Defending Against DDoS

Attacks using Arbor APS

Unit 1: Arbor APS Overview

Objectives

At the conclusion of this unit you will learn to:

• Introduce Arbor Networks and identify the products and
services that Arbor provides
• Discuss DDoS attack characteristics and explain DDoS defense
using Arbor Networks APS
• Identify Arbor Networks APS functionality and deployment
options

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 2

USING ARBOR NETWORKS AVAILABILITY PROTECTION SYSTEM
Characteristics of DDoS Attacks

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 3

Arbor Networks Availability Protection System

APS is Arbor’s
on-premise security
device focused on
stopping availability
threats

Arbor brings its carrier-class and

market-leading DDoS protection technology to the
enterprise market via Arbor APS

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 4

How a DDoS Attack Works

During a Distributed Denial of Service (DDoS) attack, compromised (or

voluntary) hosts or bots coming from distributed sources overwhelm the target
with attack traffic such that the servers cannot respond to legitimate clients

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 5

Bots and Botnets

• A botnet is nothing more then a tool

that can be used for:
– Criminal motivations
– Destructive purposes
• Botnets can have 100,000s of bots
– Owner controls botnet using
Command and Control (C&C)
software
• Why use a botnet?
– Cheap – cost take a website off-line is
as little as $$ per day
– Practically untraceable
– No one tries to
clean up the bots taking a Web site offline is surprisingly
affordable: about $5 to $10 per hour;
$40 to $50 per day; $350-$400 a week;

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 6

 DDoS is an Exploding & Evolving Trend

More Attack Motivations Greater Availability of Botnets

Geopolitical “Burma taken offline by DDOS attack” More infected PCs with faster
Better Bots
connections
Protests “Visa, PayPal, and MasterCard attacked” Easy Access Using web 2.0 tools to control botnets
“Techwatch weathers DDoS extortion
Extortion Commoditized Cloud-based botnets, cheaper
attack”

more attacks
Increased Volume Increased Complexity Increased Frequency
Largest volumetric DDoS has grown Over 25% of attacks are now >50% of data center operators
from 40 to 300 Gbps in 3 years application-based DDoS mostly experience >10 attacks per month
targeting HTTP, DNS, SMTP

Average Number of
Largest 7 DDos Attacks DDos Attacks per
Against IDC Month

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 7

DDoS Attack Categories

Volumetric, Brute Force Layer 4-7,

attacks Smart attacks
• Traffic Floods • TCP resource
– Exhaust resources by exhaustion
creating high bps or pps – Exhaust resources in
volumes servers, load balancers,
– Overwhelm the firewalls or routers
infrastructure – links,
routers, switches, servers • Application Layer
– Take out specific services
or applications

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 8

Volumetric, Brute Force DDoS Attacks

Designed to saturate and overwhelm network

resources, circuits, etc. by brute force

ISP 1

ISP 2 ISP
Firewall IPS
SATURATION Load
Balancer

Target
Applications &
ISP n
Services
DATA CENTER
Attack Traffic
Good Traffic

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 9

State-Exhaustion, Resource Exhaustion Attacks

Designed to target stateful security devices

Leads to exhaustion of state which render them useless

ISP 1
DATA CENTER

Exhaustion of
State

ISP 2 ISP
Firewall IPS
Load
Balancer

Target
Applications &
ISP n
Services

Attack Traffic
Good Traffic

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 10

Application Layer Attacks

Target specific applications

HTTP, SSL, DNS, SMTP, SIP, etc.

ISP 1
DATA CENTER

Exhaustion of
ISP 2 ISP Service
Firewall IPS
Load
Balancer

Target
Applications &
ISP n
Services

Attack Traffic
Good Traffic

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 11

The Evolving Threat Against Data Centers

Attackers use a combination of techniques

Layer 4-7, Smart
DDoS Impact
ISP 1
DATA CENTER

Exhaustion of
ISP 2 ISP Service
IPS
Firewall
SATURATION Load
Balancer

EXHAUSTION Target
Applications &
ISP n
Services

Volumetric, Brute Force

DDoS Impact
©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 12
DDOS DEFENSE
Deployment and Features

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 13

How Arbor Networks APS Helps

• Comprehensive Protection from • Immediate Protection: “Always

all types of DDoS attacks ON”, mitigates earlier and more
• Extensive Reporting: accurately than Cloud-based
Provides detailed attack analysis services
and reports for the different • Faster: Via Cloud Signalling,
services protected interacts with Cloud-based DDoS
mitigation service to avoid or
reduce downtime

