SecurityDAM
Table of contents
Introduction ... 3
Why premise-based DDoS solutions are lacking ... 3
The problem with ISP-based DDoS solutions ... 4
On-demand cloud DDoS mitigation ... 4
SecurityDAM solution architecture ... 5
Attack Mitigation - Step by Step ... 6
SecurityDAM vs. traditional solutions ... 7
SecurityDAM On-demand Cloud-based DDoS Mitigation 3
Introduction
In recent years Distributed Denial of Service (DDoS) attacks have become a mainstream threat to businesses, governmental agencies and critical infrastructure worldwide. DDoS attacks have grown in complexity, volume and sophistication. 65 percent of IT security practitioners surveyed recently reported experiencing an average of three DDoS attacks in the past 12 months. i
With an average downtime of 54 minutes per attack and costs of as much as $100,000 per minute, one would expect organizations to have put preventative measures in place to protect their networks and business. However, this is far from being the case.
Many organizations still employ no DDoS protection at all. Others rely on ISP solutions or use on-premises equipment, which at best can deflect a single type of attack. Such solutions fail to provide adequate protection against multi-vector attacks, and their operators lack the expertise to handle new types of attacks. To ensure business continuity and provide solid DDoS protection, a different, multi-layer approach is needed.
Why premise-based DDoS solutions are lacking
Distributed Denial of Service attacks can be broadly categorized into two types:
Network (volumetric) attacks flood the victim with a high volume of packets or IP flows, consuming network equipment and bandwidth resources. Some examples include SYN floods (high packet-per-second attacks), large UDP packet floods (bandwidth attacks), and ICMP floods.
Application attacks, also known as “low and slow” attacks, target the application directly, exploiting implementation weaknesses and design flaws. Because the transactions originate from real IP addresses and machines, they look like legitimate requests. Some examples include HTTP GET or POST floods, DNS floods and SSL floods.
Typically, on-premises solutions are based on security systems such as firewalls. While such systems may have a DDoS mitigation feature, this does not constitute a true DDoS mitigation solution, since critical functionality is lacking. The primary shortcoming of on-premises solutions, however, is their inability to protect against volumetric attacks. Such attacks completely saturate the link to the organizational network, making it technically impossible to mitigate high-volume attacks from within the network.
Does Size Matter?
When evaluating DDoS attacks, a common misconception is that the bigger the attack, the more severe it is. However, smaller, less intensive attacks can still cause serious damage. For example, a much smaller HTTP flood at the application level may do more damage than a larger UDP flood on the network. What type and size of attack should an organization expect? Unfortunately there is no clear answer. DDoS attacks are so diverse in both type and size that it is impossible to make any kind of accurate prediction.
Another challenge is the ongoing investment required to keep up with the increasingly dynamic and polymorphic DDoS threats. In most cases an internal IT/security group cannot afford to invest the time and resources needed for developing the required expertise.
The problem with ISP-based DDoS solutions
While offering a convenient solution, stopping DDoS attacks at the ISP level has many drawbacks. First, there is the issue of traffic volume. Using an ‘always on’, shared solution approach, an ISP must handle the traffic of all its ‘protected’ customers. During a DDoS attack on a single customer, the same equipment must still handle the drastically increased traffic without affecting other customers. This results in a situation where the ISP simply “can't handle the attack.”
Needing to protect multiple customers while avoiding false positives, ISPs have been known to ‘soften’ their policies and make thresholds more lenient. Consequently, too much traffic may be passed through during attacks. An additional security hole relates to application-level attacks. ISPs have very limited capability to protect against such attacks, since from an ISP point of view harmful traffic looks identical to legitimate user traffic.
Specific DDoS expertise is another issue. ISPs usually rely on equipment vendors and lack the expertise required to respond quickly to new types of attacks and add new attack signatures. Finally, there is the cost consideration. If an organization is connected through several ISPs, DDoS protection services need to be purchased from each.
Mitigating multi-vector attacks therefore requires a layered defense approach with more than one security technology in place. It requires specific expertise that is developed and upgraded on an ongoing basis.
On-demand cloud DDoS mitigation
SecurityDAM takes a different approach. Using a two-tier defense architecture, our solution employs two protection layers: one placed at the customer’s site network perimeter, and the other located at the cloud level. The two DDoS protection layers support and complement each other, ensuring the early detection and mitigation of all attack types with minimum disruption to network and business operations.
The service is empowered by a dedicated, 24/7 DDoS emergency response team ready to tackle any attack, known or new.
SecurityDAM solution architecture
The SecurityDAM solution is composed of the following main components:
CPE (Customer-premises equipment) is a detection and signaling device placed at the edge of the customer’s data center. Constantly monitoring network traffic, the CPE learns the traffic patterns to establish a normal behavior baseline. It detects anomalies and DDoS attacks early on and alerts the SecurityDAM Operation Center (SDOC) to initiate the mitigation process. The device independently detects and mitigates ‘low and slow’ application-level attacks using a range of technologies such as Network Behavioral Analysis (NBA) and Deep Packet Inspection (DPI).
SecurityDAM Operation Center (SDOC) is a cloud-based scrubbing center, manned by an emergency response team to ensure the fastest analysis and resolution of new attack types. When the network is under a volumetric DDoS attack, traffic is redirected to the scrubbing center for attack mitigation. After filtering, clean traffic is passed back to its original destination. Attack data is collected and stored, enabling real-time monitoring and historical reporting.
SDCC (SecurityDAM Control Center) is a management platform providing configuration, provisioning and accounting functions and enabling real-time monitoring and analysis of traffic during attacks.
Customer’s Self-provisioning Portal is a web-based portal that provides real-time insight into events, attack characteristics, post-attack reports and statistics.
Attack Mitigation - Step by Step
During a DDoS attack, SecurityDAM employs its two-layered defense system and context-aware approach to optimize the response and return the network to its normal behavior as quickly as possible.
1- Detection & application attack prevention. The CPE at the customer’s network constantly monitors traffic and establishes a normal behavior baseline for the network. Deviations from this baseline are immediately flagged as DDoS attacks; ‘low and slow’ application-level attacks are blocked independently by the CPE device and reported to the Operation Center for tracking purposes.
Figure 2 - Employing a two-tier defense architecture provides maximum protection for both volumetric network attacks and application ‘low and slow’ attacks.
2- Traffic redirection. When the CPE detects a volumetric network flood that it cannot handle, it automatically alerts the SecurityDAM Operation Center (SDOC) by sending it the threat details. All network traffic is then diverted to the scrubbing center, a process which can either take place automatically, or following an analysis and joint decision by the SecurityDAM emergency response team and the customer. Traffic redirection is carried out via a BGP route announcement (for customers that operate their own autonomous system), or DNS redirection (for other networks).
An optional FastLane service enables granular DDoS mitigation so that during network attacks, traffic from pre-defined trusted sources is never blocked. Such traffic is routed to dedicated servers to ensure uninterrupted business continuity.
3- Traffic cleansing. Incoming traffic (including SSL flows if relevant) is scrubbed for illegitimate flows and packets. The process is analyzed by SecurityDAM security experts, who may also update security signatures if needed. Legitimate traffic is channeled back to the attacked site via a GRE tunnel.
4- Return to normal operation. Once security experts conclude that the attack has ended, traffic is diverted back directly to its normal routing and paths.
5- Reporting. Data collected throughout the process enables viewing statistics related to the attack type, duration and so on through the customer’s portal.
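The control loop behind the CPE description and the five steps above, written out as an added example (this is illustrative code, not SecurityDAM's own software). It models what the text describes: a baseline learned from quiet-period traffic counters, a deviation check, local blocking of application-level anomalies, a signal to the scrubbing center when a volumetric flood exceeds what the access link can absorb, the choice between BGP announcement and DNS redirection depending on whether the customer runs its own AS, a trusted-source (FastLane-style) allowlist during scrubbing, and withdrawal of the diversion once traffic returns to baseline. The threshold of four standard deviations, the per-source limit and every counter value are assumptions chosen for the example.

```python
"""Simulated two-tier DDoS mitigation control loop (added example).

Not SecurityDAM's code: it only mirrors the step-by-step description in
the text. Thresholds, sample counters and site parameters are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Baseline:
    """Normal-behaviour profile learned from per-interval traffic samples."""
    pps_mean: float
    pps_std: float
    req_mean: float
    req_std: float


def learn_baseline(samples):
    """samples: list of (packets_per_s, http_requests_per_s) from quiet periods."""
    pps = [s[0] for s in samples]
    req = [s[1] for s in samples]
    return Baseline(mean(pps), pstdev(pps), mean(req), pstdev(req))


@dataclass
class Site:
    name: str
    link_capacity_pps: float          # assumed rate the access link/CPE can absorb
    has_own_as: bool                  # decides BGP announcement vs DNS redirection
    trusted_sources: set = field(default_factory=set)  # FastLane-style allowlist
    diverted: bool = False            # True while traffic is routed via the scrubber


def classify(baseline, pps, req_per_s, k=4.0):
    """Flag an interval whose counters exceed baseline mean + k*std (k assumed)."""
    net_anom = pps > baseline.pps_mean + k * baseline.pps_std
    app_anom = req_per_s > baseline.req_mean + k * baseline.req_std
    if not (net_anom or app_anom):
        return "normal"
    # A packet-rate anomaly dominates: it is what threatens link saturation.
    return "volumetric" if net_anom else "application"


def decide(site, baseline, pps, req_per_s):
    """Return the action taken for one measurement interval (steps 1, 2 and 4)."""
    kind = classify(baseline, pps, req_per_s)
    if kind == "normal":
        if site.diverted:                 # step 4: attack over, restore normal routing
            site.diverted = False
            return "withdraw-diversion"
        return "pass"
    if kind == "application":             # step 1: low-and-slow handled by the CPE
        return "cpe-block"
    if pps <= site.link_capacity_pps:     # volumetric, but the link still has headroom
        return "cpe-rate-limit"
    site.diverted = True                  # step 2: signal the operation center, divert
    method = "bgp-announce" if site.has_own_as else "dns-redirect"
    return f"divert:{method}"


def scrub(flows, trusted, per_source_limit):
    """Step 3 at the scrubbing center: drop sources above per_source_limit pps
    unless they are on the trusted (FastLane) list. Returns (clean, dropped)."""
    clean, dropped = [], []
    for src, rate in flows:
        if src in trusted or rate <= per_source_limit:
            clean.append((src, rate))
        else:
            dropped.append(src)
    return clean, dropped


# Constructed sample data (RFC 5737 documentation addresses), not real measurements.
QUIET_SAMPLES = [(10_000, 200), (11_000, 210), (9_000, 190), (10_500, 205)]
ATTACK_FLOWS = [("198.51.100.7", 50), ("203.0.113.9", 900_000), ("192.0.2.5", 800_000)]

if __name__ == "__main__":
    base = learn_baseline(QUIET_SAMPLES)
    site = Site("example-dc", link_capacity_pps=1_000_000, has_own_as=True,
                trusted_sources={"192.0.2.5"})
    for pps, req in [(10_500, 210), (12_000, 5_000), (5_000_000, 200), (10_200, 200)]:
        print(pps, req, "->", decide(site, base, pps, req))
    print(scrub(ATTACK_FLOWS, site.trusted_sources, per_source_limit=1_000))
```

The deliberate simplification is in step 4: here the diversion is withdrawn as soon as one interval looks normal, whereas the text has security experts decide that the attack has ended. In practice a hold-down timer or a human confirmation belongs there, because an attacker who pauses briefly would otherwise trigger a flapping BGP announcement.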
SecurityDAM vs. traditional solutions
Network-level attacks
On-premises solutions: Solutions deployed within the organization’s perimeter cannot protect the Internet pipe from saturation, and therefore will fail.
ISP-based solutions: An ISP must be able to handle massive network attacks and keep the pipe open for multiple clients.
SecurityDAM: The cloud-based scrubbing center efficiently mitigates volumetric DDoS network attacks.
Application-level attacks
On-premises solutions: Standard security systems may fail to recognize application-level attacks.
ISP-based solutions: From an ISP point of view, harmful traffic looks identical to legitimate user traffic, preventing the identification of attacks.
SecurityDAM: The CPE device instantly identifies and deflects application-level attacks.
Cost
On-premises solutions: Capital investment required in dedicated DDoS mitigation equipment.
ISP-based solutions: High ongoing payments, without the assurance of adequate protection during an attack.
SecurityDAM: Managed service with zero up-front investment.
Coverage and response time to DDoS attacks
On-premises solutions: Long update cycles with no emergency mechanism to handle new attack types.
ISP-based solutions: Reliance on third-party equipment without the expertise for real-time deep analysis and updates.
SecurityDAM: 24/7 dedicated team of DDoS security experts, providing real-time response and dynamic updates during attacks, while using the most up-to-date mitigation equipment.
Ongoing DDoS protection
On-premises solutions: Continuous investment in resources and education is required to keep up with technology and DDoS attack advancements.
ISP-based solutions: An ISP’s core business is providing Internet connectivity; it cannot be expected to focus on DDoS innovations.
SecurityDAM: A dedicated security expert team 100% focused on DDoS attacks and always up-to-date with the latest developments in attacks and mitigation.
About SecurityDAM
SecurityDAM provides world-class MSSP cloud-based solutions mitigating Distributed Denial of Service (DDoS) attacks on enterprise networks. Founded by a team of security experts, SecurityDAM is a member of the RAD group. For more information, see www.securitydam.com.
i. Cyber Security on the Offense: A Study of IT Security Experts, Ponemon Institute and Radware, November 2012.