Frequently Asked Questions About DDS
A distributed denial-of-service (DDoS) attack occurs when multiple systems overwhelm the bandwidth or other resources of a targeted system, overloading it and causing it to go down or to experience severely degraded service. DDoS attacks cause costly network downtime to organizations that rely on the Internet to do business.
Traditional DDoS attacks use a high volume of packets to flood the network. Today's DDoS attacks use new techniques that traditional security technologies (including firewalls) do not protect against. Network flood attacks are still occurring, but there are an increasing number of attacks on the application layer that are harder to detect and mitigate as they appear legitimate and do not consume excessive bandwidth resources.
Application layer DDoS attacks not only send network packets, but they may actually complete TCP connections from the attacker to the victim server. Once the TCP connection is made, the attacking computers make repeated requests to the application, progressively consuming resources until they are entirely depleted, rendering the application incapable of responding to legitimate user requests.
Cyber attacks that are perpetrated by criminals, terrorists and/or cyber activists have reached a level of complexity that firewall technology cannot protect against. Stateful firewalls are not designed to handle large volumetric attacks and do not have complete L3-L7 DDoS defense functionality. The firewall dictates what services may be used, but not how they are used. Attackers know this and calculatedly misuse the allowed services, compromising the firewall and/or its performance and downstream applications.
Corero’s First Line of Defense stops DDoS and blended attacks, advanced evasion techniques, specially crafted attacks and other intrusions at the perimeter of the network before they hit the infrastructure while complementing existing security devices, including firewalls.
Even firewalls that claim to have DDoS defense built-in typically have only one method of blocking attacks: the usage of indiscriminate thresholds. When the threshold limit is reached, every application and every user using that port gets blocked, causing an outage. Attackers know this is an effective way to block the good users along with the attackers. Because network and application availability is affected, the end goal of denial of service is achieved.
Cybercriminals are shifting tactics to bypass the traditional corporate perimeter defenses, which typically include anti-virus, firewalls, and intrusion prevention systems. Corero’s First Line of Defense dynamically and continuously discriminates between legitimate customer usage and malicious activity, and through the elimination of attack traffic allows legitimate customer traffic to pass normally. Corero’s First Line of Defense approach places an on-premise network device in front of the existing firewalls to defeat attacks that degrade or disable the current IT infrastructure and other security solutions, before these attacks penetrate the corporate network.
I already have a DDoS protection service form my ISP or Cloud Provider. Why do I need on-premise defense?
The breadth of DDoS attacks range from the very high volumetric attacks that fill your Internet pipes to the most common attack seen today: the low & slow application-layer DDoS attack that shuts down web services and critical applications. Cloud-based solutions only combat a small sample of DDoS attack vectors while IPS services blackhole route the attack upstream or force it through a scrubbing center, often resulting in blocking good users along with the attack traffic. Volumetric attacks are easily blocked in the cloud due to their attack nature but low & slow attacks often pass undetected. In order to detect low & slow application-layer DDoS attacks and specially crafted packet attacks, significant amounts of Deep Packet Inspection (DPI) is required, and Cloud-based DDoS services do not provide this feature. As an on premise solution, Corero’s First Line of Defense sees both client and server side traffic, providing the ability to detect anomalous or malicious behavior. Corero combines full L3-L7 DDoS protection and DPI at the perimeter of the network, stopping these new malicious server attacks before they can impact your infrastructure.
Signature-based strategies detect known threats. They utilize pattern matching techniques similar to anti-virus products but have no ability to block attacks for which they have no signature—and the attackers know this. By simply manipulating a few characters in a header or payload, an attack can easily pass through today’s signature-based technology and compromise network services. Corero’s First Line of Defense uses both protocol behavioral analysis techniques as well as signature matching to protect against unknown attacks before they hit the network.
Why can't my current IPS stop these blended attacks which can contain everything from DDoS to specially crafted exploits?
Current IPS devices do not provide network and application L3-L7 protection capabilities against DDoS and other unwanted traffic. An IPS device under a DDoS attack will experience severe degradation with massive Deep Packet Inspection (DPI) processing or simply go into bypass mode allowing the attacks to compromise network resources or applications. Today we see volumetric DDoS attacks melting down perimeter IPS devices while low-and-slow DDoS attacks pass right through them without detection. Corero’s First Line of Defense is a purpose-built in-line networking device that blocks L3-L7 DDoS and advanced server attacks at the perimeter of the network.
With regard to DDoS attacks as well as other attack vectors, layered security is a must, starting with a First Line of Defense that stops the latest and most virulent DDoS attacks and other unwanted or malicious traffic so the existing IT infrastructure can work as it was intended. Corero uses a range of techniques that successively delve deeper into the incoming packets to understand where traffic is coming from; what behaviors it exhibits; whether it violates standard protocols; and what payload it carries. A thorough inspection removes unwanted traffic before it can affect any part of the IT infrastructure, allowing normal operations even at the height of an attack.
The Corero solution performs the following to deliver layers of protection that a firewall can’t provide:
- Control Access - Control who gets in and who doesn’t. There are known bad IP addresses, questionable sources, and unknown attackers that pose threats. Therefore, the first step in Corero’s process is to block traffic coming from sources that are known to be bad and then to thoroughly scrutinize all other traffic based on reputation, geolocation and potential threat. Corero’s solution uses real-time reputation updates, current geolocation information and real-time threat detection to evaluate inbound traffic.
