Welcome www.phoenixdatacom.com Phoenix Datacom, our core - - PowerPoint PPT Presentation

www.phoenixdatacom.com

Welcome

Protection from DDoS attack is now your responsibility, but help is at hand

Mark Tilston, Senior Cyber-Security Engineer PHOENIX DATACOM 2nd December 2014

Solutions to enhance the performance & security of your networks & applications

Phoenix Datacom, our core competencies

Network Data Access for Test, Monitoring & Load Balancing Locating just the data you need in order to see further return from your security and monitoring investments Application Performance Monitoring & Improvement Resolving bottlenecks and other issues before they affect the performance of applications and staff productivity Cyber-Security Protection & Testing Protecting your critical infrastructure from the threats of cyber-crime whilst saving you significant time and money Network Performance Testing & Validation Helping you to build, test, validate and monitor your business-critical cloud, physical and virtual networks

Now in our 30th year, Phoenix Datacom is the UK’s most technically competent provider of solutions and professional services to enhance the performance & security of cloud, physical and virtual networks.

Phoenix Datacom, our core competencies Solutions | Support | Professional Services

We serve customers in : Finance | Enterprises | Government/Defence | Carriers | Mobile Operators

Solutions to enhance the performance & security of your networks & applications

Solution demonstrations available in our….

Solutions to enhance the performance & security of your networks & applications

Hacker/ Intruder

Application Servers (on-site and in the Cloud) Example Hosts

CFO HR Department Remote worker hot-desking CEO CISO Remote Worker Zero-Day Malware & APT Execution 3 x Next-Generation Intrusion Detection and Protection

2

x

Perimeter Firewall: Standard FW rules Finance Legal HR Exchange Intranet

Site

Next-Generation Firewall for Application Control 1 DDoS Protection, Prevention and Mitigation

4

x

Threat Vulnerability Management & Assessment

6

x

Network, LAN and Computer Forensics 5 Stateful Attack Generation

8

Advanced Network & DC Cloaking 7 -

Phoenix Datacom, core security solutions – Monitoring / Mediation / Remediation

Internet/ WAN

Solutions to enhance the performance & security of your networks & applications

Hacker/ Intruder

Application Servers (on-site and in the Cloud) Example Hosts

CFO HR Department Remote worker hot-desking CEO CISO Remote Worker Perimeter Firewall: Standard FW rules Finance Legal HR Exchange Intranet

Site

DDoS Protection, Prevention and Mitigation Stateful Attack Generation

Phoenix Datacom, core security solutions – Our focus today

Internet/ WAN

Solutions to enhance the performance & security of your networks & applications

The focus here today…

Agenda:

• The latest DDoS attack threat spectrum targeting Enterprises, the Government and

Financial Organisations – Arbor Networks

• How local DDoS protection combined with Carrier protection provides the most effective

incident response and remediation - Arbor Networks

• The importance of knowing the capability of your DDoS Mitigation measures, as well as

new solutions under consideration – Ixia (BreakingPoint)

• A live demo of DDoS attacks against the Arbor Networks DDoS Mitigation solution for

Enterprises, the Government and Financial Organisations - Phoenix Datacom.

Solutions to enhance the performance & security of your networks & applications

Better Protection from Cyber-Threats

Darren Anstee, Director of Solution Architects ARBOR NETWORKS

Solutions to enhance the performance & security of your networks & applications

Threats in the news…

Cost Disruption Loss of Customer Trust

Solutions to enhance the performance & security of your networks & applications

The threat space is complex…

New Advanced Threat Landscape

Loud & Noisy Quiet & Patient Availability Confidentiality Integrity

Advanced Threat Continuum

Solutions to enhance the performance & security of your networks & applications

DDoS evolution

Period Average Attack size (bps) % Change Peak Attack Size (bps) % Change Q1 1.12Gbps

• 325.06Gbps
• Q2

759.83Mbps

• 32.2%

154.69Gbps

• 52.4%

Q3 858.98Mbps +13.05% 264.61Gbps +71.1%

325.05 264.61 50 100 150 200 250 300 350 January April July October January April July October January April July October January April July October January April July

Peak Monthly Gbps of Attacks

Solutions to enhance the performance & security of your networks & applications

2014, a time for reflection…

Solutions to enhance the performance & security of your networks & applications

Characteristics of an NTP Reflection/Amplification Attack Abusable NTP Servers

Internet accessible Servers, Routers, Home CPE devices, etc.

