NSFOCUS Anti-DDoS System White Paper


By NSFOCUS

NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS holds all copyrights in the textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which are governed by the relevant property rights and copyright laws. Without the written permission of NSFOCUS, no individual or institution may copy or quote any section herein in any way.

Table of Contents

Introduction
Intense Threat of DDoS
    Attack Analysis
    Development Trend
Necessity of DDoS Prevention
Deficiency of Today's Attack Countermeasures
    Manual Prevention
    Fallback Policy
    Router
    Firewall
    IPS/IDS
Basic Requirements of DDoS Prevention
    Consummate Prevention Strategy
    Evolvement on Prevention Principle
NSFOCUS Anti-DDoS System
    Three-tuple Integrated Solution
    Deployment Mode
    Core Principle
    System Features
    Professional Customer Support
Conclusion

Introduction

A Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack is an attempt to make a service or network resource unavailable to its intended users. DDoS attacks have become a popular attack method because they are easy to carry out, difficult to prevent and hard to trace. DDoS attacks can be classified in various ways; by attack method, for example, they fall into resource exhaustion, service termination, and physical violation. DDoS attacks usually exploit network protocol vulnerabilities, or consume the limited bandwidth of the network or a device, to crash or freeze a service or resource. Because they can evade common network security devices such as firewalls and intrusion detection systems, preventing DDoS attacks is a real headache for network administrators. Unlike traditional attacks, which illegally obtain information by sneaking into a target's business system, DDoS attacks can cause immense damage in the hands of hackers, who forge large volumes of traffic to overload the attacked servers, network links, or network devices (such as firewalls and routers) and crash the entire system. As a result, legitimate users cannot access services as usual. Since prevention measures are inadequate and DDoS attacks are easy to launch, the threat they pose is severe. The targets of DDoS attacks are not limited to a single object, such as a web server or a network device, but extend to the whole network. Much network infrastructure, including routers and switches at the convergence and core layers and the Domain Name Service (DNS) systems of ISPs (Internet service providers), has suffered DDoS attacks to some extent. In October 2002, a massive attack with the hallmarks of a brute-force DDoS attack struck eight of the thirteen root domain name servers, and communication across the whole Internet was affected.
Since the Internet is increasingly used to conduct business and even to provide many critical services, the losses from a DDoS attack may be disastrous. Many users, including ISPs, enterprises, and government institutions, are threatened by DDoS attacks. Worse, numerous destructive DDoS attacks may occur in the future as more powerful attack tools are developed. Because DDoS attacks are difficult to prevent and the harm is grave, Internet users face the severe challenge of handling DDoS attacks effectively. As an independent module of the overall security policy, network devices or traditional boundary security devices (such as firewalls and intrusion detection systems) cannot provide perfect protection against DDoS attacks. Therefore, a dedicated mechanism is needed to detect and restrain these growing, complicated, and deceitful attacks.

1 / 26 - White Paper

Intense Threat of DDoS

DDoS attacks are carried out via zombie systems on the Internet. As more and more unprotected personal computers are connected to the Internet, hackers can easily exploit their vulnerabilities, plant code on them, and turn them into tools for DDoS attacks. To initiate a massive DDoS attack, hackers need only send commands to the zombies, and the zombies carry out the attack by themselves. With the development of botnets, the traffic generated by a DDoS attack may be stupendous and saturate all available bandwidth of the target machine or network. The common characteristics of DDoS traffic are spoofed source IP addresses, distributed attack sources and diverse types.

Impact of Attack

The impact of DDoS attacks is immense. In a bandwidth exhaustion attack, the attacker forges flooding packets to saturate the limited bandwidth, making it impossible for the victim's intended users to access services and degrading the website's performance dramatically. The SLA (Service Level Agreement) may be breached, and a large amount of service compensation will have to be paid. Before long, the company's reputation is damaged, profit falls, productivity drops, and IT expenditure and lawsuit costs rise, among other bad results caused by DDoS attacks. In addition, the wide spread of the attacks is another problem we have to face. According to the Report on Internet Security of China 2010H1 released by CNCERT, CNCERT's monitoring survey during the first half of 2010 showed that nearly 1,240,000 hosts in mainland China were planted with zombie and Trojan horse programs, and 127,559 control servers in foreign countries were found participating in the control of infected hosts in mainland China.

Attack Analysis

How does a DDoS attack work? From the angle of criminology, any attack must have three factors: method, opportunity and motive.
In the following part, we analyze DDoS attacks from these three points:

Attack Methods

Network packets are usually transmitted on the Internet via TCP/IP. Although the packets are not harmful in themselves, once there are too many of them, the network device or the server becomes overloaded. When packets exploit defects in some protocols (such as crafted malformed or anomalous packets), the network device or the server cannot process them normally. In this case, system resources are rapidly consumed and service requests from users are denied. This is the working principle of DDoS attacks. The main difficulty in preventing DDoS attacks is that illegal traffic is blended with legal traffic, so DDoS attacks cannot be detected effectively during prevention. For example, it is difficult for a signature-based IDS to distinguish illegal packets from legal ones. In addition, many DDoS attacks use spoofed source IP addresses to evade identification by tools that detect attacks based on anomalies. In general, DDoS attacks fall into the following types:

Bandwidth-based attacks: The attacker sends a large number of packets to congest the limited bandwidth or exhaust the resources of a victim. The resources of routers, servers, and firewalls are usually limited; when they are attacked and overloaded, legal access cannot be processed normally, and denial of service occurs.

Traffic-based attacks: The most common traffic attack is the flood. In this kind of attack, a large number of seemingly legal TCP, UDP, and ICMP packets are sent to the target, and spoofed source IP addresses are used to evade monitoring by the detection system.

Application-based attacks: Application DDoS attacks exploit features of the TCP or HTTP protocol. By consuming resources persistently, attackers can prevent the target device from processing intended access requests. The HTTP Half Open attack and the HTTP Error attack belong to this type.
Attack Opportunity

At present, we are being driven forward by the convergence of terminal businesses: application service providers (ASPs) and network service providers (NSPs); traditional telecommunication networks and IP networks. The convergence brings new business models and profits, but diverse security threats, too. Data from Symantec shows that zombies often infect large-scale ISPs and hosts that are connected to the Internet at high speed. The expansion of bandwidth resources also gives attackers more opportunities.

Attack Motive

From the impact of so many DDoS attacks, we can see that the motive for attacks has changed greatly, from pure show-off or hobby to the pursuit of profit. The formation and booming of an illegal industrial chain is a problem that people in the network security field have to face. According to a recent Symantec study on Internet security threats, this illegal industrial chain keeps upgrading. Its characteristics are:
A. Most attacks are profit-driven;
B. Attacks tend to be carried out with expertise;
C. Attackers have a clear division of responsibility, and a new business model has formed;
D. Multiple tools are used in an attack. Common attack methods are used in the later attack phase, rather than at the beginning of the launch.

Development Trend

NSFOCUS has been engaged in DDoS attack tracing, detection, and research for many years. By turning research achievements into a series of products, NSFOCUS provides clients with professional security solutions, quality prevention products and expert technical support. Recent NSFOCUS research shows that DDoS attacks are following the development trend below:
A. Given the wide availability of DDoS tools on the Internet, launching an attack will be very easy, and new types of attacks will emerge.
B. Floods of attack traffic, which may reach 10Gbps at line speed, consume a large amount of the carrier's outbound bandwidth and dramatically degrade the performance of network devices.
C. Attacks targeting application services are increasing. Around DDoS attacks, a mature industrial chain driven by economic benefit has formed.
D. Attacks are becoming more complicated. Bandwidth exhaustion attacks mixed with application attacks are increasing and are very hard to prevent.
From the analysis of the three criminal factors and the development trend of DDoS attacks, we can see that DDoS attacks come with an economic purpose, straightforward targets, technical tactics and serious effects. How can crucial businesses and resources be protected efficiently against DDoS attacks? Is a prevention solution alone adequate to solve this problem?

Necessity of DDoS Prevention

Any service system that operates over a network, whatever the reason, economic or otherwise, should consider investing in the prevention of DDoS attacks. All large enterprises, government organizations, and service providers need to protect their fundamental service systems (including web, DNS, mail, switches, routers, and firewalls) against DDoS attacks and ensure the continuity of service system operation. Although DDoS prevention has an operating cost, the investment is really worthwhile from the perspective of return on investment.

For corporate and governmental networks: the network systems of corporations or governments often provide Internet connections for internal service systems or websites. Though the number of Internet users accessing these sites may not be large, the loss will be immense if DDoS attacks occur. For a corporation, a DDoS attack means that the service system cannot provide its intended services as usual, which clearly disrupts the normal production of the enterprise. If a governmental site is attacked, the political impact would be grave. These losses can be avoided by deploying anti-DDoS systems.

For Internet businesses (e-commerce, online games, electronic payment, etc.): they are frequent targets of DDoS attacks, and it is quite necessary for these websites to invest in a DDoS prevention system. If an e-commerce website suffers a DDoS attack, the economic losses incurred while the system fails to provide normal services include reduced transactions, advertisement and brand losses, and the cost of website recovery. Some attackers even extort website owners with DDoS attacks. The impact of DDoS attacks on the operation of websites is huge. DDoS prevention measures can greatly reduce these losses, save users the money they would spend on extra bandwidth or devices, and bring them a higher return on investment.

For telecommunication operators: network availability is a determinant of ROI.
If the operator's fundamental network is attacked, all the hosted services collapse. Service quality would be impaired or even lost. In the highly competitive operator market, a decline in service quality means the loss of customers; in particular, the loss of important customers with high ARPU (average revenue per user) would be fatal for operators. Therefore, effective DDoS prevention measures are indispensable to the quality of network services. On the other hand, for operators or IDCs, DDoS prevention can not only avoid losses on services but also be offered to end users as a value-added service. This is a new source of profit growth and brings stronger competitiveness in the industry.

Deficiency of Today's Attack Countermeasures

There are numerous network security products on the market, but few of them can effectively defend against DDoS attacks. Because of deficiencies in their design, common security products such as firewalls, intrusion prevention systems and routers always fail to fully address today's complicated DDoS attacks. Although a fallback policy or system optimization can be adopted to cope with low-traffic DDoS attacks, neither is the best option against massive traffic.

Manual Prevention

Generally speaking, there are two ways to prevent DDoS attacks by manual operation:

System optimization: Optimize key parameters of the victims to enhance their ability to respond to DDoS attacks. However, this method only handles low-traffic DDoS attacks and is not good at preventing mountains of attack traffic.

Source IP tracing: The first response of a system administrator under a DDoS attack is to consult the uplink network service carriers, which may be the ISP or the IDC, to find the source of the attack. But if the source IP addresses of the DDoS attack are forged, finding the attack source often involves many carriers and judicial organizations. Even when the attack source is found, blocking the traffic from there may cause the loss of normal traffic. Moreover, the prevailing botnets and newly emerged DDoS attacks make it impossible to prevent DDoS attacks by network tracing.

Fallback Policy

To prevent DDoS attacks, customers may buy redundant hardware to improve their system's anti-DDoS capability. But the effect of this fallback is not good, because of its low performance-price ratio and its failure to protect against massive traffic. Therefore, this method cannot fundamentally prevent DDoS attacks.

Router

We can use routers to implement some security measures, for example setting an ACL, to filter some illegal traffic. ACLs are usually set based on protocols or source addresses. But most DDoS attacks use legal protocols (such as HTTP), so attack traffic cannot be filtered out by routers. And if DDoS attacks use source address spoofing to forge packets, routers cannot prevent these attacks either. Another router-based DDoS countermeasure is to use Unicast Reverse Path Forwarding (uRPF) to block packets with forged source IP addresses at the network boundary. For today's DDoS attacks, this countermeasure is also useless, because, by the basic principle of uRPF, the router blocks or allows a packet to pass the outlet by determining whether its source IP address belongs to the internal subnet, while attackers can easily forge an address that evades the uRPF prevention policy. Besides, configuring the uRPF policy on every router in front of potential attack sources is hardly achievable in a real environment.

Firewall

Firewalls are the most commonly used security products, but DDoS attack prevention is not part of their design. In some cases, firewalls even become the target of DDoS attacks and cause denial of service for the entire network.

Deficiency of DDoS detection capability: Firewalls are usually deployed in the network as Layer-3 packet forwarding devices. They not only protect the intranet but also provide access to devices that offer external Internet services for internal needs. If DDoS attacks exploit legal protocols allowed by the servers, firewalls are unable to identify attack traffic precisely within the mixed traffic. Although some firewalls are equipped with embedded modules that can detect attacks, the detection mechanisms are generally signature-based, and firewalls fail to address the attacks if DDoS attackers change the packets slightly.
The detection of DDoS attacks must rely on algorithms based on behavior patterns.

Limitation of calculation capability: Traditional firewalls perform intensive inspection to detect DDoS attacks, which costs a lot of computation. The massive traffic of DDoS attacks, however, causes a sharp decline in firewall performance, so that packet forwarding tasks cannot be completed effectively. Deployment location also affects a firewall's ability to prevent DDoS attacks. Traditional firewalls are generally deployed at the network ingress. To some extent, this deployment is a good way to protect all resources inside the network, but firewalls deployed this way often become the victims of DDoS attacks, leading to degraded network performance and failure to respond to intended users' requests.

IPS/IDS

Currently, the most commonly used tools for attack prevention or detection are the IPS (Intrusion Prevention System) and the IDS (Intrusion Detection System). But against DDoS attacks, IPS/IDS products are often incapable. The reason is that although an IDS can detect attacks at the application layer, at its most basic level it is a signature-based mechanism that needs to reassemble protocol sessions. Most of today's attacks use legal packets to hit their targets, so IPS/IDS products can hardly detect them. Some IPS/IDS products can detect protocol anomalies, but they need manual configuration by security experts, and are expensive and inflexible. IPS/IDS products were initially designed as signature-based attack prevention/detection tools for the application layer. But most DDoS attacks still feature protocol anomalies at layers 3 and 4, which indicates that IPS/IDS techniques are not suitable for DDoS detection and prevention.

Basic Requirements of DDoS Prevention

Consummate Prevention Strategy

DDoS prevention generally includes two aspects: one aims at effectively detecting ever-evolving attack forms, especially those that adopt multiple spoofing techniques; the other aims at reducing the impact on service systems or networks to ensure the continuity and availability of service systems. A consummate DDoS prevention strategy should meet the following requirements:

Identify attack traffic exactly from background traffic.
Lower the impact of attacks on services, rather than just detecting them.
Support deployment at every type of network outlet, without sacrificing performance or system structure.
The system is reliable and easy to extend.

Based on the above four points, an anti-DDoS device should have the following features:

Respond to DDoS attacks in real time via an integrated detection and prevention mechanism.
Identify attack traffic within mixed traffic by using anomaly detection based on behavior patterns.
Provide prevention capability aimed at massive DDoS attacks.
Provide flexible deployment modes that protect the existing investment and avoid single points of failure without requiring extra investment.
Handle the attack traffic intelligently to ensure high reliability and low investment.

Reduce dependence on network devices and modification of device configuration.
Communicate via standard protocols to ensure maximum interoperability and reliability.

Evolvement on Prevention Principle

The design approach to DDoS prevention has evolved from the initial blocking of attack traffic to today's diversion of attack traffic. Deployment modes have also become flexible: besides in-line deployment, the traffic diversion mode has become an alternative that meets some customers' demands. In-line (or transparent) deployment is applicable to networks with egress bandwidth below 2Gbps. In this deployment, a professional DDoS product can provide real-time, granular detection of small traffic volumes. For large-scale networks (such as an ISP), the traffic diversion mode is more applicable and less costly, because it reduces the risk of a single point of failure, and even a device of small capacity can handle the cleaning work in a network with broad bandwidth, because not all traffic has to pass through the cleaning equipment in real time. Traffic diversion works as follows:

Attack Detection: Detect DDoS attacks by mirroring the traffic or by Netflow.
Traffic Diversion: When a suspected DDoS attack is detected, redirect the traffic to the anti-DDoS device. The diverted traffic contains both attack traffic and legitimate traffic.
Traffic Prevention/Cleaning: Filter attack traffic out of the mixed traffic through multilayer attack recognition and cleaning functions.
Traffic Re-injection: After filtering, send the cleaned traffic back to the mainstream of the network, where it is forwarded to its original destination.

Traffic diversion deployment has the following advantages:
A. Divert suspicious traffic only and let legitimate traffic through, thereby ensuring business continuity and performance.
B. Protect the whole network, rather than just the network ingress or the front of the server as in in-line deployment.

C. Avoid the blocking of legitimate traffic caused by a single point of failure.
D. Provide massive traffic cleaning to address bandwidth exhaustion attacks.
E. Support remote traffic diversion to divert remote traffic freely.
F. Provide redundant prevention for different locations or regions by deploying several cleaning systems.
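The four stages above, as an added example that is not NSFOCUS code: a Python simulation in which constructed NetFlow-style records are checked against a per-destination baseline (the detection role), the attacked host gets a /32 diversion route so that only its traffic leaves the normal path, that traffic is cleaned by one simplified rule, and the remainder is counted as re-injected. The baseline values, threshold multiplier, address ranges and flow records are all assumptions of the example.

```python
"""Simulation of the detect / divert / clean / re-inject cycle (added example,
not NSFOCUS code). Flow records, baselines and thresholds are constructed;
a real detector would consume NetFlow exports from the edge routers."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed): packets seen for a src/dst pair."""
    src: str
    dst: str
    packets: int
    syn_only: bool = False  # the record's TCP flags contained only SYN


# Per-destination pps baselines, assumed learned in a quiet period (constructed).
# A destination is alerted when it exceeds MULTIPLIER times its baseline.
BASELINE_PPS = {"203.0.113.10": 2_000.0, "203.0.113.20": 500.0}
MULTIPLIER = 5.0


def per_destination_pps(flows, interval_s):
    """Aggregate one export interval into packets per second per destination."""
    packets = defaultdict(int)
    for f in flows:
        packets[f.dst] += f.packets
    return {dst: n / interval_s for dst, n in packets.items()}


def detect(flows, interval_s):
    """Detection stage: {dst: observed_pps} for destinations above threshold."""
    alerts = {}
    for dst, pps in per_destination_pps(flows, interval_s).items():
        base = BASELINE_PPS.get(dst)
        if base is not None and pps > base * MULTIPLIER:
            alerts[dst] = pps
    return alerts


def syn_only_share(flows, dst):
    """Share of packets to dst carried by single-packet SYN-only flows; a high
    value from many distinct sources is the spoofed SYN flood pattern."""
    total = sum(f.packets for f in flows if f.dst == dst)
    syn = sum(f.packets for f in flows
              if f.dst == dst and f.syn_only and f.packets == 1)
    return syn / total if total else 0.0


def diversion_prefixes(alerts):
    """Diversion stage: host routes announced toward the cleaner, so only the
    attacked destinations leave their normal path (advantage A above)."""
    return sorted(f"{dst}/32" for dst in alerts)


def next_hop(dst, diverted):
    """Edge-router view: a diverted /32 wins over the route to the server segment."""
    addr = ip_address(dst)
    if any(addr in ip_network(p) for p in diverted):
        return "ads-cleaner"
    return "server-segment"


def clean(flows, dst):
    """Cleaning stage, simplified to one rule: drop single-packet SYN-only flows
    to dst and keep everything else (the page's multilayer cleaning is richer)."""
    return [f for f in flows
            if f.dst == dst and not (f.syn_only and f.packets == 1)]


def reinject_count(cleaned):
    """Re-injection stage: packets handed back toward the original destination."""
    return sum(f.packets for f in cleaned)


def constructed_interval():
    """A constructed 1-second export: normal traffic plus a SYN flood at .10."""
    flows = [
        Flow("198.51.100.7", "203.0.113.10", 1_200),
        Flow("198.51.100.8", "203.0.113.10", 300),
        Flow("198.51.100.9", "203.0.113.20", 400),
    ]
    flows += [Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                   "203.0.113.10", 1, syn_only=True) for i in range(12_000)]
    return flows


def run_cycle(flows, interval_s=1.0):
    """Run all four stages over one interval; returns diverted prefixes and a
    per-target report of what was seen and what came back cleaned."""
    alerts = detect(flows, interval_s)
    prefixes = diversion_prefixes(alerts)
    report = {dst: {"observed_pps": pps,
                    "syn_only_share": round(syn_only_share(flows, dst), 3),
                    "reinjected_packets": reinject_count(clean(flows, dst))}
              for dst, pps in alerts.items()}
    return prefixes, report


if __name__ == "__main__":
    prefixes, report = run_cycle(constructed_interval())
    print("diverted prefixes:", prefixes)
    for dst, r in report.items():
        print(dst, r, "-> next hop:", next_hop(dst, prefixes))
    print("203.0.113.20 -> next hop:", next_hop("203.0.113.20", prefixes))
```

The second host never sees the cleaner: its traffic stays on the server-segment route, which is the "divert suspicious traffic only" property in practice.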

NSFOCUS Anti-DDoS System

To thwart rampant DDoS attacks, including newly emerged ones, NSFOCUS independently developed the NSFOCUS Anti-DDoS System (NSFOCUS ADS). By inspecting the various types of attack traffic within all network traffic in time, the ADS can rapidly filter or divert attack traffic to ensure the transmission of normal traffic. The system can be easily deployed in diverse network environments, not only avoiding single points of failure but also ensuring network integrity and availability.

Three-tuple Integrated Solution

NSFOCUS provides an integrated solution with high performance that is very easy to manage, to meet carriers' requirements for traffic cleaning in large networks. The solution is composed of three types of system: an anomaly traffic detection system (NSFOCUS Network Traffic Analyzer, or NSFOCUS NTA), an anomaly traffic cleaning system (NSFOCUS ADS) and a management & forensics system (NSFOCUS ADS-M).

NSFOCUS ADS: an indispensable device in the traffic cleaning system, providing up to 20G line-speed prevention capability. This product clears off attack traffic while allowing normal traffic to pass to its destination. In the traffic diversion mode, several ADS devices can significantly improve the system's capability to prevent DDoS attacks of tens of Gbps.

NSFOCUS NTA: the detection device in the traffic cleaning system. It is mainly used for anomaly traffic detection and cooperates with the ADS. The NTA collects traffic data through Netflow and analyzes it in depth. If DDoS attack traffic is detected, the NTA triggers the alert configured on the NOC (Network Operation Center) as predefined by the system operator, or automatically notifies the ADS to redirect and clean the attack traffic.

NSFOCUS ADS-M: the management device in the traffic cleaning system. This device is mainly used to collect data from ADS devices in different locations and perform correlation analysis and processing.
It also provides efficient prevention management by grouping users according to business and generating different statistical reports for each group. With an internal abnormal traffic analysis module, ADS-M addresses a wide range of external and internal security threats for customers through traffic statistics and analysis and abnormal traffic detection. For the prevention and monitoring products at different nodes, the ADS-M performs centralized management and privilege assignment, attack source tracing and e-forensics. In addition, the self-service it provides meets telecom carriers' need to offer value-added services.

Deployment Mode

Adopting advanced intelligent detection algorithms, the NSFOCUS traffic cleaning system is capable of defending against DDoS attacks in a professional manner, and provides different DDoS systems for different environments: enterprises, IDCs (Internet data centers), or telecom carriers.

In-line Deployment

In-line deployment is suitable for enterprises with a small number of servers or low bandwidth. The ADS appliance is transparently deployed at the network ingress to detect, analyze, and block DDoS attacks. The topology is shown in the figure below.

Figure: ADS In-line Deployment

Traffic Diversion Deployment

In the systems of IDCs, ICPs, or other systems with crucial businesses, NSFOCUS ADS uses the traffic diversion technique to protect against anomalous traffic. Generally, a traffic detection appliance can be deployed at any location in the network, but the ADS is deployed at the network ingress in out-of-path mode. The traffic detection appliance chiefly monitors incoming traffic and detects the types and sources of DDoS attack packets in real time. When a suspected DDoS attack is detected, the NTA notifies the ADS immediately. On receiving the notification, the ADS device triggers the traffic diversion mechanism and redirects the route of the suspicious traffic to itself, where the traffic is cleaned. The cleaned traffic is then sent back to the mainstream of the network and forwarded to its destination. Throughout this process, the ADS-M system manages and records all the procedures.

Figure: ADS traffic diversion deployment

Cleaning Center deployment is used when massive DDoS attacks occur in large-scale IDCs, MANs, or backbone networks. An ADS cleaning center is a device group composed of several ADS appliances, connected to the network in out-of-path mode. On receiving an attack warning from the NTA, the ADS enables the traffic diversion mechanism and distributes the suspicious traffic among several ADS devices for traffic sanitization. Hence, the attack prevention capability is increased significantly.

Figure: Cleaning Center deployment in an ISP network

Core Principle

NSFOCUS ADS is based on an embedded system design: it implements the DDoS prevention algorithm in the system core at the lowest layer of the protocol stack, avoiding the processing of the upper-layer network stacks such as TCP, UDP, and IP, and thereby reducing the overall computation cost. Combined with a specialized hardware acceleration algorithm, the efficiency of the system is very high. The core technical architecture is shown in the figure below.

Figure: NSFOCUS ADS core technique structure

Anti-spoofing: The NSFOCUS Anti-DDoS technique verifies whether the source address and port of packets are correct, and provides reverse detection on the basis of traffic statistics and analysis.

Protocol analysis: Checks whether protocols comply with the RFC rules for their protocol type. If an anomaly is found, the cleaning system enables the statistical analysis mechanism. Different NSFOCUS protocol analysis algorithms decide whether to filter, restrain or forward packets, depending on the protocol.

Customized application analysis: The ADS products enable a pattern analysis algorithm mechanism to prevent DDoS attacks of different protocol types, targeting special protocol types such as DNS, HTTP, and VoIP SIP.

User behavior analysis: The traffic in the network often contains many protocols. It is usually very hard for attackers to forge a user's access behavior, so there are differences between an attacker's behavior and a legitimate user's behavior. The ADS products gather statistics on, trace, and analyze users' event patterns to identify the real service traffic, and limit the bandwidth of, and apply credit punishment to, the attack traffic.

Dynamic fingerprint recognition: As a universal algorithm, fingerprint recognition is not tied to any protocol. The NSFOCUS Anti-DDoS technique gathers statistics on a given byte range of the packet payload through sliding windows, computes the signatures of attack packets through a pattern identification algorithm, and limits the bandwidth of, and applies credit punishment to, the attack packets that match the fingerprint signatures.

Rate limiting: Limits the rate at which traffic sanitized by the system is exported, to reduce the pressure on the downstream network.

System Features

Accurate Detection and Recognition

The NSFOCUS anti-DDoS system uses purpose-built algorithms to recognize different DDoS attacks by probability statistics and through different filtering modules, including Anti-spoofing, Protocol Behavior Pattern Analysis, Customized Application Prevention, User Behavior Analysis, Dynamic Fingerprinting, and Rate Limiting, so as to pick out malicious DDoS traffic from normal traffic accurately. In addition, with its high performance in attack detection and recognition, the system can prevent any type of massive DDoS attack. The capability of NSFOCUS ADS in preventing a SYN Flood attack, for example, is far ahead of algorithms such as syn-cookie and random-drop, with both its retention rate and its new-connection availability rate up to 100 percent.

Powerful Prevention Capability

Supported by unique algorithms developed by NSFOCUS, the anti-DDoS system delivers high performance in preventing various attacks, such as SYN Flood, UDP Flood, UDP DNS Query Flood, (M)Stream Flood, and ACK Flood/DRDoS. The system also provides good prevention against the more dangerous application-layer DDoS attacks such as HTTP Get Flood, online game attacks, and video and audio service attacks. The rate limiting function in NSFOCUS ADS is designed to handle sudden abnormal changes in traffic.
The ACL in the system helps the administrator easily control certain customized applications through a simple blacklist and whitelist configuration. In-depth packet analysis rules allow the administrator to carry out rapid prevention by defining templates based on the source/destination IP, source/destination protocol port and protocol type of an attack, or on signature bytes such as TCP flags, ICMP type, ICMP code, etc. Considering the innumerable users and differing requirements in ISP networks, NSFOCUS classifies users into groups and provides granular prevention policies for each.
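Added example, not NSFOCUS code, illustrating the dynamic fingerprint step described above: constructed HTTP request payloads are scanned with sliding 8-byte windows over their first 64 bytes, and the window whose prevalence rises most over a quiet-period baseline becomes the signature that the cleaner would rate-limit. The byte range, window width, thresholds and sample requests are assumptions of the example; checking candidate windows against the baseline is what keeps generic fragments like "GET /" from being chosen.

```python
"""Dynamic payload fingerprinting with sliding windows (added example, not
NSFOCUS code). Assumptions, all constructed: a byte range of each packet's
payload is examined; WINDOW-byte substrings are slid over it; a window becomes
the fingerprint when its share of packets in a sample taken during the attack
exceeds its share in a quiet-period baseline by more than GAIN."""
from collections import Counter

OFFSET, RANGE, WINDOW = 0, 64, 8   # examined byte range and window width
GAIN = 0.6                         # minimum rise in prevalence over baseline
MAX_BASELINE_SHARE = 0.2           # windows common in normal traffic are never chosen


def windows(payload):
    """Distinct WINDOW-byte substrings within the examined range of one payload."""
    region = payload[OFFSET:OFFSET + RANGE]
    return {region[i:i + WINDOW] for i in range(len(region) - WINDOW + 1)}


def window_shares(packets):
    """Fraction of packets in which each window occurs (counted once per packet)."""
    counts = Counter()
    for p in packets:
        counts.update(windows(p))
    n = len(packets)
    return {w: c / n for w, c in counts.items()} if n else {}


def learn_fingerprint(attack_sample, baseline_sample):
    """Choose the window whose prevalence rose most against the baseline.
    Returns None when no window stands out, so nothing is rate-limited on a
    false alarm. Ties are broken by byte order to keep the result deterministic."""
    attack = window_shares(attack_sample)
    base = window_shares(baseline_sample)
    best, best_gain = None, GAIN
    for w in sorted(attack):
        b = base.get(w, 0.0)
        if b > MAX_BASELINE_SHARE:
            continue                 # part of normal traffic: never a signature
        gain = attack[w] - b
        if gain > best_gain:
            best, best_gain = w, gain
    return best


def matches(payload, fingerprint):
    """True when the fingerprint occurs inside the examined byte range."""
    return fingerprint is not None and fingerprint in payload[OFFSET:OFFSET + RANGE]


def classify(packets, fingerprint):
    """Split packets into (fingerprinted, passed). Fingerprinted packets are the
    ones a cleaner would rate-limit rather than forward at full speed."""
    hit = [p for p in packets if matches(p, fingerprint)]
    miss = [p for p in packets if not matches(p, fingerprint)]
    return hit, miss


def legit_requests():
    """Constructed quiet-period sample: ordinary browser requests."""
    paths = ["/", "/index.html", "/search.php?q=shoes", "/search.php?q=boots",
             "/search.php?q=socks", "/about", "/img/logo.png", "/login",
             "/cart", "/css/site.css"]
    return [f"GET {p} HTTP/1.1\r\nHost: www.example.test\r\n".encode()
            for p in paths]


def flood_requests(n=40):
    """Constructed flood sample: the query varies per packet, but the request
    tail is identical, which is what the sliding windows pick up."""
    return [f"GET /search.php?q={1000 + 37 * i} HTTP/1.0\r\n"
            f"User-Agent: bot-x9/2\r\n".encode() for i in range(n)]


BASELINE_SAMPLE = legit_requests()
ATTACK_SAMPLE = flood_requests()


if __name__ == "__main__":
    fp = learn_fingerprint(ATTACK_SAMPLE, BASELINE_SAMPLE)
    hit, miss = classify(ATTACK_SAMPLE + BASELINE_SAMPLE, fp)
    print("fingerprint:", fp, "rate-limited:", len(hit), "passed:", len(miss))
```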

Along with the development of hacker techniques, new DDoS attack methods continuously change and improve. To keep up with the development of attack techniques and discover new attack types, NSFOCUS has built an expert research team engaged in the research of network security attacks and countermeasures. The excellent extendibility of NSFOCUS ADS allows an upgrade within one week of a new attack type appearing, and therefore efficiently secures the customer's network at any time.

Massive Attack Traffic Prevention

NSFOCUS ADS models are equipped with different advanced multi-core processor architectures to meet the demands of high-end telecom-class customers. This architecture can perform traffic analysis and DDoS attack prevention at 20G line speed. Take SYN Flood, the typical 64-byte attack, as an example: an NSFOCUS ADS 6000 series device is able to handle 14,800,000 pps of SYN Flood traffic. An ADS 6000 series device cluster can further scale up the prevention and attack traffic processing capability significantly, being able to divert traffic based on attack targets, volume of traffic, types of attack and so on to defend against more devastating and complex DDoS attacks. Even when ISPs or large enterprises face an extremely serious DDoS attack, the NSFOCUS ADS 6000 series can still put the best prevention in place. To ensure the availability of the entire network, the system adopts many techniques, such as host recognition and traffic diversion, to filter attack traffic without compromising normal traffic or the quality of network services.

IPv4/IPv6 Dual Stacks

As IPv4 addresses become increasingly scarce, more and more IPv6 traffic appears in networks. Unfortunately, DDoS attack traffic has been found in IPv6 networks, and current detection methods are insufficient for finding attack traffic for telecom carriers and corporations because of the significant difference between the IPv6 and IPv4 formats.
Therefore, recognizing IPv6 traffic and mitigating DDoS traffic within it is becoming critical. IPv4/IPv6 dual stacks solve this problem: whichever kind of traffic it is, the detection device can accurately recognize it, and once DDoS attack traffic is found, whether in IPv4 or IPv6 traffic, the ADS appliance can efficiently block it.

Flexible Application Deployment

Different network environments and scales mean that NSFOCUS ADS comprises different products and deployment modes. The deployment modes include in-line mode, traffic diversion mode, and traffic diversion Cleaning Center mode. The flexible deployment modes and the support for various types of network protocols allow NSFOCUS ADS to adapt to complicated network environments and provide carrier-grade application solutions at the lowest cost for independent servers, SMEs, large enterprises and ISPs. In the diversion deployment mode, designed for the outbound interface of large IDC and ICP networks, on-demand prevention can be achieved to protect different objects. When a suspicious signature is discovered, the system employs a dynamic traffic diversion technique to redirect the next hop of the traffic destined for the protected zone or hosts to a traffic cleaning device, leaving normal traffic to pass to its destination. After the attack traffic is recognized and filtered, the cleaned traffic is sent back to the mainstream and routed to its original destination. In order to adapt to the complicated network environments of ISPs and large enterprises and to satisfy the requirements of easy deployment and minimal change to current networks, the system provides sufficient traffic diversion and re-injection features as convenient options for deployment in the current network.

User-Friendly Management Interface

Used with NSFOCUS ADS-M in diversion mode, the system provides straightforward and convenient management, including device running-status monitoring, policy configuration, report generation, and packet capture and forensics. Hierarchical privilege management allows network engineers, security administrators and customers to check real-time statistics, monitoring information, and reports at different levels. The detailed reports, covering attack events, attack types, attack characteristics and attack sources, help system administrators both to monitor attacks in real time and to trace attacks and carry out forensic analysis.
The system also provides tools to report traffic monitoring, log information and attack history, which are very convenient and useful for users to adjust prevention policies according to the real-time situation. NSFOCUS ADS-M achieves centralized management, monitoring, control and maintenance of several NSFOCUS ADS appliances. In centralized management, the user can check and modify several ADS devices at one time and then deliver the modified result in a unified manner. The centralized monitoring function gives a real-time view of traffic and device running status on several NSFOCUS ADS appliances simultaneously. Through centralized control, remote restart and packet capture tasks can be assigned to several appliances at the same time. Configuration files, traffic statistics and alert information of several NSFOCUS ADS devices can be stored in the NSFOCUS ADS-M system for centralized management.

Unique Value-added Business Management

Customers can obtain additional benefits from NSFOCUS ADS-M, which provides unique operation and maintenance functions as well as a self-service system. With it, the ISP provides security prevention as a value-added service to users who especially need prevention measures to protect their assets, such as net bars, securities firms, treasure emporiums, electrical energy, government departments, hotels, and IPTV providers. After logging in to the system's open self-service interface, these key users can check information such as real-time traffic, application protocol distribution, attack prevention status, etc. This platform not only helps customers understand their system's security status, but also improves the quality and value of the ISP's services.

Professional Customer Support

With almost ten years of experience in providing anti-DDoS products and support services, NSFOCUS service experts can respond quickly to attack events and provide support on prevention consultation, deployment, training and other services to help customers establish a secure prevention system and build a professional attack prevention team.

Conclusion

With the wide spread and great power of DDoS attack tools and the greater reliance of customer services on networks, we can anticipate that DDoS attacks will increase continuously, attack sizes will grow, and the losses caused by these attacks will become more severe. Operators, enterprises and governments must have countermeasures to protect their investments, profits and services. To supplement the insufficient capability of the traditional firewall/IPS in Web application prevention, a new security tool is needed to protect important information systems against Web application attacks. The tool must not only detect today's complicated DDoS attacks, but also block the attack traffic without affecting normal service traffic. Compared with common security products, this tool requires more granular detection and analysis. For a carrier, it can also provide extra value-added services when deployed at the outbound interface of a network backbone or an IDC. NSFOCUS ADS products provide leading DDoS protection capability. Through the analysis mechanisms of multiple systems and flexible deployments, NSFOCUS products and techniques help you block attacks effectively and ensure normal transmission of legitimate traffic. This is essential for the continuity and integrity of service system operation.

For more information

For more information about NSFOCUS products and services, please contact the NSFOCUS sales NSFOCUS TEL: NSFOCUS US TEL: NSFOCUS Japan TEL: info-jp@nsfocus.com For more information visit the NSFOCUS Website:

About NSFOCUS

NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions including a carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System, all designed to help customers secure their networks and corporate-critical information. More detailed information is available at


More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection KASPERSKY DDoS PROTECTION Protecting your business against financial and reputational losses A Distributed Denial of Service (DDoS) attack is one of the most popular weapons in the cybercriminals arsenal.

More information

HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper

HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper Doc. code HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper Issue 1.0 Date 2014-08-21 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2012. All rights

More information

Introducing FortiDDoS. Mar, 2013

Introducing FortiDDoS. Mar, 2013 Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline

More information

Norton Personal Firewall for Macintosh

Norton Personal Firewall for Macintosh Norton Personal Firewall for Macintosh Evaluation Guide Firewall Protection for Client Computers Corporate firewalls, while providing an excellent level of security, are not always enough protection for

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

The Advantages of a Firewall Over an Interafer

The Advantages of a Firewall Over an Interafer FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

Secospace elog. Secospace elog

Secospace elog. Secospace elog Secospace elog Product Overview With the development of networks, security events continually occur on hosts, databases, and Web servers. These range from Trojans, worms, and SQL injections, to Web page

More information

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec Leonardo Serodio leonardo.serodio@alcatel-lucent.com May 2013 Distributed Denial of Service (DDoS) Attacks DDoS attack traffic consumes

More information

SURE 5 Zone DDoS PROTECTION SERVICE

SURE 5 Zone DDoS PROTECTION SERVICE SURE 5 Zone DDoS PROTECTION SERVICE Sure 5 Zone DDoS Protection ( the Service ) provides a solution to protect our customer s sites against Distributed Denial of Service (DDoS) attacks by analysing incoming

More information

Network Bandwidth Denial of Service (DoS)

Network Bandwidth Denial of Service (DoS) Network Bandwidth Denial of Service (DoS) Angelos D. Keromytis Department of Computer Science Columbia University Synonyms Network flooding attack, packet flooding attack, network DoS Related Concepts

More information

Intelligent. Data Sheet

Intelligent. Data Sheet Cisco IPS Software Product Overview Cisco IPS Software is the industry s leading network-based intrusion prevention software. It provides intelligent, precise, and flexible protection for your business

More information

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity NIP IDS Product Overview The Network Intelligent Police (NIP) Intrusion Detection System (IDS) is a new generation of session-based intelligent network IDS developed by Huaweisymantec. Deployed in key

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Quality Certificate for Kaspersky DDoS Prevention Software

Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Table of Contents Definitions 3 1. Conditions of software operability 4 2. General

More information

NSFOCUS Web Vulnerability Scanning System

NSFOCUS Web Vulnerability Scanning System NSFOCUS Web Vulnerability Scanning System Overview Most Web application systems are tailor-made and delivered in source codes by Customer Benefits Accurate Analysis on Website Vulnerabilities Fast scan

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

POLIWALL: AHEAD OF THE FIREWALL

POLIWALL: AHEAD OF THE FIREWALL POLIWALL: AHEAD OF THE FIREWALL FIREWALL HISTORY Since the earliest days of the Internet, when hackers sat in their darkened basements dialing into networks with dial-up modems, both network threats and

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information