White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.



Similar documents
Complete Protection against Evolving DDoS Threats

DDoS Protection Technology White Paper

VALIDATING DDoS THREAT PROTECTION

The Key to Secure Online Financial Transactions

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Cisco Advanced Services for Network Security

NSFOCUS Anti-DDoS System White Paper

Kaspersky DDoS Prevention

The Hillstone and Trend Micro Joint Solution

How To Block A Ddos Attack On A Network With A Firewall

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Firewalls and Intrusion Detection

How To Prevent Hacker Attacks With Network Behavior Analysis

Why Is DDoS Prevention a Challenge?

Check Point DDoS Protector

DDoS Overview and Incident Response Guide. July 2014

On-Premises DDoS Mitigation for the Enterprise

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Protecting Against Application DDoS Attacks with BIG-IP ASM: A Three-Step Solution

SecurityDAM On-demand, Cloud-based DDoS Mitigation

How Cisco IT Protects Against Distributed Denial of Service Attacks

Service Description DDoS Mitigation Service

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

Modern Denial of Service Protection

Network Bandwidth Denial of Service (DoS)

A Layperson s Guide To DoS Attacks

Radware s Behavioral Server Cracking Protection

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

CS 356 Lecture 16 Denial of Service. Spring 2013

FortiDDos Size isn t everything

Arbor s Solution for ISP

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

Cisco Remote Management Services for Security

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

TDC s perspective on DDoS threats

Design Your Security

First Line of Defense to Protect Critical Infrastructure

DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

SHARE THIS WHITEPAPER

Basics of Internet Security

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Voice Over IP (VoIP) Denial of Service (DoS)

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Quality Certificate for Kaspersky DDoS Prevention Software

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Pravail 2.0 Technical Overview. Exclusive Networks

Solution Brief. Secure and Assured Networking for Financial Services

Radware s Attack Mitigation Solution On-line Business Protection

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Automated Mitigation of the Largest and Smartest DDoS Attacks

Introducing FortiDDoS. Mar, 2013

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

The Cisco ASA 5500 as a Superior Firewall Solution

State of Texas. TEX-AN Next Generation. NNI Plan

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Intrusion Detection Systems

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Introduction about DDoS. Security Functional Requirements

Where every interaction matters.

The Advantages of a Firewall Over an Interafer

DoS: Attack and Defense

DDoS Protection on the Security Gateway

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

AntiDDoS1000 DDoS Protection Systems

Secure Software Programming and Vulnerability Analysis

Distributed Denial of Service protection

DDoS Attacks & Defenses

LoadMaster Application Delivery Controller Security Overview

Denial of Service Attacks, What They are and How to Combat Them

Transcription:

TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc.

Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion Prevention Systems (IPS)... 3 Common DDoS Mitigation Strategies... 4 DDoS Protection for the Real World: AhnLab TrusGuard DPX... 4 Multi-layered Mitigation Filtering... 5 Clustering Capability... 5 Inline and Out-of-Path Deployment... 5 Conclusion... 7 1

Introduction Most companies today communicate with their clients by providing products and services via the Internet. As a result, disruptions to Internet services cause both financial losses for companies and chaos for customers. The denial of service attack, or DoS, has become one of the most serious threats against today s net-based entities, including e-commerce, infrastructure, and government websites. Attackers use several techniques to launch DoS attacks. For instance, an attacker can arbitrarily make a service inaccessible to customers by acquiring credentials and hacking a web server. Or, the attacker can flood the server with a large amount of traffic, which is known as a Distributed Denial of Service (DDoS) attack. In this relatively simple method, the attacker simultaneously sends mass amounts of traffic from compromised hosts, thereby consuming the server s resources and rendering services unavailable. There are many security products and solutions already on the market that attempt to protect against DDoS attacks. Unfortunately, these solutions rely on the traditional method of detecting anomalies, which is no longer capable of detecting the myriad new ways that DDoS attacks are launched. To ensure your business continuity against evolving DDoS threats, a new approach is required. This white paper introduces AhnLab s TrusGuard DPX, which is an effective deterrent against the new breed of DDoS attacks. TrusGuard DPX is the solution that you can depend on to keep your web servers protected and your services available to customers. The Evolution of DDoS Attacks In a DDoS attack, an attacker builds a network of compromised zombie computers or botnets. Once the attacker has enough zombie computers controlled, he or she remotely orders them to simultaneously send requests to the targeted server. This creates an extremely high volume of packets that rapidly consume server resources, interrupt valid transactions, and slow down access to URLs. As the number of requests reaches the server s maximum handling capability, web pages slow so far as to make the service unusable and valid customer requests may fail entirely. Because of the volumetric characteristics of DDoS traffic, security vendors have typically used counters and connection limits to block clients that generate excessive traffic. However, more recent attacks have proven that this approach is no longer effective, because attackers have learned to conceal traffic characteristics and make excessive requests appear very much like normal traffic. By eluding the detection scheme used by typical security products, attackers have made it very difficult to distinguish malicious packets from legitimate ones. In addition, attackers are exploiting flaws in web applications to create a new form of DDoS attack. For example, a flaw in an HTTP protocol can allow the attacker to flood a web server with very slow HTTP POST traffic (one packet 2

