Managed Anti-DDoS Service Protection



Similar documents
Stop DDoS Attacks in Minutes

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Service Description DDoS Mitigation Service

A Layperson s Guide To DoS Attacks

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Managing business risk

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

Successfully Combating

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.

Quick guide: Using the Cloud to support your business

Reducing the cost and complexity of endpoint management

Reducing Downtime Costs with Network-Based IPS

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Network Intrusion Prevention Systems Justification and ROI

ISO? ISO? ISO? LTD ISO?

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Stop DDoS Attacks in Minutes

DDoS Attack Mitigation Report. Media & Entertainment Finance, Banking & Insurance. Retail

Complete Protection against Evolving DDoS Threats

Solution Brief. Secure and Assured Networking for Financial Services

Virtualized Security: The Next Generation of Consolidation

MANAGED SECURITY SERVICES : IP AGNOSTIC DDOS AN IP AGNOSTIC APPROACH TO DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION

The Risk vs. Cost of Enterprise DDoS Protection

CloudFlare advanced DDoS protection

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Security Solutions for the New Threads

Hope is Not a Strategy

VALIDATING DDoS THREAT PROTECTION

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

ACI ON DEMAND DELIVERS PEACE OF MIND

Complete Cloud Solutions

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

7QUESTIONSYOUNEEDTOASKBEFORE CHOOSINGACOLOCATIONFACILITY FORYOURBUSINESS

Intelligent Routing Platform White Paper

Telecom Business Continuity Solutions FOR INTERNAL USE ONLY

On the Deficiencies of Active Network Discovery Systems

On-Premises DDoS Mitigation for the Enterprise

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

TLP WHITE. Denial of service attacks: what you need to know

Cisco Advanced Services for Network Security

Cutting the Cost of Application Security

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

DDoS Attack and Its Defense

How Proactive Business Continuity Can Protect and Grow Your Business. A CenturyLink White Paper

How Cisco IT Protects Against Distributed Denial of Service Attacks

Cloud Backup And Disaster Recovery Meets Next-Generation Database Demands Public Cloud Can Lower Cost, Improve SLAs And Deliver On- Demand Scale

Cloud Security In Your Contingency Plans

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

How To Choose Data Center Colocation Over Cloud Computing

Distributed Denial of Service protection

MaximumOnTM. Bringing High Availability to a New Level. Introducing the Comm100 Live Chat Patent Pending MaximumOn TM Technology

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

Cyber/ Network Security. FINEX Global

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

HP Software Licensing and Management Solutions (SLMS) Helping organizations maximize their software investment.

Whitepaper. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

Security. Security consulting and Integration: Definition and Deliverables. Introduction

Stop DDoS Attacks in Minutes

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Denial of Service (DoS) Technical Primer

Arbor s Solution for ISP

Acceptable Use Policy ("AUP")

Data Protection with IBM TotalStorage NAS and NSI Double- Take Data Replication Software

Network monitoring and analysis tools:

Pacnet Premium Dedicated Internet Access Dedicated Internet Access for Web-Centric Enterprises

Radware s Attack Mitigation Solution On-line Business Protection

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Acquia Cloud Edge Protect Powered by CloudFlare

WhitePaper. Private Cloud Computing Essentials

Security. 26 November 2012 Vol.18 No11

BEST PRACTICES. DMZ Virtualization with VMware Infrastructure

How To Classify A Dnet Attack

Transcription:

Managed Anti-DDoS Service Protection Distributed Denial of Service (or DDoS ), in which compromised PCs controlled by remote attackers inundate a victim s network An Internap White Paper February 2007 resources with the intent of crashing the victim s web or application servers, is among the most serious threats on the Internet today. DDoS attacks are growing larger and more destructive each day, presenting a serious threat to online organizations. The best way to deal with a DDoS attack is to utilize a comprehensive approach, which is outlined in this white paper. 250 Williams Street, Atlanta, GA 30303 Tel 404.302.9700 Toll Free 877.THE.PNAP Fax 404.475.0520 Email: mktg_info@internap.com www.internap.com

Table of Contents Executive Summary...3 Growing Risk...4 DDoS Protection Alternatives...5 Carriers / IP Providers...5 Internap DDoS Protection...5 Internap s 5-Pronged Approach...6 Off-the-Shelf Intrusion Protection Devices...6 Custom Filtering Software...6 Bandwidth, Bandwidth, Bandwidth...6 DDoS Expertise...7 Conclusion...7 Appendix A...8 Internap Network Configuration...8 Customer Configuration Example...9

