SlideShare a Scribd company logo

Fortinet_FortiDDoS_Introduction

S
swang2010

This document provides an overview of distributed denial of service (DDoS) attacks, including how they work, common techniques used, and strategies for mitigating them. It defines DDoS attacks as attempts to exhaust the resources of networks, applications, or services to deny access to legitimate users. The document discusses how botnets are commonly used to launch large-scale DDoS attacks from multiple sources simultaneously. It also outlines best practices for selecting DDoS protection devices, emphasizing the importance of up-to-date detection techniques, low latency, and customized hardware-based logic to withstand major attacks.

1 of 10
Download to read offline
Hemant Jain, VP of Engineering Sichao Wang, Director of Product Management April 2012, Fortinet, Inc A Primer for Distributed Denial of Service (DDoS) Attacks
A Primer for Distributed Denial of Service PAGE 2 Defining DDOS A DDoS attack is an attempted activity to exhaust the resources available to a network, application or service such that legitimate users are denied for access. The DDoS attack can be originated by a group of malware-infected or volunteered client computers that attempt to overwhelm network bandwidths, server or storage capacities of the targeted victim’s network operation environment. Only a few years back, it was common to use spoofing techniques (SMURF, Ping and SYN flood) where a hacker would actually use very few machines (or just one machine) and spoof multiple IP addresses. To the attacked destination it would seem that the attack is coming from multiple IP addresses. However in the recent years, hackers and attackers are increasingly sophisticated and they use a combined of volumetric and application layer attacking techniques. With the advent of infected PCs, increasing number of smart mobile phones, attacking tools easily enable attackers recruit botnets around the world. Through botmaster command and control (C&C) panel, these bots can be used to launch alarmingly damaging DDoS attacks. FortiDDoS Web Hosting Center Firewall Good Traffic Attacking Traffic ISP 1 ISP 2 Figure 1: Illustration of Attacking Traffic from Multiple ISPs Motivations of Attacks DDoS attacks are launched generally for three broad motivations: • Political. The attackers desire to silence you since your political or religious values are different from theirs. Operation Payback, operated by the clandestine group known as "Anonymous", has launched multi gbps cyber attacks against companies that have pulled their support for WikiLeaks. Among the institutions targeted by Operation Payback are PayPal, MasterCard, and Swiss bank PostFinance. The PayPal Blog eventually backed up after 75 service interruptions and 8 hours 15 minutes of total downtime. • Financial. Attacks against e-commerce and retailers are often for exchange of electronic fund transfers to offshore account. • Retaliation. In 2010, gamer players figured out a way to break into Sony PlayStation 3 console and use it to run a third-party application. In early 2011 Sony then issued an update for the gaming console that shored up its hardware defenses. That had angered many of the sophisticated users and resulted in retaliation style attack again Sony Playstation that brought down the worldwide service for several days.
A Primer for Distributed Denial of Service PAGE 3 Virus Infections, Botnets and Distributed Attack Tools Millions of new users join the Internet daily. These are in the far-flung corners of the world. If you are reading this primer, you are savvy - but they are not. If they get an enticing email from someone, they open it and their machine now has bot code which can be remotely controlled by botmasters. Millions of such machines around the world are under control of bot-herds who buy, sell and rent them for monetary gains. Some foreign governments are also known to control them for possible cyber-warfare. Figure 2: An Example of Botmaster Control Panel The above pictures shows a bot-controller that can be easily used to launch a DDoS attack sitting somewhere using bots recruited around the world. The renter uses this software after paying the rent. She can simply enter the URL of the target site to be attacked and choose the type of the attack and launch the attacks including a blended attack. This program controls the bots on the Internet. Following is another example of another bot controller panel. As you can see the panel consists of a display of available bots in different countries and ability to launch different tasks through the bots.
A Primer for Distributed Denial of Service PAGE 4 Figure 3: An Example of Botmaster Control Panel Another picture below shows ability of the bot-master to upload new functionality into the botnet and update the bots remotely and have an ability to remotely see the status of the bots. Figure 4: An example that bots are updated with new intelligence
A Primer for Distributed Denial of Service PAGE 5 Most Common Current Generation DDoS Attacks There are many kinds of legacy and current generation attacks that are prevalent today. SYN flood and HTTP GET floods being the most common. They are targeted to fill in the network connection pipes or overload the servers behind firewalls and IPS devices. • SYN Flood Spoofed SYN Packets fill the connection table of servers, and all other devices in your network path. Low volume SYN flood can be easily stopped by software firewalls. High bandwidth SYN floods needs faster hardware logic with SYN proxy capability. • Zombie Flood In zombie or botnet floods, non-spoofed connections overload the services. The attacking IPs are able to do three way handshakes. These are difficult to stop unless you have behavioral mitigation. High bandwidth zombie floods needs specialized hardware logic for discriminating legitimate traffic within zombie flood. • ICMP Flood In these floods, ICMP packets, such as those used for ping, overload the servers and the network pipe. Low volume ICMP flood can be easily stopped by ACLs on routers and switches. High bandwidth ICMP floods needs specialized equipment. • TCP/UDP Port Flood In these floods, TCP/UDP packets overload the servers and the pipe on ports not being used for service, e.g. TCP port 81. Low volume port floods on non-service ports are easily stopped by ACLs. Higher volume needs specialized equipment for automatic detection and mitigation unless you have totally blocked all non-service ports by default. Sites that use services such as FTP or IRC that use dynamic ports need to be careful with the stateful traffic on the dynamic ports. Most large attacks that are multi Gbps involve UDP floods because they are easy to generate by spoofing IPs. When packets overload the servers and the pipe on service ports, e.g. TCP port 80, Firewall, switches, routers, IPS appliances