Teemu Lehtonen
Systems Engineer at Fortinet, Finland & Baltics
May 2014
Agenda
- Bulk Volumetric
- Application Layer
- Cloud Infrastructure
Bulk Volumetric
Designed to overwhelm and consume available internet bandwidth or overload servers (e.g. SYN, UDP, ICMP floods).

Problems:
- Services unavailable to users
- Can mask data breaches
- Attack sizes getting larger
- Easy to implement attack

Attack types:
- SYN Flood: Spoofed SYN packets fill the connection table of servers, and of all other devices in your network path.
- Zombie Flood: In zombie or botnet floods, non-spoofed connections overload network and application services.
- ICMP Flood: In these floods, ICMP packets, such as those used for ping, overload servers and network connections.
- TCP/UDP Port Flood: TCP/UDP packets overload the servers and network ports not being used for a service, such as TCP port 81.
- Fragment Flood: Fragmented packets overload the servers.
- Anomalous Packet Flood: Deliberate or accidental packet errors in attackers' scripts easily overload network equipment and servers as they attempt to deal with the anomalies.
- Unwanted Geographical Area Floods: Packets flood in from an unwanted or potentially malicious geographic area (country, region, etc.).
- Blended Attacks: More and more DDoS events use combinations of the basic attack types, and some even mask service-level attacks within high-volume basic ones to throw off detection services.
Application Layer
Smaller, more sophisticated attacks that target layer 7 application services on servers such as HTTP, SMTP and HTTPS.

Problems:
- Slip past traditional defenses
- Fastest growing attack type
- Detection difficult
- Easier for botmasters to implement

Attack types:
- HTTP GET: These attacks involve connection-oriented bots that attempt to overload servers and connections on service ports (such as HTTP) by mimicking legitimate users.
- HTTP POST: POST body messages are sent at a very slow rate and disrupt proper connection completion.
- HTTP Slow Read: Attackers force servers to send a large amount of data, but it is forced to be sent in many small fragments and read at a very slow rate by the receiver.
- Slowloris: Using HTTP GET, attackers send multiple partial and time-delayed HTTP headers to keep connections open as long as needed to deplete server resources.
- HTTPS: Similar to HTTP attacks, these attack SSL services on servers.
- SMTP: Attacks targeted at SMTP mail server services.
- VoIP: Attacks targeted at SIP INVITE services.
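Server-side detection of the slow application-layer patterns listed above (Slowloris partial headers, slow HTTP POST bodies, HTTP Slow Read), as an added example that is not part of the original deck or of any Fortinet product. The connection snapshot, the thresholds and the per-source flagging rule are constructed assumptions for the demonstration.

```python
from collections import Counter

# Constructed snapshot of a web server's open client connections (not a
# real capture). Fields: source IP, connection age in seconds, method, whether
# request headers completed, POST body bytes received, response bytes sent,
# and the client's advertised TCP window.
CONNECTIONS = [
    ("203.0.113.10", 2, "GET", True, 0, 0, 65535),        # normal request
    ("198.51.100.7", 95, "GET", False, 0, 0, 65535),      # headers never finish
    ("198.51.100.7", 88, "GET", False, 0, 0, 65535),
    ("198.51.100.7", 91, "GET", False, 0, 0, 65535),
    ("198.51.100.9", 240, "POST", True, 900, 0, 65535),   # body at a trickle
    ("198.51.100.9", 230, "POST", True, 850, 0, 65535),
    ("198.51.100.11", 180, "GET", True, 0, 4096, 32),     # tiny window, slow drain
    ("198.51.100.11", 175, "GET", True, 0, 3900, 16),
    ("203.0.113.22", 12, "POST", True, 20480, 0, 65535),  # legitimate upload
]

# Assumed thresholds; in practice these are tuned to the server's learned baseline.
HEADER_TIMEOUT_S = 30      # headers still incomplete after this many seconds
MIN_BODY_RATE_BPS = 20     # POST body arriving slower than this (bytes/s)
MIN_READ_RATE_BPS = 100    # response being drained slower than this (bytes/s)
TINY_WINDOW = 1024         # client window too small for a normal reader
MIN_SUSPECT_CONNS = 2      # matching connections before a source is flagged


def classify(conn):
    """Name the slow application-layer pattern a connection matches, or None."""
    src, age, method, headers_done, body, sent, window = conn
    if not headers_done and age > HEADER_TIMEOUT_S:
        return "slowloris"          # partial headers held open (Slowloris)
    if method == "POST" and headers_done and age > HEADER_TIMEOUT_S \
            and body / age < MIN_BODY_RATE_BPS:
        return "slow_post"          # HTTP POST body sent at a very slow rate
    if sent > 0 and age > HEADER_TIMEOUT_S and window < TINY_WINDOW \
            and sent / age < MIN_READ_RATE_BPS:
        return "slow_read"          # HTTP Slow Read: response read very slowly
    return None


def suspicious_sources(conns):
    """Per-source tally {src: {pattern: count}} of sources holding at least
    MIN_SUSPECT_CONNS matching connections: candidates for per-source
    connection limits or rate limiting at the edge."""
    per_src = {}
    for c in conns:
        pattern = classify(c)
        if pattern:
            per_src.setdefault(c[0], Counter())[pattern] += 1
    return {s: dict(p) for s, p in per_src.items()
            if sum(p.values()) >= MIN_SUSPECT_CONNS}
```

A single slow connection from a source is not flagged, which keeps one slow mobile client from being treated as an attacker.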
Traditional Attacks:
- Layer 3 and 4
- Bulk volumetric
- Spoofing IP addresses
- Large botnets

A New Approach:
- Behavioral detection
- Hardware-assisted
- Automatic mitigation

DDoS mitigation options compared: Firewall/IPS, Dedicated Appliance, and a third option whose column heading is not recoverable here. The slide listed pros and cons per option; the column assignment did not survive.
Pros listed: Easy sign up; Single device; Predictable costs; Easy deployment
Cons listed: Expensive overages; Unpredictable costs; Limited flexibility; Performance impacts; Source tracking; Slow attack mitigation
FortiGate vs. FortiDDoS

FortiGate (detection by address matching):
- IPS
- Firewall
- ACLs
- UTM
- NAT
- VPN

Only in FortiDDoS:
- 100% hardware-based DDoS detection and mitigation (FortiASIC-TP2)
- Full duplex
- IP Reputation
- Geo-location
- Behavior-based
- Threshold granularity
- Bi-directional
- Reporting
Detection:
- Bulk Volumetric
- Layer 3 and 4
- Scalable
- Bandwidth Anomalies
- Protocol Anomalies

Mitigation:
- Protect Infrastructure
- Rate Limit
- Source Filtering
- Scrubbing/Cleaning Centers
- BGP Redirection

(Deployment diagram: Data Center, Service Provider and WAN segments; Fortinet products shown alongside FortiDDoS: FortiWeb, FortiManager, FortiDB, FortiAnalyzer.)
FortiDDoS
Layer 3/4/7, ASIC-based protection, granular identification, behavioral anomalies, service centric, minimal detection times, adaptive protection. (Diagram label: NMS.)

- Up to 6x FortiASIC-TP2 processors
- <50 microsecond latency
- <2 second DDoS mitigation response time
- Adaptive line rating
- Automatic learning process
- IP Reputation scoring
- Geo-location ACLs
- Continuous threat evaluation
- Full CLI and easy to use GUI
- RESTful API
- Advanced analysis and reporting
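The behavior-based approach the deck sets against address matching and signatures (an automatic learning period, per-parameter threshold granularity, rate limiting as the mitigation), as an added illustration that is not FortiDDoS code or any description of its internals. The per-second counters, the 60-second learning period and the sigma/headroom factors are constructed assumptions.

```python
import statistics

# Constructed per-second counters (not captured traffic), keyed by the granular
# parameter a behavior-based appliance tracks: SYNs, UDP to port 53, ICMP, IP
# fragments. Sixty seconds of normal traffic form the learning period; the
# monitoring samples hold a constructed SYN flood and a blended UDP/fragment flood.
LEARNING = [
    {"tcp_syn": 900 + (i * 37) % 120, "udp_53": 400 + (i * 11) % 60,
     "icmp": 20 + i % 7, "ip_frag": 5 + i % 3}
    for i in range(60)
]
MONITORING = [
    {"tcp_syn": 1010, "udp_53": 430, "icmp": 22, "ip_frag": 6},       # normal
    {"tcp_syn": 48000, "udp_53": 425, "icmp": 25, "ip_frag": 7},      # SYN flood
    {"tcp_syn": 52000, "udp_53": 9100, "icmp": 24, "ip_frag": 900},   # blended
]


def learn_thresholds(samples, sigma=4.0, headroom=1.5):
    """Automatic learning: one threshold per parameter, the larger of
    mean + sigma*stddev and headroom*max of the baseline, so ordinary
    day-to-day variation never trips it."""
    thresholds = {}
    for k in samples[0]:
        values = [s[k] for s in samples]
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        thresholds[k] = max(mean + sigma * sd, headroom * max(values))
    return thresholds


def evaluate(samples, thresholds):
    """Behavioral detection with rate-limit mitigation: each second, every
    parameter above its learned threshold is reported, and the action is to
    rate-limit that parameter to its threshold, so traffic under the
    threshold (the good traffic) keeps flowing instead of being reset."""
    events = []
    for second, sample in enumerate(samples):
        for k, observed in sample.items():
            limit = int(thresholds[k])
            if observed > limit:
                events.append({"second": second, "parameter": k,
                               "observed": observed, "limit": limit,
                               "excess_dropped": observed - limit})
    return events


if __name__ == "__main__":
    th = learn_thresholds(LEARNING)
    for event in evaluate(MONITORING, th):
        print(event)
```

Only the parameters that exceed their own threshold are limited, so a SYN flood does not cause DNS or ICMP traffic to be throttled.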
FortiDDoS key attributes:
- 100% Behavioral
- 100% Hardware
- Congestion Resistant
- Automated Learning
- Multi-Attack Protection

(Diagram: FortiDDoS hardware between the ISP and the Data Center passing Good Traffic; Layer 3/4 Bulk Protection and Layer 7 Application Protection.)

(Chart: competitive positioning by PRICE versus FEATURES AND PERFORMANCE across the ENTERPRISE, MID-SIZE and SMALL segments. Vendors shown: FortiDDoS, Radware, Neustar, Arbor Networks, VeriSign, Check Point, Incapsula, CloudFlare, Prolexic.)
Cost comparison (the headings of the two non-FortiDDoS columns are not recoverable here; their cells are listed together):

Category         | FortiDDoS        | Other options
Setup            | Cost of hardware | None; $0
Sites Included   | Unlimited        | Various; Various (usually 1)
Monthly Cost     | Support renewal  | $0; Up to $180-200K for enterprise plans
Traffic Limit    | None             | Usually no cap; None
Advanced Layer 7 | Yes              | N/a
Category               | FortiDDoS | Arbor Pravail | Radware DefensePro | (vendor name not preserved)
Throughput             | 4-24 Gbps | 2-10 Gbps     | 0.2-40 Gbps        | 0.5-12 Gbps
Pricing                | $40-200K  | $32K-145K     | $18-600K           | $19-170K
Latency (microseconds) | <50       | <80           | <60                | <60
Detection Type         | Heuristic | Signature     | Signature          | Signature
FortiDDoS advantages

Performance:
- Up to 10X better than Radware and Arbor in detecting and protecting against threats.
- 100% ASIC-based: doesn't slow down like CPU-based appliances.
- Always up-to-date.
- High throughputs and line-rate speeds minimize congestion risks; most good traffic continues through.
- No software or CPU to allow for application-level attacks on FortiDDoS.
(Chart: client connections established and closed over time, 0-300 seconds, good traffic versus attack traffic.)

Competitors, signature-based: attack mitigated 100 seconds from start by resetting (RST) 100% of connections; good traffic affected. All traffic is blocked for the duration of the attack, including good traffic from legitimate users.

FortiDDoS, behavior-based: attack mitigated 30 seconds from start; minimal impact to good traffic.
Thank You!
Robertas Vingrys
Major Accounts Manager, Baltics
+370 698 77750
rvingrys@fortinet.com
Teemu Lehtonen
Systems Engineer, Finland & Baltics
tlehtonen@fortinet.com