Inline DDoS Protection versus Scrubbing Center Solutions. Solution Brief


Contents

1 Scrubbing Center vs. Inline DDoS Inspection and Mitigation ... 1
2 Scrubbing Center ... 2
2.1 Scrubbing Center Architecture ... 2
2.2 Scrubbing Center Advantages ... 2
2.2.1 Minimal hardware footprint: Lower capex ... 2
2.2.2 Cloud Service Option ... 3
2.3 Scrubbing Center Disadvantages ... 3
2.3.1 User Experience Degradation During DDoS Attacks ... 3
2.3.2 Incomplete Detection ... 3
2.3.3 Relatively Slow Mitigation Due to Diversion Requirements ... 3
2.3.4 No Visibility to Outbound DDoS ... 4
3 Inline DDoS Protection ... 5
3.1 Advantages of Inline DDoS Mitigation ... 5
3.1.1 Rapid Response Time ... 5
3.1.2 Accuracy ... 5
3.1.3 Ability to Stop Reflection Attacks ... 5
3.1.4 Better TCP Anti Spoofing ... 6
3.1.5 Accurate Calibration of Normal Traffic ... 6
3.2 Disadvantages of Inline DDoS Mitigation ... 7
3.2.1 More Hardware Intensive ... 7
3.2.2 No Cloud-Service Option ... 7
4 Allot DDoS Secure ... 8
4.1 Advanced Detection and Mitigation Technology ... 8
4.2 Efficient DDoS Protection Architecture ... 9
5 Summary ... 11
5.1 Scrubbing Center ... 11
5.1.1 Advantages ... 11
5.1.2 Disadvantages ... 11
5.2 Inline Mode ... 11
5.2.1 Advantages ... 11
5.2.2 Disadvantages ... 11

2018 Allot Communications Ltd. All rights reserved. Allot Communications, Sigma, NetEnforcer and the Allot logo are trademarks of Allot Communications. All other brand or product names are the trademarks of their respective holders. The information in this document is for reference purposes only and constitutes neither an offer, a commitment nor an acceptance. Allot may change the information at any time without notice.

1 Scrubbing Center vs. Inline DDoS Inspection and Mitigation

There are two main architectural approaches to protecting your network from Distributed Denial of Service (DDoS) attacks: mitigation by diverting traffic to a cloud scrubbing center, or mitigation inline where the attack is occurring. This document elaborates on these architectures and their advantages and disadvantages.

With scrubbing center mitigation, once a flooding attack is detected, all traffic is redirected to a cloud scrubbing center, where further inspection and mitigation take place. Attack packets are blocked (i.e., "scrubbed") and legitimate traffic is allowed to proceed to its original destination.

With inline mitigation, flooding attacks are both detected and surgically mitigated on the spot, right in the data path where the attack is coming into the network. This is the method used by Allot's DDoS protection solution, Allot DDoS Secure, which enables service provider and enterprise networks to establish a very effective first line of defense against inbound DDoS attacks. From its inline vantage point, Allot DDoS Secure also detects outbound attacks that originate from within networks, including outbound port-scanning, flooding and IoT botnets.

1 2018 Allot Communications Ltd. All Rights Reserved

2 Scrubbing Center

Scrubbing center solutions are also referred to as Redirection, Diversion, and NetFlow-based mitigation.

2.1 Scrubbing Center Architecture

In scrubbing center mode, the traffic is redirected by the DDoS identification system. When the system suspects an attack, all the traffic is re-routed to a cloud scrubbing center. In the scrubbing center the traffic is further inspected and DDoS packets are blocked, while "clean" traffic is routed back to its original destination.

Scrubbing center solutions can only monitor inbound traffic. Outbound traffic is not monitored. This represents a problem for enterprises and service providers, who need to ensure that they themselves are not an unwitting source of volumetric attacks.

Figure 1: Scrubbing Center Architecture Schematic

2.2 Scrubbing Center Advantages

2.2.1 Minimal hardware footprint: Lower capex

Scrubbing center solutions are based on NetFlow and rely on traffic sampling. They do not inspect all the traffic. Hence, the hardware footprint of the probes can be smaller and less expensive than that of a solution that inspects all traffic. Traffic is only diverted to the scrubbing center when there is a suspected DDoS attack.

2.2.2 Cloud Service Option

In scrubbing center solutions, you have the option to use third-party services for cleaning the traffic, usually provided by a cloud-based service provider. Cloud-based services are highly scalable and flexible. However, you need to factor in the ongoing operating expenses (opex) for the cloud-based service provider, which will vary according to the number and volume of DDoS attacks your organization experiences.

2.3 Scrubbing Center Disadvantages

2.3.1 User Experience Degradation During DDoS Attacks

A major disadvantage of redirection to a cloud scrubbing center is the throughput degradation it causes to existing legitimate connections, because the solution diverts all traffic during an attack. When the traffic on an existing TCP connection is rerouted/diverted, there is a much greater chance of generating packet loss and jitter. This adversely affects the user experience, especially in applications like VoIP and streaming video. Moreover, scrubbing devices are often unable to differentiate between an existing connection and bad traffic, and will block them both. Legitimate clients are then forced to reconnect, further degrading the user experience.

2.3.2 Incomplete Detection

Because they only sample the traffic and do not inspect all of it, diversion-based mitigation solutions cannot provide 100% effective attack detection. In addition, NetFlow is not able to detect low-rate application-based attacks.

2.3.3 Relatively Slow Mitigation Due to Diversion Requirements

Diversion-based protection requires network routers to publish and propagate new routes (BGP/OSPF etc.) in order to redirect all traffic to the scrubbing center. NetFlow-based detection is slow: NetFlow propagation takes 2-3 minutes. When we consider the damage a flooding attack can do, that's a long time. For many new-wave "hit and run" attacks, this level of delay is unacceptable.

2.3.4 No Visibility to Outbound DDoS

Enterprises and service providers are under pressure to detect and block DDoS attacks emanating from within their networks. This can be done only with inline solutions.

Note: If a scrubbing center solution is already in use, this and other disadvantages can be alleviated by using it in conjunction with an inline solution.

3 Inline DDoS Protection

Allot DDoS Secure provides anti-DDoS, anti-botnet and outbound spam protection that is deployed inline, enabling attack detection and surgical mitigation on the spot, without diverting huge volumes of legitimate traffic and introducing delays.

Figure 2: Inline DDoS Protection is provided by Allot DDoS Secure, which is just one of the fully integrated services in Allot's multiservice platform, Allot Service Gateway

3.1 Advantages of Inline DDoS Mitigation

3.1.1 Rapid Response Time

Allot's inline DDoS protection inspects all the traffic in real time and is able to identify, analyze and mitigate within seconds (instead of minutes, which is the case with NetFlow).

3.1.2 Accuracy

Allot's inline DDoS protection inspects outbound traffic as well as inbound traffic, enabling correlation of traffic flows to improve accuracy and to reduce the incidence of false positive or false negative identifications.

3.1.3 Ability to Stop Reflection Attacks

In a reflection attack, infected devices send a considerable number of requests to open DNS/NTP/SSDP servers while spoofing the source IP of the requests to be the IP of the victim, causing all the responses to be sent to the attacked IP. Typically, the responses far outnumber the requests, creating an amplification effect that magnifies the size of the attack by a factor of 100.

Filtering reflection attacks is an enormous challenge for scrubbing centers because they see only inbound traffic and are blind to outbound traffic. As a result, they are unable to determine whether the replies are actually responses to outbound requests that were sent by the victim. In comparison, Allot inline DDoS protection inspects both inbound and outbound traffic and can easily filter reflection attacks without false positives. From its vantage point in the network, the inline system sees all outbound traffic in general, and can identify DNS/NTP/SSDP requests in particular.

3.1.4 Better TCP Anti Spoofing

SYN cookies are the method used by firewalls and other inline devices to filter spoofed TCP traffic, and SYN floods in particular. With SYN cookie technology, the server sends a SYN+ACK response to the client, but discards the SYN queue entry. If the server then receives a subsequent ACK response from the client, it is a "real" request and the server is able to reconstruct the SYN queue entry. This method is supported when using an inline solution.

In contrast, unidirectional scrubbing devices are not able to implement SYN cookies because they cannot "proxy" the TCP connection nor update the TCP sequence numbers for the entire life of the connection. As a result, other anti-spoofing techniques such as RST, HTTP redirect and out-of-sequence ACK were developed specifically for unidirectional scrubbing solutions. However, all of these are highly susceptible to false positives:

- RST requires the client to reconnect automatically after the connection has been reset by the scrubber, which is not the case for many applications
- HTTP redirect works only for HTTP traffic, and not even HTTPS
- Out-of-sequence ACKs are often blocked by stateful inspection firewalls

3.1.5 Accurate Calibration of Normal Traffic

Detecting DDoS attacks and attackers is based on comparing inbound traffic patterns to what is considered to be "normal behavior". Normal behavior is site/IP/application specific, and requires precise calibration to avoid false negative/positive identifications. The ability to inspect both inbound and outbound flows enables accurate calibration of normal traffic patterns. Allot's inline DDoS protection solution constantly monitors and learns inbound and outbound traffic behaviors and continuously updates the normal calibration according to the quantitative and qualitative changes detected.
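The correlation described in 3.1.3 above, as an added example that is not part of the original brief: a monitor that sees both directions records outbound DNS/NTP/SSDP requests and classifies inbound replies that match none of them as reflected traffic aimed at a victim. The packet model, ports, matching window and the constructed trace are this example's own assumptions.

```python
# Added example (not Allot's code): an inline monitor that sees both directions
# can correlate inbound DNS/NTP/SSDP replies with the outbound requests that
# solicited them; replies with no matching request are reflected attack traffic.
# The packet model, ports and thresholds are this example's own simplifications.
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    direction: str   # "out" = leaving the protected network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    size: int        # bytes on the wire

class ReflectionMonitor:
    """Remember outbound requests to reflector ports; an inbound reply that
    matches no request within `window` seconds is unsolicited."""
    def __init__(self, window=2.0):
        self.window = window
        self.pending = {}                          # (client, cport, server, svc) -> ts
        self.unsolicited_pkts = defaultdict(int)   # victim IP -> packets
        self.unsolicited_bytes = defaultdict(int)  # victim IP -> bytes
        self.solicited_pkts = 0

    def observe(self, p):
        if p.direction == "out" and p.dport in REFLECTOR_PORTS:
            self.pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
            return "request"
        if p.direction == "in" and p.sport in REFLECTOR_PORTS:
            key = (p.dst, p.dport, p.src, p.sport)   # mirror of the request tuple
            ts = self.pending.get(key)
            if ts is not None and p.ts - ts <= self.window:
                del self.pending[key]               # one reply per request
                self.solicited_pkts += 1
                return "reply"
            self.unsolicited_pkts[p.dst] += 1
            self.unsolicited_bytes[p.dst] += p.size
            return "reflected"
        return "other"

    def victims(self, min_pkts=3):
        """Hosts receiving at least `min_pkts` unsolicited replies, with byte totals."""
        return {v: self.unsolicited_bytes[v]
                for v, n in self.unsolicited_pkts.items() if n >= min_pkts}

def run_demo():
    """Constructed trace: one real DNS query/answer, then five NTP replies
    aimed at 10.0.0.9 that no inside host ever asked for."""
    m = ReflectionMonitor()
    trace = [Pkt(0.0, "out", "10.0.0.5", 40001, "198.51.100.1", 53, 60),
             Pkt(0.1, "in", "198.51.100.1", 53, "10.0.0.5", 40001, 120)]
    trace += [Pkt(1.0 + i * 0.01, "in", f"203.0.113.{i + 1}", 123,
                  "10.0.0.9", 40100 + i, 482) for i in range(5)]
    verdicts = [m.observe(p) for p in trace]
    return verdicts, m.victims()
```

A scrubbing probe that only sees the inbound half has no `pending` table to consult, which is the gap the section describes.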
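The SYN-cookie mechanism described in 3.1.4, as an added example that is not part of the original brief: the cookie is encoded into the ISN of the SYN+ACK, so a device that also sees the returning ACK can verify it without having kept a SYN queue entry. The bit layout, MSS table, HMAC-based hash and the constructed handshake are this example's own choices.

```python
# Added example (not Allot's code): a simplified SYN-cookie encoder/validator.
# The ISN layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash),
# the MSS table and the secret are this example's own choices, loosely
# modelled on the classic scheme; a real stack also handles TCP options.
import hashlib
import hmac
import secrets
import socket
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values recoverable from the index bits
SECRET = secrets.token_bytes(32)      # per-device secret; rotate in production

def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, counter & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, dst, sport, dport, client_mss, counter):
    """ISN to send in our SYN+ACK; nothing is stored per half-open connection."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):       # largest table value <= client MSS
        if mss <= client_mss:
            mss_idx = i
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, counter)

def check_cookie(src, dst, sport, dport, ack, now_counter, max_age=1):
    """Validate the handshake-completing ACK. Returns the recovered MSS if the
    ACK echoes a cookie we issued within `max_age` counter ticks, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        c = now_counter - age
        if (c & 0x1F) != counter_bits:
            continue
        if (cookie & 0xFFFFFF) == _mac24(src, dst, sport, dport, c):
            return MSS_TABLE[mss_idx]
    return None                                # spoofed, forged or stale

def handshake_demo():
    """Constructed exchange on server 198.51.100.7:443 with counter value 7:
    a real client's ACK is accepted (also one tick later), a forged ACK from a
    different source fails, and an ACK two ticks old is rejected as stale."""
    srv, c = "198.51.100.7", 7
    isn = make_cookie("192.0.2.10", srv, 51000, 443, 1460, c)
    good = check_cookie("192.0.2.10", srv, 51000, 443, isn + 1, c)
    late = check_cookie("192.0.2.10", srv, 51000, 443, isn + 1, c + 1)
    forged = check_cookie("192.0.2.99", srv, 51000, 443, isn + 1, c)
    stale = check_cookie("192.0.2.10", srv, 51000, 443, isn + 1, c + 2)
    return good, late, forged, stale
```

A unidirectional scrubber never sees the ACK that `check_cookie` needs, which is why the section says it must fall back to RST, redirect or out-of-sequence ACK tricks.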

Scrubbing centers do not inspect outbound traffic and therefore cannot achieve the same level of calibration accuracy.

3.2 Disadvantages of Inline DDoS Mitigation

3.2.1 More Hardware Intensive

Since the inline DDoS protection solution monitors all traffic and performs mitigation at the point of detection, it requires carrier-grade capacity, throughput, reliability, and scalability. Therefore, it requires a bigger up-front capital expense to deploy in your network infrastructure than scrubbing center solutions, especially cloud-based scrubbers.

3.2.2 No Cloud-Service Option

While the inline DDoS protection solution provides no cloud-based option, it is compatible with cloud scrubbing centers. You can seamlessly migrate from existing cloud-based scrubbing services while using both simultaneously.

4 Allot DDoS Secure

Allot DDoS Secure provides fast and accurate DDoS protection by offering:

- Fully integrated system embedded in Allot inline, multiservice platforms
- Ability to inspect both inbound and outbound traffic for anomalous behavior
- Dynamic attack detection and surgical mitigation within seconds
- No service interruption or resource downtime
- Proven technologies: NBAD (Network Behavior Anomaly Detection) and HBAD (Host Behavior Anomaly Detection)
- Asymmetric traffic monitoring
- Zero-day attack resilient: quick response, no user action required
- Real-time alerts and threat analytics with customizable view
- Scalable to 500 Gbps in a single platform and 4 Tbps in a clustered platform node
- Carrier-grade high availability with no single point of failure

4.1 Advanced Detection and Mitigation Technology

Allot's patented NBAD technology (Network Behavior Anomaly Detection) identifies DDoS and other network flooding events by the anomalies they cause in the normally time-invariant behavior of network ratios, i.e., combinations of Layer 3 and 4 packet rate statistics. Packet filtering rules are obtained dynamically by searching deep into the captured DDoS packets for unique repeating patterns in each event. Surgical filtering accuracy is often achieved using the patterns detected in the Layer 3 and 4 headers and the Layer 7 payload.
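The ratio-based anomaly detection of section 4.1 and the continuous calibration of normal traffic described in 3.1.5, as one added example that is not part of the original brief or of Allot's NBAD implementation: per-interval inbound and outbound packet counters are turned into ratios, a baseline for each ratio is learned from clean intervals, and a SYN flood is flagged by the ratios it distorts. The counter names, the ratios, the threshold and the sample data are this example's own constructions.

```python
# Added example (not Allot's code): ratio-based network behaviour anomaly
# detection over per-interval Layer 3/4 packet counters from both directions.
# An exponentially weighted baseline is learned from clean intervals only, so
# an attack cannot recalibrate "normal". All names, thresholds and data are
# this example's own constructions.
import math
import random

RATIOS = {   # name: (numerator counter, denominator counter)
    "syn_in/synack_out": ("syn_in", "synack_out"),  # ~1 normally, >>1 in a SYN flood
    "udp_in/udp_out": ("udp_in", "udp_out"),        # one-sided UDP: reflection/flood
    "pkts_in/pkts_out": ("pkts_in", "pkts_out"),    # overall directional balance
}

class RatioBaseline:
    """Exponentially weighted mean and variance of a single ratio."""
    def __init__(self, alpha=0.1, warmup=5):
        self.alpha, self.warmup = alpha, warmup
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def zscore(self, x):
        if self.n < self.warmup:                 # still calibrating
            return 0.0
        sd = max(math.sqrt(self.var), 0.05 * abs(self.mean), 1e-6)  # noise floor
        return (x - self.mean) / sd

    def update(self, x):
        d = x - self.mean if self.n else 0.0
        self.mean = x if self.n == 0 else self.mean + self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1

class NBAD:
    def __init__(self, z_threshold=6.0):
        self.z = z_threshold
        self.baselines = {name: RatioBaseline() for name in RATIOS}

    def evaluate(self, counters):
        """Return the ratios that deviate from baseline in this interval; the
        baseline learns only from intervals that raised no anomaly."""
        values = {n: counters[num] / max(counters[den], 1)
                  for n, (num, den) in RATIOS.items()}
        flagged = [n for n, v in values.items()
                   if abs(self.baselines[n].zscore(v)) > self.z]
        if not flagged:
            for n, v in values.items():
                self.baselines[n].update(v)
        return flagged

def demo():
    """Constructed counters: 20 clean one-minute intervals with +/-3% jitter,
    then one interval carrying an inbound SYN flood."""
    rng = random.Random(7)
    jitter = lambda: rng.uniform(0.97, 1.03)
    det, clean = NBAD(), []
    for _ in range(20):
        syn_in = 1000 * jitter()
        clean.append(det.evaluate({
            "syn_in": syn_in, "synack_out": 0.97 * syn_in * jitter(),
            "udp_in": 2000 * jitter(), "udp_out": 1800 * jitter(),
            "pkts_in": 50000 * jitter(), "pkts_out": 45000 * jitter()}))
    flood = {"syn_in": 200000, "synack_out": 5000, "udp_in": 2000,
             "udp_out": 1800, "pkts_in": 250000, "pkts_out": 50000}
    return clean, det.evaluate(flood), det.baselines["syn_in/synack_out"].mean
```

The `synack_out` and `udp_out` counters are only available to a device that sees outbound traffic; without them the SYN and UDP ratios degrade to raw inbound rates, which is the calibration gap the brief attributes to scrubbing centers.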

Figure 3: Network Behavior Anomaly Detection technology

4.2 Efficient DDoS Protection Architecture

Allot DDoS Secure is a fully integrated service in Allot Service Gateway, the leading multiservice platform in the industry, which is deployed inline at critical network core and edge junctures. From these vantage points, Allot monitors and inspects all the traffic on the network at line speed and without introducing any delay. When attack behavior is detected, Allot NBAD technology creates attack pattern signatures in 20-50 seconds, notifies you of the attack via email, syslog, and SNMP trap (v2c), and immediately begins surgical mitigation. The inline deployment of Allot DDoS protection solutions means that flooding attacks are stopped on the spot at the edge of your network, without having to divert huge volumes of traffic to cloud scrubbing centers.

Figure 4: Allot DDoS Secure provides real-time DDoS Protection and Bot Containment for both inbound and outbound traffic

5 Summary

This paper describes the architecture, advantages, and disadvantages of both modes of DDoS identification and mitigation:

- Inline
- Scrubbing Center

5.1 Scrubbing Center

Scrubbing center solutions have gaps in DDoS detection, and their mitigation is relatively slow, but the solution may be more cost effective in some use cases.

5.1.1 Advantages

- Minimal hardware footprint
- Cloud service option

5.1.2 Disadvantages

- User experience degradation during DDoS attacks
- Incomplete detection
- Relatively slow mitigation due to diversion requirements
- No visibility of outbound DDoS

5.2 Inline Mode

Inline DDoS protection inspects every packet and therefore provides more accurate anomaly detection and faster mitigation, albeit with a higher capital outlay for the inline hardware.

5.2.1 Advantages

- Accurate and comprehensive detection
- Surgical mitigation in seconds
- Ability to stop reflection attacks
- Better TCP anti-spoofing
- Accurate calibration of normal traffic behavior

5.2.2 Disadvantages

- More hardware intensive
- No cloud service option

P/N Dxxxxxx Rev.1
www.allot.com
sales@allot.com
Americas: 300 TradeCenter, Suite 4680, Woburn, MA 01801 USA - Tel: +1 781-939-9300; Fax: +1 781-939-9393; Toll free: +1 877-255-6826
Europe: NCI Les Centres d'affaires Village d'entreprises, 'Green Side' 400 Avenue Roumanille, BP309 06906 Sophia Antipolis, Cedex France - Tel: +33 (0) 4-93-001160; Fax: +33 (0) 4-93-001165
Asia Pacific: 25 Tai Seng Avenue, #03-03, Scorpio East Building, Singapore 534104 - Tel: +65 6749-0213; Fax: +65 6848-1015
Japan: 4-2-3-301 Kanda Surugadai, Chiyoda-ku, Tokyo 101-0062 - Tel: +81 (3) 5297 7668; Fax: +81 (3) 5297 7669
Middle East & Africa: 22 Hanagar Street, Industrial Zone B, Hod Hasharon, 4501317 Israel - Tel: 972 (9) 761-9200; Fax: 972 (9) 744-3626