It is my philosophy that denial of service hardware cannot stop real
DDoS attacks. You could shell out several hundred thousand dollars
for some defense products mentioned in a number of these forum
emails; however, it may do nothing more than overly complicate your
network. Defense products such as IPS devices that do DDoS
protection have failure points; they are also only as good as the
operators of the hardware and network.
If you have a "2 gig" solution configured on your network, and you
have 5 gigs of Internet transit, that does not guarantee or buy you
anything. Attackers often go after router interfaces, DNS servers,
or sheer packet rates that could cause your routers to completely
fail; your network could easily be saturated. This weekend alone we
saw attacks that were over 9 gigabit-per-second reaching 20M PPS. At
9 gig, there is no IPS that will work for you. Before we were
dealing with the attack to that particular customer, their DDoS
protected solution failed, their ISP went offline, and their ISP's
tier-1 carrier had to start null routing the attack. Some carriers
die because their peering arrangements saturate and cause harm to
their networks before the traffic ever reaches an IPS device. These
attacks require packet-per-second processing in the 20's of millions,
not in the range of 1, 2, or even 8 gigs.
Managing bandwidth at that rate also becomes a nightmare and nearly
impossible for a large enterprise to deal with. Looking further into
an attack mitigation strategy, attacks at that size require a 24/7
operation full of people that know how to massage traffic, massage
routers, perform attack analysis, track attacks, report them to the
FBI, and at times design special solutions to deal with the 0-minute
issues that often happen with DDoS attacks.
During our attacks over Christmas (yes, all Christmas Day we were
working) we saw 2 tier-1 backbones fail and were forced to pull the
plug on the traffic. Fortunately we operate 12+ carriers at any
given time, so that's not a major impact to our operations. We were
also able to filter the traffic without impact to the customer, and
without the customer having to foot the bill for their huge inbound
bandwidth problems. We also operate anycast and special distribution
methods where we can push DDoS traffic all around the earth, this
allows us to utilize peering arrangements with large eyeball networks
and to deploy network sinkholes in different demographic areas.
During any off hour situations the hardware vendor will be on the
hook to get the network fixed. Getting a fix or even getting access
to the equipment is a slow process for a vendor; our customers have
used things like Cisco's Guard, and when it comes down to a determined
attacker, the Guard will fail, and that's where we pick up the mess.
With the above said, I feel the correct approach (the approach I have
dedicated all of my efforts towards) is a holistic defensive
network. Prolexic is a defense network, we operate at rates
unobtainable by any other product. Our SLA (yes, we guarantee our
network) is at rates 20 times higher than the best IPS and DDoS
hardware you can buy.
Operating such a network also comes with the benefit of operating
quarantines, research arms, and each attack makes us stronger as we
continue to evolve our own FPGA and ASIC based defense technology.
At today's rates we are processing several attacks a day, with our
24/7 NOC functioning as some of the best digital grenade jumpers on
the Internet.
My advice to all IPS and commercial DDoS product shoppers is to
really create a defense strategy that is obtainable and not base the
design off a single IPS or hardware device. Make sure your entire
operation is ready to function while under attack; programmers,
networking groups, security groups, etc. Making a hardware device a
success takes a little luck and a lot of fortitude.
In my opinion, finding a network-based solution is the easy and
scalable approach to this problem and should be something that is
also looked at seriously before buying an IPS.
-Barrett
--
Barrett Lyon
CTO and Founder
Prolexic Technologies, Inc