cannot stop these attacks. In these cases, you need specialized equipment for discrimination. • Fragment Flood In these floods, fragmented packets overload the servers. Many firewalls, switches, routers cannot stop these attacks unless they have rule sets for dropping fragmented packets. Sometimes you may need specialized equipment. • Anomalous Packet Flood Hackers create most floods with scripts. Sometimes deliberately and sometimes due to errors in scripts, packets are anomalous. These anomalies may be headers at layer 3, 4 or 7. They may be in TCP or UDP states or protocols. These packets overload the CPU of the servers and other networking equipment on the way. Some firewalls, and IPS appliances can stop these attacks. Specialized equipment for DDoS easily stop these attacks. • HTTP GET Flood These attacks involved connection-oriented bots overload the servers and the pipe on service ports, e.g. on HTTP, mimicking legitimate users. Since firewalls, switches, routers, IPS appliances don't have behavioral anomaly prevention, they cannot stop these attacks. Therefore you need specialized equipment to stop these attacks. • Blended Attacks
A Primer for Distributed Denial of Service PAGE 6 When multiple types of above attacks are blended on the server, they confuse the conventional equipment further. Firewall, switches, routers, IPS appliances cannot stop these attacks. You need specialized equipment to stop these attacks • Floods from Unwanted Geographical Areas These are very common. For example, you have most of your customers in China and you are getting too many packets from Russia. Such floods are easy to stop with simple access control lists in Anti-DDoS equipment or in switches or routers before the network. FortiDDoS leverages its patented techniques to accurately discover all these common attacks based on traffic patterns that FortiDDoS builds during of the course of operations. The technology is automatic and does not require signature updates. Application Layer DDoS Attacks Application-layer attacks use far more sophisticated mechanisms to achieve the goals of the hacker. Rather than flooding a network with traffic or sessions, application-layer attacks target specific applications/services and slowly exhaust resources at the application layer. Application-layer attacks can be very effective at low traffic rates, and the traffic involved in the attacks can be legitimate from a protocol perspective. This makes application-layer attacks harder to detect than other DDoS attack types. HTTP Flood, DNS dictionary, Slowloris, etc., are examples of application-layer attacks. FortiDDoS Firewall Good Traffic Attacking Traffic with Low Data Rate ISP 1 ISP 2 Low bandwidth slow connections Web Hosting Center Figure 5: Attacks utilizing low bandwidth to evade detection FortiDDoS is designed with sophisticated connection aging algorithm to discover the application level attacks such as Slowloris that aims to slowly exhaust the system resource. FortiDDoS communicates with server sides to reset the TCP connections when such application layer attack is detected. Myths and Realities About DDoS Attacks • Most Network and Security Operations engineers only hear about DDoS attacks happening to others. They think that they don’t have enemies. In reality, their perceptions of risk factors and susceptibility are most often misplaced. If you have a web presence, you can be attacked easily – sometimes even by mistake.
A Primer for Distributed Denial of Service PAGE 7 • Many engineers think that they can custom compile kernel, set some options in Apache, install mod_dosevasive and DDoS attacks can be taken care of. In Reality, most servers do not have the capacity to handle DDoS attacks. Under most average sized DDoS attacks, your server CPUs will be too overloaded to give Apache modules a chance. • Another myth that exists is that simple iptables commands can block DDoS attacks. In reality, NetFilter/iptables can block very tiny attacks and tiny percentage of DDoS attacks. Real DDoS attacks require specialized equipment because the CPU running iptables will be too busy handling attack packets. • Many Network and Security Operations engineers think that their webhosts will take care of DDoS attacks. Many webhosts are happy to just null-route an attacked IP domain unless they have specialized equipment. Many webhosts do not have the skills to manually isolate issues - unless they specially advertise such capability. • Some think that their ISPs, to whom their webhosting data center is connected to, cooperate under attack and they can find the source of the attack. Most ISPs are too busy. They have strict and bureaucratic processes to reach each other. Typical response time for ISPs are in days if not in hours – whereas you want the solution NOW!! • It is also easy to think that under attack, we can report to law enforcement to solve the problem. In reality, most law enforcement departments will not bother about needle in hay-stack attacks – for them that’s what most attacks are. Unless you are important and the attacks are in multiple 10s of Gigabits per second, don’t waste their time and yours. • You may also think that you can determine that ACLs for your routers and switches to block the attacks. DDoS attacks are moving targets. The hackers are smart, their tools are smarter and techniques are sophisticated. • Another myth that surrounds DDoS attacks are filled pipes. Many wonder if there is any point in buying any specialized Anti- DDoS equipment. Without the DDoS mitigation equipment, your servers will be thoroughly exposed to even the most ordinary attacks. Anti-DDOS Appliances There are primarily following categories of appliances in the market for DDoS mitigation: 1. Carrier DDoS mitigation solutions o These solutions are useful for global networks and carriers and ISPs. o They employ IP flow-based and deep packet inspection technologies, and protect entire networks consisting of multiple routers and switches and services behind them. o These solutions are too expensive for individual IDCs, webhosts or web properties. o These solutions have been designed around early 2000 and therefore are not keeping up with the current generation of DDoS attacks which involve botnets that mimic legitimate clients. o These solutions work very well at global level and the residual attacks from such solutions may be too much for an individual web property which in turn may have to employ a solution such as 2 below. 2. Custom Logic (ASIC) based Internet Data Center (IDC), Web hosting and Web Property DDoS Mitigation Solutions o These solutions are useful for large IDCs, large web hosts and large web properties. o They work to protect one or several Internet links. o The behavioral solutions are implemented in custom hardware logic and provide line rate performance for large attacks. o FortiDDoS has one such solution. o These solutions are cost-effective and effective for IDCs, webhosts and web properties. 3. Software based Web Property DDoS Mitigation Solutions o These solutions are useful for smaller web properties with very minimal traffic. o The behavioral solutions are implemented in off-the-shelf CPUs and have issues at large attack traffic volumes in terms of keeping up. o Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software and suffer from the same issues.
