Network-wide Visibility

GenieATM is a Flow-based solution, and it supports all major flow exporting protocols, including Netflow, sFlow and Netstream. In order to provide MPLS analysis, it supports MPLS-aware Flows using v9 Flow export format. In addition, it supports BGP, SNMP and RADIUS protocols to collect routing, device and user identity information respectively.

Infrastructure Security

Service providers today face constant and growing threats to their bandwidth availability and performance. The most intimidating of these are Distributed Denial of Service (DDoS) attacks, which paralyze Internet systems by overwhelming servers, network links, and network devices (routers, switches, firewalls, etc.). According to a number of network security reports, DDoS attacks launched by botnets – not viruses, worms, or spam – currently pose the biggest threat to the Internet.

Conventional security solutions, such as firewall or IDS/IDP products deployed at the server, host or local network edge, may detect and remove attacks at the edge and protect the local network and hosts. However, these conventional approaches cannot mitigate the damage a DDoS attack does to network operators. Even when the attack traffic is removed at the very last mile, the operator's backbone links have already been seriously congested, and the routers and switches along the attack paths are paralyzed. Even when the traffic is not aimed at the operator's own network, the operator becomes a victim, and the target networks end up disconnected from the Internet.

Taking on DDoS attacks requires a new approach that not only detects increasingly complicated, sophisticated and deceptive attacks, but also mitigates their impact to ensure network resource availability. GenieATM is such a solution: it provides carrier-grade, network-wide DDoS defense through an embedded Network Behavior Anomaly Detection engine, and it can remove threats directly within the operator's network infrastructure to protect the ISP backbone as well as the edge local networks.

Network Behavior Analysis-based Detection (NBAD)

Based on its embedded Network Behavior Anomaly Detection (NBAD) engine, GenieATM collects flow data from routers and analyzes flows by their header information, such as TCP flag values and byte counts. It detects anomalies whose traffic behavior deviates from the normal traffic baselines, then locates the attack paths and victim hosts, triggers alarms, logs the relevant traffic data, and can also initiate mitigation actions.

The advantages of the NBAD mechanism include:

* Low deployment cost, since flow-exporting devices are already present in the backbone and large MANs;

* High performance/price ratio when deployed against flood attacks, compared with conventional in-line security products;

* Provides not only network-wide defense but also visibility into anomalous traffic.

Non-intrusive Mitigation

Several kinds of security tools for DDoS protection exist, including firewalls, IDP (Intrusion Detection and Prevention) systems, and ACLs (Access Control Lists) on routers or switches. Each of these products has its advantages but also its limitations. These conventional perimeter security tools do not by themselves provide comprehensive DDoS protection, especially in service providers' network infrastructures. Defending against the DDoS attacks that currently threaten Internet availability requires a purpose-built architecture with the ability to specifically detect and mitigate these growing threats.

GenieATM adopts a flow-based, non-intrusive deployment. Once it detects an anomaly, instead of blocking the anomalous traffic directly, it sends alarm notifications to network managers or other management systems. To stop anomalous traffic or security threats in a timely manner, GenieATM provides mitigation countermeasures that work with third-party devices such as routers and traffic-cleaning devices: suggesting ACL filter configurations to routers, announcing black-hole or sink-hole routes to routers, and triggering the protection actions of third-party mitigation devices.
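The detection-then-advise loop described in the NBAD and non-intrusive mitigation sections above, as an added illustration that is not GenieATM's own code: flow records with NetFlow v9-style fields (exporter, ingress ifIndex, addresses, tcpFlags, bytes) are compared against a per-destination baseline learned from earlier intervals, a SYN-flood-like deviation is reported together with the (exporter, interface) paths that carry it, and an advisory IOS-style ACL line is produced for an operator to review rather than applied. The thresholds, field names and sample addresses (RFC 5737 ranges) are all assumptions made for this example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # tcpFlags bits as carried in NetFlow v9 / IPFIX records

def flow(exporter, in_if, src, dst, flags, nbytes):
    """One minimal flow record; constructed sample fields, not a real export."""
    return dict(exporter=exporter, in_if=in_if, src=src, dst=dst, flags=flags, bytes=nbytes)

def learn_baseline(history):
    """Mean flows per interval for each destination, learned from past clean intervals."""
    totals = defaultdict(int)
    for interval in history:
        for r in interval:
            totals[r["dst"]] += 1
    return {dst: t / len(history) for dst, t in totals.items()}

def detect(records, base, factor=5.0, syn_ratio=0.8, min_flows=20):
    """Flag destinations whose flow count exceeds factor x baseline and whose flows are
    mostly SYN-only. Each finding names the victim, the (exporter, ingress ifIndex)
    paths ranked by flow count, and an advisory IOS-style ACL line for an operator."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    findings = []
    for dst, flows in by_dst.items():
        n = len(flows)
        if n < min_flows or n <= factor * base.get(dst, 1.0):
            continue  # within learned baseline (unseen hosts default to 1 flow/interval)
        syn_only = sum(1 for f in flows if f["flags"] & SYN and not f["flags"] & ACK)
        if syn_only / n < syn_ratio:
            continue  # volume anomaly without the SYN-flood signature
        paths = defaultdict(int)
        for f in flows:
            paths[(f["exporter"], f["in_if"])] += 1
        findings.append({"victim": dst, "flows": n, "syn_only": syn_only,
                         "paths": sorted(paths, key=paths.get, reverse=True),
                         "suggested_acl": f"access-list 101 deny tcp any host {dst}"})
    return findings

# Constructed sample (RFC 5737 addresses): three clean intervals, then one interval in
# which 40 SYN-only flows toward 203.0.113.10 arrive at router edge1, ingress ifIndex 3.
HISTORY = [[flow("edge1", 1, "192.0.2.%d" % i, "203.0.113.10", SYN | ACK, 1500)
            for i in range(4)] for _ in range(3)]
CURRENT = ([flow("edge1", 3, "198.51.100.%d" % i, "203.0.113.10", SYN, 60) for i in range(1, 41)]
           + [flow("edge1", 1, "192.0.2.%d" % i, "203.0.113.10", SYN | ACK, 1500) for i in range(4)]
           + [flow("edge2", 2, "192.0.2.9", "203.0.113.20", ACK, 900)] * 30)
if __name__ == "__main__":
    for finding in detect(CURRENT, learn_baseline(HISTORY)):
        print(finding)
```

The 30 plain ACK flows to 203.0.113.20 exceed the default baseline but are not reported, since the SYN-only ratio check separates a flood signature from a mere volume increase.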

The non-intrusive mitigation approach is superior to "in-line" DDoS solutions in several ways:

* The data collection points and the traffic blocking/cleaning devices are all reached via IP routing mechanisms, so the solution is as resilient and available as the IP network itself and introduces no single point of failure;

* For reliability and availability, in-line DDoS solutions require redundant pairs of devices deployed individually at each mitigation point, which increases the solution cost without a real gain in value. Furthermore, the management costs of in-line solutions are significantly higher because devices located at different points in the network must be provisioned and maintained;

* The distributed architecture gives GenieATM access to data from across the whole network, producing better heuristics and allowing earlier attack identification and mitigation.

Network-wide Troubleshooting

Network troubleshooting tools are among the most important products for network professionals. Businesses depend so heavily on their networks that even a short interruption in service can have major consequences. When anomalies occur on the network, network managers need a tool that can help locate the source of the problem effectively.

A protocol analyzer, sniffer or probe is among the most common and useful network troubleshooting tools. Such a tool gives a very detailed view of network traffic packets. While this level of detail is useful for solving networking problems whose location has already been narrowed down to a specific area, LAN or network link, this sort of tool falls short at locating problems in a huge network with hundreds of segmented networks and links. A network-wide troubleshooting tool with sophisticated drill-down capability, on the other hand, can help get to the root cause of a problem.

Real-time Troubleshooting & Retrospective Forensics

GenieATM provides a wealth of traffic monitoring reports, which give network managers a broad view of the traffic flowing within a network and can be used to pinpoint problems and anomalies. GenieATM is also designed to produce alerts when network activity becomes anomalous, based on dynamic baseline learning or user-configurable thresholds.

Meanwhile, GenieATM provides a traffic Snapshot tool for a real-time view of suspicious traffic. It allows traffic to be drilled down from various aspects, and hence supports efficient troubleshooting of zero-day attacks and anomalous routes, and hunting for rogue servers (e.g. illegal spam mail servers). For example, when a problem is reported, a network manager can drill down to find and locate the problem source, drill down again to find and locate the impacted victims, and drill down further to find the path the problem traffic traverses.

In addition to instant analysis of real-time traffic, GenieATM allows stored historical raw traffic to be selected as the analysis data source, enabling highly flexible, customized analysis.