Nowadays service providers are facing constant and growing threats to ensure their bandwidth availability and performance. The most intimidating threats to a service provider’s bandwidth availability are the Distributed Denial of Service (DDoS) attacks. DDoS attacks paralyze internet systems by overwhelming servers, network links, and network devices (routers, switches, firewalls, etc.) According to a number of network security reports, DDoS attacks propagated by botnets – not viruses, worms, nor spam – currently pose the biggest threat to the internet.
Conventional security solutions, such as firewall or IDS/IDP products, deployed at the server, host or local network edge may detect and remove attacks at the edge protecting the local network and hosts. However, these conventional approaches cannot mitigate the DDoS attack damages for network operators. Even though the attacks are removed at the very last mile, the operator's backbone pipes have been seriously jammed, and the routers and switches on the attacking paths are paralyzed. Even if the victim network is not directly attacked by the traffic, the operator becomes the victim hence the target networks would be disconnected from the internet.
Tackling DDoS attacks requires a new approach that not only detects the increasingly complicated, sophisticated and deceptive attacks, but also mitigates the impacts of the attacks to ensure network resource availability. GenieATM is such the solution providing carrier-grade network-wide DDoS defense by embedding a Network Behavior Anomaly Detection engine. It can be applied to remove the threats directly from the operator's network infrastructure to protect the ISP backbone as well as the edge local networks.
Network Behavior Analysis-based Detection (NBAD)
Based on the embedded Network Behavior Anomaly Detection (NBAD) engine, GenieATM analyzes flows by their header information such as TCP flag values and byte-count after collecting flow data from routers. GenieATM detects anomalies by their traffic behaviors deviating from normal traffic baselines. Attacking paths and victim hosts, triggers alarms, logs relevant traffic data is then located and mitigation actions can also be initiated.
The advantages of NBAD mechanism include:
- Low deployment costs as Flow devices are already in the backbone and large MAN
- High performance/price ratio when deployed to solve flood attacks compared with conventional in-line security products
- Provide network-wide defense and anomaly traffic visibility
Different security tools of DDoS protection exist. These include firewalls, IDP (Intrusion Detection Prevention), ACL (Access Control List) in routers or switches, etc. However, each of these products not only has its advantages but also limitations. These conventional perimeter security tools do not by themselves provide comprehensive DDoS protection, especially in the service providers’ network infrastructures. Defending the DDoS-threatened internet availability requires a more purpose-built architecture that includes the ability to specifically detect and mitigate the increasingly threats.
GenieATM adopts a flow-based, non-intrusive deployment. Once it detects anomalies, instead of blocking the anomalous traffic directly, it sends alarming notifications to network managers or other management systems. In order to stop anomaly traffics or security threats timely, GenieATM provides anomaly mitigation countermeasures by working with 3rd-party devices (routers and traffic cleaning devices etc.), suggesting ACL filters configuration to routers, announcing Black-hole or Sink-hole routes to routers, and triggering protection actions of 3rd-party mitigation devices.
The benefit of the non-intrusive mitigation solution to “in-line” DDoS solutions is in many ways:
- The data collection points and the traffic blocking/cleaning devices are all placed via IP routing mechanisms, and hence the solution is as resilient and available as an IP network. No single-point-of-failure concern incurred
- For reliability and availability, in-line DDoS solutions require redundant pairs of devices individually deployed at each mitigation point which increase the solution costs without real gain in value. Furthermore, the management costs of in-line solutions are significantly increased for provisioning and maintaining the devices located at different points in the network
- The distributed architecture gives GenieATM access to all the data network-wide hence producing better heuristics and allowing earlier attack identification and mitigation