DDoS Prevention and Mitigation

A FORTINET STRATEGY GUIDE

Introduction You have only to scan news headlines to be aware that Distributed Denial of Service (DDoS) attacks aren’t going away anytime soon. In fact, if anything, they are gaining momentum as a way for cybercriminals and hacktivists to make political statements and create a wake of destruction that includes damaged reputation, lost business and financial losses for their victims. And they are unpredictable in nature.

In their April 2012 report “Entering the Next Phase of DDoS Defense,” Stratecast researchers revealed that DDoS attacks are increasing in number by 20% - 45% annually; with application-based DDoS attacks in particular increasing by triple digits. Correspondingly, they found that attacking via DDoS is one of the most prominent tools used by the hacker community, many times as part of a multi-technique attack strategy.

Michael Suby, vice president of research at Stratecast states:“For Website operators that have not yet given the risk and business impact of DDoS attacks serious consideration, this is perilous ignorance. Although there is no guarantee an attack will occur, there is also no guarantee that an attack will not occur. What can be stated with certainty is that the probability of a DDoS attack is rising. Furthermore, when consideration is given to the use of botnets to perpetrate DDoS attacks, the increasing number of independent Internet-connected appliances and growth in machine-to-machine Internet interactions, this probability is marching toward a certainty.”

Starting out as simple denial of service assaults launched from a single computer, DDoS attacks have emerged with the proliferation of botnets and evolved into one of the most significant and prevalent threats on the security landscape—a trend Verizon calls in its 2012 Data Breach Investigations Report “more frightening than other threats, whether real or imagined.”

DDoS attacks have gradually become very sophisticated. Beginning with targeted attacks on organizations’ critical infrastructure, such as DNS, in the early 2000s, they grew to include thousands of non-spoofed botnet machines making legitimate connections in the late 2000s. Today, they utilize powerful servers with tremendous CPU power and bandwidth at their disposal for socially engineered attacks. As the use of such servers to obfuscate this next generation of more targeted attacks is becoming common place, traditional mitigation methods used by service providers are proving increasingly ineffective.

Five Steps To Protect Against A DDoS AttackThere are proactive steps organizations can take in order to bolster defenses and reduce the risk of attack. A DDoS strategy should not be aiming for the complete removal of all DDoS traffic but instead the maintaining of services and especially critical services with minimum disruption. However, like with any other aspect of network security, proper execution requires forward thinking and planning.

Key steps include:

n Assessing the network environment and implementing a defense plan

n Developing a comprehensive and layered DDoS strategy

n Implementing visibility and control at the infrastructure level

n Protecting DNS servers and other critical infrastructure n Implementing on-premise dedicated DDoS tools

The Anatomy Of A DDoS AttackDDoS attacks are some of the most effective attack mechanisms on the IT security threatscape, in part because of their simplicity.

DDoS attacks are commonly known as volumetric. In that case, attacks are executed when a cybercriminal leverages a network of compromised computers to bombard a victim’s computer - or network of victim’s computers - with more traffic than it can process. That barrage of traffic is designed to choke connectivity, thus forcing an automatic shutdown and rendering a “denial of service” for users - quite literally.

As with most attacks, the assault often originates by an attacker successfully exploiting a vulnerability to compromise one computer, which then becomes the DDoS robot under the control of a hacker or hacking group. Just like an army general, the master computer recruits its infantry by communicating with and subsequently infecting other systems, building an established botnet with a formal command and control system.

At the discretion of the bot operator, the master computer instructs its army of infected computers to launch an attack, resulting in a massive packet assault against its intended target. Overwhelmed with service requests, the victim computer is forced to go offline as it succumbs to the attack. Alternatively, it will experience serious degradation in performance and subsequently service, just as if it had gone offline. Organizations are now increasingly targeted by application-layer DDoS attacks. In that case, the attack targets the application service itself. While it was only a few years ago that a DDoS attack primarily targeted networks using low-level protocol attacks such as PING, Smurf and different worms, today’s attacks are targeting specific web applications in more sophisticated manners. Attackers use legitimate requests to overload the server. More sophisticated DDoS attacks come after site reconnaissance to understand which request creates the most CPU-intensive SQL query to the backend database. Other attacks can try to manipulate server memory, writing to hard disks and server-specific attacks. As described in the 2012 Verizon Data Breach Investigations Report, several high profile application-layer DDoS attacks hiding behind volumetric attacks were used to obscure data theft efforts, proving the theory of the use of multi-vector attacks to hide the true target of the attack.

