Complete Protection against Evolving DDoS Threats AhnLab, Inc.
Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion Prevention Systems (IPS)... 3 Common DDoS Mitigation Strategies... 4 DDoS Protection for the Real World: AhnLab DPS... 4 Multi-layered Mitigation Filtering... 5 Clustering Capability... 5 Inline and Out-of-Path Deployment... 5 Conclusion... 7 1
Introduction Most companies today communicate with their clients by providing products and services via the Internet. As a result, disruptions to Internet services cause both financial losses for companies and chaos for customers. The denial of service attack, or DoS, has become one of the most serious threats against today s net-based entities, including e-commerce, infrastructure, and government websites. Attackers use several techniques to launch DoS attacks. For instance, an attacker can arbitrarily make a service inaccessible to customers by acquiring credentials and hacking a web server. Or, the attacker can flood the server with a large amount of traffic, which is known as a Distributed Denial of Service (DDoS) attack. In this relatively simple method, the attacker simultaneously sends mass amounts of traffic from compromised hosts, thereby consuming the server s resources and rendering services unavailable. There are many security products and solutions already on the market that attempt to protect against DDoS attacks. Unfortunately, these solutions rely on the traditional method of detecting anomalies, which is no longer capable of detecting the myriad new ways that DDoS attacks are launched. To ensure your business continuity against evolving DDoS threats, a new approach is required. This white paper introduces AhnLab s DDoS attack Protection System (DPS), which is an effective deterrent against the new breed of DDoS attacks. AhnLab DPS is the solution that you can depend on to keep your web servers protected and your services available to customers. The Evolution of DDoS Attacks In a DDoS attack, an attacker builds a network of compromised zombie computers or botnets. Once the attacker has enough zombie computers controlled, he or she remotely orders them to simultaneously send requests to the targeted server. This creates an extremely high volume of packets that rapidly consume server resources, interrupt valid transactions, and slow down access to URLs. As the number of requests reaches the server s maximum handling capability, web pages slow so far as to make the service unusable and valid customer requests may fail entirely. Because of the volumetric characteristics of DDoS traffic, security vendors have typically used counters and connection limits to block clients that generate excessive traffic. However, more recent attacks have proven that this approach is no longer effective, because attackers have learned to conceal traffic characteristics and make excessive requests appear very much like normal traffic. By eluding the detection scheme used by typical security products, attackers have made it very difficult to distinguish malicious packets from legitimate ones. In addition, attackers are exploiting flaws in web applications to create a new form of DDoS attack. For example, a flaw in an HTTP protocol can allow the attacker to flood a web server with very slow HTTP POST traffic (one packet 2
every ten seconds). Techniques are also being used to evade URL redirects (302 redirects) that attempt to distinguish requests generated by attack tools from live user requests. When combined, these new techniques create a complex form of attack that cannot be dealt with by traditional security solutions. As if dealing with evolving forms of DDoS attacks wasn t enough, the motivation for these types of attacks has evolved as well. Hacktivism, as it is now called, is a means of voicing with commercial ventures, publicizing boycotts, and gaining support for political movements. The tools for launching these attacks are becoming increasingly easy to find and easy to use, which means that attackers do not require a high level of technical ability to perform them. With sufficient motivation and an entry-level skill set, attackers are now voluntarily creating botnets for the sole purpose of typing up resources and disrupting services. Typical Protection against DDoS Attacks To mitigate the threat of a traditional DDoS attack, many organizations have adopted firewalls, intrusion prevention systems, and typical DDoS mitigation strategies. However, these approaches provide only limited protection against the sophisticated attack techniques that are presently being used. Even though these network security solutions have excellent capabilities for other purposes, they are failing to protect a company s bottom line, because they are insufficient at dealing with complex, evolving threats. Firewalls Firewalls are stateful devices. They cannot effectively handle a large number of concurrent sessions, because they must keep track of the state of each interaction. If a large amount of traffic attempts to pass through a firewall at once, the firewall s connection-per-second capacity may be insufficient to handle the load. This can result in a significant delays or even failure of connection attempts. However, it cannot effectively handle a large number of concurrent sessions, because it must keep track of the state of all open connections. If a large amount of traffic attempts to pass through a firewall at once, the firewall s connection-per-second capacity may be insufficient to handle the load. This can result in a significant delays or even failure of connection attempts. In addition, firewalls monitor and filter out abnormal traffic from services that are not permitted to access the network. Many DDoS attacks are in the form of valid requests that are simply trying to tie up the server s resources. As a result, many firewalls are incapable of blocking access to these authorized, but malicious, requests. Intrusion Prevention Systems (IPS) IPS solutions are limited in the number of concurrent sessions they can support, much like firewalls. They are designed to identify harmful packets by matching signatures against a database of known threats. But again, because many DDoS attacks involve valid requests, the IPS cannot dependably protect against this type of attack simply by applying a static, signature-based technology. 3
