Aed Ac Jan23

The document discusses the Netscout Arbor Edge Defender (AED), a comprehensive DDoS protection solution designed to safeguard networks and services from complex and diverse DDoS attacks. It highlights the features of AED, including always-on availability, integration with existing security stacks, and advanced threat detection capabilities. Additionally, it outlines the importance of cyber threat intelligence and the role of Arbor Cloud in mitigating DDoS attacks effectively.


Netscout Arbor Edge Defender (AED)

First & Last Line of Smart Automated Defense

Tony Teo, Sales Engineering Director - APJ, Service Provider BU


DDoS Statistics in 2H 2021
Frequency, Bandwidth, and Throughput

COPYRIGHT © 2019 NETSCOUT SYSTEMS, INC. | NETSCOUT CONFIDENTIAL & PROPRIETARY 2


Global Statistics
A look at the numbers (regional breakdown: APAC, NAMER, EMEA, LATAM; the figures themselves are not reproduced in this text)


Modern DDoS Attacks Are Complex & Diverse
(Reader's Vietnamese gloss on the title: "modern", "diverse".)

[Diagram: traffic from ISP 1, ISP 2 ... ISP n enters the data center and passes an IPS, a firewall and a load balancer before reaching the target applications and services. Three effects are annotated: upstream saturation on the ISP links, state exhaustion in the stateful devices, and exhaustion of service at the target. Reader's glosses: exhaustion = "kiệt sức", saturation = "độ bão hòa".]

Today's DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages. Often a single attack causes all three, and all have the same end result: critical services are no longer available.
STATE EXHAUSTION DDOS ATTACKS

[Diagram: attack traffic and good traffic both arrive at the data center firewall. The firewall's connection table fills ("Full!!"), so new sessions, legitimate ones included, can no longer reach the target applications and services.]


WHICH ARE STATEFUL DEVICES?

Firewall, WAF, IPS, Anti-DDoS, Load Balancer

STATEFUL DEVICE?
(Answer slide is an image only; not reproduced here.)


Netscout Arbor Edge Defender (AED)
First and Last Line of Smart, Automated Perimeter Defense

• Always-on availability protection of the network, services and other security devices from DDoS
• Inbound and outbound threat-communication detection and blocking
• Integration with the existing security stack and processes (STIX/TAXII, RESTful API)
• Intelligent cloud signaling
• Protects and offloads downstream stateful devices

On-Premise Always-On Availability Protection


CPE Layer 7 DDoS Protection

[Diagram: Netscout AED sits at the data center edge, between the ISP 1 ... ISP n links and the IPS, firewall and load balancer that front the target applications and services.]

• CPE-based: L4-7 DDoS mitigation must be done at the data center
• Always on: immediate mitigation
• Fine-tuned to the services behind it to minimize false positives and false negatives
AED DDoS Countermeasures

1. Filter List
   • FCAP expression
2. Rate-Based Blocking
   • Bits per second (bps), packets per second (pps)
3. Payload Regex
   • TCP ports, UDP ports, generic
4. Spoofed SYN Flood Prevention
   • Spoofed SYN flood (3-way handshake)
   • Out-of-sequence authentication
5. TCP Connection Limit
6. TCP Connection Reset
   • Minimum request bit rate
   • TCP connection initial timeout
   • Initial timeout required data
   • Consecutive violations before blocking source
7. DNS Authentication
8. Malformed DNS Traffic
9. DNS Rate Limit
10. DNS NXDomain Rate Limit
11. DNS Regex
12. Web Crawler Support
13. CDN and Proxy Support
14. HTTP Reporting
15. Malformed HTTP Filtering
16. HTTP Rate Limiting
   • Request limit (req/sec), URL limit (URLs/sec)
17. HTTP Header Regex
18. TLS Attack Prevention
19. Malformed SIP Traffic
20. SIP Request Limiting
   • SIP source limit (messages/sec)
21. Traffic Shaping
   • Max bps, max pps, filter
22. TCP SYN Flood Detection
   • SYN ACK delta rate, SYN rate
23. ICMP Flood Detection
   • Max request rate, max bps
24. UDP Flood Detection
   • Max bps, max pps
25. Botnet Prevention
   • Basic botnet prevention
   • AIF botnet signatures
   • Slow request attack
26. Fragment Detection
   • Max bps, max pps
27. Multicast Blocking
28. Private Address Blocking
30. Application Misbehavior
   • Interrupt count
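The two slides above make one argument: a stateful device spends a table entry on every SYN, so a spoofed flood fills it and legitimate clients are refused, while a stateless device in front can authenticate the 3-way handshake (countermeasure 4) without storing anything. The following is an added example, not NETSCOUT code, that simulates both cases. It models the firewall as a fixed-size connection table, the stateless front end as a SYN-cookie responder keyed with an HMAC, and reports a SYN-to-completed-handshake delta as my reading of the "SYN ACK Delta Rate" statistic in countermeasure 22. All addresses and traffic are constructed from RFC 5737 documentation ranges; the table size, secret and packet counts are assumptions.

```python
# Added example, not NETSCOUT code: a stateful firewall exhausted by a spoofed
# SYN flood versus a stateless SYN-cookie front end that only passes
# authenticated handshakes to it. Constructed traffic, RFC 5737 addresses.
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "A" = handshake-completing ACK
    ack: int = 0    # acknowledgement number carried by an ACK

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

class StatefulFirewall:
    """Allocates a connection-table entry for every SYN, like any firewall,
    IPS, WAF or load balancer that tracks sessions."""
    def __init__(self, table_size):
        self.table_size = table_size
        self.table = {}      # 4-tuple -> "SYN_RECEIVED" | "ESTABLISHED"
        self.refused = 0

    def handle(self, pkt):
        if pkt.flags == "S":
            if len(self.table) >= self.table_size:   # state exhaustion
                self.refused += 1
                return "refused"
            self.table[pkt.key] = "SYN_RECEIVED"     # half-open until ACKed
            return "half-open"
        if pkt.flags == "A" and self.table.get(pkt.key) == "SYN_RECEIVED":
            self.table[pkt.key] = "ESTABLISHED"
            return "established"
        return "no-state"

class SynCookieFrontEnd:
    """Stateless handshake authentication: every SYN gets a SYN-ACK whose
    sequence number is an HMAC of the 4-tuple and a time slot, nothing is
    stored, and only a client that returns ACK = cookie + 1 (proving its
    source address is real) has its handshake replayed to the firewall."""
    def __init__(self, downstream, secret=b"constructed-demo-secret"):
        self.downstream = downstream
        self.secret = secret          # assumption: rotated out of band
        self.slot = 0                 # caller advances this periodically
        self.syns = 0
        self.completed = 0

    def cookie(self, pkt, slot):
        msg = f"{pkt.src}:{pkt.sport}:{pkt.dst}:{pkt.dport}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")    # fits a 32-bit sequence number

    def handle(self, pkt):
        if pkt.flags == "S":
            self.syns += 1
            return ("SYN-ACK", self.cookie(pkt, self.slot))   # no state kept
        if pkt.flags == "A":
            for slot in (self.slot, self.slot - 1):           # tolerate rollover
                if pkt.ack - 1 == self.cookie(pkt, slot):
                    self.completed += 1
                    self.downstream.handle(Packet(*pkt.key, "S"))  # authenticated
                    return self.downstream.handle(pkt)
            return "bad-cookie"   # spoofed or stale: still no state consumed
        return "ignored"

    def syn_ack_delta(self):
        """SYNs seen minus handshakes completed (my reading of the 'SYN ACK
        Delta Rate' signal): grows with a spoofed flood, ~0 under real load."""
        return self.syns - self.completed

def simulate(with_front_end, table_size=1000, spoofed=5000, legit=50):
    """Replay a constructed spoofed SYN flood, then legitimate clients."""
    fw = StatefulFirewall(table_size)
    edge = SynCookieFrontEnd(fw) if with_front_end else None
    ingress = edge or fw
    target = ("203.0.113.10", 443)
    # 1. forged sources: the SYN-ACK goes to an address that never answers
    for i in range(spoofed):
        ingress.handle(Packet(f"198.51.100.{i % 250}", 1024 + i, *target, "S"))
    # 2. real clients ACK whatever sequence number they were given
    legit_ok = 0
    for i in range(legit):
        syn = Packet(f"192.0.2.{i + 1}", 40000 + i, *target, "S")
        reply = ingress.handle(syn)
        seq = reply[1] if isinstance(reply, tuple) else 0
        if ingress.handle(Packet(*syn.key, "A", ack=seq + 1)) == "established":
            legit_ok += 1
    return {
        "legit_established": legit_ok,
        "refused_by_firewall": fw.refused,
        "half_open_in_firewall": sum(s == "SYN_RECEIVED" for s in fw.table.values()),
        "syn_ack_delta": edge.syn_ack_delta() if edge else None,
    }

if __name__ == "__main__":
    print("firewall alone:  ", simulate(False))
    print("with SYN cookies:", simulate(True))
```

With the firewall alone, the first 1000 forged SYNs fill its table and every later SYN, including all 50 legitimate ones, is refused. With the SYN-cookie front end, the 5000 forged SYNs consume no state anywhere, the 50 real clients are established, and the front end's SYN/ACK delta of 5000 is exactly the kind of signal a flood detector thresholds on. The same property is what lets a stateless device sit in front of the stateful ones and "offload" them, as the AED slide puts it.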
AED GUI (Sample Screen Shots)
(Screenshots not reproduced in this text.)


On-Box SSL Inspection

• Protection against DDoS attacks at the HTTPS protocol and header level: built into the standard offering
• Add-on protection: protection against DDoS attacks carried in payloads encrypted with SSL 3, TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3, using the Cryptographic Acceleration Module (CAM)


Security Stack of Yesterday

[Diagram, from the Internet inward: DDoS protection as an add-on to the NGFW; the NGFW itself (stateful blocking); IPS; sandbox etc.; endpoint; with a SIEM / security process alongside. Outbound DDoS: "???" (not addressed by this stack).]


Security Stack of Today

[Diagram, from the Internet inward: AED for DDoS; NGFW; sandbox etc.; endpoint; with a SIEM / security process alongside. Outbound DDoS is marked at the NGFW.]

1. DDoS protection: AED. Stateless? In- and outbound DDoS protection.
2. IPS being consumed by the NGFW.
3. IoCs (reputation blocking) in the NGFW are expensive, impact performance and can be done better with stateless devices.

... The industry is changing its approach to protection


What's in Cyber Threat Intelligence?

• Based on reputation:
  • IP / protocol / port
  • Domain
  • URL
  • TLS certificate / JA3
• High-scale, high-efficiency blocking of known threats at the perimeter
• Millions of Indicators of Compromise (IoCs) in memory with line-rate performance at 10 Gbps+


Security Stack of Today

[Diagram, from the Internet inward: NGFW with vendor-specific IPS and IoC blocking fed by Cyber Threat Intelligence; sandbox etc.; endpoint; with a SIEM / security process alongside.]

1. NGFW DDoS protection. Stateless?
2. IPS being consumed by the NGFW.
3. IoCs (reputation blocking) in the NGFW are expensive, impact performance and can be done better with stateless devices.
Prove it! - NGFW Performance Degradation

Performance                     Palo Alto PA-7080   Palo Alto PA-7050   Fortinet
Firewall throughput (App-ID)    200 Gbps            120 Gbps            52 Gbps
Threat Prevention throughput    100 Gbps            60 Gbps             3 Gbps (94.2% drop)

• Throughput degrades by 50% with Threat Prevention
• Number of IOCs supported:
  • Anti-virus signatures: 1 million
  • WildFire signatures: 100K
  • DNS signatures: 100K


Prove it! - NGFW Performance Degradation

[Two charts: firewall latency (milliseconds) and firewall TCP connection rate, each comparing the firewall with no IoC list loaded against the firewall with a US-only IoC list loaded. Source: bandurasystems.com]
What's a Threat Intelligence Gateway (TIG)?

"Because multifunction firewalls apply so many security inspection and prevention capabilities, they typically are limited from as low as 30,000 threat indicators to as high as 300,000 for larger (higher-end) appliances ... A new solution is needed for this problem, and one now exists."
Gartner, Emerging Technologies: Threat Intelligence Gateways, November 2017


Security Stack of Today

[Diagram, from the Internet inward: a Threat Intelligence Gateway (TIG) doing IoC blocking in front of the NGFW, fed by a Threat Intelligence Platform (TIP) that consumes Cyber Threat Intelligence; then sandbox etc.; endpoint; with a SIEM / security process alongside.]

4. Threat Intelligence Platform (TIP) managing multiple forms of CTI.
5. Emergence of the Threat Intelligence Gateway (TIG), trying to take pressure off the NGFW; it uses stateless IPS technology.
AED Augments Existing Security Stack (Future)

[Diagram, from the Internet inward: Netscout AED, fed by AIF, handles DDoS and reputation blocking (the TIG function) in front of the NGFW, IPS, sandbox etc. and the endpoint; it exchanges intelligence with the TIP and sends alerts to the SIEM / security process.]

Integration points:
• Stop inbound and outbound DDoS and other cyber threats
• Intelligence to/from the TIP
• Alerts to the SIEM
• APIs enable further integration

Consolidation:
• Stateless DDoS protection and reputational blocking
• Embedded TIG
ATLAS Intelligence Feed for Arbor Edge Defense

Threat protection categories:
• Location-based threats
• DDoS threats
• IP geo-location
• Email threats
• Web crawler identification
• APT / targeted attacks / attack campaigns
• Command and control
• Mobile malware / threat
• Malware


Arbor Edge Defense (AED)
First & Last Line of Smart Automated Defense

[Diagram: unique global threat intelligence delivered to the AED as continuous AIF updates.]

Inbound threats:
1. Always-on advanced cyber threat protection
   • Volumetric, application and state-starvation DDoS + cloud signaling
   • Stateless, high-performance and high-scale reputation blocking (Threat Intelligence Gateway function)
   • Integrated perimeter enforcement point
Arbor Edge Defense (AED)
First & Last Line of Smart Automated Defense

Outbound threats:
2. Stop a compromise becoming a breach
   • Automatically BLOCK outbound connections using curated and user-defined IoCs (i.e. AIF)
   • Augment existing perimeter security
3. Identify advanced threats that have evaded existing defenses
   • Machine learning + analyst oversight
   • Contextual threat intelligence
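The "What's in Cyber Threat Intelligence?" slide lists the indicator kinds a perimeter device can act on (IP/proto/port, domain, URL, TLS certificate / JA3) and the slide above applies them outbound, blocking connections on curated and user-defined IoCs. The following added example, not NETSCOUT's AIF or AED code, shows what that reputation filter looks like for both slides: indicators are loaded from a STIX 2.1 bundle (the STIX/TAXII integration point the AED slide mentions) plus a user-defined JA3 list, and evaluated statelessly against flow records in both directions. Only the simple `[type:property = 'value']` STIX pattern form is parsed here, not the full STIX pattern grammar; the bundle, the JA3 hash, the flow records and the indicator names are all constructed.

```python
# Added example, not NETSCOUT's AIF/AED code: a stateless reputation filter fed
# from a STIX 2.1 bundle plus a user-defined JA3 list, applied inbound (source
# reputation) and outbound (C2 blocking). Bundle, JA3 and flows are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Only the simple STIX pattern form [type:property = 'value'] is understood.
STIX_SIMPLE = re.compile(r"^\[\s*([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\s*\]$")

def norm_url(u):
    p = urlsplit(u)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

@dataclass
class Flow:
    direction: str               # "in": src is the remote peer; "out": dst is
    src: str
    dst: str
    host: Optional[str] = None   # TLS SNI or HTTP Host of the remote peer
    url: Optional[str] = None    # request URL (outbound HTTP)
    ja3: Optional[str] = None    # client TLS fingerprint (outbound TLS)

class ReputationFilter:
    """A few dict lookups per flow and no session table: that is what lets a
    stateless device hold millions of IoCs and still run at line rate."""
    def __init__(self):
        self.nets = {}      # prefix length -> {network address as int: label}
        self.domains = {}   # "bad.example" -> label (covers its subdomains)
        self.urls = {}      # normalised URL -> label
        self.ja3 = {}       # md5 hex -> label
        self.skipped = 0    # indicators a perimeter device cannot act on

    def add_ip(self, value, label):          # IPv4 only in this example
        net = ipaddress.ip_network(value, strict=False)
        self.nets.setdefault(net.prefixlen, {})[int(net.network_address)] = label

    def load_stix(self, bundle):
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator":
                continue
            m = STIX_SIMPLE.match(obj.get("pattern", ""))
            if not m:                        # file hashes, compound patterns ...
                self.skipped += 1
                continue
            otype, prop, value = m.groups()
            label = obj.get("name") or obj.get("id")
            if (otype, prop) == ("ipv4-addr", "value"):
                self.add_ip(value, label)
            elif (otype, prop) == ("domain-name", "value"):
                self.domains[value.lower().rstrip(".")] = label
            elif (otype, prop) == ("url", "value"):
                self.urls[norm_url(value)] = label
            else:
                self.skipped += 1

    def match_ip(self, ip):
        """Longest-prefix match: one dict lookup per distinct prefix length."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return None
        for plen in sorted(self.nets, reverse=True):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            label = self.nets[plen].get(int(addr) & mask)
            if label:
                return label
        return None

    def match_domain(self, host):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):         # the host, then each parent domain
            label = self.domains.get(".".join(labels[i:]))
            if label:
                return label
        return None

    def verdict(self, flow):
        """('block', matching indicator label) or ('allow', None)."""
        peer = flow.src if flow.direction == "in" else flow.dst
        hit = (self.match_ip(peer)
               or (flow.host and self.match_domain(flow.host))
               or (flow.url and self.urls.get(norm_url(flow.url)))
               or (flow.ja3 and self.ja3.get(flow.ja3.lower())))
        return ("block", hit) if hit else ("allow", None)

DEMO_BUNDLE = {"type": "bundle", "objects": [   # constructed, not a real feed
    {"type": "indicator", "name": "scanner-net", "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "name": "c2-server", "pattern": "[ipv4-addr:value = '203.0.113.66']"},
    {"type": "indicator", "name": "c2-domain", "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "name": "dropper-url", "pattern": "[url:value = 'http://evil.example/payload.bin']"},
    {"type": "indicator", "name": "dropper-hash", "pattern": "[file:hashes.'SHA-256' = 'deadbeef']"},
]}
DEMO_JA3 = "0123456789abcdef0123456789abcdef"   # placeholder, not a real fingerprint
DEMO_FLOWS = [                                   # constructed flow records
    Flow("in", "198.51.100.77", "203.0.113.10"),                            # from listed scanner net
    Flow("out", "10.0.0.5", "203.0.113.66"),                                # beacon to C2 IP
    Flow("out", "10.0.0.5", "192.0.2.10", host="cdn.bad.example"),          # subdomain of C2 domain
    Flow("out", "10.0.0.5", "192.0.2.20", url="http://evil.example/payload.bin"),
    Flow("out", "10.0.0.5", "192.0.2.30", host="update.example.org", ja3=DEMO_JA3),
    Flow("out", "10.0.0.5", "192.0.2.40", host="www.example.org"),          # clean
]

def build_demo_filter():
    f = ReputationFilter()
    f.load_stix(DEMO_BUNDLE)                                  # curated feed
    f.ja3[DEMO_JA3] = "user: suspicious TLS client"           # user-defined IoC
    return f

def evaluate(flows=DEMO_FLOWS):
    filt = build_demo_filter()
    return [filt.verdict(f) for f in flows]
```

Each verdict carries the name of the indicator that fired, which is the detail worth forwarding in the "alerts to SIEM" integration. Two practitioner caveats are visible in the code: the file-hash indicator is counted as skipped because nothing at the perimeter can match it, and the URL check only works on plaintext HTTP or behind on-box SSL inspection; for TLS the filter sees the SNI and the JA3 fingerprint, not the URL.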


Arbor Cloud



Arbor Cloud DDoS Mitigation Service

• Dedicated DDoS protection platform
• 14 datacenters worldwide: Stockholm, Amsterdam, London, Frankfurt, Marseille, New York, Ashburn, San Jose, Los Angeles, Dallas, Sao Paulo, Tokyo, Singapore, Sydney
• BGP and DNS traffic diversion
• 24x7 SOC

Total capacity: 11+ Tbps


Traffic Diversion Options

[Diagram, two options. DNS: Arbor Cloud acts as a proxy in front of the enterprise network. BGP: Arbor Cloud announces the enterprise prefix, scrubs the traffic and returns it through the ISP to the Arbor AED at the enterprise edge. For the BGP option a dedicated interconnect to Arbor Cloud is available for re-injection of clean traffic.]


Arbor Cloud Service Reporting Portal
Delivering Greater Visibility and Control

• Available to all Arbor Cloud customers
• Single pane of glass for your Arbor Cloud service
  – Traffic statistics
  – Current and historical alert notifications and data
  – Current and historical mitigation event data
  – Configuration parameters
  – User account management


Post-Incident Reports

• Post-incident reports provide detailed information on DDoS incidents and the actions taken by the SOC to protect you


AED / Edge Defense Cloud Signaling
Intelligent, Automated Cloud Signaling

[Diagram: subscriber networks on the Internet; upstream saturation at the Internet Service Provider link; the Arbor AED at the edge of the data center network, in front of the firewall / IPS / WAF and the public-facing servers; a Cloud Signal from the AED to NETSCOUT Arbor Cloud, where the attack is blocked and legitimate sessions are delivered to the customer.]

1. Edge Defense provides always-on protection
2. A volumetric attack causes congestion of the ISP link
3. A Cloud Signal is launched
4. Traffic is diverted to Arbor Cloud and optionally auto-mitigated
5. Edge Defense and the Cloud portal provide visibility of the mitigation
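The five steps above describe what happens but not how the device decides when step 3 fires and when traffic comes back, which is where a deployment gets tuned. The following added example is the decision logic I would put behind steps 2 to 4; it is not NETSCOUT's cloud-signaling implementation, which the deck does not describe. It assumes the ISP link capacity is known, that the AED samples ingress on its upstream interface once per interval, and that while traffic is diverted the scrubbing centre reports the attack rate it is absorbing (assumed to be reachable over an API such as the one the reporting portal exposes). The link size, thresholds and traffic figures are constructed.

```python
# Added example, not NETSCOUT's cloud-signaling code: when to raise the cloud
# signal and when to return traffic, with hysteresis and a hold-down so the
# diversion does not flap. Capacity, thresholds and samples are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CloudSignalController:
    prefix: str                   # protected prefix Arbor Cloud would announce
    link_bps: float               # upstream ISP link capacity
    trigger_ratio: float = 0.8    # signal when ingress >= 80% of the link ...
    trigger_intervals: int = 3    # ... for this many consecutive samples
    clear_ratio: float = 0.3      # return when cloud-side attack < 30% of link ...
    clear_intervals: int = 6      # ... for this many consecutive samples
    min_hold: int = 10            # ... and at least this long after diverting
    state: str = "LOCAL"          # LOCAL | DIVERTED
    diverted_at: Optional[int] = None
    over: int = 0                 # consecutive congested samples
    quiet: int = 0                # consecutive quiet samples while diverted
    actions: List[Tuple[str, int]] = field(default_factory=list)

    def observe(self, t, local_ingress_bps, cloud_attack_bps=None):
        """Feed one sample; returns ('divert', t), ('return', t) or None."""
        if self.state == "LOCAL":
            # step 2: congestion test on the link the AED itself sits behind
            if local_ingress_bps >= self.trigger_ratio * self.link_bps:
                self.over += 1
            else:
                self.over = 0                  # a single burst does not count
            if self.over >= self.trigger_intervals:
                self.state, self.diverted_at, self.quiet = "DIVERTED", t, 0
                self.actions.append(("divert", t))      # step 3: cloud signal
                return ("divert", t)
            return None
        # DIVERTED: the local link now carries scrubbed traffic only, so its
        # utilisation says nothing about whether the attack has stopped; the
        # clear decision has to use the rate the scrubbing centre reports.
        attack = cloud_attack_bps if cloud_attack_bps is not None else float("inf")
        self.quiet = self.quiet + 1 if attack < self.clear_ratio * self.link_bps else 0
        if self.quiet >= self.clear_intervals and t - self.diverted_at >= self.min_hold:
            self.state, self.over = "LOCAL", 0
            self.actions.append(("return", t))
            return ("return", t)
        return None

def run_demo():
    """Constructed 10 Gbps link: a one-sample burst, then a sustained flood,
    then the scrubbing centre reporting the attack tailing off."""
    ctl = CloudSignalController(prefix="203.0.113.0/24", link_bps=10e9)
    samples = [                   # (local ingress bps, cloud-reported attack bps)
        (3e9, None), (9.5e9, None), (3e9, None),        # t=0..2: burst ignored
        (9e9, None), (9.5e9, None), (9.8e9, None),      # t=3..5: sustained, divert
        (2e9, 8e9), (2e9, 6e9),                         # t=6..7: still under attack
    ] + [(2e9, 2e9)] * 8                                # t=8..15: attack subsiding
    for t, (local, cloud) in enumerate(samples):
        ctl.observe(t, local, cloud)
    return ctl.actions

if __name__ == "__main__":
    print(run_demo())
```

Two things the slide's steps leave implicit and the code makes explicit: once traffic is diverted, the local link is no longer a usable signal for ending the diversion, so the return decision needs the cloud-side view, and a hold-down plus hysteresis is what stops an attacker who pulses traffic from making the prefix flap between the ISP and the scrubbing centre. For the BGP option, the protected space also has to be announceable as a /24 or larger, since longer prefixes are not generally accepted in the global routing table.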


Netscout Arbor Security Solution Portfolio

[Table with three columns: Service Provider, Cloud, MSSP / Datacenter. The rows are listed here without the column split, which the extraction does not preserve.]

• Management & Portal: Sightline / TMS, Arbor Cloud portal, Omnis Threat Insight, Arbor Enterprise Manager, AED portal, Horizon, MSSP tools
• Security Enforcement: Threat Mitigation System (TMS), Virtual TMS, TMS BareMetal, Arbor Cloud (11.2 Tbps), Arbor Edge Defender (AED 8100, HD1000), Virtual AED (NFV ready)
• Network Security Visibility: Sightline SP7500 / SP8000, vSightline / vInsight, Insight, ATLAS, Arbor Enterprise Manager
THANK YOU

Email : [email protected]
