Managed DDOS Protection
DDoS attacks are weapons of mass disruption. Unlike access attacks that penetrate security perimeters to steal information, DDoS attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, firewalls, etc.) with bogus traffic.
DDoS is emerging as the weapon of choice for hackers, political “hacktivists,” cyber-extortionists, and international cyber-terrorists: the attacks are easy to launch, and most targets have only limited defenses against them.
THE DDOS THREAT
A DDoS attack directs hundreds or even thousands of compromised “zombie” hosts against a single target. These zombie hosts are unwittingly recruited from the millions of unprotected computers accessing the Internet through high-bandwidth, “always-on” connections. By planting “sleeper” code on these machines, hackers can quickly build a legion of zombies, all waiting for the command to launch a DDoS attack. With enough zombie hosts participating, the volume of an attack can be astounding.
The Impact of DDoS Attacks
The impact of a successful DDoS attack is widespread. Site performance is severely degraded, resulting in frustrated customers and other users. Service-level agreements (SLAs) are violated, triggering costly service credits. Company reputations are tarnished, sometimes permanently. Lost revenue, lost productivity, increased IT expenses, litigation costs: the losses just keep mounting.
The numbers are staggering. Estimates from Forrester, IDC, and the Yankee Group predict that the cost of a 24-hour outage for a large e-commerce company would approach US$30 million. A spate of DDoS attacks against Amazon, Yahoo, eBay, and other major sites in February 2000 caused an estimated cumulative loss of US$1.2 billion, according to the Yankee Group. And in January 2001, Microsoft lost approximately US$500 million over the course of a few days from a DDoS attack on its site. Clearly, businesses must take steps to protect themselves from these malicious attacks by shoring up defenses at their multiple points of vulnerability.
MITIGATING THE DDOS THREAT
Taking on DDoS attacks requires a new approach that not only detects increasingly complex and deceptive assaults but also mitigates the effects of the attack to ensure business continuity and resource availability. Complete DDoS protection is built around four key themes:
- Mitigate, not just detect.
- Accurately distinguish good traffic from bad traffic to preserve business continuity, not just detect the overall presence of an attack.
- Have the performance and architecture to be deployed upstream, protecting all points of vulnerability.
- Maintain reliable and cost-efficient scalability.
A DDoS defense built on these concepts delivers the following protection attributes:
- Enables immediate response to DDoS attacks through integrated detection and blocking mechanisms, even during spoofed attacks when attacker identities and profiles are changing constantly
- Provides more complete verification capabilities than either static router filters or IDS signatures can provide today
- Delivers behavior-based anomaly recognition to detect valid packets sent with malicious intents to flood a service
- Identifies and blocks individual spoofed packets to protect legitimate business transactions
- Offers mechanisms designed to handle the huge volume of DDoS attacks without suffering the same fate as protected resources
- Enables on-demand deployment to protect the network during attacks without introducing a point of failure or imposing the scaling costs of an inline solution
- Processes (with built-in intelligence) only contaminated traffic streams, helping ensure maximum reliability and minimum scaling costs
- Avoids reliance on network device resources or configuration changes
- Uses standard protocols for all communications, helping ensure maximum interoperability and reliability
Warrior Networks’ Complete DDoS Protection Solution
Warrior delivers a complete DDoS protection solution based on the principles of detection, diversion, verification, and forwarding to help ensure total protection. When a DDoS attack is launched against a victim protected by Warrior’s solution, business continuity is maintained by:
- Detecting the DDoS attack
- Diverting the data traffic destined for the target device to a Cisco appliance for treatment
- Analyzing the diverted traffic and filtering bad flows from good flows packet by packet, preventing malicious traffic from impacting performance while allowing legitimate transactions to complete
- Forwarding the good traffic to maintain business continuity
The Cisco Solution Set
The Cisco solution is designed to protect against the full range of DDoS attacks, including ones that have never been seen before, because its detection is based on deviations from learned behavior rather than on signatures. Featuring active mitigation capabilities that rapidly detect attacks and separate malicious traffic from legitimate traffic, the Cisco solution delivers a DDoS response that is measured in seconds, not hours. Easily deployed adjacent to critical routers and switches, the Cisco solution offers a scalable option that eliminates any single point of failure and does not impact the performance or reliability of the existing network components.
The Cisco solution set includes two distinct components, the Cisco Traffic Anomaly Detector (TAD) XT and the Cisco Guard XT, that, working together, deliver complete DDoS protection for virtually any environment.
- Cisco Traffic Anomaly Detector XT: Acting as an early warning system, the Cisco TAD XT provides in-depth analysis of the most complex DDoS attacks. The Cisco TAD XT passively monitors network traffic, looking for any deviation from “normal” or baseline behavior that indicates a DDoS attack. When an attack is identified, the Cisco TAD XT alerts the Cisco Guard XT, providing detailed reports as well as specific alerts to quickly react to the threat. For example, the Cisco TAD XT can observe that the rate of UDP packets from a single source IP is out of range, even if overall thresholds are not exceeded.
- Cisco Guard XT: The Cisco Guard XT is the cornerstone of the Cisco DDoS solution set, a high-performance DDoS attack-mitigation device that is deployed upstream at either the ISP data center or the perimeter of a large enterprise to protect both the network and data center resources.
When the Cisco Guard XT is notified that a target is under attack (whether from a Cisco TAD XT or some other security-monitoring device such as an intrusion detector or firewall), traffic destined for the target is diverted to the Guard (or Guards) associated with the targeted device. The traffic is then subjected to a rigorous five-stage analysis and filtering process designed to remove all malicious traffic while allowing good packets to continue flowing uninterrupted.
The Cisco Guard XT resides adjacent to a router or switch on a separate network interface, helping enable on-demand protection without impacting data traffic flow of other systems. Depending on its location, the Cisco Guard XT can concurrently protect multiple potential targets, including routers, Web servers, DNS servers, and LAN and WAN bandwidth.
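One of the five stages the diverted traffic passes through is active verification, which is described under the MVP architecture below and rejects packets with spoofed source addresses. As an added illustration (this is not Cisco's patent-pending mechanism and not code from this page), the following Python simulates one well-known source-authentication technique that a scrubbing device can apply to TCP, SYN cookies: every SYN is answered with a SYN-ACK whose sequence number is an HMAC over the connection tuple and a coarse time slice, so only a host that really receives packets at the claimed source address can return the matching ACK, and the device keeps no state per SYN. The addresses, ports, secret key, packet dictionaries and the 24-bit tag size are all assumptions constructed for the example.

```python
"""Active verification of TCP sources with SYN cookies (added example)."""
import hashlib
import hmac
import os

TAG_BITS = 24            # 8 high bits carry the time slice, 24 low bits the HMAC tag


class SynCookieVerifier:
    """Stateless source authentication for one protected destination.

    Every SYN is answered with a SYN-ACK whose sequence number is an HMAC
    over the connection tuple and a coarse time slice.  Only a host that
    really receives packets at the claimed source address can return
    ACK = cookie + 1, so spoofed SYNs never get a source on the allow-list,
    and nothing is stored per SYN (the cookie is recomputed on the ACK).
    """

    def __init__(self, secret: bytes, dst: str, dport: int):
        self.secret, self.dst, self.dport = secret, dst, dport
        self.verified = set()        # sources that completed a cookie handshake

    def _cookie(self, src, sport, client_isn, t_slice):
        msg = f"{src}:{sport}>{self.dst}:{self.dport}|{client_isn}|{t_slice}".encode()
        tag = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")
        return ((t_slice & 0xFF) << TAG_BITS) | tag          # fits a 32-bit ISN

    def on_syn(self, pkt, t_slice):
        """Build the SYN-ACK sent back toward pkt['src']; no state is kept."""
        seq = self._cookie(pkt["src"], pkt["sport"], pkt["seq"], t_slice)
        return {"src": self.dst, "dst": pkt["src"], "sport": self.dport,
                "dport": pkt["sport"], "flags": "SA", "seq": seq, "ack": pkt["seq"] + 1}

    def on_ack(self, pkt, t_slice):
        """Validate the handshake's final ACK; current and previous slice are accepted."""
        client_isn = pkt["seq"] - 1                  # the ACK's seq is ISN + 1
        presented = ((pkt["ack"] - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        for s in (t_slice, t_slice - 1):
            expected = self._cookie(pkt["src"], pkt["sport"], client_isn, s).to_bytes(4, "big")
            if hmac.compare_digest(presented, expected):
                self.verified.add(pkt["src"])
                return True
        return False

    def admit(self, pkt, t_slice):
        """True if the packet may be forwarded to the protected host."""
        if pkt["flags"] == "S":
            return False                             # answered locally via on_syn
        if pkt["flags"] == "A" and pkt["src"] not in self.verified:
            return self.on_ack(pkt, t_slice)
        return pkt["src"] in self.verified


def _pkt(src, sport, flags, seq, ack=0, dst="203.0.113.10", dport=80):
    """Constructed packet record (assumed field names, not a real parser)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}


def simulate(t_slice=1000):
    """Constructed scenario: one real client plus a 1000-packet spoofed SYN flood."""
    v = SynCookieVerifier(os.urandom(32), dst="203.0.113.10", dport=80)

    # Legitimate client: it really receives the SYN-ACK, so it can echo the cookie.
    syn = _pkt("198.51.100.7", 40001, "S", seq=12345)
    v.admit(syn, t_slice)
    synack = v.on_syn(syn, t_slice)
    ack = _pkt("198.51.100.7", 40001, "A", seq=12346, ack=synack["seq"] + 1)
    legit = v.admit(ack, t_slice) and v.admit(_pkt("198.51.100.7", 40001, "PA", seq=12346), t_slice)

    # Spoofed flood: SYN-ACKs go to addresses that never asked, so no valid ACK
    # ever returns; an attacker blindly guessing an ACK number fails as well.
    spoofed_admitted = 0
    for i in range(1000):
        src = f"192.0.2.{i % 256}"
        v.admit(_pkt(src, 1024 + i, "S", seq=i * 7919), t_slice)
        v.on_syn(_pkt(src, 1024 + i, "S", seq=i * 7919), t_slice)
        forged = _pkt(src, 1024 + i, "A", seq=i * 7919 + 1, ack=0x41414141)
        spoofed_admitted += v.admit(forged, t_slice)
    return {"legit": legit, "spoofed_admitted": spoofed_admitted,
            "verified": sorted(v.verified)}
```

Two caveats a practitioner would want: the SYN-ACKs still leave toward the spoofed addresses (backscatter), and accepting the previous time slice bounds how long a captured cookie can be replayed. UDP and ICMP floods carry no handshake, so they need different verification mechanisms, which is why the page pairs this stage with anomaly recognition and rate limiting.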
The Cisco Systems MVP Architecture
The next-generation Cisco Guard XT DDoS defense solution is based on a unique, patent-pending Multiverification Process (MVP) architecture that integrates a variety of verification, analysis, and enforcement techniques to identify and separate malicious traffic from legitimate traffic (refer to Figure 2). This purification process consists of five modules or steps:
- Filtering: This module includes both static and dynamic DDoS filters. Static filters, which block nonessential traffic from reaching the victim under attack, are user-configurable, and they come from Cisco with preset default values. Dynamic filters are inserted by the other modules based on observed behavior and detailed analysis of traffic flows, delivering real-time updates that either increase the level of verification applied to suspicious flows or block sources and flows that have been verified as malicious.
Figure 2. Cisco Systems MVP Architecture
- Active verification: This module verifies that packets entering the system have not been spoofed. The Cisco Guard XT uses numerous unique, patent-pending source-authentication mechanisms to stop spoofed packets from reaching the victim. The active verification module also has several mechanisms to help ensure proper identification of legitimate traffic, virtually eliminating the risk of valid packets being discarded.
- Anomaly recognition: This module monitors all traffic that was not stopped by the filter or the active verification modules and compares it to baseline behavior recorded over time, looking for deviations that would identify the source of malicious packets. The basic principle behind the operation of this module is that the pattern of traffic originating from a “black-hat” daemon residing at a source differs dramatically from the pattern generated by legitimate sources during normal operation. This principle is used to identify the attack source and type, as well as to provide guidelines for blocking traffic or performing more detailed analysis of the suspected data.
- Protocol analysis: This module processes flows that anomaly recognition finds suspicious in order to identify application-specific attacks, such as HTTP error attacks. Protocol analysis then detects any misbehaving protocol transactions, including incomplete transactions or errors.
- Rate limiting: This module provides another enforcement option and prevents misbehaving flows from overwhelming the target while more detailed monitoring is taking place. The module performs per-flow traffic shaping, penalizing sources that consume too many resources (for example, bandwidth or connections) for too long a period.
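The rate-limiting stage above shapes traffic per flow and penalizes sources that stay over their allowance for too long. The following Python is an added example of that idea, not Cisco's implementation and not code from this page: a token bucket per source, plus a penalty that cuts a source's refill rate once it has been over its limit for several consecutive seconds. The rates, burst size, penalty parameters, the one-second tick and the two constructed sources are all assumptions of the example.

```python
"""Per-source token buckets with a penalty for persistent offenders (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last_second: int
    over_last_second: bool = False   # any packet dropped in the last active second?
    streak: int = 0                  # consecutive active seconds with drops
    penalized_until: int = 0         # second until which the reduced rate applies


class FlowLimiter:
    def __init__(self, rate=10, burst=20, penalty_after=3, penalty_seconds=5, penalty_factor=5):
        self.rate = rate                          # tokens (packets) per second, normal
        self.burst = burst                        # bucket capacity
        self.penalty_after = penalty_after        # over-limit seconds before penalizing
        self.penalty_seconds = penalty_seconds    # how long the reduced rate lasts
        self.penalty_factor = penalty_factor      # reduced rate = rate / factor
        self.buckets = {}
        self.stats = defaultdict(lambda: [0, 0])  # src -> [allowed, dropped]

    def _refill(self, b, now):
        elapsed = now - b.last_second
        if elapsed <= 0:
            return
        if elapsed == 1:
            b.streak = b.streak + 1 if b.over_last_second else 0
        else:
            b.streak = 0      # the source was quiet for at least a full second
        if b.streak >= self.penalty_after:
            # keep extending the penalty while the source keeps offending
            b.penalized_until = now + self.penalty_seconds
        rate = self.rate / self.penalty_factor if now < b.penalized_until else self.rate
        b.tokens = min(self.burst, b.tokens + elapsed * rate)
        b.last_second = now
        b.over_last_second = False

    def allow(self, src, now):
        """Return True if a packet from src at second `now` may be forwarded."""
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(tokens=self.burst, last_second=now)
        else:
            self._refill(b, now)
        if b.tokens >= 1:
            b.tokens -= 1
            self.stats[src][0] += 1
            return True
        b.over_last_second = True
        self.stats[src][1] += 1
        return False


def simulate():
    """Constructed 10-second run: a 100 pps flooder next to a 5 pps normal source."""
    lim = FlowLimiter()
    for second in range(10):
        for _ in range(100):
            lim.allow("192.0.2.66", second)      # flooding source
        for _ in range(5):
            lim.allow("198.51.100.9", second)    # well-behaved source
    return {src: tuple(v) for src, v in lim.stats.items()}


def simulate_recovery():
    """After 10 s of flooding and 10 s of silence, a small burst is served at the normal rate."""
    lim = FlowLimiter()
    for second in range(10):
        for _ in range(100):
            lim.allow("192.0.2.66", second)
    return sum(lim.allow("192.0.2.66", 20) for _ in range(5))
```

With these parameters the flooder gets its initial burst of 20, then 10 per second for two seconds, and from the fourth second on only 2 per second for as long as it keeps overflowing (54 of 1000 packets forwarded), while the normal source never loses a packet. The streak resets when a source goes quiet, so a penalized source that stops attacking recovers its normal allowance instead of being blocked indefinitely.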
It is important to note that, between attacks, the Cisco Guard XT is in “learning” mode, passively monitoring traffic patterns and flow for each of the different resources it protects to understand normal behavior and establish a baseline profile. This information is later used to fine-tune policies for recognizing and filtering both known and unknown, never-before-seen attacks in real-time network activity.
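The learning-mode baseline just described, and the per-source check mentioned for the detector earlier (a UDP rate from one source that is out of range even though the overall threshold is not exceeded), as an added worked example in Python that is not Cisco's or Warrior's code. It learns a mean and standard deviation per (source, protocol) and per protocol in aggregate from a few constructed measurement windows, then flags sources and protocols that exceed mean plus three standard deviations; the sample rates, the 3-sigma rule, the minimum-sigma floor and the handling of never-seen sources are assumptions of the example.

```python
"""Baseline learning and per-source anomaly detection over flow samples (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_SIGMA = 5.0     # floor so a perfectly steady source is not flagged on any change


@dataclass(frozen=True)
class Sample:
    src: str      # source address
    proto: str    # "udp", "tcp", ...
    pps: float    # packets per second from this source during the window


# Constructed learning-mode windows (one list per measurement interval).
LEARNING_WINDOWS = [
    [Sample("198.51.100.1", "udp", 100), Sample("198.51.100.2", "udp", 50), Sample("198.51.100.3", "udp", 200)],
    [Sample("198.51.100.1", "udp", 120), Sample("198.51.100.2", "udp", 60), Sample("198.51.100.3", "udp", 180)],
    [Sample("198.51.100.1", "udp", 110), Sample("198.51.100.2", "udp", 55), Sample("198.51.100.3", "udp", 220)],
    [Sample("198.51.100.1", "udp", 130), Sample("198.51.100.2", "udp", 45), Sample("198.51.100.3", "udp", 200)],
]

# Constructed window after learning: aggregate UDP (400 pps) stays under the
# learned overall threshold, but one source is far outside its own profile.
ATTACK_WINDOW = [
    Sample("198.51.100.1", "udp", 100),
    Sample("198.51.100.2", "udp", 160),
    Sample("198.51.100.3", "udp", 140),
]


@dataclass
class Baseline:
    per_source: dict    # (src, proto) -> (mean, sigma)
    aggregate: dict     # proto -> (mean, sigma) over the per-window totals


def _stats(values):
    return mean(values), max(pstdev(values), MIN_SIGMA)


def learn_baseline(windows):
    """Learning mode: profile every observed source and the per-protocol totals."""
    per_src = defaultdict(list)
    per_proto = defaultdict(list)
    for window in windows:
        totals = defaultdict(float)
        for s in window:
            per_src[(s.src, s.proto)].append(s.pps)
            totals[s.proto] += s.pps
        for proto, total in totals.items():
            per_proto[proto].append(total)
    return Baseline(per_source={k: _stats(v) for k, v in per_src.items()},
                    aggregate={k: _stats(v) for k, v in per_proto.items()})


def detect(window, baseline, k=3.0):
    """Return (sources over their own profile, protocols over the aggregate profile)."""
    flagged = set()
    totals = defaultdict(float)
    for s in window:
        totals[s.proto] += s.pps
        if (s.src, s.proto) in baseline.per_source:
            mu, sigma = baseline.per_source[(s.src, s.proto)]
        else:
            # Never seen in learning mode: judge it against the population of
            # learned per-source profiles for the same protocol (assumption).
            peers = [m for (_, p), (m, _) in baseline.per_source.items() if p == s.proto]
            mu, sigma = _stats(peers) if peers else (0.0, MIN_SIGMA)
        if s.pps > mu + k * sigma:
            flagged.add(s.src)
    over = {p for p, total in totals.items()
            if p in baseline.aggregate
            and total > baseline.aggregate[p][0] + k * baseline.aggregate[p][1]}
    return flagged, over
```

On the constructed data the learned UDP aggregate is about 367 pps with a threshold near 408, so the 400 pps attack window trips no overall threshold, yet 198.51.100.2 (profile about 52 pps, threshold about 69) is flagged at 160 pps. The floor on sigma is the caveat worth keeping: without it a source whose rate never varied during learning would have a zero-width profile and be flagged by any change at all.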
DDOS DEFENSE DEPLOYMENT
Cisco DDoS protection offers flexible, scalable deployment scenarios to protect data centers (servers and network devices), ISP links, and backbones (routers and DNS servers).
The Cisco Guard XT can be deployed at strategic points in the provider’s infrastructure, such as at each peering point, to protect core routers, downstream edge devices, links, and customers (refer to Figure 3). It also can be deployed at the edge router for dedicated customer protection. The detection mechanisms can be placed near the provider edge or on the customer premises. Because the Guard sits upstream, one scalable deployment can protect both the provider’s own network and multiple customer data centers, which matches provider requirements.
Enterprises and Data Centers
In enterprise data centers, the Cisco Guard XT is deployed at the distribution layer in the data center, protecting lower-speed links downstream and the servers. The Cisco Guard XT can be connected to the distribution switch, and it can support a redundant configuration (refer to Figure 4).