Arbor White Paper: Why IPS Devices and Firewalls Fail to Stop DDoS Threats. How to Protect Your Data Center’s Availability


Page 1: Why IPS Devices and Firewalls Fail to Stop DDoS Threats · Why IPS Devices and Firewalls Can’t Stop DDoS Attacks Why Existing On-Premise Solutions Fail to Address DDoS Security

Arbor White Paper

Why IPS Devices and Firewalls Fail to Stop DDoS Threats: How to Protect Your Data Center’s Availability


About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for next-generation data centers and carrier networks. Arbor’s proven solutions help grow and protect our customers’ networks, businesses and brands. Arbor’s unparalleled, privileged relationships with worldwide service providers and global network operators provide unequalled insight into and perspective on Internet security and traffic trends via ATLAS—a unique collaborative effort with 100+ network operators across the globe sharing real-time security, traffic and routing information that informs numerous business decisions. For technical insight into the latest security threats and Internet traffic trends, please visit our Web site at arbornetworks.com and our blog at asert.arbornetworks.com.


Arbor White Paper: Layered Intelligent DDoS Mitigation Systems

As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use. For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of distributed denial of service (DDoS) attacks are taking a toll on these businesses. While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.

When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.

This white paper examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.

The Growing and Evolving DDoS Threat

During the last few years, DDoS attacks have been dominated by “volumetric” attacks usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. Some examples include the DDoS attacks against UK-based online betting sites¹ where the hackers extorted the gambling firms, and the politically motivated DDoS attacks against the Georgian government.² This type of DDoS attack is generally high bandwidth and originates from a large number of geographically distributed bots. The size of these volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and Internet service providers (ISPs) alike.

¹ news.bbc.co.uk/2/hi/technology/4169223.stm
² www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack


In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world’s most popular Internet shopping sites including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS,³ a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly.

This attack revealed the potential impact of DDoS on e-commerce. More importantly, it revealed a new type of “application-layer” DDoS attack that targets specific services and consumes lower bandwidth. These new application-layer DDoS attacks threaten a myriad of services ranging from Web commerce and DNS services to email and online banking.

Enterprises and IDC operators are very concerned with the availability of the critical services running in their data centers. At the same time, attackers view Internet-facing data centers as new prime targets and are launching DDoS attacks to wreak havoc on these companies.

[Figure: DDoS driven by financial motivations. A paid attacker’s botnet sends attack traffic, mixed with legitimate traffic, across the Internet into an Internet data center, where load balancers and servers are marked as targets and impacted.]

³ www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html


Attackers find Internet data centers attractive for the following reasons:

• The shared resources and multitenant nature of IDCs allow attackers to cause much collateral damage. In other words, they get “more bang for the buck!”

• Many times IDCs are running high-profile, mission-critical applications. This makes them ripe targets for extortion. By targeting such data centers, attackers are simply following the old saying “go where the money is.”

• Virtualization is a big part of data centers. This not only brings benefits but also opens up a whole new set of security challenges. For example, how do you get visibility into the virtual environment to protect it from inter-VM (virtual machine) attacks?

The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and data center operators must be prepared to combat them both.

[Chart: Evolution of network and DDoS attacks. Peak attack bandwidth (Gbps) per year, as read from the chart:]

Year    Peak Attack Bandwidth (Gbps)
2002    0.4
2003    1.2
2004    2.5
2005    10
2006    17
2007    24
2008    40
2009    49
2010    100

2002–2003: Typical attack is “host-to-host.” Goal is to exhaust CPU on the server (usually a Web server).

2004–2008: Botnets enable “volumetric” attacks against infrastructure (routers, DNS, name servers). In-cloud DDoS protection becomes essential.

2009 and Beyond: Sophisticated “application-layer” attacks target IDC services and enterprises. A layered defense is required.


Why IPS Devices and Firewalls Can’t Stop DDoS Attacks

Why Existing On-Premise Solutions Fail to Address DDoS Security

IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data.

While such security products effectively address “network integrity and confidentiality,” they fail to address a fundamental concern regarding DDoS attacks—“network availability.” What’s more, IPS devices and firewalls are stateful, inline solutions, which means they are vulnerable to DDoS attacks and often become the targets themselves.

Vulnerable to DDoS Attacks
• Targets of DDoS attacks.
• First to be affected by large flood or connection attacks.

Complicated to Use
• Require skilled security experts.
• Demand knowledge of attack types before attacks.

Failure to Ensure Availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Protection Limited to Certain Attacks
• Address only specific application threats.
• Do not handle attacks containing valid requests.

Deployed in Wrong Location
• Very close to servers.
• Too close to protect upstream router.

Incompatible with Cloud DDoS Protection Systems
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.

[Figure: Key elements of an information security strategy. Integrity, confidentiality and availability surround “Data & Services.”]


IPS Devices: Part of the DDoS Problem, Not the Solution

IPS devices are normally deployed inline behind firewalls and must inspect every packet for signature matches. As stateful devices, they must also track all connections. These two requirements make IPS devices vulnerable to DDoS attacks and add network latency.

Let’s examine the full impact of this vulnerability in more detail. IPS devices are deployed inline because they are designed to prevent malware from spreading through a network. But this inline deployment adds to the “attack surface” since the connection tables can be overwhelmed—thus negatively impacting performance.

IPS devices are especially susceptible to well-known vulnerabilities including:

• Flooding: IPS devices depend on resources such as memory and processor power to effectively capture packets, analyze traffic and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IPS device to exhaust its resources.

• Fragmentation: Hackers can divide attack packets into smaller and smaller portions that evade the IPS device.

Because IPS devices depend on signature-based detection of known threats, they usually miss a new threat because the signature has yet to be developed. They are always playing catch-up to emerging threats.

Network-based IPS devices also use protocol anomaly-based detection, which is not effective in detecting and stopping DDoS attacks. That is because this method of detection does not allow IPS devices to analyze traffic simultaneously across multiple links. As a result, it prevents them from detecting and stopping a true “distributed” DoS attack.

Lastly, because IPS devices are usually deployed inline, they can introduce unacceptable latency in high-capacity networks. The complex algorithms in IPS devices can significantly add to this latency; in addition, the devices can be overwhelmed during packet floods while performing this complicated analysis. Such latency is unacceptable in the high-bandwidth networks of hosting providers and large online enterprises. As a result, IPS devices are simply not effective on very high traffic links.

[Figure: IPS devices are not designed to stop DDoS attacks. A botnet’s attack traffic, mixed with legitimate traffic, causes congestion at the ISP/Internet data center and failure at the inline IPS.]


Firewalls: Ripe Targets for DDoS Attacks

Like IPS devices, firewalls are designed to solve an important security problem—in this case, policy enforcement to prevent unauthorized data access. To do this job effectively, modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid.

But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets. They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency. And because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronize (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods. Major data center operators do not deploy firewalls in front of services because of this, and there is just no reason to deploy them in front of servers.
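To make the connection-table failure mode concrete, here is an added example (not Arbor’s code and not from the paper) that models a stateful inline device’s table: it classifies each packet as new, existing or invalid exactly as described above, and spoofed SYNs that never complete the handshake fill it until a legitimate SYN is refused. The capacity, the half-open timeout and all addresses are assumed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class StatefulTable:
    """Connection table of an inline stateful device, with a fixed capacity (assumed model)."""
    capacity: int
    half_open_timeout: float = 30.0  # assumed: seconds a SYN-only entry may linger
    entries: Dict[FlowKey, Tuple[str, float]] = field(default_factory=dict)

    def expire(self, now: float) -> int:
        """Age out half-open entries older than the timeout; returns how many were removed."""
        stale = [k for k, (state, t) in self.entries.items()
                 if state == "SYN_RECV" and now - t > self.half_open_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def classify(self, key: FlowKey, flags: str, now: float) -> str:
        """Stateful inspection: 'new', 'existing', 'invalid', or 'dropped' when the table is full."""
        if key in self.entries:
            if flags == "A":  # final ACK of the handshake for a known half-open flow
                self.entries[key] = ("ESTABLISHED", now)
            return "existing"
        if flags != "S":  # mid-stream packet with no matching state
            return "invalid"
        if len(self.entries) >= self.capacity:
            return "dropped"  # no room left: even a legitimate SYN is refused
        self.entries[key] = ("SYN_RECV", now)
        return "new"


def simulate_syn_flood(capacity: int = 1000, flood_packets: int = 1000) -> dict:
    """Constructed scenario: spoofed SYNs that never complete the handshake fill the table."""
    table = StatefulTable(capacity=capacity)
    for i in range(flood_packets):  # constructed spoofed sources, one half-open entry each
        key = (f"198.51.100.{i % 254 + 1}", 1024 + i, "203.0.113.10", 443)
        table.classify(key, "S", now=0.0)
    peak = len(table.entries)
    legit = ("192.0.2.7", 51000, "203.0.113.10", 443)  # constructed legitimate client
    during = table.classify(legit, "S", now=1.0)  # arrives while the table is full
    table.expire(now=31.0)  # half-open entries age out once the timeout passes
    after = table.classify(legit, "S", now=31.0)
    return {"occupancy_peak": peak, "during_flood": during, "after_expiry": after}


if __name__ == "__main__":
    print(simulate_syn_flood())
```

The timeout only helps once the flood pauses; while it is sustained the table refills faster than entries age out, which is the paper’s point that the device itself becomes the victim.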

[Figure: Firewalls can actually be the targets of DDoS attacks. Botnet attack traffic, mixed with legitimate traffic, causes congestion at the ISP/Internet data center and failure at the inline firewall.]


Key Features of an IDMS

The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless,” in other words, it must not track state for all connections. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.

To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.
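The single-segment versus distributed detection point above (and the earlier observation that an IPS cannot analyze traffic across multiple links) as an added example, not from the paper: over constructed flow records, each link’s SYN-only count stays under an assumed threshold while the sum across links crosses it. Link names, addresses and the threshold are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One exported flow record per (link, source, destination). Flags "S" means only a SYN
# was seen (half-open attempt); "SA" means the handshake completed.
FlowRecord = Tuple[str, str, str, str, int]  # (link, src_ip, dst_ip, flags, syn_packets)
SYN_THRESHOLD = 1000  # assumed: SYN/s toward one destination that counts as a flood


def build_sample_flows() -> List[FlowRecord]:
    """Constructed one-second window: 1200 SYN/s spread evenly over three ISP links."""
    flows: List[FlowRecord] = []
    for link in ("isp-a", "isp-b", "isp-c"):
        for i in range(40):  # 40 spoofed sources per link, 10 SYNs each = 400 SYN/s per link
            flows.append((link, f"198.51.100.{i + 1}", "203.0.113.10", "S", 10))
        flows.append((link, "192.0.2.7", "203.0.113.10", "SA", 3))  # real client sessions
    return flows


def half_open_syns_per_link(flows: List[FlowRecord]) -> Dict[Tuple[str, str], int]:
    """What a single-segment device sees: SYN-only packets per (link, destination)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for link, _src, dst, flags, pkts in flows:
        if flags == "S":
            counts[(link, dst)] += pkts
    return dict(counts)


def half_open_syns_per_dst(flows: List[FlowRecord]) -> Dict[str, int]:
    """What a distributed detector sees: the same counts summed across all links."""
    totals: Dict[str, int] = defaultdict(int)
    for (_link, dst), n in half_open_syns_per_link(flows).items():
        totals[dst] += n
    return dict(totals)


def single_link_alerts(flows: List[FlowRecord]) -> List[Tuple[str, str]]:
    """Alerts a per-link device would raise (here none: every link is under threshold)."""
    return [k for k, n in half_open_syns_per_link(flows).items() if n > SYN_THRESHOLD]


def distributed_alerts(flows: List[FlowRecord]) -> List[str]:
    """Alerts raised once per-link counts are correlated across links."""
    return [d for d, n in half_open_syns_per_dst(flows).items() if n > SYN_THRESHOLD]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-link alerts:", single_link_alerts(sample))    # []
    print("distributed alerts:", distributed_alerts(sample))  # ['203.0.113.10']
```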

Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:

• Stateless

• Inline and Out-of-Band Deployment Options

• Scalable DDoS Mitigation

• Ability to Stop “Distributed” DoS Attacks

• Multiple Attack Countermeasures

• Comprehensive Reporting

• Industry Track Record and Enterprise

IDMS Enables a Layered Defense Strategy

IDMS provides a layered network- and edge-based solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud. The best place to perform application-layer DDoS detection is in the data center or the enterprise edge because the attack can only be detected and quickly stopped at the data center edge.

IDC operators and enterprises should get DDoS protection from upstream providers as well as deploy DDoS protection on premises at the IDC and enterprise edge. This ideal architecture will stop both large “volumetric” and “targeted application-layer” DDoS attacks. IDMS fits perfectly in this ideal architecture.

The Obvious Need for Intelligent DDoS Mitigation Systems (IDMS)

The ideal solution is an IDMS that can stop both volumetric and application-layer DDoS attacks. It must also be deployable in the ISP network (in cloud) and at the enterprise or data-center edge.


Conclusion

IPS devices and firewalls are effective tools in addressing network integrity and confidentiality. But when it comes to DDoS protection, they provide a false sense of security. That is because they fail to address the fundamental concern regarding DDoS attacks—network availability.

What is more, as stateful, inline tools, IPS devices and firewalls are vulnerable to DDoS attacks, often becoming the targets themselves. By relying on Peakflow SP and TMS, enterprises and IDC operators can deploy an IDMS that provides a layered network- and edge-based solution for combating both volumetric and application-layer DDoS attacks.

For more white papers visit Arbor Networks’ Web site at www.arbornetworks.com. For commentary and reports on the latest in Network Security, visit Arbor’s security blog at asert.arbornetworks.com.

[Figure: Multiple layers of defense required for comprehensive DDoS protection. Large DDoS attacks are stopped at the ISP cleaning center; application-layer attacks are stopped at the Internet data center edge, in front of the firewall, IDS/IPS, load balancer and the target applications and services. Attack traffic is shown alongside legitimate traffic.]


Corporate Headquarters

6 Omni Way, Chelmsford, Massachusetts 01824

Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905

Europe

T +44 207 127 8147

Asia Pacific

T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/IPS/EN/1012