Hackers of India

Defense Against Rapidly Morphing DDOS

By Mudit Tyagi, Mikhail Fedorov on 07 Aug 2019 @ Blackhat



Abstract

In June 2018 ProtonMail suffered rapidly morphing, sustained DDoS attacks that included SYN floods, TCP handshake violations, TCP zero-sequence packets, ACK floods, NTP non-standard-port floods, and reflection attacks on the SSDP, NTP, Chargen, LDAP and Memcache protocols [1].

We created an attack toolkit that mimics the ProtonMail attacks and used it to study the efficacy of various defenses against an attack like the one ProtonMail suffered. We discovered that fighting off rapidly changing, bursting attacks with standard techniques is near impossible for SOC operators, because a human cannot understand each new attack vector and apply the well-known mitigation fast enough.

We found that the most effective defense combined an unsupervised machine-learning algorithm that establishes a baseline and performs anomaly detection and mitigation with a second machine-learning algorithm that tunes the performance of the first. With this scheme in place, the SOC operator no longer had to react at machine speed, but simply monitored the machine's findings and actions.
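The baseline-then-detect loop the abstract describes, as an added illustration that is not code from the talk, from ProtonMail, or from the speakers' product. The talk does not name its algorithms, so this substitutes an exponentially weighted per-feature mean and variance for the unsupervised baseline, a z-score threshold for anomaly detection, and a small search over that threshold for the second, tuning stage; the feature names, the benign window and the morphing burst are all constructed to match the attack vectors listed above.

```python
"""Baseline-then-detect over per-second L3/L4 counters (added illustration).

Not code from the talk, ProtonMail, or the speakers' product. The talk does not
name its algorithms; this substitutes an exponentially weighted mean/variance
per feature for the unsupervised baseline, a z-score threshold for anomaly
detection, and a small search over that threshold for the second, tuning
stage. All traffic samples are constructed.
"""
import math
from dataclasses import dataclass, field

# Feature names are assumptions chosen to match the attack vectors in the abstract:
# packets per second by TCP flag or by UDP source port (NTP, SSDP, Memcache).
FEATURES = ("syn", "ack", "udp_src123", "udp_src1900", "udp_src11211")


def make_sample(**counts):
    return {f: counts.get(f, 0) for f in FEATURES}


# 60 seconds of constructed benign traffic: a deterministic wobble around fixed rates.
BENIGN = [make_sample(syn=100 + i % 7, ack=900 + i % 13, udp_src123=5 + i % 2,
                      udp_src1900=2, udp_src11211=1) for i in range(60)]

# A constructed burst whose vector changes every second or two, then stops.
ATTACK = [
    make_sample(syn=20000, ack=900),                   # SYN flood
    make_sample(syn=20000, ack=900),
    make_sample(syn=100, ack=30000),                   # ACK flood
    make_sample(syn=100, ack=900, udp_src123=15000),   # NTP reflection
    make_sample(syn=100, ack=900, udp_src11211=9000),  # Memcache reflection
    make_sample(syn=105, ack=910, udp_src123=5, udp_src1900=2, udp_src11211=1),  # benign again
]
LABELLED = [(s, i < 5) for i, s in enumerate(ATTACK)]  # ground truth for the tuner


@dataclass
class Baseline:
    """Per-feature running mean and variance with exponential forgetting."""
    alpha: float = 0.05
    mean: dict = field(default_factory=dict)
    var: dict = field(default_factory=dict)

    def learn(self, sample):
        for f, v in sample.items():
            if f not in self.mean:
                self.mean[f], self.var[f] = float(v), 1.0
                continue
            diff = v - self.mean[f]
            self.mean[f] += self.alpha * diff
            self.var[f] = (1 - self.alpha) * (self.var[f] + self.alpha * diff * diff)

    def zscores(self, sample):
        # Variance floored at 1 so a feature that is normally flat still yields a finite score.
        return {f: (v - self.mean[f]) / math.sqrt(max(self.var[f], 1.0))
                for f, v in sample.items()}


def warm_up(samples, alpha=0.05):
    """Learn a baseline from traffic assumed clean (the training window)."""
    b = Baseline(alpha=alpha)
    for s in samples:
        b.learn(s)
    return b


@dataclass
class Detector:
    baseline: Baseline
    k: float = 6.0  # z-score threshold; tune_threshold() chooses it

    def step(self, sample):
        """Return the features that exceed the threshold for this second.

        The baseline only learns from samples judged benign, so an ongoing flood
        cannot drag the baseline up until the flood looks normal."""
        flagged = {f for f, z in self.baseline.zscores(sample).items() if z > self.k}
        if not flagged:
            self.baseline.learn(sample)
        return flagged


def run(detector, samples):
    """Replay samples in order and return the sorted flagged features per second."""
    return [sorted(detector.step(s)) for s in samples]


def f1_score(detector, labelled):
    tp = fp = fn = 0
    for sample, is_attack in labelled:
        predicted = bool(detector.step(sample))
        tp += predicted and is_attack
        fp += predicted and not is_attack
        fn += (not predicted) and is_attack
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def tune_threshold(benign, labelled, candidates=(0.5, 6.0, 1e5)):
    """Second stage (assumed): pick the threshold with the best F1 on a labelled replay.

    Each candidate gets a fresh baseline trained on the same benign window."""
    scores = {k: f1_score(Detector(warm_up(benign), k), labelled) for k in candidates}
    return max(scores, key=scores.get)


if __name__ == "__main__":
    det = Detector(warm_up(BENIGN), k=tune_threshold(BENIGN, LABELLED))
    for second, flagged in enumerate(run(det, ATTACK)):
        print(f"t={second}: {', '.join(flagged) or 'normal'}")
```

Each flagged feature names the filter a mitigation layer would apply for that second (SYN cookies and per-source SYN limits for `syn`, dropping inbound UDP from source port 123 for `udp_src123`, and so on), which is what lets the vector change every second without an operator in the loop. Two details matter in practice: the detector must not learn from seconds it has flagged, or a sustained flood becomes the new normal, and the threshold has to be tuned on replayed traffic with known labels rather than picked by hand, which is the role the abstract gives the second algorithm.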

References: [1] https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/

AI Generated Summary (may contain errors)

Here is a summarized version of the conversation:

The speakers are discussing DDoS defense mechanisms, and how their solution can detect and mitigate volumetric attacks. They explain that placing the DDoS defense between the ISP routers and enterprise routers or in front of the firewall can help identify both forward and reverse flows of traffic sessions.

For volumetric attacks, which overwhelm the network pipe, a cloud scrubber is needed to handle the high volume of traffic. The speakers’ solution uses layer 3 and layer 4 signatures to detect bad packets without needing to inspect payload.
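The header-only classification the summary refers to, as an added example that is not the speakers' code or their actual signatures. The rules below are assumptions that encode the attack classes named in the abstract (handshake violations, zero sequence numbers, unsolicited replies from well-known reflector services) using nothing but IP/TCP/UDP header fields, and they assume the device sees both directions of each flow, which is the reason for the placement described above. The packet trace is constructed from RFC 5737 documentation addresses.

```python
"""Layer 3/4 signature checks over packet headers only (added illustration).

Not the speakers' signatures; the rules below are assumptions that encode the
attack classes named in the abstract using only IP/TCP/UDP header fields.
The device is assumed to see both directions of a flow. All packets are
constructed (RFC 5737 documentation addresses).
"""
from dataclasses import dataclass

# UDP source ports of services named in the abstract as reflection sources.
REFLECTORS = {19: "chargen", 123: "ntp", 389: "ldap", 1900: "ssdp", 11211: "memcache"}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "A"
    seq: int = 1        # TCP sequence number (ignored for UDP)


def flow_key(p):
    """Direction-independent key so a reply matches the request that caused it."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class SignatureFilter:
    """Stateful header-only classifier. Flows never age out here; a real device
    must expire them, otherwise the table grows without bound under a flood."""

    def __init__(self):
        self.flows = set()

    def classify(self, p, direction):
        key = flow_key(p)
        if direction == "out":
            self.flows.add(key)          # our side initiated or answered: remember it
            return "ok"
        if p.proto == "tcp":
            if p.seq == 0:
                return "tcp-zero-seq"    # legal in theory, in practice a flood-tool artefact
            if "S" in p.flags and "A" not in p.flags:
                self.flows.add(key)      # new inbound connection attempt; SYN *rate* is the volumetric layer's job
                return "ok"
            if key not in self.flows:
                return "tcp-handshake-violation"   # ACK/RST/etc. for a flow we never saw open
            return "ok"
        if p.proto == "udp":
            service = REFLECTORS.get(p.sport)
            if service and key not in self.flows:
                return f"udp-reflection:{service}"  # reply from a reflector nobody here queried
        return "ok"


# Constructed trace: (direction, packet). 10.0.0.5 is the protected host.
TRACE = [
    ("out", Packet("udp", "10.0.0.5", 40000, "198.51.100.7", 123)),          # our NTP query
    ("in",  Packet("udp", "198.51.100.7", 123, "10.0.0.5", 40000)),          # its legitimate reply
    ("in",  Packet("udp", "203.0.113.9", 1900, "10.0.0.5", 40001)),          # unsolicited SSDP
    ("in",  Packet("udp", "203.0.113.10", 11211, "10.0.0.5", 80)),           # unsolicited memcache
    ("in",  Packet("tcp", "192.0.2.4", 51000, "10.0.0.5", 443, "S", 12345)), # normal SYN
    ("in",  Packet("tcp", "192.0.2.4", 51000, "10.0.0.5", 443, "A", 12346)), # its ACK
    ("in",  Packet("tcp", "192.0.2.5", 51001, "10.0.0.5", 443, "A", 777)),   # ACK out of nowhere
    ("in",  Packet("tcp", "192.0.2.6", 51002, "10.0.0.5", 443, "S", 0)),     # SYN with seq 0
]


def run_filter(trace):
    """Return one verdict per packet, in order."""
    f = SignatureFilter()
    return [f.classify(p, d) for d, p in trace]


def count_bad(trace):
    """Verdict histogram, excluding packets that passed."""
    counts = {}
    for v in run_filter(trace):
        if v != "ok":
            counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for (d, p), verdict in zip(TRACE, run_filter(TRACE)):
        print(f"{d:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict}")
```

Nothing here reads a payload: the NTP reply is accepted because the outbound query was seen first, and the SSDP and Memcache packets are rejected because no such query exists, which is exactly why the filter has to sit where both forward and reverse flows pass through it. Rate-based decisions (how many SYNs per second is too many) are deliberately left to a volumetric stage; a per-packet signature can only say whether a packet is consistent with a flow it has seen.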

The conversation also touches on open-source testing tools for DDoS protection, which allow vendors to be compared on standardized tests. The speakers offer to help with testing and provide a kit for testing in a safe environment.

No specific bake-off or performance comparison has been done between the speakers’ solution and other vendors’, but they invite others to test their solution and share results.