A Primer for Distributed Denial of Service PAGE 8 Choosing Your DDoS Protection Devices • Latest Technology The hackers are pretty up-to-date on techniques. If your DDoS mitigation appliance is built around technology that was developed several years ago, it won't help you much as most of the current generation attacks would pass through. • Centralized monitoring Look for appliances that allow you to centrally monitor all DDoS events and traffic in your network. You can use SNMP, Cacti, MRTG to monitor traffic and attack levels and attack events. You can configure Syslog to get all attack events on a centralized server as well. • Visibility into normal network traffic patterns Look for appliances that allow you to get extremely granular visibility into your network traffic. Typically you should look for a 12 month round robin view of what normal traffic looks like and incorporate this information into a correlation engine for threat detection, alerts, and reporting. • Alerting Mechanisms Look for appliances that give you a threshold based alerting mechanism for DDoS specific events. You can set threshold for different people to get alerts depending on the quantum of attack. You should be able to query a database for Top Attacks, Top Attackers, Top Attacked Destination, etc. You should be able to create custom queries in your custom applications/reports. • Filtering Mechanisms to Reduce False Positives Look for appliances that filter traffic in different network layers as they inspect incoming packets using dynamic profiling (based on monitoring and analysis of normal behavior), anti-spoofing algorithms, and other technology to progressively filter harmful traffic upstream of the network. • Low Latency Latency, in this context, is the amount of time it takes a packet to go through an appliance. Look for appliances that don't affect your mission critical traffic by adding additional significant latency. Most switches and routers have low latency in the range of a <50 microseconds. The anti-DDoS equipment should maintain similar latency levels. This latency should be maintained even during attacks. • Hardware Logic for Anti-DDoS These days it is common for a $100 home router to claim that it has DDoS attack mitigation capability. Such claims have to withstand third party tests and real life. It is also easy to build Intel CPU based appliance running Linux with some behavioral capability built-in to claim anti-DDoS features. Many IPS appliances have IPS in hardware logic but anti-DDoS capability in software. Such appliances cannot handle attacks beyond a certain Mbps. Look for custom DDoS mitigation logic implemented in hardware as that alone can withstand large DDoS attacks. A granular approach to DDoS mitigation selectively mitigates attacks at highest possible layer so that attacks are stopped at most specific layer. This reduces the false positives. Ability to monitor a large number of ports, sources, destinations, connections etc. helps in proper identification of attacks and attackers.
A Primer for Distributed Denial of Service PAGE 9 • Bypass and Redundancy Look for internal or external bypass capability that ensures that your network traffic continues even if the appliance fails. For multiple links, look for ability to cross connect appliances in a fail-over configuration. In addition, look for asymmetric traffic support because you may have traffic coming from one link and going through another. • Extensible Architecture Anti-DDoS equipment must grow with your business. Look for appliances that have such capability to grow through licenses. • Third Party Validation Look for third party validation for a solution you choose. That will mitigate some risks of your inability to actually do a test in your own labs. FortiDDoS - Ideal DDoS Protection Feature Benefits ASIC Assisted Threat Detection and Mitigation High throughput and reliable DDOS threat detection and mitigation. Network Virtualization Attack on one customer does not impact other customers. Flexible and business priority aligned. Achieves optimal TCO for customers Automatic traffic baseline model building Requires almost no end user intervention and achieves more accurate threat detection through multi-layer profiling Easy to Deploy Very little human intervention is required No network topology or configuration change is needed. Microfine Granularity Monitor and report traffic granularly at layer 3, 4 and 7. Real- time and historic attacking traffic analysis. Comprehensive reports for top attacks, top sources and top attackers Virtual Network Partitions FortiDDoS supports up to 8 discretely managed servers, subnets or networks into different policy domains using IP addresses/masks providing a second level of granular protection to your network. This feature is not only beneficial in supporting multiple layers of defense but also is a cost containment and administration-friendly feature for organizations that have multiple business entities to protect, and that need unique policies for each. Virtual instances can also be effectively used in defense escalation. Rather than have a single set of policies, multiple sets can be defined in advance, such that the organization can apply a more stringent set of policies if the preceding policies were inadequate.
A Primer for Distributed Denial of Service PAGE 10 Ease of Deployments Because much of the complexities are handled by the ASIC hardware, and good baseline traffic models are built automatically through the continuous learning process, very little human intervention is required and best of all - no network topology or configuration change is needed. Microfine Granularity and Accurate Detection FortiDDoS offers microfine granularity on defining traffic patterns by using counters at different layers. Relying on its automatic ability on building a complex and detailed legitimate traffic model, FortiDDoS provides fast and accurate detection of sophisticated attacks that attempt to mimic legitimate traffic. Conclusion DDoS attacks are on the rise. The potential threats and volumes are increasing as more machines including mobile devices join the Internet. If you have a web property, the likelihood of your getting attacked is real. It is prudent to plan protection of the infrastructure rather than wait for the attacks to strike. For more details on DDOS or FortiDDoS, please visit us at http://www.fortinet.com.

