The Role of Attack Mitigation in Managed Security Services
Overcoming DDoS Protection Challenges
By all indications, the first half of 2011 will go down in the record books as one of the most active periods for DDoS attacks. Cyber-hacktivism has become prevalent, and every online business, government agency or critical infrastructure operator is a likely target. Anonymous, LulzSec and others have increased their attack frequency and publicize their achievements. The current efficacy of these attacks will likely encourage even more attackers to launch malicious activity in the future.
Attackers have been using a newer technique known as a Multi-Vulnerability Attack Campaign, in which they set their botnet (or instruct their followers, as in Anonymous group operations) to launch several attack types in parallel. The campaign targets several layers of the victim's IT infrastructure at once: the network, server and application layers. Such campaigns are highly destructive even though each attack vector is well known (for example, a UDP flood targeting network bandwidth, a SYN flood targeting server connection resources, and an HTTP GET flood targeting web application resources). The victim is at high risk because it takes only one vector getting through for the result to be destructive. The attackers' assumption is that even when victims deploy DDoS protection tools, there are blind spots in the perimeter network security architecture that leave them exposed to at least some of the vectors.
Background: DDoS Layer of Defense
From a service provider's point of view, DDoS attacks can be partitioned into three dimensions:
- Packet and bandwidth DDoS flood attacks – attackers flood the victim with a high volume of packets, consuming networking equipment resources or bandwidth. These are network DDoS flood attacks such as SYN floods (high packet-per-second attacks), large-packet UDP floods (bandwidth attacks), ICMP floods and more.
- Application DDoS flood attacks – these attacks complete full sessions (the TCP handshake and a well-formed request) and target the application's resources. Examples are HTTP GET or POST floods, DNS floods and SSL floods.
- Directed attacks – low-and-slow application DDoS attacks that exploit implementation weaknesses and design flaws in the application. Examples are Slowloris, a tool that allows a single machine to take down another machine's web server with minimal bandwidth by holding many connections open with requests that are never completed, and Circle cache-control (Circle-CC), which floods a web site by systematically scanning across many distinct pages. This type of application-level DoS attack prevents the target server from using its caching mechanism and thus amplifies the attack's impact.
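As an added example (not part of the original white paper and not Radware's code), the following Python classifier applies the three-dimension taxonomy above to constructed per-source traffic records: packet-rate and bandwidth floods on the network layer, request floods and cache-bypassing page scans on the application layer, and low-and-slow connections matched by a RegEx over the partial request, which is the kind of deep-packet-inspection filtering the directed-attack challenge later on this page calls for. The record types, thresholds, Slowloris pattern and sample records are all assumptions chosen for illustration; a real scrubbing center would take them from flow telemetry and tune them per customer.

```python
"""Classify per-source traffic into the three DDoS dimensions.

Added example: the record types, thresholds and sample records are
constructed assumptions for illustration, not a product's real values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds for one source over a one-second sampling window.
SYN_PPS_LIMIT = 10_000        # SYN-only segments per second
FLOOD_BPS_LIMIT = 50_000_000  # bits per second of UDP or ICMP
HTTP_RPS_LIMIT = 100          # completed HTTP requests per second
SCAN_DISTINCT_URLS = 50       # distinct URLs requested with no-cache
SLOW_AGE_LIMIT = 30.0         # seconds a request may stay incomplete

# Slowloris keeps a request open by appending bogus header lines such as
# "X-a: b\r\n" and never sending the blank line that ends the headers.
SLOWLORIS_RE = re.compile(rb"\r\nX-[A-Za-z0-9]+: [A-Za-z0-9]+\r\n$")
HEADERS_END = b"\r\n\r\n"


@dataclass
class NetSample:
    """Packet counters for one source and protocol in the window."""
    src: str
    proto: str              # "tcp", "udp" or "icmp"
    pkts: int
    bits: int
    syn_only: bool = False  # TCP segments carrying only the SYN flag


@dataclass
class HttpRequest:
    """A completed (handshake plus full request) HTTP request."""
    src: str
    url: str
    cache_control: str = ""  # request Cache-Control header, if any


@dataclass
class OpenConn:
    """A TCP connection still open, with the bytes received so far."""
    src: str
    age_s: float
    payload: bytes


def classify(samples, requests, conns):
    """Return {src: sorted attack-vector labels}; clean sources are omitted."""
    vectors = defaultdict(set)

    # Layer 1: packet-rate and bandwidth floods (network layer).
    for s in samples:
        if s.proto == "tcp" and s.syn_only and s.pkts > SYN_PPS_LIMIT:
            vectors[s.src].add("syn_flood")
        if s.proto in ("udp", "icmp") and s.bits > FLOOD_BPS_LIMIT:
            vectors[s.src].add(f"{s.proto}_flood")

    # Layer 2: floods made of complete sessions (application layer).
    per_src = defaultdict(list)
    for r in requests:
        per_src[r.src].append(r)
    for src, reqs in per_src.items():
        if len(reqs) > HTTP_RPS_LIMIT:
            vectors[src].add("http_get_flood")
        # Circle-CC style: many distinct pages, each forcing a cache miss.
        no_cache_urls = {r.url for r in reqs if "no-cache" in r.cache_control.lower()}
        if len(no_cache_urls) > SCAN_DISTINCT_URLS:
            vectors[src].add("cache_bypass_scan")

    # Layer 3: low-and-slow connections, found by RegEx over the payload.
    for c in conns:
        if (c.age_s > SLOW_AGE_LIMIT and HEADERS_END not in c.payload
                and SLOWLORIS_RE.search(c.payload)):
            vectors[c.src].add("slowloris")

    return {src: sorted(v) for src, v in vectors.items()}


def demo():
    """Constructed multi-vector campaign: five bots plus one legitimate client."""
    samples = [
        NetSample("10.0.0.1", "tcp", pkts=25_000, bits=8_000_000, syn_only=True),
        NetSample("10.0.0.2", "udp", pkts=60_000, bits=700_000_000),
        NetSample("10.0.0.9", "tcp", pkts=40, bits=50_000),
    ]
    requests = [HttpRequest("10.0.0.3", "/index.html") for _ in range(300)]
    requests += [HttpRequest("10.0.0.4", f"/page{i}", "no-cache") for i in range(80)]
    requests.append(HttpRequest("10.0.0.9", "/index.html"))
    conns = [
        OpenConn("10.0.0.5", 120.0,
                 b"GET / HTTP/1.1\r\nHost: victim\r\nX-a: b\r\nX-c: d\r\n"),
        OpenConn("10.0.0.9", 0.2, b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n"),
    ]
    return classify(samples, requests, conns)


if __name__ == "__main__":
    for src, vecs in sorted(demo().items()):
        print(src, ", ".join(vecs))
```

The point of returning a set of vectors per source, rather than a single verdict, is the multi-vector campaign described earlier: the same scrubbing pass has to label a SYN flood, an HTTP flood and a handful of slow connections at once, because stopping two of the three still leaves the victim down. Note that the high-volume checks run first and cheapest; only the connections that survive them reach the RegEx stage.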
Cleansing DDoS attacks requires a layered defense that strips attacks in order, from the high-volume vectors down to the low-volume ones, so that each layer only has to inspect the traffic the previous layer let through.
DDoS Protection Challenges
To effectively detect and remove unwanted DDoS traffic, service providers need to overcome the following challenges:
- Packet and bandwidth DDoS flood attacks – the solution needs high packet-per-second (PPS) and bandwidth capacity together with accurate mitigation, so that the flood is absorbed without dropping legitimate traffic.
- Application DDoS flood attacks – differentiating real users from bots requires advanced user "authentication" techniques. The solution must have the capacity to authenticate users at scale and accurately detect and block the artificial ones.
- Directed attacks – filtering low-and-slow attacks relies on deep packet inspection, so the solution must be able to perform RegEx filtering with no performance impact.
Current attack mitigation solutions on the market usually offer good coverage for packet and bandwidth attacks, limited or full protection against application DDoS attacks, and no protection against directed attacks.
Service providers are therefore required either to deploy several tools in their infrastructure or to develop their own filtering tools to complement off-the-shelf mitigation products.
Radware Attack Mitigation Solution for DoS Protection Service Providers
Radware offers DoS protection service providers the most advanced attack mitigation solution, providing the following unique benefits:
- True and full DDoS protection coverage
- Ability to maintain customer SLA
- Operations efficiency
Attack mitigation solutions are typically deployed in a scrubbing center, where the mitigation is performed out-of-path.
True and Full DDoS Protection Coverage
Radware's attack mitigation solution provides the best technology match for each of the three layers of defense:
- Packet and bandwidth DDoS flood attacks – an ASIC-based DoS Mitigation Engine (DME) that can repel up to 12 million packets per second of attack traffic without impact on the overall system. It uses Radware's real-time signature technology to detect and block all types of network DDoS attacks.
- Application DDoS flood attacks – a multi-core CPU system authenticates application sessions using challenge-response techniques to identify sessions generated by bots and block them.
- Directed attacks – a hardware-based StringMatch Engine (SME) performs RegEx filtering, detecting and blocking low-and-slow application DDoS attacks with no performance impact.
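As an added illustration of the challenge-response session authentication referred to both in the application-flood challenge above and in this list (example code, not Radware's implementation), the following Python gate issues each new client an HMAC-bound cookie and forwards only requests that present it back. A browser that honors the challenge passes after one extra round trip, while a bot that fires bare GETs, replays another client's token or forges one never reaches the origin. The cookie name, token format, key and simulated clients are assumptions.

```python
"""Challenge-response gate that lets browsers through and drops HTTP-flood bots.

Added example: the cookie name, token format, key and simulated clients are
assumptions for illustration, not any product's real mechanism.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_COOKIE = "am_chal"  # assumed cookie name
TOKEN_TTL_S = 300             # a token stays valid for five minutes


class ChallengeGate:
    """Sits in front of the origin; only challenge-authenticated sessions pass."""

    def __init__(self, key=None, now=time.time):
        self.key = key or secrets.token_bytes(32)
        self.now = now          # injectable clock, handy for testing
        self.passed = 0         # requests forwarded to the origin
        self.challenged = 0     # requests answered with a challenge
        self.dropped = 0        # requests carrying an invalid token

    def _token(self, client_ip, issued):
        """Token bound to the client address and issue time; no server state."""
        mac = hmac.new(self.key, f"{client_ip}|{issued}".encode(), hashlib.sha256)
        return f"{issued}.{mac.hexdigest()}"

    def _valid(self, client_ip, token):
        try:
            issued = int(token.split(".", 1)[0])
        except ValueError:
            return False
        if not 0 <= self.now() - issued <= TOKEN_TTL_S:
            return False  # expired, or issued in the future
        # Constant-time compare, recomputed for *this* client's address, so a
        # token stolen from another client fails.
        return hmac.compare_digest(self._token(client_ip, issued), token)

    def handle(self, client_ip, cookies):
        """Return ("origin", None), ("challenge", token) or ("drop", None)."""
        token = cookies.get(CHALLENGE_COOKIE)
        if token is None:
            # First contact: set the cookie and make the client come back
            # (in practice a 302 redirect or a small JavaScript reload).
            self.challenged += 1
            return "challenge", self._token(client_ip, int(self.now()))
        if self._valid(client_ip, token):
            self.passed += 1
            return "origin", None
        self.dropped += 1
        return "drop", None


def browser_session(gate, ip, n_requests):
    """A real browser honors the challenge once, then reuses the cookie."""
    cookies, served = {}, 0
    for _ in range(n_requests):
        verdict, token = gate.handle(ip, cookies)
        if verdict == "challenge":
            cookies[CHALLENGE_COOKIE] = token
            verdict, _ = gate.handle(ip, cookies)  # retry, now with the cookie
        served += verdict == "origin"
    return served


def bot_flood(gate, ip, n_requests, token=None):
    """A flood bot fires bare GETs, or replays/forges one fixed token."""
    cookies = {} if token is None else {CHALLENGE_COOKIE: token}
    return sum(gate.handle(ip, cookies)[0] == "origin" for _ in range(n_requests))


def demo():
    """Constructed scenario: one browser, one bare-GET bot, one replaying bot."""
    gate = ChallengeGate()
    browser_ok = browser_session(gate, "198.51.100.7", 20)
    bare_ok = bot_flood(gate, "203.0.113.9", 1000)
    stolen = gate._token("198.51.100.7", int(gate.now()))  # the browser's token
    replay_ok = bot_flood(gate, "203.0.113.9", 50, token=stolen)
    return {"browser": browser_ok, "bare_bot": bare_ok, "replay_bot": replay_ok,
            "challenged": gate.challenged, "dropped": gate.dropped}


if __name__ == "__main__":
    print(demo())
```

Binding the token to the client address and issue time keeps the gate stateless, which is what makes it viable at scrubbing-center rates: the mitigation device keeps no per-session table, and a flood of bare GETs costs one HMAC each. The caveats a practitioner should keep in mind are that a bot which implements cookie handling passes this first tier (which is why such mechanisms escalate to JavaScript or CAPTCHA challenges), and that many users behind one NAT address share a token's validity.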
Out-of-the-box mitigation (with no human intervention) is achieved in less than 18 seconds, where other solutions require minutes to start protecting.
Maintain Customer SLA
- Most comprehensive integrated SEM (security event management) with detailed per-customer reporting and advanced alerting
- Shortest time-to-protect solution in the market – typically less than 18 seconds!
Operations Efficiency
Easy integration into the provider's infrastructure, including:
- OSS (operations support system) integration for managing the mitigation solution
- Feeding the provider's SEM and customer portal with detailed per-customer event logs and advanced alerts
- Operating the mitigation solution in an out-of-path environment where only ingress traffic is diverted to the scrubbing center, while still providing the full protection set with no learning period
- Best out-of-the-box protection set – allows the provider's SOC to focus on complex attack cases
- Multiple DDoS protections and SEM in a single integrated solution – significant CapEx and OpEx savings