Kaspersky DDoS Prevention

Transcription

1 Kaspersky DDoS Prevention The rapid development of the online services industry and remote customer service systems forces entrepreneurs to consider how they can protect and ensure access to their resources. This involves enormous efforts, including deployment of all kinds of different systems for redundancy and disaster recovery. However, all of these efforts can prove futile when faced with one particular threat that is impossible to fully safeguard against: DDoS attacks. Distributed denial-of-service (DDoS) attacks involve simultaneous, concerted attacks by a large number of computers with the goal of overloading a target computer system to the point of failure. In other words, DDoS attacks intentionally create conditions in which legitimate users of a system can no longer access or have difficulty accessing resources or services normally offered by that system. DDoS attack overview Zombie Resource User All DDoS attacks can be classified into two types: a communication channel of a targeted network is flooded with a large amount of garbage traffic; a server that hosts a targeted resource is flooded with a large amount of garbage requests that overload the computing capacity of the server and in turn prevent the server from processing legitimate requests. The danger of DDoS attacks is that even if they are aimed solely at one particular network resource, they can still affect other resources and systems located on the same network segments as the targeted resource. Though most attacks in the past predominately targeted internet portals, recently other services and applications available on the Internet have become more and more frequently targeted by DDoS attacks. For example, an attack on servers can disrupt the normal functioning of the entire organization s business processes, while overloaded network channels resulting from an attack on an internet portal can disrupt communications between a company s affiliate offices and branches or paralyze the entire network of terminals.

2 Kaspersky DDoS Prevention Depending on the type of business a company is engaged in, denial of services caused by DDoS attacks could result in the following: drops in sales; losses from disrupted advertisement; dissatisfaction among customers or partners; disrupted business processes; concealment of other types of attacks being conducted at the same time; direct losses from disrupted electronic trading systems and other systems. For a variety of reasons, DDoS attacks are unfortunately becoming easier to implement. For example, one day of DDoS attacks can cost as little as dollars, making DDoS attacks a more and more common weapon used against competitors. According to Kaspersky Lab statistics, all types of businesses are becoming the targets of DDoS attacks. Unfortunately, the following commonly used defense measures are not able to fully counteract DDoS attacks: network firewalls and IDS/IPS systems reside directly in front of the resource they protect, but are useless against an overload of the communication channel; routing to so-called black holes implemented by internet providers can help block traffic from attacks, but it also blocks requests from legitimate users, meaning that the perpetrators of DDoS attacks have Most targeted sites based on internet activity (data from Review of DDoS Attacks, 2011) achieved their goal: to make the resource unavailable to users. optimizing the configurations of resources helps only against small-scale attacks; multi-level redundancy of resources is an extremely expensive and therefore unfeasible method for most organizations. Defense against DDoS attacks has recently been given more attention in industry standards and best practices literature in the field of information security. Document FFIEC Gramm-Leach Bliley Sarbanes Oxley USA Patriot Act Basel II 7% 3% Specific sections that cover DDoS defense Availability security objectives Protect Security and Confidentiality of Customer s Non-Public Personal Information Protect Against Anticipated Threats and Hazards to Information Security Establish Disaster Recovery and Business Continuity Program Secure Information Infrastructure Safeguard Information Assets Implement Risk Based Systems and Monitoring Monitoring of Risks Business Continuity Plans Implementation of Risk Mitigation 3% 1% 1% 25% Kaspersky DDoS Prevention is a powerful distributed traffic filtering system consisting of geographically distributed, high-performance traffic cleaning s connected to the Internet over high-speed communication channels. This solution enables you to withstand practically any DDoS attack. To detect parasitic traffic during an attack, the Kaspersky DDoS Prevention system uses the following criteria for traffic filtering: statistical: based on analyzing deviations of statistical traffic parameters from average values; static: based on blacklists and whitelists, including lists compiled by user applications through APIs; behavioral: based on analyzing adherence or non-adherence to the specifications of application protocols; signature: based on analyzing individual, unique behaviors of specific attack sources, commonly known as bots. Example statistical filtering profile In addition to its package of software components and the necessary hardware, the system also includes personnel who support and maintain the system, interact with clients, and conduct analysis that enables effective management of the system. The Kaspersky DDoS Prevention system includes the following main components: sensor; traffic cleaning ; control subsystem; portal. Sensor The purpose of the sensor is to collect information on traffic directed at a specific resource of a client and provide that information to the Kaspersky DDoS Prevention system for analysis and prompt detection of any anomalies. Based on the information received from the sensor, the Kaspersky DDoS Prevention system builds statistical traffic profiles, which enables quick detection of any deviations in a resource s traffic parameters and establishment of criteria for statistical traffic filtering methods. Monday Tuesday Wednesday Thursday Friday Saturday Sunday Internet trading Gaming sites Trade venues Mass media Transportation Other business sites 8% Banks Government resources Adult sites Other 8% Blogs and forums 11% 20% 13% 2 3

