
Page 1: Intent Based Detection and Mitigation Day 2013...DDoS attacks; typically requires an update license, Dedicated Device Model: Inline detection, mitigation and reporting. Auto detection

1 Fortinet Confidential

Zbynek Lebduska, Fortinet

Introducing FortiDDoS: Intent Based Detection and Mitigation

Page 2

Defining DoS & DDoS

• DoS = Denial of Service attack
  » An attempt to make a resource unavailable to its intended users, executed with:
    • Non-legitimate traffic
    • A high volume of legitimate traffic exhausting resources
• DDoS = Distributed Denial of Service attack
  » A DoS attack that originates from many different places (geographically and on the network)

[Chart: CPU/MEM consumption (1–100) against traffic volume (1–10000, log scale)]

Page 3

Architecture of DDoS attack – example 1

Page 4

Architecture of DDoS attack – example 2

[Diagram: Attacker, Handler, Zombie, Victim]

Page 5

DDoS on the rise – tools are easily available

• Botnets available at very little cost
  » Digital black market
  » Botnet of 10,000 zombies: approx. $50 per 24 hours
• Software tools allow anyone to participate in a distributed attack
  » LOIC, HOIC, Letdown, …
  » WebLoic (LOIC for Android)

Page 6

Typical DDoS Motivations

• Financial
  » DDoS provides a revenue stream opportunity for the attacker who targets e-commerce sites
  » How much would you pay to keep the store open?
• Political
  » DDoS is used to protest about a given issue or to disrupt operations; the primary motivation is not financial
  » The Armchair Hacktivist
• Whatever the motivation, the result is the same: denial of legitimate access

Page 7

What to attack?

• Four main areas are vulnerable:
  » Bandwidth: flood with illegitimate traffic to fill available capacity
  » Firewall / IPS device: connection tables, forwarding and session set-up processing
  » Web hosting servers: server vulnerabilities, process and connection limits
  » Back-end database servers: server resources, SQL injection vulnerabilities

[Diagram: ISP 1 / ISP 2 → Firewall → Web Hosting Center → Back End Database Servers]

Page 8

The Classification of Attacks

• Volumetric Attacks
  » Designed to consume available Internet bandwidth or overload server resources.
  » Typical examples: SYN Flood, UDP Flood, ICMP Flood, SMURF attacks.
• Application Layer Attacks
  » More sophisticated; attractive to the attacker since they require less resource to carry out (botnet costs)
  » Target vulnerabilities in applications to evade flood detection strategies
• Cloud Infrastructure Attacks
  » Cloud solutions can turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail & web servers)
  » Mitigation can be complex, and any attack can impact multiple customers

Page 9

Approaches to DDoS Prevention

• Scrubbing Service from Internet or Cloud Service Providers
  » Model: Managed service subscription model. Usually separate detection and mitigation
  » Pros: Easy sign-up and deployment
  » Cons: Expensive, inflexible, costs can rise during an attack
• Firewall / IPS
  » Model: Integrated device for FW/IPS and DDoS prevention
  » Pros: Single device, simplified architecture, fewer units to manage
  » Cons: Not designed to detect/block sophisticated DDoS attacks; typically requires an update license
• Dedicated Device
  » Model: Inline detection, mitigation and reporting. Auto detection of a wide range of DDoS attacks
  » Pros: Cost effective, no unpredictable or hidden charges. Multi-layer, accurate, fast, scalable and easy to deploy
  » Cons: Additional network element

Page 10

Introducing FortiDDoS

Hardware Accelerated DDoS Defense – Intent Based Protection

• Rate Based Detection
  » Signature Free Defense
• Hardware Accelerated DDoS Defense
  » Hardware based protection
  » Uses the newest member of the FortiASIC family, FortiASIC-TP™
• Inline Full Transparent Mode
  » No MAC address changes
• Self Learning Baseline
  » Adapts based on behavior
• Granular Protection
  » Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram: FortiDDoS™ deployed between ISP 1 / ISP 2 and the Firewall / Web Hosting Center, passing legitimate traffic and stopping malicious traffic]
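The slide lists rate-based, signature-free detection, a self-learning baseline and multiple thresholds without showing how they fit together. The following is an added illustration of that combination (not FortiDDoS code, and not taken from the slides): a per-counter baseline is re-estimated continuously from recent clean samples, two thresholds above it ("watch" for a subtle change, "drop" for a flood) are derived from multipliers, and samples judged anomalous are never fed back into the baseline so a flood cannot train the detector to accept itself. The counter names, window size, floor, multipliers and the SYN/s sample feed are all constructed assumptions.

```python
"""Rate-based, signature-free detection with a self-learning baseline and
two thresholds (watch / drop).  Added example, not FortiDDoS code; every
rate and parameter below is a constructed assumption."""
from collections import deque
import statistics

# Threshold multipliers above the learned baseline (assumed values).
WATCH_FACTOR = 2.0   # subtle change: raise an event, keep watching
DROP_FACTOR = 4.0    # clear flood: mitigate by dropping the excess


class RateBaseline:
    """Self-learning baseline for one per-second packet counter (e.g. SYN/s).

    The baseline is continuously re-estimated from a sliding window of recent
    samples that were judged clean: mean + 3 standard deviations, never below
    `floor`.  Anomalous samples are *not* appended to the window, so an
    ongoing flood cannot raise its own thresholds.
    """

    def __init__(self, window=60, floor=50.0):
        self.samples = deque(maxlen=window)
        self.floor = floor  # minimum baseline; keeps idle links from alarming on noise

    def baseline(self):
        """Current learned base rate (packets per second)."""
        data = list(self.samples)
        if len(data) < 2:
            # Too little history: stay conservative with the floor and what was seen
            return max([self.floor, *data])
        mean = statistics.fmean(data)
        sd = statistics.pstdev(data)
        return max(self.floor, mean + 3 * sd)

    def classify(self, rate):
        """Return 'ok', 'watch' or 'drop' for one sample; learn only from clean ones."""
        base = self.baseline()
        if rate >= base * DROP_FACTOR:
            return "drop"
        if rate >= base * WATCH_FACTOR:
            return "watch"
        self.samples.append(rate)
        return "ok"


def run_detector(feed):
    """feed: iterable of (counter_name, rate_per_second), one sample per second.

    One RateBaseline is kept per counter (syn, udp, icmp, ...), so each traffic
    type gets its own learned limits.  Returns (counter_name, rate, verdict) tuples.
    """
    detectors = {}
    verdicts = []
    for name, rate in feed:
        det = detectors.setdefault(name, RateBaseline())
        verdicts.append((name, rate, det.classify(rate)))
    return verdicts


# Constructed sample feed (not measured data): one minute of normal SYN/s,
# then a SYN flood that ramps up, peaks and subsides.
CLEAN_SYN = [95, 105, 98, 110, 92, 100] * 10
FLOOD_SYN = [300, 5000, 8000, 150]
SAMPLE_FEED = [("syn", r) for r in CLEAN_SYN + FLOOD_SYN]

if __name__ == "__main__":
    for name, rate, verdict in run_detector(SAMPLE_FEED)[-5:]:
        print(f"{name:4s} {rate:6d} pkt/s -> {verdict}")
```

With the constructed feed the learned baseline settles at roughly 118 SYN/s, so the 300 SYN/s ramp-up lands in "watch", the 5000 and 8000 SYN/s seconds in "drop", and the 150 SYN/s recovery sample is accepted again because the flood samples never entered the window.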

Page 11

[Block diagram: inbound and outbound packets enter a Multiplexer; the FortiASIC Traffic Processor (TP) makes the allow/drop decision; allowed packets are forwarded, and dropped packets are reported through SNMP Traps/MIBs, Syslog and Event Notifications]

• Virtualization
• FortiASIC Traffic Processor (TP) – detection and mitigation blocks:
  » Network, Transport, Application Layer Rate Anomaly Prevention
  » Dark Address, Geo-location, IP Reputation
  » Network, Transport, Application Layer Access Control Lists
  » Anti-spoofing
  » Network, Transport, Application Layer Header Anomaly Prevention
  » State Anomaly Prevention
  » Application Layer Heuristics
  » Source Tracking
• Control and Statistics:
  » Event / Traffic Statistics, Graphs
  » Threshold Wizard, Continuous Adaptive Threshold Estimation
  » Policy Configuration, Archive, Restore

Page 12

Virtual Partitions

• Uniquely enables up to eight segmented zones
  » Segmentation by server address / subnet
• Consider a customer with multiple traffic types
  » Web Browsing
  » Firmware Updates
  » Online Ordering
• Separate policies for unique traffic patterns
  » Connection patterns could differ from server to server
• Need to protect services from each other
  » Mitigation could include limiting the volume of firmware downloads

[Diagram: Links from ISP(s) → FortiDDoS (DDoS Protection) → FortiGate (Firewall) → Corporate site]
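The partition idea on this slide (zones keyed by server subnet, each with its own policy, so that one service cannot starve another) is shown below as an added example; it is not FortiDDoS code or configuration. Each zone gets an independent per-second byte budget, packets are assigned to a zone by destination subnet, and a burst toward the firmware server is trimmed to that zone's budget while the web zone is untouched. The subnets, budgets and the sample packet burst are constructed assumptions.

```python
"""Virtual partitions: assign protected servers to zones by subnet and apply
a separate volume policy per zone.  Added example, not FortiDDoS code;
subnets, budgets and the sample burst are constructed assumptions."""
import ipaddress

# Constructed zones: name -> (protected server subnet, byte budget per second).
PARTITIONS = {
    "web":      (ipaddress.ip_network("203.0.113.0/26"),   50_000_000),
    "firmware": (ipaddress.ip_network("203.0.113.64/26"),   5_000_000),
    "ordering": (ipaddress.ip_network("203.0.113.128/26"), 20_000_000),
}


def partition_for(dst_ip, partitions=PARTITIONS):
    """Return the zone protecting dst_ip, or None if it is not a protected server."""
    addr = ipaddress.ip_address(dst_ip)
    for name, (net, _budget) in partitions.items():
        if addr in net:
            return name
    return None


class PartitionLimiter:
    """Per-zone byte budget per one-second interval.

    Each zone has its own bucket, so exhausting the firmware zone's budget
    never consumes the web or ordering zones' budgets: the services are
    protected from each other, which is the point of the partitions.
    """

    def __init__(self, partitions=PARTITIONS):
        self.partitions = partitions
        self.used = {}  # (zone, second) -> bytes admitted during that second
        self.stats = {z: {"allowed": 0, "dropped": 0} for z in partitions}

    def admit(self, second, dst_ip, nbytes):
        """Decide one packet: True = forward, False = drop (zone budget exceeded)."""
        zone = partition_for(dst_ip, self.partitions)
        if zone is None:
            return True  # unprotected destination: outside this example's policy
        _net, budget = self.partitions[zone]
        key = (zone, second)
        if self.used.get(key, 0) + nbytes > budget:
            self.stats[zone]["dropped"] += nbytes
            return False
        self.used[key] = self.used.get(key, 0) + nbytes
        self.stats[zone]["allowed"] += nbytes
        return True


def replay(flows, partitions=PARTITIONS):
    """flows: iterable of (second, dst_ip, nbytes).  Returns per-zone byte stats."""
    limiter = PartitionLimiter(partitions)
    for second, dst_ip, nbytes in flows:
        limiter.admit(second, dst_ip, nbytes)
    return limiter.stats


# Constructed one-second burst: 4,000 full-size packets toward the firmware
# server (6 MB, above its 5 MB budget) alongside 1,000 toward a web server.
SAMPLE_FLOWS = [(0, "203.0.113.70", 1500)] * 4000 + [(0, "203.0.113.10", 1500)] * 1000

if __name__ == "__main__":
    for zone, counters in replay(SAMPLE_FLOWS).items():
        print(f"{zone:9s} allowed={counters['allowed']:>9d} dropped={counters['dropped']:>9d}")
```

In the replay the firmware zone admits 3,333 packets (4,999,500 bytes) and drops the remaining 667, while the web zone forwards all 1.5 MB, because the two zones never share a bucket.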

Page 13

FortiDDoS product line

Model           LAN                           WAN                           FortiASIC           Protection
FortiDDoS 100A  2 x 1G (copper and optical)   2 x 1G (copper and optical)   2 x FortiASIC-TP1   1Gbps full duplex
FortiDDoS 200A  4 x 1G (copper and optical)   4 x 1G (copper and optical)   4 x FortiASIC-TP1   2Gbps full duplex
FortiDDoS 300A  6 x 1G (copper and optical)   6 x 1G (copper and optical)   6 x FortiASIC-TP1   3Gbps full duplex

Page 14

March 22, 2013

Thank You

Page 15

Selected Customers Worldwide