Infrastructure Security

Nowadays service providers face constant and growing threats to their bandwidth availability and performance. The most intimidating threats to a service provider's bandwidth availability are Distributed Denial of Service (DDoS) attacks. DDoS attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, switches, firewalls, etc.). According to a number of network security reports, DDoS attacks propagated by botnets, rather than viruses, worms or spam, currently pose the biggest threat to the Internet.

Conventional security solutions, such as firewall or IDS/IDP products deployed at the server, host or local network edge, may detect and remove attacks at the edge and protect the local network and hosts. However, these conventional approaches cannot mitigate the damage a DDoS attack does to the network operator. Even though the attack is removed at the very last mile, the operator's backbone pipes have already been seriously jammed, and the routers and switches along the attack paths are paralyzed. Even when the attack traffic is not aimed at the operator's own network, the operator becomes a victim, and the target networks end up disconnected from the Internet.

Taking on DDoS attacks requires a new approach that not only detects increasingly complicated, sophisticated and deceptive attacks, but also mitigates their impact to ensure network resource availability. GenieATM is such a solution, providing carrier-grade network-wide DDoS defense by embedding a Network Behavior Anomaly Detection engine. It can be applied to remove threats directly within the operator's network infrastructure, protecting the ISP backbone as well as the edge local networks.

Network Behavior Analysis-based Detection (NBAD)

Using its embedded Network Behavior Anomaly Detection (NBAD) engine, GenieATM collects flow data from routers and analyzes flows by header information such as TCP flag values and byte counts. It detects anomalies as traffic behavior that deviates from normal traffic baselines, then locates the attack paths and victim hosts, triggers alarms, logs the relevant traffic data, and can also initiate mitigation actions.
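As an added illustration (not GenieATM's own code or algorithm), the following Python sketch of the flow-based detection just described builds a per-destination baseline of SYN-only flow counts from constructed NetFlow-style records, flags a minute whose count deviates from that baseline, reports the victim host and the exporting routers on the attack paths, and emits a suggested black-hole route. The record layout, the threshold rule, the router names and the addresses are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10          # TCP flag bits as exported in flow records
DONE = 0x1b                    # SYN|ACK|PSH|FIN: cumulative flags of a completed session

def constructed_flows():
    """Constructed NetFlow-style records (not real traffic):
    (minute, exporting_router, src_ip, dst_ip, tcp_flags, packets, bytes).
    Minutes 0-4 are normal; minute 5 adds a spoofed SYN flood toward 10.0.0.5."""
    flows = []
    for minute in range(6):
        for i in range(20):    # ordinary completed sessions carrying real payload
            flows.append((minute, "r1", f"198.51.100.{i}", "10.0.0.5", DONE, 40, 38000))
        for i in range(3):     # a handful of half-open connections is normal
            flows.append((minute, "r2", f"203.0.113.{i}", "10.0.0.5", SYN, 1, 60))
    for i in range(200):       # attack: single-packet SYN-only flows via two routers
        router = "r1" if i % 2 else "r2"
        flows.append((5, router, f"192.0.2.{i % 250}", "10.0.0.5", SYN, 1, 60))
    return flows

def syn_only_counts(flows):
    """Per (minute, dst): number of SYN-only flows and the routers that exported them."""
    counts, paths = defaultdict(int), defaultdict(set)
    for minute, router, _src, dst, flags, pkts, _bytes in flows:
        if flags & SYN and not flags & ACK and pkts == 1:   # handshake never completed
            counts[(minute, dst)] += 1
            paths[(minute, dst)].add(router)
    return counts, paths

def detect(flows, train_minutes, k=3.0):
    """Baseline SYN-only counts per destination over train_minutes; alarm on later minutes
    above mean + k*stdev, floored at 50% over the mean so a flat baseline is not hair-trigger."""
    counts, paths = syn_only_counts(flows)
    alarms = []
    for dst in sorted({dst for _, dst in counts}):
        history = [counts.get((m, dst), 0) for m in train_minutes]
        base = mean(history)
        threshold = base + max(k * pstdev(history), 0.5 * base)
        for (minute, d), observed in sorted(counts.items()):
            if d == dst and minute not in train_minutes and observed > threshold:
                alarms.append({"victim": dst, "minute": minute, "observed": observed,
                               "threshold": threshold, "attack_paths": sorted(paths[(minute, d)])})
    return alarms

def blackhole_suggestion(alarm):
    """Suggested RTBH-style static route for the victim /32 (Cisco IOS syntax)."""
    return f"ip route {alarm['victim']} 255.255.255.255 Null0"
```

Note that a destination-based black-hole route protects the backbone by discarding all traffic to the victim, so it is a last resort compared with an ACL that matches only the attack pattern.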

The advantages of the NBAD mechanism include:

* Low deployment cost, since flow-exporting devices are already present in the backbone and in large MANs;

* High performance/price ratio when deployed against flood attacks, compared with conventional in-line security products;

* Network-wide defense together with visibility into anomalous traffic.

Non-intrusive Mitigation

Different security tools for DDoS protection exist, including firewalls, IDP (Intrusion Detection and Prevention), ACLs (Access Control Lists) in routers or switches, etc. However, each of these products has its advantages but also its limitations. These conventional perimeter security tools do not by themselves provide comprehensive DDoS protection, especially in service providers' network infrastructures. Defending against the DDoS attacks currently threatening Internet availability requires a purpose-built architecture with the ability to specifically detect and mitigate these growing threats.

GenieATM adopts a flow-based, non-intrusive deployment. Once it detects an anomaly, instead of blocking the anomalous traffic directly, it sends alarm notifications to network managers or other management systems. To stop anomalous traffic or security threats in time, GenieATM provides mitigation countermeasures that work through third-party devices such as routers and traffic-cleaning devices: suggesting ACL filter configurations to routers, announcing black-hole or sink-hole routes to routers, and triggering the protection actions of third-party mitigation devices.

The non-intrusive mitigation solution is superior to "in-line" DDoS solutions in several ways:

* The data collection points and the traffic blocking/cleaning devices are all reached via IP routing mechanisms, so the solution is as resilient and available as the IP network itself, with no single point of failure;

* For reliability and availability, in-line DDoS solutions require redundant pairs of devices deployed at each mitigation point, which increases the solution cost without real gain in value. Furthermore, the management cost of in-line solutions is significantly higher because of provisioning and maintaining devices located at different points in the network;

* The distributed architecture gives GenieATM access to data from across the whole network, producing better heuristics and allowing earlier attack identification and mitigation.