Replace your on-prem hardware DDoS appliance — Now!
Presented by: Vivek Ganti
Originally aired on February 18, 2021 @ 4:30 PM - 5:00 PM EST
It’s time for a change.
When organizations need to protect their on-prem networks, IT departments typically turn to old, legacy hardware boxes. These hardware boxes are expensive, hard to manage, and slow. And as now more than ever, the Internet is mission-critical to stay connected, we're also seeing a growing risk of cyber threats. So how do we ensure enterprise networks are safe and fast in a cost-effective manner?
Join this session to learn about Cloudflare's offering for networks—how Cloudflare can help enterprise networks be fast, secure, and reliable.
English
Security
Transcript (Beta)
Hello everyone, my name is Vivek and I'm with Product Marketing here at Cloudflare. Today I will be talking to you about why you should replace your on-premises hardware DDoS appliance and why now is a better time to do it than ever.
So let's get started.
Let's begin with looking at what most enterprise networks look like today.
Most enterprises have a headquarters, then they have data centers and branch offices, all of which have a combination of on-prem network hardware and maybe some cloud-based infrastructure to them.
And these offices are connected to each other via often a combination of MPLS, which are lease lines or broadband Internet, or actually a lot of times a combination of both.
Then of course there's also remote workers.
I'm working remotely. I'm doing this from my home. Of course, everyone is working remotely.
So we're living in a completely different world where we all need to access our internal applications.
So we need to VPN, maybe through the VPN concentrator for our internal application access, which also makes securing the network perimeter very difficult.
Basically, these networks don't have a single unified way of orchestrating them, and they're very difficult to manage.
But why did we build these large networks? We essentially built them to satisfy very fundamental needs of the Internet, security, performance, and reliability.
Organizations have had to constantly worry about protecting their applications or their networks, whether it's from DDoS attacks or malicious bots or network congestion and service disruptions.
And they've relied on the Internet to meet customer expectations for always-on access to their services with low latency, total reliability, and high levels of security and privacy.
Businesses are accountable for the delivery of these requirements end-to-end, and to every customer.
And this doesn't depend on what the client device is. It could be a desktop, it could be a mobile device, but it is forcing businesses to address these fundamental requirements, which are security, performance, and reliability globally.
So let's actually zoom in into one of those data center racks and see what it looks like.
Of course, you have a router and a switch, but then you might also have a WAN optimizer, which is often used to accelerate traffic between different branch offices.
There's, of course, a denial of service appliance, a DDoS appliance.
It's becoming more and more commonplace now more than ever. And I'll talk about this in a bit about how we're seeing an increased risk of cyber threats on the Internet.
You might have a firewall or VPN appliance. You might have a WAF, which is a web application firewall.
And for reliability, you might even have a load balancer box to do some TLS termination.
Now, while all these what we call band-aid boxes address some of the security, performance, and reliability needs of the enterprises, and they do have some benefits, they've actually contributed massively to complexity, the cost, the technical debt, and frankly, a tangled web of dependencies to enterprises.
They're expensive. They cost a lot in terms of CapEx and OpEx, and they're just not sustainable anymore.
But in spite of these drawbacks, we have these boxes because they were frankly sufficient to ensure a certain amount of safety, functionality, and resilience that most businesses require today.
And they could afford that in the on-premises paradigm. But the problem is that these boxes were never really designed to work in the cloud.
The network hardware boxes worked for a while in the on-prem environments, in the on-prem deployments, but in the early days of the Internet.
But the way we deploy applications, application deployment itself is changing.
So let's actually zoom in further on the last box in this slide, which is application servers, and look at how their evolution has been.
Gen one, once upon a time, if you wanted to deploy server-based software, you bought a server, you made an application, and then you ran it on that server.
How long did that take to deploy? The answer was actually months.
And then along came VMware, and they said you don't need a different server for every application.
On one server, you could divide it up into multiple VMs, virtual machines, and you could run different applications on the same piece of metal.
And this was incredible. But you still had to have a server, a big metal box.
And how long did that take to deploy? The answer was on average weeks, if not days.
And then came along Amazon. They came along and said, why do you even need your own server or any infrastructure at all?
