Network Security Monitoring With Flow Data - Indico

Transcription

Network Security Monitoring with Flow Data: Anomaly Detection & DDoS Protection
Pavel Minařík, Chief Technology Officer

What is Flow Data?
- Modern network telemetry data, supported by many vendors
- Cisco standard NetFlow v5/v9, IETF standard IPFIX
- Focused on L3/L4 information and volumetric parameters
- Real network traffic to flow statistics reduction ratio 500:1

Flow-Based Traffic Analysis
- Network as a sensor (and enforcer) concept
- Bridges the gap left by signature-based security
- Key technology for incident response
- Designed for multi-10G environments
Diagram, two branches:
- DDoS: statistical analysis, volumetric DDoS detection
- Anomaly detection: advanced data analysis algorithms, detection of non-volumetric anomalies

DDoS Protection on Backbone
Backbone perimeter specifics:
- Multiple peering points: routers & uplinks
- Large transport capacity: tens of gigabits easily
- In-line protection is close to impossible!
Diagram (flow export from the backbone routers): 1. Flow collection, 2. DDoS detection, 3. Routing control, 4. Mitigation control
Flow-based detection and out-of-path mitigation:
- Easy and cost-efficient to deploy in backbone/ISP
- Prevents volumetric DDoS from reaching the enterprise perimeter

Out-of-Path Mitigation
Diagram: Flow data collection and learning baselines feed anomaly detection; detection triggers dynamic protection policy deployment (incl. baselines and attack characteristics); mitigation enforcement diverts traffic to a scrubbing center via BGP route injection. The attack path runs from the Internet through the service provider core toward the protected objects (Protected Object 1, e.g. data center, organization, service etc.; Protected Object 2); the clean path returns scrubbed traffic to them.

BGP Flowspec Mitigation
Diagram: Flow data collection and learning baselines feed anomaly detection; mitigation enforcement sends a specific route advertisement via BGP FlowSpec to the service provider core, which then drops the matching traffic before it reaches the protected objects (Protected Object 1, e.g. data center, organization, service etc.; Protected Object 2).
Dynamic signature:
- Dst IP: 1.1.1.1/32
- Dst port: 135 / 13548 (two values overlaid on the slide)
- Protocol IP: 17 (UDP)
- Action: Discard!
Result: dropped traffic for Dst IP 1.1.1.1/32, the same Dst port, Protocol IP 17 (UDP).
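As an added example (not from the slides or from Flowmon's product), the volumetric-detection and dynamic-signature steps above in a few lines of Python: constructed NetFlow/IPFIX-style records are aggregated per destination, compared against an assumed learned baseline (bytes per interval), and the dominant protocol/port bucket of an attacked destination is turned into a Flowspec-style match with a discard action. The baseline dictionary, the 10x threshold factor and the flow values are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record: L3/L4 keys plus volumetric counters."""
    src: str
    dst: str
    proto: int    # IP protocol number, 17 = UDP
    dport: int
    packets: int
    bytes: int

def detect_volumetric(flows, baseline, factor=10.0):
    """Per-destination volumetric check: returns {dst: (observed, baseline)} for
    destinations whose bytes this interval exceed factor * learned baseline."""
    observed = defaultdict(int)
    for f in flows:
        observed[f.dst] += f.bytes
    return {dst: (v, baseline.get(dst, 0))
            for dst, v in observed.items()
            if v > factor * baseline.get(dst, 0)}

def flowspec_signature(flows, dst):
    """Dynamic signature for one attacked destination: the (proto, dport) bucket
    carrying most bytes becomes a BGP Flowspec match with a discard action."""
    buckets = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            buckets[(f.proto, f.dport)] += f.bytes
    proto, dport = max(buckets, key=buckets.get)
    return {"dst_prefix": f"{dst}/32", "proto": proto, "dport": dport, "action": "discard"}

def render_rule(sig):
    """Human-readable form of the match, in the style of the slide's dynamic signature."""
    return (f"Dst IP: {sig['dst_prefix']} Dst port: {sig['dport']} "
            f"Protocol IP: {sig['proto']} -> {sig['action']}")

# Constructed sample: assumed baseline of 1 MB/interval for 1.1.1.1, then an
# interval with a UDP flood to port 135 (constructed values, not real traffic).
BASELINE = {"1.1.1.1": 1_000_000, "2.2.2.2": 5_000_000}
SAMPLE_FLOWS = [Flow(f"203.0.113.{i}", "1.1.1.1", 17, 135, 40_000, 20_000_000) for i in range(1, 6)]
SAMPLE_FLOWS += [Flow("198.51.100.7", "1.1.1.1", 6, 443, 100, 80_000),
                 Flow("198.51.100.8", "2.2.2.2", 6, 443, 3_000, 4_000_000)]

if __name__ == "__main__":
    for dst in detect_volumetric(SAMPLE_FLOWS, BASELINE):
        print(render_rule(flowspec_signature(SAMPLE_FLOWS, dst)))
```

Only 1.1.1.1 trips the threshold (100 MB observed against a 1 MB baseline); 2.2.2.2 stays within its baseline and gets no rule, which is the point of learning per-object baselines before enforcing anything.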

Anomaly Detection
Anomaly detection based on: behavior, patterns, reputation databases

Sample Anomaly Detection Report
- Focus on indicators of compromise
- Provided by the ISP to enterprise customers

Thank you
Performance monitoring, visibility and security with a single solution
Pavel Minařík, Chief Technology Officer
pavel.minarik@flowmon.com, 420 733 713 703
Flowmon Networks a.s., Sochorova 3232/34, 616 00 Brno, Czech Republic
www.flowmon.com