Recommended

L1803046876
L1803046876L1803046876
L1803046876
IOSR Journals
 
Dos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle AttackDos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle Attack
marada0033
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learning
eSAT Publishing House
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Module 9 Dos
Module 9 DosModule 9 Dos
Module 9 Dos
leminhvuong
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Ahmed Ghazey
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 

Recommended

L1803046876
L1803046876L1803046876
L1803046876
IOSR Journals
 
Dos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle AttackDos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle Attack
marada0033
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learning
eSAT Publishing House
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Module 9 Dos
Module 9 DosModule 9 Dos
Module 9 Dos
leminhvuong
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Ahmed Ghazey
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...
Alexander Decker
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
RAVI RAJ
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
Ahmed Salama
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
Ramasubbu .P
 
Botnets
BotnetsBotnets
Botnets
Kavisha Miyan
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
Computing safety
Computing safetyComputing safety
Computing safety
Brulius
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
IRJET Journal
 
Internet Traffic 2009-2019
Internet Traffic 2009-2019Internet Traffic 2009-2019
Internet Traffic 2009-2019
APNIC
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
amiable_indian
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
Raleigh ISSA
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
IJNSA Journal
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
Mina Fawzy
 
International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I... International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I...
ijcsity
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More Manageable
IBM Security
 
BOTNET
BOTNETBOTNET
BOTNET
Arjo Ghosh
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
allanjude
 
C_V of Saurabh
C_V of SaurabhC_V of Saurabh
C_V of Saurabh
Saurabh Singhvi
 

More Related Content

What's hot

Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...
Alexander Decker
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
RAVI RAJ
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
Ahmed Salama
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
Ramasubbu .P
 
Botnets
BotnetsBotnets
Botnets
Kavisha Miyan
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
Computing safety
Computing safetyComputing safety
Computing safety
Brulius
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
IRJET Journal
 
Internet Traffic 2009-2019
Internet Traffic 2009-2019Internet Traffic 2009-2019
Internet Traffic 2009-2019
APNIC
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
amiable_indian
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
Raleigh ISSA
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
IJNSA Journal
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
Mina Fawzy
 
International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I... International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I...
ijcsity
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More Manageable
IBM Security
 
BOTNET
BOTNETBOTNET
BOTNET
Arjo Ghosh
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 

What's hot (20)

Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments Preventing Distributed Denial of Service Attacks in Cloud Environments
Preventing Distributed Denial of Service Attacks in Cloud Environments
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
Botnets
BotnetsBotnets
Botnets
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Computing safety
Computing safetyComputing safety
Computing safety
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
Internet Traffic 2009-2019
Internet Traffic 2009-2019Internet Traffic 2009-2019
Internet Traffic 2009-2019
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
 
International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I... International Journal of Computational Science and Information Technology (I...
International Journal of Computational Science and Information Technology (I...
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More Manageable
 
BOTNET
BOTNETBOTNET
BOTNET
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
 

Viewers also liked

EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
allanjude
 
C_V of Saurabh
C_V of SaurabhC_V of Saurabh
C_V of Saurabh
Saurabh Singhvi
 
Ejer agensuc
Ejer agensucEjer agensuc
Ejer agensuc
Noé Gil Arrecis
 
c.v of muhammad khurram khan
c.v of muhammad khurram khanc.v of muhammad khurram khan
c.v of muhammad khurram khan
Muhammad Khurram Khan
 
Glosario de dibujo tecnico
Glosario de dibujo tecnicoGlosario de dibujo tecnico
Glosario de dibujo tecnico
ricardo torrealba anza
 
MPN Competency Windows and Devices for Technical (MPN16022)
MPN Competency Windows and Devices for Technical (MPN16022)MPN Competency Windows and Devices for Technical (MPN16022)
MPN Competency Windows and Devices for Technical (MPN16022)
Sandro Figueiredo
 