every ten seconds). Techniques are also being used to evade URL redirects (302 redirects) that attempt to distinguish requests generated by attack tools from live user requests. When combined, these new techniques create a complex form of attack that cannot be dealt with by traditional security solutions. As if dealing with evolving forms of DDoS attacks wasn t enough, the motivation for these types of attacks has evolved as well. Hacktivism, as it is now called, is a means of voicing with commercial ventures, publicizing boycotts, and gaining support for political movements. The tools for launching these attacks are becoming increasingly easy to find and easy to use, which means that attackers do not require a high level of technical ability to perform them. With sufficient motivation and an entry-level skill set, attackers are now voluntarily creating botnets for the sole purpose of typing up resources and disrupting services. Typical Protection against DDoS Attacks To mitigate the threat of a traditional DDoS attack, many organizations have adopted firewalls, intrusion prevention systems, and typical DDoS mitigation strategies. However, these approaches provide only limited protection against the sophisticated attack techniques that are presently being used. Even though these network security solutions have excellent capabilities for other purposes, they are failing to protect a company s bottom line, because they are insufficient at dealing with complex, evolving threats. Firewalls Firewalls are stateful devices. They cannot effectively handle a large number of concurrent sessions, because they must keep track of the state of each interaction. If a large amount of traffic attempts to pass through a firewall at once, the firewall s connection-per-second capacity may be insufficient to handle the load. This can result in a significant delays or even failure of connection attempts. However, it cannot effectively handle a large number of concurrent sessions, because it must keep track of the state of all open connections. If a large amount of traffic attempts to pass through a firewall at once, the firewall s connection-per-second capacity may be insufficient to handle the load. This can result in a significant delays or even failure of connection attempts. In addition, firewalls monitor and filter out abnormal traffic from services that are not permitted to access the network. Many DDoS attacks are in the form of valid requests that are simply trying to tie up the server s resources. As a result, many firewalls are incapable of blocking access to these authorized, but malicious, requests. Intrusion Prevention Systems (IPS) IPS solutions are limited in the number of concurrent sessions they can support, much like firewalls. They are designed to identify harmful packets by matching signatures against a database of known threats. But again, because many DDoS attacks involve valid requests, the IPS cannot dependably protect against this type of attack simply by applying a static, signature-based technology. 3

Common DDoS Mitigation Strategies Common DDoS mitigation strategies also include limits on concurrent sessions. In this approach, only traffic that exceeds the normal limits is blocked. As attackers do more to disguise their requests as normal traffic, mitigation strategies are completely ineffective at detecting and blocking them. DDoS Protection for the Real World: AhnLab TrusGuard DPX AhnLab s TrusGuard DPX provides the protection that traditional approaches cannot. It ensures business continuity and resource availability with an all-inclusive security layer that not only detects today s more complex DDoS attacks, but also mitigates their effects. TrusGuard DPX Dashboard Multi-layered Mitigation Filtering Because the essence of DDoS mitigation is to allow for legitimate transactions and sustain service continuity, it becomes more important to accurately recognize good traffic rather than simply blocking suspicious requests that may result in false-positives. As a countermeasure to this paradigm shift, TrusGuard DPX has layered multiple mitigation filters to enforce traffic authentication. 4