Common DDoS Mitigation Strategies Common DDoS mitigation strategies also include limits on concurrent sessions. In this approach, only traffic that exceeds the normal limits is blocked. As attackers do more to disguise their requests as normal traffic, mitigation strategies are completely ineffective at detecting and blocking them. DDoS Protection for the Real World: AhnLab DPS AhnLab DPS provides the protection that traditional approaches cannot. It ensures business continuity and resource availability with an all-inclusive security layer that not only detects today s more complex DDoS attacks, but also mitigates their effects. AhnLab DPS Dashboard Multi-layered Mitigation Filtering Because the essence of DDoS mitigation is to allow for legitimate transactions and sustain service continuity, it becomes more important to accurately recognize good traffic rather than simply blocking suspicious requests that may result in false-positives. As a countermeasure to this paradigm shift, AhnLab DPS has layered multiple mitigation filters to enforce traffic authentication. 4
The Anti-Spoofing Protection filter checks the validity of sessions and the state information to determine whether the traffic is normal or not. The HTTP Access Authentication filter determines the validity of HTTP requests and prevents new attacks from circumventing HTTP 302 Redirects. By analyzing accumulated information about legitimate traffic, AhnLab DPS automatically renders a list of trusted IP addresses and blocks all traffic from unauthorized sources, while allowing valid transactions even during an attack. This approach helps effectively deal with stateless UDP and ICMP traffic, as well as unknown attack methods. It also enhances detection accuracy, which has been a critical issue for DDoS mitigation strategies that rely on thresholdbased control. AhnLab DPS also includes a traditional threshold-based protection feature. This mitigation method is effective against simple packet flooding attacks, although it runs the risk of false-positives. However, working in concert with the powerful Self-Learning feature, AhnLab DPS can automatically calculate the threshold and define the most adequate protection policy based on the result. In addition AhnLab DPS allows you to specify up to 128 thresholds in each protected zone for IP sources. Thus, source IP addresses that routinely send large volumes of legitimate traffic can be allowed to make continous transactions. This innovation allows for a more refined network policy while reducing the incidence of false-positives that hinders other threshold-based filters. Finally, AhnLab DPS' signature-based filter provides the IPS signatures required to detect DoS packets and connection to malicious IRC servers. It helps defend networks from known malicious packets that exploit vulnerabilities in the network and application layers. Clustering Capability Large-scale DDoS attacks can only be dealt with by more than two devices in an active-active mode. AhnLab DPS features a clustering capability that links up to twelve devices. The outstanding scalability provided by this clustering capability can simultaneously manage up to 120 Gbps of bandwidth. A list of trusted IP addresses are synchronized with all other devices within the cluster, it can ensure the legitimate traffic to pass even under a DDoS attack. Clustered devices function seamlessly as a single unit, to effectively respond to volumetric DDoS attacks, and provide the flexibility to protect all sizes of networks. Inline and Out-of-Path Deployment AhnLab DPS can be deployed inline on a network or in an out-of-path topology. Generally, inline deployment is the simplest and least expensive option. However, a single point of failure can cause the entire network to fail. In an inline framework, all traffic is routed through a single DPS device. But with support for traffic bypasses, AhnLab DPS provides a safe level of fault tolerance and continues to route traffic, even in the event of a system failure. 5
An out-of-path topology is most suitable for large-scale networks. When located outside of the network path, the AhnLab DPS does not affect the traffic flow, but still provides fault tolerance and operational stability. The AhnLab DPS can be configured for this deployment with commonly-available Cisco routers and switches. Inline Out of Path Internet Internet Traffic Hijacking Switch Inline Guard & Detector Out-of-Path Guard Out-of-Path Detector Inline Cluster OOP Cluster Internet Internet Traffic Hijacking Switch Out-of-Path Guard (Cluster) Traffic Injection Switch Out-of-Path Detector #1 Out-of-Path Detector #2 6
Conclusion Today s DDoS attacks are increasingly sophisticated and occur more frequently. With the prevalence of easy-to-use tools and new motivations for these types of attacks, this upward trend will continue. This threat is compounded by the fact that typical security solutions are incapable of keeping pace with the increased security requirements. Organizations need an effective, comprehensive approach to ensure the continuity of services and resources. Only AhnLab DPS delivers full protection against complex DDoS attacks. With its clustering technology and multiple protection layers, AhnLab DPS effectively mitigates a wide range of threats and ensures valid transactions. To be certain that DDoS attacks cannot disrupt your business operations, trust AhnLab DPS to deliver all-inclusive protection for Internet resources and services. About AhnLab AhnLab creates agile, integrated internet security solutions for corporate organizations. Founded in 1995, AhnLab, a global leader in security, delivers comprehensive protection for networks, transactions, and essential services. AhnLab delivers best-of-breed threat prevention that scales easily for high-speed networks, by combining cloud analysis with endpoint and server resources. AhnLab's multidimensional approach combines with exceptional service to create truly global protection against attacks that evade traditional security defenses. That s why more than 25,000 organizations rely on AhnLab s award-winning products and services to make the internet safe and reliable for their business operations. AhnLab, Inc. 2318-D Walsh Ave. Santa Clara, CA 95051 USA Toll Free +1.800.511.AhnLab (1.800.511.2465) +1.877.551.2690 Email info@ahnlab.com Design Your Security 2013 AhnLab, Inc. All rights reserved.