Intelligent home energy management system including renewable energy based on...
Intelligent home energy management system including renewable energy based on...Intelligent home energy management system including renewable energy based on...
Intelligent home energy management system including renewable energy based on...
eSAT Journals
 
Fifth Elephant 2014 talk - Crafting Visual Stories with Data
Fifth Elephant 2014 talk - Crafting Visual Stories with DataFifth Elephant 2014 talk - Crafting Visual Stories with Data
Fifth Elephant 2014 talk - Crafting Visual Stories with Data
Amit Kapoor
 

Viewers also liked (8)

EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
 
C_V of Saurabh
C_V of SaurabhC_V of Saurabh
C_V of Saurabh
 
Ejer agensuc
Ejer agensucEjer agensuc
Ejer agensuc
 
c.v of muhammad khurram khan
c.v of muhammad khurram khanc.v of muhammad khurram khan
c.v of muhammad khurram khan
 
Glosario de dibujo tecnico
Glosario de dibujo tecnicoGlosario de dibujo tecnico
Glosario de dibujo tecnico
 
MPN Competency Windows and Devices for Technical (MPN16022)
MPN Competency Windows and Devices for Technical (MPN16022)MPN Competency Windows and Devices for Technical (MPN16022)
MPN Competency Windows and Devices for Technical (MPN16022)
 
Intelligent home energy management system including renewable energy based on...
Intelligent home energy management system including renewable energy based on...Intelligent home energy management system including renewable energy based on...
Intelligent home energy management system including renewable energy based on...
 
Fifth Elephant 2014 talk - Crafting Visual Stories with Data
Fifth Elephant 2014 talk - Crafting Visual Stories with DataFifth Elephant 2014 talk - Crafting Visual Stories with Data
Fifth Elephant 2014 talk - Crafting Visual Stories with Data
 

Similar to Fortinet_FortiDDoS_Introduction

DoS/DDoS
DoS/DDoSDoS/DDoS
DoS/DDoS
Vihari Piratla
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
Saptha Wanniarachchi
 
DDOS Attack on Cloud Platforms.pptx
DDOS Attack on Cloud Platforms.pptxDDOS Attack on Cloud Platforms.pptx
DDOS Attack on Cloud Platforms.pptx
ShaimKibria
 
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
IJITCA Journal
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
praveena06
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 
12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacks
Haltdos
 
IRJET- A Novel Survey on DOS Attacks
IRJET- A Novel Survey on DOS AttacksIRJET- A Novel Survey on DOS Attacks
IRJET- A Novel Survey on DOS Attacks
IRJET Journal
 
WebRTC Security
WebRTC SecurityWebRTC Security
WebRTC Security
Alex Hunte
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTC
Quobis
 
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
IJNSA Journal
 
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET Journal
 
Whitepaper on DDoS Mitigation
Whitepaper on DDoS MitigationWhitepaper on DDoS Mitigation
Whitepaper on DDoS Mitigation
Gaurav Bhatia
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
Suzanne Aldrich
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?
VOIP2DAY
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
Quobis
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
SensePost
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3
Gurpreet singh
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
Sharon Lee
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
amalouwarda1
 

Similar to Fortinet_FortiDDoS_Introduction (20)

DoS/DDoS
DoS/DDoSDoS/DDoS
DoS/DDoS
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
 
DDOS Attack on Cloud Platforms.pptx
DDOS Attack on Cloud Platforms.pptxDDOS Attack on Cloud Platforms.pptx
DDOS Attack on Cloud Platforms.pptx
 
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacks
 
IRJET- A Novel Survey on DOS Attacks
IRJET- A Novel Survey on DOS AttacksIRJET- A Novel Survey on DOS Attacks
IRJET- A Novel Survey on DOS Attacks
 
WebRTC Security
WebRTC SecurityWebRTC Security
WebRTC Security
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTC
 
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
 
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
 
Whitepaper on DDoS Mitigation
Whitepaper on DDoS MitigationWhitepaper on DDoS Mitigation
Whitepaper on DDoS Mitigation
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
 

