Why the best DDoS Protection requires Network Service Orchestration?

What are the types of DDoS attacks?

There are three types of DDoS attacks
Application Level Attacks: These attacks use specific application vulnerabilities to either steal data or deny service for legitimate users. For example, the recent attack on Equifax that exploited weaknesses in Apache Server is an application level attack.

State Exhaustion Attacks: These attacks target the memory of systems that maintain state. They overload the memory table and force it to fail. For example, these attacks commonly target firewalls and other security defenses to allow entry into a target’s network, including lateral movement and exfiltration.

Volumetric Attacks: These attacks use brute force techniques such as TCP SYN Flood, botnet reflection traffic to overwhelm the receiver’s processing power. For example, recent Mirai botnet-based DDoS attack on Dyn is a volumetric attack.

How do you mitigate Application Level attacks?

Leading DDoS protection vendors such as Arbor Networks, Akamai, Corero, and Radware offer an on-prem appliance that is situated in front of the perimeter firewall. These on-prem appliances perform Deep Packet Inspection (DPI) to detect protocol violations as well as known attack signatures to drop malicious traffic.

How do you mitigate Volumetric attacks?

The on-prem appliance also monitors traffic, bandwidth utilization as well as connections. When the traffic increases beyond a configurable threshold, the on-prem appliance initiates a signal to the Cloud-based Protection service.

The entire traffic is redirected to the scrubbing centers using BGP route announcements. The scrubbing centers have extra capacity to filter the attack traffic using mitigation techniques that range from the simple whitelist/blacklist, rate limiting, ACLs, and BGP Flowspect to the more advanced such as blocking known attack patterns, which can be configured in numerous ways. The scrubbing centers have an out of band GRE tunnel to return clean traffic.

Some of the industry leaders including Arbor Networks, Akamai, Incapsula, F5 Silverline and Neustar use such mitigation techniques and continue to refine and develop new techniques as the attacks change.

What are the two modes of DDoS Mitigation?

Always-on Mode: Typically used for low volume application-level attacks that are mitigated using on-prem appliance deployed inline.

On-Demand Mode: Typically used for volumetric attacks more than 1 Tbps traffic and the protection is offered through scrubbing centers in the cloud.

What are the mitigation techniques?

Traditionally DDoS mitigation involved blackholing traffic based on source or destination IP address range. But this method loses clean traffic as well.

A better alternative uses BGP Flow Spec based mitigation that preserves clean traffic.

How does BGP Flow Spec mitigate DDoS attacks?

BGP Flow Spec enables operators to introduce granular control such as in an IDMS (Intelligent DDoS Mitigation System) during DDoS mitigation, but leverage the network.

Unlike blackholing, operators can include more detailed criteria for attack traffic such as source IP, source protocol, source port, Destination IP, Destination protocol, Destination port as well as Packet specific attributes such as length, fragment, etc.

For each criterion, the Flow Spec also defines the corresponding mitigation actions such as dropping the packets, rerouting to a quarantine location or applying rate limiting policies.

Service Providers routinely exchange traffic between their POPs. By introducing the BGP FlowSpec on their provider edge routers, they can minimize the overall malicious traffic that passes through each other’s network.

For more on this topic, see the link in the Reference section below.

How to differentiate vendors offering DDoS mitigation?

Some of the criteria include:

• Support for On-Prem and Cloud hosted deployments.
• Overall capacity to handle multiple large volumetric attacks simultaneously: E.g., Number, and Size of the Data Centers.
• Responsiveness: whether they use Automation or not.
• Effectiveness: Size and Experience of the threat research teams, depth and breadth of mitigations, use of intelligence feeds, and whether or not the solution is limited to just the device or whether it can leverage the network for mitigation (such as ACLS and BGP Flowspec).
• Periodic fire drills and Penetration testing along with disclosures and remediation steps.
• Reporting and post-incident de-brief: whether they provide automated reporting that meet your organization’s needs and can provide a post-attack de-brief that puts that the attack in a broader perspective of what happened either at the same time or to peers.
• Flexible Pricing model: Whether they charge per attack traffic volume, charge per clean traffic or fixed monthly subscription fee, etc.

How to initiate On-demand DDoS mitigation?

Automatic: On-prem appliance initiates Cloud Signaling when traffic exceeds pre-configured thresholds.

Manual: End customer (victim) requests from a Self-Service portal.

How does On-demand mitigation work?

Once a request to activate DDoS mitigation is received, the cloud Provider must provision multiple network elements.

• Provision virtual network in the multi-tenant infrastructure – This step requires configuring multiple switches, routers, load-balancers as well as mitigation appliances. (Note: Some providers may provision the virtual network when customer is on-boarded).
• Configure GRE tunnels to return clean traffic to the client (victim).
• Update BGP Flow tables to re-route traffic destined to the victim to the scrubbing center.
• Once the attack is mitigated, restore the BGP Flow tables.
• De-provision the virtual network – (opposite of the first step above).

How can Network Orchestration help with On-demand mitigation?

Segmentation in a Multi-tenant network: The cloud provider must ensure separation of multiple tenants. Network Service Orchestration can automate the creation and deletion of segmentation across the multi-vendor infrastructure.

Service chaining across L2-L7 multi-vendor devices: When customers network is under attack, time is of the essence. Any manual steps to configure complex network protocols and configurations are error-prone and time-consuming. Network Service Orchestration avoids all human errors, introduces consistency and delivers the entire tenant virtual network within minutes.

Extensible Service models: Network architects can extend and customize the YANG service models to define various workflows as per the existing best practices.

Capacity planning: Network Service Orchestrator keeps track of the real-time inventory of various physical and virtual resources and accordingly provisions the network. This proactive approach avoids the hassle of running out of capacity at the critical time to serve customers under attack.

Service Assurance: Network Service Orchestrator validates the current device config with the policy and resolves any inconsistency. As part of the YANG model, network architect can introduce SLA levels, mitigation steps to automate Service Assurance.

Integration with Self-Service catalog: Entire functionality of Network Service Orchestrator is available via API, and integrates with Self-Service portals as well as ticketing systems such as Service Now, BMC Remedy or OSS/BSS.

Case Study: How F5 Networks scale their Silverline DDoS private cloud deployment?

References:

1. Why BGP Flowspec is a step forward in DDoS mitigation.