RE: Denial of Service: Commercial Defense products

["Barrett G. Lyon" <blyon () prolexic com>]

It is my philosophy that denial of service hardware cannot stop real  
DDoS attacks.  You could shell out several hundred thousand dollars  
for some defense products mentioned in a number of these forum  
emails, however, it may do nothing more that overly complicate your  
network.  Defense products such as IPS devices that do DDoS  
protection have failure points, they are also only as good as the  
operators of the hardware and network.

If you have a "2 gig" solution configured on your network, and you  
have 5 gigs of Internet transit, that does not guarantee or buy you  
anything.  Attackers often go after router interfaces, dns servers,  
or sheer packet rates that could cause your routers to completely  
fail, your network could easily be saturated.  This weekend alone we  
saw attacks that were over 9 gigabit-per-second reaching 20M PPS.  At  
9 gig, there is no IPS that will work for you.  Before we were  
dealing with the attack to that particular customer, their DDoS  
protected solution failed, their ISP went offline, and their ISP's  
tier-1 carrier had to start null routing the attack.  Some carriers  
die because their peering arraignments saturate and cause harm to  
their networks before the traffic ever reaches an IPS device.  These  
attacks require packet-per-second processing in the 20's of millions,  
not in the range of 1, 2, or even 8 gigs.

Managing bandwidth at that rate also becomes a nightmare and nearly  
impossible for a large enterprise to deal with.  Looking further into  
an attack mitigation stratigy, attacks at that size require a 24/7  
operation full of people that know how to massage traffic, massage  
routers, perform attack analysis, track attacks, report them to the  
FBI, and at times design special solutions to deal with the 0-minute  
issues that often happen with DDoS attacks.

During our attacks over Christmas (yes all Christmas day we were  
working) we saw 2 tier-1 backbones fail and were forced to pull the  
plug on the traffic.  Fortunately we operate 12+ carriers at any  
given time, so that's not a major impact to our operations.  We were  
also able to filter the traffic without impact to the customer, and  
without the customer having to foot the bill for their huge inbound  
bandwidth problems.  We also operate anycast and special distribution  
methods where we can push DDoS traffic all around the earth, this  
allows us to utilize peering arrangements with large eyeball networks  
and to deploy network sinkholes in different demographic areas.

During any off hour situations the hardware vendor will be on the  
hook to get the network fixed.  Getting a fix or even getting access  
to the equipment is a slow process for a vendor, our customers have  
used things like Cisco's Guard and when it comes down to a determined  
attacker, the Guard will fail, and that's where we pick-up the mess.

With the above said, I feel the correct approach (the approach I have  
dedicated all of my efforts towards) is a holistic defensive  
network.  Prolexic is a defense network, we operate at rates  
unobtainable by any other product.  Our SLA (yes we guarantee our  
network) is at rates 20 times higher than the best IPS and DDoS  
hardware you can buy.

Operating such a network also comes with the benefit of operating  
quarantines, research arms, and each attack makes us stronger as we  
continue to evolve our own FPGA and ASIC based defense technology.   
At today's rates we are processing several attacks a day, with our  
24/7 NOC functioning as some of the best digital grenade jumpers on  
the Internet.

My advice to all IPS and commercial DDoS product shoppers is to  
really create a defense strategy that is obtainable and not base the  
design off a single IPS or hardware device.  Make sure your entire  
operation is ready to function while under attack; programmers,  
networking groups, security groups, etc.  Making a hardware device a  
success takes a little luck and a lot of fortitude.

In my opinion finding a network based solution is the easy and  
scaleable approach to this problem and should be something that is  
also looked at seriously before buying an IPS.

-Barrett


--
Barrett Lyon
CTO and Founder
Prolexic Technologies, Inc

 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------