Page 3 Executive Summary As the Internet becomes increasingly mission-critical, business executives need to be aware of a problem that can prevent customers, partners and suppliers from doing business with them online. It is called Denial of Service (or DDoS ) in which compromised PCs controlled by remote attackers inundate a victim s network resources with the intent of crashing the victim s web or application servers and is among the most serious threats on the Internet today. Twenty five percent of respondents to the 2006 CSI/FBI Computer Crime and Security Survey performed by the Computer Security Institute had experienced a DDoS attack. While no company wants to willingly publicize it, it has taken major companies offline including: Amazon, Microsoft, Yahoo, CNN and ebay. The costs of these attacks are monumental. Forrester, IDS and the Yankee Group estimate that the cost of a 24-hour outage for a large e-commerce company would approach $30 million. In addition, by violating service level agreements, these attacks trigger costly service credits. The estimated hourly down-time costs vary by industry, but are growing significantly across the board: Retail Brokerage Credit Card Sales Authorization Infomercial/800 Number Sales Catalogue Sales Center $6.45 million per hour $2.6 million per hour $200,000 per hour $90,000 per hour Source: Cert, CSI Further, not only do these attacks cost online organizations millions in lost revenues, they may damage reputations and customer relationships. These soft costs are more difficult to quantify, but could be extremely significant and include: Company Reputation Transaction / Operational Disruption Compliance / Regulatory Costs Legal Costs

Page 4 Growing Risk DDoS attacks are growing larger and more destructive each day, presenting a serious threat to online organizations. In 2006 there were 6,110 attacks per day vs. 927 in 2005. (Symantec Corp.) While the largest attacks in 2005 were 3.5 Gbps in size, they have grown by 3X during 2006 to over 10 Gbps. With these attack sizes at their disposal, assailants now have the capacity to take out entire hosting/colocation facilities with brute force. (Prolexic, Inc.) Additionally, these easy-to-deploy attacks were originally motivated by extortion, but motivated attackers now include: disgruntled employees, industrial saboteurs, cyber-terrorists and religious zealots. Figure 1: Recorded DDoS Attack against a sample Enterprise Client.

Page 5 Protection Alternatives Carriers / IP Providers While large carriers have significant bandwidth to sell to their customers, no carrier dedicates bandwidth solely to stop DDoS attacks. This results in the inability to route customers under attack in favor of those not under attack, even if the attacks are only several Gbps in size. Even though carrier offers some level of DDoS mitigation for the bandwidth they provide, they do not take responsibility for another carrier s bandwidth. This lack of a multi-homed solution forces their customers to negotiate agreements with each carrier separately, receiving different levels and quality of coverage from each. To help mitigate DDoS attacks, carriers typically acquire multiple devices from a single manufacturer, but these can only target certain attacks. As next-generation attacks pop up, they can t be stopped with these off-the-shelf manufacturer devices. Additionally, because DDoS protection is not a carrier s main focus, understanding DDoS and protecting against it is not their main concern. Training of staff tends to be limited towards operating a specific manufacturer s mitigation device rather than on experience and training to recognize and stop the multitude of attacks themselves, as manual intervention is often required to stop certain types of attacks. Internap DDoS Protection Powered by Prolexic If Internap simply relied on a single DDoS device manufacturer for its solution, then stringing multiple boxes together would provide the least expensive and simplest approach. While this approach could be implemented as easily it does not provide adequate DDoS protection for Internap customers. It would only be effective at stopping certain attacks, and not as effective as stopping others. Further, it wouldn t address bandwidth attacks where large botnets could overwhelm whatever mitigation gear was in place. Without the experienced DDoS experts behind the hardware and bandwidth, certain attacks could still be successful. Finally, if it provided superior protection for their customers but couldn t provide protection for all their bandwidth, even if acquired from another carrier, then it would only be providing a partial solution. Internap not only offers protection for the IP bandwidth that we provide, but we do the same for IP bandwidth from other providers as well.

