DDoS Protection Technology White Paper

Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection

Abstract: This white paper describes the classification of DDoS attacks, the disadvantages of traditional DDoS protection, and the technical principles and typical networking applications of H3C DDoS protection.

Acronyms:

Acronym   Full spelling
DDoS      Distributed Denial of Service
DoS       Denial of Service

Hangzhou H3C Technologies Co., Ltd. 1/7

Table of Contents

Overview 3
  What is DDoS 3
  Analysis of DDoS 3
  Disadvantages of Traditional DDoS Protection 3
H3C DDoS Protection 4
  Architecture of H3C DDoS Protection 4
  Operation of H3C DDoS Protection 5
  Technical Characteristics of H3C DDoS Protection 6
  Typical Application Scenarios 6
Summary and Prospect 7

Overview

What is DDoS

A DoS attack is launched in a one-to-one manner, while a DDoS attack controls many compromised "zombie" hosts to attack a single target. By planting the zombie program on these machines, a hacker can quickly build an army of zombies for launching DDoS attacks. With enough zombie hosts participating (one hundred thousand or more), the volume of an attack can be staggering.

Analysis of DDoS

By taking advantage of the weaknesses of some TCP/IP protocols, hackers can overwhelm a target network or server simply by sending it a huge amount of traffic, or incomplete and malformed packets, making the victim unable to provide normal services. DDoS attacks are difficult to defend against because illegitimate packets are indistinguishable from legitimate packets and thus cannot be identified through a signature database. In addition, DDoS attacks use spoofed but valid source IP addresses, thereby eluding source identification by anomaly-based monitoring tools.

The two most common types of DDoS attacks are as follows.

- Bandwidth attacks: These DDoS attacks send a large number of seemingly legitimate packets to a specific router, server, or firewall, which generally has limited processing resources, thus causing the victim to deny normal access requests.
- Application attacks: These DDoS attacks use the characteristics of protocols such as TCP and HTTP to consume the resources of victims and prevent them from processing requests. HTTP half-open and HTTP error attacks are examples of application attacks. When agents are used, application attacks are more disruptive.

Disadvantages of Traditional DDoS Protection

The main method of traditional DDoS protection is to set traffic thresholds for different attack behaviors. It has the following disadvantages:

- Complex configuration and insufficient adaptation: As the user may not have a good understanding of different attack behaviors, it is hard for the user to make correct settings. In addition, this method cannot adjust thresholds according to dynamic changes of traffic.
- Limited defense: Today's DDoS attacks are more complicated and disruptive. A DDoS attack process may involve half-open attacks such as SYN flood, UDP flood and ICMP flood, connection attacks such as TCP connection flood, and application attacks such as HTTP GET flood and HTTP PUT flood. Traditional DDoS protection aims at a specific type of attack, such as SYN flood, and cannot satisfy current defense requirements.

- No capability against unknown DDoS attacks: As the source code of DDoS attack tools spreads across the Internet, attackers can easily change the types of DDoS attack packets, which traditional DDoS protection cannot identify or take countermeasures against.

H3C DDoS Protection

Architecture of H3C DDoS Protection

H3C DDoS protection adopts an adaptive, multi-level architecture to detect and defend against DDoS attacks. It identifies DDoS attacks through authentication and analysis and then adopts countermeasures against them.

Figure 1 H3C DDoS protection architecture

As shown in Figure 1, the H3C DDoS protection architecture comprises the following modules.

Filtering rule module: Filtering rules are either static or dynamic. A static filtering rule is configured manually. A dynamic filtering rule is generated when the traffic anomaly and application anomaly identification modules detect abnormal traffic through traffic statistics and behavior analysis. The filtering rule module filters traffic with these rules: it blocks attack traffic and sends suspicious traffic to the dynamic authentication module for authentication.

Dynamic authentication module: The dynamic authentication module uses various methods, such as HTTP/DNS request redirection, to authenticate the traffic passing the filtering rule module, and blocks packets having spoofed source IP addresses.

Traffic anomaly identification module: The traffic anomaly identification module counts the traffic passing the filtering rule and dynamic authentication modules and compares the result to the normal traffic baseline. If the result exceeds the baseline, the module generates a dynamic filtering rule used by the filtering rule module to filter subsequent traffic. The normal traffic baseline is learned while the protected object works normally. If the baseline is exceeded, abnormal traffic may exist, and authentication and confirmation measures need to be taken.

Application anomaly identification module: The application anomaly identification module performs in-depth analysis on the application-layer traffic passing the filtering rule and dynamic authentication modules. Upon detection of an application anomaly, it generates a dynamic filtering rule used by the filtering rule module to filter subsequent traffic.

Bandwidth control module: Packets passing all preceding modules are considered normal, but a large number of such packets can still overload the protected object. The bandwidth control module solves this issue by limiting the bandwidth that incoming traffic may occupy.

Operation of H3C DDoS Protection

H3C DDoS protection is implemented as follows.

1. Traffic learning: Uses the traffic detection parameters embedded in the system to learn and count traffic, and generates the normal traffic baseline while the protected object works normally.
2. Threshold adjustment: Uses the traffic detection parameters embedded in the system to learn and count traffic, and integrates the result into the normal traffic baseline to generate a new normal traffic baseline.
3. Detection and protection: Counts and analyzes traffic, and compares the result to the normal traffic baseline. Upon detection of anomalies, DDoS protection generates dynamic filtering rules to check and filter traffic, such as checking the validity of the source IP address, and dropping abnormal traffic.

The threshold adjustment feature and the detection and protection feature work continuously to implement dynamic threshold adjustment and protection, which enables the system to adapt to various dynamic traffic changes.
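The three operating steps above (traffic learning, threshold adjustment, detection and protection), modelled as an added example that is not H3C's code: a baseline is learned from a healthy period, samples under it are folded back into the baseline, and a sample over it produces a dynamic filtering rule. The mean-plus-k-standard-deviations model, the smoothing factor, the victim address and the traffic counts are all assumptions, since the paper does not state the model it uses.

```python
import statistics

# Constructed per-second SYN counts seen while the protected server is healthy.
NORMAL_TRAFFIC = [120, 135, 128, 142, 118, 131, 125, 139, 122, 133]
# Constructed live samples; the last three represent a SYN flood.
LIVE_TRAFFIC = [130, 127, 141, 900, 1500, 2200]


class AdaptiveBaseline:
    """Traffic learning, threshold adjustment and detection for one traffic counter."""

    def __init__(self, k=4.0, alpha=0.2):
        self.k = k          # standard deviations above the mean still treated as normal
        self.alpha = alpha  # weight of each new normal sample when adjusting the baseline
        self.mean = None
        self.stddev = None

    def learn(self, samples):
        # Traffic learning: derive the initial baseline from a healthy period.
        self.mean = statistics.mean(samples)
        self.stddev = statistics.pstdev(samples)
        return self.threshold()

    def threshold(self):
        # Floor the spread so a perfectly flat learning period does not give a zero margin.
        return self.mean + self.k * max(self.stddev, 1.0)

    def adjust(self, sample):
        # Threshold adjustment: fold a normal sample into the baseline so that slow,
        # legitimate growth is tracked instead of being reported as an attack.
        self.mean = (1 - self.alpha) * self.mean + self.alpha * sample
        self.stddev = (1 - self.alpha) * self.stddev + self.alpha * abs(sample - self.mean)
        return self.threshold()

    def detect(self, sample, victim="203.0.113.10"):
        # Detection and protection: a sample over the baseline yields a dynamic filtering
        # rule (suspicious traffic is sent to source authentication first, as in Figure 1);
        # a sample below it is integrated into the baseline instead.
        if sample > self.threshold():
            return {"action": "authenticate-source", "proto": "tcp-syn", "dst": victim,
                    "observed": sample, "threshold": round(self.threshold(), 1)}
        self.adjust(sample)
        return None


def run(normal, live):
    """One entry per live sample: None while normal, else the generated dynamic rule."""
    baseline = AdaptiveBaseline()
    baseline.learn(normal)
    return [baseline.detect(s) for s in live]
```

With the constructed data, the first three live samples are absorbed into the baseline and the three flood samples each produce a rule.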

Technical Characteristics of H3C DDoS Protection

- Comprehensive DDoS protection against IP layer attacks such as IP fragment attacks, TCP layer attacks such as TCP half-open attacks, and application layer attacks such as HTTP connection flood and HTTP GET flood.
- Defense capability against unknown DDoS attacks: any traffic that exceeds the normal traffic baseline is identified and countered.
- Countermeasures chosen per protocol. For example, SYN cookies are used for authentication and defense against source address spoofing, and HTTP redirection is used for HTTP.
- Network traffic model-based statistical methods, which feature good scalability.
- Dynamic traffic learning and threshold adjustment, which simplify configuration and avoid wrong settings.

Typical Application Scenarios

As shown in Figure 2, DDoS protection can be deployed at different positions on a network.

Figure 2 DDoS protection deployment (network diagram: the Internet, three branches, a data center with OA, CRM and ERP systems, internal LANs for R&D, Finance and Marketing, a DMZ zone with SMTP, POP3 and web servers, and IPS 1 to IPS 6 at the positions described below)

- IPS 1: Deployed at the edge of the WAN to defend against DDoS attacks from the Internet and branches.
- IPS 2: Deployed at a data center to defend against DDoS attacks from the Internet and the data center.
- IPS 3 to IPS 5: Deployed between internal LANs to defend against DDoS/DoS attacks from the internal network.
- IPS 6: At the edge of the Internet, deployed between the firewall and the web/POP3/SMTP servers to defend against DDoS attacks from the Internet.
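The SYN cookie countermeasure named above, which is also how the dynamic authentication module can block spoofed source addresses, as an added example that is not H3C's code: the protecting device answers a SYN with a cookie computed from the connection 4-tuple, a time counter and a secret, stores nothing per connection, and admits the connection only when the final ACK echoes a valid cookie, which a host that spoofed the source address never receives. The 24-bit tag / 3-bit MSS index / 5-bit counter layout follows the classic SYN cookie scheme; the secret, MSS table and addresses are constructed for the demo.

```python
import hmac
import hashlib

# Constructed secret for the demo; a real device derives and rotates its own.
SECRET = b"constructed-demo-secret"
# Acceptable MSS values, encoded as a 3-bit index inside the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]


def _tag(src, dst, sport, dport, count):
    # 24-bit keyed hash over the connection 4-tuple and the 5-bit time counter.
    msg = f"{src}|{dst}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, count):
    """Initial sequence number to place in the SYN-ACK. Nothing is stored per
    connection, so a flood of SYNs from spoofed sources cannot fill a backlog."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    count &= 0x1F
    return (count << 27) | (mss_idx << 24) | _tag(src, dst, sport, dport, count)


def check_cookie(src, dst, sport, dport, ack, now_count, max_age=1):
    """Validate the final ACK of the handshake. Only a host that really received
    the SYN-ACK at this source address can echo the cookie, so a valid ACK proves
    the source is not spoofed. Returns the negotiated MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (now_count - count) & 0x1F > max_age:
        return None  # cookie too old: replay of a stale handshake
    if (cookie & 0xFFFFFF) != _tag(src, dst, sport, dport, count):
        return None  # forged, or replayed from a different 4-tuple
    return MSS_TABLE[mss_idx]
```

Because the counter wraps modulo 32, the age check also works across the wrap (count 31 followed by count 0 is one tick old).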

Summary and Prospect

H3C has developed a suite of effective DDoS protection methods based on in-depth analysis, classification and abstraction of all available DDoS attacks. H3C DDoS protection is capable of defending against all known DDoS attacks and most unknown DDoS attacks. As new DDoS attack tools and methods keep emerging, H3C will closely trace and analyze them to provide effective DDoS protection solutions to customers.

Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.