1y ago
690.17 KB
6 Pages
Last View : 24d ago
Last Download : 6m ago
Upload by : Milena Petrie

INTRODUCTIONDistributed Denial of Service (DDoS) attacksare some of the oldest of Internet threats.Despite that, due their simplicity andeffectiveness, they continue to be a top riskfor public services around the world. Asprotections have evolved, the technologyused by hackers has adapted and becomemuch more sophisticated. New attacktypes now target applications and services,and not only are bulk layer 3 and 4 DDoSevents becoming more sophisticated butmany times they are masked in apparentlylegitimate traffic, or combined in unique new“zero-day” attacks, making it very difficult todetect them.methods of attack detection built oncustomized hardware vs. signature basedmethods built on standard CPU/RAMarchitectures.WHAT IS A DDOS ATTACK?ROUTERNo matter how simple or complex,DDoS attacks are aimed at exhaustingthe resources available to a network,application, or service so that legitimateusers are denied access. These attacksusually are originated by a group of clientcomputers that are either hijacked withmalware or are volunteered by their owners.TYPES OF DDOS ATTACKSnnCommonDDoS Attacks: There aremany kinds of attacks that are widelyused today including older methods fromthe early days of the Internet to the latestadvanced layer 7 attacks that targetapplication services. SYN flood and HTTPGET floods are the most common and areused to overwhelm network connectionsor overload the servers behind firewallsand intrusion protection services (IPS).This whitepaper discusses some of thetechnologies used traditionally to detect andmitigate DDoS attacks, how they evolved,and why the state-of-the-art technologymust rely on Application Specific IntegratedCircuits (ASICs), inline symmetric orasymmetric deployments, a wide-spectrumof analysis methods covering from layer 2(data-link layer) to layer 7 (application layer)of the OSI model, and why this must bedone with high-performance, hardwarebased architectures.As part of the discussion we will explainsome features and benefits of the FortinetFortiDDoS approach, the differencescompared to conventional devices basedsolely on stateful or stateless inspection,and the advantages of behavior-basedWHITE PAPER

WHITE PAPER: DDOS ATTACK MITIGATION TECHNOLOGIES DEMYSTIFIEDFIGURE 2: ATTACKS UTILIZING LOW BANDWIDTH TO EVADE DETECTIONnnAdvancedApplication layer DDoSAttacks: Application layer attacks usefar more sophisticated mechanisms toattack your network and services. Ratherthan simply flooding a network withtraffic or sessions, these attack typestarget specific applications and servicesto slowly exhaust resources at theapplication layer (layer 7).nnApplication-layerattacks can be veryeffective at low traffic rates, and the trafficinvolved in the attacks can be legitimatefrom a protocol perspective. This makesapplication-layer attacks harder to detectthan other DDoS attack types. HTTPFlood, DNS dictionary, Slowloris, etc., areexamples of application-layer attacks.DDOS ATTACK MITIGATIONPLATFORMSJust as attacks were adapting to the newreality, DDoS defenses were adapting too,and evolved from being an integral part ofexisting protection technologies such asfirewalls and IPSs to independent devices.FIREWALL / IPS DDOS PREVENTIONFirewalls were the first choke-point devicesused to separate trusted from untrustednetworks. Then intrusion detection systems(IDS) and intrusion prevention systems (IPS)followed. It was natural that the most basicDenial-of-Service attacks were an integratedprotection on such devices.Conventional firewalls (packet filters,proxies, or stateful-inspection firewalls) lookinto packet headers to identify if there is arule allowing traffic from a given source toa given destination. They drop connectionattempts from a not allowed source or to aforbidden destination. Firewalls are able toobserve if a session has been establishedor not by the peers (client and server) tryingto establish a conversation (a connection).Once a session has been established, afirewall device keeps state of all connectionsallowed by its security policy, even forstateless protocols such as UDP or ICMP,and it does so from when the connectionbegins until the connection ends. Thisinformation is held on session tables, andin order to keep track of connections, eventhose that have not been completed yethave to be stored on the session table,because it is necessary for the firewall todetermine if the next packet is valid or not.But the nature of this operation makes afirewall vulnerable to attack. The numberof connections on the session table has alimit, and once the limit has been reachedthe firewall comes to a state where itcannot take any additional connections.Also, since it needs to observe the sessioncompletely, a firewall device cannot work onan asymmetric-routing scenario where onlyincoming or outgoing traffic is seen.Almost every modern firewall and intrusionprevention system (IPS) claims somelevel of DDoS defense. Some UnifiedThreat Management (UTM) devices ornext-generation firewalls (NGFWs) offeranti-DDoS services and can mitigatemany DDoS attacks. Having one devicefor firewall, IPS, and DDoS is easier tomanage and less complex to deploy, but asingle device to do all the protection mightbe easily overwhelmed with volumetricDDoS attacks. Besides, resource-intensiveprotection necessary to detect and defendagainst sophisticated layer 7 detectionmechanisms cannot typically be done ona firewall or IPS device, especially if it lacksthe power of a dedicated processor orASIC. Another trade-off is that enablingDDoS protections on the firewall or IPS mayimpact the overall performance of a singledevice, resulting in reduced throughputsand increased latency for end users. Dueto this, enabling anti-DDoS mechanisms onfirewall or IPS devices should be done withcare and deployment of dedicated antiDDoS protections in addition to the firewallor IPS is recommended in highly criticalenvironments.DEDICATED SOFTWARE-BASEDPLATFORMSOnce technology vendors and securityofficers realized it was difficult to leave antiDDoS protection to existing devices, somesoftware-based products were launched.The idea was to pack a hardened operatingsystem with additional programmedintelligence on software that could beinstalled on general-purpose servers. If youneeded more performance, you only had toadd more memory and CPU and you hadit, until it reached the limits of the hardwarearchitecture.These solutions were typically based onsignatures, meaning they were trying tounderstand patterns on how malicioustraffic behaved. On this approach, a groupof researchers would observe a new attack,analyze it and once it was understood, theywould develop a pattern or signature ofthe attack, so the next time traffic with the2

