DDoS Defenders: Don't Take DNS for Granted A Seven-step Plan for Ensuring DNS Defenses in Service Provider Networks
- Byron Townsend
WHITE PAPER
Rev. A, February 2014

Table of Contents

Introduction
Part I: Why is DDoS Targeting DNS?
  How DNS Works
  Attacks Growing More Complex and Diversified
Part II: What Can be Done to Defend the DNS?
  Components of Essential DNS Testing
Part III: Putting DNS Defenses to the Test: A Proven Test Topology
  When to Run Tests
  DNS Defense Testing Topologies
  The 7-Step Test Methodology
Part IV: About Two Leading Solutions
Conclusion

Introduction

In most network infrastructures, the squeaky wheel gets the grease while reliable elements that appear to be working fine may not always get much attention, until they stop working. DNS (Domain Name System) servers, for example, have been deployed in service provider networks for some twenty-five years, doing what they're expected to do.

In recent years, however, DNS has started to make some noise as the complexities of network performance, security, and scalability have all skyrocketed. The explosive growth of mobile devices and applications has given rise to unprecedented volumes of DNS traffic, causing exponentially more servers to be deployed. Surges in traffic can cause these servers to become overwhelmed more easily, resulting in error messages and actual failures, both of which can prompt demanding subscribers to switch providers.

Of equal concern is the growing link between DNS and network security. The openness and global reach of DNS make it the perfect target for Distributed Denial of Service (DDoS) and other sophisticated attacks. Front-page campaigns such as the Spamhaus attack (one of the largest publicly announced DDoS attacks in history) exploit potential vulnerabilities by bombarding servers with queries that ultimately overwhelm DNS services.

[Figure: DNS is the #2 Attack Vector. Bar chart by protocol: HTTP, DNS, SMTP, HTTPS, SIP/VOIP, IRC, Other. Source: Arbor Networks]

Reacting after the fact can have costly consequences such as revenue loss, dissatisfied customers, and a negative impact on brand reputation. Nor does the traditional solution, throwing more server capacity at the problem, suffice, as this approach fails to scale, contributes to poor performance, and can even introduce new points of vulnerability.

Going forward, service providers and enterprises alike must adopt comprehensive, proactive strategies for evaluating the performance, scalability, and robustness of a DNS server's security capabilities. Within certification labs, more attention must be placed on modeling real-world scenarios, recreating field issues, and simulating security threats to assess and optimize performance over time.

Part I: Why is DDoS Targeting DNS?

Many research studies have explored the impact of unforeseen downtime on businesses, and it isn't pretty. One study by Ponemon Institute estimates the average revenue impact for a single hour of downtime as nearly $80,000 per hour. [1] For DDoS attacks, we can multiply this by 38, the average attack duration. [2] The number then becomes a staggering $2,990,000+. At this rate, recovering even 1 minute earlier from an outage would save a company more than $1,300.

For more than a decade, DDoS and other cyber-attacks have been growing rapidly, causing disruption wherever they strike. In service provider networks, exploits have gradually migrated toward a soft target: the Domain Name System.

Why is DNS an Ideal Attack Target?
- DNS is the cornerstone of the Internet, used by every business, government, and service provider
- DNS protocol is stateless and hence vulnerable
- DNS as a protocol is easy to exploit

ISPs, mobile operators, and cloud providers all rely heavily on DNS, partly as an essential connectivity component, and partly as a service they offer customers, implicitly or explicitly. Along with preserving their own reputations, it's crucial that service providers protect this vital asset for the sake of subscribers who rely on stable, always-on Internet connectivity.

[1] Emerson Network Power, "Understanding the Cost of Data Center Downtime,"
[2] Prolexic Q Global DDoS Attack Report

How DNS Works

DNS is the means by which computers find vital addressing information for all kinds of IP-based communications over the public Internet. In its simplest form, DNS is the Internet phone book, translating a name (such as ) into an IP address. The definitive source of this addressing information is the authoritative DNS server for a given URL.

When a user attempts to reach that URL, his or her computer sends a DNS request to a local DNS server. The server may have the IP addresses of common domains already stored in its cache, or it may need to locate the IP address through a process known as recursion, using a DNS query across the Internet to locate the authoritative server for that domain. The DNS response from that server contains the IP address for the domain or URL in question.

DNS represents a critical element of all data center services: if DNS fails, IP connectivity across the Internet fails. With the rapid growth in Internet traffic, DNS traffic volumes have risen exponentially in recent years, placing significant strain on ISP resources. DNS, originally a low-volume source of traffic, has now become a high-profile element within the Internet infrastructure.

Why It's Vulnerable

DNS traffic is always allowed to pass through firewalls via port 53. This has not escaped the attention of criminal elements who increasingly are exploiting the lack of defenses for DNS infrastructure. Beyond simple and sophisticated denial of service attacks that use techniques such as reflection and amplification, various additional exploits also target DNS, including cache poisoning attacks and DNS tunneling, which can lead to data theft and revenue loss for carriers.

Two critical areas that require protection inside a service provider network are:
- DNS caching servers
- Authoritative DNS servers

The DNS caching layer holds cached query responses for commonly accessed websites and other URLs, all of which are critical to ensuring a smooth Internet connectivity experience among customers. This layer proves vital to establishing a rapid response to DNS queries, and in turn acceptable response times.

Authoritative DNS servers reside in various locations within the provider's network. These servers provide authoritative responses to DNS queries and connectivity requests from the operator's subscriber base. Authoritative DNS servers enable the web presence, e-commerce functions, and location of multiple network components for IP connectivity, including roaming and gateway location in operator networks.

Attacks Growing More Complex and Diversified

Today's DDoS attackers are extremely creative, with powerful tools at their disposal and time on their side. Volumetric threats continue to grow more complex and coordinated in nature, targeting multiple points in the DNS process.

DDoS Attacks Diversifying
- DNS reflection/DDoS attacks: Use third-party DNS servers (open resolvers) to propagate DDoS attacks
- DNS amplification: Use specially-crafted queries to create an amplified response to flood the victim with traffic
- DNS-based exploits: Exploit vulnerabilities in the DNS software
- TCP/UDP/ICMP floods: Bring networks or services down by flooding them with large amounts of traffic; leads to denial of service on layer 3/4
- DNS cache poisoning: Corrupt the DNS cache data with a rogue IP address
- Protocol anomalies: Send malformed packets and queries that cause services to crash
- DNS tunneling: Achieve data exfiltration by tunneling another protocol through DNS

To stay a step ahead and avoid costly incidents, providers can follow evolving best practices for assessing and bolstering their defenses.

Part II: What Can be Done to Defend the DNS?

Obviously, networks vary greatly and operators worldwide have addressed DNS in very different ways. Some do so through architecture, placing load balancers in front of the DNS, or adding IPS as a screen. Others may use Anycast, while still others simply overprovision networks to take up the slack. New techniques introduce advanced, hardware-based deep packet inspection (DPI) inside the DNS server to identify malicious traffic and filter it out while responding only to legitimate DNS requests. Whatever their approach, operators must thoroughly assess and address the vulnerabilities of their own unique DNS defenses.

With the threat landscape changing rapidly, lab testing designed to ensure performance and stability must also evolve. Service providers must assume greater control and be increasingly proactive as they deploy equipment into their networks. Equipment vendors perform testing before releasing new platforms, but these efforts may be based on default configurations that produce best-case performance data. Rather than rely on data sheets, IT departments need to broaden and tailor testing to reflect the requirements and challenges of their own individual networks.

Pre-deployment testing needs to model individual network configurations, simulating real-world traffic conditions and user behavior at scale. In addition, foreseeable threat conditions and environments also must be recreated in the lab with a variety of attacks and exploits generated to assess defenses. Finally, testing should encompass established DNS solutions as well as prospective new devices and strategies.

Components of Essential DNS Testing

While actual DNS testing strategies may vary among providers, some critical components of validating security remain constant:

- Realism: the ability to model subscriber behavior, recreate realistic network configurations, and simulate extreme traffic conditions. For example, unlike normal network traffic, DDoS has some unique and significant properties. The test and evaluation environment should emulate the deployment environment as closely as possible, including directly-connected devices such as routers, switches, and firewalls that may impact packet loss, latency, and data integrity.

- Scalability is needed to simulate thousands of subscribers at high-load conditions. While a system might be able to detect and mitigate DDoS traffic when barely stressed, it may only detect half the malicious traffic under high load.

- Definitive measurement of infrastructure resiliency is needed to understand the impact different scenarios may have on the DNS server.

- Comprehensive, up-to-date Attack Portfolio: Testers must be able to generate a wide variety of attacks aimed at exploiting DNS, and stay on top of emerging threats. To this end, services like Ixia's Application and Threat Intelligence (ATI) deliver relevant and current threats. The ATI service provides updates to protocols, applications, and exploits every two weeks, and includes many prebuilt tests that can be used to test DNS-specific exploits.

- Combined Real and Attack Traffic: The general traffic profile of a DDoS attack consists of a large number of network sources directing traffic at a single point or small group of targets. In assessing security defenses, it's essential to create blended scenarios that include both legitimate DNS traffic and attack traffic (DDoS, DNS exploits, tunneling). A successful defensive posture distinguishes between the two and mitigates attacks by dropping malicious traffic while continuing to respond to legitimate DNS requests. The objective, after all, is not so much thwarting attacks as maintaining high-performing services.

- Flexibility: As we've said, one size does not fit all. While many elements of testing (and also measures of success) may be considered constants, all networks are unique. Test topologies and methodologies must be flexible enough to accommodate important variances like patterns of valid user queries, vulnerabilities inherent in DNS services and defenses, and ultimately, the level of DDoS exposure an organization views as acceptable.

Because these combined capabilities are both essential and hard to build from scratch, purpose-built systems like the Ixia BreakingPoint test solution and Infoblox Advanced DNS Protection for production DNS server deployment introduce massive cost-efficiencies while improving the quality and reliability of results. This, in turn, works to ensure the highest possible customer experience.

For example, performing a series of measurements using the Ixia BreakingPoint solution helps to isolate DNS vulnerabilities and validate that DNS DDoS defenses are secure and stable under a global, custom, and current mix of application and attack traffic. Similarly, the Infoblox Advanced DNS Protection solution enables operators to deploy a hardened, carrier-class DNS infrastructure that is highly resilient against all forms of attacks on DNS (whether volumetric or exploit-based), one that can be updated quickly and easily, without resorting to maintenance windows as threats evolve.

Part III: Putting DNS Defenses to the Test: A Proven Test Methodology

To assess security, operator IT teams need to stress DNS servers and measure the impact on response times and total capacity under attack scenarios. This section provides a brief overview of when and how to test.

When to Run Tests

To improve DNS defenses over the long term, testing should occur at various junctures during the deployment life-cycle:

- Baseline assessments of existing DNS service and defenses aid in understanding how existing infrastructures will respond to the next inevitable attack. This helps in determining what actions to take to reach and maintain acceptable levels of DNS DDoS exposure. Testing begins with measuring queries only, and progresses to assessing the overall infrastructure.
- During Proof of Concepts (POCs), to ensure the best possible technology investments. Results are used to compare potential new vendor technologies using quantifiable data.
- As part of change control, testing assures that patches and configuration changes do not increase the attack surface.
- Periodically, to validate that existing technologies will withstand attacks.

DNS Defense Testing Topologies

Best practices dictate starting testing in a closed environment where only the DNS elements are being evaluated. This eliminates network dependencies that may complicate and slow initial testing. Systems such as Ixia BreakingPoint can generate internal and external queries to the DNS server only, or to DNS and firewall elements, as shown in the topology on the left in the diagram to the right. Alternatively, BreakingPoint can also add full stateful behavior of internal application servers to test all elements of the firewall or next-gen firewall DNS defenses, as shown in the middle topology.

To test the full DNS infrastructure that includes the interaction between DNS servers, firewalls, and application servers, a more complex testing topology must be built. Ixia BreakingPoint provides all the important elements, including internal and external DNS client simulation, as shown in the topology on the right.

[Figure: DNS Defense Test Topology. Three panels: DNS Queries; DNS and Defenses; DNS Infrastructure. Elements shown: BreakingPoint Client, DNS Server, App Server]

To conduct comprehensive testing, some sophisticated operator IT departments have built pre-deployment labs featuring scaled-down replicas of their actual live networks. As an alternative to maintaining a full lab, elements of the live network may be tested during maintenance windows.

The 7-Step Test Methodology

The recommended seven-step approach to assessing DNS performance and security progresses from measuring best-case performance (the capacity of the device with no threats) to modeling target mixes of DNS features, DNS queries, user behavior, traffic volumes, DoS, and exploits. The more advanced stages of the methodology hinge on users' ability to select the attack profiles of vulnerabilities most applicable to their unique network environments.

No standard method of acceptance criteria exists. Each company must determine the capacity and level of responsiveness to valid user queries that is acceptable while under attack.

Step 1. Baseline Application Performance: Maximum Queries

Here, we determine the maximum rate at which the DNS solution is able to respond to queries with only good traffic. This establishes a baseline to work from in order to better understand the impact of DDoS on the DNS solutions. The workload of legitimate queries should model the behavior of the network. For example, creating a single repetitive test query at high speed is easy to set up, but will cause unrealistically favorable results in terms of DNS queries.

Other considerations in establishing a baseline to be used as a comparative metric while under attack include:
- What is the highest DNS query rate the server can handle without dropping queries?
- What is the DNS latency/response time?
- How does response time vary under load?

Step 2. Application Traffic with Botnet: DNS Query Single Domain Name

Step 2 determines DNS performance and mitigation capabilities while under real application traffic loads, and when subjected to a flood of DNS queries for a single domain name.

Step 3. Application Traffic with Botnet: DNS Query Multiple Domain Names

Here, DNS performance and mitigation capabilities are determined while under real application traffic loads and subjected to a flood of DNS queries for multiple domain names.

Step 4. Application Traffic with Botnet: DNS Query Random Domain Names

This step determines DNS performance and mitigation capabilities while under real application traffic loads and subjected to a flood of DNS queries for random domain names.

Step 5. Application Traffic with Botnet: DNS Susceptibility to Amplification Attacks

DNS performance and mitigation capabilities are determined while under real application traffic loads and when subjected to a flood of spoofed queries to the caching nameserver.

Step 6. Application Traffic with IP, UDP, and TCP Fuzzing

This test determines the ability of the DNS defenses to handle malformed packets. The test system sends malformed IP, UDP, TCP and Ethernet packets produced by fuzzing techniques to the DNS elements. The fuzzing technique will modify a part of the packet (checksum, protocol options, etc.) to generate corrupt data.

Step 7. Application Traffic with DNS Server Infrastructure Vulnerabilities

Finally, the security effectiveness of DNS infrastructures defending against known platform vulnerabilities is determined. At this stage, adequate patching and configuration settings for the DNS platform will be determined.
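
The following is an added example, not part of the white paper or of either vendor's tooling: one way to answer the Step 1 baseline questions from recorded measurements and then score runs from the later steps against company-chosen acceptance criteria. The record layout, the threshold values, the sample measurements and all names are constructed assumptions.

```python
"""Score DNS defense test runs against a Step 1 baseline (added example)."""
from dataclasses import dataclass
from math import ceil


@dataclass
class LoadStep:
    offered_qps: int      # legitimate query rate offered to the DNS solution
    sent: int             # legitimate queries sent during the step
    answered: int         # legitimate queries that received a response
    latencies_ms: list    # sampled response times of answered queries


@dataclass
class AttackRun:
    name: str             # which step of the methodology the run models
    legit: LoadStep       # legitimate traffic measured while under attack
    attack_sent: int      # attack queries generated by the test system
    attack_answered: int  # attack queries the DNS solution still answered


def percentile(values, pct):
    """Nearest-rank percentile; None when the sample is empty."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def max_lossless_rate(steps):
    """Highest offered rate reached before the first step that drops queries."""
    best = 0
    for step in sorted(steps, key=lambda s: s.offered_qps):
        if step.answered < step.sent:
            break
        best = step.offered_qps
    return best


def latency_profile(steps):
    """(offered_qps, p50, p95) per step: how response time varies under load."""
    return [(s.offered_qps, percentile(s.latencies_ms, 50),
             percentile(s.latencies_ms, 95))
            for s in sorted(steps, key=lambda s: s.offered_qps)]


def evaluate(run, baseline_steps, criteria):
    """Compare one attack run with the baseline step at the same offered rate."""
    base = next((s for s in baseline_steps
                 if s.offered_qps == run.legit.offered_qps), None)
    if base is None:
        raise ValueError(f"no baseline at {run.legit.offered_qps} qps")
    failures = []
    ratio = run.legit.answered / run.legit.sent if run.legit.sent else 0.0
    if ratio < criteria["min_legit_answered"]:
        failures.append(f"legit answered {ratio:.1%}")
    base_p95 = percentile(base.latencies_ms, 95)
    run_p95 = percentile(run.legit.latencies_ms, 95)
    if run_p95 is None or run_p95 > base_p95 * criteria["max_p95_factor"]:
        failures.append(f"p95 {run_p95} ms vs baseline {base_p95} ms")
    dropped = (1 - run.attack_answered / run.attack_sent
               if run.attack_sent else 1.0)
    if dropped < criteria["min_attack_dropped"]:
        failures.append(f"attack dropped {dropped:.1%}")
    return {"run": run.name, "passed": not failures, "failures": failures}


def score_runs(runs, baseline_steps, criteria):
    return [evaluate(r, baseline_steps, criteria) for r in runs]


# Constructed sample measurements (not real test results).
BASELINE = [
    LoadStep(10_000, 600_000, 600_000, [2, 2, 3, 3, 3, 4, 4, 5, 5, 6]),
    LoadStep(20_000, 1_200_000, 1_200_000, [2, 3, 3, 4, 4, 4, 5, 6, 7, 8]),
    LoadStep(40_000, 2_400_000, 2_400_000, [3, 4, 4, 5, 6, 6, 8, 9, 11, 14]),
    LoadStep(80_000, 4_800_000, 4_512_000, [6, 9, 12, 15, 19, 24, 31, 40, 55, 90]),
]
RUNS = [
    AttackRun("Step 2: single domain name",
              LoadStep(20_000, 1_200_000, 1_198_800,
                       [2, 3, 4, 4, 5, 5, 6, 7, 9, 12]),
              attack_sent=6_000_000, attack_answered=60_000),
    AttackRun("Step 4: random domain names",
              LoadStep(20_000, 1_200_000, 1_104_000,
                       [4, 6, 9, 12, 15, 21, 28, 35, 48, 70]),
              attack_sent=6_000_000, attack_answered=2_400_000),
]
# Assumed acceptance criteria; each operator sets its own.
CRITERIA = {"min_legit_answered": 0.99, "max_p95_factor": 2.0,
            "min_attack_dropped": 0.95}

if __name__ == "__main__":
    print("max lossless rate:", max_lossless_rate(BASELINE), "qps")
    for row in latency_profile(BASELINE):
        print("qps=%d p50=%s ms p95=%s ms" % row)
    for result in score_runs(RUNS, BASELINE, CRITERIA):
        print(result)
```

Scoring legitimate-query success and latency separately from the share of attack traffic dropped keeps the focus on service quality under attack, which is the objective the paper sets for a blended test.
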

Part IV: About Two Leading Solutions

Throughout this paper, we've mentioned two leading solutions that combine to help mobile operators evaluate and improve their DNS defenses. This section provides insight into the capabilities and advantages provided by each.

Infoblox Advanced DNS Protection

Infoblox offers a completely integrated solution to provide the most comprehensive DNS protection for ISP, telco, cable, and mobile network infrastructures. Its new carrier-grade Advanced DNS Protection solution protects DNS against DDoS and other attacks. An all-new family of Advanced DNS appliance servers delivers carrier-grade protection to ensure DNS services are always available, even in the midst of an attack.

The Infoblox Advanced DNS Protection Solution is able to:
- Separate legitimate DNS traffic from DDoS attacks
- Mitigate attacks by dropping DDoS queries and responding to legitimate DNS requests
- Maintain DNS service even during an attack
- Deliver network-wide reporting visibility of all attacks
- Support real-time automatic threat rule updates

For more information please visit

Ixia BreakingPoint

Leading service providers, enterprises, and equipment manufacturers worldwide trust Ixia's BreakingPoint security test solution to harden and optimize new designs and ongoing defenses. BreakingPoint tests networks and infrastructure devices against the behavior of millions of simulated users downloading rich media content, placing calls, purchasing music, browsing the Web or unknowingly sharing the latest malware.

A BreakingPoint solution replaces racks of equipment and complicated setup procedures with a single-chassis solution and single user interface. The system also delivers realistic city- or even nationwide scale. BreakingPoint has the unique ability to create large volumes of legitimate DNS queries mixed with malicious DNS activity. To aid in validation, BreakingPoint's ATI includes more than 80 DNS-specific attacks including DNS reflection and supports DNSSEC and DNS protocol fuzzing.

Real-world applications include:
- 200+ application protocols
- Social, peer-to-peer, voice, video, storage
- Web, enterprise applications, gaming
- Custom applications

Real attacks generated include:
- 6,000+ live security attacks
- 35,000+ pieces of live malware
- 180+ evasions
- DDoS and botnet simulation
- Custom attacks
- Updates every 2 weeks to keep databases current

Ixia offers BreakingPoint on multiple hardware platforms to match the scale of your network.

Conclusion

For DNS to keep doing its job, evaluation and defense strategies must continue to evolve in response to the increased deployment and growing vulnerability of servers. The approach described here will go a long way in helping operators assess new devices and techniques as well as their overall readiness, resilience, and ability to recover from attacks.

As we've seen, new deployments must be tested against, then optimized for, real-life network environments. From there, ongoing assessment allows adjustments to be made quickly to accommodate rising traffic volumes and meet the demands of the ever-changing threat landscape and ever-more-demanding users.
More informationVALIDATING DDoS THREAT PROTECTION
VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationWHITE PAPER. Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment
WHITE PAPER Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment www.ixiacom.com 915-6892-01 Rev. A, July 2014 2 Table of Contents The Challenge of the Virtual Environment...
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationSHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper
SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch
More informationEvaluating Wireless Broadband Gateways for Deployment by Service Provider Customers
Evaluating Wireless Broadband Gateways for Deployment by Service Provider Customers Overview A leading provider of voice, video, and data services to the residential and businesses communities designed
More informationHow To Protect Your Network From Attack From A Network Security Threat
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
More informationCloud Security In Your Contingency Plans
Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect
More informationWhy Is DDoS Prevention a Challenge?
ANALYST BRIEF Why Is DDoS Prevention a Challenge? PROTECTING AGAINST DISTRIBUTED DENIAL-OF-SERVICE ATTACKS Authors Andrew Braunberg, Mike Spanbauer Overview Over the past decade, the threat landscape has
More informationFirst Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive
More informationWHITE PAPER. Best Practices for Deploying IPv6 over Broadband Access
WHITE PAPER Best Practices for Deploying IPv6 over Broadband Access www.ixiacom.com 915-0123-01 Rev. C, December 2013 2 Table of Contents Udi cusciamenis minctorpos... 4 Toreptur aut dolo cone verum aute
More informationSolution Brief. Secure and Assured Networking for Financial Services
Solution Brief Secure and Assured Networking for Financial Services Financial Services Solutions Page Introduction To increase competitiveness, financial institutions rely heavily on their networks to
More informationFirst Line of Defense to Protect Critical Infrastructure
RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B
More informationFirewall Testing Methodology W H I T E P A P E R
Firewall ing W H I T E P A P E R Introduction With the deployment of application-aware firewalls, UTMs, and DPI engines, the network is becoming more intelligent at the application level With this awareness
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationComplete Protection against Evolving DDoS Threats
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
More informationwww.prolexic.com Stop DDoS Attacks in Minutes
www.prolexic.com Stop DDoS Attacks in Minutes Prolexic gives us the strong insurance policy against DDoS attacks that we were looking for. Mark Johnson, Chief Financial Officer, RealVision You ve seen
More informationManage the unexpected
Manage the unexpected Navigate risks and thrive Today s business world is threatened by a multitude of online security risks. But many organizations simply do not have the resources or expertise to combat
More informationV-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks
Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against
More informationLeader in Converged IP Testing. Security Testing For Financial Institutions
Leader in Converged IP Testing Security Testing For Financial Institutions 915-1784-01 Rev B July 2012 2 Contents Introduction...4 Security Threats...6 The Payoff...11 Introduction Major security breaches
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationIxLoad-Attack: Network Security Testing
IxLoad-Attack: Network Security Testing IxLoad-Attack tests network security appliances determining that they effectively and accurately block attacks while delivering high end-user quality of experience
More informationWHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency
WHITE PAPER Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency www.ixiacom.com 915-6893-01 Rev. A, July 2014 2 Table of Contents Summary... 4 Introduction... 4 Differing Goals
More informationHow to Evaluate DDoS Mitigation Providers:
Akamai White Paper How to Evaluate DDoS Mitigation Providers: Four Critical Criteria How to Evaluate DDoS Mitigation Providers 2 TABLE OF CONTENTS INTRODUCTION 3 CRITERIA #1: THREAT INTELLIGENCE 3 CRITERIA
More informationData Center Automation - A Must For All Service Providers
WHITE PAPER Automation: The Future of Network Visibility www.ixiacom.com 915-6617-01 Rev. A, November 2013 2 Table of Contents Executive Summary... 4 The Need for Monitoring Switch Automation in the Data
More informationAre You Fully Prepared to Withstand DNS Attacks?
WHITEPAPER Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure
More informationFirst Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Gain comprehensive visibility into DDoS attacks and cyber-threats with easily accessible
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationSecurityDAM On-demand, Cloud-based DDoS Mitigation
SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS
More informationWhite Paper A10 Thunder and AX Series Load Balancing Security Gateways
White Paper A10 Thunder and AX Series Load Balancing Security Gateways June 2013 WP_LB FW 062013 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its
More informationWhite Paper. Five Steps to Firewall Planning and Design
Five Steps to Firewall Planning and Design 1 Table of Contents Executive Summary... 3 Introduction... 3 Firewall Planning and Design Processes... 3 Step 1. Identify Security Requirements for Your Organization...
More informationBlocking DNS Messages is Dangerous
Blocking DNS Messages is Dangerous Florian Maury, Mathieu Feuillet October 5-6, 2013 F Maury, M Feuillet Blocking DNS Messages is Dangerous October 5-6, 2013 1/25 ANSSI Created in 2009, the ANSSI is the
More informationDDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest
DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service
More informationTECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory
TECHNICAL WHITE PAPER Infoblox and the Relationship between DNS and Active Directory Infoblox DNS in a Microsoft Environment Infoblox is the first, and currently only, DNS/DHCP/IP address management (DDI)
More informationWHITE PAPER. Security Testing For Financial Institutions
WHITE PAPER Security Testing For Financial Institutions www.ixiacom.com 915-1784-01 Rev. C, January 2014 2 Table of Contents Introduction... 4 The Need for Security Testing... 6 Security Threats... 6 Client
More informationProtect your network: planning for (DDoS), Distributed Denial of Service attacks
Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationHow To Protect Yourself From A Dos/Ddos Attack
RELEVANT. INTELLIGENT. SECURITY White Paper In Denial?...Follow Seven Steps for Better DoS and DDoS Protection www.solutionary.com (866) 333-2133 In Denial?...Follow Seven Steps for Better DoS and DDoS
More informationWhite paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.
TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...
More informationDefense In Depth To Fight Against The Most Persistent DDoS
Defense In Depth To Fight Against The Most Persistent DDoS All enterprises with an Internet presence should worry about Distributed Denial-of-Service (DDoS) - some more than others. It is a fact of life
More informationMcAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.
Optimize your defense, resilience, and efficiency. Table of Contents Need Stronger Network Defense? Network Concerns Security Concerns Cost of Ownership Manageability Application and User Awareness High
More informationA Layperson s Guide To DoS Attacks
A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4
More informationWhy an Intelligent WAN Solution is Essential for Mission Critical Networks
Why an Intelligent WAN Solution is Essential for Mission Critical Networks White Paper Series WP100135 Charles Tucker Director of Marketing June 1, 2006 Abstract: Reliable Internet connectivity is now
More informationCisco SAFE: A Security Reference Architecture
Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed
More informationHow To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)
McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload
More informationProtecting DNS Infrastructure Inside and Out
Protecting DNS Infrastructure Inside and Out How to combat a pervasive threat that is doing serious harm to businesses every day How to combat a pervasive threat that is doing serious harm to businesses
More informationIxChariot Virtualization Performance Test Plan
WHITE PAPER IxChariot Virtualization Performance Test Plan Test Methodologies The following test plan gives a brief overview of the trend toward virtualization, and how IxChariot can be used to validate
More informationBEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without
More informationGame changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE
Game changing Technology für Ihre Kunden Thomas Bürgis System Engineering Manager CEE Threats have evolved traditional firewalls & IPS have not Protection centered around ports & protocols Expensive to
More informationIntroduction to DDoS Attacks. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter
Introduction to DDoS Attacks Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News Q1 2014 DDoS Attack Trends DDoS Attack Trends Q4 2013 Mobile devices
More informationspirent Test the security, performance and scalability of your app-aware infrastructure
spirent Avalanche NEXT Test the security, performance and scalability of your app-aware infrastructure Avalanche NEXT The App-Aware Challenge The deployment of application-aware infrastructure brings with
More information2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer
2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises
More informationDDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
More informationWHITE PAPER. SDN Controller Testing: Part 1
WHITE PAPER SDN Controller Testing: Part 1 www.ixiacom.com 915-0946-01 Rev. A, April 2014 2 Table of Contents Introduction... 4 Testing SDN... 5 Methodologies... 6 Testing OpenFlow Network Topology Discovery...
More informationEvaluating IPv6 Firewalls & Verifying Firewall Security Performance
Next Generation IPv6 Network Security IPv6 Summit Bonn 30 th June 2004 Evaluating IPv6 Firewalls & Verifying Firewall Security Performance [ Vital questions to ask your firewall vendor ] Yvon Rouault Agilent
More informationThis document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More information