VALIDATING DDoS THREAT PROTECTION




Ensure your DDoS Solution Works in Real-World Conditions. White Paper.

Executive Summary

This white paper is for security and networking professionals who are looking to protect their networks against the devastating effects of Distributed Denial of Service (DDoS) attacks. In this paper, you will learn more about the various types of DDoS attacks, the challenges involved in detecting and mitigating these attacks, and the importance of validating any threat protection solution for real-world performance.

"The evolving mix of attack vectors demands that mitigation capabilities be tested regularly for effectiveness." Gartner, Master These Eight Steps to Control the Damage From DDoS Attacks, Lawrence Orans, 21 April 2014

Table of Contents

The DDoS Problem ... 4
What Is a DDoS Attack? ... 4
DDoS Types ... 4
DDoS for the Masses ... 5
Mitigating DDoS Attacks ... 6
Validating Performance for the Real World ... 6
Thunder TPS Performance Validation ... 7
Conclusion ... 8
About A10 Thunder TPS ... 9
About A10 Networks ... 9

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions.

The DDoS Problem

What Is a DDoS Attack?

A Denial of Service or DoS attack is a technique an attacker uses to render an online service inaccessible to legitimate users. DDoS attack tools come in many shapes and sizes, all focused on overwhelming a part of the infrastructure that delivers the service. For example, a web server that hosts a service can be overwhelmed with an excess of fake requests, so that legitimate requests cannot be served. Often, these attacks come from many compromised hosts on the Internet, all remotely controlled by an attacker. These compromised hosts, known as bots and distributed over the Internet, are enlisted in a botnet. The attack is therefore launched from many different hosts simultaneously; this is known as a Distributed Denial of Service or DDoS attack. Attack traffic accumulates to larger and larger traffic rates, all destined for the victim's IP address.

Figure 1: Traffic accumulating into a DDoS attack

DDoS Types

Technically speaking, DDoS attacks can be divided into different categories:

Volumetric attacks, such as DNS or NTP amplification attacks, are aimed at flooding and saturating a victim's network connection, thus rendering services unavailable. Amplification attacks use bots that send requests with a fake or spoofed source IP address (the victim's IP address) to a service such as a DNS server, which sends a response much larger than the request to the victim's IP address. All these responses, coming from many usually unpatched or poorly configured Internet servers, accumulate into a large volume of data destined for the victim.

Network protocol attacks, such as SYN floods, ping of death and IP anomalies, are aimed at exhausting a victim's protocol stack so it cannot respond to legitimate traffic. A SYN flood attack, for example, is based on the fact that a server reserves resources for uncompleted connection requests. Eventually the server times out the connection and frees the reserved resources, but if these requests arrive at a high enough rate, the server's resources are depleted, it is overwhelmed and thus cannot respond to legitimate requests.

Application attacks come in two forms. Application exploitation attacks trigger undesired behavior in the application, for example causing the application to fail. Application resource attacks such as low-and-slow techniques, HTTP GET floods or SSL-based attacks specifically exploit a weakness in an application's function or try to overwhelm the service. The approach is similar: the attack intends to consume all resources of the application, eventually overwhelming it.

Figure 2: Volume vs. complexity. The four attack classes shown in the figure:

Application Exploit Attacks: exploit vulnerabilities in the application (attack amplification for NTP/DNS etc., buffer overflows, etc.)
Application Resource Attacks: exhaust application resources using traffic that seems legitimate (Slowloris, Slow READ, R.U.D.Y., Slow POST, HTTP GET attacks, etc.)
Network Protocol Attacks: targeted protocol attacks to exhaust specific resources (TCP SYN Flood, Ping of Death, LAND attack, Fragmentation, etc.)
Network Volumetric Attacks: consume the target's bandwidth (large-scale network protocol attacks, including DNS/NTP Reflection attacks, UDP Flood, ICMP Flood, etc.)

DDoS for the Masses

DDoS attacks have been around for a long time, but with the rapid expansion of connected devices, they have become larger, and are now within the reach of an average Internet user. Whereas a decade or so ago the DDoS attack was a tool of devastation that was accessible only to well-connected, highly skillful attackers, today there are network stresser tools readily available on the Internet for anyone to launch an attack on anyone, for as little as a few dollars.

Figure 3: Example of a DDoS-for-hire service

Mitigating DDoS Attacks

Because DDoS attacks often use a distributed attack strategy, with traffic coming from multiple directions and often using spoofed source IPs, traditional security infrastructure components such as firewalls and intrusion prevention system (IPS) devices can be overwhelmed, due to their stateful nature. As DDoS attacks, especially volumetric attacks, enter the network with extreme packet-per-second rates, a mitigation solution with adequate packet processing power is required.

The DDoS mitigation device needs to be able to verify connections for their legitimacy, or determine whether the traffic is scripted and initiated by a botnet. To make that distinction, various methods can be used. For the classic but still prevalent SYN flood attack, for example, the mitigation device can respond with a cookie to the initial SYN request. The cookie is a random sequence number, which the client has to include in its response. This proves that the client is not just generating packets to the service, but is likely a legitimate client. On the application layer, similar authentication mechanisms can be used. The mitigation device responds to a client's URL request with a cookie and a redirect instruction to the same intended URL. To pass authentication, the client must resend the request along with the cookie to the redirect URL.

Other sophisticated low-and-slow attacks slow down a service by communicating with it as slowly as possible, keeping the session alive. When the service continues to reserve resources for all of these connections, it eventually runs out of resources and is unable to respond to legitimate requests.

Inspecting against all of these anomalies requires increasing amounts of CPU processing resources from the mitigation device. Ideally, the device should leverage network processing hardware such as Field Programmable Gate Arrays (FPGAs), which can take care of packet anomalies, reserving the CPUs for more complex tasks such as application-layer attacks.

DDoS attacks are often launched using multiple attack vectors simultaneously, combining classic high packet rate attacks such as SYN floods with an application attack component. This is a clever strategy, as it targets different components of the foundation that enables the service under attack. Finesse is not the goal of a DDoS attack. It only takes one critical component to render a service unavailable. If the Internet connection is saturated, or the firewall is overwhelmed, or the service's networking stack freezes, the attack is successful.

Validating Performance for the Real World

As the previous paragraphs point out, DDoS attacks require a defense solution with a lot of horsepower to analyze the traffic and then take appropriate action. Moreover, this horsepower is not always treated equally when validating performance. DDoS mitigation vendors provide metrics to indicate the processing capacity of their product in terms of bandwidth or packet-per-second (pps) forwarding. These measurements are typically performed in a static lab environment, with a set traffic pattern, in a best-case scenario. When used in a production environment, the system is likely configured with various policies and is processing various traffic types simultaneously. Real-world performance is almost impossible to define and for a vendor to report on, as network conditions are always changing, and it depends on the end user's needs how the system is configured to protect only certain services from certain attacks. One thing is often observed: the performance of a product in the real world may look different from the datasheet figures.

Datasheet performance figures provide a good indicator to match the product to your needs, but it is advisable to test your product of interest, and validate it through a series of tests to see how it holds up against a set of attack scenarios with your desired configuration. The multi-vector attack trend illustrates the importance of validating performance. Running a basic attack such as a SYN flood puts a base stress level onto the CPUs, unless, of course, the attack is mitigated in hardware. Making the system simultaneously fight a more complex application-layer attack such as an HTTP GET flood could push a system over its limit. Periodic validation of your network's security performance is critical to ensure that your security solutions will hold up during various simultaneous attacks, and to ensure that your network investments are up to the task in a growing, secured network.
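The SYN cookie and HTTP cookie-plus-redirect challenges described under Mitigating DDoS Attacks, as an added Python example that is not part of the original paper or of A10's product code: the cookie is a keyed hash of the connection 4-tuple and a coarse time slot, so the device keeps no state per half-open connection, and the client's ACK (or redirected request) is checked against it. The secret, slot length and function names are constructed for illustration.

```python
"""Stateless challenge-response checks of the kind the paper describes:
a SYN cookie for the TCP handshake and a cookie-plus-redirect challenge
at the HTTP layer. Added example; secret and slot length are constructed."""
import hashlib
import hmac
import struct
import time

# Constructed per-device secret; a real mitigation device would rotate it.
SECRET = b"constructed-example-secret-rotate-me"
SLOT_SECONDS = 64      # a cookie stays valid for the current and previous slot
MASK32 = 0xFFFFFFFF


def _slot(now):
    """Coarse time counter so an old cookie cannot be replayed indefinitely."""
    return int(now) // SLOT_SECONDS


def _keyed_tag(*parts):
    """32-bit keyed hash over the given fields (HMAC-SHA256, truncated)."""
    msg = b"|".join(str(p).encode() for p in parts)
    return struct.unpack(">I", hmac.new(SECRET, msg, hashlib.sha256).digest()[:4])[0]


def syn_cookie(src_ip, src_port, dst_ip, dst_port, now=None):
    """Initial sequence number for the SYN-ACK. Derived from the 4-tuple and
    the time slot, so nothing is stored per half-open connection: a flood of
    spoofed SYNs costs the device no memory."""
    now = time.time() if now is None else now
    return _keyed_tag("syn", src_ip, src_port, dst_ip, dst_port, _slot(now))


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """A client that really received the SYN-ACK answers with ACK = cookie + 1.
    A spoofed source never sees the SYN-ACK, so it cannot produce this value."""
    now = time.time() if now is None else now
    got = (ack_num & MASK32).to_bytes(4, "big")
    for slot in (_slot(now), _slot(now) - 1):
        expected = (_keyed_tag("syn", src_ip, src_port, dst_ip, dst_port, slot) + 1) & MASK32
        if hmac.compare_digest(expected.to_bytes(4, "big"), got):
            return True
    return False


def http_challenge(client_ip, url, now=None):
    """Answer the first request with a redirect to the same URL plus a cookie.
    A real browser follows the redirect and presents the cookie; a script
    that only fires GET requests at the URL does not."""
    now = time.time() if now is None else now
    token = "%08x" % _keyed_tag("http", client_ip, _slot(now))
    return {"status": 302, "Location": url, "Set-Cookie": "ddos_auth=" + token}


def http_validate(client_ip, cookie_header, now=None):
    """Pass the redirected request only if it carries a cookie this device
    issued to the same client IP in the current or previous slot."""
    now = time.time() if now is None else now
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    presented = cookies.get("ddos_auth", "").encode()
    for slot in (_slot(now), _slot(now) - 1):
        issued = ("%08x" % _keyed_tag("http", client_ip, slot)).encode()
        if hmac.compare_digest(issued, presented):
            return True
    return False
```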

Figure 4: Testing A10 Networks Thunder TPS under simultaneous loads (a 220+ Mpps / 150 Gbps SYN flood, application attacks such as LOIC, HOIC, HULK and Tor's Hammer, and amplification attacks from attack/bad-user sources, mixed with normal-user traffic, delivered over 4 x 40 GbE ports to Microsoft IIS and Apache web servers behind the Thunder TPS)

Thunder TPS Performance Validation

According to Gartner's Key Insights document, Master These Eight Steps to Control the Damage From DDoS Attacks [1], organizations should perform quarterly testing of DDoS mitigation capabilities. In the testing of A10 Networks Thunder TPS line of Threat Protection Systems, various Ixia products were used to assess the performance. For creating large streams of SYN requests from various IP sources, IxExplorer provides a very powerful tool. PerfectStorm provides a very easy to use solution to define massive-scale, stateful Layer 4-7 application and security tests. Ixia's products have provided trusted assurance that Thunder TPS performance is validated under multi-vector attack loads.

Figure 5: Ixia PerfectStorm configuration for various attacks such as Slowloris, RUDY and DNS amplification

[1] Gartner, Master These Eight Steps to Control the Damage From DDoS Attacks, Lawrence Orans, 21 April 2014

Figure 6: Ixia GUI showcasing compounded IPv4 and IPv6 traffic streams to ensure that both protocol access types are protected

This test was configured with up to 64 million concurrent sessions, and demonstrated that Thunder 6435 TPS could handle:

Application-layer attacks while mitigating large SYN flood attacks
Hardware-generated SYN cookies up to 223 Mpps
Software-generated SYN authentication up to 70 Mpps

Figure 7: Thunder TPS 6435 test highlights (Ixia-tested performance chart, 0 to 250 scale: throughput in Gbps, SYN cookie rate in Mpps, SYN auth rate in Mpps)

Conclusion

Now that DDoS attacks are ever expanding in size, frequency and tenacity, and are within the reach of an average user, organizations that rely on their online presence should carefully assess their DDoS defense strategy. Multi-vector or compounded DDoS attacks stress the network in different segments, with the intent of breaking any of the critical components of the service's underlying infrastructure. DDoS protection systems such as A10 Networks Thunder TPS line of Threat Protection Systems leverage many hardware acceleration components to distribute attack traffic where it can be mitigated most effectively. A10 Thunder TPS provides high-performance, network-wide protection against DDoS attacks, and enables service availability against a variety of volumetric, protocol, resource and more sophisticated application threats.

Ixia products such as PerfectStorm provide the ability to combine authentic DDoS traffic with your network's real-world mix of application traffic. Ixia's test solutions show the effects DDoS attacks can have on your applications, individual devices, networks and data centers. Validating performance under various, continuous loads provides a better indication of how a solution holds up in the real-world environment that is your network, ensuring that your DDoS protection strategy can scale against the largest and most sophisticated DDoS attacks, now and in the future.

About A10 Thunder TPS

A10 Networks Thunder TPS product line of Threat Protection Systems provides high-performance, network-wide protection against distributed denial of service (DDoS) attacks, and enables service availability against a variety of volumetric, protocol, and more sophisticated application attacks. To learn more about the Thunder TPS capabilities, please visit https://www.a10networks.com/products/thunder-series/thunder-tps-ddos-protection.

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com

Corporate Headquarters: A10 Networks, Inc, 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668. Fax: +1 408 325-8666. www.a10networks.com

Part Number: A10-WP-21117-EN-02, Oct 2015

Worldwide Offices: North America sales@a10networks.com; Europe emea_sales@a10networks.com; South America latam_sales@a10networks.com; Japan jinfo@a10networks.com; China china_sales@a10networks.com; Taiwan taiwan@a10networks.com; Korea korea@a10networks.com; Hong Kong HongKong@a10networks.com; South Asia SouthAsia@a10networks.com; Australia/New Zealand anz_sales@a10networks.com

To learn more about the A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at www.a10networks.com/contact or call to talk to an A10 sales representative.

2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.