DDoS mitigation for systems processing
qrator-labs
Category: Internet
Transcript of DDoS mitigation for systems processing
![Page 1: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/1.jpg)
DDoS mitigation for systems processing confidential information
![Page 2: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/2.jpg)
Money
Personal data
Commercial data
NOT ONLY!
Confidential information
qrator.net 2015
![Page 3: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/3.jpg)
Universal SSL
SSL traffic growth
[Chart: SSL traffic in exabytes p.a., 2012 to 2018, y-axis 0 to 45 000; series: Sandvine GIRP projection, Coyote Point projection]
Data courtesy of Sandvine Global Internet Phenomena Report - 2H 2012
![Page 4: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/4.jpg)
SSL enabled by default
use SSL as the default protocol
![Page 5: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/5.jpg)
What about DDoS?
| DDoS type by target | Botnet size |
|---|---|
| Network infrastructure | 10K+ |
| Protocol stack | 1K+ |
| Application | 100+ |
| Exceeding bandwidth capacity | 100K+ |
![Page 6: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/6.jpg)
Sensible, semantically complete application-layer constructs
Application-layer attacks
![Page 7: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/7.jpg)
Challenge
? ? ?
SSL encryption
![Page 8: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/8.jpg)
Industry solutions
Encryption key disclosure
Cloudflare Keyless SSL (2014)
Qrator QLOG (2012)
![Page 9: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/9.jpg)
Keyless SSL
[Diagram: Keyless SSL handshake, steps 1, 2a, 2b, 3, 4, 5. Parties: Visitor, CloudFlare, Key server, Origin server. Labels: Client random, Server random, Public key certificate, Server DH parameter, Client DH parameter, Premaster secret, Session key, Signature from key server, Private key, Cached content, Uncached content.]
![Page 10: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/10.jpg)
Solution by Qrator
[Diagram: User, HTTP, Operator network perimeter, Qrator filtering node, Client HTTP server, Client network, API, Access log.]
![Page 11: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/11.jpg)
Qrator API
100.000+ IPs in black/white lists
Real-time access and management
Policies
Real-time statistics
Expanding functionality - all features are available through API
![Page 12: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/12.jpg)
QLOG
Verbose control and moderation of disclosed data. Log formats are open to discussion
Easy to configure -- a single IPIP tunnel
Fault tolerance
![Page 13: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/13.jpg)
One-to-many
Fault tolerance
[Diagram: Qrator network; filtering nodes; AS Qrator 178.248.232.0/21; client's IP; client app; users and zombies.]
![Page 14: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/14.jpg)
Variety of combinations
All of this can be applied in any combination with any priority
Qrator API (White | Black lists)
Qrator API (Default DROP | ACCEPT policy)
Qrator classifier (Advisory | Director)
![Page 15: DDoS mitigation for systems processing](https://reader033.fdocuments.in/reader033/viewer/2022042618/58a0c2041a28ab6d018b46a9/html5/thumbnails/15.jpg)
One last thing
For payment systems using a third-party merchandiser: we offer to embed our proprietary authentication algorithm into the client application source code, providing additional verification of users' IP addresses in case of a DDoS attack.
It guarantees that all transactions in the payment system will proceed even during the attack.
It's too sophisticated and mind-blowing for a single picture - better to save it for a separate presentation.
Have a word with me later or reach me by email!