ISP

Arbor APS
ISP

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 14

Stopping Layer 4-7 Smart Attacks

On-premise
ISP 1
DDoS Protection

DATA CENTER

ISP 2 ISP
IPS
Firewall Load
Balancer

Target
Arbor APS Applications &
ISP n
Services

• CPE-based: L4-7 DDoS mitigation must be done at the

Data Center
• Always ON: immediate mitigation
• Fine-tuned to the services behind it to minimize false
positives and false negatives
©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 15
Stopping Volumetric, Brute-force DDoS Attacks

Cloud-based
Mitigation
Cloud-based
DDoS Protection
ISP 1

Cloud DATA
Signaling CENTER

ISP 2 ISP
IPS
Firewall
Load
Balancer

Target
ISP n Applications &
Services

On-premise
DDoS Protection

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 16

Solution: Layered DDoS Defense Evolution

Good: On-premise
Better: On-premise + Cloud-based
Best: On-premise + Cloud-based + Cloud Signaling

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 17

APS 2800 Appliance

APS 2800 Protection Interfaces

LR 8x10G LR

8x10G LR + 4x1G Fiber SX

• APS 2800 Mitigation Capacity: 8X10G LR + 4x1G Copper

– APS 2800-10 up to 10 Gbps 8x10G LR + 4x1G Fiber LX

– APS 2800-20 up to 20 Gbps
SR 8x10G SR
– APS 2800-30 up to 30 Gbps
8x10G SR + 4x1G Fiber SX
– APS 2800-40 up to 40 Gbps
• In APS version 6.0 license 8x10G SR + 4x1G Copper

enforcement is throughput limit 8x10G SR + 4x1G Fiber LX

on clean traffic only
Mix 4x10G SR, 4x10G LR
– Not total traffic
• Production or Spare Usage 4x10G SR, 4x10G LR + 4x1G Fiber SX

• AC or DC Power Supply 4x10G SR, 4x10G LR + 4x1G Copper

4x10G SR, 4x10G LR + 4x1G Fiber LX

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 18

APS 2600 Appliance

APS 2600 Protection Interfaces

4 x 10G fiber (SR or LR)

4 x 10G fiber (SR or LR) +

• APS 2600 Mitigation Capacity: 4 x 1G copper or fiber (SX or LX)

– APS 2600-500 up to 10 Gbps

– APS 2600-1 2 Gbps 4 x 10G fiber (SR or LR) +
8 x 1G copper or fiber (SX or LX)
– APS 2600-2 4 Gbps
– APS 2600-5 8 Gbps 4 x 1G copper or fiber (SX or LX)

– APS 2600-10 10 Gbps

8 x 1G copper or fiber (SX or LX)
– APS 2600-15 15 Gbps
– APS 2600-20 20 Gbps 12 x 1G copper or fiber (SX or LX)
• Production or Spare Usage
• AC or DC Power Supply Note: In APS version 6.0 license
enforcement is throughput limit on
clean traffic only – not total traffic

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 19

APS Installed as a Virtual Machine (VM)

• Hypervisors supported:
– VMware vSphere Hypervisor 5.5 or later
– Kernel-based Virtual Machine (KVM)
• Virtual APS (vAPS) provides the following interfaces (see note below):
– 2 management interfaces: mgt0 and mgt1
– 2 protection interfaces: ext0 and int0
• Minimum/maximum system resources for the host server are:
– 2 – 4 CPUs, 100 GB hard disk space, 6 – 12 GB RAM
– Note: with the minimum configuration vAPS supports up to 10 Protection Groups
– To increase the pps throughput rate and the number of supported protection groups recommend 4
CPUs and 12 GB RAM to support up to 50 Protection Groups
• vAPS does not support the following features and functions:
– NTP – however, the virtual machine synchronizes its clock with the hypervisor, which should have NTP
enabled
– Shell access
• Can use Cloud-Init to initialize vAPS (OpenStack)
• Minimum throughput limit requests for vAPS from the cloud-based license server now is 20
Mbps (used to be 50 Mbps)
• Note: For vAPS installation instructions, see the Arbor Networks® Virtual APS Installation
Guide
©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 20
Arbor vAPS Support for Amazon Web Services (AWS)

