MANAnet Reverse Firewall™:
Fighting DDoS Attacks at Their Origins

- PRODUCT SHEET -


Purpose: Fighting DDoS Attacks at Their Origins

The Reverse Firewall™ chokes off Distributed Denial of Service (DDoS) attacks being launched from within an infrastructure. Most DDoS attacks are conducted through "zombies" -- computers that have come under the control of the attacker. The MANAnet Reverse Firewall ensures that DDoS attacks from inside a network infrastructure are stopped cold before they reach the outside network. The Reverse Firewall also notifies LAN administrators about possible DDoS attacks and their location so that follow-up security measures may be taken.

Description: Throttling DDoS Attacks at the Edge of a Network

The World's ONLY Reverse Firewall

Traditional firewalls protect networks by filtering incoming packets. In addition to this, the MANAnet Reverse Firewall analyzes outgoing traffic from a network. By limiting the rate of "unexpected" packets this device severely reduces the impact of potential DDoS attacks before they exit the networks where they originate. In practice, while the Reverse Firewall throttles both incoming and outgoing DDoS attacks, it provides greater defensive benefits for outgoing attacks because it is close to the source of attack. For incoming attacks, the Reverse Firewall needs cooperation from upstream infrastructure to thwart attackers without affecting customers.

Who Needs the Reverse Firewall: ISPs, Universities, and Corporations

All Internet infrastructure owners who attach significant value to their own internal communications, even when an attack is launched from one of their own computers.

The primary danger for infrastructure owners is not from their own legitimate customers, who are usually trustworthy. The real threat is that computers on their network will be compromised by remote hackers, who will some day use these machines as zombies to mount a coordinated DDoS attack on targets outside the network.

How It Works: Rate Limiting of Outgoing Unexpected Packets

The Reverse Firewall works by limiting the rate of outgoing "unexpected" packets from a network. In addition, the Reverse Firewall implements Path Enhanced IP and fair service scheduling of packets (see http://www.cs3-inc.com/rfw.html for details). With these techniques, the firewall can not only stop any kind of packet flooding attack launched from inside the network from reaching the outside, it also protects the ability of internal segments to communicate with the outside and amongst themselves during an attack.

How Reverse Firewall Works

A typical ISP or University has several network segments. The best way to deploy the Reverse Firewall is at the edge of each sub-network. For example, the infrastructure owner in the network below has deployed 3 Reverse Firewalls, RFW1, RFW2, and RFW3, to watch outgoing traffic from Segments 1, 2, and 3 respectively.

If Segment 2 is compromised by zombies (marked in red), and an attacker tries to launch a DDoS attack from those computers, RFW2 attenuates the attempt and thereby protects the outside network. More importantly, from the perspective of the infrastructure owner and its customers, the attack from Segment 2, which is also a direct attack on the users of the local network, does not affect their ability to communicate with the outside world via RFW1 and RFW3, or their ability to communicate with each other! Thus, the Reverse Firewalls can be deployed not only to protect the outside, but also to protect internal segments from one another. In fact, a single Reverse Firewall with one interface card per network segment (e.g., as RFW2 has been configured to protect Segment 2 from Segment 3 and vice versa) will be adequate for such protection.
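The following simulation is an added illustration of the egress rate-limiting idea described in the "How It Works" and "How Reverse Firewall Works" sections; it is not MANAnet or CS3 code and does not model Path Enhanced IP. It assumes a simplified definition of "unexpected": an outbound packet is expected when an outside host already initiated that exchange inbound, and every other outbound packet draws from a per-source token bucket (a stand-in for the sheet's fair service scheduling, so one zombie cannot consume a neighbour's budget). The three segments, addresses (RFC 5737 test ranges) and timings are all constructed.

```python
# Added example (not the product's own code): per-segment egress filter that passes
# "expected" packets, rate-limits unexpected ones per internal source, and alerts
# an administrator once a source exceeds a drop threshold.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since start of the constructed capture
    direction: str    # "in" = entering the segment, "out" = leaving it
    src: str
    dst: str


class TokenBucket:
    """Classic token bucket: `rate` tokens/second, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReverseFirewall:
    """Egress filter for one segment (RFW1/RFW2/RFW3 in the sheet's diagram)."""

    def __init__(self, name: str, rate: float = 10.0, burst: float = 5.0,
                 alert_after: int = 50):
        self.name = name
        self.rate, self.burst, self.alert_after = rate, burst, alert_after
        self.expected: set[tuple[str, str]] = set()   # (internal, external) pairs
        self.buckets: dict[str, TokenBucket] = {}     # one bucket per internal source
        self.passed = 0
        self.dropped: dict[str, int] = defaultdict(int)
        self.alerts: list[str] = []

    def process(self, p: Packet) -> str:
        if p.direction == "in":
            # An outside host spoke first, so replies from p.dst to p.src are expected.
            self.expected.add((p.dst, p.src))
            self.passed += 1
            return "pass"
        if (p.src, p.dst) in self.expected:
            self.passed += 1
            return "pass"
        bucket = self.buckets.setdefault(p.src, TokenBucket(self.rate, self.burst))
        if bucket.allow(p.t):
            self.passed += 1
            return "pass"
        self.dropped[p.src] += 1
        if self.dropped[p.src] == self.alert_after:
            self.alerts.append(f"{self.name}: {p.src} exceeded egress limit at t={p.t:.3f}s")
        return "drop"


def constructed_traffic() -> dict[str, list[Packet]]:
    """One constructed second of traffic per segment, sorted by time."""
    traffic: dict[str, list[Packet]] = {"RFW1": [], "RFW2": [], "RFW3": []}
    # Segment 1: an outside client talks to an internal server; the replies are expected.
    for i in range(100):
        traffic["RFW1"].append(Packet(i / 100, "in", "198.51.100.10", "10.1.0.5"))
        traffic["RFW1"].append(Packet(i / 100 + 0.001, "out", "10.1.0.5", "198.51.100.10"))
    # Segment 2: four zombies flood one outside victim while a legitimate host
    # opens three new sessions of its own during the flood.
    zombies = ["10.2.0.21", "10.2.0.22", "10.2.0.23", "10.2.0.24"]
    for i in range(250):
        for z in zombies:
            traffic["RFW2"].append(Packet(i / 250, "out", z, "203.0.113.7"))
    for k, peer in enumerate(("203.0.113.50", "203.0.113.51", "203.0.113.52")):
        traffic["RFW2"].append(Packet(0.3 + 0.1 * k, "out", "10.2.0.9", peer))
    # Segment 3: a host sends a handful of unsolicited outbound packets (normal use).
    for i in range(5):
        traffic["RFW3"].append(Packet(0.2 * i, "out", "10.3.0.8", "203.0.113.80"))
    for packets in traffic.values():
        packets.sort(key=lambda p: p.t)
    return traffic


def run_simulation() -> dict[str, dict]:
    """Run each segment's traffic through its own Reverse Firewall; return stats."""
    results = {}
    for name, packets in constructed_traffic().items():
        rfw = ReverseFirewall(name)
        for p in packets:
            rfw.process(p)
        results[name] = {"passed": rfw.passed, "dropped": dict(rfw.dropped),
                         "alerts": list(rfw.alerts)}
    return results


if __name__ == "__main__":
    for name, stats in run_simulation().items():
        print(name, stats["passed"], "passed;", sum(stats["dropped"].values()), "dropped")
        for alert in stats["alerts"]:
            print("  ALERT", alert)
```

Running it shows the behaviour the sheet describes: RFW1 and RFW3 drop nothing, RFW2 discards the large majority of the zombies' packets and raises one alert per zombie naming the offending host, and the legitimate host on Segment 2 still gets all of its new sessions out because its budget is separate from the zombies'. Traffic from Segment 2 aimed at Segment 3 is "outgoing" from RFW2's point of view, so the same limiter covers the segment-to-segment case mentioned above.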

Benefits: Protects Inside and Outside, Requires No Updates!

  1. The MANAnet Reverse Firewall eliminates the DDoS attacker's capability to mount successful attacks from inside a network via zombies. This protects the Internet from DDoS attacks. As DDoS attacks become more common and devastating in impact, infrastructure owners are increasingly expected to be diligent and proactive in ensuring that their networks are not being used to host DDoS attacks. The Reverse Firewall provides the best way to do this.

  2. Properly deployed, the Reverse Firewall protects internal communication during attacks from either the outside or the inside. This is valuable for many large customers like the Government and other enterprises.

  3. Unlike tools that merely detect when a computer is compromised (like Intrusion Detection Systems) or tools that scan for known DDoS attack signatures, the MANAnet Reverse Firewall actually offers a working DDoS defense. And, it requires NO updates - it will work regardless of the attack method used!

  4. The Reverse Firewall notifies identified administrators in real time about DDoS attacks so that further security steps may be instituted by them.