
Time for Defense in Depth

Teemu Lehtonen
Systems Engineer at Fortinet, Finland & Baltics
May 2014

Copyright 2014 Fortinet Inc. All rights reserved.

Agenda

DDoS headlines today
DDoS attacks and types
The evolution of DDoS threats
DDoS defense options
FortiDDoS dedicated solution
DDoS competitive review
What analysts say

DDoS In the News

DDoS attacks still #1 threat to data centers


Size of volume-based attacks increasing
80% of attacks less than 50 Gbps
Most successful attacks under 1 Gbps
Attacks getting more sophisticated
Layer 7 attacks fastest growing type
Hackers using DDoS to mask data breaches

Enterprises Need Protection


Finance and Government primary targets
Disruptions to operations and commerce
Customer and financial data at risk
Traditional protections can't detect small attacks
Layer 7 attacks making it through to data centers

What is a DDoS Attack?


Goal is to disrupt networks, applications or services
Network and computer services reset or become unavailable to legitimate traffic
Packet flooding from botnets (relatively easy)
Botmaster controls willing or unwilling devices
Motivations can be political, financial or ideological (Anonymous, state-sponsored attacks)

Types of DDoS Attacks

Bulk Volumetric: designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods).
Problems: services unavailable to users; can mask data breaches; attack sizes getting larger; easy to implement.

Application Layer: smaller, more sophisticated attacks that target layer 7 application services on servers such as HTTP, HTTPS and SMTP.
Problems: slip past traditional defenses; fastest growing attack type; detection difficult; easier for botmasters to implement.

Cloud Infrastructure: modern attacks go after all cloud infrastructure elements, including firewalls, mail and web servers.
Problems: complex protection requirements; multiple customer impacts; combination DDoS attacks; need multi-site protection.

Bulk Volumetric

SYN Flood: Spoofed SYN packets fill the connection table of servers and of every other stateful device in the network path.
Zombie Flood: In zombie or botnet floods, non-spoofed connections from compromised hosts overload network and application services.

ICMP Flood: ICMP packets, such as those used for ping, overload servers and network connections.
TCP/UDP Port Flood: TCP or UDP packets overload servers and network ports that no service is listening on, such as TCP port 81.
Fragment Flood: Fragmented packets overload servers, which must buffer them while waiting for reassembly.
Anomalous Packet Flood: Malformed packets, sent deliberately or produced by buggy attack scripts, overload network equipment and servers as they attempt to deal with the anomalies.
Unwanted Geographical Area Floods: Packets flood in from an unwanted or potentially malicious geographic area (country, region, etc.).
Blended Attacks: More and more DDoS events use combinations of the basic attack types, and some mask service-level attacks within high-volume basic ones to throw off detection.
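As an added example (not from the Fortinet deck), the flood types above expressed as detection logic over constructed per-packet summaries: a SYN flood is recognised by SYN volume combined with a low handshake-completion ratio (spoofed sources never ACK, so a legitimate burst of the same size is not flagged), ICMP and fragment floods by plain rate, and port floods by traffic to ports no service listens on. The thresholds in LIMITS, the Pkt fields, the served-port set and the sample traffic are assumptions; a real deployment would derive the limits from a learned baseline rather than constants.

```python
"""Classify bulk volumetric flood patterns in one-second windows of packet summaries.

Added example, not Fortinet code. Thresholds, field names and sample traffic are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float            # arrival time in seconds
    src: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # 0 for icmp
    flags: str = ""      # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    frag: bool = False   # IP fragment (non-zero offset or MF set)


# Assumed per-second limits for the protected host; a real deployment learns these from baseline traffic.
LIMITS = {"syn": 500, "icmp": 200, "frag": 200, "closed_port": 200}
SERVED_PORTS = {80, 443}   # assumption: only these TCP/UDP ports offer a service


def windows(pkts, size=1.0):
    """Group packets into consecutive windows of `size` seconds, keyed by window start time."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p.ts // size) * size].append(p)
    return dict(sorted(buckets.items()))


def classify_window(pkts, limits=LIMITS, served=SERVED_PORTS):
    """Return {attack_type: detail} for one window; an empty dict means no limit was exceeded."""
    findings = {}
    syns = [p for p in pkts if p.proto == "tcp" and p.flags == "S"]
    if len(syns) > limits["syn"]:
        # Spoofed SYNs never complete the handshake, so almost no SYN source is later seen ACKing.
        syn_srcs = {p.src for p in syns}
        ack_srcs = {p.src for p in pkts if p.proto == "tcp" and p.flags == "A"}
        completion = len(syn_srcs & ack_srcs) / len(syn_srcs)
        if completion < 0.2:
            findings["syn_flood"] = (f"{len(syns)} SYNs from {len(syn_srcs)} sources, "
                                     f"handshake completion {completion:.2f}")
    icmp = sum(1 for p in pkts if p.proto == "icmp")
    if icmp > limits["icmp"]:
        findings["icmp_flood"] = f"{icmp} ICMP packets"
    frags = sum(1 for p in pkts if p.frag)
    if frags > limits["frag"]:
        findings["fragment_flood"] = f"{frags} IP fragments"
    closed = Counter(p.dport for p in pkts if p.proto in ("tcp", "udp") and p.dport not in served)
    total_closed = sum(closed.values())
    if total_closed > limits["closed_port"]:
        port, n = closed.most_common(1)[0]
        findings["port_flood"] = f"{total_closed} packets to unserved ports, top port {port} ({n})"
    return findings


def classify_capture(pkts):
    """Run classify_window over every window; return {window_start: findings} for windows that fired."""
    return {start: f for start, ws in windows(pkts).items() if (f := classify_window(ws))}


# --- constructed sample traffic (not a real capture) ---
def legit_clients(t0, n):
    """n well-behaved clients: SYN, handshake ACK, then a data ACK to port 443 within one second."""
    out = []
    for i in range(n):
        src = f"198.51.100.{i % 254 + 1}"
        out += [Pkt(t0 + 0.1, src, "tcp", 443, "S"),
                Pkt(t0 + 0.3, src, "tcp", 443, "A"),
                Pkt(t0 + 0.5, src, "tcp", 443, "A")]
    return out


def spoofed_syn_flood(t0, n):
    """n SYNs to port 443 from n distinct spoofed sources that never ACK."""
    return [Pkt(t0 + i / n, f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}", "tcp", 443, "S")
            for i in range(n)]


def sample_capture():
    """Second 0: 50 normal clients. Second 1: 50 normal clients plus a blended SYN/UDP/ICMP flood."""
    benign = legit_clients(0.0, 50)
    attack = (legit_clients(1.0, 50)
              + spoofed_syn_flood(1.0, 3000)
              + [Pkt(1.0 + i / 600, "192.0.2.7", "udp", 81) for i in range(600)]
              + [Pkt(1.0 + i / 300, "192.0.2.8", "icmp") for i in range(300)])
    return benign + attack


if __name__ == "__main__":
    for start, f in classify_capture(sample_capture()).items():
        print(f"t={start:.0f}s {f}")
```

The completion ratio is what separates a flash crowd from a spoofed flood: 600 real clients opening connections in one second exceed the SYN limit but all of them ACK, so nothing is reported, while 600 spoofed SYNs with no ACKs are.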

Application Layer Attacks

HTTP GET: Connection-oriented bots attempt to overload servers and connections on service ports (such as HTTP) by mimicking legitimate users' requests.
HTTP POST (slow POST): The request declares a body and then sends it at a very slow rate, so the request never completes and the connection stays open.

HTTP Slow Read: Attackers request a large response and then read it at a very slow rate (advertising a tiny or zero TCP window), so the server is forced to hold the data and the connection for as long as possible.
Slowloris: Using HTTP GET, attackers open many connections, send partial HTTP headers and keep adding time-delayed header lines so the requests never complete, holding the connections open as long as needed to deplete server resources.
HTTPS: Similar to the HTTP attacks, but aimed at the SSL/TLS services on servers, where each handshake also costs the server CPU.
SMTP: Attacks targeted at SMTP mail server services.
VoIP: Attacks targeted at SIP INVITE handling.
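As an added example (not from the Fortinet deck), the three slow attacks above turned into checks over a snapshot of a server's connection table: Slowloris shows up as connections whose headers never complete, slow POST as a declared body arriving far below any plausible rate, and slow read as a zero receive window with response data stuck in the send queue. Because a single stalled connection is indistinguishable from a slow mobile client, the example only reports a source once it holds many stalled connections at once, which is what these tools need to exhaust a worker pool. The Conn fields, timeouts, the per-source limit and the sample snapshot are assumptions.

```python
"""Flag slow application-layer (layer 7) attacks from a snapshot of server connection state.

Added example, not Fortinet code. Connection fields, timeouts and sample data are assumptions;
a real implementation would read them from the web server, a proxy or the kernel socket table.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    src: str
    age: float              # seconds since the TCP connection was accepted
    headers_complete: bool  # server has seen the blank line that ends the request headers
    content_length: int     # declared request body length, 0 if none
    body_received: int      # request body bytes received so far
    client_window: int      # last TCP receive window the client advertised, in bytes
    unsent_bytes: int       # response bytes queued because the client is not reading


HEADER_TIMEOUT = 30.0     # a normal client sends complete headers within a few hundred ms
MIN_BODY_RATE = 100.0     # bytes per second; slow POST tools trickle a byte every few seconds
READ_STALL = 30.0         # seconds of zero-window with data queued before calling it a slow read
PER_SOURCE_LIMIT = 10     # one stalled connection is a slow client; dozens from one source is a tool


def classify_conn(c: Conn) -> Optional[str]:
    """Return the slow-attack pattern a single connection matches, or None."""
    if not c.headers_complete and c.age > HEADER_TIMEOUT:
        return "slowloris"           # partial headers, kept alive with periodic header lines
    if c.headers_complete and c.content_length and c.body_received < c.content_length:
        if c.body_received / max(c.age, 1e-9) < MIN_BODY_RATE:
            return "slow_post"       # body declared but arriving far too slowly to ever finish
    if c.client_window == 0 and c.unsent_bytes > 0 and c.age > READ_STALL:
        return "slow_read"           # client asked for a large response and stopped reading it
    return None


def offending_sources(conns, per_source_limit=PER_SOURCE_LIMIT):
    """Group stalled connections by source; return {src: {pattern: count}} for sources over the limit."""
    per_src = defaultdict(Counter)
    for c in conns:
        pattern = classify_conn(c)
        if pattern:
            per_src[c.src][pattern] += 1
    return {src: dict(cnt) for src, cnt in per_src.items() if sum(cnt.values()) >= per_source_limit}


def sample_snapshot():
    """Constructed connection table: one bot per slow technique plus ordinary clients."""
    conns = []
    # 200 Slowloris connections: headers never completed, each open for minutes
    conns += [Conn("203.0.113.10", 120 + i, False, 0, 0, 65535, 0) for i in range(200)]
    # 60 slow POSTs: 1 MB declared, a few hundred bytes received after a minute
    conns += [Conn("203.0.113.11", 60 + i, True, 1_000_000, 300 + i, 65535, 0) for i in range(60)]
    # 40 slow reads: large download requested, zero window advertised, response stuck in the send queue
    conns += [Conn("203.0.113.12", 45 + i, True, 0, 0, 0, 500_000) for i in range(40)]
    # ordinary clients with fast, complete requests
    conns += [Conn(f"198.51.100.{i + 1}", 0.2, True, 0, 0, 65535, 0) for i in range(50)]
    # one genuinely slow uploader on a poor link: matches slow_post, but alone it stays under the limit
    conns.append(Conn("198.51.100.200", 90, True, 1_000_000, 4_000, 65535, 0))
    return conns


if __name__ == "__main__":
    for src, patterns in offending_sources(sample_snapshot()).items():
        print(src, patterns)
```

The per-source count is the false-positive guard the page keeps returning to: the single slow uploader matches the slow POST pattern but is never reported, while each bot address is reported with the technique it is running.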

The Evolving Threat

Traditional Attacks: layer 3 and 4; bulk volumetric; spoofing IP addresses; larger and larger attacks; large botnets.
Today and Future: service layer 7 focus; small, targeted attacks; blended 3/4/7 approaches; cloud service targets; skirting of ISP DDoS defenses; larger attacks are more for show.
A New Approach: behavioral detection; service and port monitoring; detect any size of attack; hardware-assisted; automatic mitigation; can't rely solely on the ISP.
DDoS Defense Options

DDoS Service Provider: managed service subscription model, usually with separate detection and mitigation.
Pros: easy sign up; easy deployment.
Cons: expensive overages; unpredictable costs; limited flexibility.

Firewall/IPS: integrated device that includes firewall, intrusion prevention and DDoS prevention.
Pros: single device; fewer units to manage.
Cons: poor layer 7 attack detection; may require licensing; performance impacts.

Dedicated Appliance: inline data center appliance that provides layer 3, 4 and 7 DDoS detection and mitigation.
Pros: predictable costs; advanced layer 7 protection.
Cons*: additional device management; can be vulnerable to large attacks; may require signature updates.

* We'll demonstrate how FortiDDoS was designed to address these issues.

FortiGate DDoS Protection vs. FortiDDoS

FortiGate only: firewall, IPS, ACLs, UTM, NAT, VPN.
Shared DDoS features: source tracking, slow attack mitigation, address matching, IP reputation, geo-location, behavior-based detection, threshold granularity.
Only in FortiDDoS: FortiASIC-TP2, 100% hardware-based DDoS detection and mitigation; full duplex, bi-directional; full layer 3, 4 and 7 detection on one chip; models with up to 6x TP2 processors; less than 50 microsecond latency.

Fortinet's DDoS Protection Solutions

FortiGate: ASIC-based DoS protection, high-performance firewall, next-generation firewall with advanced services protection; UTM, application control.
FortiWeb: WAF with bidirectional protection against application layer DoS attacks and sophisticated threats like SQL injection and cross-site scripting.
FortiDB: database and compliance platform that uses a flexible policy framework to allow quick and easy implementation of internal control frameworks.
FortiDDoS: layer 3/4/7, ASIC-based protection, granular identification, behavioral anomalies, service centric, minimal detection times, adaptive protection.
FortiManager (NMS) and FortiAnalyzer (reporting).

Detection: bulk volumetric; layer 3 and 4; scalable; bandwidth anomalies; protocol anomalies.
Mitigation: protect infrastructure; rate limit; source filtering; scrubbing/cleaning centers; BGP redirection.

(Diagram: service provider WAN feeding the data center, with the products placed along the path.)

FortiDDoS DDoS Attack Mitigation Appliances

4 models with 4-24 Gbps full-duplex throughput
Up to 20x 10GE SFP+ ports (4 bypass)
100% behavior-based detection
100% ASIC-based single-layer processing
Up to 6x FortiASIC-TP2 processors
<50 microsecond latency
<2 second DDoS mitigation response time
Adaptive line rating
Automatic learning process
IP Reputation scoring
Geo-location ACLs
Continuous threat evaluation
Full CLI and easy to use GUI
RESTful API
Advanced analysis and reporting
Full standalone DDoS solution, or can be combined with ISP basic protections

Key Features and Benefits

100% Behavioral: FortiDDoS doesn't rely on signature files that need to be updated with the latest threats, so you're protected from both known and unknown (zero-day) attacks.
100% Hardware: the FortiASIC-TP2 transaction processor provides full bi-directional detection and mitigation of layer 3, 4 and 7 DDoS attacks for industry-leading performance.
Continuous Attack Evaluation: minimizes the risk of false positive detection by re-evaluating the attack to ensure that good traffic isn't disrupted.
Congestion Resistant: FortiDDoS won't easily be overwhelmed and succumb to a DDoS threat, with high throughput rates and full line rate detection and mitigation.
Automated Learning: with minimal configuration, FortiDDoS automatically builds behavior profiles of normal traffic and resource usage, saving time and IT management resources.
Multi-Attack Protection: by understanding behaviors, FortiDDoS can detect any DDoS attack from basic bulk volumetric to sophisticated layer 7 SSL-based attacks, without the need to decrypt traffic.
FortiDDoS with an ISP for Congestion Protection

A dedicated appliance can't protect the pipes by itself.
Used with an ISP's DDoS protections, data centers are protected from both high-volume layer 3/4 attacks and smaller layer 7 attacks.

(Diagram: DDoS attacks enter at the ISP, which removes layer 3/4 floods; FortiDDoS in the data center removes layer 7 attacks; good traffic passes.)

Bulk Protection: ISPs offer bulk DDoS protections at the layer 3 and 4 level and can screen those floods out to minimize congestion on the links into the data center.
Application Protection: FortiDDoS detects and mitigates the smaller layer 7 attacks that the ISP passes through to the data center, and can detect small layer 3 and 4 attacks that the ISP may not detect.

DDoS Solution Marketplace

(Chart: price vs. features and performance, with enterprise, mid-size and small segments. Hardware vendors plotted: Radware, Arbor Networks, Check Point, FortiDDoS. Cloud services plotted: Neustar, VeriSign, Prolexic, Incapsula, CloudFlare.)

Competitive Comparison: Hardware vs. Cloud

Category: FortiDDoS | Basic ISP Protections | DDoS Service Provider
Setup: cost of hardware | none | approx. 1 month of service
Sites included: unlimited | various | various (usually 1)
Monthly cost: support renewal | $0 | $300-5000 (plan based)
Traffic limit: none | usually no cap | capped for most
DDoS overage fees: none | n/a | $300 per TB average
Advanced layer 7: yes | no (layer 3 and 4 only) | higher-price plans usually
Average 3 year cost (no overages): hardware + 3 yrs support ($58K for FortiDDoS-400B) | $0 | up to $180-200K for enterprise plans

Competitive Comparison: Hardware-based options

Category: FortiDDoS | Arbor Pravail | Radware DefensePro | Check Point DDoS (OEM Radware)
Throughput: 4-24 Gbps | 2-10 Gbps | 0.2-40 Gbps | 0.5-12 Gbps
Pricing: $40-200K | $32K-145K | $18-600K | $19-170K
Latency (microseconds): <50 | <80 | <60 | <60
Detection type: heuristic | signature | signature | signature

FortiDDoS Advantages

Performance: up to 10X better than Radware and Arbor in detecting and protecting against threats. 100% ASIC-based, so it doesn't slow down like CPU-based appliances.
Lowest TCO for private DDoS protection: up to 50% less overall TCO compared to Radware and Arbor (hardware-based). Fixed-cost model is less expensive and more predictable than enterprise-grade cloud DDoS mitigation.
Best false positive avoidance: behavior-based model won't mistakenly classify legitimate traffic as a threat and block applications. 60 second reset unblocks traffic if it's not a real threat or if application errors caused the anomaly.
Always up-to-date: no signatures means the device doesn't have to wait for a threat to be predefined, so zero-day attacks are handled without a signature update.
Protected from DDoS attacks itself: high throughput and line-rate speeds minimize congestion risk; most good traffic continues through. No software or general-purpose CPU in the traffic path for application-level attacks to target on FortiDDoS.

A Different Approach to DDoS Mitigation

(Two charts of TCP connection rates during a 300 second attack, plotting good and attack connections against time 0-300 seconds, with client-establish and client-close/RST phases marked. Competitors, signature-based: attack mitigated for 100% of connections 100 seconds from start, good traffic affected. FortiDDoS, behavior-based: attack mitigated 30 seconds from start, minimal impact to good traffic.)

Competitors (signature-based):
Attacks take up to 60 seconds to match against signature profiles.
All traffic is blocked for the duration of the attack, including good traffic from legitimate users.
False positives must wait until the system perceives that the attack has stopped.

FortiDDoS (behavior-based):
Attack is identified in less than 5 seconds on average.
Traffic is slowed, but good traffic is still permitted.
IP Reputation blacklists offending IP addresses.
Repeated attack reevaluation minimizes the risk of false positives.
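The behavioral model the deck contrasts with signature matching (Key Features and Benefits, and the comparison above) comes down to a few mechanics: learn the normal per-second rate and derive a threshold from it, require the breach to persist before acting, rate-limit to the learned level rather than dropping everything, and re-evaluate the mitigation after a fixed interval so a false positive or a finished attack is released. This added example (not Fortinet code, and not a description of how FortiDDoS is implemented) models those mechanics over constructed traffic; the k-sigma threshold, the 2 second confirmation, the 60 second reset and the traffic numbers are assumptions.

```python
"""Behavior-based rate mitigation: learned threshold, confirm before acting, rate-limit, re-evaluate.

Added example, not Fortinet code. A toy model of the behavioral approach described on this page;
all constants and the simulated traffic are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass
class BehavioralLimiter:
    k: float = 3.0                 # threshold = mean + k * stddev of the learned per-second rate
    confirm: int = 2               # consecutive seconds over threshold before mitigation starts
    reset: float = 60.0            # re-evaluate an active mitigation this many seconds after it began
    threshold: float = 0.0
    blocked_until: Optional[float] = None
    breaches: int = 0
    events: list = field(default_factory=list)

    def learn(self, per_second_counts):
        """Learning phase: derive the threshold from observed normal traffic; no signatures involved."""
        self.threshold = mean(per_second_counts) + self.k * pstdev(per_second_counts)
        return self.threshold

    def _limit(self, count):
        """Pass traffic up to the learned rate, drop the excess (slowed, not blackholed)."""
        allowed = min(count, int(self.threshold))
        return allowed, count - allowed

    def observe(self, t, count):
        """Process one second of traffic; return (allowed, dropped) packet counts."""
        if self.blocked_until is not None:
            if t >= self.blocked_until:
                # Continuous re-evaluation: release if the rate is back to normal, otherwise extend.
                if count <= self.threshold:
                    self.blocked_until, self.breaches = None, 0
                    self.events.append(("unblock", t))
                    return count, 0
                self.blocked_until = t + self.reset
                self.events.append(("extend", t))
            return self._limit(count)
        if count > self.threshold:
            self.breaches += 1
            if self.breaches >= self.confirm:
                self.blocked_until = t + self.reset
                self.events.append(("block", t))
                return self._limit(count)
            return count, 0          # single spike: not yet confirmed, pass it
        self.breaches = 0
        return count, 0


def run_simulation():
    """Constructed traffic: 300 s of normal load (~200 pps), a 120 s flood at 5000 pps, then normal again."""
    lim = BehavioralLimiter()
    baseline = [200 + (i % 7) * 5 - 15 for i in range(300)]   # 185..215 pps, no attack present
    lim.learn(baseline)
    allowed_during_attack, dropped_total = [], 0
    for t in range(300, 480):
        count = 5000 if 300 <= t < 420 else 200
        allowed, dropped = lim.observe(float(t), count)
        dropped_total += dropped
        if 300 <= t < 420:
            allowed_during_attack.append(allowed)
    return {"threshold": lim.threshold, "events": lim.events,
            "allowed_during_attack": allowed_during_attack, "dropped_total": dropped_total}


if __name__ == "__main__":
    r = run_simulation()
    print(f"threshold={r['threshold']:.1f} pps events={r['events']} dropped={r['dropped_total']}")
```

In the simulation the threshold lands near 230 pps, mitigation starts on the second breaching second, the first re-evaluation at 60 seconds finds the flood still running and extends it, and the next one, after the flood has stopped, releases it: legitimate traffic up to the learned rate kept flowing throughout, which is the behaviour the page contrasts with blocking everything until a signature-based system decides the attack is over.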

What Analysts Say

Dedicated, on-premise solutions are a key component of DDoS defense.
This type of defense provides dedicated resources aimed at protecting other components of the infrastructure (e.g., routers, firewalls, IPS) from becoming overwhelmed by malicious traffic.
Further, dedicated DDoS solutions are able to dig deeper into traffic dynamics to detect machine-generated requests and correlate source requests with resource responses to detect and mitigate Layer 7 attacks while limiting false positives.
In general, false positives are a key concern for IT administrators.
If a DDoS prevention solution regularly alerts to false positives or, worse, blocks legitimate users from accessing the resource they're attempting to reach, the result for those users is the same as if the organization were under a DDoS attack.

Thank You!

Robertas Vingrys
Major Accounts Manager, Baltics
+370 698 77750
rvingrys@fortinet.com

Teemu Lehtonen
Systems Engineer, Finland & Baltics
tlehtonen@fortinet.com