- Limit Rates - An unnatural rate of traffic coming into a network is often a strong indication of an attack. For example, there may be users with way too many requests or open connections. Corero's solution limits the rates of inbound traffic.
- Enforce Protocols - If Web traffic has passed the previous two steps, the next measure is to look at whether it conforms to desired behavior. Examples of non-conformance are users that are violating protocol and application usage standards or corporate usage policies, and questionable outbound traffic not conforming to policies and/or standards. Corero's solution uses various techniques to evaluate traffic at this stage to stop attack traffic.
- Prevent Intrusions - Typically, known security issues are specifically targeted attacks against server infrastructure. They include traffic containing buffer overflows, injections and brute-force password attacks. Attack traffic also can contain random malware and exploits as part of their payloads, and although they are not necessarily targeted at server infrastructure, these vulnerabilities do exist and must be protected. Further, advanced evasion techniques such as fragmentation and segmentation can be used to hide attacks. Corero's solution provides a range of techniques that defend against application attacks.
- Increase Visibility - Cyber attacks are becoming more advanced as well as more frequent. Attackers are growing more sophisticated in the ways they exploit network vulnerabilities and evade detection. In order to fight fire with fire, security experts need more visibility into what is happening at their network’s perimeter. They need to be able to answer questions like: Who are the attackers? What are they attacking? How are they attacking? Where are my vulnerabilities? How can I better protect my network against future threats? Corero's solution incorporates a multi-pronged approach to increase the needed visibility.
Most stand-alone anti-DDoS products only defend against DDoS and little else. Corero has brought a more comprehensive defense system to the market that covers more than just DDoS attacks but rather all forms of unwanted traffic at the perimeter by differentiating between good, legitimate traffic and malicious users.
Corero's First Line of Defense Blocks:
- Known Malicious IP Addresses
- Undesired Geographic Access
- Volumetric Rate-Based Attackers
- Below the Radar (Low-and-Slow) Attackers
- Questionable Outbound Traffic
- Protocol and Application Violators
- Zero-Day Attacks
- Overflows, Injections and Brute-Force Attackers
- Exploits, Malware and Other Attacks
- Advanced Evasion and Blended Threats
Do I need to change my current network and security configurations if I deploy Corero's First Line of Defense solution?
Corero’s First Line of Defense is a completely transparent, L2, bump-in-wire technology, and is easily inserted into any network infrastructure. The device has no MAC addresses or IP addresses on its filtering interfaces and supports out-of-band management. No network or security configuration changes are required when deployed upstream of firewalls, IPS devices, web application firewalls (WAF), load-balancers or any other network technology. Corero’s First Line of Defense operates as a pre-filter for all downstream devices, offloading DDoS attacks and unwanted traffic from the network, while protecting infrastructure and eliminating downtime.
You state that Corero is positioned as a high performance in-line networking device. How can you prove your solution stays available under a heavy attack?
Corero’s First Line of Defense is a purpose built appliance with no movable media, no exotic cooling systems, no open source or commercially available operating systems, redundant power, N+1 fan assemblies and a MTBF of over 20 years. The solution offers internal zero-power bypass models, fails open and will revert to bypass mode for any software or hardware failures while notifying operators of any issues. The First Line of Defense is sound, reliable and extremely fast.
Through patented algorithms, well-designed hardware and extremely efficient software the solution stays up with extremely low latency even when the system is operating at 100% utilization.
Corero’s First Line of Defense solution can be upgraded to a higher capacity simply via a license upgrade key. The new license key is entered into the management GUI on the device and with a simple reboot the unit operates at a higher capacity, allowing the solution to grow as customer bandwidth and processing requirements increase.
Corero's First Line of Defense provides several key business benefits:
- Protects your network, allowing legitimate users and their communications to pass without delay even while under attack
- Enables business continuity and availability
- Assures your organization’s investment in your IT infrastructure and enables it to function as it was intended
- With ReputationWatch, provides automated real-time defense against identified DDoS attack sources
ReputationWatch identifies in real time known malicious entities and blocks access to “bad” IP addresses to dynamically stop DDoS attacks. The Internet threat environment is in a constant state of flux. IP addresses can go from bad to good in a matter of minutes and vice versa. ReputationWatch dynamically responds to the latest intelligence and blocks malicious addresses automatically, so that the Corero First Line of Defense is always defending against the latest threats.
The geolocation capability in ReputationWatch enables organizations to limit or even exclude traffic from countries with which they do little or no business, or countries associated with high numbers of attacks.
SecureWatch PLUS is a comprehensive suite of configuration optimization, monitoring and response services for DDoS defense, customized to meet the security policy requirements and business goals of each Corero First Line of Defense customer. With SecureWatch PLUS, customers receive expert DDoS defense services, including organization-specific implementation, around-the-clock monitoring and immediate and effective response in the event of an attack.
Corero offers a variety of support services to complement the First Line of Defense:
- SecureWatch is a “lightweight maintained service.” This service is available to Corero customers who would like assistance with maintaining and keeping the technology operating optimally and up-to-date.
- Corero Customer Support is also available to Corero customers on a 24x7 basis to assist with software and hardware issues.
- Corero’s Threat Update Service delivers daily and weekly security updates to Corero customers ensuring that their systems are always current and providing maximal protection.
- Corero’s Premium Threat Update Service with ReputationWatch/Geolocation is also available.
- Corero includes Turn-Key Installation Services as part of the purchase price, purchased in two-day (8 hours per day) increments.
- Corero offers periodical Security Optimization Services which can be purchased in one-day (8 hour) increments.