yuri-alimov
Distributed Mitigation Managed Service against DDoS (DMMS)
www.iptp.net
Better network, not just a bigger one.

Clean Pipe vs IPTP DMMS Network
We compare 2 ways of mitigating a DDoS attack:
1. Traditional, known as Clean Pipe or Cleaning Center Solution
2. Distributed Mitigation Managed Service (DMMS) by IPTP Networks
The comparison will be based on 4 aspects associated with DDoS mitigation:
1. Latency
2. Reaction time
3. Bandwidth
4. Expenses

Dangers of DDoS
[Chart: Survey of DDoS attack size peaks over the years, 2009 to 2016, vertical axis 0 to 600 Gbps; labelled peaks: 100 Gbps, 60 Gbps, 500 Gbps, 602 Gbps]

Loss in revenue
Estimated loss in revenue for each minute of downtime. *
[Pie chart: share of responses by loss range. Ranges: $1–10, $10–100, $100–1 000, $1 000–5 000, $5 000–10 000, $10 000–25 000, $25 000–50 000, $50 000–100 000, over $100 000, hard to determine. Segment labels: 1%, 8%, 12%, 15%, 5%, 5%, 7%, 11%, 21%, 15%]
Average total loss per minute: $21,699
* Ponemon Institute© Research Report

What is volumetric DDoS?
Volumetric distributed Denial-of-Service (DDoS) is a special type of denial-of-service attack where the malicious traffic is generated from multiple sources.
[Diagram: ISP1, ISP2, ISP3, Global Internet, Target Server]

How Clean Pipe solution works?
[Diagram: ISP1, ISP2, ISP3, Global Internet, Target Server, Cleaning Center, Fake Target]

IPTP DMMS Network
[Diagram: ISP1, ISP2, ISP3, Global Internet, DMMS Network]

1.1 Latency
CLEAN PIPE OR CLEANING CENTER
The route of an IP packet during a volumetric DDoS attack, when redirected through the Cleaning Center.
[Diagram: Web-site visitor, ISP1, ISP2, Cleaning Center, ISP3, Target Server, with five "+50 ms" labels along the route]

1.2 Latency
IPTP DMMS NETWORK
• IP packets do not go any extra distances. They move from the web-site visitor to the Target Server and back exclusively via our distributed firewalls.
• All our firewalls are geographically dispersed across the globe, applying distributed protection against volumetric DDoS while adding no latency.
The route of an IP packet during a volumetric DDoS attack, when protected by IPTP DMMS Network.
[Diagram: Web-site visitor, IPTP Networks, IPTP Firewall, Target Server]

2.1 Reaction Time
CLEAN PIPE OR CLEANING CENTER
It can take from 30 minutes to 1 hour and even longer for the mitigation to begin.
[Diagram: DDoS, Detect, Report to provider, Establish a tunnel]

2.2 Reaction Time
Reaction time is the time from detection of a DDoS attack to a counter-reaction against it.
Cleaning Center: up to 3600 sec
vs
IPTP DMMS Network: ≈ 0 sec

2.3 Reaction Time
IPTP DMMS NETWORK
[Diagram: Botnet, Web-site visitor, Router, IPTP firewall, IPTP global MPLS network, IPTP Firewall, Target server]
• The traffic is filtered directly at the border of IPTP DMMS Network.
• No manual set-up.
• No tunnel required.

3.1 Bandwidth
CLEAN PIPE OR CLEANING CENTER
• A Cleaning Center is normally located at one geographical point, with limited internet capacity.
• When the attack size exceeds the Cleaning Center's capacity, it results in channel aggregation as the ports cease to withstand the traffic load.
[Diagram: ISP1, ISP2, ISP3, ISP4, Cleaning Center, Target Server]

3.2 Bandwidth
IPTP DMMS NETWORK
• Network capacity of over 30 Tb/s allows the network to withstand heavy-bandwidth DDoS attacks without the risk of service degradation.
• Distribution of traffic among multiple points in our network: no combined volume of traffic on one network node.
Over 1500 10 Gbps ports
Total capacity: 30 Tbps
Datacenters in 22 countries

4.1 Expenses
CLEAN PIPE OR CLEANING CENTER
• When additional bandwidth is required, the ISP will charge the DDoS Mitigation Service Provider, increasing the mitigation costs.
[Diagram: ISP1, ISP2, ISP3, ISP4, Cleaning Center, Target Server, with "$" labels: Bill for bandwidth, Bill for traffic]

4.2 Expenses
IPTP DMMS NETWORK
• Can mitigate bandwidth-heavy DDoS attacks while applying no additional charges for the traffic.
• Advanced firewalls can handle multiple gigabits of traffic and filter any type of flood (ICMP, UDP, SYN and others).

Summary
• No reaction time.
• No added latency.
• Bandwidth limits higher by an order of magnitude.
• No extra charges for bandwidth overload.
• No volumetric DDoS.

Distributed Mitigation Managed Service against DDoS by IPTP Networks is:
• Geographical distribution
• Advanced firewalls
• High network capacity
• Zero reaction time
• No extra traffic charges
• No additional latency
IPTP DMMS Network