Friday, 26 May 2017


Securing the Data Center: Application-layer DDoS Attacks

Rakesh Shah, director of product marketing and strategy with Arbor Networks (http://www.arbornetworks.com/), says:

Application-layer DDoS attacks have quickly become the most significant threat to availability of Internet Data Center and Cloud-based services. Application-layer attacks are low bandwidth, difficult to detect and target both end customers and network operators’ own ancillary supporting services, such as HTTP web services, domain name system (DNS), etc. The Arbor Networks portfolio provides visibility into critical IP services and applications running in the IDC, such as HTTP, DNS, VoIP/SIP and SMTP traffic. It protects IDC infrastructure against numerous types of attack, including Spoofed / Non-Spoofed Attacks, TCP State Exhaustion, TCP SYN Floods, HTTP/Web Attacks, DNS Floods/Authentication Attacks, UDP Floods and dozens more.

Enterprises are very concerned with availability of the critical services running in these data centers, and attackers view Internet-facing data centers as new prime targets and use DDoS attacks to wreak havoc on these companies. The single biggest threat to IDC availability is DDoS. Arbor Networks brings carrier-class DDoS detection and mitigation capabilities to the data center.

Additionally, Arbor solutions are purpose built for the IDC environment.

  • Out of the box, carrier-class DDoS attack identification and mitigation capabilities
  • Can be rapidly deployed with little configuration, even during an attack
  • Focused on detecting and stopping application-layer DDoS attacks
  • A single easy to manage platform with extensive reporting capabilities

Arbor Networks solutions deliver the three pillars of protection essential to the data center environment.

  • Network Infrastructure Protection: Detect and stop DDoS attacks that impact your IDC’s network infrastructure and core IP services.
  • Application/Service Protection: Ensure the security, availability and performance of your data center’s applications and services.
  • Data Protection: Assure data is not being accessed or removed from your data center by unauthorized persons.

With Arbor Networks, you get more than market-tested solutions for managing and securing your data center, hosting or cloud-based infrastructure. You also get an industry-leading security research team that has developed innovative tools such as ATLAS, our Internet monitoring system, and the Active Threat Feed, which automates the distribution of attack signatures. No other entity today has either aggregated this much real-time information about what is happening across the Internet or developed the means for cross-provider collaboration that informs numerous business decisions.

Where should security and availability solutions rank in terms of overall priority in the data center?

Very high. There are two reasons for this; first, the issue of availability is paramount for customers and the IDC operator. If customers are offline, IDCs are faced with a situation that may include SLAs being violated and collateral damage across multiple customers, not to mention the damage to the reputation and brand of the operator.

The second reason is the tendency of IDC operators to deploy firewalls and IPS in front of IDC assets. While key elements of an overall security strategy, firewalls and Intrusion Prevention Systems are not effective solutions against DDoS attacks. Because these devices maintain state information for every session established between a client on the Internet and the corresponding server in the data center, these products themselves are commonly the targets of DDoS attacks. According to Arbor’s 2010 Worldwide Infrastructure Security Report, a solid majority of those who have deployed these devices within their IDCs experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period.

Recently, NSS Labs released its Network Firewall Comparative Group Test Report which found two major issues. One is stability where three out of six firewall products failed to remain operational when subjected to stability tests. The second issue is that external hackers were able to trick firewalls into allowing them inside the firewall of a trusted client. The conclusion can be drawn that firewalls and Intrusion Prevention Systems are not effective solutions against DDoS attacks.

What are the biggest challenges for data center and IT managers?

From the security perspective, the biggest challenge they face is that the very solutions many have deployed to protect the IDC, firewalls and IPS, are not only unable to do so, but have actually become the targets of the attacks themselves. These are the very attacks that threaten availability of data and applications.

Firewalls, IPS, and other products are key elements of a layered defense, but they are designed to provide security functions that are fundamentally different from dedicated DDoS detection and mitigation products. For example, firewalls are essentially policy enforcement points usually deployed at the network or data center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a data center as defined by ports, protocols, and destinations. Internet-facing data centers are open to web traffic (TCP port 80/443) as well as perhaps other services such as video, voice, and file transfer. Denial of Service attacks target the very services that the firewalls have to allow through, so there is no inherent DDoS protection in the firewall layer.

In fact, because firewalls maintain state information for every session established between a client on the Internet and the corresponding server in the data center, the firewalls themselves are commonly the targets of DDoS attacks and are potentially the single point of failure that disables the data center during large scale DDoS attacks.

How can data center and IT managers overcome those challenges?

There are several ways; the first is through experiencing a failure of one of these devices that leads to an outage. According to Arbor’s 2010 Worldwide Infrastructure Security Report, a solid majority of those who have deployed these devices within their IDCs experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period. Nobody is more motivated than someone who has gone through an outage.

The second key point is that Arbor spends a great deal of time and energy thinking about the deployment models and usage factors that make a product successful.

For example, Arbor’s data center solutions offer out-of-the-box, carrier-class DDoS attack identification and mitigation capabilities and can be rapidly deployed with little configuration, even during an attack. From an operations standpoint, they can be managed from a single easy to manage platform with extensive reporting capabilities such as detailed attack reports in real time so operators can visually understand the actions taken by the products. Besides documenting these actions in audit logs, Arbor provides forensic reports detailing blocked hosts, origin countries of attacks, and historical trends. The easy-to-understand reports can also be given to peers or management to educate them on the threats impacting the availability of services and the steps taken to address the attacks.

Our advice would be to look at your deployment of firewalls and IPS in the IDC environment because they not only don’t stop availability threats like distributed denial of service attacks, they are actually the targets of the attack itself. This is a critical weakness in the defenses of many IDCs today.

Attacks are changing: Attacks are moving from volumetric-based, where they try to simply overwhelm the connection with data, to more sophisticated application-layer DDoS attacks that target specific services and are not high bandwidth and therefore difficult to identify. The new application-layer DDoS attacks threaten a myriad of services from web commerce to DNS and from e-mail to online banking.
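The point made above, that an application-layer flood stays under any bandwidth threshold and has to be spotted by request rate per source against the expensive endpoints the firewall must allow through, as an added Python example that is not part of the interview or of Arbor's products. The access-log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (combined-log style), not from the article.
# 203.0.113.7 fires many small requests at an expensive search endpoint,
# 198.51.100.4 fetches one large file, 192.0.2.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2017:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 512
203.0.113.7 - - [26/May/2017:10:00:00 +0000] "GET /search?q=b HTTP/1.1" 200 498
203.0.113.7 - - [26/May/2017:10:00:00 +0000] "GET /search?q=c HTTP/1.1" 200 530
203.0.113.7 - - [26/May/2017:10:00:01 +0000] "GET /search?q=d HTTP/1.1" 200 501
203.0.113.7 - - [26/May/2017:10:00:01 +0000] "GET /search?q=e HTTP/1.1" 200 520
198.51.100.4 - - [26/May/2017:10:00:00 +0000] "GET /downloads/iso HTTP/1.1" 200 734003200
192.0.2.9 - - [26/May/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["size"] = int(r["size"])
            records.append(r)
    return records

def rank_by_bytes(records):
    """Volumetric view: response bytes per source, largest first.
    The application-layer flood ranks last here, so a byte threshold never sees it."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["size"]
    return totals.most_common()

def app_layer_suspects(records, expensive_prefixes, max_per_second):
    """Application-layer view: sources that exceed max_per_second requests to
    expensive paths within any one-second bucket (the log timestamp is per second)."""
    buckets = defaultdict(int)
    for r in records:
        if r["path"].startswith(expensive_prefixes):
            buckets[(r["src"], r["ts"])] += 1
    return {src for (src, _), n in buckets.items() if n > max_per_second}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by bytes:", rank_by_bytes(recs))
    print("app-layer suspects:", app_layer_suspects(recs, ("/search",), 2))
```

The per-second bucket and the "expensive path" prefix list are the tunable parts; in production the same counting is done over a sliding window fed from the web tier's logs rather than a fixed string.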

Host in Ireland