Introducing FortiDDoS

Intent Based Detection and Mitigation

Fortinet Confidential
Agenda

• What is DDOS
• Classification of Attacks
• Approaches to DDOS Prevention
• DDOS and Market Trends
• Introducing FortiDDOS
• FortiAsic – Traffic Processor
• Deployment Scenarios
• Features and Benefits

2
What is DDoS?

An attack, the objective of which is to exhaust the available resources

of a network, application or service such that
legitimate users, or systems, are denied access

• High profile victims are easy to find

• Not all attacks are news worthy
• Any company with a web presence
can find themselves a target
• A successful DDOS attack can have
a catastrophic effect on a business

Fortinet Confidential
 Typical DDOS Motivations

• Financial
DDOS provides a revenue stream opportunity for the attacker who
targets ecommerce sites
How much would you pay to keep the store open?

• Political
DDOS is used to protest about a given issue, disrupt operations but the
primary motivation is not financial
The Armchair Hacktivist

• What ever the motivation,

the result is the same,
denial of legitimate access

4 Fortinet Confidential
 What to attack?

• Four main areas are vulnerable

Web Hosting Servers

Server vulnerabilities,
process and connection
limits
ISP 1
Web Hosting Center
Bandwidth
Flood with illegitimate
traffic to fill available
capacity

Firewall
Firewall / IPS Device
connection tables,
ISP 2 forwarding and session
Back End Database
Servers
set up processing Server resources
SQL Injection vulnerabilities

5 Fortinet Confidential
The Classification of Attacks

Volumetric Attack Application Layer Cloud Infrastructure

Attacks Attacks
Designed to consume
available Internet More sophisticated, Cloud solutions can turn
bandwidth or overload attractive to the attacker the Internet in the
server resources. since they require less Corporate WAN. Modern
resource to carry out attackers target the full
Typical examples SYN (botnet costs) range of cloud
Flood, UDP Flood, ICMP infrastructure (firewall,
Flood, SMURF attacks. Target vulnerabilities in mail & web servers)
applications to evade
flood detection strategies Mitigation can be
complex and any attack
can impact multiple
customers

Fortinet Confidential
Attack Traffic : Top Originating Countries

Source: Akamai

Fortinet Confidential
 Ever Changing Landscape – Recent quote from
Wikileaks

• "The bandwidth [being] used is so huge it is impossible

to filter without specialized hardware," the tweets said.
"The DDoS is not simple bulk UDP or ICMP packet
flooding, so most hardware filters won't work either.
The [range] of IPs used is huge. Whoever is running it
controls thousands of machines or is able to simulate
them."

Fortinet Confidential
 Volume and Motivation – Size isn’t
everything

• For the First time ever the maximum Size of a DDOS

attack decreased from 2010 to 2011
• Less than 10% of attacks> 10Gbps
• More than 75% of attacks< 1Gbps
• Over 1/3 Lasted More than 24 hours
• More than 10% Lasted more than 1 week
• Less than half of the victims knew a reason for the
attack
• Over 20% Political
• More than 10% Unhappy Users
• Less than 5% Financial Extortion

Fortinet Confidential
 Cost and Mitigation

• Admitting there is a problem is not defeat

• Estimated cost of a DDoS attack

• Nearly 2/3rds Estimate it at less than $10K/hr
• More than 10% Estimate it at more than $100K/hr
• 80% of Financial Services suppliers put the cost at more than
$10K/hr
• Mitigation Methods
• Over 2/3rd use Firewalls/IDS/IPS/Routers/Switches
• ¼ have no protection
• Less than 5% have purchased specific Hardware

A recent report from

Fortinet Confidential
Approaches to DDOS Prevention

Scrubbing Service from Firewall / IPS Dedicated Device

Internet or Cloud
Service Providers Model: Integrated device Model: Inline detection,
for FW/IPS and DDoS mitigation and reporting.
Model: Managed service prevention Auto detection of a wide
subscription model. range of DDoS attacks
Usually separate Pros: Single device,
detection and mitigation simplified architecture, Pros: Cost effective, no
less units to manage unpredictable or hidden
Pros: Easy sign up and charges. Multi-layer,
deployment Cons: Not designed to accurate, fast, scalable
detect/block sophisticated and easy to deploy
Cons: Expensive, DDoS attacks; typically
inflexible, costs can rise requires an update Cons: Additional network
during an attack license, element

Fortinet Confidential
Existing solutions are broken

Software or General Service Based Traditional Firewall/IPS

CPU based

Can become High and generally Ineffective against more

overwhelmed by traffic unpredictable costs sophisticated attacks
volume, leads to false
positives Delays to mitigation Problems in scaling to
inflexible to changing high volume attacks
Lacking a set and forget requirements
model Complex to use
Customer lacks control
IDC 2011 Frost & Sullivan 2011 IDC 2011

