Distributed Denial of Service (DDoS) attacks are ever-evolving and use a variety of technologies. To successfully combat these attacks, you need a dynamic, multi-layered security solution. DDoS Network Security protects against both known and zero-day attacks with very low latency. It’s easy to deploy and manage, and includes comprehensive reporting and analysis tools. DDoS Network Security Protection includes 100% security processor (SPU)-based Layer-3, Layer-4, and Layer-7 DDoS Network Security protection; application-aware traffic management; behavior-based DDoS protection that eliminates the need for signature files; minimal false-positive detections through continuous threat evaluation; the ability to monitor hundreds of thousands of parameters simultaneously; defense against every DDoS attack: bulk volumetric, Layer-7 application, and SSL/HTTPS; and attack protection for DNS services via specialized tools.
DDoS attacks are some of the oldest Internet threats. Despite that, due to their simplicity and effectiveness, they continue to be a top risk for public services around the world. As protections have evolved, the technology used by hackers has adapted and become much more sophisticated. New attack types now target applications and services. Not only are bulk Layer-3 and Layer-4 DDoS events becoming more sophisticated, but they are often masked in apparently legitimate traffic or combined in unique new “zero-day” attacks, making them very difficult to detect. State-of-the-art technology must rely on Application Specific Integrated Circuits (ASICs), inline symmetric or asymmetric deployments, and a wide spectrum of analysis methods covering Layer-2 (Data-Link layer) through Layer-7 (Application layer) of the OSI model, and this must be done with high-performance, hardware-based architectures.
DDoS Network Security — Application Security
DDoS Network Security is a key component of our Application Security solution. Learn how it and other components deliver a complete, end-to-end solution to protect hosted applications from attack. Web applications and email systems have long been favorite targets of hackers because they have access to valuable information and they are relatively easy to exploit. A successful attack can result in a variety of devastating consequences including financial loss, damage to brand reputation, and loss of customer trust. Most organizations do not recover from a major security breach, making it absolutely critical to protect your users and customers from threats that target applications and email systems. Our Data Center Application Security solution consists of a robust and integrated set of products to protect against these attacks. We deliver a complete solution with the proven performance and security effectiveness to meet the increasing demands of today’s data centers.
SSL-Based Attacks use SSL-based encryption methods to hide the content of the attack packets. Additionally, the encryption methods employed often mean that far fewer resources are available, and so far fewer need to be exhausted. Most signature-based solutions require decryption of the traffic to perform matching against known attack profiles. With a behavioral system, these attacks are detected without decryption because they cause a change in behavior. This change can then be compared with normal behavior and an understanding of the resources available. When the relevant resources become threatened, DDoS Network Security responds to the attack with the correct mitigation. DNS-based attacks target root, TLD, authoritative and recursive DNS servers. Enterprises and carriers that host DNS servers are at risk from DDoS attacks that specifically target these resources by exploiting weaknesses in the way DNS servers handle requests and traffic.
Flexible Defense Mechanisms
Bulk Volumetric Attacks were the first DDoS attack types and continue to pose significant threats today. While ISPs may prevent simple attacks of this type, the attacks are increasingly used to mask more complex application-level attack methods. The easiest way to deal with these types of threats is to simply block all abnormal traffic until the attack stops. The FortiDDoS IP Reputation scoring system continues to let “good” traffic in while mitigating the Source IP addresses that are causing the problem. This process not only provides the protection you need, but also minimizes the chance that a “false positive” match halts good client traffic. Layer-7 Targeted Attacks are a fast-growing source of DDoS attacks. They attempt to exploit vulnerabilities within a service or within a server to exhaust its resources, rendering it unavailable. As these types of attacks require considerably less bandwidth to deny service, they are more difficult to detect and regularly pass from ISPs directly to your network.
DDoS Network Security
Distributed Denial of Service (DDoS) attacks attempt to deny legitimate users access to your systems or networks by overwhelming them with bogus requests. They target important resources, like network bandwidth, server sockets, web server threads, and CPU utilization. DDoS Mitigation helps maintain availability for your Managed Hosting services through a unique hardware-based protection system. It combines two powerful alerting technologies to identify an attack (network-level packet scanning and server-level anomaly detection) and then precisely eliminates DDoS traffic to mitigate its effects. Identify and filter hostile traffic 24/7 with layered protection built using multiple technologies for the most comprehensive protection.
Keep your infrastructure resources focused on business workloads by offloading DDoS processing to our mitigation hardware. When our network security team is alerted to an ongoing or imminent DDoS attack, they immediately initiate mitigation measures and contact you.
Backed by security specialists
During initial setup, a security engineer works with you to set up your DDoS solution. After that, our system continually tunes your server profiles for peak performance. If you ever have questions or need help, security specialists are available to provide support — 24/7.
The Cisco solution provides complete protection against all types of DDoS attacks, even those that have never been seen before. Featuring active mitigation capabilities that rapidly detect attacks and separate malicious traffic from legitimate traffic, the Cisco solution delivers a rapid DDoS response that is measured in seconds, not hours. Easily deployed adjacent to critical routers and switches, the Cisco solution offers a scalable option that eliminates any single points of failure and does not impact the performance or reliability of the existing network components. The Cisco solution set includes two distinct components — the Cisco Traffic Anomaly Detector (TAD) XT and the Cisco Guard XT — that, working together, deliver complete DDoS protection for virtually any environment.
- Cisco Traffic Anomaly Detector XT — Acting as an early warning system, the Cisco TAD XT provides in-depth analysis of the most complex DDoS attacks. The Cisco TAD XT passively monitors network traffic, looking for any deviation from "normal" or baseline behavior that indicates a DDoS attack. When an attack is identified, the Cisco TAD XT alerts the Cisco Guard XT, providing detailed reports as well as specific alerts to quickly react to the threat. For example, the Cisco TAD XT can observe that the rate of UDP packets from a single source IP is out of range, even if overall thresholds are not exceeded.
- Cisco Guard XT — The Cisco Guard XT is the cornerstone of the Cisco DDoS solution set — a high-performance DDoS attack-mitigation device that is deployed upstream at either the ISP data center or at the perimeter of a large enterprise to protect both the network and data center resources.
When the Cisco Guard XT is notified that a target is under attack (whether from a Cisco TAD XT or some other security-monitoring device such as an intrusion detector or firewall), traffic destined for the target is diverted to the Guard (or Guards) associated with the targeted device. The traffic is then subjected to a rigorous five-stage analysis and filtering process designed to remove all malicious traffic while allowing good packets to continue flowing uninterrupted. The Cisco Guard XT resides adjacent to a router or switch on a separate network interface, helping enable on-demand protection without impacting data traffic flow of other systems. Depending on its location, the Cisco Guard XT can concurrently protect multiple potential targets, including routers, Web servers, DNS servers, and LAN and WAN bandwidth.
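The per-source check described for the Traffic Anomaly Detector above (a single source's UDP rate out of range while overall thresholds are not exceeded) can be illustrated as follows. This is an added example, not Cisco's code; the thresholds, function names and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# All limits below are assumed values for illustration, not vendor defaults.
AGGREGATE_PPS_LIMIT = 50_000  # overall UDP packets/sec threshold
Z_LIMIT = 4.0                 # deviations above a source's own baseline
MIN_SIGMA = 5.0               # floor so very steady sources do not alert on noise
UNKNOWN_SRC_LIMIT = 500       # pps allowed from a source with no baseline

def learn_baseline(history):
    """history: list of intervals, each {src_ip: udp_pps}. Returns {src: (mean, sigma)}."""
    per_src = defaultdict(list)
    for interval in history:
        for src, pps in interval.items():
            per_src[src].append(pps)
    baseline = {}
    for src, samples in per_src.items():
        # Intervals in which the source sent nothing count as zero.
        samples = samples + [0] * (len(history) - len(samples))
        baseline[src] = (mean(samples), max(pstdev(samples), MIN_SIGMA))
    return baseline

def evaluate(interval, baseline):
    """Check one interval against the aggregate limit and each source's baseline."""
    total = sum(interval.values())
    alerts = []
    for src, pps in interval.items():
        if src in baseline:
            mu, sigma = baseline[src]
            if (pps - mu) / sigma > Z_LIMIT:
                alerts.append((src, pps, "above own baseline"))
        elif pps > UNKNOWN_SRC_LIMIT:
            alerts.append((src, pps, "no baseline, above default limit"))
    return {"aggregate_pps": total,
            "aggregate_exceeded": total > AGGREGATE_PPS_LIMIT,
            "per_source_alerts": sorted(alerts)}

# Constructed sample data (documentation address ranges), not real traffic.
HISTORY = [
    {"192.0.2.10": 100, "192.0.2.11": 210, "198.51.100.7": 40},
    {"192.0.2.10": 120, "192.0.2.11": 190, "198.51.100.7": 55},
    {"192.0.2.10": 110, "192.0.2.11": 200, "198.51.100.7": 45},
    {"192.0.2.10": 90, "192.0.2.11": 205, "198.51.100.7": 60},
]
CURRENT = {"192.0.2.10": 105, "192.0.2.11": 195,
           "198.51.100.7": 6000, "203.0.113.99": 900}

if __name__ == "__main__":
    print(evaluate(CURRENT, learn_baseline(HISTORY)))
```

In the sample interval the aggregate rate stays far below the overall limit, yet two sources are flagged: one far above its own learned baseline and one unknown source above the default limit.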
Managed DDoS protection services is a fully managed security service to help organizations respond to the threat of DoS and DDoS attacks. The service staff augments adaptive rate controls to perform real-time analysis of ongoing attacks, tune existing rules and create custom rules as required, and adapt to changing attack vectors and multidimensional threats. Managed DDoS protection services provides organizations with dynamic protection against a broad range of potential DoS and DDoS attack types, regardless of size and complexity, and even as they change over the course of an attack.
Managed DDoS protection security services provides organizations with a simple and effective solution to mitigate the growing threat of DoS and DDoS attacks. IAM will have real-time visibility into security events and the ability to drill down into attack alerts to learn what’s being attacked, by whom, what defense capabilities triggered the attack, and what specifically in the requests triggered site defenses. Combining a scalable infrastructure with in-depth, 24/7 security operations centers, Managed DDoS protection services are able to defend against the most sophisticated attacks.
The Juniper Networks SRX Series architecture is designed for optimal performance and has been battle tested in some of the largest service provider and enterprise customer environments around the world. Since their inception, the SRX Series firewalls were built from the ground up with true control and data plane separation; the control plane is responsible for the management and system services that operate the device while the forwarding plane is responsible for moving data traffic as efficiently as possible.
This clear separation of control and data planes protects SRX Series firewalls from direct attack and shields critical firewall management services from being affected when an attack is underway. The SRX Series security architecture scales by processing traffic early in the pipeline, preemptively mitigating a cyberattack before it affects legitimate traffic and management services. In the case of a DoS attack, the SRX Series firewalls employ two primary security methods to protect critical services: firewall filters and screens.
Get the robust, multi-layered protection needed to mitigate today's advanced DDoS attacks — without upgrades or changes to your architecture. The system works independently from your production infrastructure. Continuous monitoring compares current traffic to a custom profile of your server's "normal" network and port behavior. Anomalous behaviors immediately trigger an alert to our network security team.
Sophisticated detection technology, capable of handling tens of millions of packets per second, examines all incoming packets for patterns of malicious activity. When suspicious traffic is detected, your traffic is routed through a sanitation engine that filters out and diverts malicious traffic. All legitimate traffic continues to its intended destination.