COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1
Agenda
• Advanced DDoS Trends
• Next Generation DDoS Protection

Security Portfolio
ENTERPRISE
SERVICE PROVIDER
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY
Traffic Visibility Arbor SP
DDoS Mitigation Arbor TMS
Cloud Services Arbor CLOUD
DDoS Protection Arbor APS

THE VALUE OF NETWORK VISIBILITY
Network Visibility underpins everything we do at Arbor
Amount of Internet traffic monitored by the ATLAS: 1/3 Internet
Global Network Analysis: 140 Tbps / 300+ ISP
Honey Pots
INTERNET VISIBILITY
• Internet Health
• DDoS Attacks
• Threat Tracking
MALWARE DETECTION
• Real-time Behavior
• Family Focus
BOTNET MONITORING
• Sinkhole
• Infiltration/Activity Monitoring
Advanced DDoS Attacks
§ Growing frequency and complexity of DDoS attacks:
• Multi-vector
• Micro Burst
• IoT (inside and out)
APT Campaign
§ Growing frequency and complexity of Advanced Persistent Threats
• Phishing
• Ransomware

IoT Timeline (2016 to 2018)
DDoS Meets Ransomware
• DDoS discovered in Cerber ransomware
• Atypical, because DDoS hackers don’t focus on other malware forms and vice versa
• Could only DoS the local network
• Indicates interest in launching DDoS within the enterprise

IoT Timeline (2016 to 2018)
DDoS + IoT = Massive Attacks
• Aug.: 540 Gbps sustained attack on Rio Olympics from opening to closing ceremony (Lizardstresser)
• Sep. 20: 620 Gbps attack on KrebsOnSecurity (Mirai)
• Sep. 21: 990 Gbps attack on OVH (Mirai)
• Oct. 21: Three attacks on Dyn’s Managed DNS (Mirai)

IoT Timeline (2016 to 2018)
First Multi-Platform IoT Seeder
• New Mirai Windows seeder targets IoT
• Mirai continues to evolve

IoT Timeline (2016 to 2018)
Reaper: Default Passwords No More
• Based on Mirai
• 10-20K IoT bots
• Additional 2M IoT devices scanned but not subsumed
• Believed to be a Chinese criminal underground DDoS-for-hire tool
• Exploited OS security flaws, not default usernames & passwords

IoT Timeline (2016 to 2018)
Memcached DDoS
• Record Breaking
• Combined with IP spoofing, the result is a 1.7Tbps attack

IoT Timeline (2016 to 2018)
What’s Next?
• Larger, more complex, more frequent attacks for sure
• DDoS + Ransomware + IoT + Multi-Platform = Internally Launched Attacks

7,7 Million
Estimated 7,7 million (mostly vulnerable) IoT devices are connected to the Internet EVERY day. (Gartner report Feb. 2017)
During this presentation, approx. 160,000 new IoT devices will go online

1:500.000
1:500.000 is the theoretical DDoS amplification factor for the Memcached service
Lab test: 1:516.436

The Memcached DDoS Reflection Attack
from scapy.all import *
import binascii
# cmd = "get a a a a a a a a a a a a a a a a a a a a a a a … <729 times>"
payload=binascii.unhexlify('0001000000010000676574206120612061206120612061206120612061206120…
pkt=Ether()/IP(src="10.1.138.170",dst="172.17.10.103")/UDP(sport=80,dport=11211)/payload
sendp(pkt, iface="eth1", loop=0,verbose=False)
Attacker sends 1 packet
Reflector sends 536,302 packets = 6.2Gb

31,4%
31,4% of Internet ASNs allow spoofed traffic to originate from their networks. (CAIDA Spoofer project)

1,7 Tbps
1.7 Tbps is the size of the largest DDoS attack in history (Memcached DDoS Reflection attack, February 25th 2018)

Not Just Amplification/Reflection Attack
Attack Vectors:
◦ SYN-flooding
◦ ACK-flooding
◦ UDP flooding
◦ Valve Source Engine (VSE) query-flooding
◦ GRE-flooding
◦ Pseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks)
◦ HTTP GET, POST and HEAD attacks
◦ The Mirai Botnet is capable of launching complex multi-vector attacks.

Application-Layer Attacks
• New Tail Attacks delay applications rather than shut them down (LSU & Ga Tech)
• Every 100ms delay equates to a 1% loss in sales (Amazon)
• 1s Delay (Aberdeen Group)
– 11% ↓ in page views
– 7% ↓ in ecommerce sales conversions
– 16% ↓ in customer satisfaction

DDoS Attack Trends - Frequency
Fact: DDoS Attacks Increasing in Frequency.

DDoS Attack Trends - Duration
Fact: Most DDoS attacks are short in duration.
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends - Size
Fact: Most DDoS attacks are small. (88% less than 2 Gbps)
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report, ATLAS data

DDoS Attack Trends - Complexity
Fact: The modern day DDoS attack is complex; dynamic multi-vector.
Mirai Botnet is a Modern Day Multi-Vector Attack
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, Legitimate Traffic]
Volumetric Attacks
◦ Large (up to 800 Gbps)
◦ Saturates links
TCP State-Exhaustion Attacks
◦ Crashes stateful devices (Load balancers, firewalls, IPSs)
Application Layer Attacks
◦ Low and Slow, Stealth attacks
◦ Crashes application servers
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends
Fact: The impact of a DDoS attack can be immediate and severe.
Penalties:
§ Organizations in breach of GDPR can be fined up to (max) 4% of annual global turnover or €20 Million (whichever is greater).
§ It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

To Stop Large Attacks….
Recall: DDoS Attacks exceeding Internet bandwidth:
§ 41% of Enterprises
§ 61% of Data-center Operators
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, DDoS Protection, Attack Traffic, Application Servers]
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

Your only option is the Cloud
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, DDoS Protection, Cloud-based Mitigation, DDoS Protection, Attack Traffic, Clean Traffic]
Increase in Demand for Managed DDoS Protection Services
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

To Stop the Smaller, Majority of Attacks….
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, Attack Traffic]
§ Recall:
§ Vast majority of DDoS attacks are small (e.g. less than 2 GB)
§ And last for short duration of time (e.g. less than 1 hr)
§ Yet they still can be multi-vector (e.g. 67%)
§ These attacks are difficult for ISP/MSSP to detect.

You Should Deploy On-Premises Protection
[Diagram labels: The Internet, BotNet, Your ISP, Firewall, Your Data Center, DDoS Protection, Attack Traffic]
§ Put DDoS protection on-premises.
§ In front of most critical data centers/applications.
§ Customize policies for applications running in those datacenters.
§ Install in front of firewalls to protect them from TCP-state exhaustion attacks.

Stopping The Modern Day DDoS Attack Requires Layered, Automated Protection
A Recommended Industry Best Practice:
1 Automatically stop application layer DDoS attacks on premises.
2 Automatic, intelligent communication between on-prem and in-cloud protection to address dynamic attack vectors.
3 Stop large attacks In-Cloud.
4 Backed by continuous threat intelligence.
[Diagram labels: The Internet, Your (ISP’s) Network, Your Data Centers/Internal Networks, Volumetric Attack, Application Attack, Scrubbing Center, DDoS Protection]

Defending Against Insider Threats
• These Security Best Practices include:
– Updating the software on all devices on a regular basis.
– Implementing full network segmentation and hardening (or isolating) vulnerable network devices and services.
– Developing a DDoS attack mitigation process.
– Utilizing flow telemetry to analyze external and internal traffic. This is necessary for attack detection, classification and trace back.
– Deploying multi-layered DDoS protection.
– Scanning for misconfigured and abusable services, including NTP, DNS and SSDP services, which can be used for amplification attacks.
– Implementing anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding, ACLs, DHCP Snooping & IP Source Guard on all edge devices.

Agenda
• Advanced DDoS Trends
• Next Generation DDoS Protection

Hybrid DDoS mitigation
A Recommended Industry Best Practice:
1 Stop session exhaustion and application layer DDoS attacks
2 Intelligent communication between both environments
3 Stop volumetric attacks In-Cloud
[Diagram labels: Customer, Internet, State & Application, Service Provider, Volume, Scrubbing Center]

Improving Hybrid DDoS mitigation
1 How to deploy CPE-based protection for the masses?
How to scale to Terabit attacks?
How to make this communication open and widely supported?
[Diagram labels: Customer, Internet, State & Application, Volume, Scrubbing Center, Service Provider, numbered markers 1, 2, 3]

MSSP view on CPE-based DDoS protection
A growing business, but…
• Shipment of the appliance or installation of the VM
• Rack&Stack, configuration and provisioning
• Maintenance
It does not look like those problems are specific to DDoS mitigation appliances.

Cloud CPE or Telco Cloud Universal CPE
• DDoS VNF is deployed in the Telco Cloud along with other VNFs
• DDoS VNF runs at the edge of enterprise network on the CPE
DDoS function as a VNF
[Diagram labels: Customer, Internet, Telco Cloud, Service Provider]
Demonstrates Arbor’s market and thought leadership

DDoS VNF onboarding experiences
• Onboarding of DDoS VNF into MANO is easy
– If you don’t have HW dependency (offload of forwarding or filtering to ASIC/NPU/FPGA)
– If you support cloud-init and REST API
• Performance is predictable
• Scaling in Cloud CPE mode is easy
– You control the compute resource
• Healing is also easy
– … because it is “merciful killing”
• Enabling operators to integrate Arbor’s solutions into orchestrated service delivery platforms

DDoS Open Threat Signaling (DOTS)
The documents are in the final stage:
• The informational documents are mature and will be RFCs soon,
• The protocol documents are stabilizing, and have been used as references for working implementations:
– 4 implementations exist, one of them is open source
• DOTS protocols may reach RFC status in the calendar year.
From https://datatracker.ietf.org/meeting/93/materials/slides-93-dots-3/

DOTS: how it works?
[Diagram labels: DOTS client, DOTS server, Signal channel, Data channel (optional), Attack Victim, Mitigator, Mitigation Request, Mitigation Update, Aliases, BW lists, Filters, Policies, In scope of DOTS, Out of scope of DOTS]

Automation of FlowSpec
Rate-limit Amplification DDoS
[Diagram labels: DDoS, Memcached Amplification, Scrubbing center]
Protocol: UDP; SRC port: 11211; DST IP: victim/32; Action: rate-limit to 0
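Added example (not part of the original slides and not Arbor's implementation): a sketch of how flow telemetry can drive the FlowSpec rule on this slide, by summing UDP traffic with source port 11211 per destination and emitting the slide's match and action fields once a threshold is crossed. The flow records, the 100 Mbps threshold and all function names are assumptions made for the example, and it generalizes the slide's victim/32 to /128 for IPv6 destinations.

```python
from collections import defaultdict
from ipaddress import ip_address

UDP = 17                 # IP protocol number
MEMCACHED_PORT = 11211   # reflected replies carry this as their UDP source port

# Constructed flow records for one 60-second export window (not real telemetry).
# Addresses come from the documentation ranges; byte counts are invented.
SAMPLE_FLOWS = [
    {"src": "198.51.100.10", "dst": "203.0.113.5", "proto": 17, "sport": 11211, "dport": 80, "bytes": 3_000_000_000},
    {"src": "198.51.100.77", "dst": "203.0.113.5", "proto": 17, "sport": 11211, "dport": 80, "bytes": 2_250_000_000},
    {"src": "192.0.2.44", "dst": "203.0.113.5", "proto": 17, "sport": 11211, "dport": 80, "bytes": 2_250_000_000},
    # Small reply from a cache to its own client: same port, far below threshold.
    {"src": "192.0.2.200", "dst": "203.0.113.8", "proto": 17, "sport": 11211, "dport": 40112, "bytes": 40_000},
    # TCP memcached and unrelated UDP must not be counted.
    {"src": "192.0.2.200", "dst": "203.0.113.8", "proto": 6, "sport": 11211, "dport": 40113, "bytes": 900_000_000},
    {"src": "192.0.2.53", "dst": "203.0.113.5", "proto": 17, "sport": 53, "dport": 33000, "bytes": 12_000},
]


def detect_memcached_reflection(flows, window_s=60, threshold_bps=100_000_000):
    """Return one finding per destination whose inbound UDP/11211 rate
    over the window meets the (assumed) threshold."""
    bytes_in = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f["proto"] == UDP and f["sport"] == MEMCACHED_PORT:
            bytes_in[f["dst"]] += f["bytes"]
            reflectors[f["dst"]].add(f["src"])
    findings = []
    for dst, total in sorted(bytes_in.items()):
        bps = total * 8 // window_s
        if bps >= threshold_bps:
            findings.append({"victim": dst, "bps": bps,
                             "reflectors": len(reflectors[dst])})
    return findings


def flowspec_rule(victim):
    """Build the slide's rule as a neutral dict: UDP, source port 11211,
    destination victim host route, rate-limit to 0. In BGP FlowSpec
    (RFC 5575) a traffic-rate of 0 discards the matching traffic."""
    addr = ip_address(victim)
    return {
        "protocol": "udp",
        "source-port": MEMCACHED_PORT,
        "destination": f"{addr}/{addr.max_prefixlen}",
        "traffic-rate": 0,
    }


def rules_for(flows, **kwargs):
    """Detection and rule generation in one step."""
    return [flowspec_rule(f["victim"])
            for f in detect_memcached_reflection(flows, **kwargs)]


if __name__ == "__main__":
    for finding in detect_memcached_reflection(SAMPLE_FLOWS):
        print(finding, "->", flowspec_rule(finding["victim"]))
```

The rule drops every UDP packet with source port 11211 toward the victim, so a host that legitimately receives memcached replies over UDP across the same edge would lose them while the rule is active.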

Automation of FlowSpec
Offload blocking of identified bots
[Diagram labels: DDoS, Scrubbing center, UDP to random ports, Non-spoofed TCP attacks, Application layer attacks]
Protocol: UDP; DST IP: victim/32; Action: redirect to IP
SRC IP: identified bot; DST IP: victim/32; Action: rate-limit to 0

Future of network integration
• Better scalability for FlowSpec support
– More FlowSpec rules supported in Control and Data plane
• More granular redirection rules and rate limiting policies using FlowSpec interface-set
– draft-ietf-idr-flowspec-interfaceset-03
• Consistent approach to reporting on FlowSpec rules
– A lot of proprietary options available
– Is there a consensus on using netflow with egress_interface == 0 for dropped traffic?
– Will OpenConfig or YANG models be adopted?
• https://tools.ietf.org/html/draft-wu-idr-flowspec-yang-cfg-02
• Tighter integration with network equipment to offload additional blocking rules

Thank You.
www.netscout.com
Patrick Lin