Complete Protection against Evolving DDoS Threats




White paper. AhnLab, Inc.

Table of Contents

Introduction
The Evolution of DDoS Attacks
Typical Protection against DDoS Attacks
  Firewalls
  Intrusion Prevention Systems (IPS)
  Common DDoS Mitigation Strategies
DDoS Protection for the Real World: AhnLab DPS
  Multi-layered Mitigation Filtering
  Clustering Capability
  Inline and Out-of-Path Deployment
Conclusion

Introduction

Most companies today communicate with their clients by providing products and services via the Internet. As a result, disruptions to Internet services cause both financial losses for companies and chaos for customers. The denial of service (DoS) attack has become one of the most serious threats against today's net-based entities, including e-commerce, infrastructure, and government websites.

Attackers use several techniques to launch DoS attacks. For instance, an attacker can make a service inaccessible to customers by acquiring credentials and compromising the web server itself. Or the attacker can flood the server with a large volume of traffic, which is known as a Distributed Denial of Service (DDoS) attack. In this relatively simple method, the attacker simultaneously sends massive amounts of traffic from compromised hosts, consuming the server's resources and rendering services unavailable.

There are many security products and solutions already on the market that attempt to protect against DDoS attacks. Unfortunately, these solutions rely on traditional anomaly detection, which is no longer capable of detecting the many new ways in which DDoS attacks are launched. To ensure business continuity against evolving DDoS threats, a new approach is required. This white paper introduces AhnLab's DDoS attack Protection System (DPS), an effective deterrent against the new breed of DDoS attacks. AhnLab DPS is the solution you can depend on to keep your web servers protected and your services available to customers.

The Evolution of DDoS Attacks

In a DDoS attack, an attacker builds a network of compromised "zombie" computers, or a botnet. Once the attacker controls enough zombie computers, he or she remotely orders them to simultaneously send requests to the targeted server.
This creates an extremely high volume of packets that rapidly consumes server resources, interrupts valid transactions, and slows down access to URLs. As the number of requests reaches the server's maximum handling capacity, web pages slow to the point where the service is unusable, and valid customer requests may fail entirely.

Because of the volumetric characteristics of DDoS traffic, security vendors have typically used counters and connection limits to block clients that generate excessive traffic. More recent attacks have proven that this approach is no longer sufficient, because attackers have learned to conceal traffic characteristics and make excessive requests look very much like normal traffic. By eluding the detection scheme used by typical security products, attackers have made it very difficult to distinguish malicious packets from legitimate ones.

In addition, attackers are exploiting weaknesses in web applications and web servers to create a new form of DDoS attack. For example, because a web server must hold a connection open until the request body has arrived, an attacker can tie up a server with very slow HTTP POST traffic (one packet every ten seconds) on each connection; very little bandwidth is needed, so the attack does not look volumetric. Techniques are also being used to evade URL redirects (302 redirects) that attempt to distinguish requests generated by attack tools from live user requests: an attack tool that follows the redirect looks like a browser. When combined, these techniques create a complex form of attack that cannot be dealt with by traditional security solutions.

As if evolving forms of DDoS attack weren't enough, the motivation for these attacks has evolved as well. Hacktivism, as it is now called, is a means of voicing disagreement with commercial ventures, publicizing boycotts, and gaining support for political movements. The tools for launching these attacks are increasingly easy to find and easy to use, which means that attackers do not need a high level of technical ability to perform them. With sufficient motivation and an entry-level skill set, attackers are now voluntarily forming botnets for the sole purpose of tying up resources and disrupting services.

Typical Protection against DDoS Attacks

To mitigate the threat of a traditional DDoS attack, many organizations have adopted firewalls, intrusion prevention systems, and typical DDoS mitigation strategies. However, these approaches provide only limited protection against the sophisticated attack techniques now in use. Even though these network security solutions have excellent capabilities for other purposes, they fail to protect a company's bottom line because they are insufficient against complex, evolving threats.

Firewalls

Firewalls are stateful devices. They cannot effectively handle a large number of concurrent sessions, because they must track the state of every open connection. If a large amount of traffic attempts to pass through a firewall at once, the firewall's connection-per-second capacity may be insufficient to handle the load, resulting in significant delays or outright failure of connection attempts.
In addition, firewalls are built to filter out traffic for services that are not permitted to access the network. Many DDoS attacks consist of valid requests for permitted services that are simply trying to tie up the server's resources. As a result, a firewall typically cannot block these authorized, but malicious, requests.

Intrusion Prevention Systems (IPS)

IPS solutions are limited in the number of concurrent sessions they can support, much like firewalls. They are designed to identify harmful packets by matching them against a database of signatures for known threats. But again, because many DDoS attacks consist of valid requests that match no signature, an IPS cannot dependably protect against this type of attack with a static, signature-based technology alone.
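The slow HTTP POST attack described under The Evolution of DDoS Attacks passes the connection-rate and signature checks just discussed: each connection sends one small packet every ten seconds, so no counter trips and no signature matches. What does catch it is a per-connection check on how fast the request body is actually arriving. The following is an added example, not AhnLab's filter or any code from this paper; it models a policy in the shape of Apache's mod_reqtimeout (a grace period, then a minimum average body rate, plus an absolute cap) and runs it over constructed connection traces. The limits, the connection identifier and the traces are assumptions for illustration.

```python
"""Request-body rate check against slow HTTP POST (one packet every ten seconds).
Added example, not AhnLab code. The grace-period-plus-minimum-rate policy shape
follows Apache's mod_reqtimeout; the limits and traces below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BodyRatePolicy:
    grace_seconds: float = 20.0   # no rate enforcement until this much time has passed
    min_rate_bps: float = 500.0   # after the grace period, average body bytes/s required
    hard_timeout: float = 300.0   # absolute cap on how long one request body may take


@dataclass
class ConnState:
    start: float                           # time the headers were received
    received: int = 0                      # body bytes seen so far
    declared_length: Optional[int] = None  # Content-Length, or None for chunked bodies
    closed_reason: Optional[str] = None


class SlowBodyMonitor:
    """Tracks each connection's body arrival and decides when to close it."""

    def __init__(self, policy: BodyRatePolicy) -> None:
        self.policy = policy
        self.conns: Dict[str, ConnState] = {}

    def on_headers(self, conn_id: str, now: float, content_length: Optional[int]) -> None:
        self.conns[conn_id] = ConnState(start=now, declared_length=content_length)

    def on_body_bytes(self, conn_id: str, now: float, nbytes: int) -> Optional[str]:
        """Record nbytes arriving at time now; return a close reason, or None to keep reading."""
        st = self.conns[conn_id]
        if st.closed_reason:
            return st.closed_reason
        st.received += nbytes
        if st.declared_length is not None and st.received >= st.declared_length:
            return None  # body complete; the request proceeds to the application
        elapsed = now - st.start
        if elapsed > self.policy.hard_timeout:
            st.closed_reason = "hard-timeout"
        elif elapsed > self.policy.grace_seconds and st.received / elapsed < self.policy.min_rate_bps:
            st.closed_reason = "slow-body"  # the connection is being held open, not used
        return st.closed_reason


def replay(t0: float, events: List[Tuple[float, int]], content_length: Optional[int],
           policy: BodyRatePolicy) -> Tuple[Optional[str], Optional[float]]:
    """Feed one connection's (time, bytes) events; return (close reason, time) or (None, None)."""
    mon = SlowBodyMonitor(policy)
    mon.on_headers("c1", t0, content_length)
    for t, n in events:
        reason = mon.on_body_bytes("c1", t, n)
        if reason:
            return reason, t
    return None, None


# Constructed traces, not captured traffic. Each entry is (seconds since headers, body bytes).
SLOW_POST = [(10.0 * i, 1) for i in range(1, 31)]          # 1 byte every 10 s, claims a 1 MB body
LEGIT_UPLOAD = [(0.5 * i, 100_000) for i in range(1, 51)]  # 100 KB every 0.5 s, 5 MB body
SLOW_LINK = [(1.0 * i, 1_000) for i in range(1, 61)]       # 1 KB/s client, 60 KB body
ENDLESS_BODY = [(1.0 * i, 600) for i in range(1, 305)]     # chunked body that never ends

if __name__ == "__main__":
    policy = BodyRatePolicy()
    print("slow post    ", replay(0.0, SLOW_POST, 1_000_000, policy))     # ('slow-body', 30.0)
    print("legit upload ", replay(0.0, LEGIT_UPLOAD, 5_000_000, policy))  # (None, None)
    print("slow link    ", replay(0.0, SLOW_LINK, 60_000, policy))        # (None, None)
    print("endless body ", replay(0.0, ENDLESS_BODY, None, policy))       # ('hard-timeout', 301.0)
```

The SLOW_LINK trace is the false-positive case to watch: the limit is a rate, not a fixed idle timeout, so a genuinely slow client at 1 KB/s is never dropped, while the slow-POST connection is closed after its third packet. The hard timeout covers the "fast enough but endless" chunked body, for which no Content-Length is available. A check of this kind belongs on the server or reverse proxy, since a stateless packet filter never sees body arrival per request.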

Common DDoS Mitigation Strategies

Common DDoS mitigation strategies also rely on limits on concurrent sessions or request rates. In this approach, only traffic that exceeds the normal limits is blocked. As attackers do more to disguise their requests as normal traffic, such threshold-based strategies become ineffective at detecting and blocking them.

DDoS Protection for the Real World: AhnLab DPS

AhnLab DPS provides the protection that traditional approaches cannot. It ensures business continuity and resource availability with an all-inclusive security layer that not only detects today's more complex DDoS attacks but also mitigates their effects.

[Figure: AhnLab DPS Dashboard]

Multi-layered Mitigation Filtering

Because the essence of DDoS mitigation is to let legitimate transactions through and sustain service continuity, it is more important to accurately recognize good traffic than simply to block suspicious requests, which risks false positives. In response to this shift, AhnLab DPS layers multiple mitigation filters to enforce traffic authentication.
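To make the layering concrete before the individual filters are described, here is an added example that is not AhnLab code and is not from this paper. It combines the threshold limits discussed under Common DDoS Mitigation Strategies with the traffic-authentication idea of this section: a 302 redirect challenge that builds a trusted-source list, a base threshold learned from observed per-source rates, and per-source threshold overrides (capped at 128 per zone, the figure this paper gives for DPS). The `_auth` query parameter, the HMAC token format, the mean plus three standard deviations learning rule, the one-second window and the addresses are all assumptions; TCP-level anti-spoofing and signature matching are not modelled.

```python
"""Layered DDoS filter sketch: threshold (learned or per-source), trusted-source list,
and an HTTP 302 redirect challenge. Added example, not AhnLab code; the _auth parameter,
HMAC token, learning rule and sample addresses are assumptions for illustration."""
import hashlib
import hmac
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret, rotated out of band
MAX_SOURCE_THRESHOLDS = 128         # the paper's per-zone limit on source-specific thresholds


def challenge_token(src_ip: str, url: str, minute: int) -> str:
    """HMAC binds the redirect token to the source address, the URL and a minute slot,
    so a token harvested by one bot cannot be replayed from other sources or much later."""
    msg = f"{src_ip}|{url}|{minute}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


@dataclass
class Request:
    src_ip: str
    url: str      # path plus optional query string
    ts: float     # seconds


@dataclass
class Decision:
    action: str                     # "pass", "redirect" or "drop"
    location: Optional[str] = None  # redirect target, or the URL with the token stripped


class LayeredFilter:
    def __init__(self, learned_rates: List[float], window: float = 1.0, k: float = 3.0):
        # Self-learning layer: learned_rates are per-source requests per window observed
        # during normal operation; the base threshold is mean + k standard deviations.
        self.base_threshold = statistics.mean(learned_rates) + k * statistics.pstdev(learned_rates)
        self.window = window
        self.source_thresholds: Dict[str, float] = {}
        self.trusted: set = set()
        self._history: Dict[str, List[float]] = {}

    def set_source_threshold(self, src_ip: str, limit: float) -> None:
        """Per-source override so a known heavy but legitimate source is not blocked."""
        if src_ip not in self.source_thresholds and len(self.source_thresholds) >= MAX_SOURCE_THRESHOLDS:
            raise ValueError("per-zone source threshold limit reached")
        self.source_thresholds[src_ip] = limit

    def _rate(self, src_ip: str, now: float) -> int:
        recent = [t for t in self._history.get(src_ip, []) if now - t <= self.window]
        recent.append(now)
        self._history[src_ip] = recent
        return len(recent)

    def handle(self, req: Request) -> Decision:
        # Layer 1: the threshold (base or per-source) applies to every source, trusted or not.
        limit = self.source_thresholds.get(req.src_ip, self.base_threshold)
        if self._rate(req.src_ip, req.ts) > limit:
            return Decision("drop")
        # Layer 2: sources that already passed the challenge skip it.
        if req.src_ip in self.trusted:
            return Decision("pass")
        # Layer 3: HTTP access authentication via a 302 redirect carrying a bound token.
        parsed = urlparse(req.url)
        qs = parse_qs(parsed.query)
        presented = qs.pop("_auth", [None])[0]
        clean = parsed.path + ("?" + urlencode(qs, doseq=True) if qs else "")
        minute = int(req.ts // 60)
        for slot in (minute, minute - 1):   # accept the current and the previous minute slot
            if presented and hmac.compare_digest(presented, challenge_token(req.src_ip, clean, slot)):
                self.trusted.add(req.src_ip)
                return Decision("pass", clean)
        token = challenge_token(req.src_ip, clean, minute)
        sep = "&" if "?" in clean else "?"
        return Decision("redirect", f"{clean}{sep}_auth={token}")


def run_client(f: LayeredFilter, src_ip: str, url: str, t0: float, n: int,
               interval: float, follows_redirects: bool) -> List[str]:
    """Replay n requests from one source; a redirect-following client retries the Location."""
    actions, pending = [], None
    for i in range(n):
        target = pending if (follows_redirects and pending) else url
        d = f.handle(Request(src_ip, target, t0 + i * interval))
        actions.append(d.action)
        pending = d.location if d.action == "redirect" else None
    return actions


# Constructed learning sample: per-source requests per second seen during a quiet period.
LEARNED = [2, 3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 3]


def demo() -> Dict[str, List[str]]:
    f = LayeredFilter(LEARNED)
    f.set_source_threshold("203.0.113.10", 200)   # e.g. a large NAT that legitimately sends more
    return {
        "browser": run_client(f, "192.0.2.5", "/index.html?page=1", 100.0, 3, 0.2, True),
        "tool_no_redirect": run_client(f, "198.51.100.7", "/index.html", 100.0, 4, 0.25, False),
        "tool_follows_redirect": run_client(f, "198.51.100.8", "/index.html", 100.0, 10, 0.1, True),
        "heavy_trusted_nat": run_client(f, "203.0.113.10", "/index.html", 100.0, 20, 0.05, True),
    }


if __name__ == "__main__":
    for name, acts in demo().items():
        print(f"{name:22s} {acts}")
```

The four replayed clients show why the layers are stacked rather than used alone: the browser is redirected once and then trusted; the simple flood tool that ignores the Location header never gets past the challenge; the tool that does follow redirects (the evasion this paper describes) is trusted but then hits the learned threshold on its sixth request of the second; and the NAT with a per-source override keeps passing at a rate that would drop any other source. The HMAC binding also means a token harvested by one bot is rejected when presented from another address.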

The Anti-Spoofing Protection filter checks the validity of sessions and their state information to determine whether traffic is normal. The HTTP Access Authentication filter determines the validity of HTTP requests and prevents newer attacks from circumventing HTTP 302 redirects. By analyzing accumulated information about legitimate traffic, AhnLab DPS automatically builds a list of trusted IP addresses and blocks all traffic from unauthorized sources, while allowing valid transactions to continue even during an attack. This approach is effective against stateless UDP and ICMP traffic as well as unknown attack methods. It also improves detection accuracy, which has been a critical weakness of DDoS mitigation strategies that rely on threshold-based control alone.

AhnLab DPS also includes a traditional threshold-based protection feature. This mitigation method is effective against simple packet flooding attacks, although it carries a risk of false positives. Working in concert with the Self-Learning feature, however, AhnLab DPS can automatically calculate the threshold from observed traffic and derive the most appropriate protection policy from the result. In addition, AhnLab DPS allows you to specify up to 128 per-source thresholds in each protected zone. Thus, source IP addresses that routinely send large volumes of legitimate traffic can be allowed to continue their transactions. This allows a more refined network policy while reducing the false positives that hinder other threshold-based filters.

Finally, the AhnLab DPS signature-based filter provides the IPS signatures required to detect DoS packets and connections to malicious IRC servers. It helps defend networks from known malicious packets that exploit vulnerabilities in the network and application layers.

Clustering Capability

Large-scale DDoS attacks can only be handled by two or more devices operating in active-active mode.
AhnLab DPS features a clustering capability that links up to twelve devices. The scalability provided by this clustering capability can handle up to 120 Gbps of bandwidth. The list of trusted IP addresses is synchronized across all devices in the cluster, so legitimate traffic continues to pass even while a DDoS attack is under way. Clustered devices function as a single unit, responding effectively to volumetric DDoS attacks and providing the flexibility to protect networks of all sizes.

Inline and Out-of-Path Deployment

AhnLab DPS can be deployed inline on a network or in an out-of-path topology. Generally, inline deployment is the simplest and least expensive option. In an inline deployment, however, all traffic is routed through a single DPS device, which makes that device a single point of failure that could take the entire network down. With its support for traffic bypass, AhnLab DPS provides fault tolerance and continues to pass traffic even in the event of a system failure. Note that bypass keeps the network up by letting traffic through unfiltered; where protection must not lapse during a device failure, a cluster or an out-of-path design is the better fit.

An out-of-path topology is most suitable for large-scale networks. Located outside the forwarding path, the AhnLab DPS does not affect normal traffic flow but still provides fault tolerance and operational stability. As the figure's labels indicate, a detector observes the traffic, a traffic hijacking switch diverts suspect traffic to the out-of-path guard, and a traffic injection switch returns the cleaned traffic to the network. The AhnLab DPS can be configured for this deployment with commonly available Cisco routers and switches.

[Figure: deployment topologies. Inline: Internet, Inline Guard & Detector. Out-of-path: Internet, Traffic Hijacking Switch, Out-of-Path Guard, Out-of-Path Detector. Inline Cluster and OOP Cluster: Internet, Traffic Hijacking Switch, Out-of-Path Guard (Cluster), Traffic Injection Switch, Out-of-Path Detector #1, Out-of-Path Detector #2.]

Conclusion

Today's DDoS attacks are increasingly sophisticated and occur more frequently. With the prevalence of easy-to-use tools and new motivations for these attacks, this upward trend will continue. The threat is compounded by the fact that typical security solutions cannot keep pace with the increased security requirements. Organizations need an effective, comprehensive approach to ensure the continuity of services and resources.

AhnLab DPS delivers full protection against complex DDoS attacks. With its clustering technology and multiple protection layers, AhnLab DPS mitigates a wide range of threats while allowing valid transactions to continue. To keep DDoS attacks from disrupting your business operations, trust AhnLab DPS to deliver all-inclusive protection for Internet resources and services.

About AhnLab

AhnLab creates agile, integrated internet security solutions for corporate organizations. Founded in 1995, AhnLab, a global leader in security, delivers comprehensive protection for networks, transactions, and essential services. AhnLab delivers best-of-breed threat prevention that scales easily for high-speed networks by combining cloud analysis with endpoint and server resources. AhnLab's multidimensional approach combines with exceptional service to create truly global protection against attacks that evade traditional security defenses. That's why more than 25,000 organizations rely on AhnLab's award-winning products and services to make the internet safe and reliable for their business operations.

AhnLab, Inc.
2318-D Walsh Ave.
Santa Clara, CA 95051 USA
Toll Free +1.800.511.AhnLab (1.800.511.2465)
+1.877.551.2690
Email info@ahnlab.com

Design Your Security
2013 AhnLab, Inc. All rights reserved.