Introducing FortiDDoS - GTS seminar

Mar, 2013

Page 1: Introducing FortiDDoS

Page 2: Introducing FortiDDoS

Hardware Accelerated DDoS Defense, Intent Based Protection

Uses the newest member of the FortiASIC family, the FortiASIC-TP™

Rate Based Detection

Inline Full Transparent Mode
• No MAC address changes

Signature Free Defense
• Hardware based protection

Self Learning Baseline
• Adapts based on behavior

Granular Protection
• Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram: Web Hosting Center behind a Firewall and FortiDDoS™, fed by ISP 1 and ISP 2; legitimate and malicious traffic arrive on the ISP links]

Page 3: How it works – Virtual Partitions

• Enables up to eight segmented zones
• Consider a customer with multiple traffic types
  • Web Browsing
  • Firmware Updates
  • Online Ordering
• Separate Policies for Unique Traffic Patterns
  • Need to protect services from each other
  • Mitigation could include limiting the volume of firmware downloads

[Diagram: Corporate site – Firewall (FortiGate) – DDoS Protection (FortiDDoS) – Links from ISP(s)]

Page 4: How it works – Basics

• FortiDDoS is typically protecting the customer link(s)
  • On premise, or within ISP data center
• Transparent deployment
  • Bypass capability with FortiBridge
• Traffic flows are handled by the FortiASIC-TP
• Legitimate traffic model is automatically constructed
  • Calendar based baseline
  • Adaptive Threshold Estimation
  • Typically increases over time, no need to re-measure
• Multiple links supported

[Diagram: Hosting Center – Firewall (FortiGate) – DDoS Protection (FortiDDoS) – Links from ISP(s)]
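The calendar-based baseline and adaptive threshold described above, as an added worked example (illustrative code, not Fortinet's implementation). It assumes a weekly calendar keyed on (weekday, hour), a baseline equal to the highest rate seen in each slot during the learning week, a threshold of 150% of that baseline with a floor of 1000 pps, and that an under-threshold sample raises the baseline so it only grows over time. The traffic samples are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters (illustrative, not FortiDDoS defaults):
MARGIN = 1.5      # threshold = 150 % of the learned baseline for that calendar slot
FLOOR_PPS = 1000  # never alarm below this packet rate, whatever the baseline says


def slot(ts):
    """Calendar slot key: (weekday, hour). Legitimate traffic repeats weekly,
    so Monday 10:00 is compared with earlier Mondays at 10:00, not with 03:00."""
    return (ts.weekday(), ts.hour)


def learn_baseline(samples):
    """samples: iterable of (datetime, packets_per_second) from the learning period.
    The baseline for a slot is the highest rate seen in that slot."""
    base = defaultdict(int)
    for ts, pps in samples:
        key = slot(ts)
        base[key] = max(base[key], pps)
    return base


def threshold(base, ts):
    """Rate above which packets in this slot are treated as flood excess."""
    return max(FLOOR_PPS, int(base.get(slot(ts), 0) * MARGIN))


def evaluate(base, ts, pps):
    """One rate decision for a sample. Excess above the threshold is dropped and the
    allowed rate is held at the threshold. A sample that stays under the threshold
    is legitimate growth and raises the baseline in place (adaptive estimation:
    the baseline only ever increases, so nothing has to be re-measured)."""
    thr = threshold(base, ts)
    if pps > thr:
        return {"allowed": thr, "dropped": pps - thr, "anomaly": True}
    key = slot(ts)
    base[key] = max(base[key], pps)
    return {"allowed": pps, "dropped": 0, "anomaly": False}


def constructed_week(start, busy_pps=20000, quiet_pps=2000):
    """Constructed learning data: one week of hourly samples with a business-hours
    peak on weekdays and a low night/weekend rate."""
    out = []
    for h in range(7 * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 17
        out.append((ts, busy_pps if busy else quiet_pps))
    return out


def demo():
    start = datetime(2013, 3, 4)  # a Monday (constructed)
    base = learn_baseline(constructed_week(start))
    # Next Monday 10:00: 10 % growth is inside the margin, so it is passed and learned.
    growth = evaluate(base, start + timedelta(days=7, hours=10), 22000)
    # Tuesday 03:00: a flood far above the night baseline; only the threshold rate passes.
    flood = evaluate(base, start + timedelta(days=8, hours=3), 500000)
    return growth, flood, base[(0, 10)]


if __name__ == "__main__":
    print(demo())
```

The point of keying on the calendar slot is that the same absolute rate is normal at 10:00 on a weekday and an anomaly at 03:00; the point of holding the allowed rate at the threshold rather than blocking the slot is that legitimate traffic keeps flowing while only the excess is discarded.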

Page 5: How it works – Detection and Mitigation

• Detection is performed in hardware
  • Packets processed by FortiASIC-TP
  • Classification and metering across multiple layers
  • Single pass decision making
  • Correlated with the created traffic model
  • Protocol Anomalies, Threshold Violations, Application level attacks
• Mitigation occurs here
  • No traffic redirection (e.g. BGP) or control plane disruption
  • No hidden costs, easy to deploy, immediate relief

[Diagram: attack traffic and legitimate traffic pass through the mitigation stages: Virtual Partitioning, Geo-Location ACL, Protocol Anomaly Prevention, Packet Flood Mitigation, Stateful Inspection, Out of State Filtering, Granular Layer 3 and 4 Filtering, Application Layer Filtering, Algorithmic Filtering, Heuristic Filtering, Bogon Filtering]
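The single-pass protocol and header anomaly checks described above, as an added example (illustrative code, not Fortinet's implementation). It builds constructed IPv4/TCP packets and classifies each one into the kind of drop reasons the appliance reports later in this deck: source IP equal to destination IP, TCP checksum error, an illegal SYN+FIN flag combination, and a bogon source address. The bogon list and the reason strings are assumptions for the demo.

```python
import ipaddress
import struct

# Constructed bogon list (unroutable/reserved source ranges); a real deployment
# would use a maintained list rather than this short one.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ones_complement_sum(data):
    """RFC 1071 checksum over data; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def build_packet(src, dst, sport, dport, flags, corrupt_tcp_checksum=False):
    """Constructed IPv4/TCP packet (headers only, no payload) for the demo."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(s, d, tcp)
    if corrupt_tcp_checksum:
        csum ^= 0x5A5A  # any mask other than 0xFFFF guarantees a mismatch
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def classify(pkt):
    """Single-pass header checks. Returns the list of drop reasons; [] means forward."""
    reasons = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["L3 anomaly: not IPv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["L3 anomaly: bad IP header length"]
    if ones_complement_sum(pkt[:ihl]) != 0:
        reasons.append("L3 anomaly: IP checksum error")
    src, dst = pkt[12:16], pkt[16:20]
    if src == dst:
        reasons.append("Source IP==dest IP")
    if any(ipaddress.ip_address(src) in net for net in BOGON_NETS):
        reasons.append("Bogon source")
    if pkt[9] == 6:  # TCP
        tcp = pkt[ihl:]
        if len(tcp) < 20:
            return reasons + ["L4 anomaly: truncated TCP header"]
        if tcp_checksum(src, dst, tcp) != 0:
            reasons.append("TCP checksum error")
        flags = tcp[13] & 0x3F
        if flags & SYN and flags & FIN:
            reasons.append("L4 anomaly: SYN+FIN")
        if flags == 0:
            reasons.append("L4 anomaly: null flags")
    return reasons


def demo():
    """Constructed packets covering a clean SYN and the four anomaly classes."""
    samples = (
        ("good", build_packet("203.0.113.5", "198.51.100.10", 40000, 80, SYN)),
        ("land", build_packet("198.51.100.10", "198.51.100.10", 80, 80, SYN)),
        ("badsum", build_packet("203.0.113.5", "198.51.100.10", 40001, 80, ACK,
                                corrupt_tcp_checksum=True)),
        ("synfin", build_packet("10.1.2.3", "198.51.100.10", 40002, 80, SYN | FIN)),
    )
    return {name: classify(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons or "forward")
```

Every check here is decidable from the headers of the packet in hand, which is what makes a single-pass, stateless decision possible; the rate and state anomalies in the rest of the deck need counters or connection state on top of this.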

Page 6: Overall System Architecture

• Multiple Independent FortiASIC-TP complexes
• No CPU paths
• No concept of fast or slow path
• No IP/MAC address in the data path

[Diagram: Data Path, Control Bus, Management Interface]

Page 7: FortiASIC-Traffic Processor (TP)

[Diagram: inbound and outbound packets enter the FortiASIC-TP, which contains a Virtualization block and a Decision Multiplexer; allowed packets are forwarded, dropped packets are discarded; SNMP Traps/MIBs, Syslog and Event Notifications go to the management side]

FortiASIC-TP functions:
• Network, Transport, Application Layer Rate Anomaly Prevention
• Dark Address, Geo-location, IP Reputation
• Network, Transport, Application Layer Access Control Lists
• Anti-spoofing
• Network, Transport, Application Layer Header Anomaly Prevention
• State Anomaly Prevention
• Application Layer Heuristics
• Source Tracking

Control and Statistics:
• Event/Traffic Statistics, Graphs
• Threshold Wizard, Continuous Adaptive Threshold Estimation
• Policy Configuration, Archive, Restore

No CPU in the path of the packets
No fast or slow path
No IP/MAC address in the path of the packets

Page 8: How it works – Baseline Building

Page 9: Overall View Over a Month

These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks.

The purpose of the appliance is to maintain the normal traffic and only pass what's legitimate. That's what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What's being allowed is the blue area.

Page 10: View of another link

This graph shows the second link on the same device. This link has larger and continuous attacks over the month's period. As you can see, the appliance maintains the normal behavior and drops excessive packets.

The maroon line shows what's incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that's getting dropped.

Page 11: Aggregate Drop Traffic

This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that's getting filtered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in the graphs on subsequent pages.

Summary Over 1 month (Maximum, Minimum and Average are packets dropped per 3-hour interval; Total is packets dropped over the month)

Type      Maximum       Minimum   Average      Total Packets Dropped
Layer 2   0             0         0            0
Layer 3   71,796,072    0         21,262,421   5,273,080,458
Layer 4   375,005,802   300       5,899,631    1,463,108,503
Layer 7   303           0         1            304

Page 12: Top Attacks and Top Attacker Reports

FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month, 1 year. These IPs are obfuscated.

Top Attacks: Inbound

Index   Attack                   Packets dropped   Events
0       Source flood             30,913,661,628    30,630
1       SYN flood                1,250,473,117     8,516
2       SYN flood from source    1,030,033,363     13,577
3       Protocol flood           147,159,676       23,042
4       TCP port flood           41,015,858        1,399
5       TCP checksum error       27,768,790        8,927
6       TCP zombie flood         23,254,968        779
7       Source IP==dest IP       19,793,175        843
8       L4 anomalies             19,252,249        4,461
9       Destination flood        2,785,518         8

Top Attackers: Inbound

Index   Attacker          Packets dropped   Events
0       62.141.36.249     10,264,827,716    2,537
1       178.32.48.19      2,722,698,591     1,759
2       217.23.10.193     1,696,605,289     1,813
3       208.53.158.149    1,597,620,580     1,959
4       178.32.48.20      1,569,216,884     1,681
5       213.165.69.62     1,469,239,395     432
6       67.213.219.97     1,092,829,398     1,230
7       66.219.17.96      1,054,221,515     552
8       174.37.45.152     757,198,482       32
9       91.191.167.12     676,203,668       231

Page 13: Packets Dropped at Layer 3

This graph shows the dropped traffic due to certain Layer 3 reasons which are shown in the table below.

Summary Over 1 month (Maximum, Minimum and Average are packets dropped per 3-hour interval; Total is packets dropped over the month)

Type                     Maximum      Minimum   Average      Total Packets Dropped
Protocols                8,225,652    0         637,875      158,193,111
TOS                      0            0         0            0
IPv4 Options             0            0         0            0
Fragmented Packets       1,157        0         7            1,873
L3 Anomalies             11,870,534   0         79,834       19,798,847
Source Flood             57,013,194   0         20,532,304   5,092,011,434
Misc. Source Flood       289,674      0         1,168        289,675
Destination Flood        2,441,260    0         11,231       2,785,518
Misc. Destination Flood  0            0         0            0
Dark Address Scan        0            0         0            0
Network Scan             0            0         0            0

Page 14: Packets Dropped at Layer 4

This graph shows the dropped traffic due to certain Layer 4 reasons which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period. And over 58 million packets were dropped due to a few specific IPs sending too many SYN packets/second.

Summary Over 1 month (Maximum, Minimum and Average are packets dropped per 3-hour interval; Total is packets dropped over the month)

Type                                              Maximum       Minimum   Average     Total Packets Dropped
TCP Options                                       0             0         0           0
SYN Packets                                       278,119,806   0         5,034,862   1,248,645,939
L4 Anomalies                                      12,549,983    300       54,866      13,606,809
TCP Ports                                         7,194,921     0         165,534     41,052,592
UDP Ports                                         27,297        0         908         225,429
ICMP Types/Codes                                  0             0         0           0
Port Scan                                         0             0         0           0
Misc. Drops for Port Scan                         0             0         0           0
Packets Per Connection                            0             0         0           0
Misc. Connection Flood                            71,585        0         6,992       1,734,081
Zombie Flood                                      13,368,886    0         93,770      23,254,968
SYN Packets Per Source                            36,527,319    0         234,548     58,168,070
Excessive Concurrent Connections Per Source       109           0         0           110
Excessive Concurrent Connections Per Destination  0             0         0           0
TCP Packets Per Destination                       0             0         0           0

Page 15: Packets Dropped at Layer 7

This graph shows the dropped traffic due to certain Layer 7 reasons which are shown in the table below. The appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excesses in any one of the dimensions.

Summary Over 1 month (Maximum, Minimum and Average are packets dropped per 3-hour interval; Total is packets dropped over the month)

Type             Maximum   Minimum   Average   Total Packets Dropped
Opcode Flood     303       0         1         304
HTTP Anomalies   0         0         0         0
URL Flood        0         0         0         0

Page 16: Count of Unique Sources

This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.
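The two per-second SYN limits behind the Layer 4 figures on Page 14 (the aggregate "SYN Packets" drops and the "SYN Packets Per Source" drops caused by a few loud IPs), together with the unique-source count from this page, as one added example (illustrative code, not Fortinet's implementation). The thresholds, the 1-second metering bucket and the (second, source) event stream are constructed assumptions; on the appliance the thresholds come from the learned baseline. The stream deliberately ends with a spoofed flood of many single-SYN sources, the case where only the aggregate limit bites.

```python
from collections import Counter, defaultdict

# Assumed thresholds (illustrative; on the appliance these come from the learned baseline):
PER_SOURCE_SYN_PER_SEC = 100
AGGREGATE_SYN_PER_SEC = 1500


class SynMeter:
    """Per-second SYN metering decided in one pass per packet: a per-source counter
    (catches a few loud sources) and an aggregate counter (catches a flood spread
    over many, possibly spoofed, sources that each stay under the per-source limit)."""

    def __init__(self, per_source=PER_SOURCE_SYN_PER_SEC, aggregate=AGGREGATE_SYN_PER_SEC):
        self.per_source = per_source
        self.aggregate = aggregate
        self.second = None
        self.by_source = Counter()
        self.total = 0

    def syn(self, second, src):
        """Meter one SYN. Returns the drop reason, or None to forward it."""
        if second != self.second:  # new 1-second bucket: counters restart
            self.second, self.by_source, self.total = second, Counter(), 0
        self.by_source[src] += 1
        self.total += 1
        if self.by_source[src] > self.per_source:
            return "SYN Packets Per Source"
        if self.total > self.aggregate:
            return "SYN Packets"
        return None


def constructed_stream():
    """Constructed (second, source) SYN events: three legitimate clients at 5 SYN/s
    throughout; one loud attacker at 500 SYN/s in seconds 0-2; then a spoofed flood
    of 2000 distinct sources sending one SYN each in seconds 3-4."""
    legit = ("203.0.113.10", "203.0.113.11", "203.0.113.12")
    for second in range(5):
        for src in legit:
            for _ in range(5):
                yield second, src
        if second < 3:
            for _ in range(500):
                yield second, "198.51.100.77"
        else:
            for i in range(2000):
                yield second, "10.0.%d.%d" % (i // 256, i % 256)


def run(stream=None):
    """Returns (drops by reason, unique sources seen per second)."""
    meter = SynMeter()
    drops = Counter()
    sources = defaultdict(set)
    for second, src in (stream if stream is not None else constructed_stream()):
        sources[second].add(src)
        reason = meter.syn(second, src)
        if reason:
            drops[reason] += 1
    return dict(drops), {s: len(v) for s, v in sources.items()}


if __name__ == "__main__":
    drops, unique = run()
    print(drops)
    print({s: n for s, n in unique.items()})
```

In seconds 0-2 the loud attacker loses 400 of its 500 SYNs per second to the per-source limit while the legitimate clients are untouched. In seconds 3-4 no source exceeds 100 SYN/s, the unique-source count jumps from 4 to 2003, and only the aggregate limit drops the excess; that is why a spike in unique sources is worth graphing on its own, and why the deck notes those sources may be spoofed.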

Page 17: Customer Feedback

• We recently experienced a very large DDoS attack on our network. We've found FortiDDoS withstanding the attack quite well at this time. Seeing as this is the largest network attack we've ever experienced, utilizing this information should help significantly in protecting us against other attacks in the future.

• To give you an idea of the scale of the attack, the FortiDDoS device has had to drop nearly 6.8 billion packets within only 8 hours. The entire attack lasted approximately 27 hours of which the last ~12 hours were spent behind the FortiDDoS.

Page 18: Deployment Scenarios

Page 19: Bypass Options

[Diagram: Corporate HQ LAN – FortiGate – FortiBridge – FortiDDoS]

Page 20: Service Profiles

[Diagram: service profiles for Wealth Management, Loans and Mortgages, and Online Banking]

Page 21: Deployment Scenarios (Contd.)

Page 22: Deployment Scenarios (Contd.)

Page 23: FortiDDoS-100A

2U Appliance – provides dual link protection

Specification
LAN          2 x 1G (copper and optical)
WAN          2 x 1G (copper and optical)
FortiASIC    2 x FortiASIC-TP1
RAM          4G
Storage      1TB HDD
Management   1 x RJ45 10/100/1000
Power        Single AC
Protection   1Gbps full duplex; up to 1 million simultaneous connections/sec

Page 24: FortiDDoS-200A

4U Appliance – provides protection for up to 4 links

Specification
LAN          4 x 1G (copper and optical)
WAN          4 x 1G (copper and optical)
FortiASIC    4 x FortiASIC-TP1
RAM          8G
Storage      2 x 1TB HDD RAID
Management   1 x RJ45 10/100/1000
Power        Dual Redundant AC
Protection   2Gbps full duplex; up to 2 million simultaneous connections/sec

Page 25: FortiDDoS-300A

4U Appliance – provides protection for up to 6 links

Specification
LAN          6 x 1G (copper and optical)
WAN          6 x 1G (copper and optical)
FortiASIC    6 x FortiASIC-TP1
RAM          8G
Storage      2 x 1TB HDD RAID
Management   1 x RJ45 10/100/1000
Power        Dual Redundant AC
Protection   3Gbps full duplex; up to 3 million simultaneous connections/sec

Page 26: Thank You

New in 4.0 MR3

Email: [email protected]