WHITE PAPER: DDOS ATTACK MITIGATION TECHNOLOGIES DEMYSTIFIEDcharacteristics of the attack was seen, anaction would be triggered. This was verysimilar to how IPS systems operated withthe difference that they were optimizedto catch DoS and DDoS attacks and notnecessarily exploits, worms, bots, or othermalware traversing the network.This approach was not effective to mitigatezero-day attacks, which are commonly usedfor DDoS attacks. And this is because todetect an attack, somebody has to analyzeit first in order to produce a signature.The second problem with this software andgeneric platform approach, according tothe IDC Report, DDoS Prevention: Time for“Defense in Depth,” published April 2014,is that anti-DDoS software-based platformscan become overwhelmed by traffic volumeand lead to false positives. And:“Signature-based defenses are strongat detecting known attack methodsquickly and efficiently. They are able torun inline and immediately detect anddrop or clean malicious traffic when anattack starts. However, when a newattack method arises, or an attackuses legitimate traffic for maliciouspurposes, signature-based defensesmay not detect the attack. Behaviorbased solutions solve this problem bydigging deeper into the types of trafficand how resources react to requestsand correlating with threat intelligencefeeds and other sources to determine iftraffic is malicious or not, regardless ofwhether it appears legitimate or is theresult of a zero-day exploit”HARDWARE-BASED SOLUTIONSTo solve the DDoS puzzle there are somekey issues:1) Price-Performance: The anti-DDoSsolution cannot be the bottleneck on anetwork. It must have sufficient resources,at acceptable cost, to monitor 100% ofthe packets traversing the Internet link atline rate. Sampling packets, as severalcompetitors with weaker hardware mustdo, can allow clever attacks to bypass theanti-DDoS device. It also must process allof the connection context information asfast as possible to minimize in-line latency.This means it has to correlate the currentpacket with packets that came from thesame source, went to the same destination,and infer if packets that have similar (notnecessarily the same) characteristics couldbe part of malicious behavior.2) Wide-spectrum Analysis: DDoSattacks are complex. You can havethousands of connection attempts trying toreach the same target. That is a volumetricattack, which is (relatively) easy to detect.However, if a relatively small group ofvalid (from the protocol standpoint) HTTPconnections that are already established aretrying to read the same image file severaltimes or read non-existent pages (an HTTPURL Get Flood), that might require morecomputing resources, more analytics, anda different approach. So, using techniquesfrom keeping counters or state tables(stateful awareness, not to be confusedwith stateful inspection) or having inferencemachines to correlate traffic that has thepossibility of becoming offensive at somepoint, is important.3) Secure: the anti-DDoS device must bebuilt in such a way that is not only invisibleto the protected network, but the possibilityof overwhelming it (that is, exhausting itsresources) does not exist. If an attacker cansomehow saturate the resources of youranti-DDoS device, he has succeeded in hisDDoS attack.Due the points above, it became criticalto have solutions that could offer highperformance, wide and deep analysiscapabilities, and the ability to operate withlow to zero risk of being a DDoS target. Thisis why hardware-based solutions came intothe market.FORTIDDOSPowered by Application Specific IntegratedCircuit Traffic Processors (FortiASIC-TP2)the FortiDDoS family of purpose-builtnetwork appliances provides effective, fastprotection against DDoS attacks. FortiDDoShelps to protect Internet infrastructure fromthreats and service disruptions by surgicallyremoving network and application layerDDoS attacks, while letting legitimate trafficflow without being impacted.FortiDDoS uses a 100% adaptive behaviorbased method to identify threats. It learnsbaselines of normal application activityand then compares traffic against thosebaselines while automatically adapting tonormal traffic growth. Should an attackbegin, FortiDDoS will see this as an anomalyand immediately take action in real time tomitigate it, usually in less than two seconds.Users are protected from known attacksand from unknown zero-day attacks,as FortiDDoS doesn’t need to wait for asignature file to be updated.Fortinet is the only company to use a100% custom ASIC approach to its DDoSproducts, which allows massively parallelprocessing of 1000’s of traffic parametersat significantly lower cost and energyrequirements of traditional CPU or CPU/ASIC hybrid based systems. The secondgeneration FortiASIC-TP2 traffic processorprovides detection and mitigation of alllayers 3, 4, and 7 DDoS attacks for bothinbound and outbound traffic.Unmatched Performance: Usingbehavior-based detection and ASICDDoS processors, FortiDDoS detects andmitigates more DDoS threats, includingsophisticated low-volume application layerattacks. It also detects anomolies fasterthan any other solution available on themarket today.Lowest Latency: It’s single-pass, hardwarebased DDoS detection and mitigation enginecreates less than 50 microseconds of latencyin the data stream - almost 40% lower thancompetitive products.3