We'll manage a series of VMs for you.
So now you're in the cloud. And the time to deploy went from months to weeks to now hours or minutes, which was revolutionary.
So to recap, in gen one was bare metal, gen two was virtual machines, and gen three is the cloud instances.
And this has driven drastic changes in the infrastructure that enterprises are deploying.
So the enterprise network, which looked like this, which was a combination of headquarters, data centers, their branch offices, with a hodgepodge of connectivity, now suddenly started looking like this.
So this is called the hybrid networking model, where you have both on -prem infrastructure and the cloud, and you have your VPCs, you have your cloud router, you have your security groups, your cloud NATs, but you also have your on -prem infrastructure still.
So how did we increase the overall complexity in managing our networks as opposed to reducing it?
And that brings me to my next point.
We all talk about digital transformation, and that's what digital transformation means, like moving things to the cloud, right?
But no one talks about a disconnect.
With the Amazons and the Microsofts and the GCPs of the world, compute storage and applications are shifting to the cloud.
But then there's one fundamental element which has missed the train, and that's network infrastructure, perimeter network infrastructure.
That is your firewall, your load balancers, your WAN accelerators, your DDoS mitigation boxes.
They're all still point function boxes, which are designed to deliver either security or performance or reliability, and are still on-premises.
So isn't it time that your network perimeter also transition to the cloud?
It's time for a change, and what we need is really a global cloud platform that delivers all of these very fundamental needs of the Internet from the cloud, close to where your app servers are, close to where your end users are.
That's all that matters. And a transition is underway that is tectonically changing the way we think about networking.
And Cloudflare is leading this transition. So who is Cloudflare?
I do want to take a minute to talk about who we are. Cloudflare is a global cloud platform that delivers a broad range of network services to businesses of all sizes around the world.
What we're doing is we're taking the Band -Aid boxes that I just showed you, and we're turning it into a service so that it's available to anyone in a way that's easy to use and is very flexible and scalable across our platform.
So we're providing those same security, performance, and reliability services to you, while also eliminating the cost and complexity of managing and integrating individual network pieces of hardware.
So our mission is to help build a better Internet, and a better Internet is one that's faster, that's more reliable, that's also more secure for everyone.
What does our global network look like?
If there could be a visual representation of Cloudflare, I think this is what it is.
This slide is a visual representation of our network's scale and breadth.
We have a physical presence in over 200 cities across 95-plus countries, and we're less than 100 milliseconds away from 99% of the Internet-connected population in the developed world.
And for context, the blink of an eyelid is 300 milliseconds.
And we didn't build this network maniacally for no reason.
When we talk about upgrading the Internet in a lot of ways, making it faster for everyone, part of that is actually being physically closer to everyone.
Every data center we bring online in a new region has measurable significance to our customers.
So when we zoom into one of those dots on the maps that you saw, what does it actually look like?
Each of those dots represents a city that we have a presence in, and we've created a network architecture that's flexible, scalable, and gets more and more efficient as it expands.
We've designed and built our network to grow capacity quickly and inexpensively.
So what that means is that every single service that we offer at Cloudflare is run on every server in every rack in every data center across the 200 cities that we have a physical presence in.
So our software automatically manages the deployment and execution of our product developers' code and our customers' code across our entire network.
And that's really the core of what our network is built on.
So if you know us for content caching or web application firewall or DDoS mitigation or any other security reliability performance products, it runs on every server in every rack in every one of the data centers across 200 cities that you just saw.
So now let's talk about DDoS mitigation or security in particular, because that's what I want to focus on.
And I can talk about how big our network is and the scale of our network, but then there's no better way to actually understand that than to look at maybe something like this, a slide like this.
Our network is large, and the scale of our network precisely gives us the ability to do some big things on the Internet.
For example, our network blocks over 45 billion cyber threats on an average day.
When we talk about scale, it's sometimes hard for people to fathom what it means to operate at cloud-flare scale.
And this snapshot here is roughly about 30 minutes worth of attacks on an average day.
It gives you visibility to the changing phase of attacks.
Of course, you see the big headline-making volumetric attacks with high request volumes in the big orange circles, but what you also see are the smaller, sneakier attacks, which are actually growing more and more in number, that are on the rise with lower request rates.