The Evolution Of DDoS AttacksWhile execution mechanisms have evolved over the years, the basic concept behind DDoS attacks—denying Web service to a victim—has remained constant since soon after the inception of the Internet. In the late 1990s attackers launched these kinds of assaults from one host machine in order to create a denial of service situation. Reports from 1996 were identifying potential threats from SYN floods to connection high-jacking. Later, some of the most notorious DoS attacks of this era---WinNuke, Teardrop and Ping of Death—took DoS to a whole new level, changing the paradigm from hacker entertainment to powerful cybercriminal tool.

Eventually, simple DoS attacks became too easily traced to the source, compelling hackers to migrate to a more distributed model in order to obfuscate their origins in the early 2000s. And in recent years, DDoS attacks have grown exponentially, incorporating hundreds of thousands of zombie computers, garnered from both corporate networks and individual home machines.

More recently, a single powerful server or just a few such servers with abundant bandwidth at their disposal have been used to create massive socially-engineered DDoS attacks where users are asked to click on a link via a social Website such as Twitter and the central server then forwards attack packets to the victim using sophisticated JavaScript techniques.

While DDoS assaults are now commonplace, their size and scope can vary greatly and their attack methods are constantly evolving. Last year, for the first time in the history of DDoS, a drop in the largest volumetric attacks was observed, supporting the argument that attackers are adapting attack methods to circumvent older mitigation technologies. Reports detailed a new iteration of DDoS, targeting higher levels of the network stack and requiring much less traffic than previously needed to overwhelm the network and cause a system crash (“Denial of Service Attacks Get More Sophisticated,” eSecurity Planet, Sean Michael Kerner, January 18, 2011). Attacks using multitudes of slow connections such as Slowloris exploit weaknesses in standard protocol stacks to overwhelm victims with otherwise seemingly legitimate connections. These attack vectors appear totally genuine to a network or security device which hasn’t kept up with attack trends.

A Complete Range Of DDoS Tools To execute these massive cyber assaults, hackers have numerous tools at their disposal, many of which are free and easily downloadable on the Web. Some of the most rudimentary tools, such as simple flooding mechanisms and easily understood host shell booters enable just about anyone with a computer and devious intentions to launch an attack—with little to no technical expertise.

One of the most popular tools circulating the Web was the tool du jour of the global hacking collective Anonymous—and also one of the easiest to use. Known as the Low Orbit Ion Cannon (LOIC), the application was developed by hackers for easy launches of DDoS attacks on Websites with the click of a button.

Essentially, the app requires only a simple download for its use, which then transforms a user’s computer into a fire hose of bogus requests directed at the target. When done in collaboration with thousands of other like-minded individuals,

the tools have enough power to take down networks of multi-national corporations. Its ease of use allows users to participate in a DDoS attack even if they have no idea how to hack.

However, like many other threats on the security landscape, DDoS attack tools are becoming increasingly sophisticated and complex. More technologically advanced Remote Access Trojans (RATs) and DDoS botnets are designed to automate attacks of epic proportions, containing in their arsenal the ability to bring down the networks of entire corporations, governments or nations.

For example, the attack code dubbed “Apache Killer” exploited an insidious vulnerability in the way Apache servers handled the HTTP-based range requests. The DDoS attack, posted on the Full Disclosure mailing list, put the power in the hands of desktop hackers to knock entire networks offline from a single PC.

In parallel with technology trends, a wide range of commercial services are also available for a fee, enabling amateur hacker and professional cybercriminals alike to execute a myriad of DDoS attacks.

The Real Cost Of DDoSMake no mistake—DDoS attacks hurt everyone. While news regularly report on guerrilla groups, hacktivists and hostile governments hurl DDoS attacks at each other, often victims caught in the middle of an attack are business organizations ranging from SMBs to enterprises.

Organizations hit with DDoS service attacks—especially those that depend on uptime for business transactions—undeniably suffer customer attrition and financial losses. But they also face intangible consequences, such as a diminished brand and reputation and loss of future business that might linger for months or years, following the attack.