You can install and configure vAPS on Amazon Web Services (AWS)
• Requires Arbor vAPS version 5.12 or later
• You must have an AWS account
• Create an instance in Amazon’s Elastic Computer Cloud (EC2) in one of your
organization’s Virtual Private Clouds (VPC)
– Note: vAPS is not supported in Amazon’s EC2 Classic
• Arbor recommends that your VPC have at least three subnets:
– An edge subnet
– A protected subnet
– A management subnet
• Arbor assumes that you are familiar with AWS and the configuration of
VPCs and instances
• To install vAPS on AWS you can use the EC2 Management Console or you
can modify an example script from Arbor

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 21

ARBOR APS
Key Features

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 22

 Arbor APS – Key features

Block Complex DDoS Attacks

Block complex state-exhausting &
application-layer DDoS

“Out-of-the-box” Security Feed for

Protection New Threats
Immediate Block dynamic
protection from botnet-based
threats with DDoS attacks
more control

Easy Install and Cloud Signaling

Deployment Stop flood DDoS attacks by
Easily installed in front of signaling upstream MSSPs
firewalls

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 23

“Out-of-the-Box” Protection

• Immediate protection from

most DDoS attacks and
botnets out-of-the-box
• Extensive reporting allows
quick, informed, reaction
• Full control to address
availability threats

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 24

Block Complex DDoS Attacks

General Attacks

Block all DDoS attacks including Single Source Attack

Distributed DoS Attacks
application-layer and Spoofed / Non-Spoofed DoS Attacks

TCP Attacks
state-exhausting using
TCP SYN Floods
packet-based threat detection & Window Size Attacks (Sockstress, etc)
Slow TCP Connections (TCP Idling, etc)
blocking methods HTTP Attacks
Slow HTTP Connections (Slowloris, Pyloris)
HTTPS / SSL Based Attacks
HTTP GET / POST URL Floods

DNS Attacks
DNS Floods
DNS Authentication

Other Attacks
UDP / ICMP Floods
IP / TCP / UDP Fragment Floods
SSL Renegotiation
©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 25
ATLAS® Intelligence Feed (AIF)

Leverages the global intelligence in

Arbor’s ATLAS to stop emerging
DDoS and Botnet attacks
• Unique to Arbor Networks
• Continuously updated feed of botnet DDoS
threats to availability
• Layer 7 fingerprints focused on inbound
botnet attack traffic
• ASERT threat level/confidence assessment
• ASERT tracking hundreds of individual
botnets in the wild

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 26

ATLAS Intelligence Feed

• ATLAS-generated security intelligence packaged &

automatically delivered across Arbor products
Threat-Specific Intelligence Identifying Technology
DDoS Signatures/fingerprints of attack tools
IP reputation of today’s botnets launching attacks
Command & Control Botnets

Malware

Location-based Threats
Domain & IP reputation of today’s active threats
Email Threats

Targeted Attacks

Mobile Threats

Non-Threat-Specific Intelligence Identifying Technology

IP-Geo Location
IP reputation/analysis
Web Crawler Identification

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 27

DDoS Campaigns & Advanced Threats

ASERT AIF Reputation Feed

DATA
ISP 1 CENTER

ISP
ISP 2
IPS
Arbor APS Load
Balancer

Attack Traffic Target

Good Traffic Applications &
ISP n Services

• IP reputation feed for active DDoS campaigns

• IP reputation includes IP address, protocol ranges and port ranges
• DNS reputation includes hostnames in DNS requests

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 28

ATLAS Global DDoS Report

Keep Abreast of Latest Attack Trends

• Must opt-in to Arbor’s data sharing
program to view report
• Provides additional intelligence to show
scope of internal threats to your network
in the context of other networks and the
internet
– Summary of activity from last month
– From the Arbor Security Engineering
and Response Team (ASERT)
– Sourced from AIF data and the
anonymous statistics receives from
the data-sharing program
– Automatic updates with the AIF feed
of manually update

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 29

 Easy Install & Deployment Options

Monitor Mode – Detection Only Inline Mode

Data Center
Data Center
ISP
Link Tap / ISP
Port Span

Arbor APS

Arbor APS
ISP ISP

• Extensive traffic visibility • Hardware bypass

• “What if” scenarios • Auto or manual
• “Real-time” and historical mitigation
forensics • Multiple protection levels
• Used in Trials • Inline “Inactive” mode
• Cloud Signaling