Fortinet_FortiDDoS_Introduction

  • 1. Hemant Jain, VP of Engineering Sichao Wang, Director of Product Management April 2012, Fortinet, Inc A Primer for Distributed Denial of Service (DDoS) Attacks
  • 2. A Primer for Distributed Denial of Service PAGE 2 Defining DDOS A DDoS attack is an attempted activity to exhaust the resources available to a network, application or service such that legitimate users are denied for access. The DDoS attack can be originated by a group of malware-infected or volunteered client computers that attempt to overwhelm network bandwidths, server or storage capacities of the targeted victim’s network operation environment. Only a few years back, it was common to use spoofing techniques (SMURF, Ping and SYN flood) where a hacker would actually use very few machines (or just one machine) and spoof multiple IP addresses. To the attacked destination it would seem that the attack is coming from multiple IP addresses. However in the recent years, hackers and attackers are increasingly sophisticated and they use a combined of volumetric and application layer attacking techniques. With the advent of infected PCs, increasing number of smart mobile phones, attacking tools easily enable attackers recruit botnets around the world. Through botmaster command and control (C&C) panel, these bots can be used to launch alarmingly damaging DDoS attacks. FortiDDoS Web Hosting Center Firewall Good Traffic Attacking Traffic ISP 1 ISP 2 Figure 1: Illustration of Attacking Traffic from Multiple ISPs Motivations of Attacks DDoS attacks are launched generally for three broad motivations: • Political. The attackers desire to silence you since your political or religious values are different from theirs. Operation Payback, operated by the clandestine group known as "Anonymous", has launched multi gbps cyber attacks against companies that have pulled their support for WikiLeaks. Among the institutions targeted by Operation Payback are PayPal, MasterCard, and Swiss bank PostFinance. The PayPal Blog eventually backed up after 75 service interruptions and 8 hours 15 minutes of total downtime. • Financial. Attacks against e-commerce and retailers are often for exchange of electronic fund transfers to offshore account. • Retaliation. In 2010, gamer players figured out a way to break into Sony PlayStation 3 console and use it to run a third-party application. In early 2011 Sony then issued an update for the gaming console that shored up its hardware defenses. That had angered many of the sophisticated users and resulted in retaliation style attack again Sony Playstation that brought down the worldwide service for several days.
  • 3. A Primer for Distributed Denial of Service PAGE 3 Virus Infections, Botnets and Distributed Attack Tools Millions of new users join the Internet daily. These are in the far-flung corners of the world. If you are reading this primer, you are savvy - but they are not. If they get an enticing email from someone, they open it and their machine now has bot code which can be remotely controlled by botmasters. Millions of such machines around the world are under control of bot-herds who buy, sell and rent them for monetary gains. Some foreign governments are also known to control them for possible cyber-warfare. Figure 2: An Example of Botmaster Control Panel The above pictures shows a bot-controller that can be easily used to launch a DDoS attack sitting somewhere using bots recruited around the world. The renter uses this software after paying the rent. She can simply enter the URL of the target site to be attacked and choose the type of the attack and launch the attacks including a blended attack. This program controls the bots on the Internet. Following is another example of another bot controller panel. As you can see the panel consists of a display of available bots in different countries and ability to launch different tasks through the bots.
  • 4. A Primer for Distributed Denial of Service PAGE 4 Figure 3: An Example of Botmaster Control Panel Another picture below shows ability of the bot-master to upload new functionality into the botnet and update the bots remotely and have an ability to remotely see the status of the bots. Figure 4: An example that bots are updated with new intelligence
  • 5. A Primer for Distributed Denial of Service PAGE 5 Most Common Current Generation DDoS Attacks There are many kinds of legacy and current generation attacks that are prevalent today. SYN flood and HTTP GET floods being the most common. They are targeted to fill in the network connection pipes or overload the servers behind firewalls and IPS devices. • SYN Flood Spoofed SYN Packets fill the connection table of servers, and all other devices in your network path. Low volume SYN flood can be easily stopped by software firewalls. High bandwidth SYN floods needs faster hardware logic with SYN proxy capability. • Zombie Flood In zombie or botnet floods, non-spoofed connections overload the services. The attacking IPs are able to do three way handshakes. These are difficult to stop unless you have behavioral mitigation. High bandwidth zombie floods needs specialized hardware logic for discriminating legitimate traffic within zombie flood. • ICMP Flood In these floods, ICMP packets, such as those used for ping, overload the servers and the network pipe. Low volume ICMP flood can be easily stopped by ACLs on routers and switches. High bandwidth ICMP floods needs specialized equipment. • TCP/UDP Port Flood In these floods, TCP/UDP packets overload the servers and the pipe on ports not being used for service, e.g. TCP port 81. Low volume port floods on non-service ports are easily stopped by ACLs. Higher volume needs specialized equipment for automatic detection and mitigation unless you have totally blocked all non-service ports by default. Sites that use services such as FTP or IRC that use dynamic ports need to be careful with the stateful traffic on the dynamic ports. Most large attacks that are multi Gbps involve UDP floods because they are easy to generate by spoofing IPs. When packets overload the servers and the pipe on service ports, e.g. TCP port 80, Firewall, switches, routers, IPS appliances cannot stop these attacks. In these cases, you need specialized equipment for discrimination. • Fragment Flood In these floods, fragmented packets overload the servers. Many firewalls, switches, routers cannot stop these attacks unless they have rule sets for dropping fragmented packets. Sometimes you may need specialized equipment. • Anomalous Packet Flood Hackers create most floods with scripts. Sometimes deliberately and sometimes due to errors in scripts, packets are anomalous. These anomalies may be headers at layer 3, 4 or 7. They may be in TCP or UDP states or protocols. These packets overload the CPU of the servers and other networking equipment on the way. Some firewalls, and IPS appliances can stop these attacks. Specialized equipment for DDoS easily stop these attacks. • HTTP GET Flood These attacks involved connection-oriented bots overload the servers and the pipe on service ports, e.g. on HTTP, mimicking legitimate users. Since firewalls, switches, routers, IPS appliances don't have behavioral anomaly prevention, they cannot stop these attacks. Therefore you need specialized equipment to stop these attacks. • Blended Attacks