The costs of a DDoS attack can add up quickly. In addition to lost revenue for every minute of downtime, organizations have to endure costs related to IT analysis and cleanup, such as increased operations expenses, added help desk personnel to deal with inquiries and enhanced recovery efforts. Losses also include worker output, which suffers while the systems are inaccessible and lost business and customers. Additionally, many businesses face financial penalties from broken Service Level Agreements.

For those businesses that depend on uptime, such as banking and e-commerce sites, any amount of disrupted service affects revenue. To that point, the April 2012 Stratecast report documents that incidents of DDoS attacks on e-commerce companies escalate during the period when Website disruptions will cause the greatest economic harm—the fourth quarter of the calendar year. But while financial services and online commerce stand the most to lose, DDoS attacks can indubitably badly impact all industries.

Mitigating DDoS AttacksIn light of DDoS attacks that have taken down targets of Goliath proportions, IT administrators might think there are few measures they can take to avoid becoming the next headline. That’s not entirely true. In fact, there are deliberate proactive steps companies can take and have taken to significantly reduce the risk of attack and strengthen defenses in preparation in the event one should occur.

The first step is assessing the network environment and implementing a defense plan. Among other things, the response plan should include backup and recovery efforts, additional surveillance and ways to restore service as quickly and efficiently as possible.

Multi-Layer Defense StrategySuch strategy is crucial in DDoS defenses and a significant part of multi-layer defenses should include dedicated on-premise tools that are designed to defend and mitigate threats from all angles of the network. These tools include anti-spoofing, host authentication techniques, packet level and application-specific thresholds, state and protocol verification, baseline enforcement, idle discovery, blacklist/whitelist and geolocation-based access control list.

FortiDDoS Fortinet’s FortiDDoS appliances provide comprehensive protection from both the network layer and application layer attacks. FortiDDoS appliances can be located in close proximity to an organization’s Web servers, where they examine traffic—which is instrumental in

detecting application-layer attacks. In addition, FortiDDoS devices have out-of-the box policies used to identify and block common, generic or custom DDoS attack techniques and patterns. While FortiDDoS appliances can detect and prevent DDoS attacks immediately, the devices also contain intelligent modes that “learn” to recognize both acceptable and anomalous traffic behavior patterns based on traffic flow. The traffic profiling is then used to detect and restrict threats faster while reducing the event of false positives.

That continuous learning and retuning of policies is vital when defending against DDoS threat because Website functionality is never static, and as such attackers target all vectors in an attempt to gain entrance into a victim’s network. FortiDDoS appliances continuously update their generic set of policies to stay on top of threats at all levels, regardless of their origination. Both learning mode and generic policy updates work in parallel to serve as part of a comprehensive, multi-layer defensive strategy.

Complementary DDoS SolutionsTwo complementary Fortinet product families - FortiGate and FortiWeb - can also assist in developing a multi-layer defense strategy against DDoS attacks.

FortiGate FortiGate offers network infrastructure protection, features traffic anomaly detection based on thresholds and blocks network-based attacks such as TCP SYN flood, UDP/ICMP floods, TCP port scans and protocol anomalies.

The DDoS Sensor included in FortiGate detects and drops DDoS packets before requiring firewall policy look-ups or engaging any content scanning, thus avoiding any effect on processing-intensive protective services. Administrators can configure thresholds in each FortiGate DDoS sensor, along with the action to take when the traffic volume exceeds the threshold. They can also define DDoS policies to apply to all traffic or just to traffic to or from specific IP addresses.

FortiWeb Combining both Web Application Firewall and sophisticated DDoS protection capabilities in a single platform, FortiWeb delivers Web and application server protection and features a transparent challenge/response approach to identify legitimate requests.

The appliance uses both network and application layer protection mechanisms to identify requests from legitimate users and block access to attacks originating from clients associated with botnets. FortiWeb thus blocks threats that target apps and Web services infrastructure, such as HTTP GET/POST requests, Slowloris, SQL injection among others. Sophisticated attacks are blocked using a multi-layered security approach.

The deployment positions for FortiGate and FortiWeb are slightly different from FortiDDoS. Most commonly, organizations enable DDoS protection on a FortiGate that connects a private or DMZ network to the Internet. This is a good option for protecting branch or remote offices that are outside the core DDoS security of an organization. Centrally, FortiDDoS is typically positioned before a firewall such as FortiGate and is intended to protect the network infrastructure as well as the security infrastructure. FortiWeb, on the other hand, is deployed before servers and designed to protect against malicious access to the servers and spreading malware onto the servers. The solution allows organizations to protect against application-level attacks targeting the Web application and web services infrastructure.

