DDoS mitigation for systems processing confidential information

Upload: qrator-labs

Post on 13-Feb-2017


Page 1: DDoS mitigation for systems processing

DDoS mitigation for systems processing confidential information

Page 2: DDoS mitigation for systems processing

Money

Personal data

Commercial data

NOT ONLY!

Confidential information

qrator.net 2015

Page 3: DDoS mitigation for systems processing

Universal SSL

[Figure: SSL traffic growth, in exabytes p.a., 2012 to 2018 (y-axis from 0 to 45 000). Series: Sandvine GIRP projection; Coyote Point Projection. Data courtesy of Sandvine Global Internet Phenomena Report - 2H 2012.]


Page 4: DDoS mitigation for systems processing

SSL enabled by default

use SSL as the default protocol


Page 5: DDoS mitigation for systems processing

What about DDoS?

DDoS type by target             Botnet size
Network infrastructure          10K+
Protocol stack                  1K+
Application                     100+
Exceeding bandwidth capacity    100K+


Page 6: DDoS mitigation for systems processing

Sensible, semantically complete application-layer constructs

Application-layer attacks


Page 7: DDoS mitigation for systems processing

Challenge

? ? ?

SSL encryption


Page 8: DDoS mitigation for systems processing

Industry solutions

Encryption key disclosure

Cloudflare Keyless SSL (2014)

Qrator QLOG (2012)


Page 9: DDoS mitigation for systems processing

Keyless SSL

[Diagram: Keyless SSL handshake. Parties: Visitor, CloudFlare, Key server, Origin server. Labels: Client random, Server random, Public key certificate, Server DH parameter, Client DH parameter, Premaster secret, Session key, Signature from key server, Private key, Cached content, Uncached content. Step markers: 1, 2b, 3, 4, 5.]


Page 10: DDoS mitigation for systems processing

Solution by Qrator

[Diagram labels: User; HTTP; Operator network perimeter; Qrator filtering node; Client network; Client HTTP server; API; Access log.]


Page 11: DDoS mitigation for systems processing

Qrator API

100.000+ IPs in black/white lists

Real-time access and management

Policies

Real-time statistics

Expanding functionality - all features are available through API


Page 12: DDoS mitigation for systems processing

QLOG


Verbose control and moderation of disclosed data. Log formats are discussable

Easy to configure -- a single IPIP tunnel

Fault tolerance

Page 13: DDoS mitigation for systems processing

One-to-many

Fault tolerance

[Diagram labels: Qrator network; Filtering node (x2); AS Qrator 178.248.232.0/21 (x2); users and zombies; client’s IP; client app.]


Page 14: DDoS mitigation for systems processing

Variety of combinations

All of this can be applied in any combination with any priority

Qrator API (White | Black lists)

Qrator API (Default DROP | ACCEPT policy)

Qrator classifier (Advisory | Director)


Page 15: DDoS mitigation for systems processing

One last thing

For payment systems using a third-party merchandiser: we offer to embed our proprietary authentication algorithm into the client application source code, providing additional verification of users’ IP addresses in case of a DDoS attack

Have a word with me later or reach me by email!

It’s too sophisticated and mind-blowing for a single picture - better to save it for a separate presentation

It guarantees that all transactions in the payment system will proceed even during the attack


Page 16: DDoS mitigation for systems processing

Thanks for your attention!

QRATORLABS [email protected]