DDoS mitigation for systems processing confidential information
TRANSCRIPT
DDoS mitigation for systems processing confidential information
Confidential information: money, personal data, commercial data, and not only!
qrator.net 2015
Universal SSL: SSL traffic growth
[Chart: SSL traffic in exabytes p.a., 2012 to 2018, y-axis 0 to 45 000; series: Sandvine GIRP projection, Coyote Point projection]
Data courtesy of Sandvine Global Internet Phenomena Report - 2H 2012
SSL enabled by default: use SSL as the default protocol
What about DDoS?

DDoS type by target             Botnet size
Network infrastructure          10K+
Protocol stack                  1K+
Application                     100+
Exceeding bandwidth capacity    100K+
Application-layer attacks: sensible, semantically complete application-layer constructs
Challenge: SSL encryption
Industry solutions (encryption key disclosure):
- Cloudflare Keyless SSL (2014)
- Qrator QLOG (2012)
Keyless SSL (CloudFlare)
Parties: Visitor; CloudFlare edge (holds the public key certificate, serves cached content); Key server (holds the private key); Origin server (serves uncached content)
Handshake values: client random, server random, public key certificate, server DH parameter, client DH parameter, premaster secret, session key, signature from key server
[Diagram: message flow between visitor, CloudFlare, key server and origin server, steps numbered 1, 2a, 2b, 3, 4, 5]
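As an added illustration of the key-server split in the Keyless SSL slide (example code written for this transcript, not CloudFlare's or Qrator's implementation; the toy RSA/DH sizes, the simplified handshake framing and all names are constructed assumptions): the edge node holds only the certificate and its DH state, the key server signs the handshake digest, and the visitor verifies that signature against the certificate before deriving the session key.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; real TLS uses 2048-bit+ groups and keys.
DH_P, DH_G = 2**127 - 1, 2                           # Mersenne prime, toy DH group
RSA_P, RSA_Q, RSA_E = 1000000007, 998244353, 65537   # toy RSA key from the certificate
RSA_N, RSA_D = RSA_P * RSA_Q, pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # d stays on the key server

def handshake_digest(client_random, server_random, server_dh_pub):
    """Hash over the handshake values the key server is asked to sign (simplified framing)."""
    data = client_random + server_random + server_dh_pub.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N

class KeyServer:
    """Holds the private key; answers signing requests (steps 2a/2b) and never exports the key."""
    def __init__(self, d, n):
        self._d, self._n = d, n
    def sign(self, digest):
        return pow(digest, self._d, self._n)         # textbook RSA, no padding (toy only)

def edge_server_hello(client_random, key_server):
    """Edge node: has the certificate and the DH state, but obtains the signature remotely."""
    server_random = secrets.token_bytes(32)
    dh_priv = secrets.randbelow(DH_P - 2) + 1
    dh_pub = pow(DH_G, dh_priv, DH_P)
    signature = key_server.sign(handshake_digest(client_random, server_random, dh_pub))
    return {"server_random": server_random, "dh_pub": dh_pub, "signature": signature}, dh_priv

def client_verify(client_random, hello, cert_e, cert_n):
    """Visitor checks the signature with the certificate's public key before trusting the DH share."""
    expected = handshake_digest(client_random, hello["server_random"], hello["dh_pub"])
    return pow(hello["signature"], cert_e, cert_n) == expected

def session_key(premaster, client_random, server_random):
    """Both sides derive the session key from the DH premaster secret and the two randoms."""
    return hashlib.sha256(premaster.to_bytes(16, "big") + client_random + server_random).hexdigest()

def run_keyless_handshake(tamper=False):
    """Returns (visitor key, edge key, signature_ok); tamper=True swaps the edge's DH share in flight."""
    key_server = KeyServer(RSA_D, RSA_N)
    client_random = secrets.token_bytes(32)
    hello, edge_dh_priv = edge_server_hello(client_random, key_server)
    if tamper:
        hello["dh_pub"] = pow(DH_G, 12345, DH_P)     # unsigned share: verification must fail
    ok = client_verify(client_random, hello, RSA_E, RSA_N)
    client_priv = secrets.randbelow(DH_P - 2) + 1
    client_pub = pow(DH_G, client_priv, DH_P)        # sent to the edge (step 4 in the slide)
    visitor_key = session_key(pow(hello["dh_pub"], client_priv, DH_P), client_random, hello["server_random"])
    edge_key = session_key(pow(client_pub, edge_dh_priv, DH_P), client_random, hello["server_random"])
    return visitor_key, edge_key, ok
```

The edge never sees RSA_D; if a filtering node is compromised, the attacker can ask the key server to sign handshakes while it has access but cannot take the key with it, which is the disclosure trade-off the slide is about.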
Solution by Qrator
[Diagram: the user sends HTTP traffic to the operator network perimeter, where the Qrator filtering node sits in front of the client HTTP server in the client network; API and access log links run between the filtering node and the client network]
Qrator API
- 100,000+ IPs in black/white lists
- Real-time access and management
- Policies
- Real-time statistics
- Expanding functionality: all features are available through the API
QLOG
- Verbose control and moderation of disclosed data; log formats are discussable
- Easy to configure: a single IPIP tunnel
- Fault tolerance
- One-to-many
[Diagram: users and zombies (bots) reach filtering nodes in the Qrator network (AS Qrator, 178.248.232.0/21); the filtering nodes forward traffic to the client app at the client's IP over the tunnel]
Variety of combinations
All of this can be applied in any combination with any priority:
- Qrator API (white | black lists)
- Qrator API (default DROP | ACCEPT policy)
- Qrator classificator (advisory | director)
One last thing
For payment systems using a third-party merchandiser: we offer to embed our proprietary authentication algorithm into the client application source code, providing additional verification of users' IP addresses in case of a DDoS attack. It guarantees that all transactions in the payment system will proceed even during the attack.
It's too sophisticated and mind-blowing for a single picture; better to save it for a separate presentation. Have a word with me later or reach me by email!
Thanks for your attention!
QRATOR LABS [email protected]