They may not feel huge on this map, but if it's your origin server that's being targeted, it really hurts.
The good news is that we have them covered. Whether it's a big attack or a small attack or whatever it is, we learn from these attacks, and each one of these 45 billion attacks strengthens our security solutions by improving on our threat intelligence.
So a good comparison I often like to make is we're like the giant immune system for the Internet, and it's one that actually gets stronger with every attack.
Speaking of attacks, let's look at some of the global DDoS trends that we've seen over the past quarter over our networks.
First, by the way, all of these numbers are in comparison to the previous quarter, which is Q4.
So all these numbers are for Q1, which is January through March. First, we saw a rise of smaller, shorter attacks in Q1.
Most of the attacks that we observed in Q1 were relatively small as measured by their bit rates.
As you'll see here, about 92% of the attacks were under 10 gigabits per second.
And what this means is one way to look at this is that more and more people are staying at home.
So we're seeing more and more stay-at-home teenagers or amateur hackers launch these DDoS attacks against network infrastructure.
However, it's not just the packet and bit rates that are decreasing, but also the attack durations.
So what this graph shows is that about 70 to 80% of DDoS attacks lasted between 30 to 60 minutes.
What this means is that these attacks can be very quick, but the damage they do is very hard to recover from.
Sometimes even before the attacks are processed and any mitigation steps are implemented, the attacker has done enough damage.
And so what we really need is something that's an automated solution that quickly and accurately detects attack and takes remedial action before any real damage is done.
So the number of DDoS attacks have also increased. And you'll see an interesting trend here.
The number of attacks in March significantly spiked when compared to those in January and February.
And this lines perfectly as the government authorities started mandating lockdowns and shelter-in-place orders.
So attackers had nothing to do.
They resorted to increasing the number of large-scale attacks in the latter half of March.
So we're seeing a larger number of smaller attacks.
But then in the second half of March, we also saw a significant amount of larger attacks too.
So you'll see that about 95% of the attacks, peaking at 300 to 400 gigabits per second, were launched in the second half of March.
So what do these numbers actually mean?
The first is attacks are cheap. Launching DDoS attacks, you don't need much technical background.
There's a lot of DDoS as a service tools, which have provided a possible avenue for bad actors with little to no technical expertise to launch DDoS attacks very quickly, very easily, in a very cost -effective manner.
But each of these attacks can be really expensive. I was reading this report by Kaspersky, which said that you can launch an attack for five brawlers for a five-minute attack.
And another report by Gartner shows that on average, it costs enterprises more than $5,000 per minute.
So think about that. It's very asymmetrical when it comes to the attacker and one who's getting attacked.
Now, the second thing is every attack hurts. When an attack is under 10 gigabits per second might seem small, it can still be enough to significantly bring down underprotected Internet properties.
So smaller and quicker attacks might prove to deliver higher ROI for attackers to extort a ransom from companies a lot of times.
And as I showed in the data, there's a large number of DDoS attacks that are happening in March compared to the first two months.
And attackers are using this crisis period to be an opportune time to launch an increased number of DDoS attacks, both in size and number.
That's unfortunate. So what can we do about it?
When we think about DDoS protection, we have to think about attacks both not just in terms of size, but also across the layers of the OSI model, because it's not just your websites that need protection.
It's also your TCP and UDP applications.
It's your network layer infrastructure. And this almost brings me to a story of Cloudflare.
In a lot of ways, this slide of the OSI model is very reflective of our journey over the last 10 years.
When we started about 10 years back, we focused on building services for the application layer, HTTP, content caching, web application firewall, load balancing, et cetera.
And our founders placed a lot of bets on HTTP being the main protocol on the Internet.
And in many ways, they were right.
But as we provided security, reliability, and performance services to our customers for their application layer, they were also asking us to extend those same services to their network infrastructure.
And in our journey from, say, five data centers to 200 data centers, we also needed to protect our own data centers and offices.
So our options were either to buy existing DDoS mitigation boxes or use other cloud scrubbing providers.
And neither of these really met our needs.
So we essentially built a DDoS mitigation and detection pipeline on commodity hardware to protect our own networks.
