Distributed Denial Of Service Security

Distributed Denial of Service (DDoS) attacks are a real and growing threat to businesses worldwide. Designed to elude detection by today’s most popular tools, these attacks can quickly incapacitate a targeted business, costing victims thousands, if not millions, of dollars in lost revenue and productivity. By adopting new purpose-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep their operations running smoothly. Distributed Denial of Service attacks are weapons of mass disruption. Unlike access attacks that penetrate security perimeters to steal information, DDoS attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, firewalls, etc.) with bogus traffic. Distributed Denial of Service is emerging as the weapon of choice for hackers, political “hacktivists,” cyber-extortionists, and international cyber-terrorists. Easily launched against limited defenses, DDoS attacks not only target individual websites or other servers at the edge of the network; they subdue the network itself.

Attacks have begun to explicitly target the network infrastructure, such as aggregation or core routers and switches, or Domain Name System (DNS) servers in a provider’s network. In October 2002, a harbinger of future large-scale attacks was a crude DDoS attack that affected 8 of the 13 root DNS servers, critical systems serving as the roadmap for virtually all Internet communications. The growing dependence on the Internet makes the impact of successful Distributed Denial of Service attacks — financial and otherwise — increasingly painful for service providers, enterprises, and government agencies. And newer, more powerful DDoS tools promise to unleash even more destructive attacks in the months and years to come. Because DDoS attacks are among the most difficult to defend against, responding to them appropriately and effectively poses a tremendous challenge for all Internet-dependent organizations. Network devices and traditional perimeter security technologies such as firewalls and intrusion detection systems (IDSs).

Distributed Denial of Service Security Threat

A DDoS attack directs hundreds or even thousands of compromised “zombie” hosts against a single target. These zombie hosts are unwittingly recruited from the millions of unprotected computers accessing the Internet through high-bandwidth, “always-on” connections. By planting “sleeper” code on these machines, hackers can quickly build a legion of zombies, all waiting for the command to launch a DDoS attack. With enough zombie hosts participating, the volume of an attack can be astounding. The impact of a successful Distributed Denial of Service attack is widespread. Site performance is severely compromised, resulting in frustrated customers and other users. Service Level Agreements (SLAs) are violated, triggering costly service credits. Company reputations are tarnished, sometimes permanently. Lost revenue, lost productivity, increased IT expenses, litigation costs — the losses just keep mounting.

Inside Distributed Denial of Service Attacks

How do Distributed Denial of Service attacks work? By taking advantage of Internet protocols and the fundamental benefit of the Internet — delivering data packets from nearly any source to any destination, without prejudice. Essentially, it is the behavior of these packets that defines the Distributed Denial of Service attack — either there are too many, overwhelming network devices as well as servers, or they are deliberately incomplete so as to rapidly consume server resources. What makes Distributed Denial of Service attacks so difficult to prevent is that illegitimate packets are indistinguishable from legitimate packets, making detection difficult; the typical “signature” pattern matching performed by IDSs does not work. Many of these attacks also use spoofed source IP addresses, thereby eluding source identification by anomaly-based monitoring tools that look for unusually high volumes of traffic coming from specific origins.

  • Bandwidth attacks — these Distributed Denial of Service attacks consume resources such as network bandwidth or equipment by overwhelming one or the other (or both) with a high volume of packets. Targeted routers, servers, and firewalls, all of which have limited processing resources, can be rendered unable to process valid transactions, and can fail under the load. The most common form of bandwidth attack is a packet flooding attack, in which a large number of seemingly legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed to a specific destination. To make detection even more difficult, such attacks might also spoof the source address — that is, misrepresent the IP address that supposedly generated the request — to prevent identification.
  • Application attacks — these DDoS attacks use the expected behavior of protocols such as TCP and HTTP to the attacker’s advantage, tying up computational resources and preventing them from processing transactions or requests.

Benefits

Distributed Denial of Service (DDoS) attacks attempt to deny legitimate users access to your systems or networks by overwhelming them with bogus requests. They target important resources, like network bandwidth, server sockets, web server threads, and CPU utilization. DDoS Mitigation helps maintain availability for your Managed Hosting services through a unique hardware-based protection system. It combines two powerful alerting technologies to identify an attack (network-level packet scanning and server-level anomaly detection) and then precisely eliminates DDoS traffic to mitigate its effects.

Keep your infrastructure resources focused on business workloads by offloading DDoS processing to our mitigation hardware. When our network security team is alerted to an ongoing or imminent DDoS attack, they immediately initiate mitigation measures and contact you. The service is backed by security specialists: during initial setup, a security engineer works with you to set up your DDoS solution. After that, our system continually tunes your server profiles for peak performance. If you ever have questions or need help, security specialists are available to provide support 24/7.

Cisco Guard XT

The Cisco solution provides complete protection against all types of DDoS attacks, even those that have never been seen before. Featuring active mitigation capabilities that rapidly detect attacks and separate malicious traffic from legitimate traffic, the Cisco solution delivers a rapid DDoS response that is measured in seconds, not hours. Easily deployed adjacent to critical routers and switches, the Cisco solution offers a scalable option that eliminates any single point of failure and does not impact the performance or reliability of the existing network components. The Cisco solution set includes two distinct components — the Cisco Traffic Anomaly Detector (TAD) XT and the Cisco Guard XT — that, working together, deliver complete DDoS protection for virtually any environment.

  • Cisco Traffic Anomaly Detector XT — Acting as an early warning system, the Cisco TAD XT provides in-depth analysis of the most complex DDoS attacks. The Cisco TAD XT passively monitors network traffic, looking for any deviation from "normal" or baseline behavior that indicates a DDoS attack. When an attack is identified, the Cisco TAD XT alerts the Cisco Guard XT, providing detailed reports as well as specific alerts to quickly react to the threat. For example, the Cisco TAD XT can observe that the rate of UDP packets from a single source IP is out of range, even if overall thresholds are not exceeded.
  • Cisco Guard XT — The Cisco Guard XT is the cornerstone of the Cisco DDoS solution set — a high-performance DDoS attack-mitigation device that is deployed upstream at either the ISP data center or at the perimeter of a large enterprise to protect both the network and data center resources.

Features

Managed DDoS protection services are a fully managed security service that helps organizations respond to the threat of DoS and DDoS attacks. The service staff augments adaptive rate controls to perform real-time analysis of ongoing attacks, tunes existing rules and creates custom rules as required, and adapts to changing attack vectors and multidimensional threats. DDoS protection services provide organizations with dynamic protection against a broad range of potential DoS and DDoS attack types, regardless of size and complexity, and even as they change over the course of an attack.

Managed DDoS protection security services provide organizations with a simple and effective solution to mitigate the growing threat of DoS and DDoS attacks. IAM will have real-time visibility into security events and the ability to drill down into attack alerts to learn what is being attacked, by whom, which defense capabilities the attack triggered, and what specifically in the requests triggered site defenses. Combining a scalable infrastructure with in-depth, 24/7 security operations centers, Managed DDoS protection services are able to defend against the most sophisticated attacks.

Juniper vSRX

The Juniper Networks SRX Series architecture is designed for optimal performance and has been battle tested in some of the largest service provider and enterprise customer environments around the world. Since their inception, the SRX Series firewalls were built from the ground up with true control and data plane separation; the control plane is responsible for the management and system services that operate the device while the forwarding plane is responsible for moving data traffic as efficiently as possible.

Clear separation of control and data planes protects SRX Series firewalls from direct attack and shields critical firewall management services from being affected when an attack is underway. The SRX Series security architecture scales by processing traffic early in the pipeline, preemptively mitigating a cyberattack before it affects legitimate traffic and management services. In the case of a DoS attack, the SRX Series firewalls employ two primary security methods to protect critical services: firewall filters and screens.

Non-Intrusive Protection

Get the robust, multi-layered protection needed to mitigate today's advanced DDoS attacks — without upgrades or changes to your architecture. The system works independently from your production infrastructure. Continuous monitoring compares current traffic to a custom profile of your server's "normal" network and port behavior. Anomalous behaviors immediately trigger an alert to our network security team.

Sophisticated detection technology, capable of handling tens of millions of packets per second, examines all incoming packets for patterns of malicious activity. When suspicious traffic is detected, your traffic is routed through a sanitation engine that filters out and diverts malicious traffic. All legitimate traffic continues to its intended destination.
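The baseline comparison described above, and the TAD XT observation earlier on this page that a single source's UDP rate can be out of range even when overall thresholds are not exceeded, come down to the same two checks: an aggregate packets-per-second limit per protocol and port, and a per-source limit within it. The following is an added illustration, not code from the page or from any vendor named on it; the baseline profile, IP addresses and rates are constructed values.

```python
from collections import Counter, defaultdict

# Constructed baseline profile (hypothetical values): "normal" packets per
# second for each (protocol, destination port) the server is expected to
# serve, plus the rate any single source normally stays under.
BASELINE = {
    ("udp", 53): {"aggregate_pps": 500, "per_source_pps": 20},
    ("tcp", 443): {"aggregate_pps": 2000, "per_source_pps": 100},
}

def analyze_window(packets, window_seconds, baseline=BASELINE):
    """Compare one observation window of (src_ip, proto, dst_port) tuples
    against the baseline and return a list of alert dicts."""
    alerts = []
    by_key = defaultdict(list)
    for src, proto, port in packets:
        by_key[(proto, port)].append(src)
    for key, srcs in by_key.items():
        agg = len(srcs) / window_seconds
        profile = baseline.get(key)
        if profile is None:
            # Traffic to a port outside the server's normal port behaviour.
            alerts.append({"kind": "unprofiled-port", "key": key, "pps": agg})
            continue
        if agg > profile["aggregate_pps"]:
            alerts.append({"kind": "aggregate-rate", "key": key, "pps": agg})
        # The per-source check fires even when the aggregate stays in range.
        for src, n in Counter(srcs).items():
            rate = n / window_seconds
            if rate > profile["per_source_pps"]:
                alerts.append({"kind": "per-source-rate", "key": key,
                               "src": src, "pps": rate})
    return alerts

def sample_window():
    """Constructed 10-second window: 40 resolvers send 5 UDP/53 packets
    each, one host sends 300 (30 pps, above its 20 pps limit), and the
    UDP/53 aggregate is only 50 pps, far below the 500 pps threshold."""
    pkts = []
    for i in range(40):
        pkts += [(f"192.0.2.{i + 1}", "udp", 53)] * 5
    pkts += [("198.51.100.7", "udp", 53)] * 300
    pkts += [("203.0.113.9", "tcp", 443)] * 50   # within both limits
    pkts += [("203.0.113.9", "tcp", 8080)] * 3   # port with no profile
    return pkts, 10

if __name__ == "__main__":
    for alert in analyze_window(*sample_window()):
        print(alert)
```

Real detectors sample flows rather than every packet and learn the baseline over time; the point here is only that the aggregate threshold alone would have stayed silent.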