Page 6 Internap s 5-Pronged Approach Because of the increasing types and size of DDoS attacks, the Internap solution has developed a 5-pronged approach designed to stop DDoS attacks that include: Best-of-breed commercially available DDoS protection devices Custom filtering software More than 20 pending patents for filtering software designed to stop attacks types that off-the-shelf hardware can t stop as effectively Bandwidth More than 25 Gbps dedicated exclusively to stopping DDoS attacks spread over multiple data centers, regions and carriers, and continuously increased to handle the largest attacks DDoS expertise engineers who have seen and stopped more DDoS attacks than any other company. Multi-homed protection protects the customer s bandwidth, not just bandwidth acquired from Internap. Internap continuously tests the leading vendors for a best-of-breed approach, and have partnered with a combination of manufacturers including Arbor, Juniper, Foundry, and TopLayer, on top of its own custom filtering software. The Internap solution is continuously updated in hardware, software, bandwidth, and engineer training to accommodate the latest attacks and to maximize protection for all customers. So far, this solution has effectively combated the most varied and largest DDoS attacks and continues to be the market leader for this reason. Off-the-Shelf Intrusion Protection Devices Because each manufacturer has developed devices that are stronger at stopping certain attacks, one should not rely on any one manufacturer to stop the increasingly varied types of DDoS attacks. Stringing multiple devices from any one vendor might represent a cheaper and simpler approach, but it will not provide nearly the protection necessary to protect customers against the latest types of DDoS attacks. Custom Filtering Software Because even the best-of-breed, off-the-shelf hardware can t effectively stop every type of attack, we have developed custom filtering code on ASIC-based devices such as Cloudshield and Bivio. Bandwidth, Bandwidth, Bandwidth Beyond leveraging best-of-breed DDoS protection hardware and Internap custom filtering software, because the size of DDoS attacks have grown so significantly, we have more than 25 Gbps (and growing) of bandwidth dedicated to stopping the largest DDoS attacks. As no intrusion protection device has been developed to stop the tremendous size of the latest DDoS attacks, we have invested in over 25 Gbps of bandwidth dedicated to stopping largest brute force attacks. This is a critical component of the Internap solution, especially compared with many of the larger carriers who routinely null route those customers under attack if the attack gets beyond a few Gbps so as not to impact other customers who are not under attack.

Page 7 DDoS Expertise The Internap solution is at the forefront of the market. As a result, Internap leverages DDoS experts on staff 24x7x365 who have seen and stopped thousands of DDoS attacks. This provides a significant leverage over other service s engineers who have not had the same level of DDoS mitigation training or experience. Though a subtle point, it is important because DDoS attacks are usually operated by attackers in real-time (as opposed to canned programs), which can require manual intervention by engineers to stop certain attacks that hardware and software can t handle. Multi-Homed Solution offers protection for all of a company s bandwidth, not just bandwidth acquired from Internap. This means that companies can leverage the market leading solution across all of their bandwidth, ensuring consistency, economies of scale, and simplicity. Conclusion By taking down your websites, even for an hour, DDoS attacks will cause revenue loss, damage to your operations and customer frustration. According to the CSI/FBI study, DDoS attacks are one of the biggest problems on the Internet, and are growing significantly in both frequency and size. While there are a variety of good commercially available devices available, each has its strengths and each manufacturer is better at mitigating certain attacks over others. The result is that without a combination of best-of-breed manufactured devices, custom filtering software to fill the gaps, dedicated bandwidth to stop the largest attacks, and experienced DDoS experts to manually stop others, companies will only be partially protected at the exact time they need complete protection. By utilizing Internap s approach, companies can enjoy economical, yet more comprehensive protection from DDoS attacks.

Page 8 Appendix A Below are several diagrams related to the Internap solution designed for the purpose of understanding the network configuration, bandwidth allocation and an example of a typical customer configuration. Internap Network Configuration Powered by Prolexic

Page 9 Customer Configuration Example: The following is a typical NAP configuration at the Miami NAP, this is mirrored from multiple locations, including Phoenix and London. In Q2 2007 the Hong Kong and New York locations will be coming on online providing additional capacity, redundancy and improved performance to support the growing needs of Internap s worldwide customers. 2007 Corporation. All rights reserved. Internap and P-NAP are registered trademarks of Internap. All other trademarks are the property of their respective owners. Unauthorized reproduction, display or distribution of this document is strictly prohibited. 02/07

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information