch; ALTA switch; sampling; core mitigation (CPU); scrubbed traffic]
[Diagram 3 – Behemoth 2: ISP; QFX switch; ALTA switch; sampling; core mitigation (CPU); clean traffic; scrubbed traffic]