DNS Protection safeguards Incapsula clients’ DNS servers, while also accelerating DNS responses.
Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widens Incapsula's security perimeter, allowing it to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.
DNS and Infrastructure DDoS Protection
1. Eldad Chai, VP Product
Preparing for the Terabit Scale DDoS Attack
2. Agenda
• Network DDoS trends
• Is a Terabit DDoS imminent?
• A DDoS resilient network
• Infrastructure and DNS protection
Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.
3. Where do we stand today?
Attack size distribution (chart):
• <20Gbps: 59%
• 20-40Gbps: 28%
• >40Gbps: 13%
Attack bandwidth is showing exponential growth
One third of attacks exceed 20Gbps
More than 13% exceed 40Gbps
4. It's not all bandwidth
More than 25% of attacks exceed 10Mpps
Most IPS/IDS will crash at 5Mpps
5. Recent campaigns / SaaS applications
6. Recent campaigns / DNS providers
7. How are they reaching these numbers?
• Are botnets becoming bigger?
> No, according to www.shadowserver.org
• Are there more open DNS resolvers?
> No, the number is actually declining according to www.openresolverproject.org
• Are there more open NTP servers?
> Probably not
• So what is it then?
8. How are they reaching these numbers?
• They are using bigger guns
Example of a 4Mpps attack
Less than 30 IPs are generating more than 99% of the traffic
9. What can we learn from all this?
• The stronger the internet is becoming, the stronger the attacks
• The largest attacks use a small set of super resources rather than a large set of weak resources
• Attacks will far exceed a single network's capacity
• Should we expect a 1Tbps+ attack within the next 12-36 months?
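Added example (not part of the original deck): one way a defender can measure the source concentration described on slides 8 and 9, i.e. how few source IPs account for 99% of attack packets. It assumes per-source packet counts are already available from flow records; the function names, the `few=50` cut-off and the sample data are constructed for illustration.

```python
from collections import Counter

def concentration(flows, share=0.99):
    """Smallest number of sources (heaviest first) that carry `share` of all packets."""
    per_src = Counter()
    for src, pkts in flows:
        per_src[src] += pkts
    total = sum(per_src.values())
    covered, needed = 0, 0
    for _, pkts in per_src.most_common():
        if total == 0 or covered >= share * total:
            break
        covered += pkts
        needed += 1
    return {"total_packets": total, "distinct_sources": len(per_src),
            "sources_needed": needed}

def profile(flows, share=0.99, few=50):
    # `few` is an assumed cut-off for this example, not a figure from the slides.
    stats = concentration(flows, share)
    n = stats["sources_needed"]
    stats["profile"] = "concentrated" if 0 < n <= few else "distributed"
    return stats

# Constructed samples (not data from the deck).
def heavy_hitter_sample():
    flows = [(f"198.51.100.{i}", 130_000) for i in range(1, 29)]  # 28 heavy sources
    flows += [(f"203.0.113.{i}", 20) for i in range(1, 201)]      # 200 light sources
    return flows

def botnet_like_sample():
    # 5000 distinct sources, each sending the same small packet count
    return [(f"10.{i // 250}.{i % 250}.1", 100) for i in range(5000)]

if __name__ == "__main__":
    for name, sample in (("heavy hitters", heavy_hitter_sample()),
                         ("botnet-like", botnet_like_sample())):
        print(name, profile(sample))
```
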
10. A DDoS resilient network
• Can scale its capacity on demand
> Cloud solutions are built to scale efficiently
> Cloud provides the most cost-effective way to scale capacity
• Can protect any service from any attack
> Both layer 3&4 and layer 7 mitigation are required
> Web servers and DNS servers are a target for sophisticated attacks
• Provides real time visibility
> You cannot mitigate what you cannot see
• Can respond rapidly to changes
> DDoS mitigation is a delicate balance between false positives and false negatives
> You need to react quickly to any change that disrupts this balance
11. Incapsula DDoS protection
DNS
Web
SSH, FTP, Telnet
SIP
SMTP
UDP, TCP
Network services
12. Incapsula DDoS protection
DNS
Web
SSH, FTP, Telnet
SIP
SMTP
Incapsula Application Protection
Incapsula DNS Protection
Incapsula Infrastructure Protection
UDP, TCP
13. Incapsula Application Protection
Protect HTTP/S Applications
Layer 3&4 and also Layer 7
Always On / On Demand
14. Incapsula DNS Protection - NEW
Protect DNS servers
Prevent Blacklisting
Always On Service
15. Incapsula Infrastructure Protection - NEW
Protect all services and protocols
Protect entire IP ranges
Layer 3&4 (Network)
On Demand Service
16. BGP and Cloud
Diagram labels: LAX 80Gbps, IAD 60Gbps, FRA 80Gbps, +1; prefix 23.5.6.0/24 (repeated)
IP ranges are announced in Anycast
Traffic is forwarded to origin over the same GRE tunnel
17. The “Behemoth”
• We still need to filter DDoS traffic…
• Our requirements
> Filter 100Gbps+ of traffic per POP
> Manage BGP for announcing
> Manage GRE for origin forwarding
> Software defined network (SDN) capabilities
• The solution
> An appliance that can deal with 170Gbps
> Advanced implementations of DDoS filtering algorithms
> Anomaly detection
> Proprietary implementation of BGP and GRE
> C&C for internal networking devices