• Small and mid-sized enterprises are particularly vulnerable to attacks

• Enterprises with multiple carriers or web centric businesses need to
look for effective on-premise solutions with scalable detection and
mitigation capability

Fortinet Confidential
DDoS and Market Trends

• Building a Defense means

development in new attack methods

• Volumes of data per attack are

decreasing
• Data Centre DDoS protection is expected
to surpass Carrier protection in 2012
• Mobile Markets expected to be one of the
largest growth opportunities
• Mobile Vulnerabilities and 4G networks
are changing source potentials
• Layer 7 attacks are the fastest growing
source of DDoS

Fortinet Confidential
Some Traditional Attacks

• SYN Flood
• Targets connection table resources
• Zombie Flood
• The classic botnet
• TCP/UDP Flood IP Spoofing, Reflection
One becomes many

• UDP typically used to generate high traffic levels

• Anomalous Packet Flooding
• By accident or design,
consume server resources
• HTTP GET Flood
• Creates a behavioral anomaly, harder to detect Zombie Botnet
Many become one

Fortinet Confidential
 Attack Tools

• Many and varied

• Configurable perl scripts,
executables, javascript
• Windows, OSX, Android
• Distributed as
• Stress Tester Utilities
• Development Toolkits
• Malware
• Used to create
• Individual attacks
• Voluntary ‘hacktivist’ attacks
booster scripts
• Botnet driven attacks

15 Fortinet Confidential
The Slowloris Attack

• Targets HTTP from a single client machine

• Not new, dates from 2009
• Opens a connection to a web server
• Not all servers are vulnerable
• Sends legitimate, but partial, never ending requests
• A blank line completes a HTTP request (RFC2616)
so don’t send one GET
HEAD
• Send ‘something’ to prevent a timeout POST

• Sockets held open

• No more sockets… no more service X-a

Fortinet Confidential
 Introducing FortiDDoS

Hardware Accelerated DDoS Defense

Intent Based Protection

 Uses the newest member of the FortiASIC  Granular Protection

family, FortiASIC-TPTM • Multiple thresholds to detect subtle changes
and provide rapid mitigation
 Rate Based Detection
 Inline Full Transparent Mode ISP 1 Web Hosting Center
• No MAC address changes FortiDDoS™

 Signature Free Defense

• Hardware based protection
 Self Learning Baseline Firewall

• Adapts based on behavior ISP 2

Legitimate Traffic
Malicious Traffic

Fortinet Confidential
 How it works – Baseline Building

• FortiDDOS is typically protecting the customer link(s) Links from

ISP(s)
• On premise, or within ISP data center
• Transparent deployment
• Bypass capability with FortiBridge*
• Traffic flows are handled by the FortiASIC-TP
DDOS
Protection
FortiDDOS
• Legitimate traffic model is automatically constructed
• Calendar based baseline
• Adaptive Threshold Estimation Firewall
FortiGate
• Typically increases over time, no need to re-measure
• Multiple links supported
Hosting
Center

Fortinet Confidential
 How it works – Detection and Mitigation

Virtual Partitioning

• Detection is performed in hardware Geo-Location ACL

• Packets processed by FortiASIC-TP
Bogon Filtering
• Classification and metering across multiple layers
Protocol Anomaly
• Single pass decision making Prevention

Legitimate Traffic
Attack Traffic
• Correlated with the created traffic model Packet Flood
Mitigation
• Protocol Anomalies, Threshold Violations Stateful Inspection
Application level attacks Out of State Filtering

• Mitigation occurs on FortiDDOS Granular Layer 3 and 4

Filtering

• No traffic redirection or control plane (BGP) disruption Application Layer

Filtering
• No hidden costs, easy to deploy, immediate relief Algorithmic Filtering

Heuristic Filtering

Fortinet Confidential
 FortiAsic-Traffic Processor (TP)
No CPU in the path of the packets
No fast or slow path
No IP/M AC address in the path of the
packets

Network, Transport,
Application Layer State Anomaly
Anti-spoofing
Header Anomaly Prevention
Prevention

Inbound and Network, Transport, Decision

outbound Virtualization Application Layer Multiplexer
Application Layer Rate Allowed
packets Heuristics packets
Anomaly Prevention
Dropped packets

Network, Transport,
Dark Address, Geo-
Application Layer Source Tracking
location, IP Reputation
Access Control Lists

Control and Statistics

SNMP Traps/MIBs, Threshold Wizard,

Event/ Traffic Statistics, Policy Configuration,
Syslog, Event Continuous Adaptive
Graphs Archive, Restore
Notifications Threshold Estimation

Fortinet Confidential
 How Does It Work?

