NSFOCUS Anti-DDoS System White Paper


By NSFOCUS

NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS holds all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes, and other contents, unless otherwise specified, which are governed by the relevant property rights and copyright laws. Without the written permission of NSFOCUS, no individual or institution may copy or quote any section herein in any way.

Table of Contents

Introduction ... 1
Intense Threat of DDoS ... 2
  Attack Analysis ... 2
  Current Trends ... 3
  Necessity of DDoS Prevention ... 4
Deficiency of Today's Attack Countermeasures ... 6
  Manual Prevention ... 6
  Fallback Policy ... 6
  Router ... 6
  Firewall ... 7
  IPS/IDS ... 8
Basic Requirements of DDoS Prevention ... 9
  Consummate Prevention Strategy ... 9
  An Evolving Prevention Principle
NSFOCUS Anti-DDoS System
  Triple Play Integrated Solution
  Deployment Modes
  Core Principles
  System Features
  Professional Customer Support
Conclusion

Introduction

A Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack is an attempt to make an Internet service or network resource unavailable to its intended users. DDoS has become a popular attack method because it is easy to accomplish, difficult to prevent, and hard to trace. DDoS attacks can be classified in various ways depending on the criterion used. For example, by the attack method used, a DDoS attack can be classified as resource exhaustion, service termination, or physical violation. DDoS attacks usually exploit network protocol vulnerabilities, or consume the limited bandwidth of a network or a device, to take down the service or resource. Owing to the fact that DDoS attacks can be designed to evade the protective measures of common network security devices such as firewalls and intrusion detection systems, preventing them is a constant challenge for network administrators.

Unlike traditional attacks designed to sneak into a target's business system and illegally obtain information, DDoS attacks are meant to cause destruction by overloading the target servers, network links, or network devices (such as firewalls and routers) with a large amount of traffic in order to crash the entire system. As a result, legitimate users are prevented from accessing services as usual. As prevention measures become more and more inadequate in the face of DDoS attacks that are becoming easier to launch, the threat posed by DDoS attacks is severe and real.

The targets of DDoS attacks are not limited to a single resource, such as a web server or a network device, but can be an entire network. Many network infrastructures, including routers and switches on the convergence and core layers, as well as the DNS (Domain Name Service) systems of ISPs (Internet service providers), have suffered DDoS attacks to some extent. In October 2002, a massive attack on eight of the thirteen root domain name servers affected communication over the entire Internet.

The Internet is increasingly necessary for conducting business and providing critical services. Accordingly, losses from DDoS attacks are felt more directly. Yet network devices and traditional boundary security devices (such as firewalls and intrusion detection systems) cannot provide adequate prevention against DDoS attacks. Specially designed smart mitigation systems are required to stop the destruction caused by DDoS attacks.

1 / 24 - White Paper

Intense Threat of DDoS

DDoS attacks are often carried out via zombie systems unleashed onto the Internet. With the vast number of unprotected personal computers connected to the Internet, hackers can easily exploit vulnerabilities, plant code on these computers, and turn these personal devices into zombie tools for DDoS attacks. To initiate a massive DDoS attack, hackers send certain commands to the zombies, and the zombies carry out the attack by themselves. By combining numerous zombies into botnets, hackers can create stupendous traffic and saturate all available bandwidth of the target in a DDoS attack.

Attack Analysis

How does a DDoS attack work? From the perspective of criminology, any attack usually involves three elements: method, opportunity, and motive. In the following, we analyze DDoS attacks in terms of these three elements.

Attack Methods

A typical DDoS attack exploits the normal function of packet transmission on the Internet by unleashing a torrent of packets to overwhelm the target network device or server. A hacker sends packets that exploit the defects of some protocols, and the network device or server tries to process the packets as usual. But these exploitative packets rapidly consume system resources as the network device or server tries to respond, and the legitimate service requests from actual users end up being denied. The main difficulty in preventing DDoS attacks lies in the fact that illegal traffic is blended with legal traffic, so DDoS attacks cannot be effectively detected in the prevention stage. Another DDoS attack method is to use spoofed source IP addresses to evade the tools that check for anomalies to identify attack traffic.

In general, DDoS attacks fall into the following types:

Bandwidth-based attacks: The hacker sends a large number of packets to congest the limited bandwidth and exhaust the resources of a target. Routers, servers, and firewalls usually have limited resources. When they are attacked and overloaded, legitimate traffic cannot get through, and a denial of service occurs.

Traffic-based attacks: The most common traffic attack is the flood method. A large number of TCP, UDP, and ICMP packets that seem legitimate are sent to the target, using spoofed source IP addresses to evade any detection system.

Application-based attacks: Application DDoS attacks exploit certain features of the TCP or HTTP protocol. By continuously occupying resources, hackers prevent the target device from processing legitimate access requests. Examples of this type of attack are the HTTP Half Open attack and the HTTP Error attack.

Attack Motive

Examining the numerous DDoS attacks that have occurred to date, we can see that the motive has been changing over time from pure show-off theatrics or a hacking hobby to pursuing concrete profits. This has also spawned a formidable commercial hacking segment of hired guns who do their work not for ideological reasons, but for pay. According to a recent Symantec study on Internet security threats, such illegal industrial hacker networks are growing in numbers and capabilities. Current research on Internet security shows that:
A. Most attacks are profit-driven;
B. Attacks tend to be carried out with expertise;
C. Hackers practice a clear division of responsibility, under a new business model that is disciplined and organized;
D. Multiple tools are used in an attack. The more common attack methods are used in the later attack phases, rather than at the beginning of the effort.

Current Trends

NSFOCUS has been engaged in DDoS attack detection, tracking, and research for more than 10 years. With this depth of knowledge, NSFOCUS has developed professional security solutions that are employed by clients around the globe to mitigate and prevent DDoS attacks. NSFOCUS research continues apace, with the latest NSFOCUS monitoring and analysis showing the following:
A. Increasing availability of DDoS tools on the Internet makes it easy to launch an attack. Hackers will use these tools ever more creatively, and new types of attacks will emerge.
B. One of the most popular methods is attack traffic flooding, frequently up to 100 Gbps at line speed. To achieve the desired volume and speed, hackers increasingly exploit cloud hosts and IDC high-performance servers as attack sources, and high-performance open servers (such as NTP and DNS) on the Internet have become popular attack sources for reflection attacks.
C. Attacks targeting application services are increasing.
D. A commercial for-profit business model of hacker collaboration in carrying out attacks has matured and grown in capabilities and coordination.
E. Attacks are increasingly complicated. Bandwidth exhaustion attacks are mixed with application attacks, and the overall result is that an attack becomes very difficult to prevent. The trend of hackers combining DDoS attacks with information theft in APT attacks is rising.
F. With higher penetration of IPv6 networks, DDoS attacks against IPv6 networks are trending upward.

Necessity of DDoS Prevention

Any service system working via a network, no matter for what purpose or at what economic value, should seriously plan for and invest in the prevention of DDoS attacks. Large enterprises, government organizations, and service providers need to protect their fundamental service systems (including web, DNS, mail, switches, routers, and firewalls) against DDoS attacks in order to ensure the continuity of their service operations for their customers. DDoS prevention is an operational cost, but the investment is absolutely worth the return.

For corporate and governmental networks, providing Internet access to service systems or websites is fundamental to business. Interruption of service or loss of access causes economic as well as reputational damage.

For Internet transactional businesses (including e-commerce, online gaming, and electronic payment services), the impact of DDoS attacks on operations and profit is huge. These sites are frequently targeted in DDoS attacks to cause disruption to business, but also to steal data and to extort company owners. The economic losses when a transaction business is brought down by an attack include reduced transactions, reputation and brand damage, and the cost of website recovery.

For telecommunication operators, network availability is a determinant of ROI. If the network is brought down, all hosted services become unavailable or their quality is impaired. In the highly competitive and fluid telecom market, poor service means the loss of customers to a competitor. On the other hand, for telecom operators or IDCs, offering DDoS prevention to customers not only protects against security risks but can also provide a value-added service in the product packages on offer. This is a new profit-growing opportunity in the industry.

Deficiency of Today's Attack Countermeasures

There are numerous network security products on the market today, but few of them can effectively defend against DDoS attacks. Due to deficiencies in design, none of the common security products such as firewalls, intrusion prevention systems, and routers can consistently and fully address today's complicated DDoS attacks. Although system optimization or a fallback/redundancy policy may be able to cope with low-traffic DDoS attacks, these methods cannot handle massive traffic or prevent the types of attacks that are currently trending.

Manual Prevention

Generally speaking, there are two ways to prevent DDoS attacks by manual operation:

System optimization: Identifying key parameters and enhancing their response ability to DDoS attacks is one prevention method. However, this method is only effective against low-traffic DDoS attacks.

Source IP tracing: The first response of a system administrator under a DDoS attack would be to consult the uplink network service carriers, which may be the ISP or the IDC, to find the source of the attack. But if the source IP address of the DDoS attack is forged, the process of finding the attack source often involves many carriers and judicial organizations. Even when the attack source is discovered, blocking traffic from it may also cause the loss of normal traffic. Moreover, with botnets and fresh DDoS attack methods constantly emerging, it becomes impossible to prevent DDoS attacks by network tracing.

Fallback/Redundancy Policy

Organizations may purchase redundant hardware to have a fallback option in response to DDoS attacks. But this method cannot prevent DDoS attacks, cannot handle massive traffic effectively, and delivers a low performance-price ratio for the business.

Router

Routers can be used to implement certain security measures, for example, setting an Access Control List (ACL) to filter illegitimate traffic. ACLs are usually set based on protocols or source addresses. But since most DDoS attacks adopt legal protocols (such as HTTP), this attack traffic will not be caught and filtered by the routers. Routers are also unable to prevent attacks that use source address spoofing to forge packets.

Another DDoS countermeasure using routers is Unicast Reverse Path Forwarding (uRPF), which blocks packets with forged source IP addresses at the network boundary. Against today's DDoS attacks this countermeasure is useless because, as the basic principle of uRPF, the router blocks or allows a packet at the outlet by determining whether its source IP address belongs to the internal subnet, and hackers can easily forge the address and evade the uRPF prevention policy. Besides, configuring uRPF on every router facing potential attack sources is difficult to achieve in practice.

Firewall

Firewalls are among the most commonly used security products. But DDoS attack prevention is not incorporated as a function of firewall design. In some cases, firewalls themselves become the target of DDoS attacks, which causes denial of service for the entire network.

Deficiency in DDoS detection capability: Firewalls are usually deployed in the network as layer-3 packet forwarding devices. They not only protect the intranet but also provide access to devices that provide external Internet services for internal needs. If DDoS attacks exploit legal protocols allowed by the servers, firewalls are unable to precisely separate attack traffic from hybrid traffic. Although some firewalls are equipped with embedded modules that can detect attacks, these detection mechanisms are generally signature-based, and firewalls consistently fail to recognize attacks if the DDoS hackers change the packets slightly. The detection of DDoS attacks depends instead on behavior-pattern algorithms.

Limitation of calculation capability: Traditional firewalls must perform intensive inspections to detect DDoS attacks, and there is a high cost associated with the amount of calculation necessary. Massive traffic in a DDoS attack, however, causes firewall performance to decline greatly, resulting in the ineffective completion of packet forwarding tasks.

Deployment location also influences a firewall's capability to prevent DDoS attacks. Traditional firewalls are generally deployed at the network ingress. To some extent, this type of deployment is a good way to protect all resources inside the network, but firewalls deployed in this way often become the targeted victims themselves in DDoS attacks, with the result that network performance suffers and legitimate user requests cannot be handled.

IPS/IDS

Currently, the most commonly used tools in attack prevention or detection are the IPS (Intrusion Prevention System) and IDS (Intrusion Detection System). But for DDoS attacks, IPS/IDS products often fall short. The reason is that although the IDS can detect attacks at the application layer, at its most basic level it is a signature-based mechanism that requires reassembling protocol sessions. Since most of today's attacks use legitimate packets, IPS/IDS products cannot detect them. Some IPS/IDS products have the capability to detect protocol anomalies, but this requires manual configuration by security experts, which is expensive and inflexible. IPS/IDS products were initially designed as signature-based attack prevention/detection tools for the application layer. But most DDoS attacks still feature a protocol anomaly at layer 3 and layer 4, which indicates that IPS/IDS techniques are not suitable for DDoS detection and prevention.

Basic Requirements of DDoS Prevention

Consummate Prevention Strategy

DDoS prevention generally includes two aspects. One aims to effectively detect the attack, even though the methods are constantly evolving, especially techniques that adopt multiple spoofing techniques. The other aims at reducing the impact on service systems or networks to ensure continuity and availability to customers. A consummate prevention strategy against DDoS attacks should meet the following requirements:
Identify specific attack traffic within background traffic.
Do not just detect, but also mitigate the impact of the attack.
Support deployment within each type of network outlet, ensuring performance and system structure integrity.
Build a system that is reliable and easy to expand.

Based on the above requirements, an anti-DDoS device should have the following features:
Response in real time via integrated detection and prevention mechanisms.
Identification of attack traffic within hybrid traffic, using anomaly detection based on behavior patterns.
Prevention capability aimed at massive DDoS attacks.
Flexible deployment modes to protect the current investment and to avoid a single point of failure.
Reduced dependence on network devices and fewer modifications to device configuration.
Communication via standard protocols to ensure maximum interoperability and reliability.

An Evolving Prevention Principle

The best design ideas for DDoS prevention have evolved from the initial approach of blocking attack traffic to today's preferred method of diverting attack traffic. Deployment modes have also become flexible. In-line (or transparent) deployment is applicable to networks with egress bandwidth of less than 2 Gbps. With this deployment, a DDoS solution is able to provide real-time and granular detection for smaller traffic volumes. For large-scale networks (such as ISPs), traffic diversion deployment is more suitable and less costly because it reduces the risk of a single point of failure, and even a small-capacity device can handle the cleaning work for a network with broad bandwidth, because not all traffic must pass through the cleaning equipment in real time.

Traffic diversion works as follows:
Detection: Detect DDoS attacks by monitoring the traffic or NetFlow.
Diversion: When a DDoS attack is detected, redirect the traffic to the anti-DDoS device. The diverted traffic contains both attack traffic and legitimate traffic.
Filtering and cleaning: Filter the attack traffic from the hybrid traffic through multilayer recognition functions, and send the attack traffic through cleaning.
Re-injection: After filtering and cleaning, send the cleaned traffic back to the mainstream of the network, where it is forwarded on to its original destination.

Traffic diversion deployment has the following advantages:
A. Diverts only suspicious traffic while allowing legitimate traffic to get through, thereby ensuring business continuity and performance.
B. Protects the entire network, rather than only the network ingress or the front of the server, as covered by in-line deployment.
C. Avoids blocking legitimate traffic due to a single point of failure.
D. Provides massive traffic cleaning to address bandwidth exhaustion attacks.
E. Supports remote traffic diversion.
F. Provides redundant prevention for different locations or regions by deploying several cleaning systems.
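The four-step diversion cycle described above, modelled end to end in Python as an added example (not NSFOCUS code): a baseline detector over flow records, an edge router whose table receives a /32 host route towards the cleaning device, a cleaner that drops half-open and abusive sources, and a downstream router that carries the re-injected traffic along its original path. All device names, prefixes, thresholds and flow records are constructed.

```python
"""Added example (not NSFOCUS code): a model of the traffic-diversion cycle
described in the text. Detection runs on flow records, diversion injects a
host route towards the cleaning device, cleaning filters the diverted traffic,
and re-injection hands the clean remainder to a downstream router that still
holds the original route. All names and values are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLEANER_HOP = "ads-cleaner"    # constructed next-hop label for the cleaning device
ORIGINAL_HOP = "core-edge-1"   # constructed next hop of the protected prefix


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    pps: int           # packets per second reported by the flow collector
    half_open: bool    # TCP flow that never completed its handshake


class Detector:
    """Step 1: flag destinations whose aggregate rate exceeds a learned baseline."""

    def __init__(self, baseline_pps, multiplier=5):
        self.baseline = baseline_pps   # dst -> normal pps (constructed)
        self.multiplier = multiplier

    def suspects(self, flows):
        total = defaultdict(int)
        for f in flows:
            total[f.dst] += f.pps
        # a host with no learned baseline is treated as suspect at any rate
        return {dst for dst, pps in total.items()
                if pps > self.multiplier * self.baseline.get(dst, 0)}


class Router:
    """Steps 2 and 4: a forwarding table; diversion injects a /32 host route."""

    def __init__(self, prefix_next_hops):
        self.routes = {ip_network(p): hop for p, hop in prefix_next_hops.items()}

    def next_hop(self, dst):
        addr = ip_address(dst)
        # longest-prefix match, so an injected /32 beats the covering /24
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def divert(self, host, hop):
        self.routes[ip_network(host + "/32")] = hop


class Cleaner:
    """Step 3: drop half-open and abusive sources, keep the remaining flows."""

    def __init__(self, per_source_pps_cap):
        self.cap = per_source_pps_cap
        self.dropped_pps = 0

    def clean(self, flows):
        kept = []
        for f in flows:
            if f.half_open or f.pps > self.cap:
                self.dropped_pps += f.pps
            else:
                kept.append(f)
        return kept


def run_cycle(flows, detector, edge, downstream, cleaner):
    """One detect/divert/clean/re-inject cycle. Returns the victim set and a
    map from each surviving flow to the next hop it is forwarded on."""
    victims = detector.suspects(flows)
    for v in victims:
        edge.divert(v, CLEANER_HOP)                            # step 2
    diverted = [f for f in flows if edge.next_hop(f.dst) == CLEANER_HOP]
    untouched = [f for f in flows if edge.next_hop(f.dst) != CLEANER_HOP]
    cleaned = cleaner.clean(diverted)                          # step 3
    # Step 4: the downstream router holds no diversion route (in practice the
    # clean traffic reaches it over a separate tunnel or VLAN), so re-injected
    # flows follow the original path instead of looping back to the cleaner.
    delivered = {f: edge.next_hop(f.dst) for f in untouched}
    delivered.update({f: downstream.next_hop(f.dst) for f in cleaned})
    return victims, delivered


def demo():
    # Constructed flow records: one host under a SYN flood from ten sources
    # plus one legitimate client, and a second host seeing only normal traffic.
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 3000, True) for i in range(1, 11)]
    flows.append(Flow("192.0.2.7", "203.0.113.10", 500, False))
    flows.append(Flow("192.0.2.8", "203.0.113.20", 800, False))
    detector = Detector({"203.0.113.10": 1000, "203.0.113.20": 1000})
    edge = Router({"203.0.113.0/24": ORIGINAL_HOP})
    downstream = Router({"203.0.113.0/24": ORIGINAL_HOP})
    cleaner = Cleaner(per_source_pps_cap=2000)
    victims, delivered = run_cycle(flows, detector, edge, downstream, cleaner)
    return victims, delivered, cleaner.dropped_pps, edge.next_hop("203.0.113.10")
```

Only the flooded host is diverted; the second host never touches the cleaner, which is the "diverts only suspicious traffic" advantage listed above.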

NSFOCUS Anti-DDoS System

NSFOCUS developed the NSFOCUS Anti-DDoS System (ADS) to meet the threat of DDoS attacks, including emerging and new methods. By inspecting all network traffic in real time, ADS can rapidly identify, filter, and divert attack traffic to prevent an attack from taking down the system while ensuring the transmission of normal traffic. ADS is easily deployed in diverse network environments. It eliminates the single point of failure issue and bolsters network availability and integrity.

Triple Play Integrated Solution

NSFOCUS offers an integrated solution with high performance and ease of management that is capable of traffic cleaning and providing protection to even very large networks. This solution combines the strengths of three NSFOCUS products: the anomaly traffic detection system, NSFOCUS Network Traffic Analyzer (NTA); the anomaly traffic cleaning system, NSFOCUS ADS; and the management and forensics system, NSFOCUS ADS-Management (ADS-M).

NSFOCUS ADS is an indispensable traffic filtering and cleaning system providing up to 40 Gbps of mitigation capability. In traffic diversion mode, several ADS devices can be deployed to prevent DDoS attacks of hundreds of Gbps.

NSFOCUS NTA is the detection device in the traffic cleaning system. NTA is mainly used for anomaly traffic detection and cooperates with NSFOCUS ADS. NTA collects traffic data and conducts in-depth analyses. If DDoS attack traffic is detected, NTA triggers the alert configured within the NOC (Network Operation Center) as predefined by the system operator, or automatically notifies ADS to redirect and clean the attack traffic.

NSFOCUS ADS-M is the management device for the traffic cleaning system. It is mainly used to collect data from ADS devices in different locations and to perform correlation analysis and processing. ADS-M also provides efficient prevention management by grouping users according to business zones and generating separate statistical reports for each group. With a built-in module for abnormal traffic analysis, ADS-M addresses a wide range of external and internal security threats. For monitoring and prevention at different nodes, ADS-M can perform centralized management with privilege assignment, attack source tracing, traffic analysis, and e-forensics. In addition, ADS-M services can meet a telecom carrier's needs by providing value-added services that can be marketed on to customers.

Deployment Modes

Utilizing advanced and intelligent detection algorithms, the NSFOCUS traffic cleaning system defends against DDoS attacks and provides different DDoS response systems to fit the different environments of enterprises, IDCs (Internet data centers), and telecom carriers.

In-line Deployment

In-line deployment is suitable for enterprises with a small number of servers or with low bandwidth. The ADS appliance is transparently deployed at the network ingress to detect, analyze, and block DDoS attacks. The topology is as follows:

(Figure: ADS in-line deployment)

Traffic Diversion Deployment

NSFOCUS ADS in traffic diversion deployment protects the critical infrastructure and business systems of ISPs, IDCs, and ICPs. Generally, a traffic detection appliance can be deployed at any location within the network, but ADS is deployed at the network ingress in an out-of-path mode. ADS chiefly monitors incoming traffic and detects the types and sources of DDoS attack packets in real time. When a suspicious DDoS attack is detected, NSFOCUS NTA notifies the ADS immediately. On receiving the notification, ADS triggers the traffic diversion mechanism and re-routes the suspicious traffic to itself, where the traffic is cleaned. The cleaned traffic is then sent back to the mainstream of the network and forwarded to its destination. During this process, the ADS-M system manages and records all procedures.

(Figure: ADS traffic diversion deployment)

Cleaning center deployment is always used to protect against massive DDoS attacks on large-scale IDCs, MANs, or backbone networks. An ADS cleaning center is a device group composed of several ADS appliances, connected to the network in out-of-path mode. When receiving an attack warning from the NTA, ADS employs its traffic diversion mechanism and distributes suspicious traffic across several ADS devices for traffic sanitization. This increases the attack prevention capability significantly. The NSFOCUS high-performance cleaning center designed for higher network locations (such as backbones, Metropolitan Area Networks (MANs), or the IDC egress) can also intelligently coordinate with the NSFOCUS cleaning center deployed at lower network locations in front of customer business systems, with in-line ADS devices, or with the NSFOCUS Web Application Firewall (WAF). This enables automatic cleaning of very large traffic volumes when the downstream DDoS traffic exceeds the link bandwidth or clogs the link.

(Figure: Cleaning Center deployment in an ISP network)

Core Principles

NSFOCUS ADS is based on an embedded system design. It creatively implements the algorithm for preventing DDoS attacks in the system core at the lowest layer of the protocol stack, and avoids the processing of upper-layer network stacks such as TCP, UDP, and IP, thereby reducing the overall cost of calculation. Combined with a specialized hardware acceleration algorithm, the efficiency of the ADS system is very high. The core technique structure is illustrated in the figure below.

(Figure: NSFOCUS ADS core technique structure)

Anti-spoofing verifies whether the source address and port of the packets are correct, and provides reverse detection on the basis of traffic statistics and analysis.

Protocol analysis checks whether the protocols comply with the RFC rules for the protocol type. If an anomaly is found, the cleaning system enables a statistical analysis mechanism. Different protocol analysis algorithms created by NSFOCUS decide whether to filter, restrain, or forward packets, depending on the protocol.

Customized application analysis applies the analysis pattern algorithm to prevent DDoS attacks of different protocol types, based on certain special protocol types such as DNS, HTTP, and VoIP SIP.

User behavior analysis reviews the traffic in the network, which often contains many protocols. It is usually very difficult for hackers to forge the access behavior of users, so there are differences between a hacker's behavior and a legitimate user's behavior. ADS collects data, analyzes statistics, traces, and analyzes users' event patterns to identify the real service traffic, and limits the bandwidth of, and applies credit penalties to, the attack traffic.

Dynamic fingerprint recognition: As a universal algorithm, fingerprint recognition is not tied to any protocol. The NSFOCUS Anti-DDoS technique takes statistics on a given byte range of the packet payload through sliding windows, calculates the signatures of attack packets through a pattern identification algorithm, and limits the bandwidth of, and applies credit penalties to, those attack packets that match the fingerprint signatures.

Rate limiting exports the traffic sanitized by the system to reduce the pressure on the downstream network system.

System Features

Accurate Detection and Recognition

The NSFOCUS anti-DDoS system has developed special-purpose algorithms to recognize different DDoS attacks according to probability statistics.
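An added illustration of the dynamic fingerprint recognition and credit penalty described above, written here in Python (not NSFOCUS code): stable byte windows are learned from attack payloads, windows that also appear in baseline traffic are discarded, and a per-source credit bucket then charges matching packets a penalty. The window size, thresholds and DNS-style payloads are constructed.

```python
"""Added example (not NSFOCUS code): dynamic fingerprint recognition with a
credit-based rate limiter, following the core principles described in the
text. Sliding byte windows common to nearly all attack packets but absent
from baseline traffic are merged into a signature; sources sending matching
packets are charged a credit penalty. All traffic and thresholds are constructed."""
from collections import Counter

# Constructed sample traffic: a DNS query flood with one fixed query name,
# and normal queries for a few different names in the same zone.
DNS_HDR = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # flags and counts of a standard query
FLOOD_QNAME = b"\x08flood123\x07example\x03com\x00"
ZONE_TAIL = b"\x07example\x03com\x00"
QTYPE_A_IN = b"\x00\x01\x00\x01"
NORMAL_LABELS = [b"\x03www", b"\x04mail", b"\x05login", b"\x06static"]


def constructed_traffic():
    # The first two bytes are the DNS ID, which varies per packet in both sets.
    attack = [bytes([i, 255 - i]) + DNS_HDR + FLOOD_QNAME + QTYPE_A_IN
              for i in range(20)]
    baseline = [bytes([i, 2 * i]) + DNS_HDR + NORMAL_LABELS[i % 4] + ZONE_TAIL + QTYPE_A_IN
                for i in range(20)]
    return attack, baseline


def learn_fingerprint(attack, baseline, window=8, byte_range=(0, 64),
                      min_attack_share=0.9, max_baseline_share=0.1):
    """Return the longest run of payload bytes (within byte_range) whose sliding
    windows occur in nearly every attack packet and almost no baseline packet,
    or None when no such run exists."""
    lo, hi = byte_range

    def windows(payload):
        body = payload[lo:hi]
        # a set, so a window repeated inside one packet is counted once
        return {body[i:i + window] for i in range(len(body) - window + 1)}

    atk = Counter(w for p in attack for w in windows(p))
    base = Counter(w for p in baseline for w in windows(p))
    good = {w for w, c in atk.items()
            if c / len(attack) >= min_attack_share
            and base[w] / max(len(baseline), 1) <= max_baseline_share}
    if not good:
        return None
    # Merge the qualifying windows back into the longest contiguous span they
    # cover in a reference attack packet; that span is the signature.
    ref = attack[0][lo:hi]
    best, start = b"", None
    for i in range(len(ref) - window + 1):
        if ref[i:i + window] not in good:
            start = None
            continue
        if start is None:
            start = i
        if i + window - start > len(best):
            best = ref[start:i + window]
    return best


def matches(signature, payload, byte_range=(0, 64)):
    lo, hi = byte_range
    return signature is not None and signature in payload[lo:hi]


class CreditLimiter:
    """Per-source credit bucket. An unmatched packet costs one credit; a packet
    matching the fingerprint is charged a penalty, so a flooding source runs out
    of credit quickly while modest unmatched traffic keeps flowing."""

    def __init__(self, credit=10, refill_per_sec=10, penalty=5):
        self.credit_max = credit
        self.refill = refill_per_sec
        self.penalty = penalty
        self.state = {}   # src -> (remaining credit, last timestamp)

    def admit(self, src, ts, matched):
        credit, last = self.state.get(src, (self.credit_max, ts))
        credit = min(self.credit_max, credit + (ts - last) * self.refill)
        cost = self.penalty if matched else 1
        admitted = credit >= cost
        self.state[src] = (credit - cost if admitted else credit, ts)
        return admitted


def demo():
    attack, baseline = constructed_traffic()
    sig = learn_fingerprint(attack, baseline)
    limiter = CreditLimiter()
    # 100 flood packets from one source within the same second
    flood_ok = sum(limiter.admit("198.51.100.9", 0, matches(sig, p)) for p in attack * 5)
    # 12 normal queries from a client within the same second
    legit_ok = sum(limiter.admit("192.0.2.7", 0, matches(sig, p)) for p in baseline[:12])
    return sig, flood_ok, legit_ok
```

The learned signature starts inside the fixed query name and stops where the shared zone suffix begins, because windows that baseline traffic also carries are excluded; only the flooding source is throttled.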
It also uses various filtering modules, including Anti-Spoofing, Protocol Behavior Pattern Analysis, Customized Application Prevention, User Behavior Analysis, Dynamic Fingerprinting, and Rate Limiting, to accurately catch malicious DDoS traffic and separate it from normal traffic. The capability of NSFOCUS ADS in preventing a SYN Flood attack, for example, is far ahead of algorithms such as SYN cookies and random drop. ADS has an excellent retention rate and a newly available connection rate of up to 100 percent.

Powerful Prevention Capability

Supported by unique algorithms developed by NSFOCUS, ADS delivers a high level of performance in prevention against various attacks, including SYN Flood, UDP Flood, UDP DNS Query Flood, (M)Stream Flood, and ACK Flood/DRDoS. The NSFOCUS system also delivers prevention capability against more dangerous application-layer DDoS attacks such as HTTP GET Flood and attacks on online game, video, and audio services. NSFOCUS ADS includes a rate limiting function designed to handle sudden abnormal changes in traffic. The ACL in the system helps the administrator easily control customized applications through a simple configuration of a black and white list. In-depth packet analysis rules allow the administrator to carry out quick prevention by defining templates according to source/destination IP, source/destination protocol port, protocol type, or signature bytes such as TCP flags, ICMP type, ICMP code, etc. Considering the innumerable users and different requirements possible in ISP networks, NSFOCUS classifies users into groups and provides granular prevention policies for them.

Hackers are continuously introducing and improving new DDoS attack methods. To keep up with this, NSFOCUS built an expert research team to closely follow and analyze network security attacks and develop mitigations and countermeasures. This knowledge is passed on to NSFOCUS ADS, which is upgraded within one week of the detection of a new attack type, thereby keeping the client's network secure against the very latest threats.

Massive Attack Traffic Prevention

NSFOCUS ADS models are equipped with different advanced multi-core processor architectures to meet the demands of high-performance telecom-class clients. This architecture performs up to 40G of traffic analysis and DDoS attack prevention. An ADS device cluster can further scale up to 100 Gbps of prevention capability.
NSFOCUS ADS systems are able to divert traffic based on attack targets, volume of traffic, types of attack, and so on; this provides excellent defense against the more devastating and complex DDoS attacks. Even in the face of an extremely serious DDoS attack, the NSFOCUS ADS 8000 series provides the best prevention available in the market.

IPv4/IPv6 Dual Stacks

As IPv4 addresses become increasingly scarce, more and more IPv6 traffic is appearing in networks. DDoS attack traffic has been found in IPv6 networks, and current detection methods are inadequate because of the significant differences between the IPv6 and IPv4 formats. NSFOCUS has developed IPv4 and IPv6 dual stacks to solve this problem. Whichever traffic type it is, the ADS detection device can accurately recognize it, and once DDoS attack traffic is found, whether IPv4 or IPv6, the ADS appliance can efficiently block it.

Collaborative Defense

NSFOCUS has designed its systems so that multiple security devices, such as NSFOCUS ADS and NSFOCUS WAF, can collaborate to share business information and flexibly allocate defense capabilities.

Flexible Application Deployment

Different network environments and scopes require different products and deployment modes. NSFOCUS offers in-line mode, traffic diversion mode, and traffic diversion Cleaning Center mode. Flexible deployment modes and support for various types of network protocols permit NSFOCUS ADS to protect complicated network environments and provide carrier-grade application solutions at the lowest possible cost.

User-Friendly Management Interface

NSFOCUS ADS-M provides straightforward and convenient management, including device monitoring, policy configuration, report generation, and packet capture and forensics. Hierarchical privilege management allows network engineers, security administrators, and customers to check real-time statistics, monitoring information, and reports at different levels. The detailed reports include attack events, attack types, attack characteristics, and attack sources. The reports help system administrators to monitor attacks in real time and also to carry out forensic analysis after the fact. ADS-M provides tools for traffic monitoring, log information, and attack history, which allow users to adjust prevention policies in response to real-time situations.
The use of NSFOCUS ADS-M achieves centralized management, monitoring, control and maintenance of several NSFOCUS ADS appliances at once. The centralized monitoring function achieves real-time understanding of traffic and device running status on several NSFOCUS ADS appliances synchronously. Through centralized control, 18 / 24 - White Paper

22 remote restart and packet capture tasks can be assigned at the same time. Configuration files, traffic statistical data and alert information for several NSFOCUS ADS devices can be stored in NSFOCUS ADS-M for centralized management. Cloud Managed Service Via NSFOCUS Managed Security Service (MSS) for ADS, a client s local ADS device can connect and synchronize with the NSFOCUS Cloud Security Center and be managed by the NSFOCUS security expert team. NSFOCUS CMADS is capable of assisting the client to monitor and mitigate DDoS attacks 24/7, which contributes greatly to the reduction of damages caused by DDoS attacks. Unique Value-added Business Management Clients can obtain additional benefit from NSFOCUS ADS-M. An ISP, for example, can offer a security prevention value-added service to its customers with self-service access. After logging in via a self-service interface in the system, customers can check information including real-time traffic, application protocol distribution, and attack prevention status. Professional Customer Support With years of experience in providing anti-ddos solutions and service, NSFOCUS services experts are trained to quickly respond to attack events. They provide support in prevention consultation, deployment, training and other services to help clients in setting up the optimal prevention system for their business. 19 / 24 - White Paper
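The traffic diversion and IPv4/IPv6 dual-stack detection described above, as an added example that is not NSFOCUS code: a small Python classifier that parses both header formats and decides, per target and attack type, when traffic volume crosses a threshold and should be diverted for cleaning. Thresholds, addresses and packets are constructed assumptions; the same run with dual_stack=False shows what an IPv4-only detector misses.

```python
"""Added example, not NSFOCUS code: a minimal dual-stack (IPv4/IPv6) packet
classifier feeding a diversion policy keyed by attack target, traffic volume
and attack type. Thresholds and all sample packets are constructed here."""
import ipaddress
import struct
from collections import Counter

# IPv4 "protocol" and IPv6 "next header" share these numbers, so one table serves both.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}

def classify(proto: int, payload: bytes) -> str:
    """Coarse attack-type label: SYN-only TCP segments get their own class."""
    if proto == 6 and len(payload) >= 14:
        flags = payload[13]                      # TCP flags byte is at offset 13
        if flags & 0x02 and not flags & 0x10:    # SYN set, ACK clear
            return "tcp_syn"
    return PROTO_NAMES.get(proto, f"proto{proto}")

def parse_packet(raw: bytes):
    """Return (dst, src, attack_class) for an IPv4 or IPv6 packet, or None if
    malformed. IPv6 extension headers are not walked in this example."""
    if not raw:
        return None
    version = raw[0] >> 4
    if version == 4 and len(raw) >= 20:
        ihl = (raw[0] & 0x0F) * 4                # header length in bytes
        src = ipaddress.IPv4Address(raw[12:16])
        dst = ipaddress.IPv4Address(raw[16:20])
        return dst, src, classify(raw[9], raw[ihl:])
    if version == 6 and len(raw) >= 40:
        src = ipaddress.IPv6Address(raw[8:24])
        dst = ipaddress.IPv6Address(raw[24:40])
        return dst, src, classify(raw[6], raw[40:])
    return None

class DiversionPolicy:
    """Counts packets per (destination, attack class) in one decision window and
    names the targets whose traffic should be diverted to the cleaning device.
    dual_stack=False mimics a legacy IPv4-only detector for comparison."""

    def __init__(self, thresholds: dict, dual_stack: bool = True):
        self.thresholds = thresholds   # attack class -> packets per window
        self.dual_stack = dual_stack
        self.counts = Counter()
        self.unparsed = 0              # packets the detector could not see into

    def observe(self, raw: bytes) -> None:
        if not self.dual_stack and raw and raw[0] >> 4 == 6:
            self.unparsed += 1         # IPv6 is opaque to a v4-only detector
            return
        parsed = parse_packet(raw)
        if parsed is None:
            self.unparsed += 1
            return
        dst, _src, cls = parsed
        self.counts[(dst, cls)] += 1

    def decisions(self) -> list:
        """(target, attack class, packet count) for every threshold breach."""
        hits = [(str(dst), cls, n) for (dst, cls), n in self.counts.items()
                if cls in self.thresholds and n > self.thresholds[cls]]
        return sorted(hits)

# Constructed sample packets: no checksums, just enough header to be parsed.
def ipv4_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6_packet(src: str, dst: str, next_hdr: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def tcp_segment(flags: int) -> bytes:
    """Minimal 20-byte TCP header; only the flags byte matters here."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)

def run_window(dual_stack: bool = True):
    """One window of constructed traffic: an 80-packet SYN flood from many IPv6
    sources toward a v6 web server, 20 ordinary IPv4 DNS queries, one garbage
    frame. Returns (diversion decisions, count of packets not understood)."""
    policy = DiversionPolicy({"tcp_syn": 50, "udp": 500}, dual_stack=dual_stack)
    syn = tcp_segment(0x02)
    for i in range(80):
        policy.observe(ipv6_packet(f"2001:db8:1::{i + 1:x}", "2001:db8:ffff::80", 6, syn))
    for _ in range(20):
        policy.observe(ipv4_packet("192.0.2.10", "198.51.100.53", 17, b"\0" * 12))
    policy.observe(b"\xff" * 8)
    return policy.decisions(), policy.unparsed

if __name__ == "__main__":
    print("dual stack:", run_window(True))   # the v6 flood is named for diversion
    print("IPv4 only :", run_window(False))  # the same flood is invisible
```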

Conclusion
With the increasing power and availability of DDoS attack tools and greater reliance by customers on networks, we can anticipate that DDoS attacks will also increase. Attack sizes are likely to grow, and the losses caused by these attacks will be even more severe than today. Network operators, enterprises, and governments must consider the countermeasures they will need to employ to protect their investments. NSFOCUS ADS provides cutting-edge protection against DDoS attacks. With sophisticated real-time analysis and flexible deployment, NSFOCUS blocks attacks effectively and allows business to continue as normal.

For more information:
Please contact the NSFOCUS sales team to discuss how NSFOCUS products and services can protect your network:
NSFOCUS US TEL:
NSFOCUS Japan TEL: info-jp@nsfocus.com
Visit the NSFOCUS Website:

About NSFOCUS
NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions, including a carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System, all designed to help clients secure their networks and corporate-critical information. More detailed information is available at


More information

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE 51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;

More information

AntiDDoS8000 DDoS Protection Systems

AntiDDoS8000 DDoS Protection Systems AntiDDoS8000 DDoS Protection Systems Background and Challenges With the IT and network evolution, the Distributed Denial of Service (DDoS) attack has already broken away from original hacker behaviors.

More information

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

More information

DDoS Protection on the Security Gateway

DDoS Protection on the Security Gateway DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

More information

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information