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 30

Outbound Threat Filter (OTF)

Data Center
ISP
OTF

Arbor APS
ISP

• Protection from the threats that can affect traffic that originates from
within your network
– Blocks threat traffic that is outbound from the network
– Blocks communication with known C&C actors
• Protect internal network from becoming source of an attack
– Prevent reflection/amplification attacks from being generated within the
internal network

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 31

IPv6 Support

• Access APS services from IPv6

hosts
• IPv6 protection groups
• View, Search or Filter by IPv6
addresses
– View and search within PGs
– View and filter the Blocked Hosts Log
– Filter on Packet Capture
• Blacklist and whitelist inbound
IPv6 addresses

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 32

Centralized Management – Arbor vAPS Console

Arbor APS Console • Use vAPS Console to manage

multiple APS devices
• vAPS Console UI provides an
enterprise-wide view for all of the
APS devices that it manages
– View critical alerts and events for
your network
– Manage the security policies
– Reduces duplication of work
– Single sign-on to APS
– Adjust protections on individual or
ISP multiple instances of APS
IPS
Firewall
Arbor
APS

ISP
IPS
Firewall

Data Center

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 33

 Cloud Signaling

Gain full protection from a

single console by signaling Subscriber Network Subscriber Network

to the cloud
Internet Service Provider

Utilize Cloud Signaling for Arbor Peakflow SP

/ TMS-based DDoS

volumetric DDoS
Service

protection SATURATION
1. Service Operating
Normally
• Immediate protection with Arbor Arbor
2. Attack Begins and
seamless handoff to ISP’s DDoS Networks APS
Initially Blocked by
filtration services
Data Center Network
Firewall / IPS / WAF Arbor Networks APS
– “Clean Pipes” 3. Attack Grows Exceeding
Bandwidth

Public Facing Servers 4. Cloud Signal

Launched
Cloud Signaling Status 5. Customer Fully
Protected!

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 34

Protecting SSL Encrypted Traffic

• Integrated Hardware Security Module (HSM) provides one-box SSL protection

– Inspects encrypted traffic for availability threats
• Integrated SSL/TLS Traffic Inspection and DDoS Protection:
– Decryption and inspection processes are transparent
– Hardware Security Module is FIPS 140 - 2 certified

Cert
Key
Cert
Key

Encrypted Traffic

Traffic
Encrypted
Blocked
Copy
DoS Attack
Decrypted DoS
Detected

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 35

Support for Perfect Forward Secrecy (PFS)

• APS with HSM card offers a “One-

Box SSL Inspection” solution
• Perfect Forward Secrecy (PFS) is a
method to create a key to encrypt
and decrypt messages between
client and server on a per session
basis
– Unlike weaker encryption protocols that
use the same encryption key over and
over, PFS generates a new, completely
unique encryption key at the start of every
session
– Increasingly being used One-Box SSL Inspection
• HSM supports the additional cipher
suites:
– Elliptic Curve Diffie-Hellman (ECDH)
– Ephemeral Elliptic Curve Diffie-Hellman
(ECDHE)

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 36

Unified, Layered DDoS Protection

Cloud Signaling: Automated,

Arbor Cloud: Global, 3 intelligent coordination to Arbor
Cloud-based, mitigation of 4 Cloud to stop large attacks
large attacks; 24x7 SOC
Arbor Cloud
Scrubbing DNS
Center
Cloud
Signal

BGP/DNS 2 Common APS Console

Arbor vAPS
The Internet managing all APS
Volumetric Attack
Botnet

Arbor APS
Appliance

Private
SERT Datacenter
Security Engineering & Response Team

1
5 1a. APS (appliance or virtual)
Continuously backed by in on-premise data center
global threat intelligence 1b. vAPS in AWS cloud.

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 37

Summary

In this unit you have learned about:

• Using Arbor Networks products, including Arbor Networks APS,

ATLAS Intelligence Feed, and Cloud Signaling, to protect critical
network equipment and services from DDoS attacks and advanced
threats.
• DDoS attack types include volumetric, state-exhaustion and
application-layer attacks and how Arbor’s Arbor Networks APS and
related services are deployed to protect against these attack
methods.
• Arbor Networks APS functionality includes detection and mitigation
for inbound/outbound threat traffic, TLS/SSL threats using the HSM,
and Cloud Signaling for faster cloud mitigation response.

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 38

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY