
Arbor’s Peakflow Solution

Eduardo Maffessoni
Consulting Engineer - Instructor
INTERESTING FACTS FROM HAVING VISIBILITY

Traffic in the city of Rio de Janeiro (RJ) rose ~50% during the Olympics

Total NETFLIX traffic in Brazil during the games:

Total internal traffic in Brazil increased 40% during the Olympics

Internet traffic in Brazil fell ~20% during the opening of the Olympic Games

Google traffic rose ~500% in RJ

IoT botnet monitoring – ongoing for 18 months

Global TELNET monitoring

Used for maintenance, discovery, infection
Bot communication pattern

Approximately 500,000 devices on the Internet

What does it mean to have visibility into your traffic?

What does it mean to be able to mitigate any form of packet flood attack?

Copy of the IoT bot’s command for infecting a new device

WHAT ARBOR PROVIDES
100% of Internet T1s
8 of the 10 largest banks on the planet
3 of the 5 largest social networks
5 of the 5 largest global card operators
The last 5 Olympic Games

The largest banks in Brazil
Federal, state and municipal governments
More than 600 CUSTOMERS protected in Brazil

~70% of the planet’s entire Anti-DDoS market trusts Arbor


ARBOR SP/TMS (FORMERLY PEAKFLOW)
Comprehensive Dashboards

• Network: Top peers, ASNs, Countries, Cities, Applications, Fingerprints, Growth
• Application: Customers, Ports, Peers, Markets
• Customer: Applications, Peers, Fingerprints, Markets, Alerts
• Router: Per router stats, Top Interfaces, Applications, Customers
• Per interface traffic alerts


Network Visibility: Report Examples

[Figure panels: TCP Applications, BGP ASN Origin, BGP ASPath]


Global Geography Reporting
A New Dimension of Network Intelligence

• Reports and tracking by country, region, city
• Track threat sources
• Country baselines and alerts
• Allow, drop, shape traffic based on country
• Identify growth markets
• Measure service usage by city

Benefits
Better threat response
Better market analysis
Better planning

IPv6 Visibility
• First line of defense – Visibility
– Peakflow SP (since 2009) provides operators visibility into IPv6 traffic.
• Why visibility is important
– Can’t troubleshoot what you can’t see
– Can’t get alerted to what you can’t measure
– Can’t gauge effectiveness of remediation
– Can’t plan for growth

How does IPv6 compare to all other traffic?
Which customers are using IPv6?
Are customers using Tunnels (proto 41, Teredo)?

IPv6 Reports and Dashboard

Benefits
Understand IPv6 Usage
Better IPv6 planning
Identify potential misuse of tunnels

Peer Reports & Tools: Peering Evaluation
Find best candidates for new peering and visualize savings against existing transit connections

Peer Reports & Tools: Transit Reports
Ensure peering and transit arrangements are as cost effective as possible

• Gain a strong understanding of the traffic that transits your network beyond your initial peers
– View where your customers’ traffic is truly destined
– Make intelligent decisions about peering expansions
– Assure that existing peering agreements are being used to their full potential
• Ensure that transit customers are abiding by service agreements such as no-resell agreements

Route and VPN Analytics

• BGP Route Analytics
– Route analytics
– Route instability reports
– Route hijack prevention
– 4 Byte ASN support

• VPN Analytics
– MPLS in/out per router, per interface
– QoS in/out per router / interface
– MPLS egress PE per router / interface

Benefits
Improved Operations Management
Enhance MPLS Service Revenue
Manage Service Level Agreements
Optimize capital spend

Arbor’s Peakflow Solution for Service Providers
You Can’t Protect What You Can’t See… We See Things Others Can’t.

Pervasive Network Visibility
• Backbone
• Peering/Transit edge
• Cloud/Datacenter
• Mobile network
• Customer Edge

Advanced Threat Protection
Detect and mitigate threats (e.g. volumetric & application layer DDoS attacks, mobile signaling storms) before they impact service availability or performance.

Service Enablement
Monetize network infrastructure and Arbor technologies for revenue generating services & competitive differentiation.

Backed By the Industry Leading Global Threat Intelligence from ASERT and ATLAS

MITIGATION
Challenges & Trends for Service Providers

Network/Operational Complexity: Network Traffic, M&A, Multiple Technologies, M2M, SDN/NFV
Cloud Adoption: Public, Private, Hybrid, PaaS/XaaS, CDN
Advanced Threats: Rise in DDoS, Tools & Motivations, Mobile Malware, Hacktivism, Availability
Value Added Services: Increased Competition, Managed Security Services, Customer Loyalty, Commoditization, ARPU


Today’s Service Provider Network…

[Diagram labels: Internet, Transit Peer Edge, Backbone, Customer Edge, Mobile Network, Data Center & Cloud Services, Business Customers, Broadband Subscribers, Mobile Subscribers & Devices; legend: Attack Traffic, Legit Traffic]

A complex environment under constant threat


“Detection in 1 sec, Mitigation in less than 1 min”

Service Protection with Peakflow SP

• HTTP / Web 2.0 Protection
– Block malformed HTTP
– Rate-limit HTTP requests
– Stop “low and slow” attacks

• SSL Protection
– Neutralize SSL signaling protocol attacks

• VoIP Protection
– Block malformed SIP packets
– SIP request limiting

• DNS Protection
– DNS Regular Expressions (RegEx)
– DNS Authentication/Anti-Spoofing
– DNS Query Rate Limiting
– DNS Non-Existent Domain (NXDOMAIN) Rate Limiting

• IP-based Protection
– Packet scrubbing (TCP / UDP / ICMP)
– TCP Connection reset
– White list / black list

Benefits
Protect business critical applications from targeted attacks

Threat Detection Methods
• Misuse Anomaly
– Thresholds for potentially malicious traffic (TCP SYN, IP Frag, DNS malformed, etc.)
• Profiled Anomaly
– Legitimate traffic that exceeds normal patterns (e.g., HTTP flood attacks, amplification attacks)
• Fingerprint Anomaly
– Known attack signatures
– Auto updates – ATF, FSA
– Custom
• IP Location Anomaly
– Alert on traffic spikes from unexpected countries
• Cloud Signaling
– Cloud signaling alerts from registered Pravail APS devices

Network Wide: Detects Highly Distributed Attacks
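
The difference between the first two detection methods listed above, as an added example (a generic illustration, not Arbor's implementation and not from the original slides): a misuse check applies a fixed ceiling to traffic types that are suspicious in bulk, while a profiled check compares a legitimate metric against its own learned baseline. The thresholds, metric names and traffic samples are constructed assumptions.

```python
from statistics import mean, pstdev

# Assumed fixed ceilings (packets/s) for traffic types that are suspicious in bulk.
MISUSE_THRESHOLDS_PPS = {"tcp_syn": 5000, "ip_frag": 2000, "dns_malformed": 100}

def misuse_alerts(sample):
    """Misuse anomaly: static per-type threshold, no traffic history needed."""
    return sorted(kind for kind, limit in MISUSE_THRESHOLDS_PPS.items()
                  if sample.get(kind, 0) > limit)

def build_profile(history, floor=1.0):
    """Learn the mean and spread of a legitimate metric from past samples."""
    return mean(history), max(pstdev(history), floor)

def profiled_alert(value, profile, k=4.0):
    """Profiled anomaly: value exceeds the baseline mean by more than k stddevs."""
    mu, sigma = profile
    return value > mu + k * sigma

def evaluate(sample, http_profile):
    """Run both detectors on one per-minute sample and list what fired."""
    alerts = [("misuse", kind) for kind in misuse_alerts(sample)]
    if profiled_alert(sample["http_rps"], http_profile):
        alerts.append(("profiled", "http_rps"))
    return alerts

# Constructed data: HTTP requests/s seen for one customer at this hour on past days.
HTTP_HISTORY = [900, 950, 1000, 1050, 1100, 980, 1020]

# Constructed per-minute samples for the same customer.
SAMPLES = {
    "normal":     {"tcp_syn": 1200,  "ip_frag": 50, "dns_malformed": 0, "http_rps": 1040},
    "syn_flood":  {"tcp_syn": 80000, "ip_frag": 40, "dns_malformed": 0, "http_rps": 990},
    # Every packet here is well-formed, so no misuse threshold is crossed.
    "http_flood": {"tcp_syn": 3000,  "ip_frag": 60, "dns_malformed": 2, "http_rps": 6000},
}

if __name__ == "__main__":
    profile = build_profile(HTTP_HISTORY)
    for name, sample in SAMPLES.items():
        print(f"{name:11s} -> {evaluate(sample, profile)}")
```

The HTTP flood sample stays under every misuse ceiling and is caught only by the profile, which is why the two methods are run together.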


View packet samples in real time

• View real time packet contents in Wireshark
• Analyze malicious packets while under attack

Thank you
