Solution Brief. Combating Bots and Mitigating DDoS Attacks


Many of today's distributed denial of service (DDoS) [1] attacks are carried out by organized criminals targeting financial institutions, e-commerce, and gambling sites. The sites are taken down by bandwidth or server exhaustion caused by the traffic thrown at the target. DDoS attacks range from small, targeted attacks to large-scale versions launched from thousands of bots, affecting not only the targeted victim but also the infrastructure of the service provider. This in turn impacts other customers' services, and if network stability is affected, even voice and other public services may be impacted. As hacking has turned into a tool used by organized criminals, we are witnessing a higher degree of sophistication, and the magnitude of the attacks has also increased dramatically.

Service providers have a unique role to play in combating DDoS attacks. New enhancements in routing and security technologies enable them to protect their broadband users from malware that turns PCs into bots. By utilizing the technologies at hand and designing networks using best practices, the impact of an attack can be limited to the victim, and the attack can quickly be mitigated. In summary, service providers are recommended to:

- Take a proactive role in combating bots from residential broadband, e.g. by using dynamic threat mitigation, a solution based on a combination of policy-enforcing routing techniques, dynamic policy control, and intrusion detection and prevention technologies.
- Offer managed Intrusion Detection and Prevention to secure customer sites.
- Implement BGP flow filters to help mitigate DDoS attacks, distributing filter mechanisms as close as possible to the distributed sources of the attack.
- Design their network in a reliable fashion, limiting the likelihood of misconfigured network elements and improving availability of the network.
- Protect the routing control plane by implementing policy rate limiting for all traffic traversing the forwarding plane to the routing engine.
- Define peering agreements including security policies, e.g. how quickly identified spammers should be blocked from the network.
- Utilize MD5 or encrypted IPSec for routing exchanges intra and inter AS.

This paper highlights how these techniques can be implemented and what security benefits they bring to the service provider. Specific application security topics like protection of next generation voice or video services are outside the scope of this paper.

Criminal organizations behind attacks

Over the last two years, we have witnessed a shift in how attacks appear to be carried out on the Internet. In the early days of the Internet, most attackers were seen as highly skilled techies who tampered with web sites in cyberspace in much the same way that kids on the streets of Manhattan tagged underground stations. They were driven by the technical challenge, by fame, and by the pure fun of having well-respected, large corporations hurt by their technical sharpness. These types of attackers are still around, causing problems for service providers and enterprises around the globe; however, they don't cause the most damage anymore. [2]

Instead, attacks are carried out in a more targeted fashion, and the level of sophistication is increasing. Large organizations like Amazon, eBay, Yahoo and Microsoft have been affected by large DDoS attacks. Lately, we have witnessed an increase in targets among financial institutions and other organizations that keep financial records. Auction, e-commerce and gambling sites are blackmailed before major events are due, e.g. in August 2005 the Hamburg-based gambling site jaxx.de was blackmailed to pay 40,000 euros to stop an ongoing DDoS attack. [3] The pattern is clear: organized criminals appear to be behind these attacks, and their driver is money.
Botnets: broadband-connected PCs sold to hackers

Bot is short for software robot, and refers to a compromised PC attached to the Internet and remotely controlled by a hacker. Some estimate that 25% of all broadband PCs are infected by bots, and that there are over a million bots available to participate in different types of attacks. [4] Hackers use communication systems, typically the IRC Internet chat application, to control the bots. The malicious code can get onto the PC through an attachment, wrapped in a file that is automatically installed when visiting a web site, or in an mp3 file carried in a peer-to-peer application, to name a few common ways Trojans propagate. Once the malicious code executes, the bot will install itself, may patch the system, open service ports on the machine, and spread itself further to other machines that it can reach from inside the network. The bot then sets up a connection to a Herder, the server in control of a number of bots, a botnet.

It may be very difficult to detect that a PC has turned into a bot. In fact, it can even be hard to find out that it is communicating at all. This makes bot mitigation very challenging.

Botnets can be huge. There are examples of botnets as big as 400,000 infected computers. [5] These armies of compromised PCs serve two main purposes: to launch spam e-mails for scam marketing, or to launch DDoS attacks. Bots are also used to send phishing e-mails, upload adware, and act as key loggers to capture credit card information, passwords, or other personal information.

DDoS attacks launched from tens of thousands of bots simultaneously result in gigabits of traffic being thrown at the victim. These attacks do not only affect the targeted host or network. The service provider infrastructure will also be impacted by the bandwidth exhaustion, causing unpredictable behaviour of other applications on that network. In a security study from September 2005, a majority of the service providers reported an average of 10 or more attacks per month that significantly impact customer availability, with an average of 40 general attacks per month. [6]

Botnets are set up for profit. Renting bots costs 10 to 50 cents per bot and month, depending on purpose, number of bots, and of course, the market price. Spammers market their services on the Internet using web sites with a commercial look and feel. Some even offer seasonal discounts! On a closer look behind the scenes, it is hard to identify any corporate representative. They don't give out any address information or fixed phone number. The mobile phone is directed to an answering machine.

Attack detection challenges

It is quite obvious to the victim when it is under DDoS attack. There will be a flood of traffic, e.g. SYN messages for TCP session setup, SIP invites, or plain UDP traffic sent to one of the target's hosts, resulting in service degradation or even complete service blocking. Firewalls protect against these types of attacks, but if the bandwidth down to the site is exhausted, the resolution can no longer be found at the customer site. Instead, the attack has to be mitigated closer to the sources, in cooperation with the service provider.

Larger attacks are also identified by the service provider's NOC staff. Many service providers have traffic anomaly detection solutions in place to check for such changes in traffic patterns. The challenge for the service provider is that an increased load to a specific customer may well be valid traffic, e.g. the customer may have just released a new popular product on the network. This means that the operator needs to verify that the customer is under attack before taking action against the attack. This is a manual process and will take around 10 minutes if there is a defined process and authorised people are reachable. It takes much longer if the processes are unclear.

Service Provider Actions Against Attacks

So what can service providers do to combat botnets and mitigate DDoS attacks?

First, service providers have a critical role to play in the preparation phase of an attack. By providing intrusion detection and prevention services to residential broadband users, the malicious code can be stopped before it makes its way down to the targeted PC. Most broadband users are not aware of the security risks their PCs are exposed to, and they have a careless take on security: "What could ever be on my PC that anyone would like to get their hands on?" This attitude may be seen as a bit naive, but in all fairness, network security is a complex topic, and residential users need solid guidance and a solution for how rules can be enforced to protect their systems from hackers.

Second, service providers can implement traffic filtering mechanisms and utilize newly developed standards for distributing filtering information across their own facilities and announcing the filter to peering routers of other service providers.

Third, there are a number of best practice design rules that service providers should take advantage of in order to limit the impact of an attack.

Last, but not least, service providers can report DDoS events to legal authorities, which would increase awareness of the number of attacks and bring necessary information to legal authorities to trace criminal activities on the Internet.

Proactive Mitigation: Combating Bots

Broadband subscribers are today referred to PC-based antivirus for protection against malicious code. This is a good first level of protection, but it hasn't been sufficient to protect against bot penetration on the Internet. We need a broader set of tools and capabilities for service providers to take a more active role in combating bots.

Juniper Networks has developed the Dynamic Threat Mitigation Solution, which allows network elements to work together to identify suspicious traffic, confirm whether or not the traffic is malicious, and then take action to block that traffic from the network. Service providers now have the ability to cost-effectively identify attacks on a per-user or per-application basis and to quickly mitigate these attacks. The solution combines the power of advanced in-line detection and prevention (IDP) with dynamic service policy creation and configuration. [7]

The Dynamic Threat Mitigation integrated solution provides many key benefits, including:

- The ability to quickly identify, automatically isolate and notify infected customers by redirecting them to a captive portal, or by sending them an e-mail.
- Dynamically adding remedied customers back to normal service with the help of a captive web portal page that includes instructions on virus remedies. Remediation is carried out by having the customer go through an on-line virus scanning tool. On compromised PCs, the host antivirus system can't be trusted, as it may have been tampered with by the bot.
- Dynamic application of service policies to infected network areas or customers. Policies can be easily adapted to include the latest virus attributes.
- Improved user experience.
- Minimal disruption to the end user environment.
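The isolate, remediate and restore cycle listed above can be modelled as a per-subscriber policy state machine. The following is an added example, not Juniper's implementation: the class names, the EWMA baseline and the trigger thresholds are assumptions, with a volume trigger standing in for the brief's Volume Triggered Surveillance model and the IDP verdict supplied by the caller.

```python
from dataclasses import dataclass, field

# Policy states a subscriber can be in (names are hypothetical).
NORMAL = "normal"
INSPECT = "redirect-to-idp"
QUARANTINE = "captive-portal"
MONITORED = "monitored"


@dataclass
class Subscriber:
    name: str
    state: str = NORMAL
    baseline: float = 0.0      # EWMA of upstream bytes per interval
    samples: int = 0           # intervals folded into the baseline
    clean_intervals: int = 0   # intervals spent in MONITORED without an alert
    history: list = field(default_factory=list)


class PolicyManager:
    """Hypothetical stand-in for the policy manager that reprograms the edge router."""

    def __init__(self, factor=5.0, floor=1_000_000, alpha=0.2, warmup=3, monitor_for=3):
        self.factor, self.floor, self.alpha = factor, floor, alpha
        self.warmup, self.monitor_for = warmup, monitor_for

    def _move(self, sub, state, reason):
        sub.state = state
        sub.history.append((state, reason))

    def on_counter(self, sub, upstream_bytes):
        """Feed one interval of the router's per-subscriber traffic counter."""
        if sub.state == NORMAL:
            threshold = max(self.factor * sub.baseline, self.floor)
            if sub.samples >= self.warmup and upstream_bytes > threshold:
                # Sudden increase: reroute to the IDP. Nothing is blocked yet,
                # because a spike can be valid traffic.
                self._move(sub, INSPECT, "volume trigger")
            else:
                # Only non-triggering samples update the baseline, so a flood
                # cannot teach the detector that flooding is normal.
                if sub.samples == 0:
                    sub.baseline = float(upstream_bytes)
                else:
                    sub.baseline += self.alpha * (upstream_bytes - sub.baseline)
                sub.samples += 1
        elif sub.state == MONITORED:
            sub.clean_intervals += 1
            if sub.clean_intervals >= self.monitor_for:
                self._move(sub, NORMAL, "monitoring period passed")
        return sub.state

    def on_idp_verdict(self, sub, verdict):
        """verdict is 'clean' or an attack label reported by the IDP."""
        if sub.state == INSPECT:
            if verdict == "clean":
                self._move(sub, NORMAL, "IDP found legitimate traffic")
            else:
                self._move(sub, QUARANTINE, "IDP: " + verdict)
        elif sub.state == MONITORED and verdict != "clean":
            self._move(sub, QUARANTINE, "reinfection: " + verdict)
        return sub.state

    def on_remediated(self, sub):
        """Subscriber passed the online scan offered by the captive portal."""
        if sub.state == QUARANTINE:
            sub.clean_intervals = 0
            self._move(sub, MONITORED, "online scan passed")
        return sub.state


def simulate():
    """Run three constructed subscribers and return their state transitions."""
    pm = PolicyManager()
    quiet = [100_000, 120_000, 110_000, 90_000]   # constructed counter samples

    bot = Subscriber("bot")
    for sample in quiet + [8_000_000]:
        pm.on_counter(bot, sample)
    pm.on_idp_verdict(bot, "syn-flood")
    pm.on_remediated(bot)
    for sample in quiet[:3]:
        pm.on_counter(bot, sample)

    uploader = Subscriber("uploader")             # large but legitimate upload
    for sample in quiet + [6_000_000]:
        pm.on_counter(uploader, sample)
    pm.on_idp_verdict(uploader, "clean")

    small = Subscriber("small")                   # 20x jump, still under the floor
    for sample in [10_000, 10_000, 10_000, 200_000]:
        pm.on_counter(small, sample)

    return {s.name: [state for state, _ in s.history] for s in (bot, uploader, small)}


if __name__ == "__main__":
    for name, states in simulate().items():
        print(name, "->", states or ["(no policy change)"])
```

The uploader case is the one that matters operationally: the volume trigger only reroutes traffic for inspection, and the subscriber is quarantined only after the IDP confirms an attack.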

There are three deployment models for the Dynamic Threat Mitigation solution: Always On, Scheduled Surveillance or Volume Triggered Surveillance. Figure 1 shows the principles behind the Volume Triggered Surveillance model.

In the in-line deployment, all traffic from the broadband subscribers is inspected for malicious code by the IDP, allowing the system to drop the bad traffic before it reaches the end user's PC.

Complementing antivirus tools for scanning files for malicious code, the IDP utilizes 8 unique ways to identify malicious traffic. Signatures and protocol anomalies are updated every day by the J-security research lab to ensure that application servers and PCs are protected from the latest announced vulnerabilities as well as from yet unknown attacks. Stateful signature detection searches for a unique series of byte patterns combined with information on where in the communication state the pattern should be found. This makes the identification of worms very accurate. Other intrusion detection systems on the market don't have this capability, but just scan the traffic for a given pattern. As service providers get more active in bot mitigation, it becomes increasingly important to be accurate and avoid blocking legitimate traffic. Another useful detection method for mitigating attacks before they break out is backdoor detection. This identifies traffic patterns by the characteristics of the communication flow, e.g. when key strokes are transmitted to a PC.

For scheduled surveillance or for volume triggered attack mitigation, the IDPs are centrally deployed and the broadband traffic is rerouted for inspection and mitigation either at certain time intervals, or triggered dynamically by a change in traffic volumes from an individual subscriber. These models require less equipment and are therefore more cost efficient. The source of a suspected attack can be identified by a volume tracking feature that detects a sudden increase of traffic being sent from a customer. This triggers the policy manager to update the policy of the E- or M-series router, and the traffic is redirected to the IDP site, where further traffic analysis is carried out. The IDP will identify if the user is taking part in a SYN/UDP flood attack or SIP invite attack, or is spreading a worm. When the user opens a browser, the new policy in the broadband router can redirect the user to a captive portal providing tailored remediation support.

It is recommended to keep broadband users that have been under the control of a bot under IDP inspection for a period of time after their PCs have been remedied. This will assure that the malicious code was successfully removed by the antivirus tool, and it will protect the customer from being infected again through the use of stateful signature detection and backdoor detection techniques.

The Dynamic Mitigation Solution arms service providers with a security tool that identifies risks early on. By taking proactive steps to combat bots, customers will gain a greater broadband experience, increasing customer loyalty and reducing churn.

Figure 1. Dynamic Threat Mitigation Solution deployed in volume triggered surveillance mode. (Diagram labels: E-series/M-series router with classifiers and traffic counters, redirect and rate limit; SDX-300 Policy Manager with Volume Tracking Application to redirect to IDP; IDP event trigger, redirect to captive portal; rerouted, suspicious traffic inspected by IDP, which signals the event to SDX; M Series, E Series, ISG/IDP, T Series, Internet.)

BGP Traffic Flow Filter for DDoS Attack Mitigation

Service providers primarily use two methods to mitigate attacks once they have been discovered by the NOC: packet filters and black-hole routing. Packet filters, also referred to as firewall filters or access control lists, are set in the edge routers to rate limit or discard traffic being sent to or from specific IP addresses.
In a distributed attack scenario, the traffic is sent from many different sources and needs to be filtered out as close to the source as possible. Up until now, there hasn't been a standard way to communicate filtering information between routers. Instead, routers have exchanged topologies and routing information using IGP or BGP protocols.

The idea behind black-hole routing is to drop malicious traffic by attaching a BGP community to a route and mapping that route to a forwarding discard function. The router will then create black holes in the routing table, and the forwarding function of the router will discard the packets accordingly. There is a historic reason why this approach was taken in the first place: legacy routers couldn't handle large numbers of flow filters without severe performance degradation. As black-hole routing utilizes discard functionality in the forwarding plane, it has similar performance to any standard forwarding action of the router. Black-hole routing information is exchanged by standard routing protocols, and in the case of BGP, standard attributes like BGP communities allow service providers to share black-hole routing information with their trusted peers.

One limitation of black-hole routing is that it is based solely on destination or source addresses, or ranges thereof. In a distributed attack scenario, the attack is typically spread across thousands of sources, so the malicious traffic usually has to be defined by the destination address. When turned on, routers will drop any packets destined for the victim, regardless of the type of traffic, good or bad. The net effect is a reliable network service for all other customers; however, the DDoS attack hasn't been resolved. In fact, the service provider is now doing an effective job of denying all traffic towards the victim. This is one of the major shortcomings of black-hole routing.

A second limitation of black-hole routing is that it can only admit or deny traffic. There is no way to take more sophisticated actions like sampling, logging and policing. Once the attack has faded, the service provider needs to make a new update to allow traffic to the formerly attacked victim. As black holes appear like any other routing entry in the Internet routing tables, it can be hard to track black holes that keep discarding traffic well after the attack has stopped.

Traffic Flow Filtering - Overview

Traffic Flow Filters is a new method which uses BGP to distribute filtering information dynamically across autonomous systems. Up until now, routing protocols have been used to exchange forwarding information; however, there has not been any standard for how routers should exchange information about services. Traffic Flow Filters is the first initiative to address this limitation. The standard provides a common framework for distributing flow and filter information independent of the routing information. One of its first applications is DDoS attack mitigation. [8]

Using BGP routing advertisements to distribute traffic filtering information has the advantage of using the existing infrastructure and inter-AS communication channels. This allows service providers to automatically accept updated filter information from trusted peers, and from customers attached to their network.

Filters can be applied to flows identified by a number of matching criteria: source or destination address, port number, protocol type, DSCP, TCP flags or any other information found in the IP header. The actions taken on the flow include dropping the traffic (a special case with a net effect similar to black-hole routing), rate limiting, sampling, counting, or redirecting. When using the redirect feature, the traffic is typically forwarded to a honeynet, a dedicated network managed by the service provider to analyze and manage attacks.

Propagation time and execution of filter updates across the service provider's own network, and further propagation to peering partners, depend on many factors such as network size, BGP design and the routing systems themselves. Fast convergence times have been a leading development goal for Juniper Networks, and the JUNOS operating system in the M- and T-series routers has been designed from the ground up to perform quickly on these tasks.

How Traffic Flow Filters works

A DDoS attack is mitigated by traffic flow filters in the following way:

1) The operator identifies and validates that there is a DDoS attack on the network.
2) The operator samples the traffic to identify the attack pattern, e.g. a range of UDP ports and destination addresses.
3a) The NOC makes a filter flow update matching the attack pattern, and includes the filter actions that should be taken on this traffic, e.g. dropping the traffic and counting the number of packets.
3b) Alternatively, the customer can initiate the filter flow update by configuring a flow filter on the CPE router.
4) The egress router will update its forwarding and service planes to take immediate action.
5) The traffic flow filter update will propagate across the network, and the traffic flow filter information will be activated across BGP peers as defined in the routing update policy.
6) When a BGP peer receives the flow filter update, it first performs a security check, cross-checking the filter update against its current unicast routing table. This ensures that the update is received from a router that is on the path to the attack victim.
7) Once the flow filters have been executed on all BGP peers, the DDoS attack will be filtered out as close to the sources as possible, and the constrained resources will be released to handle good traffic. The victim will no longer be affected by the attack.
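The difference between destination black-holing and a flow filter, and the cross-check in step 6, can be seen in a small simulation. This is an added example, not code from the brief or from Juniper: the Router and FlowFilter classes, peer names and addresses are constructed for illustration, and the step 6 check is simplified to "the filter must arrive from the peer that holds the best unicast route to the filter's destination".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class FlowFilter:
    dst_prefix: str
    proto: str
    dport_lo: int
    dport_hi: int
    action: str          # "discard", or "count" (count only, still forward)
    advertised_by: str   # BGP peer the update was received from

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst_prefix)
                and pkt.proto == self.proto
                and self.dport_lo <= pkt.dport <= self.dport_hi)


class Router:
    def __init__(self, unicast_routes: dict):
        # prefix -> peer from which the best unicast route was learned
        self.rib = {ip_network(p): peer for p, peer in unicast_routes.items()}
        self.blackholes = []
        self.filters = []
        self.hits = {}

    def peer_for(self, prefix: str):
        """Longest-prefix match: peer holding the best route that covers prefix."""
        target = ip_network(prefix)
        covering = [net for net in self.rib if target.subnet_of(net)]
        if not covering:
            return None
        return self.rib[max(covering, key=lambda net: net.prefixlen)]

    def add_blackhole(self, prefix: str) -> None:
        self.blackholes.append(ip_network(prefix))

    def receive_filter(self, flt: FlowFilter) -> bool:
        """Step 6 (simplified): reject filters from peers off the path to the victim."""
        if self.peer_for(flt.dst_prefix) != flt.advertised_by:
            return False
        self.filters.append(flt)
        self.hits[flt] = 0
        return True

    def forward(self, pkt: Packet) -> str:
        if any(ip_address(pkt.dst) in net for net in self.blackholes):
            return "discard"                 # destination only: good and bad alike
        for flt in self.filters:
            if flt.matches(pkt):
                self.hits[flt] += 1          # the "count" action
                if flt.action == "discard":
                    return "discard"
        return "forward"


VICTIM = "198.51.100.10"                     # constructed documentation addresses
ROUTES = {"198.51.100.0/24": "peer-A", "0.0.0.0/0": "peer-B"}


def sample_traffic():
    """Constructed mix: a UDP flood on ports 5000-5099 plus legitimate traffic."""
    flood = [Packet(f"203.0.113.{i}", VICTIM, "udp", 5000 + i % 100) for i in range(1, 201)]
    web = [Packet("192.0.2.50", VICTIM, "tcp", 443) for _ in range(20)]
    other = [Packet("192.0.2.51", "198.51.100.77", "udp", 53) for _ in range(5)]
    return flood + web + other


def delivered(router: Router, traffic) -> dict:
    """Count forwarded packets, split into attack and legitimate traffic."""
    out = {"attack": 0, "legit": 0}
    for pkt in traffic:
        if router.forward(pkt) == "forward":
            is_attack = pkt.proto == "udp" and pkt.dst == VICTIM
            out["attack" if is_attack else "legit"] += 1
    return out


def run_blackhole() -> dict:
    router = Router(ROUTES)
    router.add_blackhole(VICTIM + "/32")
    return delivered(router, sample_traffic())


def run_flow_filter(advertised_by: str = "peer-A"):
    router = Router(ROUTES)
    flt = FlowFilter(VICTIM + "/32", "udp", 5000, 5100, "discard", advertised_by)
    accepted = router.receive_filter(flt)
    return accepted, delivered(router, sample_traffic()), sum(router.hits.values())


if __name__ == "__main__":
    print("black-hole          :", run_blackhole())
    print("flow filter (peer-A):", run_flow_filter("peer-A"))
    print("flow filter (peer-B):", run_flow_filter("peer-B"))
```

With the black hole, the victim's 20 web sessions are lost along with the flood; with the flow filter they are delivered, and a filter announced by a peer that is not on the unicast path to the victim is never installed.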

Figure 2. Traffic Flow Filters in Operation. (Diagram labels: Victim, Firewall, J6300, NOC, Good traffic; callouts for steps 3a, 3b and 4.)

Benefits of BGP traffic flow filtering

Traffic Flow Filters allow for more granular control of how attacks can be mitigated than is offered by black-hole routing. They also provide a clean separation of filter and forwarding information, simplifying operation and limiting the risk of configuration mistakes. In addition, traffic flow filters allow a broader set of actions to be taken on the traffic. The ability to sample traffic can provide more accurate data on attacks, helping us to more quickly identify and combat future attacks.

BGP plays a key role in all IP networks today. All inter-AS routing information exchange between service providers is carried by BGP. MP-BGP is exclusively used to exchange VPN routing information, and many service providers use iBGP for intra-AS routing updates as well. By using BGP for exchanging traffic flow filter information, service providers don't have to implement a new protocol for DDoS mitigation, and many of the well-known AS-specific community attributes can be used in combination with traffic flow filtering to determine predefined actions.

IP/MPLS design for DDoS protection

Designing networks is a profession in itself: selecting the most scalable, feature-rich and cost-efficient nodes and configuring them to perform the broad set of communication services that we expect from today's IP/MPLS networks. Network nodes are designed from the ground up to be carrier class and are therefore in general less vulnerable than application servers. That said, network nodes can also be subject to DDoS attacks, and hackers may use vulnerabilities in network nodes to carry out attacks as well.

Node protection

Juniper Networks routers are designed for high availability and predictable performance with services turned on. The design allows service providers to protect the routers and other network elements without compromising performance. It also provides ubiquitous protection across the geographical reach. The JUNOS and JUNOSe operating systems have a modular design, allowing all protocols to run in separate protected memory modules, limiting the impact in the event of a buffer overflow or software failure.

All traffic destined for the router itself needs to traverse the hardware-based forwarding engine. All security features on the interfaces can be turned on to limit the possibility of an attack. It is recommended to rate limit valid traffic to ensure the node is protected from smurf attacks using the Internet Control Message Protocol (ICMP) or SYN flood attacks on open ports that run the routing and management protocols.

Juniper M- and T-series routers can also be equipped with stateful firewalls running on adaptive services port interface adaptors. In addition to performing security services for end users, these firewalls can be used to check the traffic destined for the routing engine. This allows for more granular protection against attacks.

Network protection

Unicast Reverse Path Forwarding (uRPF) is a technique that validates the source address on all packets to make sure the source address corresponds to a network learned on the incoming interface of the router. This feature protects not only against IP address spoofing, but also against the types of DDoS attacks that randomly set the senders' source address to different values to make tracing more cumbersome.

Routing integrity protection

Attacks on the routing protocols are not as common as DDoS attacks; however, the impact of these types of attacks can be severe. To ensure the integrity of traffic between BGP peers, it is recommended to use authentication schemes. One common authentication scheme is Message Digest 5 (MD5). To further increase the security level, the complete routing communication channel can be encrypted using IPSec.

Designing a network to be attack tolerant and inherently secure is a continuous effort. Juniper Networks Professional Services can assist service providers to ensure the products are used efficiently and securely. Services include network audits and best practice configuration expertise.

Conclusion

New technologies like Traffic Flow Filters and the Dynamic Threat Mitigation solution allow service providers to take a more proactive role in protecting broadband subscribers and enterprises against attacks. Enterprises protect themselves by placing firewalls at the perimeter of the network, and just recently they have started to add unified access control (UAC) technologies to take control and offer remediation support for compromised PCs from within their own network as well. Against DDoS attacks, however, companies depend on service providers to take action.

The Dynamic Threat Mitigation solution arms the service provider with a tool to combat bots at the root of the problem. By helping residential customers to clean their broadband PCs of these software robots, the end user will get a greater broadband experience, and the service provider will be rewarded with increased loyalty and reduced churn.

Note! Juniper Networks has published this paper with a view to describing the benefits of and potential use of certain of its products. This paper should not be considered advice going to any specific security issue, and readers should not rely on its content alone in considering or implementing security solutions, but should get appropriate advice in respect of their particular needs.

[1] For a definition of DDoS, please visit
Attack Trends: Beyond The Numbers, January-October 2005, Bruce Schneier, Counterpane Internet Security, Inc
Worldwide ISP Security Report, Arbor Networks, Sep
For more details on the Dynamic Threat Mitigation Solution from Juniper Networks please visit solutionbriefs/ pdf
[8] Traffic Flow Filters are being standardized by the IETF. The RFC document can be found here:

Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Apr 2006


More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Strategies to Protect Against Distributed Denial of Service (DD

Strategies to Protect Against Distributed Denial of Service (DD Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

More information

TLP WHITE. Denial of service attacks: what you need to know

TLP WHITE. Denial of service attacks: what you need to know Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

SecurityDAM On-demand, Cloud-based DDoS Mitigation

SecurityDAM On-demand, Cloud-based DDoS Mitigation SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS

More information

Juniper Networks Education Services

Juniper Networks Education Services Datasheet Education Services Deploying networks that can securely and reliably deliver high-speed services is a must for setting your business apart from the competition. But how do you keep pace with

More information

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

More information

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013 the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

Application Security Backgrounder

Application Security Backgrounder Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Virus Protection Across The Enterprise

Virus Protection Across The Enterprise White Paper Virus Protection Across The Enterprise How Firewall, VPN and /Content Security Work Together Juan Pablo Pereira Sr. Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda Avenue

More information

Juniper Networks Solution Portfolio for Public Sector Network Security

Juniper Networks Solution Portfolio for Public Sector Network Security Solution Brochure Juniper Networks Solution Portfolio for Public Sector Network Security Protect against Network Downtime, Control Access to Critical Resources, and Provide Information Assurance STRM NS-Security

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

PEER-TO-PEER NETWORK

PEER-TO-PEER NETWORK PEER-TO-PEER NETWORK February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Guidance Regarding Skype and Other P2P VoIP Solutions

Guidance Regarding Skype and Other P2P VoIP Solutions Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team The Internet is in the midst of a global network pandemic. Millions of computers

More information

Which of the following network tools would provide the information on what an attacker is doing to compromise a system? a. Proxy server b.

Which of the following network tools would provide the information on what an attacker is doing to compromise a system? a. Proxy server b. An administrator is trying to secure a network from threats originating outside the network. Which of the following devices provides protection for the DMZ from attacks launched from the Internet? a. Antivirus

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection KASPERSKY DDoS PROTECTION Protecting your business against financial and reputational losses A Distributed Denial of Service (DDoS) attack is one of the most popular weapons in the cybercriminals arsenal.

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Tech Brief Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Introduction In today s era of increasing mobile computing, one of the greatest challenges

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Juniper Networks Customer Service

Juniper Networks Customer Service Juniper Networks Customer Service Customer Services that assure network performance by providing optimal security, quality, and reliability for your network. Juniper Networks Customer Service We Are All

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

HAVE YOU EVER BEEN HACKED?

HAVE YOU EVER BEEN HACKED? HAVE YOU EVER BEEN HACKED? 90% of companies have been hacked 70% of attacks go undetected 60% of all small/med size businesses go out of business within 6 months of a data security breach 32% of computers

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

Network Security: A New Perspective. NIKSUN Inc.

Network Security: A New Perspective. NIKSUN Inc. Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com

More information

Cisco Network Foundation Protection Overview

Cisco Network Foundation Protection Overview Cisco Network Foundation Protection Overview June 2005 1 Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and

More information

Network Management and Monitoring Software

Network Management and Monitoring Software Page 1 of 7 Network Management and Monitoring Software Many products on the market today provide analytical information to those who are responsible for the management of networked systems or what the

More information

About Botnet, and the influence that Botnet gives to broadband ISP

About Botnet, and the influence that Botnet gives to broadband ISP About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

This chapter covers the following topics:

This chapter covers the following topics: This chapter covers the following topics: Components of SAFE Small Network Design Corporate Internet Module Campus Module Branch Versus Headend/Standalone Considerations for Small Networks C H A P T E

More information

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 3.7.x

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 3.7.x CISCO SERVICE CONTROL SOLUTION GUIDE Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 3.7.x 1 Introduction and Scope 2 Functionality Overview 3 Mass-Mailing-Based

More information

PRODUCT CATEGORY BROCHURE

PRODUCT CATEGORY BROCHURE IDP Series Intrusion Detection and Prevention Appliances PRODUCT CATEGORY BROCHURE Staying One Step Ahead With the accelerating number of applications allowed in from the Internet and the higher frequency

More information

Modern Denial of Service Protection

Modern Denial of Service Protection Modern Denial of Service Protection What is a Denial of Service Attack? A Denial of Service (DoS) attack is generally defined as a network-based attack that disables one or more resources, such as a network

More information

BGP Flow Specification Deployment Experience

BGP Flow Specification Deployment Experience BGP Flow Specification Deployment Experience Derek Gassen, Raul Lozano Time Warner Telecom Danny McPherson, Craig Labovitz Arbor Networks Agenda Flow Spec Overview About TWTC DDOS problem and Observations

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

Countermeasures against Bots

Countermeasures against Bots Countermeasures against Bots Are you sure your computer is not infected with Bot? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Bot? Bot is a computer

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Frequently Asked Questions (FAQs) Boundary Defense for

Frequently Asked Questions (FAQs) Boundary Defense for Frequently Asked Questions (FAQs) Boundary Defense for Email MailStreet Live Support: 866-461-0851 Boundary Defense for Email Anti-Spam FAQs What is Spam? Boundary Defense for Email / Frequently Asked

More information

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite WHITE PAPER Mobile Device Security in the Enterprise Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite Copyright 2010, Juniper Networks, Inc. Table of Contents

More information

1 Introduction. Agenda Item: 7.23. Work Item:

1 Introduction. Agenda Item: 7.23. Work Item: 3GPP TSG SA WG3 Security S3#34 S3-040583 6-9 Jul 2004 updated S3-040566 Acapulco, Mexico Title: Selective Disabling of UE Capabilities; updated S3-040566 based on the comments on SA3 mailing list Source:

More information

JUNOScope IP Service Manager

JUNOScope IP Service Manager Datasheet JUNOScope IP Service Manager Product Description As service providers and enterprises evolve to meet the demands of their customer base, one key to success is the enhancement of operational efficiencies

More information

Software Engineering 4C03 SPAM

Software Engineering 4C03 SPAM Software Engineering 4C03 SPAM Introduction As the commercialization of the Internet continues, unsolicited bulk email has reached epidemic proportions as more and more marketers turn to bulk email as

More information

/ Staminus Communications

/ Staminus Communications / Staminus Communications Global DDoS Mitigation and Technology Provider Whitepaper Series True Cost of DDoS Attacks for Hosting Companies The most advanced and experienced DDoS mitigation provider in

More information

BGP Security. RIPE 52 Meeting Istanbul, Turkey 26 April V igil S ecurity. Russ Housley LLC

BGP Security. RIPE 52 Meeting Istanbul, Turkey 26 April V igil S ecurity. Russ Housley LLC BGP S igil S RIPE 52 Meeting Istanbul, Turkey 26 April 2006 Russ Housley housley@vigilsec.com Outline Introduction BGP S IETF Activities The Problem BGP provides critical routing infrastructure for the

More information

Attacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand

Attacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand Attacks Against the Cloud: A Mitigation Strategy C L O U D A T T A C K M I T I G A T I O N & F I R E W A L L O N D E M A N D A l e x Z a c h a r i s a z a h a r i s @ a d m i n. g r n e t. g r G R N E

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more The dramatic growth in mobile device malware continues to escalate at an ever-accelerating pace. These threats continue to become more sophisticated while the barrier to entry remains low. As specific

More information

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc.

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc. Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References

More information

Streamlining Web and Email Security

Streamlining Web and Email Security How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor

More information

Yahoo Attack. Is DDoS a Real Problem?

Yahoo Attack. Is DDoS a Real Problem? Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Filter-Based Forwarding

Filter-Based Forwarding Application Note Filter-Based Forwarding Using Filter-Based Forwarding to Control Next-Hop Selection Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888

More information

1 Introduction. Agenda Item: 7.23. Work Item:

1 Introduction. Agenda Item: 7.23. Work Item: 3GPP TSG SA WG3 Security S3#34 S3-040682 6-9 Jul 2004 updated S3-040632 Acapulco, Mexico Title: Selective Disabling of UE Capabilities; updated S3-040583 based on the comments in SA3#34 meeting Source:

More information

Limitation of Riverbed s Quality of Service (QoS)

Limitation of Riverbed s Quality of Service (QoS) Application Note Limitation of Riverbed s Quality of Service (QoS) Riverbed s Quality of Service (QoS) configuration and limitations Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California

More information

Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out

Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out A typical connection from an ISP to a customer Packets from ISP:

More information

Secure Web Gateways Buyer s Guide >

Secure Web Gateways Buyer s Guide > White Paper Secure Web Gateways Buyer s Guide > (Abbreviated Version) The web is the number one source for malware distribution. With more than 2 million 1 new pages added every day and 10,000 new malicious

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

McAfee Total Protection Reduce the Complexity of Managing Security

McAfee Total Protection Reduce the Complexity of Managing Security McAfee Total Protection Reduce the Complexity of Managing Security Computer security has changed dramatically since the first computer virus emerged 25 years ago. It s now far more complex and time-consuming.

More information

Combating DoS/DDoS Attacks Using Cyberoam

Combating DoS/DDoS Attacks Using Cyberoam White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

Security Threats to the Internet Backbone

Security Threats to the Internet Backbone Security Threats to the Internet Backbone Presented by Ricky Lou IT Intelligence Limited Potential Risks DDoS on critical Internet Resources DNS Spoofing Wide-Area Internet Routing DDoS on critical Internet

More information