software-defined ddos mitigation platform · dedicated hardware platforms - 100g+ performance can...
TRANSCRIPT
Software-defined DDoS mitigation platform
Start to protect your infrastructure with software, carrier-grade.
Today DDoS attacks are one of the most important
threats to data centers and carriers, causing
major downtimes and customers dissatisfaction.
The are many reasons behind the DDoS attacks.
Initially, they were motivated politically or
ideologically, but in recent years, more and more
ad-hoc attacks have been observed. This new
cyber threat is known as „crime-as-a-service”
or CaaS. There are websites operated by criminal
groups on which users can rent botnets, consisting
of millions of infected devices, in exchange for a
small fee. With just few clicks, anyone can carry
out an attack and devastate the victim’s network
infrastructure.
Recent IoT vulnerabilities and rise of new type
of botnets, like Mirai, allowed attackers to enter
terabit-scale era, threatening even the largest
carriers and data centers.
redGuardian is a carrier-grade, software-defined DDoS mitigation platform, ready to handle fast moving,
terabit scale attacks, including IoT-based threats. redGuardian provides a first layer of network security
and allows to inspect and filter 100M+ pps on a single node, thanks to its unique dataplane architecture.
To date, such a performance level was achievable on FPGA and ASIC- based platforms only.
redGuardian allows defining traffic inspection pipeline comprising of signature-based stateless filters, stateful
filters and high performance L7 regexp module in order to fully protect the infrastructure against known
and emerging threats. Such approach yields the highest mitigation accuracy with the shortest activation
time and does not affect legitimate user traffic.
� What is redGuardian?
redGuardian can be deployed either inline or out-of-path, as a physical or virtual appliance, lowering the TCO and enabling carriers to offer value added services for the customers.
Stateless signature-based
ACLs
attack clean traffic
Stateful filters
L7 regexp
engine
redGuardian protects from
the widest range of known
and zero-day attacks, including
reflected NTP/SSDP/memcached
floods, DNS attacks, TCP floods
and more. redGuardian starts
mitigation within milliseconds
and does not impact legitimate
user traffic.
redGuardian does not require
dedicated hardware platforms
- 100G+ performance can be achieved on a commodity x86 server. The deployment scenarios
include inline, out-of-path
or scrubbing center. Multitenancy
support gives carriers an
opportunity to monetize DDoS
protection.
On-premise deployments are
extensively supported by own
Security Operations Team, which
covers management, signature
upgrades, fine tuning and
emergency response in case of
zero-day attacks.
State-of-the-art protection
Software-driven flexibility
Fully managed solution
� Benefits
� Deployment scenarios
Upon attack detection, /32 more specific routes
are injected into transit/peering VRF, causing
traffic redirection to redGuardian scrubber. Clean
trafic is injected into IP core.
Off-path
In this scenario, redGuardian scrubber acts
as a filtering bridge between pair of ports.
In-line
� Mitigated attacks
� Chargen reflected response flood
� DNS reflected response flood
� Echo reflected response flood
� IKE PAYLOAD-MALFORMED response flood
� IPMI/RMCP reflected response flood
� LDAP query flood
� LDAP reflected response flood
� memcached reflected reponse flood
� MSSQL reflected response flood
� NetBIOS reflected response flood
� NTP reflected response flood
� QOTD reflected response flood
� RIP reflected response flood
� RPC Portmap reflected response flood
� Sentinel reflected response flood
� SNMP reflected response flood
� SSDP reflected response flood
� Steam query flood
� Steam reflected response flood
� TFTP reflected response flood
� UDP fragment flood
� UDP invalid packets
� TCP SYN/ACK/RST/ACK flood
� TCP fragment flood
� TCP invalid packets
� ICMP PING flood
� ICMP obsolete/legacy packets
� ICMP invalid packets (bad quote)
� ICMP fragment flood
� GRE invalid packets (destination address validation)
� IP invalid packets (checksum, fragment offset, packet length, spoofed source)
upstream
protected network
IP coreDDoSvictim
BGP/32 injection,flowspec rules, FBR
flows or SPAN
normal traffic, other customers cleaned traffic,
injected into IP core
diverted trafficto/32 victim
IP coretransit/peering VRFflow-based
analytics
Stateless ACLs
Matchers • VLAN id, PCP, DEI
• protocol
• source, destination address
• source IP tag/mark
• source, destination port or range
• fragment type
• TCP flags and URG pointer
• ICMP code, type, id, sequence
• packet length
• TTL
• payload pattern (up to 84B)
Actions • drop
• pass
• pass with ratelimit
• pass with state control
• pass with regexp checks
State aware filters
State tables Yes, up to 31
Hashing criteria • src/dst IP
• src IP tag
• src/dst port
• DNS FQDN
• DNS ID
• first 8/16B of payload
Algorithms / actions • various algorithms, for example:
- tcp flow inspection
- fragment filter
- pass first
- drop first
- pass second (with or without delay)
• per flow policing
Maximum number of states Billions of entries (memory limited)
� Features
Regexp ACLs
Actions • drop if (not) matched
• TCP reset if (not) matched
Maximum number of regexp
databases
31
Deployment / management
Clean traffic delivery • VLAN id, PCP override
• source, destination MAC override
• VXLAN tunnel
• GRE tunnel
• GRE key (optional)
• fragmentation before or after encapsulation
• fragmentation PMTUD support
• fragmentation with clear-df
• balance over multiple exits
Performance • > 100 Gbps and > 100 Mpps on a single node
Latency • < 60 microseconds
Multitenancy • Yes, up to 8k tenants on a single instance
Management • TAP or KNI bypass to OS stack
• ingress packet sampling to OS stack
• per customer counters and ACL (ready to integrate with InfluxDB/Grafana stack)
www.redguardian.eu
Part no. Description
REDGUARDIAN-DP10 License for 10 GbE port. Basic support included for 1 year.
REDGUARDIAN-DP25 License for 25 GbE port. Basic support included for 1 year.
REDGUARDIAN-DP40 License for 40 GbE port. Basic support included for 1 year.
REDGUARDIAN-DP50 License for 50 GbE port. Basic support included for 1 year.
REDGUARDIAN-DP100 License for 100 GbE port. Basic support included for 1 year.
REDGUARDIAN-SUP-Basic Bugfixes, e-mail tech support, 8h x 5d, 120 min. response time
REDGUARDIAN-SUP-EssentialUpdates & upgrades, e-mail & phone tech support, 10h x 5d, 30 min. response time
REDGUARDIAN-SUP-EnterpriseUpdates & upgrades, e-mail, Slack & phone tech support, 24h x 7d, 10 min. response time
� Licensing and support options