The Anti-Spoofing Protection filter checks the validity of sessions and the state information to determine whether the traffic is normal or not. The HTTP Access Authentication filter determines the validity of HTTP requests and prevents new attacks from circumventing HTTP 302 Redirects. By analyzing accumulated information about legitimate traffic, TrusGuard DPX automatically renders a list of trusted IP addresses and blocks all traffic from unauthorized sources, while allowing valid transactions even during an attack. This approach helps effectively deal with stateless UDP and ICMP traffic, as well as unknown attack methods. It also enhances detection accuracy, which has been a critical issue for DDoS mitigation strategies that rely on threshold-based control. TrusGuard DPX also includes a traditional threshold-based protection feature. This mitigation method is effective against simple packet flooding attacks, although it runs the risk of false-positives. However, working in concert with the powerful Self-Learning feature, TrusGuard DPX can automatically calculate the threshold and define the most adequate protection policy based on the result. In addition TrusGuard DPX allows you to specify up to 128 thresholds in each protected zone for IP sources. Thus, source IP addresses that routinely send large volumes of legitimate traffic can be allowed to make continous transactions. This innovation allows for a more refined network policy while reducing the incidence of false-positives that hinders other threshold-based filters. Finally, TrusGuard DPX's signature-based filter provides the IPS signatures required to detect DoS packets and connection to malicious IRC servers. It helps defend networks from known malicious packets that exploit vulnerabilities in the network and application layers. Clustering Capability Large-scale DDoS attacks can only be dealt with by more than two devices in an active-active mode. AhnLab s TrusGuard DPX features a clustering capability that links up to twelve devices. The outstanding scalability provided by this clustering capability can simultaneously manage up to 120 Gbps of bandwidth. A list of trusted IP addresses are synchronized with all other devices within the cluster, it can ensure the legitimate traffic to pass even under a DDoS attack. Clustered devices function seamlessly as a single unit, to effectively respond to volumetric DDoS attacks, and provide the flexibility to protect all sizes of networks. Inline and Out-of-Path Deployment TrusGuard DPX can be deployed inline on a network or in an out-of-path topology. Generally, inline deployment is the simplest and least expensive option. However, a single point of failure can cause the entire network to fail. In an inline framework, all traffic is routed through a single TrusGuard DPX device. But with support for traffic bypasses, TrusGuard DPX provides a safe level of fault tolerance and continues to route traffic, even in the event of a system failure. 5

An out-of-path topology is most suitable for large-scale networks. When located outside of the network path, the TrusGuard DPX does not affect the traffic flow, but still provides fault tolerance and operational stability. The TrusGuard DPX can be configured for this deployment with commonly-available Cisco routers and switches. Inline Out of Path Internet Internet Traffic Hijacking Switch Inline Guard & Detector Out-of-Path Guard Out-of-Path Detector Inline Cluster OOP Cluster Internet Internet Traffic Hijacking Switch Out-of-Path Guard (Cluster) Traffic Injection Switch Out-of-Path Detector #1 Out-of-Path Detector #2 6

Conclusion Today s DDoS attacks are increasingly sophisticated and occur more frequently. With the prevalence of easy-to-use tools and new motivations for these types of attacks, this upward trend will continue. This threat is compounded by the fact that typical security solutions are incapable of keeping pace with the increased security requirements. Organizations need an effective, comprehensive approach to ensure the continuity of services and resources. Only TrusGuard DPX delivers full protection against complex DDoS attacks. With its clustering technology and multiple protection layers, TrusGuard DPX effectively mitigates a wide range of threats and ensures valid transactions. To be certain that DDoS attacks cannot disrupt your business operations, trust AhnLab s TrusGuard DPX to deliver allinclusive protection for Internet resources and services. About AhnLab AhnLab develops industry-leading information security solutions and services for consumers, enterprises, and small and medium businesses worldwide. As a leading innovator in the information security arena since 1995, AhnLab s cutting-edge technologies and services meet today s dynamic security requirements, ensure business continuity for our clients, and contribute to a safe computing environment for all. We deliver a comprehensive security lineup, including proven, world-class antivirus products for desktops and servers, mobile security products, online transaction security products, network security appliances, and consulting services. AhnLab has firmly established its market position and manages sales partners in many countries worldwide. AhnLab, Inc. www.ahnlab.com / global.sales@ahnlab.com / Tel: 1-888-537-4336 673, Sampyeong-dong, Bundang-gu, Seongnam-si, Gyeonggi-do, 463-400, Korea 2012 AhnLab, Inc. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information