3 Traffic cleaning s Control subsystem Portal The purpose of the cleaning is to clean up, or filter out traffic forwarded from a parasitic source. The cleaning is comprised of a software component deployed on several servers that serve as the following: filtering router that decides whether to forward specific traffic based on a filtering profile sent from the control subsystem; proxy server that forwards cleaned traffic to the client s resource. One cleaning can serve several network resources of one or several different clients. The control subsystem coordinates the operation of all components of the system and evenly distributes loads among all system components. Kaspersky DDoS Prevention system interface The portal is simply a web portal used by the client of the Kaspersky DDoS Prevention system to manage system operation settings and analyze resource traffic parameters and detected anomalies. Kaspersky DDoS Prevention system architecture Zombie User Internet Control Client resource Sensor subsystem Portal 4 5

4 Competitive advantages of Kaspersky DDoS Prevention About Kaspersky Lab The Kaspersky DDoS Prevention system is an effective distributed traffic filtering system that is ready to take on virtually any DDoS attack. The geographical distribution of the system s components ensures its reliability, making it impossible for all components to simultaneously fail for whatever reason. The Kaspersky DDoS Prevention system does not depend on one specific provider, thereby increasing its reliability and fault tolerance. The Kaspersky DDoS Prevention system is supported 24-7 by a team of professionals that has already spent 5 years working on issues related to DDoS attack prevention, constantly studying the methods and techniques used by malicious perpetrators to attack Internet resources. Kaspersky DDoS Prevention system components include an entire set of statistical, signature, behavioral, and other methods to filter traffic, which helps protect resources from highly sophisticated attacks that have already penetrated other levels of protection, including low-rate attacks. The Kaspersky DDoS Prevention system includes a feature that detects attacks by using sensors deployed in close proximity to a protected resource, which enables immediate reaction to any deviations in traffic. The Kaspersky DDoS Prevention system operates based on an individual approach to protecting each specific resource or network service. Individual traffic filtering profiles are created for each protected resource in the system. The Kaspersky DDoS Prevention system was developed by one of the top anti-virus companies whose analysts constantly study the latest releases of malicious software. Kaspersky Lab includes a special department that focuses exclusively on studying zombie networks and how to neutralize them, and for that reason we possess the very latest information on the methods used by malicious perpetrators and can effectively counteract them. The Kaspersky DDoS Prevention system can be implemented either in advance to prevent potential attacks or after an attack has already begun. After an attack, Kaspersky Lab experts can prepare the client a complete packet of documents to turn over to law enforcement agencies if the client requests it. The Kaspersky DDoS Prevention system is a flexible solution based not simply on a fixed set of parameters but also on a set of rules that can be manually configured by system analysts, right in the middle of an attack response. Kaspersky DDoS Prevention functionality can also be updated right in the middle of an attack response. Its multi-level hybrid filtering using behavioral and statistical analysis helps repel attacks being launched simultaneously against many other protection systems. While defense measures are being undertaken, Kaspersky DDoS Prevention system administrators provide the client with recommendations on how to continue managing their protected web sites and other resources. Though an attack could be powerful enough to overload the channels of a specific small-scale service provider, Kaspersky DDoS Prevention cleaning s are connected to the Internet through several different providers over high-speed channels, making them extremely difficult to overload. While an Internet provider that implements its own DDoS protection measures on its network can only protect its own clients, the Kaspersky DDoS Prevention system can protect any resource at any location on a network. The Kaspersky DDoS Prevention system is currently deployed by many different companies to protect their network infrastructure, and this enables Kaspersky Lab experts to constantly study new mechanisms and characteristics of botnets. Kaspersky Lab is Europe's largest producer of systems designed to protect against malicious or unwanted software, hacker attacks, and spam. The company is one of the top four global producers of information security software solutions. In 2010, company revenues grew by 38% and exceeded 500 million USD. Kaspersky Lab employs over 2300 highly-skilled experts. The company s products reliably protect the computers and mobile devices of over 300 million users throughout the world, and the company s technologies are implemented in the products of the largest global suppliers of software and hardware solutions. For more information, you can visit the company website at. 6 7

5 Kaspersky DDoS Prevention 2012 Kaspersky Lab ZAO. All Rights Reserved. All trademarks and service marks mentioned in this document are the property of their respective owners.