Solutions to enhance the performance & security of your networks & applications

Characteristics of an NTP Reflection/Amplification Attack Attacker sends monlist, showpeers, or

• ther NTP level-6/-7 administrative

queries with target port and spoofed IP address of target Abusable NTP Servers

Solutions to enhance the performance & security of your networks & applications

Abusable NTP Servers

Target Port:

UDP/80

Or

UDP/123

NTP services ‘reply’ to the attack target with streams of ~468-byte packets sourced from UDP/123 to the` target; the destination port is the source port the attacker chose while generating the NTP queries Characteristics of an NTP Reflection/Amplification Attack

Solutions to enhance the performance & security of your networks & applications

2014 ATLAS Initiative : Anonymous Stats, World-Wide Other Protocols for Amplification, Q3

• Given the huge storm of NTP reflection activity, there

has been some focus on other protocols that can be used in this way.

• Looking at attacks with source-ports of services used

for reflection.

• DNS has been used by attackers for several years.
• Lower proportion of events for SNMP reflection

this quarter compared to last. Chargen grows slightly.

• Significant growth in attacks with source port

1900 (SSDP)

• Almost no attacks in Q2
• 29506 in Q3

Protocol UDP Source Port Percentage

• f Attacks

in Q3 Max Size Q3 Average Size Q3

SNMP 161 0.03% 14.46Gbps 856Mbps Chargen 19 2% 24.8Gbps 1.05Gbps DNS 53 4% 83.9Gbps 1.7Gbps SSDP 1900 4% 124Gbps 4.04Gbps NTP 123 5% 156.3Gbps 2.99Gbps

Solutions to enhance the performance & security of your networks & applications

DDoS Evolution

Solutions to enhance the performance & security of your networks & applications

Confidentiality / Integrity Threats

Huge number of ‘ways in’

– Drive By Download – SPAM/Phishing – Watering Hole – Walk-in, USB

Leveraging vulnerabilities in:

– JavaScript – Java applets – Compound Documents – Anything Adobe

Many Threat Vectors

• New AND Old
• IPS / AV Limited coverage
• Patching lag

10 20 30 40 50 60

Advanced Persistent Threat Botted or Compromised Hosts Under-capacity for bandwidth Industrial Espionage Malicious Insider Other

Threats On Corporate Network

Solutions to enhance the performance & security of your networks & applications

What does Java script obfuscation look like?

Solutions to enhance the performance & security of your networks & applications

And in the real world…

Solutions to enhance the performance & security of your networks & applications

Bot builder with anti-detection

Solutions to enhance the performance & security of your networks & applications

So, how do organisations improve defenses?

Actionable Threat Intelligence

Use the expertise within vendors, integrators to maximise your own effectiveness

Ensure Availability

Many organisations are now reliant on the Internet for their business continuity

Broad & Deep Visibility

Identify suspicious or malicious activities wherever they occur. Packet capture at key network locations to monitor critical assets

Workflow

Solutions that fit into an IR workflow and enable personnel and processes.

Solutions to enhance the performance & security of your networks & applications

Actionable Threat Intelligence

Honeypots & SPAM Traps ATLAS Security Community

Millions of Samples DDoS Family

300K Malware samples/day Sandbox of Virtual Machines run malware

(look for botnet C&C, files, network behavior)

AIF Policy

Report and PCAP stored in database “Tracker” DDoS Attack Auto-classification and analysis every 24 hrs

Solutions to enhance the performance & security of your networks & applications

Ensure Availability

Internal Network Enterprise Assets Files, Packets & Flow Servers Files, Packets & Flow Enterprise Perimeter Global Internet Global Network Threats

Identify Understand Act

Pravail Availability Protection System (APS)

• Immediate protection from current

threats.

• Utilise ATLAS threat intelligence to

protect your organisation from the latest threats.

• Easy to install and deploy
• Easy to operationalize and deploy.

Built in bypass functionality. Detailed traffic and reporting for advanced users.

• (Arbor) Cloud Signaling
• Integration with cloud based DDoS

protection services to provide the automated, layered protection necessary to deal with multi-vector attacks.