WHITE PAPER: DDOS ATTACK MITIGATION TECHNOLOGIES DEMYSTIFIEDNetwork Virtualization: FortiDDoSsupports different Service Protection Profilesto discretely apply different protectionpolicies to individual servers or subnetworks providing granular protection toyour network. An attack on one protectednetwork segment does not impactother segments. This feature is not onlybeneficial in supporting multiple layers ofdefense but also is a cost containmentand administration-friendly feature fororganizations that have multiple businessentities to protect, and that need uniquepolicies for each.Virtual policy instances can also beeffectively used in defense escalation.Rather than having a single set of policies,multiple sets can be defined in advance,such that the organization can automaticallyapply a more stringent set of policies if anattack escalates above customer-definedthresholds.Multi-Attack ProtectionBy understanding behaviors FortiDDoS candetect any DDoS attack from basic BulkVolumetric to sophisticated layer 7 SSLbased attacks without the need to decrypttraffic.SOFTWARE-BASED VS HARDWAREBASED DDOS MITIGATION – ANEXAMPLEFigure 3 - Signature Based: Attackstake up to 120 seconds to match againstsignature profiles. All traffic is blocked for the duration ofthe attack, including “good” traffic fromlegitimate users. False positives must wait until systemperceives attack has stopped.FORTIDDOS KEY FEATURES ANDBENEFITS100% BehavioralFortiDDoS doesn’t rely on signature files thatneed to be updated with the latest threatsso you’re protected from both known andunknown (zero-day) attacks.100% HardwareThe FortiASIC-TP2 transaction processorprovides full bi-directional detection andmitigation of layer 2, 3, and 7 DDoS attacksfor industry-leading performance.Continuous Attack EvaluationMinimizes the risk of “false positive”detection by re-evaluating the attack toensure that “good” traffic isn’t disrupted.Congestion ResistantFortiDDoS won’t easily be overwhelmedand succumb to a DDoS threat, with highthroughput rates and full line rate detectionand mitigation.Automated LearningWith minimal configuration, FortiDDoSwill automatically build normal traffic andresources behavior profiles saving you timeand IT management resources.Today even inexpensive hardware routersclaim they have some sort of protectionagainst DDoS attacks because they arestateful inspection firewalls. Let’s clarify thismatter.Dynamic packet filtering, dynamic filtering,stateful connection analysis, statefulflow analysis, stateful analysis, statefulinspection, stateful packet inspection are allterms that refer to methods that maintainstate information for a connection in orderto be able to protect it. The idea behind thisis to observe the packets that belong toconnection from when it begins until it ends,and analyze it while the connection changesfrom state to state, allowing potentialanalysis of deeper protocol information, notonly based on the headers of TCP packetsbut also analyzing upper-layer protocols.Connections areimportant forcommunicationbecause they providea reliable way totransmit data, allowingthe devices involvedto know if there wasan error in the pathbetween the twoendpoints involved inthe connection. Thestate of a connectionis defined by a statetable (a portion ofFigure 4 - FortiDDoSBehavior-Based: Attackis identified and mitigatedin less than 30 seconds. Traffic is slowed, but still“good” traffic is permitted. Repeated attackreevaluation minimizesrisk of false positives. IP Reputation blacklistsoffending IP addresses.ADVANTAGES OFUSING FORTIDDOSOVER A TYPICALFIREWALL DEVICE4