And we're making this product now available to our customers, and it's called Magic Transit.
So Cloudflare Magic Transit essentially delivers network functions virtually at Cloudflare scale.
So that's DDoS protection, that's traffic acceleration, and much more from every single one of these data centers that you see on this map.
You can literally think of it as the strength and breadth of our whole network sitting in front of your network if you have an enterprise network.
So how does it work?
We use BGP. BGP is Border Gateway Protocol to announce the routes of the customer's network.
And if you know how Cloudflare works, it's fundamentally different from how a lot of our other products work in that it's not a simple DNS redirect.
It's more involved where we would announce the customer's routes using BGP, and that could be a slash 24 prefix, and we would ingest all of the network traffic to the Cloudflare data center to inspect for any threats.
And then send all that clean traffic encapsulated using GRE or maybe using Direct Connect, tunnel it over to the customer's network.
Finally, any egress traffic that is sent back to the requesting client is sent using the Internet.
So it's DSR, which is Direct Server Return.
So why would you want to consider Magic Transit? One is it helps you get rid of those boxes.
Remember, we looked at the data centers and all those individual point function hardware boxes.
Many bigger companies are at some stage of their path towards digital transformation, and Magic Transit helps companies adopt the cloud further.
So think of this as network functions being delivered as a service.
Second is it gives you access to Cloudflare's expansive network. We have a vision where all you would have to do is plug into Cloudflare, and we take care of the rest, whether it's security performance or reliability, and we will make sure that not only is your network infrastructure fast, but also every bit based on our network will reach its destination quickly and reliably.
The third is cost.
More and more companies, especially now more than ever, are looking to find ways to reduce their capex.
Because with Cloudflare, you don't have any capital expenditure.
It's literally zero, and we don't even charge for professional services.
We deliver these services to you as functions that are delivered and built on the fly.
It's a subscription-based model. How are we different from other providers?
One is, as with other providers, we use BGP and bring your own IPs, but the biggest differentiator for us is our network.
We have a mitigation capacity of over 37 terabits per second, and that's higher than the next four competitors combined.
The way we're able to do this is because we don't have a limited number of scrubbing centers.
We can actually announce our routes from every one of our data centers and ingest traffic to each one of those data centers.
That's just advantageous in two ways. One is we can protect our networks from threats of any size, but also we take latency into account where all traffic doesn't have to be redirected to a very distant scrubbing center.
As with anything Cloudflare, we make sure your performance is not impaired.
The other good thing is that all of our products need to be integrated with each other.
If you're already using us for CDN or DDoS mitigation for your websites or web application firewall, you don't have to do much to actually turn on additional services right from our dashboard.
And finally, the other point I want to stress on is that all of our products are built in-house on our own servers, so we're not dependent on third -party vendors.
We can deploy patches. We can do firmware upgrades.
We can learn very quickly from our vast network. We're a company that's known for innovation, and building software and commodity hardware helps us innovate fast and even keep our costs down and pass those savings on to our customers.
So now moving, pivoting a little bit towards performance, as I said earlier, Cloudflare's always believed in the power of the AND, which is security and performance.
And once again, thanks to the scale of our network, we're able to accelerate traffic that traverses it.
We learn from traffic that spans like 27 million Internet properties, which enables our ML-based intelligent routing algorithms to route traffic around network congestion in real time.
So it's called Argo Smart Routing, where we make sure that any traffic between any two points on the planet gets sent in the fastest, most reliable routes in real time.
And what's also nice is that all Argo traffic is encrypted end-to-end, so that for your origin, if you're sending web traffic, if any cache misses occur, then Argo also checks for nearby Cloudflare data centers for the requested content, which also saves on latency and reduces the load on your origin server.
So if this sounds familiar, it's because it's very similar to Google Maps.
Think of it as, a good analogy would be Waze or Google Maps for the Internet.
We currently support this for all web traffic and TCP traffic.
And very soon, it won't matter what kind of traffic it is.
It'll be any traffic, any IP traffic. We'll just make sure that it's being sent over the fastest and the most reliable routes in real time.
So I alluded to this in some of our benefits, but some people have asked what our commodity hardware actually looks like.
