DDoS Trends on CloudFlare Network - Sept 2014
DESCRIPTION
CloudFlare is an expert in DDoS mitigation. We see and mitigate more attacks than any other competitor. We have stopped more than 300BN security threats on our network of 2MM+ websites. We have visibility into hundreds of millions of IPs, which provide us with effective security intelligence. Let's take a look at the type of DDoS attacks on our network and how they have evolved.
TRANSCRIPT
DDoS Attack Trends on CloudFlare Network - Sept 2014
Elenitsa Staykova
Marketing, CloudFlare
CloudFlare - Experts in DDoS Mitigation:
• Stopped 300BN+ security threats on a network of 2MM+ websites
• Visibility into 100MM+ IPs provides CloudFlare effective security intelligence
• Sees and mitigates more attacks than any other security provider
The Evolving Landscape of DDoS Attacks
ATTACK TYPE TREND
• Volumetric Layer 3 / 4
• DNS Infrastructure
• HTTPS application
• Origin: 100s of countries
More sophisticated DDoS mitigation and a larger surface area to block volumetric attacks have forced hackers to change tactics. New DNS infrastructure and HTTP layer 7 attack signatures that mimic human-like behavior are increasing in frequency.
• DNS amplification: up to 300 Gbps
• NTP reflection: up to 400+ Gbps (35% up from DNS ampl.)
• DNS infrastructure: 100s Gbps
• HTTP Application: 100s Gbps
[Chart: sophistication of attack types, 2013 and 2014]
DNS / NTP Amplification attack
Attackers pretending to be your server make tiny requests to thousands of DNS or NTP servers. Those servers return huge responses to your server, knocking it offline.
Exhausts network connection
DNS / NTP Amplification attack
Attackers, pretending to be your server, make tiny requests to thousands of DNS or NTP servers. The servers return huge responses, which are absorbed by CloudFlare.
DNS Infrastructure attack
Attackers use millions of compromised machines to overwhelm DNS servers with requests for a single website, making it impossible for real users to access that site.
Exhausts CPU
DNS Infrastructure attack
Attackers target the CloudFlare DNS servers, but their requests are distributed over our entire network and blocked by our WAF.
Layer 7 attacks
Attackers use millions of compromised machines to launch a sophisticated attack that mimics real users and overloads the slow points in your web property.
Exhausts CPU
Layer 7 attacks
A highly advanced attack that mimics real users is detected and blocked by CloudFlare before it can overload the slow parts of your software.
IP challenged and “grey listed” in a matter of seconds.
CloudFlare effectively mitigates the new attack signatures
The latest attack trends are increasingly sophisticated and human-like
• Attacks crawl many resources on a website looking for vulnerabilities [which is different from prior attack tactics of flooding pipes with requests]
• Hackers utilize diverse strategies to attack URIs, which makes it hard to write a single page rule
• Attacks that impersonate valid user agent strings, e.g. Google and Baidu, in order to bypass security checks
• Botnets slowly crawling login / admin pages, mimicking human behavior, in order to go undetected
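One way a site operator can catch the impersonated Google and Baidu user agents listed above is forward-confirmed reverse DNS. This is an added example, not CloudFlare's code or method; the function names, the suffix table and the DNS records are assumptions constructed for illustration.

```python
import socket

# Reverse-DNS suffixes the crawler operators document for verification
# (assumption: check each operator's current documentation before relying on it).
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "baiduspider": (".baidu.com", ".baidu.jp"),
}

def system_ptr(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """All A/AAAA addresses for host; empty set when resolution fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def classify(ip, user_agent, ptr=system_ptr, forward=system_forward):
    """Return 'verified', 'spoofed' or 'unclaimed' for one request."""
    ua = user_agent.lower()
    for token, suffixes in CRAWLER_DOMAINS.items():
        if token in ua:
            host = (ptr(ip) or "").rstrip(".").lower()
            # The PTR record is set by whoever owns the IP block, so it must
            # be confirmed by a forward lookup that returns the same IP.
            if host.endswith(suffixes) and ip in forward(host):
                return "verified"
            return "spoofed"
    return "unclaimed"

# Constructed DNS data (documentation address ranges) for an offline run.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "crawl-1.googlebot.com",       # forged PTR
       "203.0.113.5": "googlebot.com.bad.example"}    # look-alike name
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-1.googlebot.com": {"192.0.2.99"},
     "googlebot.com.bad.example": {"203.0.113.5"}}

def demo():
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return {ip: classify(ip, ua, PTR.get, lambda h: A.get(h, set())) for ip in PTR}

if __name__ == "__main__":
    print(demo())
```

In production the two resolver arguments are left at their defaults and the result is cached per IP, since each classification costs two DNS lookups.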
CloudFlare uniquely positioned to successfully mitigate these attacks
• CloudFlare sees more attacks than any other security provider
• Visibility into hundreds of millions of IPs provides CloudFlare with effective security intelligence
• CloudFlare employs a data-driven security layer with real-time feedback and dynamic reputation scoring to protect over 2MM websites on our network
• CloudFlare continually updates our WAF to incorporate rules to protect against the latest attack signatures
Additional information
To learn more about CloudFlare DDoS attack mitigation:
• Introducing the BPF tools to mitigate L7 attacks
• Technical details behind 400 Gbps NTP amplification DDoS attack
• Understanding and mitigating NTP-based DDoS attacks
Contact us:
• +1 888 99 FLARE (US)
• +44 20 37134479 (UK)