WHITE PAPER: DDOS ATTACK MITIGATION TECHNOLOGIES DEMYSTIFIEDmemory where each connection is recordeddropped - affecting good traffic as well assand signatures is built on detecting aalong with its source-destination informationbad, or rate-limit the arrival of all ACK/RST/pattern in the flow of traffic, reading fromand current state) and is analyzed by aFIN packets also affecting all users. Neitherthe packet payloads on single connections,state engine (an engine that defines theof these options is very attractive for thewhich is good for slow attacks from singlevalid states and the correct transition fromcustomer and most competitors do notsources. Detection of most DDoS attacksstate to state) that resides on the operatingattempt to stop ACK, RST, or FIN Floods fordoesn’t come from analyzing a single flowsystems of the client and the server as wellthat reason - a gap in the defense coverage.of traffic but from analyzing things like howas some intermediate devices, like firewalls.FortiDDoS does not expose its own IPmany times, from how many sources, aThere are messages that are used toestablish a connection, which have certainorder and characteristics. There are attacks(both DDoS and non-DDoS) that can beimplemented against the state engines andstate tables of operating systems. Networksecurity devices that are aimed at protectingsuch clients and servers need to be awareof the states of a connection in order toproperly defend it. An anti-DDoS productwould be incomplete if contained nomechanism to properly analyze connectionstates, analyze the application-informationof a connection, and/or defend againstaddress to the data stream so it cannotbe attacked directly. FortiDDoS goes togreat lengths to ensure that both memoryand real-time resources cannot beoverwhelmed by the data rate, packet rate,or number of sources used in attacks. Itscertain resource (a file for example) hasbeen requested from a web server. Thereis a pattern here, but you don’t see that aspart of some text or code traveling withina packet. Patterns are seen across time,many thousands of sources, and manydata throughput and packet processingdestinations.rates (with 100% sampling of packets)Typical IPSs run their protections onare industry leading. For example a SYNstandard CPUs, not custom processors.attack over 10 GbE internet connectionThey are designed to deeply inspect thecan theoretically generate about 16 millionstandard flow of traffic, not the excessivepackets-per-second (16 Mpps) throughtraffic generated by DDoS attacks.the link. FortiDDoS can 100% sample upto 24 Mpps. A “leading” stateless vendor’sCONCLUSIONSflagship product can only manageA behavior-based, dedicated custom-8.6 Mpps-11.4Mpps, according to its publicprocessor product is the most viabledocumentation - not enough to fully protectsolution for anti-DDoS protection dueFortiDDoS is not a stateful device, buta 10 GbE its inherent strengths in performanceimplements analysis that uses statefulHowever, since some customers believe(high throughput, high packet processing,that state awareness is risky in certain100% sampling and low latency), reliability,environments, this stateful analysis can bemassively parallel analysis capabilities, anddisabled via configuration in FortiDDoS.self-security. anti-DDoS protection is aattacks against the state tables resident indownstream firewall and server operatingsystems.techniques to better protect against specificDDoS attacks. To protect against certainattacks FortiDDoS needs to understand thestate of a connection, and for that it needsto be able to understand, analyze, andstore state information. This is what allowsADVANTAGES OF USING FORTIDDOSAND OVER A TYPICAL IPS DEVICEFortiDDoS to protect against attacks usingTypical IPS devices also claim some anti-anomalies such as TCP state violations,DDoS protection. While it is true they canOut-of-TCP-Window Packets and state(and do) incorporate some basic protection,transition anomalies. For example a wholethe majority of current IPS products evolvedclass of DDoS attacks will use ACK, RST,from software-based solutions that wereand FIN packets which are connection-signature-based. Their strengths cameending signaling packets when nofrom having a large group of analysts (eitherconnection was ever active. Knowing thattheir own, third-party or community-based)there is no connection allows FortiDDoS todiscovering new attacks, programmingreject these packets instantly as “foreignsignatures to detect them, and providingpackets,” so they have zero impact on thethose signatures to their customer bases.users or servers. Without the connectionSignature-based solutions don’t do aknowledge there are only two options todetect these as anomalies - set an arrivalrate threshold above which all packets arecomplete job when it comes to anti-DDoSprotection. The logic behind their engines“big data” problem requiring knowledge ofmillions of source IPs and the packets theyare sending, which needs massively parallelcomputations to sort the good data fromthe attack data in real time. Standard CPU/RAM architectures do not perform as wellby a factor of three or more.“. behavior-based solutions [are] moreviable and, in many cases, a more desirableoption.” says IDC’s John Grady in his April2014 report DDoS Prevention: Time for“Defense in Depth.”A hardware-based DDoS appliance canbe a predictable cost-effective solutionthat provides full layer 3, 4, and 7 DDoSprotection for your data center for bothvolumetric and “slow” attacks.5

