Mar, 2013
Introducing FortiDDoS
Uses the newest member of the FortiASIC family, FortiASIC-TP™
Rate Based Detection
Inline Full Transparent Mode
• No MAC address changes
Signature Free Defense
• Hardware based protection
Self Learning Baseline
• Adapts based on behavior
Granular Protection
• Multiple thresholds to detect subtle changes and provide rapid mitigation
Hardware Accelerated DDoS Defense Intent Based Protection
Introducing FortiDDoS
[Diagram: FortiDDoS™ deployed inline in front of a web hosting center firewall, with legitimate traffic and malicious traffic arriving over the ISP 1 and ISP 2 links.]
How it works – Virtual Partitions
• Enables up to eight segmented zones
• Consider a customer with multiple traffic types: web browsing, firmware updates, online ordering
• Separate policies for unique traffic patterns
• Need to protect services from each other
• Mitigation could include limiting the volume of firmware downloads
[Diagram: corporate site behind a FortiGate firewall, with FortiDDoS providing DDoS protection inline on the links from the ISP(s).]
How it works – Basics
• FortiDDoS is typically protecting the customer link(s)
• On premise, or within ISP data center
• Transparent deployment
• Bypass capability with FortiBridge
• Traffic flows are handled by the FortiASIC-TP
• Legitimate traffic model is automatically constructed
• Calendar based baseline
• Adaptive Threshold Estimation
• Typically increases over time, no need to re-measure
• Multiple links supported
[Diagram: hosting center behind a FortiGate firewall, with FortiDDoS providing DDoS protection inline on the links from the ISP(s).]
How it works – Detection and Mitigation
• Detection is performed in hardware
• Packets processed by FortiASIC-TP
• Classification and metering across multiple layers
• Single pass decision making
• Correlated with the created traffic model
• Protocol anomalies, threshold violations, application level attacks
• Mitigation occurs here
• No traffic redirection (e.g. BGP) or control plane disruption
• No hidden costs, easy to deploy, immediate relief
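The loop described on the three "How it works" slides above (per-partition policies, a calendar-based baseline learned from clean traffic, adaptive thresholds that ratchet upward, and single-pass metering that passes traffic up to the threshold and drops only the excess), written out as an added Python example. This is illustrative code for this page, not Fortinet's or the FortiDDoS implementation; the partition names, the diurnal profiles, the "mean + 3 sigma, at least 20% headroom" threshold rule and the 2% growth step are all assumptions.

```python
"""Rate-based detection with a learned calendar baseline, per-partition thresholds
and single-pass metering. Illustrative code for this page, not FortiDDoS firmware."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed (hypothetical) clean packets/sec profiles for two virtual partitions,
# one value per hour of day. A real appliance learns these from live traffic.
PROFILES = {
    "web": [400 + 300 * min(h, 23 - h) for h in range(24)],   # peaks around mid-day
    "firmware": [150 + 10 * h for h in range(24)],           # small, rises through the day
}
LEARNING_DAYS = 7

def training_samples():
    """Deterministic pseudo-history: (partition, hour, pps) with +/-4% day-to-day jitter."""
    samples = []
    for part, profile in PROFILES.items():
        for day in range(LEARNING_DAYS):
            for hour in range(24):
                jitter = 1 + 0.02 * ((2 * day + hour) % 5 - 2)
                samples.append((part, hour, profile[hour] * jitter))
    return samples

def build_baseline(samples):
    """Calendar-based baseline: mean and stdev of the rate per (partition, hour of day)."""
    buckets = defaultdict(list)
    for part, hour, pps in samples:
        buckets[(part, hour)].append(pps)
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()}

def estimate_thresholds(baseline, sigmas=3.0, headroom=1.2):
    """Threshold per bucket: mean + sigmas*stdev, but at least headroom*mean so that a
    very flat baseline still leaves room for ordinary growth (assumed rule)."""
    return {key: max(m + sigmas * s, headroom * m) for key, (m, s) in baseline.items()}

def meter(thresholds, partition, hour, observed_pps):
    """Single-pass decision for one measurement window: pass traffic up to the
    threshold, drop the excess. Returns (allowed_pps, dropped_pps, event_or_None)."""
    limit = thresholds[(partition, hour)]
    if observed_pps <= limit:
        return observed_pps, 0.0, None
    event = (f"threshold violation: partition={partition} hour={hour:02d} "
             f"observed={observed_pps:.0f} pps limit={limit:.0f} pps")
    return limit, observed_pps - limit, event

def adapt(thresholds, partition, hour, observed_pps, step=1.02, band=0.9):
    """Continuous adaptive estimation: when in-model traffic runs close to the limit
    (within `band` of it) the limit ratchets up by `step`. Violations never raise it,
    so an attack cannot teach the model a higher 'normal'."""
    key = (partition, hour)
    limit = thresholds[key]
    if band * limit <= observed_pps <= limit:
        thresholds[key] = limit * step
    return thresholds[key]

def run_stream(thresholds, windows):
    """Meter a sequence of (partition, hour, pps) windows. Returns (events, allowed, dropped)."""
    events, allowed_total, dropped_total = [], 0.0, 0.0
    for part, hour, pps in windows:
        allowed, dropped, event = meter(thresholds, part, hour, pps)
        allowed_total += allowed
        dropped_total += dropped
        if event:
            events.append(event)
        else:
            adapt(thresholds, part, hour, pps)
    return events, allowed_total, dropped_total

if __name__ == "__main__":
    thr = estimate_thresholds(build_baseline(training_samples()))
    # Constructed stream: normal web traffic, a 20x web flood, then a firmware burst.
    stream = [("web", 12, 3700), ("web", 12, 74000), ("firmware", 3, 9000)]
    events, allowed, dropped = run_stream(thr, stream)
    print("\n".join(events))
    print(f"allowed {allowed:.0f} pps, dropped {dropped:.0f} pps over {len(stream)} windows")
```

The important property is in `run_stream`: only windows that stay inside the model feed `adapt`, so the threshold grows with legitimate traffic over time (the "no need to re-measure" point above) while a flood, however long it lasts, cannot raise it. Because thresholds are keyed by partition, the firmware zone keeps its own, much lower limit even while the web zone is busy.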
[Diagram: filtering stages in order, from attack traffic entering the appliance to legitimate traffic leaving it:]
• Virtual Partitioning
• Geo-Location ACL
• Protocol Anomaly Prevention
• Packet Flood Mitigation
• Stateful Inspection
• Out of State Filtering
• Granular Layer 3 and 4 Filtering
• Application Layer Filtering
• Algorithmic Filtering
• Heuristic Filtering
• Bogon Filtering
• Multiple Independent FortiASIC-TP complexes
• No CPU paths
• No concept of fast or slow path
• No IP/MAC address in the data path
Overall System Architecture
[Diagram: data path and control bus. Inbound and outbound packets pass through the Virtualization and Decision Multiplexer stages of the FortiASIC-Traffic Processor (TP); allowed packets are forwarded and dropped packets are discarded. The Management Interface sits on the control bus and emits SNMP traps/MIBs, syslog and event notifications.]
FortiASIC-Traffic Processor (TP) data path blocks:
• Network, Transport, Application Layer Rate Anomaly Prevention
• Dark Address, Geo-location, IP Reputation
• Network, Transport, Application Layer Access Control Lists
• Anti-spoofing
• Network, Transport, Application Layer Header Anomaly Prevention
• State Anomaly Prevention
• Application Layer Heuristics
• Source Tracking
Control and Statistics:
• Event/Traffic Statistics, Graphs
• Threshold Wizard, Continuous Adaptive Threshold Estimation
• Policy Configuration, Archive, Restore
No CPU in the path of the packets
No fast or slow path
No IP/MAC address in the path of the packets
How it works – Baseline Building
Overall View Over a Month
These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks.
The purpose of the appliance is to maintain the normal traffic and only pass what's legitimate. That's what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What's being allowed is the blue area.
View of another link
This graph shows the second link on the same device. This link has larger and continuous attacks over the month's period. As you can see, the appliance maintains the normal behavior and drops excessive packets.
The maroon line shows what's incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that's getting dropped.
Aggregate Drop Traffic
This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that's getting filtered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in subsequent graphs on subsequent pages.
Summary Over 1 month (Packets Dropped / 3 Hours)
Type    | Maximum     | Minimum | Average    | Total Packets Dropped
Layer 2 | 0           | 0       | 0          | 0
Layer 3 | 71,796,072  | 0       | 21,262,421 | 5,273,080,458
Layer 4 | 375,005,802 | 300     | 5,899,631  | 1,463,108,503
Layer 7 | 303         | 0       | 1          | 304
Top Attacks and Top Attacker Reports
FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month, 1 year. These IPs are obfuscated.
Top Attacks: Inbound
Index | Attack                | Packets dropped | Events
0     | Source flood          | 30,913,661,628  | 30,630
1     | SYN flood             | 1,250,473,117   | 8,516
2     | SYN flood from source | 1,030,033,363   | 13,577
3     | Protocol flood        | 147,159,676     | 23,042
4     | TCP port flood        | 41,015,858      | 1,399
5     | TCP checksum error    | 27,768,790      | 8,927
6     | TCP zombie flood      | 23,254,968      | 779
7     | Source IP==dest IP    | 19,793,175      | 843
8     | L4 anomalies          | 19,252,249      | 4,461
9     | Destination flood     | 2,785,518       | 8
Top Attackers: Inbound
Index | Attacker       | Packets dropped | Events
0     | 62.141.36.249  | 10,264,827,716  | 2,537
1     | 178.32.48.19   | 2,722,698,591   | 1,759
2     | 217.23.10.193  | 1,696,605,289   | 1,813
3     | 208.53.158.149 | 1,597,620,580   | 1,959
4     | 178.32.48.20   | 1,569,216,884   | 1,681
5     | 213.165.69.62  | 1,469,239,395   | 432
6     | 67.213.219.97  | 1,092,829,398   | 1,230
7     | 66.219.17.96   | 1,054,221,515   | 552
8     | 174.37.45.152  | 757,198,482     | 32
9     | 91.191.167.12  | 676,203,668     | 231
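Several of the attack categories in the report above ("TCP checksum error", "Source IP==dest IP", "L4 anomalies", and the "Fragmented Packets" and "IPv4 Options" rows of the Layer 3 table) are header anomalies that can be decided from the packet alone, without any baseline. The added Python example below builds a few IPv4/TCP packets inline and runs an illustrative set of such checks over them, producing the kind of per-reason drop count the tables show. It is written for this page, not taken from FortiDDoS; the exact list of checks (SYN+FIN, null flags, urgent pointer without URG, port 0) is an assumed set, and the addresses are documentation-range values.

```python
"""Header anomaly checks: IPv4 and TCP checksums, source == destination, fragments,
IPv4 options and illegal TCP flag combinations. Packets are constructed inline."""
import struct
from collections import Counter
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urg ptr

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Run over data that already carries a
    correct checksum it returns 0, which is how classify() verifies headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", bad_checksum=False):
    """Constructed minimal IPv4+TCP packet (20-byte headers, no options).
    bad_checksum=True corrupts the TCP checksum to model a 'TCP checksum error'."""
    src_b, dst_b = IPv4Address(src).packed, IPv4Address(dst).packed
    tcp_len = 20 + len(payload)
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    csum = checksum(pseudo + tcp + payload) or 0xFFFF
    if bad_checksum:
        csum ^= 0x5555
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def classify(packet: bytes) -> list:
    """Return the anomaly names found in one packet (empty list = clean).
    The set of checks is an assumed, illustrative one, not the appliance's list."""
    found = []
    if len(packet) < 20:
        return ["L3 anomaly: truncated IPv4 header"]
    ver_ihl, _, total_len, _, frag, _, proto, _, src_b, dst_b = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl or total_len > len(packet):
        return ["L3 anomaly: bad version or length"]
    if checksum(packet[:ihl]) != 0:
        found.append("IPv4 header checksum error")
    if src_b == dst_b:
        found.append("Source IP == dest IP")
    if frag & 0x3FFF:                       # MF flag set or non-zero fragment offset
        found.append("Fragmented packet")
    if ihl > 20:
        found.append("IPv4 options")
    if proto != 6:
        return found                        # only TCP is inspected further here
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        return found + ["L4 anomaly: truncated TCP header"]
    sport, dport, _, _, off, flags, _, _, urg = struct.unpack(TCP_HDR, tcp[:20])
    if (off >> 4) * 4 < 20 or (off >> 4) * 4 > len(tcp):
        found.append("L4 anomaly: bad TCP data offset")
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    if checksum(pseudo + tcp) != 0:
        found.append("TCP checksum error")
    if flags & SYN and flags & FIN:
        found.append("L4 anomaly: SYN+FIN")
    if flags & 0x3F == 0:
        found.append("L4 anomaly: null flags")
    if urg and not flags & URG:
        found.append("L4 anomaly: urgent pointer without URG")
    if sport == 0 or dport == 0:
        found.append("L4 anomaly: port 0")
    return found

def drop_summary(packets) -> Counter:
    """Count drop reasons over a batch, the way the per-layer drop tables group them."""
    counts = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return counts

if __name__ == "__main__":
    batch = [
        build_ipv4_tcp("198.51.100.10", "203.0.113.5", 40000, 80, SYN),
        build_ipv4_tcp("203.0.113.5", "203.0.113.5", 40000, 80, SYN),
        build_ipv4_tcp("198.51.100.10", "203.0.113.5", 40000, 80, SYN, bad_checksum=True),
        build_ipv4_tcp("198.51.100.10", "203.0.113.5", 40000, 80, SYN | FIN),
    ]
    for reason, count in drop_summary(batch).items():
        print(f"{reason}: {count}")
```

Each check is stateless and bounded in cost, which is why this class of filter sits early in a hardware pipeline: a packet that fails any of them can be dropped before any per-source or per-destination state is consulted.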
Packets Dropped at Layer 3
This graph shows the dropped traffic due to certain Layer 3 reasons which are shown in the table below.
Summary Over 1 month (Packets Dropped / 3 Hours)
Type                    | Maximum    | Minimum | Average    | Total Packets Dropped
Protocols               | 8,225,652  | 0       | 637,875    | 158,193,111
TOS                     | 0          | 0       | 0          | 0
IPv4 Options            | 0          | 0       | 0          | 0
Fragmented Packets      | 1,157      | 0       | 7          | 1,873
L3 Anomalies            | 11,870,534 | 0       | 79,834     | 19,798,847
Source Flood            | 57,013,194 | 0       | 20,532,304 | 5,092,011,434
Misc. Source Flood      | 289,674    | 0       | 1,168      | 289,675
Destination Flood       | 2,441,260  | 0       | 11,231     | 2,785,518
Misc. Destination Flood | 0          | 0       | 0          | 0
Dark Address Scan       | 0          | 0       | 0          | 0
Network Scan            | 0          | 0       | 0          | 0
Packets Dropped at Layer 4
This graph shows the dropped traffic due to certain Layer 4 reasons which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped due to a few specific IPs sending too many SYN packets/second.
Summary Over 1 month (Packets Dropped / 3 Hours)
Type                                             | Maximum     | Minimum | Average   | Total Packets Dropped
TCP Options                                      | 0           | 0       | 0         | 0
SYN Packets                                      | 278,119,806 | 0       | 5,034,862 | 1,248,645,939
L4 Anomalies                                     | 12,549,983  | 300     | 54,866    | 13,606,809
TCP Ports                                        | 7,194,921   | 0       | 165,534   | 41,052,592
UDP Ports                                        | 27,297      | 0       | 908       | 225,429
ICMP Types/Codes                                 | 0           | 0       | 0         | 0
Port Scan                                        | 0           | 0       | 0         | 0
Misc. Drops for Port Scan                        | 0           | 0       | 0         | 0
Packets Per Connection                           | 0           | 0       | 0         | 0
Misc. Connection Flood                           | 71,585      | 0       | 6,992     | 1,734,081
Zombie Flood                                     | 13,368,886  | 0       | 93,770    | 23,254,968
SYN Packets Per Source                           | 36,527,319  | 0       | 234,548   | 58,168,070
Excessive Concurrent Connections Per Source      | 109         | 0       | 0         | 110
Excessive Concurrent Connections Per Destination | 0           | 0       | 0         | 0
TCP Packets Per Destination                      | 0           | 0       | 0         | 0
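The "SYN Packets Per Source" row above is a per-source rate meter rather than an aggregate one: each source is held to a SYN/second budget and only its excess is dropped, so a handful of heavy sources can be cut back without touching the rest of the SYN flood budget. The added Python example below shows that metering over a constructed stream of three ordinary clients and one source sending 500 SYN/s for two seconds. It is illustrative code written for this page, not the appliance's source-tracking logic; the 50 SYN/s limit, the fixed one-second window and the addresses (documentation ranges) are assumptions.

```python
"""Per-source SYN metering behind a 'SYN Packets Per Source' style drop counter."""
from collections import defaultdict

class SourceSynMeter:
    """Counts SYN packets per source in fixed one-second windows and drops the excess
    above `limit` SYN/s. Drops are tallied per source so a top-attackers style report
    can be produced. The per-source limit is an assumed policy value."""

    def __init__(self, limit):
        self.limit = limit
        self.window = None
        self.counts = defaultdict(int)   # SYNs seen per source in the current second
        self.dropped = defaultdict(int)  # SYNs dropped per source, cumulative
        self.events = []                 # (second, source) each time a source crosses the limit

    def observe(self, ts, src, is_syn):
        """Meter one packet; returns 'pass' or 'drop'."""
        sec = int(ts)
        if sec != self.window:           # new second: reset the per-source counters
            self.window, self.counts = sec, defaultdict(int)
        if not is_syn:
            return "pass"                # only connection attempts are metered here
        self.counts[src] += 1
        if self.counts[src] > self.limit:
            self.dropped[src] += 1
            if self.counts[src] == self.limit + 1:
                self.events.append((sec, src))
            return "drop"
        return "pass"

    def top_attackers(self, n=3):
        """Sources ordered by packets dropped, like the Top Attackers report."""
        return sorted(self.dropped.items(), key=lambda kv: kv[1], reverse=True)[:n]

def constructed_stream():
    """Constructed traffic as (timestamp, source, is_syn): three legitimate clients at
    3 SYN/s for 4 seconds, plus one source at 500 SYN/s during seconds 1 and 2."""
    pkts = []
    for sec in range(4):
        for i in range(3):
            for k in range(3):
                pkts.append((sec + k / 10, f"192.0.2.{10 + i}", True))
        if sec in (1, 2):
            for k in range(500):
                pkts.append((sec + k / 1000, "198.51.100.77", True))
        pkts.append((sec + 0.5, "192.0.2.10", False))   # a data packet, not metered
    return pkts

def replay(packets, limit=50):
    """Run the meter over a packet list in time order.
    Returns (packets passed, drops per source, limit-crossing events)."""
    meter = SourceSynMeter(limit)
    passed = sum(meter.observe(ts, src, syn) == "pass" for ts, src, syn in sorted(packets))
    return passed, dict(meter.dropped), meter.events

if __name__ == "__main__":
    passed, dropped, events = replay(constructed_stream())
    print(f"passed {passed}, dropped per source {dropped}")
    for sec, src in events:
        print(f"second {sec}: {src} exceeded the per-source SYN limit")
```

The legitimate clients never appear in `dropped`: the meter keys on the source, so a flood from one address cannot consume another address's allowance, which is the property that distinguishes this counter from the aggregate "SYN Packets" row.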
Packets Dropped at Layer 7
This graph shows the dropped traffic due to certain Layer 7 reasons which are shown in the table below. The appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excesses in any one of the dimensions.
Summary Over 1 month (Packets Dropped / 3 Hours)
Type           | Maximum | Minimum | Average | Total Packets Dropped
Opcode Flood   | 303     | 0       | 1       | 304
HTTP Anomalies | 0       | 0       | 0       | 0
URL Flood      | 0       | 0       | 0       | 0
Count of Unique Sources
This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.
Customer Feedback
• We recently experienced a very large DDoS attack on our network. We've found FortiDDoS withstanding the attack quite well at this time. Seeing as this is the largest network attack we've ever experienced, utilizing this information should help significantly in protecting us against other attacks in the future.
• To give you an idea of the scale of the attack, the FortiDDoS device has had to drop nearly 6.8 billion packets within only 8 hours. The entire attack lasted approximately 27 hours of which the last ~12 hours were spent behind the FortiDDoS.
Deployment Scenarios
Bypass Options
[Diagram: corporate HQ LAN behind a FortiGate, with FortiDDoS deployed inline and a FortiBridge providing bypass.]
Service Profiles
[Diagram: separate service profiles for Wealth Management, Loans and Mortgages, and Online Banking.]
Deployment Scenarios (Contd.)
FortiDDoS-100A
2U Appliance – provides dual link protection
Specification
LAN 2 x 1G (copper and optical)
WAN 2 x 1G (copper and optical)
FortiASIC 2 x FortiASIC-TP1
RAM 4G
Storage 1TB HDD
Management 1 x RJ45 10/100/1000
Power Single AC
Protection 1Gbps full duplex
Up to 1 million simultaneous connections/sec
FortiDDoS-200A
4U Appliance – provides protection for up to 4 links
Specification
LAN 4 x 1G (copper and optical)
WAN 4 x 1G (copper and optical)
FortiASIC 4 x FortiASIC-TP1
RAM 8G
Storage 2 x 1TB HDD RAID
Management 1 x RJ45 10/100/1000
Power Dual Redundant AC
Protection 2Gbps full duplex
Up to 2 million simultaneous connections/sec
FortiDDoS-300A
4U Appliance – provides protection for up to 6 links
Specification
LAN 6 x 1G (copper and optical)
WAN 6 x 1G (copper and optical)
FortiASIC 6 x FortiASIC-TP1
RAM 8G
Storage 2 x 1TB HDD RAID
Management 1 x RJ45 10/100/1000
Power Dual Redundant AC
Protection 3Gbps full duplex
Up to 3 million simultaneous connections/sec