
Pravail APS 2.0 Certification Training
Unit 1
Pravail APS Overview

Objectives

At the conclusion of this unit you should be able to:

• Explain DoS and DDoS attack behavior
• Describe the relationship between DDoS attacks and botnets
• Explain why typical network security devices such as firewalls cannot address resource availability
• Differentiate volumetric from application-layer attacks
• Explain how cloud signaling addresses volumetric attacks
• Define the function of the ATLAS Intelligence Feed

Page 2 - Company Confidential


Pravail APS Overview

• DDoS
• Pravail APS
• Cloud Signaling
• ATLAS Intelligence Feed



What is (D)DoS?

DDoS: Distributed Denial-of-Service (DoS) attack


• DoS attempts to make a computer resource unavailable to its intended users
– Prevents an Internet site or service from functioning efficiently or at all, temporarily or indefinitely
• The attacks may directly target a victim, or they may indirectly bring down a target that shares infrastructure with the victim; this is known as collateral damage
• DDoS involves the coordinated efforts of multiple, geographically distributed computer systems, usually compromised by malware and controlled by one or more people
• Traffic generated by DoS or DDoS attackers may be perfectly ordinary; it is the intention behind it which is not



Common DDoS Attacks

• Volumetric traffic floods
– Large botnets or spoofed-source traffic generate a large number of bits or packets per second (bps or pps)
– UDP-based floods from spoofed sources take advantage of the stateless nature of UDP
– Take out infrastructure capacity: links, routers, switches, servers
• TCP resource exhaustion
– Takes advantage of the stateful nature of TCP
– SYN, FIN, RST floods
– TCP connection attacks
– Exhaust resources in servers, load balancers, firewalls or routers
• Application-layer attacks
– Exploit limitations, scale and functionality of specific applications
– Can be low-rate and still be effective
– HTTP GET requests that return large files
– DNS requests that prompt many zone transfers
– Malformed HTTP, SIP, DNS requests
– SIP INVITE floods to a specific client
– Take out specific services or applications


DDoS Attack Surface

• The attack surface is the part of a network or host that is vulnerable to DDoS attacks
– The surface varies depending on the type of network
• Includes all pieces of the network that are exposed to the Internet
– General infrastructure (routers, switches, load balancers, etc.)
– Application-specific infrastructure
– Control plane, if it is not run isolated from the data plane
– Network links
– Hosts/servers
– IP protocols (TCP, UDP, ICMP, etc.)
– Applications (DNS, Web, VoIP, etc.)
• DDoS attacks can be crafted to target specific areas of the attack surface


IDC DDoS Attack Surface

(Diagram, shown three times with different highlights: an Internet data center with Internet uplinks into a 10GbE core running IP+BGP+MPLS, a distribution edge, IDC aggregation, end-of-row racks of blades, and a SAN A/B storage core reached over 10 Gigabit FCoE/DCE and 4Gb/8Gb Fibre Channel.)

• View 1: volumetric attacks against the upstream link bandwidth of the IDC
• View 2: attacks against the firewalls and load balancing for the data center, i.e. connection attacks exploiting stateful devices
• View 3: attacks against specific services/servers/applications (Web, Email, SIP and DB), i.e. application-layer attacks and connection attacks


Bots: Putting the ‘(D)’ in (D)DoS

• A bot is a servant process on a compromised system (typically unknown to the owner), usually installed by a Trojan or worm
• It communicates with a handler or controller via public IRC servers or other compromised systems
• A botmaster or botherder commands bots to perform any number of different functions
• The system of bots and controller(s) is referred to as a botnet or zombie network


DDoS Example: Reflective Amplification Attack

(Diagram: Attacker a sends a query to Resolver r carrying the source IP of Victim v; r sends its response to v.)

The source IP of the victim (v) is spoofed when the DNS query is sent to the resolver; the resolver receives the query and responds to the victim. A 55-byte query elicits a 4200-byte response.

A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps Internet connectivity.
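The reflection described on this slide leaves a distinctive trace at the victim: DNS responses arriving for queries the victim never sent. The following is an added example for this unit, not code from the deck or from Pravail APS. It runs a simple unsolicited-response check over constructed flow records (the addresses, byte counts, MIN_REFLECTORS and LINK_BPS are assumptions chosen to mirror the slide's numbers) and carries the slide's amplification arithmetic through as functions.

```python
"""Spotting DNS reflection/amplification in flow records.

Added example, not Arbor code.  The flow records are constructed: a victim
(203.0.113.10) that sent exactly one DNS query is receiving large DNS responses
from resolvers it never queried.  Thresholds are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed sample flows (5-tuple plus counters), as a flow collector would export them.
SAMPLE_FLOWS = [
    # Legitimate: the victim asks 198.51.100.1 something and gets a normal-sized answer.
    Flow("203.0.113.10", 40001, "198.51.100.1", 53, "udp", 1, 55),
    Flow("198.51.100.1", 53, "203.0.113.10", 40001, "udp", 1, 120),
    # Reflected: answers from resolvers the victim never queried (the attacker spoofed
    # the victim's address), about 4200 bytes per packet as on the slide.
    Flow("198.51.100.2", 53, "203.0.113.10", 40002, "udp", 120, 504000),
    Flow("198.51.100.3", 53, "203.0.113.10", 40003, "udp", 118, 495600),
    Flow("198.51.100.4", 53, "203.0.113.10", 40004, "udp", 125, 525000),
    # Unrelated TCP traffic, ignored by the detector.
    Flow("203.0.113.10", 443, "192.0.2.50", 51000, "tcp", 30, 20000),
]

MIN_REFLECTORS = 2          # assumption: two or more unsolicited DNS sources = reflection
LINK_BPS = 155_000_000      # the "little more than 155 Mbps" enterprise uplink


def amplification_factor(query_octets, response_octets):
    """Bytes the reflector returns per byte the attacker has to send."""
    return response_octets / query_octets


def attack_rate_bps(bots, upstream_bps_each, factor):
    """Victim-facing rate when every bot saturates its upstream into reflectors."""
    return bots * upstream_bps_each * factor


def unsolicited_dns_responses(flows):
    """Map victim -> {reflector: octets} for UDP/53 responses with no matching query.

    Queries are remembered by (client, server, client port).  A response flow whose
    reverse tuple never appeared as a query must have been triggered by a query the
    client did not send, i.e. the client is the target of a reflection attack.
    """
    queries = set()
    responses = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 53:
            queries.add((f.src, f.dst, f.sport))
        elif f.sport == 53:
            responses[f.dst][(f.src, f.dport)] += f.octets
    result = defaultdict(dict)
    for victim, by_reflector in responses.items():
        for (reflector, client_port), octets in by_reflector.items():
            if (victim, reflector, client_port) not in queries:
                result[victim][reflector] = octets
    return {v: r for v, r in result.items() if r}


def reflection_victims(flows, window_seconds, link_bps=LINK_BPS):
    """Victims with >= MIN_REFLECTORS unsolicited sources, plus the inbound rate."""
    victims = {}
    for victim, reflectors in unsolicited_dns_responses(flows).items():
        if len(reflectors) >= MIN_REFLECTORS:
            bps = sum(reflectors.values()) * 8 / window_seconds
            victims[victim] = {
                "reflectors": sorted(reflectors),
                "inbound_bps": bps,
                "link_saturated": bps >= link_bps,
            }
    return victims


if __name__ == "__main__":
    print(f"amplification 55 -> 4200 bytes: 1:{amplification_factor(55, 4200):.0f}")
    print(f"20 DSL bots x 1 Mbps x 76 = {attack_rate_bps(20, 1_000_000, 76) / 1e9:.2f} Gbps")
    print(reflection_victims(SAMPLE_FLOWS, window_seconds=1))
```

The check keys on the client port as well as the address pair so that a real query on port 40001 does not whitewash reflected responses arriving on other ports. The same constructed flows look harmless over a one-second window and saturate the 155 Mbps uplink when collapsed into 50 ms, which is the point of the slide: the decision depends on rate, not byte counts.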
Anatomy of a DDoS Attack

(Diagram: systems in broadband and corporate networks (UK Broadband, JP Corp., US Corp, US Broadband) become infected; the bots (B) connect across the Internet backbone to a C&C controller to create an overlay network (botnet); the botnet master (M) connects to the controller and issues the attack command; the bots attack the target, "The Peaceful Village", which goes offline ("Bye Bye!").)

1. Systems become infected
2. Bots connect to a C&C to create an overlay network (botnet)
3. The botnet master connects to the controller and issues the attack command
4. The bots attack


DDoS is a Growing & Evolving Technology Trend

More attack motivations:
• Geopolitical: "Burma taken offline by DDOS attack"
• Protests: "Visa, PayPal, and MasterCard attacked"
• Extortion: "Techwatch weathers DDoS extortion attack"

Greater availability of botnets:
• Better bots: more infected PCs with faster connections
• Easy access: using web 2.0 tools to control botnets
• Commoditized: cloud-based botnets, cheaper

Result:
• Increased volume: the largest volumetric DDoS has grown from 9 to 100 Gbps in 5 years
• Increased complexity: 25%+ of attacks are now application-based
• Increased frequency: 50%+ of data center operators are seeing 10+ attacks per month

Data sources: Arbor Networks 6th Annual Infrastructure Security Report and Arbor ATLAS DDoS Attack Repository


Application Layer Attacks Increasing

• Application layer attacks are becoming commonplace
– 77% of respondents reported application layer attacks against critical services
– Application attacks are advancing to more sophisticated services
– Linchpin service infrastructure remains a top target


DDoS Attack Sizes Over Time

• An over 102% year-over-year increase in attack size shows a resurgence of brute-force and volumetric attack techniques
• Internet providers have focused on application threats, so miscreants turned back towards attacking network capacity


Key DDoS Facts

According to the Worldwide Infrastructure Security Report in 2010:

• Threat severity and complexity continue to increase
– Attack size increases dramatically, impacting underlying network infrastructure
• 102% increase in attack size year over year
• Broke the 100 Gbps barrier for the first time
• Up 1000% since Arbor's first WISR in 2005
– Application layer attacks continue, with some new applications being targeted more frequently
• HTTP and DNS remain the top targets, but HTTPS, SMTP and SIP/VoIP attacks are becoming more common
• Firewall and IPS equipment represents critical points of failure during DDoS attacks
– These products are commonly the targets of DDoS attacks
• Significant collateral damage may also result
– Attacks may affect other services that are hosted on the same network or server


Layer 7 DDoS vs Firewall and IPS Based Security

Conventional security devices focus on integrity and confidentiality, not on availability.

Product family | Security triangle | Benefit
Firewalls      | Integrity         | Enforce network policy to prevent unauthorized access to data
IPS            | Integrity         | Block break-in attempts causing data theft

(Diagram: the information security triangle of confidentiality, integrity and availability, beside a data center with IPS and load balancer in the traffic path.)

Many DDoS attacks target firewalls and IPS devices directly!

Firewalls and IPS devices do not solve 100% of the DDoS problem because they
(1) are optimized for other security problems,
(2) can't detect or stop distributed attacks, and
(3) do not integrate with in-cloud security solutions.


Failure of Firewall and IPS in the IDC

• Nearly half of all respondents have experienced a failure of their firewalls or IPS due to a DDoS attack

Data source: Arbor Networks 6th Annual Infrastructure Security Report


Volumetric vs. Application-layer Attacks

DDoS attacks can be summarized into two broad classes: (1) volumetric flood attacks and (2) application-layer attacks. For example, DNS protocol or LOIC attacks would be considered application-layer DDoS attacks, while TCP SYN flood or ICMP Smurf attacks would be considered volumetric attacks (in this two-class view, the TCP resource exhaustion attacks listed separately earlier in the unit fall on the volumetric side). In some cases, application-layer DDoS attacks can escalate into large flood attacks.




Pravail Availability Protection System

Arbor Pravail APS is the only CPE-based security appliance focused on stopping availability threats.

• 'Out-of-the-Box' Protection: immediate protection from threats, with more control
• Advanced DDoS Blocking: introduces new packet-based DDoS detection & mitigation
• Botnet Threat Mitigation: block dynamic botnet-based DDoS attacks with AIF
• Simple Deployment Models: easily fits IDC requirements, including inline placement
• Cloud Signaling: stop volumetric DDoS attacks by signaling upstream MSSPs

(Diagram: a data center network in which Arbor Pravail APS sits at the Internet edge in front of the firewall and load balancer, protecting public Web servers, DNS servers, SMTP servers and corporate servers.)


Pravail Availability Protection System (Cont.)

(Diagram: Pravail APS inline at the edge of the data center network.)

• Inline layer-2 deployment (bump in the wire)
– Out-of-line deployment is also possible
• DPI (layer 7) inspection of traffic
– AIF signatures for detecting complex elements
• Detects and mitigates application-layer attacks at the customer edge
• Cannot mitigate large volumetric attacks directly
– Cloud Signaling enables upstream mitigation


Pravail APS Deployment

Inline (Pravail APS in the path into the data center network):
• Hardware bypass
• Multiple levels of protection
• Reduced traffic burden on firewalls/IPS

Monitor, detection only (Pravail APS fed from a link tap / port span):
• Strong reporting
• "What if" scenarios
• "Real-time" and historical forensics


Pravail APS Deployment (Cont.)
Match Enterprise Needs

• Most enterprises expect inline deployment
– Always-on protection
– Easy to manage at the network level
– Same as firewalls, IDS/IPS, and other security devices they may already have
– Many enterprises don't have the routing infrastructure to support a diversion (offramp) model
• Some enterprises forbid inline deployment
– Mission-critical server farms consider any inline device to be a point of failure
– Mitigation in the SP cloud is often acceptable
• The service provider is expected to have supervision
• The service provider is expected to have fast failover


Pravail APS Appliances

• Models available from 2 Gbps to 10 Gbps inspected throughput
– APS 2104: 2 Gbps
– APS 2105: 4 Gbps
– APS 2107: 8 Gbps
– APS 2108: 10 Gbps
• License upgrades available to increase inspected throughput (2104 to 2105 to 2107 to 2108)
– Customers can grow the capacity of their model as their network grows without new hardware
– If different protection interfaces are required for an upgrade, a new appliance is required
• Five protection interface options
– 2 x 10GE, SR or LR fiber
– 12 x GE, SX or LX fiber
– 12 x GE, copper
• All have hardware bypass!
• 2 x AC or 2 x DC power


Pravail APS Features

• Protection from complex application-layer attacks
– Detect and block DoS attacks not detected upstream
• Immediate protection with near-zero downtime
– No lag between detection and protection
• Easy to deploy and operate
– Does not require in-house expertise or full-time operators for proper use
– Default settings provide useful protection on initial setup without tuning
• Flexible settings
– Those with expertise can tweak protection easily
• Not dependent on the carrier for upstream protection
– But can work with SP solutions or third-party MSSP providers


Management Console Web User Interface



Local Language Support

Web UI page text, Web UI help text, and user documentation:
• English
• Korean
• Japanese
• Mandarin
• Russian (Web UI page text only)


Designed Operation

• "Protection Levels" provide quick and easy selection of three sets of protection settings
– Low: safest, with the least protection; for "normal" use
– Medium: more aggressive protection, with slight risk of false positives
– High: most aggressive protection, with the most risk of false positives
• Reaction during an attack is simple
– An icon click transitions the defense to match the threat level
• Advanced settings are done ahead of time (not while under attack)
– Proactive, not in reaction to the current attack
• Protection from evolving threats and complex payload threats is provided by the ATLAS Intelligence Feed (AIF)
– Relies on expertise at Arbor, not at the customer
• Expert-level protection without an expert on-site


Protection Basics

• Service-Based Protection
– Designed to protect different types of Services
• Web (HTTP)
• DNS
• VoIP (SIP)
• Generic
• AIF (ATLAS Intelligence Feed)-Based Protection
– Packet-based signature matching for botnets and other
automated threats



Attacks Stopped by Pravail APS

Botnet-Based DDoS Attacks

A DDoS botnet is a large set of compromised computers that are controlled remotely by a CnC (command-and-control) server. Usually the computers in a botnet, known as bots or zombies, become compromised without their users' knowledge. The bots are infected with malware that enables them to generate a high-volume traffic attack targeting a victim server. Victim servers can include Web, DNS, and SMTP services. Botnets can also carry out stealthy application-layer attacks because they are real hosts, capable of interacting with network services while mimicking normal behavior.
Examples: blackenergy, dc++, Darkness

Voluntary Botnet Attacks

A voluntary botnet is one in which users allow their computers to become part of the botnet with the intention of attacking a victim server. When a computer becomes a member of the botnet, it accepts commands from the CnC server and joins the rest of the botnet in flooding the victim server with traffic. Some of the attack tools that WikiLeaks supporters (Anonymous) used in November and December 2010 contain a feature whereby users can allow their computers to become part of a botnet.
Examples: Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC)

Generic Bandwidth Flood Attacks

Bandwidth floods can originate from malware or from an attack tool that uses underlying operating system facilities to connect to the victim, create requests, and perform the attack. Some attack methods provide flexibility in creating a traffic pattern (for example, randomized payloads), while others provide better performance in terms of speed. The method that the attacker uses to construct the requests determines the nature of the attack, which in turn affects how the DDoS traffic is mitigated.
Examples: Ping flood, UDP flood, Trinoo


Attacks Stopped by Pravail APS (Cont.)

Reflection Flood Attacks

Reflection flood attacks are a subset of generic bandwidth flood attacks. They use a legitimate resource to amplify an attack against a destination: by sending a request that yields a large response to a legitimate host, and spoofing the source address to that of the actual victim, the attacker makes the victim see a lot of traffic from a legitimate source.
Examples: DNS floods, Fraggle, Smurf, stream attack

HTTP Bandwidth Flood Attacks

An HTTP flood is a continuous submission of the same HTTP request, or a set of HTTP request messages, to a victim's HTTP servers. Typically, the attacker sends the requests at a high rate and forces the Web server to respond to each request. As a result, the Web server remains busy and denies service to legitimate requests.
Examples: HTTP floods, pucodex

Slow Resource Exhaustion Attacks

During a slow flood attack, the attacker opens many connections and, on each connection, sends a partial request to the victim server. In response, the server allocates resources such as memory to each connection and waits for the rest of the request to arrive. The attacker sends a very small portion of the request at an interval just short of the server's idle timeout, so each connection is kept alive indefinitely without ever completing: the server stays busy holding the partial requests but never times them out. Eventually the server's connection or worker pool is full and it starts to deny legitimate connection requests from other clients.
Examples: Slowloris, pyloris, HTTP slow floods, TCP slow floods
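The slow-request behaviour described above, as an added example that is not code from the deck or from Pravail APS: a toy HTTP front end that keeps one state record per connection and reaps idle sockets, attacked by a Slowloris-style script, once with only the idle timeout the attacker is tuned against and once with two extra limits (an absolute per-request deadline and a cap on incomplete requests per source). Worker counts, timeouts, addresses and the attack cadence are constructed assumptions.

```python
"""Slow resource exhaustion (Slowloris-style) against a toy HTTP front end.

Added example, not Arbor code.  The server reaps connections idle longer than
`idle_timeout`; a slow attacker sends a header fragment just before each timeout so
the connection never looks idle and never completes.  All parameters are assumptions.
"""
from collections import Counter


class Server:
    def __init__(self, max_conns, idle_timeout, request_deadline=None, per_source_limit=None):
        self.max_conns = max_conns
        self.idle_timeout = idle_timeout
        self.request_deadline = request_deadline    # None = no cap on total request time
        self.per_source_limit = per_source_limit    # None = unlimited incomplete requests/source
        self.conns = {}                             # conn_id -> {"src", "opened", "last", "buf"}
        self.refused = Counter()                    # src -> refused opens
        self.reaped = Counter()                     # reason -> count

    def reap(self, now):
        for cid, c in list(self.conns.items()):
            if now - c["last"] > self.idle_timeout:
                self.reaped["idle"] += 1
                del self.conns[cid]
            elif self.request_deadline is not None and now - c["opened"] > self.request_deadline:
                self.reaped["deadline"] += 1        # headers took too long regardless of activity
                del self.conns[cid]

    def open(self, now, cid, src):
        self.reap(now)
        same_src = sum(1 for c in self.conns.values() if c["src"] == src)
        if len(self.conns) >= self.max_conns or (
                self.per_source_limit is not None and same_src >= self.per_source_limit):
            self.refused[src] += 1
            return False
        self.conns[cid] = {"src": src, "opened": now, "last": now, "buf": b""}
        return True

    def send(self, now, cid, data):
        self.reap(now)
        c = self.conns.get(cid)
        if c is None:
            return "closed"
        c["last"] = now
        c["buf"] += data
        if b"\r\n\r\n" in c["buf"]:                  # headers complete: request is served
            del self.conns[cid]
            return "served"
        return "waiting"


def slowloris(server, sources, conns_per_source, duration, interval):
    """Open many connections and keep each alive with one bogus header per `interval`."""
    cids = []
    for s in sources:
        for i in range(conns_per_source):
            cid = f"{s}#{i}"
            if server.open(0.0, cid, s):
                cids.append(cid)
    t = interval
    while t <= duration:
        for cid in cids:
            server.send(t, cid, b"X-a: b\r\n")        # never the blank line that ends the headers
        t += interval
    return len(cids)


def scenario(hardened):
    """Attack for 60 s, then see whether a legitimate client gets served."""
    if hardened:
        srv = Server(max_conns=100, idle_timeout=10, request_deadline=30, per_source_limit=5)
    else:
        srv = Server(max_conns=100, idle_timeout=10)
    held = slowloris(srv, sources=[f"198.51.100.{i}" for i in range(1, 5)],
                     conns_per_source=50, duration=60, interval=9)
    if srv.open(60.0, "legit", "192.0.2.7"):
        legit = srv.send(60.0, "legit", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    else:
        legit = "refused"
    return {"attacker_held": held, "legit": legit, "reaped": dict(srv.reaped)}


if __name__ == "__main__":
    print("default :", scenario(hardened=False))
    print("hardened:", scenario(hardened=True))
```

Two caveats belong with this: the per-source cap is only as good as the number of sources, which is exactly what a botnet gives the attacker, and the absolute deadline also cuts off genuinely slow clients, so it is a tuning decision rather than a free fix.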


Attacks Stopped by Pravail APS (Cont.)

TCP Resource Exhaustion Attacks

A TCP resource exhaustion attack takes advantage of the stateful nature of the TCP protocol. By overwhelming the target, or the stateful infrastructure in front of the target, the attacker stops legitimate connections from reaching resources. The most common attack type used by "script kiddies", it includes TCP SYN, FIN, and RST floods. These usually exhaust connection table resources in servers, load balancers, firewalls, or routers.
Examples: TCP SYN flood, TCP RST flood

Malformed Protocol Attacks

Attackers can take advantage of various protocols such as DNS, HTTP, and SIP by sending malformed queries to the servers. Because the malformed queries consume back-end resources while being processed, they can deny service to legitimate DNS queries or SIP INVITEs.
Examples: HTTP malformed queries, SIP malformed queries, DNS multiple requests per query

SIP INVITE Attacks

The SIP protocol can be exploited by overwhelming SIP gateways. An attacker can send a flood of SIP INVITE messages to consume all available resources and potentially trigger a kernel panic on the target system.
Examples: SIP INVITE flood, SIP REGISTER flood

DNS Protocol Attacks

Beyond malformed query attacks, the DNS protocol can be exploited in multiple ways. NXDOMAIN reflection attacks involve a flood of bogus domain resolution requests with the spoofed source being the target. A DNS root query attack, similarly, makes requests of the root servers with a spoofed resolver address, thus leading to a large number of responses directed at that resolver.
Examples: DNS NXDOMAIN flood, DNS root query attack, DNS cache poisoning
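The connection-table exhaustion described under TCP Resource Exhaustion Attacks, as an added example that is not code from the deck or from Pravail APS: a minimal stateful tracker of the kind a firewall or load balancer keeps, fed a constructed trace of spoofed SYNs that never complete the handshake. It shows a legitimate client being refused while the table is full, the half-open fraction that a detector would alarm on, and recovery once the half-open entries age out. Capacity, timeout and all addresses are assumptions.

```python
"""Connection-table exhaustion by a spoofed SYN flood, plus a half-open watchdog.

Added example, not Arbor code.  Models the connection table of a stateful device in
front of a server.  Capacity, timeout and the packet trace are constructed.
"""


class ConnTable:
    """Minimal stateful tracker keyed on the TCP 4-tuple."""

    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout
        self.table = {}          # (src, sport, dst, dport) -> [state, last_seen]
        self.refused = []        # (ts, src) of SYNs refused for lack of table space

    def _expire(self, now):
        stale = [k for k, (state, seen) in self.table.items()
                 if state == "half_open" and now - seen > self.half_open_timeout]
        for k in stale:
            del self.table[k]

    def process(self, ts, src, sport, dst, dport, flags):
        """Feed one packet; `flags` is a string of TCP flag letters (S, A, F, R)."""
        self._expire(ts)
        key = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:              # new connection attempt
            if key not in self.table and len(self.table) >= self.capacity:
                self.refused.append((ts, src))
                return "refused"
            self.table[key] = ["half_open", ts]
            return "half_open"
        entry = self.table.get(key)
        if entry is None:
            return "unknown"
        if "R" in flags or "F" in flags:                    # teardown
            del self.table[key]
            return "closed"
        if "A" in flags and entry[0] == "half_open":        # third step of the handshake
            entry[0] = "established"
        entry[1] = ts
        return entry[0]

    def half_open_fraction(self):
        """Share of table entries still waiting for the handshake to finish."""
        if not self.table:
            return 0.0
        return sum(1 for s, _ in self.table.values() if s == "half_open") / len(self.table)


def syn_flood_trace(count, start_ts, victim="203.0.113.10"):
    """Constructed trace: `count` SYNs from spoofed sources that never complete."""
    return [
        (start_ts + i * 0.001, f"198.51.{(i // 250) % 256}.{i % 250 + 1}",
         1024 + i % 60000, victim, 80, "S")
        for i in range(count)
    ]


def run_scenario(capacity=500, half_open_timeout=30.0):
    """Flood fills the table, a legitimate client is refused, then recovers after expiry."""
    table = ConnTable(capacity, half_open_timeout)
    for pkt in syn_flood_trace(1000, start_ts=0.0):
        table.process(*pkt)
    during_fraction = table.half_open_fraction()            # what a detector would alarm on
    legit = ("192.0.2.7", 50000, "203.0.113.10", 80)
    during = table.process(5.0, *legit, "S")                 # flood entries still held
    after = table.process(40.0, *legit, "S")                 # half-open entries have expired
    table.process(40.1, *legit, "A")                         # handshake completes
    return {
        "refused_total": len(table.refused),
        "half_open_fraction_during": during_fraction,
        "legit_during": during,
        "legit_after": after,
        "half_open_fraction_after": table.half_open_fraction(),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The half-open fraction is the signal to watch: normal traffic keeps it near zero, a SYN flood drives it toward one long before the table is actually full. Shortening the half-open timeout buys time but does not help against a flood that refills the table faster than entries expire.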




Cloud Signaling Motivation

• Pravail APS customers need both local application-layer protection and upstream volumetric protection

(Diagram: a data center with IPS and load balancer; the application-layer DDoS impact is felt inside the data center, while the volumetric DDoS impact is felt on the Internet uplink before traffic reaches the premises.)


Cloud Signaling Motivation (Cont.)

• No on-premises security device can protect Internet uplinks from traffic that overloads the links on the service provider side
• Cloud Signaling allows the enterprise to request mitigation in the cloud
– Mitigation in the service provider cloud filters traffic before it reaches the links
– Can be automated to allow attack mitigation without manual service provider intervention
• Arbor Peakflow SP-based
• Fast response to enterprise requests
• The provider avoids the cost of personnel to start mitigations
– Can be implemented as an active managed service
• Cloud Signaling only triggers an alert at the service provider
• Faster provider workflow, because the alert appears in the same system used for mitigation


Cloud Signaling

• Partner with an ISP / MSSP for volumetric protection
– The Cloud Signaling Coalition offers many benefits for members
• Immediate protection with seamless handoff to Arbor DDoS services

(Diagram: an Internet service provider running an Arbor Peakflow SP / TMS-based DDoS service, with subscriber networks; at the enterprise, Arbor Pravail APS sits at the data center network edge in front of the firewall / IPS / WAF and the public-facing servers, and shows a Cloud Signaling status indicator.)

1. Service operating normally
2. Attack begins and is initially blocked by Pravail
3. Attack grows, exceeding bandwidth
4. Cloud signal launched
5. Customer fully protected!
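The five-step handoff above, as an added example that is not Arbor code: the page does not describe the Cloud Signaling message format, so this models only the decision the sequence implies, i.e. when a local mitigator that is already blocking an attack should ask upstream for help, and when it should stand down. Link capacity, the attack and signaling thresholds, the hysteresis counts and the sample inbound-rate series are constructed assumptions.

```python
"""When should an on-premises mitigator raise a cloud signal?

Added example, not Arbor code and not the Cloud Signaling protocol.  A small
state machine with hysteresis: local mitigation starts when inbound traffic looks
like an attack, upstream help is requested only after the uplink has been close to
saturation for several consecutive samples, and the signal is cleared only after
several quiet samples.  All numbers are assumptions.
"""

NORMAL, LOCAL, CLOUD = "normal", "local_mitigation", "cloud_signaled"


class HandoffPolicy:
    def __init__(self, link_bps, attack_bps, signal_fraction=0.8, sustain=3, clear=5):
        self.link_bps = link_bps
        self.attack_bps = attack_bps                   # above this the local device calls it an attack
        self.signal_bps = link_bps * signal_fraction   # headroom left before the uplink saturates
        self.sustain = sustain                         # consecutive hot samples before signaling
        self.clear = clear                             # consecutive quiet samples before standing down
        self.state = NORMAL
        self.over = 0
        self.quiet = 0
        self.events = []                               # (ts, new_state, reason)

    def observe(self, ts, inbound_bps):
        """Feed one inbound-rate sample measured on the uplink; returns the new state."""
        self.over = self.over + 1 if inbound_bps >= self.signal_bps else 0
        self.quiet = self.quiet + 1 if inbound_bps < self.attack_bps else 0

        if self.state == NORMAL and inbound_bps >= self.attack_bps:
            self._go(ts, LOCAL, "attack detected, blocking locally")
        if self.state == LOCAL and self.over >= self.sustain:
            self._go(ts, CLOUD, "uplink nearly saturated, cloud signal sent upstream")
        if self.state != NORMAL and self.quiet >= self.clear:
            self._go(ts, NORMAL, "attack subsided, signal cleared")
        return self.state

    def _go(self, ts, state, why):
        self.state = state
        self.events.append((ts, state, why))


# Constructed 10-second samples: a 1 Gbps uplink; the attack ramps up, exceeds what
# the local device can absorb, then drops once upstream mitigation takes effect.
SAMPLE_RATES = [
    (0, 20e6), (10, 25e6), (20, 300e6), (30, 600e6), (40, 900e6), (50, 950e6),
    (60, 980e6), (70, 50e6), (80, 30e6), (90, 20e6), (100, 20e6), (110, 15e6),
]


def run_sample():
    policy = HandoffPolicy(link_bps=1e9, attack_bps=100e6)
    for ts, bps in SAMPLE_RATES:
        policy.observe(ts, bps)
    return policy.events


if __name__ == "__main__":
    for ts, state, why in run_sample():
        print(f"t={ts:>4}s  {state:<17} {why}")
```

The two counters are what keep the handoff from flapping: a single burst over the signaling threshold does not trigger a request upstream, and the first quiet sample after the provider starts scrubbing does not cancel it, since inbound traffic at the customer drops precisely because the upstream mitigation is working.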




ATLAS Overview

• Active Threat Level Analysis System (ATLAS)
• The Internet's first globally scoped threat analysis system
• The intersection of two of Arbor's greatest assets:


ATLAS System Design

1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity
2. This malware information is sent to an ATLAS central repository, where it is combined with Arbor Peakflow, third-party, and vulnerability data
3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal (atlas.arbor.net)
ATLAS Intelligence Feed

• ATLAS Intelligence Feed (AIF)
– DPI-based feed to Pravail APS appliances
– Signature-based mitigation of DDoS attacks
• Provides automatic detection and mitigation for complex threats "out of the box"
– Many single-packet detect/defend rules per family
• AIF keeps Pravail APS appliances updated with a continually evolving set of signatures
– ATLAS tracks more than 180 threat families, such as:
• Pucodex
• Slowloris
• Sockstress
• AIF provides detection of:
– HTTP header signatures
– Inbound traffic (DDoS)
• AIF also updates IP location data
ATLAS Intelligence Feed (Cont.)

(Diagram: malware analysis and ASERT findings populate a DDoS threat database, which produces the ATLAS Intelligence Feed delivered to Pravail APS appliances.)
ATLAS Intelligence Feed (Cont.)

• What does the AIF feed contain?
– A list of rules (attack signatures)
– Signatures apply to HTTP requests
• Each signature contains:
– The regular expression to apply
– A case-sensitivity flag
– Signature ID and version
– Risk level: indicates the possibility of false positives, based on live traffic testing
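How the four signature fields above combine with the Low / Medium / High protection levels from the Designed Operation slide, as an added example that is not Arbor code and carries no real AIF content: the rule set, its IDs and patterns, the sample requests and the mapping from protection level to accepted risk level are all constructed for the demo. It shows the case-sensitivity flag and the risk level doing real work: the same request is passed at Low and blocked at Medium or High.

```python
"""Applying AIF-style HTTP request signatures under a protection level.

Added example, not Arbor code and not real AIF rules.  Each signature carries the
fields the slide lists (regex, case-sensitivity flag, ID and version, risk level);
the protection level decides how much false-positive risk is acceptable.  All
patterns, IDs, header values and the level-to-risk mapping are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    version: int
    pattern: str
    case_sensitive: bool
    risk: str            # "low" = rarely wrong on live traffic ... "high" = often wrong

    def compile(self):
        flags = re.MULTILINE | (0 if self.case_sensitive else re.IGNORECASE)
        return re.compile(self.pattern, flags)


# Constructed rules (hypothetical tool names and header values, not from any feed).
RULES = [
    Signature("EX-0001", 3, r"^User-Agent: ExampleFlooder/\d", case_sensitive=False, risk="low"),
    Signature("EX-0002", 1, r"^X-Attack-Tool: ", case_sensitive=True, risk="low"),
    Signature("EX-0003", 2, r"^GET /\?[^ ]*\b\d{9,}\b", case_sensitive=True, risk="medium"),
    Signature("EX-0004", 1, r"^Accept-Language: \*\r?$", case_sensitive=False, risk="high"),
]

# Which risk levels each protection level is willing to block on (assumption mirroring
# "Low = safest, least protection ... High = most aggressive, most risk").
ACCEPTED_RISK = {
    "low": {"low"},
    "medium": {"low", "medium"},
    "high": {"low", "medium", "high"},
}


class SignatureEngine:
    def __init__(self, rules, protection_level):
        accepted = ACCEPTED_RISK[protection_level]
        self.active = [(r, r.compile()) for r in rules if r.risk in accepted]

    def matches(self, request_text):
        """IDs (with version) of every active signature that fires on the request."""
        return [f"{r.sig_id}v{r.version}" for r, rx in self.active if rx.search(request_text)]

    def verdict(self, request_text):
        return "block" if self.matches(request_text) else "pass"


# Constructed sample requests: one obvious tool, one cache-busting query string,
# one odd but plausible header, one ordinary browser request.
REQUESTS = {
    "flooder": "GET / HTTP/1.1\r\nHost: www.example.test\r\nuser-agent: exampleflooder/2\r\n\r\n",
    "cache_bust": "GET /?r=1234567890123 HTTP/1.1\r\nHost: www.example.test\r\n"
                  "User-Agent: Mozilla/5.0\r\n\r\n",
    "odd_lang": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept-Language: *\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}


def evaluate(protection_level):
    """Verdict for every sample request at the given protection level."""
    engine = SignatureEngine(RULES, protection_level)
    return {name: engine.verdict(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, evaluate(level))
```

Note the `\r?$` in EX-0004: header lines end in CRLF, and with `re.MULTILINE` the `$` anchor sits before the `\n`, so a pattern that forgets the `\r` silently never fires. That is the kind of detail a live-traffic false-positive score cannot reveal, because a signature that never matches is "accurate".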

