As the web application security landscape evolves, companies are facing increased pressures to strengthen their security posture. Recently, the world’s largest distributed denial of service (DDoS) recorded attacked GitHub at 1.35 Tbps. While the big attacks get all the headlines, at Cloudflare we have learned about other forms of attacks that can unexpectedly bring your site down. Join this webinar to learn about how small DDoS attacks can still bring your site down, why TCP services may make you vulnerable to a DDoS attack, and how to augment Cloudflare’s unmetered DDoS solution with Spectrum, Rate Limiting, and Argo Tunnel.

1. How To Take Your DDoS Protection To The
Next Level

2. Presenters
Tim Fong
Product Marketing Manager
John Esterline
Solutions Engineer

3. Agenda
● The new DDoS landscape
● A little known way attackers can bypass traditional DDoS protections
● Why TCP services may make you vulnerable to a DDoS attack
● Pros and cons of multiple solutions: BGP, MPLS, and building your own
● How to augment Cloudflare’s unmetered DDoS solution with
Spectrum, Rate Limiting, and Argo Tunnel

4. Poll #1
Have you experienced a DDoS attack in the past year?
● No, but I want DDoS protection
● No, and I already have enough DDoS protection to my site
● Yes, and I want to take my DDoS protection to the next level
● Yes, but I don’t think it will happen to my site again

5. The New DDoS Landscape

6. Volumetric DNS Flood
Bots
DNS Server
DNS Server Server
Amplification (Layer 3 & 4)
HTTP Flood (Layer 7)
1
2
Bots
3
Bots
Degrades availability and performance of applications, websites, and APIs
HTTP
Application
Application/Login
Types of DDoS Attack Traffic
In-Depth
In-Depth

7. DNS Attacks Continue To Be Infrequent
7
Unmetered
Mitigation
Introduced

8. 1.7
Tbps

9. DDoS 2018 and Beyond
More
Frequent
Difficult to
Mitigate
DNS
Layer 7
SSL CPU
Exhaustion
(Layer 6)
HTTP
Layer 7
Layer 3/4
500
Gbps
100
Gbps
200
Gbps
40
Gbps
Smaller, target L7 attacks are proving to be more difficult for the industry than L3/4
Less
Frequent
9

10. Globally distributed (128,833 IPs)

11. Say Cheese: a
snapshot of the
massive DDoS attacks
coming from IoT
cameras:
128,000+ unique IP’s
220k rps
360 Gbps
IoT DDoS / Attack Case Study
CHALLENGES
• DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers switched
to L7 attacks in an attempt to knock web applications offline
• Unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to
the attacked server.
• These attacks came from Internet-of-Things (IoT) category of devices
CLOUDFLARE SOLUTION
• Seeing the move towards L7 DDoS attacks we put in place a new system that recognizes and blocks these
attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a
fingerprint that protects all Cloudflare customers.
Attacks
Blog Post:
https://blog.cloudflare.com/say-cheese-a-snaps
hot-of-the-massive-ddos-attacks-coming-from-i
ot-cameras/
The attack lasted 15 minutes with over 1 million HTTP
RPS (Requests Per Second)
The First Attack
This attack had 128,833 unique IP addresses. It
generated only 220k RPS, but topped out at a high 360
Gbps bandwidth
The Second Attack
11

12. Poll #2
Do you run services (SSH, FTP, SharePoint, SMTP, etc.) other than HTTP/S traffic on your origin?
● Yes
● No

13. Traditional DDoS Mitigation Solutions

14. Industry Legacy Scrubbing Center
Pre-Attack Attack Begins Mitigation
Implemented
14
12:05 12:15 12:2012:00
Attack Detected

15. Alternative DDoS Mitigation Solutions

16. Cloudflare’s Always-On DDoS Mitigation
Automatic Mitigation
16
12:0512:00 12:05
Real-Time DetectionContinuous Performance Benefit

17. Other DDoS Attack Vectors

18. Volumetric attacks on TCP-based services
Attackers send direct volumetric attack traffic to
TCP-based services like email or remote access,
impacting performance and availability.
DDoS Attack
Customer Challenges
Non-HTTP/S
TCP Attack Traffic
SSH
Snooping Attempt on clear-text TCP
Attackers snoop non-web, unencrypted
traffic to gain access to sensitive data, such
as user credentials.
Data Theft
SMTP
SFTP
SSH
SMTP
SFTP
Snooping of
Unencrypted Data
in-Transit

19. Cloudflare Spectrum
Proxy non-HTTP/S TCP traffic through Cloudflare
Mitigate DDoS for TCP Protocols and Ports
Cloudflare Spectrum proxies all non-HTTPS TCP traffic through
the same 120+ cloudflare data centers, ensuring protection
against DDoS attacks targeting layers 3 and 4 across open ports.
Encrypt Non-HTTP/S TCP Traffic
Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with
Universal SSL to protect against snooping of data in transit.
Block Traffic by IP or IP Range
Spectrum integrates with Cloudflare’s IP Firewall so that traffic
from specific IP or IP ranges can be dropped at the edge
C
loudflare
Spectrum
2
1
Client
Encrypted
TCP Traffic
SSH
SMTP
SFTP
SSH
SMTP
SFTP
3
Client
SSH
SMTP
SFTP
IP
10.0.0.1
10.0.0.1
https://developers.cloudflare.com/spectrum/

20. Spectrum Demo

21. Direct Attack against Origin IP
Attackers directly attack the origin IP address.
DDoS Data Theft
Intrusion Attempt Directly on Origin
Applications exposed to the public Internet through the IP
address can be brute-forced to access sensitive data.
206.221.179.46
206.221.179.46
Brute Force
Attack stopped by
Cloudflare proxy
Direct Attack against Origin IP
Attack bypasses proxy to
hit IP address directly
Attack stopped by
Cloudflare proxy
Attack bypasses proxy to
hit IP address directly

22. Cloudflare Argo Tunnel
Stop Direct Attacks Against the Web Server’s Origin with a Secure Agent
Protect web servers from DDoS attacks directly against their
origin’s public IP address
When connected directly to Cloudflare, web servers can no longer be
directly attacked through open ports on public IP addresses with DDoS
or data theft attempts, keeping applications and APIs online and
performant.
Safely and easily expose development environments to the
Internet
Developers can expose the localhost on their laptop directly to the
public Internet for testing code and speeding up development, while
also being protected from attacks.
Accelerate Origin Traffic
Argo Tunnels not only protects web servers from direct attacks, but also
accelerates origin requests through a persistent HTTP/2 connection.
With Argo Smart routing, origin requests bypass congested networks
and are routed on the shortest network distance to ensure fast delivery.
Argo
Tunnel
2
1
3
localhost
HTTP/2
206.221.179.46

23. Argo Tunnel Demo

24. The Long Tail of “Layer 7” Attacks
Site Rank
Capacity(HTTPrequestspersecond)

25. Cloudflare Rate Limiting
Precise DDoS Mitigation
• High precision denial-of-service protection
through robust configuration options
Protect Customer Data
• Protect sensitive customer information
against brute force login attacks
Ensure Availability
• Avoid service disruptions by setting usage
limits on HTTP requests
Requests per IP address matching the traffic pattern
25

26. Rate Limiting Demo

27. Questions?
➔ John: jesterline@cloudflare.com
➔ Tim: fongster@cloudflare.com