TRANSCRIPT
Distributed Mitigation Managed Service against DDoS (DMMS)
www.iptp.net
Better network, not just a bigger one.
In this presentation we compare two ways of mitigating a volumetric DDoS attack: the traditional and more commonly used Clean Pipe (also called Scrubbing or Cleaning Center) solution, and the Distributed Mitigation Managed Service (DMMS) against DDoS, based on the Cleaning Network by IPTP Networks. The comparison covers four key aspects of volumetric DDoS mitigation:
Clean Pipe vs. IPTP DMMS Network:
1. Latency
2. Reaction Time
3. Bandwidth
4. Expenses
What is volumetric DDoS?
Volumetric distributed Denial-of-Service (DDoS) is a special type of denial-of-service attack in which the malicious traffic is generated from multiple sources (for example, botnets: remotely controlled computers also known as 'zombies'). These attacks come in different forms: DNS amplification, reflection attacks, Smurf, etc.
[Diagram: malicious and legitimate traffic sources reach the target server through ISP1, ISP2 and ISP3 (50 ms each) and the global Internet; the router in front of the target server is under high traffic load and users receive Error 504 Gateway Timeout.]
Dangers of DDoS
Error 504 Gateway Timeout: the message received when the user is unable to reach web resources under a Denial-of-Service attack.
[Chart: survey of DDoS attack peak sizes over the years 2009 to 2016 (vertical axis 0 to 600 Gbps), with labelled peaks of 60 Gbps, 100 Gbps, 500 Gbps and 602 Gbps.]
A successful DDoS attack causes the target system to stop responding, which can degrade the network in several ways:
• Slowing down access and network performance by overloading it with malicious traffic.
• Causing unavailability of a targeted network resource.
• Limiting the ability to access certain resources such as servers, cloud, etc.
• Creating a diversion for network administrators and using it to obtain unauthorized access to confidential or sensitive information (a data breach).
[Chart: Loss in revenue. Estimated loss in revenue for each minute of downtime, shown as the share of respondents (from 1% to 21%) for each range: $1-10, $10-100, $100-1,000, $1,000-5,000, $5,000-10,000, $10,000-25,000, $25,000-50,000, $50,000-100,000, over $100,000, and hard to determine. Source: Ponemon Institute Research Report.]
Average total loss per minute: $21,699.
How does the Clean Pipe solution work?
[Diagram: traffic from ISP1, ISP2 and ISP3 (50 ms each) is redirected through the DDoS Mitigation Service Provider's Cleaning Center, which acts as a false target, and then through a tunnel (Clean Pipe) to the target server. Extra bandwidth required: additional charges or a limit may apply. Latency is increased on the redirected legs (50 ms each); the Cleaning Center is under high traffic load, the target server under low traffic load.]
• Mitigation of volumetric DDoS on limited network nodes.
• Up to 3600 seconds of reaction time.
• Latency added to the service.
• Limited bandwidth capacity.
• Extra charges for bandwidth overload.
IPTP DMMS Network
[Diagram: traffic from ISP1, ISP2 and ISP3 (50 ms each) enters the IPTP Networks global MPLS network through IPTP DMMS firewalls at its perimeter, where malicious traffic is dropped; only legitimate traffic reaches the target server.]
• Distributed mitigation on a global network perimeter.
• No reaction time.
• No added latency.
• Bandwidth limits higher by an order of magnitude.
• No extra charges for bandwidth overload.
1.1 Latency: Clean Pipe or Cleaning Center
[Diagram: the route of an IP packet during a volumetric DDoS attack when redirected through the Cleaning Center: web-site visitor → ISP1 → ISP2 → Cleaning Center → ISP3 → target server, 50 ms per leg.]
• The traffic is routed through the Cleaning Center in both directions, which increases the number of network nodes between the user and the protected server.
• The created route results in additional distance for the IP packets to travel, slowing down the burst rate and dramatically increasing the latency.
1.2 Latency: IPTP DMMS Network
• IP packets do not travel any extra distance. Instead they move from the web-site visitor to the target server and back exclusively via our distributed firewalls.
• All our firewalls are geographically dispersed across the globe, applying distributed protection against volumetric DDoS while adding no latency.
• This allows the traffic to be mitigated on the closest available firewalls, balancing the traffic load.
[Diagram: the route of an IP packet during a volumetric DDoS attack when protected by IPTP DMMS Network: web-site visitor → IPTP firewall → IPTP Networks → target server.]
2.1 Reaction Time
Reaction time is the time from detection of a DDoS attack to a counter-reaction against it. The interval from when the first malicious packets arrive at the customer's doorstep to when they start being filtered by a DDoS Mitigation Service Provider is also the period during which the target infrastructure suffers service unavailability, which, if prolonged, can lead to severe consequences.
Cleaning Center: up to 3600 sec vs. IPTP DMMS Network: ≈ 0 sec.
2.2 Reaction Time: Clean Pipe or Cleaning Center
• The time to recognise the problem, report it to the provider and establish a tunnel results in a delay for the mitigation.
• Setting up a new tunnel every time a DDoS attack occurs can be extremely time-consuming.
• It can take from 30 minutes to 1 hour, and even longer, for the mitigation to begin.
[Diagram: Detect DDoS → Report to provider → Establish a tunnel.]
2.3 Reaction Time: IPTP DMMS Network
• No time is spent setting up a tunnel; instead the traffic is filtered directly at the border of IPTP DMMS Network.
• No manual set-up.
• No tunnel required; the mitigation is carried out on the closest network equipment.
[Diagram: botnet "zombies" on the global Internet send traffic through routers to IPTP firewalls at the border of the IPTP global MPLS network; the web-site visitor reaches the target server through the same firewalls.]
3.1 Bandwidth: Clean Pipe or Cleaning Center
• A Cleaning Center is normally located at one geographical point, which normally means a restricted number of communication channels and limited Internet capacity.
• When the attack size exceeds the Cleaning Center's capacity, the result is channel aggregation as the ports cease to withstand the traffic load.
[Diagram: the DDoS Mitigation Service Provider's Cleaning Center, connected to the global Internet through ISP1 to ISP4, in front of the target server.]
3.2 Bandwidth: IPTP DMMS Network
• 1500 10 Gbps ports distributed across the globe and a total network capacity of over 30 Tb/s allow us to withstand heavy-bandwidth DDoS attacks without the risk of service degradation.
• No cleaning centers, no additional tunnels and no limited network nodes.
• Distribution of traffic among multiple points in our network: no combined volume of traffic on one network node.
Over 1500 10 Gbps ports; total network capacity 30 Tbps; data centers in 22 countries worldwide.
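As an added illustration (not code from IPTP's presentation), the following Python model shows why the combined attack volume from sections 3.1 and 3.2 lands on a single Cleaning Center but is split across distributed firewalls, and sums the per-leg latencies of the routes from sections 1.1 and 1.2. The attack rates, regions, node capacities and the two-leg direct route are constructed assumptions; the 602 Gbps total and the five 50 ms legs come from the deck.

```python
from collections import defaultdict

# Constructed attack traffic: (region of the traffic source, rate in Gbps).
# Botnet traffic arrives from several regions at once, which is what makes
# the attack volumetric. The total is 602 Gbps, the peak size quoted earlier.
ATTACK = [("eu", 120.0), ("eu", 80.0), ("us", 150.0), ("us", 90.0),
          ("asia", 110.0), ("asia", 52.0)]

def load_per_node(attack, node_for_region):
    """Sum the attack rate that lands on each mitigation node.
    node_for_region maps a source region to the node that filters it."""
    load = defaultdict(float)
    for region, gbps in attack:
        load[node_for_region(region)] += gbps
    return dict(load)

def saturated_nodes(load, capacity_gbps):
    """Nodes whose ingress exceeds their capacity: their ports cease to
    withstand the traffic load and legitimate packets are dropped too."""
    return sorted(node for node, gbps in load.items() if gbps > capacity_gbps[node])

def route_latency_ms(legs_ms):
    """End-to-end latency of a packet path from its per-leg latencies."""
    return sum(legs_ms)

# Clean Pipe: every region is tunnelled to the one Cleaning Center, so the
# whole attack volume aggregates on its ports (constructed capacity: 500 Gbps).
CLEAN_PIPE_CAPACITY = {"cleaning-center": 500.0}
clean_pipe_load = load_per_node(ATTACK, lambda region: "cleaning-center")

# Distributed mitigation: each region is filtered by its nearest firewall, so
# no single node sees the combined volume (constructed capacity: 300 Gbps each).
DMMS_CAPACITY = {"fw-eu": 300.0, "fw-us": 300.0, "fw-asia": 300.0}
dmms_load = load_per_node(ATTACK, lambda region: "fw-" + region)

# Latency from slide 1.1: visitor -> ISP1 -> ISP2 -> Cleaning Center -> ISP3
# -> target, 50 ms per leg. The direct route is an assumption (two legs).
CLEAN_PIPE_ROUTE_MS = [50, 50, 50, 50, 50]
DIRECT_ROUTE_MS = [50, 50]  # assumed: visitor -> IPTP firewall -> target

if __name__ == "__main__":
    print("clean pipe :", clean_pipe_load, "saturated:",
          saturated_nodes(clean_pipe_load, CLEAN_PIPE_CAPACITY))
    print("distributed:", dmms_load, "saturated:",
          saturated_nodes(dmms_load, DMMS_CAPACITY))
    print("latency ms :", route_latency_ms(CLEAN_PIPE_ROUTE_MS),
          "vs", route_latency_ms(DIRECT_ROUTE_MS))
```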
4.1 Expenses: Clean Pipe or Cleaning Center
• When additional bandwidth is required, the ISP charges the DDoS Mitigation Service Provider, increasing the mitigation costs.
• The established tunnel and the attack traffic are often redirected through the routers of the same ISP, escalating the traffic load. This results in extra charges for the bandwidth.
[Diagram: the DDoS Mitigation Service Provider's Cleaning Center, connected to the global Internet through ISP1 to ISP4, in front of the target server; bills are issued for extra bandwidth and for extra traffic.]
4.2 Expenses: IPTP DMMS Network
• Can mitigate bandwidth-heavy DDoS attacks while applying no additional charges for the traffic.
• Advanced firewalls can handle multiple gigabits of traffic and filter any type of flood (ICMP, UDP, SYN and others).
• As a One-Stop IT Shop, we help save costs for service provision, management and maintenance.
[Map: IPTP Networks points of presence: Limassol, Dubai, Istanbul, Amsterdam, Helsinki, London, Slough, Paris, Marseille, Kiev, Stockholm, Zürich, Milan, Madrid, Frankfurt, Moscow, St. Petersburg, Novosibirsk, Vladivostok, Ashburn, Atlanta, Dallas, Denver, Chicago, Miami, New York, Los Angeles, San Jose, Seattle, Washington, Toronto, São Paulo, Beijing, Hong Kong, Taipei, Singapore, Seoul, Tokyo, Mumbai, Johannesburg, Nicosia. 0 USD extra traffic charge.]
Summary
To summarise, Distributed Mitigation Managed Service against DDoS by IPTP Networks covers all the main aspects associated with DDoS Mitigation, leaving you with:
• No reaction time.
• No added latency.
• Bandwidth limits higher by an order of magnitude.
• No extra charges for bandwidth overload.
• No volumetric DDoS.
[Diagram: IPTP DMMS Network features: geographical distribution, advanced firewalls, high network capacity, zero reaction time, no extra traffic charges, no additional latency.]