
DDoS – Am I a Target?

Kalle Bjorn
Director, Systems Engineering – Middle East

9/14/21
FORTINET HIGHLIGHTS

A leader of multi-billion dollar security market
• Top 4 in security appliances market
• Fast-growth security segments

Advanced technology and products
• 121 patents; 95 pending

Strong global footprint
• 2,000+ employees; 30+ offices worldwide

Blue chip customer base
• 150,000+ customers (incl. majority of Global 100)
• Shipped 1M+ FortiGate appliances to date

Strong financial stability
• FY12 revenues: $534M (23% YoY growth)
• FY12 billings: $602M (27% YoY growth)
• Cash flow positive & profitable
• Strong balance sheet: $740M+ in cash; no debt
FORTINET PRODUCT PORTFOLIO

FortiGate – Network Security Platform
FortiMail – Messaging Security Gateway
FortiDB – Database Security Solution
FortiDDoS – Application D/DOS Mitigator
FortiWeb – Web Application Firewall
FortiScan – Vulnerability Management
FortiAuthenticator – Access Management
FortiAP – Wireless Access
FortiBalancer – Application Delivery
FortiDNS – High Performance DNS Server
FortiSwitch – Wired Access
FortiCache – Content Caching
FortiVoice – VoIP & IP Telephony
FortiClient – Endpoint Security
FortiToken – 2-Factor Authentication
FortiManager – Centralized Device Management
FortiAnalyzer – Centralized Logging & Reporting
FortiGuard – Security & Network Services
FortiCare – Support Services
FortiCloud – Hosted Services

Also Available as Virtual Appliance
IN THE PRESS…

… MORE RECENTLY …

… AND EVEN MORE RECENTLY

Step 1: Buy BitCoins
Step 2: ?
Step 3: PROFIT!
INTRODUCTION TO DoS/DDoS ATTACKS

[Diagram: Handlers → Agents → Victim(s) / Critical IT Services]
DDoS VOLUMETRIC ATTACK TRENDS

Centralized execution, decentralized chaos
• Spoofed attacks – fewer machines, limited power
• Non-spoofed bot clients – more machines, more power
• Bot servers – more power and bandwidth, socially engineered, more with less
FS-ISAC CALLS FOR LAYERED DEFENSES

“…traditional measures are ineffective against today’s DDoS attacks.”
Financial Services Information Sharing and Analysis Center (FS-ISAC)
VOLUME AND MOTIVATION

Size isn’t everything
• Maximum size of a DDoS attack decreased from 2010 to 2011 for the first time
• Fewer than 10% of attacks > 10 Gbps
• More than 75% of attacks < 1 Gbps

Fewer than half knew why they were attacked
• More than 20% political
• More than 10% unhappy users
• Fewer than 5% financial extortion
COST AND MITIGATION

How much?
• More than half say <10K/hr
• More than 10% say >100K/hr
• 80% in financial services say >10K/hr

Current mitigation
• Most use firewalls/IDS/IPS/routers/switches
• Reasonable % have no protection
• Less than 5% have dedicated hardware
DDoS AND MARKET TRENDS

New attack methods
• Data per attack decreasing
• Layer 3 & 4 detection less effective
• Data centre protection surpassed carrier protection in 2012
• Layer 7 attacks are the fastest-growing source of DDoS
THE EVOLUTION OF DDoS MITIGATION

New defenses

Historically:
• Large attack focus
• Vulnerable to attack
• Limited mitigation
• Spoofed
• Slow response
• Human intervention

Next Generation:
• Behavioral and heuristic learning
• Detecting small targeted attacks
• Hardware assisted solutions
• Automatic mitigation
• Removal of threat to service

NEW DEFENSES SPUR THE DEVELOPMENT OF NEW ATTACKS
DIFFERENTIATED SERVICES ARE CRITICAL

The new goal:
• Identify and maintain critical business services
• New levels of visibility
• Improved flexibility in identifying services
• Not all services have the same level or priority
• Business reputation is paramount
• No single resource is inexhaustible
• Scaling managed solutions should not detract from or reduce granularity
WHY IMPLEMENT DoS/DDoS PROTECTION TODAY?

• Projecting from current trends analysis, any organization has a 75% chance of being DDoS’ed over the next 12 months
• DDoS attacks are increasing by 20%-45% annually
• The average overall loss of a 24 hour DDoS attack is $2M*
• The average loss per hour of downtime due to a DDoS attack is $100,000*
• It’s hard to prevent … distinguishing between bona-fide traffic and attack traffic is the difficulty
• Nobody is safe; many examples of attacks at all levels including Visa/Mastercard, hosting providers, governments (India, Sweden)

* Ponemon Institute Study, August 2011

WHY IMPLEMENT DoS/DDoS PROTECTION TODAY?

HOW EASY IS IT TO ATTACK?
DDoS THREAT TRENDS NOW: 2012 Q4

Q4 2012
• 18.6% → 24.95%: proportion of application layer attacks, Q3 → Q4 2012
• 27.5%: increase in number of attacks, Q3 → Q4 2012
• 32.2 hours: average attack duration
• 5.9 Gbps: average attack traffic bandwidth
• More: DDoS toolkits can send more diverse traffic protocols

Source: Prolexic_Quarterly_Global_DDoS_Attack_Report_Q412
DoS/DDoS PROTECTION: THE MITIGATION GAP

• Surveyed 1000 IT professionals across 26 industries in the US, Q1 2012

• PREVALENCE?
  • 300+ reported having been DDoS attacked

• BIGGEST FEAR?
  • Customer service (51%)
  • Negative brand impact (25%)
  • Revenue loss (19%)

• ATTACK DURATION?
  • More than 24 hours (35%)
  • More than 1 week! (11%)

• TYPE OF DDoS PROTECTION USED?
  • Firewalls/Routers/Switches (56%)
  • None (25%)
  • IDS/IPS (11%)
  • Other (3%)
  • DDoS Mitigation Hardware (5%) !!

*Source – Neustar Insights: DDoS Survey Q1 2012
WHERE IS THE DDoS SILVER BULLET SOLUTION?

[Diagram: Enterprise – ISP – IT Services, shown three times with the mitigation function placed differently]
• Option A – ISP: scrubbing solution at the ISP
• Option B – Cloud: cloud based scrubber
• Option C – Dedicated: IT service protection, a dedicated detection & mitigation solution
EXISTING SOLUTIONS ARE BROKEN

Software or general CPU-based
• High traffic volume can cause false positives
• Can’t “set it and forget it” (IDC 2011)

Service-based
• High and generally unpredictable costs
• Slower and inflexible
• Customer lacks control (Frost & Sullivan 2011)

Traditional firewall/IPS
• Ineffective against sophisticated attacks
• Problems scaling to high-volume attacks
• Complex (IDC 2011)
EXISTING SOLUTIONS ARE BROKEN

Small and mid sized enterprises are particularly vulnerable to attacks

Enterprises with multiple carriers or web-centric businesses need on-premise solutions with scalable detection and mitigation capabilities
INTRODUCING FORTIDDOS

Hardware Accelerated DDoS Defense
• Uses the newest member of the FortiASIC family, FortiASIC-TP™
• Rate Based Detection
• Inline Full Transparent Mode – no MAC address changes
• Signature Free Defense – hardware based protection
• Self Learning Baseline

Intent Based Protection
• Adapts based on behavior
• Granular Protection – multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram: ISP 1 and ISP 2 links → FortiDDoS™ → Firewall → Web Hosting Center; legend: Legitimate Traffic, Malicious Traffic]
DETECTION AND MITIGATION

How it works
• Detection is performed in hardware
• Mitigation occurs inline

[Diagram: legitimate traffic and attack traffic enter; the following stages are applied]
• Virtual Partitioning
• Geo-Location ACL
• Bogon Filtering
• Protocol Anomaly Prevention
• Packet Flood Mitigation
• Stateful Inspection
• Out of State Filtering
• Granular Layer 3 and 4 Filtering
• Application Layer Filtering
• Algorithmic Filtering
• Heuristic Filtering
SERVICE PROTECTION PROFILES

• Flexible protection
• Global triggers
• Flexible service definitions
• Hardware-based monitoring and mitigation
FORTIDDoS-100A / PROVIDES 2 Gbps PROTECTION

2U Appliance – provides dual link protection

Specification
LAN: 2 x 1G (copper and optical)
WAN: 2 x 1G (copper and optical)
FortiASIC: 2 x FortiASIC-TP1
RAM: 4G
Storage: 1TB HDD
Management: 1 x RJ45 10/100/1000
Power: Single AC
Protection: 2 Gbps

FORTIDDoS-200A / PROVIDES 4 Gbps PROTECTION

4U Appliance – provides protection for up to 4 links

Specification
LAN: 4 x 1G (copper and optical)
WAN: 4 x 1G (copper and optical)
FortiASIC: 4 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 4 Gbps

FORTIDDoS-300A / PROVIDES 6 Gbps PROTECTION

4U Appliance – provides protection for up to 6 links

Specification
LAN: 6 x 1G (copper and optical)
WAN: 6 x 1G (copper and optical)
FortiASIC: 6 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 6 Gbps
FORTIDDoS: 5 KEY FEATURES AND BENEFITS

A. FortiASIC accelerated detection & mitigation
• Custom designed high-speed ASIC processors block attacks before they can affect network availability

B. Automatic traffic pattern learning
• Achieves more accurate threat detection through multi-layer profiling
• Modeling requires almost no end user intervention

C. Virtual Partitions
• In multi-tenant or virtual environments, prevents attack on one customer from affecting another
• Provides flexible deployment options and optimal TCO for service providers and cloud environments

D. Rapid & Resilient deployment
• No network topology or configuration changes needed, integrates into existing network architecture

E. Microfine enforcement of network traffic on layers 2, 3, 4 and 7
• Significantly reduces false positives
• Automatically builds a complex and detailed legitimate traffic model
• Facilitates detection of sophisticated attacks
A. POWERED BY FORTIASIC TRAFFIC PROCESSOR

[Diagram: FortiASIC Traffic Processor pipeline, bidirectional hardware logic, GUI management/CLI]
Internet Traffic (inbound risks) → Virtual Partitioning → Granular Protocol Anomaly Prevention → Geolocation Based ACL → Stateful Inspection → Packet Flood Mitigation → TCP Out of State Filtering → Layer 3 / Layer 4 Flood Mitigation → Algorithmic and Heuristic Filtering → Application Layer Flood (HTTP) Mitigation → Outbound Traffic (outbound risks)
A. POWERED BY FORTIASIC TRAFFIC PROCESSOR

• FortiASIC: benchmarked at 27 microseconds latency
• FortiASIC: benchmarked at <2s mitigation velocity
• Software / CPU solution: suffers performance degradation
B. TRAFFIC LEARNING: BASELINE BUILDING

• Legitimate traffic model is automatically constructed
  » Calendar based baseline
  » Adaptive Threshold Estimation
• Typically increases over time, no need to re-measure
  » Multiple links supported

[Diagram: links from ISP(s) → FortiDDoS (DDoS protection) → FortiGate firewall → hosting center]
C. VIRTUAL PARTITIONS

• Uniquely enables up to 8 segmented zones
  » Segmentation by server address / subnet
• Consider a customer with multiple traffic types
  A. Web Browsing
  B. Firmware Updates
  C. Online Ordering
• Separate policies for unique traffic patterns
  » Connection patterns differ from service to service
• Need to protect services from each other
  » Permits the development of Service Protection Profiles

[Diagram: links from ISP(s) → 8x DDoS protection partitions → FortiGate firewall → corporate site]
D. RESILIENT DEPLOYMENT WITH MULTIPLE ISP LINKS

• Dual links provided for business continuity
• FortiDDoS appliance pair provides physical redundancy
• Asymmetric Flow Synchronization
  » Allows FortiDDoS state machines to have complete traffic visibility
  » Enables handling asymmetric traffic
  » FortiDDoS devices are interconnected to provide the synchronization path
  » Mitigation occurs on both appliances

[Diagram: attacker → ISP-A and ISP-B → paired FortiDDoS appliances joined by an asymmetric flow sync link → data / hosting center]
E. MICROFINE ENFORCEMENT OF MULTIPLE NETWORK LAYERS

• Layer 3 (varying layer 3 headers)
  – ICMP floods, TCP floods, fragment floods
• Layer 4 (port floods)
  – TCP or UDP port floods, single port attacks, ICMP echo flood
• Layer 7 (URL floods)
  – In this attack, a single URL is continuously attacked from multiple sources
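The self-learning, calendar-based baseline with multiple thresholds described under Traffic Learning, applied to the per-layer floods listed above, as an added example (not FortiDDoS or any Fortinet code): it learns per-hour rates for a few constructed counters, derives a warn and a mitigate threshold for each, and classifies live samples. The metric names, the hour-of-day slot, the sigma margins and every rate are assumptions.

```python
"""Rate-based detection against a self-learned, calendar-based baseline.
Constructed illustration of the deck's approach: learn a legitimate traffic model
per time slot, then apply several thresholds per metric at layers 3, 4 and 7.
Not FortiDDoS code; metric names, slot key, sigma margins and rates are assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed counter -> layer mapping (deck: L3 header, L4 port/SYN, L7 URL floods).
LAYER_OF = {"icmp_pps": 3, "syn_per_src_pps": 4, "udp_port53_pps": 4, "url_hits:/login": 7}

class RateBaseline:
    """Per-metric, per-hour-of-day model with a warn and a mitigate threshold."""
    def __init__(self, warn_sigma=3.0, block_sigma=6.0, floor=10.0):
        self.samples = defaultdict(list)  # (metric, hour) -> learned rates
        self.warn_sigma, self.block_sigma, self.floor = warn_sigma, block_sigma, floor
    def learn(self, metric, hour, rate):
        self.samples[(metric, hour)].append(rate)  # one legitimate observation
    def thresholds(self, metric, hour):
        """(warn, mitigate) rates for the slot, or None if it was never learned."""
        hist = self.samples.get((metric, hour))
        if not hist:
            return None
        mu, sd = mean(hist), pstdev(hist)
        sd = max(sd, 0.1 * mu, 1.0)  # a flat baseline must not give a zero-width band
        warn = max(mu + self.warn_sigma * sd, self.floor)  # floor: ignore trivial rates
        return warn, max(mu + self.block_sigma * sd, warn)
    def classify(self, metric, hour, rate):
        """'ok', 'warn' (subtle deviation), 'mitigate' (flood) or 'unlearned'."""
        th = self.thresholds(metric, hour)
        if th is None:
            return "unlearned"
        warn, block = th
        return "mitigate" if rate >= block else "warn" if rate >= warn else "ok"

def evaluate(baseline, samples):
    """(metric, hour, rate) tuples -> (metric, layer, verdict, rate) for non-ok ones."""
    out = []
    for metric, hour, rate in samples:
        verdict = baseline.classify(metric, hour, rate)
        if verdict != "ok":
            out.append((metric, LAYER_OF.get(metric), verdict, rate))
    return out

def demo_baseline():
    """Constructed learning week: seven quiet 10:00 readings per metric."""
    b = RateBaseline()
    week = {"syn_per_src_pps": [100, 110, 90, 105, 95, 100, 100],
            "url_hits:/login": [20, 25, 15, 20, 20, 22, 18], "icmp_pps": [5, 5, 6, 4, 5, 5, 5]}
    for metric, rates in week.items():
        for r in rates:
            b.learn(metric, 10, r)
    return b

def demo_alerts():
    """Constructed live 10:00 samples: a SYN-per-source rise and a single-URL flood."""
    live = [("syn_per_src_pps", 10, 120), ("syn_per_src_pps", 10, 145), ("icmp_pps", 10, 5),
            ("url_hits:/login", 10, 400), ("udp_port53_pps", 10, 9000)]  # last one never learned
    return evaluate(demo_baseline(), live)
```

The "unlearned" verdict is the point a practitioner should not skip: a counter with no baseline for that slot has no threshold yet, so an alert cannot be derived from the model alone.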
RECENT CUSTOMER FEEDBACK

“We recently experienced a very large DDoS attack on our network. We've found FortiDDoS withstanding the attack very well at this time. Seeing as this is the largest network attack we've ever experienced, utilizing this information will help us significantly in protecting us against other attacks in the future”

Scale of the attack?
• 6.8BN: packets dropped in 8 hours
• 27 hours: attack duration
• ~last 12 hours: initiated FortiDDoS mitigation
BASELINE BUILDING

FortiDDoS is typically protecting the customer links
Legitimate traffic model is automatically constructed

[Diagram: links from ISPs → FortiDDoS → FortiGate → hosting center]
BYPASS OPTIONS

[Diagram: corporate headquarters LAN, FortiDDoS, FortiGate and FortiBridge]
SERVICE PROFILES

[Diagram: access layer, distribution layer and FortiDDoS; services: Wealth Management, Online Banking, Loans and Mortgages]

DEPLOYMENT SCENARIOS

FORENSICS OF AN ATTACK OVER A MONTH

MORE COMMON ATTACK CHARACTERISTICS
AGGREGATE DROPPED TRAFFIC

Summary over 1 month (packets dropped per 3 hours: maximum / minimum / average; total packets dropped)

Type     | Maximum     | Minimum | Average    | Total Packets Dropped
Layer 2  | 0           | 0       | 0          | 0
Layer 3  | 71,796,072  | 0       | 21,262,421 | 5,273,080,458
Layer 4  | 375,005,802 | 300     | 5,899,631  | 1,463,108,503
Layer 7  | 303         | 0       | 1          | 304
PACKETS DROPPED AT LAYER 3

Summary over 1 month (packets dropped per 3 hours: maximum / minimum / average; total packets dropped)

Type                    | Maximum    | Minimum | Average    | Total Packets Dropped
Protocols               | 8,225,652  | 0       | 637,875    | 158,193,111
TOS                     | 0          | 0       | 0          | 0
IPv4 Options            | 0          | 0       | 0          | 0
Fragmented Packets      | 1,157      | 0       | 7          | 1,873
L3 Anomalies            | 11,870,534 | 0       | 79,834     | 19,798,847
Source Flood            | 57,013,194 | 0       | 20,532,304 | 5,092,011,434
Misc. Source Flood      | 289,674    | 0       | 1,168      | 289,675
Destination Flood       | 2,441,260  | 0       | 11,231     | 2,785,518
Misc. Destination Flood | 0          | 0       | 0          | 0
Dark Address Scan       | 0          | 0       | 0          | 0
Network Scan            | 0          | 0       | 0          | 0
PACKETS DROPPED AT LAYER 4

Summary over 1 month (packets dropped per 3 hours: maximum / minimum / average; total packets dropped)

Type                                           | Maximum     | Minimum | Average   | Total Packets Dropped
TCP Options                                    | 0           | 0       | 0         | 0
SYN Packets                                    | 278,119,806 | 0       | 5,034,862 | 1,248,645,939
L4 Anomalies                                   | 12,549,983  | 300     | 54,866    | 13,606,809
TCP Ports                                      | 7,194,921   | 0       | 165,534   | 41,052,592
UDP Ports                                      | 27,297      | 0       | 908       | 225,429
ICMP Types/Codes                               | 0           | 0       | 0         | 0
Port Scan                                      | 0           | 0       | 0         | 0
Misc. Drops for Port Scan                      | 0           | 0       | 0         | 0
Packets Per Connection                         | 0           | 0       | 0         | 0
Misc. Connection Flood                         | 71,585      | 0       | 6,992     | 1,734,081
Zombie Flood                                   | 13,368,886  | 0       | 93,770    | 23,254,968
SYN Packets Per Source                         | 36,527,319  | 0       | 234,548   | 58,168,070
Excessive Concurrent Connections Per Source    | 109         | 0       | 0         | 110
Excessive Concurrent Connections Per Destination | 0         | 0       | 0         | 0
TCP Packets Per Destination                    | 0           | 0       | 0         | 0
PACKETS DROPPED AT LAYER 7

Summary over 1 month (packets dropped per 3 hours: maximum / minimum / average; total packets dropped)

Type           | Maximum | Minimum | Average | Total Packets Dropped
Opcode Flood   | 303     | 0       | 1       | 304
HTTP Anomalies | 0       | 0       | 0       | 0
URL Flood      | 0       | 0       | 0       | 0
CAN YOU AFFORD NOT TO PROTECT IT SERVICES – TAKEAWAYS

1. DDoS attacks will continue to increase in frequency and complexity through 2013
2. Check out World Economic Forum: www.weforum.org/cyber
3. There is no ‘Silver Bullet’ solution … yet
4. Firewalls and IPS are not fit to protect against today’s DDoS attacks
5. Enterprises with multiple carriers or web-centric businesses need effective and scalable on-premise DDoS protection
6. ASIC is the ONLY way: a software/general CPU-based security device cannot keep up with the high volume and sophistication of the attack traffic
7. Critical IT Services demand IT Service Protection!
Thank you
Kalle Bjorn
Email: kbjorn@fortinet.com

9/14/21