  • 6. A Primer for Distributed Denial of Service PAGE 6 When multiple types of above attacks are blended on the server, they confuse the conventional equipment further. Firewall, switches, routers, IPS appliances cannot stop these attacks. You need specialized equipment to stop these attacks • Floods from Unwanted Geographical Areas These are very common. For example, you have most of your customers in China and you are getting too many packets from Russia. Such floods are easy to stop with simple access control lists in Anti-DDoS equipment or in switches or routers before the network. FortiDDoS leverages its patented techniques to accurately discover all these common attacks based on traffic patterns that FortiDDoS builds during of the course of operations. The technology is automatic and does not require signature updates. Application Layer DDoS Attacks Application-layer attacks use far more sophisticated mechanisms to achieve the goals of the hacker. Rather than flooding a network with traffic or sessions, application-layer attacks target specific applications/services and slowly exhaust resources at the application layer. Application-layer attacks can be very effective at low traffic rates, and the traffic involved in the attacks can be legitimate from a protocol perspective. This makes application-layer attacks harder to detect than other DDoS attack types. HTTP Flood, DNS dictionary, Slowloris, etc., are examples of application-layer attacks. FortiDDoS Firewall Good Traffic Attacking Traffic with Low Data Rate ISP 1 ISP 2 Low bandwidth slow connections Web Hosting Center Figure 5: Attacks utilizing low bandwidth to evade detection FortiDDoS is designed with sophisticated connection aging algorithm to discover the application level attacks such as Slowloris that aims to slowly exhaust the system resource. FortiDDoS communicates with server sides to reset the TCP connections when such application layer attack is detected. Myths and Realities About DDoS Attacks • Most Network and Security Operations engineers only hear about DDoS attacks happening to others. They think that they don’t have enemies. In reality, their perceptions of risk factors and susceptibility are most often misplaced. If you have a web presence, you can be attacked easily – sometimes even by mistake.
  • 7. A Primer for Distributed Denial of Service PAGE 7 • Many engineers think that they can custom compile kernel, set some options in Apache, install mod_dosevasive and DDoS attacks can be taken care of. In Reality, most servers do not have the capacity to handle DDoS attacks. Under most average sized DDoS attacks, your server CPUs will be too overloaded to give Apache modules a chance. • Another myth that exists is that simple iptables commands can block DDoS attacks. In reality, NetFilter/iptables can block very tiny attacks and tiny percentage of DDoS attacks. Real DDoS attacks require specialized equipment because the CPU running iptables will be too busy handling attack packets. • Many Network and Security Operations engineers think that their webhosts will take care of DDoS attacks. Many webhosts are happy to just null-route an attacked IP domain unless they have specialized equipment. Many webhosts do not have the skills to manually isolate issues - unless they specially advertise such capability. • Some think that their ISPs, to whom their webhosting data center is connected to, cooperate under attack and they can find the source of the attack. Most ISPs are too busy. They have strict and bureaucratic processes to reach each other. Typical response time for ISPs are in days if not in hours – whereas you want the solution NOW!! • It is also easy to think that under attack, we can report to law enforcement to solve the problem. In reality, most law enforcement departments will not bother about needle in hay-stack attacks – for them that’s what most attacks are. Unless you are important and the attacks are in multiple 10s of Gigabits per second, don’t waste their time and yours. • You may also think that you can determine that ACLs for your routers and switches to block the attacks. DDoS attacks are moving targets. The hackers are smart, their tools are smarter and techniques are sophisticated. • Another myth that surrounds DDoS attacks are filled pipes. Many wonder if there is any point in buying any specialized Anti- DDoS equipment. Without the DDoS mitigation equipment, your servers will be thoroughly exposed to even the most ordinary attacks. Anti-DDOS Appliances There are primarily following categories of appliances in the market for DDoS mitigation: 1. Carrier DDoS mitigation solutions o These solutions are useful for global networks and carriers and ISPs. o They employ IP flow-based and deep packet inspection technologies, and protect entire networks consisting of multiple routers and switches and services behind them. o These solutions are too expensive for individual IDCs, webhosts or web properties. o These solutions have been designed around early 2000 and therefore are not keeping up with the current generation of DDoS attacks which involve botnets that mimic legitimate clients. o These solutions work very well at global level and the residual attacks from such solutions may be too much for an individual web property which in turn may have to employ a solution such as 2 below. 2. Custom Logic (ASIC) based Internet Data Center (IDC), Web hosting and Web Property DDoS Mitigation Solutions o These solutions are useful for large IDCs, large web hosts and large web properties. o They work to protect one or several Internet links. o The behavioral solutions are implemented in custom hardware logic and provide line rate performance for large attacks. o FortiDDoS has one such solution. o These solutions are cost-effective and effective for IDCs, webhosts and web properties. 3. Software based Web Property DDoS Mitigation Solutions o These solutions are useful for smaller web properties with very minimal traffic. o The behavioral solutions are implemented in off-the-shelf CPUs and have issues at large attack traffic volumes in terms of keeping up. o Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software and suffer from the same issues.
