Thursday, December 6, 2012

DDoS protection and solutions


The DDoS  community has grown over the years and has become more involved for both the attacker and defender. The challenges for a enterprise business to mitigate these attacks locally , has become a nightmare & not practical. Even if you deploy a  on-premise gear, that 100% blocks the attack, the attacker still kind of won if  he manages to fill your internet uplinks with 100% useless traffic.

If you trust your ISP to mitigate, you normally get a very bad result, since they cut with a broad sword. Asking your ISP to mitigate for you is like going to the doctor with a small splinter in your finger and instead of pulling the splinter out with a pair of tweezers, the ISP just cuts your whole hand off,  or worst cut your arm off. Your results would not be any better off if you just left the splinter in your finger .

The new wave of mitigation involves, using a cloud base approach. With cloud base DDoS solutions, we deploy a in-the-cloud datacenter,  and install a lot of mitigation gear and big fat pipes into these scrub centers.

All in-the-cloud providers, hopes that the traffic inbound ( good and bad )  & at that one scrub center is below their available capacity of that scrub center and no single customer exhaust resources. With the in-the-cloud mitigation approach, you place all of your resources within the cloud provider arena.

Look at this way, let’s say you where a 90lb petite female, and you had to fight off Mike Tyson. The odds are against you that you  will LOOSE.  So if you hire a whole bunch of guys weighing between 120-187lbs each, and put them in front of yourself. The odds are  now that you will win. Also they will get  punch, kicked, bruised and black’d eye while you sit back , and do your nails un-impacted.

If the attacks are very huge, you just throw in more guys or switch them out with fresh bodies.

All in-the-cloud providers, have readily means to growth their uplink bandwidth,  and to scale their core mitigation gear wide and deep if required. Also the ramp up to do this, is quick in most case or more quickly than a large enterprise business could execute.

Now let’s look at what every  in-the-could mitigation  provides to some degree.
Now most solutions revolves around 1 of  the 2 technologies listed below;

·      A reverse Proxy-server  ( some  brand of a SLB server-load-balancer appliance )
·      Or some type of virtual tunnel or direct connection to the DDoS Service Provider network

In all of the above, they will need to steer traffic into  the Cloud,  and away from  you’re your front door ( your network ). So with the proxy-server solution, we typically deploy a DNS A  record redirection &  the change points your website to the Virtual-Server IP ( aka VIP ) and then all bad traffic naturally flows to the VIP,  if the attacker is using a attack via DNS hostname.

Even if he  ( attacker )  targets your ip-address directly, you  normally deploy some simple fwpolicies to only allow deny direct access from the mitigation provider trusted space.

The virtual-tunnel or direct-connected  solution, just nails your full network space behind the Mitigation provider space. All traffic entering your network space, travels thru the  service provider arena first. This allows for inspection, monitoring , mitigation and filtering of traffic. This connection is permanent and mutually agreed upon by the end-user and provider of mitigation service provider. It offer highly uptime, and lower latency.

With the Virtual-Server/direct-connections design, you can now leverage cloud base WAF, compliances inspection, and  other hosted security protection models such as flowspec, fingerprinting and ip reputation scoring. We also have the means to leverage AV/Malware cleanup at the expensive of even greater cost and possible increased latency.

In all approaches, latency does increase to some degree, but only due to your remote-client’s traffic must travel thru a path of the mitigation provider network space & platform, in order to be inspected , policed and hopefully allowed thru. This latency increase is normally minimal and  within acceptable levels.

Now a few challenges  exists with the cloud-base solution;

·      SSL inspection is still in jeporday  if certificates and web server private-keys are not provided

·      In-the-cloud providers, must maintain a higher number of bodies and  offer 24x7 coverage for the  monitoring and mitigation process during the duration of the attack

·      Unless the service is  always-on, it’s hard to determine when a attack begins or even a quick means to even figure out the type of attack(s)

( I will speak more about this in a future post )

·      Customer have to make minimal changes,  in order to integrate into the service provider systems & networks

·      Training of their IT staff is time consuming

·      Attack intelligence is limited, and not shared amongst providers, hampering quick distribution of knowledge and threats indications

·      Almost no DDoS Provider , can honestly  claim 100% effectiveness ( there’s always leakage and legit traffic that  get’s over mitigated )

·      It’s almost next to impossible to use gathered forensic,  to identify and or prosecuted ALL attackers. The cost  and  the pure fact that the attackers could be anywhere from here to Mars,  make this point very hard to followup on, or the attack src's are spoof'd or infected bot agents.

Now we need to look at what types of attacks these in-the-cloud providers protect from.  Basically any and all.

Yes with the right mitigation  gear ,we can easily defend from pure bandwidth attacks , l3/l4 protocol attacks, redirection attacks, Layer7 application attacks, to include GET/POST floods or  those base off  SQL injection.

With AV/Malware  supported gear, we can even cleanup the traffic from virus, worms and Trojans. This along will reduce the chance of a infection or a machine  that could later infected others or become a member of a future bot attack.

DDoS mitigation is an on going chess game , of the  good guys various  the bad guys. In a never ending  battle.

Ken Felix
Freelance Network and Security Engineer
Let the battles begin J

kfelix   at  hyperfeed dot com

No comments:

Post a Comment