RE: Denial of Service: Commercial Defense products
- From: "Barrett G. Lyon" <blyon@xxxxxxxxxxxx>
- Date: Tue, 27 Dec 2005 18:48:48 -0800
It is my philosophy that denial of service hardware cannot stop real DDoS attacks. You could shell out several hundred thousand dollars for some defense products mentioned in a number of these forum emails, however, it may do nothing more that overly complicate your network. Defense products such as IPS devices that do DDoS protection have failure points, they are also only as good as the operators of the hardware and network.
If you have a "2 gig" solution configured on your network, and you have 5 gigs of Internet transit, that does not guarantee or buy you anything. Attackers often go after router interfaces, dns servers, or sheer packet rates that could cause your routers to completely fail, your network could easily be saturated. This weekend alone we saw attacks that were over 9 gigabit-per-second reaching 20M PPS. At 9 gig, there is no IPS that will work for you. Before we were dealing with the attack to that particular customer, their DDoS protected solution failed, their ISP went offline, and their ISP's tier-1 carrier had to start null routing the attack. Some carriers die because their peering arraignments saturate and cause harm to their networks before the traffic ever reaches an IPS device. These attacks require packet-per-second processing in the 20's of millions, not in the range of 1, 2, or even 8 gigs.
Managing bandwidth at that rate also becomes a nightmare and nearly impossible for a large enterprise to deal with. Looking further into an attack mitigation stratigy, attacks at that size require a 24/7 operation full of people that know how to massage traffic, massage routers, perform attack analysis, track attacks, report them to the FBI, and at times design special solutions to deal with the 0-minute issues that often happen with DDoS attacks.
During our attacks over Christmas (yes all Christmas day we were working) we saw 2 tier-1 backbones fail and were forced to pull the plug on the traffic. Fortunately we operate 12+ carriers at any given time, so that's not a major impact to our operations. We were also able to filter the traffic without impact to the customer, and without the customer having to foot the bill for their huge inbound bandwidth problems. We also operate anycast and special distribution methods where we can push DDoS traffic all around the earth, this allows us to utilize peering arrangements with large eyeball networks and to deploy network sinkholes in different demographic areas.
During any off hour situations the hardware vendor will be on the hook to get the network fixed. Getting a fix or even getting access to the equipment is a slow process for a vendor, our customers have used things like Cisco's Guard and when it comes down to a determined attacker, the Guard will fail, and that's where we pick-up the mess.
With the above said, I feel the correct approach (the approach I have dedicated all of my efforts towards) is a holistic defensive network. Prolexic is a defense network, we operate at rates unobtainable by any other product. Our SLA (yes we guarantee our network) is at rates 20 times higher than the best IPS and DDoS hardware you can buy.
Operating such a network also comes with the benefit of operating quarantines, research arms, and each attack makes us stronger as we continue to evolve our own FPGA and ASIC based defense technology. At today's rates we are processing several attacks a day, with our 24/7 NOC functioning as some of the best digital grenade jumpers on the Internet.
My advice to all IPS and commercial DDoS product shoppers is to really create a defense strategy that is obtainable and not base the design off a single IPS or hardware device. Make sure your entire operation is ready to function while under attack; programmers, networking groups, security groups, etc. Making a hardware device a success takes a little luck and a lot of fortitude.
In my opinion finding a network based solution is the easy and scaleable approach to this problem and should be something that is also looked at seriously before buying an IPS.
-- Barrett Lyon CTO and Founder Prolexic Technologies, Inc
------------------------------------------------------------------------ Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
- Prev by Date: Re: on TASL correlation rules
- Next by Date: Fortinet's fortigate 100 devices
- Previous by thread: RE: Denial of Service: Commercial Defense products
- Next by thread: tired of "what is the best IDS/IPS system?" questions