Securing data centres: How we are positioned as your ISP provider to prevent online attacks.




Executive Summary

In today's technologically-demanding world, an organisation that experiences any internet data centre (IDC) downtime will no doubt notice the significant impact it has on their bottom line. It is no surprise then that the increasing scale and frequency of distributed denial of service (DDoS) attacks are now having a much greater impact on the business continuity and profitability of these companies. On top of this, while DDoS attacks may have been driven by non-economic reasons in the past, they now have major monetary drivers including extortion, competitive advantage and corporate revenge.

DDoS threats that impact the availability of services represent a significant opportunity for Internet service providers (ISPs). Enterprises and their IDC operators are more concerned about DDoS than ever before, and ISPs can help them combat these threats.

Growing managed security market from ISPs

According to research by Frost & Sullivan, the managed security service provider (MSSP) market is expected to grow to around $4 billion in North America alone by 2016. It is expected that the managed security and security monitoring services segment will continue to yield the highest percentage of total revenue in the MSSP market.

Frost & Sullivan Research Analyst Martha Vazquez said that, despite budget cutbacks, more companies were looking to upgrade their security. "Although budget cutbacks have resulted from the economic slowdown, companies are continuing to implement measures to upgrade security," Ms Vazquez said.

Outsourcing security to an MSSP will free up time for organisations to focus on core business processes. Enterprises will spend more on network-based security services from ISPs as they become more comfortable with ISPs providing these services. Many factors such as better support, more mature options, improved service control and faster services will increase this comfort level.

The evolving DDoS threat

The market demand for managed security services is real and growing. Service providers have some inherent advantages that enable them to capitalize on this demand because they own the pipes that transmit data across the Internet. This makes ISPs uniquely well-positioned to deliver a comprehensive solution that can combat the two primary types of DDoS attacks: volumetric DDoS attacks and the newer application-layer DDoS attacks.

The volumetric DDoS attacks are those generated by internet bots, or compromised personal computers that are grouped together in large-scale botnets. Examples include the DDoS attack against UK-based online betting sites, where the hackers extort the betting firms, and the politically-motivated DDoS attacks against the Georgian government. They are generally high-bandwidth attacks and originate from a large number of bots that are geographically distributed. Because of the high-bandwidth and geographically-dispersed nature of these attacks, the congestion might occur upstream in the provider's network and cannot be stopped at the enterprise or data-center edge.

In addition to the volumetric attacks, a new type of application-layer DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world's most popular Internet shopping sites including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS, a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and, more importantly, the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly.

The Christmas of 2009 attack revealed the potential impact of DDoS to online commerce. More importantly, it revealed this new type of application-layer DDoS attack that targets specific services and consumes lower bandwidth. These new application-layer DDoS attacks threaten a myriad of services ranging from web commerce and DNS services to email and online banking.

Enterprise customers are very concerned with the availability of critical services running in their data centers. At the same time, attackers view these Internet-facing data centers as new prime targets and are launching DDoS attacks to wreak havoc on these companies. The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, with more customers looking for better solutions.

Only ISPs can provide the comprehensive solution to protect data centres from DDoS

ISPs can gain a unique advantage by providing a layered network- and edge-based managed solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via a network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider's cloud. The best place to perform application-layer DDoS detection is in the data center itself because the attack can only be detected and immediately stopped at the data-center edge. Only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks, representing a distinct competitive advantage.

There are cost efficiencies at work, too. When an ISP is already supplying a managed firewall, a secure socket layer virtual private network (SSL VPN), an intrusion detection system (IDS), an intrusion prevention system (IPS) and other security measures, adding a managed DDoS protection service can be relatively straightforward and cost-efficient.

Why traditional security products fail to address the evolving DDoS threat

While firewalls and IPS may be key elements of your customers' security strategy, these solutions are designed to provide security functions that are fundamentally different from dedicated DDoS detection and mitigation products.

For example, firewalls are essentially policy-enforcement points that are usually deployed at the network or data-center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a data center as defined by ports, protocols and destinations. Internet-facing data centers are open to Web traffic (TCP port 80/443) and other services such as video, voice and file transfer. DDoS attacks target the very services that firewalls have to allow through, so there is no inherent DDoS protection in the firewall layer. Due to the fact that firewalls maintain state information for every session established between a client on the internet and the corresponding server in the data center, the firewalls themselves are commonly the targets of DDoS attacks. On top of this, they are also potentially the single point of failure that disables the data center during large-scale DDoS attacks. In these cases it is best to provide DDoS protection in the ISP network or cloud before it reaches the data center, by which time it will be too late.

IPS/IDS devices are also not designed to protect against some denial of service attacks. They are designed to inspect packets and remove network-based malware through signature matching. Many times, however, DDoS attack traffic is not a signature-based threat. Because all IDS/IPS devices are deployed in-line and suffer from the same resource and memory exhaustion problems that plague firewalls, they are also a potential single point of failure on the network and increase network latency. In these cases, the detection and removal of DDoS attack traffic is best done in the ISP's network, either before it reaches the data-center edge or through off-ramping the malicious traffic.

Some firewalls and IDS/IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. But since firewalls and IDS/IPS products conduct anomaly detection on a per-point basis, they have a very myopic view of the network. The very nature of a distributed denial of service attack means that the attack traffic is coming from different sources. Therefore, the solution must be able to recognise this behavior and stop the traffic as close to the source as possible. This is another reason why the distributed detection and mitigation of DDoS attacks are best done in the ISP network.
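The per-point versus network-wide detection argument above, as an added example (not from the original whitepaper or any vendor's product): constructed flow summaries from four hypothetical ingress points, where a static per-device threshold sees nothing while per-destination totals compared against their own baseline flag the flood. The router names, addresses, threshold and z-score limit are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (observation_point, minute, dst_ip, pps).
# Minutes 0-4 are normal load. In minute 5 traffic to 203.0.113.10 rises at
# every ingress point but stays under the per-point alert threshold.
POINTS = ["edge-a", "edge-b", "edge-c", "edge-d"]   # hypothetical routers
FLOWS = []
for minute in range(5):
    for i, point in enumerate(POINTS):
        FLOWS.append((point, minute, "203.0.113.10", 1000 + 50 * ((minute + i) % 3)))
        FLOWS.append((point, minute, "203.0.113.20", 800 + 40 * ((minute + i) % 2)))
for point in POINTS:
    FLOWS.append((point, 5, "203.0.113.10", 4500))
    FLOWS.append((point, 5, "203.0.113.20", 820))

PER_POINT_THRESHOLD_PPS = 5000   # assumed static flood threshold on one device
Z_LIMIT = 4.0                    # assumed anomaly sensitivity

def per_point_alerts(flows, threshold=PER_POINT_THRESHOLD_PPS):
    """Threshold check as one in-line device sees it: a single point at a time."""
    return sorted({(p, m, d) for p, m, d, pps in flows if pps > threshold})

def network_wide_alerts(flows, baseline_minutes=5, z_limit=Z_LIMIT):
    """Sum pps per destination across all points, then flag minutes whose total
    exceeds that destination's own baseline by more than z_limit deviations."""
    totals = defaultdict(lambda: defaultdict(int))
    for _, minute, dst, pps in flows:
        totals[dst][minute] += pps
    alerts = []
    for dst, by_minute in totals.items():
        base = [by_minute[m] for m in range(baseline_minutes)]
        mu, sigma = mean(base), pstdev(base) or 1.0   # avoid divide-by-zero
        for minute in sorted(m for m in by_minute if m >= baseline_minutes):
            z = (by_minute[minute] - mu) / sigma
            if z > z_limit:
                alerts.append((dst, minute, by_minute[minute]))
    return alerts

if __name__ == "__main__":
    print("per-point alerts:   ", per_point_alerts(FLOWS))
    print("network-wide alerts:", network_wide_alerts(FLOWS))
```

Each device sees at most 4,500 pps toward the target, so no single-point threshold fires, while the summed view shows the destination at more than four times its baseline.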

The Platform for Comprehensive Managed DDoS Services

A complete DDoS protection solution must support the following:

- Both in-line and, more importantly, out-of-band deployment to avoid being a single point of failure on the network;
- True distributed DoS (DDoS) attack detection, which requires broad visibility into the network (not just from a single network perspective) and the ability to analyse traffic from different parts of the network;
- Attack detection using multiple techniques such as statistical anomaly detection, customizable threshold alerts and fingerprints of known or emerging threats that are based on Internet-wide intelligence; and
- Mitigation that can easily scale to handle attacks of all sizes, ranging from low-end (such as 1 Gbps of mitigation, deployed in the data center) to high-end (such as 40 Gbps of mitigation, deployed in the ISP network).

The solution must also feature managed security service enablers. These include application programming interfaces (APIs) for integration with existing systems, the ability to launch a customer portal easily, provisioning templates, fault tolerance, and redundancy. Lastly, the solution must be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.

Our Solution

Our solution is a complete platform that delivers comprehensive managed DDoS services for customers. Our solution meets the key requirements of a comprehensive DDoS solution by providing:

- Ability to stop both volumetric and application-layer DDoS attacks: our solution provides the tools to diagnose and stop both high-bandwidth DDoS attacks as well as targeted application-layer DDoS targets.
- True distributed DoS attack detection: our solution offers true distributed anomaly detection rather than simple point-based detection.
- Multiple methods of threat detection and mitigation: our solution provides multiple attack detection techniques ranging from statistical anomaly detection and threshold-based flood detection, to fingerprint-based detection.
- Scalability to handle all-size threats: our solution can detect threats of all sizes by leveraging flow technology in existing network infrastructure equipment. The solution can also stop any size threat and provide surgical mitigation ranging from 1 Gbps to 40 Gbps.
- Multiple deployment options: our solution can be deployed out-of-band, in-line or passively.

Conclusion

DDoS attacks are continuing to rise, with both the public and private data centers now prime targets. Increasingly, more data center operators are seeking solutions to this pressing problem. We offer a unique opportunity to respond to this challenge by offering valuable network and edge-based services that protect our customers' data centers against DDoS attacks.