MANAnet Frequently Asked Questions

 

What are Denial of Service (DOS) Attacks?

What are Distributed Denial of Service (DDOS) Attacks?

Are there different kinds of DOS/DDOS attacks?

Why are Denial of Service Attacks Hard to Defend?

Why Does Cs3 Distinguish "Incoming" and "Outgoing" Attacks?


Why Can't a Firewall stop a DDOS Attack?

What is Cs3's Solution to Incoming Attacks?

What are the Products in the MANAnet Shield?

What is Cs3's Solution to Defend Against Outgoing Attacks?

Why is Cs3's Solution Better than the Competition?

What are the Benefits of the Reverse Firewall?

Could Reverse Firewall Have Helped with Code Red and Nimda?

How many Reverse Firewalls do I need in my infrastructure?

 

What are Denial of Service (DOS) Attacks?

Many of us, as children, probably placed phone calls to random numbers
or rang the doorbells at homes as pranks just to enjoy watching grown
folks expending a lot of effort uselessly. A DOS attack is a
sophisticated, extremely fast, computer version of the prank call. A
successful DOS attack is intended to waste the victim's available
computing resources by using bogus requests, thereby degrading and/or
denying service to regular customers.

 

What are Distributed Denial of Service (DDOS) Attacks?

This is a version of the DOS attack where the victim is targeted
simultaneously by attackers from different parts of the
infrastructure. Often, the "attackers" are compromised computers (or
"zombies") that have come under the control of the attacker. The
attacker uses the compromised computers to conduct a coordinated
attack that seems to be coming from many places.

 

Are there different kinds of DOS/DDOS attacks?

Yes, indeed. There are many scripts available in the hacker community
to conduct attacks. Some of the attacks exploit known bugs in
commonly used operating systems and server programs on the Internet.
Other attacks simply flood the victim with various kinds of traffic,
preventing customers from getting through.

 

Why are Denial of Service Attacks Hard to Defend?

Typical security systems tend to guard individual sites.
Unfortunately, DoS / DDoS attacks cannot be defended at a site. This
is because traffic congestion resulting from the attack has already
occurred upstream from the victim, and legitimate customers,
therefore, cannot get through. Thus, in a sense, it is too late for
the victim to act. Defending a potential victim from denial of
service attacks requires cooperation from upstream infrastructure.

With the present-day Internet, it is relatively easy for attackers to
"spoof" packet source addresses. It is, therefore, difficult to tell
precisely where the attack traffic originates. This makes it difficult
to defend against attacks.

 

Why Does Cs3 Distinguish "Incoming" and "Outgoing" Attacks?

Most people think of security as defending one's own computing
resources against external threats. With DDOS attacks, it is also
possible that your own infrastructure is being used (wittingly or
unwittingly) to host attacks on others. So, it makes sense to consider
DDOS defense for both incoming and outgoing attacks.

 

Why Can't a Firewall stop a DDOS Attack?

A Firewall can be used to filter certain kinds of traffic. As we have
mentioned, if you rely on data controlled by the attacker (such as the
packet's source address), you could be playing into his hands. Further,
the firewall does not help customers whose traffic might have been
dropped further upstream because of congestion from the attack.

 

What is Cs3's Solution to Incoming Attacks?

Incoming DDOS attacks at a site are defended via the MANAnet Shield.
The vision behind the MANAnet Shield is to build "cooperative
neighborhoods" around sites that need protection. Within a
neighborhood, one essentially eliminates source forgery, which forms
the basis for DDOS defense. Please see Cs3's White Paper:
Towards a More Secure and Robust Internet which explains the
technical ideas in more detail.

 

What are the Products in the MANAnet Shield?

The MANAnet Shield involves the following devices:
  • MANAnet Router : MANAnet Routers mark packets with path information
    so that source forgery can be eliminated (a protocol called Path
    Enhanced IP -- PEIP). The path information is used by cooperating
    MANAnet Routers to provide "fair service" to incoming packets based
    on their true source. MANAnet Routers will also accept requests from
    their trusted neighbors to slow down traffic with specific paths.

  • MANAnet Firewall : MANAnet Firewall is installed at each site. In
    addition to PEIP, MANAnet Firewall allows site-specific parameters for
    DDOS attacks. Once an attack is sensed, the firewall contacts
    upstream cooperating MANAnet Routers to slow down traffic with
    specific paths. With the MANAnet Firewall one can do better than
    "fair service" on the DDOS defense.

 

What is Cs3's Solution to Defend Against Outgoing Attacks?

The best device for outgoing attacks is the MANAnet Reverse Firewall.
The Reverse Firewall regulates outbound traffic using fair service to
places inside the network. In addition, it rate limits "unexpected
packets" -- those that are not replies to packets in the other
direction. The Reverse Firewall not only makes DDOS attacks
impossible to mount from inside the network, it also notifies
administrators about the origins of the suspicious traffic. The
administrator can then target those networks/computers for follow-on
security measures.

 

Why is Cs3's Solution Better than the Competition?

Cs3's patent-pending devices have unique features that you will not
find in competing approaches:

a) MANAnet products provide DETECTION and automatic, real-time DEFENSE
against DDOS attacks. The DEFENSE is built into the "fair service"
behavior of routers and firewalls.

b) MANAnet Reverse Firewall is the only product in the marketplace
that deals with defending against outbound DDOS attacks.

c) MANAnet involves NO signature analysis, hence requires no updates
of software to keep up with the ingenuity of potential attackers.

d) MANAnet tackles the DDOS problem by fixing the infrastructure
vulnerabilities (e.g., source spoofing of packets) within cooperative
neighborhoods. This provides a reasonably incremental solution that
addresses the true complexity of the DDOS problem.

 

What are the Benefits of the Reverse Firewall?

The Reverse Firewall provides many benefits in terms of DDOS:

    a) Properly deployed, it can protect the internal and external
    communication of legitimate users during an attack from your own
    infrastructure. This is a significant security benefit.

    b) Protects the organization from embarrassment, even liability,
    associated with having its infrastructure co-opted in a DDOS attack.

    c) Protects the Internet from attacks within the infrastructure,
    thereby restricting damage to the smallest possible network.

    d) Reverse Firewall provides notifications of attacks, which could
    indicate compromised computers within the infrastructure.

     

Could Reverse Firewall Have Helped with Code Red and Nimda?

Reverse Firewall would not have stopped the infestation of computers,
but it would have detected and drastically slowed the spread of these
worms, which work through rapid port scanning -- one of the numerous
kinds of "unexpected packets" whose bandwidth is rate limited by the
device.
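As an added illustration (not Cs3's code, and not a description of how their device is built), the following Python model captures the "unexpected packet" rule from the two answers above: an outbound packet that answers an inbound packet already seen is forwarded, anything else is charged against a per-host budget, and a host that exhausts the budget, as a port-scanning worm would, is throttled and reported to the administrator. The internal prefix, the budget of 5 packets per 1-second window, and the sample traffic are assumed values constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # seconds since the start of the (constructed) capture

class ReverseFirewall:
    """Model of the outbound policy: replies to inbound traffic pass freely;
    other outbound packets are 'unexpected' and rate limited per internal host."""

    def __init__(self, internal_prefix="10.0.0.", limit=5, window=1.0):
        self.internal_prefix = internal_prefix   # assumed internal address range
        self.limit = limit                       # unexpected packets per host per window
        self.window = window                     # sliding window length in seconds
        self.inbound = set()                     # (ext_ip, ext_port, int_ip, int_port)
        self.recent = defaultdict(deque)         # int_ip -> timestamps of unexpected pkts
        self.alerts = []                         # internal hosts reported to the admin

    def process(self, p):
        if not p.src.startswith(self.internal_prefix):
            # Inbound packet: remember the flow so the internal host's reply is expected.
            self.inbound.add((p.src, p.sport, p.dst, p.dport))
            return "inbound"
        if (p.dst, p.dport, p.src, p.sport) in self.inbound:
            return "forward"  # answers traffic that came in first
        q = self.recent[p.src]
        while q and p.ts - q[0] >= self.window:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= self.limit:
            if p.src not in self.alerts:
                self.alerts.append(p.src)  # notify the administrator once per host
            return "drop"
        q.append(p.ts)
        return "forward-unexpected"  # within budget: forwarded but counted

def run_demo():
    """Constructed sample: one legitimate web reply, then an internal host
    sweeping port 80 across 20 external addresses within half a second."""
    fw = ReverseFirewall()
    pkts = [Packet("203.0.113.5", 40000, "10.0.0.7", 80, 0.0),
            Packet("10.0.0.7", 80, "203.0.113.5", 40000, 0.01)]
    pkts += [Packet("10.0.0.9", 4321, f"198.51.100.{i}", 80, 0.1 + i * 0.02)
             for i in range(1, 21)]
    return [fw.process(p) for p in pkts], fw.alerts
```

With these settings the web reply is forwarded, the first five probes of the sweep get through, the remaining fifteen are dropped, and 10.0.0.9 is reported as the origin of the suspicious traffic.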

 

How many Reverse Firewalls do I need in my infrastructure?

If all you want is to ensure that no DDOS attack from inside reaches
the Internet, you can use Reverse Firewall with 2 NICs, one connecting
to the inside and the other the outside. However, if you have
multiple subnetworks that you wish to distinguish (e.g., for fair
service), you can do that by getting a Reverse Firewall with up to 6
NICs -- which can distinguish 5 internal subnetworks.

You can also use multiple RFW units inside your network, depending on
its topology, to protect internal networks from one another or to
distinguish traffic coming from those locations.