Solutions to enhance the performance & security of your networks & applications

Broad Visibility

Internal Network Enterprise Assets Files, Packets & Flow Servers Files, Packets & Flow Enterprise Perimeter Global Internet Global Network Threats

Identify Understand Act

Pravail Network Security Intelligence (NSI)

• Enterprise-Wide Visibility
• Know your network; see who

talks to who, when and how

• much. Baseline network
• activity. Assign user-identities

to network transactions..

• Advanced Threat Detection
• Utilise ATLAS threat intelligence

to protect your organisation. Profile critical systems and identify suspicious or unusual behavior wherever it occurs.

• Context & Forensics
• Understand the context for any

detected event. Detailed log of historical network traffic flows

Solutions to enhance the performance & security of your networks & applications

Deep Visibility

Internal Network Enterprise Assets Files, Packets & Flow Servers Files, Packets & Flow Enterprise Perimeter Global Internet Global Network Threats

Identify Understand Act

Pravail Security Analytics (SA)

• Total Visibilty
• Full-packet capture and threat

analysis at key network locations

• Explore and understand threats

in real-time or over years of data.

• Advanced Filtering and Deep

Packet Inspection to determine the extent and impact of an attack

• Allows the anlayst to quickly

identify attack traffic.

• Allows frame by frame

dissection of the attack.

• Looping
• Re-apply current threat

intelligence to historical traffic to identify zero day attacks.

Solutions to enhance the performance & security of your networks & applications

Workflow, Arbor is a resource multiplier

PROTECT

Provide surgical mitigation and forensic capabilities.

React

ANALYSE

Situational Awareness. Augment detected events with relevant context

Prioritise

Comprehensive monitoring and threat detection

IDENTIFY

People Products Processes

• Puts the power back in the hands of the security professionals

– Network & Threat Visibility, in context – Incident Response Workflow

• Technology should enable personnel & process investment

– Regardless of how many you have – Or skillset

Solutions to enhance the performance & security of your networks & applications

Arbor Networks 13+ Years

• f Innovation
• The Internet and security is our heritage
• Founded from a DARPA grant
• Over 40 networking and security patents
• Across 60 countries
• Service Providers, Hosters, Fortune 50 ancials

and online giants

Serving The Most Demanding Networks Trusted Experts Globally

• Over 400 employees around the globe
• >50% in Engineering, Service and Support
• Best in class support experts, global infrastructure

ATLAS / ASERT

• Unrivalled visibility, analysing 80Tb/sec of data
• Well regarded security research expertise
• Threat Intelligence

Solutions to enhance the performance & security of your networks & applications

Thank you. Any Questions?

Darren Anstee, Director of Solution Architects ARBOR NETWORKS

Solutions to enhance the performance & security of your networks & applications

Measuring your DDoS defences

Andy Young, Senior Systems Engineer IXIA

Solutions to enhance the performance & security of your networks & applications

The network has evolved Application Realism

• Application landscape
• Network load
• Cyber security threats.

Solutions to enhance the performance & security of your networks & applications

Threats have evolved

• Volumetric DoS Attacks
• SYN Flood, Ping Flood, LOIC attack, UDP Flood
• SMURF Attack, Teardrop Attack
• LAND Attack
• More Advanced
• Stateful TCP (three way handshake Only)
• DNS Request Flooding
• Fragments that add up to almost a full packet
• Layer 7 Attacks
• Slowloris Attack
• RCV Window 0
• SlowPOST Attack
• VoIP Flood
• IVR Walking
• RuDY

Solutions to enhance the performance & security of your networks & applications

Why does realism matter? … inspecting closer When something looks suspicious ! Deep Packet Inspection relies on payload inspection – the deeper the inspection, the slower the traffic Inspection Points slows down traffic

Solutions to enhance the performance & security of your networks & applications

Impact of realism on DPI performance Example: Real Proxy Device Parsing Realistic Data vs Fake Data

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint applications … and you have full control to create many application flows using intuitive workflow Best application coverage 240+ applications 1000+ predefined superflows 12,000+ configurable actions

Application Profile

a Collection of SuperFlows

SuperFlow

a Collection of Flows

Flow

a Collection of Actions

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint uses Markov algorithm to generate Ultimate Realism Example Real Content HTML + Markov + Random CSS Markov + Chat Conversation Markov in Email with ‘target’ word insertion

No other product can perform Markov String Generation! Content NEVER REPEATS and will fully exercise a content aware device!