WHITE PAPER: DDOS ATTACK MITIGATION TECHNOLOGIES DEMYSTIFIEDFortiDDoS offers advanced performance,and 100% behavior-based detectionthat eliminates the need for signatureupdates.Behavioral-based adaptive methodologiesand dedicated hardware-based ASICs usedby FortiDDoS outperform DDoS appliancesthat rely primarily on signature matching andCPU/RAM or CPU/ASIC combinations toprotect against DDoS attacks.GLOBAL HEADQUARTERSFortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: OFFICE13450 W. Sunrise Blvd.Suite 430Sunrise, FL 33323United StatesTel: 1.954.368.9990EMEA SALES OFFICE905 rue Albert Einstein06560 ValbonneFranceTel: 33.4.8987.0500APAC SALES OFFICE300 Beach Road 20-01The ConcourseSingapore 199555Tel: 65.6513.3730LATIN AMERICA HEADQUARTERSSawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430Sunrise, FL 33323Tel: 1.954.368.9990Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common lawtrademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and otherresults may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied,except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, insuch event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internallab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the mostcurrent version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise thispublication without notice, and the most current version of the publication shall be applicable.Jan 04, 2017

anti-DDoS services and can mitigate many DDoS attacks. Having one device for firewall, IPS, and DDoS is easier to manage and less complex to deploy, but a single device to do all the protection might be easily overwhelmed with volumetric DDoS attacks. Besides, resource-intensive protection necessary to detect and defend

Related Documents:

SDN security issues [31-37] Security policies in SDN [28,38-52] DDoS [53-56] DDoS vulnerability in SDN [33,36,57] Policies for rescuing SDN from DDoS [58-69] DDoS, distributed denial of service; SDN, software-defined network. focusing on DDoS issue, followed by the comparison of various proposed countermeasures for them. Table I has

most important questions related to DDoS attacks and the best practices offered through the Cisco DDoS Protection solution. INTRODUCTION TO DDoS ATTACKS A DDoS attack is an attack on the end host system or the network infrastructure that disrupts service to the user. The disrupti on can come in many forms, including:

In DDoS attack, the attacker try to interrupt the services of a server and utilizes its CPU and Network. Flooding DDOS attack is based on a huge volume of attack traffic which is termed as a Flooding based DDOS attack. Flooding-based DDOS attack attempts to congest the victim's network bandwidth with real-looking but unwanted IP data.

as a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with real-looking but unwanted data. As a result, legitimate packets cannot reach the victim due to a lack of bandwidth resource. 2 DOS AND DDOS DoS and DDoS attacks are simple in design and generated

detect a DDOS attack and thus, start the processes to defense these attacks. The main objective is to understand the DDOS attacks and to find the security measures. Keywords— DDoS, Intrusion detection, preventive measures of DDoS, defense mechanisms, defense models, game theory, application model defense, new enhanced model.

Fig. 4. (a) Direct DDoS attack; (b) Reflexive DDoS attack. IV. CONSEQUENCES OF DDOS Effects of DDoS attacks on business installation are immediately reflected as Revenue Losses, with loss rate going as high as 300K/hour for service outage hours [13]. With advent of time, cost to mitigate DDoS attacks kept ever rising,

F5 Silverline DDoS Protection is a service delivered via the F5 Silverline cloud-based platform. It detects and mitigates DDoS attacks in real time, with industry-leading DDoS attack mitigation bandwidth to stop even the largest of volumetric DDoS attacks from ever reaching your network. F5 security experts are available 24x7x365 to keep your

Image 34 Charles Duncan – A Modern Approach to Classical Guitar 106 Image 35 Mario Rodriguez Arenas – The School of the Guitar 108 Image 36 Julio Sagreras – First Guitar Lessons 109