Distributed Denial of Service (DDoS) and other forms of attacks are a risk for any network on the
Internet. Especially when the Internet is mission critical for your organisation or customers,
you need appropriate protection.
However, as there is not one single type of threat, there is also not a simple one-size-fits-all solution. A toolbox with multiple protection and mitigation tools provides more fine-grained answers to different types of attacks:
- Network Address and Port Translation (NAPT)
- Intrusion Detection
- Upstream Diversion
- DDOS Divert
- Distributed Drop (BGP Community based)
- Cloud DDOS Mitigation
Network Address & Port Translation (NAPT)
Although NAPT or IP Masquerading (the process of dynamically swapping an internal/private IP address for a single external/public IP address or a small group of them, using and modifying port information in the process) is not always implemented primarily for security purposes, it does give substantial protection.
Communication can only be initiated in the 'outgoing' direction (towards the Internet), not in the 'incoming' direction (from the Internet). This substantially limits the options for attacking equipment and services behind NAPT. It does however have serious drawbacks, as it breaks the model of end-to-end connectivity on the Internet.
A firewall is ideal as a preventive measure to simply limit access to your network in an open ('permit-everything-except') or a closed ('permit-nothing-except') configuration.
Firewall not on BGP router
A firewall should not be integrated in a BGP router, as BGP inherently enables asymmetric routing, which breaks stateful firewalls (which depend on state information kept from traffic in one direction on an interface to allow the return traffic in the other direction). A stateless firewall is possible but very limited in functionality.
Historically firewalls started as simple stateless packet filters which pay no
attention to whether a packet is part of a stream of traffic.
The second generation of firewalls does keep transport layer state of packets, enabling more precise traffic filtering, hence stateful firewalls.
The third generation, application layer firewalls, is also aware of (some) applications and application layer protocols and can filter based on application specific information and detect whether applications are seen on the right transport-layer ports. This does require deep packet inspection (DPI).
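The claim above that asymmetric routing breaks a stateful firewall, shown as an added example (not code from the original page): a minimal default-deny stateful filter that records outbound 5-tuples and only admits inbound packets matching known state. Two instances model two BGP edge routers; the addresses and the "inside prefix" are constructed for the demonstration.

```python
# Added example: minimal stateful packet filter and the asymmetric-routing failure mode.
# Addresses and prefixes are constructed sample values, not from any real network.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Default-deny inbound; outbound packets create state, replies must match it."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix      # e.g. "10.0.0." marks the protected side
        self.state: set[tuple] = set()          # (inside ip, port, outside ip, port, proto)

    def _is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._is_inside(pkt.src):
            # Outbound: remember the 5-tuple so the reply can be admitted later.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        # Inbound: forwarded only if it is the reverse of a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state


def symmetric_path() -> tuple[bool, bool]:
    """Both directions traverse the same firewall: the reply is accepted."""
    fw = StatefulFirewall("10.0.0.")
    out = fw.process(Packet("10.0.0.5", 40000, "203.0.113.9", 443))
    back = fw.process(Packet("203.0.113.9", 443, "10.0.0.5", 40000))
    return out, back


def asymmetric_path() -> tuple[bool, bool]:
    """Outbound leaves via router A, the reply enters via router B: B has no state."""
    fw_a = StatefulFirewall("10.0.0.")
    fw_b = StatefulFirewall("10.0.0.")
    out = fw_a.process(Packet("10.0.0.5", 40000, "203.0.113.9", 443))
    back = fw_b.process(Packet("203.0.113.9", 443, "10.0.0.5", 40000))
    return out, back   # (True, False): the legitimate reply is dropped by router B
```

The same state table is what makes an unsolicited inbound packet (no prior outbound flow) fail the lookup and be dropped.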
A proxy server acts as an intermediary between clients on the Internet seeking resources from internal servers. It can validate requests, optionally answer on behalf of an internal server, or modify requests and responses. A proxy can also provide additional logging and monitoring for security purposes. It can however break the model of end-to-end connectivity on the Internet.
Monitor your network to detect when and where an attack occurs, or even before it does. Knowing which specific part of your network is under attack is vital information in handling an attack, for example to divert only the traffic to that destination so that the rest of the network can continue without disruption.
Scrubbing is the cleaning of traffic: separating valid traffic from the attack traffic. This is usually done by temporarily leading all traffic through a device which carefully analyses it, throws away the attack traffic and lets the valid, clean traffic continue to the original network and servers, so that users and visitors keep using the services without interruption.
A DDoS consumes a lot of network bandwidth. If the bandwidth of the attack exceeds the total available bandwidth, a larger part of the network (everything that uses the same connection) will suffer from the attack, because the attack traffic suffocates the whole line. By overprovisioning you make sure there is much more bandwidth available than can easily be consumed. Nowadays a 10Gbit/s connection is usually sufficient, as attacks are normally well below 10Gbit/s.
When an attack occurs and you have identified the target within your network you can ask upstream providers to drop the traffic for this destination. This will result in the target being (partially) unreachable, but prevents the rest of your network from suffering from the attack.
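The monitoring and upstream-drop steps above, as an added example that is not code from the original page: constructed flow records (the kind a NetFlow/sFlow export at the border would provide) are aggregated per destination inside our prefix, the destination whose traffic alone threatens the link is identified, and the resulting /32 host route is prepared for the upstream drop request. The prefix, addresses, link size and the 50% share threshold are assumptions for the demonstration; the BLACKHOLE community 65535:666 is the well-known value from RFC 7999, but an upstream may require its own.

```python
# Added example: pick the attack target from flow records and build the /32 to hand upstream.
# All flow records, addresses and thresholds below are constructed sample values.
from collections import defaultdict
import ipaddress

OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")      # assumed customer prefix
LINK_BYTES_PER_SECOND = 10_000_000_000 // 8                # the 10Gbit/s line mentioned above
BLACKHOLE_COMMUNITY = "65535:666"                          # RFC 7999 well-known BLACKHOLE

# Constructed one-second flow sample: (destination, bytes, source).
FLOWS = [
    ("198.51.100.10", 300_000_000, "203.0.113.7"),
    ("198.51.100.10", 350_000_000, "203.0.113.8"),
    ("198.51.100.10", 250_000_000, "192.0.2.44"),
    ("198.51.100.20",   2_000_000, "203.0.113.7"),
    ("198.51.100.30",   1_500_000, "192.0.2.99"),
    ("203.0.113.200",  50_000_000, "198.51.100.20"),        # outbound, not our destination
]


def bytes_per_destination(flows):
    """Sum bytes and count distinct sources for destinations inside OUR_PREFIX."""
    totals, sources = defaultdict(int), defaultdict(set)
    for dst, nbytes, src in flows:
        if ipaddress.ip_address(dst) in OUR_PREFIX:
            totals[dst] += nbytes
            sources[dst].add(src)
    return {d: (totals[d], len(sources[d])) for d in totals}


def find_attack_targets(flows, link_capacity=LINK_BYTES_PER_SECOND, share=0.5):
    """Destinations whose inbound volume alone exceeds `share` of the link capacity."""
    stats = bytes_per_destination(flows)
    return sorted(d for d, (nbytes, _srcs) in stats.items() if nbytes > share * link_capacity)


def blackhole_announcements(targets, community=BLACKHOLE_COMMUNITY):
    """Host routes to announce to upstreams, tagged with the drop community."""
    return [(str(ipaddress.ip_network(f"{t}/32")), community) for t in targets]


if __name__ == "__main__":
    targets = find_attack_targets(FLOWS)
    for route, comm in blackhole_announcements(targets):
        print(f"announce {route} community {comm}")   # only the target goes dark
```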
.. in progress ..
Cloud DDOS Mitigation
Distributed Denial of Service (DDoS) protection
Verisign DDOS Protection Services.
As a trusted partner, Verisign helps companies stay online without needing to make significant investments in infrastructure or establish internal DDoS expertise.
As a cloud-based service, it can be deployed quickly and easily, with no customer premise equipment required. This saves time and money through operational efficiencies, support cost, and economies of scale to provide detection and protection against the largest of DDoS attacks.
The risk and cost of DDoS attacks is undeniably a growing problem for companies dependent on online systems. DDoS Protection Services provide an ideal DDoS attack detection and protection solution addressing needs across network security, internet services, and business continuity.
Verisign DDOS Protection FAQ
Verisign DDOS Protection Services Overview