5G INFRASTRUCTURE SECURITY
Enabling Terabit DDoS Defense for your Juniper Network

Louis Chan
Sr Consulting Engineer, APAC
Jun 2019

© 2018 Juniper Networks


RISE OF IOT BOTNET

Mirai Botnet Attack Costs Companies $110 Million

https://effortlessoffice.com/mirai-botnet-attack-costs-companies-hundreds-of-millions/
RISE OF IOT BOTNET

DDoS attacks scale up to 1Tbps!! (the attack lasted for 15 sec)

https://www.technadu.com/largest-ever-recorded-ddos-attack-broken/66428/amp/
CORERO DDOS TRENDS REPORT – 2018

DDoS is an evolving and increasing threat

• Example statistics from across our customer networks

Need a solution that is real-time, handles volumetric attacks and is cost-efficient


5G INFRASTRUCTURE SECURITY CONSIDERATIONS
• Security performance must scale
• Cost efficiency
• Operational simplicity and automation
• Mitigation in real-time
• etc.



Juniper Innovation in real-time, high-performance and cost-efficient DDoS protection



AGENDA
• TDD Value Propositions

• Problems of Legacy ‘Detect & Redirect’

• Accurate DDoS Detection and Mitigation at the MX Edge

• Demo – Screenshots



DDOS SOLUTIONS SCOPE, SCALE AND COST
DDoS Deployments include:
• CSP / Mobile SP
• Cloud / Hosting / DCs
• Digital Enterprise
More than 100 DDoS Protection Solutions Deployed

[Figure: deployments plotted by attack scale (< 100G, > 100G, 1Tb – 10Tb) against footprint (Transit + Peering networks or sites; PoPs + DCs; < 5 sites, > 5 sites, 10-100)]
MITIGATION STYLE VS. ATTACK SIZE AND EDGE CAPACITY

[Figure: Size of Attack (vertical) against Number of Attacks (horizontal). Attacks above the Provider Edge Capacity fall into the Blackhole Zone (some flowspec); between Provider Edge Capacity and Provider Scrubbing Capacity there is only Partial Protection; the Scrubbing Zone below Provider Scrubbing Capacity (10%) is where attacks can be scrubbed.]
MITIGATION STYLE VS. ATTACK SIZE AND EDGE CAPACITY

[Figure: same axes, with Provider Edge Mitigation added. Above Provider Edge Capacity (typically multiple Terabits/sec): Blackhole Zone. Provider Edge Mitigation Zone: 100% Edge Protection, scales to >10 Terabits DDoS Protection, leveraging real-time data and analytics to deliver intelligent automation. Below Provider Scrubbing Capacity: Scrubbing Zone.]

>90% of attacks mitigated at Provider Edge
<10% redirected to scrubbing
PROBLEMS OF LEGACY ‘DETECT AND REDIRECT’ SOLUTION
e.g. Arbor, Radware, A10



PROBLEMS OF LEGACY ‘DETECT AND REDIRECT’ SOLUTION (E.G. ARBOR)

[Figure: DDoS attacks arriving from transit/peering and good traffic destined for subscribers enter the Service Provider network at the ingress from transit/peering (SP peers), traverse it to the egress to subscribers, and reach the DDoS victims. Netflow is exported to an out-of-band Detect function.]

1) Aggregation delay
2) Header only
3) Detection delay



PROBLEMS OF LEGACY ‘DETECT AND REDIRECT’ SOLUTION (CONT)

[Figure: same topology. On detection, the out-of-band Detect function issues a BGP redirect that pulls the traffic from the ingress into the Scrubbing Capacity in the core (<10% of edge capacity); good traffic is then tunneled back to the edge or customer before the egress to subscribers.]

4) BGP propagation
5) Backhaul of large DDoS traffic in the core
6) Costly scrubber
7) Limited capacity
8) Low visibility



TIME TO MITIGATION (TTM) OF MINUTES = FAIL

[Figure: FAIL (TTM of minutes) contrasted with SUCCESS]
ENHANCED ACCURACY + SPEED OF DDOS DETECTION/MITIGATION

Netflow                      vs.  Mirror (1:1000)
• aggregation delay               ▪ immediate forwarding
• header only                     ▪ header and payload
• attack overload                 ▪ scales with attack

Flowspec/RTBH                vs.  NETCONF Threat Defense Director (TDD)
• BGP propagation                 ▪ ephemeral configuration
• header only                     ▪ header and payload
• limited visibility              ▪ streaming telemetry



JUNIPER THREAT DETECTION DIRECTOR (TDD)
SOFTWARE DEFINED NETWORK EDGE DEFENSE

[Figure: from the Internet, Legitimate Customers / Good Users and Attackers (Source 10.3.3.0/24) reach the Customer Facing Services (Web, Content, E-Commerce, SaaS; Destination 10.4.4.10/32) through a Juniper MX Router. The MX provides Mirror (1:1000), Streaming Telemetry and a Dynamic Filter (Tuple + Payload).]

1. Peace-Time Operation
2. Attack Starts
3. Automatic Mitigation Begins



PROVIDER EDGE DDOS DETECTION AND MITIGATION

[Figure: DDoS attacks arriving from transit/peering enter the Service Provider at the ingress from transit/peering (SP peers). The Threat Defense Director (TDD) programs the edge routers over netconf, so only good traffic continues to the edge or customer and on to the egress to subscribers.]



DC/CLOUD EDGE DDOS DETECTION AND MITIGATION

[Figure: DDoS attacks arriving from transit/peering enter the DC/Cloud Provider at the ingress from transit/peering (SP peers). The Threat Defense Director (TDD) programs the edge over netconf, so only good traffic reaches the server/service.]



OUTBOUND: TO INSPECT AND MITIGATE ATTACK FROM SUBSCRIBERS

[Figure: IP/PPPoE Subscribers, including compromised IP cameras / IoT devices, attach to MX PE routers, which connect across the MPLS core to MX peering routers towards the SP peers.]
COMPETITIVE SUMMARY

                     | Juniper TDD                     | Arbor, Radware, A10…                          | Remarks
Mitigation Capacity  | 40Tbps                          | Arbor 8Tbps, Radware 400Gbps, A10 6Tbps       |
Cost                 | $                               | $$$$$                                         | e.g. Arbor 1Tbps mitigation costs USD 2M after discount
Real-time Mitigation | Yes, less than 3 sec            | No, minutes due to delay by flow aggregation  |
Inspection Accuracy  | Packet level deep into 200Byte+ | Flow-based (5-tuple) detect and redirect      | After flow redirect, traffic can be inspected by the scrubber, but this takes minutes to trigger the redirect. RTBH beyond scrubber capacity – both attack and legitimate traffic
Point of Mitigation  | Mitigation at the edge          | By scrubber inside the core                   | Need to backhaul DDoS traffic to the scrubber. This wastes core BW.
Traffic Visibility   | Accurate, by Telemetry          | By aggregate flow stats                       |



THE PRODUCT – JUNIPER THREAT DEFENSE DIRECTOR (TDD)



TDD COMPONENTS AND MX FEATURES

SmartWall TDD
- Virtual Network Threat Defense (vNTD)
  - Detection engine (DE)
  - Detect DDoS attack from mirrored packets
- Virtual SecureWatch Analytics (vSWA)
  - Receive information from NTD
  - Receive and display Telemetry
- Virtual Central Management Server (vCMS)
  - Manage mitigation policy

MX
- Packet mirroring (1:1000)
- FF provisioning
- NETCONF and ephemeral config database
- FF Telemetry
- Firewall flexible match filter
- Trio MPCs
MX FIREWALL FILTER FLEXIBLE MATCH
EXAMPLE: NTP MONLIST

[Figure: UDP bytes from the 1st byte of UDP to the 12th byte of UDP, the matched byte highlighted]

Flex match:
- start from layer 4 (UDP)
- Byte-offset 11 means the 12th byte
- Match for 8 bits
- Mask = 0xFF = 1111 1111 (compare all bits)
- Pattern = DEC 42 = HEX 2a
MX FIREWALL FILTER FLEXIBLE MATCH (CONT)
EXAMPLE: TCP SYN ACK FLAG SET

[Figure: TCP bytes from the 1st byte of TCP to the 14th byte of TCP, the flags byte shown as 0001 0010]

Flex match:
- start from layer 4 (TCP)
- Byte-offset 13 means the 14th byte
- Match for 8 bits
- Mask = 0x17 = 0001 0111 (only compare the set positions)
- Pattern = DEC 18 = HEX 12 = 0001 0010
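The two flex-match slides describe one mechanism, so here is a single added Python model of it (not Juniper's code): read 8 bits at a byte offset from the start of the layer-4 header and compare them with a pattern under a mask. The NTP and TCP packets are constructed samples; the TCP cases also show why the 0x17 mask accepts a SYN-ACK that carries PSH but rejects a RST-ACK.

```python
"""Added model (not Juniper's code) of the MX flexible-match semantics on slides 23-24:
compare 8 bits at `byte_offset` from the start of the layer-4 header with a pattern under a mask."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FlexMatch:
    name: str
    byte_offset: int   # bytes from the start of the UDP/TCP header (match-start layer-4)
    mask: int          # which of the 8 bits are compared
    pattern: int       # expected value of the compared bits

    def matches(self, l4: bytes) -> bool:
        """l4 starts at the layer-4 header; a packet too short to reach the offset never matches."""
        if len(l4) <= self.byte_offset:
            return False
        return (l4[self.byte_offset] & self.mask) == (self.pattern & self.mask)

# Slide 23: the UDP header is 8 bytes, so byte-offset 11 is the 4th byte of the NTP
# payload, the mode-7 request code (MON_GETLIST_1 = 42 = 0x2a); mask 0xFF compares all bits.
NTP_MONLIST = FlexMatch("ntp-monlist", byte_offset=11, mask=0xFF, pattern=0x2A)

# Slide 24: TCP byte 13 holds the flags. Mask 0x17 compares only ACK, RST, SYN, FIN;
# pattern 0x12 needs ACK and SYN set (hence RST, FIN clear); PSH/URG/ECE/CWR are ignored.
TCP_SYN_ACK = FlexMatch("tcp-syn-ack", byte_offset=13, mask=0x17, pattern=0x12)

def udp(dst_port: int, payload: bytes) -> bytes:
    """Constructed UDP header (src port 40000, dst port, length, zero checksum) + payload."""
    return (b"\x9c\x40" + dst_port.to_bytes(2, "big")
            + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00" + payload)

def tcp(flags: int) -> bytes:
    """Constructed 20-byte TCP header (dst port 80, no options) with the flags byte at offset 13."""
    hdr = bytearray(20)
    hdr[2:4] = (80).to_bytes(2, "big")
    hdr[12] = 0x50                       # data offset: 5 words
    hdr[13] = flags
    return bytes(hdr)

def count_matches(term: FlexMatch, mirrored) -> int:
    """How many packets from a (1:1000) mirror a firewall term with this match would select."""
    return sum(term.matches(p) for p in mirrored)

# Constructed samples: a mode-7 monlist request (first byte 0x17 = version 2, mode 7),
# a normal mode-3 client poll, then SYN-ACK, SYN-ACK+PSH, bare SYN and RST-ACK segments.
NTP_SAMPLES = [udp(123, b"\x17\x00\x03\x2a" + b"\x00" * 4), udp(123, b"\xe3" + b"\x00" * 47)]
TCP_SAMPLES = [tcp(0x12), tcp(0x1A), tcp(0x02), tcp(0x14)]

if __name__ == "__main__":
    print("monlist hits:", count_matches(NTP_MONLIST, NTP_SAMPLES))   # 1
    print("syn-ack hits:", count_matches(TCP_SYN_ACK, TCP_SAMPLES))   # 2
```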
ONE CUSTOMER (ATTACKS IN ONE MONTH)



ONE ATTACK (MULTIVECTOR - 20 MINUTES DURATION)



The following slides describe how SmartWall TDD Mitigation works with MX



TDD SUMMARY
• Real-time mitigation at the edge
• Automation – accurate, eliminates operator error
• Cost efficiency
• Simplicity – reduces mitigation from 9 steps to just 3
• Scalable up to 40Tbps



CONFIDENTIAL
THANK YOU
