Rewriting the Rules for DDoS Protection in 2015

Re-Writing the Rules for DDoS Defense On-Prem + Cloud Based Protection

Stephen Gates - Chief Security Evangelist

© 2014 Corero www.corero.com

DDoS Attacks, 2013-2014

Figure: Total attack bandwidth (Gbps) from June 2013 to July 2014, vertical axis 100 to 400 Gbps. Data shown represents the top ~2% of reported attacks. Annotated dates: June 21 2013; Aug 9 2013; Dec 4 2013; Dec 31 2013; Mar 17 2014; Mar 29 2014; June 23 2014. Annotation labels: Hong Kong voting sites; major hosting sites.

• 20% of data center downtime is caused by a DDoS attack
• 86 minutes is an average of data center downtime due to DDoS attacks
• $8K per minute is the average cost of this downtime
• $700K per incident is the average cost of a DDoS outage

Source: Network Computing/Ponemon Institute

Source: Digital Attack Map - DDoS attacks around the globe

DDoS Digital Attack Map

http://www.digitalattackmap.com/

Volumetric

Application

TCP Connect

Fragmented

According to a recent survey conducted by the SANS Institute…

“The most damaging DDoS attacks mix volumetric attacks with targeted, application-specific attacks.”

Are the attackers getting smarter?

Researchers are finding an uptick in the number of new techniques

Attackers defeating traditional protection (Firewall, ACL, Blackhole)

Attackers are developing new methods of bypassing defenses

What tools are the attackers using?

• High Orbit ION Cannon
• Low Orbit ION Cannon
• HULK
• SlowHTTPtest
• Hping3
• NMAP
• Metasploit
• Slowloris
• KillApache.pl

www.yoursite.com

Can your existing security layers handle the onslaught?

Volumetric Attack Components

• Bandwidth Saturation
• Connection Saturation
• Spoofed Connections
• Reflections/Amplifications
• Fragments
• Partial Saturation

Concerns with partial saturation attacks

Beyond very small attacks exhausting or slowing a particular resource

Worse than traditional attacks targeted at disabling infrastructure

New attacks that are a diversion for some larger threat (data exfiltration, planting malware, etc.)

Businesses need protection from the Internet

With a first line of defense that:

• PREVENTS network/service outages by blocking attacks in real time
• EXTENDS the effective life of your existing security investments
• PROVIDES insight into attacks and evolving threats
• ASSURES customers can access online services

Proper DDoS Protection

Three options

• On-Premises
• Cloud/Hosted
• Hybrid

On-premises and in-line: Threat mitigation benefits

• Always-on, real-time protection
• Complete, comprehensive security event visibility
• Inspection, analysis, alerting and real-time mitigation
• Protects against layer 3–7 attacks
• Do-no-harm approach

On-premises and in-line: Operational benefits

• Improved response time and mitigation for the vast majority of attacks
• Allows highly-trained staff to focus on more nefarious threats
• Broad protection at all layers protects critical infrastructure and optimizes its performance
• Service availability protects business integrity and increases productivity

On-premises and in-line: Cost benefits

• Fraction of the cost compared to scrubbing or out-of-band solutions
• Protects downstream security investments
• Allows skilled (and highly-paid) staff to focus on higher-layer threats, not mundane operational tasks

Cloud/Hosted Scenario

If scrubbing is an option that your business is committed to, consider the following:

• Always on, or on demand
• Cost implications
• Total event traffic captured and analyzed
• Manual/human intervention
• Duration of large scale attacks
• Application layer attacks

What will it take to eliminate this problem?

Figure (network diagram) labels: Good Users; Attackers; Good Traffic; Attack Traffic; Service Provider Defenses (L3-L4); Attack Leakage; On-Premises Defenses (L3-L7); Protected Critical Infrastructure.

Figure (Cloud Service Pricing) labels: Base Service; Always on; Redirection Method; Attack Type; Size of Attack; price scale $ to $$$$.

Figure (Attack Detection to Prevention Process) labels: Attack Begins; Attack Detected; Time to Reroute; Rerouted to Scrubbing Center; time scale 10, 20 and 30 minutes.

Conclusions: There is no one-size-fits-all solution

What is Your DDoS Protection Plan?

• Plan for day-to-day protection against baseline attacks
• Consider solutions that you can turn around and monetize
• Think about the cost of mitigation in a 24/7 attack environment: human and capital
• Prepare for larger sustained attacks and massive spikes

Advanced DDoS/Cyber Threat Protection

Comprehensive Visibility

Next Generation Architecture

Corero SmartWall® Network Threat Defense

ADVANCED DDOS & CYBER THREAT DEFENSE TECHNOLOGY

BUILT ON NEXT GENERATION ARCHITECTURE

COMPREHENSIVE ATTACK VISIBILITY & NETWORK FORENSICS

SmartWall Threat Defense System (TDS)

Enterprises & Service/Hosting Providers

On-Premises or Cloud deployments

Protection in modular increments of 10 Gbps

In-line or scrubbing topologies

Comprehensive Visibility

Powered by Corero First Line of Defense®

VALUABLE RAW DATA

• Security Events
• Threat Intelligence
• System Health Data
• Forensics Data
• Network Statistics

ACTIONABLE SECURITY ANALYTICS & VISUALIZATION

• Real-time Dashboards
• Historical Reporting
• Forensic Analysis
• Behavioral Analysis

Virtual SOC Portal

Powerful Analytics Engine

Visibility – Attack Analytics & Reporting

Corero SecureWatch® Analytics Portal

• Corero Secure Operations Center: CORERO SOC CAN REMOTELY ASSIST CUSTOMERS AND PARTNERS
• Corero Partner: CORERO PARTNERS CAN VIEW DASHBOARDS OF CUSTOMERS THEY MANAGE
• Corero Customer: CORERO CUSTOMERS CAN VIEW DASHBOARDS OF THEIR OWN DATA

Figure labels: Internet; Corero SecureWatch Analytics App (Dashboards 1 to 6); Site A; Site B.

First Line of Defense Applications

• In the Cloud: Service providers, IT hosting and Cloud providers
• On Premises: Enterprises – financial services, e-commerce providers, gaming, education

Figure labels: Internet; SP; 1-10 Gbps; SLB/ADC; IPS/APT; WAF; Protected Critical Infrastructure and Services.

NEXT STEPS

Arrange for a proof of concept

Learn more at: www.corero.com

Join the Conversation: @Corero, @StephenJGates, @SecurityBistro

Corero Security Blog – The Security Bistro: www.securitybistro.com

Thank You!

For a copy of this presentation: [email protected]