Arbor-Advanced DDoS Trends and Protection

The document discusses advanced distributed denial of service (DDoS) trends and next generation DDoS protection. It outlines how DDoS attacks are becoming more frequent, complex, and powerful by combining with other threats like ransomware and exploiting the growing number of internet-connected devices. Specifically, it notes the emergence of large scale attacks leveraging the Memcached protocol and the risks of internally launched attacks combining DDoS and ransomware. Effective network visibility is presented as key to addressing these evolving threats.


Agenda

• Advanced DDoS Trends

• Next Generation DDoS Protection

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1




Security Portfolio

Traffic Visibility: Arbor SP
DDoS Mitigation: Arbor TMS
Cloud Services: Arbor Cloud
DDoS Protection: Arbor APS

(Offered to both Enterprise and Service Provider customers)


THE VALUE OF NETWORK VISIBILITY

Amount of Internet traffic monitored by ATLAS: 1/3 of global Internet traffic, 140 Tbps, through global network analysis across 300+ ISPs.

INTERNET VISIBILITY
• Internet Health
• DDoS Attacks
• Threat Tracking

MALWARE DETECTION
• Honey Pots
• Real-time
• Family Focus

BOTNET MONITORING
• Sinkhole
• Behavior
• Infiltration/Activity Monitoring

§ Growing frequency and complexity of DDoS attacks:
  • Multi-vector DDoS campaigns
  • Micro burst attacks
  • IoT (inside and out)

§ Growing frequency and complexity of Advanced Persistent Threats (APT), increasing:
  • Phishing
  • Ransomware

Network Visibility underpins everything we do at Arbor
IoT Timeline

DDoS Meets Ransomware

• DDoS functionality discovered in Cerber ransomware
• Atypical, because DDoS actors don't usually focus on other malware forms, and vice versa
• Could only DoS the local network
• Indicates interest in launching DDoS from within the enterprise
IoT Timeline

DDoS + IoT = Massive Attacks

• Aug. 540 Gbps sustained attack on the Rio Olympics from opening to closing ceremony (LizardStresser)
• Sep. 20 620 Gbps attack on KrebsOnSecurity (Mirai)
• Sep. 21 990 Gbps attack on OVH (Mirai)
• Oct. 21 Three attacks on Dyn's Managed DNS (Mirai)
IoT Timeline

First Multi-Platform IoT Seeder

• New Mirai Windows seeder targets IoT
• Mirai continues to evolve
IoT Timeline

Reaper: Default Passwords No More

• Based on Mirai
• 10-20K IoT bots
• Additional 2M IoT devices scanned but not subsumed
• Believed to be a Chinese criminal-underground DDoS-for-hire tool
• Exploited OS security flaws, not default usernames & passwords
IoT Timeline

Memcached DDoS

• Record breaking
• Combined with IP spoofing, the result is a 1.7 Tbps attack
IoT Timeline

What's Next?

• Larger, more complex, more frequent attacks for sure
• DDoS + Ransomware + IoT + Multi-Platform = Internally Launched Attacks
7.7 Million

During this presentation, approx. 160,000 new IoT devices will go online.

An estimated 7.7 million (mostly vulnerable) IoT devices are connected to the Internet EVERY day. (Gartner report, Feb. 2017)
1:500,000

1:500,000 is the theoretical DDoS amplification factor for the Memcached service.
Lab test: 1:516,436


The Memcached DDoS Reflection Attack

Attacker sends 1 packet; the reflector sends 536,302 packets = 6.2 Gb.

    from scapy.all import *
    import binascii
    # cmd = "get a a a a a a a a a a a a a a a a a a a a a a a … <729 times>"
    payload=binascii.unhexlify('0001000000010000676574206120612061206120612061206120612061206120…
    pkt=Ether()/IP(src="10.1.138.170",dst="172.17.10.103")/UDP(sport=80,dport=11211)/payload
    sendp(pkt, iface="eth1", loop=0,verbose=False)
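What the reflector actually sees is a single small UDP datagram whose text command asks for hundreds of keys. The parser and heuristic below are an added example (not from the slide deck or NETSCOUT) of what a sensor placed in front of an exposed memcached host can check: it decodes memcached's 8-byte UDP frame header, extracts the command, and flags requests from unprovisioned sources or multi-gets that name far more keys than any real client would. The allow-list, thresholds and sample datagrams are constructed; the 729-key count mirrors the comment in the slide's snippet.

```python
import struct

# memcached prefixes every UDP datagram with an 8-byte big-endian header:
# request id, sequence number, total datagrams in the message, reserved (must be 0).
# That framing is a property of the memcached protocol, not something the slide states.
UDP_HEADER = struct.Struct("!HHHH")

def parse_memcached_udp(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into header fields and the first text command."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    # Text protocol: one command line terminated by CRLF, space-separated tokens.
    line = datagram[UDP_HEADER.size:].split(b"\r\n", 1)[0]
    tokens = line.decode("ascii", errors="replace").split()
    return {
        "request_id": request_id, "seq": seq, "total": total, "reserved": reserved,
        "command": tokens[0].lower() if tokens else "",
        "keys": tokens[1:],
    }

def reflection_indicators(datagram: bytes, src_ip: str, allowed_clients: set,
                          max_keys: int = 32) -> list:
    """Reasons a sensor in front of a memcached host would flag an inbound UDP request.
    The allow-list and the key threshold are constructed for this example."""
    reasons = []
    if src_ip not in allowed_clients:
        # In a reflection attack the source is the spoofed victim, never a real client.
        reasons.append(f"source {src_ip} is not a provisioned client")
    try:
        frame = parse_memcached_udp(datagram)
    except ValueError as exc:
        return reasons + [str(exc)]
    if frame["reserved"] != 0:
        reasons.append("non-zero reserved field in UDP header")
    n_keys = len(frame["keys"])
    if frame["command"] in ("get", "gets") and n_keys > max_keys:
        # A tiny multi-get that names hundreds of keys returns every cached value.
        reasons.append(f"{frame['command']} names {n_keys} keys (limit {max_keys})")
    if frame["command"] == "stats":
        reasons.append("stats over UDP: large reply for a one-line request")
    return reasons

def constructed_multiget(n_keys: int = 729) -> bytes:
    """Constructed datagram in the shape of the slide's request: request id 1,
    one datagram, 'get' followed by the key 'a' repeated n_keys times."""
    return UDP_HEADER.pack(1, 0, 1, 0) + b"get " + b" ".join([b"a"] * n_keys) + b"\r\n"

BENIGN_GET = UDP_HEADER.pack(7, 0, 1, 0) + b"get session:42\r\n"  # constructed
ALLOWED_CLIENTS = {"10.0.0.5"}                                    # constructed

if __name__ == "__main__":
    for label, pkt, src in [("suspect", constructed_multiget(), "198.51.100.9"),
                            ("benign", BENIGN_GET, "10.0.0.5")]:
        print(label, parse_memcached_udp(pkt)["command"],
              reflection_indicators(pkt, src, ALLOWED_CLIENTS) or "clean")
```

The heuristic only matters for hosts that still answer UDP from the Internet; memcached releases from 1.5.6 onward ship with the UDP listener disabled, and on older builds `-U 0` turns it off, which removes the amplifier entirely.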


31.4%

31.4% of Internet ASNs allow spoofed traffic to originate from their networks. (CAIDA Spoofer project)


1.7 Tbps

1.7 Tbps is the size of the largest DDoS attack in history (Memcached DDoS reflection attack, February 25th 2018).


Not Just Amplification/Reflection Attacks

The Mirai Botnet is capable of launching complex multi-vector attacks.

Attack Vectors:
◦ SYN-flooding
◦ ACK-flooding
◦ UDP flooding
◦ Valve Source Engine (VSE) query-flooding
◦ GRE-flooding
◦ Pseudo-random DNS label-prepending attacks (also known as DNS 'Water Torture' attacks)
◦ HTTP GET, POST and HEAD attacks


Application-Layer Attacks

• New Tail Attacks delay applications rather than shut them down (LSU & Ga Tech)
• Every 100ms delay equates to a 1% loss in sales (Amazon)
• 1s delay (Aberdeen Group):
  • 11% ↓ in page views
  • 7% ↓ in ecommerce sales conversions
  • 16% ↓ in customer satisfaction
DDoS Attack Trends - Frequency
Fact: DDoS Attacks Increasing in Frequency.



DDoS Attack Trends - Duration
Fact: Most DDoS attacks are short in duration.

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report

DDoS Attack Trends - Size
Fact: Most DDoS attacks are small. (88% less than 2 Gbps)

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report, ATLAS data


DDoS Attack Trends - Complexity
Fact: The modern-day DDoS attack is complex: dynamic and multi-vector.

Mirai Botnet is a Modern Day Multi-Vector Attack
(Diagram: The Internet → Your ISP → Your Data Center; BotNet traffic and legitimate traffic both arrive at the firewall.)

TCP State-Exhaustion Attacks
◦ Crash stateful devices (load balancers, firewalls, IPSs)

Volumetric Attacks
◦ Large (up to 800 Gbps)
◦ Saturate links

Application Layer Attacks
◦ Low and slow, stealth attacks
◦ Crash application servers

Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report
DDoS Attack Trends
Fact: The impact of a DDoS attack can be immediate and severe.

Penalties:
§ Organizations in breach of GDPR can be fined up to (max) 4% of annual global
turnover or €20 Million (whichever is greater).
§ It is important to note that these rules apply to both controllers and processors --
meaning 'clouds' will not be exempt from GDPR enforcement.
To Stop Large Attacks….

(Diagram: The Internet → Your ISP → Your Data Center; attack traffic from the BotNet passes the DDoS protection and the firewall before reaching the application servers.)

Recall: DDoS attacks exceeding Internet bandwidth:
§ 41% of Enterprises
§ 61% of Data-center Operators
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report


Your only option is the Cloud

(Diagram: attack traffic from the BotNet on The Internet is diverted to cloud-based mitigation; clean traffic returns via Your ISP to the DDoS protection and firewall in Your Data Center.)

Increase in demand for Managed DDoS Protection Services
Source: Arbor Networks 12th Annual Worldwide Infrastructure Security Report
To Stop the Smaller, Majority of Attacks….

(Diagram: The Internet → Your ISP → Your Data Center; attack traffic from the BotNet reaches the firewall.)

§ Recall:
  § Vast majority of DDoS attacks are small (e.g. less than 2 GB)
  § And last for a short duration of time (e.g. less than 1 hr)
  § Yet they still can be multi-vector (e.g. 67%)
  § These attacks are difficult for an ISP/MSSP to detect.


You Should Deploy On-Premises Protection

(Diagram: The Internet → Your ISP → Your Data Center; attack traffic from the BotNet meets DDoS protection placed in front of the firewall.)

§ Put DDoS protection on-premises.
§ In front of the most critical data centers/applications.
§ Customize policies for the applications running in those data centers.
§ Install in front of firewalls to protect them from TCP-state exhaustion attacks.
Stopping The Modern Day DDoS Attack Requires Layered, Automated Protection

A Recommended Industry Best Practice:

1. Automatically stop application layer DDoS attacks on premises (DDoS protection at Your Data Centers/Internal Networks).
2. Automatic, intelligent communication between on-prem and in-cloud protection to address dynamic attack vectors.
3. Stop large attacks in-cloud (Scrubbing Center in Your (ISP's) Network).
4. Backed by continuous threat intelligence.

(Diagram: volumetric attacks and application attacks arrive from The Internet, through Your (ISP's) Network, at Your Data Centers/Internal Networks.)
Defending Against Insider Threats

• These security best practices include:
  – Updating the software on all devices on a regular basis.
  – Implementing full network segmentation and hardening (or isolating) vulnerable network devices and services.
  – Developing a DDoS attack mitigation process.
  – Utilizing flow telemetry to analyze external and internal traffic. This is necessary for attack detection, classification and trace-back.
  – Deploying multi-layered DDoS protection.
  – Scanning for misconfigured and abusable services; this includes NTP, DNS and SSDP services, which can be used for amplification attacks.
  – Implementing anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding, ACLs, DHCP Snooping & IP Source Guard on all edge devices.
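The anti-spoofing item above is what stops an internally launched reflection attack from ever leaving the network, and it also answers the 31.4% figure earlier in the deck. As an added example (not part of the slides or any vendor implementation), the model below reproduces the decision an edge router makes under Unicast Reverse-Path Forwarding in strict and loose mode, next to a plain BCP 38 ingress ACL on a customer port. The FIB, interface names and addresses are constructed (RFC 5737 documentation ranges); treating the default route as unusable for uRPF is my simplification of common vendor behaviour.

```python
import ipaddress

# Constructed FIB for a small provider-edge router: prefix -> egress interface.
FIB = {
    "192.0.2.0/24": "cust-a",      # customer A's allocation
    "198.51.100.0/24": "cust-b",   # customer B's allocation
    "203.0.113.0/24": "upstream",  # learned from the transit provider
    "0.0.0.0/0": "upstream",       # default route
}

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_passes(fib, src, ingress, mode="strict"):
    """Unicast Reverse-Path Forwarding check on a packet's source address.
    strict: the route back to the source must leave via the ingress interface.
    loose:  any route to the source other than the default is enough.
    The default route never satisfies the check here (assumption, see lead-in)."""
    hit = lookup(fib, src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return hit[1] == ingress

def bcp38_ingress_allowed(customer_prefixes, src):
    """Ingress ACL on a customer port per BCP 38: permit only sources that fall
    inside the prefixes allocated to that customer."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)

def evaluate(packets):
    """Run every check on (src, ingress) pairs; returns one row per packet."""
    rows = []
    for src, ingress in packets:
        rows.append({
            "src": src, "ingress": ingress,
            "strict": urpf_passes(FIB, src, ingress, "strict"),
            "loose": urpf_passes(FIB, src, ingress, "loose"),
            "acl": bcp38_ingress_allowed(["192.0.2.0/24"], src) if ingress == "cust-a" else None,
        })
    return rows

# Constructed packets arriving on customer A's port: one legitimate source, one
# spoofed neighbour address, one spoofed address of a host behind the upstream
# (the pattern of a reflection attack launched from inside), one bogon.
SAMPLE_PACKETS = [("192.0.2.9", "cust-a"), ("198.51.100.9", "cust-a"),
                  ("203.0.113.10", "cust-a"), ("10.9.9.9", "cust-a")]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_PACKETS):
        print(row)
```

Loose mode passes the spoofed 203.0.113.10 source because a route to it exists somewhere in the table; only strict mode or the per-customer ACL drops it, which is why the slide lists ACLs alongside uRPF for edge devices.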
Agenda

• Advanced DDoS Trends

• Next Generation DDoS Protection



Hybrid DDoS mitigation

A Recommended Industry Best Practice:

1. Stop session exhaustion and application layer DDoS attacks (State & Application, at the Customer).
2. Intelligent communication between both environments.
3. Stop volumetric attacks in the In-Cloud Scrubbing Center (Volume, at the Internet Service Provider).


Improving Hybrid DDoS mitigation

1. How to deploy CPE-based protection for the masses? (State & Application, at the Customer)
2. How to make this communication open and widely supported?
3. How to scale the Scrubbing Center to Terabit attacks? (Volume, at the Internet Service Provider)
MSSP view on CPE-based DDoS protection

A growing business, but…
• Shipment of the appliance or installation of the VM
• Rack & stack, configuration and provisioning
• Maintenance

It does not look like those problems are specific to DDoS mitigation appliances.


DDoS function as a VNF

Cloud CPE or Telco Cloud:
• DDoS VNF is deployed in the Telco Cloud along with other VNFs

Universal CPE:
• DDoS VNF runs at the edge of the enterprise network on the CPE

(Diagram: Internet Service Provider hosting the Telco Cloud, connected to the Customer.)

Demonstrates Arbor's market and thought leadership
DDoS VNF onboarding experiences
• Onboarding of DDoS VNF into MANO is easy
– If you don’t have HW dependency (offload of forwarding or filtering to
ASIC/NPU/FPGA)
– If you support cloud-init and REST API
• Performance is predictable
• Scaling in Cloud CPE mode is easy
– You control the compute resource
• Healing is also easy
– … because it is “merciful killing”
• Enabling operators to integrate Arbor’s solutions into orchestrated
service delivery platforms



DDoS Open Threat Signaling (DOTS)

The documents are in the final stage:
• The informational documents are mature and will be RFCs soon.
• The protocol documents are stabilizing, and have been used as references for working implementations:
  – 4 implementations exist, one of them is open source.
• DOTS protocols may reach RFC status in the calendar year.

From https://datatracker.ietf.org/meeting/93/materials/slides-93-dots-3/


DOTS: how it works?

Signal channel (in scope of DOTS): the DOTS client, on the Victim side, sends a Mitigation Request to the DOTS server, on the Mitigator side; the server answers with Mitigation Updates.

Data channel (optional, in scope of DOTS): Aliases, B/W lists, Filters, Policies.

Out of scope of DOTS: the Attack itself, the Victim and the Mitigator.
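The diagram only names the messages; to make the exchange concrete, here is an added example (not from the slides and not a conformant DOTS stack) of a client at the victim asking a server at the mitigator for mitigation, the server checking the request against what the client provisioned earlier over the data channel (prefixes and aliases), and the client later withdrawing it. The field names ("target-prefix", "alias-name", "target-port-range", "target-protocol", "lifetime", "mid"), the default lifetime of 3600 seconds and status value 1 = attack-mitigation-in-progress follow the DOTS signal channel as later published in RFC 8782; response codes are CoAP codes since the signal channel runs over CoAP. The client id, addresses and alias are constructed.

```python
import ipaddress
from itertools import count

# Signal-channel names and status 1 follow RFC 8782 (see lead-in); the rest of this
# file is a simplified model of the slide's diagram, not a DOTS implementation.
MITIGATION_IN_PROGRESS = 1
DEFAULT_LIFETIME = 3600  # seconds, RFC 8782's default mitigation lifetime

class DotsServer:
    """Runs at the mitigator. Holds, per client id (cuid), the prefixes that client
    may request mitigation for and the aliases it provisioned over the data channel."""

    def __init__(self, provisioned):
        self.provisioned = provisioned  # cuid -> {"prefixes": [...], "aliases": {name: [...]}}
        self.active = {}                # (cuid, mid) -> mitigation record

    def _authorized(self, cuid, prefix):
        net = ipaddress.ip_network(prefix)
        return any(net.subnet_of(ipaddress.ip_network(p))
                   for p in self.provisioned[cuid]["prefixes"])

    def mitigate(self, cuid, mid, scope):
        """Handle a mitigation request (PUT on the signal channel)."""
        if cuid not in self.provisioned:
            return {"code": "4.04", "mid": mid, "detail": "unknown client"}
        entry = self.provisioned[cuid]
        targets = list(scope.get("target-prefix", []))
        for alias in scope.get("alias-name", []):
            if alias not in entry["aliases"]:
                return {"code": "4.00", "mid": mid, "detail": f"unknown alias {alias}"}
            targets.extend(entry["aliases"][alias])
        if not targets:
            return {"code": "4.00", "mid": mid, "detail": "empty mitigation scope"}
        for target in targets:
            if not self._authorized(cuid, target):
                # A client may only request mitigation for resources it owns.
                return {"code": "4.01", "mid": mid, "detail": f"{target} outside client scope"}
        record = {
            "targets": sorted(set(targets)),
            "ports": scope.get("target-port-range", []),
            "protocols": scope.get("target-protocol", []),
            "lifetime": scope.get("lifetime", DEFAULT_LIFETIME),
        }
        self.active[(cuid, mid)] = record
        return {"code": "2.01", "mid": mid, "status": MITIGATION_IN_PROGRESS,
                "lifetime": record["lifetime"], "targets": record["targets"]}

    def withdraw(self, cuid, mid):
        """Handle a mitigation withdrawal (DELETE on the signal channel)."""
        if self.active.pop((cuid, mid), None) is None:
            return {"code": "4.04", "mid": mid, "detail": "no such mitigation"}
        return {"code": "2.02", "mid": mid}

class DotsClient:
    """Runs next to the victim's on-premises detector; builds signal-channel requests."""

    def __init__(self, cuid, server):
        self.cuid, self.server = cuid, server
        self._mids = count(1)  # mitigation ids are chosen by the client

    def request_mitigation(self, prefixes=(), aliases=(), ports=(), protocols=(),
                           lifetime=DEFAULT_LIFETIME):
        scope = {
            "target-prefix": list(prefixes),
            "alias-name": list(aliases),
            "target-port-range": [{"lower-port": p, "upper-port": p} for p in ports],
            "target-protocol": list(protocols),  # IANA protocol numbers, 6 = TCP
            "lifetime": lifetime,
        }
        mid = next(self._mids)
        return mid, self.server.mitigate(self.cuid, mid, scope)

    def withdraw(self, mid):
        return self.server.withdraw(self.cuid, mid)

# Constructed provisioning data: what the data channel would have set up earlier.
PROVISIONED = {
    "client-42": {
        "prefixes": ["198.51.100.0/24"],
        "aliases": {"web-farm": ["198.51.100.10/32", "198.51.100.11/32"]},
    }
}

def demo():
    """One accepted request via an alias, one rejected out-of-scope request, one withdrawal."""
    server = DotsServer(PROVISIONED)
    client = DotsClient("client-42", server)
    mid, accepted = client.request_mitigation(aliases=["web-farm"], ports=[443], protocols=[6])
    _, rejected = client.request_mitigation(prefixes=["203.0.113.5/32"])
    withdrawn = client.withdraw(mid)
    return accepted, rejected, withdrawn

if __name__ == "__main__":
    for message in demo():
        print(message)
```

The scope check is the part worth keeping in mind when deploying DOTS: the server must refuse requests for prefixes the client does not own, otherwise a compromised on-premises device could trigger upstream mitigation, and collateral blocking, for someone else's addresses.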
Automation of FlowSpec

Rate-limit Amplification DDoS (example: Memcached amplification). The DDoS scrubbing center announces a FlowSpec rule:
  Protocol: UDP
  SRC port: 11211
  DST IP: victim/32
  Action: rate-limit to 0
Automation of FlowSpec

Offload blocking of identified bots. Attack classes handled this way: UDP to random ports, non-spoofed TCP attacks, application layer attacks.

Rule 1 (divert to the DDoS scrubbing center):
  Protocol: UDP
  DST IP: victim/32
  Action: redirect to IP

Rule 2 (per identified bot):
  SRC IP: identified bot
  DST IP: victim/32
  Action: rate-limit to 0
Future of network integration
• Better scalability for FlowSpec support
– More FlowSpec rules supported in Control and Data plane
• More granular redirection rules and rate limiting policies using FlowSpec
interface-set
– draft-ietf-idr-flowspec-interfaceset-03
• Consistent approach to reporting on FlowSpec rules
– A lot of proprietary options available
– Is there a consensus on using netflow with egress_interface == 0 for dropped traffic?
– Will OpenConfig or YANG models be adopted?
• https://tools.ietf.org/html/draft-wu-idr-flowspec-yang-cfg-02
• Tighter integration with network equipment to offload additional blocking rules
Thank You.

Patrick Lin
plin@arbor.net

www.netscout.com

