© Corero 2019, www.corero.com

Slide 1: Very Large-Scale Edge DDoS Protection
Sean Newman, Director Product Management
Slide 2: Is DDoS Still on the Increase?
Timeline (axis labels as shown on the slide: 1993, 2005, 2007, 2009, 2011, 2013, 2015, 2016, 2017, 2018, 2019??):
• First hacktivists: Zapatista National Liberation Army
• DoS for notoriety
• Spammers discover botnets
• Estonia: Parliament, banks, media, Estonia Reform Party
• Anon hits Church of Scientology
• Coordinated US bank attacks: grew to 200 Gbps, and continue today
• Spamhaus attack: reported to reach 310 Gbps
• 500 Gbps Hong Kong attack; France swarmed after terror attack; PlayStation & Xbox hit at Christmas
• ProtonMail attack
• Rio Olympics: 540 Gbps
• Mirai botnet: OVH / Krebs / DYN, 600 Gbps -> 1 Tbps
• Reaper botnet: 2M devices
• Memcached (GitHub): 1.35-1.7 Tbps
Slide 3: DDoS Evolution in 2018
• High bandwidth – memcached exceeds 1 Tbps, routinely >100 Gbps
• Botnets – Mirai (and its many known variants) – IoT (100s of millions of easy-to-recruit devices)
• Multivector – 10+ vectors, additive + variation + spray/subnet
• Booter/stresser services – the "10 minute" attack and pulsed attacks
Slide 4: Frequent DDoS Trend Continues…
Corero H1 2018 Trend Report: https://www.corero.com/resources/reports/h1-ddos-trends-report/
Headline figures shown: 77%, 94%, 740%
Slide 5: SP/Telco DDoS Scrubbing Protection
Diagram: Service Provider (SP) network. Ingress from transit/peering carries both DDoS attacks arriving from transit/peering and good traffic destined for subscribers; egress to subscribers reaches the DDoS victims. Detection is by Netflow (out-of-band).
Slide 6: SP/Telco DDoS Scrubbing Redirect
Diagram: Service Provider (SP) network. DDoS attacks arrive from transit/peering at ingress; Netflow detection (out-of-band) triggers a BGP redirect into the scrubbing capacity (<10% of edge capacity); good traffic is tunneled back to the edge or customer, and good traffic destined for subscribers leaves via egress to subscribers.
Note: some providers will have multiple scrubbing centers for geographic, redundancy and backhaul reasons.
Slide 7: SP/Telco Large DDoS Attack Blackhole
Diagram: Service Provider (SP) network. A large DDoS attack arrives from transit/peering at ingress; Netflow detection (out-of-band) triggers BGP RTBH because the scrubbing capacity (<10% of edge capacity) is exceeded. Good traffic is blocked by the blackhole, so the customer is offline for the attack duration.
Note: some providers will have multiple scrubbing centers for geographic, redundancy and backhaul reasons.
Slide 8: Scrubbing Approach Increasingly Challenged
Chart (size of attack vs. number of attacks) with a Scrubbing Zone and a Blackhole Zone:
• Provider Edge Capacity: 100s of Gbps to multiple Terabits/sec
• Provider Scrubbing Capacity: partial protection (needs to be >10%); scrubbing capacity needs to increase
• Provider RTBH Mitigation: manual instantiation of blackholes with target offline for duration of attack; more attacks mitigated with blackhole
Slide 9: Scrubbing Redirect Challenges
• Flow Monitoring – aggregation delay – attack overload – header only
• BGP / RTBH / FlowSpec – BGP propagation – header only – limited visibility
• Sampled Mirror – immediate forwarding – scales with attack – header and payload
• ACL Filters – rapid configuration – header and payload – streaming telemetry
Slide 10: New Opportunity for Edge Mitigation
Diagram: the Network Edge (ingress traffic -> egress traffic) sends a Sampled Mirror (1:N, tuple + payload) and Streaming Telemetry to the NOC/SOC. The NOC/SOC loop is Monitor – Inspect – Detect – Report/Signal – Mitigate; Filter Generation (tuple + payload) produces a Dynamic Filter (tuple + payload) that is applied at the Network Edge. Detection and mitigation complete within seconds.
Slide 11: Full Edge Capacity Mitigation
Chart (size of attack vs. number of attacks) with a Provider Edge Mitigation Zone, a Scrubbing Zone and a Blackhole Zone:
• Provider Edge Capacity: 100s of Gbps to multiple Terabits/sec; <1% of attacks need to be blackholed
• Provider Edge Mitigation: leverage real-time data and analytics to deliver intelligent automation
• Provider Scrubbing Capacity: >90% of attacks mitigated at the Provider Edge, <10% redirected to scrubbing
• Scales to tens of Terabits of DDoS protection: 100% edge protection
Slide 12: Provider Edge DDoS Protection
Diagram: Internet -> Service Provider (SP) edge. DDoS attacks arrive from transit/peering at ingress; good traffic is passed to the edge or customer via egress to subscribers. The edge devices are programmed over NETCONF.
Slide 13: Example Edge Filtering with Juniper MX
• Matching firewall-type rules with defined actions
• Filters entered manually, or programmatically via the NETCONF API
• Unique ID for each filter provides statistics via remote telemetry
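As an added example (not Corero's code and not part of the original deck), the following Python sketches the slide 10 and slide 13 pipeline end to end: sampled-mirror records (1:N) are scaled back to an estimated packet rate, every vector above a threshold becomes a Junos firewall filter term with its own counter name (the unique ID that telemetry reports on), and the set-commands are wrapped in the Junos NETCONF load-configuration RPC. The sample rate, threshold, sample records and filter name are assumed values constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

SAMPLE_RATE = 1000        # 1:N sampled mirror; N is an assumed value for this example
PPS_THRESHOLD = 500_000   # assumed per-vector packets/sec above which a filter is generated

@dataclass(frozen=True)
class Vector:
    """One attack vector as seen at the edge: destination, protocol and source port."""
    dst: str
    proto: str
    sport: int

# Constructed sample records for a one-second window of 1:1000 mirrored packets:
# (dst, proto, sport). The memcached reflection flood dominates; NTP and HTTPS are background.
SAMPLES = ([("192.0.2.10", "udp", 11211)] * 800
           + [("192.0.2.10", "udp", 123)] * 30
           + [("192.0.2.20", "tcp", 443)] * 40)

def detect(samples, window_s=1.0, rate=SAMPLE_RATE, threshold=PPS_THRESHOLD):
    """Scale sampled counts back to estimated pps per vector; return those over threshold."""
    counts = Counter(Vector(*s) for s in samples)
    return {v: n * rate / window_s for v, n in counts.items() if n * rate / window_s >= threshold}

def junos_filter(vectors, filter_name="ddos-edge"):
    """Emit Junos set-commands: one discard term per vector, each with a unique counter
    name so per-filter statistics can be read back via streaming telemetry."""
    base = f"set firewall family inet filter {filter_name}"
    lines = []
    for i, v in enumerate(sorted(vectors, key=lambda x: (x.dst, x.proto, x.sport))):
        term = f"v{i}-{v.proto}-{v.sport}-{v.dst.replace('.', '-')}"  # unique term/counter ID
        lines += [
            f"{base} term {term} from destination-address {v.dst}/32",
            f"{base} term {term} from protocol {v.proto}",
            f"{base} term {term} from source-port {v.sport}",
            f"{base} term {term} then count {term}",
            f"{base} term {term} then discard",
        ]
    lines.append(f"{base} term allow-rest then accept")  # everything else still passes
    return lines

def netconf_load_rpc(set_lines):
    """Wrap the set-commands in the Junos NETCONF load-configuration RPC; sending it over
    an SSH/NETCONF session and issuing <commit-configuration/> afterwards is not shown."""
    return ('<rpc><load-configuration action="set" format="text"><configuration-set>'
            + "\n".join(set_lines) + "</configuration-set></load-configuration></rpc>")

if __name__ == "__main__":
    print(netconf_load_rpc(junos_filter(detect(SAMPLES))))
```

The filter still has to be bound to the ingress interface on the MX, and the counter named after each term is what the telemetry collector reads to report per-filter hit statistics.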
Slide 14: Summary
• DDoS as a whole still on the increase
  – Attack methods/vectors more sophisticated
  – Emerging trend for an increase in the proportion of larger attacks
• Traditional scrubbing/RTBH protection is inadequate
  – Typically too slow to react to avoid damage, or completes the attack
  – Wastes core network bandwidth backhauling junk DDoS traffic
• New opportunity for protection on network edge devices
  – Leverage built-in power of the latest infrastructure devices
  – No need to insert new devices at every ingress point
  – Deliver always-on protection at edge capacity, up to unprecedented scale
  – Can operate as an overlay to existing scrubbing centers
  – Deploy filters automatically from the DDoS protection solution
Slide 15: Questions?

Slide 16: Thank You!