SecurityDAM On-demand, Cloud-based DDoS Mitigation
Table of contents

  Introduction ... 3
  Why premise-based DDoS solutions are lacking ... 3
  The problem with ISP-based DDoS solutions ... 4
  On-demand cloud DDoS mitigation ... 4
  SecurityDAM solution architecture ... 5
  Attack Mitigation - Step by Step ... 6
  SecurityDAM vs. traditional solutions ... 7
  About SecurityDAM ... 8

2013 SecurityDAM Ltd. All Rights Reserved. www.securitydam.com +972 3 765-9894 #210001-0413
Introduction

In recent years Distributed Denial of Service (DDoS) attacks have become a mainstream threat to businesses, government agencies and critical infrastructure worldwide, and they have grown in complexity, volume and sophistication. 65 percent of IT security practitioners surveyed recently reported experiencing an average of three DDoS attacks in the past 12 months [i]. With an average downtime of 54 minutes per attack and a cost of as much as $100,000 per minute, one would expect organizations to have put preventative measures in place to protect their networks and business. This is far from being the case. Many organizations still employ no DDoS protection at all. Others rely on ISP solutions or on on-premises equipment, which at best deflects a single type of attack; such solutions fail to provide adequate protection against multi-level attacks, and the teams running them lack the expertise to handle new attack types. To ensure business continuity and provide solid DDoS protection, a different, multi-layer approach is needed.

Why premise-based DDoS solutions are lacking

Distributed Denial of Service attacks can be broadly categorized into two types:

Network (volumetric) attacks flood the victim with a high volume of packets or IP flows, exhausting network equipment and bandwidth. Examples include SYN floods (high packet-per-second attacks), large UDP packet floods (bandwidth attacks) and ICMP floods.

Application attacks, also known as low and slow attacks, target the application itself, exploiting implementation weaknesses and design flaws. The requests come from real IP addresses and machines and are well-formed, so to a network-level filter they look like legitimate use. Examples include HTTP GET or POST floods, DNS floods and SSL floods.

Does Size Matter? When evaluating DDoS attacks, a common misconception is that the bigger the attack, the more severe it is.
However, smaller, less intensive attacks can still cause serious damage. For example, a much smaller HTTP flood at the application level may do more damage than a larger UDP flood on the network. What type and size of attack should an organization expect? Unfortunately there is no clear answer: DDoS attacks are so diverse in both type and size that no accurate prediction is possible.

Typically, on-premises solutions are based on security systems such as firewalls. While such systems may offer a DDoS mitigation feature, they do not constitute a true DDoS mitigation solution, since critical functionality is lacking. But the primary shortcoming of on-premises solutions is their inability to protect against volumetric attacks. Such attacks completely saturate the link into the organizational network, so nothing deployed behind that link can mitigate them: by the time the traffic reaches the on-premises device, the bandwidth is already gone. Another challenge is the ongoing investment required to keep up with increasingly dynamic and polymorphic DDoS threats. In most cases an internal IT/security group cannot afford the time and resources needed to develop the required expertise.

SecurityDAM On-demand Cloud-based DDoS Mitigation 3

The problem with ISP-based DDoS solutions

While convenient, stopping DDoS attacks at the ISP level has many drawbacks. First, there is the issue of traffic volume. Using an always-on, shared approach, an ISP must handle the traffic of all its protected customers, and during a DDoS attack on a single customer the same equipment must absorb the drastically increased traffic without affecting the others. The result is often that the ISP simply cannot handle the attack. With the need to protect multiple customers while avoiding false positives, ISPs have been known to soften their policies and relax thresholds; consequently, too much attack traffic may be passed through. A further gap concerns application-level attacks: ISPs have very limited capability against them, since from the ISP's point of view the harmful traffic looks identical to legitimate user traffic. Specific DDoS expertise is another issue. ISPs usually rely on equipment vendors and lack the expertise to respond quickly to new types of attack and add new attack signatures. Finally, there is cost. If an organization is connected through several ISPs, DDoS protection has to be purchased from each of them.

Mitigating multi-vector attacks therefore requires a layered defense with more than one security technology in place, and specific expertise that is developed and upgraded on an ongoing basis.
On-demand cloud DDoS mitigation

SecurityDAM takes a different approach. Using a two-tier defense architecture, the solution employs two protection layers, one placed at the network perimeter of the customer's site and the other in the cloud. The two layers support and complement each other, ensuring early detection and mitigation of all attack types with minimum disruption to network and business operations. The service is backed by a dedicated, 24/7 DDoS emergency response team ready to tackle any attack, known or new.
SecurityDAM solution architecture

The SecurityDAM solution is composed of the following main components:

CPE (Customer-premises equipment) is a detection and signaling device placed at the edge of the customer's data center. Constantly monitoring network traffic, the CPE learns the traffic patterns to establish a normal-behavior baseline. It detects anomalies and DDoS attacks early on and alerts the SecurityDAM Operation Center to initiate the mitigation process. The device independently detects and mitigates low and slow application-level attacks using technologies such as Network Behavioral Analysis (NBA) and Deep Packet Inspection (DPI).

SecurityDAM Operation Center (SOC, also written SDOC) is a cloud-based scrubbing center, staffed by an emergency response team to ensure the fastest analysis and resolution of new attack types. When the network is under a volumetric DDoS attack, traffic is redirected to the scrubbing center for mitigation. After filtering, clean traffic is passed back to its original destination. Attack data is collected and stored, enabling real-time monitoring and historical reporting.

SDCC (SecurityDAM Control Center) is a management platform providing configuration, provisioning and accounting functions and enabling real-time monitoring and analysis of traffic during attacks.

Customer's Self-provisioning Portal is a web-based portal that provides real-time insight into events, attack characteristics, post-attack reports and statistics.

Figure 1 - SecurityDAM's Portal
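The division of labour between the CPE and the scrubbing center described above, as an added example that is not SecurityDAM's code: a baseline is learned from normal traffic intervals, each new interval is classified as normal, a volumetric flood (signal the SOC and divert) or an application-level flood (filter at the CPE), and the mitigation state is only cleared after several consecutive clean intervals. The five metrics, the 4-sigma threshold, the 1 Gbit/s link capacity and every sample value are constructed assumptions, not measurements from the page.

```python
"""Baseline-and-deviation detection in the spirit of the CPE described above.

Added example, not SecurityDAM code. Metric names, thresholds, the link
capacity and all sample values are constructed assumptions.
"""
from dataclasses import dataclass, fields
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One measurement interval as the edge device would see it."""
    pps: float            # inbound packets per second
    mbps: float           # inbound bandwidth, Mbit/s
    syn_ratio: float      # share of inbound TCP packets that are bare SYNs
    http_rps: float       # HTTP requests per second (needs DPI to count)
    top_src_share: float  # share of HTTP requests from the busiest source IP


class Baseline:
    """Per-metric limit = mean + k * stddev of the learning set."""

    def __init__(self, k: float = 4.0) -> None:
        self.k = k
        self.limits: dict[str, float] = {}

    def learn(self, samples: list[Sample]) -> None:
        for f in fields(Sample):
            values = [getattr(s, f.name) for s in samples]
            mu, sd = mean(values), pstdev(values)
            # Floor the deviation so a very flat learning set does not turn
            # ordinary fluctuation into an alert.
            self.limits[f.name] = mu + self.k * max(sd, 0.05 * mu)

    def exceeds(self, s: Sample, metric: str) -> bool:
        return getattr(s, metric) > self.limits[metric]


def classify(b: Baseline, s: Sample, link_mbps: float) -> tuple[str, str]:
    """Return (verdict, reason). Volumetric checks come first: once the pipe
    is filling, application-layer counters are meaningless because requests
    simply stop arriving."""
    if b.exceeds(s, "pps") and b.exceeds(s, "syn_ratio"):
        return "volumetric", f"SYN flood: {s.pps:.0f} pps, {s.syn_ratio:.0%} bare SYNs"
    if s.mbps >= 0.8 * link_mbps or b.exceeds(s, "mbps"):
        return "volumetric", f"bandwidth flood: {s.mbps:.0f} Mbit/s on a {link_mbps:.0f} Mbit/s link"
    if b.exceeds(s, "http_rps") or b.exceeds(s, "top_src_share"):
        return "application", f"HTTP flood: {s.http_rps:.0f} req/s, top source {s.top_src_share:.0%}"
    return "normal", ""


END = {"diverted": "withdraw diversion", "local_mitigation": "lift CPE filters"}


class Responder:
    """Tracks mitigation state; an attack counts as over only after
    `clear_after` consecutive clean intervals, so one quiet second does not
    un-divert in the middle of a pulsing attack."""

    def __init__(self, b: Baseline, link_mbps: float, clear_after: int = 3) -> None:
        self.b, self.link_mbps, self.clear_after = b, link_mbps, clear_after
        self.state, self.quiet = "normal", 0

    def step(self, s: Sample) -> str:
        verdict, reason = classify(self.b, s, self.link_mbps)
        if verdict == "volumetric":
            self.state, self.quiet = "diverted", 0
            return f"signal SOC, divert to scrubbing center ({reason})"
        if verdict == "application":
            self.quiet = 0
            if self.state == "normal":
                self.state = "local_mitigation"
            return f"rate-limit/block at CPE ({reason})"
        self.quiet += 1
        if self.state == "normal":
            return "no action"
        if self.quiet < self.clear_after:
            return f"clean interval {self.quiet}/{self.clear_after}, keep {self.state}"
        prev, self.state = self.state, "normal"
        return f"attack over: {END[prev]}, resume normal operation"


# Constructed 'normal' intervals used to learn the baseline.
NORMAL = [
    Sample(18_000, 140, 0.020, 700, 0.02),
    Sample(20_000, 150, 0.025, 800, 0.03),
    Sample(22_000, 160, 0.015, 900, 0.04),
    Sample(19_000, 145, 0.020, 750, 0.03),
    Sample(21_000, 155, 0.020, 850, 0.03),
]

# Constructed attack and recovery intervals, in order.
TIMELINE = [
    Sample(21_000, 152, 0.021, 820, 0.03),     # quiet
    Sample(24_000, 170, 0.025, 6_000, 0.40),   # HTTP GET flood from a few sources
    Sample(900_000, 430, 0.950, 780, 0.03),    # SYN flood: pps and SYN share explode
    Sample(150_000, 1_400, 0.020, 300, 0.03),  # UDP flood exceeding the 1 Gbit/s link
    Sample(21_500, 150, 0.020, 810, 0.03),     # scrubbed: only clean traffic arrives
    Sample(20_500, 148, 0.019, 790, 0.03),
    Sample(21_000, 151, 0.021, 800, 0.03),     # third clean interval: un-divert
]


def run(link_mbps: float = 1_000) -> list[str]:
    """Learn the baseline, then replay the timeline and return each action."""
    b = Baseline()
    b.learn(NORMAL)
    r = Responder(b, link_mbps)
    return [r.step(s) for s in TIMELINE]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The HTTP flood in the second interval barely moves packet and bandwidth counters, which is exactly why the page says a small application-level attack can be missed by network-level thresholds; only the DPI-derived request rate and per-source concentration give it away.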
Attack Mitigation - Step by Step

During a DDoS attack, SecurityDAM employs its two-layered defense system and context-aware approach to optimize the response and return the network to normal as quickly as possible.

1- Detection & application attack prevention. The CPE at the customer's network constantly monitors traffic and establishes a normal-behavior baseline for the network. Deviations from this baseline are identified as DDoS attacks; low and slow application-level attacks are blocked by the CPE itself and reported to the Operation Center for tracking.

Figure 2 - Employing a two-tier defense architecture provides maximum protection for both volumetric network attacks and application low and slow attacks.

2- Traffic redirection. When the CPE detects a volumetric network flood that it cannot handle, it automatically alerts the SecurityDAM Operation Center (SOC) with the threat details. All network traffic is then diverted to the scrubbing center, either automatically or following analysis and a joint decision by the SecurityDAM emergency response team and the customer. Diversion is carried out via BGP (for customers that run their own autonomous system: the scrubbing center announces the customer's prefix, so the Internet routes that prefix's traffic to the scrubbing center instead of to the customer) or via a DNS change (for other networks: the protected hostnames are pointed at the scrubbing center). Two checks matter in practice. With BGP, the diverted prefix must be one the scrubbing center can announce to the global routing table, which in practice means a /24 or shorter. With DNS, only traffic that resolves the name is diverted, so the origin's real IP address must be restricted to accept traffic from the scrubbing center only, or an attacker who knows that address simply bypasses the diversion. An optional FastLane service provides granular mitigation so that during network attacks, traffic from pre-defined trusted sources is never blocked; such traffic is routed to dedicated servers to ensure uninterrupted business continuity.
3- Traffic cleansing. Incoming traffic (including SSL flows where relevant; scrubbing those at the application layer requires the scrubbing center to hold the site's certificate and key, otherwise inspection is limited to connection-level behavior) is scrubbed of illegitimate flows and packets. The process is analyzed by SecurityDAM security experts, who may also update security signatures if needed. Legitimate traffic is channeled back to the attacked site via a GRE tunnel. Because the tunnel adds an outer IP and GRE header, the return path has a smaller MTU than the original link, and the customer's tunnel endpoint must be an address outside the diverted prefix so that the tunnel traffic itself is not diverted.

4- Return to normal operation. Once the security experts conclude that the attack has ended, the diversion is withdrawn and traffic returns to its normal routing.

5- Reporting. Data collected throughout the process makes statistics on the attack type, duration and so on available through the customer's portal.

SecurityDAM vs. traditional solutions

Network-level attacks
  On-premises solutions: Solutions deployed within the organization's network perimeter cannot protect the Internet pipe from saturation, and therefore fail.
  ISP-based solutions: An ISP must be able to handle massive network attacks and keep the pipe open for multiple clients.
  SecurityDAM: The cloud-based scrubbing center mitigates volumetric DDoS network attacks.

Application-level attacks
  On-premises solutions: Standard security systems may fail to recognize application-level attacks.
  ISP-based solutions: From an ISP's point of view, harmful traffic looks identical to legitimate user traffic, preventing identification of attacks.
  SecurityDAM: The CPE device identifies and deflects application-level attacks.

Cost
  On-premises solutions: Capital investment required in dedicated DDoS mitigation equipment.
  ISP-based solutions: High ongoing payments, without assurance of adequate protection during an attack.
  SecurityDAM: Managed service with zero up-front investment.

Coverage and response time to DDoS attacks
  On-premises solutions: Long update cycles with no emergency mechanism to handle new attack types.
  ISP-based solutions: Reliance on third-party equipment without the expertise for real-time deep analysis and updates.
  SecurityDAM: 24/7 dedicated team of DDoS security experts, providing real-time response and dynamic updates during attacks, using up-to-date mitigation equipment.

Ongoing DDoS protection
  On-premises solutions: Continuous investment in resources and education is required to keep up with technology and DDoS attack advances.
  ISP-based solutions: An ISP's core business is providing Internet connectivity; it cannot be expected to focus on DDoS innovation.
  SecurityDAM: A dedicated security expert team 100% focused on DDoS attacks and always up to date with the latest developments in attacks and mitigation.
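The BGP diversion of step 2 and the GRE return path of step 3, as an added example that is not SecurityDAM's code: a minimal longest-prefix-match routing table shows how the scrubbing center's announcement attracts traffic for the attacked /24 only, the /24 propagation limit and the "tunnel endpoint outside the diverted prefix" check are enforced, and the GRE tunnel MTU and TCP MSS clamp for the clean-traffic path are computed. The prefixes (RFC 5737 documentation ranges), the ASNs (private range), the tunnel endpoint and the 1500-byte outer MTU are all assumptions chosen for the illustration.

```python
"""Diversion-path checks for the BGP announcement and GRE return path.

Added example, not SecurityDAM code. Every prefix, ASN and size is an
assumption chosen for the illustration.
"""
import ipaddress
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


class Rib:
    """Minimal routing table: prefix -> origin AS, longest prefix wins."""

    def __init__(self) -> None:
        self.routes: dict[IPNet, int] = {}

    def announce(self, prefix: str, origin_as: int) -> None:
        net = IPNet(prefix)
        # Transit networks generally drop announcements longer than /24, so a
        # diversion that needed a /25 would never reach the rest of the world.
        if net.prefixlen > 24:
            raise ValueError(f"{net} is longer than /24 and will not propagate")
        self.routes[net] = origin_as

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(IPNet(prefix), None)

    def lookup(self, addr: str) -> Optional[int]:
        ip = IPAddr(addr)
        best: Optional[IPNet] = None
        for net in self.routes:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self.routes[best] if best is not None else None


def diversion_prefixes(assignment: str, attacked_hosts: list[str]) -> list[str]:
    """The /24s inside the customer's assignment that cover the attacked hosts.

    Only those are announced from the scrubbing center; the rest of the
    assignment keeps its direct path. An assignment smaller than a /24 cannot
    be diverted this way at all, which is when DNS redirection is the option.
    """
    block = IPNet(assignment)
    if block.prefixlen > 24:
        raise ValueError(f"{block} cannot be diverted by BGP; use DNS redirection")
    wanted = set()
    for host in attacked_hosts:
        if IPAddr(host) not in block:
            raise ValueError(f"{host} is not inside {block}")
        wanted.add(IPNet(f"{host}/24", strict=False))
    return [str(n) for n in sorted(wanted)]


def gre_return_path(outer_mtu: int, tunnel_endpoint: str, diverted: list[str]) -> dict[str, int]:
    """Parameters for the clean-traffic GRE tunnel back to the customer.

    The customer's tunnel endpoint must sit outside every diverted prefix:
    if it were inside, the scrubber's encapsulated packets would follow the
    diversion straight back to the scrubber instead of reaching the customer.
    """
    ep = IPAddr(tunnel_endpoint)
    for p in diverted:
        if ep in IPNet(p):
            raise ValueError(f"GRE endpoint {ep} is inside diverted prefix {p}")
    tunnel_mtu = outer_mtu - 20 - 4  # outer IPv4 header (20) + GRE header (4, no key/seq)
    return {"tunnel_mtu": tunnel_mtu, "tcp_mss_clamp": tunnel_mtu - 20 - 20}  # minus inner IPv4 + TCP


CUSTOMER_AS, SCRUBBER_AS = 64500, 64501  # assumed private ASNs


def simulate() -> dict[str, object]:
    """Walk one diversion: normal routing, attack on the web block, return."""
    rib = Rib()
    rib.announce("203.0.112.0/22", CUSTOMER_AS)  # customer's normal announcement via its ISP
    before = rib.lookup("203.0.113.10")

    # Attack on the web front ends in 203.0.113.0/24: divert that /24 only.
    diverted = diversion_prefixes("203.0.112.0/22", ["203.0.113.10", "203.0.113.20"])
    for p in diverted:
        rib.announce(p, SCRUBBER_AS)
    during = rib.lookup("203.0.113.10")
    untouched = rib.lookup("203.0.112.5")  # another block in the same /22 keeps its direct path

    # Clean traffic returns over GRE to a router address outside the diverted /24.
    tunnel = gre_return_path(1500, "198.51.100.7", diverted)

    # Attack over: withdraw the more-specific, traffic follows the /22 again.
    for p in diverted:
        rib.withdraw(p)
    after = rib.lookup("203.0.113.10")
    return {"diverted": diverted, "before": before, "during": during,
            "untouched": untouched, "after": after, **tunnel}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The MSS clamp is what keeps TCP sessions from stalling once their return path is tunneled: without it, full-size segments from the customer's servers exceed the 1476-byte tunnel MTU and are either fragmented or, with DF set, silently dropped.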
About SecurityDAM

SecurityDAM provides world-class MSSP cloud-based solutions mitigating Distributed Denial of Service (DDoS) attacks on enterprise networks. Founded by a team of security experts, SecurityDAM is a member of the RAD group. For more information, see www.securitydam.com.

[i] Cyber Security on the Offense: A Study of IT Security Experts, Ponemon Institute and Radware, November 2012.