Protect DNS ServersAs part of an overall defensive strategy, organizations must protect the critical assets and infrastructure. Many organizations maintain their own DNS servers for Web availability, which are often the first systems to be targeted during a DDoS attack. Once DNS servers are hit, attackers can easily take down an organization’s Web operations, creating a denial of service situation that will only require costly and extensive cleanup afterward.

FortiDNS Fortinet’s FortiDNS product family offers a spate of robust DNS appliances that provide DNS caching and contain a strong focus on security. The devices, which come in a hardened appliance format with GUI-driven configuration, strengthen enterprise security with technologies that include transaction ID, UDP Source Port and case randomization mechanisms.

Implementing VisibilityOrganizations need a way to maintain vigilance and monitor their systems before, during and after an attack. It’s no secret that having a holistic picture into the IT environment allows administrators to detect aberrations in network traffic and detect attacks quickly, while giving them the intelligence and analytical capabilities to implement appropriate mitigation and prevention techniques. The best defenses will incorporate continuous and automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic be detected.

The FortiDDoS product line offers granular visibility and control, so IT administrators have a comprehensive view into the entirety of the network. That visibility into network behavior helps administrators get to the root of the attack’s cause and block flood traffic while allowing legitimate traffic to pass freely. It also hands administrators the ability to conduct real-time and historic attack analysis for in-depth forensics. Plus, advanced source tracking will further propel defensive efforts by pinpointing the address of a non-spoofed attack and will even contact the offender’s domain administrator.

The FortiDDoS Network Behavior Analysis (NBA) system along with Fortinet’s FortiAnalyzer centralized reporting appliances provide real-time visibility into Internet facing networks, containing capabilities that prevent network behavior anomalies—even DDoS attacks—from getting inside the organization’s perimeter. That extended visibility enables IT administrators to create easily customized reports garnered from security events, network traffic, Web content and messaging data in search of any signs of DDoS threats or other suspicious traffic.

Apply Dedicated DDoS Attack ToolsFinally, it behooves organizations to adopt dedicated DDoS attack tools that can address the growing threat head on.

FortiDDoS appliances provide comprehensive protection with a specific mission to counter DDoS threats by detecting and blocking malicious traffic while letting legitimate data and communications flow freely. FortiDDoS covers Layer 3 protocols (all 256), as well as Layer 4 and 7 protocols and can track up to one million source and destination IP addresses simultaneously. Fortinet’s appliances rely on a multitude of technologies that scan a wide range of threat vectors, including monitoring methods, referrers, cookies, URLs and user agents.

For an effective DDoS protection, FortiDDoS includes two key components: advanced virtualization and geolocation technologies.

FortiDDoS provides network segregation and virtualization capabilities, which allows organizations to seamlessly accommodate a multitude of different platforms and environments simultaneously with one appliance. With FortiDDoS’s virtualization feature, policy administrators can establish and oversee up to eight independent policy domains in a single appliance, which prevents attacks delivered in one network segment from impacting other network segments. The virtualization feature also helps to reduce the need for replicated network segments. And virtual instances can also be an effective mechanism in defense escalation. Rather than relying on a single set of policies, IT administrators can define multiple sets in advance, which create the ability to apply a more stringent set of policies if the previous ones happened to be inadequate. In addition, FortiDDoS appliances apply a virtual identifier (VID) concept for both powerful and cost-effective multi-tenancy, avoiding the need for implementing multiple DDoS appliances.

The FortiDDoS geolocation technologies allow organizations to block malicious traffic coming from unknown or suspicious foreign sources. Specifically, the appliances can block traffic based on geolocation through efficient hardware logic, and, when used judiciously, can also be used to reduce load and energy consumption on the backend servers by eliminating traffic from regions outside the organization’s geographic footprint and market.

The FortiDDoS appliances also put control of bandwidth right where it should be—in the hands of IT administrators. Bandwidth management capabilities allow IT administrators to stay on top of policies while predefining usage to customers, employees or contractors. And header and state anomaly prevention technologies ensure a “clean pipe,” that allows FortiDDoS to instantly block dark address scans and prevent the outbreak of worms and other stealthy activity. In addition, line-rate granular ACLs power FortiDDoS to protect infrastructure from unwanted traffic in the data center. The combination of these capabilities with the heuristic and behavioral detection features provided by FortiDDoS enables a powerful defense against even the most complex DDoS attacks.