• Packets/Source/Second Can reset server

• SYN Packet/Second connections upon
• Connection Establishments/second overload
• SYN Packets/Source/Second
• Connections/Second Too many hoops to cross
• Concurrent Connections/Source before a set of malicious
• Concurrent Connections/Destination packets can go through.
• Packets/Port/Second
• Fragmented packets/second
Prevent Rate, Policy,
• Protocol packets/second
State violations, Stealth,
• Same URL/second Slow, Fast Attacks
• Same User-Agent/Host/Referer/Cookie/Second
• Same User-Agent, Host, Cookie, Referer/Second Quick blocking (< 15s),
• Anti-Spoofing checks unblocking and
• Associated URLs heuristics revaluation (every
packet) to avoid false
positives

Fortinet Confidential
Deployment Scenarios

Fortinet Confidential
 Virtual Partitions

• Uniquely enables up to eight segmented zones Links from

ISP(s)
• Segmentation by server address / subnet
• Consider a customer with multiple traffic types
• Web Browsing
• Firmware Updates
DDOS
• Online Ordering Protection
FortiDDOS

• Separate Policies for Unique Traffic Patterns

• Connection patterns could differ from server to server
Firewall
• Need to protect services from each other FortiGate

• Mitigation could include limiting the

volume of firmware downloads
Corporate site

Fortinet Confidential
Deployment Scenarios – VIDs

Wealth Management

Online Banking

Loans and Mortgages

Fortinet Confidential
Deployment Scenarios (Contd.)

Fortinet Confidential
Deployment Scenarios (Contd.)

Fortinet Confidential
FortiDDoS-100A

2U Appliance – provides dual link

protection
Specification
LAN 2 x 1G (copper and optical)
WAN 2 x 1G (copper and optical)
FortiASIC 2 x FortiASIC-TP1
RAM 4G
Storage 1TB HDD
FortiDDoS-100A Management 1 x RJ45 10/100/1000

Power Single AC

Protection 1Gbps full duplex

Fortinet Confidential
FortiDDoS-200A

4U Appliance – provides protection for

up to 4 links
Specification
LAN 4 x 1G (copper and optical)
WAN 4 x 1G (copper and optical)
FortiASIC 4 x FortiASIC-TP1
RAM 8G
Storage 2 x 1TB HDD RAID
FortiDDoS-200A Management 1 x RJ45 10/100/1000

Power Dual Redundant AC

Protection 2Gbps full duplex

Fortinet Confidential
FortiDDoS-300A

4U Appliance – provides protection for

up to 6 links
Specification
LAN 6 x 1G (copper and optical)
WAN 6 x 1G (copper and optical)
FortiASIC 6 x FortiASIC-TP1
RAM 8G
Storage 2 x 1TB HDD RAID
FortiDDoS-300A Management 1 x RJ45 10/100/1000

Power Dual Redundant AC

Protection 3Gbps full duplex

Fortinet Confidential
 FortiDDoS Features and Benefits

Feature Benefit

ASIC-assisted threat • High-speed processors block attacks before they

detection and mitigation can affect network availability
Network virtualization and • In multi-tenant or virtual environments, prevents
segregation attack on one customer from affecting another
• Provides flexible deployment options and optimal
TCO for service providers and cloud environments
Automatic traffic pattern • Achieves more accurate threat detection through
learning multi-layer profiling
• Modeling requires almost no end user intervention
Rapid deployment • No network topology or configuration changes
needed, integrates into existing network architecture
Enforcement of network • Significantly reduces false positives
traffic on layers 3, 4 and 7 • Automatically builds a complex and detailed
legitimate traffic model
• Facilitates detection of sophisticated attacks

Fortinet Confidential 30
 Complementary Fortinet DDoS Solutions

Network infrastructure Protection

Traffic anomaly detection based on thresholds.
Blocks network-based attacks like TCP SYN flood, UDP/ICMP floods,
FortiGate TCP port scans, protocol anomalies.

Web and Application Servers Protection

Transparent challenge/response approach to identify legitimate requests
Blocks network and application-layer threats that target apps and web services
FortiWeb infrastructure like HTTP GET/POST requests, Slowloris, SQL injection, etc

Web hosting or network AND Security Infrastructures

Auto Learning accelerates deployment, with dedicated FortiASIC-TP based
detection and mitigation on attacks across all layers (L3, L4 and L7)
FortiDDOS Virtualized network partitions for maximum flexibility

Fortinet Confidential
 In Summary

• Traditional Firewalls and IPS appliances provide limited

protection against today’s DDoS attacks

• Cloud and ISP based services offer some protection but

such services can be expensive and lack granularity

• When under attack the defending appliance must be stable and deliver
predictable behavior, not possible with a general CPU and software
combination

• A successful DDOS attack can have a catastrophic impact on your business

Fortinet Confidential
THANK YOU

Fortinet Confidential