Arbor Application Brief: The Growing Threat of Application-Layer DDoS Attacks. How Peakflow® SP can help Service Providers Protect Critical Carrier Services and Customers



  • About Arbor Networks

    Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

  • Table of Contents

    Introduction to Application-Layer DDoS Attacks ... 2
    Types of Common Application-Layer DDoS Attacks ... 3
    Why Application-Layer DDoS Attacks are on the Rise ... 5
    Business Impact of Application-Layer DDoS Attacks ... 6
    The Need for Intelligent DDoS Mitigation Systems (IDMS): Why Firewalls and IPS Devices Fall Short ... 7
    Using Peakflow SP and Peakflow SP TMS to Stop Application-Layer DDoS Attacks ... 9
    Introduction to Peakflow SP and TMS ... 9
    Peakflow SP TMS Deployment ... 10
    Three Real-World Scenarios: How Peakflow SP and TMS Block Common Application-Layer Attacks ... 11
    Stopping a DNS Attack ... 11
    Stopping an HTTP Attack ... 15
    Stopping a VoIP/SIP Attack ... 18
    Conclusion ... 18

  • Introduction to Application-Layer DDoS Attacks

    Distributed denial of service (DDoS) attacks have been wreaking havoc on Internet-based services for years. During this time, the size and frequency of these attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their victims' network infrastructure.

    Over the past few years, the size and frequency of DDoS attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their targets' network infrastructure. In fact, according to Arbor's sixth annual Worldwide Infrastructure Security Report, the largest-recorded DDoS attack has grown ten times in size from 2005 (10 Gbps) to 2010 (100 Gbps).

    To make matters worse, the report also highlights a growing new trend with DDoS attacks. Not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications (e.g., DNS, HTTP or VoIP) with smaller, more stealthy attacks.

    This trend shows no signs of changing; in fact, it may be getting worse. Recent research from Arbor Networks' sixth annual Worldwide Infrastructure Security Report¹ has shown that not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications with smaller, more targeted and stealthy attacks. This means that Internet Service Providers (ISPs) with critical services must now be prepared to protect themselves from two very different types of DDoS attacks: 1) Volumetric DDoS Attacks that strive to overwhelm network infrastructure and servers with high-bandwidth-consuming flood attacks; and 2) Application-Layer DDoS Attacks that attempt to target specific well-known applications such as Hypertext Transfer Protocol (HTTP), domain name system (DNS) or Voice over Internet Protocol (VoIP).

    When customer or internal services go down due to DDoS attacks, the impact is usually severe and affects the business in multiple ways. These include lost revenue and profit, lower productivity, higher costs due to penalties or breaches of service level agreement (SLA) contracts, and tarnished reputation or brand. Unfortunately, many security organizations are unsuccessfully relying on security products such as firewalls and intrusion protection systems (IPS) to protect themselves from DDoS attacks. However, not only are these security products not providing adequate protection from some DDoS attacks, they are at times the targets of DDoS attacks. The solution? An Intelligent DDoS Mitigation System (IDMS). Today's security operations teams can turn to Arbor Networks' IDMS, the powerful combination of the Peakflow SP solution (Peakflow SP) and Peakflow SP Threat Management System (Peakflow SP TMS or TMS), for comprehensive DDoS attack detection, reporting and, most importantly, mitigation.

    This application brief describes the growing threat of application-layer attacks and the financial impact these attacks are having on both ISPs and customers. The brief also outlines how Peakflow SP and TMS solutions can be used by service providers to detect and mitigate some common application-layer DDoS attacks.

    [Figure: Layer 7 DDoS Attacks. Application-layer attacks are on the rise, according to Arbor's sixth annual Worldwide Infrastructure Security Report. Bar chart of the share of survey respondents (0% to 90%) reporting attacks by application: HTTP, DNS, SMTP, HTTPS, SIP/VoIP and Other.]

    ¹ www.arbornetworks.com/report

  • In other words, ISPs and enterprises must now be prepared to protect themselves from two very different types of DDoS attacks:

    Volumetric DDoS Attacks: These attacks try to overwhelm the network infrastructure (e.g., routers, switches, etc.) with bandwidth-consuming assaults such as Internet Control Message Protocol (ICMP) or User Datagram Protocol (UDP) floods. Alternatively, they can attempt to overwhelm servers, load-balancers and firewalls by using Transmission Control Protocol (TCP) state exhaustion attacks such as TCP SYN floods and idle session attacks.

    Application-Layer DDoS Attacks: These attacks generally consume less bandwidth and are stealthier in nature when compared to volumetric attacks. However, they can have a similar impact on service as they target specific characteristics of well-known applications such as HTTP, DNS, VoIP or Simple Mail Transfer Protocol (SMTP).

    Some real-world examples:

    BlackEnergy is a family of Russian malware that specializes in DDoS attacks. It supports both volumetric and application-layer attacks. The tools for creating custom BlackEnergy botnets have become widely distributed and are regularly updated; this kit has been described as providing "DDoS for dummies." As a result, there has been a proliferation of DDoS attacks originating from various BlackEnergy-based botnets over the last few years.

    A more recent arrival to the DDoS scene is the Chinese malware dubbed YoYoDDoS. Like BlackEnergy, it also supports a variety of volumetric and application-layer attacks. The YoYoDDoS botnets have been quite prolific throughout 2010. Over a 10-week period of time (Q3/2010), Arbor Networks' Security and Engineering Research Team (ASERT) detected attacks against over 1,300 unique victim IP addresses, hosted in 17 different countries, all originating from YoYoDDoS botnets.²

    Types of Common Application-Layer DDoS Attacks

    Common application-layer attacks can be subdivided into four categories:

    Request-Flooding Attacks: These attacks send high rates of legitimate application-layer requests (e.g., HTTP GETs, DNS queries and SIP INVITEs) to a server in an attempt to overwhelm its session resources.

    Asymmetric Attacks: These send normal rates of high-workload requests. For example, a single request from a client generates a large amount of work for a Web server. The objective of these attacks is to consume large amounts of server resources such as CPU, memory or disk space in order to severely degrade the service or bring it completely down.

    Repeated One-Shot Attacks: These send a high-workload request across many TCP sessions. This is a stealthier means of executing request-flooding and asymmetric application-layer attacks, but the goal is still the same: to degrade or bring down the service.

    Application-Exploit Attacks: These deliberately target vulnerabilities in applications, causing a fault in a server's operating system or applications and allowing the attacker to gain control of the application, system or network. Examples include scripting vulnerabilities, buffer overflows, cookie poisoning, hidden-field manipulation, cross-site scripting and Structured Query Language (SQL) injection.

    ² Footnote and refer them over to the Anatomy of a DDoS white paper.

  • There are many different types of attacks per well-known application family. Some of these attack types are in the table below:

    Application Type / Attack / Description

    HTTP

    HTTP Malformed Attacks: These attacks send invalid HTTP packets to Web servers in order to consume or obfuscate server resources. The Zafi.B worm is an example of an attack using malformed HTTP GET requests.

    HTTP Request Attacks: These flood Web servers with different types of legitimate HTTP requests (e.g., HTTP GETs, POSTs, etc.) in an attempt to consume server resources.

    HTTP Idle Attacks: An attack that opens HTTP connections but then goes idle without actually sending a complete HTTP request. One particularly insidious variant of this attack is called slowloris and involves indefinitely dribbling out a small number of bytes per packet to keep the connection from timing out, but which never manages to complete the request.

    DNS

    DNS Query/Answer Malformed Packet, DNS Query-Length Buffer Overflow, DNS Query Buffer Overflow (Unknown Request/Response): These attacks send or receive invalid DNS packets that can cause DNS infrastructure to degrade or fail.

    Man-in-the-Middle, DNS Cache Poisoning Attacks: These attacks attempt to intercept DNS queries and place erroneous information within the DNS infrastructure.

    DNS Amplification Attacks: These are based on the simple premise that a small spoofed DNS request (e.g., 128 bytes) can generate a large DNS response (e.g., 1500 bytes) to an unsuspecting target.

    DNS Dictionary Attacks: This attack consists of generating a massive number of requests to a DNS server in order to extract information that approximates a full zone transfer. Basically, a large dictionary of words is used to exhaustively scan the name space of possible host names in the hope of hitting most of the DNS records in the victim server.

    VoIP

    SIP INVITE Flood Attacks: These attacks overwhelm the Session Initiation Protocol (SIP) registrar by sending bogus SIP INVITEs.

    SIP Call Setup Request Attacks: These send a high rate of SIP call setup requests to a SIP proxy server in an attempt to disable it.

    SIP Malformed Packet Attacks: These send invalid packets to SIP devices in an attempt to disable them.

    Real-Time Transport Protocol (RTP) Flood/Quality of Service (QoS) Attacks: These flood RTP media (used to transport the voice portion of a call) onto a network. Their objective is to impact the VoIP network as a whole.

    SMTP

    SMTP Error Denial of Service, Mailbox Denial of Service Attack (Excessive Email Size), SMTP Mail Flooding: These attacks attempt to overwhelm email servers.

    SMTP Buffer Overflow Attacks: Different SMTP commands can cause the SMTP server to crash or execute arbitrary byte-code that could lead to a system compromise.
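    The HTTP Idle row above describes connections that are opened and then fed a few bytes at a time so they never complete a request. The following is an added example, not part of the Arbor brief or the Peakflow product: a server-side check over constructed per-connection records that (a) applies an absolute deadline for completing the request header, which trickled bytes cannot reset, and (b) caps the number of incomplete connections any single source may hold. The deadline, the cap and all connection records are assumed values.

```python
"""Detecting HTTP idle (slowloris-style) connections from connection bookkeeping.

Added example, not part of the Arbor brief and not Peakflow code. It models the
per-connection records a front end or IDMS keeps and applies two checks: an
absolute deadline for completing the request header, and a cap on how many
incomplete connections one source may hold. Deadline, cap and records are
constructed values.
"""
from collections import Counter
from dataclasses import dataclass

HEADER_DEADLINE_S = 20.0     # total time allowed to finish the request header (assumed policy)
MAX_INCOMPLETE_PER_SRC = 5   # incomplete connections one source may hold open (assumed policy)


@dataclass
class Conn:
    src: str               # client address
    opened_at: float       # epoch seconds when the connection was accepted
    last_byte_at: float    # epoch seconds when the most recent byte arrived
    header_bytes: int      # request-header bytes received so far
    header_complete: bool  # True once the blank line ending the header arrived


def is_stalled(conn, now):
    """Header still incomplete after the deadline, measured from accept time.

    Measuring from opened_at rather than last_byte_at is the point: a client
    that dribbles one byte every few seconds resets an idle timer but cannot
    reset an absolute deadline.
    """
    return not conn.header_complete and (now - conn.opened_at) > HEADER_DEADLINE_S


def idle_only_stalled(conns, now, idle_s):
    """The weaker check, for contrast: incomplete and silent for idle_s seconds."""
    return [c for c in conns if not c.header_complete and (now - c.last_byte_at) > idle_s]


def evaluate(conns, now):
    """Return (connections past the header deadline, sources over the incomplete cap)."""
    stalled = [c for c in conns if is_stalled(c, now)]
    incomplete_per_src = Counter(c.src for c in conns if not c.header_complete)
    abusive = {src for src, n in incomplete_per_src.items() if n > MAX_INCOMPLETE_PER_SRC}
    return stalled, abusive


def sample_connections():
    """Constructed snapshot taken at t=60 s: two finished requests, one slow but
    recent client, and seven connections from one source that were opened at
    t=0 and have only trickled a few header bytes, the last of them at t=58."""
    conns = [
        Conn("10.0.0.5", 55.0, 55.2, 412, True),
        Conn("10.0.0.6", 57.0, 57.1, 380, True),
        Conn("10.0.0.7", 52.0, 58.5, 90, False),
    ]
    for i in range(7):
        conns.append(Conn("203.0.113.9", 0.0, 58.0, 40 + i, False))
    return conns


if __name__ == "__main__":
    stalled, abusive = evaluate(sample_connections(), now=60.0)
    print(f"{len(stalled)} connections past header deadline; abusive sources: {sorted(abusive)}")
    print(f"idle-only timer (5 s) would flag: {len(idle_only_stalled(sample_connections(), 60.0, 5.0))}")
```

    The idle_only_stalled function is included only for contrast: a timer that measures time since the last byte flags none of the seven trickling connections in the sample (their last byte arrived two seconds before the snapshot), while the absolute header deadline flags all of them and the per-source cap names the source.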

  • Why Application-Layer DDoS Attacks are on the Rise

    The rise in application-layer DDoS attacks is being spurred by the following trends:

    Bypass One Layer of Security: In most cases, the applications that attackers are trying to exploit or target are well known and must be allowed through perimeter security devices such as firewalls or IPS devices. For example, by default, firewalls allow HTTP or DNS traffic. IPS devices are not much different as they enforce security policy by inspecting packets for signatures of known threats. DDoS attacks take advantage of the fact that firewalls and IPS devices will pass legitimate traffic, thus eliminating one layer of security for the attacker.

    Follow the Money: Attackers see a major opportunity for extortion when applications are supporting high revenue-generating services. For example, an online gaming company is far more likely to pay an attacker to stop a DDoS attack that is costing millions per day in revenue than is an owner of a nonprofit Web site.

    More Bang for the Buck: Some attacks cause significantly more collateral damage than others. For example, a DNS attack that targets a single DNS service provider impacts not only that provider but all of its customers as well.

    [Figure: Application-layer attacks provide attackers good potential for extortion and high impact. Diagram of attack traffic and good traffic from an attacker's botnet crossing the Internet into a data center (firewall/IPS, load balancer) toward the targets, with impact ($) marked at the firewall/IPS, the load balancer and the targets.]

  • Business Impact of Application-Layer DDoS Attacks

    When customer or internal services are compromised due to DDoS attacks, the impact can be severe and have significant business consequences. The exact cost of downtime depends on the organization's reliance on its online services. When determining the cost of downtime, service providers must take into consideration at least the following:

    Loss of Revenue and Profit: This is arguably the largest cost and easiest-to-calculate measure of downtime. Its impact depends on the nature of the business. For example, if an online retailer that makes 40 percent of its revenue and 100 percent of its profit in the last two weeks of the year suffers an outage two days before Christmas, the financial impact can be devastating.

    Lower Productivity: When online services go down, the productivity of employees and/or businesses that utilize or rely on these services can be drastically reduced. One can see how costs can quickly add up when using a simple calculation such as: Cost of lost productivity = Number of employees using the application x Average hourly salary x Hours of downtime.

    Penalties: Some organizations may face financial penalties if they fail to meet certain availability requirements. For example, a company that provides a service that is part of a complex supply chain could face stiff penalties for any delays that it causes. Or a financial organization that is bound to a contractual obligation that requires transactions to be executed within a certain timeframe could face industry or even regulatory penalties, easily costing hundreds of thousands of dollars.

    Tarnished Reputation or Brand: News travels fast in today's age of information, especially when it comes to news regarding service outages or security breaches. This negative media coverage could have a major impact on an organization's reputation or brand. If customers lack confidence in a business's ability to protect their confidential data or maintain the availability of its services, they will surely seek alternatives, obviously costing the company an enormous amount of lost revenue and profit.

    The bottom line: Service providers and their customers are beginning to realize that the power to rapidly stop application-layer DDoS attacks that target Internet-facing services is imperative for business continuity and success.

    Unfortunately, many security operations teams rely on traditional security products such as firewalls and IPS devices for protection. But as this application brief details (in the following sections), these products are inadequate when it comes to DDoS attack protection. In fact, they could make matters worse. Fortunately, there are dedicated Intelligent DDoS Mitigation Systems (IDMS) such as the combination of Peakflow SP and Peakflow SP TMS that can protect businesses from both large-scale volumetric DDoS attacks and smaller, more pinpointed application-layer attacks. This document focuses specifically on the application-layer attack mitigation capabilities of the Peakflow SP and TMS solution.

  • The Need for Intelligent DDoS Mitigation Systems (IDMS): Why Firewalls and IPS Devices Fall Short

    There is no doubt that firewalls and IPS devices play a significant role in network and data-center security, but they have not been designed to stop DDoS attacks. In fact, firewalls and IPS devices are vulnerable to some specific types of DDoS attacks and have been the actual targets in some cases. And because of the in-line deployment model used by firewall and IPS products, when they do fail, the impact to the services they are trying to protect is severe.

    This section briefly describes why firewalls and IPS devices cannot be used to mitigate DDoS attacks successfully. For a more thorough explanation, please refer to the Arbor Networks white paper entitled "The Growing Need for Intelligent DDoS Mitigation Systems (IDMS): Why Existing Security Devices Fail to Meet the Need."³

    Firewalls are policy-enforcement points deployed at the network or data-center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a network as defined by ports, protocols and destinations. Unfortunately, most firewalls allow the exact protocols (e.g., HTTP) that attackers use for application-layer DDoS attacks, thus allowing the attacker to easily bypass what is in many cases the first and only line of defense for an organization.

    In order for stateful firewalls to work, they must maintain TCP state information for every connection flowing through them. Tracking state is one of the key workloads for any firewall, especially in busy data-center or Internet-facing environments. Add the fact that firewalls are in-line devices, and they have the potential to be single points of failure on the network. Attackers know this and routinely target firewalls with TCP state exhaustion attacks that degrade performance and ultimately deny access to the services these firewalls are meant to protect. With this type of DDoS attack, operators must implement DDoS protection upstream of the firewall (e.g., in the ISP's network or cloud before traffic reaches the network/data-center-edge firewall), since by the time the traffic reaches the firewall it is too late.

    IPS devices are also not designed or positioned to protect against DDoS attacks. Most are designed to inspect packets and remove known network-borne viruses and other malware through signature matching. But unfortunately, DDoS attack traffic will not normally match a signature-based threat. And like firewalls, IPS devices are also deployed in-line and suffer from the same state exhaustion problems, which make them another potential single point of failure at the network or service-access edge.

    Some firewall and IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. However, since firewalls and IPS devices conduct their detection on a per-session basis, they have a very myopic view of network traffic as they try to determine if a session is allowed. The very nature of a distributed denial of service (DDoS) attack means that the attack traffic comes from different sources or network segments. To successfully detect and stop a DDoS attack like this, a security solution must be able to consider the traffic on multiple sessions, links and routers across a network so that attack traffic can be mitigated as close to the sources as possible. This is especially important for large volumetric attacks, to prevent link saturation within the network.

    Firewalls and IPS products cannot protect organizations from all DDoS attacks. The industry best practice of layered defense should be applied to deal with DDoS attacks. In addition to traditional security products such as firewall, IPS and anti-virus devices, security organizations should also use an Intelligent DDoS Mitigation System (IDMS) that will detect and stop both volumetric and application-layer DDoS attacks. The table on the following page describes the key features that an IDMS solution should have to succeed.

    ³ www.arbornetworks.com/en/white-papers.html
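    The section above explains that stateful firewalls must keep a table entry for every connection and that attackers exploit this with TCP state exhaustion attacks such as SYN floods. The following added example (not from the brief, and not Arbor code) makes the argument concrete with two toy models: a bounded connection table that allocates an entry on every SYN, and a stateless SYN-cookie gate that allocates nothing until the client proves it received the SYN-ACK. Capacity, timeout, addresses and the MAC key are constructed values.

```python
"""Why a stateful perimeter device starves under a TCP SYN flood, and how a
stateless admission check avoids it.

Added example, not part of the Arbor brief. Both classes are toy models:
StatefulTable stands in for a firewall's connection table of bounded size;
SynCookieGate stands in for a stateless SYN-cookie responder that keeps no
entry until a client echoes a valid cookie. Capacities, timeouts, addresses
and the key are constructed values.
"""
import hashlib
import hmac


class StatefulTable:
    """Connection table with a hard capacity, as a stateful firewall has."""

    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout
        self.table = {}   # flow 4-tuple -> (state, expires_at)

    def _expire(self, now):
        for flow in [f for f, (_, exp) in self.table.items() if exp <= now]:
            del self.table[flow]

    def on_syn(self, flow, now):
        """Admit a SYN by allocating an entry; fail when the table is full."""
        self._expire(now)
        if flow in self.table:
            return True
        if len(self.table) >= self.capacity:
            return False          # no room: the SYN is dropped, whoever sent it
        self.table[flow] = ("SYN_RECEIVED", now + self.timeout)
        return True

    def on_ack(self, flow, now):
        if flow not in self.table:
            return False
        self.table[flow] = ("ESTABLISHED", float("inf"))
        return True


class SynCookieGate:
    """Stateless admission: the SYN-ACK carries a MAC over the flow and a time
    slot; an entry is created only when the ACK echoes a valid cookie."""

    def __init__(self, key, slot_seconds):
        self.key = key
        self.slot = slot_seconds
        self.established = {}

    def _cookie(self, flow, slot):
        msg = repr((flow, slot)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:4]

    def on_syn(self, flow, now):
        """No state allocated; return the cookie the client must echo back."""
        return self._cookie(flow, int(now) // self.slot)

    def on_ack(self, flow, cookie, now):
        slot = int(now) // self.slot
        for s in (slot, slot - 1):           # accept the current and the previous slot
            if hmac.compare_digest(self._cookie(flow, s), cookie):
                self.established[flow] = now
                return True
        return False


def simulate(capacity=1000, half_open_timeout=30, spoofed_syns=5000):
    """Flood both models with spoofed SYNs that never complete, then attempt a
    legitimate handshake. Returns which model let the legitimate client in."""
    server = ("192.0.2.10", 80)
    fw = StatefulTable(capacity, half_open_timeout)
    gate = SynCookieGate(b"constructed-demo-key", slot_seconds=60)

    for i in range(spoofed_syns):
        spoofed = (f"203.0.113.{i % 250}", 1024 + i, *server)   # never sends an ACK
        fw.on_syn(spoofed, now=0.0)
        gate.on_syn(spoofed, now=0.0)

    legit = ("198.51.100.7", 51000, *server)
    stateful_ok = fw.on_syn(legit, now=1.0) and fw.on_ack(legit, now=1.1)
    cookie = gate.on_syn(legit, now=1.0)
    cookie_ok = gate.on_ack(legit, cookie, now=1.1)

    # Once the half-open entries expire (flood stopped), the stateful table recovers.
    recovered = fw.on_syn(legit, now=half_open_timeout + 1.0)
    return {"stateful_under_flood": bool(stateful_ok),
            "syn_cookie_under_flood": cookie_ok,
            "stateful_after_flood_expires": recovered}


if __name__ == "__main__":
    print(simulate())
```

    With the defaults, the stateful table fills after the first 1,000 spoofed SYNs and rejects the legitimate client while the flood is in progress, whereas the cookie gate admits it because nothing was allocated for the spoofed SYNs; the stateful table only recovers once its half-open entries time out, which a sustained flood never allows.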

  • The fully integrated combination of Peakflow SP and Peakflow SP TMS is an Intelligent DDoS Mitigation System (IDMS) that provides comprehensive DDoS attack detection, surgical mitigation (meaning only the attack traffic is removed) and reporting. The following section provides a brief introduction to the Peakflow SP and TMS solution, together with examples of how it can be used to stop some common application-layer attacks impacting service providers.

    Key Features of an Intelligent DDoS Mitigation System (IDMS)

    Non-Stateful: The IDMS solution must be stateless. In other words, it must not track state for all connections. As with firewalls and IPS devices, a stateful device is vulnerable to DDoS and will only add to the problem.

    In-Line and Out-of-Band Deployment Options: The solution must support both in-line and out-of-band deployment options for scalability and availability purposes. In fact, the out-of-band deployment option eliminates a potential point of failure during attack and is a key difference between IDMS and firewalls/IPS devices.

    Ability to Detect and Stop Distributed DoS Attacks: The distributed nature of DDoS attacks requires a distributed detection method. Firewalls and IPS devices leveraging single segment-based detection will either miss some smaller DDoS attacks or be unable to cope with large attacks.

    Multiple Attack Counter-Measures: The IDMS must have the ability to detect attacks using multiple techniques. These include statistical anomaly detection; detection of protocol violations or malformed packets; customizable thresholds or ability to detect security policy violations; and signatures of known or emerging threats that are based upon network behavioral patterns, not binary patterns in packets.

    Scalable DDoS Detection and Mitigation: The solution must have the ability to easily scale mitigation from low-end attacks (e.g., deployed in the data center for 1 Gbps application-layer attacks) to high-end attacks (e.g., deployed in the ISP network for large 40 Gbps network-layer attacks).

    Industry Track Record and Expertise: The attack vectors used within DDoS attacks are constantly evolving, with the countermeasures needed to deal with attacks requiring regular update. An IDMS solution should be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.

  • Using Peakflow SP and Peakflow SP TMS to Stop Application-Layer DDoS Attacks

    This section provides a brief introduction to Arbor's IDMS solution, the combination of Peakflow SP and Peakflow SP TMS, and highlights three examples of how the products can detect and surgically mitigate some well-known application-layer attacks.

    Introduction to Peakflow SP and TMS

    The Peakflow SP solution is a network-wide infrastructure security and traffic monitoring platform. By leveraging IP flow data (e.g., NetFlow, sFlow, etc.) and information from deep packet inspection (DPI), Peakflow SP provides pervasive and cost-effective network and application-layer visibility. As Peakflow SP gathers this information, it learns normal traffic and routing behavior across hundreds of routers and thousands of interfaces, and correlates the traffic patterns with the topology data to build logical data models. Armed with this information, Peakflow SP notifies network operations staff of significant changes to the network (a.k.a. network anomalies) regardless of whether they are due to misconfiguration, equipment failure or a DDoS attack.

    In the case of DDoS attacks, Peakflow SP can detect many kinds of threats, such as bandwidth-consuming attacks (e.g., ICMP/UDP floods), connection-layer exhaustion attacks (e.g., TCP SYN floods) or attacks that target specific applications, such as HTTP, VoIP or DNS. In fact, since a majority of the world's Internet service providers use Peakflow SP, many consider it to be the de facto standard for carrier-grade DDoS attack detection and surgical mitigation.

    In order for application-layer attack detection and surgical mitigation to occur, the Peakflow SP solution relies on the capabilities of one of its most vital components, the Peakflow SP Threat Management System (TMS). Peakflow SP TMS is a robust application-intelligent system for multi-service converged networks that speeds remediation by coupling high-level threat identification with packet-level analysis. In addition, Peakflow SP TMS provides visibility into critical applications running on the network (e.g., VoIP/SIP, DNS, HTTP, P2P, etc.) and can monitor key application performance metrics (e.g., packet loss, delay and jitter).

    Peakflow SP TMS comes in a variety of models, each designed with different performance and deployment scenarios in mind. The following chart summarizes these different capabilities.

    [Chart: Peakflow SP TMS deployment. Performance (Gbps, 0 to 40) plotted against deployment size, from Small Provider, Dedicated Customer, Small POPs up to Large Provider, Regional Scrubbing Center, Large POPs. The models shown:]

    TMS 1200: 1.5 Gbps, 1U, 4 x 1 GigE ports
    TMS 2500: 2.5 Gbps, 2U, 6 x 1 GigE ports, NEBS certified
    TMS 3050: 5 Gbps (software upgrade to 10 Gbps), 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
    TMS 3110: 10 Gbps, 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
    TMS 4000: 1 x APM (10 Gbps), 2 x APM (20 Gbps), 3 x APM (30 Gbps) or 4 x APM (40 Gbps); 6U, 8 x 10 GigE ports

  • Peakflow SP TMS Deployment

    The following two pages outline how the Peakflow SP TMS appliance can be deployed in two modes:

    1. Diversion/reinjection

    2. In-line

    Diversion/Reinjection Deployment

    In diversion/reinjection mode, TMS is deployed within the service provider network and is not in-line of normal traffic flow. When a mitigation is initiated, a Border Gateway Protocol (BGP) route is announced, which must be preferred by the network, so that traffic matching the route is diverted through the TMS appliance. TMS then removes the attack traffic and good traffic is reinjected back into the normal network path for delivery to the customer/service.

    The diversion/reinjection mode is a key differentiator from firewalls and IPS devices as it provides the following benefits:

    - Since the solution is not in-line, it avoids the potential for being a single point of failure in the network during a DDoS attack.

    - In most cases, return path traffic is of higher volume. Since Peakflow SP TMS can ignore this traffic, the overall scalability of the solution can be increased.

    - Initial deployment of the solution is greatly simplified since services do not need to be interrupted.

    In-Line Deployment

    Peakflow SP TMS can also be deployed in-line in front of critical services or customer data centers for application-layer attack mitigation. In this deployment scenario (see diagram, page 11), the TMS appliance is always in-line of traffic, not just when mitigation needs to occur. TMS has several fault-tolerance and high-performance features designed to minimize latency and maintain the flow of network traffic. The in-line deployment method offers multiple benefits:⁴

    - This is a much easier deployment for smaller data centers that may not have the network environment or expertise to accommodate the diversion/reinjection configuration.

    - This method allows mitigation to be closer to the attack target. Sometimes during pinpointed application-layer attacks, having the ability to quickly enable, disable and tweak attack countermeasures as close to the attack target as possible is the ideal way to stop an attack.

    - When a customer requests a dedicated DDoS attack protection service, in-line deployment may be more suitable and cost effective.

    [Figure: Peakflow SP TMS diversion/reinjection deployment. Upstream providers ISP 1, ISP 2 ... ISP n feed the local ISP; a scrubbing center hosting the IDMS sits off the normal path, and the data center behind the firewall/IPS holds the target applications and services.]

    ⁴ www.arbornetworks.com/en/peakflow-sp.html

    [Figure: Peakflow SP TMS in-line deployment. Upstream providers ISP 1, ISP 2 ... ISP n feed the local ISP; the IDMS sits in-line at the data center in front of the firewall/IPS, the load balancer and the target applications and services.]
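    The diversion/reinjection description above states that the announced BGP route "must be preferred by the network" and that clean traffic is reinjected onto its normal path. The following added example (not part of the brief or the Peakflow product) models this with longest-prefix-match forwarding: a /32 for the attacked host wins over the customer's /24, so only that host's traffic is steered to the scrubber, and reinjection uses a separate table that does not contain the diversion route, which is what keeps cleaned traffic from being pulled back to the scrubber in a loop. Prefixes, device names and the 'is_attack' tag on packets are constructed stand-ins.

```python
"""Diversion/reinjection modelled as longest-prefix-match forwarding.

Added example, not part of the Arbor brief and not Peakflow code. A more
specific prefix (here a /32) announced for the victim wins longest-prefix
match, so only the victim's traffic is steered through the scrubber while the
rest of the customer's /24 keeps its normal path. Device names, prefixes and
the 'is_attack' packet tag are constructed for the example.
"""
import ipaddress


class Fib:
    """Minimal forwarding table: prefix -> next hop, longest prefix wins."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class Network:
    """A peering router, a scrubber ('tms') and a customer edge behind a /24."""

    def __init__(self):
        self.global_fib = Fib()          # what the peering/core routers use
        self.global_fib.add("0.0.0.0/0", "upstream")
        self.global_fib.add("198.51.100.0/24", "customer-edge")
        # Reinjection path: a separate table (in practice a GRE tunnel or VRF
        # toward the customer edge) that never carries the diversion route.
        self.reinject_fib = Fib()
        self.reinject_fib.add("198.51.100.0/24", "customer-edge")
        self.dropped = 0

    def start_mitigation(self, victim_ip):
        """The BGP /32 announcement that pulls the victim's traffic to the TMS."""
        self.global_fib.add(f"{victim_ip}/32", "tms")

    def stop_mitigation(self, victim_ip):
        self.global_fib.withdraw(f"{victim_ip}/32")

    def forward(self, packet):
        """Return the list of hops a packet takes; attack packets end at 'tms'."""
        path = ["peering-router"]
        hop = self.global_fib.lookup(packet["dst"])
        path.append(hop)
        if hop == "tms":
            if packet.get("is_attack"):     # constructed tag standing in for the countermeasures
                self.dropped += 1
                return path
            # Clean traffic is reinjected via the separate table. Using the
            # global FIB here would resolve to 'tms' again and loop forever.
            path.append(self.reinject_fib.lookup(packet["dst"]))
        return path


if __name__ == "__main__":
    net = Network()
    net.start_mitigation("198.51.100.10")
    print("victim, clean :", net.forward({"dst": "198.51.100.10"}))
    print("victim, attack:", net.forward({"dst": "198.51.100.10", "is_attack": True}))
    print("neighbour     :", net.forward({"dst": "198.51.100.20"}))
    print("dropped       :", net.dropped)
```

    Only the diverted /32 changes path; the neighbouring host in the same /24 and all other destinations are untouched, which is the "surgical" property the brief attributes to diversion, and withdrawing the /32 restores the normal path without any change at the customer edge.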

  • 11

    Arbor Application Brief: The Growing Threat of Application-Layer DDoS Attacks

    Three Real-World Scenarios: How Peakflow SP and TMS Block Common Application-Layer Attacks

    As stated earlier, application-layer DDoS attacks are on the rise due to several factors. To stop application-layer DDoS attacks, Peakflow SP TMS utilizes what is known as attack countermeasures. Peakflow SP TMS has a number of attack countermeasures that can be used in any number of combinations to mitigate multi-vector attacks. The following sections describe how Peakflow SP and Peakflow SP TMS can be used to stop DNS, HTTP and SIP attacks.

    Stopping a DNS Attack

    DNS infrastructure is a favorite target for attackers since it has many vulnerabilities and the impact of a successful attack can be large. As noted previously, DNS amplification, DNS dictionary and DNS cache poisoning attacks are some examples of well-known DNS attack types. This section provides examples of how Peakflow SP and TMS can be used to stop an application-layer attack against DNS infrastructure.

    [Diagram: Typical DNS network environment. Participants: DNS Client, DNS Resolver, DNS Authoritative Name Server (auth-ns, authoritative for example.com, foo.com, bar.com) and the host www.example.com (192.168.0.1). Numbered exchange:
    1. src: client; dst: resolver: q www.example.com?
    2. src: resolver; dst: auth-ns: q www.example.com?
    3. src: auth-ns; dst: resolver: Answer www.example.com A 192.168.0.1
    4. src: resolver; dst: client: Answer www.example.com A 192.168.0.1
    5. src: client; dst: www.example.com]

    Let's assume that an attacker is using a botnet to attack the DNS resolver using multiple attack vectors. The network operations center (NOC) or security operations center (SOC) is starting to get calls from customers unable to reach certain network destinations.

    One potential starting point for the security operations person investigating the outage is the alert displayed in the Peakflow SP console, which provides a single user interface for all attack detection, mitigation and reporting functionality.


    [Screenshot: Peakflow SP DoS alerts screen]

    [Diagram: Botnet attacking DNS resolver. Labels: Botnet, Attack Traffic, DNS Client, DNS Resolver, DNS Authoritative Name Server]

    [Diagram: Traffic diversion through Peakflow SP TMS for a DNS attack. Labels: Botnet, DNS Client, Peakflow SP TMS, DNS Resolver, DNS Authoritative Name Server]


    From the alert screen, the user would configure a mitigation that starts the diversion of all traffic through the Peakflow SP TMS appliance.


    After some investigation using Peakflow SP as well as other tools, the security operations person confirms that this is a multi-vector DNS attack. Using the real-time mitigation dashboard of Peakflow SP, the user can enable, configure and see the effect of multiple Peakflow SP DNS attack countermeasures.

    For example, the dashboard screen shown here shows that the following DNS attack countermeasures are in use to stop this multifaceted DNS attack:

    Black/White List: This is a simple countermeasure that uses a list of IP addresses, IP address blocks and ports to determine what traffic will be blocked or allowed to pass.

    DNS Authentication: This countermeasure can be used to stop spoofed DNS attacks using unsophisticated attack tools. DNS authentication works to ensure that queries sent to a DNS server, whether a resolver or an authoritative server, are in fact coming from a valid host.

    DNS Rate Limiting: This countermeasure protects against attacks from legitimate hosts (e.g., a host that passes the DNS authentication countermeasure). Peakflow SP TMS drops offending hosts that send DNS queries faster than the configured limit. One can also download a list of blocked hosts for further investigation.

    DNS Malformed: This countermeasure looks for and drops malformed/illegal DNS packets possibly caused by crude attack-generation tools.

    From this point, the user can monitor the attack and make real-time modifications to the countermeasures as needed. Once the attack stops, the mitigation can then be disabled to allow network traffic to return to its normal path.

    [Screenshot: Real-time mitigation dashboard showing results of DNS attack countermeasures]
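As an added illustration of how the four DNS countermeasures above fit together (example code written for this edit, not Arbor's code and not a Peakflow SP TMS configuration), the following Python applies them in order to constructed sample traffic. The list entries, the rate limit, the IP addresses and the retry-based model of DNS authentication are all assumptions; the brief does not say how the product validates a source, so the example uses the common approach of dropping the first query from an unknown source and accepting the retry that a real resolver sends and a spoofed flood does not.

```python
import ipaddress
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy (assumption, not product configuration): (network, source port or None).
WHITELIST = [(ipaddress.ip_network("10.0.0.0/8"), None)]
BLACKLIST = [(ipaddress.ip_network("203.0.113.0/24"), None),
             (ipaddress.ip_network("0.0.0.0/0"), 1900)]


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str        # source IP address
    sport: int      # UDP source port
    payload: bytes  # DNS message


def build_query(txid: int, name: str, flags: int = 0x0100) -> bytes:
    """Encode a minimal DNS A query in wire format (RD=1); used to build sample traffic."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def is_malformed(payload: bytes) -> bool:
    """DNS Malformed: reject messages that are not well-formed queries."""
    if len(payload) < 12:
        return True
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 15) != 0 or ((flags >> 11) & 0xF) > 2 or qdcount == 0 or ancount or nscount:
        return True  # not a query, unknown opcode, or answer records inside a query
    pos = 12
    while pos < len(payload) and payload[pos] != 0:  # walk the labels of the question name
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):
            return True  # label too long or running past the end of the packet
        pos += 1 + n
    return len(payload) < pos + 5  # terminating zero byte, QTYPE and QCLASS must follow


class DnsCountermeasures:
    def __init__(self, rate_limit: int = 5, retry_window: float = 2.0):
        self.rate_limit = rate_limit        # accepted queries per second per source
        self.retry_window = retry_window    # seconds a source has to retry its query
        self.pending = {}                   # (src, txid) -> time the query was first seen
        self.authenticated = set()
        self.recent = defaultdict(deque)    # src -> arrival times within the last second
        self.blocked_hosts = set()          # sources that exceeded the rate limit

    def inspect(self, pkt: Packet) -> str:
        ip = ipaddress.ip_address(pkt.src)
        # 1. Black/White list: an explicit allow wins, then an explicit block.
        if any(ip in net and port in (None, pkt.sport) for net, port in WHITELIST):
            return "pass:whitelist"
        if any(ip in net and port in (None, pkt.sport) for net, port in BLACKLIST):
            return "drop:blacklist"
        if pkt.src in self.blocked_hosts:
            return "drop:rate-limited"
        # 2. DNS Malformed.
        if is_malformed(pkt.payload):
            return "drop:malformed"
        # 3. DNS Authentication, modelled as a retry check (assumption): the first query
        #    from an unknown source is dropped; only a source that retries it is trusted.
        txid = struct.unpack("!H", pkt.payload[:2])[0]
        if pkt.src not in self.authenticated:
            first = self.pending.get((pkt.src, txid))
            if first is None or pkt.ts - first > self.retry_window:
                self.pending[(pkt.src, txid)] = pkt.ts
                return "drop:auth-challenge"
            self.authenticated.add(pkt.src)
        # 4. DNS Rate Limiting on sources that passed authentication.
        window = self.recent[pkt.src]
        while window and pkt.ts - window[0] >= 1.0:
            window.popleft()
        window.append(pkt.ts)
        if len(window) > self.rate_limit:
            self.blocked_hosts.add(pkt.src)
            return "drop:rate-limited"
        return "pass"


def run(packets):
    """Apply the countermeasures in arrival order; return verdict counts and blocked hosts."""
    cm = DnsCountermeasures()
    verdicts = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts):
        verdicts[cm.inspect(pkt)] += 1
    return dict(verdicts), sorted(cm.blocked_hosts)


def sample_traffic():
    """Constructed traffic mix (not captured data)."""
    pkts = [Packet(0.0, "192.0.2.10", 40000, build_query(1, "www.example.com")),
            Packet(0.8, "192.0.2.10", 40000, build_query(1, "www.example.com")),  # legitimate retry
            Packet(0.1, "203.0.113.5", 4444, build_query(7, "www.example.com")),  # blacklisted block
            Packet(2.0, "192.0.2.11", 6000, b"\x00\x01\x00\x00\x00\x01")]          # truncated header
    for i in range(50):  # spoofed flood: a fresh transaction ID each time, never retried
        pkts.append(Packet(0.02 * i, "198.51.100.7", 1000 + i, build_query(100 + i, "example.com")))
    pkts.append(Packet(1.0, "198.51.100.9", 5000, build_query(9, "example.com")))
    pkts.append(Packet(1.2, "198.51.100.9", 5000, build_query(9, "example.com")))  # bot that does retry
    for i in range(20):  # ...and then floods at 200 queries per second
        pkts.append(Packet(1.3 + 0.005 * i, "198.51.100.9", 5000, build_query(20 + i, "example.com")))
    return pkts
```

Running `run(sample_traffic())` shows the layering the brief describes: the spoofed flood never gets past authentication, the bot that behaves like a resolver is admitted and then caught by the rate limit, and its address ends up in the blocked-host list that an operator would export for investigation.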

    Stopping an HTTP Attack

    HTTP is arguably the most utilized protocol on the Internet. As a result, perimeter-based security products such as firewalls and IPS devices tend to allow this traffic to flow, essentially making them useless when it comes to stopping some HTTP-based attacks. Attackers know this and commonly try to exploit the HTTP protocol to wreak havoc on Web-based services.

    As noted previously, there are many HTTP attack vectors. Some of the most popular involve sending malformed HTTP packets or flooding a Web server or specific URL with a high rate of HTTP messages. In both cases, the objective is to overwhelm the Web server and ultimately bring down the service. The following is an example of how Peakflow SP and TMS can be used to mitigate such HTTP attacks.

    After the security operations person is alerted to the HTTP attack via the Peakflow SP console or some other means, he or she configures and starts a mitigation using a TMS appliance. Inbound traffic is then diverted through the TMS appliance for the Web server under attack.


    [Diagram: Traffic diversion through TMS for an HTTP attack. Labels: Botnet, HTTP Client, Peakflow SP TMS, Web Server hosting multiple URLs (www.goodsite.com, www.bad_site.com)]


    After some investigation, the operator determines that the attacker is targeting a specific URL (e.g., www.target_site.com) with a high rate of packets. As in a real-world scenario, the attack traffic is also intermixed with legitimate HTTP traffic (e.g., www.goodsite.com). By utilizing the packet capture and decode feature of the TMS appliance, the operator can easily see the packet contents.

    A unique feature of the decode display of Peakflow SP TMS (noticeable in the screen shot below) is the ability to see the source and destination country of each packet. This is useful information for attack mitigation. In fact, GeoIP attack countermeasures can be used to block or rate-limit traffic coming from specific countries.

    [Screenshot: Packet capture and decode capabilities of Peakflow SP TMS]

    [Screenshot: HTTP rate-limiting countermeasure]


    From the decode display, the operator can clearly see the packet contents and use the HTTP regular expression (REGExp) countermeasure to configure Peakflow SP TMS to block any packets destined for the target URL (e.g., www.target_site.com).

    Let's say the attack is not directed towards a specific URL. Instead, the attacker is trying to overwhelm the Web server by using the botnet to send an excessive number of HTTP requests to the Web server. This is a common type of HTTP DDoS attack that can be easily detected and stopped using the HTTP rate-limiting countermeasure of Peakflow SP TMS, as shown above.

    [Screenshot: HTTP/URL regular expression countermeasure]


    Stopping a VoIP/SIP Attack

    VoIP is a popular Internet-based phone service utilized by millions of people today. When VoIP services are down, the impact ranges from annoying to potentially life-threatening. It is imperative that VoIP service providers have a means to protect their services from attackers who are known to exploit weaknesses in the various protocols that are utilized for VoIP, for example, the Session Initiation Protocol (SIP). One such well-known attack sends a high rate of SIP requests (e.g., INVITE, Response and REGISTER) to a SIP proxy server, eventually overwhelming it and disabling VoIP services. The diagram below depicts an example of how Peakflow SP and TMS can be used to stop such a SIP attack.

    After being alerted to the attack via the Peakflow SP console or some other means, the security operations person configures and starts a mitigation using a TMS appliance, at which time all inbound traffic toward the SIP proxy server is diverted through the TMS appliance.

    In this case, the operator can use the SIP request-limiting countermeasure to limit the number of SIP request messages per second that are sent to the SIP proxy server. Once the operator enables this countermeasure, packets from IP addresses (called hosts) exceeding this rate are dropped and the hosts are blacklisted.

    [Diagram: Traffic diversion through TMS for a SIP attack. Labels: Botnet, SIP Client (User Agent), SIP Client (User Agent), SIP Proxy Server, Peakflow SP TMS]

    [Screenshot: SIP Request Limiting countermeasure]
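The HTTP rate-limiting and HTTP/URL regular expression countermeasures from the HTTP section and the SIP request-limiting countermeasure above come down to the same defensive logic (a per-source request budget with blacklisting on breach, plus a URL match for HTTP), so one added example covers both sections. This is Python written for this edit, not Arbor's code; the host names, limits, message formats and sample traffic are constructed, and the choice to exempt SIP status responses from the request limit is an assumption about a sensible policy, not a description of the product.

```python
import re
from collections import defaultdict, deque


class RequestLimiter:
    """Sliding-window, per-source limiter: a source that sends more than `limit`
    requests within `window` seconds is blacklisted for the rest of the run."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # src -> arrival times inside the window
        self.blacklist = set()

    def allow(self, src: str, ts: float) -> bool:
        if src in self.blacklist:
            return False
        q = self.recent[src]
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            self.blacklist.add(src)
            return False
        return True


def parse_http(raw: str):
    """Return (method, host, path) from a minimal HTTP/1.x request head."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = ""
    for header in lines[1:]:
        if header.lower().startswith("host:"):
            host = header.split(":", 1)[1].strip()
    return method, host, path


def filter_http(requests, url_pattern: str, limit: int):
    """HTTP/URL regexp countermeasure first, then HTTP rate limiting.
    `requests` is a list of (ts, src, raw_request)."""
    rx = re.compile(url_pattern)
    limiter = RequestLimiter(limit)
    verdicts = defaultdict(int)
    for ts, src, raw in sorted(requests, key=lambda r: r[0]):
        _method, host, path = parse_http(raw)
        if rx.search(host + path):          # match against the full URL (host + path)
            verdicts["drop:regexp"] += 1
        elif not limiter.allow(src, ts):
            verdicts["drop:rate-limit"] += 1
        else:
            verdicts["pass"] += 1
    return dict(verdicts), sorted(limiter.blacklist)


def filter_sip(requests, limit: int):
    """SIP request limiting: only request messages (INVITE, REGISTER, ...) count
    against the per-source limit; status responses ("SIP/2.0 200 OK") pass."""
    limiter = RequestLimiter(limit)
    verdicts = defaultdict(int)
    for ts, src, raw in sorted(requests, key=lambda r: r[0]):
        start_line = raw.split("\r\n", 1)[0]
        if start_line.startswith("SIP/2.0 "):
            verdicts["pass:response"] += 1
        elif limiter.allow(src, ts):
            verdicts["pass:" + start_line.split(" ", 1)[0]] += 1
        else:
            verdicts["drop:rate-limit"] += 1
    return dict(verdicts), sorted(limiter.blacklist)


def http_get(host: str, path: str) -> str:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def sample_http():
    """Constructed HTTP traffic: one real user, one bot hammering a single URL
    at 400 requests/s, one bot flooding the whole server at 250 requests/s."""
    reqs = [(0.5 * i, "192.0.2.50", http_get("www.goodsite.com", "/index.html")) for i in range(3)]
    reqs += [(0.0025 * i, "198.51.100.20", http_get("www.target_site.com", "/login")) for i in range(40)]
    reqs += [(0.004 * i, "198.51.100.21", http_get("www.goodsite.com", f"/?r={i}")) for i in range(25)]
    return reqs


def sample_sip():
    """Constructed SIP traffic: a normal user agent, one status response, and a
    bot sending 300 INVITEs per second."""
    reqs = [(0.0, "192.0.2.60", "REGISTER sip:proxy.example.com SIP/2.0\r\n"),
            (0.3, "192.0.2.60", "INVITE sip:bob@example.com SIP/2.0\r\n"),
            (0.4, "192.0.2.61", "SIP/2.0 200 OK\r\n")]
    reqs += [(0.1 + i / 300, "198.51.100.30", "INVITE sip:alice@example.com SIP/2.0\r\n") for i in range(30)]
    return reqs
```

`filter_http(sample_http(), r"^www\.target_site\.com/", 10)` drops every request for the targeted URL by pattern before the rate limiter ever sees it, while the second bot is admitted for its first ten requests and then blacklisted; the legitimate user's three requests pass untouched. `filter_sip(sample_sip(), 5)` does the same for the SIP flood. The regular expression is anchored to the host so that a path fragment appearing on another site the server hosts (www.goodsite.com in the brief's example) is not blocked by accident.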


    Conclusion

    As DDoS attacks increase in frequency, size and complexity, they will continue to pose a serious threat to any organization that relies on Internet-based services.

    Protecting these services from DDoS attacks is imperative for service providers since the impact on revenue, profit and reputation can be devastating. Relying upon traditional security products such as firewalls or IPS devices is not enough to stop all DDoS attacks. For comprehensive DDoS detection, mitigation and reporting, ISPs should deploy an Intelligent DDoS Mitigation System (IDMS) such as the Peakflow SP and Peakflow SP TMS solution.

    For more information regarding Arbor's DDoS protection products and services, please visit the Arbor Web site at www.arbornetworks.com.


    Corporate Headquarters
    76 Blanchard Road, Burlington, MA 01803 USA
    Toll Free USA +1 866 212 7267
    T +1 781 362 4300

    Europe
    T +44 207 127 8147

    Asia Pacific
    T +65 6299 0695

    www.arbornetworks.com

    © 2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

    AB/ALDDOS/EN/0812