  • 8. A Primer for Distributed Denial of Service PAGE 8 Choosing Your DDoS Protection Devices • Latest Technology The hackers are pretty up-to-date on techniques. If your DDoS mitigation appliance is built around technology that was developed several years ago, it won't help you much as most of the current generation attacks would pass through. • Centralized monitoring Look for appliances that allow you to centrally monitor all DDoS events and traffic in your network. You can use SNMP, Cacti, MRTG to monitor traffic and attack levels and attack events. You can configure Syslog to get all attack events on a centralized server as well. • Visibility into normal network traffic patterns Look for appliances that allow you to get extremely granular visibility into your network traffic. Typically you should look for a 12 month round robin view of what normal traffic looks like and incorporate this information into a correlation engine for threat detection, alerts, and reporting. • Alerting Mechanisms Look for appliances that give you a threshold based alerting mechanism for DDoS specific events. You can set threshold for different people to get alerts depending on the quantum of attack. You should be able to query a database for Top Attacks, Top Attackers, Top Attacked Destination, etc. You should be able to create custom queries in your custom applications/reports. • Filtering Mechanisms to Reduce False Positives Look for appliances that filter traffic in different network layers as they inspect incoming packets using dynamic profiling (based on monitoring and analysis of normal behavior), anti-spoofing algorithms, and other technology to progressively filter harmful traffic upstream of the network. • Low Latency Latency, in this context, is the amount of time it takes a packet to go through an appliance. Look for appliances that don't affect your mission critical traffic by adding additional significant latency. Most switches and routers have low latency in the range of a <50 microseconds. The anti-DDoS equipment should maintain similar latency levels. This latency should be maintained even during attacks. • Hardware Logic for Anti-DDoS These days it is common for a $100 home router to claim that it has DDoS attack mitigation capability. Such claims have to withstand third party tests and real life. It is also easy to build Intel CPU based appliance running Linux with some behavioral capability built-in to claim anti-DDoS features. Many IPS appliances have IPS in hardware logic but anti-DDoS capability in software. Such appliances cannot handle attacks beyond a certain Mbps. Look for custom DDoS mitigation logic implemented in hardware as that alone can withstand large DDoS attacks. A granular approach to DDoS mitigation selectively mitigates attacks at highest possible layer so that attacks are stopped at most specific layer. This reduces the false positives. Ability to monitor a large number of ports, sources, destinations, connections etc. helps in proper identification of attacks and attackers.
  • 9. A Primer for Distributed Denial of Service PAGE 9 • Bypass and Redundancy Look for internal or external bypass capability that ensures that your network traffic continues even if the appliance fails. For multiple links, look for ability to cross connect appliances in a fail-over configuration. In addition, look for asymmetric traffic support because you may have traffic coming from one link and going through another. • Extensible Architecture Anti-DDoS equipment must grow with your business. Look for appliances that have such capability to grow through licenses. • Third Party Validation Look for third party validation for a solution you choose. That will mitigate some risks of your inability to actually do a test in your own labs. FortiDDoS - Ideal DDoS Protection Feature Benefits ASIC Assisted Threat Detection and Mitigation High throughput and reliable DDOS threat detection and mitigation. Network Virtualization Attack on one customer does not impact other customers. Flexible and business priority aligned. Achieves optimal TCO for customers Automatic traffic baseline model building Requires almost no end user intervention and achieves more accurate threat detection through multi-layer profiling Easy to Deploy Very little human intervention is required No network topology or configuration change is needed. Microfine Granularity Monitor and report traffic granularly at layer 3, 4 and 7. Real- time and historic attacking traffic analysis. Comprehensive reports for top attacks, top sources and top attackers Virtual Network Partitions FortiDDoS supports up to 8 discretely managed servers, subnets or networks into different policy domains using IP addresses/masks providing a second level of granular protection to your network. This feature is not only beneficial in supporting multiple layers of defense but also is a cost containment and administration-friendly feature for organizations that have multiple business entities to protect, and that need unique policies for each. Virtual instances can also be effectively used in defense escalation. Rather than have a single set of policies, multiple sets can be defined in advance, such that the organization can apply a more stringent set of policies if the preceding policies were inadequate.
  • 10. A Primer for Distributed Denial of Service PAGE 10 Ease of Deployments Because much of the complexities are handled by the ASIC hardware, and good baseline traffic models are built automatically through the continuous learning process, very little human intervention is required and best of all - no network topology or configuration change is needed. Microfine Granularity and Accurate Detection FortiDDoS offers microfine granularity on defining traffic patterns by using counters at different layers. Relying on its automatic ability on building a complex and detailed legitimate traffic model, FortiDDoS provides fast and accurate detection of sophisticated attacks that attempt to mimic legitimate traffic. Conclusion DDoS attacks are on the rise. The potential threats and volumes are increasing as more machines including mobile devices join the Internet. If you have a web property, the likelihood of your getting attacked is real. It is prudent to plan protection of the infrastructure rather than wait for the attacks to strike. For more details on DDOS or FortiDDoS, please visit us at http://www.fortinet.com.