Live webinar
Recent DDoS attack trends, and how you should respond
Omer Yoachimik, Product Management, Cloudflare
Vivek Ganti, Product Marketing, Cloudflare
We are helping build a better Internet.
We are building a Global Cloud Network
Cloudflare’s Global Anycast Network
• 27M Internet properties
• 42 Tbps network capacity
• 200 cities and 100+ countries
• 72B cyber threats blocked each day in Q2’20
• 99% of the Internet-connected population in the developed world is located within 100 milliseconds of our network
Note: Data as of June 28, 2019.
Every Product Runs On Every Server In Every Datacenter Around The World
Cloudflare blocks 72,000,000,000 attacks per day*
What Is A DDoS Attack?
Classic definition
• DDoS Attack: Malicious actor targets traffic to an internet property with the intent of causing an outage or service disruption.
Modern definitions
• Self-DDoS Attack: Faulty client applications calling home too frequently
• Friendly DDoS Attack: Overly excited good bots flooding with requests
Cost of Attacks
● Gartner: The average cost of downtime is estimated at $5,600 per minute.
● DDoS attacks are commonly used as a way to distract security teams during an attempted breach.
● Even after 3 years, breached companies underperformed the market by -13.27%
Companies shown in the chart: T-Mobile US, TJX Companies, Huntsworth, Adobe, Global Payments, Royal Bank of Scotland Group, Monster Worldwide, Vodafone Group, Apple
Source: https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/
Global Attack Trends
L3/4 DDoS Attacks Increased As World Entered Lock-down
83% of L3/4 DDoS Attacks Lasted < 1 HR
‘Smaller’ attacks dominated in Q2
• From a packet rate perspective: 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps)
• From a bit rate perspective: Nearly 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps
Big attacks are getting bigger
• 88% of attacks over 100 Gbps launched since shelter-in-place
• 754 Mpps: largest L3/4 DDoS attack from a packet rate perspective
The United States is targeted with the most attacks
57% of all L3/4 DDoS attacks in Q2 were SYN floods
Cloudflare DDoS Protection
Scrubbing: Industry Legacy Scrubbing vs. Cloudflare DDoS
• Network Scale can absorb any DDoS attack.
• Shared Intelligence constantly learns and applies intel to ID new attacks.
• Ease of use -- it’s just on!
A Fully Differentiated DDoS Solution
Unmetered DDoS Protection = Trust
Fast and Safe -- Better than distant ‘scrubbing centers’
DDoS Protection — At Every Layer Of The OSI Stack
Cloudflare DDoS Protection
• Application Layer 7: WAF/CDN (L7 Proxy)
• Presentation Layer 6
• Session Layer 5
• Transport Layer 4: Spectrum (L4 Proxy)
• Network Layer 3: Magic Transit (L3 Routing)
• Datalink Layer 2
• Physical Layer 1
Our Story — L3 DDoS Protection With Magic Transit
Built for Cloudflare. Now available for our customers
Cloudflare Data Center
• 200 cities in 95+ countries
• 37 Tbps DDoS mitigation capacity
• DDoS protection: near-instant TTM
• Network firewall: granular Allow/Deny rules for IP ranges
Customer Data Center
LAYER 3 - IP (MAGIC TRANSIT)
Cloudflare DDoS Protection - How It Works
TTM <10s for dosd
How Cloudflare Magic Transit Compares To Other Vendors
Data as of July 2020

| Feature | Magic Transit | Imperva [4] | Neustar [3] | Akamai Prolexic [2] | Radware [1] |
|---|---|---|---|---|---|
| No. of data centers for DDoS mitigation | 200+ | 45 | 14 | 19 | 11 |
| DDoS scrubbing capacity | 37+ Tbps | 6 Tbps | 12 Tbps | 8 Tbps | 5 Tbps |
| Time-to-mitigation (TTM) [5] | < 10 sec | < 3 sec | 5-15 min | < 5 min | ‘seconds’ |

[1] Radware: https://www.radware.com/products/cloud-ddos-services/
[2] Akamai Prolexic: https://www.akamai.com/us/en/multimedia/documents/product-brief/prolexic-routed-product-brief.pdf; https://blogs.akamai.com/2018/04/whats-new-with-prolexic.html
[3] Neustar: https://www.home.neustar/resources/product-literature/make-ddos-direct-connection-with-netprotect
[4] Imperva: https://www.imperva.com/resources/datasheets/Imperva_DDOS_ProtectionForNetworks.pdf
[5] Cloudflare Magic Transit and other vendors offer 0-sec TTM for “proactive” or static rules. TTM listed here is for automatic detection and mitigation.
Bringing Wikipedia back online
Cloudflare helps Wikimedia restore service following a massive DDoS attack
https://www.cloudflare.com/case-studies/wikimedia-foundation/
North American non-profit organization that hosts Wikipedia, one of the world’s most renowned open collaboration projects.
● Founded in 2003
● One of the most visited websites in the world
● Over 25 billion page views monthly
● Hosts 13 collaborative knowledge projects including Wikipedia
CHALLENGES
• Target of a massive coordinated DDoS attack campaign of ~300Gbps of bandwidth, 105MPPS of TCP ACK traffic, and 340MPPS of UDP floods
• Significant increase in HTTP response times from servers that were still reachable
• Site accessibility impacted in various regions around the world
CLOUDFLARE SOLUTION
• Magic Transit protects their on-premise data centers from volumetric attacks
• Even as the attack changed patterns, Magic Transit was a resilient shield protecting Wikimedia’s network infrastructure
KEY RESULTS
• Improved resilience and availability
• Zero performance degradation due to filtering traffic at the edge
• Valuable partnership with Cloudflare and influence on product roadmap
“Cloudflare has reliable infrastructure and an extremely competent and responsive team. They are well-positioned to deflect even the largest of attacks.”
Grant Ingersoll, CTO, Wikimedia Foundation
Network DDoS Protection You’ll Love. We’ll Prove It.
For a limited time: Replace your legacy provider with Cloudflare Magic Transit and pay nothing until your existing contract expires*
● Get Magic Transit service at no charge until the expiration of your current contract with Akamai Prolexic, Neustar, Imperva, or Radware for up to 12 months.
● We will aim to beat the price you are paying your legacy provider, for the paid period.
● For more information, go to www.cloudflare.com/lp/better
*Terms and conditions apply
Questions?
THANK YOU!
Reach us at: omer@cloudflare.com, vivek@cloudflare.com