Another key and unique element is that FortiDDoS defense mechanisms apply granular custom-built hardware logic designed specifically for DDoS attack mitigation. That granular technology is contrasted with competing DDoS appliance manufacturers that offer DDoS features built on top of existing IPS infrastructure.

Finally, because no one organization or network is alike—or has the same needs, Fortinet’s FortiDDoS product family offers solutions that can be tailored to vertical and market segment, with various appliance models to address the organization’s size, users and bandwidth specific requirements.

FortiDDoS Product Family

FortiDDoS-100A

FortiDDoS-200A

FortiDDoS-300A

n 1 Gbps full-duplex anti-DDoS throughputn 8 Virtualized network partitions with independent protection policiesn Interoperable with your existing security and network environmentsn Continuous learning capability differentiates between gradual build- ups in legitimate traffic and attacksn Real-time and historic attacking traffic analysisn High-performance DDoS mitigation powered by purpose-built FortiASIC-TP processor

n 2 Gbps full-duplex anti-DDoS throughputn Custom FortiASIC Traffic Processors (FortiASIC-TP) delivers high- performance DDoS mitigationn 8 Virtualized network partitions with independent protection policiesn Automatic traffic profiling and rate limitingn Comprehensive reports including top attacks, top sources and top attackersn Inline, transparent threat mitigation provides an easy to manage, automated protection

n 3 Gbps full-duplex anti-DDoS throughputn 8 Virtualized network partitions with independent protection policiesn Automatic traffic profiling and rate limitingn Interoperable with your existing security and network environmentsn Continuous learning capability differentiates between gradual build- ups in legitimate traffic and attacksn Real-time and historic attacking traffic analysis for granular threat visibility and mitigation

For many organizations, large and small, the specter of DDoS attacks is daunting at best. News media reports that detail the latest assault on governments and corporations prompt users to wonder who the next victim will be, and when the next attack will occur.

Unfortunately, organizations can expect DDoS attacks—like other security threats—will only continue to grow and be more prolific in the future.The evolving nature of DDoS technologies will require organizations to make a paradigm shift that entails greater foresight and more proactive defenses.

Therefore, organizations need to ramp up their response plans and assess their network infrastructure vis-à-vis DDoS threats today. They need to start by bolstering defenses for critical servers and prioritizing data. They also need to implement management and monitoring capabilities to give them a comprehensive understanding of their whole network. Finally, IT administrators should be able to implement fail-safe measures that quickly identify the source of the threat, minimize the impact of the attack, and restore service as soon as possible.

Protection against the unknown has always been a challenge. However, with the advanced techniques utilized within the Fortinet product range, IT administrators can be assured of the highest possible level of protection for today and the future.

About FortinetFortinet is a global provider of high-performance network security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. More than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service providers and governments - are utilizing Fortinet’s broad and deep portfolio to improve their security posture, simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect the constantly evolving networks in every industry and region around the world.

Conclusion

AMERICAS HEADQUARTERS

1090 Kifer RoadSunnyvale, CA 94086United StatesTel +1.408.235.7700Fax +1.408.235.7737www.fortinet.com/sales

EMEA HEADQUARTERS

120 rue Albert CaquotSophia AntipolisFrance 06560Tel +33.4.8987.0510Fax +33.4.8987.0501

APAC HEADQUARTERS

300 Beach Road 20-01The ConcourseSingapore 199555Tel +65.6513.3734Fax +65.6295.0015

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herin were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

www.fortinet.com

FortiGuard® Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats. Subscriptions include antivirus, intrusion prevention, web filtering, antispam, vulnerability and compliance management, application control, and database security services.

FortiCare™ Support Services provide global support for all Fortinet products and services. FortiCare support enables your Fortinet products to perform optimally. Support plans start with 8x5 Enhanced Support with "return and replace" hardware replacement or 24x7 Comprehensive Support with advanced replacement. Options include Premium Support, Premium RMA, and Professional Services. All hardware products include a 1-year limited hardware warranty and 90-day limited software warranty.