Markov supports multiple languages

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint – Security Component

 6,000+ exploits  30,000+ malware  Custom Malware  Mobile Malware  Strike fuzzing  Seeded Values to provide repeatability or uniqueness  180+ Evasions

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint – Fuzzing Application Protocols Measures stability in face of corrupted traffic Validates integrity of protocol stacks with malformed packets Generates corrupt data by modifying part of the packet

• Random or user-defined payload
• Data rates: constant, range, random
• Bad IP version, checksum, options; bad TCP options, urgent pointer, etc.
• Pseudo Random Number Generator (PRNG) seed for repeatable testing.

Solutions to enhance the performance & security of your networks & applications

Pre-built Botnet simulations  Cutwail  Zeus  SpyEye  ZeroAccess  Duqu  BlackEnergy  TDL4  PushDO  TDW  Customisation in Application Editor.

Solutions to enhance the performance & security of your networks & applications

Case Study – Financial Exchange

1-Arm Testing BreakingPoint Load Generation DDoS Traffic Volumetric DDoS traffic directed to target web servers Web-based Application Traffic http transactional traffic between BreakingPoint client and target web servers Good Application Traffic Transactional web-based application traffic through DDoS Service Provider DDoS Service Provider Target Web Servers DDoS Traffic Volumetric DDoS Traffic re-directed by DDoS Service Provider

Cloud-Based DDoS Protection DDoS Defense Validation

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint PerfectStorm Performance - per chassis

960

Gbps

Apps Throughput

Applications 24

Million

TCP CPS

Connection Rate

720

Capacity

Million HTTP CC

12M

SSL Capacity

Concurrent SSL Flows

2.4M

SSL CPS

SSL Connection Rate

240

SSL Throughput

Gbps SSL Throughput

Performance in two-arm mode, With clients and servers simulated on same blade

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint – PerfectStorm ONE

Solutions to enhance the performance & security of your networks & applications

Ixia BreakingPoint – keeping current

Solutions to enhance the performance & security of your networks & applications

Thank you. Any Questions?

Andy Young, Senior Systems Engineer IXIA

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack Mitigator

Mark Tilston, Senior Cyber-Security Engineer PHOENIX DATACOM

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

DECISION

06:45

Warning WebServer @ 50% of maximum load

07:00 Automatic Report

DECISION DECISION

09:00

DECISION

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

14:15

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

What will be the reputational damage to our company? How will this effect our company share prices? Can I still afford to buy that huge yacht?

What are my financial losses?

Is any of our Intellectual property at risk?

No, I don’t recall you putting in for DDoS Protection last year! What impact is this having on our customers?

How could this have happened?

What the hell is DDoS?

Didn’t you test our Security defences?

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

14:31 HELP!

Solutions to enhance the performance & security of your networks & applications

A day in the life of the DDoS attack

Solutions to enhance the performance & security of your networks & applications

How can you help yourself?

Questions to ask yourself!

• What is my DDoS Security

strategy and who are the Stakeholders?

• What would be the

financial impact to my business as a result of a DDoS attack?(Don’t forget call centre costs for flooded calls, loss of customers, loss of revenue, etc)

• How do I TRULY know our

current defences are capable of providing the suitable defence against modern cyber-attacks?

Taking the Next Steps!

• Identify potential security

holes, have the right tools and people in place.

• Perform business risk

analysis to determine the right budget to allocate.

• Test your DDoS mitigation

systems and make sure they are capable of detecting and mitigating today’s threats.

• Install appropriate defences,

train and support users as and when required.

How can Phoenix Datacom help you?

Solutions to enhance the performance & security of your networks & applications

Taking the Next Steps!

• Identify potential security

holes, have the right tools and people in place.

• Perform business risk

analysis to determine the right budget to allocate.

• Test your DDoS mitigation

systems and make sure they are capable of detecting and mitigating today’s threats.

• Install appropriate defences,

train and support users as and when required.

The result of which means….

Solutions to enhance the performance & security of your networks & applications

Thank you. Any Questions?

Mark Tilston, Senior Cyber-Security Engineer PHOENIX DATACOM

Event questionnaire to follow by email Further demonstrations available in/via our