1067 Ddos-Protection-Networks DS May2018 PDF

Solution Brief

ORACLE DYN DDOS PROTECTION FOR NETWORKS

150 Dow Street, Manchester, NH 03101 USA | dyn.com | 603 668 4998 | @dyn

Solution Brief: Oracle Dyn DDoS Protection for Networks

Overview
Threat actors use globally distributed and highly scalable resources to
attack and breach enterprises. As a result, they retain an advantage over
organizations attempting to combat cyber threats with perimeter-only
solutions. Organizations need to embrace dynamically scalable, globally
distributed solutions to detect and thwart attacks before they reach the
network perimeter.

Scalable workload resources that grow when threat detection processing is required.
No longer are enterprises limited to the computing power of the security
solutions installed as perimeter hardware devices in their data centers. Oracle
Dyn offers the ability to scale dynamically, using cloud resources to maximize
resource effectiveness, while keeping costs in check.

page 2 dyn.com @dyn


Solution Brief | Oracle Dyn DDoS Protection for Networks

On-demand bandwidth to handle the largest DDoS attacks.

Distributed Denial of Service (DDoS) attacks are commonplace in today’s cybersecurity landscape. These attacks range from just a few Gbps to several hundred Gbps and beyond. Most organizations have limited transit and available “burst” traffic capacity connecting their data centers. Attackers use this to their advantage, easily flooding data centers with enough malicious traffic to make their online services unavailable to customers, partners, and internal staff.

Shared, global threat intelligence.

Oracle Dyn provides the ability to share the latest attack information and mitigation techniques across departments, partners, and an organization’s supply chain. Oracle Dyn allows for a common set of policies for all sites and infrastructures that use the ecosystem. Threat Intelligence and IP blacklisting are updated in real-time across the entire network.

RapidBGP™: 60 second time-to-mitigate

Oracle Dyn provides fully automatic, always-on attack monitoring using NetFlow samples from the customer’s edge routers. With fully automated BGP rerouting, the time from detection to mitigation is less than 60 seconds.

Traditional Always-On solutions have high latency and SLA risk:

• Always-On introduces latency because 100% of all the traffic must be rerouted 24x7 from the client’s data center to the scrubbing center.

• Single point of failure: If an Always-On solution is down (for example, the scrubbing center is under attack), the customer may be down also. We call this ‘noisy neighbor’ collateral damage. It can be common in the anti-DDoS industry.

• Always-On requires L2 redundant connections: Always-On via GRE tunnels is not recommended, since a GRE tunnel can flap from time to time.

Oracle Dyn RapidBGP™ provides always-on monitoring and automatic rerouting once an attack is detected. When no attack is detected, the traffic flows normally to the clients’ infrastructure.

It is similar to an Always-On SLA (as there is instantaneous attack detection and automatic re-routing/mitigation), without any of the latency impacts and the risks of noisy neighbors:

• Time-to-Mitigation (TTM) is less than 60 seconds, which ensures that the client is under full mitigation protection before the attack has fully ramped up.

• Latency impact only happens during an attack (contrary to an Always-On solution, where there is latency impact 100% of the time).

• Surgical precision: only the /24 under attack is rerouted. The rest of the traffic is not impacted. RapidBGP is able to reroute only the C-class IP block (/24) that is under attack so that there is no collateral damage to the rest of the net blocks in use.


Oracle Dyn DDoS Protection Platform


When building the Oracle Dyn DDoS Protection platform, our team was
able to leverage years of experience with many of the top mitigation service
providers and technology vendors. After designing and testing initially in a lab
environment, extensive real-world alpha and beta testing was conducted with
live attack scenarios. In its entirety, Oracle Dyn DDoS Protection consists of:

• State-of-the-art high capacity hardware

• Patent pending software-based Oracle Dyn platform

• Security Operation Centers (SOCs) fully staffed 7/24 and compliant

• ITIL incident response procedures documented and audited

• Best in the industry security operational staff, researchers, and developers

Oracle Dyn leverages unique intellectual property that we have developed in house to quickly find and automatically mitigate DDoS attack traffic through data analysis, threat intelligence, and behavioral analysis.

Data Sovereignty
Oracle Dyn POPs are located in specifically designated regions. This enables
configuration capabilities, at the customer’s request, to provide for geographic
site constraints served exclusively from regionally defined POPs, hence
complying with local data residency and data sovereignty requirements.

DDoS Mitigation – Network Layer 3/4


Oracle Dyn DDoS Protection performs automated DDoS attack detection and
mitigation at the network layer. These types of attacks are often referred to
as layer 3 and 4 attacks since they affect the lower layers of the OSI Model
(Network and Transport).


Some examples of types of attacks include: SYN Floods (spoofed IPs, non-standard TCP flags), UDP Floods, IPSec Floods (IKE/ISAKMP association attempts), IP/ICMP Fragmentation, Reflection/Amplification Attacks (NTP, DNS, SSDP, Memcached, etc.), DNS Floods, etc.

Oracle Dyn eliminates the effects of these types of attacks automatically at the network layer within high capacity DDoS Scrubbing Centers. These are globally distributed to minimize latency. DDoS Scrubbing Centers are located in North America East, North America West, and Western Europe.

Graphic Representation of an Attack: (diagram not reproduced in this extraction)

Key Capabilities: DDoS Protection For Networks

• Comprehensive protection for all types of DDoS attacks.

• Protects large numbers of customers’ applications, destination IPs, entire subnets, web and IP-based applications.

• Dedicated scrubbing centers in North America East, North America West, and Europe with 1.7 Tbps of scrubbing capacity.

• Expert DDoS engineers who perform real-time analysis and support for multi-vector attacks 24x7x365 in global SOCs.

• Oracle Dyn Control Center (customer portal) provides real-time traffic updates.

• RapidBGP™: Time-to-Mitigation under 60 seconds.

Attack Traffic Mitigated over Layer-2

Customers may also choose to route smaller attacks over a direct Layer-2 connection to Oracle Dyn. For example, if the customer and Oracle Dyn are connected over a 10 Gbps cross-connect, smaller attacks (up to 8 Gbps recommended) may traverse the cross-connect using Oracle Dyn as the next hop. Once traffic is cleansed, it is returned over the same cross-connect to the customer environment and is routed to the appropriate host. In this case, RapidBGP can also be used for automatic detection and routing for automated mitigation.


Traffic flows – Automatic Detection and On Demand Mitigation (RapidBGP™)

Normal traffic

In the network scenario below, valid traffic is routed uninterrupted between remote users and the destination as indicated in the diagram. Traffic flow sampling is collected out of band and monitored in real time at the Oracle Dyn POP.

DDoS Detected: GRE Tunnel

Typically, the high-performance GRE tunnel will have 1 Gbps of capacity for normal traffic. The following diagram demonstrates the traffic routes of a network under attack. It shows both legitimate traffic flow as well as any potential DDoS flood of traffic. Without scrubbing centers, malicious DDoS traffic would otherwise reach the network perimeter, potentially overwhelming the Internet pipe, gateway router, and security devices before incapacitating the target server and application within the environment.

The Oracle Dyn solution is designed to redirect all traffic to the scrubbing centers. Only non-attack traffic traverses the Internet from the Oracle Dyn scrubbing center to the customer datacenter.


RapidBGP™ solution:
60 second detect and act
Oracle Dyn has developed a new model for rapid DDoS mitigation. Oracle Dyn continuously monitors NetFlow and SNMP from the customer’s border routers to detect attacks using an automatic analysis of DDoS alerts. In the event of an attack, BGP routing commands are deployed to take immediate action. All of this takes place without the time delay caused by human intervention.

Manual BGP routing changes would require a customer to communicate network advertisements from their data centers to Oracle Dyn. Our RapidBGP technology can automatically make the necessary BGP changes after detecting a DDoS attack, once we receive an alert through our monitoring systems via flow data analysis.

Tested DDoS Mitigation in 57 seconds

In production tests, Oracle Dyn can detect, route and mitigate volumetric Layer 3 and 4 DDoS attacks within 57 seconds. This is achieved by receiving BGP advertisements but suppressing those routes from our upstream providers until a DDoS attack is detected by RapidBGP.
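The detect-and-reroute loop behind the RapidBGP description (the "surgical" /24 rerouting on page 3 and the suppressed-until-attack routes in this section), as an added example that is not Oracle Dyn's code: it replays constructed sampled-flow records, estimates bits per second per destination /24, and announces only the /24 whose rate crosses a threshold, leaving the rest of the customer block on its normal path. The 1:1000 sample rate, 10 s window, 1 Gbps threshold and the 10.20.0.0/22 block are assumptions.

```python
"""Flow-based attack detection with /24-granular BGP rerouting (constructed
example, not Oracle Dyn's RapidBGP code; thresholds and addresses are assumptions)."""
from collections import defaultdict
from ipaddress import ip_network

SAMPLE_RATE = 1000              # router exports 1 in 1000 packets
WINDOW_S = 10                   # sliding window for the rate estimate
THRESHOLD_BPS = 1_000_000_000   # 1 Gbps toward one /24 is treated as an attack
# Hypothetical customer block: advertised to the provider but kept suppressed
# toward upstream transit until an attack is detected.
CUSTOMER_BLOCK = ip_network("10.20.0.0/22")
ATTACK_START = 20               # second at which the constructed flood begins


def build_samples(seconds=40):
    """Constructed NetFlow-style records: (t_seconds, dst_ip, sampled_octets)."""
    hosts = ["10.20.0.10", "10.20.1.10", "10.20.2.55", "10.20.3.10"]
    samples = [(t, h, 4500) for t in range(seconds) for h in hosts]   # ~36 Mbps each
    # Flood toward one host: 250 KB/s of sampled octets is 2 Gbps on the wire.
    samples += [(t, "10.20.2.55", 250_000) for t in range(ATTACK_START, seconds)]
    return samples


def rate_per_24(samples, now):
    """Estimated bits/s per destination /24 over the last WINDOW_S seconds."""
    octets = defaultdict(int)
    for t, dst, n in samples:
        if now - WINDOW_S < t <= now:
            octets[ip_network(f"{dst}/24", strict=False)] += n
    return {p: o * SAMPLE_RATE * 8 / WINDOW_S for p, o in octets.items()}


def attacked_prefixes(samples, now):
    """Only /24s inside the customer block are candidates for rerouting."""
    return {p for p, bps in rate_per_24(samples, now).items()
            if bps >= THRESHOLD_BPS and p.subnet_of(CUSTOMER_BLOCK)}


class RapidReroute:
    """Announces just the attacked /24 toward the scrubbing path; the other /24s
    of the block stay suppressed, so they keep their normal path."""

    def __init__(self, block):
        self.suppressed = set(block.subnets(new_prefix=24))
        self.announced = {}     # prefix -> second at which it was announced

    def tick(self, samples, now):
        for p in attacked_prefixes(samples, now) & self.suppressed:
            self.suppressed.remove(p)
            self.announced[p] = now
        return self.announced


def run_simulation(seconds=40):
    """Replay the constructed flow data second by second."""
    samples = build_samples(seconds)
    reroute = RapidReroute(CUSTOMER_BLOCK)
    for now in range(seconds):
        reroute.tick(samples, now)
    return reroute


if __name__ == "__main__":
    r = run_simulation()
    for p, t in r.announced.items():
        print(f"{p} rerouted at t={t}s, {t - ATTACK_START}s after the flood began")
    print("still on the normal path:", sorted(map(str, r.suppressed)))
```

With these constants the flood is recognised at t=24, four seconds after it starts, and only 10.20.2.0/24 is announced.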

Maximum Tolerable Downtime – MTD (57 seconds)

Maximum Tolerable Downtime is the time after which the process being unavailable creates irreversible consequences resulting in severe damage to the viability of the business. Depending on the process, MTD can be in hours, days or longer.


Integrated Global Threat Intelligence

Oracle Dyn has integrated many threat intelligence feeds into our mitigation platform based on customer demand. Our Security Operations team works with our customers to select the best combination of threat intelligence feeds. Our platform manages the collection, enrichment, and application of these feeds to both Layer 3 / 4 and Layer 7 mitigation countermeasures.

Integrated Layer 7 Capabilities

Oracle Dyn offers our customers the ability to host the Oracle Dyn Virtual Appliance on-premises. The Oracle Dyn V-App is for those customers who require complete control of their SSL keys. The Oracle Dyn V-App integrates seamlessly with the Layer 3 / 4 mitigation technology. Integration is achieved by pushing real-time threat intelligence to the TMS to block malicious actions upstream. Oracle Dyn has made significant investments in advanced Layer 7 detection techniques (patent pending) such as the Device Fingerprint Challenge and Human Interaction Challenge.

Diagram: Both open source and private threat feeds are integrated into our Layer 7 product.


Mitigating Attacks against single IP (/32)

Oracle Dyn provides a solution for customers who want DDoS protection for non-HTTP traffic. This is done by assigning designated VIPs at our scrubbing centers and using TCP port forwarding to terminate traffic on our customer’s origin. This solution is available for any TCP connection that doesn’t use the HTTP(S) protocol but is exposed to volumetric L3 / L4 attacks.

Oracle Dyn provided VIPs

Oracle Dyn can provide our customers with individual IP addresses that can be published through DNS. These IPs are part of the Oracle Dyn ASN and are routed “always-on” through the Oracle Dyn scrubbing centers. Once traffic reaches our scrubbing centers, Network Address Translation is applied and the protected IP is forwarded for end user traffic. This technique works symmetrically (both inbound and outbound traffic is routed through Oracle Dyn).

Control Center and High Level Network View

The Oracle Dyn Control Center provides the customers with a dashboard to see critical network information at a glance as well as alerts in real time.

Control Center screenshot panels: Traffic Analysis by Application; Recent Alerts.


Example of mitigation techniques

TCP SYN Flood

When a TCP SYN Flood is detected, Oracle Dyn responds. Depending on the attack vector, several countermeasures can be taken.

TCP SYN Authentication – When TCP SYN authentication is enabled and a legitimate source host completes the TCP handshake, the source host has a TCP connection only with Oracle Dyn, which then normally sends a TCP reset to the source host. This TCP reset usually results in an error from the application that is visible to the user and that can require the user to refresh their Web browser manually. To resolve this problem and to make the connection to the real server transparent to the user, Oracle Dyn also enables Out-of-sequence Authentication as described below.

TCP SYN out-of-sequence Authentication – This authentication method allows Oracle Dyn to transparently authenticate all applications without displaying error messages to the user or requiring them to refresh their Web browsers manually.

TCP SYN Non-Spoofed HTTP Authentication – This countermeasure is used to apply additional authentication steps to specific HTTP ports. While TCP SYN authentication can identify spoofed SYN floods, HTTP authentication can identify attacks by botnets or malicious users that are not spoofed. HTTP authentication makes sure that the source host is a valid HTTP client. It does this by making sure that the source host correctly responds to an HTTP redirect that Oracle Dyn sends. If the source host correctly responds to the redirect, then it is allowed to connect to the protected host.

Control Center screenshot panels: Alerts by Profile; Attack Search.


Oracle Dyn only enables this countermeasure when an attack has multiple components that include both a spoofed SYN flood and an HTTP request flood. Note that HTTP request floods and other layer 7 attack types are detected by the Oracle Dyn application runtime, and real-time threat intelligence is pushed to the packet filtering hardware automatically.

The countermeasures listed above are a few of the techniques that the Oracle Dyn SOC uses to mitigate attacks. In addition, other countermeasures are available through detailed configuration tuning that controls host blocking policies.

DNS Flood Protection

DNS Flood

If an attack targets the DNS, Oracle Dyn offers DNS DDoS protection. The DNS is protected in two ways: 1) at the network layer, scrubbing bad requests, as well as 2) a proxy solution that customers can use to hide their DNS servers.

Operating at both the network layer and through the proxy product, we have implemented a combination of countermeasures:

DNS Flood Regex – Oracle Dyn enables our SOC to inspect request strings using a DNS Regular Expression. This countermeasure will drop malicious inbound DNS message packets based on standard and custom regular expression matching as well as other filter settings. REGEX as a countermeasure can also blacklist hosts that were sending malicious packets that were dropped. In addition, this countermeasure can be used for inbound DNS queries and inbound DNS replies.

DNS Reflection – Upon provisioning, we define the source ports that need to connect and block any source port 53 for reflection attacks.

DNS Open Resolver Blacklisting – Oracle Dyn maintains a real-time database of DNS Open Resolvers to prevent these potentially harmful servers from overwhelming customer environments. Oracle Dyn applies ACLs to blacklist Open Resolvers as well as other malicious IPs that have been harvested from our Threat Intelligence programs.
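The three DNS countermeasures above (query-name regex with blacklisting of the sender, the source-port-53 reflection block, and the open-resolver ACL) combined into one inbound packet filter, as an added example that is not Oracle Dyn's implementation: it parses the question name out of DNS wire format and returns a verdict per packet. The protected zone, the regex, the ACL entries and the sample packets are constructed.

```python
"""One inbound packet filter combining the three DNS countermeasures above
(constructed example, not Oracle Dyn's implementation; zone, regex and ACL are assumptions)."""
import re

# Constructed SOC regex: a long random label directly under the protected zone,
# the shape of a pseudo-random-subdomain flood.
FLOOD_QNAME_RE = re.compile(r"^[a-z0-9]{12,}\.example\.com\.$")
OPEN_RESOLVERS = {"192.0.2.77"}   # constructed stand-in for the open-resolver feed


def parse_qname(msg):
    """Return the first question name of a DNS message, or None if malformed."""
    if len(msg) < 12:                 # header alone is 12 bytes
        return None
    pos, labels = 12, []
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels) + "." if labels else "."
        if n & 0xC0 or pos + 1 + n > len(msg):   # compression pointer or truncated
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    return None


def build_query(qname):
    """Minimal A query (id 0x1234, RD set), used only to construct sample packets."""
    header = bytes.fromhex("1234 0100 0001 0000 0000 0000")
    labels = b"".join(bytes([len(x)]) + x.encode() for x in qname.rstrip(".").split("."))
    return header + labels + b"\x00\x00\x01\x00\x01"


class DnsFilter:
    def __init__(self, open_resolvers, qname_re):
        self.acl = set(open_resolvers)
        self.qname_re = qname_re
        self.blacklist = set()   # senders whose packets the regex already dropped

    def verdict(self, src_ip, src_port, payload):
        if src_ip in self.blacklist:
            return "drop:blacklisted"
        if src_ip in self.acl:
            return "drop:open-resolver"
        if src_port == 53:       # reflected replies arrive with source port 53
            return "drop:reflection-src-port-53"
        qname = parse_qname(payload)
        if qname is None:
            return "drop:malformed"
        if self.qname_re.match(qname):
            self.blacklist.add(src_ip)   # a regex drop also blacklists the sender
            return "drop:regex"
        return "pass"


def run_demo():
    """Constructed packets (src_ip, src_port, payload) and the verdict for each."""
    f = DnsFilter(OPEN_RESOLVERS, FLOOD_QNAME_RE)
    packets = [("198.51.100.9", 40000, build_query("www.example.com")),
               ("198.51.100.9", 40000, build_query("x7k2p9q4m1zz.example.com")),
               ("198.51.100.9", 40001, build_query("www.example.com")),
               ("203.0.113.5", 53, build_query("www.example.com")),
               ("192.0.2.77", 41000, build_query("www.example.com")),
               ("198.51.100.10", 42000, b"\x12\x34")]
    return [f.verdict(*p) for p in packets]
```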


DDoS monitoring and mitigation for the Application Layer (Layer 7)

Application layer DDoS attacks (Layer 7) are dangerous attack types. Layer 7 attacks will drain application resources such as dynamically generated web content, database resources, search index resources, ecommerce components, and API endpoints.

Oracle Dyn protects applications from Layer 7 DDoS by using real-time algorithms to detect and then separate bots from legitimate user traffic.

What is a botnet?

A botnet is a network of computers infected with malicious software (aka malware). Botnets run on the infected computer without the user’s knowledge. The infected computer is controlled by an attacker, or bot-herder, from the command and control center, updating the bot software as it progresses through the various stages of an attack. The bot communicates with the command center, sending information and then morphing via software updates, making it extremely hard to detect. Botnets are used to commit a variety of cybercrimes such as SPAM, scams, hacks and distributed denial of service (DDoS) attacks. Computers called command and control (C&C) servers are responsible for commanding the infected computers, allowing the bot-herder to put the botnet to use. Bot-herders also often sell or rent out parts of their botnet to other attackers for their own use. The larger the botnet, the more cybercrime it can commit. An entire industry, Crime as a Service, has emerged from botnet usage. Oracle Dyn researchers diligently collect information from the dark web and integrate this information into detection algorithms.

Computer resources that are deployed in next generation botnets (zombies) have fixed malware running on each bot, which can be updated by the command and control server from time to time. Zombies typically have headless browsers running in the background, so users that are compromised don’t realize that their computer is being used as part of a botnet.


Oracle Dyn Botnet Protection

Zenedge deploys several algorithms to test the capabilities of headless browsers to ensure that they have all the capabilities required by a real “windowed” web browser. The Oracle Dyn Layer 7 toolbox includes several challenge / response algorithms to detect bot activity, including:

Example of Layer 7 Mitigation strategy:

JavaScript Challenge

An example of a highly effective Botnet DDoS detection algorithm that is deployed by Oracle Dyn is the JavaScript Challenge. In a simple, single configuration screen Oracle Dyn will set up parameters to implement this mitigation strategy.

When the JavaScript Challenge is turned on, Oracle Dyn will inject a small piece of JavaScript into the application (head section) as it’s being delivered through the Oracle Dyn network. No code changes are required within the application itself.

In “Alert Only” mode, Oracle Dyn will record the number of failed attempts for each user when presented with the JavaScript Challenge. When a maximum configurable threshold is reached, Oracle Dyn (optionally) will report each failed session back to the web application through a custom HTTP header value. The header name is configurable. In “Blocking” mode, failed challenges will be blocked through a custom HTTP response code.
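The edge-side behaviour described above (script injected into the head section, failed attempts counted per client, then a custom header in "Alert Only" mode or a custom response code in "Blocking" mode), as an added example that is not Oracle Dyn's code. The token scheme (an HMAC over the client id that the injected script writes to a cookie), the header name, the threshold of 3 and the 403 status are assumptions.

```python
"""Simulation of the JavaScript Challenge's Alert Only and Blocking modes
(constructed example, not Oracle Dyn's code; token scheme, header name and
status code are assumptions)."""
import hashlib
import hmac
from collections import defaultdict

EDGE_SECRET = b"constructed-edge-secret"   # per-deployment key (assumption)
CHALLENGE_JS = "<script>document.cookie = 'js_ok={token}; path=/';</script>"


def expected_token(client_id):
    """Per-client token the injected script stores; only a JS-executing client sends it back."""
    return hmac.new(EDGE_SECRET, client_id.encode(), hashlib.sha256).hexdigest()[:16]


def inject_challenge(html, token):
    """Insert the challenge script into the head section; the application is untouched."""
    return html.replace("<head>", "<head>" + CHALLENGE_JS.format(token=token), 1)


class JsChallenge:
    """Edge-side state machine for one protected application."""

    def __init__(self, mode="alert", max_failures=3,
                 header="X-JS-Challenge-Failures", block_status=403):
        assert mode in ("alert", "block")
        self.mode, self.max_failures = mode, max_failures
        self.header, self.block_status = header, block_status
        self.failures = defaultdict(int)      # failed challenge attempts per client

    def handle(self, client_id, cookie, origin_html):
        """Decide what the edge does with one request from client_id."""
        if cookie == expected_token(client_id):
            return {"action": "forward", "upstream_headers": {}}   # solved
        self.failures[client_id] += 1
        if self.failures[client_id] < self.max_failures:
            return {"action": "challenge",
                    "body": inject_challenge(origin_html, expected_token(client_id))}
        if self.mode == "block":
            return {"action": "block", "status": self.block_status}
        # Alert Only: forward, but tell the application how often this client failed
        return {"action": "forward",
                "upstream_headers": {self.header: str(self.failures[client_id])}}


def run_demo(mode):
    """A real browser solves the challenge on its second request; a headless bot
    never sets the cookie and keeps failing."""
    edge = JsChallenge(mode=mode)
    page = "<html><head><title>app</title></head><body>hi</body></html>"
    browser = [edge.handle("user-1", None, page),
               edge.handle("user-1", expected_token("user-1"), page)]
    bot = [edge.handle("bot-1", None, page) for _ in range(4)]
    return browser, bot
```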


Rethink DNS.

Oracle Dyn is a global business unit focused on the cloud infrastructure that connects users with digital content and experiences across a global Internet. Dyn, a pioneer in DNS, has now added the Zenedge web application security products to secure applications, networks, databases, and APIs from malicious Internet traffic. Our solutions are powered by a global network that drives 40 billion traffic optimization decisions daily for more than 3,500 enterprise customers, including preeminent digital brands such as Netflix, Twitter, LinkedIn and CNBC.

Copyright © 2018. Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. 1067