We don't use vendor-specific infrastructure. These are actually x86 machines, the G9 servers with their CPU cores.
There are four sleds, which represent four nodes, each with a 224-core Intel CPU.
So it's basically the same architecture as your laptop, but it's just beefier.
So every server and every rack in each one of the 200 data centers around the world runs some sort of commodity hardware like this.
And the reason I bring up this slide is because there's no dependency on third-party vendors, which allows us to deploy patches faster.
We can innovate much faster and transfer those learnings on to our customers very quickly.
So to summarize about the product I talked about today, which is Magic Transit, it's completely built in-house.
It's a software-defined product that is designed to help make networking as a whole much better.
We use BGP and bring your own IPs, and we can onboard you within hours, if not a few days.
We return traffic over GRE, and we're very quickly soon, in the next month or so, going to be launching PNI support also.
We filter traffic over our huge global network, which comprises over 200 cities.
And unlike other vendors, we actually make your traffic faster over the Cloudflare network and not slower.
And what's also nice is that all of our products, whether you're using it for Layer 3, Layer 4, or Layer 7 services, they work natively.
And one way to look at this is that when you sign up with Cloudflare, you're really buying our entire network.
All the other services, no matter what you're using us for, run on that same global network.
And whatever product you're using Cloudflare for, we'll make sure that it's going to be a combination of security, performance, and reliability.
So let's actually tie it all together and come back to this data center rack where we started.
Without Cloudflare, you, of course, had your router and switch, and you had these point function boxes, which were all meant to address some fundamental needs of the Internet performance, security, and reliability.
You had your WAN optimization appliance, you had your DDoS mitigation appliance, you had a box for WAF, you had a box for your VPN, you might have even had a box to make sure in your peak times, you can still handle all the traffic your network's getting for your load balancer.
But all of this is getting very complex because this is all in just one data center.
You have multiple offices that you need to now connect between each other.
And the orchestration and management of this is not just expensive, but also really laborious.
We recently had a customer who come to us and tell us that the person who was managing one of these boxes left the company, and they didn't have the username and password to log into that box, and they just got fed up and wanted to use a cloud-based service like Cloudflare.
With Cloudflare, this is what it looks like. Your data center rack is hugely simplified.
All you would have to do is plug into Cloudflare, and we help make sure that your applications are secure, fast, and reliable.
So as I said, our mission is to help build a better Internet.
We build products that are secure, fast, and reliable.
And we envision a world where all you would have to do is plug into Cloudflare, and we take care of the rest.
We're building network services that scale on demand, but you still pay for only what you use.
It's a predictable subscription-based billing.
And we're always within milliseconds from all of your users worldwide.
And there's also zero latency for every service that's enabled.
And this is really the new paradigm of networking, one where you can have it all.
You don't have to choose between security, performance, or reliability.
We believe in the power of the and. And the second principle is all about software defining every single thing on commodity hardware, so you're not dependent on third-party vendors.
You have full control over your software on how it gets deployed globally, so we can innovate faster at lower costs.
And finally, we can leverage the power of network effects.
As I said, we're almost like the immune system for the Internet.
For example, if you see an attack in Chile, we can deploy those learnings in India.
And with Cloudflare, you get that automatic protection, which is powered by machine learning.
And as I said, it's not just about security.
We will also intelligently route around congestion or other problems in real time because of the intelligence that we have from our network.
So finally, I want to end this talk with a shameless plug.
The now is about, I mean, if you're thinking about replacing your DDoS mitigation infrastructure, there's no better time than now.
For a limited time, we're running a promotion where if you're an existing customer of a DDoS mitigation provider, we will replace your current product with Magic Transit at no additional charge to you.
So please feel free to contact me at vivek .Cloudflare.com or go to our page.
It's Cloudflare.com slash LP slash better. And one of us will get in touch with you and tell you more about this promotion that we're running right now.
So if there's any questions, as I said, please do reach out to me.
This has been great. And thank you all for joining. This is really exciting that we're doing this at Cloudflare TV.
Please do stay tuned. There's a lot more sessions that are exciting that are coming up today.
So with that, I will end my talk.
Transcribed by https://otter.ai